
Manage E-mail attachment policy in Office 365 – part 1#4

The subject of E-mail message attachments manifests itself in two main scenarios:

  1. Malware scenario – a hostile party attaches malware to an E-mail message and sends it to one of our organization's recipients; the recipient opens the message and executes the malicious attachment.
  2. Company policy, regulation, etc. – the company policy or a specific regulation dictates which file types may be attached to E-mail messages sent to or by company employees.

In this article, I would like to review the subject of mail attachments in an Office 365 and Exchange Online based environment.

We will start by reviewing a very common misconception about mail attachments in an Office 365 environment and later review how to implement an E-mail attachment policy in an Office 365 based environment by creating Exchange Online transport rules.

E-mail attachment policy – The article series

The article series Manage E-mail attachment policy includes four articles.
In the first article, we review, at a high level, the characteristics and requirements of an E-mail attachment policy.

The remaining three articles are dedicated to the “how to” part. In those articles, we review a couple of examples of how to configure an E-mail attachment policy in the Office 365 environment by using Exchange Online transport rules.

Exchange Online, mail attachment, and malware

Let’s start with two important “declarations”:

1. Automatic scanning and removal of malware file attachments in the Exchange Online environment.

In an Office 365 based environment, the infrastructure that is responsible for mail security and serves as the mail security gateway is EOP (Exchange Online Protection).

Every E-mail message that is sent to Office 365 recipients, or from Office 365 recipients to other recipients, is scanned by the EOP infrastructure.

In case EOP finds that the E-mail message includes an attachment that is considered malware (hostile code), EOP automatically blocks the hostile file.

When an E-mail message includes an attachment that is considered malware, we cannot “tell” EOP that we want to accept that specific hostile attachment. Instead, we can choose between a couple of possible “actions” that will be enforced on an E-mail message that includes a hostile attachment.

The EOP policy that relates to hostile attachments is described as – Malware Detection Response.

In the following screenshot, we can see the interface that we use for configuring the EOP Malware Detection Response.

In the Exchange admin center, on the left menu bar, we choose the protection menu and, on the top menu bar, we choose malware filter.

Exchange Online – mail protection and Malware Detection Response -01

We can see that the choices we have are:

  • Delete the entire message
  • Delete all attachments and use default alert text
  • Delete all attachments and use custom alert text
Exchange Online – mail protection and Malware Detection Response -02
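As an added example (not part of the original article), the same Malware Detection Response setting can be read and changed from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session, uses the built-in policy named Default, and the notification address is a placeholder:

```powershell
# Added example (not from the original article): inspect and set the EOP
# Malware Detection Response from Exchange Online PowerShell.
# Assumptions: Connect-ExchangeOnline has already been run; the policy being
# edited is the built-in "Default"; secops@contoso.com is a placeholder.

# Show the current action and the admin-notification settings that go with it.
Get-MalwareFilterPolicy -Identity Default |
    Format-List Name, Action, CustomAlertText,
                EnableInternalSenderAdminNotifications, InternalSenderAdminAddress

# The three radio buttons in the screenshot map to these Action values:
#   Delete the entire message                     -> DeleteMessage
#   Delete all attachments, default alert text    -> DeleteAttachmentAndUseDefaultAlert
#   Delete all attachments, custom alert text     -> DeleteAttachmentAndUseCustomAlert
Set-MalwareFilterPolicy -Identity Default `
    -Action DeleteAttachmentAndUseCustomAlert `
    -CustomAlertText 'An attachment on this message was removed because it was identified as malware.' `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress 'secops@contoso.com'

# Re-read the policy to confirm the change took effect.
(Get-MalwareFilterPolicy -Identity Default).Action
```

One caveat before relying on this: Microsoft's current Set-MalwareFilterPolicy reference lists Action and CustomAlertText as on-premises-only parameters, and Exchange Online now quarantines malware-bearing messages regardless of this setting. The example reflects the behaviour the article describes; check the cmdlet reference for your tenant before treating the chosen Action as authoritative.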

In the following diagram, we can see an example of the flow of an E-mail message that includes an EXE file attachment.

The E-mail message is accepted by EOP, and EOP scans the EXE file that is attached to the E-mail message.

In case the EXE is not malware (a legitimate EXE file), EOP forwards the E-mail message to the user mailbox.

In case the user uses the Outlook mail client to read the E-mail message, the Outlook mail client blocks access to the EXE file by default.

The standard flow of mail that includes an attachment in an Office 365 environment

2. By default, the element that is responsible for enforcing an E-mail message attachment policy is the mail client, not the mail server.

A very common misconception regarding the subject of “E-mail message attachment policy in an Exchange based environment” is that the element that enforces the E-mail message attachment policy by default is the “server” side.

In reality, the truth is just the opposite.

By default, the Exchange server will not enforce any E-mail message attachment policy.

When we use a standard “Microsoft mail client” such as Outlook or OWA, the element that enforces the mail message attachment policy is the mail client itself!

Enforcing E-mail attachment policy

Exchange Online | OWA and Outlook mail client | mail items with attachments

As mentioned in the previous section, the Outlook mail client and the OWA mail client have their own built-in E-mail message attachment policy.

In the following screenshots, we can see an example of an E-mail message that includes an EXE file attachment.

When using the Outlook mail client, we can see that the E-mail message includes an EXE attachment file named notepad.exe, but the red circle icon informs us that we cannot save or run this file.

The default Behavior of OWA and Outlook mail client regarding executable files -02

The same concept is implemented in the OWA mail client.

The default Behavior of OWA and Outlook mail client regarding executable files -01

Notice that in our scenario, the recipient is an Office 365 recipient.

The mail that was sent to the Office 365 recipient with the EXE file attachment was delivered via the Exchange Online server.

Exchange Online didn’t block or remove the EXE file attachment because, in our scenario, the EXE file attachment is a legitimate file (the notepad executable) and not malware.

In other words, Exchange Online is neutral regarding the EXE file attachment.

The “element” that blocks access to the EXE file attachment is the mail client (Outlook and OWA).

Technically speaking, if we used another mail client (not Outlook or OWA), there is a chance that we could access the EXE file attachment, because that mail client does not enforce an E-mail message attachment policy.
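To see how thin this client-side protection is, here is an added example (not from the original article) that reads the two registry values Outlook uses to modify its built-in list of blocked extensions: Level1Remove (extensions a user or admin has re-enabled) and Level1Add (extensions added to the block list). It assumes Outlook 2016 or later, which store these values under the 16.0 key; the function name is ours:

```powershell
# Added example (not from the original article): report local overrides of the
# Outlook client-side attachment block list on this machine.
# Assumption: Outlook 2016/2019/Microsoft 365 Apps, which all use the "16.0"
# registry key; pass -OfficeVersion '15.0' for Outlook 2013.

function Get-OutlookAttachmentBlockOverrides {
    param([string]$OfficeVersion = '16.0')

    $paths = @(
        # Group Policy location; Outlook honours it over the per-user value below.
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Security",
        # Per-user location; the user can edit this one without admin rights.
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
    )

    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

        foreach ($name in 'Level1Remove', 'Level1Add') {
            $value = $props.$name
            if ([string]::IsNullOrWhiteSpace($value)) { continue }

            $effect = if ($name -eq 'Level1Remove') { 'unblocked (can be saved/opened)' } else { 'blocked' }

            # The value is a semicolon-separated list such as ".exe;.bat".
            foreach ($ext in ($value -split ';')) {
                if (-not $ext.Trim()) { continue }
                [pscustomobject]@{
                    Path      = $path
                    Value     = $name
                    Extension = $ext.Trim().ToLower()
                    Effect    = $effect
                }
            }
        }
    }
}

# Any extension under Level1Remove is one the client will let the user open,
# even though Exchange Online delivered the message unchanged.
Get-OutlookAttachmentBlockOverrides | Format-Table -AutoSize
```

Because the per-user value lives in HKCU, a user can remove .exe from the block list on his own machine; only the Policies location, delivered through Group Policy, keeps that decision with the administrator. This is exactly why the article recommends moving the enforcement to Exchange Online transport rules.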

The three common mail flow scenarios relating to mail attachments in an Office 365 environment

When we mention the term “E-mail message attachment policy”, there are three main mail flow scenarios:

Scenario 1 – “internal mail flow”

This scenario relates to all the mail flow between organization recipients.
In this scenario, we need to decide what the “right” E-mail message attachment policy is for E-mail messages that are delivered “in house”.

For example, we could decide that the attachment policy can be less restrictive and allow more file types, because we can “trust” E-mail messages sent by our company users (bearing in mind that mail sent from a compromised internal account also counts as “in house”).

Scenario 2 – an external recipient sends an E-mail message to an organization recipient

This scenario relates to E-mail messages sent from “unknown” or untrusted senders to our organization recipients.

In this case, we are much more suspicious regarding the type of mail attachment that we are “willing” to accept.

Scenario 3 – an organization recipient sends an E-mail message to an external recipient

This scenario relates to E-mail messages sent from our organization recipients to “non-organization recipients”.

Seemingly, we “don’t care” about E-mail attachments sent to non-organization recipients, but the reality is more complicated.

We should think about a possible scenario in which our organization users send, deliberately or not, an E-mail message that includes malware or a specific file attachment that is not “acceptable” to other organizations.

This scenario could lead to lawsuits, damage to the company’s reputation and so on.

The three common mail flow scenarios relating to mail attachments in an Office 365 environment

Before we begin – what to do with E-mail messages that include a specific attachment

In the next article, we will review the different options and variations of the Exchange Online transport rule that will be used to implement and enforce the E-mail message attachment policy.

However, before we start with the “step by step” instructions and the decision about what type of mail attachment we will “block”, it’s very important to take a moment and allocate some time to the “transport rule action” part.

In other words – what exactly to do in a scenario in which we “capture” an E-mail attachment that is not compliant with our E-mail message attachment policy.

The good news is that the Exchange transport rule infrastructure is very sophisticated and includes a variety of options for us to choose from.

In the following section, I would like to briefly review common options, or “actions”, that we can implement in a scenario in which the E-mail message includes a specific attachment that is not compliant.

Option 1 – send the E-mail with the attachment to quarantine

Description

A scenario in which we “redirect” the E-mail message with the attachment to a dedicated “quarantine area” (not part of the user’s mailbox) that can be accessed by the recipient himself or by the Exchange Online admin.

Advantage:

  • The “problematic E-mail message” will not “reach” the user mailbox and, by doing so, we eliminate the risk that the user downloads and runs the attachment.

Disadvantage

  • The recipient is not aware of the fact that an E-mail message was sent to him, and there is a chance that the specific E-mail message is an important / legitimate E-mail message (false positive).
  • The recipient needs to access the quarantine by himself and “pull” or delete the E-mail message.
  • The recipient can “pull” the E-mail message into his mailbox and run the attachment file.

Option 2 – send the E-mail with the attachment to an “admin user”

Description

The E-mail message is not deleted but instead is sent to a “dedicated user mailbox”; a person is made responsible for accessing that mailbox, checking the “problematic” E-mail messages, etc.

Advantage:

  • The “problematic E-mail message” will not “reach” the user mailbox and, by doing so, we eliminate the risk that the user downloads and runs the attachment.

Disadvantage

  • The recipient is not aware of the fact that an E-mail message was sent to him, and there is a chance that the specific E-mail message is an important / legitimate E-mail message (false positive).
  • The person assigned as responsible will need to allocate the required resources for accessing the mailbox that contains the E-mail messages with the attachments, inspecting and testing the attachments, informing the “destination recipients”, etc.

Option 3 – delete the E-mail with the attachment

Description

A scenario in which we don’t want to “deal” with E-mail messages that include the attachment. The required action is to delete (destroy) the E-mail message.

Advantage:

  • The “problematic E-mail message” will not “reach” the user mailbox and, by doing so, we eliminate the risk that the user downloads and runs the attachment.

Disadvantage:

  • The recipient is not aware of the fact that an E-mail message was sent to him, and there is a chance that the specific E-mail message is an important / legitimate E-mail message (false positive).
  • There is no option to recover the E-mail message in case it turns out to be a legitimate E-mail message.

Option 4 – notify the sender and the destination recipient

Description

This “action” is applied in most cases in addition to other actions, such as – delete the E-mail with the attachment.

For example, in case the E-mail message includes an executable file attachment: delete the E-mail message, send a response to the sender notifying him that his E-mail message was blocked or deleted and, at the same time, send a notification message to the destination recipient (our organization user) notifying him that an E-mail message that was supposed to be sent to him was blocked because it includes an attachment file that is not compliant with the company policy.

Advantage:

  • The advantage is that the recipient is “aware” of the fact that an E-mail message that was supposed to be sent to him was blocked. In case the E-mail message attachment is a “legitimate attachment”, the organization user can contact the external sender and ask him to provide the file in a different way instead of by E-mail.

Disadvantage:

  • I cannot think of a prominent disadvantage. One caveat worth weighing: the response to the sender goes to whatever address appears in the message’s From field, so when that address is spoofed the notification reaches an uninvolved third party rather than the real sender.
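Putting the three mail flow scenarios from the previous section together with the four actions just described, here is an added example (not code from the original article) of how each pairing looks as an Exchange Online transport rule. It assumes an existing Connect-ExchangeOnline session; the mailbox secops@contoso.com and the rule names are placeholders. The rules are created in audit modes so that false positives, the disadvantage listed under every option above, show up in the message trace before any message is actually held, diverted or deleted:

```powershell
# Added example (not from the original article): one transport rule per mail
# flow scenario, each paired with one of the actions discussed in the article.
# Assumptions: Connect-ExchangeOnline has been run; secops@contoso.com and the
# rule names are placeholders. Nothing is enforced until Mode is switched.

# Shared condition. AttachmentHasExecutableContent inspects the file content,
# so renaming notepad.exe to notepad.txt does not get past it.
$Condition = @{ AttachmentHasExecutableContent = $true }

# Scenario 1 - internal mail flow: less restrictive, record only.
# AuditAndNotify: disposition actions are not enforced, but incident reports still go out.
New-TransportRule -Name 'Attachment policy - internal executable content' @Condition `
    -FromScope InOrganization -SentToScope InOrganization `
    -GenerateIncidentReport 'secops@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetection `
    -Mode AuditAndNotify -Priority 0

# Scenario 2 - external sender to our users: Option 1 (quarantine) plus
# Option 4 (tell the recipient, so a false positive is noticed).
New-TransportRule -Name 'Attachment policy - inbound executable content' @Condition `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -Quarantine $true `
    -GenerateNotification 'A message from %%From%% with subject "%%Subject%%" was held because it carries an executable attachment. If you expect this file, ask the sender to deliver it another way.' `
    -Mode Audit -Priority 1

# Scenario 3 - our users to external recipients: Option 2 (divert to an admin
# mailbox for review before anything leaves the organization).
New-TransportRule -Name 'Attachment policy - outbound executable content' @Condition `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -RedirectMessageTo 'secops@contoso.com' `
    -Mode Audit -Priority 2

# Option 3 (delete) is the irreversible variant; left commented out on purpose.
# New-TransportRule -Name 'Attachment policy - delete inbound' @Condition `
#     -FromScope NotInOrganization -DeleteMessage $true -Mode Enforce

# Review what was created. After the audit period, enforce one rule at a time:
#   Set-TransportRule -Identity 'Attachment policy - inbound executable content' -Mode Enforce
Get-TransportRule | Where-Object Name -like 'Attachment policy - *' |
    Format-Table Name, Priority, Mode, State -AutoSize
```

Audit mode records the rule match without applying the action, which is what makes the false-positive disadvantage measurable instead of hypothetical. Note that the inbound notification goes to our own recipient only; a reply to the external sender would be sent to the From address, with the spoofing caveat noted under Option 4.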

Next article

In the next article, we will review how to create an Exchange Online transport rule that will enforce an E-mail attachment policy by “stopping” E-mail messages that include executable content.

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has One Comment

  1. Hi,

    We are concerned with compliance and our problem is the opposite.  What if people are deleting the attachments from their email?  We use third-party tools to archive mailboxes, and this deletion feature leaves a small loophole in the compliance policy.  Is there a way to prevent users from deleting their attachments?  Right now the only options I have are journaling & legal hold, both of which come with a LOT of overhead just to address this little loophole.

    Your input is appreciated,

    Eyad
