Skip to content

Manage E-mail attachment policy in Office 365 – Part 2#4

In the current article, we will review how to enforce an E-mail attachment policy by using Exchange Online transport rule.
The example that we will review in the current article is – an E-mail attachment policy that stops E-mail messages that have an executable content (executable attachment).

As we learn in the previous article, by default, Exchange Online will not use any type of mail message attachment policy besides the process of scanning incoming and outgoing E-mail message looking for an E-mail message that includes an attachment that considers as a malware.

Manage E-mail attachment policy in Office 365 | The article series

The article series include the following articles:

Choosing the “right” file attachment policy – Exchange Online transport rule

The available option when using an Exchange Online file attachment transport rule.

The Exchange Online transport rule includes a dedicated section that deals with the subject of “E-mail message attachment policy”.

In the current article, we will not review all the available options that we can use, but instead focus in three major options that are most commonly used:

  1. Block attachment that has been executable content – a policy in which we are prevented incoming and outgoing E-mail message that includes any type of ” executable attachment”. In this scenario, we are not related to the specific file extension, but instead of any type of executable attachment.
  2. Block E-mail that has an attachment with a specific file extension – a scenario in which we want to block only a specific file attachment type. In this scenario, we want to allow executable attachment but prevent or block only a specific executable attachment.
  3. Block E-mail that has an attachment that is password protected – an E-mail attachment that is protected by a password, cannot be scanned. In this scenario, we are not willing to allow incoming and outgoing E-mail message that includes an attachment that considers as a password protected.

What to do with an E-mail message that includes an attachment that is not a complaint with our E-mail message attachment policy.

Another part that we should consider when we design our E-mail message attachment policy is – the “action” that will be executed regarding attachment that is not a complaint with our E-mail message attachment policy.

For example – in a scenario, in which we dedicate an E-mail message that included an attachment that is not compliant with our E-mail message attachment policy what to do with the E-mail message?

  • Should we delete the E-mail message?
    Should we send the E-mail message to a quarantine (described as Hosted quarantine)?
  • Should we allow the E-mail message to be sent to the recipient mailbox, but mark the E-mail message as spam mail (raise the SCL value)?
  • Should we notify the originating recipient that his mail was blocked?
  • Should we notify the destination recipient that mail that was sent to him his mail was blocked because our E-mail message attachment policy?

Note – in the E-mail message attachment rule demonstration that will be provided in the next sections we will use the “action” of sending email messages with an attachment that is not a complaint with our E-mail message attachment policy to quarantine.

Using different our E-mail message attachment policy for our organization users vs. an external recipient

Another important question that we should ask is:

Should we use a different E-mail message attachment policy to E-mail messages that sent between our organization users vs. E-mail message that sent by external recipients?

The answer

As usually, there is no “one good answer”.

The “right -mail message attachment policy” depends on the specific organization needs and structure, and My main goal is just to expose the different available options and let you decide to regard what is the best solution for your specific needs.

General tip regarding Exchange Online transport rule that will enforce E-mail attachment policy

A very important tip regarding the process of creating an Exchange transport rule that will deal with an E-mail address with attachment is the subject of “more details”.

The “standard” Exchange Online transport rule includes by default a very limited option of settings that relate to the “mail attachment settings”

To be able to display the complete set of options that relate to “mail attachment settings” we should “activate” the transport rule option named – More options.

To be able to demonstrate this “issue”, we will use the following steps:

Login to Exchange admin

  • On the left bar menu, choose – mail flow
  • On the top bar menu, choose – rules
  • Click on the plus sign
  • Choose – Create a new rule…
Tip regarding Exchange Online transport rule for blocking E-mail with an attachment -01

Choose the option – Any attachment’s content includes…

Tip regarding Exchange Online transport rule for blocking E-mail with an attachment -02

In the following screenshot, we can see that the only option that is available for us is the option named – specify words or phrases.

To be able to “reveal” the additional useful options that relate to the management of file attachments, we will cancel the current windows and go back to the main rule wizard window.

Tip regarding Exchange Online transport rule for blocking E-mail with an attachment -03

All we need to do for adding the additional configuration settings is just click on the
More Options…” link

Tip regarding Exchange Online transport rule for blocking E-mail with an attachment -04

In the following screenshot, we can see that now, if we choose the menu  – Any attachment, a new submenu “appears” with a variety of configuration options which we can choose from.

Tip regarding Exchange Online transport rule for blocking E-mail with an attachment -05

Block E-mail attachments that have executable content

The main character of this E-mail attachment rule is that we would like to prevent any type of scenario, in which any element (Office 365 users and external recipient) will be able to send an E-mail message that includes an executable content.

For example, prevent the option in which Office 365 will be able to accept E-mail messages that include EXE file.

In addition, we would like also to prevent a scenario in which a hostile element, tries to “cover his tracks” by changing the file type extension from the original executable file type into an Innocent file type.
For example – rename the extension of a file named – notepad.exe to notepad.pdf

In other words, we are expecting from Exchange Online to be “smart” and implement a file scan which will “reveal” the file type based on the real file type and not only based on the name of the file extension.

Login to Exchange admin

  • On the left bar menu, choose – mail flow
  • On the top bar menu, choose – rules
  • Click on the plus sign
  • Choose – Create a new rule…
Exchange Online transport rule - Block attachment that has executable content -01

In the Name: text box, add a descriptive name for the rule that will be created.

In our specific scenario, we will use the name – Block attachment that has executable content

Exchange Online transport rule - Block attachment that has executable content -02

On the bottom part of the window, click on the option – More options…
(using the More Option… menu, is needed for displaying all of the available mail attachment rule options).

Exchange Online transport rule - Block attachment that has executable content -03

Under the *Apply this rule if…. choose the menu – Any attachment… in the sub menu that appear, choose the menu – has executable content.

Exchange Online transport rule - Block attachment that has executable content -04

The rule “action” part

In this part, we decide what is the specific action that will be implemented or enforced, in case that Exchange Online “capture” a specific E-mail message with an attachment that is not a complaint with our E-mail message attachment policy.

In our specific scenario, we decide to send the E-mail message to quarantine (described as Hosted quarantine).

The Exchange Online quarantine is a restricted area (part of the Exchange Online service) that is “accessible” for the mailbox owner and in addition, to the Exchange Online administrator.

In the section – Do the following… choose the menu Redirect the message to…. And, in the sub menu that appears, choose the menu hosted quarantine

Exchange Online transport rule - Block attachment that has executable content -05

In the following screenshot, we can see the “logic” of the Exchange Online transport rule.

The “top part” of the rule defines the condition that needs to occur.
The “bottom part” defines the action that will be execrated when a specific condition occurs.

Exchange Online transport rule - Block attachment that has executable content -06

Testing the Block attachment that has an executable content rule.

The rule that we have created should detect and stop every E-mail message that includes an executable attachment.
But what about a scenario in which a hostile element will change the file suffix from the executable suffix such an EXE into Innocent suffix such as PDF?

The answer is that the Exchange Online is “smart enough” to detect an executable attachment even if the file suffix was changed.

To be able to test this theory, we will implement the following test:

We will copy the notepad executable file into a temporary folder and change the file name suffix from the original suffix (exe) into PDF suffix.

Simulating hostile element that changing the file type extension -01

In the next step, we will send the file as an attachment.

Notice that Outlook mail client relates to the file as a PDF file.

Simulating hostile element that changing the file type extension -02

The last step is sending the E-mail message to some other Office 365 recipient and verifying if the E-mail message was sent to his mailbox or instead was captured by the Exchange Online E-mail attachment rule and was redirected to the quarantine.

Next article

In the next article, we will review how to create an Exchange Online transport rule, that will enforce an E-mail attachment policy on E-mail message by preventing E-mail messages that include an attachment with a specific file extension.

o365info Team

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *