Skip to content

Manage E-mail attachment policy in Office 365 – part 4#4

In the current article, we will review how to enforce an E-mail attachment policy by using Exchange Online transport rule.The examples that we will review in the current article are as follows:

  1. E-mail attachment policy that stops E-mail messages, that include a password-protected attachment. Each E-mail message that has this type of attachment will be sent to quarantine.
  2. E-mail attachment policy that stops E-mail messages, that include a password-protected attachment. Each E-mail message that has this type of attachment will be deleted and in addition, a notification message will be sent to the originating recipient + the destination recipient.

Manage E-mail attachment policy in Office 365 | The article series

The article series include the following articles:

Block E-mail that has an attachment that is password protected

In the following section, we will review how to create an Exchange Online transport rule, that will identify an E-mail message that includes a password-protected attachment.

The business “need” for protecting a specific file attachment using a password is to protect the file and prevent from non-authorize users to read the information, but at the same time, the password protection prevents from EOP to inspect and scan the attachment and verify that the attachment doesn’t include malware.

In case that we want to prevent such a scenario in which E-mail message includes password-protected file, we can create a dedicated rule that will block or send to quarantine.

To be able to create the required rule, use the following steps:

Login to Exchange admin

  • On the left bar menu, choose – mail flow
  • On the top bar menu, choose – rules
  • Click on the plus sign
  • Choose – Create a new rule…
Block E-mail message that have attachment that is password protected -01

In the Name: text box, add a descriptive name for the rule that will be created.

In our specific scenario we will use the name – Block E-mail with password protected attachment

On the bottom part of the window, click on the option – More options…
(using the More Option… menu is needed for displaying all of the available mail attachment rule options).

Block E-mail message that have attachment that is password protected -02

Under the *Apply this rule if…. choose the menu – Any attachment… in the sub menu that appear, choose the menu – Is password protected

Block E-mail message that have attachment that is password protected -03

The “action” rule part

In this part, we decide what is the specific action that will be implemented or enforced, in case that Exchange Online “capture” a specific E-mail message with an attachment that includes a password-protected file.

In our specific scenario, we decide to send the E-mail message to quarantine (described as Hosted quarantine).

In the section – Do the following… choose the menu Redirect the message to…. And, in the sub menu that appear, choose the menu hosted quarantine

Block E-mail message that have attachment that is password protected -04

In the following screenshot, we can see the “logic” of the Exchange Online transport rule.

The “top part” of the rule defines the condition that needs to occur.
The “bottom part” defines the action that will be execrated when a specific condition occurs.

Block E-mail message that have attachment that is password protected -05

Block E-mail that has an attachment that is password protected and send notification for the both of the recipients.

In the current section, we will demonstrate the power of the Exchange Online transport rule in creating a more advanced and sophisticated rule.

This time we want to define an attachment rule, that is based on the next logic:

In case that an E-mail message that includes a password-protected file attachment is sent to one of our organization recipients, we want to “activate” the following actions:

  1. The E-mail message will be blocked.
  2. An E-mail notification will be generated and sent to the “source recipient” notifying him that his E-mail message was blocked because it includes an attachment that violates the company policy.
  3. An E-mail notification will be generated and sent to the “destination recipient” notifying him that his E-mail message that was supposed to be sent to him was blocked because it includes an attachment that violates the company policy.
Block E-mail message and notify booth of the recipients -Source and destination

To be able to create the required rule, use the following steps:

Login to Exchange admin

  • On the left bar menu, choose – mail flow
  • On the top bar menu, choose – rules
  • Click on the plus sign
  • Choose – Create a new rule…
Block E-mail with password protected attachment and notify sender and recipient -00

In the Name: text box, add a descriptive name for the rule that will be created.

In our specific scenario, we will use the name – Block E-mail with password-protected + notify

On the bottom part of the window, click on the option – More options…
(using the More Option… menu is needed for displaying all the available mail attachment rule options).

Block E-mail with password protected attachment and notify sender and recipient -01

In the following section, define the condition that refers to the E-mail message that includes a password-protected attachment.

Under the *Apply this rule if…. choose the add condition option.

Block E-mail with password protected attachment and notify sender and recipient -02-a

Under the *Apply this rule if…. Choose the menu – Any attachment… in the sub menu that appears, choose the menu – Is password protected

Block E-mail with password protected attachment and notify sender and recipient -02-b

In the following section, define the condition that refers to the “destination recipient”.
In our scenario, we want to “activate” the rule when an E-mail message is sent to one of our organization recipients (internal recipient).
Under the *Apply this rule if…. choose the add condition option.

Block E-mail with password protected attachment and notify sender and recipient -03

Choose the option – The recipient… and in the sub menu that appear, choose the menu is an external / internal

Block E-mail with password protected attachment and notify sender and recipient -04

In the next window, choose the option – inside the organization

Block E-mail with password protected attachment and notify sender and recipient -05

In the following screenshot, we can see that, up until now, we have finished configuring the “condition” part of the rule.

Next, we will need to define “what will have happened” when the condition that we define is meet.

Block E-mail with password protected attachment and notify sender and recipient -06

The “action” rule part

In this part, we decide what is the specific action that will be enforced, in case that Exchange Online “capture” a specific E-mail message with an attachment that includes a password-protected file.

In our specific scenario, we decide to block E-mail message that includes an attachment that we cannot inspect (password-protected protected attachment).

The “response” will include three different “actions”

  1. Block the E-mail message that includes password protected.
  2. Send an E-mail notification to the recipient (source recipient) that sent the E-mail message.
  3. Send an E-mail notification to the recipient (internal recipient) that was supposed to get the E-mail message.

Now, we will define the action that will include these three different parts:

1. Send a notification to the source recipient

In the section – Do the following… choose the menu block the message…. And, in the sub menu that appears, choose the menu Reject the message and include an explanation

Block E-mail with password protected attachment and notify sender and recipient -07

The notification that we define we be sent to the “source recipient” meaning the originating of the E-mail message.

In our specific scenario, we will send a notification with the following message:

Our organization doesn’t accept E-mail message with attachment

Block E-mail with password protected attachment and notify sender and recipient -08

Next, we will need to add the additional action that will be implemented – notify the destination recipient.

Choose the option – add action

Block E-mail with password protected attachment and notify sender and recipient -09

Choose the menu option – Notify the recipient with a message…

Block E-mail with password protected attachment and notify sender and recipient -10

One of the nice options that are available for us when using a transport rule is the option to use “pre-defined fields” (variables) that will be included in the “response message”
for example, we can use the “%%From%%” as a variable that will include the name (display name and E-mail address) of the source recipient.

In addition, we can use and HTML tag that will enable us to format the text in the E-mail response message.

In the following section, you can see (and copy) and an example of a notification that will be sent to the destination recipient who should have got the E-mail message.

<p>Dear recipient (%%to%%) </p>

 

<p>Our organization mail attachment policy blocked E-mail message sent to you by <b>%%From%% </b> because, it contains an attachment. </p>

<p><u>Additional details</u></p>

<br> Sent by: %%From%% <br>

<br> Sent to: %%To%% <br>

<br> Mail subject: %%Subject%%<br>

<br> Message Date: %%MessageDate%% <br>

In the following screenshot, we can see the text that I have prepared.
I will copy the text and paste it in the section of – provide message text.

Block E-mail with password protected attachment and notify sender and recipient -11

In the window that appears past the text message that you want to send, to the destination recipient.

Block E-mail with password protected attachment and notify sender and recipient -12

In the following screenshot, we can see the “complete rule” that includes the condition and the actions that were defined in the previous steps.

Block E-mail with password protected attachment and notify sender and recipient -13

Testing the password-protected rule that we have created.

In this section, I would like to demonstrate the “result” of the rule that we have created in the previous section.

To be able to test the rule, we will use a simple mail message that will include a password-protected file.

Our expectation is that Exchange Online will block the E-mail message and will send a notification to the source + the destination recipients.

In the following screenshot, we can see the E-mail message that includes the password-protected attachment.

  • The source recipient is: Alice@o365pilot.com
  • The destination recipient is: Bobm@o365pilot.com
Block E-mail with password protected attachment and notify sender and recipient -14

1 . The mail notification that Exchange Online sends to the “source recipient”.

In the following screenshot, we can see the E-mail notification that sent to the originating of the E-mail message (Alice).

The E-mail notification that Exchange Online generates is clear and easy to understand (user-friendly).

The notice informs the sender that his E-mail message was blocked and, in addition, includes the ” explanation” that we have prepared in the previous step:

Our organization doesn’t accept E-mail message with attachment

Block E-mail with password protected attachment and notify sender and recipient -15

The following screenshot is the bottom part of the E-mail notification message that was sent to the source recipient.

We can see that the notification includes very detailed information such as the mail flow if the E-mail message, the mail servers who were involved in the process and so on.

Block E-mail with password protected attachment and notify sender and recipient -16

2. The mail notification that Exchange Online sends to the “destination recipient”.

In the following screenshot, we can see the mail notification that Exchange Online, send to the “destination recipient” (Bob in our scenario).

In the E-mail notification, we can see the “result” if the template that was had created in the previous step.

Block E-mail with password protected attachment and notify sender and recipient -17
o365info Team

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *