Office 365 in general is a bit lax when it comes to default protection out of the box. I’ve found that a lot of malicious attachments come through in the form of js files, scr, zips, [insert next exploitable attachment] they’re using.
As such i assembled the following two mail flow rules over the years of running Office 365 as a Silver Small and Midmarket Cloud solutions partner.
We hard fail on these rules and push them to the hosted quarantine, mainly as the users just tend to open them regardless of any modification to the email title.
As such you have 7 days to retrieve the mail if its a false positive.
- Block potential dangerous attachments.
- Block executable content.
Now these rules need to pretty much be at the top of the priority list
Name: Block executable content
Apply this rule if: includes an attachment with executable content
Do the following: Deliver the message to the hosted quarantine.
As a bit of background the block executable content rule is explained in detail here: https://blogs.msdn.microsoft.com/tzink/2014/04/08/blocking-executable-content-in-office-365-for-more-aggressive-anti-malware-protection/
Name: Block potential dangerous attachments.
Apply this rule if: any attachments file extension matches:
386
3gr
add
ade
asp
aspx
bas
bat
chm
cmd
com
cpl
crt
dbx
dll
exe
fon
hta
htm
html
img
inf
ins
iqy
iso
isp
js
jse
lnk
mdb
mde
msc
msi
msp
mst
ocx
one
pif
reg
scr
sct
shs
url
vb
vbe
vbs
vxd
wsc
wsf
wsh
Do the following: Deliver the message to the hosted quarantine.
The rule may need updating with attachments in the future however every time i’ve seen a warning / latest variant alert the list above has already covered it and protected against it. I’ve debated adding docm, xlsm and other macro enabled variants of the office formats however its far too likely to impact day to day operations – do so at your own peril.
You will also see that zips are left off the second rule, the first rule will catch the majority of malicious content inside zip files however the secondary list will cover other content inside zip files. So zipped photos inbound will be allowed, but a zipped SCR file would be blocked. Further details available here: https://technet.microsoft.com/en-us/library/jj919236(v=exchg.150).aspx
Edit: 2018-08-20 - Added additional file types: img, iqy.
Edit: 2021-03-16 - Added additional file types: htm, html, due to exploitation by phishing campaigns.
Edit: 2022-02-08 - Added additional file type: iso, one, due to exploitation.
Comments