How to reduce malware threats through file attachment blocking in Exchange Online Protection
Original KB number: 2959596
Summary
Most malware that enters an environment through email does so through an executable payload that's attached to an email message.
To reduce your risk from malware that may not be detected by Exchange Online Protection, you should enable file type blocking and file name extension blocking. This article describes how to do this.
Resolution
To create a rule to block attachments that contain executable content in Exchange Online Protection, follow these steps:
- Sign in to the Exchange admin center.
- Select mail flow, select rules, select New, and then select Create a new rule.
- In the Name box, specify a name for the rule, and then select More options.
- Under Apply this rule if, point to Any attachment, and then select has executable content near the bottom of the page.
- Under Do the following, point to Block the message, and then select the action that you want.
- Select save.
The following is a screenshot of a sample rule.
The system automatically detects file types by inspecting file properties rather than the file name extension. This helps prevent attackers from bypassing mail flow rule filtering by renaming a file's extension. For more information, see Use mail flow rules to inspect message attachments in Exchange Online.
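The same rule can be created from Exchange Online PowerShell. The following is an added example, not part of the original article; the rule name, reject text, status code and the choice to start in audit mode are assumptions, and it requires the ExchangeOnlineManagement module and an account that is allowed to manage mail flow rules.

```powershell
# Added example. The rule name, reject text and audit-first rollout are assumptions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

$ruleName = 'Block executable attachments'   # hypothetical rule name

# Create the rule only if no rule with this name exists yet.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    $params = @{
        Name                            = $ruleName
        # Same condition as "Any attachment > has executable content".
        AttachmentHasExecutableContent  = $true
        # Same action as "Block the message > reject the message and include an explanation".
        RejectMessageReasonText         = 'Executable attachments are not accepted.'
        RejectMessageEnhancedStatusCode = '5.7.1'
        # Audit mode logs matches without rejecting mail, so false positives
        # can be reviewed before the rule is enforced.
        Mode                            = 'Audit'
        Comments                        = 'Rejects messages whose attachments are detected as executable content.'
    }
    New-TransportRule @params
}

# Confirm the condition, action and mode that were actually stored.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, AttachmentHasExecutableContent,
                RejectMessageReasonText, RejectMessageEnhancedStatusCode

# After reviewing the audit results, switch the rule to enforcement:
# Set-TransportRule -Identity $ruleName -Mode Enforce

Disconnect-ExchangeOnline -Confirm:$false
```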
More information
Microsoft is continually updating its virus definition catalog based on submissions. However, to provide customers with the most immediate and effective defense, a file filter block policy is critical.
For more information about malware defense practices and strategies, see the following Microsoft resources:
- Configure anti-malware policies in EOP
- Anti-malware protection FAQ
- Submitting malware and non-malware to Microsoft for analysis