Use mail flow rules to inspect message attachments in Office 365

You can inspect email attachments in your Office 365 organization by setting up mail flow rules (also known as transport rules). Exchange Online offers mail flow rules that provide the ability to examine email attachments as a part of your messaging security and compliance needs. When you inspect attachments, you can then take action on the messages that were inspected based on the content or characteristics of those attachments. Here are some attachment-related tasks you can do by using mail flow rules:

  • Search for files with text that matches a pattern you specify, and add a disclaimer to the end of the message.

  • Inspect content within attachments and, if there are any keywords you specify, redirect the message to a moderator for approval before it's delivered.

  • Check for messages with attachments that can't be inspected and then block the entire message from being sent.

  • Check for attachments that exceed a certain size and then notify the sender of the issue if you choose to prevent the message from being delivered.

  • Check whether the properties of an attached Office document match the values that you specify. With this condition, you can integrate the requirements of your mail flow rules and DLP policies with a third-party classification system, such as SharePoint Server 2013 or Windows Server 2012 R2 File Classification Infrastructure (FCI).

  • Create notifications that alert users if they send a message that has matched a mail flow rule.

  • Block all messages containing attachments. For examples, see Common attachment blocking scenarios for mail flow rules.

Note

All of these conditions will scan compressed archive attachments.

Exchange Online admins can create mail flow rules in the Exchange admin center (EAC) at Mail flow > Rules. You need to be assigned permissions before you can perform this procedure. After you start to create a new rule, you can see the full list of attachment-related conditions by clicking More options > Any attachment under Apply this rule if. The attachment-related options are shown in the following diagram.

List of conditions for attachments

For more information about mail flow rules, including the full range of conditions and actions that you can choose, see Mail flow rules (transport rules) in Exchange Online. Exchange Online Protection (EOP) and hybrid customers can benefit from the mail flow rules best practices provided in Best Practices for Configuring EOP. If you're ready to start creating rules, see Manage mail flow rules.

Inspect the content within attachments

You can use the mail flow rule conditions in the following table to examine the content of attachments to messages. For these conditions, only the first one megabyte (MB) of text extracted from an attachment is inspected. Note that the 1 MB limit refers to the extracted text, not the file size of the attachment. For example, a 2 MB file may contain less than 1 MB of text, so all of the text would be inspected.

In order to start using these conditions when inspecting messages, you need to add them to a mail flow rule. Learn about creating or changing rules at Manage mail flow rules.

Condition name in the EAC Condition name in Exchange Online PowerShell Description
Any attachment's content includes
Any attachment > content includes any of these words
AttachmentContainsWords This condition matches messages with supported file type attachments that contain a specified string or group of characters.
Any attachment's content matches
Any attachment > content matches these text patterns
AttachmentMatchesPatterns This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression.
Any attachment's content can't be inspected
Any attachment > content can't be inspected
AttachmentIsUnsupported Mail flow rules only can inspect the content of supported file types. If the mail flow rule encounters an attachment that isn't supported, the AttachmentIsUnsupported condition is triggered. The supported file types are described in the next section.

Notes:

The conditions names in Exchange Online PowerShell are parameters names on the New-TransportRule and Set-TransportRule cmdlets. For more information, see New-TransportRule.

Learn more about property types for these conditions at Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule conditions and exceptions (predicates) in Exchange Online Protection.

To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.

Supported file types for mail flow rule content inspection

The following table lists the file types supported by mail flow rules. The system automatically detects file types by inspecting file properties rather than the actual file name extension, thus helping to prevent malicious hackers from being able to bypass mail flow rule filtering by renaming a file extension. A list of file types with executable code that can be checked within the context of mail flow rules is listed later in this topic.

Category File extension Notes
Office 2007 and later .docm, .docx, .pptm, .pptx, .pub, .one, .xlsb, .xlsm, .xlsx Microsoft OneNote and Microsoft Publisher files aren't supported by default.
The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected.
Office 2003 .doc, .ppt, .xls None
Additional Office files .rtf, .vdw, .vsd, .vss, .vst None
Adobe PDF .pdf None
HTML .html None
XML .xml, .odp, .ods, .odt None
Text .txt, .asm, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, inf, .ini, inx, .js, .log, .m3u, .pl, .rc, .reg, .txt, .vbs, .wtx None
OpenDocument .odp, .ods, .odt No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected.
AutoCAD Drawing .dxf AutoCAD 2013 files aren't supported.
Image .jpg, .tiff Only the metadata text associated with these image files is inspected. There is no optical character recognition.
Compressed archive files .bz2, cab, .gz, .rar, .tar, .zip, .7z The content of these files, which were originally in a supported file type format, are inspected and processed in a manner similar to messages that have multiple attachments. The properties of the compressed archive file itself are not inspected. For example, if the container file type supports comments, that field isn't inspected.

Inspect the file properties of attachments

The following conditions can be used in mail flow rules to inspect different properties of files that are attached to messages. In order to start using these conditions when inspecting messages, you need to add them to a mail flow rule. For more information about creating or changing rules, see Manage mail flow rules.

Condition name in the EAC Condition name in Exchange Online PowerShell Description
Any attachment's file name matches
Any attachment > file name matches these text patterns
AttachmentNameMatchesPatterns This condition matches messages with attachments whose file name contains the characters you specify.
Any attachment's file extension matches
Any attachment > file extension includes these words
AttachmentExtensionMatchesWords This condition matches messages with attachments whose file name extension matches what you specify.
Any attachment is greater than or equal to
Any attachment > size is greater than or equal to
AttachmentSizeOver This condition matches messages with attachments when those attachments are greater than or equal to the size you specify.
The message didn't complete scanning
Any attachment > didn't complete scanning
AttachmentProcessingLimitExceeded This condition matches messages when an attachment is not inspected by the mail flow rules agent.
Any attachment has executable content
Any attachment > has executable content
AttachmentHasExecutableContent This condition matches messages that contain executable files as attachments. The supported file types are listed here.
Any attachment is password protected
Any attachment > is password protected
AttachmentIsPasswordProtected This condition matches messages with attachments that are protected by a password. Password detection only works for Office documents and .zip files.
Any attachment has these properties, including any of these words
Any attachment > has these properties, including any of these words
AttachmentPropertyContainsWords This condition matches messages where the specified property of the attached Office document contains specified words. A property and its possible values are separated with a colon. Multiple values are separated with a comma. Multiple property/value pairs are also separated with a comma.

Notes:

The conditions names in Exchange Online PowerShell are parameters names on the New-TransportRule and Set-TransportRule cmdlets. For more information, see New-TransportRule.

Learn more about property types for these conditions at Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule conditions and exceptions (predicates) in Exchange Online Protection.

To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.

Supported executable file types for mail flow rule inspection

The mail flow rules use true type detection to inspect file properties rather than merely the file extensions. This helps to prevent malicious hackers from being able to bypass your rule by renaming a file extension. The following table lists the executable file types supported by these conditions. If a file is found that is not listed here, the AttachmentIsUnsupported condition is triggered.

Type of file Native extension
32-bit Windows executable file with a dynamic link library extension. .dll
Self-extracting executable program file. .exe
Uninstallation executable file. .exe
Program shortcut file. .exe
32-bit Windows executable file. .exe
Microsoft Visio XML drawing file. .vxd
OS/2 operating system file. .os2
16-bit Windows executable file. .w16
Disk-operating system file. .dos
European Institute for Computer Antivirus Research standard antivirus test file. .com
Windows program information file. .pif
Windows executable program file. .exe

Important

.rar (self-extracting archive files created with the WinRAR archiver), .jar (Java archive files), and .obj (compiled source code, 3D object, or sequence files) files are not considered to be executable file types. To block these files, you can use mail flow rules that look for files with these extensions as described earlier in this topic, or you can configure an antimalware policy that blocks these file types (the common attachment types filter). For more information, see Configure Anti-Malware Policies.

Data loss prevention policies and attachment mail flow rules

To help you manage important business information in email, you can include any of the attachment-related conditions along with the rules of a data loss prevention (DLP) policy.

DLP policies and attachment-related conditions can help you enforce your business needs by defining those needs as mail flow rule conditions, exceptions, and actions. When you include the sensitive information inspection in a DLP policy, any attachments to messages are scanned for that information only. However, attachment-related conditions such as size or file type are not included until you add the conditions listed in this topic. DLP is not available with all versions of Exchange; learn more at Data loss prevention.

For more information

For information on broadly blocking email with attachments, regardless of malware status, see Reducing Malware Threats Through File Attachment Blocking in Exchange Online Protection.