Use mail flow rules to inspect message attachments in Exchange Online

You can inspect email attachments in your Exchange Online organization by setting up mail flow rules (also known as transport rules). Exchange Online offers mail flow rules that allow you to examine email attachments as a part of your messaging security and compliance needs. When you inspect attachments, you can then take action on the messages that were inspected based on the content or characteristics of those attachments. Here are some attachment-related tasks you can do by using mail flow rules:

  • Search for files with text that matches a pattern you specify, and add a disclaimer to the end of the message.

  • Inspect content within attachments and, if there are any keywords you specify, redirect the message to a moderator for approval before it's delivered.

  • Check for messages with attachments that can't be inspected and then block the entire message from being sent.

  • Check for attachments that exceed a certain size and then notify the sender of the issue, if you choose to prevent the message from being delivered.

  • Check whether the properties of an attached Office document match the values that you specify. With this condition, you can integrate the requirements of your mail flow rules and DLP policies with a third-party classification system, such as SharePoint or the Windows Server File Classification Infrastructure (FCI).

  • Create notifications that alert users if they send a message that has matched a mail flow rule.

  • Block all messages containing attachments. For examples, see Common attachment blocking scenarios for mail flow rules in Exchange Online.

Note

All of these conditions will scan compressed archive attachments.

Exchange Online admins can create mail flow rules in the Exchange admin center (EAC) at Mail flow > Rules. You need permissions to do this procedure. After you start to create a new rule, you can see the full list of attachment-related conditions by clicking More options > Any attachment under Apply this rule if. The attachment-related options are shown in the following diagram.

List of conditions for attachments

For more information about mail flow rules, including the full range of conditions and actions that you can choose, see Mail flow rules (transport rules) in Exchange Online. Exchange Online Protection (EOP) and hybrid customers can benefit from the mail flow rules best practices provided in Best Practices for Configuring EOP. If you're ready to start creating rules, see Manage mail flow rules in Exchange Online.

Inspect the content within attachments

You can use the mail flow rule conditions in the following table to examine the content of message attachments. For these conditions, only the first 1 megabyte (MB) of text extracted from an attachment is inspected. The 1 MB limit refers to the extracted text, not the file size of the attachment. For example, a 2 MB file may contain less than 1 MB of text, so all of the text would be inspected.

To start using these conditions when inspecting messages, you need to add them to a mail flow rule. Learn about creating or changing rules at Manage mail flow rules in Exchange Online.

| Condition name in the EAC | Condition name in Exchange Online PowerShell | Description |
|---|---|---|
| Any attachment's content includes / Any attachment > content includes any of these words | AttachmentContainsWords | This condition matches messages with supported file type attachments that contain a specified string or group of characters. |
| Any attachment's content matches / Any attachment > content matches these text patterns | AttachmentMatchesPatterns | This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression. |
| Any attachment's content can't be inspected / Any attachment > content can't be inspected | AttachmentIsUnsupported | Mail flow rules can only inspect the content of supported file types. If the mail flow rule finds an attachment that isn't supported, the AttachmentIsUnsupported condition is triggered. The supported file types are described in the next section. |

Supported file types for mail flow rule content inspection

The following table lists the file types supported by mail flow rules. The system automatically detects file types by inspecting file properties rather than the actual file name extension, thus helping to prevent malicious hackers from being able to bypass mail flow rule filtering by renaming a file extension. A list of file types with executable code that can be checked within the context of mail flow rules is listed later in this article.

| Category | File extension | Notes |
|---|---|---|
| Office 2007 and later | .docm, .docx, .pptm, .pptx, .pub, .one, .xlsb, .xlsm, .xlsx | Microsoft OneNote and Microsoft Publisher files aren't supported by default. The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected. |
| Office 2003 | .doc, .ppt, .xls | None |
| Other Office files | .rtf, .vdw, .vsd, .vss, .vst | None |
| Adobe PDF | .pdf | None |
| HTML | .html | None |
| XML | .xml, .odp, .ods, .odt | None |
| Text | .txt, .asm, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .pl, .rc, .reg, .txt, .vbs, .wtx | None |
| OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected. |
| AutoCAD Drawing | .dxf | AutoCAD 2013 files aren't supported. |
| Image | .jpg, .tiff | Only the metadata text associated with these image files is inspected. There's no optical character recognition. |
| Compressed archive files | .bz2, .cab, .gz, .rar, .tar, .zip, .7z | The contents of these files that were originally in a supported file type format are inspected and processed in a manner similar to messages that have multiple attachments. The properties of the compressed archive file itself aren't inspected. For example, if the container file type supports comments, that field isn't inspected. |
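
The two content-inspection tasks described above, pairing a pattern rule with a rule for attachments that can't be inspected, can be set up in Exchange Online PowerShell as follows. This is an added example, not part of the original article; it assumes a connected session, and the rule names, moderator address and pattern are hypothetical.

```powershell
# Added example, not from the original article. Assumes a connected session
# (Connect-ExchangeOnline). Rule names, the moderator address and the
# pattern are hypothetical.

# Rule 1: hold messages for approval when extracted attachment text matches
# a pattern. Only the first 1 MB of extracted text is inspected, so a match
# further into a large document is not seen by this rule.
$moderate = @{
    Name                      = 'Attachments - pattern match needs approval'
    AttachmentMatchesPatterns = '\d\d\d-\d\d-\d\d\d\d'
    ModerateMessageByUser     = 'moderator@contoso.com'
    Mode                      = 'Audit'   # log what the rule would do first
    SetAuditSeverity          = 'Medium'
}
New-TransportRule @moderate

# Rule 2: a content rule cannot match text it cannot read. Reject messages
# that carry an attachment of an unsupported file type, so they do not pass
# simply because Rule 1 had nothing to inspect.
$unsupported = @{
    Name                            = 'Attachments - content cannot be inspected'
    AttachmentIsUnsupported         = $true
    RejectMessageReasonText         = 'An attachment could not be inspected.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    Mode                            = 'Audit'
    SetAuditSeverity                = 'High'
}
New-TransportRule @unsupported

# Show both rules with their mode and evaluation order.
Get-TransportRule |
    Where-Object Name -like 'Attachments - *' |
    Format-Table Name, Mode, State, Priority
```

Both rules start in Audit mode; once the logged matches look right, switch each one with Set-TransportRule -Mode Enforce.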

Inspect the file properties of attachments

The following conditions can be used in mail flow rules to inspect different properties of files that are attached to messages. To start using these conditions when inspecting messages, you need to add them to a mail flow rule. For more information about creating or changing rules, see Manage mail flow rules.

| Condition name in the EAC | Condition name in Exchange Online PowerShell | Description |
|---|---|---|
| Any attachment's file name matches / Any attachment > file name matches these text patterns | AttachmentNameMatchesPatterns | This condition matches messages with attachments whose file name contains the characters you specify. |
| Any attachment's file extension matches / Any attachment > file extension includes these words | AttachmentExtensionMatchesWords | This condition matches messages with attachments whose file name extension matches what you specify. |
| Any attachment is greater than or equal to / Any attachment > size is greater than or equal to | AttachmentSizeOver | This condition matches messages with attachments when those attachments are greater than or equal to the size you specify. Note: This condition refers to the sizes of individual attachments, not the cumulative size. For example, if you set a rule to reject any attachment that is 10 MB or greater, a single attachment with a size of 15 MB will be rejected, but a message with three 5 MB attachments will be allowed. |
| The message didn't complete scanning / Any attachment > didn't complete scanning | AttachmentProcessingLimitExceeded | This condition matches messages when an attachment is not inspected by the mail flow rules agent. |
| Any attachment has executable content / Any attachment > has executable content | AttachmentHasExecutableContent | This condition matches messages that contain executable files as attachments. The supported file types are listed here. |
| Any attachment is password protected / Any attachment > is password protected | AttachmentIsPasswordProtected | This condition matches messages with attachments that are protected by a password. Password detection only works for Office documents, .zip files, and .7z files. |
| Any attachment has these properties, including any of these words / Any attachment > has these properties, including any of these words | AttachmentPropertyContainsWords | This condition matches messages where the specified property of the attached Office document contains specified words. A property and its possible values are separated with a colon. Multiple values are separated with a comma. Multiple property/value pairs are also separated with a comma. |
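
The file-property conditions in the table above can be combined into a small rule set that covers attachments the rules agent did not or could not read, the per-attachment size check, and the property:value syntax. This is an added example, not part of the original article; it assumes a connected Exchange Online PowerShell session, and the rule names, the 10 MB threshold and the "Classification" property with its values are hypothetical.

```powershell
# Added example, not from the original article. Assumes a connected session
# (Connect-ExchangeOnline). Rule names, the 10 MB threshold and the
# "Classification" property with its values are hypothetical.

# Conditions inside one rule are combined with AND, so each "could not be
# inspected" case gets its own rule.
$notInspected = [ordered]@{
    AttachmentProcessingLimitExceeded = 'attachment did not complete scanning'
    AttachmentIsPasswordProtected     = 'attachment is password protected'
}
foreach ($condition in $notInspected.Keys) {
    $rule = @{
        Name             = "Attachments - $($notInspected[$condition])"
        Quarantine       = $true
        Mode             = 'Audit'   # log matches only until reviewed
        SetAuditSeverity = 'High'
    }
    $rule[$condition] = $true
    New-TransportRule @rule
}

# Size is evaluated per attachment: one 15 MB file matches, three 5 MB
# files in the same message do not.
$size = @{
    Name                    = 'Attachments - single file 10 MB or larger'
    AttachmentSizeOver      = 10MB
    RejectMessageReasonText = 'An attachment is 10 MB or larger.'
    Mode                    = 'Audit'
}
New-TransportRule @size

# Office document property syntax: "Property:value1,value2".
$property = @{
    Name                            = 'Attachments - classified Office document'
    AttachmentPropertyContainsWords = 'Classification:Confidential,Restricted'
    SentToScope                     = 'NotInOrganization'
    RejectMessageReasonText         = 'Classified documents cannot be sent externally.'
    Mode                            = 'Audit'
}
New-TransportRule @property
```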

Supported executable file types for mail flow rule inspection

The mail flow rules use true type detection to inspect file properties rather than merely the file extensions. This helps to prevent malicious hackers from being able to bypass your rule by renaming a file extension. The following table lists the executable file types supported by these conditions. If a file is found that isn't listed here, the AttachmentIsUnsupported condition is triggered.

| Type of file | Native extension |
|---|---|
| 32-bit Windows executable file with a dynamic link library extension. | .dll |
| Self-extracting executable program file. | .exe |
| Uninstallation executable file. | .exe |
| Program shortcut file. | .exe |
| 32-bit Windows executable file. | .exe |
| Microsoft Visio XML drawing file. | .vxd |
| OS/2 operating system file. | .os2 |
| 16-bit Windows executable file. | .w16 |
| Disk-operating system file. | .dos |
| European Institute for Computer Antivirus Research standard antivirus test file. | .com |
| Windows program information file. | .pif |
| Windows executable program file. | .exe |

Important

.rar (self-extracting archive files created with the WinRAR archiver), .jar (Java archive files), and .obj (compiled source code, 3D object, or sequence files) files are not considered to be executable file types. To block these files, you can use mail flow rules that look for files with these extensions as described earlier in this topic, or you can configure an antimalware policy that blocks these file types (the common attachment types filter). For more information, see Configure anti-malware policies in EOP.
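
Because .rar, .jar and .obj files are not matched by the executable-content condition, a deployment that blocks executables needs a second, extension-based rule beside it. The following is an added example, not part of the original article; it assumes a connected Exchange Online PowerShell session, and the rule names, rejection text and the helper function Set-AttachmentRulesEnforced are hypothetical.

```powershell
# Added example, not from the original article. Assumes a connected session
# (Connect-ExchangeOnline). Rule names, rejection text and the helper
# function name are hypothetical.

# Rule 1: executable types found by true type detection (see table above).
$executable = @{
    Name                            = 'Executables - detected by file type'
    AttachmentHasExecutableContent  = $true
    RejectMessageReasonText         = 'Executable attachments are not accepted.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    Mode                            = 'Audit'   # log matches only at first
    SetAuditSeverity                = 'High'
}
New-TransportRule @executable

# Rule 2: the three types the article says are NOT treated as executable.
# This condition matches on the file name extension of the attachment.
$byExtension = @{
    Name                            = 'Executables - rar, jar, obj by extension'
    AttachmentExtensionMatchesWords = 'rar', 'jar', 'obj'
    RejectMessageReasonText         = 'This attachment type is not accepted.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    Mode                            = 'Audit'
    SetAuditSeverity                = 'High'
}
New-TransportRule @byExtension

# Hypothetical helper: call it after reviewing the audited matches to move
# both rules from Audit to Enforce.
function Set-AttachmentRulesEnforced {
    Get-TransportRule |
        Where-Object Name -like 'Executables - *' |
        ForEach-Object { Set-TransportRule -Identity $_.Name -Mode Enforce }
}

# Show the rules with their current mode and evaluation order.
Get-TransportRule |
    Where-Object Name -like 'Executables - *' |
    Format-Table Name, Mode, State, Priority
```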

Data loss prevention policies and attachment mail flow rules

To help you manage important business information in email, you can include any of the attachment-related conditions along with the rules of a data loss prevention (DLP) policy.

DLP policies and attachment-related conditions can help you enforce your business needs by defining those needs as mail flow rule conditions, exceptions, and actions. When you include the sensitive information inspection in a DLP policy, any attachments to messages are scanned for that information only. However, attachment-related conditions such as size or file type aren't included until you add the conditions listed in this article. DLP isn't available with all versions of Exchange; learn more at Data loss prevention.

For more information

For information on broadly blocking email with attachments, regardless of malware status, see Use mail flow rules to block messages with executable attachments in EOP.