SEE BELOW FOR UPDATES
Original Post 16.10.2014:
________________________________________________________________________________________
Today, I was working with a nice PSS chap in Microsoft (Hi there Om Prakash Nath!)
We were both working on a problem we were having where transport rules in Microsoft Office 365 were not correctly blocking executable attachments within emails to our clients. This is something of a vital requirement nowadays with the likes of Cryptolocker, and ZIP attachments with SCR scripts and the like.
Bottom line of our problem is that the two articles on the web that describe how this SHOULD work do not, in fact, work. In one case a client literally had all their mail blocked when using one method, attachment or not!
The first article we followed was this:
http://social.technet.microsoft.com/wiki/contents/articles/24715.office-365-block-incoming-attachments-cryptolocker-and-other-email-transit-virus.aspx
The second this:
Both ended up with all sorts of strangeness, including not working at all and also blocking EVERYTHING for some customers! Not cool at all.
I opened a case with Microsoft, and we worked through the problem. The only sure method we got working correctly was to use Powershell to connect to the tenant and then to run the following command:
REMOVED – SEE BELOW
After about 15 minutes, this worked without fail, including messages that had ZIP attachments with executable content within.
Hope it works for you too!
Update: 18.10.2014
After more testing, I noticed that some executable attachments, including SCR files, in ZIPs were still getting through even with the instructions below. I then checked and found that the Office 365 filtering only blocks the following executables, and checks more than just the extension (it checks to see that it is, in fact, an executable).
Below is a list of the extensions that the Office 365 scanner (as of today) detects with my original command in this post.
| Extension | Description |
|-----------|-------------|
| .rar | Self-extracting archive file created with the WinRAR archiver |
| .dll | 32-bit Windows executable file with dynamic link library extension |
| .exe | Self-extracting executable program file |
| .jar | Java archive file |
| .exe | Un-installation executable file |
| .exe | Program shortcut file |
| .obj | Compiled source code file or 3D object file or sequence file |
| .exe | 32-bit Windows executable file |
| .vxd | Microsoft Vizio XML drawing file |
| .os2 | OS/2 operating system file |
| .w16 | 16-bit Windows executable file |
| .dos | Disk-operating system file |
| .com | European Institute for Computer Antivirus Research standard anti-virus test file |
| .pif | Windows program information file |
| .exe | Windows executable program file |
So, that explains why the SCR gets past the scanner. It's not on the list above...
To fix this, we are going to need a second rule, and I will shortly post that here in a Powershell command as well! I promise to be back in 48 hours or so….
Update: 19.10.2014
OK, back as promised. Man, the documentation sucks for this….
Here are the two commands, which you can enter in powershell (and add extensions as you see fit) in the following order…
This is the rule for blocking attachments that have executable content.
New-TransportRule -Name 'Rule 2 - Block Executable Content MS Standard' -Priority '0' -Enabled $true -AttachmentHasExecutableContent $True -RejectMessageReasonText 'Block Rule 2 - Sorry your mail was blocked because it contained executable content' -StopRuleProcessing $true -SetAuditSeverity Low -SenderAddressLocation HeaderOrEnvelope
This is the rule for blocking attachments whose file extension matches any entry in the list you give it. Each extension should be in quotes, separated by commas...
New-TransportRule -Name 'Rule 1 - Block Attachments Rule - Extensions' -Priority '0' -Enabled $true -AttachmentExtensionMatchesWords 'vbs','scr' -RejectMessageReasonText 'Block Rule 1 - Sorry your mail was blocked because it contained executable content.' -StopRuleProcessing $true -SetAuditSeverity Low -SenderAddressLocation HeaderOrEnvelope
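As an added example (not code from the original post), the script below creates both rules in the prescribed order, or updates them if they already exist, and then lists the resulting priorities so the ordering can be checked. It assumes the ExchangeOnlineManagement module's Connect-ExchangeOnline cmdlet (the post used remote PowerShell instead) and uses a constructed extension list that you should adjust to your own needs.

```powershell
# Added example, not from the original post: create (or update) the two rules
# described above in a repeatable way and then show the resulting priorities.
# Assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline); the
# original post connected with remote PowerShell instead.

# Constructed extension list: the post's 'vbs','scr' plus common script types.
$blockedExtensions = @('vbs', 'scr', 'js', 'jse', 'wsf', 'wsh', 'hta', 'bat', 'cmd', 'pif')

# Rule 2 first, then Rule 1: each is created at priority 0, so the second one
# created pushes the first down, leaving Rule 1 at 0 and Rule 2 at 1 as the post prescribes.
$rules = @(
    @{
        Name      = 'Rule 2 - Block Executable Content MS Standard'
        Condition = @{ AttachmentHasExecutableContent = $true }   # type-based check by the scanner
        Reason    = 'Block Rule 2 - Sorry your mail was blocked because it contained executable content'
    },
    @{
        Name      = 'Rule 1 - Block Attachments Rule - Extensions'
        Condition = @{ AttachmentExtensionMatchesWords = $blockedExtensions }  # name-based list
        Reason    = 'Block Rule 1 - Sorry your mail was blocked because it contained executable content.'
    }
)

# Settings shared by both rules (Enabled is only a New-TransportRule parameter).
$common = @{
    Priority              = 0
    StopRuleProcessing    = $true
    SetAuditSeverity      = 'Low'
    SenderAddressLocation = 'HeaderOrEnvelope'
}

Connect-ExchangeOnline

foreach ($rule in $rules) {
    $condition = $rule.Condition
    if (Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue) {
        # Rule already exists (e.g. a re-run): update it instead of creating a duplicate.
        Set-TransportRule -Identity $rule.Name @common @condition -RejectMessageReasonText $rule.Reason
    } else {
        New-TransportRule -Name $rule.Name -Enabled $true @common @condition -RejectMessageReasonText $rule.Reason
    }
}

# Verify ordering; remember the post's advice that changes take up to an hour to apply.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```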
Lastly
It is important to wait about 60 minutes before you absolutely say to yourself "this didn't work". The Office 365 filters take some time to kick in, remove themselves and add themselves! Give it time, have a cup of coffee and come back and check!
Files
Here is a ZIP file with an EXE in it (Regedit.exe) and here is a ZIP file with a dummy SCR Screensaver file in it, which you can test with from an external account.
How do we block scripts? Some viruses are coming through VBS, JS, CHM files etc. nowadays
Hi Tim
Just add those extensions to the second rule. Wait 60 mins.
This works like a charm…!!
I added some extra extensions and works perfectly…
Thank you for the research done to provide us with the solution.
Hi, Great work really helped me but I have some feedback. The above command doesn’t generate a bounce back message to the sender. Any chance it can be resolved. Cheers!
Excellent! is there a way silently block the email?
Those powershell commands worked great – I added zip (and it also blocks all ZIP files even if they contain documents, which is fine.)
Pity this doesn't work on Office 365 Small Business plans because they do not contain configurable Transport Rules
http://community.office365.com/en-us/f/158/t/232702.aspx
If anyone knows another way to block them without the transport rules I'd be very interested.
You are able to migrate to the NEW Office 365 Business Plans (instead of the old Small Business or Medium Business Plans) and they do support all the functionality of Enterprise – including – finally – Transport Rules.
http://justworks.ca/blog/office-365-small-business-plans-now-on-par-with-enterprise?rq=365
Unfortunately, getting migrated can be a bit of a pain in the butt until October 2015 when all tenants will be automatically migrated
I don't believe they are, contrary to the article. I've just tested a new Office 365 Business Premium plan and still no support for New-TransportRule
Correction – I can confirm it’s working for Exchange Online p1 and Office 365 Business.
I chose to block the same file extensions as Gmail.
.ade, .adp, .bat, .chm, .cmd, .com, .cpl, .exe, .hta, .ins, .isp, .jar, .jse, .lib, .lnk, .mde, .msc, .msp, .mst, .pif, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh
(https://support.google.com/mail/answer/6590?hl=en)
Looks good. While Outlook and OWA have a long history of blocking attachments, the weakness has always been things like zips and rars, so this solves that.
I wonder, though, as long as you’re including a comprehensive list (like, for example, the Gmail extension list in the preceding comment), when would Rule 2 ever be used? In the very narrow case where a new executable extension comes along that MS knows about but that we didn’t configure in Rule 1? I’d be curious what their updated default list is and if it’s any different now than what was included in the article. I haven’t run across it, though.
Built-in soon?!
http://blogs.technet.com/b/eopfieldnotes/archive/2015/08/19/common-attachment-blocking-cab-is-coming-to-eop.aspx
We will be migrating to O365 in the next few months. Recently, we've been hit with phishing scams that contain an HTML file attachment that looks like a login page on the web to unsuspecting users, who in turn give up their credentials to the hacker who sent the phishing message. I realize that this article deals with executable attachments, but is there a way to block HTML attachments?
Block Rule 1, for dubious extensions in ZIP files, used to work for me – but now I've just tested it across some O365 tenants and it no longer seems to work – is anyone else noticing this? Is it just me? Or could this have something to do with Microsoft's long-awaited 'Common Attachment Blocking'?
Rule 2 not applying as of Jan 28 2016, but Rule 1 does. Am an E3 and E1 tenant.
Powershell just sits there with >> on the next line. Tried changing priority to 5, didn't work, tried reducing the extensions list also.
Noticed a version # in the Rules page of EAC, 15.0.1.1, while older rules are 14.0.0..
Seems to not be working now. I’ve tried adding and modifying the rule via the GUI and PS. Waited hours and a zip with a .js file inside gets through. Any thoughts anyone?
I’ve asked via Twitter.
https://twitter.com/nickwhittome/status/671810579531743232
Retweet that… get some attention I hope. I have not confirmed it is or is not working yet….
This is scary…I’ve already had an educated user send me an email that got through with a .js in a zip. VirusTotal reported the file was a Crypto variant. Trying to figure this out my self…
Hold that. I just successfully tested (blocked as it should) with a valid .js file in a .zip attachment. Before I had been testing with a text file just renamed with .js as the extension. When I grabbed a valid .js from an application on my machine, zipped and sent, the message was rejected. Seems it's more sophisticated than just looking at the .xxx of the zipped attachment. I'm going to continue to test however.
Thanks and sorry for any confusion.
Great article. While I am not a fan of Powershell sometimes it is the only way to resolve issues.
I have had the pleasure of working with Om Prakash Nath over the last couple of years. He has never failed to find a solution to an issue. He is my “go to” when I reach an impasse in Office 365.
Great stuff. Despite the talk of adding this into O365 by default, I’m still not seeing it.
So I’m trying the scripts above. My question is: Can I send the emails to a quarantine instead of just deleting/rejecting? I’d like to add “.zip” files to the extension block but there’s occasionally a need for allowing them..I’d rather just release them from quarantine instead of re-doing rules.
What’s the command if I want to send to send all of the flagged messages to Quarantine instead of reject/delete?
Would hang with multiple extensions in the command, but would succeed with one extension, – then add extra extensions from the rules page in the GUI on admin portal.
Hey, I think your blog might be having browser compatibility issues.
When I look at your blog site in Safari, it looks fine
but when opening in Internet Explorer, it has some overlapping.
I just wanted to give you a quick heads up! Other than that, superb blog!