Blocking Executable Attachments (even in ZIP files) on Office 365 – Updated!


SEE BELOW FOR UPDATES

Original Post 16.10.2014:

________________________________________________________________________________________

Today, I was working with a nice PSS chap in Microsoft (Hi there Om Prakash Nath!)

We were both working on a problem where transport rules in Microsoft Office 365 were not correctly blocking executable attachments within emails to our clients. This is something of a vital requirement nowadays, with the likes of Cryptolocker, and ZIP attachments containing SCR files and the like.

The bottom line of our problem is that two articles on the web that describe how this SHOULD work do not seem to work. In one case a client literally had all their mail blocked when using one method, attachment or not!

The first article we followed was this:
http://social.technet.microsoft.com/wiki/contents/articles/24715.office-365-block-incoming-attachments-cryptolocker-and-other-email-transit-virus.aspx

The second this:

http://blogs.msdn.com/b/tzink/archive/2014/04/08/blocking-executable-content-in-office-365-for-more-aggressive-anti-malware-protection.aspx

Both ended up with all sorts of strangeness, including not working at all and also blocking EVERYTHING for some customers! Not cool at all.

I opened a case with Microsoft, and we worked through the problem. The only sure method we got working correctly was to use PowerShell to connect to the tenant and then to run the following command:

REMOVED – SEE BELOW

After about 15 minutes, this worked without fail, including messages that had ZIP attachments with executable content within.

Hope it works for you too!

 

Update: 18.10.2014

After more testing, I noticed that some executable attachments, including SCR files, in ZIPs were still getting through even with the instructions below. I then checked and found that the Office 365 filtering only blocks the following executables, and checks more than just the extension (it checks that the file is, in fact, an executable).

Below is the list of extensions that the Office 365 scanner (as of today) detects with the original command from this post.

Extension   Description
.rar        Self-extracting archive file created with the WinRAR archiver
.dll        32-bit Windows executable file with dynamic link library extension
.exe        Self-extracting executable program file
.jar        Java archive file
.exe        Un-installation executable file
.exe        Program shortcut file
.obj        Compiled source code file or 3D object file or sequence file
.exe        32-bit Windows executable file
.vxd        Microsoft Vizio XML drawing file
.os2        OS/2 operating system file
.w16        16-bit Windows executable file
.dos        Disk-operating system file
.com        European Institute for Computer Antivirus Research standard anti-virus test file
.pif        Windows program information file
.exe        Windows executable program file

 

So, that explains why the SCR gets past the scanner. It's not on the list above.

To fix this, we are going to need a second rule, and I will shortly post that here as a PowerShell command as well! I promise to be back in 48 hours or so.
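The two detection criteria in play here (file extension versus actual executable content) can be checked locally before a test attachment is ever sent. The function below is an added example, not code from the original post or from Microsoft: it opens a ZIP, and for each entry reports the extension (what an extension-matching rule keys on) and whether the first two bytes are the "MZ" signature of a Windows executable (a rough stand-in for the executable-content check, whose real implementation Microsoft does not document). The blocked-extension list and the constructed test archive are my own choices; the archive is built from a renamed text file and a copy of notepad.exe so that one entry trips only the extension check and the other only the content check.

```powershell
# Added example (not from the original post): inspect a ZIP attachment locally and
# show, per entry, which of the two criteria the post's rules rely on would fire.
# The MZ-signature test is an approximation of Office 365's executable-content check.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-ZipAttachment {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed list for the demonstration; tune it to match your own Rule 1.
        [string[]]$BlockedExtensions = @('exe','dll','scr','pif','com','vbs','js','jar','bat','cmd')
    )

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }   # directory entries carry no file name

            $ext = [System.IO.Path]::GetExtension($entry.Name).TrimStart('.').ToLower()

            # PE images (EXE, DLL, SCR, ...) begin with the two bytes 'M' 'Z' (0x4D 0x5A).
            $buf = New-Object byte[] 2
            $stream = $entry.Open()
            try { $read = $stream.Read($buf, 0, 2) } finally { $stream.Dispose() }
            $isMZ = ($read -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)

            [pscustomobject]@{
                Entry            = $entry.FullName
                Extension        = $ext
                ExtensionBlocked = $BlockedExtensions -contains $ext   # extension rule (Rule 1)
                LooksExecutable  = $isMZ                               # content rule (Rule 2)
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Constructed test archive: a plain text file renamed to .scr, plus a real executable
# stored under a non-executable name. Neither criterion alone catches both.
$work = Join-Path $env:TEMP 'attach-test'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path (Join-Path $work 'notes.scr') -Value 'just text, renamed'
Copy-Item "$env:SystemRoot\System32\notepad.exe" (Join-Path $work 'renamed.txt')
$zipPath = Join-Path $env:TEMP 'attach-test.zip'
Remove-Item $zipPath -ErrorAction SilentlyContinue
Compress-Archive -Path "$work\*" -DestinationPath $zipPath

Test-ZipAttachment -Path $zipPath | Format-Table -AutoSize
```

Running it shows notes.scr with ExtensionBlocked True and LooksExecutable False, and renamed.txt the other way round, which is exactly why the post ends up needing both rules: the content check lets a renamed text file through, and the extension check is the only thing that stops a file type the scanner does not classify as executable.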

 

Update: 19.10.2014

OK, back as promised. Man, the documentation sucks for this….

Here are the two commands, which you can enter in PowerShell (and add extensions as you see fit) in the following order…

 

This is the rule for blocking attachments that have executable content.

New-TransportRule -Name 'Rule 2 – Block Executable Content MS Standard' -Priority '0' -Enabled $true -AttachmentHasExecutableContent $True -RejectMessageReasonText 'Block Rule 2 – Sorry your mail was blocked because it contained executable content' -StopRuleProcessing $true -SetAuditSeverity Low -SenderAddressLocation HeaderOrEnvelope

This is the rule for blocking attachments whose file extension matches whatever you list below. Each extension should be in quotes, separated by commas.

New-TransportRule -Name 'Rule 1 – Block Attachments Rule – Extensions' -Priority '0' -Enabled $true -AttachmentExtensionMatchesWords 'vbs','scr' -RejectMessageReasonText 'Block Rule 1 – Sorry your mail was blocked because it contained executable content.' -StopRuleProcessing $true -SetAuditSeverity Low -SenderAddressLocation HeaderOrEnvelope
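The same two rules as one script, added here as an example and not part of the original post or of Microsoft's documentation. Keeping the extension list in a variable makes it easy to extend (the list below starts from the post's 'vbs' and 'scr' and adds the script and shortcut types the commenters asked about), and checking for an existing rule first means the script can be re-run safely. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) for the tenant connection; the rule names and reject texts are the post's own, and the extra extensions are my additions.

```powershell
# Added example (not from the original post): create the post's two transport rules
# from a script, with the extension list in one place and an existence check so the
# script is safe to run more than once.
#Requires -Modules ExchangeOnlineManagement

# Extensions blocked by name. 'vbs' and 'scr' are the post's; the rest are additions
# covering common script, shortcut and installer types. Edit to taste.
$BlockedExtensions = @(
    'vbs','vbe','js','jse','wsf','wsh','scr','pif','bat','cmd','com',
    'cpl','hta','jar','lnk','msc','msp','mst','sct','shb','vb'
)

Connect-ExchangeOnline   # interactive sign-in to the tenant

# Rule 2 first: Office 365's own executable-content check on the attachment bytes.
$execRule = 'Rule 2 - Block Executable Content MS Standard'
if (-not (Get-TransportRule -Identity $execRule -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $execRule -Priority 0 -Enabled $true `
        -AttachmentHasExecutableContent $true `
        -RejectMessageReasonText 'Block Rule 2 - Sorry your mail was blocked because it contained executable content' `
        -StopRuleProcessing $true -SetAuditSeverity Low -SenderAddressLocation HeaderOrEnvelope
}

# Rule 1 second, also at priority 0. Creating a rule at an occupied priority pushes
# the existing rules down one, so the extension rule ends up above Rule 2.
$extRule = 'Rule 1 - Block Attachments Rule - Extensions'
if (-not (Get-TransportRule -Identity $extRule -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $extRule -Priority 0 -Enabled $true `
        -AttachmentExtensionMatchesWords $BlockedExtensions `
        -RejectMessageReasonText 'Block Rule 1 - Sorry your mail was blocked because it contained executable content.' `
        -StopRuleProcessing $true -SetAuditSeverity Low -SenderAddressLocation HeaderOrEnvelope
} else {
    # Rule already exists: update its extension list instead of recreating it.
    Set-TransportRule -Identity $extRule -AttachmentExtensionMatchesWords $BlockedExtensions
}

# Show what is now in place. As the post says, allow up to about 60 minutes before
# deciding a rule is not working.
Get-TransportRule | Sort-Object Priority |
    Format-Table Name, Priority, State, AttachmentExtensionMatchesWords -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Running it from a saved .ps1 file rather than pasting into the console also sidesteps the behaviour a commenter reports below, where an interactive session sat waiting at a `>>` continuation prompt when several extensions were typed on one line.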

Lastly

It is important to wait about 60 minutes before you absolutely say to yourself "this didn't work". The Office 365 filters take some time to kick in, to remove themselves and to add themselves! Give it time, have a cup of coffee, and come back and check!

Files

Here is a ZIP file with an EXE in it (Regedit.exe) and here is a ZIP file with a dummy SCR Screensaver file in it, which you can test with from an external account.

28 comments for “Blocking Executable Attachments (even in ZIP files) on Office 365 – Updated!”

  1. Tim
    March 3, 2015 at 1:51 am

How do we block scripts? Some viruses are coming through VBS, JS, CHM files etc. nowadays

  2. Nick
    March 3, 2015 at 7:32 am

Hi Tim

    Just add those extensions to the second rule. Wait 60 mins.

  3. March 25, 2015 at 11:54 am

    This works like a charm…!!

    I added some extra extensions and works perfectly…

    Thank you for the research done to provide us with the solution.

  4. Ali Abbas
    March 26, 2015 at 4:08 am

    Hi, Great work really helped me but I have some feedback. The above command doesn’t generate a bounce back message to the sender. Any chance it can be resolved. Cheers!

  5. Tim
    March 26, 2015 at 5:43 am

Excellent! Is there a way to silently block the email?
Those PowerShell commands worked great – I added zip (and it also blocks all ZIP files even if they contain documents, which is fine.)

  6. Marcus
    March 28, 2015 at 10:33 am

Pity this doesn't work on Office 365 Small Business plans because they do not contain configurable Transport Rules

    http://community.office365.com/en-us/f/158/t/232702.aspx

If anyone knows another way to block them without the transport rules I'd be very interested.

    • Ed
      April 1, 2015 at 5:09 pm

      You are able to migrate to the NEW Office 365 Business Plans (instead of the old Small Business or Medium Business Plans) and they do support all the functionality of Enterprise – including – finally – Transport Rules.

      http://justworks.ca/blog/office-365-small-business-plans-now-on-par-with-enterprise?rq=365

      Unfortunately, getting migrated can be a bit of a pain in the butt until October 2015 when all tenants will be automatically migrated

      • Admin
        May 12, 2015 at 2:40 am

I don't believe they are, contrary to the article. I've just tested a new Office 365 Business Premium plan and still no support for New-TransportRule

        • Admin
          May 14, 2015 at 4:15 am

          Correction – I can confirm it’s working for Exchange Online p1 and Office 365 Business.

  7. Zack
    May 22, 2015 at 5:29 am

    I chose to block the same file extensions as Gmail.

    .ade, .adp, .bat, .chm, .cmd, .com, .cpl, .exe, .hta, .ins, .isp, .jar, .jse, .lib, .lnk, .mde, .msc, .msp, .mst, .pif, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh

    (https://support.google.com/mail/answer/6590?hl=en)

  8. July 10, 2015 at 3:04 am

    Looks good. While Outlook and OWA have a long history of blocking attachments, the weakness has always been things like zips and rars, so this solves that.

    I wonder, though, as long as you’re including a comprehensive list (like, for example, the Gmail extension list in the preceding comment), when would Rule 2 ever be used? In the very narrow case where a new executable extension comes along that MS knows about but that we didn’t configure in Rule 1? I’d be curious what their updated default list is and if it’s any different now than what was included in the article. I haven’t run across it, though.

  9. R Milbrand
    July 27, 2015 at 1:24 pm

We will be migrating to O365 in the next few months. Recently, we've been hit with phishing scams that contain an HTML file attachment that looks like a login page on the web to unsuspecting users, who in turn give up their credentials to the hacker who sent the phishing message. I realize that this article deals with executable attachments, but is there a way to block HTML attachments?

  10. Rob
    December 1, 2015 at 11:08 am

Block Rule 1, for dubious extensions in ZIP files, used to work for me – but I've just tested it across some O365 tenants and now it no longer seems to work – is anyone else noticing this? Is it just me? Or could this have something to do with Microsoft's long-awaited 'Common Attachment Blocking'?

    • AB
      January 29, 2016 at 4:18 am

      Rule 2 not applying as of Jan 28 2016, but Rule 1 does. Am an E3 and E1 tenant.

PowerShell just sits there with >> on the next line. Tried changing priority to 5, didn't work, tried reducing the extensions list also.

      Noticed a version # in the Rules page of EAC, 15.0.1.1, while older rules are 14.0.0..

  11. Nic
    December 1, 2015 at 9:56 pm

    Seems to not be working now. I’ve tried adding and modifying the rule via the GUI and PS. Waited hours and a zip with a .js file inside gets through. Any thoughts anyone?

    • Nick
      December 1, 2015 at 9:59 pm

      I’ve asked via Twitter.
      https://twitter.com/nickwhittome/status/671810579531743232

      Retweet that… get some attention I hope. I have not confirmed it is or is not working yet….

      • Nic
        December 1, 2015 at 10:11 pm

This is scary… I've already had an educated user send me an email that got through with a .js in a zip. VirusTotal reported the file was a Crypto variant. Trying to figure this out myself…

        • Nic
          December 1, 2015 at 10:24 pm

Hold that. I just successfully tested (blocked as it should) with a valid .js file in a .zip attachment. Before, I had been testing with a text file just renamed with .js as the extension. When I grabbed a valid .js from an application on my machine, zipped and sent it, the message was rejected. Seems it's more sophisticated than just looking at the .xxx of the zipped attachment. I'm going to continue to test however.

          Thanks and sorry for any confusion.

  12. December 4, 2015 at 2:07 pm

    Great article. While I am not a fan of Powershell sometimes it is the only way to resolve issues.

    I have had the pleasure of working with Om Prakash Nath over the last couple of years. He has never failed to find a solution to an issue. He is my “go to” when I reach an impasse in Office 365.

    • ICSTech
      December 29, 2015 at 5:25 pm

      Great stuff. Despite the talk of adding this into O365 by default, I’m still not seeing it.

      So I’m trying the scripts above. My question is: Can I send the emails to a quarantine instead of just deleting/rejecting? I’d like to add “.zip” files to the extension block but there’s occasionally a need for allowing them..I’d rather just release them from quarantine instead of re-doing rules.

      What’s the command if I want to send to send all of the flagged messages to Quarantine instead of reject/delete?

      • AB
        February 12, 2016 at 6:55 pm

Would hang with multiple extensions in the command, but would succeed with one extension – then add extra extensions from the rules page in the GUI on the admin portal.

  13. June 28, 2019 at 6:55 pm

Hey, I think your blog might be having browser compatibility issues.
When I look at your blog site in Safari, it looks fine
but when opening in Internet Explorer, it has some overlapping.
I just wanted to give you a quick heads up! Other than that, superb blog!
