
Using transport rules to inspect message attachments

Exchange 2013
 

Applies to: Exchange Online Protection, Exchange Online

Topic Last Modified: 2014-06-10

You can inspect email attachments in your organization by setting up transport rules. Exchange offers transport rules that provide the ability to examine email attachments as a part of your messaging security and compliance needs. When you inspect attachments, you can then take action on the messages that were inspected based on the content or characteristics of those attachments. Here are some attachment-related tasks you can do by using transport rules:

  • Search files in compressed attachments such as .zip and .rar files and, if there’s any text that matches a pattern you specify, add a disclaimer to the end of the message.

  • Inspect content within attachments and, if there are any keywords you specify, redirect the message to a moderator for approval before it’s delivered.

  • Check for messages with attachments that can’t be inspected and then block the entire message from being sent.

  • Check for attachments that exceed a certain size and then notify the sender of the issue if you choose to prevent the message from being delivered.

  • Create notifications that alert users if they send a message that has matched a transport rule.

Exchange administrators can create transport rules by going to Exchange Admin Center > Mail flow > Rules. You need to be assigned permissions before you can perform this procedure. After you start to create a new rule, you can see the full list of attachment-related conditions by clicking More options > Any attachment under Apply this rule if. The attachment-related options are shown in the following diagram.

[Figure: Dialog box to select attachment-related rules]

For more information about transport rules, including the full range of conditions and actions that you can choose, see Transport rules. Exchange Online Protection (EOP) and hybrid customers can benefit from the transport rules best practices provided in Best practices for configuring EOP. If you’re ready to start creating rules, see Manage Transport Rules.

You can use the transport rule conditions in the following table to examine the content of attachments to messages. For these conditions, only the first 150 KB of an attachment is inspected. In order to start using these conditions when inspecting messages, you need to add them to a transport rule. Learn about creating or changing rules at Manage Transport Rules.

 

Condition name in EAC | Condition name in the Shell | Description
Any attachment content includes any of these words | AttachmentContainsWords | This condition matches messages with supported file type attachments that contain a specified string or group of characters.
Any attachment content matches these text patterns | AttachmentMatchesPatterns | This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression.

The Exchange Management Shell names for the conditions listed here are parameters of the New-TransportRule cmdlet.

Learn more about the cmdlet at New-TransportRule.

Learn more about property types for these conditions at Conditions and Condition Properties for a Mailbox Server.

To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online using remote PowerShell.

Transport rules can inspect only the content of supported file types. If the transport rules agent encounters an attachment that isn't in the list of supported file types, the AttachmentIsUnsupported condition is triggered. The supported file types are listed in the following section. Any file not listed will trigger the AttachmentIsUnsupported condition.

If the message contains a compressed archive file such as a .zip or .cab file, the transport rules agent will inspect the files contained within that attachment. Such messages are processed in a manner similar to messages that have multiple attachments. The properties of compressed archive files aren’t inspected. For example, if the container file type supports comments, that field isn’t inspected.
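As an added example (these commands are not from the TechNet topic), the following Exchange Management Shell rules use the two content conditions above together with the AttachmentIsUnsupported condition as a fallback; the rule names, keywords, patterns and the contoso.com moderator address are placeholders.

```powershell
# Added example, not from the TechNet topic. Assumes an Exchange Management
# Shell or remote Exchange Online session is already open. Rule names,
# keywords, patterns and the contoso.com address are placeholders.

# Rule 1: append a disclaimer when any attachment, including files inside a
# .zip or .rar archive, matches a text pattern. Only the first 150 KB of each
# attachment is inspected, so a match deeper in a large file is not seen.
New-TransportRule -Name "Attachment pattern disclaimer" `
    -AttachmentMatchesPatterns "Project\s+Falcon", "Internal\s+Use\s+Only" `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "<p>This message may contain confidential content.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Rule 2: hold the message for moderator approval when attachment content
# contains any of the listed keywords.
New-TransportRule -Name "Moderate attachment keywords" `
    -AttachmentContainsWords "merger", "acquisition" `
    -ModerateMessageByUser compliance-moderator@contoso.com

# Rule 3: rules 1 and 2 cannot see inside unsupported file types, so reject
# anything the agent cannot inspect instead of letting it pass unchecked.
New-TransportRule -Name "Reject uninspectable attachments" `
    -AttachmentIsUnsupported $true `
    -RejectMessageReasonText "Attachments that cannot be inspected are not accepted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Check: confirm the rules exist, are enabled, and note their priority order,
# since rules are evaluated in priority order.
Get-TransportRule | Where-Object { $_.Name -like "*attachment*" } |
    Format-Table Name, State, Priority -AutoSize
```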

The following table lists the file types supported by transport rules. The system detects a file's type by inspecting file properties rather than the file name extension, which helps prevent malicious hackers from bypassing transport rule filtering by renaming a file extension. The file types with executable code that transport rules can check are listed later in this topic.

 

Category | File extension | Notes
Office 2013, Office 2010, and Office 2007 | .docm, .docx, .pptm, .pptx, .pub, .one, .xlsb, .xlsm, .xlsx | Microsoft OneNote and Microsoft Publisher files aren't supported by default. The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected.
Office 2003 | .doc, .ppt, .xls | None
Additional Office files | .rtf, .vdw, .vsd, .vss, .vst | None
Adobe PDF | .pdf | None
HTML | .html | None
XML | .xml, .odp, .ods, .odt | None
Text | .txt, .asm, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .pl, .rc, .reg, .vbs, .wtx | None
OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected.
AutoCAD Drawing | .dxf | AutoCAD 2013 files aren't supported.
Image | .jpg, .tiff | Only the metadata text associated with these image files is inspected. There is no optical character recognition.

The following transport rule conditions inspect the properties of a file that is attached to a message. To start using these conditions when inspecting messages, add them to a transport rule. The file types with executable code that transport rules can check are listed later in this topic. For more information about creating or changing rules, see Manage Transport Rules.

 

Condition name in EAC | Condition name in the Shell | Description
Any attachment file name matches these text patterns | AttachmentNameMatchesPatterns | This condition matches messages with supported file type attachments when those attachments have a name that contains the characters you specify.
Any attachment file extension includes these words | AttachmentExtensionMatchesWords | This condition matches messages with supported file type attachments when the file name extension matches what you specify.
Any attachment size is greater than or equal to | AttachmentSizeOver | This condition matches messages with supported file type attachments when those attachments are larger than the size you specify.
Any attachment didn't complete scanning | AttachmentProcessingLimitExceeded | This condition matches messages when an attachment is not inspected by the transport rules agent.
Any attachment has executable content | AttachmentHasExecutableContent | This condition matches messages that contain executable files as attachments. The supported file types are listed later in this topic.
Any attachment is password protected | AttachmentIsPasswordProtected | This condition matches messages with supported file type attachments when those attachments are protected by a password.

The Exchange Management Shell names for the conditions listed here are parameters of the New-TransportRule cmdlet.

Learn more about the cmdlet at New-TransportRule.

Learn more about property types for these conditions at Conditions and Condition Properties for a Mailbox Server.

To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online using remote PowerShell.
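As an added example (not code from the TechNet topic), these Exchange Management Shell rules use the attachment-property conditions in the table above; rule names, the size threshold, the audit severity and the contoso.com moderator address are placeholders.

```powershell
# Added example, not from the TechNet topic. Assumes an open Exchange
# Management Shell or remote Exchange Online session. Rule names, the size
# threshold and the contoso.com address are placeholders.

# Executable content is matched on true file type, not the extension, so a
# renamed executable is still caught. Reject it and tell the sender why.
New-TransportRule -Name "Reject executable attachments" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not accepted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Password-protected files cannot be inspected for content, so route them to
# a moderator instead of delivering them unchecked.
New-TransportRule -Name "Moderate password-protected attachments" `
    -AttachmentIsPasswordProtected $true `
    -ModerateMessageByUser security-moderator@contoso.com

# Size limit: reject and notify the sender. 10MB is a PowerShell byte literal.
New-TransportRule -Name "Reject attachments over 10 MB" `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText "Attachments larger than 10 MB are not accepted."

# Attachments that did not finish scanning are a blind spot for every other
# rule. Start in audit mode to measure how often this fires before enforcing.
New-TransportRule -Name "Audit unscanned attachments" `
    -AttachmentProcessingLimitExceeded $true `
    -SetAuditSeverity High `
    -Mode Audit

# Check: review the conditions and actions exactly as Exchange stored them.
Get-TransportRule | Where-Object { $_.Name -like "*attachment*" } |
    Format-List Name, State, Priority, Mode, Conditions, Actions
```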

The transport agent uses true type detection by inspecting file properties rather than merely the file extensions. This helps to prevent malicious hackers from being able to bypass your rule by renaming a file extension. The following table lists the executable file types supported by these conditions. If a file is found that is not listed here, the AttachmentIsUnsupported condition is triggered.

 

Type of file | Native extension
Self-extracting archive file created with the WinRAR archiver. | .rar
32-bit Windows executable file with a dynamic link library extension. | .dll
Self-extracting executable program file. | .exe
Java archive file. | .jar
Uninstallation executable file. | .exe
Program shortcut file. | .exe
Compiled source code file or 3-D object file or sequence file. | .obj
32-bit Windows executable file. | .exe
Microsoft Visio XML drawing file. | .vxd
OS/2 operating system file. | .os2
16-bit Windows executable file. | .w16
Disk-operating system file. | .dos
European Institute for Computer Antivirus Research standard antivirus test file. | .com
Windows program information file. | .pif
Windows executable program file. | .exe

To help you manage important business information in email, you can include any of the attachment-related conditions along with the rules of a data loss prevention (DLP) policy. For example, you might want to allow messages with passport numbers to be sent but only if the passport numbers are in a password-protected attachment. To accomplish this, do the following:

  • Create a DLP policy that inspects mail for passport-related sensitive information. Learn more at DLP procedures.

  • Add the Any attachment is password protected exception in the Except if transport rule area.

  • Define an action to take on mail that contains passport numbers that are not in the protected file.

DLP policies and attachment-related conditions can help you enforce your business needs by defining those needs as transport rule conditions, exceptions, and actions. When you include the sensitive information inspection in a DLP policy, any attachments to messages are scanned for that information only. However, attachment-related conditions such as size or file type are not included until you add the conditions listed in this topic. DLP is not available with all versions of Exchange; learn more at Data Loss Prevention.
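The three-step passport-number procedure above, as one added Exchange Management Shell rule (not code from the TechNet topic); the rule name and reject text are placeholders, "U.S. Passport Number" is a built-in sensitive information type, and the exception uses the ExceptIf form of the Any attachment is password protected condition.

```powershell
# Added example, not from the TechNet topic. Assumes an open Exchange
# Management Shell or Exchange Online session on a version where DLP is
# available. Rule name and reject text are placeholders.

# Step 1: inspect the message and its supported attachments for passport
#         numbers (built-in sensitive information type "U.S. Passport Number").
# Step 2: the ExceptIf form of "Any attachment is password protected" lets
#         the message through when the numbers are in a protected file.
# Step 3: reject everything else and tell the sender why.
New-TransportRule -Name "Passport numbers only in protected attachments" `
    -MessageContainsDataClassifications @{ Name = "U.S. Passport Number" } `
    -ExceptIfAttachmentIsPasswordProtected $true `
    -RejectMessageReasonText "Passport numbers may only be sent in a password-protected attachment." `
    -Mode Audit   # log matches without rejecting while the rule is tuned

# Caveat: the exception skips the whole rule, so a password-protected file is
# not checked for size or file type here; add those conditions separately if
# they matter (see the property conditions earlier in this topic).

# Roll out: once the audit shows no false positives, enforce the rule.
Set-TransportRule -Identity "Passport numbers only in protected attachments" -Mode Enforce
```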

 
© 2014 Microsoft