Use mail flow rules to block messages with executable attachments in Exchange Online

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, messages with harmful attachments (including executable attachments) are blocked by anti-malware policies. For more information, see Anti-malware protection in EOP.

To further enhance protection, you can use mail flow rules (also known as transport rules) to identify and block messages that contain executable attachments as described in this article.

For example, following a malware outbreak, a company could apply this rule with a time limit so that affected users can get back to sending attachments after a specified period of time.

What do you need to know before you begin?

Use the EAC to create a rule that blocks messages with executable attachments

  1. In the EAC, go to Mail flow > Rules.

  2. Select +Add a rule and then select Create a new rule.

  3. In the Set rule conditions page that opens, configure the following settings:

    • Name: Enter a unique, descriptive name for the rule.

    • Apply this rule if: Select Any attachment > has executable content.

    • Do the following: Select Block the message and then choose the action you want:

      • reject the message and include an explanation: In the Specify reject reason dialog box that appears, enter the text you want to appear in the non-delivery report (also known as an NDR or bounce message). The default enhanced status code that's used is 5.7.1.

      • reject the message with the enhanced status code of: In the Enter enhanced status code dialog box that appears, enter the enhanced status code that you want to appear in the NDR. Valid values are 5.7.1 or a value from 5.7.900 to 5.7.999. The default rejection text is: Delivery not authorized, message refused.

      • delete the message without notifying anyone (If you choose this option, you won't get the Save button, but will get the Next button.)

  4. When you're finished, select Save. Your attachment blocking rule is now in force.

Use PowerShell to create a rule that blocks messages with executable attachments

Use the following syntax to create a rule to block messages that contain executable attachments:

New-TransportRule -Name "<UniqueName>" -AttachmentHasExecutableContent $true [-RejectMessageEnhancedStatusCode <5.7.1 | 5.7.900 to 5.7.999>] [-RejectMessageReasonText "<Text>"] [-DeleteMessage $true]

Notes:

  • If you use the RejectMessageEnhancedStatusCode parameter without the RejectMessageReasonText parameter, the default text is: Delivery not authorized, message refused.

  • If you use the RejectMessageReasonText parameter without the RejectMessageEnhancedStatusCode parameter, the default code is 5.7.1.

The following example creates a new rule named Block Executable Attachments that silently deletes messages that contain executable attachments.

New-TransportRule -Name "Block Executable Attachments" -AttachmentHasExecutableContent $true -DeleteMessage $true

For detailed syntax and parameter information, see New-TransportRule.
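The following script is an added example, not code from the article or from Microsoft, showing the reject variant of the syntax above combined with the time-limited pattern the article mentions in its introduction (a block applied after an outbreak that lapses on its own). It assumes an already connected Exchange Online PowerShell session (Connect-ExchangeOnline) with a role that can manage mail flow rules; the rule name, reject text and 14-day window are placeholder values. The ExpiryDate, Comments and Priority parameters are documented parameters of New-TransportRule but are not shown in the article's syntax line.

```powershell
# Added example (not part of the original article): create a time-limited rule that
# rejects messages carrying executable attachments with an explicit reason and code.
# Assumes an existing Connect-ExchangeOnline session with rights to manage rules.
# The name, reason text and expiry window below are placeholder values.

$ruleName = "Block Executable Attachments (post-incident)"   # placeholder name

# Make the script safe to re-run: skip creation if a rule of this name already
# exists, and point the operator at Set-TransportRule for changes instead.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    throw "A rule named '$ruleName' already exists; modify it with Set-TransportRule instead."
}

$params = @{
    Name                            = $ruleName
    # Condition from the article: any attachment with executable content.
    AttachmentHasExecutableContent  = $true
    # Both reject parameters given explicitly, so neither default (5.7.1 or the
    # default "Delivery not authorized" text) is relied on.
    RejectMessageEnhancedStatusCode = "5.7.1"
    RejectMessageReasonText         = "Executable attachments are blocked while an incident is being handled. Share the file through a link instead."
    # Time limit: the rule stops applying 14 days from now without manual cleanup.
    ExpiryDate                      = (Get-Date).AddDays(14)
    # Leave a trail for whoever reviews the rule list later.
    Comments                        = "Created $(Get-Date -Format 'yyyy-MM-dd') during incident response; expires automatically after 14 days."
    # Evaluate before other rules so an earlier rule cannot release the message first.
    Priority                        = 0
}

# New-TransportRule returns the created rule object, which is the first verification.
New-TransportRule @params
```

Choosing reject over DeleteMessage here is deliberate for the incident scenario: the sender gets an NDR that explains the block, which cuts down on help-desk tickets and lets the time-limited rule expire without users having silently lost mail in the meantime.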

How do you know this worked?

To verify that you've successfully created a mail flow rule to block messages that contain executable attachments, do any of the following steps:

  • In the EAC, go to Mail flow > Rules > select the rule > select Edit, select the Settings tab, and verify the settings.

  • In PowerShell, run the following command to verify the settings:

    Get-TransportRule -Identity "<Rule Name>" | Format-List Name,AttachmentHasExecutableContent,RejectMessage*,DeleteMessage
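The verification command above lists the rule's settings, but reading them is still manual. The script below is an added example, not from the article or from Microsoft, that turns the same Get-TransportRule check into a pass/fail: it confirms the rule exists, is enabled, is in Enforce mode rather than Audit, has the executable-content condition, carries a blocking action, and has not already expired. It assumes a connected Exchange Online PowerShell session; the rule name is a placeholder, and the State, Mode and ExpiryDate properties are assumed to be present on the object Get-TransportRule returns, as they are for rules created with those options.

```powershell
# Added example (not part of the original article): check that an executable-attachment
# rule is actually in effect, not merely present in the rule list.
# Assumes a connected Exchange Online PowerShell session; the rule name is a placeholder.

$ruleName = "Block Executable Attachments"   # placeholder name

$rule = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue
if (-not $rule) { throw "Rule '$ruleName' was not found." }

$problems = @()

# A disabled rule or an Audit/AuditAndNotify rule only reports; it does not block.
if ($rule.State -ne "Enabled") { $problems += "rule is not enabled (State=$($rule.State))" }
if ($rule.Mode  -ne "Enforce") { $problems += "rule is in $($rule.Mode) mode, so it logs instead of blocking" }

# The condition from the article must be set.
if (-not $rule.AttachmentHasExecutableContent) {
    $problems += "condition AttachmentHasExecutableContent is not set"
}

# One of the blocking actions must be configured: delete, or reject with a reason/code.
$hasBlockingAction = $rule.DeleteMessage -or
                     $rule.RejectMessageReasonText -or
                     $rule.RejectMessageEnhancedStatusCode
if (-not $hasBlockingAction) {
    $problems += "no blocking action (DeleteMessage or RejectMessage*) is configured"
}

# A time-limited rule that has lapsed no longer applies.
if ($rule.ExpiryDate -and $rule.ExpiryDate -lt (Get-Date)) {
    $problems += "rule expired on $($rule.ExpiryDate)"
}

if ($problems.Count -gt 0) {
    Write-Warning ("'$ruleName' will NOT block executable attachments: " + ($problems -join "; "))
} else {
    Write-Output "'$ruleName' is enabled, enforced, and rejects or deletes messages with executable attachments."
}
```

Running this from a scheduled task or a change-control pipeline catches the common failure modes the Format-List output alone does not flag: a rule left in Audit mode after testing, or a post-incident rule that quietly expired.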