Use transport rules to inspect message attachments

Applies to: Exchange Server 2013

You can inspect email attachments in your organization by setting up transport rules. Exchange offers transport rules that provide the ability to examine email attachments as a part of your messaging security and compliance needs. When you inspect attachments, you can then take action on the messages that were inspected based on the content or characteristics of those attachments. Here are some attachment-related tasks you can do by using transport rules:

  • Search files in compressed attachments such as .zip and .rar files and, if there's any text that matches a pattern you specify, add a disclaimer to the end of the message.

  • Inspect content within attachments and, if there are any keywords you specify, redirect the message to a moderator for approval before it's delivered.

  • Check for messages with attachments that can't be inspected and then block the entire message from being sent.

  • Check for attachments that exceed a certain size and then notify the sender of the issue if you choose to prevent the message from being delivered.

  • Create notifications that alert users if they send a message that has matched a transport rule.

  • Block all messages containing attachments. For examples, see Common attachment blocking scenarios.

Exchange administrators can create transport rules by going to Exchange admin center > Mail flow > Rules. You need to be assigned permissions before you can perform this procedure. After you start to create a new rule, you can see the full list of attachment-related conditions by clicking More options > Any attachment under Apply this rule if. The attachment-related options are shown in the following diagram.

Dialog box to select attachment-related rules.

For more information about transport rules, including the full range of conditions and actions that you can choose, see Mail flow or transport rules. Exchange Online Protection (EOP) and hybrid customers can benefit from the transport rules best practices provided in Best practices for configuring EOP. If you're ready to start creating rules, see Manage transport rules in Exchange 2013.

Inspect the content within attachments

You can use the transport rule conditions in the following table to examine the content of attachments to messages. For these conditions, only the first 150 KB of an attachment is inspected. In order to start using these conditions when inspecting messages, you need to add them to a transport rule. Learn about creating or changing rules at Manage transport rules in Exchange 2013.

Condition name in EAC | Condition name in the Shell | Description
--- | --- | ---
Any attachment content includes any of these words | AttachmentContainsWords | This condition matches messages with supported file type attachments that contain a specified string or group of characters.
Any attachment content matches these text patterns | AttachmentMatchesPatterns | This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression.

The Exchange Management Shell names for the conditions listed here are parameters that require the TransportRule cmdlet.

Transport rules can inspect only the content of supported file types. If the transport rules agent encounters an attachment that isn't in the list of supported file types, the AttachmentIsUnsupported condition is triggered. The supported file types are listed in the following section. Any file not listed will trigger the AttachmentIsUnsupported condition.
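As an added example (not code from the original article), the following Exchange Management Shell commands put the two content conditions to work and pair them with the AttachmentIsUnsupported and AttachmentProcessingLimitExceeded conditions, so that attachments the content conditions cannot read are handled explicitly rather than passing through unmatched. The rule names, keywords, regular expression, addresses and disclaimer text are assumed values.

```powershell
# Added example, not code from the original article. Assumes an Exchange 2013
# Management Shell session with rights to create transport rules. Rule names,
# keywords, the regular expression, addresses and disclaimer text are assumed.

# 1. Send to a moderator when any attachment (including files inside a .zip
#    or .rar) contains a keyword. Only the first 150 KB of each attachment is
#    inspected, so very large documents are only partially covered.
New-TransportRule -Name "Moderate attachments mentioning Project Falcon" `
    -AttachmentContainsWords "Project Falcon", "Falcon launch" `
    -ModerateMessageByUser "compliance@contoso.com"

# 2. Append a disclaimer when attachment text matches a pattern (a constructed
#    contract-number format such as CTR-2024-123456). Single quotes keep the
#    regex literal in PowerShell.
New-TransportRule -Name "Disclaimer for contract references in attachments" `
    -AttachmentMatchesPatterns 'CTR-\d{4}-\d{6}' `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "<p>This message references a contract. Treat its terms as confidential.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 3. Fail closed. The content conditions above can't see inside a file type
#    that isn't supported, or a file whose scan didn't complete, so those
#    cases get their own rules instead of slipping past unmatched.
New-TransportRule -Name "Reject attachments that can't be inspected" `
    -AttachmentIsUnsupported $true `
    -RejectMessageReasonText "The attachment type can't be inspected. Please resend it as a supported file type." `
    -RejectMessageEnhancedStatusCode "5.7.1"

New-TransportRule -Name "Reject attachments whose scan didn't complete" `
    -AttachmentProcessingLimitExceeded $true `
    -RejectMessageReasonText "Attachment scanning didn't complete, so the message wasn't delivered." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Confirm the rules exist and check their evaluation order (lower Priority
# runs first).
Get-TransportRule | Format-Table Name, Priority, State
```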

Compressed archive files

If the message contains a compressed archive file such as a .zip or .cab file, the transport rules agent will inspect the files contained within that attachment. Such messages are processed in a manner similar to messages that have multiple attachments. The properties of compressed archive files aren't inspected. For example, if the container file type supports comments, that field isn't inspected.

Supported file types for transport rule content inspection

The following table lists the file types supported by transport rules. The system automatically detects file types by inspecting file properties rather than the actual file name extension. This behavior helps to prevent hackers from bypassing transport rule filtering by renaming a file extension. The file types with executable code that can be checked within the context of transport rules are listed later in this topic.

Category | File extension | Notes
--- | --- | ---
Office 2013, Office 2010, and Office 2007 | .docm, .docx, .pptm, .pptx, .pub, .one, .xlsb, .xlsm, .xlsx | Microsoft OneNote and Microsoft Publisher files aren't supported by default. You can enable support for these file types by using IFilter integration. For more information, see Register Filter Pack IFilters with Exchange 2013. The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected.
Office 2003 | .doc, .ppt, .xls | None
Additional Office files | .rtf, .vdw, .vsd, .vss, .vst | None
Adobe PDF | .pdf | None
HTML | .html | None
XML | .xml, .odp, .ods, .odt | None
Text | .txt, .asm, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .pl, .rc, .reg, .vbs, .wtx | None
OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected.
AutoCAD Drawing | .dxf | AutoCAD 2013 files aren't supported.
Image | .jpg, .tiff | Only the metadata text associated with these image files is inspected. There's no optical character recognition.

Note

AutoCAD Drawing (.dxf) and Image (.jpg, .tiff) file types can no longer be inspected after the Exchange Server March 2024 SU has been installed. More information can be found in KB5037191.

Inspect the file properties of attachments

The following transport rule conditions inspect the properties of a file that's attached to a message. In order to start using these conditions when inspecting messages, you need to add them to a transport rule. The supported file types with executable code that can be checked within the context of transport rules are listed in Supported executable file types for transport rule inspection later in this topic. For more information about creating or changing rules, see Manage transport rules in Exchange 2013.

Condition name in EAC | Condition name in the Shell | Description
--- | --- | ---
Any attachment file name matches these text patterns | AttachmentNameMatchesPatterns | This condition matches messages with supported file type attachments when those attachments have a name that contains the characters you specify.
Any attachment file extension includes these words | AttachmentExtensionMatchesWords | This condition matches messages with supported file type attachments when the file name extension matches what you specify.
Any attachment size is greater than or equal to | AttachmentSizeOver | This condition matches messages with supported file type attachments when those attachments are larger than the size you specify.
Any attachment didn't complete scanning | AttachmentProcessingLimitExceeded | This condition matches messages when an attachment isn't inspected by the transport rules agent.
Any attachment has executable content | AttachmentHasExecutableContent | This condition matches messages that contain executable files as attachments. The supported file types are listed in Supported executable file types for transport rule inspection.
Any attachment is password protected | AttachmentIsPasswordProtected | This condition matches messages with supported file type attachments when those attachments are protected by a password.

The Exchange Management Shell names for the conditions listed here are parameters that require the TransportRule cmdlet.
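As an added example (not code from the original article), these Exchange Management Shell commands apply the file-property conditions above: executable-content blocking, a size limit that tells the sender why the message was rejected, and extension tagging. The rule names, the 10 MB threshold, the extension list and the subject tag are assumed values.

```powershell
# Added example, not code from the original article. Assumes an Exchange 2013
# Management Shell session. Rule names, the 10 MB threshold, the extension
# list and the subject tag are assumed values.

# 1. Block executable content whatever the file is called. Detection is by
#    file properties (true type), so renaming installer.exe to installer.txt
#    doesn't evade the rule; the sender gets an NDR carrying the reason text.
New-TransportRule -Name "Block executable attachments" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments aren't accepted. Contact the helpdesk if you need to exchange this file." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 2. Reject oversized attachments and tell the sender why (the "notify the
#    sender" scenario from the introduction). 10MB is a PowerShell byte
#    literal, 10485760 bytes.
New-TransportRule -Name "Reject attachments over 10 MB" `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText "An attachment exceeds the 10 MB limit. Please share a link to the file instead."

# 3. Tag messages whose attachments carry an archive extension. This condition
#    compares the file name's extension only, so it complements rule 1 rather
#    than replacing it.
New-TransportRule -Name "Tag archive attachments" `
    -AttachmentExtensionMatchesWords "zip", "rar", "7z" `
    -PrependSubject "[Archive attached] "

# Rules run in Priority order; make sure the executable block runs first.
Set-TransportRule -Identity "Block executable attachments" -Priority 0
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```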

Supported executable file types for transport rule inspection

The transport agent uses true type detection by inspecting file properties rather than merely the file extensions. This detection helps to prevent hackers from bypassing your rule by renaming a file extension. The following table lists the executable file types supported by these conditions. If a file is found that isn't listed here, the AttachmentIsUnsupported condition is triggered.

Type of file | Native extension
--- | ---
Self-extracting archive file created with the WinRAR archiver. | .rar
32-bit Windows executable file with a dynamic link library extension. | .dll
Self-extracting executable program file. | .exe
Java archive file. | .jar
Uninstallation executable file. | .exe
Program shortcut file. | .exe
Compiled source code file or 3-D object file or sequence file. | .obj
32-bit Windows executable file. | .exe
Microsoft Visio XML drawing file. | .vxd
OS/2 operating system file. | .os2
16-bit Windows executable file. | .w16
Disk-operating system file. | .dos
European Institute for Computer Antivirus Research standard antivirus test file. | .com
Windows program information file. | .pif
Windows executable program file. | .exe

Extending the number of supported file types

The supported file types listed in this topic can be revised at any time using IFilter integration. For more information, see Register Filter Pack IFilters with Exchange 2013.

The file types you add using this process become supported file types and no longer trigger the AttachmentIsUnsupported condition.

Data loss prevention policies and attachment transport rules

To help you manage important business information in email, you can include any of the attachment-related conditions along with the rules of a data loss prevention (DLP) policy. For example, you might want to allow messages with passport numbers to be sent but only if the passport numbers are in a password-protected attachment. To accomplish this, do the following steps:

  • Create a DLP policy that inspects mail for passport-related sensitive information. Learn more at DLP procedures.
  • Add the Any attachment is password protected exception in the Except if... transport rule area.
  • Define an action to take on mail that contains passport numbers that aren't in the protected file.

DLP policies and attachment-related conditions can help you enforce your business needs by defining those needs as transport rule conditions, exceptions, and actions. When you include sensitive information inspection in a DLP policy, any attachments to messages are scanned only for that sensitive information. Attachment-related conditions such as size or file type aren't evaluated until you add the conditions listed in this topic. DLP isn't available with all versions of Exchange; learn more at Data loss prevention.
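The passport-number scenario above, as an added example (not code from the original article) in the Exchange Management Shell: a DLP rule that rejects messages containing a passport number unless the number is inside a password-protected attachment. The policy name, the classification name "U.S. / U.K. Passport Number", the reason text and the use of New-DlpPolicy without a template are assumptions; step 1 is there to confirm the classification name in your environment.

```powershell
# Added example, not code from the original article. Assumes an Exchange 2013
# Management Shell session on an edition where DLP is available. The policy
# name, the classification name "U.S. / U.K. Passport Number" and the reason
# text are assumed; confirm the classification name with step 1 first.

# 1. Find the built-in sensitive information type for passport numbers.
Get-DataClassification | Where-Object { $_.Name -like "*Passport*" } |
    Format-Table Name, Publisher

# 2. Create the DLP policy in audit mode so it logs matches without blocking
#    (assumes an empty custom policy can be created without a template).
New-DlpPolicy -Name "Passport numbers" -Mode Audit

# 3. The rule: messages that contain a passport number are rejected, except
#    when the number is in a password-protected attachment. In Enforce mode
#    the sender gets a Policy Tip in Outlook and, if they send anyway, an NDR
#    with the reason text.
New-TransportRule -Name "Passport numbers only in protected attachments" `
    -DlpPolicy "Passport numbers" `
    -MessageContainsDataClassifications @{ Name = "U.S. / U.K. Passport Number"; MinCount = "1" } `
    -ExceptIfAttachmentIsPasswordProtected $true `
    -NotifySender RejectMessage `
    -RejectMessageReasonText "Passport numbers may only be sent inside a password-protected attachment." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 4. Review the rule, then switch the policy to Enforce once the audit
#    results look right.
Get-TransportRule -DlpPolicy "Passport numbers" | Format-List Name, Mode, State
Set-DlpPolicy -Identity "Passport numbers" -Mode Enforce
```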

For more information

Data loss prevention in Exchange 2013

Mail flow or transport rules

Transport rule conditions (predicates)