Use mail flow rules to inspect message attachments in Office 365

Applies to: Exchange Online, Exchange Online Protection

Topic Last Modified: 2018-01-25

You can inspect email attachments in your Office 365 organization by setting up mail flow rules (also known as transport rules). Exchange Online offers mail flow rules that provide the ability to examine email attachments as a part of your messaging security and compliance needs. When you inspect attachments, you can then take action on the messages that were inspected based on the content or characteristics of those attachments. Here are some attachment-related tasks you can do by using mail flow rules:

  • Search for files with text that matches a pattern you specify, and add a disclaimer to the end of the message.

  • Inspect content within attachments and, if there are any keywords you specify, redirect the message to a moderator for approval before it's delivered.

  • Check for messages with attachments that can't be inspected and then block the entire message from being sent.

  • Check for attachments that exceed a certain size and then notify the sender of the issue if you choose to prevent the message from being delivered.

  • Check whether the properties of an attached Office document match the values that you specify. With this condition, you can integrate the requirements of your mail flow rules and DLP policies with a third-party classification system, such as SharePoint Server 2013 or Windows Server 2012 R2 File Classification Infrastructure (FCI).

  • Create notifications that alert users if they send a message that has matched a mail flow rule.

  • Block all messages containing attachments. For examples, see Common attachment blocking scenarios for mail flow rules.

Note:
All of these conditions will scan compressed archive attachments.

Exchange Online admins can create mail flow rules in the Exchange admin center (EAC) at Mail flow > Rules. You need to be assigned permissions before you can perform this procedure. After you start to create a new rule, you can see the full list of attachment-related conditions by clicking More options > Any attachment under Apply this rule if. The attachment-related options are shown in the following diagram.

[Figure: List of conditions for attachments]

For more information about mail flow rules, including the full range of conditions and actions that you can choose, see Mail flow rules (transport rules) in Exchange Online. Exchange Online Protection (EOP) and hybrid customers can benefit from the mail flow rules best practices provided in Best practices for configuring EOP. If you're ready to start creating rules, see Manage mail flow rules.

You can use the mail flow rule conditions in the following table to examine the content of attachments to messages. For these conditions, only the first one megabyte (MB) of text extracted from an attachment is inspected. Note that the 1 MB limit refers to the extracted text, not the file size of the attachment. For example, a 2 MB file may contain less than 1 MB of text, so all of the text would be inspected.

In order to start using these conditions when inspecting messages, you need to add them to a mail flow rule. Learn about creating or changing rules at Manage mail flow rules.

 

| Condition name in the EAC | Condition name in Exchange Online PowerShell | Description |
|---|---|---|
| Any attachment's content includes / Any attachment > content includes any of these words | AttachmentContainsWords | This condition matches messages with supported file type attachments that contain a specified string or group of characters. |
| Any attachment's content matches / Any attachment > content matches these text patterns | AttachmentMatchesPatterns | This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression. |
| Any attachment's content can't be inspected / Any attachment > content can't be inspected | AttachmentIsUnsupported | Mail flow rules can inspect the content of supported file types only. If the mail flow rule encounters an attachment that isn't supported, the AttachmentIsUnsupported condition is triggered. The supported file types are described in the next section. |

Notes:

The condition names in Exchange Online PowerShell are parameter names on the New-TransportRule and Set-TransportRule cmdlets. For more information, see New-TransportRule.

Learn more about property types for these conditions at Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule conditions and exceptions (predicates) in Exchange Online Protection.

To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
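The three content-inspection conditions above, as an added example (not taken from the original topic): two content rules plus a rule that rejects attachments the rules can't read, all created in audit mode first. The rule names, moderator address, keywords and pattern are constructed placeholders, and an open Exchange Online PowerShell session is assumed.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already open.
# Rule names, the moderator address and the keywords are constructed placeholders.
$moderator = "dlp-moderator@contoso.com"

# Hold outbound mail for approval when attachment text matches an
# SSN-shaped pattern. Only the first 1 MB of extracted text is searched.
New-TransportRule -Name "Attachment text: SSN-shaped pattern" `
    -SentToScope NotInOrganization `
    -AttachmentMatchesPatterns '\d\d\d-\d\d-\d\d\d\d' `
    -ModerateMessageByUser $moderator `
    -SetAuditSeverity Medium `
    -Mode Audit            # log matches only; nothing is held yet

# Append a disclaimer when attachment text contains any listed keyword.
New-TransportRule -Name "Attachment text: project keywords" `
    -AttachmentContainsWords "Project Falcon", "internal use only" `
    -ApplyHtmlDisclaimerText "<p>This message carries internal material.</p>" `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Audit

# Fail closed: an attachment of an unsupported type never matches the two
# content rules above, so it needs its own rule.
New-TransportRule -Name "Attachment text: uninspectable file type" `
    -AttachmentIsUnsupported $true `
    -RejectMessageReasonText "Attachment type can't be inspected; send it in a supported format." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -SetAuditSeverity High `
    -Mode Audit

# After reviewing the audit results, switch a rule to enforcement.
Set-TransportRule -Identity "Attachment text: uninspectable file type" -Mode Enforce
```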

The following table lists the file types supported by mail flow rules. The system automatically detects file types by inspecting file properties rather than the actual file name extension, thus helping to prevent malicious hackers from being able to bypass mail flow rule filtering by renaming a file extension. A list of file types with executable code that can be checked within the context of mail flow rules is listed later in this topic.

 

| Category | File extension | Notes |
|---|---|---|
| Office 2007 and later | .docm, .docx, .pptm, .pptx, .pub, .one, .xlsb, .xlsm, .xlsx | Microsoft OneNote and Microsoft Publisher files aren't supported by default. The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected. |
| Office 2003 | .doc, .ppt, .xls | None |
| Additional Office files | .rtf, .vdw, .vsd, .vss, .vst | None |
| Adobe PDF | .pdf | None |
| HTML | .html | None |
| XML | .xml, .odp, .ods, .odt | None |
| Text | .txt, .asm, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .pl, .rc, .reg, .vbs, .wtx | None |
| OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected. |
| AutoCAD Drawing | .dxf | AutoCAD 2013 files aren't supported. |
| Image | .jpg, .tiff | Only the metadata text associated with these image files is inspected. There is no optical character recognition. |
| Compressed archive files | .bz2, .cab, .gz, .rar, .tar, .zip, .7z | The content of these files, which were originally in a supported file type format, is inspected and processed in a manner similar to messages that have multiple attachments. The properties of the compressed archive file itself are not inspected. For example, if the container file type supports comments, that field isn't inspected. |

The following conditions can be used in mail flow rules to inspect different properties of files that are attached to messages. In order to start using these conditions when inspecting messages, you need to add them to a mail flow rule. For more information about creating or changing rules, see Manage mail flow rules.

 

| Condition name in the EAC | Condition name in Exchange Online PowerShell | Description |
|---|---|---|
| Any attachment's file name matches / Any attachment > file name matches these text patterns | AttachmentNameMatchesPatterns | This condition matches messages with attachments whose file name contains the characters you specify. |
| Any attachment's file extension matches / Any attachment > file extension includes these words | AttachmentExtensionMatchesWords | This condition matches messages with attachments whose file name extension matches what you specify. |
| Any attachment is greater than or equal to / Any attachment > size is greater than or equal to | AttachmentSizeOver | This condition matches messages with attachments when those attachments are greater than or equal to the size you specify. |
| The message didn't complete scanning / Any attachment > didn't complete scanning | AttachmentProcessingLimitExceeded | This condition matches messages when an attachment is not inspected by the mail flow rules agent. |
| Any attachment has executable content / Any attachment > has executable content | AttachmentHasExecutableContent | This condition matches messages that contain executable files as attachments. The supported file types are listed later in this topic. |
| Any attachment is password protected / Any attachment > is password protected | AttachmentIsPasswordProtected | This condition matches messages with attachments that are protected by a password. Password detection only works for Office documents and .zip files. |
| Any attachment has these properties, including any of these words / Any attachment > has these properties, including any of these words | AttachmentPropertyContainsWords | This condition matches messages where the specified property of the attached Office document contains specified words. A property and its possible values are separated with a colon. Multiple values are separated with a comma. Multiple property/value pairs are also separated with a comma. |

Notes:

The condition names in Exchange Online PowerShell are parameter names on the New-TransportRule and Set-TransportRule cmdlets. For more information, see New-TransportRule.

Learn more about property types for these conditions at Mail flow rule conditions and exceptions (predicates) in Exchange Online and Mail flow rule conditions and exceptions (predicates) in Exchange Online Protection.

To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.

The mail flow rules use true type detection to inspect file properties rather than merely the file extensions. This helps to prevent malicious hackers from being able to bypass your rule by renaming a file extension. The following table lists the executable file types supported by these conditions. If a file is found that is not listed here, the AttachmentIsUnsupported condition is triggered.

 

| Type of file | Native extension |
|---|---|
| 32-bit Windows executable file with a dynamic link library extension. | .dll |
| Self-extracting executable program file. | .exe |
| Uninstallation executable file. | .exe |
| Program shortcut file. | .exe |
| 32-bit Windows executable file. | .exe |
| Microsoft Visio XML drawing file. | .vxd |
| OS/2 operating system file. | .os2 |
| 16-bit Windows executable file. | .w16 |
| Disk-operating system file. | .dos |
| European Institute for Computer Antivirus Research standard antivirus test file. | .com |
| Windows program information file. | .pif |
| Windows executable program file. | .exe |

Important:
.rar (self-extracting archive files created with the WinRAR archiver), .jar (Java archive files), and .obj (compiled source code, 3D object, or sequence files) files are not considered to be executable file types. To block these files, you can use mail flow rules that look for files with these extensions as described earlier in this topic, or you can configure an antimalware policy that blocks these file types (the common attachment types filter). For more information, see Configure anti-malware policies.
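The file-property conditions and the executable-type gap described above, as an added example (not taken from the original topic). It pairs the executable-content rule with an extension rule for .rar, .jar and .obj, and adds rules for password-protected, unscanned, oversized and classified attachments. The rule names, moderator address, 10 MB threshold and the "Classification" property are constructed placeholders, and an open Exchange Online PowerShell session is assumed.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already open.
# Rule names, the moderator address, the size and the property are placeholders.
$moderator = "mail-moderator@contoso.com"
$reject = @{ RejectMessageEnhancedStatusCode = "5.7.1"; SetAuditSeverity = "High" }

# Executables, identified by true type detection rather than by file name.
New-TransportRule -Name "Attachment: executable content" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments aren't accepted." @reject

# .rar, .jar and .obj aren't treated as executable: match them by extension.
New-TransportRule -Name "Attachment: rar, jar, obj by extension" `
    -AttachmentExtensionMatchesWords "rar", "jar", "obj" `
    -RejectMessageReasonText "This attachment type isn't accepted." @reject

# Password-protected attachments (detected for Office documents and .zip only).
New-TransportRule -Name "Attachment: password protected" `
    -AttachmentIsPasswordProtected $true `
    -Quarantine $true -SetAuditSeverity Medium

# An attachment the rules agent didn't finish inspecting: hold for approval.
New-TransportRule -Name "Attachment: scan incomplete" `
    -AttachmentProcessingLimitExceeded $true `
    -ModerateMessageByUser $moderator -SetAuditSeverity Medium

# Size threshold ("greater than or equal to").
New-TransportRule -Name "Attachment: 10 MB or larger" `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText "Attachments of 10 MB or more aren't accepted." @reject

# Office document property written by a classification system.
# Format: "Property:value1,value2".
New-TransportRule -Name "Attachment: classified Office document" `
    -SentToScope NotInOrganization `
    -AttachmentPropertyContainsWords "Classification:Confidential,Restricted" `
    -ModerateMessageByUser $moderator -SetAuditSeverity Medium

# Review what was created, in evaluation order.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode
```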

To help you manage important business information in email, you can include any of the attachment-related conditions along with the rules of a data loss prevention (DLP) policy.

DLP policies and attachment-related conditions can help you enforce your business needs by defining those needs as mail flow rule conditions, exceptions, and actions. When you include the sensitive information inspection in a DLP policy, any attachments to messages are scanned for that information only. However, attachment-related conditions such as size or file type are not included until you add the conditions listed in this topic. DLP is not available with all versions of Exchange; learn more at Data loss prevention.

For information on broadly blocking email with attachments, regardless of malware status, see Reducing malware threats through file attachment blocking in Exchange Online Protection.

 