
Using transport rules to inspect message attachments

Applies to: Exchange Online, Exchange Online Protection

Topic Last Modified: 2015-04-22

You can inspect email attachments in your organization by setting up transport rules, which let you examine attachments as part of your messaging security and compliance needs. After attachments are inspected, you can take action on the messages based on the content or characteristics of those attachments. Here are some attachment-related tasks you can do by using transport rules:

  • Search for files with text that matches a pattern you specify, and add a disclaimer to the end of the message.

  • Inspect content within attachments and, if there are any keywords you specify, redirect the message to a moderator for approval before it’s delivered.

  • Check for messages with attachments that can’t be inspected and then block the entire message from being sent.

  • Check for attachments that exceed a certain size and then notify the sender of the issue if you choose to prevent the message from being delivered.

  • Check whether the properties of an attached Office document match the values that you specify. With this condition, you can integrate the requirements of your Exchange transport rules and DLP policies with a third-party classification system, such as SharePoint Server 2013 or Windows Server 2012 R2 File Classification Infrastructure (FCI).

  • Create notifications that alert users if they send a message that has matched a transport rule.

  • Block all messages containing attachments. For examples, see Common attachment blocking scenarios.

Note:
All of these conditions will scan compressed archive attachments.

Exchange administrators can create transport rules by going to Exchange Admin Center > Mail flow > Rules. You need to be assigned permissions before you can perform this procedure. After you start to create a new rule, you can see the full list of attachment-related conditions by clicking More options > Any attachment under Apply this rule if. The attachment-related options are shown in the following diagram.

List of conditions for attachments

For more information about transport rules, including the full range of conditions and actions that you can choose, see Transport rules. Exchange Online Protection (EOP) and hybrid customers can benefit from the transport rules best practices provided in Best practices for configuring EOP. If you’re ready to start creating rules, see Manage Transport Rules.

You can use the transport rule conditions in the following table to examine the content of attachments to messages. For these conditions, only the first 1 MB of text extracted from an attachment is inspected. Note that the 1 MB limit refers to the extracted text, not the file size of the attachment. For example, a 2 MB file may contain less than 1 MB of text, so all of the text would be inspected.

In order to start using these conditions when inspecting messages, you need to add them to a transport rule. Learn about creating or changing rules at Manage Transport Rules.

 

| Condition name in EAC | Condition name in the Shell | Description |
| --- | --- | --- |
| Any attachment content includes any of these words | AttachmentContainsWords | This condition matches messages with supported file type attachments that contain a specified string or group of characters. |
| Any attachment content matches these text patterns | AttachmentMatchesPatterns | This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression. |

The Exchange Management Shell names for the conditions listed here are parameters that require the TransportRule cmdlet.

Learn more about the cmdlet at New-TransportRule.

Learn more about property types for these conditions at Conditions and condition properties in Exchange Online and Conditions and condition properties in Exchange Online Protection.

To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online using remote PowerShell.
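The two content conditions in the table above, used in rules that cover the moderation and disclaimer tasks listed at the start of this topic. This is an added example, not part of the original topic; the rule names, keywords, pattern, disclaimer text and moderator address are constructed placeholders.

```powershell
# Added example, not part of the original topic. Run in an Exchange Online
# remote PowerShell session. Rule names, keywords, the pattern and the
# moderator address are constructed placeholders.

# Keyword match in extracted attachment text: hold for moderator approval.
$moderate = @{
    Name                    = 'Moderate - attachment mentions Project Falcon'
    AttachmentContainsWords = 'Project Falcon', 'internal only'
    ModerateMessageByUser   = 'moderator@contoso.com'
    Mode                    = 'Audit'   # log matches only until the rule is tuned
}
New-TransportRule @moderate

# Regular-expression match in extracted attachment text: append a disclaimer.
$disclaimer = @{
    Name                              = 'Disclaimer - attachment has employee ID'
    AttachmentMatchesPatterns         = 'EMP-\d\d\d\d\d\d'
    ApplyHtmlDisclaimerLocation       = 'Append'
    ApplyHtmlDisclaimerText           = '<p>This message carries employee data.</p>'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    Mode                              = 'Audit'
}
New-TransportRule @disclaimer

# Run later, once the audit results look right, to start enforcing the rules:
# Set-TransportRule -Identity $moderate.Name   -Mode Enforce
# Set-TransportRule -Identity $disclaimer.Name -Mode Enforce
```

Only the first 1 MB of extracted text is inspected, so a keyword or pattern that appears later in a long document does not trigger either rule.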

Transport rules can inspect only the content of supported file types. If the transport rules agent encounters an attachment that isn't in the list of supported file types, the AttachmentIsUnsupported condition is triggered. The supported file types are listed in the following section. Any file not listed will trigger the AttachmentIsUnsupported condition.

The following table lists the file types supported by transport rules. The system automatically detects file types by inspecting file properties rather than the actual file name extension, thus helping to prevent malicious hackers from being able to bypass transport rule filtering by renaming a file extension. A list of file types with executable code that can be checked within the context of transport rules is listed later in this topic.

 

| Category | File extension | Notes |
| --- | --- | --- |
| Office 2013, Office 2010, and Office 2007 | .docm, .docx, .pptm, .pptx, .pub, .one, .xlsb, .xlsm, .xlsx | Microsoft OneNote and Microsoft Publisher files aren’t supported by default. The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren’t embedded—for example, linked documents—aren’t inspected. |
| Office 2003 | .doc, .ppt, .xls | None |
| Additional Office files | .rtf, .vdw, .vsd, .vss, .vst | None |
| Adobe PDF | .pdf | None |
| HTML | .html | None |
| XML | .xml, .odp, .ods, .odt | None |
| Text | .txt, .asm, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .pl, .rc, .reg, .txt, .vbs, .wtx | None |
| OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren’t inspected. |
| AutoCAD Drawing | .dxf | AutoCAD 2013 files aren’t supported. |
| Image | .jpg, .tiff | Only the metadata text associated with these image files is inspected. There is no optical character recognition. |
| Compressed archive files | .bz2, .cab, .gz, .rar, .tar, .zip, .7z | The content of these files, which were originally in a supported file type format, are inspected and processed in a manner similar to messages that have multiple attachments. The properties of the compressed archive file itself are not inspected. For example, if the container file type supports comments, that field isn’t inspected. |

The following conditions can be used in transport rules to inspect different properties of files that are attached to messages. In order to start using these conditions when inspecting messages, you need to add them to a transport rule. For more information about creating or changing rules, see Manage Transport Rules.

 

| Condition name in EAC | Condition name in the Shell | Description |
| --- | --- | --- |
| Any attachment file name matches these text patterns | AttachmentNameMatchesPatterns | This condition matches messages with attachments whose file name contains the characters you specify. |
| Any attachment file extension includes these words | AttachmentExtensionMatchesWords | This condition matches messages with attachments whose file name extension matches what you specify. |
| Any attachment size is greater than or equal to | AttachmentSizeOver | This condition matches messages with attachments when those attachments are greater than or equal to the size you specify. |
| Any attachment didn’t complete scanning | AttachmentProcessingLimitExceeded | This condition matches messages when an attachment is not inspected by the transport rules agent. |
| Any attachment has executable content | AttachmentHasExecutableContent | This condition matches messages that contain executable files as attachments. The supported file types are listed here. |
| Any attachment is password protected | AttachmentIsPasswordProtected | This condition matches messages with attachments that are protected by a password. |
| Any attachment has these properties, including any of these words | AttachmentPropertyContainsWords | This condition matches messages where the specified property of the attached Office document contains specified words. A property and its possible values are separated with a colon. Multiple values are separated with a comma. Multiple property/value pairs are also separated with a comma. |

The Exchange Management Shell names for the conditions listed here are parameters that require the TransportRule cmdlet.

Learn more about the cmdlet at New-TransportRule.

Learn more about property types for these conditions at Conditions and condition properties in Exchange Online and Conditions and condition properties in Exchange Online Protection.

To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online using remote PowerShell.

The transport agent uses true type detection by inspecting file properties rather than merely the file extensions. This helps to prevent malicious hackers from being able to bypass your rule by renaming a file extension. The following table lists the executable file types supported by these conditions. If a file is found that is not listed here, the AttachmentIsUnsupported condition is triggered.

 

| Type of file | Native extension |
| --- | --- |
| Self-extracting archive file created with the WinRAR archiver. | .rar |
| 32-bit Windows executable file with a dynamic link library extension. | .dll |
| Self-extracting executable program file. | .exe |
| Java archive file. | .jar |
| Uninstallation executable file. | .exe |
| Program shortcut file. | .exe |
| Compiled source code file or 3-D object file or sequence file. | .obj |
| 32-bit Windows executable file. | .exe |
| Microsoft Visio XML drawing file. | .vxd |
| OS/2 operating system file. | .os2 |
| 16-bit Windows executable file. | .w16 |
| Disk-operating system file. | .dos |
| European Institute for Computer Antivirus Research standard antivirus test file. | .com |
| Windows program information file. | .pif |
| Windows executable program file. | .exe |
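The file-property conditions above and the AttachmentIsUnsupported condition described under the supported file types, combined into a set of blocking rules. This is an added example, not part of the original topic; the rule names, reason texts, the 10MB threshold and the 'Business Impact:High' property/value pair are constructed placeholders.

```powershell
# Added example, not part of the original topic. Run in an Exchange Online
# remote PowerShell session. Names, reason texts, the size threshold and the
# document property/value pair are constructed placeholders.

# Conditions inside a single rule must all match, so each check gets its own rule.
$rules = @(
    @{ Name                    = 'Block - attachment type not inspectable'
       AttachmentIsUnsupported = $true
       RejectMessageReasonText = 'An attachment is of a type that cannot be inspected.' }

    @{ Name                              = 'Block - attachment scan incomplete'
       AttachmentProcessingLimitExceeded = $true
       RejectMessageReasonText           = 'An attachment could not be fully scanned.' }

    @{ Name                           = 'Block - executable attachment'
       AttachmentHasExecutableContent = $true
       RejectMessageReasonText        = 'Executable attachments are not accepted.' }

    @{ Name                    = 'Block - attachment 10MB or larger'
       AttachmentSizeOver      = 10MB
       RejectMessageReasonText = 'An attachment is 10 MB or larger.' }

    # Property and value are separated by a colon, as described in the table.
    @{ Name                            = 'Block - High business impact document'
       AttachmentPropertyContainsWords = 'Business Impact:High'
       RejectMessageReasonText         = 'Documents classified High impact cannot be mailed.' }
)

foreach ($r in $rules) {
    # Audit mode records matches without rejecting mail while the rules are tuned.
    New-TransportRule @r -RejectMessageEnhancedStatusCode '5.7.1' -Mode Audit
}

# Review what was created before switching any rule to -Mode Enforce.
Get-TransportRule |
    Where-Object Name -like 'Block - *' |
    Format-Table Name, Mode, State, Priority
```

Because detection is by true file type, the executable rule does not depend on the attachment's file name; an extension-based rule using AttachmentExtensionMatchesWords would.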

To help you manage important business information in email, you can include any of the attachment-related conditions along with the rules of a data loss prevention (DLP) policy. For example, you might want to allow messages with passport numbers to be sent but only if the passport numbers are in a password-protected attachment. To accomplish this, do the following:

  • Create a DLP policy that inspects mail for passport-related sensitive information. Learn more at DLP procedures.

  • Add the Any attachment is password protected exception in the Except if transport rule area.

  • Define an action to take on mail that contains passport numbers that are not in the protected file.

DLP policies and attachment-related conditions can help you enforce your business needs by defining those needs as transport rule conditions, exceptions, and actions. When you include the sensitive information inspection in a DLP policy, any attachments to messages are scanned for that information only. However, attachment-related conditions such as size or file type are not included until you add the conditions listed in this topic. DLP is not available with all versions of Exchange; learn more at Data loss prevention.
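The passport-number procedure above as a single rule, shown as an added example that is not part of the original topic. It assumes a DLP policy named 'Passport data' (a hypothetical name) already exists from the first step; the rule name and rejection text are constructed placeholders.

```powershell
# Added example, not part of the original topic. Run in an Exchange Online
# remote PowerShell session. Assumes a DLP policy named 'Passport data'
# (hypothetical) has already been created; rule name and text are placeholders.

# List the sensitive information types available to the organization and
# confirm the exact name of the passport classification before using it.
Get-DataClassification | Where-Object Name -like '*Passport*' | Format-Table Name

$rule = @{
    Name                                  = 'Passport numbers outside protected file'
    DlpPolicy                             = 'Passport data'
    # Condition: the message contains passport-number sensitive information.
    MessageContainsDataClassifications    = @{ Name = 'U.S. / U.K. Passport Number' }
    # Exception: skip the rule when an attachment is password protected.
    ExceptIfAttachmentIsPasswordProtected = $true
    # Action: reject and tell the sender how to resend.
    RejectMessageReasonText               = 'Send passport numbers only in a password-protected attachment.'
    Mode                                  = 'Audit'   # switch to Enforce after review
}
New-TransportRule @rule

# Confirm the condition, exception and action were stored as intended.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, DlpPolicy, Mode, Conditions, Exceptions, Actions
```

The exception is evaluated per message, so it applies whenever any attachment on the message is password protected.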

© 2015 Microsoft