Send Email through Graph API works w/o attachment, but messages quarantined w/attachment

Question

Send Email through Graph API works w/o attachment, but messages quarantined w/attachment

GraniteStateColin 156

We're using the send mail feature in Graph API to send email through Exchange. Works fine as long as there's no attachment. However, when we include an attachment, Exchange always quarantines the message, tagged for "malware." It reports "Blocked by organization policy : Antimalware policy block by file type." We have problem sending emails with attachments normally, so I think that proves there is no policy preventing sending messages with attachments. We only have the problem when sending via Graph API.

It doesn't seem to matter what the attachment is -- even just a plain text file attachment is flagged as malware. No other errors. This was true for smaller direct attachments or larger combined files over the 4MB limit through the assembly method (no difference in results that we can tell).

Same effect whether the recipient is external or has a mailbox on the tenant -- works if no attachment, quarantined if it does have an attachment.

I haven't been able to find anything on this yet, but I assume we're missing something so simple and obvious that it doesn't even merit much discussion on the Internet. Perhaps it's just a setting change in Exchange? Or maybe there's a need to set a MIME type as part of the sending process?

What could explain this quarantining problem and any suggestions how to resolve so these messages go through?

Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2022-12-28T06:26:06.267+00:00

Hi @GraniteStateColin ,

Please check the Anti-malware Policies page: Whether there are other anti-malware policies customized in addition to the default policy：Anti-malware - Microsoft 365 security
If so, please provide relevant screenshots of this custom policy for us to research better.
(Please note that this is a public forum, hide your personal information carefully.)

In addition, you could use message trace tool to find out why the messages were detected to contain malware: Message trace in the modern EAC in Exchange Online | Microsoft Learn
Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2023-01-03T08:42:55+00:00

Hi @GraniteStateColin ,
It has been a few days and I am checking in to see how things are going on with this issue. Does this issue have any updates?Do you perhaps have any further concerns or questions?
GraniteStateColin 156 Reputation points

2023-01-06T15:41:52.49+00:00

Thanks. I have already performed the trace, which is what led to this post. The problem and question is that the trace shows the message being quarantined as malware.

On further review, I have learned that it's definitely a problem with the quarantining and malware detection for our tenant. There is nothing wrong with these files: at least for our tenant, Exchange is flagging as malware all EPUB files. Our settings appear to be defaults. Microsoft lets these exact same files go through without issue to @harsh.com .com personal mail addresses.

At the link you provided, the only "action=" value I see is "none." There is no "ama" in the message headers released from Quarantine, so seems that means it should not have even been quarantined.

Quite confused. Any ideas?

1 answer

Your answer

Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2022-12-28T06:26:06.267+00:00

Hi @GraniteStateColin ,

Please check the Anti-malware Policies page: Whether there are other anti-malware policies customized in addition to the default policy：Anti-malware - Microsoft 365 security
If so, please provide relevant screenshots of this custom policy for us to research better.
(Please note that this is a public forum, hide your personal information carefully.)

In addition, you could use message trace tool to find out why the messages were detected to contain malware: Message trace in the modern EAC in Exchange Online | Microsoft Learn
Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2023-01-03T08:42:55+00:00

Hi @GraniteStateColin ,
It has been a few days and I am checking in to see how things are going on with this issue. Does this issue have any updates?Do you perhaps have any further concerns or questions?
GraniteStateColin 156 Reputation points

2023-01-06T15:41:52.49+00:00

Thanks. I have already performed the trace, which is what led to this post. The problem and question is that the trace shows the message being quarantined as malware.

On further review, I have learned that it's definitely a problem with the quarantining and malware detection for our tenant. There is nothing wrong with these files: at least for our tenant, Exchange is flagging as malware all EPUB files. Our settings appear to be defaults. Microsoft lets these exact same files go through without issue to @harsh.com .com personal mail addresses.

At the link you provided, the only "action=" value I see is "none." There is no "ama" in the message headers released from Quarantine, so seems that means it should not have even been quarantined.

Quite confused. Any ideas?

Answer 1

In working on this with Microsoft support, we confirmed that this is a problem for enterprise or academic tenants (but not their @outlook.com clients) with their default anti-malware filter. It will block most EPUB files.

This is because they have a bug/deficiency in that their default blocked files include .JAR files, and many (not all) EPUB files have a .JAR file inside them. An EPUB is effectively a zipped container with a bunch of HTML and related files. These files will often include a .JAR file, which Exchange Online flags by default as malware.

To fix this, if you want to receive EPUB files at your tenant, be sure to disable the .JAR filter in the Anti-malware filter.

Share via

Send Email through Graph API works w/o attachment, but messages quarantined w/attachment

1 answer

Your answer