Office 365 - Block Incoming Attachments (Cryptolocker and other email transit virus)

Introduction

This article is a quick guide to blocking executable attachments on incoming mail in Microsoft Office 365 Exchange.

Steps

  • Log in to your Office 365 administrator portal
  • From the top bar, select "Admin", then select "Exchange"
  • From the left sidebar, select "Mail Flow"
  • From the top bar, select "Rules"
  • Click the "+" icon and select "Create A New Rule"
  • First, click the "More Options" link at the bottom of the screen
  • Back at the top of the screen, in the "Name" box, give the rule a name, something like "Incoming Executable Extension Block Rule"
  • From the "Apply this rule if..." drop-down box, hover the mouse over "Any attachment" and, from the pop-out box, select "file extension includes these words"
  • In the "Specify words or phrases" box, enter each extension you wish to block individually, without a "." in front of the extension, and click the "+" icon after each (a sample list is below). To remove one, select the extension and use the "-" icon. Once complete, select "OK"
  • Next, from the "Do the following..." drop-down box, hover the mouse over "Block the message" and, from the pop-out box, select any applicable action. The best one to use is "reject the message and include an explanation". You will be asked to specify a rejection reason; here you would typically give a basic explanation such as "Our organization does not permit certain attachments, for more information email helpdesk@contoso.com", or whichever email address provides support at your organization.
  • Next, if you wish, you can further configure the rule with exceptions and auditing; this is optional, not necessary. When finished, click the "save" button.

It will take some time for the rule to propagate and come into effect; typically, leave it about an hour before testing from an external email account.

This is a sample list of extensions that my own organization wishes to block. This is intended as a sample only and not a recommendation as to what you should block at your own organization.

  • bat
  • chm
  • cmd
  • com
  • cpl
  • crt
  • exe
  • hlp
  • hta
  • inf
  • ins
  • isp
  • jse?
  • lnk
  • mdb
  • ms[cipt]
  • msi
  • pcd
  • pif
  • reg
  • scr
  • sct
  • shs
  • vb[se]
  • vbs
  • ws[fhc]
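
The rule built in the steps above can also be created from Exchange Online PowerShell. This is an added example, not part of the original article: it assumes the ExchangeOnlineManagement module is installed, treats the bracket and "?" entries in the sample list as regex-style shorthand to be expanded into literal extensions, and adds a sender scope that the portal steps do not set.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as an Exchange administrator

# Sample list from the article. Assumption: "jse?", "ms[cipt]", "vb[se]" and "ws[fhc]"
# are regex-style shorthand; the condition matches literal words, so they are expanded.
$patterns = 'bat','chm','cmd','com','cpl','crt','exe','hlp','hta','inf','ins','isp',
            'jse?','lnk','mdb','ms[cipt]','msi','pcd','pif','reg','scr','sct','shs',
            'vb[se]','vbs','ws[fhc]'

function Expand-ExtensionPattern {
    param([string]$Pattern)
    # Handles only the two shorthand forms used in the list above.
    if ($Pattern -match '^(\w*)\[(\w+)\](\w*)$') {      # one character class, e.g. ms[cipt]
        $prefix, $class, $suffix = $Matches[1], $Matches[2], $Matches[3]
        return $class.ToCharArray() | ForEach-Object { $prefix + $_ + $suffix }
    }
    if ($Pattern -match '^(\w+)(\w)\?$') {              # optional last character, e.g. jse?
        return $Matches[1], ($Matches[1] + $Matches[2])
    }
    return $Pattern                                     # plain extension, used as-is
}

# Expand every entry and drop duplicates (msi and vbs appear twice after expansion).
$extensions = $patterns | ForEach-Object { Expand-ExtensionPattern $_ } | Sort-Object -Unique

$rule = @{
    Name                            = 'Incoming Executable Extension Block Rule'
    # Assumption: limit the rule to senders outside the organization, matching the
    # article's "incoming" intent. Remove this key to mirror the portal steps exactly.
    FromScope                       = 'NotInOrganization'
    AttachmentExtensionMatchesWords = $extensions
    RejectMessageReasonText         = 'Our organization does not permit certain attachments, for more information email helpdesk@contoso.com'
}
New-TransportRule @rule

# Confirm what was stored before testing from an external account.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, AttachmentExtensionMatchesWords, RejectMessageReasonText
```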