Use transport rules to inspect message attachments
Applies to: Exchange Server 2013
You can inspect email attachments in your organization by setting up transport rules. Exchange offers transport rules that provide the ability to examine email attachments as a part of your messaging security and compliance needs. When you inspect attachments, you can then take action on the messages that were inspected based on the content or characteristics of those attachments. Here are some attachment-related tasks you can do by using transport rules:
- Search files in compressed attachments such as .zip and .rar files and, if there's any text that matches a pattern you specify, add a disclaimer to the end of the message.
- Inspect content within attachments and, if there are any keywords you specify, redirect the message to a moderator for approval before it's delivered.
- Check for messages with attachments that can't be inspected and then block the entire message from being sent.
- Check for attachments that exceed a certain size and then notify the sender of the issue if you choose to prevent the message from being delivered.
- Create notifications that alert users if they send a message that has matched a transport rule.
- Block all messages containing attachments. For examples, see Common attachment blocking scenarios.
Exchange administrators can create transport rules by going to Exchange admin center > Mail flow > Rules. You need to be assigned permissions before you can perform this procedure. After you start to create a new rule, you can see the full list of attachment-related conditions by clicking More options > Any attachment under Apply this rule if. The attachment-related options are shown in the following diagram.
For more information about transport rules, including the full range of conditions and actions that you can choose, see Mail flow or transport rules. Exchange Online Protection (EOP) and hybrid customers can benefit from the transport rules best practices provided in Best practices for configuring EOP. If you're ready to start creating rules, see Manage transport rules in Exchange 2013.
Inspect the content within attachments
You can use the transport rule conditions in the following table to examine the content of attachments to messages. For these conditions, only the first 150 KB of an attachment is inspected. In order to start using these conditions when inspecting messages, you need to add them to a transport rule. Learn about creating or changing rules at Manage transport rules in Exchange 2013.
Condition name in EAC | Condition name in the Shell | Description |
---|---|---|
Any attachment content includes any of these words | AttachmentContainsWords | This condition matches messages with supported file type attachments that contain a specified string or group of characters. |
Any attachment content matches these text patterns | AttachmentMatchesPatterns | This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression. |
The Exchange Management Shell names for the conditions listed here are parameters that require the TransportRule cmdlet.
- Learn more about the cmdlet at New-TransportRule.
- Learn more about property types for these conditions at Conditions and Condition Properties for a Mailbox Server.
Transport rules can inspect only the content of supported file types. If the transport rules agent encounters an attachment that isn't in the list of supported file types, the AttachmentIsUnsupported condition is triggered. The supported file types are listed in the following section. Any file not listed will trigger the AttachmentIsUnsupported condition.
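The content-inspection conditions above, expressed as Exchange Management Shell rules. This is an added example, not from the original topic; the moderator address, the rule names and the project-code pattern are assumed values.

```powershell
# Added example: rules built from the content-inspection conditions above.
# Assumed: moderator@contoso.com exists; rule names and the pattern are illustrative.

# 1. Attachment text matches a regular expression -> hold for moderation.
#    Only the first 150 KB of each attachment is inspected, so a match deep
#    inside a large file will not trigger this rule.
New-TransportRule -Name "Moderate attachments with project codes" `
    -AttachmentMatchesPatterns "PRJ-\d{4}" `
    -ModerateMessageByUser "moderator@contoso.com" `
    -Comments "Content match is limited to the first 150 KB of each attachment."

# 2. Attachment contains any of the listed words -> append a disclaimer.
#    Wrap keeps the message deliverable if the HTML cannot be modified in place.
New-TransportRule -Name "Disclaimer for confidential attachments" `
    -AttachmentContainsWords "Confidential","Internal Only" `
    -ApplyHtmlDisclaimerText "<p>This message contains material marked confidential.</p>" `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 3. Attachment is not a supported file type, so its content was never
#    inspected -> reject. Start in Audit mode to see what would be blocked,
#    then switch to Enforce once the hit rate looks right.
New-TransportRule -Name "Reject uninspectable attachments" `
    -AttachmentIsUnsupported $true `
    -RejectMessageReasonText "Attachment type cannot be inspected by policy." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit

# Review the rules, then move rule 3 from Audit to Enforce.
Get-TransportRule | Format-Table Name, Priority, State, Mode
Set-TransportRule -Identity "Reject uninspectable attachments" -Mode Enforce
```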
Compressed archive files
If the message contains a compressed archive file such as a .zip or .cab file, the transport rules agent will inspect the files contained within that attachment. Such messages are processed in a manner similar to messages that have multiple attachments. The properties of compressed archive files aren't inspected. For example, if the container file type supports comments, that field isn't inspected.
Supported file types for transport rule content inspection
The following table lists the file types supported by transport rules. The system automatically detects file types by inspecting file properties rather than the actual file name extension. This behavior helps to prevent hackers from bypassing transport rule filtering by renaming a file extension. A list of file types with executable code that can be checked within the context of transport rules is listed later in this topic.
Category | File extension | Notes |
---|---|---|
Office 2013, Office 2010, and Office 2007 | .docm, .docx, .pptm, .pptx, .pub, .one, .xlsb, .xlsm, .xlsx | Microsoft OneNote and Microsoft Publisher files aren't supported by default. You can enable support for these file types by using IFilter integration. For more information, see Register Filter Pack IFilters with Exchange 2013. The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected. |
Office 2003 | .doc, .ppt, .xls | None |
Additional Office files | .rtf, .vdw, .vsd, .vss, .vst | None |
Adobe PDF | .pdf | None |
HTML | .html | None |
XML | .xml, .odp, .ods, .odt | None |
Text | .txt, .asm, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .pl, .rc, .reg, .vbs, .wtx | None |
OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected. |
AutoCAD Drawing | .dxf | AutoCAD 2013 files aren't supported. |
Image | .jpg, .tiff | Only the metadata text associated with these image files is inspected. There's no optical character recognition. |
Note: AutoCAD Drawing (.dxf) and Image (.jpg, .tiff) file types can no longer be inspected after the Exchange Server March 2024 SU has been installed. More information can be found in KB5037191.
Inspect the file properties of attachments
The following transport rule conditions inspect the properties of a file that's attached to a message. In order to start using these conditions when inspecting messages, you need to add them to a transport rule. A list of supported file types with executable code that can be checked within the context of transport rules is listed here. For more information about creating or changing rules, see Manage transport rules in Exchange 2013.
Condition name in EAC | Condition name in the Shell | Description |
---|---|---|
Any attachment file name matches these text patterns | AttachmentNameMatchesPatterns | This condition matches messages with supported file type attachments when those attachments have a name that contains the characters you specify. |
Any attachment file extension includes these words | AttachmentExtensionMatchesWords | This condition matches messages with supported file type attachments when the file name extension matches what you specify. |
Any attachment size is greater than or equal to | AttachmentSizeOver | This condition matches messages with supported file type attachments when those attachments are larger than the size you specify. |
Any attachment didn't complete scanning | AttachmentProcessingLimitExceeded | This condition matches messages when an attachment isn't inspected by the transport rules agent. |
Any attachment has executable content | AttachmentHasExecutableContent | This condition matches messages that contain executable files as attachments. The supported file types are listed here. |
Any attachment is password protected | AttachmentIsPasswordProtected | This condition matches messages with supported file type attachments when those attachments are protected by a password. |
The Exchange Management Shell names for the conditions listed here are parameters that require the TransportRule cmdlet.
- Learn more about the cmdlet at New-TransportRule.
- Learn more about property types for these conditions at Conditions and Condition Properties for a Mailbox Server.
Supported executable file types for transport rule inspection
The transport agent uses true type detection by inspecting file properties rather than merely the file extensions. This detection helps to prevent hackers from bypassing your rule by renaming a file extension. The following table lists the executable file types supported by these conditions. If a file is found that isn't listed here, the AttachmentIsUnsupported condition is triggered.
Type of file | Native extension |
---|---|
Self-extracting archive file created with the WinRAR archiver. | .rar |
32-bit Windows executable file with a dynamic link library extension. | .dll |
Self-extracting executable program file. | .exe |
Java archive file. | .jar |
Uninstallation executable file. | .exe |
Program shortcut file. | .exe |
Compiled source code file or 3-D object file or sequence file. | .obj |
32-bit Windows executable file. | .exe |
Microsoft Visio XML drawing file. | .vxd |
OS/2 operating system file. | .os2 |
16-bit Windows executable file. | .w16 |
Disk-operating system file. | .dos |
European Institute for Computer Antivirus Research standard antivirus test file. | .com |
Windows program information file. | .pif |
Windows executable program file. | .exe |
Extending the number of supported file types
The supported file types listed in this topic can be revised at any time using IFilter integration. For more information, see Register Filter Pack IFilters with Exchange 2013.
The file types you add using this process become supported file types and no longer trigger the AttachmentIsUnsupported condition.
Data loss prevention policies and attachment transport rules
To help you manage important business information in email, you can include any of the attachment-related conditions along with the rules of a data loss prevention (DLP) policy. For example, you might want to allow messages with passport numbers to be sent but only if the passport numbers are in a password-protected attachment. To accomplish this, do the following steps:
- Create a DLP policy that inspects mail for passport-related sensitive information. Learn more at DLP procedures.
- Add the Any attachment is password protected exception in the Except if... transport rule area.
- Define an action to take on mail that contains passport numbers that aren't in the protected file.
DLP policies and attachment-related conditions can help you enforce your business needs by defining those needs as transport rule conditions, exceptions, and actions. When you include the sensitive information inspection in a DLP policy, any attachments to messages are scanned for that information only. However, attachment-related conditions such as size or file type aren't included until you add the conditions listed in this topic. DLP isn't available with all versions of Exchange; learn more at Data loss prevention.
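The file-property conditions from the "Inspect the file properties of attachments" section and the passport-number scenario above, written as Exchange Management Shell rules. This is an added example, not from the original topic; it expresses the DLP scenario as a single transport rule carrying the data classification condition rather than through the DLP policy wizard. The contoso.com organization, the rule names and the sensitive information type name are assumed values.

```powershell
# Added example: rules built from the file-property conditions and the DLP walkthrough.
# Assumed: contoso.com is the organization; rule names are illustrative;
# the data classification name can be confirmed with Get-DataClassification.

# 1. Executable content, detected from file properties rather than the
#    extension, so a renamed .exe still matches -> reject and tell the sender.
New-TransportRule -Name "Block executable attachments" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not accepted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 2. The agent did not finish scanning an attachment. An incomplete scan is
#    not a clean scan, so quarantine the message for review instead of delivering it.
New-TransportRule -Name "Quarantine unscanned attachments" `
    -AttachmentProcessingLimitExceeded $true `
    -Quarantine $true

# 3. Attachments of 10 MB or more sent from inside the organization -> reject
#    with a reason the sender can act on.
New-TransportRule -Name "Reject oversized attachments" `
    -FromScope InOrganization `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText "Attachment exceeds the 10 MB limit." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 4. Passport numbers may leave the organization only inside a password-protected
#    attachment. The exception lets protected files through; everything else
#    carrying a passport number is rejected. AuditAndNotify reports matches to the
#    sender without blocking, which is a safe way to validate the rule before Enforce.
New-TransportRule -Name "Passport numbers only in protected attachments" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name="U.S. / U.K. Passport Number"} `
    -ExceptIfAttachmentIsPasswordProtected $true `
    -RejectMessageReasonText "Passport numbers must be sent in a password-protected file." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -SetAuditSeverity High `
    -Mode AuditAndNotify
```

Note that rule 4 only rejects while in Enforce mode; while it is in AuditAndNotify the match is logged and reported but the message is still delivered.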