Why Exchange Online Protection didn’t block this virus and what can I do?
Before proceeding with the core part of this article, I would like to describe a bit the Exchange Online Protection malware filter.
Appendix
EOP - Exchange Online Protection
O365 - Office 365
OWA - Outlook Web App
EOP Anti-Malware protection is a layered system using multiple anti-malware scan engines in order to protect against all known and unknown threats.
However, when we talk about zero-days attacks this is a constant fight between the anti-malware companies and the attackers.
How to react and increase your protection in case of a Zero-Day Attack? Please check the below two articles:
Blocking Malware and Spoof Attacks in Office 365 Zero-Day Malware Attacks
Malware can come in different ways into an email system:
- An attachment from a legitimate looking internal or external sender (spoofed sender)What is spoofing and how can I protect?
- An e-mail containing a link to a malware site. Etc.
The attackers will always try to trick the antispam protection in order for the email to be delivered to the targeted user inbox.
During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write policy rules that detect the threat even before a definition is available from any of the engines used by the service. These rules are published to the global network hourly to provide your organization with an extra layer of protection against attacks.
In the cases I dealt with the EOP anti-malware filter I was always asked two questions:
1. Why my local antivirus detected the suspicions file and EOP didn’t?
To answer this question, first you should know that when we talk about malware detection there are two terms to describe this detection.
- False-Positive – which means that a file was incorrectly detected as being a malware
- False-Negative – which means that a malware file passed the anti-malware protection and thus was undetected.
Each anti-malware solution chooses on its own how to publish the virus signatures in order to detect malware.
This signatures can be published to cover an extended hash or to cover a more specific hash.
Neither of these approaches are bullet proof.
For example, if you choose to publish an extended hash you will have a lot of False-Positive situations and in EOP scenario the mail flow will be affected.
In EOP the False-Positive situations happens often and can have an high business impact on an organization.
For example, think on the below scenario:
- Contoso is a large organization in O365 having to deal with orders from its clients.
- It has automatic CRM system which process the orders and generate a confirmation email containing a PDF / XLSX or DOCX file
- The CRM system sends the email through O365 and it is blocked as Malware.
What do you think the business impact will be on this organization, not being able to confirm his orders to its customers?
So you see what I mean, when I will say, that you cannot compare a locally installed anti-malware solution with an anti-malware solution which needs to process hundreds of millions of emails and decide what is legit and what is not, in seconds, without affecting the mail flow.
It’s also important to understand the difference between an infected and a clean email.
Any email that has an attachment containing a malicious script or executable, is considered a malware. This doesn’t include subscription-based messages with links to malicious sites. Those messages would be considered spam and not malware, and a different approach is used for spam messages.
For more information about combating spam using EOP, please see Anti-Spam Protection and its associated subtopics, including Submitting spam and non-spam messages to Microsoft for analysis.
2. How can I submit a file for analysis if my local antivirus deletes the file?
Whenever you will open a case to Microsoft to investigate a False-Negative malware situation, you will always be asked to:
- Submit the sample to Malware Protection Center.How can I submit?
- Provide the MMPC submission number.
- Provide an Advanced Message Trace from O365 for the affected message.
Now to answer to the question, there is no procedure on how to do this and honestly it is almost impossible to provide guidance to such behavior.
This is because an anti-malware company cannot recommend how to avoid the scanning, like disabling the local antivirus or opening the file from a different location. This scenarios are uncontrollable and what could happen during this actions are uncontrollable too.
This is also why all the anti-malware solutions recommend just "to submit the file for analysis"
However, there are certain steps that can be performed, but with the same disclaimer that these steps are uncontrollable and what could happen during this actions is uncontrollable too.
Step 1
- Create a transport rule to Quarantine certain types of emails.If the message...Includes these words in the message subject or body: 'example xxxxxx'Do the following...Deliver the message to the hosted quarantine.Except if...Is received from 'Inside the organization'
- Release the message from the Hosted Quarantine to a specific mailbox and open the mailbox in a controlled environment without an enabled anti-malware.How to release a message from Quarantine?
- Save the attachment from the Outlook client or OWA.
- Submit the file for analysis.
A controllable environment could be for example a trial Azure Machine
Step 2
- Create a shared mailbox in O365.
- Connect to Office 365 using Power Shell.
- Assign yourself Full Access permission on the shared mailbox using Power Shell.Add-MailboxPermission -Identity "Shared Mailbox Name" -User "Your Account" -AccessRights FullAccess -InheritanceType All -AutoMapping $falseHow to assign mailbox permissions?It is important to do this from Power Shell in order to disable the Auto Mapping of the shared mailbox to your account.If you can use a test or another non production account will be better.
- Create a transport rule to forward the messages sent to the affected user to the shared mailbox.If the message...Is sent to 'Affected User'Do the following...Copy (Cc) the message to 'Shared Mailbox'Except if...Is received from 'Inside the organization'
- When the affected user will experience a similar situation open the shared mailbox from OWA, from a controllable environment.How to open a shared mailbox from OWA?
- Submit the file for analysis