Anyone who works with Office 365 knows that there is no shortage of new features rolling out; the pace at which new functionality is made available definitely keeps you on your toes.
Part of what inspired me to develop www.roadmapwatch.com is that I wanted to know more about when features progressed through the various stages on the official Office 365 Roadmap. Even with that tight watch of the roadmap, there are 164 features currently in some sort of “in progress” state and it’s hard to track them all.
On top of the features documented on the roadmap, there are occasionally small items that either slip through the cracks or aren’t worthy of a roadmap mention. One of those features is the “Common Attachment Blocking” feature in EOP that was introduced some time in the last month or so.
Below is a summary of what “Common Attachment Blocking” is all about…
The Timeline
Chatter about “Common Attachment Blocking (CAB)” started on one of the EOP blogs back around August 2015. In January of this year, there was a mention on a different EOP blog and on the Office blog that the feature would be coming in “the next quarter”. And then… Well, that was it. I never saw another mention of the feature or its rollout status.
It turns out that the feature was released in the last couple months and you’ll likely find it available in your tenant right now.
A “New” Feature?
There’s always been a way to block attachments by extension in EOP via a transport rule. However, using a transport rule gave you somewhat limited options when it came to the user experience. You could reject or delete a message with an attachment but there wasn’t a clean way to just strip the attachment and send the message along to the end user.
Using “Common Attachment Blocking”
You’ll find CAB buried in the Anti-Malware Filter Policy in EOP. From the Exchange Admin Center, if you navigate to “Protection” and then “Malware Filter”, you’ll see your default policy. On the “Settings” tab is the option to enable CAB; despite being “recommended”, it will be disabled by default in your policy.
Once enabled, there is a default list of 10 file extensions that Microsoft has selected and you can add more from a pre-defined list of 96 file extensions. All your favorites such as .exe, .com and .vbs are there.
TIP: While you cannot add custom extensions via the portal, it does appear that you can use the “-FileTypes” switch on the “Set-MalwareFilterPolicy” cmdlet to add extensions not in the list of 96.
User Experience
Any attachment file extension that you’ve selected will trigger the “Malware Detection Response” in your policy. You have the option to delete the message in its entirety or you can replace the attachment with a text file containing a notification.
The default notification looks like this:
Otherwise you can provide custom text in the notification.
Testing It Out
You can easily test out the feature by creating a second anti-malware policy (you’ll find CAB enabled by default on it) and applying it to only a subset of users via the options on the “Applied To” tab of the policy.
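The “-FileTypes” tip and the pilot-policy test above can be combined in one pass from Exchange Online PowerShell. This is an added example, not the author's own script; it assumes a connected session, and the policy name, pilot group and extra extensions are placeholders.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# Placeholder values (not from the article): policy/rule name, pilot group, extra extensions.
$PilotName  = 'CAB Pilot'
$PilotGroup = 'cab-pilot@contoso.com'
$ExtraTypes = 'iso', 'img'

# -FileTypes sets the whole list, so start from the extensions already configured
# on the default policy to avoid silently dropping any of them.
$current = @((Get-MalwareFilterPolicy -Identity 'Default').FileTypes)

# Normalise (lower-case, no leading dot), merge and de-duplicate.
$merged = @($current + $ExtraTypes |
    ForEach-Object { "$_".Trim().TrimStart('.').ToLowerInvariant() } |
    Where-Object { $_ } |
    Sort-Object -Unique)

# Create the second anti-malware policy with the attachment filter switched on.
New-MalwareFilterPolicy -Name $PilotName -EnableFileFilter $true -FileTypes $merged

# Scope it to the pilot group only (the "Applied To" tab in the portal).
New-MalwareFilterRule -Name $PilotName -MalwareFilterPolicy $PilotName `
    -SentToMemberOf $PilotGroup

# Confirm what is actually in effect before sending test messages.
Get-MalwareFilterPolicy -Identity $PilotName |
    Format-List Name, EnableFileFilter, FileTypes
Get-MalwareFilterRule -Identity $PilotName |
    Format-List Name, State, Priority, SentToMemberOf
```

Recipients outside the pilot group continue to fall through to the default policy, so the two extension lists can be compared side by side during the test.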
Give it a try! Let me know what you think in the comments below.
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.
Joe, as always I enjoy your Post. Thanks for keeping us informed. This is a very helpful feature.
Cool feature but we’d want exceptions to attachment blocking because there is a need to allow certain file types for specific recipients. Doesn’t look like that’s possible with Common Attachment Blocking, and we currently do it successfully with transport rules. Any idea if Microsoft may add exception capability to the feature in the future? Thanks for the great article.
Greg-
You can create policies based on user groupings and then have different lists of attachment extensions in the different policies. I think that would achieve what you’re trying to do.
Thanks for the comment.
Joe
Thanks Ken, I appreciate the feedback.
Thanks for always being on top of stuff
appreciated
Hi All, Lots of good information here. We have recently moved over to O365 and using EOP, and I’m running into a number of issues I hope you can shed some light on.
Basic Set up:
Protection off and blocking a number of extensions including .DOCM
Issues:
1 – EOP is blocking internal to internal mail using a .docm (it’s my understanding it kicks in with incoming and outgoing mail only and not internal to internal, or am I missing something?).
2 – As per your attachment above I am seeing approved file types being blocked, see below for examples both from Users on our estate.
Detections found:
Invoice (802).doc.docm O97M/Macrobe.C
Detections found:
Invoice (42).pdf.docm O97M/Macrobe.C
Users trying to send a .doc and a .pdf but being highlighted as .docm and looks to be double barreled with the .docm
Any insight would be great.
Thanks
Malachy Gillespie-
1 – Since the attachment filter is part of the malware policy, it will in fact scan internal messages as well.
2 – It appears that EOP is identifying a specific malware for those files. If they are not actually malicious, you may want to consider reporting to the Malware Protection Center (https://www.microsoft.com/en-us/security/portal/submission/submit.aspx).
Thanks
Joe
Joe,
Do you know if there are plans to allow us to do something with the Mail that has common attachment blocking action? Like, can I set it to SCL-9 (Personal Quarantine), or SCL-5 (Junk). I’m being challenged why I deliver the Message to Inbox, if I declare the attachment as Malware. Always looking for more administrative controls. – David
Hi to all,
I hope you can help me
I was doing some tests the last days regarding the Exchange Online malware filtering. I sent a message (from a Gmail account) to some email accounts of my company with a “.ex_” attachment. The weird thing is that on some user mailboxes the attachment got blocked (by Exchange Online malware filtering) while on some other accounts it wasn’t blocked.
Keep in mind that the “.ex_” file type is not on the list of the “Common Attachment Types Filter”.
Thank you in advance
Hi,
good job!
Is there a way to unblock blocked attachments? I tested the filter several times and my attachments have always been blocked. Fine! But how can I release an incorrectly blocked attachment?
Greetings!