Reducing an Organizations Email Attack Surface

In today’s cyber space the threat landscape is evolving on a daily basis.  There are many ways to reduce your company’s attack surface.  A simple way to reduce a company’s email attack surface is by blocking incoming file types.  Email attachments frequently contain malicious content that are delivered to organization’s end-users. These inbound attachments can contain numerous types of malicious files (ransomware, ZIP attachments with SCR scripts, .exe, Macros, VBscripts, etc.).

To block incoming file types see methods and policies outlined below.

Office 365 – Block Incoming File Types (Instructions)

  • Log into your office 365 “Administrator portal”
  • From the top bar, select, “Admin”, then select “Exchange”
  • From the Left Side bar, select “Mail Flow”
  • From the top bar select “Rules”
  • Click on the “+” icon and select “Create A New Rule”
  • First, Click on the “More Options” link at the bottom of the screen
  • Back, to the top of the screen, In the “Name” box, give the rule a name, Something like Incoming “Incoming Executable Extension Block Rule”
  • From the “Apply this rule if…” drop down box, hover the mouse over “Any attachment” and from the pop out box, select “file extension includes these words”
  • In the “Specify words or phrases” box, enter each extension you wish to block individually and without a . in front of the extension and click the “+” icon after each (A sample list is below) – To remove one, select the extension and use the “-” icon. – Once complete, select “OK”
  • Next, from the “Do the following.” drop down box, hover the mouse over “Block the message” and form the pop out box, select any applicable action. The best one to use is “reject the message and include an explanation” – you will be asked to specify a rejection reason, here you would typically have a basic explanation “Our organization does not permit certain attachments, for more information email helpdesk@companyxyz.com” or whichever email provides support at your organization.
  • Next, you can if you wish further configure the rule for exceptions and auditing, this is not necessary but optional. When finished click on the “save” button.
  • It will take some time for the rules to propagate and come into effect, typically leave it about an hour before testing from an external email account.

Exchange – Blocking incoming File Types (Instructions)

  • Sign in to the “Exchange Admin Center”
  • Go to Mail Flow > Rules
  • Select + (New) and then select create new rule.
  • In the Name box, specify a name for the rule and then select “More Options”.
  • Select the conditions and actions you want.

*These file types are intended as a sample only and not a recommendation as to what you should block at your own organization. As stated in the above article; please use with caution and testing is HIGHLY recommended.

Filetypes - {Sample File Types}

.asp

.asp

.bat

.cmd

.crt

.csh

.dll

.exe

.exe+

.gadget

.hlp

.hta

.inf

.js

.mag

.mam

.maq

.mar

.mas

.mat

.mau

.mav

.maw

.mda

.mdb

.mde

.mdt

.mdw

.mdz

.msc

.msi

.pif

.reg

.scf

.scr

.tmp

.vb

.vbe

.vbs

.vsmacros

.wsf

 

References:

https://support.office.com/en-us/article/Blocked-attachments-in-Outlook-3811cddc-17c3-4279-a30c-060ba0207372

http://social.technet.microsoft.com/wiki/contents/articles/24715.office-365-block-incoming-attachments-cryptolocker-and-other-email-transit-virus.aspx

http://nickwhittome.com/2014/10/16/blocking-executable-attachments-even-in-zip-files-on-office-365/

https://technet.microsoft.com/en-us/library/jj919236(v=exchg.150).aspx

 

Published by @portslug