Reducing an Organizations Email Attack Surface

In today’s cyber landscape threats are evolving on a daily basis.  There are many ways to reduce your company’s attack surface.  A simple way to reduce a company’s email attack surface is by blocking incoming file types.  Email attachments frequently contain malicious content that are delivered to organization’s end-users. These inbound attachments can contain numerous types of malicious files (ransomware, ZIP attachments with SCR scripts, .exe, Macros, VBscripts, etc.).

To block incoming file types see methods and policies outlined below.

It is important to spend some time testing these rules before implementing any policies in your organization and do so with caution! In some cases clients have had all of their mail blocked when using some methods and these policies can take hours to propagate across an organization. This is why testing rules before implementation is HIGHLY recommended.

Office 365 – Block Incoming File Types (Instructions)

• Log into your office 365 “Administrator portal”
• From the top bar, select, "Admin", then select "Exchange"
• From the Left Side bar, select "Mail Flow"
• From the top bar select "Rules"
• Click on the "+" icon and select "Create A New Rule"
• First, Click on the "More Options" link at the bottom of the screen
• Back, to the top of the screen, In the "Name" box, give the rule a name, Something like Incoming "Incoming Executable Extension Block Rule"
• From the "Apply this rule if..." drop down box, hover the mouse over "Any attachment" and from the pop out box, select "file extension includes these words"
• In the "Specify words or phrases" box, enter each extension you wish to block individually and without a . in front of the extension and click the "+" icon after each (A sample list is below) - To remove one, select the extension and use the "-" icon. - Once complete, select "OK"
• Next, from the "Do the following." drop down box, hover the mouse over "Block the message" and form the pop out box, select any applicable action. The best one to use is "reject the message and include an explanation" - you will be asked to specify a rejection reason, here you would typically have a basic explanation "Our organization does not permit certain attachments, for more information email [email protected]" or whichever email provides support at your organization.
• Next, you can if you wish further configure the rule for exceptions and auditing, this is not necessary but optional. When finished click on the "save" button.

• It will take some time for the rules to propagate and come into effect, typically leave it about an hour before testing from an external email account.

Exchange – Blocking incoming File Types (Instructions)

• Sign in to the “Exchange Admin Center”
• Go to Mail Flow > Rules
• Select + (New) and then select create new rule.
• In the Name box, specify a name for the rule and then select “More Options”.
• Select the conditions and actions you want.