Detaching Attachments

Those of you who read last week’s post on Enforcing Cell Phone PINs are already primed on the trade-off between security and user happiness. For newcomers I offer the following graph.



75% of joking aside, as an Office 365 admin it’s your job to keep the tenant and its users secure while minimizing the impact to productivity. To that end, you will find that email is going to be the attack vector where you wage war. Previously we covered round 1 of beefing up Exchange Online Protection and this week we’ll take it one step further.


I hate email attachments and I especially hate compressed file types such as ZIPs. On all tenants I manage I always start off with one simple email rule which ends up becoming the best line of defense against the endless onslaught of email-borne viruses. And now I will impart this simple but elegant knowledge to you…


To start off we’ll want to sign in to the Exchange Control Panel and move on down to the mail flow tab. Under the rules heading click the + button and choose create new rule. Once the pop-up window appears we need to click More options to move into big boy mode.



What we’re going to do is make a rule that will reject any message that has an attachment which is on our blacklist. The rule itself is shown below. I’ve made two variants, one which will notify the sender that their message was rejected, one which will simply send the message the way of the dodo bird, and the last which will send the message to quarantine allowing the users to release it if need be. Which rule you use is completely up to your personal preference but I can tell you that the first option is my favorite.





The glory of these rules is that if the message has an SCL of -1 then the message is allowed even with the forbidden attachments (keep that in mind before tacking on file extensions to this rule). Regular readers will recall making safe sender rules for IP address, email domain, and email address in a previous blog post titled Ensuring Safe Passage. Any sender listed in those rules will be allowed to send attachments matching the extensions listed in this rule. Remember this for the first piece of hate mail you receive from a user who is not getting the zip file they’re expecting from a random yahoo.com address. When you add a new safe sender, be sure to wait 15 minutes or so before re-sending the message, because rule changes on Office 365 need a few minutes to take effect. For this to work properly, though, you’ll want to ensure that this new rule is below your safe sender rules. You can use the arrow buttons to move it if needed.
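The same rule built from Exchange Online PowerShell instead of the EAC, as an added example that is not from the original post. The rule name, the rejection text and the `Safe Sender*` name pattern are placeholders, and `-ExceptIfSCLOver -1` is this example's rendering of the SCL -1 exception described above.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already
# connected (Connect-ExchangeOnline from the ExchangeOnlineManagement module).

$ruleName = 'Block blacklisted attachments'   # placeholder rule name
$blocked  = @('zip')                          # the post calls out ZIPs; extend per your policy

# The three variants described in the post. Pick exactly one.
$reject     = @{ RejectMessageReasonText = 'This attachment type is not accepted. Please send the file another way.' }
$delete     = @{ DeleteMessage = $true }      # silently drop the message
$quarantine = @{ Quarantine = $true }         # hold the message so it can be released
$action     = $reject                         # variant 1: sender gets a rejection notice

$rule = @{
    Name                            = $ruleName
    AttachmentExtensionMatchesWords = $blocked
    # Assumption: the exception is expressed as "SCL greater than or equal to -1",
    # where -1 is the "bypass spam filtering" value stamped by the safe sender rules.
    ExceptIfSCLOver                 = -1
}
New-TransportRule @rule @action

# Ordering check: the attachment rule has to sit below every safe sender rule.
# Priority 0 is evaluated first. 'Safe Sender*' is a placeholder name pattern.
$safe = Get-TransportRule | Where-Object { $_.Name -like 'Safe Sender*' }
$mine = Get-TransportRule -Identity $ruleName

if ($safe) {
    $lowestSafe = ($safe | Measure-Object -Property Priority -Maximum).Maximum
    if ($mine.Priority -lt $lowestSafe) {
        # Moving this rule to the lowest safe sender slot shifts those rules up by one.
        Set-TransportRule -Identity $ruleName -Priority $lowestSafe
    }
} else {
    Write-Warning 'No safe sender rules matched; nothing will bypass the attachment rule.'
}

# Review the final order before relying on it.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```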



This rule won’t make your tenant Fort Knox but it’s a quick, simple change which will help build a line of defense against the likes of Crypto(wall, locker, etc). If you have any questions or pent-up nerd rage feel free to send it to me @ nate@get-msol.com or leave it in the comments below.

#eac #eop #exchangeonline #spam #office365 #office365101 #o365
