Posey's Tips & Tricks

Using Exchange Mail Flow Rules To Fight Ransomware

One way organizations can help keep ransomware at bay is to create Exchange mail flow rules that take action against the messages that are most likely to contain ransomware. Microsoft recommends creating two different rules -- one to handle commonly infected attachments and another to handle Microsoft Office documents.

For the purposes of this column, I am going to take a slightly different approach. Rather than creating two rules, both of which take action against files with specific extensions, I am going to create two different types of rules.

I am not doing this because I think my method is better than Microsoft's, but rather because I wanted to show you two different techniques. If you want to do things Microsoft's way, however, the file extensions it recommends blocking include:

ade cmd hta jse msc scr vbs
adp com inf lnk msi sct wsc
ani cpl ins mda msp shs wsf
bas crt isp mdb mst url wsh
bat hlp job mde pcd vb exe
chm ht js mdz reg vbe pif

Before we get started, remember that mail flow rules do not provide comprehensive protection against ransomware. The techniques I am about to show you can prevent users from receiving messages with certain types of malicious attachments, but they do nothing to protect against a user clicking on a malicious link. You should use these techniques as part of a much more comprehensive ransomware-prevention strategy, rather than relying on them for your sole defense against ransomware.

With that said, let's start by creating a rule to block messages containing executable attachments. Begin the process by opening the Exchange Admin Center and selecting the Mail Flow tab on the left side of the screen, followed by the Rules tab at the top of the screen. Now, click on the New button and choose the Create a New Rule button. This will open the New Rule dialog box, shown in Figure 1.

[Click on image for larger view.] Figure 1: This is the screen used to create a new mail flow rule.

None of the options shown on this dialog box will allow you to create a file type rule. In order to create the rule, you need to click on the More Options link at the bottom of the box. Once you have done that, you can move forward with creating the rule.

The first step is to enter a name for the rule that you are creating. Next, choose the Any Attachment | Has Executable Content option. If you prefer to use Microsoft's method I mentioned earlier, you should select the Any Attachment | File Name Matches These Text Patterns option instead.

[Click on image for larger view.] Figure 2: You can create a mail flow rule that blocks executable content.

The next step is to choose what you want to happen to the message. I generally recommend blocking the message, but there are other options such as forwarding the message to someone for approval.

When you are done creating the rule, click on the Save button to complete the process.

As I previously noted, we are going to need to create two rules -- one to block executable code and another to add a warning to messages containing Office documents. We have already created a rule for dealing with executable files, so let's turn our attention to Office documents.

To create a filter for Office documents, click the New icon followed by the Create a Rule option, just as you did before. When the New Rule dialog box opens, click on the More Options link. Now, give your rule a name and choose the Any Attachment | File Name Matches These Text Patterns option from the Apply This Rule drop-down menu.

Now, you will need to create a list of the file extensions you want the filter to act on. The file extensions that Microsoft recommends using include:

dotm xll
docm pptm
xlsm potm
sltm ppam
xla ppsm
xlam sldm

Once you specify the file types to act on, you will have to tell Exchange Online what action you want to take on messages containing Office documents. Microsoft recommends choosing the Prepend a Disclaimer option and setting the message to be something like, "Do not open these types of files -- unless you were expecting them -- because the files may contain malicious code and knowing the sender isn't a guarantee of safety."

One last thing: Mail flow rules can occasionally behave in a way that is completely unexpected. As such, the bottom portion of the New Rule dialog box includes an option to either enforce the new rule or to test the new rule. It's usually best to test a new rule for a period of time before enforcing it. That way, you can get a feel for whether the rule is working as intended before allowing it to actually take action on users' e-mail messages.

About the Author

Brien Posey is a 19-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.


comments powered by Disqus