Quarantining Executable Email Attachments


May 30, 2023 by Greg Turner

One problem with email is that many environments allow the sending of executable email attachments. In some cases this is needed, but in most cases these attachments should not be allowed.

Sometimes, you may find yourself needing one of these attachments, so blocking them entirely might not be the best solution for you. If you find yourself in this position, don’t worry – you have options.

How To Quarantine Executable Email Attachments With PowerShell

An easy way to quarantine executable email attachments, in both Exchange Online and Exchange on-prem, is to create a transport rule. This can be done in the Exchange Admin Center, but it’s faster – and easier – to do it with PowerShell.

This PowerShell stops executables from reaching their recipients. It:

  • Creates a shared mailbox
  • Redirects the message to the mailbox to be used as a quarantine
  • Notifies the administrator
  • Does not notify sender or recipient
  • Gives the Administrator permissions to the mailbox
  • Creates the transport rule, which checks every attachment regardless of file name, even when the executable is nested several layers deep inside a zip file
  • Places the rule to run before any other rules

1. Create shared mailbox to redirect messages

New-Mailbox -Shared -Name "MailQuarantine" -DisplayName "MailQuarantine" -Alias MailQuarantine

2. Give the administrator permissions to the mailbox

Add-MailboxPermission -Identity MailQuarantine -User Administrator -AccessRights FullAccess -InheritanceType All -AutoMapping:$false

3. Create the transport rule to block the attachments from being delivered to the recipient

New-TransportRule -Name "Executable in attachment - Quarantine" -AttachmentHasExecutableContent $true -Priority 0 -RedirectMessageTo ((Get-Mailbox MailQuarantine).PrimarySmtpAddress.ToString()) -GenerateIncidentReport ((Get-Mailbox Administrator).PrimarySmtpAddress.ToString()) -IncidentReportContent Sender,Recipients,Subject,Cc,Bcc,Severity,Override,RuleDetections,FalsePositive,DataClassifications,IdMatch
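The three steps above, combined into one re-runnable script with a verification step at the end. This is an added example, not code from the original post: it assumes an Exchange Online or Exchange on-prem session is already open with rights to create mailboxes and transport rules, and the optional -Moderate switch (which holds the message for the administrator's approval instead of redirecting it, the variant one client in the post uses) is my addition.

```powershell
param(
    [string]$QuarantineName = 'MailQuarantine',
    [string]$AdminUser      = 'Administrator',
    [string]$RuleName       = 'Executable in attachment - Quarantine',
    # Hold for admin approval instead of redirecting to the quarantine mailbox
    [switch]$Moderate
)

# Step 1: shared quarantine mailbox (skipped if it already exists)
$quarantine = Get-Mailbox -Identity $QuarantineName -ErrorAction SilentlyContinue
if (-not $quarantine) {
    $quarantine = New-Mailbox -Shared -Name $QuarantineName -DisplayName $QuarantineName -Alias $QuarantineName
}

# Step 2: full access for the administrator, without auto-mapping it into Outlook
Add-MailboxPermission -Identity $QuarantineName -User $AdminUser -AccessRights FullAccess `
    -InheritanceType All -AutoMapping:$false -Confirm:$false | Out-Null

# Step 3: transport rule at priority 0 so it runs before every other rule.
# .ToString() works whether PrimarySmtpAddress comes back as an object (on-prem)
# or as a plain string (Exchange Online).
$adminAddress = (Get-Mailbox -Identity $AdminUser).PrimarySmtpAddress.ToString()
$ruleParams = @{
    Name                           = $RuleName
    AttachmentHasExecutableContent = $true
    Priority                       = 0
    GenerateIncidentReport         = $adminAddress   # only the admin is notified
    IncidentReportContent          = 'Sender','Recipients','Subject','Cc','Bcc','Severity',
                                     'Override','RuleDetections','FalsePositive',
                                     'DataClassifications','IdMatch'
}
if ($Moderate) {
    $ruleParams.ModerateMessageByUser = $adminAddress
} else {
    $ruleParams.RedirectMessageTo = $quarantine.PrimarySmtpAddress.ToString()
}
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule @ruleParams | Out-Null
}

# Verify: the rule must be enabled and first in line, or the quarantine is not in effect
$rule = Get-TransportRule -Identity $RuleName
if ($rule.State -ne 'Enabled' -or $rule.Priority -ne 0) {
    throw "Rule '$RuleName' is not enabled at priority 0 (State=$($rule.State), Priority=$($rule.Priority))"
}
$rule | Format-List Name, State, Priority, AttachmentHasExecutableContent,
    RedirectMessageTo, ModerateMessageByUser, GenerateIncidentReport
```

Run it a second time after adding other transport rules to confirm the quarantine rule is still at priority 0.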

Even though spam filters and antivirus scan executables for something malicious, they don’t always block them – so we recommend using this rule in addition to spam filters to block these executables.

In most cases, there is nothing internal to prevent them from being emailed. If I email you word.exe, you will receive it without this rule. Within Mirazon, almost all the executables that people attempted to email were VPN client software going out to clients. One client has this rule send the message to IT for approval before it is delivered or blocked, instead of blocking executables altogether.

With external spam filters being as good as they are now, I'm no longer seeing on-prem antivirus on Exchange servers, which re-opens the door to internal email being the way bad attachments spread. If you want to share programs, a better practice is to share them through OneDrive or another file sharing service.

Your email security is one of the most important elements that contributes to the safety of your business, employees, and IT infrastructure, which is why it’s one of the critical aspects of our Layered Security Strategy. If you’d like to learn more about it, contact us by using the information below!

If you have any additional questions or concerns, please contact us and call 502-240-0404 or email us at info@mirazon.com.
