How to use Exchange Transport Rules to track or block emails with file extensions used by ransomware

  • Go to the admin portal.

    • Go to Admin | Exchange.
    • Click Mail Flow | Rules.
    • Create a new rule by clicking the “+” icon, then Create new rule…
  • Enter the rule name (e.g. “Anti-Ransomware rule”) and click More options.

    • Modify Apply this rule if… Any attachment… file extension includes these words…
      • Enter the file extensions you want to track by clicking the “+” icon and then click OK. You should consider:

      o Executables (ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif, etc.)

      o Office files that support macros (doc, xls, docm, xlsm, pptm, etc.)

    • Do the following:

      o Track emails: Generate incident report and send it to… Your account… Custom content: Select all of them.

      o Warn the users: Add action, Append the disclaimer (for example: “Do not open these types of documents from people you do not know since they might contain macros that will allow malicious code to be executed on your machine. Thanks.”) and select a fallback action (for example, Wrap).

      o Block messages: Add action, Block the message… Use this option only if you are certain your organization does not use these types of files.
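
The same configuration can be scripted with Exchange Online PowerShell. The following is an added example, not part of the original steps: it assumes a session already opened with Connect-ExchangeOnline, splits the actions into two rules (track and warn on macro-capable Office files, track and block executables), and uses a placeholder report mailbox, rule names and rejection text.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# The report mailbox, rule names and rejection text are placeholders.
$reportTo = 'secops@example.com'

# Extension lists copied from the steps above.
$executables = 'ade','adp','ani','bas','bat','chm','cmd','com','cpl','crt','hlp','ht',
               'hta','inf','ins','isp','job','js','jse','lnk','mda','mdb','mde','mdz',
               'msc','msi','msp','mst','pcd','reg','scr','sct','shs','url','vb','vbe',
               'vbs','wsc','wsf','wsh','exe','pif'
$macroOffice = 'doc','xls','docm','xlsm','pptm'

# Equivalent of "Custom content: select all of them" for the incident report.
$reportFields = 'Sender','Recipients','Subject','Cc','Bcc','Severity','Override',
                'RuleDetections','FalsePositive','DataClassifications','IdMatch',
                'AttachOriginalMail'

# Rule 1: track and warn on macro-capable Office attachments.
$warnRule = @{
    Name                              = 'Anti-Ransomware rule - warn on macro documents'
    AttachmentExtensionMatchesWords   = $macroOffice
    GenerateIncidentReport            = $reportTo
    IncidentReportContent             = $reportFields
    ApplyHtmlDisclaimerLocation       = 'Append'
    ApplyHtmlDisclaimerText           = 'Do not open these types of documents from people you do not know since they might contain macros that will allow malicious code to be executed on your machine. Thanks.'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'   # wrap the original if the body cannot be modified
}
New-TransportRule @warnRule

# Rule 2: track and block executable attachments.
# Only use this if the organization never exchanges these file types by mail.
$blockRule = @{
    Name                            = 'Anti-Ransomware rule - block executables'
    AttachmentExtensionMatchesWords = $executables
    GenerateIncidentReport          = $reportTo
    IncidentReportContent           = $reportFields
    RejectMessageReasonText         = 'Attachment type blocked by mail policy.'
}
New-TransportRule @blockRule

# Confirm both rules exist and check their state and evaluation order.
Get-TransportRule | Where-Object Name -like 'Anti-Ransomware rule*' |
    Format-Table Name, State, Mode, Priority
```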
