With over 90% of business email compromise attacks originating from email, it makes sense to focus effort on reducing that line of entry, although identities and access should be locked down first.

A useful anti-malware rule I had to use recently which I’ll demonstrate in this post is one that sends anything with an archive file extension to quarantine. This means the user has to review their quarantine summary email or open https://security.microsoft.com/quarantine rather than simply having instant access to the content – in theory, this should make someone think twice about whether they were expecting the mail.

Creating the rule

In the Microsoft Security portal, go to Email & Collaboration > Policies and rules > Threat Policies > Anti-malware.

I create a new rule with the name “Archived Files” and target it to my primary domain:

On protection settings, I remove all the other file types and enter the extensions associated with archive files:

I set the action to Quarantine, and enable zero-hour auto purge. I also set my quarantine policy to one that allows the end-user to release the message themselves.

I save and apply my policy:

From now on, when email carrying attachments with those file types arrives in our tenant, users will have to manually review and release it from quarantine. Any file extension that doesn't match the extensions I listed will follow the reject action as specified in the Default rule.
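The portal steps above can also be scripted with Exchange Online PowerShell, which makes the configuration repeatable and easy to audit. The following is an added example, not code from the original post: it assumes the ExchangeOnlineManagement module is installed, uses a placeholder domain (`contoso.com`), and the list of archive extensions is constructed here because the post does not list the exact extensions it used. The quarantine policy name is one of the built-in ones that lets end users release their own messages and sends quarantine notifications.

```powershell
# Added example (not from the original post): create the "Archived Files"
# anti-malware policy and rule with Exchange Online PowerShell, then read the
# settings back to confirm what was applied.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as an Exchange/Security admin

$policyName = 'Archived Files'   # same name as in the post
$domain     = 'contoso.com'      # placeholder; replace with your primary domain

# Constructed list of archive extensions; adjust to what you want held for review.
$archiveTypes = @('zip','7z','rar','gz','tgz','tar','bz2','xz','iso','img','cab','arj','lzh','z')

# Built-in quarantine policy: users can view and release, and get summary emails.
$quarantineTag = 'DefaultFullAccessWithNotificationPolicy'

# 1. Policy: only the archive extensions, quarantined rather than rejected, with ZAP on.
if (-not (Get-MalwareFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-MalwareFilterPolicy -Name $policyName `
        -EnableFileFilter $true `
        -FileTypes $archiveTypes `
        -FileTypeAction Quarantine `
        -ZapEnabled $true `
        -QuarantineTag $quarantineTag | Out-Null
}

# 2. Rule: scope the policy to recipients in the primary domain, at top priority.
if (-not (Get-MalwareFilterRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-MalwareFilterRule -Name $policyName `
        -MalwareFilterPolicy $policyName `
        -RecipientDomainIs $domain `
        -Priority 0 | Out-Null
}

# 3. Verify: what was applied, and how it compares with the Default policy.
Get-MalwareFilterPolicy -Identity $policyName |
    Format-List Name, EnableFileFilter, FileTypeAction, FileTypes, ZapEnabled, QuarantineTag
Get-MalwareFilterRule -Identity $policyName |
    Format-List Name, Priority, State, RecipientDomainIs
Get-MalwareFilterPolicy -Identity Default |
    Format-List Name, FileTypeAction, FileTypes

Disconnect-ExchangeOnline -Confirm:$false
```

One check worth making after running this: a malware filter policy has a single FileTypeAction for its whole extension list, and only the highest-priority rule that matches a recipient applies to them, so compare the new policy's FileTypes against the Default policy's output above and confirm that any extension you still want blocked outright for these recipients is covered.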

Powerful Protection

When carefully considered and configured, Defender for Office 365 combined with Exchange Online Protection policies can provide extremely robust email protection for your business.

Review the full Defender for Office 365 Protection stack