Office 365 in general is a bit lax when it comes to default protection out of the box. I've found that a lot of malicious attachments come through in the form of js files, scr, zips, [insert next exploitable attachment] they're using. As such I assembled the following two mail flow rules over the years of running Office 365 as a Silver Small and Midmarket Cloud Solutions partner. We hard fail on these rules and push them to the hosted quarantine, mainly because the users just tend to open them regardless of any modification to the email title. As such you have 7 days to retrieve the mail if it's a false positive.

1. Block potential dangerous attachments.
2. Block executable content.

These rules need to be pretty much at the top of the priority list.

> **Name:** Block executable content
>
> **Apply this rule if:** includes an attachment with executable content
>
> **Do the following:** Deliver the message to the hosted quarantine.

As a bit of background, the block executable content rule is explained in detail here: [https://blogs.msdn.microsoft.com/tzink/2014/04/08/blocking-executable-content-in-office-365-for-more-aggressive-anti-malware-protection/](https://blogs.msdn.microsoft.com/tzink/2014/04/08/blocking-executable-content-in-office-365-for-more-aggressive-anti-malware-protection/)

> **Name:** Block potential dangerous attachments.
>
> **Apply this rule if:** any attachment's file extension matches:
>
> 386, 3gr, add, ade, asp, aspx, bas, bat, chm, cmd, com, cpl, crt, dbx, dll, exe, fon, hta, htm, html, img, inf, ins, iqy, iso, isp, js, jse, lnk, mdb, mde, msc, msi, msp, mst, ocx, one, pif, reg, scr, sct, shs, url, vb, vbe, vbs, vxd, wsc, wsf, wsh
>
> **Do the following:** Deliver the message to the hosted quarantine.

The rule may need updating with new attachment types in the future; however, every time I've seen a warning or latest-variant alert, the list above has already covered it and protected against it.
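To make the two rules reproducible across tenants, here is the same configuration as an added example in Exchange Online PowerShell (not from the original post). It assumes the ExchangeOnlineManagement module is installed; the admin UPN is a placeholder, and the rule names, extension list and quarantine action are taken from the rules above.

```powershell
# Added example, not from the original post: the two mail flow rules above
# expressed with the Exchange Online cmdlets so they can be versioned and
# re-applied consistently. Placeholder UPN; replace with a real admin account.
Connect-ExchangeOnline -UserPrincipalName admin@example.onmicrosoft.com

# Extension list copied from the post. Keeping it in one variable means every
# change to the list shows up in review rather than being edited in the portal.
$blockedExtensions = @(
    '386','3gr','add','ade','asp','aspx','bas','bat','chm','cmd','com','cpl',
    'crt','dbx','dll','exe','fon','hta','htm','html','img','inf','ins','iqy',
    'iso','isp','js','jse','lnk','mdb','mde','msc','msi','msp','mst','ocx',
    'one','pif','reg','scr','sct','shs','url','vb','vbe','vbs','vxd','wsc',
    'wsf','wsh'
)

# Rule 1: extension match -> hosted quarantine. Priority 0 is the top of the list.
New-TransportRule -Name 'Block potential dangerous attachments' `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -Quarantine $true `
    -Priority 0 `
    -Mode Enforce `
    -Comments 'Hard fail: quarantine known-dangerous attachment extensions.'

# Rule 2: executable content condition (content-based check, see the linked
# blog post) -> hosted quarantine, directly below rule 1.
New-TransportRule -Name 'Block executable content' `
    -AttachmentHasExecutableContent $true `
    -Quarantine $true `
    -Priority 1 `
    -Mode Enforce `
    -Comments 'Hard fail: quarantine attachments containing executable content.'

# Sanity check: confirm both rules sit at the top and are enabled and enforced.
Get-TransportRule | Sort-Object Priority |
    Select-Object Priority, Name, State, Mode |
    Format-Table -AutoSize
```

Run the final listing after any later rule is added, since a new rule created in the portal can be given a lower priority number and evaluated before these two.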
I've debated adding docm, xlsm and other macro-enabled variants of the Office formats; however, it's far too likely to impact day-to-day operations, so do so at your own peril. You will also see that zips are left off the second rule: the first rule will catch the majority of malicious content inside zip files, and the secondary list will cover other content inside zip files. So zipped photos inbound will be allowed, but a zipped SCR file would be blocked. Further details available here: [https://technet.microsoft.com/en-us/library/jj919236(v=exchg.150).aspx](https://technet.microsoft.com/en-us/library/jj919236(v=exchg.150).aspx)

Edit: 2018-08-20 - Added additional file types: img, iqy.

Edit: 2021-03-16 - Added additional file types: htm, html, due to exploitation by phishing campaigns.

Edit: 2022-02-08 - Added additional file types: iso, one, due to active exploitation.

---

[[Epistemic status|Colophon: Brewing]]