[How-to] Block Cryptolocker at Exchange/Office 365


Office 365 and Exchange Online have a market adoption of over 70% in enterprises. An easy way to block CryptoLocker-style ransomware that arrives as a mail attachment is to block executable attachments in the Exchange Admin Center. There is rarely a legitimate reason to receive executables by email. The two rules below block executable attachments in Exchange environments, including executables inside zipped files, because attachment inspection looks into supported archive formats.

Logon to the Exchange Admin Center:

  1. With Exchange 2013/2016 go to the URL https://<FQDN of the mail server>/ecp, e.g. https://mail.brankovucinec.com/ecp. (Exchange 2010 manages transport rules from the Exchange Management Console or Shell rather than from the ECP.)
  2. In Office 365, go to the admin portal and click Exchange in the left bottom corner.

Go to mail flow -> Rules and click Create a new rule…

In the popup window give the rule a name, like Block EXE, click More options… at the bottom, and select at Apply this rule if… Any attachment… > file extension includes these words. (Do not use Any attachment’s content includes…: that condition searches the text inside the attachment for the words you list, not the file extension, so it would neither reliably match an .exe nor do what the rule name says.)

Add exe, msi, bat, cmd (without the leading dot) and any other extensions you want to block to the list and click OK.

Select at Do the following… Reject the message with the explanation… Rejecting sends the sender a non-delivery report; because ransomware mails usually carry a spoofed From address, those NDRs become backscatter to uninvolved third parties. If you prefer to avoid that, choose Delete the message without notifying anyone and skip the next step, at the cost of giving legitimate senders no feedback that their message was dropped.

In the new popup set as reason “Executable content not allowed.” and click on OK.

Click save.

Next, we create a second rule, select again Create a new rule…

Give the new rule a name, like Executable content not allowed and click at the bottom on More options…

New options arise and you can choose now at Apply this rule if… for Any attachment… > has executable content.

Choose at Do the following… Block the message… > reject the message and include an explanation. Again, if you want to avoid NDR backscatter, choose delete the message without notifying anyone instead and skip the next step.

In the new popup set as reason “Executable content not allowed.” and click on OK.

Click save.

You now have two rules that block executable attachments in your Exchange environment: the first matches on the file extension, the second on the actual content of the attachment, so an executable renamed to .txt or .pdf is still caught. When a sender tries to send an executable attachment they receive a non-delivery report with status 5.7.1 and the text Executable content not allowed. To check the rules after saving them, send yourself a test message with a small executable (once as-is and once renamed to .txt) from an external mailbox and confirm both are rejected.
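The same two rules can be created from the Exchange Management Shell (on-premises) or Exchange Online PowerShell instead of clicking through the EAC, which is also the easier way to keep them identical across tenants. The block below is an added example, not code from the original post: rule names, extension list and reject text mirror the walkthrough above, the extra extensions are this example's own additions, and the connection line and the admin UPN are assumptions for Exchange Online.

```powershell
# Added example (not from the original post): the two attachment-blocking rules
# from the walkthrough, created with New-TransportRule.

# Exchange Online only: connect first (ExchangeOnlineManagement module).
# On-premises, run this in the Exchange Management Shell and skip this line.
# The UPN is a placeholder.
# Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$reason = 'Executable content not allowed.'

# Rule 1: match on file extension (AttachmentExtensionMatchesWords).
# Cheap, but only as good as the extension the sender chose.
# exe/msi/bat/cmd come from the walkthrough; the rest are common script and
# shortcut types added in this example.
New-TransportRule -Name 'Block EXE' `
    -Priority 0 `
    -AttachmentExtensionMatchesWords 'exe','msi','bat','cmd','scr','pif','com','js','jse','vbs','vbe','ps1','hta' `
    -RejectMessageReasonText $reason `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Blocks attachments by extension; the "Executable content not allowed" rule does the true-type check.'

# Rule 2: match on what the attachment actually is (AttachmentHasExecutableContent),
# which catches a renamed executable and executables inside supported archives.
New-TransportRule -Name 'Executable content not allowed' `
    -Priority 1 `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText $reason `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Silent-drop variant: replace the two Reject* parameters with -DeleteMessage $true.
# Trade-off: no NDR backscatter to spoofed senders, but a legitimate sender gets
# no feedback that the message was dropped.

# Verify what was created.
Get-TransportRule |
    Where-Object { $_.AttachmentExtensionMatchesWords -or $_.AttachmentHasExecutableContent } |
    Format-List Name, State, Priority, Mode, AttachmentExtensionMatchesWords,
                AttachmentHasExecutableContent, RejectMessageReasonText
```

If you want to see what the rules would hit before enforcing them, add `-Mode Audit` to each New-TransportRule call and inspect the message trace (or the transport rule report in Exchange Online) for a few days, then switch the rule to Enforce with Set-TransportRule.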

Note that this solution does not protect your organization 100% against ransomware: macro-enabled Office documents, script files that are not on your extension list, and mails that only carry a download link are not covered by these two rules. Still, every extra security layer makes it a bit safer for you and your users.

The original post includes a table listing the file types that Exchange classifies as executable content for the second rule (the table itself did not survive in this copy).

The transport engine does not rely solely on the file extension to decide whether an attachment is executable. Instead, it inspects the attachment's content to determine the true file type, so renaming payload.exe to payload.txt does not get it past the second rule.
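To make the difference between extension matching and content inspection concrete, here is a small local check of the same kind the transport engine performs. It is an added illustration written for this page, not Exchange's own detection code: it looks for the Windows PE signature (the MZ stub plus PE\0\0 at the offset stored at 0x3C) and, for zip files, applies the same check to every entry. The function names, the output shape and the demo files built from a copy of kernel32.dll are this example's own choices; the demo assumes it runs on Windows.

```powershell
# Added illustration (not Exchange's detection code): true-type check for
# executables, applied to a file and to the entries of a zip archive.

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Read up to $Count bytes from a stream, looping because DeflateStream (zip
# entries) may return fewer bytes per Read than requested.
function Read-Head {
    param([System.IO.Stream]$Stream, [int]$Count = 4096)
    $buf = New-Object byte[] $Count
    $total = 0
    while ($total -lt $Count) {
        $n = $Stream.Read($buf, $total, $Count - $total)
        if ($n -le 0) { break }
        $total += $n
    }
    return [PSCustomObject]@{ Bytes = $buf; Length = $total }
}

# True if the bytes start with an 'MZ' DOS stub and the 32-bit offset at 0x3C
# points at a 'PE\0\0' signature inside the bytes we read.
function Test-PeHeader {
    param([byte[]]$Bytes, [int]$Length)
    if ($Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return $false }
    $peOffset = [long][BitConverter]::ToUInt32($Bytes, 0x3C)
    if ($peOffset -gt ($Length - 4)) { return $false }   # header outside the window we read
    $o = [int]$peOffset
    return ($Bytes[$o] -eq 0x50 -and $Bytes[$o + 1] -eq 0x45 -and
            $Bytes[$o + 2] -eq 0 -and $Bytes[$o + 3] -eq 0)
}

function Test-ExecutableContent {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $head = Read-Head -Stream $fs
        if (Test-PeHeader -Bytes $head.Bytes -Length $head.Length) {
            return [PSCustomObject]@{ Path = $Path; Executable = $true; Reason = 'PE signature (MZ/PE)' }
        }
        # Zip local file header 'PK\x03\x04': inspect each entry the same way.
        if ($head.Length -ge 4 -and $head.Bytes[0] -eq 0x50 -and $head.Bytes[1] -eq 0x4B -and
            $head.Bytes[2] -eq 3 -and $head.Bytes[3] -eq 4) {
            $fs.Position = 0
            $zip = New-Object System.IO.Compression.ZipArchive($fs)
            try {
                foreach ($entry in $zip.Entries) {
                    if ($entry.Length -eq 0) { continue }   # directory entries
                    $es = $entry.Open()
                    try {
                        $eh = Read-Head -Stream $es
                        if (Test-PeHeader -Bytes $eh.Bytes -Length $eh.Length) {
                            return [PSCustomObject]@{ Path = $Path; Executable = $true
                                                      Reason = "PE signature inside archive entry '$($entry.FullName)'" }
                        }
                    } finally { $es.Dispose() }
                }
            } finally { $zip.Dispose() }
        }
        return [PSCustomObject]@{ Path = $Path; Executable = $false; Reason = 'no executable signature found' }
    } finally { $fs.Dispose() }
}

# Demo on constructed inputs: a real DLL renamed to .txt, a zip containing it,
# and a plain text file. Only the last one should pass.
$tmp = Join-Path $env:TEMP 'exec-check-demo'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null
Copy-Item "$env:SystemRoot\System32\kernel32.dll" (Join-Path $tmp 'readme.txt') -Force
Compress-Archive -Path (Join-Path $tmp 'readme.txt') -DestinationPath (Join-Path $tmp 'docs.zip') -Force
'Just text, nothing to run here.' | Set-Content (Join-Path $tmp 'notes.txt')
Get-ChildItem $tmp -File | ForEach-Object { Test-ExecutableContent -Path $_.FullName } | Format-Table -AutoSize
```

The point of the demo is the first two rows: an extension-only rule sees readme.txt and docs.zip as harmless, while the signature check flags both. Exchange's real list of executable types is wider than PE files (see the table referenced above), but the principle is the same.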

Branko Vucinec

About Branko Vucinec

Hi! I'm Branko, a Systems Engineer focused on Microsoft technologies from the Netherlands. I enjoy helping organizations with the business and people opportunities and challenges surrounding tech.
