2.1.14 Ensure comprehensive attachment filtering is applied

Information

The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails. The policy provided by Microsoft covers 53 extensions, and an additional custom list of extensions can be defined.

The list of 187 extensions provided in this recommendation is comprehensive but not exhaustive.

Rationale:

Blocking known malicious file types can help prevent malware-infested files from infecting a host or performing other malicious attacks such as phishing and data extraction.

Defining a comprehensive list of attachments can help protect against additional unknown and known threats. Many legacy file formats, binary files and compressed files have been used as delivery mechanisms for malicious software. Organizations can protect themselves from Business E-mail Compromise (BEC) by allow-listing only the file types relevant to their line of business and blocking all others.

Impact:

For file types that are necessary to the business, users will need to use other organizationally approved methods to transfer files with blocked extensions to and from business partners.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To Remediate using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following script:

# Create an attachment policy and associated rule. The rule is
# intentionally disabled, allowing the org to enable it when ready.

$Policy = @{
    Name                                   = 'CIS L2 Attachment Policy'
    EnableFileFilter                       = $true
    ZapEnabled                             = $true
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = 'admin@example.com' # Placeholder: change this to your admin notification address.
}

$L2Extensions = @(
    '7z', 'a3x', 'ace', 'ade', 'adp', 'ani', 'app', 'appinstaller',
    'applescript', 'application', 'appref-ms', 'appx', 'appxbundle', 'arj',
    'asd', 'asx', 'bas', 'bat', 'bgi', 'bz2', 'cab', 'chm', 'cmd', 'com',
    'cpl', 'crt', 'cs', 'csh', 'daa', 'dbf', 'dcr', 'deb',
    'desktopthemepackfile', 'dex', 'diagcab', 'dif', 'dir', 'dll', 'dmg',
    'doc', 'docm', 'dot', 'dotm', 'elf', 'eml', 'exe', 'fxp', 'gadget', 'gz',
    'hlp', 'hta', 'htc', 'htm', 'htm', 'html', 'html', 'hwpx', 'ics', 'img',
    'inf', 'ins', 'iqy', 'iso', 'isp', 'jar', 'jnlp', 'js', 'jse', 'kext',
    'ksh', 'lha', 'lib', 'library-ms', 'lnk', 'lzh', 'macho', 'mam', 'mda',
    'mdb', 'mde', 'mdt', 'mdw', 'mdz', 'mht', 'mhtml', 'mof', 'msc', 'msi',
    'msix', 'msp', 'msrcincident', 'mst', 'ocx', 'odt', 'ops', 'oxps', 'pcd',
    'pif', 'plg', 'pot', 'potm', 'ppa', 'ppam', 'ppkg', 'pps', 'ppsm', 'ppt',
    'pptm', 'prf', 'prg', 'ps1', 'ps11', 'ps11xml', 'ps1xml', 'ps2',
    'ps2xml', 'psc1', 'psc2', 'pub', 'py', 'pyc', 'pyo', 'pyw', 'pyz',
    'pyzw', 'rar', 'reg', 'rev', 'rtf', 'scf', 'scpt', 'scr', 'sct',
    'searchConnector-ms', 'service', 'settingcontent-ms', 'sh', 'shb', 'shs',
    'shtm', 'shtml', 'sldm', 'slk', 'so', 'spl', 'stm', 'svg', 'swf', 'sys',
    'tar', 'theme', 'themepack', 'timer', 'uif', 'url', 'uue', 'vb', 'vbe',
    'vbs', 'vhd', 'vhdx', 'vxd', 'wbk', 'website', 'wim', 'wiz', 'ws', 'wsc',
    'wsf', 'wsh', 'xla', 'xlam', 'xlc', 'xll', 'xlm', 'xls', 'xlsb', 'xlsm',
    'xlt', 'xltm', 'xlw', 'xml', 'xnk', 'xps', 'xsl', 'xz', 'z'
)

# Create the policy
New-MalwareFilterPolicy @Policy -FileTypes $L2Extensions

# Create the rule for all accepted domains (disabled until the org is ready)
$Rule = @{
    Name                = $Policy.Name
    Enabled             = $false
    MalwareFilterPolicy = $Policy.Name
    RecipientDomainIs   = (Get-AcceptedDomain).Name
    Priority            = 0
}

New-MalwareFilterRule @Rule

When ready, enable the rule either through the UI or PowerShell.

Note: Due to the number of extensions, the UI method is not covered. The objects can, however, be edited in the UI, or the list from the script can be added manually.

Navigate to Microsoft Defender at https://security.microsoft.com/

Browse to Policies & rules > Threat policies > Anti-malware.
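The following audit script is an added example and is not part of the CIS benchmark or the Tenable plugin. After Connect-ExchangeOnline, it checks that the policy created by the remediation script exists, that file filtering and ZAP are on, that the configured FileTypes cover the recommended list, and that a rule referencing the policy is actually enabled (a disabled rule means the policy has no effect). The policy name and the extension list are assumed to match the remediation script above; Get-MalwareFilterPolicy, Get-MalwareFilterRule and Enable-MalwareFilterRule are standard Exchange Online cmdlets.

```powershell
# Added audit example (not from the CIS benchmark or Tenable). Assumes an
# existing Exchange Online session and the policy name used in the
# remediation script above.
$PolicyName = 'CIS L2 Attachment Policy'

# Recommended L2 list, copied from the remediation script above.
$L2Extensions = @(
    '7z','a3x','ace','ade','adp','ani','app','appinstaller','applescript','application',
    'appref-ms','appx','appxbundle','arj','asd','asx','bas','bat','bgi','bz2','cab','chm',
    'cmd','com','cpl','crt','cs','csh','daa','dbf','dcr','deb','desktopthemepackfile','dex',
    'diagcab','dif','dir','dll','dmg','doc','docm','dot','dotm','elf','eml','exe','fxp',
    'gadget','gz','hlp','hta','htc','htm','html','hwpx','ics','img','inf','ins','iqy','iso',
    'isp','jar','jnlp','js','jse','kext','ksh','lha','lib','library-ms','lnk','lzh','macho',
    'mam','mda','mdb','mde','mdt','mdw','mdz','mht','mhtml','mof','msc','msi','msix','msp',
    'msrcincident','mst','ocx','odt','ops','oxps','pcd','pif','plg','pot','potm','ppa','ppam',
    'ppkg','pps','ppsm','ppt','pptm','prf','prg','ps1','ps11','ps11xml','ps1xml','ps2',
    'ps2xml','psc1','psc2','pub','py','pyc','pyo','pyw','pyz','pyzw','rar','reg','rev','rtf',
    'scf','scpt','scr','sct','searchConnector-ms','service','settingcontent-ms','sh','shb',
    'shs','shtm','shtml','sldm','slk','so','spl','stm','svg','swf','sys','tar','theme',
    'themepack','timer','uif','url','uue','vb','vbe','vbs','vhd','vhdx','vxd','wbk','website',
    'wim','wiz','ws','wsc','wsf','wsh','xla','xlam','xlc','xll','xlm','xls','xlsb','xlsm',
    'xlt','xltm','xlw','xml','xnk','xps','xsl','xz','z'
)

function Test-AttachmentFilterCompliance {
    param(
        [Parameter(Mandatory)] [string]   $PolicyName,
        [Parameter(Mandatory)] [string[]] $RequiredExtensions
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    $policy = Get-MalwareFilterPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
    if (-not $policy) {
        return [pscustomobject]@{ Compliant = $false; Findings = @("Policy '$PolicyName' not found") }
    }

    if (-not $policy.EnableFileFilter) { $findings.Add('EnableFileFilter is off (common attachment filter disabled)') }
    if (-not $policy.ZapEnabled)       { $findings.Add('ZapEnabled is off (zero-hour auto purge disabled)') }

    # Case-insensitive set comparison; duplicates in either list are harmless.
    $configured = @($policy.FileTypes | ForEach-Object { "$_".ToLowerInvariant() })
    $missing = @($RequiredExtensions | ForEach-Object { $_.ToLowerInvariant() } |
                Sort-Object -Unique | Where-Object { $configured -notcontains $_ })
    if ($missing.Count -gt 0) {
        $findings.Add("Missing $($missing.Count) extension(s): $($missing -join ', ')")
    }

    # The policy only takes effect through an enabled rule that references it.
    $rules = @(Get-MalwareFilterRule | Where-Object { "$($_.MalwareFilterPolicy)" -eq $PolicyName })
    if ($rules.Count -eq 0) {
        $findings.Add("No malware filter rule references policy '$PolicyName'")
    }
    foreach ($rule in $rules) {
        if ($rule.State -ne 'Enabled') {
            $findings.Add("Rule '$($rule.Name)' is $($rule.State); enable it with: Enable-MalwareFilterRule -Identity '$($rule.Name)'")
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

$result = Test-AttachmentFilterCompliance -PolicyName $PolicyName -RequiredExtensions $L2Extensions
$result.Findings | ForEach-Object { Write-Warning $_ }
if ($result.Compliant) { Write-Host "Attachment filtering matches the L2 list and the rule is enabled." }
```

Run it after the remediation script and again after enabling the rule: the first run should report only the disabled rule, the second should report Compliant. Because the check is a set comparison on FileTypes, extra extensions added by the organization do not raise findings; only recommended extensions that are absent do.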

Default Value:

The following extensions are blocked by default:

ace, ani, apk, app, appx, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, 800-53|SI-8, CSCv7|7.9, CSCv7|8.1

Plugin: microsoft_azure

Control ID: e6757e03921e0a430e16a25f6cd6de52c42fc6b19c1c8545387689a559739dd9