top of page
  • Hanna Korotka

Using Mail Flow Rules for Inspecting Message Attachments in Exchange Online

Email has long been a favored conduit for cyberattacks, with malicious attachments posing a significant risk to both individuals and organizations. To bolster your email security and protect your valuable data, Exchange Online equips you with a powerful arsenal of tools, including mail flow rules. In this blog post, we will take an in-depth look at mail flow rules and how they can be harnessed to inspect message attachments within Exchange Online. By implementing these rules, you can proactively shield yourself from potential email threats and keep your digital world secure.

Guarding Against Ransomware with Mail Flow Rules

Ransomware stands out as one of the most devastating cyber threats due to its ease of deployment and the high stakes involved. Attackers commonly employ a technique where they send a malicious payload as an email attachment, and opening this attachment triggers a script that encrypts the user's files. The attacker then demands a ransom for decryption, hence the name "Ransomware." While it is challenging to directly block Ransomware in all its forms, there are effective measures that can be put in place:

  • Warning Users About Macros: One approach is to issue warnings to users before they open Office file attachments containing macros, which can hide Ransomware. This cautionary measure advises users not to open files from unknown sources.

  • Blocking Risky File Types: Another key strategy is to block file types that could potentially contain Ransomware or other malicious code. A starting point is a common list of executable file types, as shown in the table below. If your organization expects to receive legitimate files of these types via email, you can incorporate them into the previously mentioned rule to provide users with a warning.

Creating Mail Transport Rules for Enhanced Security

Mail transport rules play a pivotal role in email security by enabling you to define specific actions based on the content or sender of an email. To create a mail transport rule for safeguarding against email threats, follow these steps:

  1. Go to the Exchange admin center.

  2. In the mail flow category, select rules.

  3. Select +, and then Create a new rule.

  4. Select **** at the bottom of the dialog box to see the full set of options.

  5. Apply the settings in the following table for each rule. Leave the rest of the settings at the default, unless you want to change these.

  6. Select Save.


Anti-ransomware rule: warn users

Anti-ransomware rule: block file types


Anti-ransomware rule: warn users

Anti-ransomware rule: block file types

Apply this rule if

Any attachment file extension matches

Any attachment file extension matches

Specify words or phrases

Add these file types:

dotm, docm, xlsm, sltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm

Add these file types:

ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif

Do the following

Notify the recipient with a message

Block the message reject the message and include an explanation

Provide message text (for warn)

Specify rejection reason (for block)

Do not open these types of files—unless you were expecting them—because the files may contain malicious code and knowing the sender isn't a guarantee of safety.

This file type is in the blocked list since it could contain ransomware or other malicious code.


Block the message reject the message with the enhanced status code - '5.7.1'

Exchange Online mail flow rules are a vital component in your defense against email threats, including the insidious Ransomware. By issuing warnings and blocking risky file types, you can bolster your email security and minimize the risks associated with malicious attachments. Creating these rules is a proactive step towards securing your digital communication and keeping potential threats at bay. Take control of your email security today and make use of the tools at your disposal in Exchange Online.

To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.

65 views0 comments


Get the Latest News to Your Inbox

bottom of page