Common Attachment Blocking (CAB) is coming to EOP


UPDATE: Common Attachment Blocking has been released in EOP as the Common Attachment Types Filter. See my new article, Common Attachment Types Filter, for more information on this feature.

 

The following article was written by Rob McCarthy who is a Business Program Manager for Readiness in Microsoft.

We are happy to announce that Common Attachment Blocking (CAB) is coming to EOP.

In the not so distant future, administrators will have the ability to easily block certain file types coming in through email by checking a box! This will eliminate any chance for error that creating a file block through an Exchange Transport Rule often introduces.

By default, new tenants will have CAB enabled with ten specific file types already checked. Existing tenants will see the feature, but will have to manually enable it.

Once CAB is enabled, by default, ten (10) of the most common file types will already be checked. These ten file types were chosen by our analysts as not only the most common, but often the most likely to be able to transmit malware. Common Attachment Blocking is a big step forward in catching new forms of malware without having to wait for a virus definition to be developed.

In addition to an improved strategy for defending against zero-day vulnerabilities, CAB simply allows administrators to block any file they want, for any reason, in a fast, mistake-free way.

Please stay tuned for release date details!

– Rob McCarthy

Comments (12)

  1. rseiler says:

    Great, but I hope it includes looking inside archive files (zip, rar, etc).

  2. SNI-DavidM says:

    @rseiler. With the confidence that Andrew would correct any misstatements, I am sure that you can count on this looking inside "common archives" that are not password protected. You/We already have some of this where many attachment types are not allowed in Outlook on the Web and a subset of those are not allowed in Outlook for any new mail being created.

    We’ve followed past best practices and have many blocked via Transport rules. One rule for Internal (we deliver a polite informative message back to sender) and another rule for external (there is a less friendly message).

    Looking forward to this and to simplifying the complexity of Transport rules and making it easier to support.

    Andrew's post from June talks about doing a lot of this in Transport.
    http://blogs.technet.com/b/eopfieldnotes/archive/2015/06/08/tips-to-prevent-zero-day-malware-with-eop.aspx

  3. @rseiler, EOP transport rules can and do look into zip files that are not password protected. We also go multiple layers in the case where zip files are in zip files. If you are finding your transport rules aren’t catching file types that are in non-password protected zip files, please open up a support ticket to have one of our engineers (maybe even me!) take a look at your configuration to verify everything looks ok. It is expected that EOP will dig into non-password protected zip files.

  4. Just Karl says:

    Will this allow us to strip the attachment out of the message, replacing it with custom text like the abandoned Forefront Protection for Exchange Server did?

  5. O365 Boy says:

    Any update on this? Has this been released? Or in Public / Private preview?

  6. Hi O365 Boy. This is still coming out, but I don’t have any information on release window.

  7. Rob says:

    Any update on when this may be available? I'm finding more and more cryptolocker type infections being spread within .zip files that O365 doesn't seem to quarantine.

  8. Hi Rob, no dates announced yet, sorry!

  9. Kevin Robin says:

    When is this “not so distant future” taking place?
    Any A.T.A. yet? any update on this?

  10. Anders Heick says:

    Any updates on the release? It is almost a year since the initial announcement… Is it live or not?

    1. Hi there Anders, yes this has been released. Please see the “Update” note at the top of the post which contains a link to the TechNet documentation page which contains more information on this feature.
