Sometimes we marvel at the amazing discoveries from the James Webb Space Telescope. Other times, we turn a pair of binoculars to the sky and discover new things about the moon. If AI is like the JWST, then email security is like our pair of binoculars. Tuning our email security settings won’t help track the latest malware developments from REvil. But we can protect ourselves from the more common—and more frequent—malware that we encounter daily.
We know that one important email security tool is the analysis of email attachments. Hackers can embed malware in file attachments. They can also use the attachment’s file name and file type to complement their phishing lure. For instance, hackers can create a phishing message with a subject line about an overdue invoice and attach a file with “invoice” in the file name and a file format you might expect to see, such as .doc, .xls or .pdf.
As part of your email security, Safe Attachments will scan the attached file for viruses and malware before delivering it with the message. (This behavior is why you will see a message notification on your phone’s Outlook client before you see it on the desktop client. In the latter case, Safe Attachments is sandboxing the message while it scans the attachment.)
Safe Attachments does not rely only on the file type declared by the attachment’s name and metadata. It also inspects the attachment’s content for characteristics that determine the file’s actual (“true”) file type. This email security feature addresses the case where a hacker renames a file’s extension to evade an attachment blocking rule.
One nice email security feature here: “Zero-hour Auto Purge.” (Or ZAP. Someone missed their calling as the person writing titles for Congressional legislation.) With ZAP, Safe Attachments will remove messages in which malware is detected after the message has already been delivered. Zapped, as it were. (You know I had to.) This means that the email security tool removes malware-infected messages even if they were initially given a “green light” to be delivered.
Safe Attachments also implements an email security rule to block common malware file types. The Common Attachments filter lets you block file types that are more susceptible to abuse. This includes file types such as .exe.
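As an added illustration of the two checks described above (true-type detection and a Common Attachments style block list), here is a small Python sketch that is not Microsoft’s code, whose own detection logic is not public. It classifies an attachment by its magic bytes, flags a declared extension that disagrees with the content, and applies the block list to the true type, so a renamed executable is still caught. The signature table, the block list and the sample inputs are constructed for this example.

```python
import io
import zipfile

# Constructed, partial magic-byte table; Safe Attachments' own logic is not public.
SIGNATURES = [
    (b"MZ", "exe"),                                # Windows PE executable
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                        # zip, also docx/xlsx containers
]
BLOCKED_TYPES = {"exe"}  # constructed Common Attachments style block list
COMPATIBLE = {"ole": {"doc", "xls", "ppt"}}  # declared extensions valid for a true type

def classify_zip(data: bytes) -> str:
    """Tell Office Open XML documents apart from a plain zip by their members."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip"
    if "word/document.xml" in names:
        return "docx"
    return "xlsx" if "xl/workbook.xml" in names else "zip"

def sniff_true_type(data: bytes) -> str:
    """File type implied by content alone; the file name is ignored."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return classify_zip(data) if kind == "zip" else kind
    return "unknown"

def evaluate_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the true type and decide the verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    true_type = sniff_true_type(data)
    mismatch = true_type != "unknown" and ext not in COMPATIBLE.get(true_type, {true_type})
    # The block list is applied to the sniffed type, so renaming cannot evade it.
    verdict = "block" if true_type in BLOCKED_TYPES or ext in BLOCKED_TYPES else "deliver"
    return {"declared": ext, "true_type": true_type, "mismatch": mismatch, "verdict": verdict}

def make_docx_bytes() -> bytes:
    """Constructed minimal docx-like container used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample: an executable renamed to look like an invoice
    print(evaluate_attachment("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60))
    print(evaluate_attachment("report.docx", make_docx_bytes()))
```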
Safe Attachments Message Handling Options
Administrators can take these actions for handling a message with suspicious attachments.
- Monitor the message. The message is delivered even though it contains malware. Do not use this setting unless you are testing to see if downstream endpoint protection services catch the malware.
- Block the message from delivery.
- Use Dynamic Delivery to deliver the message. Here, the attachment is stripped, and the message is delivered without it. Once the attachment is scanned and declared clean, it is reattached to the email message.
Microsoft recommends blocking rather than dynamically delivering messages with malware. If a user moves a message after delivery, Dynamic Delivery may not find the message to reattach the scanned file. Poor user experience and support tickets ensue.
Working with the Quarantine
Of course, it is possible that your anti-spam and anti-malware policies are going to cause some false positives—messages that are quarantined by accident. (Even if this is not happening, users will believe it is and ask you how they can confirm that they are not missing out on legitimate messages.) So, let us look at quarantines as a part of email security.
Admins can release messages from the quarantine for any of these suspicious categories.
- Bulk email
- Spam messages
- Phishing messages
- High-confidence spam
- Mail quarantined due to mail flow rules
- High-confidence phishing messages
Users can access messages in the first four of these categories (bulk email, spam, phishing, high-confidence spam). They cannot access messages quarantined under the other two categories. In some cases, users can also release messages from quarantine if administrators set the appropriate quarantine policies. If you set a quarantine policy that allows users to request the release of a message, be sure to also set an alert policy so that the right admins know a user has requested a release from quarantine. Otherwise, all company administrators will get a message. Avoid the mess of unnecessary messages!
Sometimes, it is the Little Things
The simplest email security steps sometimes yield the biggest payback. Pay attention to these email security policies and settings. Fortunately, they are activated by default. You may want to go beyond the defaults and set additional policies that fit the email security circumstances for your organization.