Detections
Analytics

1.8 Ensure 'Attachment Filtering Agent' is configured

Information

The attachment filtering on Edge Transport servers restricts attachments that users receive in email messages. Attachment filtering is performed by the Attachment Filtering agent, which is available only on Edge Transport servers, and is unchanged from Exchange Server 2010.

Ensure the Attachment Filtering Agent is Enabled, and the extension filtering list is configured to the desired state.

Rationale:

Attachment filtering will allow the blocking of file extensions that are regularly abused by bad actors for nefarious purposes, including phishing, malware distribution, and macros. The list of extensions in the audit and remediation sections includes a collection found in the CIS Microsoft 365 Benchmark, Microsoft Office Benchmark, DISA STIG, and the Exchange Server defaults.

Impact:

Attachments on emails that match the filtering list will be removed and replaced with a text file. The original message will be sent to the recipient along with the replaced attachment. This is the default behavior.

Solution

Execute the following cmdlet to enable the Filtering Agent:

Enable-TransportAgent 'Attachment Filtering Agent'

Execute the bellow script to create the desired attachment filtering state:

$attachmentExtensions = @(
 '*.ace', '*.ade', '*.adp', '*.ani', '*.app', '*.appx', '*.arj', '*.asx', '*.bas', '*.bat', '*.cab', '*.chm',
 '*.cmd', '*.com', '*.cpl', '*.crt', '*.csh', '*.dbf', '*.dcr', '*.deb', '*.dex', '*.dif', '*.dir', '*.dll',
 '*.doc', '*.dot', '*.docm', '*.elf', '*.exe', '*.fxp', '*.hlp', '*.hta', '*.htc', '*.htm', '*.html', '*.img',
 '*.inf', '*.ins', '*.iso', '*.isp', '*.jar', '*.jnlp', '*.js', '*.jse', '*.kext', '*.ksh', '*.lha', '*.lib',
 '*.lnk', '*.lzh', '*.macho', '*.mda', '*.mdb', '*.mde', '*.mdt', '*.mdw', '*.mdz', '*.mht', '*.mhtml', '*.msc',
 '*.msi', '*.msix', '*.msp', '*.mst', '*.ops', '*.pcd', '*.pif', '*.plg', '*.ppa', '*.ppt', '*.ppam', '*.prf',
 '*.prg', '*.ps1', '*.ps11', '*.ps11xml', '*.ps1xml', '*.ps2', '*.ps2xml', '*.psc1', '*.psc2', '*.reg', '*.rev',
 '*.scf', '*.scr', '*.sct', '*.shb', '*.shs', '*.shtm', '*.shtml', '*.slk', '*.spl', '*.stm', '*.swf', '*.sys',
 '*.uif', '*.url', '*.vb', '*.vbe', '*.vbs', '*.vxd', '*.wsc', '*.wsf', '*.wsh', '*.xlam', '*.xla', '*.xlc',
 '*.xll', '*.xls', '*.xlsm', '*.xlt', '*.xlw', '*.xml', '*.xnk', '*.xz', '*.z'
)

foreach ($extension in $attachmentExtensions) {
 $result = Add-AttachmentFilterEntry -Name $extension -Type FileName -ErrorAction SilentlyContinue

 if ($result) {
 Write-Host 'Successfully added attachment $extension' -ForegroundColor Green
 } else {
 Write-Host 'Attachment $extension already exists in the list.' -ForegroundColor Red
 }
}

Default Value:

By default these extensions are blocked in Exchange:

*.ade, *.adp, *.app, *.asx, *.bas, *.bat, *.chm, *.cmd, *.com, *.cpl, *.crt, *.csh, *.exe, *.fxp, *.hlp, *.hta, *.inf, *.ins, *.isp, *.js, *.jse, *.ksh, *.lnk, *.mda, *.mdb, *.mde, *.mdt, *.mdw, *.mdz, *.msc, *.msi, *.msp, *.mst, *.ops, *.pcd, *.pif, *.prf, *.prg, *.ps1, *.ps11, *.ps11xml, *.ps1xml, *.ps2, *.ps2xml, *.psc1, *.psc2, *.reg, *.scf, *.scr, *.sct, *.shb, *.shs, *.url, *.vb, *.vbe, *.vbs, *.wsc, *.wsf, *.wsh, *.xnk

See Also

https://workbench.cisecurity.org/benchmarks/12442

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, 800-53|SI-8

Plugin: Windows

Control ID: c16a427b30985af675c698c4f7380d58c2f42b9099301b44033d3582a2ea3b20