Share via


Common Attachment Blocking (CAB) is coming to EOP

UPDATE: Common Attachment Blocking has been released in EOP as the Common Attachment Types Filter. See my new article, Common Attachment Types Filter, for more information on this feature.

 

The following article was written by Rob McCarthy who is a Business Program Manager for Readiness in Microsoft.

We are happy to announce that Common Attachment Blocking (CAB) is coming to EOP.

In the not so distant future, administrators will have the ability to easily block certain file types coming in through email by checking a box! This will eliminate any chance for error that creating a file block through an Exchange Transport Rule often introduces.

By default, new tenants will have CAB enabled with ten specific file types already checked. Existing tenants will see the feature, but will have to manually enable it.

Once CAB is enabled, by default, ten (10) of the most common file types will already be checked. These ten files types were chosen by our analysts as not only the most common, but often the most likely to be able to transmit malware. Common Attachment Blocking is a big step forward in catching new forms of malware without having to wait for a virus definition to be developed.

In addition to an improved strategy defending against zero-day vulnerabilities, CAB simply allows administrators to block any file they want, for any reason, in a fast, mistake free method.

Please stay tuned for release date details!

- Rob McCarthy

Comments

  • Anonymous
    August 19, 2015
    thanks
  • Anonymous
    August 19, 2015
    Great, but I hope it includes looking inside archive files (zip, rar, etc).
  • Anonymous
    August 19, 2015
    @rseiler. With the confidence that Andrew would correct any mis-statements, I am sure that you can count on this looking inside "common archives" that are not password protected. You/We already have some of this where many attachment types are not allowed in Outlook on the Web and a subset of those are not allowed in Outlook for any new mail being created.
    We've followed past best practices and have many blocked via Transport rules. One rule for Internal (we deliver a polite informative message back to sender) and another rule for external (there is a less friendly message).

    Looking forward to this and to simplify the complexity of Transport rules and making it easier to support..

    Andrews post from June talks about doing a lot of this in Transport.
    http://blogs.technet.com/b/eopfieldnotes/archive/2015/06/08/tips-to-prevent-zero-day-malware-with-eop.aspx

  • Anonymous
    August 19, 2015
    @rseiler, EOP transport rules can and so look into zip files that are not password protected. We also go multiple layers in the case where zip files are in zip files. if you are finding your transport rules aren't catching file types that are in non-password protected zip files, please open up a support ticket to have one of our engineers (maybe even me!) take a look at your configuration to verify everything looks ok. It is expected that EOP will dig into non-password protected zip files.
  • Anonymous
    August 28, 2015
    The comment has been removed
  • Anonymous
    October 29, 2015
    Any update on this? has this been released? or in Public / Private preview?
  • Anonymous
    November 04, 2015
    Hi O365 Boy. This is still coming out, but I don't have any information on release window.
  • Anonymous
    December 01, 2015
    Any update on when this may be available? I'm finding more and more cryptolocker type infections being spread within .zip files that O365 doesn't seem to quarantine.
  • Anonymous
    December 04, 2015
    Hi Rob, no dates announced yet, sorry!
  • Anonymous
    February 11, 2016
    When is this "not so distant future" taking place?Any A.T.A. yet? any update on this?
  • Anonymous
    August 31, 2016
    Any updates on the release? It is almost a year since the initial announcement... Is it live or not?
    • Anonymous
      September 14, 2016
      Hi there Andres, yes this has been released. Please see the "Update" note at the top of the post which contains a link to the TechNet documentation page which contains more information on this feature.