[How-to] Block Cryptolocker at Exchange/Office 365

Office 365 and Exchange Online have a market adoption of over 70% in enterprises. An easy way to block cryptolocker viruses that arrive as mail attachments is to block executable files in the Exchange Admin Center. There is no reason to receive executables by email. The solution below blocks executables in Exchange environments, including inside zipped files.

Logon to the Exchange Admin Center:

  1. With Exchange 2010 and 2013/2016, go to the URL https://<FQDN of the mail server>/ecp, e.g. https://mail.brankovucinec.com/ecp.
  2. In Office 365, go to the admin portal and click Exchange in the left bottom corner.

Go to mail flow -> Rules and click Create a new rule…

In the popup window, give the rule a name such as Block EXE, and under Apply this rule if… select Any attachment’s content includes…

Add EXE, MSI, BAT, CMD and any other extensions you want to block to the list and click OK.

Under Do the following… select Reject the message with the explanation… (To avoid unnecessary concern about administrative SPAM, you can instead choose Delete the message without notifying anyone and skip the next step.)

In the new popup set as reason “Executable content not allowed.” and click on OK.

Click save.

Next, create a second rule: select Create a new rule… again.

Give the new rule a name, such as Executable content not allowed, and click More options… at the bottom.

Additional options appear; under Apply this rule if… you can now choose Any attachment… > has executable content.

Under Do the following… choose Block the message… > reject the message and include an explanation. Again, if you want to avoid the administrative SPAM, choose delete the message without notifying anyone instead and skip the next step.

In the new popup set as reason “Executable content not allowed.” and click on OK.

Click save.

You now have two rules that block executable attachments in your Exchange environment. When a sender tries to send an executable as an attachment, they will receive a non-delivery report with status 5.7.1 Executable content not allowed.
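The same two rules can be created from the Exchange Management Shell or Exchange Online PowerShell instead of clicking through the ECP. This is an added example, not code from the original post; the rule names, the extension list and the `$DeleteSilently` switch are my own choices, and the parameters used are the documented ones of the `New-TransportRule` cmdlet.

```powershell
# Added example: the two transport rules from the walkthrough, created with
# New-TransportRule. Assumes an Exchange Management Shell or Exchange Online
# PowerShell session with permission to manage mail flow rules.
# Set $DeleteSilently = $true for the "delete without notifying anyone"
# variant from the post instead of rejecting with an NDR.
$DeleteSilently = $false
$Reason = 'Executable content not allowed.'

# Rule 1: block by attachment extension. Extension matching also looks inside
# supported archive formats such as .zip. Extend the list as you see fit.
$Extensions = @('exe', 'msi', 'bat', 'cmd')

$rule1 = @{
    Name                            = 'Block EXE'
    AttachmentExtensionMatchesWords = $Extensions
    Comments                        = 'Blocks executable attachments by extension'
}
if ($DeleteSilently) {
    $rule1['DeleteMessage'] = $true
} else {
    $rule1['RejectMessageReasonText'] = $Reason
    # 5.7.1 is the default enhanced status code for rejects; set it explicitly
    $rule1['RejectMessageEnhancedStatusCode'] = '5.7.1'
}
New-TransportRule @rule1

# Rule 2: block by detected executable content. This is content inspection,
# so an executable renamed to a harmless extension is still caught.
$rule2 = @{
    Name                           = 'Executable content not allowed'
    AttachmentHasExecutableContent = $true
    Comments                       = 'Blocks attachments whose content is detected as executable'
}
if ($DeleteSilently) {
    $rule2['DeleteMessage'] = $true
} else {
    $rule2['RejectMessageReasonText'] = $Reason
    $rule2['RejectMessageEnhancedStatusCode'] = '5.7.1'
}
New-TransportRule @rule2

# Verify that both rules exist and are enabled
Get-TransportRule |
    Where-Object { $_.Name -in 'Block EXE', 'Executable content not allowed' } |
    Format-Table Name, State, Priority, AttachmentExtensionMatchesWords, AttachmentHasExecutableContent
```

Rule priority follows creation order, so check the Priority column if other mail flow rules already exist in the organization.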

Note that this solution does not protect your organization 100% against cryptolocker viruses, but every ‘extra’ security layer makes it a bit safer for you and your users.

The following table lists how executable content is determined for the second rule:

| Extension | Type of file |
|-----------|--------------|
| COM | European Institute for Computer Antivirus Research standard anti-virus test file |
| DLL | 32-bit Windows executable file with dynamic link library extension |
| DOS | Disk-operating system file |
| EXE | Self-extracting executable program file |
| EXE | Uninstallation executable file |
| EXE | Program shortcut file |
| EXE | Windows executable program file |
| EXE | 32-bit Windows executable file |
| JAR | Java archive file |
| OBJ | Compiled source code file or 3D object file or sequence file |
| OS2 | OS/2 operating system file |
| RAR | Self-extracting archive file created with the WinRAR archiver |
| PIF | Windows program information file |
| VXD | Microsoft Visio XML drawing file |
| W16 | 16-bit Windows executable file |

The transport engine does not rely solely on the extension to decide whether an attachment is executable. Instead, it inspects the content to determine what type of file it is.