Sometimes, spammers and malware writers create malware that passes through our service and arrives in customer inboxes. This is known as zero-day malware. The anti-malware engines that we use have not yet created signatures for it, and sometimes the spam rules do not catch it either, because the messages carry so little content that the spam rules have nothing to match on without causing false positives.
One way to block this is to use an Exchange Transport Rule that blocks executable content. This catches malware that relies on a commonly used delivery mechanism: attachment content that executes automatically.
The above instructions will help catch zero-day malware. However, they should not be considered the definitive solution:
What about scripts? .js, .vbs, .cmd, .bat, etc. What about all these file types inside archives? One of the Cryptolocker versions spreads by using a js or vbs script inside a zip archive. The script is disguised as a document; its name looks like "Important_document_with_long_name_tested_by_antivirus.doc.js" and it is placed inside a zip archive. This type of file easily gets through Office 365 mail protection and 90% of antiviruses.
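The transport rule the post recommends, plus a second rule for the script extensions the comment raises, as an added Exchange Online PowerShell example that is not part of the original post or the comment. It assumes the ExchangeOnlineManagement module, an account allowed to manage mail flow rules, and rule names, reject text, the extension list and the report mailbox chosen for this example.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module; rule names, reject text, extension list and report address are assumptions.
Connect-ExchangeOnline

# Rule 1: the condition described in the post. "AttachmentHasExecutableContent"
# inspects the attachment's actual content rather than its file name, so an
# executable renamed to look like a document is still detected.
# Start in Audit mode, review the incident reports, then switch -Mode to Enforce.
New-TransportRule -Name 'Block executable attachments (zero-day malware)' `
    -Comments 'Rejects inbound mail whose attachments contain executable content.' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Message rejected: attachment contains executable content.' `
    -Mode Audit `
    -Priority 0

# Rule 2: the gap raised in the comment. The extension condition matches the final
# extension of the attachment name, so the double-extension trick ("...doc.js")
# still matches "js". Whether files nested inside archives are inspected by this
# condition must be confirmed against current Exchange Online Protection docs;
# this example does not assume it. The list is a starting point, not a complete one.
$scriptExtensions = 'js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh', 'cmd', 'bat', 'hta'
New-TransportRule -Name 'Block script attachments' `
    -Comments 'Rejects inbound mail carrying script-type attachments.' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $scriptExtensions `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Message rejected: script attachments are not accepted.' `
    -GenerateIncidentReport 'secops@contoso.example' `
    -IncidentReportContent Sender, Recipients, Subject, AttachmentNames `
    -Mode Audit `
    -Priority 1

# Verify both rules exist and are still in Audit mode before enforcing them.
Get-TransportRule | Where-Object { $_.Name -like 'Block *' } |
    Format-Table Name, Priority, Mode, State

# Once the audit reports show no legitimate mail matching, enforce:
# Set-TransportRule -Identity 'Block executable attachments (zero-day malware)' -Mode Enforce
# Set-TransportRule -Identity 'Block script attachments' -Mode Enforce
```

The incident reports generated in Audit mode give the detection data needed to tune the extension list before any mail is rejected.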