Sometimes, spammers and malware writers create malware that passes through our service and arrives in customer inboxes. This is new or unknown malware: the anti-malware engines that we use have not yet created signatures for it, and sometimes the spam rules do not catch it because the message contains so little content that there is nothing for the spam rules to match on without causing false positives.
One way to block this is to use an Exchange Transport Rule that blocks executable content. This catches malware that relies on a commonly used delivery mechanism: attached content that executes automatically when opened.
a) Connect to Exchange Online using PowerShell: http://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx
Or, connect to Exchange Online Protection using PowerShell: http://technet.microsoft.com/en-us/library/dn621036(v=exchg.150).aspx

b) Create the rule. Choose one of the two actions below (both use the same rule name, so create only one of them):

To delete the message without notifying anyone:

    New-TransportRule -Name "Block executable content" -AttachmentHasExecutableContent $true -DeleteMessage $true

To set the SCL to 9 and modify the message subject (the executable-content condition is required here as well; without it the rule would apply to every message):

    New-TransportRule -Name "Block executable content" -AttachmentHasExecutableContent $true -SetSCL 9 -PrependSubject "[POSSIBLE MALWARE]"
The above instructions will help catch zero-day malware. However, they should not be considered the definitive solution:
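The following is an added example, not part of the original post or of Microsoft's own guidance, showing how a practitioner would roll the procedure above out safely: the executable-content rule is created idempotently in audit mode so that its hits can be reviewed before any mail is tagged or dropped, and then switched to enforcement. It assumes an already established Exchange Online or EOP PowerShell session with permission to manage transport rules. It goes beyond the page in one respect: a second rule, based on the attachment file extension, covers the script file types (js, vbs, cmd, bat) that the executable-content condition is not documented to catch; whether that extension condition also inspects files inside zip archives is an assumption you must verify against current Exchange Online documentation and by testing in your own tenant.

```powershell
# Added example (not from the original post). Assumes an existing
# Exchange Online / EOP remote PowerShell session.

# --- Rule 1: the executable-content rule described in the post ---
$ExecRule = 'Block executable content'

# Idempotent: only create the rule if it does not already exist.
if (-not (Get-TransportRule -Identity $ExecRule -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ExecRule `
        -AttachmentHasExecutableContent $true `
        -SetSCL 9 `
        -PrependSubject '[POSSIBLE MALWARE]' `
        -Mode Audit          # record matches only; take no action yet
}

# --- Rule 2 (beyond the post): common script attachment types ---
# AttachmentExtensionMatchesWords matches on the file extension, so a
# double-extension name such as "...doc.js" matches on "js".
# ASSUMPTION to verify: whether this condition looks inside zip archives.
$ScriptRule = 'Quarantine script attachments'
$ScriptExtensions = 'js', 'jse', 'vbs', 'vbe', 'wsf', 'cmd', 'bat', 'ps1'

if (-not (Get-TransportRule -Identity $ScriptRule -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ScriptRule `
        -AttachmentExtensionMatchesWords $ScriptExtensions `
        -Quarantine $true `
        -Mode Audit
}

# Review both rules (state, mode, priority) before enforcing anything.
Get-TransportRule -Identity $ExecRule, $ScriptRule |
    Format-List Name, State, Mode, Priority

# After reviewing audit hits in message trace / rule reports and ruling out
# false positives, switch the rules to enforcement.
Set-TransportRule -Identity $ExecRule   -Mode Enforce
Set-TransportRule -Identity $ScriptRule -Mode Enforce
```

Starting in audit mode matters because the rule applies to all inbound mail, including legitimate software distributions and internal scripts; the audit period shows what would have been affected. To drop matching mail silently instead of tagging it, replace -SetSCL and -PrependSubject with -DeleteMessage $true as in the post's first variant.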
What about scripts: js, vbs, cmd, bat, etc.? What about all these file types inside archives? One of the Cryptolocker versions spreads by using a js or vbs script inside a zip archive. The script is disguised as a document; its name looks like "Important_document_with_long_name_tested_by_antivirus.doc.js" and it is placed inside a zip archive. This type of file easily gets through Office 365 mail protection and 90% of antiviruses.
Hi there. I worked on this tonight with MS, and using the method below works perfectly.