Anti-malware protection for email In Microsoft 365 - Microsoft Defender for Office 365 (original) (raw)

In all organizations with cloud mailboxes, anti-malware protection for email is on by default. Some of the major categories of malware are:

• Viruses that infect other programs and data, and spread through your computer or network looking for programs to infect.
• Spyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.
• Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.

Anti-malware protection for email in Microsoft 365 is multi-layered and designed to catch all known malware that travels into or out of your organization. The following options help provide anti-malware protection:

• Layered defenses against malware: Anti-malware scans of email help protect against both known and unknown threats. Microsoft's anti-malware includes powerful heuristic detection that provides protection even during the early stages of a malware outbreak.
• Real-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.
• Fast anti-malware definition deployment: The anti-malware team can receive and integrate malware definitions and patches before they're publicly released.

Microsoft 365 quarantines messages when malware is found in any attachment*. Whether the recipients can view or otherwise interact with the quarantined messages is controlled by quarantine policies. By default, messages that were quarantined due to malware can only be viewed and released by admins. Users can't release their own quarantined malware messages, regardless of any available settings that admins configure. For more information, see the following articles:

* Malware filtering is skipped on SecOps mailboxes that are identified in the advanced delivery policy. For more information, see Configure the advanced delivery policy for non-Microsoft phishing simulations and email delivery to SecOps mailboxes.

• Anatomy of a quarantine policy
• Manage quarantined messages and files as an admin.

Anti-malware policies also contain a common attachments filter. Messages that contain the specified file types are automatically rejected (default) or quarantined based on the policy setting. For more information, see the Common attachments filter in anti-malware policies section later in this article.

For more information about anti-malware protection, see the Frequently asked questions: Anti-malware protection.

To configure the default anti-malware policy, and to create, modify, and remove custom anti-malware policies, see Configure anti-malware policies. In the Standard and Strict preset security policies, the anti-malware policy settings are already configured and unmodifiable as described in Anti-malware policy settings.

Anti-malware policies

Anti-malware policies control the configurable settings and notification options for malware detections. The important settings in anti-malware policies are described in the following subsections.

Recipient filters in anti-malware policies

Recipient filters use conditions and exceptions to identify the internal recipients that the policy applies to. At least one condition is required in custom policies. Conditions and exceptions aren't available in the default policy (the default policy applies to all recipients). You can use the following recipient filters for conditions and exceptions:

• Users: One or more mailboxes, or mail users in the organization.
• Groups:
  • Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
  • The specified Microsoft 365 Groups (dynamic membership groups in Microsoft Entra ID aren't supported).
• Domains: One or more of the configured accepted domains in Microsoft 365. The recipient's primary email address is in the specified domain.

You can use a condition or exception only once, but the condition or exception can contain multiple values:

• Multiple values of the same condition or exception use OR logic (for example, or ):
  • Conditions: If the recipient matches any of the specified values, the policy is applied to them.
  • Exceptions: If the recipient matches any of the specified values, the policy isn't applied to them.
• Different types of exceptions use OR logic (for example, or or ). If the recipient matches any of the specified exception values, the policy isn't applied to them.
• Different types of conditions use AND logic. The recipient must match all of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:
  • Users: romain@contoso.com
  • Groups: Executives
    The policy is applied to romain@contoso.com only if he's also a member of the Executives group. Otherwise, the policy isn't applied to him.

Common attachments filter in anti-malware policies

Some types of files aren't suited to email (for example, executable files). Rather than scanning these files for malware, why not block them all? That's where the common attachments filter comes in. When the common attachments filter detects a file type that you specified, you can Reject the message with a non-delivery report (NDR) (the default value) or Quarantine the message. Because the block is from an admin-defined policy, these messages don't get a malware verdict.

A list of default file types is used in the default anti-malware policy, in custom anti-malware policies that you create, and in the anti-malware policies in the Standard and Strict preset security policies.

In the Microsoft Defender portal, you can select from a list of additional file types or add your own values when you create or modify anti-malware policies in the Microsoft Defender portal.

• Default file types: ace, ani, apk, app, appx, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z.
• Additional file types to select in the Defender portal: 7z, 7zip, accdb, accde, action, ade, adp, appxbundle, asf, asp, aspx, avi, bas, bin, bundle, bz, bz2, bzip2, caction, cer, chm, command, cpl, crt, csh, css, der, dgz, dmg, doc, docx, dos, dot, dotm, dtox [sic], dylib, font, fxp, gadget, gz, gzip, hlp, Hta, htm, html, imp, inf, ins, ipa, isp, its, js, jse, ksh, Lnk, lqy, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mde, mdt, mdw, mdz, mht, mhtml, mscompress, msh, msh1, msh1xml, msh2, msh2xml, mshxml, msixbundle, o, obj, odp, ods, odt, one, onenote, ops, os2, package, pages, pbix, pcd, pdb, pdf, php, pkg, plg, plugin, pps, ppsm, ppsx, ppt, pptm, pptx, prf, prg, ps1, ps1xml, ps2, ps2xml, psc1, psc2, pst, pub, py, rar, rpm, rtf, scpt, service, sh, shb, shs, shtm, shx, so, tar, tarz, terminal, tgz, tmp, tool, url, vhd, vsd, vsdm, vsdx, vsmacros, vss, vssx, vst, vstm, vstx, vsw, w16, workflow, ws, xhtml, xla, xlam, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, xnk, zi, zip, zipx.

True type matching in the common attachments filter

The common attachments filter uses best effort true type matching to detect the file type, regardless of the filename extension. True type matching uses file characteristics to determine the real file type (for example, leading and trailing bytes in the file). For example, if an exe file is renamed with a txt filename extension, the common attachments filter detects the file as an exe file.

True type matching in the common attachments filter supports the following file types:

7zip, ace, adoc, ani, arc, arj, asf, asice, avi, bmp, bz, bz2, cab, cda, chm, deb, dex, dll, dmg, doc, docm, docx, dot, dotm, dotx, dwg, eml, eps, epub, excelml, exe, fluid, gif, gzip, heic, heif, html, hyper, icon, ics, infopathml, jar, javabytecode, jnlp, jpeg, json, lib, lnk, lzh, lzma, macho, mhtml, mp3, mp4, mpeg, mpp, msaccess, mscompress, msg, msp, musx, nws, obd, obj, obt, odbcexcel, odc, odf, odg, odi, odm, odp, ods, odt, one, otc, otf, otg, oth, oti, otp, ots, ott, pal, pcx, pdf, pfb, pfile, pif, png, pointpub, pot, potm, potx, powerpointml, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, ps, pub, qcp, quicktime, rar, rar4, riff, rmi, rpm, rpmsg, rtf, smime, swf, tar, tiff, tlb, tnef, ttf, txt, vcf, vcs, vdw, vdx, vsd, vsdm, vsdx, vss, vssm, vssx, vst, vstm, vstx, vsx, vtt, vtx, wav, webp, whiteboard, wmf, woff, woff2, word2, wordml, xar, xlam, xlb, xlc, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, xml, xps, xz, z, zip, zoo

If true type matching fails or isn't supported for the file type, then simple extension matching is used.

Zero-hour auto purge (ZAP) in anti-malware policies

ZAP for malware quarantines messages that are found to contain malware after they've been delivered to Exchange Online mailboxes. By default, ZAP for malware is turned on, and we recommend that you leave it on. For more information, see Zero-hour auto purge (ZAP) for malware.

Quarantine policies in anti-malware policies

Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. By default, recipients don't receive notifications for messages that were quarantined as malware, and users can't release their own quarantined malware messages, regardless of any available settings that admins configure. For more information, see Anatomy of a quarantine policy.

Admin notifications in anti-malware policies

You can specify an additional recipient (an admin) to receive notifications for malware detected in messages from internal or external senders. You can customize the From address, subject, and message text for internal and external notifications.

These settings aren't configured in the default anti-malware policy by default, or in the Standard or Strict preset security policies.

Tip

Admin notifications are sent only for attachments that are classified as malware.

The quarantine policy that's assigned to the anti-malware policy determines whether recipients receive email notifications for messages that were quarantined as malware.

Priority of anti-malware policies

If preset security policies are turned on, the Standard and Strict preset security policies are applied before any custom anti-malware policies or the default policy. If you create multiple custom anti-malware policies, you can specify the order of policy application. Policy processing stops for eligible recipients after the application of the first eligible policy (the highest priority policy for that recipient).

For more information about the order of precedence and how multiple policies are evaluated, see Order and precedence of email protection and Order of precedence for preset security policies and other policies.

Default anti-malware policy

Every organization has a built-in anti-malware policy named Default that has the following properties:

• The policy is the default policy (the IsDefault property has the value True), and you can't delete the default policy.
• The policy is automatically applied to all recipients in the organization, and you can't turn it off.
• The policy is always applied last (the Priority value is Lowest and you can't change it).