A new Emotet phishing campaign targets US taxpayers under the guise of W-9 tax forms allegedly sent by the Internal Revenue Service and companies you work with. Emotet is a notorious malware family that has historically been propagated via phishing emails carrying Microsoft Word and Excel documents with malicious macros that install the malware.
The attached OneNote document pretends to be protected and prompts you to double-click the View button to view it properly. Beneath this View button, however, is an embedded VBScript file that is launched instead.
As per BleepingComputer, when the embedded VBScript file is launched, Microsoft OneNote warns the user that the file may be malicious. Unfortunately, history has shown that many users ignore these warnings and simply allow the file to run. Once executed, the VBScript downloads the Emotet DLL and runs it using regsvr32.exe. The malware then runs quietly in the background, stealing email and contacts and waiting for further payloads to install on the device.
How to block emails with a .one file attachment extension?
We will see how you can block emails that are sent or received (inbound or outbound) with a .one file attachment. You can use the same steps to block other file attachment extensions as well. However, as we want to mitigate the recent threat involving the .one file extension, we will first look at how this can be blocked.
Option 1: Create a Rule in Exchange Online
We will create a rule in Exchange Online that blocks any email sent or received with a file attachment having the .one extension. Please follow the steps below:
- Log in to the Exchange admin center using either the Global administrator or Exchange administrator role.
- Go to Mail flow and then click on Rules.
- Click on + Add a rule > Create a new rule.
Rule conditions
Please provide the information below to configure the rule conditions:
- Name: Block Emails with .One File Attachment Extension
- Apply this rule if: Any attachment > file extension includes these words.
- Specify words or phrases: one (without the dot).
- Do the following: Block the message > reject the message and include an explanation.
- Specify rejection reason: This email is rejected due to Invalid File Extension Type.
- Click on Next to proceed.
Rule settings
Please choose the options below to configure the rule settings:
- Rule Mode: Enforce
- Keep the rest of the settings at their defaults.
- Click on Next to proceed.
Review and finish
Review the rule conditions and settings you configured. Once you are happy with them, click on Finish to create the rule. Please note that the rule is created in the Disabled state by default, so at this stage it will not run or impact any user. The rule needs to be enabled first.
Click on the rule and toggle the switch to enable it.
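The same transport rule can be created from Exchange Online PowerShell, which is useful when you need to apply it to several tenants or keep it in version control. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, the account holds the Exchange administrator role, and the UPN is a placeholder.

```powershell
# Added example (not from the original post): create the Option 1 transport rule
# with Exchange Online PowerShell. Assumes the ExchangeOnlineManagement module is
# installed and the signed-in account has the Exchange administrator role.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder UPN

$ruleName = 'Block Emails with .One File Attachment Extension'

# The condition matches on the attachment's extension, so the word is given
# without the dot, exactly as in the admin-center steps above.
# The rule is created disabled to mirror the portal behaviour described above,
# so it can be reviewed before it affects any mail flow.
New-TransportRule -Name $ruleName `
    -AttachmentExtensionMatchesWords 'one' `
    -RejectMessageReasonText 'This email is rejected due to Invalid File Extension Type.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce `
    -Enabled $false

# Review the rule as created, then enable it explicitly.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, AttachmentExtensionMatchesWords, RejectMessageReasonText

Enable-TransportRule -Identity $ruleName

# Confirm the rule is now enforced before running the tests in the Testing section.
Get-TransportRule -Identity $ruleName | Select-Object Name, State, Mode

Disconnect-ExchangeOnline -Confirm:$false
```

To block additional extensions with the same rule, pass them as a list to -AttachmentExtensionMatchesWords (for example 'one','iso','lnk'), again without the dots.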
Option 2: Block emails with a .one file attachment extension using anti-malware policies
In the previous section we created a rule in Exchange Online to block emails with file attachments having the .one extension. You can also reject these emails by creating an anti-malware policy.
You can either create a new anti-malware policy or add a block for the .one file type to the existing default anti-malware policy. I am going to create a new custom anti-malware policy just for blocking the .one extension.
There are two actions you can apply to such an email: reject the message with a non-delivery receipt (NDR), or quarantine the message using the attachment filter.
Let’s check the steps:
- Log in to the Microsoft 365 Defender portal as Security administrator or Global administrator.
- Go to Email & collaboration > Policies & rules > Threat policies.
- Under Policies, find Anti-malware.
- Click on + Create.
Name your policy
- Name: Reject emails with .one attachments
- Description: Reject emails and send NDR for emails with .one file attachment extension.
Users and domains
Add the users, groups or domains to which you want to apply this policy. If you add users, groups and domains all together, then all conditions need to match for the rule to take effect.
Protection Settings
Configure the protection settings as follows:
- Click on Select file types and add the .one file type to the list of extensions. Remove all other file types by clicking the X sign next to each one.
- When these file types are found: select Reject the message with a non-delivery receipt (NDR). (An NDR email will be sent to the sender. The message will not be quarantined, and no recipient or admin notifications will be sent.)
- Enable ZAP (Zero-hour auto purge): malware ZAP quarantines messages that are found to contain malware after they have been delivered to Exchange Online mailboxes.
- Quarantine policy: you can select AdminOnlyAccessPolicy so that users get no access to view or release the messages.
- Notification: include admin email addresses for internal and external senders for any undelivered emails.
Click on the Submit button when the configuration of the protection settings is complete.
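The anti-malware policy from Option 2 can also be created and scoped with Exchange Online PowerShell. This is an added example, not the post's own code; it assumes an existing Connect-ExchangeOnline session with the Security administrator role, and the domain and admin addresses are placeholders.

```powershell
# Added example (not from the original post): the Option 2 anti-malware policy
# built with Exchange Online PowerShell. Assumes an existing Connect-ExchangeOnline
# session with the Security administrator role; contoso.com and the secops address
# are placeholders.
$policyName = 'Reject emails with .one attachments'
$adminAddr  = 'secops@contoso.com'     # placeholder admin notification address

# -FileTypes replaces the default common-attachments list, so only 'one' remains,
# matching the portal step that removes every other extension.
# -FileTypeAction Reject sends the NDR rather than quarantining the message.
New-MalwareFilterPolicy -Name $policyName `
    -AdminDisplayName 'Reject emails and send NDR for emails with .one file attachment extension.' `
    -EnableFileFilter $true `
    -FileTypes 'one' `
    -FileTypeAction Reject `
    -ZapEnabled $true `
    -QuarantineTag 'AdminOnlyAccessPolicy' `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress $adminAddr `
    -EnableExternalSenderAdminNotifications $true `
    -ExternalSenderAdminAddress $adminAddr

# A policy has no effect until a malware filter rule scopes it to recipients.
# Here it is applied to one recipient domain (the "Users and domains" step above);
# -SentTo / -SentToMemberOf would scope it to users or groups instead.
New-MalwareFilterRule -Name "$policyName rule" `
    -MalwareFilterPolicy $policyName `
    -RecipientDomainIs 'contoso.com' `
    -Priority 0

# Verify that the file filter, action and ZAP settings were applied as intended.
Get-MalwareFilterPolicy -Identity $policyName |
    Format-List Name, EnableFileFilter, FileTypes, FileTypeAction, ZapEnabled, QuarantineTag
```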
Testing of Exchange Online Rule
We created a rule to block all emails with a .one file attachment extension. You can verify it by performing the tests below:
- Send one test email with .one file attachment from any External domain to your organization / Internal domain.
- Send one test email with .one file attachment from an Internal / organization domain to any External domain.
- Send one test email with .one file attachment from an Internal domain to Internal domain.
Anyone sending an email with a .one file attachment will receive a bounce-back email with the message below:
"Your message to [email protected] couldn't be delivered. A custom mail flow rule created by an admin at xxx.onmicrosoft.com has blocked your message. This message is rejected due to file attachment type."
As always, your best defense is to discard all emails from people you don't know. If you do know the sender, call the person first to verify that they actually sent the message.
Source/Reference : https://cloudinfra.net/block-emails-based-on-file-attachment-extension-in-office-365