Emotet Malware with Microsoft OneNote: How to Block Emails Based on File Attachment Extension in Office 365


A new Emotet phishing campaign targets US taxpayers under the guise of W-9 tax forms allegedly sent by the Internal Revenue Service and by companies you work with. Emotet is a notorious malware family that has historically been propagated via phishing emails carrying Microsoft Word and Excel documents with malicious macros that install the malware.

The attached OneNote document pretends to be protected and prompts you to double-click a View button to display the document properly. Beneath this View button, however, is a VBScript file that is launched instead.

As per BleepingComputer, when launching the embedded VBScript file, Microsoft OneNote warns the user that the file may be malicious. Unfortunately, history has shown us that many users ignore these warnings and simply allow the files to run. Once executed, the VBScript downloads the Emotet DLL and runs it using regsvr32.exe. The malware then runs quietly in the background, stealing email and contacts and waiting for further payloads to install on the device.

How to block emails with a .one file attachment extension?

We will see how you can block emails that are sent or received [outbound or inbound] with a .one file attachment. You can use the same steps to block other file attachment extensions as well. However, since the goal is to mitigate the recent threat involving the .one extension, we will first look at how that extension can be blocked.

Option 1: Create a Rule in Exchange Online

We will create a rule in Exchange Online that blocks any email sent or received with a file attachment having the .one extension. Follow the steps below:

  • Log in to the Exchange admin center with either the Global administrator or Exchange administrator role.
  • Go to Mail flow and then click on Rules.
  • Click on + Add a rule > Create a new rule.

Rule conditions

Provide the following information to configure the rule conditions:

  • Name: Block Emails with .One File Attachment Extension
  • Apply this rule if: Any attachment > file extension includes these words.
  • Specify words or phrases: one [without the dot]
  • Do the following: Block the message and reject the message and include an explanation.
  • Specify rejection reason: This email is rejected due to Invalid File Extension Type.
  • Click on Next to proceed.

Rule settings

Choose the following options to configure the rule settings:

  • Rule Mode: Enforce
  • Keep the rest of the settings at their defaults.
  • Click on Next to proceed.

Review and finish

Review the rule conditions and settings you configured. Once you are happy with them, click on Finish to create the rule. Note that the rule is created in a disabled state by default; you need to enable it after it has been created.

The rule is now created. As noted, it is created in a disabled state, so it will not act on or impact any user at this stage. The rule needs to be enabled first.

Click on the rule and toggle the switch to enable it.
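The same mail flow rule can be created and checked from Exchange Online PowerShell. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed and uses a placeholder admin account.

```powershell
# Added example: create and verify the .one attachment-blocking mail flow rule
# from Exchange Online PowerShell (assumes the ExchangeOnlineManagement module).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder account

$RuleName = 'Block Emails with .One File Attachment Extension'

# Same conditions as the admin-center steps: match attachment extension "one"
# (no dot) and reject with an explanation. -Enabled $true is stated explicitly
# so the rule is active immediately, unlike the portal wizard, which leaves a
# new rule disabled until you toggle it on.
New-TransportRule -Name $RuleName `
    -AttachmentExtensionMatchesWords 'one' `
    -RejectMessageReasonText 'This email is rejected due to Invalid File Extension Type.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce `
    -Enabled $true `
    -Comments 'Mitigation for Emotet campaign using OneNote (.one) attachments'

# Verify the rule was stored with the expected state, mode and condition
Get-TransportRule -Identity $RuleName |
    Select-Object Name, State, Mode, Priority, AttachmentExtensionMatchesWords, RejectMessageReasonText
```

A rule with State "Enabled" and Mode "Enforce" in the output is live for both inbound and outbound mail, exactly as the portal version is once toggled on.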

Option 2: Block emails with .one file attachment extension using Anti-malware Policies

In the previous section of the post we created a rule in Exchange Online to block emails with file attachments having the .one extension. You can also reject these emails by creating an anti-malware policy.

You can either create a new anti-malware policy or use the existing default anti-malware policy to add a block for the .one file type. Here we will create a new custom anti-malware policy dedicated to blocking the .one extension.

There are two actions you can take on the email: reject the message with a non-delivery receipt (NDR), or quarantine the message using the attachment filter.

Let’s check the steps:

  • Log in to the Microsoft 365 Defender portal as a Security administrator or Global administrator.
  • Go to Email and collaboration > Policies & Rules > Threat Policies.
  • Under Policies, find Anti-malware.
  • Click on + Create.

Name your policy

  • Name: Reject emails with .one attachments
  • Description: Reject emails and send NDR for emails with .one file attachment extension.

Users and domains

Add the users, groups or domains to which you want to apply this policy. If you add users, groups and domains together, all conditions need to match for the rule to take effect.

Protection Settings

Configure the protection settings as follows:

  • Click on Select file types and add the .one file type to the list of extensions. Remove all other file types by clicking the X sign next to each one.
  • When these file types are found: Select Reject the message with a non-delivery receipt (NDR). (An NDR email will be sent to the sender. The message will not be quarantined, and no recipient or admin notifications will be sent).
  • Enable ZAP (Zero-hour auto purge) – Malware ZAP quarantines messages that are found to contain malware after the messages have been delivered to Exchange Online mailboxes.
  • Quarantine Policy – You can select AdminOnlyAccessPolicy so that users get no access to view or release the messages.
  • Notification – Include admin email addresses for Internal and External senders for any undelivered emails.

Click on Submit when the protection settings are configured.
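The equivalent anti-malware policy and its scoping rule from Exchange Online PowerShell, as an added example that is not part of the original post. It goes one step beyond the portal steps: instead of removing the other file types, it keeps the default policy's blocked list and appends "one", because only one anti-malware policy applies to a given recipient, so a custom policy that lists only .one would silently drop the default protections for everyone it covers. Account, notification mailbox and recipient domain are placeholders.

```powershell
# Added example: anti-malware policy that rejects .one attachments with an NDR,
# built from Exchange Online PowerShell (assumes the ExchangeOnlineManagement module).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder account

$PolicyName = 'Reject emails with .one attachments'
$AdminMail  = 'secops@contoso.com'   # placeholder admin notification mailbox

# Start from the default policy's common-attachment list and add the OneNote
# extension, so recipients covered by this policy keep the existing blocks too.
$FileTypes = @((Get-MalwareFilterPolicy -Identity Default).FileTypes) + 'one' |
    Select-Object -Unique

New-MalwareFilterPolicy -Name $PolicyName `
    -AdminDisplayName 'Reject emails and send NDR for emails with .one file attachment extension.' `
    -EnableFileFilter $true `
    -FileTypes $FileTypes `
    -FileTypeAction Reject `
    -ZapEnabled $true `
    -QuarantineTag 'AdminOnlyAccessPolicy' `
    -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress $AdminMail `
    -EnableExternalSenderAdminNotifications $true -ExternalSenderAdminAddress $AdminMail

# A policy does nothing until a rule scopes it to recipients; here one domain.
# Priority 0 puts it ahead of any other custom anti-malware policy.
New-MalwareFilterRule -Name $PolicyName `
    -MalwareFilterPolicy $PolicyName `
    -RecipientDomainIs 'contoso.com' `
    -Priority 0

# Confirm "one" is in the enforced list and the action is Reject
Get-MalwareFilterPolicy -Identity $PolicyName |
    Select-Object Name, EnableFileFilter, FileTypeAction, ZapEnabled,
        @{ n = 'FileTypes'; e = { $_.FileTypes -join ',' } }
```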

Testing of Exchange Online Rule

We created a rule to block all emails with a .one file attachment extension. You can verify it with the following tests:

  • Send a test email with a .one file attachment from any external domain to your organization's internal domain.
  • Send a test email with a .one file attachment from your internal domain to any external domain.
  • Send a test email with a .one file attachment from your internal domain to the same internal domain.

Anyone sending an email with a .one file attachment will receive a bounce-back email with the message below.

“Your message to [email protected] couldn’t be delivered. A custom mail flow rule created by an admin at xxx.onmicrosoft.com has blocked your message. This message is rejected due to file attachment type.”
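Beyond reading the bounce-back, message trace confirms server-side that each test message was evaluated by the rule. This is an added example, not from the original post; it assumes the tests were sent within the last hour from a placeholder sender address and that the rule name matches the one created in Option 1.

```powershell
# Added example: check message trace for the .one test emails and show the
# transport-rule event for each one (assumes the ExchangeOnlineManagement module).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder account

$RuleName   = 'Block Emails with .One File Attachment Extension'
$TestSender = 'tester@external.example'   # placeholder test sender
$Start      = (Get-Date).AddHours(-1)
$End        = Get-Date

# One trace row per recipient of each test message in the window
$traces = Get-MessageTrace -StartDate $Start -EndDate $End -SenderAddress $TestSender

foreach ($t in $traces) {
    # Per-hop detail; the mail flow rule evaluation appears as its own event,
    # with the rule name in the Detail text
    Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId -RecipientAddress $t.RecipientAddress |
        Where-Object { $_.Event -like '*rule*' -or $_.Detail -like "*$RuleName*" } |
        Select-Object @{ n = 'Subject'; e = { $t.Subject } }, Date, Event, Action, Detail
}

# Any test message that still shows as Delivered bypassed the rule and needs a
# closer look (wrong scope, rule still disabled, or a higher-priority rule)
$traces | Where-Object { $_.Status -eq 'Delivered' } |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status
```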

As always, your best defense is to discard all emails from people you don’t know. If you do know the sender, call the person first to verify that they actually sent it.

Source/Reference : https://cloudinfra.net/block-emails-based-on-file-attachment-extension-in-office-365

Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.