Overview of Mimecast's Attachment Inspection
Mimecast offers comprehensive attachment inspection capabilities to protect against file-based threats. The settings found under Policies | Gateway Policies | Suspected Malware allow administrators to review files placed on hold. Mimecast evaluates file types, checks for macros, and can block files deemed suspicious before they reach end-users, helping to mitigate potential security risks.
Blocked File Extensions and Dangerous File Types
Organizations often block certain file extensions to prevent the spread of malware and protect their systems. Commonly blocked file extensions include:
- .exe: Executable files that can run programs.
- .bat: Batch files that can execute commands.
- .cmd: Command files that can run scripts.
- .com: Command files that can execute programs.
- .vbs: Visual Basic Script files that can run scripts.
- .js: JavaScript files that can execute code.
- .zip: Compressed files that can contain multiple files, including potentially harmful ones.
- .emz: Compressed Windows Metafile images that can exploit vulnerabilities.
- .wmz: Compressed Windows Media files that can also exploit vulnerabilities.
- .rdp: Remote Desktop Protocol files that can be used for unauthorized access.
- .svg: Scalable Vector Graphics files that can contain scripts.
Comprehensive File Extension Risk Database
A risk database can help organizations identify which file types are commonly associated with security threats. This database should be regularly updated to include new threats and should inform the organization's file type policies. Below is a sample of high-risk file types and their associated risks:
| File Extension | Risk Level | Description |
| --- | --- | --- |
| .exe | High | Can execute malicious software. |
| .zip | Medium | Can contain harmful scripts or executables. |
| .emz | High | Can exploit vulnerabilities in Windows. |
| .wmz | High | Similar risks as .emz files. |
| .rdp | High | Can allow unauthorized remote access. |
| .svg | Medium | Can contain scripts that may execute malicious code. |
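An added illustration (not Mimecast code, and not a description of how Mimecast's inspection is implemented) of applying the sample table to attachments: it rates the final extension, looks one level into zip archives, and flags encrypted members it cannot inspect. The function names, the constructed sample files, and rating an encrypted member at least Medium are assumptions of this example.

```python
import io
import zipfile

# Risk levels copied from the sample table above.
RISK = {".exe": "High", ".zip": "Medium", ".emz": "High",
        ".wmz": "High", ".rdp": "High", ".svg": "Medium"}
ORDER = {"None": 0, "Medium": 1, "High": 2}

def ext_risk(filename):
    """Risk of the final extension, ignoring case and trailing dots or spaces."""
    name = filename.rstrip(". ").lower()
    dot = name.rfind(".")
    return RISK.get(name[dot:], "None") if dot != -1 else "None"

def triage_attachment(filename, data):
    """Return (risk, reasons) for one attachment, looking one level into zips."""
    risk, reasons = ext_risk(filename), []
    if risk != "None":
        reasons.append(f"{filename}: listed extension")
    if zipfile.is_zipfile(io.BytesIO(data)):  # decided by content, not by name
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = ext_risk(info.filename)
                if inner != "None":
                    reasons.append(f"{info.filename}: listed extension inside archive")
                if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                    reasons.append(f"{info.filename}: encrypted, content not inspectable")
                    inner = max(inner, "Medium", key=ORDER.get)  # assumed floor
                risk = max(risk, inner, key=ORDER.get)
    return risk, reasons

def build_samples():
    """Constructed attachments: double extension, zip hiding an .exe, plain text."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("readme.txt", "constructed")
        zf.writestr("tools/setup.EXE", "constructed, not a real binary")
    return [("invoice.pdf.exe", b"constructed"),
            ("docs.zip", archive.getvalue()),
            ("notes.txt", b"plain text")]

if __name__ == "__main__":
    for name, data in build_samples():
        print(name, *triage_attachment(name, data))
```
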
Blocking Specific File Extensions
To block SVG file extensions in Mimecast, you can use the built-in search bar to locate file types that need to be blocked. Alternatively, you can follow these steps:
- Log in to the Administration Console.
- Navigate to Policies | Gateway Policies | Attachment Management | Definitions.
- View Base Extensions.
- Enable column filter to 500.
- Scroll to the 4th page and use Control+F to find 'svg'.
- Select the SVG extension.
- Check the deny checkbox to block the file type.
To create an Attachment Management Bypass:
- Navigate to Policies | Gateway Policies | Attachment Management Bypass.
- Select New Policy.
- Configure the policy to allow attachments from specific email addresses or domains that send encrypted zip files.
This will prevent these specific emails from being automatically blocked due to dangerous file type restrictions.
Protection Against Microsoft Office Macros
Mimecast offers protection against Microsoft Office macros through the 'Scan for Microsoft Office macros' check within the Suspected Malware definition. This feature is designed to block files containing macros before they reach the sandbox environment. The Attachment Inspection process evaluates macros and dangerous file types early in the inspection funnel, effectively intercepting and blocking potentially harmful files.
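To show what a macro check can key on, the following added example (not Mimecast code, and not a description of Mimecast's scanner) looks for macro indicators inside an Office Open XML package by content rather than by file name. The function names, the size limit and the constructed sample packages are assumptions of this example.

```python
import io
import re
import zipfile

VBA_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MACRO_MARKERS = (b"macroEnabled", b"application/vnd.ms-office.vbaProject")
MAX_TYPES_SIZE = 1_000_000  # refuse to decompress an oversized content-types part

def ooxml_macro_indicators(data):
    """List macro indicators in an OOXML package, regardless of its file name."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # legacy OLE documents and non-Office files are out of scope here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return []  # a zip, but not an OOXML package
        found = [f"part:{n}" for n in names if VBA_PART.search(n)]
        if zf.getinfo("[Content_Types].xml").file_size <= MAX_TYPES_SIZE:
            types = zf.read("[Content_Types].xml")
            found += [f"marker:{m.decode()}" for m in MACRO_MARKERS if m in types]
    return found

def build_package(with_macro):
    """Constructed minimal package; the VBA part holds placeholder bytes, not real VBA."""
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             f'<Override PartName="/word/document.xml" ContentType="{main}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    # Both samples could be named *.docx by a sender; only content tells them apart.
    print("macro package:", ooxml_macro_indicators(build_package(True)))
    print("clean package:", ooxml_macro_indicators(build_package(False)))
```

Legacy binary formats such as .doc and .xls are OLE compound documents rather than zip packages, so this check does not cover them.
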
Handling of Potentially Risky Domains
Domains like Dropbox and DocuSign are often exploited to deliver malicious emails and URLs. Mimecast's threat intelligence may identify these links as suspicious due to the potential for misuse. These services can be manipulated to spread malware or phishing attempts. URLs in attachments are therefore scanned by Mimecast's URL Protection feature, which can be configured in the Mimecast Administration Console URL Protection settings.
File Type Policies
The sections below provide step-by-step instructions for configuring various file type policies in Mimecast, including Content Examination bypass, Attachment bypass, and block/allow lists. These policies can help administrators manage email security and content filtering more effectively.
Creating Content Examination Bypass Policies
To create a Content Examination Bypass policy:
- Navigate to Users & Groups | Profile Groups.
- Create a new folder (e.g., 'Content Examination Bypass').
- Add specific email addresses to this group.
- Navigate to Policies | Gateway Policies.
- Select Content Examination Bypass and create a policy.
- Choose the content definition to bypass.
- Select the address group you created.
- Ensure Policy Override is checked to apply the bypass before other policies.
Configuring Attachment Bypass Policies
To allow macro attachments from a specific sender, you will need to create the following two types of policies:
- Attachment Management Bypass Policy.
- Attachment Protection Bypass Policy.
These policies will ensure that emails with macro attachments from the specified sender can pass through the system. You'll need to configure these policies to include the specific sender domain.
To configure Attachment Bypass Policies in Mimecast:
- Create an Attachment Management Bypass Policy.
- Create an Attachment Protection Bypass Policy.
- Specify the sender domain or email address you want to exempt from standard attachment restrictions.
- Test the policy with a sample email to ensure it works as expected.
Refer to our Attachment Protection and Attachment Management articles for detailed configuration instructions.
Bypassing Content Examination for Specific Senders
To bypass content examination for specific email senders:
- Navigate to Policies | Gateway Policies | Content Examination Bypass | New Policy.
This policy lets you allowlist specific email addresses or domains whose messages are being held up by spam or content review filters.