Forum Discussion

Kiril
Iron Contributor
Mar 23, 2023

How to classify E-Mails with *.html or *.htm attachments as spam?

A tenant is currently receiving an enormous amount of phishing emails with *.html or *.htm attachments. 99% of the e-mails that contain such an attachment are phishing e-mails. What's the best approach to filter out those e-mails? They are using the standard protection threat policies.

9 Replies

  • fire99
    Copper Contributor
    I created a rule to forward all emails with html attachments to the administrator for approval. That way I can determine if they are legit or not. It works great for us.
    • alecfunes
      Copper Contributor

      fire99 Creating a rule was my first step, but I only have the "mail has an attachment" condition, and then I couldn't add a 2nd condition in order to filter the type of attachment.

      How did you do that?

      Thanks in advance!

      • fire99
        Copper Contributor

        alecfunes Go to the Exchange Admin Center, under Mail Flow, go to Rules. Here is a screen shot of my rules. The extensions are ones I experimented with that should be blocked (there may be more I should be blocking).

        Hope this helps. Works great for me.

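The "forward all emails with HTML attachments to the administrator for approval" rule that fire99 describes in the Exchange Admin Center can also be created from Exchange Online PowerShell. The block below is an added example, not fire99's actual rule (the screenshot is not reproduced here); it assumes an Exchange Online PowerShell session with a role that may manage mail flow rules, and the approver address and extension list are placeholders to adjust for your tenant.

```powershell
# Added example: a mail flow (transport) rule that holds mail carrying HTML-type
# attachments for moderator approval instead of delivering it directly.
# Assumes the ExchangeOnlineManagement module is installed and you can sign in
# with a role that manages transport rules.
Connect-ExchangeOnline

# Placeholder moderator mailbox; replace with the real approver for your tenant.
$approver = 'mail-approver@example.com'

# Extensions to hold. 'html' and 'htm' come from the thread; the rest are
# assumed HTML-family variants commonly seen in the same phishing wave.
$htmlExtensions = 'html', 'htm', 'shtml', 'xhtml', 'mht', 'mhtml'

New-TransportRule -Name 'Hold HTML attachments for approval' `
    -AttachmentExtensionMatchesWords $htmlExtensions `
    -ModerateMessageByUser $approver `
    -Mode Enforce `
    -Comments 'Phishing wave: HTML attachments are routed to the moderator. Review the moderation queue daily.'

# Confirm the rule landed with the expected condition and action.
Get-TransportRule -Identity 'Hold HTML attachments for approval' |
    Format-List Name, State, Mode, AttachmentExtensionMatchesWords, ModerateMessageByUser
```

The moderator sees each held message in a standard approval request and releases or rejects it, which is the manual legitimacy check fire99 refers to. Keep the extension list in a variable so the same list can be reused if you later convert the rule to a quarantine action.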
  • dhilipan
    Copper Contributor
    If required, you can create a Transport rule to block mails with HTML or HTM attachments and even use exclude options for trusted senders.
    • alecfunes
      Copper Contributor

      dhilipan 

      Would you be kind enough to tell me how to do that? ("create a Transport rule to block mails with HTML or HTM attachments")

      Thanks!

  • lbergstrome
    Copper Contributor

    I hope you'll post your findings in this thread, Kiril. We're bombarded by phishing emails with *.html or *.htm attachments. 

    • Kiril
      Iron Contributor
      After rigorously reporting all *.html and *.htm phishing mails they stopped coming. I didn't have to change anything.
  • ExMSW4319
    Iron Contributor

    And they are all obfuscated JavaScript, aren't they?

    Sadly the first thing you need to look for is the number of mails with HTML attachments that aren't phishes. I would be surprised if the figure is really as low as 1%. It may seem silly to send legitimate mail with HTML attachments in a world where very few mail clients cannot handle HTML message bodies, but there are reasons for doing so. PDF support is not universal and you would also get in trouble for assuming that any image format is universally acceptable or that plain text is going to be displayed in a non-proportional font.

    Armed with this list, you may discover that the X% of your HTML attachment senders who are legitimate are regular repeat senders whom you can exempt from a rule sending the rest to the hosted quarantine. That is more for small tenants rather than large ones with extremely diverse inflows.

    Where that is not an option, you might discover that it's very rare for freemailer accounts to send legitimate HTML attachments. You can then have a rule to send mail from their domains to the hosted quarantine if it has an HTML attachment.

    Finally, you might find that some of the more obscure formats such as SHTML are never used legitimately. If that is the case they can be added to your common attachment types filter.
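The staged approach ExMSW4319 lays out (measure legitimate HTML-attachment senders first, then quarantine with exemptions for known senders or restrict the rule to freemailer domains, and finally block never-legitimate formats such as SHTML via the common attachment types filter), together with dhilipan's "transport rule with exclude options for trusted senders", maps onto a handful of Exchange Online PowerShell cmdlets. The block below is an added example, not code from any poster; it assumes an Exchange Online PowerShell session, that the tenant's default anti-malware policy is named Default, and that every domain and address shown is a placeholder to replace with the senders you identified in your own measurement.

```powershell
# Added example: staged rollout of HTML-attachment controls in Exchange Online.
# Assumes Connect-ExchangeOnline has succeeded with rights to manage transport
# rules and malware filter policies. All domains/addresses are placeholders.
Connect-ExchangeOnline

$htmlExtensions = 'html', 'htm', 'shtml', 'xhtml', 'mht', 'mhtml'

# Step 1 - measure before blocking. An audit-mode rule takes no action on the
# message; it only records hits, so the mail flow rule report tells you how much
# legitimate HTML-attachment mail actually arrives and from whom.
New-TransportRule -Name 'AUDIT: HTML attachments' `
    -AttachmentExtensionMatchesWords $htmlExtensions `
    -Mode Audit `
    -SetAuditSeverity Medium `
    -Comments 'Audit only. Review hit report, then decide on quarantine rule.'

# Step 2a - small tenant: quarantine HTML attachments, exempting the legitimate
# repeat senders found in step 1 (dhilipan's "exclude options for trusted senders").
New-TransportRule -Name 'Quarantine HTML attachments' `
    -AttachmentExtensionMatchesWords $htmlExtensions `
    -ExceptIfSenderDomainIs 'trusted-partner.example' `
    -ExceptIfFrom 'known-sender@example.com' `
    -Quarantine $true `
    -Mode Enforce `
    -Comments 'Exemptions: legitimate repeat senders identified during audit.'

# Step 2b - large, diverse tenant: scope the rule to freemailer domains only,
# since those rarely send legitimate HTML attachments.
New-TransportRule -Name 'Quarantine HTML attachments from freemailers' `
    -AttachmentExtensionMatchesWords $htmlExtensions `
    -SenderDomainIs 'freemail-a.example', 'freemail-b.example' `
    -Quarantine $true `
    -Mode Enforce

# Step 3 - formats never seen legitimately go into the common attachment types
# filter of the anti-malware policy, which blocks them outright regardless of sender.
$policy   = Get-MalwareFilterPolicy -Identity Default
$newTypes = @($policy.FileTypes) + 'shtml' | Select-Object -Unique
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $newTypes

# Show the resulting state for review.
Get-TransportRule | Where-Object { $_.AttachmentExtensionMatchesWords } |
    Format-Table Name, State, Mode, Quarantine, SenderDomainIs, ExceptIfSenderDomainIs -AutoSize
(Get-MalwareFilterPolicy -Identity Default).FileTypes
```

Run step 1 alone for a week or two before creating either step 2 rule; the audit hits are the evidence for the "X% legitimate senders" figure the post talks about, and the exemption lists in step 2a should be built only from senders that actually appeared there.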