Malware Policy Question - EOP only


Challenge: Allow DOCM attachments to be sent to specific external recipients while preventing DOCM attachments inbound to internal recipients.

I hate DOCM - there, I said it - I get why some organizations use it, but there are better ways, and today the risk of a scrupulous payload is too high - Rant over

The client I have only subscribes to EOP. The default Malware policy contains '.docm', so all docm attachments are stopped. The client has a vendor that submits docm's (vendor's choice, not the client's) via an application. The client's users at times must send that docm back to the vendor for whatever reason (edits, changes, etc.). The client uses email to do this. When the client sends the email (outbound), the DOCM is stripped and quarantined by EOP.

I have created new Malware policies to test with for days, trying to allow DOCM attachments to only specific recipients, but nothing works. I have been specific with 'user@domain.com' and have used wildcards - '*@domain.com' - but in the end the attachments are always stripped. I have had MS support on the phone, and the support person tested in the same way I did, and he too could not get EOP to allow an outbound email with the docm to go to a specific address. It is always stripped.

I was surprised to find that a single policy (default) handles both inbound and outbound. I expected to be able to be more granular, but in the end the only thing that worked was to remove the '.docm' reference in the default policy. This allowed anything with a 'docm' attachment to get out, BUT of course it can get in too.

Am I missing something here?

Thanks,

-R-

1 Reply

You can always combine that policy with a Transport rule that blocks any incoming messages containing DOCM files?
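The combination suggested in this reply, written out as an added Exchange Online PowerShell example (not code from the original thread or from Microsoft): remove `docm` from the default malware policy's common attachment types filter so outbound mail is no longer stripped, then add a mail flow (transport) rule that quarantines inbound messages from outside the organization that carry a `.docm` attachment. The rule name, comment text and the `Default` policy identity are assumptions; the cmdlets and parameters are standard Exchange Online ones.

```powershell
# Added example: restore the inbound DOCM block with a transport rule after
# removing docm from the malware filter, as the reply above suggests.
# Assumes the ExchangeOnlineManagement module is installed and you hold a
# role that can edit malware policies and mail flow rules.
Connect-ExchangeOnline

# Step 1: the malware filter policy is direction-agnostic, so drop 'docm'
# from its common attachment types list (values are listed without a dot).
$policy = Get-MalwareFilterPolicy -Identity 'Default'
$remaining = $policy.FileTypes | Where-Object { $_ -ne 'docm' }
Set-MalwareFilterPolicy -Identity 'Default' -FileTypes $remaining

# Step 2: a mail flow rule is direction-aware. Match only messages that
# arrive from outside the organization and are addressed to internal
# recipients, so outbound DOCM to the vendor is untouched.
# Start in Audit mode to see what the rule would catch before enforcing it.
New-TransportRule -Name 'Quarantine inbound DOCM attachments' `
    -Comments 'Added example: replaces the malware filter docm block for inbound mail only' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -AttachmentExtensionMatchesWords 'docm' `
    -Quarantine $true `
    -SetAuditSeverity High `
    -Mode Audit

# Step 3: once the audit results look right, switch the rule to enforce.
Set-TransportRule -Identity 'Quarantine inbound DOCM attachments' -Mode Enforce

# Verify the end state: no 'docm' in the malware policy, rule enabled and enforcing.
(Get-MalwareFilterPolicy -Identity 'Default').FileTypes -contains 'docm'   # expect False
Get-TransportRule -Identity 'Quarantine inbound DOCM attachments' |
    Select-Object Name, State, Mode, FromScope, SentToScope, AttachmentExtensionMatchesWords
```

Two things to keep in mind when relying on this: `AttachmentExtensionMatchesWords` matches on the attachment's file name, not its true file type, so a renamed macro document is not caught by this condition alone, and messages quarantined by a mail flow rule land in the same hosted quarantine as malware-policy catches, where the client's admins review them. The rule also does not touch internal-to-internal mail, which matches the scope the original question asked for.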