
Guidance on Common Attachments filter

dkotars opened this issue 1 year ago (status: Open, 5 comments)

Can we provide guidance on the new common attachments filter notification settings? The two options are 1) Reject the message with NDR, and 2) Quarantine the message.

My assumption is Quarantine with policy to Admin Only which best reflects previous recommendations, but would like confirmation.



dkotars, Aug 09 '22 16:08

@dkotars, the quarantine policy AdminOnlyAccessPolicy does not have quarantine notifications turned on, so you would need a custom quarantine policy assigned to the anti-malware policy that duplicates AdminOnlyAccessPolicy, but with recipient notifications turned on.

chrisda, Aug 09 '22 17:08

Thanks for the quick response. I was wondering if we had Standard/Strict Recommendations regarding the common attachment type notifications:


I think in the past, prior to quarantine policies and this change, the behavior was to quarantine, and our recommendation was to not notify sender or recipient (maybe my memory is hazy).

Just curious if we have updated guidance on this change as I had a customer ask. My thought is Quarantine in this instance would probably fall in line with the original spirit of our recommendations - or - are we not suggesting a specific setting in this case?

Dan

dkotars, Aug 09 '22 18:08

@dkotars, Using the PowerShell procedures that I recently documented for preset security policies, and the recommended settings topic, it appears that the quarantine policy that's used in both Standard and Strict is AdminOnlyAccessPolicy.

The ability to use the policy settings to notify the sender is gone, and recipients aren't notified by default, unless you create and assign a custom quarantine policy as previously discussed.

The other thing to keep in mind about quarantined malware messages: you can't configure a custom quarantine policy to allow users to release messages. The "Allow recipients to release a message from quarantine" option might be available, but it won't work. At best, you can give them "Allow recipients to request a message to be released from quarantine".

According to the history of the topic, both Standard and Strict had no notifications for senders or recipients. But, before the introduction of quarantine policies, it was impossible for ordinary users to deal with malware quarantined messages; only admins could do that.

I guess common sense comes into play: if you're using the Standard or Strict recommendations without any customization of common attachment filtering, the types of files that are being blocked are almost always bad, so the need for recipients to review and request release of messages with those files is extremely low. On the other hand, if you customize the list of files with entries like jpeg or other file types that are just as likely to be benign as bad, then recipient reporting becomes much more important.

Do you think I should say something like this in the recommended settings topic?

chrisda, Aug 09 '22 19:08
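The procedure chrisda describes above (a custom quarantine policy that duplicates AdminOnlyAccessPolicy but has recipient notifications turned on, assigned to the anti-malware policy whose common attachments filter quarantines rather than rejects) as an added Exchange Online PowerShell example. This is not code from the thread or from the Microsoft docs; the cmdlets and parameters are the real ones from the ExchangeOnlineManagement module, but the policy name "AdminOnlyWithNotifications", the target anti-malware policy "Default", and the permission bit values in the comments are assumptions for illustration.

```powershell
# Added example, not from the issue thread. Assumes the ExchangeOnlineManagement
# module is installed and the account has Exchange Online admin rights.
Connect-ExchangeOnline   # interactive sign-in; skip if already connected

# Look at the built-in policy first. EndUserQuarantinePermissionsValue 0 means
# no end-user actions at all; ESNEnabled $false means no quarantine notifications.
Get-QuarantinePolicy -Identity AdminOnlyAccessPolicy |
    Format-List Name, EndUserQuarantinePermissionsValue, ESNEnabled

# Custom policy: same end-user permissions as AdminOnlyAccessPolicy (value 0),
# but with recipient quarantine notifications turned on.
# Assumption: 0 = no permissions, 8 = PermissionToRequestRelease only (the bit
# layout documented for New-QuarantinePolicy). Use 8 instead of 0 if you want
# recipients to be able to *request* release; "release" itself does not work for
# malware-quarantined mail, so granting it would be pointless.
$quarantinePermissions = 0
$qp = New-QuarantinePolicy -Name "AdminOnlyWithNotifications" `
        -EndUserQuarantinePermissionsValue $quarantinePermissions `
        -ESNEnabled $true

# Assign it to the anti-malware policy and make the common attachments filter
# quarantine the message rather than reject it with an NDR. Setting
# FileTypeAction explicitly avoids depending on whatever the tenant default is.
Set-MalwareFilterPolicy -Identity "Default" `
    -EnableFileFilter $true `
    -FileTypeAction Quarantine `
    -QuarantineTag $qp.Name

# Verify the result: the policy should show FileTypeAction = Quarantine and
# QuarantineTag = AdminOnlyWithNotifications. Checking the Standard and Strict
# preset policies the same way shows which quarantine policy they use.
Get-MalwareFilterPolicy -Identity "Default" |
    Format-List Name, EnableFileFilter, FileTypeAction, QuarantineTag, FileTypes
```

If the common attachments list is later customized with file types that are often benign (the jpeg case mentioned above), change `$quarantinePermissions` to 8 so recipients get the request-release notification instead of silently losing the message.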

Hi Chris,

Personally, I agree with the common sense notion: default settings will come into play for the common attachments, and the default behavior will be to just keep the identified attachments out of sight, out of mind.

My customer reached out because we added the NDR option (as I understand, by some customers request). I explained to him that we stuck with the default behavior of quarantining, but provide the option for orgs that feel like they need to send an NDR.

My customers tend to think of these types of things more than most, so I'm not sure how common an ask it is. It may be valuable to list a common attachment filter notification field with a Quarantine recommendation for Standard and Strict, just for those who may be curious.

Thanks again for the follow up and discussion!

Dan

dkotars, Aug 10 '22 12:08

@dkotars, be advised that a pull request just came from the PM that says the new default for reject with NDR vs. quarantine for the common attachments filter is now reject with NDR.

In my testing in a plain E5 tenant, the Default anti-malware policy was still Quarantine for me, but new policies that I created had reject with NDR selected by default. I also checked the Standard and Strict preset security policies, and their FileTypeAction parameter values were both Quarantine. I'm seeking clarification.

chrisda, Aug 10 '22 16:08