How to block incoming emails that have a blank to field and a zip attachment

Tags: exchange, exchange-2010, microsoft-office-365

My company has been dealing with some viruses lately, and I noticed a pattern in all of them: they are sent with every recipient in the "bcc:" field and an empty "to:" field, along with a zip file attachment. We currently use Exchange 2010 and have Exchange Online Protection.

So far we have been dealing with it by blocking the attachment file name as soon as we see the email come in, but I really would like a more proactive approach.

I tried to create a rule in EOP to delete all emails where the recipient address matches any of the text patterns "^$" and any attachment's file extension matches "zip", but it isn't blocking any of my test emails.

Any ideas?

Best Answer

It sounds like you may want to use the AnyOfToHeader predicate. See the TechNet article for reference.

My bigger question is: Why is this junk getting through EOP? I occasionally get documents with macros inside archives, but typically EOP is quick to filter out recurrences of these items.

I have taken a different approach in my tenant with regard to ZIP/RAR/7z archives. I have a transport rule that delivers [items containing ZIP/RAR/7z] to an administrative mailbox instead of the user, so I may review the contents and deliver to the end user. This results in a delay to the end user, but it is less impactful than cryptolocker or some nonsense going around our file shares.

Exchange Online (which is plainly not your operating environment) is due to have a feature release coming up that will allow notification of an end user when a transport rule is met. I intend to use this to generate an email and generate a service request in our ITSM solution.
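As an added example (not code from the question or the answer above), here are both rules from this thread expressed in Exchange PowerShell: the blank-To-plus-zip delete rule the asker wanted, and the hold-archives-for-admin-review rule the answer describes. The "recipient address" condition the asker tried inspects the envelope recipients, and for a bcc-only message those are the Bcc addresses, which are never empty; the condition therefore has to look at the To header itself. Everything here assumes an EOP/Exchange Online tenant reached through the ExchangeOnlineManagement module; the rule names, the review mailbox address and the X-Archive-Review header are placeholders.

```powershell
# Added example, not part of the original thread. Assumes the ExchangeOnlineManagement
# module is installed and you have already run:
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
# Mailbox addresses and rule names below are placeholders.

# Rule 1: delete mail whose To header is empty and that carries a .zip attachment.
# HeaderMatchesMessageHeader/HeaderMatchesPatterns test the message header, not the
# envelope recipients, so a bcc-only message with a blank "To:" is matched.
# -Mode Audit logs hits to message trace without acting on them, so the rule can be
# validated against real traffic before it is switched to Enforce.
New-TransportRule -Name 'Drop bcc-only mail with zip attachment' `
    -HeaderMatchesMessageHeader 'To' `
    -HeaderMatchesPatterns '^\s*$' `
    -AttachmentExtensionMatchesWords 'zip' `
    -DeleteMessage $true `
    -Mode Audit `
    -Comments 'Staged in Audit mode; set -Mode Enforce once message trace confirms only junk is hit'

# Rule 2: the answer's approach. Any ZIP/RAR/7z attachment is redirected to an
# administrative mailbox for review instead of being delivered to the user.
# A custom header is stamped so the held copies are easy to find later.
New-TransportRule -Name 'Hold archive attachments for review' `
    -AttachmentExtensionMatchesWords 'zip', 'rar', '7z' `
    -RedirectMessageTo 'mailreview@contoso.com' `
    -SetHeaderName 'X-Archive-Review' -SetHeaderValue 'held' `
    -Priority 0 `
    -Comments 'Reviewer forwards clean mail to the original recipient'

# Read back the rules as Exchange interpreted them; Description shows the
# conditions and actions in plain language, which catches a mistyped predicate.
Get-TransportRule |
    Where-Object { $_.Name -like '*zip attachment*' -or $_.Name -like '*archive attachments*' } |
    Format-List Name, State, Mode, Priority, Description

# After sending a test message, confirm the rule fired (replace the addresses):
#   Get-MessageTrace -SenderAddress tester@example.com -RecipientAddress me@contoso.com |
#       Get-MessageTraceDetail | Where-Object { $_.Event -eq 'Transport rule' }
```

Two caveats worth checking with a test message rather than assuming. First, a bcc-only message may carry no To header at all rather than an empty one, and a header that is absent is not necessarily evaluated by the header-matches predicate; if the trace shows no hit, add a second condition or rule for that case. Second, on-premises Exchange 2010 (the Exchange Management Shell, not EOP) does not offer -AttachmentExtensionMatchesWords or -Mode; there the equivalent is -AttachmentNameMatchesPatterns '\.zip$', staged with -Enabled $false until verified.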