Full Report
Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month. [...]
Analysis Summary
# Best Practices: Enhancing Email Security by Blocking Risky Attachments in Microsoft Outlook
## Overview
These practices detail Microsoft's evolving strategy to mitigate email-borne malware attacks by increasing restrictions and outright blocking of inherently risky file types and execution methods within Microsoft Office applications (Outlook and Microsoft 365). The focus is on hardening endpoint security against threats delivered via potentially malicious attachments.
## Key Recommendations
### Immediate Actions
1. **Verify AMSI Integration:** Ensure the Antimalware Scan Interface (AMSI) is fully enabled and correctly integrated across all Microsoft Office 365 client applications to intercept potential threats within documents.
2. **Review Macro Security Settings:** Immediately confirm that VBA Office macros are blocked by default for all downloaded or internet-sourced documents across the organization, aligning with recent default security changes.
### Short-term Improvements (1-3 months)
1. **Disable XLM Macros:** Enforce the disabling of legacy Excel 4.0 (XLM) macros across all environments, as these have been specifically targeted for exploitation.
2. **Block Untrusted XLL Add-ins:** Implement policies to block untrusted XLL add-ins by default across Microsoft 365 tenants to prevent unauthorized code execution via Excel files.
3. **Audit VBScript Usage:** Inventory and immediately reduce dependence on VBScript, which Microsoft intends to "kill off" in the second half of 2024. Plan immediate migration paths for any necessary functionality.
### Long-term Strategy (3+ months)
1. **Prepare for ActiveX Removal:** Develop a comprehensive roadmap to eliminate all dependencies on ActiveX controls within Microsoft 365 and Office 2024 applications, anticipating the default blocking scheduled for April 2025.
2. **Adopt Automated Patch Management:** Investigate and implement automated solutions for IT operations, specifically focusing on patch management, to increase patching speed, reduce manual overhead, and improve overall responsiveness to vulnerabilities (as suggested by related vendor content).
## Implementation Guidance
### For Small Organizations
- **Default Configuration Reliance:** Rely heavily on Microsoft's default protective configurations (e.g., macro blocking, XLM macro disabling) as they are enforced at the user/tenant level.
- **User Training Focus:** Prioritize user training specifically on identifying and reporting suspicious attachments, even if the file type is blocked, as social engineering remains a primary entry vector.
### For Medium Organizations
- **GPO/Intune Enforcement:** Utilize Group Policy Objects (GPO) or Microsoft Intune to centrally enforce the new attachment blocking policies and macro restrictions across all endpoints, ensuring no discrepancies between user settings.
- **Configuration Verification:** Conduct internal audits to confirm that legacy configurations that might override new default security settings are purged or updated.
### For Large Enterprises
- **Phased Rollout and Monitoring:** For any changes involving core functionality (like ActiveX removal), implement a phased testing and rollout strategy, monitoring usage logs to identify critical business processes that rely on these legacy components before full enforcement.
- **Threat Hunting Integration:** Integrate these attachment-blocking telemetry points into the Security Information and Event Management (SIEM) system for advanced threat hunting around attempted bypasses of the new controls.
## Configuration Examples
*(Note: Specific command-line or registry configuration examples for these granular file blocking mechanisms are typically managed via Microsoft 365 tenant settings or administrative templates, not directly provided in this summary, but the configuration target is clear):*
- **Target Configuration Action:** Mandate the configuration setting that **blocks VBA macros from the internet** by default.
- **Target Configuration Action:** Enforce the **disabling of Excel 4.0 (XLM) macros**.
- **Target Configuration Action:** Configure endpoint security policies to **block execution originating from untrusted XLL add-ins**.
## Compliance Alignment
- **NIST SP 800-202 (Supply Chain Risk Management):** By tightening controls on executable content delivered via email, this addresses managing risks from external sources.
- **CIS Controls (Control 12: Network Infrastructure Management & Control 13: Boundary Defense):** Hardening the initial access vector (email attachment) strengthens boundary defenses against malware ingress.
- **ISO/IEC 27002 (A.8.24 Information transfer):** Controls restricting permitted information transfer methods (attachment types) when dealing with external communication.
## Common Pitfalls to Avoid
- **Assuming Defaults are Enough:** Do not assume that default security configurations deployed by Microsoft instantly replace all local, legacy, or custom security controls. Verify enforcement.
- **Ignoring Legacy Features:** Failure to migrate away from VBScript or ActiveX immediately will lead to a significant security debt when these features are fully disabled by Microsoft.
- **Overlooking User Experience:** If necessary functionality relying on macros or add-ins is blocked without a viable alternative, users may attempt to override security settings, creating shadow IT risks.
## Resources
- Guidance on **Antimalware Scan Interface (AMSI)** deployment.
- Microsoft documentation regarding the **default blocking of Office VBA macros**.
- Official documentation detailing the implementation of **XLM macro protection**.
- Microsoft guidance on **blocking untrusted XLL add-ins** in Microsoft 365.
- Vendor guides on **automating patch management** for improved IT agility.