Filtering Emails with HTML and HTM attachments
Realistically speaking, HTML and HTM email attachments are rarely used in standard business emails. Cyber criminals, however, use these attachments often for phishing attacks and scam attempts. We have recently observed a significant increase in phishing attempts using emails with HTML attachments.
Our recommendation is to block emails with HTML/HTM attachments completely. There are a handful of legitimate senders that use these attachments, and they can easily be excluded from the block rule as they come to light.
We have provided the necessary steps to create a rule and add an exception via the Microsoft 365 Admin Center. Although the menus differ, the same principles can be applied to similar email hosting platforms. The system or email administrator can implement this to improve your cyber security.
Creating a filter to block emails with HTML/HTM attachments
- Open Microsoft 365 Admin Center and click Show all… in the navigation pane
- Select the Exchange Admin Center
- In the Exchange Admin Center, open Mail flow > and choose Rules
- Click the + button and select the Create a new rule… option
- Name the rule e.g., “Block html attachments”
- At the bottom of the new rule windows click More options…
- In “Apply this rule if…”, select Any attachment… > file extension includes these words
- Add html and htm to the list
- In “Do the following…”, select Deliver the message to the hosted quarantine
- Click the add action button
- Select Notify the recipient with a message…
- In the text box add the following:
<b>Company email security policy has blocked a message because it contained a banned attachment in HTML format:</b><br>
<br>
<p style="margin-left: 40px">Sent by: %%From%%<br>
Subject: %%Subject%%<br>
Sent to: %%To%%<br>
Date: %%MessageDate%%</p>
<br>
If you believe you should be receiving this message, please notify the sender and arrange to receive the attachment by another method.
- Click OK and Save. The rule is created and enabled by default.
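The same rule can be created from Exchange Online PowerShell instead of clicking through the Exchange Admin Center. The script below is an added example and not part of the original guidance; it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange administrator role. The rule name and notification text mirror the steps above; starting the rule in audit mode before enforcing it is this example's own choice, not a step from the page.

```powershell
# Added example: build the "Block html attachments" mail flow rule with
# Exchange Online PowerShell. Assumes the ExchangeOnlineManagement module is
# installed and the account has Exchange admin rights.

Connect-ExchangeOnline

# Notification body delivered to the recipient. %%From%%, %%To%%, %%Subject%%
# and %%MessageDate%% are placeholders Exchange fills in for each message.
$notification = @"
<b>Company email security policy has blocked a message because it contained a banned attachment in HTML format:</b><br>
<br>
<p style="margin-left: 40px">Sent by: %%From%%<br>
Subject: %%Subject%%<br>
Sent to: %%To%%<br>
Date: %%MessageDate%%</p>
<br>
If you believe you should be receiving this message, please notify the sender and arrange to receive the attachment by another method.
"@

# Condition: any attachment whose file extension is html or htm.
# Actions: deliver to the hosted quarantine and notify the recipient.
# -Mode Audit only logs matches at first, so legitimate senders can be spotted
# before anything is quarantined (an extra safety step chosen for this example).
New-TransportRule -Name "Block html attachments" `
    -AttachmentExtensionMatchesWords "html","htm" `
    -Quarantine $true `
    -GenerateNotification $notification `
    -Mode Audit `
    -Comments "Quarantine HTML/HTM attachments; commonly abused for phishing"

# Confirm the rule exists with the expected condition and mode
Get-TransportRule -Identity "Block html attachments" |
    Format-List Name, State, Mode, AttachmentExtensionMatchesWords, Quarantine

# Once the audit results look right, switch the rule to enforce
Set-TransportRule -Identity "Block html attachments" -Mode Enforce
```

Running the rule in audit mode for a few days first gives a list of senders that would have been caught, which is the cleanest way to seed the exception list before real mail starts landing in quarantine.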
Adding exceptions/whitelist to the rule for specific domains
- Select the rule you created previously
- Scroll down and click the add exception button
- In “Except if…” select The sender… > domain is
- Add any required domains to the list
- Save the rule
Note: If a user reports that a required email has been blocked, it can be found in the Security & Compliance centre > Threat management > Quarantine. From here, emails can be released to the original recipient. If email from that sender is expected regularly, the sender's domain can be added to the exception list as above.
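The exception and release steps above can also be scripted. The snippet below is an added example and not part of the original page; it assumes the rule from the earlier section already exists, that the ExchangeOnlineManagement module is connected, and the domain names and quarantine message identity are constructed placeholders to be replaced with real values.

```powershell
# Added example: add sender-domain exceptions to the existing rule and
# release a quarantined message. Domain names and the message identity below
# are placeholders, not values from any real environment.

$rule = "Block html attachments"
$trustedDomains = @("vendor.example", "partner.example")   # constructed placeholders

# Merge with any exceptions already on the rule so earlier entries are not overwritten
$existing = (Get-TransportRule -Identity $rule).ExceptIfSenderDomainIs
$merged = @($existing) + $trustedDomains | Where-Object { $_ } | Sort-Object -Unique
Set-TransportRule -Identity $rule -ExceptIfSenderDomainIs $merged

# Show the resulting exception list for a quick review
(Get-TransportRule -Identity $rule).ExceptIfSenderDomainIs

# List messages placed in quarantine by mail flow rules over the last 7 days,
# so a blocked message a user asked about can be located
$since = (Get-Date).AddDays(-7)
Get-QuarantineMessage -Type TransportRule -StartReceivedDate $since |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Identity |
    Format-Table -AutoSize

# Release one reviewed message to its original recipients.
# Replace the placeholder with the Identity value shown in the listing above.
Release-QuarantineMessage -Identity "<quarantine-message-identity>" -ReleaseToAll
```

Releasing by Identity keeps the decision per message; a domain should only go into the exception list once the same sender has shown up repeatedly with legitimate mail, since every exception reopens the HTML-attachment path for that domain.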