CISA.MS.EXO.9.2 - The attachment filter SHOULD attempt to determine the true file type and assess the file extension.
Overviewā
The attachment filter SHOULD attempt to determine the true file type and assess the file extension.
Rationale: Users can change a file extension at the end of a file name (e.g., notepad.exe to notepad.txt) to obscure the actual file type. Verifying the file type and checking that this matches the designated file extension can help detect instances where the file extension was changed.
Remediation action:ā
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
Related linksā
- Defender admin center - Preset security policies
- CISA 9 Attachment File Type - MS.EXO.9.2v1
- CISA ScubaGear Rego Reference
- Microsoft Learn - True type matching in the common attachments filter
Test Metadataā
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.9.2 |
| Severity | Medium |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaAttachmentFileType |
| Tags | CISA, CISA.MS.EXO.9.2, MS.EXO, MS.EXO.9.2 |
Sourceā
- Pester test:
tests/cisa/exchange/Test-MtCisaAttachmentFileType.Tests.ps1 - PowerShell source:
powershell/public/cisa/exchange/Test-MtCisaAttachmentFileType.ps1