CIS.M365.2.1.2 - (L1) Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy)
Overview
2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails.
Rationale
Blocking known malicious file types can help prevent malware-infested files from infecting a host.
Impact
Blocking common malicious file types should not cause an impact in modern computing environments.
Remediation action:
To enable the Common Attachment Types Filter:
- Navigate to Microsoft 365 Defender.
- Click to expand Email & collaboration select Policies & rules.
- On the Policies & rules page select Threat policies.
- Under polices select Anti-malware and click on the Default (Default) policy.
- On the Policy page that appears on the right hand pane scroll to the bottom and click on Edit protection settings, check the Enable the common attachments filter.
- Click Save.
PowerShell
- Connect to Exchange Online using
Connect-ExchangeOnline. - Run the following Exchange Online PowerShell command:
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true
Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed.
Related links
- Microsoft 365 Defender
- Get-MalwareFilterPolicy
- Configure anti-malware policies for cloud mailboxes
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 78
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.2.1.2 |
| Severity | Medium |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisAttachmentFilter |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.2.1.2, L1 |
Source
- Pester test:
tests/cis/Test-MtCisAttachmentFilter.Tests.ps1 - PowerShell source:
powershell/public/cis/Test-MtCisAttachmentFilter.ps1