
Attachment Blocker Inbound / Outbound (new)

This document provides a comprehensive guide for administrators on how to configure, manage, and monitor the Attachment Blocker for both inbound and outbound email traffic.

1. Overview and Configuration

The Attachment Blocker enhances your email security and compliance posture by controlling file attachments based on administrator-defined policies.

Configuration Path:
You can find the Attachment Blocker settings by navigating to:
Home > Email Security > Administration > Service Configuration > Attachment Blocker Inbound / Outbound

Configuration Hierarchy:
For maximum flexibility, rules can be configured at multiple levels of your organization's structure, including Company, Domain, Profile, and User level. This allows you to set a general, company-wide policy and create more specific, granular exceptions for certain groups or individuals.

  • Inbound Protection: The primary goal is to protect your company's internal infrastructure from external threats by blocking unwanted or malicious file attachments.

  • Outbound Control (DLP Light): The primary goal is to prevent data leakage and protect your communication partners by stopping employees from sending files that violate company policy.

2. Core Functionality: Filter Strategy

The core of the Attachment Blocker is the Filter Mode (List Strategy). You can choose between two principles:

  • Blocklist Strategy (Default): Allows all attachments except for those explicitly listed on the blocklist.

  • Allowlist Strategy: Blocks all attachments except for those explicitly listed on the allowlist (Inbound only).

3. Configuration Parameters in Detail

This section explains each available setting in the user interface.

Feature

  • Active: The master switch to enable (Yes) or disable (No) the rule.

    • Admin Recommendation: To monitor attachments, enable the feature even if no filter rules are defined.

Filter Mode

  • List Strategy: Choose between Blocklist and Allowlist.

  • File Extensions: Define the file extensions (e.g., *.exe, *.pst) to be filtered.

  • MIME Types: Define the corresponding MIME types (e.g., application/x-msdownload) for more accurate detection (see Supported MIME Types).

Additional Blocking Options

  • Block Password Protected Files: Blocks archives that are password-protected, as they cannot be scanned for malware.

  • Block Suspicious Archives: Blocks "zip bombs" (highly compressed or deeply nested archives).

  • Block Unknown MIME Types: Blocks any attachment whose MIME type cannot be identified.
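The filter decision described in this section can be modelled offline to check a planned rule against sample attachments before rollout. The following is an added example, not the product's code or schema: the Rule and Attachment classes and evaluate() are hypothetical, and the evaluation order and the way extensions and MIME types combine are assumptions of this model. The rules are borrowed from Use Cases 1 and 2 in section 7.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class Rule:
    """Hypothetical model of one Attachment Blocker rule (not the product's schema)."""
    strategy: str                      # "blocklist" or "allowlist"
    extensions: list                   # patterns such as "*.exe"
    action: str                        # ACCEPT, DISCARD, REMOVE, QUARANTINE, ...
    mime_types: list = field(default_factory=list)
    active: bool = True
    block_password_protected: bool = False
    block_unknown_mime: bool = False

@dataclass
class Attachment:
    filename: str
    mime_type: Optional[str]           # None: the type could not be identified
    password_protected: bool = False

def evaluate(rule: Rule, att: Attachment) -> str:
    """Return rule.action when the attachment is filtered, otherwise "ACCEPT"."""
    if not rule.active:
        return "ACCEPT"
    # Assumption: the additional blocking options apply before the list check.
    if rule.block_password_protected and att.password_protected:
        return rule.action
    if rule.block_unknown_mime and att.mime_type is None:
        return rule.action
    name = att.filename.lower()
    ext_hit = any(fnmatchcase(name, p.lower()) for p in rule.extensions)
    mime_hit = att.mime_type in rule.mime_types
    if rule.strategy == "blocklist":
        # Assumption: a listed extension or a listed MIME type is enough to filter.
        return rule.action if (ext_hit or mime_hit) else "ACCEPT"
    # Allowlist: the extension must be listed, and the MIME type too if any are set.
    allowed = ext_hit and (mime_hit or not rule.mime_types)
    return "ACCEPT" if allowed else rule.action

# Constructed rules based on Use Cases 1 and 2 of this page.
BASELINE = Rule("blocklist", ["*.exe", "*.vbs", "*.js", "*.scr", "*.pif", "*.bat"],
                "REMOVE", block_password_protected=True)
BASELINE_MIME = Rule("blocklist", BASELINE.extensions, "REMOVE",
                     mime_types=["application/x-msdownload"])
FINANCE = Rule("allowlist", ["*.pdf", "*.docx", "*.xlsx", "*.pptx"], "QUARANTINE")

# Constructed sample: the file name says PDF, the detected MIME type says executable.
RENAMED = Attachment("report.pdf", "application/x-msdownload")
```

In this model, RENAMED is accepted by the extension-only BASELINE rule and removed by BASELINE_MIME, which is the gap the MIME Types setting closes.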

4. Actions and Notifications

Primary Action on the Email
Defines what happens to an email that triggers the rule.

  • ACCEPT: The email is delivered with the attachment.

  • DISCARD: The entire email is deleted.

  • REMOVE: The email is delivered, but the attachment is removed.

  • QUARANTINE (Inbound): The email is moved to the user's personal quarantine.

  • QUARANTINE_AND_REMOVE (Inbound): The email is quarantined and the attachment is removed.

Admin Settings & Notifications

  • Admin Action: A secondary action for administrative review (e.g., Quarantine for inbound, Forward for outbound).

  • Admin Notification: If enabled, sends a notification to the configured Admin Email Addresses.

End-User Notifications

  • Sender Notification: Informs the original sender. Best Practice: Enable for outbound rules (internal sender), disable for inbound rules (external sender).

  • Recipient Notification: Informs the final recipient. Best Practice: Enable for inbound rules (internal recipient), disable for outbound rules (external recipient).

5. Monitoring and Troubleshooting

Tracking Filtered Emails:
To analyze why a specific email was blocked or had an attachment removed, you can use Live Search.

  • To investigate specific incidents, navigate to Live Search / Attachment Blocker. Use the message ID from a notification or search for emails with the filter criteria "Attachment: Blocked" or by sender/recipient to find the corresponding log entry and see which rule was applied.

6. Best Practice Strategy

For Inbound Protection (Focus: Security)

  • Use a Blocklist to block all high-risk executables and scripts.

  • Enable Block Password Protected Files and Block Suspicious Archives.

  • Set the action to REMOVE the attachment and enable Recipient Notifications to inform the internal user.

  • For high-risk groups (Finance, Executives), use a stricter Allowlist and a QUARANTINE action.

For Outbound Control (Focus: Data Loss Prevention)

  • Use a Blocklist to prevent the sending of large archives (*.zip, *.rar), database files (*.pst, *.sql), or other sensitive file types as defined by your company policy.

  • Set the action to DISCARD the email or REMOVE the attachment.

  • Crucially, enable Sender Notifications to inform the internal employee about the policy violation and guide them toward approved file-sharing methods.

  • Set the Admin Action to Forward to a compliance officer for oversight.

7. Practical Use Cases & Example Configurations

Here are five relevant use cases for a corporate environment.

Use Case 1: Global Baseline Protection (Inbound)

  • Goal: Establish foundational security for all employees against common threats.

  • Configuration:

    • Level: Company

    • Filter Mode: Blocklist Strategy

    • File Extensions: *.exe, *.vbs, *.js, *.scr, *.pif, *.bat

    • Additional Blocking Options: Block Password Protected Files = Yes

    • Recipient Action: REMOVE

    • Recipient Notification: Enabled

Use Case 2: High-Security for Risk Groups (Inbound)

  • Goal: Apply maximum protection to frequently targeted departments like Finance or Executives.

  • Configuration:

    • Level: Profile (e.g., "Finance Profile")

    • Filter Mode: Allowlist Strategy

    • File Extensions: *.pdf, *.docx, *.xlsx, *.pptx

    • Recipient Action: QUARANTINE

    • Admin Notification: Enabled

Use Case 3: Proactive Defense Against Zero-Day Exploits (Inbound)

  • Goal: Mitigate new attack waves using macro-enabled files or obfuscated archives.

  • Configuration:

    • Level: Company

    • Additional Blocking Options: Block Suspicious Archives = Yes, Block Unknown MIME Types = Yes

    • Additional Rule (Temporary): Block *.docm, *.xlsm during an active threat wave with QUARANTINE action for analysis.

Use Case 4: Enforcing Compliance for HR (Inbound)

  • Goal: Ensure job applications are only received in a safe, standardized format.

  • Configuration:

    • Level: User (for recruiting@yourcompany.com)

    • Filter Mode: Allowlist Strategy

    • File Extensions: *.pdf

    • Recipient Action: REMOVE

    • Sender Notification: Enabled

Use Case 5: Basic Data Loss Prevention (Outbound)

  • Goal: Prevent employees from sending sensitive or large-scale data via email.

  • Configuration:

    • Level: Company

    • Direction: Outbound

    • Filter Mode: Blocklist Strategy

    • File Extensions: *.pst, *.sql, *.zip, *.rar, *.7z

    • Recipient Action: DISCARD

    • Sender Notification: Enabled (instructing the user to use the official file-sharing platform).

    • Admin Action: Forward to a compliance officer.
