Exchange transport rules to detect audio/video attachments

After my fun creating a profanity filter for Exchange Online earlier this week, my attention turned to some of the other rules that my customer needed re-creating in preparation for the move to Office 365. Most were fairly straightforward blocks on certain domains/addresses, or used the normal templates to prevent financial data from being leaked, etc., but then I found another one that I’d expect to be included in Exchange Online Protection, but isn’t: copying any audio/video files emailed from within the organisation to a defined mailbox.

The rule itself is quite simple, but the number of file extensions involved meant I actually needed 4 rules to avoid this error message:

The rule can’t be created because it is too large. It has 9028 characters, and the maximum number of characters is 8192.

Reduce the size, either by removing content, such as words or regular expressions, from the rule; or by removing conditions, exceptions, or actions from the rule.

After chunking the attachment extensions, the final Exchange transport rules used to detect audio/video attachments were:

New-TransportRule "Notify Security if outbound email contains audio (1)" -AttachmentExtensionMatchesWords 'afc','vag','copy','vdj','sng','aob','act','ang','nra','hsb','rfl','sma','smp','syh','vyf','acm','at3','vmd','aimppl','nvf','saf','xfs','ins','alac','mod','omf','sfk','als','caf','gp5','wav','mp3','pla','abm','aup','wma','acd-zip','amxd','dmsa','dmse','emp','logicx','m4r','midi','ptx','rns','rx2','slp','trak','5xb','a2b','a2i','agr','akp','asd','bnk','bun','bww','csh','dfc','dsm','dtm','fev','flp','frg','g726','gsm','h5b','h5s','isma','krz','ksf','mbr','mmlp','mpga','mtp','musx','nkc','nkm','omg','pkf','r1m','rex','rip','rol','sbi','sfpack','smf','sseq','svd','syw','tg','u','uax','vpl','zvd','0.669','eop','mus','sf2','mid','ksd','aif','flp','oga','pcg','sty','dig','mscz','ogg','m3u','flac','sib','aiff','syx','zab','dss','gpk','xspf','mui','vlc','nbs','5xe','logic','minigsf','sd','sdat','wve','ins','cda','ram','aac','iff','nki','wave','wpk','dff','amr','3ga','dcf','aud','cwt','dls','ds2','flm','nsa','it','pcm','pho','q1','sns','sph','xwb','dsp','sam','u8','wand','ym','ac3','oma','sds','stm','acd','dsf','cpr','xa','m3u8','ftm','4mp','apl','cwp','cws','gpbank','gsflib','med','mo3','mx5','ply','qcp','rmj','w64','ahx','au','b4s','h0','h3e','hbb','hbs','ins','kit','kmp','ksc','mdl','mu3','phy','q2','sbg','sfap0','smp','toc','vgz','vmf','zpa','2sf','m4a','ds','nsf','sesx','ape','fls','mus','emx','pcast','dtshd','mmm','peak','vox','bmml','mscx','xmf','rtm','pls','sfl','xm','avastsounds','snd','voc','wax','wpp','ra','cdr','seq','gpx','au','aa','m4b','odm','mpa','amz','5xs','a2m','abc','acd-bak','adts','agm','aifc','alc','amf','band','bap','bdd','bidule','bwf','caff','cdda','cdlx','cdo','cel','cgrp','cidb','ckb','conform','cpt','cwb','dct','dewf','df2','dig','dm','dmf','dra','drg','dwd','efk','efq','efs','efv','emd','esps','f2r','f32','f3r','f4a','f64','fdp','fsb','fsc','fsm','ftm','ftmx','fzf','fzv','g721','gig','groove','gsf','h4b','hbe','igp','iti','koz','koz','kt3','la','lso','lwv','m4p','ma1','mdc','mgv','miniusf','mka','mmp','mmpz','mpc','mte','mti','mtm','mus','mux','narrative','nkb','nks','nkx','nml','note','nrt','nst','ntn','nwc','obw','okt','omx','ovw','pandora','pca','pek','pna','psm','ptm','pts','rax','rgrp','rmi','rmx','rng','rso','rti','s3i','sc2','scs11','sd2','sfz','sgp','smpx','sou','sppack','sprg','stap','sty','sxt','syn','td0','tta','txw','ult','uni','usf','usflib','ust','uw','uwf','vap','vc3','vmo','voxal','vpm','vpw','vrf','vsq','wfb','wfm','wfp','wow','wproj','wrk','wus','wut','wv','wvc','wwu','xmu','xrns','yookoo','adv','cmf','dmc','gmc','mp_','ppcx','sbk','sid','sng','vgm','6cm','8med','a52','al','d01','evr','fda' -GenerateIncidentReport security
New-TransportRule "Notify Security if outbound email contains audio (2)" -AttachmentExtensionMatchesWords 'gsm','kin','mini2sf','pd','prg','record','rmf','tmc','tun','wyz','xp','xt','kar','vb','wem','adg','dts','kfn','pk','mxl','mtf','ncw','dw','igr','vce','ddt','k25','sf','dvf','aa3','adt','fpa','h5e','mpdp','ove','rbs','sd','slx','stx','swa','vsqx','w01','zpl','mmp','opus','ppc','rsf','sdt','wav','xa','xpf','xsb','brstm','tak','ptf','efa','g723','mmf','s3m','sap','vqf','2sflib','avr','ear','mp1','dcm','ay','zvr','pat','ams','cts','gbs','ics','k26','mp2','mts','myr','ots','psf','rsn','ses','shn','snd','a2p','a2t','a2w','ab','acp','ais','alaw','all','apf','aria','ariax','axa','bwg','c01','ckf','djr','efe','emy','erb','far','fti','gbproj','gym','h3b','h4e','hdp','iaa','imp','itls','its','jam','jam','kpl','kt2','l','lof','lqt','m','m1a','m2','minipsf','minipsf2','mogg','mpu','mt2','mux','mx3','mx4','mx5template','npl','ofr','ovw','pbf','pjunoxl','plst','pno','prg','psf1','psf2','psy','ptcop','pvc','rad','raw','rbs','rcy','rmm','rta','rts','rvx','s3z','sd2f','spx','sseq','ssnd','svq','svx','thx','tsp','ub','ulaw','v2m','vmf','vtx','wtpl','wtpt','xbmml','xmi','xmz','xsp','zgr','atrac','box','fzb','hmi','imf','sdx','aax','sb','cfa','mxmf','pac','d00','8svx','ams','wfd','msv','xi','nmsv','ase','awb','expressionmap','hma','hps','mlp','mzp','sfs','snd','tak','8cm','gm','lvp','bcs','bonk','cfxr','dwa','fff','gio','gio','gro','jo','jo-7z','ksm','ktp','minincsf','mt9','musa','muz','mwand','mws','nap','orc','pmpl','r','sdii','seg','snsf','sth','sti','stw','sw','swav','syn','tfmx','tm2','tm8','ulw','val','voi' -GenerateIncidentReport security
New-TransportRule "Notify Security if outbound email contains video (1)" -AttachmentExtensionMatchesWords 'aep','dzp','viv','vro','mp4.infovid','scm','dir','rms','wlmp','dzm','mswmm','amc','psh','3gp','veg','sfd','trp','wpl','m2p','ntp','aaf','bdmv','d3v','dck','gcs','ivr','m21','mk3d','mproj','msdvd','rdb','rmp','rv','screenflow','sec','swt','trec','usm','vcpf','viewlet','xej','dnc','ivf','playlist','spl','wm','bik','swf','webm','dcr','mani','prproj','wp3','mkv','avi','fbr','gfp','srt','piv','3gp2','bu','mpeg','wmv','scc','meta','gvi','vob','m4v','aepx','dzt','ts','ism','swi','amx','m2ts','rec','rmd','vpj','g64','mmv','ifo','wve','cpi','vp6','mov','vsp','mp4','mpg','hdmov','fcp','ogm','sbk','vc1','vgz','wmx','xesc','zm3','bnp','k3g','lvix','vp3','bin','mob','dmx','kmv','flv','par','vid','rmvb','dcr','tp','xvid','mnv','str','asf','bdm','camproj','mxf','yuv','0.89','avchd','dat','m1pg','mvd','roq','tsp','wmmp','ddat','f4f','imovielibrary','lsx','proqc','qt','sbt','video','yog','f4v','mts','3gpp','3mm','r3d','dav','smv','ogv','nvc','h264','3g2','dvdmedia','fcproject','ismv','sqz','tix','clpi','f4p','fli','hdv','m2t','mvp','nsv','rsx','smk','thp','ttxt','inp','mvc','m15','0.264','lrv','mvp','wmd','camrec','dxr','divx','stx','aetx','vep','dv4','db2','mpeg4','pds','mod','aec','ajp','dv','sfera','dvr','pmf','ced','dash','rm','ale','avp','bsf','dmsm','dream','imovieproj','otrkey','3p2','arcut','avb','avv','bdt3','bmc','cine','cip','cmmtpl','cmrec','cst','d2v','dce','dmsd','dmss','dpa','evo','eyetv','fbz','flc','flh','fpdx','ftc','gts','hkm','imoviemobile','imovieproject','ircp','ismc','izz','izzy','jss','jts','jtv','kdenlive','m21','m2v','mj2','mp21','mpgindex','mpls','mpv','mse','mtv','mve','mxv','ncor','nuv','ogx','pac','photoshow','plproj','ppj','prel','prtl','pxv','qtl','qtz','rcd','rum','rvid','rvl','sdv','sedprj','seq','sfvidcap','siv','smi','svi','tda3mt','tivo','tp0','tpd','tpr','tvlayer','tvs','tvshow','usf','vbc','vcv','vdo','vdr','vfz','vlab','vtt','wcp','wvx','wxp','xfl','xlmv','y4m','zm1','zm2','exo','lrec','mp4v','mys','vcr','w32','am','aqt','cvc','gom','mpeg1','mpv2','orv','rmv','ssm','zeg','arf','moi','zmv','wtv','mjp','gifv','mpe','dpg','mpl','rcproject','amv','tod','60d','moff','mp2v','tdt','dvr-ms','bmk','asx','edl','smil','snagproj','cmmp','dv-avi','eye','mgv','mp21','pgi','pro','stl','xml','avs','box','int','irf','scn','sml','ismclip','avs','evo','smi','awlive','m4e','mpg2','tdx','vivo','movie','vf','3gpp2','psb','axm','cmproj','dmsd3d','dvx','ezt','ffm','mqv','mvy','vp7','xel','aet','anx','avc','avd','axv','bdt2','bs4','bvr','byu','camv','cmv','cx3','dlx','dmb','dmsm3d','fbr','fcarch','ffd','flx','gvp','iva','jmv','ktn','m1v','m2a','m4u','mjpg','mpsub','mvex','osp','pns','pro4dvd','pro5dvd','pssd','pva','qtch' -GenerateIncidentReport security
New-TransportRule "Notify Security if outbound email contains video (2)" -AttachmentExtensionMatchesWords 'qtindex','qtm','rp','rts','theater','tid','tvrecording','vem','vfw','vix','vs4','vse','wot','xmv','mvb','nut','pjs','sec','0.787','ssf','mpl','clk','dif','vft','vmlt','anim','grasp','moov','pvr','vmlf','modd','bix','cel','dsy','gl','ivs','lsf','m75','mpf','msh','pmv','rmd','rts','scm','vdx' -GenerateIncidentReport security
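
Rather than splitting the extension lists by hand, the chunking can be done in PowerShell so that each rule stays under the 8192-character limit. The script below is an added example, not code from the original post: it normalises the list (lower-case, no leading dots, duplicates removed), splits it into chunks by estimated rule size, and creates one numbered New-TransportRule per chunk via parameter splatting. It assumes an existing Exchange Online PowerShell session, that "security" resolves to the incident-report mailbox as in the post, and that a 7000-character budget per rule leaves enough headroom (the limit applies to the stored rule, so the command length is only an approximation). It also adds -FromScope InOrganization, which the post's rules do not set, to restrict matching to mail sent from inside the organisation; the sample extension list at the end is constructed and stands in for the full fileinfo.com list.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline has
# already been run and "security" is the incident-report mailbox.

function Split-ExtensionList {
    param(
        [Parameter(Mandatory)] [string[]] $Extensions,
        [int] $MaxRuleChars = 7000   # assumed safety margin below the 8192 limit
    )
    # Normalise: lower-case, strip leading dots, drop blanks and duplicates
    $clean = $Extensions |
        ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ -ne '' } |
        Select-Object -Unique

    $chunks  = New-Object System.Collections.Generic.List[object]
    $current = New-Object System.Collections.Generic.List[string]
    $size    = 0
    foreach ($ext in $clean) {
        # Each word costs its length plus two quotes and a comma: 'ext',
        $cost = $ext.Length + 3
        if (($size + $cost -gt $MaxRuleChars) -and ($current.Count -gt 0)) {
            $chunks.Add($current.ToArray())
            $current = New-Object System.Collections.Generic.List[string]
            $size = 0
        }
        $current.Add($ext)
        $size += $cost
    }
    if ($current.Count -gt 0) { $chunks.Add($current.ToArray()) }
    # Leading comma keeps the outer array intact when there is only one chunk
    return ,$chunks.ToArray()
}

function New-AttachmentExtensionRules {
    param(
        [Parameter(Mandatory)] [string]   $NamePrefix,   # e.g. "Notify Security if outbound email contains audio"
        [Parameter(Mandatory)] [string[]] $Extensions,
        [string] $IncidentReportTo = 'security',
        [switch] $WhatIf                                  # preview without creating rules
    )
    $chunks = Split-ExtensionList -Extensions $Extensions
    $i = 0
    foreach ($chunk in $chunks) {
        $i++
        $params = @{
            Name                            = "$NamePrefix ($i)"
            AttachmentExtensionMatchesWords = $chunk
            GenerateIncidentReport          = $IncidentReportTo
            FromScope                       = 'InOrganization'   # assumption: only mail sent from inside the organisation
        }
        if ($WhatIf) { New-TransportRule @params -WhatIf } else { New-TransportRule @params }
    }
}

# Constructed sample input; in practice load the full list, e.g.
#   $audio = Get-Content .\audio-extensions.txt
$audio = @('mp3', 'wav', '.WAV', 'flac', 'ogg', 'm4a', 'aac', 'mp3')
New-AttachmentExtensionRules -NamePrefix 'Notify Security if outbound email contains audio' -Extensions $audio -WhatIf
```

Run it with -WhatIf first to see how many rules the list produces and what each would be named, then drop the switch to create them. If a rule is still rejected as too large, lower -MaxRuleChars on Split-ExtensionList; the per-word estimate does not account for the rest of the stored rule definition.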

The file extension lists are taken from fileinfo.com (audio and video).

It should also be noted that these rules are fairly simple – they only match on the attachment's file extension and do not inspect the actual contents of the attachment or the message.
