    Trojan zip attachments getting through


      I have everything in the inbound policy set to quarantine inbound zip files, yet they still get through.  Our organization has been receiving inbound messages with zip attachments that contain a trojan executable.  Is anyone else seeing this?



          Brad McGarr

          Hi Patrick,


          That behavior is both troubling and unusual. If you haven't contacted the support team that services your account, I highly encourage you to do so. A few things I would also look for are:


          - In the header of the message, if a "Received from _____ by ____" hop is missing a line with a server and ESMTP ID that ends in mxlogic.net, the message bypassed the filter through direct connection.


          - Verify the recipient user accounts in the Control Console were not set to exempt them from any level of filtering


          - If you have access to Message Audit, check to see if this was released from quarantine by anyone. If you don't directly have this, your support team can pull the necessary details.


          Above all though in a case like this contacting your support team is highly recommended so they can fully investigate the issue.


          Let me know if you have any questions.
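The header check described in the first bullet above, as an added example that is not part of the original thread: it unfolds each Received hop of a raw message and reports whether any hop was relayed "by" a host under mxlogic.net. The two sample messages, their host names, IDs and addresses are constructed for illustration.

```python
import email
import re

# Constructed sample: a message that traversed the filtering service.
# Host names, addresses and ESMTP ids are made up for illustration.
FILTERED_MSG = """\
Received: from p01c11m084.mxlogic.net (p01c11m084.mxlogic.net [203.0.113.72])
\tby mail.example.internal (Postfix) with ESMTP id 4F2A1C0012
\tfor <patrick@example.internal>; Mon, 01 Mar 2010 09:12:44 -0500
Received: from mail.partner.example (mail.partner.example [192.0.2.10])
\tby p01c11m084.mxlogic.net(mxl_mta-6.5.0-1) with ESMTP id 9e1c3b4b.0.1234
\tfor <patrick@example.internal>; Mon, 01 Mar 2010 09:12:40 -0500
From: ap@partner.example
To: patrick@example.internal
Subject: Invoice attached

see attachment
"""

# Constructed sample: a message delivered by direct connection to the
# internal mail server, so no filter hop appears at all.
DIRECT_MSG = """\
Received: from unknown (HELO mail.partner.example) (198.51.100.23)
\tby mail.example.internal (Postfix) with ESMTP id 7B3E9C0044
\tfor <patrick@example.internal>; Mon, 01 Mar 2010 09:15:02 -0500
From: ap@partner.example
To: patrick@example.internal
Subject: Invoice attached

see attachment
"""

# The receiving server names itself after "by" in the hop it writes.
BY_HOST = re.compile(r'\bby\s+([A-Za-z0-9.-]+)', re.IGNORECASE)


def received_hops(raw):
    """Return the Received headers, most recent hop first, with folding removed."""
    msg = email.message_from_string(raw)
    return [h.replace('\n', ' ').replace('\r', ' ') for h in msg.get_all('Received', [])]


def filter_hop_present(raw, filter_domain='mxlogic.net'):
    """True if some hop was written by a relay whose name ends in filter_domain."""
    for hop in received_hops(raw):
        m = BY_HOST.search(hop)
        if m and m.group(1).lower().rstrip('.').endswith(filter_domain):
            return True
    return False  # no filter hop: the message reached the server by direct connection
```

Only the hops added by your own server and by the filter are trustworthy; anything the sender's side wrote below them can be forged, so the check deliberately looks for the filter's own hop rather than reasoning about earlier ones.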

            Thanks for the quick response.  After speaking to support, it turns out that the malicious messages were spoofing the domain of a known business partner that had been added to the whitelist.  We have now cleaned out our policy's whitelist and hopefully that should take care of it.


            We were not aware that a domain's entry on the whitelist exempted it from scanning.  A warning on that page would be helpful.  Thanks!

              This action actually concerns us, if true. In my opinion, regardless of any policy, any message with a known virus should be quarantined or handled per the org's policy. It was my understanding that all messages are scanned for malicious content and payload.

                Known viruses are blocked regardless of the sender's allow list membership. This was apparently a 0-hour exploit, and the allow list bypasses the attachment policy, which is legacy functionality that should be addressed in a future release.