Email is the main delivery route for phishing and other attacks.

The usual scenario is as follows:

You receive an email that appears to be from a [supplier, customer, friend, employee] with an attachment. The attachment is either previewed automatically and/or requires you to click to view it. It may then prompt you to enable an ‘xyz’ plugin, or to activate something, in order to see the attachment or even just to open it.

If it’s malicious and you clicked, your system is no longer yours!

Simply blocking or quarantining the file extensions most often used for malicious attachments stops the threat dead. Yes, some genuine email will be stopped too, but you should be expecting those emails with those types of attachment and will know to look in the quarantine, which is a small inconvenience.

Block the following types (many of which are required by the Cyber Essentials Scheme):

  • .com .exe .bin .pif .msi
  • .sh .py .js .vbs .scr
  • .hta
  • .cmd .bat
  • .vb
  • .msc
  • .vbe .jse
  • .scf .inf .reg
  • .ps1 .psc1 .ps1xml
  • .ps2 .psc2 .ps2xml
  • .ws .wsf .wsc .wsh
  • .msh .mshxml
  • .msh1 .msh1xml
  • .msh2 .msh2xml
  • .msp .cpl
  • .lnk
  • .zip .7z .rar .tar.gz .tar .gz .jar .gadget
  • .dmg

Macro-enabled Microsoft Office files have always been a problem, so you should consider blocking them as well:

  • .DOCM, .DOTM, .XLSM, .XLTM, .XLAM, .PPTM, .POTM, .PPAM, .PPSM, .SLDM
  • .RTF, .PPSX

Compressed files may contain malicious files, so your email filtering system should be set up to look inside those file types.
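As an added worked example (not code from the original article), the policy above expressed as a small Python triage routine: the blocklist is the article's, matched case-insensitively and with multi-part extensions such as .tar.gz handled before .gz, and zip attachments are opened so that blocked files inside them are reported. It goes slightly beyond the text in two ways: it judges an attachment by its content as well as its name (a zip renamed to .jpg is still a zip), and it follows nested zips a couple of levels down. The function names, the sample filenames and the archive contents are constructed for the example.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Extension blocklist copied from the lists above, lower-cased for matching.
BLOCKED_EXTENSIONS = frozenset({
    ".com", ".exe", ".bin", ".pif", ".msi", ".sh", ".py", ".js", ".vbs", ".scr",
    ".hta", ".cmd", ".bat", ".vb", ".msc", ".vbe", ".jse", ".scf", ".inf", ".reg",
    ".ps1", ".psc1", ".ps1xml", ".ps2", ".psc2", ".ps2xml",
    ".ws", ".wsf", ".wsc", ".wsh", ".msh", ".mshxml",
    ".msh1", ".msh1xml", ".msh2", ".msh2xml", ".msp", ".cpl", ".lnk",
    ".zip", ".7z", ".rar", ".tar.gz", ".tar", ".gz", ".jar", ".gadget", ".dmg",
    # macro-enabled Office formats, .rtf and .ppsx
    ".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam",
    ".ppsm", ".sldm", ".rtf", ".ppsx",
})
# Longest first, so "backup.tar.gz" is reported as ".tar.gz" rather than ".gz".
_ORDERED_EXTENSIONS = sorted(BLOCKED_EXTENSIONS, key=len, reverse=True)

# Only zip is opened here; .7z and .rar would need third-party libraries.
ZIP_SIGNATURE = b"PK\x03\x04"
MAX_NESTING = 2  # archive-in-archive levels to open before giving up
# Formats that are zip archives underneath. A zip signature under any other
# name (say "photo.jpg") means the attachment misrepresents itself.
ZIP_CONTAINER_EXTENSIONS = (
    ".zip", ".jar", ".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".xlam",
    ".pptx", ".pptm", ".potm", ".ppam", ".ppsx", ".ppsm", ".sldm",
)


def matched_extension(filename: str) -> Optional[str]:
    """Return the blocked extension `filename` ends with (case-insensitive), or None."""
    name = filename.strip().lower()
    for ext in _ORDERED_EXTENSIONS:
        if name.endswith(ext):
            return ext
    return None


def blocked_zip_members(data: bytes, depth: int = 0) -> List[str]:
    """Reasons found inside a zip: blocked member names, encrypted members that
    cannot be inspected, and findings from nested zips up to MAX_NESTING deep.
    An archive that cannot be parsed is itself a reason to quarantine."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["archive is not a readable zip file"]
    reasons: List[str] = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # general-purpose flag bit 0 = encrypted
                reasons.append(f"encrypted member cannot be inspected: {info.filename}")
                continue
            ext = matched_extension(info.filename)
            if ext:
                reasons.append(f"blocked member {info.filename} ({ext})")
            with archive.open(info) as member:
                head = member.read(len(ZIP_SIGNATURE))
                if head != ZIP_SIGNATURE:
                    continue
                if depth >= MAX_NESTING:
                    reasons.append(f"{info.filename}: nested deeper than {MAX_NESTING}, not inspected")
                    continue
                nested = blocked_zip_members(head + member.read(), depth + 1)
                reasons.extend(f"{info.filename} -> {r}" for r in nested)
    return reasons


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Decide 'quarantine' or 'deliver' for one attachment and keep the reasons,
    so whoever reviews the quarantine can release a genuine file knowingly."""
    reasons: List[str] = []
    ext = matched_extension(filename)
    if ext:
        reasons.append(f"blocked extension {ext}")
    if data.startswith(ZIP_SIGNATURE):  # judge by content, not by name
        if not filename.lower().endswith(ZIP_CONTAINER_EXTENSIONS):
            reasons.append(f"content is a zip archive but the name {filename} does not say so")
        reasons.extend(blocked_zip_members(data))
    return {"filename": filename, "action": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample_zip() -> bytes:
    """Constructed test input: a zip holding a double-extension script, a harmless
    text file and a nested zip that holds a batch file. All contents are inert."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("run.bat", "@echo constructed sample\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice.PDF.js", "// constructed sample, does nothing\n")
        z.writestr("readme.txt", "plain text, allowed\n")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.pdf", b"%PDF-1.4 constructed sample"),
        ("Invoice.DOCM", b"PK\x03\x04 truncated, not a real document"),
        ("files.zip", build_sample_zip()),
        ("holiday_photo.jpg", build_sample_zip()),  # archive disguised as an image
    ]
    for name, payload in samples:
        verdict = triage_attachment(name, payload)
        print(f"{verdict['action']:<10} {name}")
        for reason in verdict["reasons"]:
            print(f"           - {reason}")
```

Two points worth noting about the design. A corrupt or truncated archive is quarantined rather than waved through, because an unreadable container is one the filter could not inspect. Macro-enabled Office documents are zip containers too, and they store their VBA project in a member such as word/vbaProject.bin, so the .bin entry from the article's list also flags the macro project inside a .docm that reaches this routine.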

You might notice that many of these extensions are used by the Microsoft Windows operating system; opening them on a Mac or on Linux would typically have little impact. Some of the file types are script files which Linux and Mac may run, but normally that requires the user to take a number of steps, and even when run they cause little impact on a sensibly configured device with a competent user. That is not a given, though, so block first and release later even if you use Apple or Linux.