Last week, Google announced that they were selling domain registrations for the .zip and .mov top-level domains (TLDs). Google registered these TLDs as part of ICANN’s generic top level domain program. Spammers and threat actors everywhere have rejoiced at this notion–.zip and .mov files are very common malware vectors. While there haven’t been any real-world observations of attacks the SANS institute is recommended proactively blocking these domains from your network, until we better understand their behavior.
There are a number of places to block these domains (and you will see various blogs from DCAC consultants this week about the different areas). I have become our defacto email admin, so I decided to handle the Office 365 side of this.
The first thing you need to do is login to the Exchange Admin Center, which is admin.exchange.microsoft.com.
The way you are going to block a whole TLD, is using mail flow rules. You can also block an entire domain (hiya Chris Beaver), using the accepted domain feature, but that feature doesn’t not allow you to block a TLD. So on the left, expand the mail flow object in the hive, and click on rules, and then click on “Create a Rule”
In your rule, you will first need to give it a name–this is just metadata–I used Blocked Spammy Domains Demo. For where to apply this rule select “The Sender” and then “address matches any of these text patterns” and then add the patterns \.zip$ and \.mov$ as shown below.
Next you have to specify an action–here I’m going to reject the message and include an explanation that gets sent back to the sender. “Buy a better domain spammer”. Next, I’m going to notify the recipient that a spammy domain was trying to email you.
After that, you can click next, and then you will be on the set rule settings page. Select “enforce” and activate this rule and then click next again.
On the final screen, click finish to complete the rule.
Your email is now protected from these spammy domains, that could be nefarious.