TL;DR
This guide shows you how to stop users from downloading attachments sent by people outside your organisation in Office 365. We’ll use Exchange Online Transport rules to achieve this.
Step-by-step Guide
- Understand the Approach
- Access Exchange Admin Center
- Create a New Transport Rule
- Navigate to Mail flow > Rules.
- Click the + Add rule button, then select Create a new rule.
- Give your rule a descriptive name (e.g., ‘Block External Attachment Downloads’).
- Configure Rule Conditions: Identify External Senders
- Click Add condition > Sender is external. This identifies emails from outside your organisation.
- Click Add condition > Has attachments.
- Configure Rule Actions: Block Attachment Access
- Click Add action > Modify message properties.
- Select Set attachment options from the dropdown.
- Check the box for Block attachments.
- Leave other options unchecked.
- Configure Rule Exceptions (Optional)
- Click Add exception > choose the appropriate exception condition (e.g., ‘Sender is a member of’).
- Specify the sender(s) you want to exclude.
- Review and Enable the Rule
- Review all your settings carefully.
- Click Save.
- The rule is enabled by default. If not, toggle it on.
- Test the Rule
- Advanced Configuration (Optional): Using PowerShell
We’ll create a transport rule that checks if an email comes from outside your company (an external sender). If it does, and has attachments, we’ll block users from downloading them. This doesn’t stop the email itself; it just prevents attachment access.
You need to be a Global Administrator or have the Mail Flow permissions role to do this. Sign in to the Exchange admin center.
You might want to exclude certain senders or domains from this rule. For example, trusted partners.
Send an email from a non-company account with an attachment to a user in your organisation. The user should receive the email but be unable to download the attachment.
For more complex scenarios, you can use PowerShell:
New-TransportRule -Name "Block External Attachment Downloads" -FromDomain *@*.com -HasAttachments $true -AttachmentOptions BlockReplace @*.com with the domains you want to block. You’ll need to connect to Exchange Online PowerShell first.