In the past the maximum number of transport rules that you could create in Exchange Online (Enterprise, Education, and Government plans) was 100. This limit has recently been increased to 300 (for Enterprise, Education, and Government plans)! For those that were concerned about reaching the 100 rule limit, you now have 200 more rules that can be created. This increase has been updated and noted on the following TechNet page.
Exchange Online Limits - See the section Transport and Inbox rule limits across Office 365 Options.
When thinking about manageability and troubleshooting, I would not recommend creating anywhere near 300 rules. I actually wouldn’t recommend creating close to 100 rules. In certain cases though, especially with tenants that have a large number of domains, a large number of rules may be needed. For those that are in that boat, this change is for you.
On a side note, I think this is the shortest post that I have written to date.
Happy Halloween!
This article may be common knowledge for some, but it is important to revisit and refresh outselves on. You may be aware of what content EOP will flag as being executable, or you may not. In either case, I think this is an important topic so sit back, relax, and read on.
One of our best practices is to create a transport rule which blocks executable content. This would look as follows.
The reason we suggest creating this rule is that it acts as a second line of defense for catching zero day malware. If a zero day attack is missed by the EOP malware filters but is being delivered in the form of an executable attachment, this rule will stop those messages from reaching your end users.
The beauty of this transport rule predicate is that it will also catch executable files that have had their extensions renamed. For example, if the file notavirus.exe is renamed to notavirus.txt and attached to an email, this transport rule will still fire.
If you instead created a transport rule with the predicate, Any attachment’s file extension matches…
This transport rule WOULD NOT fire if a file with a matching extension has its extension renamed. With this rule, if the executable notavirus.exe was renamed to notavirus.txt, this rule would not fire. This predicate should only be used to block extensions that do not fall under what we consider “executable content.”
What EOP considers as executable is nicely documented on TechNet, however it is a little buried. The list of file types can be found on the TechNet page Using transport rules to inspect message attachments. Scroll to the bottom of this article and look for the table under the heading Supported executable file types for transport rule inspection.
To save you a click, the current list is as follows.
If your transport rule is set to look for Executable Content, the above file types will cause the rule to trigger even if their extension is renamed.
I mentioned above that one of our best practices is to create a transport rule which will trigger on executable content. I would highly recommend this, along with other great best practices can be found on the TechNet page Best practices for configuring EOP. This page also lists other file extensions that you may wish to block through a transport rule that looks at an attachments extension (see the section Extension Blocking).
Using transport rules to inspect message attachmentsBest practices for configuring EOP