Configure Microsoft Defender Attack Surface Reduction rules through Intune to prevent malicious executable files and scripts from running directly from email attachments across enterprise devices.
Email remains one of the most common attack vectors for malware delivery, with cybercriminals frequently using executable attachments to compromise enterprise environments. Traditional email security solutions may miss sophisticated threats or allow users to bypass warnings, making endpoint-level protection crucial for comprehensive defense.
Microsoft Defender's Attack Surface Reduction (ASR) rules provide granular control over potentially dangerous behaviors at the endpoint level. The "Block executable content from email client and webmail" rule specifically targets executable files and scripts that users attempt to run directly from email attachments, preventing a significant category of malware infections before they can establish persistence.
By implementing this ASR rule through Microsoft Intune, you'll establish enterprise-wide protection that prevents users from executing potentially malicious files directly from email clients like Outlook, Thunderbird, or webmail interfaces. The rule operates transparently to users while providing comprehensive logging and monitoring capabilities through the Microsoft Defender portal. You'll learn to deploy the rule safely using audit mode first, configure necessary exclusions for legitimate business applications, and monitor effectiveness across your environment.
Start by logging into the Microsoft Intune admin center to create your Attack Surface Reduction policy.
Open your browser and navigate to https://intune.microsoft.com. Sign in with your administrative credentials that have Endpoint Security Administrator or Global Administrator permissions.
Once logged in, navigate to Endpoint security in the left navigation pane, then click Attack surface reduction.
Click Create Policy to start creating a new ASR policy.
Verification: You should see the Attack surface reduction policy creation wizard with platform and profile type options.
Configure the basic policy settings for your ASR rule deployment.
In the policy creation wizard:
On the Basics page:
ASR - Block Email Executable ContentPrevents executable files and scripts from running when downloaded through email clients and webmail servicesVerification: The policy name should appear in the policy list, and you should be on the Configuration settings page.
Now configure the specific ASR rule that blocks executable content from email clients.
In the Configuration settings page, locate the rule Block executable content from email client and webmail. This rule has the GUID D3E037E1-3EB8-44C8-A917-57927947596D.
Set the rule to one of these modes:
For initial deployment, select Audit mode. This allows you to monitor what would be blocked without impacting users.
Click Next to proceed to scope tags.
Verification: The rule should show as "Audit mode" in the configuration summary.
Set up scope tags (if used) and assign the policy to target groups.
On the Scope tags page, add any relevant scope tags for your organization's administrative boundaries, or leave blank if not using scope tags. Click Next.
On the Assignments page:
Review your settings on the Review + create page and click Create.
Verification: The policy should appear in your Attack surface reduction policies list with a status of "Pending" or "Succeeded".
Verify that the policy deploys successfully to target devices.
In the Intune admin center, navigate to Endpoint security > Attack surface reduction and click on your newly created policy.
Click the Device status tab to monitor deployment progress. You should see devices listed with their compliance status.
To force immediate policy check-in on a test device, you can use the Company Portal app or run this PowerShell command as administrator on the target device:
Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTaskAlternatively, restart the device to ensure policy application.
Verification: Device status should show "Succeeded" for target devices within 15-30 minutes of policy creation.
Confirm that the ASR rule is active on enrolled devices using PowerShell.
On a target device, open PowerShell as administrator and run:
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_IdsThis should return the GUID D3E037E1-3EB8-44C8-A917-57927947596D if the rule is configured.
To check the rule's current mode, run:
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_ActionsThe output values mean:
0 = Disabled1 = Block mode2 = Audit mode6 = Warn modeSince you configured Audit mode, you should see 2 in the output.
Verification: Both commands should return the expected GUID and action value (2 for Audit mode).
Perform a controlled test to verify the ASR rule is functioning correctly.
Create a test scenario by sending an email with a harmless executable attachment to a user on a target device. You can use a simple batch file for testing:
@echo off
echo This is a test executable
pauseSave this as test.bat and send it as an email attachment to a test user.
When the user attempts to run the attachment directly from their email client (Outlook, Thunderbird, etc.), the ASR rule should trigger.
Since you're in Audit mode, the file will execute but an event will be logged. Check the Windows Event Viewer on the target device:
1122 (Audit mode trigger)Verification: You should see Event ID 1122 with details about the blocked executable and the ASR rule GUID.
Use the Microsoft Defender portal to monitor ASR rule effectiveness across your environment.
Navigate to https://security.microsoft.com and sign in with your administrative credentials.
Go to Reports > Attack surface reduction rules in the left navigation.
Click on the Detections tab to view ASR rule triggers. You should see entries for your test and any legitimate triggers from the "Block executable content from email client and webmail" rule.
Click on the Configuration tab to see which devices have the rule enabled and their current configuration status.
Review the data for at least one week in Audit mode to identify patterns and potential false positives before switching to Block mode.
Verification: The Detections tab should show audit events from your test and any real-world triggers with detailed file information.
Based on your audit data, add exclusions for legitimate applications that are being incorrectly flagged.
Return to your ASR policy in the Intune admin center. Click Properties, then Edit next to Configuration settings.
Scroll down to find Attack Surface Reduction Rules Exclusions. Add file paths, folder paths, or file extensions that should be excluded from this rule.
Common exclusions might include:
C:\Program Files\YourApp\app.exeC:\Program Files\LegitimateApp\**.msiExample exclusion configuration:
C:\Program Files\RemoteMonitoring\winagent.exe
C:\Program Files (x86)\BusinessApp\*Click Review + save to apply the exclusions.
Verification: Test previously blocked legitimate applications to ensure they now function correctly.
After validating the rule in Audit mode and configuring necessary exclusions, switch to Block mode for full protection.
Edit your ASR policy and change the "Block executable content from email client and webmail" rule from Audit mode to Block.
Save the policy changes. The new setting will deploy to devices within the next policy refresh cycle (typically 8 hours, or immediately with manual sync).
Once you've confirmed Block mode works correctly with your pilot group, expand the assignment:
Monitor the Microsoft Defender portal for Block events (Event ID 1121) to ensure the rule is working as expected.
Set up regular monitoring schedules to review ASR effectiveness and adjust exclusions as needed.
Verification: Event Viewer should show Event ID 1121 (Block mode) instead of 1122 (Audit mode) for new triggers, and malicious email attachments should be prevented from executing.
Deepen your knowledge with related resources
Share your thoughts and insights
Sign in to join the discussion