Microsoft to block 40+ additional file extensions in Outlook on the web
Microsoft is planning to block by default 40+ new file types in Outlook on the web to improve the security for their customers.
“We took the time to audit the existing blocked file list and update it to better reflect the file types we see as risks today,” the Exchange Team noted.
Outlook on the web and blocked attachments
Outlook on the web, formerly Outlook Web Access (OWA), is a personal information manager web app included in Office 365, Exchange Server, and Exchange Online (Exchange Server delivered as a cloud service hosted by Microsoft).
The current list of attachments blocked in Outlook can be reviewed here, and it already includes the new additions, although these changes will only start rolling out from November in Exchange Online and on-prem with a future cumulative update.
The soon-to-be blocked extensions are used for/by:
- Python files (“.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz”, “.pyzw”)
- Java files (“.jar”, “.jnlp”)
- PowerShell files (“.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.cdxml”, “.pssc”)
- Digital certificates (“.cer”, “.crt”, “.der”)
- Third-party apps (“.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab”, “.grp”)
- Microsoft components (“.appref-ms”, “.udl”, “.wsb”).
“The newly blocked file types are rarely used, so most organizations will not be affected by the change. However, if your users are sending and receiving affected attachments, they will report that they are no longer able to download them,” the Exchange Team explained.
“If your organization requires that users be able to download attachment of these types from OWA, you should first ensure that our organization’s operating systems and application software are up-to-date (in the case files that are opened by application software) or ensure that your users are familiar with the risks associated with the file types (in the case of files that are interpreted by scripting software). If you want a particular file type to be allowed, you can add that file type to the AllowedFileTypes property of your users’ OwaMailboxPolicy objects.”
They’ve included instructions for Exchange administrators to add a file extension to the AllowedFileTypes list and remove extensions from BlockedFileTypes list.
Microsoft also pointed out that blocked files can still be sent and received, either by renaming them (and making the recipient change the name again), compressing them into an archive file, or saving them to the cloud or to a secure network share server and sending the link to them.
As a side note: Proofpoint’s threat report says that, in Q2 2019, 85% of malicious payloads were delivered via URLs in emails – malicious attachments are obviously a less desirable option.