Outlook Web App Blocks 38 More File Extensions in Email Attachments


Malware can infect a PC in many different ways, but one of the best-known delivery techniques is an infected file attached to an email, which spreads the malware to your computer when the email is opened.

To protect its users from malicious scripts and executable files, Microsoft is planning to blacklist 38 more file extensions by adding them to its list of file extensions that cannot be downloaded as attachments in Outlook Web App.

Earlier known as Outlook Web App or OWA, “Outlook on the Web” is Microsoft’s web-based email client, which lets users connect to their email, calendars, tasks and contacts from Microsoft’s on-premises Exchange Server and cloud-based Exchange Online.

The list of blocked file extensions as of now has 104 entries, including .exe, .url, .com, .cmd, .asp, .lnk, .js, .jar, .tmp, .app, .isp, .hlp, .pif, .msi, .msh, and more.

An upcoming update will add 38 new extensions to the block list, stopping Outlook Web App users from downloading attachments that have any of these 142 file extensions, unless an Outlook or Microsoft Exchange Server administrator has deliberately whitelisted an extension by removing it from the BlockedFileTypes list.

“We’re always evaluating ways to improve security for our customers, and so we took the time to audit the existing blocked file list and update it to better reflect the file types we see as risks today,” Microsoft says in a blog post.


“The newly blocked file types are rarely used, so most organizations will not be affected by the change. However, if your users are sending and receiving affected attachments, they will report that they are no longer able to download them.”

Have a look at the new file extensions added to the BlockedFileTypes list:

  • File extensions used by the Python scripting language: “.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz”, “.pyzw”
  • Extensions used by the PowerShell scripting language: “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”
  • Extensions used for digital certificates: “.cer”, “.crt”, “.der”
  • Extensions used by the Java programming language: “.jar”, “.jnlp”
  • Extensions used by various applications: “.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab”, “.grp”
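
For administrators, an audit along the following lines shows which of the listed extensions a given OWA mailbox policy does not actually block. This is an added example, not code from Microsoft or from the original article; the function name `Test-OwaAttachmentPolicy` and the sample policy are hypothetical, and the script relies on the `BlockedFileTypes` and `AllowedFileTypes` properties returned by `Get-OwaMailboxPolicy`, where Microsoft's cmdlet documentation states that the Allow list overrides the Block list.

```powershell
# Added example: report extensions from this article that a policy does NOT block.
# Extension list copied from the article above.
$NewlyBlocked = @(
    '.py', '.pyc', '.pyo', '.pyw', '.pyz', '.pyzw',
    '.ps1', '.ps1xml', '.ps2', '.ps2xml', '.psc1', '.psc2', '.psd1', '.psdm1',
    '.cer', '.crt', '.der', '.jar', '.jnlp',
    '.appcontent-ms', '.settingcontent-ms', '.cnt', '.hpj', '.website', '.webpnp',
    '.mcf', '.printerexport', '.pl', '.theme', '.vbp', '.xbap', '.xll', '.xnk',
    '.msu', '.diagcab', '.grp'
)

function Test-OwaAttachmentPolicy {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        [string[]] $Extensions = $NewlyBlocked
    )
    process {
        # -contains compares strings case-insensitively, so '.PS1' matches '.ps1'.
        $blocked = @($Policy.BlockedFileTypes)
        $allowed = @($Policy.AllowedFileTypes)
        foreach ($ext in $Extensions) {
            $status = 'NotListed'                                  # removed from, or never in, the block list
            if ($blocked -contains $ext) { $status = 'Blocked' }
            if ($allowed -contains $ext) { $status = 'Allowed' }   # Allow list overrides Block list
            if ($status -ne 'Blocked') {
                [pscustomobject]@{
                    Policy    = $Policy.Name
                    Extension = $ext
                    Status    = $status
                }
            }
        }
    }
}

# Constructed sample standing in for Get-OwaMailboxPolicy output, so the script runs offline:
# '.xll' has been removed from the block list and '.ps1' is on both lists.
$sample = [pscustomobject]@{
    Name             = 'Example-Policy'
    BlockedFileTypes = @($NewlyBlocked | Where-Object { $_ -ne '.xll' })
    AllowedFileTypes = @('.pdf', '.PS1')
}
$sample | Test-OwaAttachmentPolicy | Format-Table -AutoSize

# In an Exchange management session: Get-OwaMailboxPolicy | Test-OwaAttachmentPolicy
```

Any row in the output is an extension that users under that policy can still download, either because it was whitelisted on purpose or because the policy has not yet received the updated list.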

Microsoft said that although the vulnerabilities associated with several of these applications have been patched, “they are being blocked for the benefit of organizations that might still have older versions of the application software in use.”

“Security of our customer’s data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we’re doing and why,” the company says.

Just like Microsoft, Google, the largest email provider, also maintains a list of blocked file extensions that it considers harmful to its Gmail users, restricting them from attaching or downloading certain types of files.

These blacklisted files include .ade, .adp, .apk, .appx, .appxbundle, .bat, .cab, .chm, .cmd, .com, .cpl, .dll, .dmg, .exe, .hta, .ins, .isp, .iso, .jar, .js, .jse, .lib, .lnk, .mde, .msc, .msi, .msix, .msixbundle, .msp, .mst, .nsh, .pif, .ps1, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh.
