Blocking Risky File Types: How Anti-Malware Policies Reduce Everyday Threats


Article summary: Cyberattackers regularly deliver malware through email attachments using file types that look routine: executable files, scripts, macro-enabled documents, and disk images. Blocking the most dangerous of these at the email gateway stops a significant category of threats before they ever reach a user’s inbox. Microsoft 365 includes this capability as part of its baseline protection, but the filter must be deliberately configured to be effective.

A single email attachment can be enough to compromise an entire business.

Cyberattackers continue to rely on malicious file attachments because they exploit a simple reality: most employees expect attachments to be safe. Once the file is opened, it may execute code, run hidden scripts, or download additional malware without the user realizing what’s happening.

Many of these file types have little or no legitimate business purpose in email. Blocking them at the email gateway is a straightforward way to reduce risk. The protection works behind the scenes, requires little day-to-day management, and prevents dangerous files from reaching employee inboxes in the first place.

For cybersecurity that works at the first line of defense, this control belongs in every Microsoft 365 tenant.

Why Certain File Types Are Dangerous

Not all email attachments carry the same risk. A standard PDF or Word document is different from an executable or a Windows script file.

Dangerous email attachments generally fall into a handful of categories.

The first is executable files. These files can run code directly on a computer when opened. Common examples include .exe, .com, .bat, and .cmd files. In most business environments, there is little reason to send or receive these file types through email.

The second category is script files, which are designed to run commands through built-in system tools. Common examples include .js, .vbs, .ps1, and .wsf files. Like executables, they rarely have a legitimate place in routine business email.

Macro-enabled Microsoft Office documents present a different risk. File types such as .xlsm, .docm, and .xlam can contain embedded code that runs when the document is opened, making them a longstanding malware delivery method.

Disk image files, including .iso and .img files, gained popularity among attackers after Microsoft began blocking internet-sourced macros by default in 2022. Because these files mount as virtual drives, they can sometimes evade security controls that focus only on traditional attachments.

Finally, archive files such as .zip and .rar deserve special attention. While often used for legitimate purposes, they can also conceal executables, scripts, and other malicious files inside a compressed package, making threats harder to identify before delivery.

Microsoft’s own threat research, published via the Microsoft Community Hub, confirms that over 50 file types should never arrive through business email. Many organizations receive some of them on a regular basis.

What the Filter Actually Does

Anti-malware attachment filtering intercepts messages before they reach the inbox. An email carrying a blocked file type is either quarantined for review or rejected outright, with an automated notification sent to the original sender.

Well-configured filters use true type detection rather than relying on file name extensions alone. A blocked .exe file renamed to look like a .pdf is detected from the file's actual binary structure, not from what someone decided to call it. This matters because attackers routinely rename dangerous files to look like ordinary documents.

From a user's perspective, when the filter is working correctly, it is invisible. Legitimate attachments arrive normally. Dangerous ones are intercepted before anyone has to decide whether to open them.
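To make the true-typing point concrete, here is an added PowerShell example (not code from the article, and not how Microsoft's filter is implemented) that reads an attachment's leading bytes to learn what it really is, and, for ZIP containers, lists entries that carry the high-risk extensions discussed above or the vbaProject.bin part that marks a macro-enabled Office file. The sample files are constructed in a temporary folder so the script runs offline; the file names, the temp folder and the short signature table are assumptions for the demonstration.

```powershell
# Added example: true-type detection by leading bytes, plus a look inside ZIP containers.
# Not from the article or from Microsoft's filter. Sample files below are constructed.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions the article singles out as executable, script, macro-enabled or disk-image types.
$RiskyExtensions = @('.exe','.com','.bat','.cmd','.js','.vbs','.ps1','.wsf',
                     '.xlsm','.docm','.xlam','.iso','.img')

# Leading-byte signatures ("magic numbers") for a few common container formats (assumed subset).
$Signatures = [ordered]@{
    'MZ executable'        = [byte[]](0x4D,0x5A)             # "MZ": .exe/.dll/.com PE files
    'PDF'                  = [byte[]](0x25,0x50,0x44,0x46)   # "%PDF"
    'ZIP / Office (OOXML)' = [byte[]](0x50,0x4B,0x03,0x04)   # "PK\3\4": .zip, .docx, .xlsm, ...
    'Legacy Office (OLE2)' = [byte[]](0xD0,0xCF,0x11,0xE0)   # .doc/.xls binary formats
}

function Get-TrueFileType {
    param([string]$Path)
    $head = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($head, 0, $head.Length) } finally { $fs.Dispose() }
    foreach ($name in $Signatures.Keys) {
        $sig = $Signatures[$name]
        if ($n -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($head[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $name }
    }
    return 'unknown'
}

function Get-RiskyZipEntries {
    # Returns entry names with a risky extension, or the vbaProject.bin part that
    # distinguishes a macro-enabled OOXML document from a plain .docx/.xlsx.
    param([string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            $ext = [System.IO.Path]::GetExtension($entry.FullName).ToLower()
            if ($RiskyExtensions -contains $ext -or $entry.FullName -like '*vbaProject.bin') {
                $entry.FullName
            }
        }
    } finally { $zip.Dispose() }
}

# --- Constructed samples -----------------------------------------------------
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'attachment-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# "invoice.pdf" whose content is actually an MZ executable header (renamed-file case).
$fake = Join-Path $dir 'invoice.pdf'
[System.IO.File]::WriteAllBytes($fake, [byte[]]([byte[]](0x4D,0x5A,0x90,0x00) + (New-Object byte[] 60)))

# "docs.zip" that hides a script next to a harmless text file (nested-archive case).
$zipPath = Join-Path $dir 'docs.zip'
if (Test-Path $zipPath) { Remove-Item $zipPath }
$archive = [System.IO.Compression.ZipFile]::Open($zipPath, 'Create')
foreach ($name in 'readme.txt','update.js') {
    $writer = New-Object System.IO.StreamWriter($archive.CreateEntry($name).Open())
    $writer.Write('sample content'); $writer.Dispose()
}
$archive.Dispose()

# --- Report: what the name claims versus what the bytes say --------------------
foreach ($f in Get-ChildItem -Path $dir -File) {
    $actual = Get-TrueFileType $f.FullName
    '{0,-12} claims {1,-5} actual: {2}' -f $f.Name, $f.Extension.ToLower(), $actual
    if ($actual -like 'ZIP*') {
        Get-RiskyZipEntries $f.FullName | ForEach-Object { "    risky entry: $_" }
    }
}
```

Two design points worth noting. A header check alone cannot tell a .docx from a .docm, because both are ZIP containers; that is why the archive walk also looks for vbaProject.bin. And the walk only goes one level deep and ignores encrypted entries, which is the same gap the gateway filter has: a password-protected archive has to be handled by a different control.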

How This Works in Microsoft 365

Microsoft 365 includes a Common Attachment Types Filter as part of Exchange Online Protection (EOP), which is included in every Microsoft 365 business plan. The filter comes with a default list of dangerous file extensions. 

According to Active Directory Pro, enabling it requires a deliberate step in the Microsoft Defender portal. In most tenant configurations, the filter is present but not active unless an administrator has turned it on.

The default blocked list covers the highest-risk file types. IT administrators can extend it further: many organizations add .html, .htm, .iso, and certain archive types depending on their environment. 

Knowing what your Microsoft 365 plan includes confirms which protection tiers and policy controls are available to your organization.

What Should Be Blocked and What Requires Judgment

A small number of file types create an outsized security risk in business email. Executable files, batch scripts, and Windows script host files rarely have a legitimate reason to be sent as attachments and should be blocked by default at the email gateway.

Others require more thought. 

Macro-enabled Office files are occasionally used legitimately inside some organizations. Zip archives regularly contain normal business documents but can also carry dangerous files. ISO files are rarely needed as email attachments in most small business environments. The right call depends on what your business actually receives and sends day to day.

The goal is not to block everything. CyberCheck360’s configuration guide for Microsoft 365 anti-malware policies notes that best practice is to block executable and script-based file types unless there is a specific business reason to allow them. That is a smaller list than most people expect, and the operational impact of blocking it is typically minimal.
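The following PowerShell is an added example, not a script from the article, CyberCheck360 or Microsoft. It applies the approach described above to an Exchange Online tenant: it turns on the Common Attachment Types Filter in the default anti-malware policy, adds the executable, script, macro-enabled, disk-image and HTML types discussed in this article to Microsoft's default list, and then creates a narrower policy for one group that legitimately exchanges macro-enabled workbooks. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange Online role that can edit anti-malware policies; the policy names and the group address are placeholders.

```powershell
# Added example (not from the article): configure the Common Attachment Types Filter.
# Assumes the ExchangeOnlineManagement module and sufficient admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Types this article discusses as having little legitimate place in business email.
# EOP stores extensions without the leading dot.
$BlockTypes = @('exe','com','bat','cmd','js','vbs','ps1','wsf',
                'xlsm','docm','xlam','iso','img','html','htm')

# --- 1. Default policy: keep Microsoft's list and add the types above. ---------
$default = Get-MalwareFilterPolicy -Identity Default
$merged  = @($default.FileTypes) + $BlockTypes | Sort-Object -Unique

$defaultSettings = @{
    Identity         = 'Default'
    EnableFileFilter = $true
    FileTypes        = $merged
    FileTypeAction   = 'Quarantine'   # 'Reject' bounces the message with a sender notification instead
    ZapEnabled       = $true          # zero-hour auto purge: remove malware found after delivery
}
Set-MalwareFilterPolicy @defaultSettings

# --- 2. Scoped exception: same list minus macro-enabled types, for one group only. ----
$macroTypes    = @('xlsm','docm','xlam')
$exceptionList = $merged | Where-Object { $macroTypes -notcontains $_ }
$policyName    = 'Finance macro workbooks (placeholder)'

New-MalwareFilterPolicy -Name $policyName `
    -EnableFileFilter $true `
    -FileTypes $exceptionList `
    -FileTypeAction 'Quarantine' `
    -ZapEnabled $true

# Malware filter rules scope a policy by recipient, not by sender; priority 0 wins over Default.
New-MalwareFilterRule -Name $policyName `
    -MalwareFilterPolicy $policyName `
    -SentToMemberOf 'finance-team@example.com' `
    -Priority 0

# --- 3. Confirm what is now in force. -----------------------------------------
Get-MalwareFilterPolicy | Select-Object Name, EnableFileFilter, FileTypeAction,
    @{ n = 'TypeCount'; e = { @($_.FileTypes).Count } }
Get-MalwareFilterRule | Select-Object Name, Priority, MalwareFilterPolicy, SentToMemberOf

Disconnect-ExchangeOnline -Confirm:$false
```

Because a malware filter rule matches on recipients, the exception policy applies to every message addressed to members of that group, including mail from outside the organization. Keep such a policy as close to the default as possible (here it still blocks every executable and script type) and give the group's members the remaining judgment call the article describes.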

What Doesn’t Get Caught (and What Covers That Gap)

Attachment filtering handles file-type threats. It does not inspect the contents of encrypted attachments, and it cannot catch a malicious link in the body of an email. Those require different controls.

Microsoft Defender for Office 365 Safe Attachments, available in higher-tier plans, adds sandbox detonation: suspicious attachments are opened in a protected environment before delivery to confirm they’re safe. Safe Links scans URLs in email body text in real time.

Pairing the attachment filter with strong account security closes the other primary email attack surface. Filtering handles what arrives. Authentication handles who can access what’s already in the inbox.

A One-Time Setup with Lasting Value

Configuring attachment type filtering is not an ongoing project. It takes a short setup session, a quarterly review to confirm policies are still in place, and occasional updates as Microsoft and other security vendors revise their recommendations. For the protection it provides, it is one of the highest-value email security controls a small business can implement.
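For the quarterly review mentioned above, here is an added PowerShell check (not from the article) that reads every anti-malware policy in the tenant and reports whether the file filter is still on and whether the "always block" executable and script types from this article are still on each policy's list. It also flags custom policies that are not bound to an enabled rule, since such a policy applies to nobody. It assumes an existing Exchange Online session opened with Connect-ExchangeOnline; the required-types list is the article's and can be extended.

```powershell
# Added example (not from the article): quarterly baseline check of anti-malware policies.
# Assumes Connect-ExchangeOnline has already been run in this session.
$CoreTypes = @('exe','com','bat','cmd','js','vbs','ps1','wsf')   # the article's "block by default" set

function Test-MalwarePolicyBaseline {
    param([string[]]$RequiredTypes = $CoreTypes)
    foreach ($p in Get-MalwareFilterPolicy) {
        $have    = @($p.FileTypes) | ForEach-Object { $_.ToLower() }
        $missing = @($RequiredTypes | Where-Object { $have -notcontains $_ })
        [pscustomobject]@{
            Policy           = $p.Name
            FileFilterOn     = [bool]$p.EnableFileFilter
            Action           = $p.FileTypeAction
            MissingCoreTypes = ($missing -join ',')
            Compliant        = ([bool]$p.EnableFileFilter -and $missing.Count -eq 0)
        }
    }
}

$report = Test-MalwarePolicyBaseline
$report | Format-Table -AutoSize

# A custom policy is inert unless an enabled malware filter rule points at it.
$bound = @(Get-MalwareFilterRule |
           Where-Object { $_.State -eq 'Enabled' } |
           ForEach-Object { $_.MalwareFilterPolicy })
$report |
    Where-Object { $_.Policy -ne 'Default' -and $bound -notcontains $_.Policy } |
    ForEach-Object { Write-Warning "Policy '$($_.Policy)' has no enabled rule and applies to no one." }

if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Baseline drift detected: at least one policy has the file filter off or is missing core types.'
}
```

Run it as part of the quarterly review and keep the table output with the review record; a drift warning is the signal that someone has edited or replaced a policy since the last check.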

C Solutions IT helps businesses go beyond basic spam filtering by building layered email security designed to stop threats before they reach employee inboxes.

If you’d like to review your current email security settings or identify gaps in your existing protections, contact C Solutions IT at csolutionsit.com/contact.

Article FAQs

What is an anti-malware attachment filter?

An anti-malware attachment filter is a policy-based control applied at the email gateway that intercepts messages containing dangerous file types before they reach the recipient’s inbox. In Microsoft 365, the Common Attachment Types Filter performs this function, blocking or quarantining emails that carry executable files, scripts, macro-enabled documents, and other high-risk attachment types.

What file types are most dangerous in email attachments?

The highest-risk file types include executable files (.exe, .com, .bat, .cmd), script files (.js, .vbs, .ps1, .wsf), macro-enabled Office documents (.xlsm, .docm, .xlam), disk image files (.iso, .img), and certain archive formats (.zip, .rar) that can contain any of the above. Most of these have no routine legitimate use as email attachments in standard business communication.

Is the Common Attachment Types Filter enabled in Microsoft 365 by default?

No. The filter is included in Exchange Online Protection, which comes with every Microsoft 365 business plan, but it is not active by default in most tenant configurations. An administrator needs to enable it in the Microsoft Defender portal and configure the list of blocked file types. Once enabled, it runs automatically for all inbound email without any action required from end users.

Does blocking risky file types affect legitimate business email?

For most small businesses, the impact on legitimate email is minimal. The highest-risk file types have almost no routine business purpose as email attachments. Most legitimate file sharing uses PDFs, standard Office documents, images, and common archive formats, which are not affected by the default blocked list. If a specific business need requires sending a normally blocked file type internally, that can be accommodated through policy exceptions while keeping external filtering in place.