Updates:
- May 2, 2022: We will also be blocking .application, .bgi, .img, .iso and .cab starting with end of May 2022
- March 6, 2020: We will also be blocking .apk and .appx beginning April 2020.
We will soon be adding several additional file extensions to the BlockedFileTypes property of existing OwaMailboxPolicy objects. This change will prevent Outlook on the web users from downloading attachments that have those file extensions.
Why are we making this change?
We’re always evaluating ways to improve security for our customers, and so we took the time to audit the existing blocked file list and update it to better reflect the file types we see as risks today.
How does this affect me?
The newly blocked file types are rarely used, so most organizations will not be affected by the change. However, if your users are sending and receiving affected attachments, they will report that they are no longer able to download them.
How can I prepare for this change?
If your organization requires that users be able to download attachment of these types from OWA, you should first ensure that our organization's operating systems and application software are up-to-date (in the case files that are opened by application software) or ensure that your users are familiar with the risks associated with the file types (in the case of files that are interpreted by scripting software).
If you want a particular file type to be allowed, you can add that file type to the AllowedFileTypes property of your users' OwaMailboxPolicy objects.
Note: In order to minimize disruption from this change, we will not add a file extension to a policy's BlockedFileTypes list if that extension is already present in the AllowedFileTypes list.
To add a file extension to the AllowedFileTypes list:
$policy = Get-OwaMailboxPolicy [policy name]
$allowedFileTypes = $policy.AllowedFileTypes
$allowedFileTypes.Add(".foo")
Set-OwaMailboxPolicy $policy -AllowedFileTypes $allowedFileTypes
Or if you want (brought to you as part of the service that tries to teach you clever shortcuts) you can use:
Set-OwaMailboxPolicy -Identity "<Policy Name>" -AllowedFileTypes @{Add=".foo"}
If you wish to remove any extension from BlockedFileTypes list in the future:
$policy = Get-OwaMailboxPolicy [policy name]
$blockedFileTypes = $policy.BlockedFileTypes
$blockedFileTypes.Remove(".foo")
Set-OwaMailboxPolicy $policy -BlockedFileTypes $blockedFileTypes
Again, or:
Set-OwaMailboxPolicy -Identity "<Policy Name>" -BlockedFileTypes @{Remove=".foo"}
In order to determine which OwaMailboxPolicy object governs a particular user's Outlook on the Web experience, run the following commands:
$casMailbox = Get-CasMailbox [email address]
$casMailbox.OwaMailboxPolicy
What file extensions will be added to the BlockedFileTypes list with this change?
- Extensions used by the Python scripting language: ".py", ".pyc", ".pyo", ".pyw", ".pyz", ".pyzw"
- Extensions used by the PowerShell scripting language: ".ps1", ".ps1xml", ".ps2", ".ps2xml", ".psc1", ".psc2", ".psd1", ".psdm1", “.cdxml”, “.pssc”
- Extension used by Windows ClickOnce: “.appref-ms”
- Extension used by Microsoft Data Access Components (MDAC): “.udl”
- Extension used by the Windows sandbox: “.wsb”
- Extensions used for digital certificates: ".cer", ".crt", ".der"
- Extensions used by the Java programming language: ".jar", ".jnlp"
- Extensions used by various applications. While the associated vulnerabilities have been patched (for years, in most cases), they are being blocked for the benefit of organizations that might still have older versions of the application software in use: ".appcontent-ms", ".settingcontent-ms", ".cnt", ".hpj", ".website", ".webpnp", ".mcf", ".printerexport", ".pl", ".theme", ".vbp", ".xbap", ".xll", ".xnk", ".msu", ".diagcab", ".grp"
Security of our customers' data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we’re doing and why.
The Exchange Team
You Had Me at EHLO.