News for Outlook on the web users who regularly email attachments: Microsoft is about to put another 38 file extensions on its too risky to receive blocklist.
Once there – implemented through Outlook’s BlockedFileTypes filter – Outlook for the web recipients will no longer be able to receive attachments using these extensions.
Microsoft already restricts 104 file extensions and, in truth, the 38 added to this list aren’t ones most Outlook for the web users will have need to send often, assuming they’ve heard of some of them at all.
The better-known extensions on the latest list are:
.py, .pyc, .pyo, .pyw, .pyz, .pyzw
.ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .psd1, .psdm1, .cdxml, .pssc
Digital certificates –
.cer, .crt, .der
And some less well-known ones:
Windows ClickOnce –
Microsoft Data Access Components (MDAC) –
Windows sandbox –
Vulnerable legacy applications –
.appcontent-ms, .settingcontent-ms, .cnt, .hpj, .website, .webpnp, .mcf, .printerexport, .pl, .theme, .vbp, .xbap, .xll, .xnk, .msu, .diagcab, .grp
The reason for the move is security. Attachments, including obscure ones, have long been a popular technique for sneaking malware past inbox security checks when widely used extensions such
Outlook’s 142-strong blocklist opens even more clear water between itself and Google whose current Gmail GSuite blocklist contains only the following 44 extensions:
.ade, .adp, .apk, .appx, .appxbundle, .bat, .cab, .chm, .cmd, .com, .cpl, .dll, .dmg, .exe, .hta, .ins, .isp, .iso, .jar, .js, .jse, .lib, .lnk, .mde, .msc, .msi, .msix, .msixbundle, .msp, .mst, .nsh, .pif, .ps1, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh
The restriction on Java
.jse having been implemented as recently as February 2017.
What happens if there is a genuine need to receive files with a banned extension?
Assuming the sender and recipient aren’t able to use a different email system, the easiest way is for Office 365, Exchange Server, or Exchange Online admins to allowlist specific extensions.
In a strange anomaly, one file extension not on the blocklist is
.ace, a compressed WinRAR file format which earlier this year was discovered to have a 19-year-old flaw (CVE-2018-20250) cybercriminals had started exploiting.
Although not discovered by Microsoft, the company was prominent in warning users about the threat posed by malicious files using this file extension.
It’s true that admins can configure Exchange/Outlook to block this extension, but wouldn’t it have been easier to do it by default?