Microsoft bans 38 file extensions in Outlook for the Web

Banned file types include Java, Python, and PowerShell extensions.


Microsoft plans to expand the list of file extensions that are banned in Outlook for the web (previously known as Outlook Web Access, or OWA).

The list, which previously included 104 file extensions, will be expanded "soon" with 38 new entries.

These new entries are file types that are regularly used to deliver malware to Outlook inboxes.

Once added to the list of blocked file extensions, users won't be able to download any of these types of files from their inboxes -- unless the Outlook/Exchange administrator has whitelisted a particular file extension on purpose, using a special config.

"The newly blocked file types are rarely used, so most organizations will not be affected by the change," the Microsoft Exchange team said in an announcement yesterday.

The 38 new file extensions that will soon be banned in Outlook for the web include:

  • Java files: ".jar", ".jnlp"
  • Python files: ".py", ".pyc", ".pyo", ".pyw", ".pyz", ".pyzw"
  • PowerShell files: ".ps1", ".ps1xml", ".ps2", ".ps2xml", ".psc1", ".psc2", ".psd1", ".psdm1", ".psd1", ".psdm1"
  • Digital certificates: ".cer", ".crt", ".der"
  • Files used to exploit vulnerabilities in third-party software: ".appcontent-ms", ".settingcontent-ms", ".cnt", ".hpj", ".website", ".webpnp", ".mcf", ".printerexport", ".pl", ".theme", ".vbp", ".xbap", ".xll", ".xnk", ".msu", ".diagcab", ".grp"

The list of 104 file types that Microsoft is currently blocking in Outlook for the web is available here. Microsoft didn't say when the 38 new file types will be added to the Outlook ban list, but only said the change was coming "soon."

"Outlook for the web" is a web-based email client that Microsoft created as an alternative to the older Outlook desktop app.

It's included in Microsoft's Office 365 and Exchange Online subscription services, but also ships with self-hosted, on-premises Exchange email servers.

Administrators of Office 365, Exchange Online, or Exchange Server systems can whitelist any of the 142 blocked file extensions by following the steps listed on this page.
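
Because any of these extensions can be whitelisted per policy, it is worth auditing which policies carve out exceptions for the newly banned types. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes policy objects with the `Name`, `AllowedFileTypes` and `BlockedFileTypes` properties that `Get-OwaMailboxPolicy` returns, and the function name and sample policies are constructed for illustration.

```powershell
# Extensions from the article's list of 38 (it repeats '.psd1' and '.psdm1',
# so there are 36 unique values).
$NewlyBlocked = @(
    '.jar', '.jnlp',
    '.py', '.pyc', '.pyo', '.pyw', '.pyz', '.pyzw',
    '.ps1', '.ps1xml', '.ps2', '.ps2xml', '.psc1', '.psc2', '.psd1', '.psdm1',
    '.cer', '.crt', '.der',
    '.appcontent-ms', '.settingcontent-ms', '.cnt', '.hpj', '.website', '.webpnp',
    '.mcf', '.printerexport', '.pl', '.theme', '.vbp', '.xbap', '.xll', '.xnk',
    '.msu', '.diagcab', '.grp'
)

# Hypothetical helper: reports every watched extension that a policy does NOT
# effectively block, either because it is allowed or because it is not listed.
function Get-OwaExtensionException {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        [string[]] $Watchlist = $NewlyBlocked
    )
    begin {
        $watch = $Watchlist | ForEach-Object { $_.Trim().ToLowerInvariant() } |
            Select-Object -Unique
    }
    process {
        # Normalise case and whitespace so '.PY' and '.py' compare equal.
        $allowed = @($Policy.AllowedFileTypes) | ForEach-Object { "$_".Trim().ToLowerInvariant() }
        $blocked = @($Policy.BlockedFileTypes) | ForEach-Object { "$_".Trim().ToLowerInvariant() }
        foreach ($ext in $watch) {
            # Check the allow list first: an extension whitelisted by an admin
            # stays downloadable even when it also appears in the block list.
            $status = if ($allowed -contains $ext) { 'Allowed' }
                      elseif ($blocked -contains $ext) { 'Blocked' }
                      else { 'NotListed' }
            if ($status -ne 'Blocked') {
                [pscustomobject]@{ Policy = $Policy.Name; Extension = $ext; Status = $status }
            }
        }
    }
}

# Constructed sample policies so the script runs without an Exchange session.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Constructed-Default'; AllowedFileTypes = @('.png', '.PY')
                       BlockedFileTypes = $NewlyBlocked + '.exe' }
    [pscustomobject]@{ Name = 'Constructed-Legacy'; AllowedFileTypes = @('.png')
                       BlockedFileTypes = @('.exe', '.jar') }
)
$samplePolicies | Get-OwaExtensionException | Format-Table -AutoSize
```

In an Exchange management session, replace `$samplePolicies` with the output of `Get-OwaMailboxPolicy`; rows marked `Allowed` are deliberate exceptions to review, and `NotListed` rows show policies that have not yet picked up the new entries.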