Therefore, to protect its users from malicious scripts and executables, Microsoft is planning to blacklist 38 additional file extensions, adding them to the list of file extensions that are blocked from being downloaded as attachments in Outlook on the Web.
Previously known as Outlook Web Application or OWA, "Outlook on the Web" is Microsoft's web-based email client for users to access their emails, calendars, tasks and contacts from Microsoft's on-premises Exchange Server and cloud-based Exchange Online.
The list of blocked file extensions currently has 104 entries, including .exe, .url, .com, .cmd, .asp, .lnk, .js, .jar, .tmp, .app, .isp, .hlp, .pif, .msi, .msh, and more.
Now, an upcoming update will expand the block list with 38 new extensions, preventing Outlook on the Web users from downloading attachments that have any of these 142 file extensions unless an Outlook or Microsoft Exchange Server administrator has deliberately whitelisted one of them by removing it from the BlockedFileTypes list.
"We're always evaluating ways to improve security for our customers, and so we took the time to audit the existing blocked file list and update it to better reflect the file types we see as risks today," Microsoft says in a blog post.
"The newly blocked file types are rarely used, so most organizations will not be affected by the change. However, if your users are sending and receiving affected attachments, they will report that they are no longer able to download them."
Here are the new file extensions added to the BlockedFileTypes list:
- File extensions used by the Python scripting language: ".py", ".pyc", ".pyo", ".pyw", ".pyz", ".pyzw"
- Extensions used by the PowerShell scripting language: ".ps1", ".ps1xml", ".ps2", ".ps2xml", ".psc1", ".psc2", ".psd1", ".psdm1", ".psd1", ".psdm1"
- Extensions used for digital certificates: ".cer", ".crt", ".der"
- Extensions used by the Java programming language: ".jar", ".jnlp"
- Extensions used by various applications: ".appcontent-ms", ".settingcontent-ms", ".cnt", ".hpj", ".website", ".webpnp", ".mcf", ".printerexport", ".pl", ".theme", ".vbp", ".xbap", ".xll", ".xnk", ".msu", ".diagcab", ".grp"
Microsoft writes that while the vulnerabilities associated with the various applications have been patched, "they are being blocked for the benefit of organizations that might still have older versions of the application software in use."
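For an administrator who wants to check an Outlook on the Web mailbox policy against the list above (for example on an on-premises Exchange Server where the update has not yet landed), the following PowerShell audit is an added example, not code from the article or from Microsoft. It assumes an Exchange Management Shell or Exchange Online PowerShell session where the real Get-OwaMailboxPolicy and Set-OwaMailboxPolicy cmdlets are available, and it assumes the policy is named "Default"; the policy name and the -Apply switch are this example's own choices.

```powershell
# Added example (not from the article or Microsoft): audit an Outlook on the Web
# mailbox policy against the newly listed extensions and, only with -Apply, add
# the ones that are missing. Without -Apply the script only reports.
param(
    [string] $PolicyName = "Default",   # assumed policy name; Exchange Online often uses "OwaMailboxPolicy-Default"
    [switch] $Apply
)

# The extensions from the article. Microsoft listed .psd1 and .psdm1 twice;
# each appears once here, and Sort-Object -Unique guards against further repeats.
$NewBlocked = @(
    ".py", ".pyc", ".pyo", ".pyw", ".pyz", ".pyzw",
    ".ps1", ".ps1xml", ".ps2", ".ps2xml", ".psc1", ".psc2", ".psd1", ".psdm1",
    ".cer", ".crt", ".der",
    ".jar", ".jnlp",
    ".appcontent-ms", ".settingcontent-ms", ".cnt", ".hpj", ".website", ".webpnp",
    ".mcf", ".printerexport", ".pl", ".theme", ".vbp", ".xbap", ".xll", ".xnk",
    ".msu", ".diagcab", ".grp"
) | Sort-Object -Unique

$policy  = Get-OwaMailboxPolicy -Identity $PolicyName
$current = @($policy.BlockedFileTypes)

# -notcontains is case-insensitive in PowerShell, so ".PY" and ".py" match.
$missing = $NewBlocked | Where-Object { $current -notcontains $_ }

# An entry on the allow list is how an administrator deliberately reopens a
# file type, so any of the new extensions found there deserve a review.
$alsoAllowed = $NewBlocked | Where-Object { $policy.AllowedFileTypes -contains $_ }

"Policy '$PolicyName': $($current.Count) blocked types; $($missing.Count) of the newly listed extensions are not yet blocked."
if ($missing)     { "Not blocked: $($missing -join ', ')" }
if ($alsoAllowed) { "Also present in AllowedFileTypes (review): $($alsoAllowed -join ', ')" }

if ($Apply -and $missing) {
    # Multivalued-property syntax: @{Add=...} appends to the existing list
    # instead of replacing it, so the current 104 entries are preserved.
    Set-OwaMailboxPolicy -Identity $PolicyName -BlockedFileTypes @{Add = $missing}
    "Added $($missing.Count) extension(s) to BlockedFileTypes on '$PolicyName'."
}
```

Run it once without -Apply to see the gap, then with -Apply to close it; because @{Add=...} is used rather than assigning a whole new array, nothing already on the block list is removed, which is the failure mode to avoid when editing a multivalued Exchange property.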
"Security of our customer's data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we're doing and why," the company says.
Google, the largest email provider, likewise maintains a list of blocked file extensions that the company considers harmful to Gmail users, preventing them from attaching or downloading certain types of files.
These blocked file extensions include .ade, .adp, .apk, .appx, .appxbundle, .bat, .cab, .chm, .cmd, .com, .cpl, .dll, .dmg, .exe, .hta, .ins, .isp, .iso, .jar, .js, .jse, .lib, .lnk, .mde, .msc, .msi, .msix, .msixbundle, .msp, .mst, .nsh, .pif, .ps1, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh.