steven36 Posted September 26, 2019

Microsoft will soon be blocking an additional 38 file extensions from being downloaded as attachments in Outlook on the Web in order to protect users from malicious files. These additional extensions include files used by Java, PowerShell, Python, and various vulnerabilities.

Users of Outlook on the Web are blocked from downloading attachments if they have certain extensions in order to protect them from malicious scripts and executables.

The current list of 104 blocked file extensions is:

.ade, .adp, .app, .asp, .bas, .bat, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .diagcab, .exe, .fxp, .gadget, .grp, .hlp, .hpj, .hta, .inf, .ins, .isp, .its, .jar, .jnlp, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .msi, .msp, .mst, .msu, .ops, .osd, .pcd, .pif, .pl, .plg, .prf, .prg, .printerexport, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .theme, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vsmacros, .vsw, .webpnp, .website, .ws, .wsc, .wsf, .wsh, .xbap, .xll, .xnk

In an upcoming update, Microsoft has stated that they will be blocking an additional 38 extensions for additional security in Outlook on the Web.

"Security of our customer’s data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we’re doing and why."

The new extensions that will be blocked are listed below.

Python extensions: .py, .pyc, .pyo, .pyw, .pyz, .pyzw

PowerShell extensions: .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .psd1, .psdm1

Certificate management extensions: .cer, .crt, .der

Java extensions: .jar, .jnlp

Extensions used by vulnerabilities: .appcontent-ms, .settingcontent-ms, .cnt, .hpj, .website, .webpnp, .mcf, .printerexport, .pl, .theme, .vbp, .xbap, .xll, .xnk, .msu, .diagcab, .grp

These extensions are being blocked as they can be used by attackers to install malware, exploit vulnerabilities, or perform other unwanted behavior in Windows when executed.

Preparing for these changes

Microsoft is cognizant that the existing list and the upcoming changes may not work well for organizations that commonly send these types of file attachments. Due to this, Microsoft explains that administrators can manage the "BlockedFileTypes" list by adding and removing extensions from it.

To add an extension to the block list, you can use the following PowerShell commands:

    # Load the policy and take a copy of its AllowedFileTypes collection
    $policy = Get-OwaMailboxPolicy [policy name]
    $allowedFileTypes = $policy.AllowedFileTypes
    # Add ".foo" to that collection and write it back to the policy's AllowedFileTypes property
    $allowedFileTypes.Add(".foo")
    Set-OwaMailboxPolicy $policy -AllowedFileTypes $allowedFileTypes

To remove extensions from the block list, you can use these commands instead:

    # Load the policy and take a copy of its BlockedFileTypes collection
    $policy = Get-OwaMailboxPolicy [policy name]
    $blockedFileTypes = $policy.BlockedFileTypes
    # Remove ".foo" from that collection and write it back to the policy's BlockedFileTypes property
    $blockedFileTypes.Remove(".foo")
    Set-OwaMailboxPolicy $policy -BlockedFileTypes $blockedFileTypes

As always, when it comes to security you should take the most restrictive approach and avoid modifying the BlockedFileTypes list. Instead, send the files that are normally blocked in compressed archives such as a Zip file.
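An added example, not part of the original post or Microsoft's own code: a small audit helper that checks which of the newly announced extensions a policy does not yet block, and which also sit in AllowedFileTypes (per the Set-OwaMailboxPolicy documentation, the allow list overrides the block list). The function name `Compare-OwaExtensionPolicy` is hypothetical and the sample lists are constructed so the block runs without an Exchange session.

```powershell
# Added example: function name and sample values are constructed, not from the post.
function Compare-OwaExtensionPolicy {
    param(
        [string[]]$BlockedFileTypes,    # e.g. $policy.BlockedFileTypes
        [string[]]$AllowedFileTypes,    # e.g. $policy.AllowedFileTypes
        [string[]]$RequiredExtensions   # extensions you expect to be blocked
    )
    # Normalise entries: trim, lower-case, ensure a leading dot, de-duplicate
    $norm = {
        param($list)
        $list | Where-Object { $_ } | ForEach-Object {
            $e = $_.Trim().ToLowerInvariant()
            if ($e.StartsWith('.')) { $e } else { ".$e" }
        } | Sort-Object -Unique
    }
    $blocked  = @(& $norm $BlockedFileTypes)
    $allowed  = @(& $norm $AllowedFileTypes)
    $required = @(& $norm $RequiredExtensions)

    foreach ($ext in $required) {
        $inBlock = $blocked -contains $ext
        $inAllow = $allowed -contains $ext
        # An allow-list entry is reported first because it overrides a block-list entry
        $status = if ($inAllow) { 'AllowListed' } elseif ($inBlock) { 'Blocked' } else { 'NotBlocked' }
        [pscustomobject]@{
            Extension   = $ext
            InBlockList = $inBlock
            InAllowList = $inAllow
            Status      = $status
        }
    }
}

# Constructed sample values. Against Exchange, load the real policy instead:
#   $policy = Get-OwaMailboxPolicy [policy name]
# and pass $policy.BlockedFileTypes and $policy.AllowedFileTypes.
$sampleBlocked = '.exe', '.ps1', '.jar', '.PY'
$sampleAllowed = '.jar', '.foo'
$newlyBlocked  = '.py', '.pyc', '.ps1', '.jar', '.jnlp', '.settingcontent-ms'

# Show only the extensions that would still reach users
Compare-OwaExtensionPolicy -BlockedFileTypes $sampleBlocked `
    -AllowedFileTypes $sampleAllowed -RequiredExtensions $newlyBlocked |
    Where-Object Status -ne 'Blocked' |
    Format-Table -AutoSize
```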