How to reduce malware threats through file attachment blocking in Exchange Online Protection

Original KB number: 2959596


Most malware that enters an environment through email does so through an executable payload that's attached to an email message.

To reduce your risk from malware that may not be detected by Exchange Online Protection, you should enable file type blocking and file name extension blocking. This article describes how to do this.


To create a rule to block attachments that contain executable content in Exchange Online Protection, follow these steps:

  1. Sign in to the Exchange admin center.
  2. Select mail flow, select rules, select New, and then select Create a new rule.
  3. In the Name box, specify a name for the rule, and then select More options.
  4. Under Apply this rule if, point to Any attachment, and then select has executable content near the bottom of the page.
  5. Under Do the following, point to Block the message, and then select the action that you want.
  6. Select save.

Screenshot of the Exchange admin center showing an example rule.

The system automatically detects file types by inspecting file properties rather than the actual file name extension. This helps prevent attackers from bypassing mail flow rule filtering by renaming a file extension. For more information, see Use mail flow rules to inspect message attachments in Exchange Online.
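The following Python sketch illustrates why content-based detection is not defeated by renaming. It is an added example, not Microsoft's implementation and not part of the original article. The signature table, the function names, and the sample message are assumptions constructed for the illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, deliberately small signature table (leading bytes -> label).
# Short signatures such as "MZ" can false-positive; real filters check more.
MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
}

def sniff(payload: bytes):
    """Return a label if the content starts with a known executable signature."""
    for magic, label in MAGIC.items():
        if payload.startswith(magic):
            return label
    return None

def find_executable_attachments(raw: bytes):
    """Return (filename, label) for each MIME leaf part with executable content."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        data = part.get_payload(decode=True) or b""
        label = sniff(data)
        if label:
            # The declared name and MIME type are reported but never trusted.
            hits.append((part.get_filename() or "<unnamed>", label))
    return hits

def build_sample() -> bytes:
    """Constructed message: a PE-style stub named invoice.pdf plus a text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment("quarterly notes\n", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, label in find_executable_attachments(build_sample()):
        print(f"BLOCK {name}: content is {label}")
```

The attachment named invoice.pdf is flagged because its leading bytes match an executable signature, while notes.txt passes. A filter that matched only on the file name extension would have let both through.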

More information

Microsoft is continually updating its virus definition catalog based on submissions. However, to provide customers with the most immediate and effective defense, a file filter block policy is critical.

For more information about malware defense practices and strategies, see the following Microsoft resources:
