The Common Attachment Types Filter

The Common Attachment Types Filter is a feature that was rolled out to Exchange Online earlier this year. If you haven’t opened your malware filter for a while, you may not even know this new filter is there!

With this filter, you no longer need to create transport rules to block file types as attachments (for example, .exe, .reg, .bat, etc.). While attachments are always scanned for malware, organizations typically prevent certain file types from entering their environment through email.

If your organization currently uses transport rules to block certain file types, moving that configuration over to the Common Attachment Types Filter can provide benefits such as user notifications and a smaller number of transport rules.

If you were an Exchange Online customer prior to the rollout of this filter, it will be disabled by default. For organizations that signed up for Exchange Online after the filter was rolled out, it is enabled by default.


Enabling and Configuring

The Common Attachment Types Filter can be found in the malware filter. In the Exchange Online portal, browse to Protection, and then Malware Filter.


[Image: malware filter]


In the settings of the malware filter, you will find the Common Attachment Types Filter configuration.


[Image: malware filter settings]


By default, the File Types list will be pre-populated with file extensions that can be dangerous. This list can of course be modified to your heart's content.

With transport rules, it's not possible to strip an attachment while still allowing the message to be delivered. Because the Common Attachment Types Filter is part of the malware filter, this is possible by enabling an end user response.


[Image: malware detection response]


With the above response enabled, if a user receives a message with a file attachment type that is on the filter list, the attachment will be replaced with a text file which contains information about the block. The body of the original message will remain intact and be delivered along with the replacement text file. This is an example of a text file that would replace a stripped attachment.


[Image: text file]


Another benefit is that this is a True-Type filetype filter. This means that we try to detect the file type based on its contents, not just by the extension. For example, if an executable file has its extension renamed from .exe to .txt, it will still be detected as an executable file and stopped.
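The difference between extension matching and content-based detection, as an added Python illustration (not Exchange Online's implementation, which this post does not describe). The block list, the signature table and the sample attachments are all constructed for the demo.

```python
import os

# Assumed block list for this demo; a real policy holds its own list.
BLOCKED_TYPES = {"exe", "reg", "bat"}

# Well-known leading-byte signatures mapped to a type name (demo subset).
SIGNATURES = [
    (b"MZ", "exe"),                                    # DOS/PE executable header
    (b"Windows Registry Editor Version 5.00", "reg"),  # .reg export, v5
    (b"REGEDIT4", "reg"),                              # .reg export, legacy
]

def type_from_extension(filename):
    """Return the lowercased extension without the dot ('' if none)."""
    return os.path.splitext(filename)[1].lstrip(".").lower()

def type_from_content(data):
    """Return a type name if the leading bytes match a known signature."""
    # .reg exports are commonly UTF-16LE with a BOM; normalise before matching.
    if data.startswith(b"\xff\xfe"):
        text = data[2:].decode("utf-16-le", errors="ignore")
        data = text.encode("ascii", errors="ignore")
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None  # no signature (e.g. .bat is plain text and has none)

def verdict(filename, data):
    """Block when the detected content type or the extension is listed."""
    detected = type_from_content(data)
    if detected in BLOCKED_TYPES:
        return ("block", f"content identified as .{detected}")
    ext = type_from_extension(filename)
    if ext in BLOCKED_TYPES:
        return ("block", f"extension .{ext} is listed")
    return ("allow", "no listed type found")

# Constructed sample attachments: name -> first bytes of the file.
SAMPLES = {
    "invoice.txt": b"MZ\x90\x00" + b"\x00" * 60,       # renamed executable
    "notes.txt": b"Meeting moved to 10am\n",           # genuine text
    "setup.bat": b"@echo off\r\n",                     # caught by extension only
    "settings.txt": "\ufeffWindows Registry Editor Version 5.00\r\n".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, verdict(name, head))
```

An extension-only rule would pass `invoice.txt` and `settings.txt`; the content check is what stops them, while `setup.bat` shows why the extension check is still kept for types with no signature.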



If you have been using transport rules to prevent certain attachment types from being sent, I would recommend you check out the Common Attachment Types Filter in the malware filter. There are many benefits from using this filter to block file types as opposed to transport rules.

Please let me know what your thoughts are in the comments below.