Turn on malware protection for your business
From the Microsoft 365 admin center, choose Show more, Admin centers, and then Security & Compliance.
Choose Threat management, and then Policy.
From the policies available, choose Anti-malware.
On the Anti-malware page, double-click the Default policy to open it, and then choose settings.
Under Common Attachment Types Filter, choose On to block sending and receiving of the file types in the list.
Optionally, add or remove file types from the File Types list.
To receive a notification every time a message containing one of these file types is blocked, select the two check boxes under Administrator Notifications and enter your email address for both.
To customize the message that is sent when a file type is blocked, select Use customized notification text and fill in the required fields.
If you want to add another policy, choose the plus (+) sign at the top of the Anti-malware page, and then repeat these steps.