Security Experts:

Microsoft Expands List of Blocked File Types in Outlook on the Web

Microsoft this week announced plans to add some new file extensions to the list of file types that are blocked in Outlook on the web.

When the change will be operated, it will immediately result in Outlook on the web users no longer being allowed to download attachments that have those file extensions, the tech giant explains.

The newly blocked file types, Microsoft claims, are rarely used, which means that the modification will have no impact on most organizations.

File types affected by the change include ones used by programing languages: ".py", ".pyc", ".pyo", ".pyw", ".pyz", ".pyzw" (all used by Python); ".ps1", ".ps1xml", ".ps2", ".ps2xml", ".psc1", ".psc2", ".psd1", ".psdm1", ".psd1", ".psdm1", “.cdxml” and “.pssc” (all used by PowerShell); and ".jar" and ".jnlp" (both used by Java).

Moreover, the tech giant will block “.appref-ms” (used by Windows ClickOnce), “.udl” (Microsoft Data Access Components (MDAC)), “.wsb” (Windows sandbox), and ".cer", ".crt" and ".der" (used by digital certificates).

Microsoft also decided to block ".appcontent-ms", ".settingcontent-ms", ".cnt", ".hpj", ".website", ".webpnp", ".mcf", ".printerexport", ".pl", ".theme", ".vbp", ".xbap", ".xll", ".xnk", ".msu", ".diagcab" and ".grp". These are used by various applications and, while associated flaws have been patched, some organizations might still use older versions of the software.

Provided that users do complain about their inability to download those file types and that the organization wants to allow for the use of a particular file type, admins will have the option to add specific extensions to the AllowedFileTypes property of users' OwaMailboxPolicy objects.

“If your organization requires that users be able to download attachment of these types from OWA, you should first ensure that our organization's operating systems and application software are up-to-date (in the case files that are opened by application software) or ensure that your users are familiar with the risks associated with the file types (in the case of files that are interpreted by scripting software),” Microsoft explains.

The company also explains that if a file extension is already present in the AllowedFileTypes list, it won’t be added to a policy's BlockedFileTypes list.

“Security of our customer’s data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we’re doing and why,” Microsoft says.

Related: U.S. Cyber Command Warns of Outlook Flaw Exploited by Iranian Hackers

Related: Turla Backdoor Controlled via Email Attachments

Related: Microsoft Patches Over 90 Vulnerabilities With August 2019 Updates

view counter