Microsoft

Microsoft Outlook For Web Banned Extensions List To Include 142 Types Of Files Which Regularly Deliver Malware

Microsoft Outlook for the web, the cloud-based email and productivity organization platform, has a comprehensive list of banned file types, and the list is about to grow even longer. Formerly known as Outlook Web Access or OWA, the platform’s banned file extension list will soon have 38 new entries, in addition to the 104 preexistent ones.

Microsoft has determined that these new file types are being increasingly used to launch malware attacks. Incidentally, Outlook/Exchange administrators can still override the restrictions and whitelist the file extensions through a special configuration.

Microsoft Outlook For Web Banned Extensions List Gets 38 New File Types That Deliver Malware To Inboxes:

‘Outlook for the Web’ is a web-based or cloud-dependent email client that Microsoft created as an alternative to the older Outlook desktop app. It is the default email and communications platform within Microsoft’s Office 365 and Exchange Online subscription services. The always-on email platform is also included within Exchange email servers that many organizations. In other words, Outlook for the Web can also work with self-hosted, on-premise Exchange email servers. Confirming the new additions through the official blog, Microsoft said,

“We will soon be adding several additional file extensions to the BlockedFileTypes property of existing OwaMailboxPolicy objects. This change will prevent Outlook on web users from downloading attachments that have those file extensions.”

What this basically means is that users won’t be able to download any of these types of files from their inboxes. Files having the extensions that are part of the banned extension list could appear greyed out and blocked automatically. However, there is a way for organizations that rely on these file types. Outlook/Exchange administrators have the right quickly “Whitelist” the blacklisted file extensions. They can do so by adding that file type to the AllowedFileTypes property of users’ OwaMailboxPolicy objects. Microsoft adds that in order to, “minimize disruption from this change, we will not add a file extension to a policy’s BlockedFileTypes list if that extension is already present in the AllowedFileTypes list.”

The 38 new file extensions that will soon be banned in Outlook for the web include:

Java files: “.jar”, “.jnlp”

Python files: “.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz”, “.pyzw”

PowerShell files: “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.psd1”, “.psdm1”

Digital certificates: “.cer”, “.crt”, “.der”

Files used to exploit vulnerabilities in third-party software: “.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab”, “.grp”

The complete list of banned file extensions can be accessed through this link. Microsoft hasn’t confirmed exactly when it will be adding the 38 new file types to the banned extensions list, choosing to say that the amendments will happen “soon”.

Interestingly, Microsoft claims that these files aren’t used regularly. “The newly blocked file types are rarely used, so most organizations will not be affected by the change,” noted the company while making the announcement. However, the primary reason for banning these file extensions is that they are being actively used to deliver malware.

How To Whitelist Blacklisted File Types That Are Part Of Banned Extensions In Outlook:

Microsoft offers a few simple or multiple methods to add a file extension to the AllowedFileTypes list.

Method 1:

$policy = Get-OwaMailboxPolicy [policy name]

$allowedFileTypes = $policy.AllowedFileTypes

$allowedFileTypes.Add(“.foo”)

Set-OwaMailboxPolicy $policy -AllowedFileTypes $allowedFileTypes

Alternate Method:

There’s even a simple shortcut to achieve the same results:

Set-OwaMailboxPolicy -Identity “<Policy Name>” -BlockedFileTypes @{Add=”.foo”}


Leave a Reply

Your email address will not be published.

Close