Microsoft Outlook to Block More Risky Attachments: What It Means for Microsoft 365 Security

Microsoft has announced that Outlook will block over 20 additional risky attachment types in an upcoming update—closing a long-standing gap in email-based threat protection. These new restrictions reflect an evolution in attacker behavior, and Managed Service Providers (MSPs) supporting Microsoft 365 tenants must move quickly to adapt.

⚠️ Why Microsoft Is Expanding Attachment Blocks

Attackers have increasingly abused uncommon file extensions to deliver malware, often bypassing traditional security layers.

Newly blocked types include:

  • .iso, .img, .vhd – Virtual disk formats often used to bypass traditional scanners
  • .xll – Malicious Excel add-ins used for lateral movement and code execution
  • .wsf, .hta, .cpl, .jse – Script engines leveraged in phishing campaigns

These formats are rarely used for legitimate purposes in most organizations but are common in current malware campaigns.

📌 Key Risks for Microsoft 365 Tenants

  1. Mailbox Compromise via Non-Standard Attachments
    These file types often evade basic filters and rely on user interaction. If one user opens a malicious file, account takeover or ransomware can follow.

  2. Inconsistent Policy Rollout Across Tenants
    Microsoft’s update may not apply uniformly to all M365 configurations—especially those using legacy or hybrid setups.

  3. False Assumptions of Protection
    Many admins assume “Microsoft blocks this by default.” In reality, Safe Attachments, Zero-hour Auto Purge, and Transport Rules must be explicitly configured and monitored.

🧰 What MSPs Should Do Immediately

1. Audit Existing Mail Flow Rules

Check for rules allowing attachment passthrough or overrides. Block the newly listed types manually until the global rollout completes.

# Example: Blocking .iso and .xll via transport rules
# Match on the attachment's file extension: the message-level Content-Type
# header does not carry the MIME type of individual attachments.
New-TransportRule -Name "Block Dangerous Attachments" `
  -AttachmentExtensionMatchesWords "iso","xll" `
  -RejectMessageReasonText "Blocked dangerous attachment type"
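
The rule audit in step 1 can be scripted so it runs the same way in every tenant. The function below is an added example, not code from the original post: it reports which of the extensions named on this page no enforcing rule blocks, which extension rules are disabled or audit-only, and which blocking rules carry sender exceptions. The function name and the sample rules are constructed for illustration; the property names are those returned by Get-TransportRule.

```powershell
# Extensions named in this article.
$RiskyExtensions = 'iso','img','vhd','xll','wsf','hta','cpl','jse'

function Get-AttachmentBlockGap {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][object[]]$Rules,
        [string[]]$Extensions = $RiskyExtensions
    )
    # Rules that condition on attachment extension at all.
    $extRules = @($Rules | Where-Object { $_.AttachmentExtensionMatchesWords })

    # Coverage counts only when the rule is enabled, enforcing, and stops delivery.
    $blocking = @($extRules | Where-Object {
        $_.State -eq 'Enabled' -and $_.Mode -eq 'Enforce' -and
        ($_.RejectMessageReasonText -or $_.DeleteMessage -or $_.Quarantine)
    })
    $blockingNames = @($blocking | ForEach-Object { $_.Name })
    $covered = @($blocking | ForEach-Object { $_.AttachmentExtensionMatchesWords } |
        ForEach-Object { "$_".TrimStart('.').ToLowerInvariant() })

    [pscustomobject]@{
        # Listed extensions that no enforcing rule blocks.
        Unblocked      = @($Extensions | Where-Object { $_ -notin $covered })
        # Extension rules that are disabled, audit-only, or take no blocking action.
        NotEnforcing   = @($extRules | Where-Object { $_.Name -notin $blockingNames } |
            ForEach-Object { $_.Name })
        # Blocking rules with sender exceptions: each exception is a passthrough path.
        WithExceptions = @($blocking |
            Where-Object { $_.ExceptIfFrom -or $_.ExceptIfSenderDomainIs } |
            ForEach-Object { $_.Name })
    }
}

# Constructed sample rules so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = 'Block disk images'; State = 'Enabled'; Mode = 'Enforce'
        AttachmentExtensionMatchesWords = @('iso','img','vhd')
        RejectMessageReasonText = 'Blocked'
        ExceptIfSenderDomainIs = @('partner.example') }
    [pscustomobject]@{ Name = 'Block script types (pilot)'; State = 'Enabled'; Mode = 'Audit'
        AttachmentExtensionMatchesWords = @('wsf','hta')
        RejectMessageReasonText = 'Blocked' }
)
Get-AttachmentBlockGap -Rules $sample | Format-List
```

In a connected Exchange Online PowerShell session, pass the tenant's rules instead of the sample: `Get-AttachmentBlockGap -Rules (Get-TransportRule)`.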

2. Review Attack Surface via Audit Logs

Use Microsoft 365 audit logs to search for past emails delivering .xll, .iso, .wsf, and similar extensions. Look for users who interacted with them.

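# -FreeText matches the string anywhere in the audit record. No -Operations
# filter is set, so matching activity from every workload is returned.
Search-UnifiedAuditLog -StartDate "2025-05-01" -EndDate "2025-06-10" `
  -FreeText "xll" -ResultSize 5000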

3. Configure Safe Attachments & Safe Links Policies

If not already in place, enable Microsoft Defender for Office 365’s Safe Attachments and Safe Links. These offer sandbox detonation and real-time protection.

# Check Safe Attachments and Safe Links policy status
Get-SafeAttachmentPolicy
Get-SafeLinksPolicy

Final Thought: Secure Email Is Not Set-and-Forget

Microsoft’s expanded file-type blocklist is a crucial step—but not a complete solution. Many MSPs wrongly assume these protections are “on by default,” leaving tenants exposed.

Proactive monitoring, regular policy reviews, and scripted enforcement are essential parts of modern Microsoft 365 defense strategy—especially across multiple clients.

✅ Next Steps for MSPs

Don’t wait for Microsoft to catch up. Take action now:

  • ✅ Block high-risk attachment types manually across all tenants
  • ✅ Audit historical delivery of .xll, .iso, .wsf, and similar files
  • ✅ Ensure Safe Attachments & Safe Links are configured and enforced
  • ✅ Standardize security policies across clients using automation and scripting
  • ✅ Stay informed on evolving threats and policy updates
  • ✅ Talk with us at https://optimize365.io - and see how our platform can help to automate it!

Your clients trust you to protect their email environments—don’t let gaps in configuration be the weakest link.

🔗 Full article on BleepingComputer