After getting a lot of phishing emails with suspicious HTML attachments, I was scared and decided to pull the trigger and get them blocked at the server level so no one would see them in their Outlook inbox.
Sign in to the Microsoft 365 portal and go to the Exchange Admin Center.
Click Mail Flow in the left-hand pane, then click the small + icon to add a new rule.
Name the rule and select the following condition:
Any attachment's file extension matches... 'html' or 'htm'
Pick one of the following actions, whichever fits your goal.
- Forward the message for approval
- Redirect the message to
- Block the message
If you only want the rule to apply to incoming messages, add an exception so that outgoing emails carrying the same attachment types are still allowed.
Here is one example of the rule I set in place.
If you use the approval approach, you will receive emails containing any HTML attachments for you to approve, like the one below.
As you can tell, it’s already caught one.
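The same rule built from Exchange Online PowerShell instead of the admin center, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can manage transport rules; the rule name, notice text and the admin@contoso.example address are placeholders.

```powershell
# Added example (not the post's own rule): recreate the "block HTML attachments"
# mail flow rule with Exchange Online PowerShell. Assumes the
# ExchangeOnlineManagement module and an account allowed to manage transport
# rules. Rule name, notice text and admin@contoso.example are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Condition : any attachment's file extension matches html or htm
#             (matching is on the attachment's file name extension).
# Exception : senders inside the organization, so outgoing mail with the same
#             attachments is untouched (the post's "incoming only" case).
# Action    : block the message and tell the sender why.
# Mode Audit: evaluate the rule without applying the action, so you can
#             confirm what it would catch before switching it to Enforce.
New-TransportRule -Name "Block inbound HTML attachments" `
    -AttachmentExtensionMatchesWords "html", "htm" `
    -ExceptIfFromScope InOrganization `
    -RejectMessageReasonText "HTML attachments are not accepted here; send a PDF or a link instead." `
    -Mode Audit `
    -Comments "Phishing mitigation: HTML attachments are a common lure."

# The other two actions from the post use the same condition; swap the
# -RejectMessageReasonText line for one of these:
#   -ModerateMessageByUser admin@contoso.example   # Forward the message for approval
#   -RedirectMessageTo     admin@contoso.example   # Redirect the message to

# Check that the rule landed with the intended condition, exception and action.
Get-TransportRule -Identity "Block inbound HTML attachments" |
    Format-List -Property Name, State, Mode, Priority, AttachmentExtensionMatchesWords, ExceptIfFromScope, RejectMessageReasonText

# After the audit period shows only the hits you expect, enforce the rule.
Set-TransportRule -Identity "Block inbound HTML attachments" -Mode Enforce
```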