Blocking Attachments based on the File Extension on Microsoft 365

After getting a lot of phishing emails with suspicious HTML attachments, I was scared and decided to pull the trigger to get them blocked at the server level so no one will see them in their Outlook inbox.

Sign in to the Microsoft 365 portal and go to the Exchange Admin Center.

Click Mail Flow on the left-side pane, and click the little + icon to add a new rule.

Name the rule and select the following condition:

Any attachment's file extension matches...'html' or 'htm'

Pick one of the following actions, whichever fits your goal.

  • Forward the message for approval
  • Redirect the message to
  • Block the message
  • etc.

If you only want to apply the rule to incoming messages, you can add an exception to allow outgoing emails with the same attachment.

Here is one example of the rule I set in place.

[Screenshot: the rule I set in place]

If you are using the Approval approach, you will get emails containing any HTML files for you to approve, like below.

[Screenshot: an approval email]

As you can tell, it’s already caught one.
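
The same rule can also be created from Exchange Online PowerShell, which makes it repeatable and easy to review. The script below is an added example, not part of the original post; the rule name, the mailbox addresses and the rejection text are placeholders.

```powershell
# Added example, not the post author's configuration.
# Needs the ExchangeOnlineManagement module and rights to manage mail flow rules.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Placeholders (assumptions): rule name and mailbox addresses.
$ruleName = 'Hold HTML attachments'
$approver = 'approver@example.com'
$redirect = 'attachment-review@example.com'
$action   = 'Approve'   # one of: Approve, Redirect, Block

$params = @{
    Name                            = $ruleName
    # Condition from the post: any attachment's file extension matches html or htm.
    AttachmentExtensionMatchesWords = 'html', 'htm'
    # Exception from the post: leave mail sent from inside the organization alone.
    ExceptIfFromScope               = 'InOrganization'
    # 'Enforce' applies the action; 'Audit' only records matches while testing.
    Mode                            = 'Enforce'
}

# Map the action choices listed in the post to the matching rule parameter.
switch ($action) {
    'Approve'  { $params.ModerateMessageByUser   = $approver }
    'Redirect' { $params.RedirectMessageTo       = $redirect }
    'Block'    { $params.RejectMessageReasonText = 'HTML attachments are not accepted.' }
    default    { throw "Unknown action: $action" }
}

# Do not create a duplicate if a rule with this name already exists.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Warning "Rule '$ruleName' already exists; leaving it unchanged."
} else {
    New-TransportRule @params | Out-Null
}

# Show what is actually configured so it can be checked against the intent.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Mode, Priority, AttachmentExtensionMatchesWords,
                ExceptIfFromScope, ModerateMessageByUser, RedirectMessageTo,
                RejectMessageReasonText
```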

3 thoughts on “Blocking Attachments based on the File Extension on Microsoft 365”

  1. As of 2021, that option is not available in the standard Exchange Admin Centre for Office 365. The only “apply this rule if…” that mentions attachments is “Any Attachments’ content includes…” and allows only words in the list. There are no extension options. These extension filtering options are now in Security and need to be edited manually via a script in order to add .htm or .html; see http://byronwright.blogspot.com/2017/09/customizing-file-types-for-common.html

    1. No, they are still there… click “show more” on the bottom, and then go back to the drop-down and there will be more advanced options, re-worded.
