Malware is specifically designed to harm or exploit devices, networks, or users. It includes various types of harmful software such as viruses, worms, trojan horses, ransomware, spyware, and adware. Malware can be distributed through email attachments, infected websites, malicious downloads, or other deceptive means.

What you can manage with an Anti-malware policy

Mailboxes in Exchange Online benefit from automatic protection against malware through Exchange Online Protection (EOP). EOP offers a multi-layered malware protection system designed to detect all known malware.

Moreover, the anti-malware policies in MDO provide an additional layer of protection by blocking specific file types for both inbound and outbound mail traffic. The policy can also utilize ZAP (Zero-hour Auto Purge) to quarantine messages found to contain malware after they have been delivered to Exchange Online mailboxes; this setting is enabled by default.

Anti-malware policy configuration

An out-of-the-box default policy is already enabled for all mailboxes in Exchange Online. While you have the option to create a new anti-malware policy to specify inclusion or exclusion of users, groups, or domains, it is advisable to stick with the default policy. This default policy is already activated for all Exchange Online mailboxes, and there is generally no need for exclusions in this case.

  1. Sign in to the Microsoft Defender portal and navigate to the Anti-malware section.

  2. Access the default anti-malware policy and select ‘Edit protection settings’.

  3. Activate the attachment filter, which comes preconfigured with 43 blocked file types such as .apk, .iso, and .cmd files.

Considering additional security measures, it’s prudent to contemplate blocking other file types like .doc, known for potentially harboring malicious macros, and .htm/.html files, which adversaries commonly exploit in Man-in-the-Middle (MITM) attacks.


After compiling a list of undesired file types, you have the option to add them either individually or in bulk utilizing the ExchangeOnlineManagement PowerShell module. To accomplish this, execute the following script.

$Values = (Get-MalwareFilterPolicy -Identity Default).FileTypes
$Values += "htm","html","doc"
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $Values
  1. ZAP (Zero-hour Auto Purge) for malware is enabled by default in anti-malware policies, it is recommended to keep it enabled.
  • ZAP continuously monitors spam and malware updates seamlessly for users. It automatically detects and acts on messages in a user’s mailbox, searching the last 48 hours of delivered email. Users aren’t notified of detected and moved messages.
  1. You have the option to determine the course of action for inbound and outbound messages containing the specified undesirable file types. Opting for ‘Reject the message with a non-delivery receipt (NDR)’ is advisable, the Quarantine policy selection will be disregarded in this case.

  2. Save your policy, and your organization will be enhanced in its defense against potential email attacks where malicious files are utilized.

Ending up

While file sharing is a normal and non-malicious activity, the current landscape of email attacks suggests that relying on email for such exchanges might not be the most secure approach. In today’s environment, tools like OneDrive offer more secure alternatives for sharing files. Considering the prevalence of email attacks, it’s advisable for individuals and organizations to reduce the practice of sharing most files via email.