File Type Filtering in Defender Stopping File Types Not in Common Types List

Ryan Halls 26 Reputation points
2024-03-06T22:06:56.09+00:00

We have a user having issues sending an email from her internal domain email to another internal user because Defender is placing her emails in quarantine. When reviewing the messages I can see it was being blocked due to the Anti-Malware policy for file types. I'm able to manually release them, but I would rather they not get flagged at all.

However, when looking at her email the files contained within are a .sql and .zip file (the files in the zip are also not on the list) and none match any extensions on the list of common file types to block. Is there a secondary list of additional file types that are being checked? This is not an issue for other users as far as I can tell and her emails are part of a standard internal process and this issue only started coming up in the last couple months. None of her other emails are being flagged, only these ones containing these file types.

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
4,908 questions
Outlook
Outlook
A family of Microsoft email and calendar products.
3,836 questions
Outlook Management
Outlook Management
Outlook: A family of Microsoft email and calendar products.Management: The act or process of organizing, handling, directing or controlling something.
5,231 questions
0 comments No comments
{count} vote

3 answers

Sort by: Most helpful
  1. Andy David - MVP 147.9K Reputation points MVP
    2024-03-06T23:30:21.54+00:00

    Could be true type attachements or wmz:

    True-type detection is when a file type that is in your common attachment filtering list triggers a detection even if the file type in the message is different. Common examples are .wmf pictures filtered as .wmz file types (.wmz are compressed versions of .wmf files). So, if your organization needs to receive .wmz file types, remove .wmf from the common attachment filter in your anti-malware policies. 

    This article may be helpful to track it down:

    https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-anti-malware-safe/ba-p/3791516

    3 people found this answer helpful.

  2. ALBERT, MICHAEL D 5 Reputation points
    2024-07-17T15:41:07.6333333+00:00

    My organization has the same issue with MSG and EML files. Microsoft Defender is blocking MSG attachments because it detects them as EML. We block EML attachments, not MSG. We also use another very well-known brand anti-malware product in our on-premises Exchange environment. It has no problem discerning between EML and MSG. Their TrueType Matching technology detects the file type signature in the message header and does not block MSG attachments when EML attachments are blocked.

    Hex signature for EML = 52 65 63 65 69 76 65 64 3A

    Hex signature for MSG (and doc, xls, ppt, msi) = D0 CF 11 E0 A1 B1 1A E1

    I have a case open with Microsoft for this and I am very disappointed with the Microsoft response on this issue. Based on Microsoft's new emphasis on security they should fix this issue correctly in the Defender Common Attachment filter.

    1 person found this answer helpful.
    0 comments No comments

  3. Peter Malakhov 0 Reputation points
    2024-09-18T15:12:54.3933333+00:00

    I had the same problem except in my case the recipient's tenant was blocking HTML-formatted .msg file types because they were detected as .mhtml. Sounds a bit too much.

    The solution was to remove .mhtml from the filtered attachment list.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.