File Extensions you should filter from email

by | Secure Configuration

Email is the main method for phishing/hacking but also file downloads.

The usual scenario is as follows:

You receive an email, that appears to be from [supplier, customer, friend, employee] with an attachment, or download a file, when attempting to open or view prompts you to enable ‘xyz’ or ‘install xzy’ to view or ‘activate xyz’ then you need to consider carefully your next action.

If it’s malicious and you did as requested, your system, whole network may no longer be yours!


If at any point after clicking you get taken to a Login page… STOP, go and speak to your hopefully security aware IT support provider if you have one or close the page. If it was from a supplier/someone you know then open a new page and go to their site directly or give them a call.

How to reduce the risk or avoid the issue

By simply blocking or quarantining certain common file extensions which are most often used for malicious activity the threat is reduced or stopped dead, yes, some genuine email or will get stopped. For emails you should be expecting them with those types of attachment and will know to look in the quarantine which is a small inconvenience, For web downloads, you need to be cautious, there are many files that look fine, and seem to come from legitimate places are are not. PDF files are a particular concern.

Where possible always configure your systems to show file extensions as this will allow you to:

  • See the type of file
  • Detect multiple extensions such as filename.zip.exe or filename.jpg.exe.

Consider blocking the following file types (many of which are required by the Cyber Essentials Scheme):

  • .com .exe .bin .pif .msi, dll
  • .sh .py .js .vbs .scr .bas
  • .hta
  • .cmd .bat
  • .vb
  • .msc
  • .vbe .jse
  • .scf .inf .reg
  • .ps .ps1 .psc1.ps1xml
  • .ps2 .psc2 .ps2xml
  • .ws .wsf .wsc .wsh
  • .msh .mshxml
  • .msh1 .msh1xml
  • .msh2 .msh2xml
  • .msp .cpl, msc
  • .lnk
  • .gadget
  • ade, adp, ani, chm,  cpl, crt, hlp, ht, ins, isp, job, jse, mda, mdb, mde, mdz,  msp, mst, pcd, pif, reg,  sct, shs, url, wsf, vxd, os2, w16, dos

If a file type is typically used in your industry then clearly don’t block it but do ensure it gets scanned by AV before use to give you some assurance it’s not vulnerable.

Macro enabled / Microsoft Office files have always been a problem. Microsoft disable macro’s by default but that has not always been the case or may remain so. Staff with access or IT may enable macro’s for a particular user or all users which should be a managed and reviewed situation. For this reason you should consider blocking these also:

  • .DOCM, .DOTM, .XLSM, .XLTM, .XLAM, .PPTM, .POTM, .PPAM, .PPSM, .SLDM
  • .RTF, .PPSX

Compressed files may contain malicious files so your email filtering system should be set up to look inside those file types.

  • .mht
  • .zip .7z .rar .tar.gz .tar .gz .jar
  • .dmg

You might notice that many of these extensions are used by the Microsoft Windows operating system, opening some of these on Mac or Linux would typically have little impact, however some of the file types are script files which Linux and Mac may run, normally this requires the user to take a number of steps which will then even when run cause little impact on a sensibly configured device with a competent user, but that is not a given, so block first and release later even if you use Apple or Linux.

You may consider making sure script files default to opening with notepad or a text editor, however on Windows Notepad is becoming more powerful so it may not always offer much protection. See our posting about this.