Cybersecurity & Messaging Team
Document version: 2.0
Last reviewed: April 2026

| Block Type | User Experience | Typical Cause |
|------------|----------------|----------------|
| Level 1 (Hard Block) | Attachment cannot be saved, opened, or even seen; user receives "Outlook blocked access to the following potentially unsafe attachments" | File extension in Level 1 list (e.g., .exe, .vbs, .js) |
| Level 2 (Soft Block) | User can save to disk after a warning, but cannot open directly | File extension in Level 2 list (e.g., .reg, .cpl) |
| Web / Tenant Block | "This attachment is blocked due to organization policy" | Microsoft 365 Safe Attachments or Exchange mail flow rules |

Note: A fourth, silent block occurs when Outlook strips attachments entirely without notification; this is rare, but happens with malformed MIME or tenant anti-phishing policies.

4. Default Level 1 (Hard Blocked) File Extensions

Outlook (and Exchange) block these extensions by default. This list is non-exhaustive but includes the most common:

Security should never be permanently sacrificed for convenience. Implement the minimum required unblocking for the shortest necessary duration.

| Goal | Command / Action |
|------|------------------|
| List current Level 1 blocked extensions (Exchange Online) | Get-OrganizationConfig \| fl BlockLevelOneFileExtensions |
| Remove .ps1 from Level 1 | Set-OrganizationConfig -BlockLevelOneFileExtensions @{Remove=".ps1"} |
| Add .ps1 to Level 2 | Set-OrganizationConfig -BlockLevelTwoFileExtensions @{Add=".ps1"} |
| Unblock single saved file (Windows) | Right-click → Properties → Check "Unblock" |
| Disable all unsafe attachment blocking (local Outlook) | Registry EnableUnsafeAttachmentBlocking = 0 |
| Skip Level 1 block for a sender (Transport rule) | Set header X-MS-Exchange-Organization-SkipLevel1AttachmentBlock = true |
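To check which block level from the block-type table an attachment would fall under before a message reaches users, the following added example (not part of the original report, and not Outlook's own logic) parses a message and classifies each attachment name. It assumes only the example extensions named in that table; `LEVEL1`, `LEVEL2`, `classify_name`, `classify_message` and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: only the example extensions named on this page; real lists are longer.
LEVEL1 = {".exe", ".vbs", ".js"}
LEVEL2 = {".reg", ".cpl"}


def classify_name(filename):
    """Return 'level1', 'level2' or 'allowed' for one attachment file name."""
    # Windows drops trailing dots and spaces when a file is saved, so
    # "setup.exe." lands on disk as "setup.exe"; normalise before matching.
    name = filename.strip().rstrip(". ").lower()
    # Only the last extension decides how the file opens: "invoice.pdf.js" -> ".js"
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in LEVEL1:
        return "level1"
    if ext in LEVEL2:
        return "level2"
    return "allowed"


def classify_message(raw):
    """Parse raw RFC 5322 bytes and return [(filename, level), ...]."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        filename = part.get_filename()  # also decodes RFC 2231 filename*= values
        if filename is not None:
            results.append((filename, classify_name(filename)))
    return results


def build_sample():
    """Constructed sample message with four attachments (not real mail)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for name in ("report.pdf", "Invoice.PDF.JS", "résumé.cpl", "setup.exe."):
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, level in classify_message(build_sample()):
        print(f"{level:8} {filename}")
```

Matching on the normalised last extension matters because a check that compares the raw name would miss the double-extension, mixed-case and trailing-dot attachments in the sample.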