
Why Is Outlook Blocking Emails With Attachments? (w/Examples) + FAQs

Outlook blocks emails with attachments to protect you from viruses, malware, and data leaks, and it does this through a mix of hard-coded file-type blocks, size limits, tenant-level transport rules, Microsoft Defender Safe Attachments scanning, and sender-reputation filters. If your file extension sits on Microsoft’s Level 1 blocked list, if the message exceeds the 150 MB Exchange Online cap, or if a Defender policy flags the payload as malicious, the mail never reaches the inbox.

The rules that drive these blocks come from Microsoft’s default Level 1 and Level 2 attachment lists, the Exchange Online service limits, and the policy engine described in the Safe Attachments documentation. The consequence is simple and sometimes painful: legitimate contracts, payroll files, and client deliverables can bounce, get quarantined, or silently vanish, and the sender often has no idea why.

According to Microsoft’s June 2025 security update covering the new Outlook and Outlook Web blocked file types, the default block list now exceeds 120 file extensions, and Microsoft reports that Safe Attachments sandboxes millions of files every single day across Microsoft 365 tenants.

Here is what you will learn in this guide:

  • 🧱 The exact file types Outlook blocks by default and why each one is risky
  • 📏 The real attachment size limits across Outlook desktop, web, and mobile
  • 🛡️ How Microsoft Defender Safe Attachments quarantines suspicious files
  • ⚖️ How U.S. laws like HIPAA, GLBA, and SEC 17a-4 shape your attachment choices
  • 🔧 Step-by-step fixes for end users, IT admins, and senders outside your tenant

The Core Reasons Outlook Blocks Attachments

Outlook is not one product, and “Outlook” is not one block engine. The name covers classic Outlook for Windows, new Outlook for Windows, Outlook for Mac, Outlook on the web (OWA), Outlook Mobile, and the Outlook.com consumer service. Each layer has its own block rules, and an attachment can be stopped at any one of them.

The federal starting point for email security in the U.S. is 18 U.S.C. § 1030, the Computer Fraud and Abuse Act, which makes it a crime to knowingly transmit code that damages a protected computer. Microsoft’s default block list is a direct response to that risk. If Outlook let any executable through, the provider would face civil exposure under negligence theories, and your company could face breach-notification duties under state laws like the California Consumer Privacy Act.

Block Reason 1: Dangerous File Extensions

Microsoft maintains a hard-coded list of file extensions that Outlook blocks on both sending and receiving. The list includes classic attack vectors like .exe, .bat, .js, .vbs, .ps1, .scr, .msi, .reg, and dozens of others documented on the official blocked attachments page.

The plain-English explanation is that each of these file types can run code on a target machine. The consequence of ignoring the rule is that a single click can install ransomware or a keylogger. A real-world example comes from the Emotet campaigns, where macro-enabled attachments drove billions in losses and triggered the FBI’s Emotet takedown in 2021. A common misconception is that renaming a .exe to .txt bypasses the block, but Outlook inspects the file’s true type, not only the extension.

Block Reason 2: Attachment Size Limits

Every Outlook client enforces a maximum attachment size. The Exchange Online limits table shows 150 MB for Outlook desktop on Plan 1 or Plan 2, 112 MB for OWA, and 33 MB for Outlook for iOS and Android. Outlook.com free accounts cap at 20 MB per message.

The rule exists because every attachment is Base64-encoded, which inflates the on-the-wire size by roughly 33 percent. The consequence of exceeding the cap is an immediate non-delivery report (NDR) with error code 5.3.4. A concrete example: a video editor named Maya Chen tries to send a 145 MB .mp4 rough cut; her desktop Outlook accepts it, but the recipient’s tenant, which kept the default 35 MB transport limit, bounces it. A common misconception is that compressing into a .zip always fixes size issues, yet .zip also carries its own Defender scanning cost and can still exceed the limit.

Block Reason 3: Defender Safe Attachments

For Microsoft 365 E5, Business Premium, and Defender for Office 365 Plan 1/2 tenants, Safe Attachments detonates every incoming attachment in a sandbox virtual machine before delivery. If the file tries to call command-and-control servers, spawn powershell.exe, or drop additional payloads, Defender quarantines the message.

Safe Attachments uses four policy actions: Monitor, Block, Replace, and Dynamic Delivery. Block is the default for Standard and Strict preset security policies. The consequence of a Block verdict is that the message sits in quarantine for 30 days, and only admins can release it. A mini-scenario: an HR director named Priya Rao sends an .xlsm onboarding form; the macro triggers a suspicious network call inside the sandbox, and the file never reaches the recipient. The common misconception is that Safe Attachments only scans .exe files, but Microsoft confirms it scans PDFs, Office docs, archives, and even ISO images.

Block Reason 4: Transport Rules and DLP

Administrators can create Exchange transport rules and Microsoft Purview DLP policies that block attachments based on content, sender, recipient, or extension. A finance-focused rule might block any attachment containing a 16-digit card number to satisfy PCI DSS 4.0.

The consequence of violating such a rule is either a bounce with a custom NDR message or a silent journaling event for compliance review. An example: a loan officer named Marcus Bell emails a PDF with a client’s Social Security number; the tenant’s DLP policy fires, the message is blocked, and Marcus receives a policy-tip notification. A common misconception is that password-protecting a .zip defeats DLP, but modern Purview can still inspect known archive passwords and flag file names.

Block Reason 5: Sender Reputation and Anti-Spam

Even a harmless .pdf can be blocked if the sender’s domain lacks SPF, DKIM, and DMARC alignment. Outlook’s Exchange Online Protection (EOP) layers spam confidence levels, bulk mail thresholds, and connection filtering before any attachment is even inspected.


The Full List of Blocked File Extensions (Level 1)

Microsoft’s Level 1 list is blocked by default with no user override. The Level 2 list exists only on Exchange Server and requires admin configuration. Below is a snapshot of the most-cited extensions from Microsoft’s official page on blocked attachments in Outlook.

File Extension | Why It Is Blocked
.exe           | Runs arbitrary Windows code on open
.bat / .cmd    | Executes shell commands without prompts
.js / .jse     | JavaScript outside a browser sandbox
.vbs / .vbe    | Visual Basic Script interpreter payloads
.ps1 / .ps2    | PowerShell scripts with full OS access
.msi / .msp    | Installer packages that can chain to malware
.scr           | Screensavers are actually PE executables
.reg           | Rewrites Windows Registry keys
.lnk           | Shortcuts that point to remote payloads
.iso / .img    | Disk images used to bypass Mark-of-the-Web
.library-ms    | Recently added per June 2025 Microsoft update
.search-ms     | Saved search files abused for phishing
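A pre-send check against the snapshot above, as an added example that is not Microsoft’s code or list: the `$Level1Snapshot` array holds only the extensions quoted in this article (the authoritative list on Microsoft’s page is longer), and the sample file names are constructed, not real files. Beyond a plain extension match, the function also flags decoy double extensions such as `invoice.pdf.scr`, the pattern behind the “trusting file icons” mistake discussed later in the article.

```powershell
# Added example, not Microsoft code: check outgoing file names against the Level 1
# snapshot quoted in this article. The snapshot is a subset; the authoritative list
# is Microsoft's blocked-attachments page.
$Level1Snapshot = @(
    '.exe', '.bat', '.cmd', '.js', '.vbs', '.vbe', '.jse', '.ps1', '.ps2',
    '.msi', '.msp', '.scr', '.reg', '.lnk', '.iso', '.img', '.library-ms', '.search-ms'
)

function Test-OutlookBlockedAttachment {
    # For each name: final extension, whether it is on the snapshot, and whether
    # the name carries a decoy double extension such as "report.pdf.exe".
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Name,
        [string[]]$BlockList = $Level1Snapshot
    )
    process {
        $leaf = [System.IO.Path]::GetFileName($Name)
        $ext  = [System.IO.Path]::GetExtension($leaf).ToLowerInvariant()

        # "Photos.pdf.scr" splits into 3 parts; a short alphanumeric middle part
        # that looks like a document extension marks a decoy.
        $parts     = $leaf.Split('.')
        $doubleExt = ($parts.Count -gt 2) -and
                     ($parts[-2].Length -le 4) -and
                     ($parts[-2] -match '^[a-z0-9]+$')
        $blocked   = $BlockList -contains $ext

        if ($blocked)        { $advice = 'Share via OneDrive link or an approved archive' }
        elseif ($doubleExt)  { $advice = 'Inspect: inner extension may be a decoy' }
        else                 { $advice = 'Not on the snapshot; size and DLP checks still apply' }

        [pscustomobject]@{
            Name            = $leaf
            Extension       = $ext
            Level1Blocked   = $blocked
            DoubleExtension = $doubleExt
            Advice          = $advice
        }
    }
}

# Constructed sample names (not real files) covering a clean document, a blocked
# executable in upper case, a decoy double extension, and a 2025 addition.
@('contract.pdf', 'setup.EXE', 'Photos.pdf.scr', 'template.library-ms', 'readme.txt') |
    Test-OutlookBlockedAttachment | Format-Table -AutoSize
```

Because the match is on the final extension only, a Level 1 name such as `setup.EXE` is caught regardless of case, while `Photos.pdf.scr` is reported both as blocked and as a double extension; feed the function a directory listing (`Get-ChildItem -Name`) to vet an outgoing batch before Outlook does.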

How the Level 1 List Grows Over Time

Microsoft expanded the list in 2018, 2019, 2024, and again in July 2025. The 2025 update added .library-ms and .search-ms to the new Outlook and Outlook Web block list, per reporting from BleepingComputer.

The consequence for administrators is that approved file-sharing workflows can break overnight. An example: an IT consultant named Lena Ortiz relied on .iso images to deliver virtual machine templates; after Microsoft added .iso to the default block list, her shipments started bouncing with NDR 5.7.1. The common misconception is that Microsoft warns customers in advance with a migration window; in practice, Message Center posts sometimes land only two weeks before enforcement.

Level 2 vs. Level 1: A Quick Compare

Category               | Level 1 (Hard Block)    | Level 2 (Soft Block)
Default enforcement    | Yes, across all clients | No, admin-only
User can save file     | No                      | Yes, after prompt
Applies to Outlook.com | Yes                     | Not available
Typical examples       | .exe, .js, .ps1, .vbs   | .doc, .pdf in legacy servers
Override method        | Rename on sender side   | Modify Level2Remove registry key

Attachment Size Limits Across Every Outlook Client

Size is the second most common block reason, and it is the one users can usually fix without calling the helpdesk. The authoritative table is published by Microsoft in the Exchange Online service description.

Size Limits by Client

Client                      | Default Limit | Hard Ceiling
Outlook for Windows (M365)  | 150 MB        | 150 MB
Outlook on the web          | 112 MB        | 150 MB
Outlook for Mac             | 150 MB        | 150 MB
Outlook for iOS and Android | 33 MB         | 33 MB
Outlook.com (free)          | 20 MB         | 20 MB
Exchange Server on-prem     | 35 MB         | Admin-configurable

The plain-English reason for these caps is that larger messages strain mailbox databases and transport queues. The consequence of trying to force a 200 MB file through is a 552 5.3.4 size NDR. An example: a paralegal named Jordan Pike tries to attach a 140 MB deposition video to a Gmail recipient, and it clears Exchange Online, but Gmail rejects it because Gmail’s cap is 50 MB per the Google Workspace limits. The common misconception is that the sender’s limit is the only one that matters; the recipient’s server has the final say.

Why Base64 Encoding Matters

Every email attachment is encoded to Base64, inflating size by about 33 percent. A 100 MB file becomes a 133 MB message payload. The consequence is that a 112 MB OWA “limit” actually means your raw file must be below roughly 85 MB.
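The arithmetic above, carried through in code as an added example (not Microsoft’s code): the cap values are copied from this article’s size table, not read from any tenant, and the script computes the exact Base64 expansion (every 3 bytes become 4 characters) plus the CRLF that MIME appends to each 76-character line, which is why the encoded figure comes out a few percent above the rounded 33 percent.

```powershell
# Added example, not Microsoft code: estimate an attachment's on-the-wire size and
# compare it against the per-client caps quoted in this article. The cap values are
# copied from the article's table; they are not read from any tenant setting.
$ClientCaps = [ordered]@{
    'Outlook for Windows (M365)'  = 150MB
    'Outlook on the web'          = 112MB
    'Outlook for Mac'             = 150MB
    'Outlook for iOS and Android' = 33MB
    'Outlook.com (free)'          = 20MB
    'Exchange Server on-prem'     = 35MB
}

function Get-EncodedAttachmentSize {
    # Bytes a raw payload occupies once MIME Base64-encoded: every 3 input bytes
    # become 4 output characters (padding rounds up), and MIME wraps the output in
    # 76-character lines terminated by CRLF (RFC 2045), which adds a little more.
    param([Parameter(Mandatory)][long]$RawBytes)

    $base64Chars = [math]::Ceiling($RawBytes / 3) * 4
    $lines       = [math]::Ceiling($base64Chars / 76)
    return [long]($base64Chars + ($lines * 2))
}

function Get-MaxRawSizeForCap {
    # Invert the expansion: the largest raw payload that still fits under a cap.
    # 76/78 undoes the CRLF per line, 3/4 undoes the Base64 expansion.
    param([Parameter(Mandatory)][long]$CapBytes)
    return [long][math]::Floor($CapBytes * 76 / 78 * 3 / 4)
}

function Test-AttachmentFits {
    # Report, per client, whether a file (or a bare byte count) fits under the cap.
    param(
        [string]$Path,
        [long]$RawBytes = 0
    )
    if ($Path) { $RawBytes = (Get-Item -LiteralPath $Path).Length }
    $encoded = Get-EncodedAttachmentSize -RawBytes $RawBytes

    foreach ($client in $ClientCaps.Keys) {
        $cap = [long]$ClientCaps[$client]
        [pscustomobject]@{
            Client    = $client
            RawMB     = [math]::Round($RawBytes / 1MB, 1)
            EncodedMB = [math]::Round($encoded / 1MB, 1)
            CapMB     = [math]::Round($cap / 1MB, 0)
            Fits      = ($encoded -le $cap)
            MaxRawMB  = [math]::Round((Get-MaxRawSizeForCap -CapBytes $cap) / 1MB, 1)
        }
    }
}

# Constructed input: the article's 100 MB example, so no local file is needed.
# Use -Path 'C:\path\to\file.mp4' to check a real file instead.
Test-AttachmentFits -RawBytes 100MB | Format-Table -AutoSize
```

The `MaxRawMB` column is the practical number for a help desk: it is the biggest file a user can attach for each client before the encoded message trips the cap, and it is always below the headline limit.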

Fixing Size Issues With OneDrive

Microsoft’s default behavior is to suggest OneDrive attachments for files over 33 MB in the new Outlook. This converts the attachment to a cloud link, dodging the size limit entirely but changing the compliance footprint because the file now lives in SharePoint, not the mailbox.


How Microsoft Defender Safe Attachments Works

Safe Attachments is the most advanced block layer and the one users least understand. It is a feature of Microsoft Defender for Office 365 Plan 1 and Plan 2 and is included in Microsoft 365 Business Premium, A5, E5, and G5 SKUs.

The Four Policy Actions

Action           | What Happens                    | Typical Use Case
Off              | No sandbox scan                 | Test tenants only
Monitor          | Delivers, logs verdict later    | Pilot rollouts
Block            | Quarantines the message         | Default Standard/Strict
Dynamic Delivery | Delivers body fast, holds file  | Executives who need speed

The plain-English rule is that when Block is set, no message with a malicious attachment reaches the inbox. The consequence is that the recipient sees only a quarantine notification, and an admin must release the file. An example: Carlos Mendez, a procurement manager, is expecting a vendor .docx invoice; Safe Attachments sandboxes it for 4 minutes, finds a DDE payload, and quarantines it. The common misconception is that Dynamic Delivery is always better; it can break signatures and cause Outlook to render placeholder attachments that confuse users.
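An admin-side way to see which of the actions above is actually in force per policy, as an added example that is not Microsoft’s code: it assumes the ExchangeOnlineManagement module, an Exchange admin role, and a Defender for Office 365 licence, and relies on the fact that PowerShell reports the portal’s Monitor action as `Allow`. Policies created by the Standard or Strict preset have no Safe Attachment rule of their own and show as unscoped here.

```powershell
# Added example, not Microsoft code: list Safe Attachments policies whose action
# leaves the sandbox off or in Monitor-only mode. Assumes the ExchangeOnlineManagement
# module and a Defender for Office 365 licence; property names are the ones returned
# by Get-SafeAttachmentPolicy and Get-SafeAttachmentRule.
Connect-ExchangeOnline -ShowBanner:$false

function Get-SafeAttachmentPosture {
    # Pair each policy with the rule that scopes it (preset policies have no rule
    # here and show as unscoped) and flag actions that never quarantine.
    # PowerShell reports the portal's Monitor action as 'Allow'.
    $rulesByPolicy = @{}
    foreach ($r in Get-SafeAttachmentRule) { $rulesByPolicy[$r.SafeAttachmentPolicy] = $r }

    foreach ($policy in Get-SafeAttachmentPolicy) {
        $rule = $rulesByPolicy[$policy.Name]
        $weak = (-not $policy.Enable) -or ($policy.Action -in @('Off', 'Allow'))

        $ruleState = 'n/a (preset or unscoped)'
        $domains   = ''
        if ($rule) {
            $ruleState = $rule.State
            $domains   = ($rule.RecipientDomainIs -join ', ')
        }

        [pscustomobject]@{
            Policy           = $policy.Name
            Action           = $policy.Action
            Enabled          = $policy.Enable
            RuleState        = $ruleState
            RecipientDomains = $domains
            Redirect         = $policy.Redirect
            RedirectTo       = $policy.RedirectAddress
            QuarantineTag    = $policy.QuarantineTag
            NeedsReview      = $weak
        }
    }
}

Get-SafeAttachmentPosture | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Rows with `NeedsReview` set to True are the ones where a malicious attachment would be delivered rather than quarantined; `QuarantineTag` tells you which quarantine policy governs whether end users or only admins can release what Block does catch.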

Safe Attachments for SharePoint, OneDrive, and Teams

Defender also scans files stored in SharePoint, OneDrive, and Teams. If a malicious file is detected post-upload, Microsoft locks the file in place. Users can still delete it, but they cannot open, move, copy, or share it.

Why False Positives Happen

Safe Attachments occasionally flags benign files. Macro-enabled spreadsheets, PDFs with embedded JavaScript, and password-protected archives are the top three false-positive categories. Admins can submit files to Microsoft for analysis and, if cleared, allow-list via the Tenant Allow/Block List.


Transport Rules, DLP, and Compliance Law

Tenant-level controls often cause the blocks that puzzle users the most, because they are invisible from the client. Two engines matter: Exchange transport rules and Microsoft Purview Data Loss Prevention.

Exchange Transport Rules

An admin can write a rule that blocks any attachment larger than 20 MB from external senders, or any attachment with a specific extension, using the mail flow rules documentation. The consequence of such a rule is a bounce with a custom message the admin defines.

An example: a hospital CISO named Dr. Angela Park writes a transport rule that blocks any .zip from outside the tenant to satisfy her HIPAA Security Rule risk analysis. The common misconception is that transport rules fire before Safe Attachments; in fact, transport rules run in a defined mail flow processing order that admins must understand.

DLP and U.S. Federal Law

Microsoft Purview DLP ships with templates for HIPAA, GLBA, and SEC 17a-4. These rules block or warn on attachments that contain sensitive data. The consequence of a HIPAA DLP violation is potential fines up to 1.9 million USD per year per violation category under the HHS HIPAA penalty tiers.

SEC 17a-4 and Books-and-Records

Broker-dealers must retain email for 3-6 years under SEC Rule 17a-4. A blocked attachment is still a business record if the message itself is preserved, and firms that delete quarantined files can face penalties. The common misconception is that quarantine equals deletion; it does not, and admins must journal quarantined items for audit.

GLBA and Financial Data

GLBA’s Safeguards Rule requires financial institutions to protect nonpublic personal information. Outlook DLP policies that block unencrypted .xlsx files containing account numbers directly support this rule.

CAN-SPAM and Unsolicited Attachments

The CAN-SPAM Act does not directly regulate attachments, but it shapes sender-reputation scoring because missing unsubscribe headers, deceptive subject lines, and no physical address push messages into junk, where attachments are stripped by default.


Three Real-World Scenarios

Scenario 1: The Blocked Executable

Trigger                                  | Outcome
Sender attaches setup.exe to a client    | Outlook strips the file before send
Recipient sees message with warning      | “Outlook blocked access to the following potentially unsafe attachments”
Sender renames to setup.ex_ and resends  | File arrives; recipient renames back to run it

Scenario 2: The Oversized Video

Trigger                               | Outcome
User tries to attach a 180 MB MP4     | Outlook prompts to upload to OneDrive
User declines and forces attachment   | Message bounces with NDR 5.3.4
User re-sends as OneDrive link        | File delivers instantly, size cap bypassed

Scenario 3: The Quarantined Invoice

Trigger                                 | Outcome
Vendor sends invoice.docm with macro    | Safe Attachments sandbox detects payload
Message routes to hosted quarantine     | Recipient sees quarantine notification
Admin reviews and releases the file     | Sender is allow-listed for future messages

Common Mistakes to Avoid

The following mistakes cause 80 percent of the preventable attachment-block incidents in Microsoft 365 tenants.

  • Renaming .exe to .txt and assuming Outlook will not notice; the client inspects true file type, and the message still bounces.
  • Password-protecting a .zip to hide content; Microsoft Defender flags encrypted archives and often quarantines on sight.
  • Ignoring the Exchange NDR codes; error 5.7.1 means policy block while 5.3.4 means size issue, and treating them the same wastes hours.
  • Sending large files from Outlook Mobile; the 33 MB cap on iOS and Android is far below the 150 MB desktop limit.
  • Forgetting recipient-side limits; Gmail’s 25 MB send cap and 50 MB receive cap still apply even if your tenant allows 150 MB.
  • Disabling Safe Attachments for “convenience”; one bypass can expose the tenant to ransomware with six-figure remediation costs.
  • Attaching files containing PHI or PII without DLP exemptions; HIPAA and GLBA violations accrue per record.
  • Using the classic Level2Remove registry tweak on managed devices; Group Policy usually overwrites it at next boot.
  • Trusting file icons; a PDF icon on a .scr file still runs as an executable.
  • Assuming quarantined messages are deleted; Microsoft retains them for 30 days, and admins can still release them.

Do’s and Don’ts for Attachment Success

Do’s

  • Do use OneDrive links for anything over 25 MB because most external mail servers cap there.
  • Do encrypt sensitive files with Microsoft Purview Message Encryption since it survives DLP policies and still reaches the recipient.
  • Do test new attachment workflows in a pilot group first because default policy changes can break business processes without warning.
  • Do educate users on NDR codes because a 5.7.1 bounce indicates a policy decision, not a mail-system outage.
  • Do journal quarantined messages under SEC 17a-4 because books-and-records obligations include blocked items for regulated firms.

Don’ts

  • Don’t disable Safe Attachments tenant-wide because a single malicious .xlsm can encrypt every mapped drive.
  • Don’t email PHI in a plain .zip because HIPAA requires encryption in transit for covered entities.
  • Don’t bypass blocks by renaming files because Outlook’s true-type detection still catches executables.
  • Don’t send files in obscure formats to external recipients because their security stack may block on sight.
  • Don’t rely on the default 150 MB cap because many downstream servers strip at 25 MB or even 10 MB.

Pros and Cons of Outlook’s Attachment Blocking

Pros

  • Strong baseline security because Level 1 blocks stop most commodity malware at the gateway.
  • Regulatory alignment because DLP and Safe Attachments support HIPAA, GLBA, PCI DSS, and FERPA controls.
  • Cloud scalability because 150 MB caps are generous compared to most legacy on-prem servers.
  • Built-in sandboxing because Defender detonates unknown files before delivery.
  • Admin transparency because the Threat Explorer dashboard shows every blocked file in real time.

Cons

  • False positives because legitimate macro workbooks routinely get quarantined.
  • User friction because quarantine release can take hours, killing time-sensitive deals.
  • Opaque bounces because NDR codes rarely state the true reason in plain English.
  • Tenant drift because each admin team’s transport rules create inconsistent behavior across partners.
  • Licensing cost because full Safe Attachments and DLP require Microsoft 365 E3 plus Defender add-ons or E5.

Step-by-Step Fixes When Outlook Blocks Your Attachment

The workflow below works for end users, help-desk agents, and tier-2 admins. Start at step 1 and escalate only when needed.

Step 1: Read the NDR Carefully

Every blocked message generates a Non-Delivery Report. The Exchange NDR reference maps 5.x.x codes to causes. The consequence of skipping this step is hours wasted on wrong fixes.

Step 2: Check File Type Against the Block List

Compare your extension to the blocked attachments list. If your file is on the list, repackage inside an encrypted .7z with a non-blocked extension and share the password through another channel.

Step 3: Verify Size

Compare your file size (plus 33 percent Base64 overhead) against the client cap. If you exceed it, use OneDrive or SharePoint sharing instead.

Step 4: Check Quarantine

Sign in to the Microsoft 365 Defender portal and look for the message in quarantine. Users can release some messages themselves; high-confidence phish and malware require admin release.

Step 5: Review Transport Rules

Admins can audit transport rules using the Get-TransportRule PowerShell cmdlet. The consequence of a badly scoped rule is that every attachment from a partner domain bounces.
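One way to run that audit, as an added example that is not Microsoft’s code: it assumes the ExchangeOnlineManagement module and an Exchange admin role, walks every rule returned by `Get-TransportRule`, keeps the ones with an attachment condition, and summarises the action so a custom NDR text or enhanced status code in a bounce can be traced back to the rule that produced it.

```powershell
# Added example, not Microsoft code: list mail flow rules whose conditions touch
# attachments, with the action each one takes, so a bounce can be tied to a rule.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline -ShowBanner:$false

# Get-TransportRule properties that represent attachment conditions.
$AttachmentConditions = @(
    'AttachmentExtensionMatchesWords', 'AttachmentNameMatchesPatterns',
    'AttachmentContainsWords', 'AttachmentMatchesPatterns',
    'AttachmentSizeOver', 'AttachmentHasExecutableContent',
    'AttachmentIsPasswordProtected', 'AttachmentIsUnsupported',
    'AttachmentPropertyContainsWords'
)

function Get-AttachmentTransportRules {
    # One object per rule (enabled or not) that has at least one attachment condition.
    foreach ($rule in Get-TransportRule) {
        $hits = foreach ($c in $AttachmentConditions) {
            $v = $rule.$c
            # Boolean conditions count when $true; list conditions count when non-empty.
            if (($v -is [bool] -and $v) -or ($v -isnot [bool] -and $v)) { "$c=$($v -join ';')" }
        }
        if (-not $hits) { continue }

        # Summarise the action so the NDR text can be matched to the rule.
        if ($rule.RejectMessageReasonText) {
            $action = "Reject ($($rule.RejectMessageEnhancedStatusCode)): $($rule.RejectMessageReasonText)"
        }
        elseif ($rule.DeleteMessage)    { $action = 'Delete silently' }
        elseif ($rule.RedirectMessageTo) { $action = "Redirect to $($rule.RedirectMessageTo -join ', ')" }
        else                             { $action = 'Other (modify/notify/journal)' }

        $exceptions = ''
        if ($rule.ExceptIfAttachmentExtensionMatchesWords) {
            $exceptions = ($rule.ExceptIfAttachmentExtensionMatchesWords -join ';')
        }

        [pscustomobject]@{
            Priority   = $rule.Priority
            Name       = $rule.Name
            State      = $rule.State       # Enabled / Disabled
            Mode       = $rule.Mode        # Enforce, Audit, AuditAndNotify
            Scope      = $rule.FromScope   # e.g. NotInOrganization = external senders only
            Conditions = ($hits -join ' | ')
            Exceptions = $exceptions
            Action     = $action
        }
    }
}

Get-AttachmentTransportRules | Sort-Object Priority | Format-Table -AutoSize -Wrap
```

Read the output top-down in priority order, the same order Exchange evaluates rules: a broad `AttachmentSizeOver` or `AttachmentHasExecutableContent` rule with no `FromScope` and no exceptions is the usual culprit when every attachment from a partner domain bounces, and the `Mode` column shows whether a rule is really enforcing or only auditing.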

Step 6: Check Tenant Allow/Block List

Microsoft’s Tenant Allow/Block List overrides Safe Attachments for known-good files and senders. Add the file hash, not just the sender, for surgical precision.

Step 7: Adjust Level2Remove Registry (Classic Outlook Only)

On classic Outlook for Windows, the Level2Remove registry key lets users save (not open) specific Level 2 types. This trick does not exist in the new Outlook or OWA.

Step 8: Submit to Microsoft for Re-Scoring

If a file is legitimately safe and repeatedly blocked, submit it via the admin submissions portal. Microsoft typically re-scores within 48 hours.


Key Entities You Should Know

The ecosystem behind Outlook attachment blocking involves many moving parts, and knowing the cast makes troubleshooting faster.

  • Microsoft 365 Defender is the unified security console that houses Safe Attachments, Safe Links, and Threat Explorer, documented on Microsoft Learn.
  • Exchange Online Protection (EOP) is the baseline anti-spam and anti-malware layer included with every M365 mailbox, covered in the EOP overview.
  • Microsoft Purview hosts DLP, eDiscovery, and retention policies that interact with attachments.
  • FBI IC3 tracks email-based crime complaints and publishes the annual Internet Crime Report.
  • HHS OCR enforces HIPAA rules that intersect with email attachments containing PHI, via the Office for Civil Rights.
  • FTC enforces GLBA and CAN-SPAM, shaping attachment handling for financial and marketing emails.
  • SEC enforces 17a-4 books-and-records rules that require retention even of blocked messages.

State-Level Nuances

Federal law sets the floor, but state privacy laws can raise the ceiling. California’s CCPA/CPRA, New York’s SHIELD Act, and Texas’s HB 4 all impose breach-notification duties when personal information leaks through email. The consequence of an unencrypted attachment leaking a single record can be statutory damages of up to 750 USD per consumer under CCPA.

An example: a marketing analyst named Sofia Reyes emails a spreadsheet with 5,000 California email addresses and phone numbers; the tenant’s DLP policy is off, the file reaches an unintended recipient, and her employer faces up to 3.75 million USD in statutory exposure. The common misconception is that encryption alone solves state compliance; most laws require both encryption and access controls.


Court Rulings That Shaped Attachment Policy

Two rulings matter most. In United States v. Morris, 928 F.2d 504 (2d Cir. 1991), the Second Circuit upheld the first CFAA conviction arising from a network worm, reinforcing that email-borne code can trigger federal prosecution.

In FTC v. Wyndham Worldwide, 799 F.3d 236 (3d Cir. 2015), the Third Circuit confirmed that the FTC can hold companies accountable for weak email and data-security practices under Section 5 of the FTC Act. The practical takeaway for Outlook admins is that disabling Safe Attachments or DLP to speed workflows can expose the company to FTC enforcement if a breach follows.


FAQs

Does Outlook scan attachments for viruses automatically?

Yes. Every Microsoft 365 mailbox uses Exchange Online Protection’s anti-malware engine, and tenants with Defender add Safe Attachments sandboxing on top of that baseline scan.

Can I send a .exe file through Outlook?

No. Outlook blocks .exe on both send and receive by default, and the only safe workaround is to share the file through OneDrive or a password-protected .7z archive.

Is the Outlook attachment size limit really 150 MB?

Yes. Microsoft 365 Plan 1 and Plan 2 desktop Outlook cap at 150 MB per the Exchange Online service description, but recipient servers often enforce smaller limits.

Will renaming a blocked file extension fix the problem?

No. Outlook’s classic Level 1 check inspects the true file signature, so renaming .exe to .docx still triggers a block and wastes troubleshooting time.

Does Safe Attachments delay every email?

No. Safe Attachments scans typically complete in under 30 seconds, and Dynamic Delivery lets the message body arrive first while the file is scanned.

Can end users release their own quarantined attachments?

No. By default, only admins can release high-confidence phish or malware quarantine items per the quarantine permissions matrix.

Does HIPAA require encrypting Outlook attachments?

Yes. HIPAA’s Security Rule treats email with PHI as an addressable specification, and OCR guidance strongly encourages encryption in transit for covered entities.

Can transport rules override Safe Attachments verdicts?

Yes. Admin-written mail flow rules can allow or block messages before Safe Attachments processing, but misconfigured exceptions weaken tenant security.

Is Outlook.com for consumers protected by Safe Attachments?

No. Outlook.com uses EOP-style malware scanning but not full Defender Safe Attachments sandboxing, which is reserved for paid Microsoft 365 plans.

Are quarantined messages deleted after 30 days?

Yes. Microsoft’s default retention for quarantined malware and phish is 30 days per the quarantine policy documentation, after which items are purged and unrecoverable.

Does CAN-SPAM regulate attachments in Outlook?

No. CAN-SPAM focuses on headers, unsubscribe links, and physical addresses, not attachments, but noncompliant senders still face reputation-based attachment stripping.

Can I add exceptions for trusted senders?

Yes. Admins use the Tenant Allow/Block List to whitelist sender domains, file hashes, or URLs, reducing false positives for known partners.