An update on Exchange Online is now allowing administrators to define attachment types policy to define what they want to block or authorize.

To update your configuration, open your Exchange Online ECP (https://outlook.office365.com/ecp/) and go to the the Protection section to access the Malware filter options.

Then either edit the exiting policies or create a new one – the following screenshot has been taken while editing the default policy – and look for the Common Attachment Types Filter option available below the Settings (default is set to Off)

image 

When you create a new policy, this option is immediately available for configuration during the policy creation process and the default setting is On

image