@mttaggart @cR0w I feel like we (community we) don't share baseline bad extensions for SEGs often enough.

Maybe OpSec concerns? And not that org specific. There are some very common, but esoteric, file types no one wants to see cross DMARCs. I think the problem is these tools were often built and inherited many times over, where it's a default allow + block-list vs default block + allow-list.

.scr .wsf .url .scf and the office docs with macros (.pptm .xlam etc) .onepkg .arj .cab .bin .theme ... Then double and triple extensions--regex block! It never ends.

Side note: I quarantine and alert on any .env .pem .key .kube .conf .tfvars .lic. I don't need AI to do $DLP basics.
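The default-block + allow-list posture, the extension block-list, the double/triple-extension regex and the secrets-file DLP rule from the post, combined into one attachment classifier. This is an added example, not the poster's own tooling; the allow-list and the exact extension sets are constructed for illustration, not a vetted production policy.

```python
import re

# Extensions the post calls out as never wanted in mail; constructed subset.
BLOCKED_EXTENSIONS = {
    "scr", "wsf", "url", "scf", "pptm", "xlam", "docm", "xlsm",
    "onepkg", "arj", "cab", "bin", "theme",
}
# Secrets/config files the post quarantines and alerts on (DLP basics).
DLP_EXTENSIONS = {"env", "pem", "key", "kube", "conf", "tfvars", "lic"}
# Allow-list for the default-block posture; constructed for this example.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "txt", "csv", "png", "jpg"}

# Two or more extension-like suffixes, e.g. "invoice.pdf.scr" or "a.txt.exe".
MULTI_EXT_RE = re.compile(r"^[^.]+(?:\.[a-z0-9]{1,5}){2,}$")


def classify_attachment(filename: str) -> str:
    """Return 'quarantine-alert', 'block' or 'allow' for one attachment name."""
    name = filename.strip().lower()
    parts = name.split(".")
    # No usable extension (or trailing dot): default-block wins.
    if len(parts) < 2 or parts[-1] == "":
        return "block"
    exts = parts[1:]          # ".env" -> ["env"]; "a.pdf.scr" -> ["pdf", "scr"]
    # 1. DLP rule first: leaked secrets/config get quarantined and alerted on.
    if exts[-1] in DLP_EXTENSIONS:
        return "quarantine-alert"
    # 2. Known-bad extension anywhere in the chain.
    if any(ext in BLOCKED_EXTENSIONS for ext in exts):
        return "block"
    # 3. Double/triple extensions: regex block, as the post says.
    if MULTI_EXT_RE.match(name):
        return "block"
    # 4. Default block + allow-list: only listed final extensions pass.
    return "allow" if exts[-1] in ALLOWED_EXTENSIONS else "block"


def scan_attachments(filenames):
    """Map each attachment name to its verdict (constructed input, no I/O)."""
    return {f: classify_attachment(f) for f in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, not real mail data.
    sample = ["invoice.pdf.scr", "report.docx", "Q3.XLSM", ".env",
              "prod.tfvars", "notes.txt.exe", "readme.md", "noext"]
    for f, verdict in scan_attachments(sample).items():
        print(f"{f:18} -> {verdict}")
```

The multi-extension regex is deliberately blunt: legitimate names such as `archive.tar.gz` or `my.file.docx` are blocked too, which is the trade-off the post accepts with a default-block posture.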
