Service Update
| Availability | Effective from February 18th, 2026 |
| Product(s) | Email Security Cloud Gateway (CG), Attachment Management |
| Who's affected | Email Security Cloud Gateway (CG), Attachment Management |
Overview
Mimecast has deployed a security enhancement for Attachment Management. Threat actors increasingly hide malicious files (e.g. .dat, .svg, and .wmf) inside seemingly safe attachments like Microsoft Office documents and archives. This technique is designed to evade security scanning by concealing dangerous content within trusted file formats.
To counter this, Mimecast has enhanced its scanning engines to inspect deeper inside archives and Microsoft Office files, surfacing embedded components that were previously not visible. Your existing Attachment Management policies are operating as configured — they now have greater visibility into what those attachments actually contain, which may result in more attachments being blocked than before.
What's changing
- The recent release introduces an enhanced Scanning Engine for Attachment Management. The key behavioral change is increased depth and granularity of inspection inside supported attachment types.
- Deeper inspection of archives and Office files: Mimecast can now detect embedded components inside archives and Microsoft Office documents that were not previously visible during scanning.
-
Increased detection of embedded artifacts: Items such as internal
.datfiles or thumbnail components within Office documents are now surfaced and evaluated against your Attachment Management policies. - More policy actions triggered: Because previously unseen embedded content is now detected, you may observe more attachments being blocked where your policies are configured to block those file types.
- No product defect has been identified in relation to this behavior. The system is functioning as designed, with enhanced detection capabilities strengthening your overall security posture. Mimecast is tracking this as a known behavior and monitoring its broader impact across customers.
Recommended actions
There is no required change to your existing setup. However, if the increase in blocked attachments is operationally disruptive, administrators may choose to review certain policy settings.
-
Review blocked file types: Consider whether blocking specific file types such as
.datremains necessary in all scenarios. These are often harmless internal artifacts of Microsoft Office documents and may not always represent meaningful risk. - Engage Mimecast support if needed: If you have questions or would like Mimecast to investigate a specific blocked message, contact your usual Mimecast support channel so that the message and policy behavior can be reviewed in detail.
Mimecast is working on additional administrator guidance and future improvements to help distinguish more easily between genuinely risky embedded content and common, low-risk Office artifacts.
For further assistance or clarification regarding this security enhancement and its impact on Attachment Management, please reach out through your standard Mimecast support channel.
Comments
Please update the article, with common known embedded files used in Office files.
.dat,.emf,.wmf (other)
And is the recomendation to update policies to used “linked” or “held” instead as this is causing major spikes in attachments being blcoked, and with very bad insight to why the attachment is blocked. (No reason linking to the Attachment management policy or file embedded causing the trigger)
please include .svg file type as well when updating this article, images of this file type embedded in documents has caused us major issues with the .svg file type set to anything other than allow.
Hi Steven, many thanks for your feedback, we've updated the Service Update accordingly.
Please sign in to leave a comment.