1Can you instead perhaps filter based on who sent it? How large is the .exe, did it make the file some abnormal size? If your company uses excel files a lot, I assume there's some way to determine where it's from (like the user's email ends in @mycompany.com)? – BruceWayne – 2016-09-29T20:39:18.017

I think that the method used to embed it probably has some bearing. Is "foo.xls.exe" ? Embedded = encoded as base64 and then a macro runs to save it out to disk? embedded = inserted object? – Yorik – 2016-09-29T20:58:46.263

We already let all inside emails through no matter the attachments. And the only extension is .xls. – Cody Pace – 2016-09-29T21:04:33.030

(1) Note that if a file is named foo.xls.exe, depending on your settings, it might only show you foo.xls even though it as a .exe at the end (2) any reason it can't be filtered by sender or sender domain? (3) route your external mail through an email security gateway provider which would scan all emails that go through it and remove malicious attachments – thilina R – 2016-09-29T21:11:54.173

we could filter it that way but we get these files from several different servers and email addresses – Cody Pace – 2016-09-29T21:23:57.363

1Does using .xlsx format prevent embedded binary files? If so, block .xls files and allow .xlsx. Educate your customers to use the correct format.0 – Xalorous – 2016-09-30T12:30:45.870

An xlsx is a zip file wit andere other extensie, so you could try to unzip it. I don't know uf such a thing could be done with xls. – blablabla – 2016-10-29T07:09:33.530