The standard email malware protection in Office 365 is quite basic, and if your account was not set up by a Microsoft Partner or Office 365 specialist, you may not have these three basic rules in place.
Add these rules in your Office 365 portal by selecting Admin Centers - Exchange - protection - malware filter.
Set the Common Attachment Types Filter to On. Notice that .docm may be in the list, which you may want to remove.
Add the remaining rules in your Office 365 portal by selecting Admin Centers - Exchange - mail flow - rules - new. Make sure you click ‘More options…’, otherwise you cannot see the option for Any attachment… has executable content.
Any attachment's file extension matches:
cgi, chm, cmd, com, cpl, dll, exe, hta, inf, ini, ins, jar, js, jse, lnk, mht, mhtm, mhtml, msi,
ocx, pcd, pif, pl, py, reg, scr, sct, sh, shb, shs, url, vb, vbe, vbs, vbx, ws, wsc, wsf, wsh
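
The same three rules can be set from Exchange Online PowerShell instead of the portal. This is an added example, not part of the original page; the rule names, the reject action and its message text are assumptions, since the page does not say what the rules should do with a match.

```powershell
# Added example. Rule names, the reject action and its text are assumptions.
# Needs the ExchangeOnlineManagement module and an Exchange administrator sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Malware filter: switch on the Common Attachment Types Filter.
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true

# Optional: take docm out of the blocked types, as the page says you may want to.
$removeDocm = $false
if ($removeDocm) {
    $current = @((Get-MalwareFilterPolicy -Identity Default).FileTypes)
    $kept = @($current | Where-Object { $_ -ne 'docm' })
    if ($kept.Count -gt 0 -and $kept.Count -lt $current.Count) {
        Set-MalwareFilterPolicy -Identity Default -FileTypes $kept
    }
}

# The extension list from the page, split into an array of words.
$extensions = ('cgi, chm, cmd, com, cpl, dll, exe, hta, inf, ini, ins, jar, js, jse, ' +
    'lnk, mht, mhtm, mhtml, msi, ocx, pcd, pif, pl, py, reg, scr, sct, sh, shb, shs, ' +
    'url, vb, vbe, vbs, vbx, ws, wsc, wsf, wsh') -split ',\s*'

$reason = 'Attachment type not accepted by mail policy.'   # constructed text
$existing = @(Get-TransportRule | Select-Object -ExpandProperty Name)

# 2. Mail flow rule: any attachment has executable content.
$execRule = 'Block executable content'                      # hypothetical name
if ($existing -notcontains $execRule) {
    New-TransportRule -Name $execRule `
        -AttachmentHasExecutableContent $true `
        -RejectMessageReasonText $reason
}

# 3. Mail flow rule: any attachment's file extension matches the list.
$extRule = 'Block risky attachment extensions'              # hypothetical name
if ($existing -notcontains $extRule) {
    New-TransportRule -Name $extRule `
        -AttachmentExtensionMatchesWords $extensions `
        -RejectMessageReasonText $reason
}

# Review the result.
Get-TransportRule | Where-Object { $_.Name -in $execRule, $extRule } |
    Format-Table Name, State, Mode, Priority
```

Adding `-Mode Audit` to the two `New-TransportRule` calls records matches without rejecting mail, which lets you check for false positives before enforcing the rules.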