Aside from specifying attachments to filter, the malware filter policy mostly pertains to who gets notified if a message is not delivered due to malware being detected:
Your Office 365 tenant comes with a default malware filter. This filter does not notify users if their messages have been quarantined, does not filter attachments of any extension, does not notify internal or external senders or administrators if a message goes undelivered due to malware, and does not have any rules regarding who the policy applies to.
You can edit the default malware filter (in which case, you'll use the settings tab on the left-hand ...