If you are looking to block attachments that are almost always unsafe, we highly recommend enabling the Unsafe attachments filter option on the filtering policies page (Settings > filtering).
To block attachment types that are not covered by the Unsafe attachments filter, such as .zip, .docx or .docm, you can create a custom filter rule as follows:
The above example shows a rule to deep filter all .zip attachments. The deep filter option will delay messages for up to two hours and then re-scan them before delivery. Choose the quarantine option to send them straight to the quarantine without re-scanning.
Note also that this example shows an Account Level rule that will affect all domains on your account. To create a rule that only applies to a single domain, click on the Domain Level tab before creating the rule.
To create exceptions for certain senders, add them to your approved senders list as explained in the following article: