What does online mean?
Be specific about not downloading, or opening from the %temp% folder, or not opening from any folders at all.
If via HTTP, you can catch these requests on a firewall or router. Mail clients are configured separately (work with attachments).
Windows - You can change the association of a file extension with another program.
An enterprise-level antivirus can open and scan archives from mail if they do not have a password and are not split into parts.

the solution is worse than the problem, damn it.
The key to the real solution to the problem is mentioned in part in the previous answer: this is the prohibition of running applications that are not launched from "program files", "program files (x86)", "Windows"
Your virus, most likely (as in the case of my remote office) , this is a js script in the archive that downloads the files of the encryptor to a certain temporary folder and is not detected by the antivirus.
(I also write scripts on poweshell that download files and, sometimes, run them - it’s not all the same to detect such a completely harmless functionality). Accordingly, if the user does not have write permissions to windows, program files, then this virus will not be able to harm.

I also had such a problem, I solved it by deploying squid on centos in conjunction with sams and through it I already blocked zip exe rar for users