diff --git a/Server-Side Components/Business Rules/AttachmentFormatValidator/AttachmentFormatValidator.js b/Server-Side Components/Business Rules/AttachmentFormatValidator/AttachmentFormatValidator.js
new file mode 100644
index 0000000000..79e7a24c51
--- /dev/null
+++ b/Server-Side Components/Business Rules/AttachmentFormatValidator/AttachmentFormatValidator.js
@@ -0,0 +1,26 @@
+(function executeRule(current, previous /*null when async*/ ) {
+
+ if (current.table_name == 'incident') {
+
+ // Fetch the file name of the uploaded attachment
+ var fileName = current.getValue('file_name');
+
+ // Fetch allowed extensions from system property (comma-separated, lowercase)
+ var allowedExtensions = gs.getProperty('attachment.format.allowedExtensions', 'pdf,docx,png,jpg')
+ .toLowerCase()
+ .split(',');
+
+ var fileExtension = '';
+ if (fileName && fileName.indexOf('.') !== -1) {
+ fileExtension = fileName.split('.').pop().toLowerCase();
+ }
+
+ // If file extension not allowed — prevent insert
+ if (allowedExtensions.indexOf(fileExtension) === -1) {
+ gs.addErrorMessage('File type "' + fileExtension + '" is not allowed. Allowed types: ' + allowedExtensions.join(', '));
+ gs.log('Attachment blocked: Disallowed file type "' + fileExtension + '" for table ' + current.table_name);
+ current.setAbortAction(true);
+ return false;
+ }
+ }
+})(current, previous);
diff --git a/Server-Side Components/Business Rules/AttachmentFormatValidator/Readme.md b/Server-Side Components/Business Rules/AttachmentFormatValidator/Readme.md
new file mode 100644
index 0000000000..5a260b2a0d
--- /dev/null
+++ b/Server-Side Components/Business Rules/AttachmentFormatValidator/Readme.md
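Review bot: The allow-list built at `.split(',')` is neither trimmed nor filtered, so a property value such as `pdf, docx` never matches `docx`, and a trailing comma or empty value leaves an empty entry that equals `fileExtension = ''`, which would let extensionless file names pass the check. Normalise the entries, e.g. `.split(',').map(function (e) { return e.trim(); }).filter(Boolean)`, and reject the empty extension explicitly with `if (!fileExtension || allowedExtensions.indexOf(fileExtension) === -1)`. The decision rests only on the uploader-supplied `file_name`, so a renamed file still passes; a comment stating that this is a naming policy rather than content validation would set the right expectation. The user-controlled extension is also concatenated unescaped into `gs.addErrorMessage` and `gs.log`; limiting it to `[a-z0-9]` before echoing it would avoid markup in the message or forged log lines, assuming the UI renders the message without escaping.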
@@ -0,0 +1,17 @@
+The validator runs automatically on the sys_attachment table during record creation and checks each file extension against an allowed list defined in a system property.
+If a file type is not allowed, the upload is blocked, the record creation is aborted, and a descriptive error is logged.
+**Key Features:**
+Server‑side enforcement (cannot be bypassed through APIs or imports).
+Configurable allowed file extensions through a single system property.
+Optional restriction to specific business tables.
+Lightweight validation for secure instance operation.
+**Functionality Summary**
+Each attachment upload triggers the Business Rule before insert.
+The file name and extension are extracted.
+Allowed file extensions are read from the system property attachment.format.allowedExtensions.
+The script checks whether the uploaded file complies with this configuration.
+If disallowed, the upload is rejected and a clear error message appears in the system log or UI.
+
+**Configuration**
+System Property
+attachment.format.allowedExtensions - Defines which file types users are allowed to upload - sample values : pdf,docx,xlsx,png,jpg