Oh, they do have that option, usually by default. And all reputable ISP's with mail servers block them too.
But some slip through, and users click on them.
Hell, nearly half of American voters vote for Democrats. You're surprised they click on malware too?
Outlook does, but AFAIK Thunderbird does not.
I wonder if this new malicious attachment really does have a jpg extension, or if the filename something like filename.jpg.exe.