Microsoft says that the File Explorer (previously Home windows Explorer) now robotically blocks previews for recordsdata downloaded from the Web to dam credential theft assaults through malicious paperwork.
The change is already reside for customers who’ve put in this month’s Patch Tuesday safety updates on Home windows 11 and Home windows Server techniques.
As Redmond explains in a help doc revealed this Wednesday, the preview performance might be disabled by default just for recordsdata considered on an Web Zone file share and people marked with the Mark of the Net (MotW), which exhibits that they have been downloaded utilizing an online browser, obtained as e mail attachments, and obtained from different web sources.
When trying to preview such recordsdata, the File Explorer preview pane will show a warning message saying “The file you are trying to preview may hurt your laptop. Should you belief the file and the supply you obtained it from, open it to view its contents.”
After putting in Home windows safety updates launched after October 2025, this modification will block risk actors from exploiting vulnerabilities that enable them to acquire NTLM hashes when customers preview recordsdata containing HTML tags (equivalent to ,
This assault vector is especially regarding as a result of it requires no person interplay past choosing a file to preview and removes the necessity to trick a goal into truly opening or executing it on their system.
“Beginning with Home windows safety updates launched on and after October 14, 2025, File Explorer robotically disables the preview characteristic for recordsdata downloaded from the web,” Microsoft says in a help doc revealed this Wednesday.
“This variation is designed to boost safety by stopping a vulnerability that might leak NTLM hashes when customers preview probably unsafe recordsdata.”
For many customers, no motion is required for the reason that safety is enabled robotically with the October 2025 safety replace, and current workflows stay unaffected except you usually preview downloaded recordsdata.
If you could preview a trusted file from a recognized supply, you possibly can manually take away the Web safety block. To try this, right-click the file in File Explorer, choose Properties, and click on the “Unblock” button on the backside of the Basic tab.
Nevertheless, it is necessary to notice that this will likely not take impact instantly and will require signing out and signing again in.
The preview block may also be eliminated for all recordsdata on an Web Zone file share by utilizing the Web Choices management panel’s Safety tab so as to add the file share’s handle to the Trusted websites or the Native intranet safety zone.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration traits.
