Microsoft Disables File Explorer Preview for Downloaded Files to Mitigate NTLM Theft Attacks

First reported

23.10.2025 18:57

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

Microsoft has disabled the File Explorer preview feature for files downloaded from the Internet. This change aims to block credential theft attacks that exploit vulnerabilities in the preview functionality. The update is live for Windows 11 and Windows Server systems that have installed the October 2025 Patch Tuesday updates. The new security measure prevents attackers from obtaining NTLM hashes when users preview files containing malicious HTML tags. This attack vector does not require user interaction beyond selecting a file to preview, making it a significant security risk. Users can manually remove the Internet security block for trusted files or configure specific file shares to bypass the preview restriction.

Timeline

23.10.2025 18:57 1 articles · 23h ago

Microsoft Disables File Explorer Preview for Downloaded Files
Starting with the October 2025 Patch Tuesday updates, Microsoft has disabled the File Explorer preview feature for files downloaded from the Internet. This change aims to block credential theft attacks that exploit vulnerabilities in the preview functionality. The update is live for Windows 11 and Windows Server systems and affects files marked with the Mark of the Web (MotW) and those viewed on an Internet Zone file share.
Show sources

Microsoft disables File Explorer preview for downloads to block attacks — www.bleepingcomputer.com — 23.10.2025 18:57
Open in new tab

Information Snippets

The File Explorer preview feature is disabled by default for files marked with the Mark of the Web (MotW).
First reported: 23.10.2025 18:57

1 source, 1 article
Show sources
- Microsoft disables File Explorer preview for downloads to block attacks — www.bleepingcomputer.com — 23.10.2025 18:57
The update applies to Windows 11 and Windows Server systems that have installed the October 2025 Patch Tuesday updates.
First reported: 23.10.2025 18:57

1 source, 1 article
Show sources
- Microsoft disables File Explorer preview for downloads to block attacks — www.bleepingcomputer.com — 23.10.2025 18:57
The change blocks attackers from exploiting vulnerabilities that allow NTLM hash theft via HTML tags in previewed files.
First reported: 23.10.2025 18:57

1 source, 1 article
Show sources
- Microsoft disables File Explorer preview for downloads to block attacks — www.bleepingcomputer.com — 23.10.2025 18:57
Users can manually unblock trusted files or configure specific file shares to bypass the preview restriction.
First reported: 23.10.2025 18:57

1 source, 1 article
Show sources
- Microsoft disables File Explorer preview for downloads to block attacks — www.bleepingcomputer.com — 23.10.2025 18:57