Microsoft has introduced a significant enhancement to its File Explorer, previously known as Windows Explorer, aimed at bolstering user security against credential theft attacks. This update, which is now active for users who have installed the latest Patch Tuesday security updates on Windows 11 and Windows Server systems, automatically blocks previews for files downloaded from the Internet.
Enhanced Security Measures
According to a support document released by Microsoft, the preview functionality will be disabled by default for files accessed on an Internet Zone file share and those identified with the Mark of the Web (MotW). This marking indicates that the files have been downloaded via a web browser, received as email attachments, or sourced from various online platforms.
When users attempt to preview such files, the File Explorer preview pane will display a cautionary message: “The file you are attempting to preview could harm your computer. If you trust the file and the source you received it from, open it to view its contents.”
This proactive measure addresses vulnerabilities that could allow threat actors to capture NTLM hashes when users preview files containing HTML tags that reference external paths on malicious servers. The attack vector is notable because it requires minimal user interaction (merely selecting a file to preview), so an attacker does not need the user to open or execute the file.
Microsoft emphasizes that starting with the security updates released on and after October 14, 2025, File Explorer will automatically disable the preview feature for files downloaded from the internet. This adjustment is designed to enhance security by mitigating the risk of leaking NTLM hashes when users preview potentially unsafe files.
For the majority of users, no additional action is necessary, as the protection will be enabled automatically with the October 2025 security update. Existing workflows will remain largely unaffected unless users frequently preview downloaded files.
However, if users need to preview a trusted file from a known source, they can manually remove the Internet security block. This can be accomplished by right-clicking the file in File Explorer, selecting Properties, and clicking the “Unblock” button located at the bottom of the General tab. It is important to note that this action may not take effect immediately and could require users to sign out and back in.
Additionally, the preview block can be lifted for all files on an Internet Zone file share by navigating to the Internet Options control panel’s Security tab and adding the file share’s address to the Trusted sites or Local intranet security zone.
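The Mark of the Web described above is stored on NTFS as an alternate data stream named Zone.Identifier, and the Unblock button has a PowerShell counterpart in Unblock-File. The following is an added example, not code from Microsoft or the support document: it lists marked files in a folder and removes the mark from one file only after its SHA-256 matches a value obtained from the source. The helper names Get-MotwInfo and Unblock-VerifiedFile, the demo folder, and the sample URL are assumptions made for illustration.

```powershell
# Added example (not Microsoft's code). Needs Windows and an NTFS volume.
# Get-MotwInfo and Unblock-VerifiedFile are hypothetical helper names.

function Get-MotwInfo {
    # List files under $Path that carry a Zone.Identifier stream (the MotW).
    param([Parameter(Mandatory)][string]$Path)
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet'; 4 = 'Restricted sites' }
    foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse) {
        $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                   -ErrorAction SilentlyContinue
        if (-not $ads) { continue }   # no stream: the file is not marked
        $zoneId = -1; $hostUrl = $null
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
            if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
        }
        [pscustomobject]@{ File = $file.FullName; ZoneId = $zoneId
                           Zone = $zoneNames[$zoneId]; HostUrl = $hostUrl }
    }
}

function Unblock-VerifiedFile {
    # Remove the mark only when the file matches a SHA-256 obtained from the
    # source through a separate channel (an assumption of this example).
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ExpectedSha256)
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Warning "Hash mismatch, leaving the mark in place: $Path"
        return $false
    }
    Unblock-File -LiteralPath $Path   # deletes the Zone.Identifier stream
    return $true
}

# Constructed demo: create a marked file in a temp folder, inspect, unblock.
$dir = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$sample = Join-Path $dir 'report.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample content'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://downloads.example/report.txt')
# Stand-in for a hash published by the source; in practice it comes from them.
$known = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash

Get-MotwInfo -Path $dir | Format-Table -AutoSize    # shows ZoneId 3 (Internet)
Unblock-VerifiedFile -Path $sample -ExpectedSha256 $known | Out-Null
Get-MotwInfo -Path $dir                             # no rows: the mark is gone
```

As with the Unblock button, the preview pane may keep showing the warning until the user signs out and back in.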