News

Microsoft disables previews for files downloaded from the internet

HackMag4610

The developers have disabled the preview feature in File Explorer (formerly Windows Explorer) for files downloaded from the internet. Now previews are automatically blocked to prevent credential theft via malicious documents.

The change has already taken effect for users who have installed the October updates for Windows 11 and Windows Server.

As the company explains, the preview feature is disabled by default only for files from network folders that Windows classifies as external (Internet zone), and for files that have the Mark of the Web (MotW), which indicates that the file was downloaded via a browser, received as an email attachment, and so on.

When you try to preview such a file, the preview pane will display a warning: “The file you’re trying to preview might harm your computer. If you trust the file and the source you got it from, open it to view its contents.”

This safeguard is designed to prevent attackers from exploiting vulnerabilities that allow the extraction of NTLM hashes when users view files containing HTML tags (such as <link>, <src>, and others) that reference external paths on attackers’ servers.

This attack vector requires virtually no user interaction beyond selecting a file for preview, and eliminates the need to trick the victim into opening or executing a file on the system.

“Starting with Windows updates released on October 14, 2025 and later, File Explorer will automatically disable the preview feature for files downloaded from the internet,” Microsoft reports. “This change is intended to improve security by preventing exploitation of a vulnerability that could lead to NTLM hash leakage when previewing potentially unsafe files.”

If necessary, you can manually remove the block for an individual file. To do this, right-click the file in File Explorer, select Properties, and click the Unblock button at the bottom of the General tab.

You can also disable the blocking for an entire network folder at once by adding its address to Trusted sites via Internet Options in the Windows Control Panel (Security tab).

it? Share:
23.04.2025 —
Improper authentication control vulnerability affects ASUS routers with AiCloud
24.03.2025 —
Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
09.02.2025 —
Abandoned AWS S3 buckets could be used in attacks targeting supply chains
07.02.2025 —
768 vulnerabilities were exploited by hackers in 2024
28.02.2025 —
Qualcomm extends support for Android devices to 8 years
27.01.2025 —
YouTube plays hour-long ads to users with ad blockers
24.01.2025 —
Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
28.03.2025 —
Zero-day vulnerability in Windows results in NTLM hash leaks
30.04.2025 —
Coinbase fixes 2FA bug that made customers panic
20.03.2025 —
8,000 vulnerabilities identified in WordPress ecosystem in 2024
01.06.2022 —
Quarrel on the heap. Heap exploitation on a vulnerable SOAP server in Linux
15.02.2022 —
First contact: How hackers steal money from bank cards
13.01.2022 —
Bug in Laravel. Disassembling an exploit that allows RCE in a popular PHP framework
15.02.2022 —
EVE-NG: Building a cyberpolygon for hacking experiments
11.01.2022 —
Persistence cheatsheet. How to establish persistence on the target host and detect a compromise of your own system
01.06.2022 —
F#ck AMSI! How to bypass Antimalware Scan Interface and infect Windows
21.02.2023 —
Pivoting District: GRE Pivoting over network equipment
12.01.2022 —
First contact. Attacks against contactless cards
20.07.2023 —
Evil modem. Establishing a foothold in the attacked system with a USB modem
09.02.2022 —
First contact: An introduction to credit card security