Microsoft Increases Security by Blocking More File Types in Outlook and Outlook Web

Microsoft has announced that it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting in July. The services will prevent the use of .library-ms and .search-ms file types.

"In our ongoing efforts to enhance security in Outlook Web and the new Outlook for Windows, we are updating the default list of blocked file types in OwaMailboxPolicy. Beginning in early July 2025, the file types [.library-ms and .search-ms] will be added to the BlockedFileTypes list," stated Microsoft.

Windows library files (.library-ms), which define virtual collections of folders and files in the Windows file system, have been exploited in phishing attacks targeting government entities and businesses earlier this year. These attacks utilized a Windows vulnerability (CVE-2025-24054) that exposes NTLM hashes.

The .search-ms URI protocol handler has also been utilized in phishing and malicious attacks at least since June 2022. At that time, Matthew Hickey, co-founder of Hacker House and a security researcher, discovered that this handler could be used to automatically launch Windows search windows on recipients’ devices, tricking them into executing malware by exploiting a Windows Support Diagnostic Tool remote code execution vulnerability (CVE-2022-30190).

"The newly blocked file types are rarely used, so most organizations will not be adversely affected by this change. The update will automatically apply to all OWA mailbox policies within your organization. If you need to permit these file types, you can add them to the AllowedFileTypes property of your users' OwaMailboxPolicy before deployment," Microsoft added.

A comprehensive list of blocked attachments in Outlook can be found in Microsoft's documentation. Corporate users with a Microsoft Exchange Server account may ask their Exchange Server administrators to adjust the security settings for their mailboxes so that attachments blocked by Outlook are allowed, provided the files are not sent as archives, with different extensions, or through OneDrive or SharePoint.
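One way to check where each OWA mailbox policy stands on the two extensions, as an added example that is not code from Microsoft or from this article. It assumes an Exchange Online PowerShell session already opened with Connect-ExchangeOnline, and the remediation step runs with -WhatIf so it only previews changes.

```powershell
# Added example: audit OwaMailboxPolicy objects for the extensions named in the article.
# Assumption: an Exchange Online PowerShell session is already connected.
$targets = '.library-ms', '.search-ms'

$report = foreach ($policy in Get-OwaMailboxPolicy) {
    foreach ($ext in $targets) {
        # -contains is case-insensitive, so '.Library-MS' would also match.
        $allowed = $policy.AllowedFileTypes -contains $ext
        $blocked = $policy.BlockedFileTypes -contains $ext
        [pscustomobject]@{
            Policy    = $policy.Identity.ToString()
            Extension = $ext
            Allowed   = $allowed
            Blocked   = $blocked
            # An entry in AllowedFileTypes overrides the same entry in BlockedFileTypes,
            # so an allow-listed extension stays deliverable even after it is blocked.
            Effective = if ($allowed) { 'Allowed' } elseif ($blocked) { 'Blocked' } else { 'NotListed' }
        }
    }
}

# Review the current state before changing anything.
$report | Sort-Object Policy, Extension | Format-Table -AutoSize

# Preview the change that would move every non-blocked entry to the block list.
# Remove "WhatIf = $true" only after the preview matches what you intend.
foreach ($row in $report | Where-Object { $_.Effective -ne 'Blocked' }) {
    $change = @{ Identity = $row.Policy; WhatIf = $true }
    if ($row.Allowed)      { $change.AllowedFileTypes = @{ Remove = $row.Extension } }
    if (-not $row.Blocked) { $change.BlockedFileTypes = @{ Add = $row.Extension } }
    Set-OwaMailboxPolicy @change
}
```

Rows reported as Allowed are the ones to review first, since they mark policies where someone has explicitly opted back in to receiving these file types.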

In 2018, Microsoft expanded its Anti-Malware Scanning Interface (AMSI) for Office 365 client applications to block attacks involving Office VBA macros. Since then, the company has defaulted to blocking VBA macros in Office, disabled Excel 4.0 (XLM) macros, implemented XLM macro protection, and begun blocking untrusted XLL add-ins by default across all Microsoft 365 clients.

Moreover, in May 2024, Microsoft announced its plan to discontinue VBScript and disable all ActiveX controls in Microsoft 365 and Office 2024 applications for Windows.

In April 2025, reports indicated that Microsoft began disabling all ActiveX controls in Microsoft 365 and Office 2024 applications for Windows. ActiveX has been blocked in Word, Excel, PowerPoint, and Visio.