Microsoft Outlook to block more risky attachments used in attacks
Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month.
The company said on Monday in a Microsoft 365 Message Center update that Outlook will block .library-ms and .search-ms file types beginning in July.
“As part of our ongoing efforts to enhance security in Outlook Web and the New Outlook for Windows, we’re updating the default list of blocked file types in OwaMailboxPolicy,” Microsoft said. “Starting in early July 2025, the [.library-ms and .search-ms] file types will be added to the BlockedFileTypes list.”
Windows Library files (.library-ms), which define virtual collections of folders and files in the Windows file system, were used earlier this year in phishing attacks targeting government entities and private companies to exploit a Windows vulnerability (CVE-2025-24054) that exposes NTLM hashes.
The .search-ms URI protocol handler has also been exploited in phishing and malware attacks since at least June 2022, when Hacker House co-founder and security researcher Matthew Hickey found that it could be used to automatically launch Windows Search windows on recipients’ devices to trick them into launching malware when chained with a Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability (CVE-2022-30190).
“The newly blocked file types are rarely used, so most organizations will not be affected by the change. However, if your users are sending and receiving affected attachments, they will report that they are no longer able to open or download them in Outlook Web or the New Outlook for Windows,” the company added on Monday.
“No action is required if your organization does not rely on these file types. The update will automatically apply to all OWA Mailbox policies in your organization. If your organization needs to allow these file types, you can add them to the AllowedFileTypes property of your users’ OwaMailboxPolicy objects before the rollout.”
You can find the complete list of blocked Outlook attachments on Microsoft’s documentation website. Enterprise users with a Microsoft Exchange Server account can ask Exchange Server administrators to adjust security settings for their mailboxes to accept attachments blocked by Outlook if they can’t be shared as an archive, using a different extension, or using OneDrive or SharePoint.
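One way to check where each OWA mailbox policy stands on the two extensions before the rollout, as an added example that is not from Microsoft's notice or the original article. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) or the Exchange Management Shell; `Get-AttachmentListState` is a hypothetical helper name.

```powershell
# Added example: audit OWA mailbox policies for the two extensions named above.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline) or the
# Exchange Management Shell on-premises.
$extensions = '.library-ms', '.search-ms'

# Hypothetical helper: classify one extension against a policy's two lists.
function Get-AttachmentListState {
    param(
        [Parameter(Mandatory)] [string] $Extension,
        [string[]] $Allowed = @(),
        [string[]] $Blocked = @()
    )
    # -contains compares strings case-insensitively.
    # Per Microsoft's Set-OwaMailboxPolicy documentation, the allow list
    # overrides the block list when a type appears in both, so check it first.
    if ($Allowed -contains $Extension) { return 'Allowed' }
    if ($Blocked -contains $Extension) { return 'Blocked' }
    return 'Unlisted'
}

$report = foreach ($policy in Get-OwaMailboxPolicy) {
    foreach ($ext in $extensions) {
        [pscustomobject]@{
            Policy    = $policy.Name
            Extension = $ext
            State     = Get-AttachmentListState -Extension $ext `
                            -Allowed $policy.AllowedFileTypes `
                            -Blocked $policy.BlockedFileTypes
        }
    }
}
$report | Sort-Object State, Policy | Format-Table -AutoSize

# An 'Allowed' entry is the opt-in the notice describes; review any that were
# not added deliberately. To block ahead of the rollout on a given policy:
# Set-OwaMailboxPolicy -Identity '<policy name>' -BlockedFileTypes @{Add = $extensions}

# To remove an allow entry that the audit found:
# Set-OwaMailboxPolicy -Identity '<policy name>' -AllowedFileTypes @{Remove = '.library-ms'}

# To opt a policy in, as the notice describes:
# Set-OwaMailboxPolicy -Identity '<policy name>' -AllowedFileTypes @{Add = $extensions}
```

The `Set-OwaMailboxPolicy` lines are left commented out so the script only reads configuration unless an administrator chooses a change.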
This move is part of a much broader effort to remove or turn off Office and Windows features that have been abused and exploited to infect Microsoft customers with malware.
It started in 2018 when Microsoft expanded support for its Antimalware Scan Interface (AMSI) to Office 365 client apps to block attacks using Office VBA macros.
Since then, the company has started blocking VBA Office macros by default, disabled Excel 4.0 (XLM) macros, introduced XLM macro protection, and begun blocking untrusted XLL add-ins by default across Microsoft 365 tenants.
Microsoft also announced in May 2024 that it would kill off VBScript, and in April 2025 it disabled all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 applications.