Microsoft has updated File Explorer to automatically block file previews for items downloaded from the internet, aiming to prevent credential theft via malicious documents.
The feature, active after the October 2025 security update, disables previews for files marked with โMark of the Webโ or accessed from other places on the Internet.
This change protects against NTLM hash leaks that can occur when previewing compromised files, though users can manually unblock trusted items if needed.
This update addresses a security flaw that could expose NTLM hashes when users preview files containing HTML elements likeย <link>ย orย <src>ย that connect to external resources. Attackers could exploit this behavior in File Explorerโs preview pane to intercept authentication data and steal user credentials.
Table Of Contents
Coming with October 2025 Update
Starting with the October 2025 Windows security update, File Explorer will now display a warning message in the preview pane for certain files:
โThe file you are attempting to preview could harm your computer. If you trust the file and the source you received it from, open it to view its contents.โ
This message appears for files tagged with theย Mark of the Web (MotW), indicating they were downloaded from the internetโor those accessed from an Internet Zone file share. The update is designed to enhance user protection by restricting previews of potentially unsafe files.
How to Disable This?
If you trust the file and its origin, Windows allows you to remove the Internet security block. To do this for a downloaded file, right-click it in File Explorer, chooseย Properties, and selectย Unblock.
Note that this change may not apply instantly, it becomes active after your next login.
For files stored on an Internet Zone network share, open theย Internet Optionsย control panel, go to theย Securityย tab, and add the file shareโs address to theย Local intranetย orย Trusted sites zone.
However, keep in mind that doing this reduces security for all files from that source, so it should only be used for trusted locations.
