Microsoft has rolled out a significant security enhancement to Windows File Explorer, automatically disabling the preview pane for files downloaded from the internet as part of security updates released on and after October 14, 2025.
This proactive measure targets a long-standing vulnerability that attackers have exploited to harvest NTLM hashes and sensitive credentials used for network authentication, potentially enabling lateral movement or full account takeovers.
The Vulnerability Behind the Update
The vulnerability stems from how Windows previews files containing HTML elements like or
When users preview such malicious files in File Explorer, these embedded elements can trigger unauthorized network requests that expose users’ NTLM hashes to attackers.
This technique has become a go-to attack vector in phishing and malware campaigns targeting Windows environments, particularly where NTLMv2 weaknesses persist despite industry pushes toward modern authentication methods like Kerberos.
By defaulting to a cautious approach, Microsoft is prioritizing security without requiring manual user intervention a welcome shift in an increasingly hostile threat landscape dominated by sophisticated credential theft campaigns.
The new behavior relies on the “Mark of the Web” (MotW) attribute, which Windows automatically applies to files from untrusted sources such as the internet or internet-zone file shares.
Once tagged, these files will not display previews in File Explorer. Instead, users encounter a clear warning message: “The file you are attempting to preview could harm your computer. If you trust the file and the source from which you received it, you may open it to view its contents.”
For most users, this represents a minor workflow adjustment. Previews remain disabled only for potentially risky files, while local documents and trusted shares function normally.
The protection activates automatically post-update without requiring additional configuration. IT administrators and power users benefit from the enterprise-wide reduction in attack surface, particularly in environments where legacy authentication protocols remain in use.
If you need to preview a trusted download, the process remains straightforward but intentionally deliberate.
Right-click the file in File Explorer, select Properties, and check the “Unblock” box changes may not apply until your next login.
For entire file shares in internet zones, navigate to Internet Options in Control Panel, access the Security tab, and add the share’s address to the Local Intranet or Trusted Sites zone.
Exercise caution with this approach, as it lowers defenses for all files from that source.
Microsoft’s official guidance emphasizes trusting files only from known origins, positioning this update as mitigation rather than complete risk elimination.
As cyber threats continue evolving, such incremental security refinements help maintain Windows resilience without overcomplicating everyday workflows, demonstrating Microsoft’s commitment to balancing security with user experience.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
