Microsoft has disabled the File Explorer preview feature for files downloaded from the internet as a new security measure. This change, included in the October 2025 Patch Tuesday updates for Windows 11 and Server, automatically blocks previews for any file marked with the "Mark of the Web." When a user attempts to preview such a file, a warning message is displayed instead.
The update is designed to prevent a specific attack where malicious documents containing HTML tags could steal a user's NTLM authentication hashes simply by being previewed. This technique is particularly dangerous as it requires no further interaction from the user beyond selecting the file. For most users, this protection is automatic and requires no configuration.
If a user needs to preview a file they trust, they can manually unblock it via the file's Properties menu, though a sign-out may be required for the change to take effect. Alternatively, administrators can adjust security zone settings to allow previews for specific trusted network shares. This proactive measure aims to close a stealthy credential theft vector that has been exploited by attackers.
Read more...