Microsoft has disabled File Explorer's preview function for files downloaded from the internet to prevent credential theft attacks through malicious documents, with the change now active for users who installed October 2025 Patch Tuesday security updates on Windows 11 and Windows Server systems.
Microsoft implemented a security change that automatically disables preview functionality in File Explorer for files downloaded from the internet. The protection applies to files viewed on an Internet Zone file share and those marked with the Mark of the Web (MotW), which indicates they were downloaded using a web browser, received as email attachments, or obtained from other internet sources. When users attempt to preview such files, the File Explorer preview pane displays a warning message stating, "The file you are attempting to preview could harm your computer. If you trust the file and the source you received it from, open it to view its contents." The change is automatically enabled for users who installed Windows security updates released on or after October 14, 2025.
The security update targets a specific vulnerability that allows threat actors to obtain NTLM hashes when users preview files containing HTML tags (such as <link>, <src>, and similar tags) that reference external paths on attacker-controlled servers. This attack vector is dangerous because it requires no user interaction beyond selecting a file to preview, eliminating the need for attackers to trick targets into opening or executing the file on their system.
Microsoft stated in a support document published Wednesday that "starting with Windows security updates released on and after October 14, 2025, File Explorer automatically disables the preview feature for files downloaded from the internet."
Microsoft further explained that "this change is designed to enhance security by preventing a vulnerability that could leak NTLM hashes when users preview potentially unsafe files."
NTLM (NT LAN Manager) hashes are credential tokens used in Windows authentication systems. When attackers obtain these hashes, they can use them to impersonate users and gain unauthorized access to systems and networks. The Mark of the Web (MotW) is a security feature that Windows uses to identify files originating from the internet, helping the operating system apply appropriate security restrictions to potentially untrusted content.
This security update addresses a vulnerability that represents a zero-click attack vector, one that requires virtually no user action beyond the task of selecting a file. The elimination of preview-based NTLM hash theft is significant because these attacks exploit normal user behavior rather than relying on social engineering tactics. By blocking this attack pathway, Microsoft is closing a gap that could allow attackers to harvest credentials simply by convincing users to download malicious files, without needing them to execute anything. This is important in healthcare and enterprise environments where shared file systems and email attachments are common, and where credential theft can lead to broader network compromise and potential data breaches.
For most users, no action is required since the protection is enabled automatically with the October 2025 security update, and existing workflows remain unaffected unless you regularly preview downloaded files. If you need to preview a trusted file from a known source, you can manually remove the Internet security block by right-clicking the file in File Explorer, selecting Properties, and clicking the "Unblock" button at the bottom of the General tab. However, this may not take effect immediately and could require signing out and signing back in. Organizations should consider keeping this protection enabled to prevent credential theft attacks that require minimal user interaction.
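Before unblocking anything, it helps to see which files actually carry the Mark of the Web and where they came from. The following PowerShell function is an added example, not Microsoft's code or part of the original article; it assumes an NTFS volume, where MotW is stored in the `Zone.Identifier` alternate data stream, and the function name `Get-MotwReport` and the sample path are hypothetical.

```powershell
# Added example: list files that carry Mark of the Web (MotW) in a folder.
# Assumption: NTFS volume; MotW lives in the "Zone.Identifier" alternate data stream.
function Get-MotwReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,   # folder to audit
        [switch]$Recurse                       # include subfolders
    )
    # Standard Windows URL security zones; ZoneId 3 is the Internet zone.
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet';      4 = 'Restricted sites' }

    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse | ForEach-Object {
        # Yields $null when the file has no Zone.Identifier stream (no MotW).
        $ads = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' `
                           -ErrorAction SilentlyContinue
        if ($null -eq $ads) { return }         # skip to the next file

        # The stream is INI-style text: [ZoneTransfer], ZoneId=3, HostUrl=...
        $fields = @{}
        foreach ($line in $ads) {
            if ($line -match '^\s*([^=\[]+?)\s*=\s*(.*)$') {
                $fields[$Matches[1]] = $Matches[2]
            }
        }

        # TryParse writes 0 on failure, so map a missing/invalid ZoneId to -1.
        $zone = 0
        if (-not [int]::TryParse([string]$fields['ZoneId'], [ref]$zone)) { $zone = -1 }

        [pscustomobject]@{
            File        = $_.FullName
            ZoneId      = $zone
            Zone        = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { 'Unknown' }
            HostUrl     = $fields['HostUrl']       # download URL, when the browser recorded it
            ReferrerUrl = $fields['ReferrerUrl']   # referring page, when recorded
        }
    }
}

# Review the Downloads folder, highest-risk zones first.
Get-MotwReport -Path "$env:USERPROFILE\Downloads" |
    Sort-Object ZoneId -Descending | Format-Table -AutoSize

# After vetting one file and its source, remove its MotW (same effect as the
# Properties > Unblock button). The path below is a constructed placeholder.
# Unblock-File -LiteralPath 'C:\Users\example\Downloads\vetted-report.pdf'
```

The `HostUrl` and `ReferrerUrl` columns give a quick way to confirm a file's origin before unblocking it; files with no row in the report carry no MotW and are not affected by the preview change.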
Microsoft disabled the preview to prevent attackers from stealing NTLM hashes through malicious file previews.
The change affects files marked with the Mark of the Web (MotW), including those downloaded from browsers or received via email attachments.
The change became active with the October 2025 Patch Tuesday security updates.
The Mark of the Web is a Windows feature that flags files originating from the internet as potentially unsafe.
Attackers embedded HTML tags in documents that automatically leaked NTLM hashes when previewed.