As the company explained in a Microsoft 365 admin center message on Wednesday, Microsoft 365 will display a business bar warning of this upcoming change when opening workbooks containing external links to blocked file types, starting with Build 2509. Microsoft has announced that it will start disabling external workbook links to blocked file types by default between October 2025 and July 2026. Since the start of the year, the company has also added the .library-ms and .search-ms file types to the list of blocked Outlook attachments and started turning off all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 applications. Microsoft 365 admins who want to re-enable refreshing external links to blocked file types can edit the HKCU\Software\Microsoft\Office\<version>\Excel\Security\FileBlock\FileBlockExternalLinks registry key using the detailed instructions in this support document. After the rollout, Excel workbooks referencing blocked file types will display a #BLOCKED error or fail to refresh, eliminating security risks associated with accessing unsupported or high-risk file types, including, but not limited to, phishing attacks that utilize workbooks to redirect targets to malicious payloads. However, starting October 2025, the default behavior will block external links to file types currently blocked by the Trust Center," the company said. Since then, the company has started blocking VBA Office macros by default, introduced XLM macro protection, disabled Excel 4.0 (XLM) macros, announced that it would soon kill off VBScript, and begun blocking untrusted XLL add-ins by default across Microsoft 365 tenants. However, after updating to Build 2510, if the policy is unconfigured, users will no longer be able to refresh or create new references to blocked file types.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 31 Jul 2025 18:30:28 +0000