Outlook users are about to get a new layer of email security as Microsoft expands its efforts to shield users from sophisticated attack vectors. In July, Microsoft will block two additional file attachment types, .library-ms and .search-ms, within Outlook by adding them to the OwaMailboxPolicy blocklist. The move affects only a niche segment of workflows, but it reflects a sustained campaign to outpace cybercriminal tactics that exploit overlooked corners of the Windows and Office environments.

A Targeted Security Upgrade

The .library-ms and .search-ms file types have flown below the radar for most organizations, as they are rarely used in mainstream business processes. Yet their unique characteristics have made them potential weapons in the hands of adversaries. Microsoft’s latest blocklist expansion, announced on its security blog and covered by outlets such as Techzine.eu, aims to close off pathways used by several high-profile vulnerabilities and attack techniques.

The .library-ms Threat: Credential Theft

The .library-ms (Windows Library Description) file type came to security researchers’ attention earlier this year when Symantec (now part of Broadcom) documented an exploit leveraging a newly disclosed Windows vulnerability, cataloged as CVE-2025-24054. The vulnerability could allow a malicious .library-ms file to trigger the exfiltration of NTLM hashes, the cryptographic representations of user passwords used in many Windows authentication scenarios. Once an attacker holds these hashes, they can launch further attacks, including pass-the-hash exploits or brute-force attempts to crack the passwords, gaining a potential foothold for lateral movement or privilege escalation.
Symantec’s February 2025 advisory traced real threats in which such files were delivered to victims, often via phishing emails masquerading as trusted correspondence. According to the advisory, successful exploitation could open the door to a variety of malware infections, data breaches, and continued network compromise. In this context, Microsoft’s decision to block .library-ms files by default in Outlook is no mere precaution: it is a direct response to a proven attack trend.

.search-ms: The Persistent Protocol Problem

Meanwhile, the .search-ms file type, associated with the Windows Search URI protocol handler, has been a known concern since at least June 2022. Originally intended to let users open custom search windows from hyperlinks, the .search-ms handler inadvertently let attackers craft malicious files that, once opened, run arbitrary searches on a victim’s machine.
The real risk surfaced when adversaries combined this technique with another notorious exploit, CVE-2022-30190. This vulnerability, better known as the “Follina” bug, exposed the Windows Support Diagnostic Tool (MSDT) to remote code execution through maliciously crafted Office documents. The combination let attackers use .search-ms files as both delivery system and trigger for serious system compromise, all with minimal user interaction.

Limited Organizational Impact, But Not Zero

Microsoft’s decision to add .library-ms and .search-ms to Outlook’s dangerous file type blocklist should cause minimal operational disruption for most organizations. These file types are almost never a legitimate part of everyday email workflows. Nevertheless, a subset of enterprise users, often those with highly customized workflows or legacy applications, may still rely on them.
Recognizing this, Microsoft has built configurability into the policy. Administrators can add these extensions to the AllowedFileTypes property of the OwaMailboxPolicy if business-critical scenarios require them. This can be done ahead of the update roll-out, preserving business continuity while the overall security posture tightens.
Administrators of on-premises Exchange Server accounts have similar options. If collaboration genuinely depends on these attachments, alternatives exist: using compressed archives (zip files), renaming files to less risky extensions, or exchanging materials via enterprise cloud platforms such as OneDrive or SharePoint, which have their own robust scanning mechanisms.
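The policy work described above can be scripted so that the change is audited and staged before Microsoft’s July roll-out rather than discovered afterwards. The following PowerShell is an added example written for this article, not Microsoft’s own guidance or code. It assumes an existing Exchange Online PowerShell session (the ExchangeOnlineManagement module’s Connect-ExchangeOnline has already been run) and uses the real Get-OwaMailboxPolicy and Set-OwaMailboxPolicy cmdlets; the assumption that an entry in BlockedFileTypes takes precedence over the same entry in AllowedFileTypes is stated as such in the comments, and the function names are the example’s own.

```powershell
# Added example (not from the article or from Microsoft): audit every OWA
# mailbox policy for the two extensions Outlook will block in July, stage the
# block ahead of time, and record any deliberate business exception.
# Assumes Connect-ExchangeOnline has already been run in this session.

$NewlyBlocked = @('.library-ms', '.search-ms')

# Report, per policy and per extension, whether it is currently blocked or
# allowed. Exchange stores these lists with a leading dot, so compare as-is.
function Get-AttachmentPolicyState {
    param([string[]]$Extensions = $NewlyBlocked)
    foreach ($policy in Get-OwaMailboxPolicy) {
        foreach ($ext in $Extensions) {
            [pscustomobject]@{
                Policy    = $policy.Identity
                Extension = $ext
                Blocked   = [bool]($policy.BlockedFileTypes -contains $ext)
                Allowed   = [bool]($policy.AllowedFileTypes -contains $ext)
            }
        }
    }
}

# Stage the July behaviour now: put each extension on BlockedFileTypes and take
# it off AllowedFileTypes so no stale allow entry survives. -WhatIf previews.
function Set-AttachmentBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Extensions = $NewlyBlocked)
    foreach ($state in Get-AttachmentPolicyState -Extensions $Extensions) {
        if ($state.Blocked -and -not $state.Allowed) { continue }   # already hardened
        if ($PSCmdlet.ShouldProcess($state.Policy, "block $($state.Extension)")) {
            $args = @{ Identity = $state.Policy }
            if (-not $state.Blocked) { $args.BlockedFileTypes = @{ Add = $state.Extension } }
            if ($state.Allowed)      { $args.AllowedFileTypes = @{ Remove = $state.Extension } }
            Set-OwaMailboxPolicy @args
        }
    }
}

# Deliberate exception for one policy only, with a written justification that
# is logged so the exception can be audited and reviewed later.
# Assumption: a blocked entry wins over an allowed one, so the extension is
# removed from BlockedFileTypes as well as added to AllowedFileTypes.
function Grant-AttachmentException {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][ValidateSet('.library-ms', '.search-ms')][string]$Extension,
        [Parameter(Mandatory)][string]$Justification,
        [string]$LogPath = "$env:TEMP\owa-attachment-exceptions.log"   # hypothetical path
    )
    if ($PSCmdlet.ShouldProcess($Policy, "allow $Extension")) {
        Set-OwaMailboxPolicy -Identity $Policy `
            -AllowedFileTypes @{ Add = $Extension } `
            -BlockedFileTypes @{ Remove = $Extension }
        "$(Get-Date -Format o)`t$env:USERNAME`t$Policy`t$Extension`t$Justification" |
            Add-Content -Path $LogPath
    }
}

# Typical use: review first, then harden every policy, then grant exceptions
# only where a reviewed business case exists.
Get-AttachmentPolicyState | Format-Table -AutoSize
Set-AttachmentBlock -WhatIf
# Grant-AttachmentException -Policy 'OwaMailboxPolicy-Default' -Extension '.library-ms' `
#     -Justification 'Ticket placeholder: legacy library sync workflow, reviewed by security'
```

Running Get-AttachmentPolicyState before and after the change gives a simple before/after record for the audit trail, and keeping exceptions in their own function with a mandatory justification makes the later review the article recommends a matter of reading one log file rather than diffing policy objects.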

The Bigger Picture: Microsoft’s Evolving Security Stack

Microsoft’s attachment filtering is just one thread in a broader tapestry of Outlook and Office 365 security enhancements, each designed to minimize the attack surface as cyber threats continue to grow in complexity.

AMSI: Proactive Malware and Script Detection

In 2018, Microsoft began integrating the Antimalware Scan Interface (AMSI), first introduced with Windows 10, into all Office 365 applications. AMSI lets Office programs hand scripts and content, including suspicious attachments and macros, to the installed antimalware engine for real-time analysis using both signature-based and behavioral detection. This detection layer has proved effective at catching phishing campaigns and malware that would otherwise evade traditional antivirus, as documented in both Microsoft’s own research and third-party reports.
With AMSI protection enabled in Outlook, email-borne threats carrying malicious scripts, whether masquerading as trusted macros or hidden inside uncommon file types, face an increasingly hostile environment.

Macros, Add-ins, and Legacy Extensions: A Security Lockdown

Attacks leveraging macros, small pieces of code that automate repetitive tasks, have been a staple of phishing campaigns for decades. In response, Microsoft has steadily tightened its policies:
  • By default, Office 365 now blocks VBA macro execution in files downloaded from the internet unless administrators explicitly allow it.
  • Excel 4.0 (XLM) macros, an old and potentially dangerous scripting legacy, are disabled system-wide unless specifically enabled in trusted environments.
  • Microsoft further extended protection by blocking untrusted XLL add-ins, a format often misused to smuggle code into Excel.
  • XLM macro protection is now a standard safeguard across the Microsoft 365 product suite.

Discontinuing Old Attack Vectors: VBScript and ActiveX

In May 2024, Microsoft announced a major policy change: VBScript, a scripting language with a storied past in both legitimate automation and notorious malware, will be discontinued in future Office and Windows versions. Simultaneously, ActiveX controls, once a staple of Office documents and browser plugins but long recognized as a critical security weakness, will be disabled by default in all relevant Microsoft 365 and Office 2024 builds starting in April 2025.
These steps show Microsoft’s recognition that such legacy features are now more valuable to attackers than to modern business users, and that reducing the attack surface sometimes means breaking with historical compatibility.

Critical Analysis: Strengths and Potential Consequences

Strengths

Layered Defense Through Default Denial

Microsoft’s layered approach, in which rarely used but potentially dangerous file types are blocked by default, is crucial. By restricting risky formats up front, phishing campaigns that rely on social engineering and overlooked file types are short-circuited before they reach end users. Default-deny, especially for attachment types with demonstrated exploitability, is a cornerstone of effective enterprise cybersecurity.

Responsive to Real-World Threats

The decision to block .library-ms and .search-ms is not arbitrary but anchored in real-world attack telemetry. Microsoft and external partners such as Symantec have observed exploitation in the wild, so these changes are preventative rather than merely theoretical.

Customizable Security Policies

By allowing admins to revise blocklists through OwaMailboxPolicy and related tools, Microsoft strikes a balance between security and business flexibility. Organizations with valid use cases are not left stranded, provided they understand and manage the risks of each exception.

Proactive Vulnerability Mitigation

Moves such as the discontinuation of VBScript and the default disabling of ActiveX controls point to a proactive, forward-looking approach. Instead of waiting for the next zero-day exploit, Microsoft is systematically shrinking the window of opportunity for attackers.

Potential Risks and Limitations

Workflow Disruption for Niche Use Cases

While most users will not notice the new attachment restrictions, organizations with bespoke workflows or specialized integrations could face unexpected hurdles. If communication or automated data transfer relies on these formats, a policy change applied at the last minute without proper review could interrupt operations.

Admin Overhead and Policy Management

More granular control inevitably brings extra administrative overhead. Security teams must know which file types are blocked, communicate upcoming changes to users, and audit exceptions to ensure they are not quietly reintroducing risk.

Attack Vector Shifts

Blocking specific attachment types often prompts attackers to adapt. They may shift to other, less conspicuous channels such as macro-embedded attachments, PDF exploits, or direct cloud-based phishing. Security is perpetually reactive: today’s measures address present threats, and tomorrow’s techniques will demand new responses.

False Security Perceptions

Organizations can also, without intending to, develop a false sense of security, believing that Outlook’s built-in protections relieve them of the need for layered defense elsewhere. The new blocks, while valuable, are no substitute for comprehensive endpoint protection, user training, or regular patching.

Verification and Source Integrity

The details of the new Outlook blocklist are corroborated by Microsoft’s Security Blog, Techzine.eu, and whitepapers issued by Broadcom/Symantec. Reports dating back to June 2022 show active exploitation of the .search-ms protocol handler, consistent with Microsoft’s rationale for broadening its attachment controls. Multiple independent cybersecurity studies and advisories underscore the efficacy of AMSI and the need to disable legacy scripting and automation features to reduce attack surface. As with all fast-moving security topics, however, organizations should monitor Microsoft’s own site and trusted infosec outlets for updated advisories and implementation timelines.

Outlook for Microsoft’s Security-First Email Strategy

The latest updates to Outlook’s attachment handling are emblematic of a wider industry trend: major vendors are taking more direct responsibility for user protection by default, rather than assuming end users or IT pros will spot every threat. By methodically eliminating avenues used in modern phishing and malware campaigns, especially those involving obscure Windows features, Microsoft is not only protecting its vast user base but also setting a model for cloud-native application security.
In the face of increasingly clever adversaries, security is a moving target. Each round of policy tightening breeds innovation among both defenders and attackers. Still, the message is clear: as legacy threats fade and new ones emerge, Microsoft is willing to trade a little potential disruption for a great deal more peace of mind. For most organizations, especially those with a robust IT governance structure, the incremental inconvenience is a small price to pay for preventing even one major breach.
As the July update approaches, enterprises are urged to review their current file-handling workflows, tell end users about the changes, and ensure that any necessary exemptions are implemented with a full understanding of the risks. The larger lesson is undeniable: in a world of constantly evolving threats, the only truly obsolete strategy is assuming yesterday’s protections will blunt tomorrow’s attacks. With each new block, Outlook grows not only more secure but more resilient, an essential trait for the future of workplace communications.

Source: techzine.eu Microsoft makes Outlook safer with more attachment blocking