As Microsoft continues its campaign to tighten security across its productivity platforms, Outlook users will soon notice new restrictions designed to combat sophisticated phishing attacks and malware infiltration attempts. Beginning July 2025, the company will expand the list of blocked file types in both Outlook Web Access and the new Outlook for Windows, specifically targeting rarely-used but increasingly-abused file formats: .library-ms and .search-ms. This proactive measure is a clear response to evolving cyber threats yet also highlights Microsoft's broader strategy to curtail the attack surface exploited by adversaries targeting enterprise and government users.

Expanding the Shield: Outlook’s New Blocked Attachments Policy

Microsoft’s update comes as part of its ongoing efforts to fortify the default security posture of Outlook clients. According to a recent announcement in the Microsoft 365 Message Center, the new policy will add Windows Library files (.library-ms) and Windows Search files (.search-ms) to the ever-growing BlockedFileTypes list within OwaMailboxPolicy. When the changes take effect in July 2025, users attempting to share or access these file types via Outlook Web or the new Outlook for Windows will find them blocked by default.
This tweak may appear minor at first glance—after all, neither file type is commonly exchanged by most users. However, the move adds another layer to Microsoft's multi-year initiative to preemptively close loopholes before they can be harnessed for widescale attacks.

What Are .library-ms and .search-ms Files?

Unfamiliar to many outside of IT and security circles, .library-ms files are essentially containers that define virtual collections of folders within the Windows file system. When opened, they direct Windows Explorer to display content aggregated from multiple locations on disk—a feature designed to improve workflow but which also holds significant potential for abuse when weaponized in phishing lures.
.search-ms files, meanwhile, are crafted to launch a Windows Search query. They leverage a URI protocol handler that directs Windows to display search results matching criteria embedded in the file. While benign in routine use, the protocol can be manipulated by attackers to open custom search results or payloads without user awareness, particularly if chained with other vulnerabilities.
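Because a .library-ms file is plain XML listing the locations Explorer will aggregate, a defender triaging a suspicious attachment mostly wants to know where those locations point before anyone opens it. The following PowerShell is an added example, not part of the original post or any Microsoft tooling: it parses a constructed sample library file (the UNC host 203.0.113.10 is a documentation address, not a real indicator) and classifies each location, flagging anything remote. The element names follow the standard library XML that Windows writes for its own Documents/Pictures libraries.

```powershell
# Added example: list and classify the locations a .library-ms file would open.
# The sample below is constructed for this demonstration; the UNC host is a
# documentation-range address, not a real indicator of compromise.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\203.0.113.10\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
'@

function Get-LibraryLocations {
    param([Parameter(Mandatory)][string]$LibraryXml)

    [xml]$doc = $LibraryXml
    # PowerShell's XML adapter ignores the default namespace, so dotted access works.
    $nodes = $doc.libraryDescription.searchConnectorDescriptionList.searchConnectorDescription

    foreach ($node in @($nodes)) {
        $url = [string]$node.simpleLocation.url
        [pscustomobject]@{
            Location = $url
            Kind     = $(switch -Regex ($url) {
                '^knownfolder:' { 'known folder' }   # shell-known local folder GUID
                '^[A-Za-z]:\\'  { 'local path' }     # fixed drive path
                '^\\\\'         { 'REMOTE (UNC)' }   # points off-box: review before opening
                default         { 'other' }
            })
        }
    }
}

# Usage: any row marked REMOTE deserves a closer look (and probably a block).
Get-LibraryLocations -LibraryXml $sample | Format-Table -AutoSize
```

To run it against a real attachment, replace `$sample` with `Get-Content -Raw .\suspect.library-ms`; the function never opens the library in Explorer, it only reads the XML.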

Recent Threats and High-Profile Exploits

Security researchers and Microsoft have flagged a growing pattern of attackers leveraging these file types in targeted phishing campaigns. Notably, earlier this year, .library-ms attachments were observed in attacks exploiting CVE-2025-24054—a Windows vulnerability exposing NTLM hashes, which can be harvested to escalate privileges or move laterally within an organization’s network. These campaigns specifically targeted government entities and private companies, making headline news among cybersecurity professionals.
The exploitation of .search-ms is even more storied. As far back as June 2022, security researcher Matthew Hickey of Hacker House demonstrated that the .search-ms protocol could be used to trigger automatic Windows Search popups on victim devices. In combination with the MSDT remote code execution flaw (CVE-2022-30190, colloquially known as “Follina”), adversaries could leverage the .search-ms handler to trick victims into running malware or opening booby-trapped documents. The result was a rise in malware campaigns that bypassed conventional email security filters by embedding attack logic in a file type rarely blocked by legacy systems.

Microsoft’s Rationale: The Risk vs. Utility Equation

In the face of these evolving threats, Microsoft’s decision to block .library-ms and .search-ms aligns with its measured approach to locking down features historically open or trusted by default. While the company freely admits that “the newly blocked file types are rarely used, so most organizations will not be affected by the change,” the logic is clear: reducing available entry points for attackers outweighs any inconvenience to a minority of power users or developers.
Organizations relying on these file types for legitimate workflows still have recourse. Microsoft’s guidance details steps to explicitly allow these extensions by adding them to the AllowedFileTypes property of OwaMailboxPolicy objects ahead of the rollout. Exchange Server administrators can similarly tweak mailbox security settings to override the new defaults where business needs dictate, though cybersecurity professionals may push back against exceptions without robust justification.
For the vast majority of organizations, however, no action is required—the update will propagate automatically and seamlessly across tenants, boosting protection with minimal disruption.
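For an organization that genuinely needs one of these extensions, the exception is a one-line change to the relevant OWA mailbox policy. The script below is an added example (not Microsoft's published guidance) using the Exchange Online PowerShell cmdlets Get-OwaMailboxPolicy and Set-OwaMailboxPolicy; the policy name OwaMailboxPolicy-Default is an assumption, so list your tenant's policies first. It shows the current state of both extensions, adds them to AllowedFileTypes, and confirms the result.

```powershell
# Added example: allow-list .library-ms and .search-ms on one OWA mailbox policy
# ahead of the July 2025 default. Assumes the ExchangeOnlineManagement module is
# installed and the signed-in account holds an Exchange administrator role.
Connect-ExchangeOnline -ShowBanner:$false

$extensions = @('.library-ms', '.search-ms')
$policyName = 'OwaMailboxPolicy-Default'   # assumed name; check Get-OwaMailboxPolicy

# Where do the extensions stand in this policy today?
$policy = Get-OwaMailboxPolicy -Identity $policyName
foreach ($ext in $extensions) {
    [pscustomobject]@{
        Extension = $ext
        Blocked   = [bool]($policy.BlockedFileTypes -contains $ext)
        Allowed   = [bool]($policy.AllowedFileTypes -contains $ext)
    }
}

# The allow list overrides the block list for the same extension, so adding
# here is sufficient; BlockedFileTypes is left untouched. @{Add=...} appends
# to the existing multi-valued list instead of replacing it.
Set-OwaMailboxPolicy -Identity $policyName -AllowedFileTypes @{Add = $extensions}

# Confirm the change and keep the output with the business justification.
(Get-OwaMailboxPolicy -Identity $policyName).AllowedFileTypes |
    Where-Object { $_ -in $extensions }

Disconnect-ExchangeOnline -Confirm:$false
```

Scope the exception to a dedicated policy assigned only to the mailboxes that need it (Set-CASMailbox -OwaMailboxPolicy) rather than widening the default policy for the whole tenant.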

Context: Microsoft’s Broader Security Initiative

This update to Outlook should be viewed not in isolation, but as part of a long-standing and escalating campaign by Microsoft to clamp down on Office and Windows “features” exploited by attackers. The battle began in earnest in 2018, when Redmond extended its Antimalware Scan Interface (AMSI) hooks to Office 365 clients, enabling real-time inspection for suspicious macro executions. The company quickly ramped up its interventions, blocking VBA (Visual Basic for Applications) macros from downloaded files by default—a controversial, but ultimately applauded move that stemmed an epidemic of macro-based malware.
Microsoft’s efforts didn’t stop there:
  • Excel 4.0 (XLM) Macros Disabled: Recognizing that attackers had pivoted to the even older XLM macro format, Microsoft disabled their execution by default and introduced protections across Microsoft 365.
  • Untrusted XLL Add-ins Blocked: Another common malware delivery vector was eliminated by prohibiting untrusted Excel add-ins across Microsoft tenants.
  • VBScript Retirement and ActiveX Controls Disabled: Announced in May 2024, Microsoft will end support for VBScript—a technology long viewed as a security liability. Additionally, as of April 2025, all ActiveX controls in Microsoft 365 and Office 2024 applications will be disabled by default, closing off yet another class of legacy attack vectors.
These incremental steps each target a specific technology, but together they represent a holistic approach: continuously demote high-risk features to “opt-in” status or eliminate them entirely, as their productive use cases shrink relative to their exploitation risk.

Enterprise Impact: Convenience vs. Control

While bolstering security always carries the risk of disrupting established workflows, Microsoft’s messaging seeks to reassure that the overwhelming majority of users—especially in enterprise environments—will not notice any functional change. Most organizations have already banned the exchange of executable or script-like files by email, either via technical controls or policy.
However, edge cases exist. Some specialized IT or development teams might use .library-ms or .search-ms for automation, testing, or support scenarios. For these teams, there are several mitigation pathways:
  • Archive Attachments: Blocking is circumvented if files are zipped or otherwise archived.
  • Alternate Extensions: Changing file extensions allows transit, though this introduces risk and should be implemented with caution.
  • Cloud Sharing: Moving to OneDrive or SharePoint sidesteps email restrictions entirely, leveraging file sharing services with integrated access controls and audit trails.
Administrators are, as always, encouraged to review which file types, if any, are essential to their business processes and to use Microsoft’s available tools for granular allow-listing if operational needs outweigh security risks.

Critical Analysis: Strengths and Shortcomings

Notable Strengths

1. Proactive Attack Surface Reduction
Microsoft’s stepwise elimination of dangerous file types, protocols, and legacy scripting languages is arguably the most effective way to thwart wide-scale exploitation. Each blocked vector is one less avenue for attackers to deliver payloads or escalate privileges. By defaulting to “most restrictive” and relying on opt-in exceptions, security is maximized without stifling innovation for those who truly need legacy features.
2. Granular Administrative Controls
For IT administrators, the ability to override baseline policies at the mailbox or tenant level is vital. Microsoft’s documentation supports nuanced exceptions for businesses with unique requirements, balancing organizational agility with collective safety. This approach also pushes organizations to critically evaluate legacy dependencies—a win for overall cyber hygiene.
3. Transparency and Communication
Public disclosure via the Microsoft 365 Message Center, clear timelines, and explicit documentation signal a commitment to transparency and collaborative risk mitigation. The company’s outreach to security researchers and rapid response to reported vulnerabilities demonstrates a positive feedback loop between industry and vendor.

Potential Risks and Weaknesses

1. False Sense of Security
Technical controls, while robust, are never foolproof. Blocking additional file types will inconvenience attackers in the short term, but history shows that threat actors rapidly pivot to new vectors. Organizations must resist the temptation to treat Microsoft’s latest hardening as a silver bullet and should maintain layered defenses including endpoint protection, user training, and vigilant incident response.
2. Shadow IT and Workarounds
Blocking attachments could incentivize users to skirt controls via personal email accounts or unsanctioned file sharing services, potentially exposing sensitive data to unmanaged platforms. Security training and usage monitoring are paramount to ensure that security improvements do not backfire by driving risky user behaviors outside sanctioned channels.
3. Admin Fatigue and Policy Drift
Over time, as organizations accumulate exceptions to default blocklists, there is a risk of “policy drift.” Regular audits are necessary to ensure that any expanded AllowedFileTypes lists remain justified by genuine business needs, not habit or inertia.
4. Disruptive to Outliers
While rare, legitimate use of .library-ms and .search-ms does exist in some enterprise environments. The impact here is expected to be minimal, but power users and IT teams should prepare communication plans and technical workarounds in advance of the July 2025 deadline.
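The policy-drift audit described above is easy to make routine. This added example (not a Microsoft script) walks every OWA mailbox policy in the tenant and reports which watch-listed extensions have been re-enabled through AllowedFileTypes, whether the two new defaults are actually in BlockedFileTypes, and when the policy last changed. The watch list is constructed here from the extensions named in this thread plus common script and executable types; extend it to match your own blocklist. It assumes an existing Exchange Online PowerShell session.

```powershell
# Added example: audit OWA mailbox policies for allow-list drift.
# Assumes Connect-ExchangeOnline has already been run.
$watchList   = @('.library-ms', '.search-ms', '.hta', '.js', '.jse', '.vbs',
                 '.vbe', '.wsf', '.scr', '.exe', '.xll')
$newDefaults = @('.library-ms', '.search-ms')

$report = foreach ($policy in Get-OwaMailboxPolicy) {
    # Extensions on the watch list that this policy explicitly allows.
    $reenabled = @($policy.AllowedFileTypes | Where-Object { $_ -in $watchList })

    # Allow beats block for the same extension, so an entry in both lists is
    # effectively allowed; surface those separately since they are easy to miss.
    $inBothLists = @($reenabled | Where-Object { $_ -in $policy.BlockedFileTypes })

    $missingDefaults = @($newDefaults | Where-Object { $_ -notin $policy.BlockedFileTypes })

    [pscustomobject]@{
        Policy             = $policy.Name
        ReEnabled          = ($reenabled -join ', ')
        AlsoInBlockList    = ($inBothLists -join ', ')
        NewDefaultsBlocked = ($missingDefaults.Count -eq 0)
        WhenChanged        = $policy.WhenChanged
    }
}

# Policies with any re-enabled extension are the ones that need a fresh justification.
$report | Where-Object { $_.ReEnabled } | Format-Table -AutoSize

# Keep the full snapshot so the next review can diff against it.
$report | Export-Csv -Path .\owa-allowlist-audit.csv -NoTypeInformation
```

Run it on a schedule and compare consecutive CSV snapshots; an exception that appears without a matching change ticket is exactly the drift the section above warns about.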

Looking Ahead: A More Secure Microsoft 365 Ecosystem

The current update to Outlook’s BlockedFileTypes list highlights the ongoing maturation of Microsoft’s security philosophy. The pivot from open-by-default to “secure by design” represents industry best practice, echoing similar moves by other cloud software giants. As attackers innovate, so too must software vendors and their customers.
Looking forward, it is reasonable to expect further measures as Microsoft continues to reassess the utility-versus-risk balance for legacy features across its platforms. The company’s willingness to retire or restrict once-standard components (such as VBScript and ActiveX) is indicative of a broader willingness to disrupt inertia for the sake of security.
For end users and enterprise administrators, the path forward is clear: stay abreast of platform updates, rigorously review exceptions, and double down on defense-in-depth strategies. Microsoft’s playbook, as illustrated by the new Outlook policy, is to act decisively before vulnerabilities can be widely exploited—not after they have caused real-world harm.

Conclusion

The addition of .library-ms and .search-ms to Outlook’s default blocked file types marks another significant step in Microsoft’s offensive against evolving cyber threats. Though their usage rates are minimal, these file types have been used in real-world attacks, justifying their inclusion in the BlockedFileTypes list. The broader context is one of escalating hardening across Microsoft 365 and Windows platforms, representing a shift from permissiveness to proactive risk reduction.
While not a panacea, this and related measures demonstrate how vendor controls can meaningfully move the needle on enterprise security, forcing adversaries to work harder for each foothold. Organizations must balance convenience and control, remaining vigilant as both threats and defenses evolve.
Enterprises and users who depend on these rarely-used file types should act swiftly: assess business processes, communicate impending changes, and leverage Microsoft’s administrative tools to minimize disruption. For the vast majority, these changes will pass unnoticed, but the hidden benefit—a much narrower path for cybercriminals—will be felt across the digital workplace.
Ultimately, Microsoft’s steady cadence of removing or restricting exploitable features is welcome news for security-conscious organizations—and a warning to those who lag behind in cybersecurity modernization. As the digital threat landscape grows ever more sophisticated, this type of decisive, upstream risk management is not just prudent. It is essential.

Source: BleepingComputer Microsoft Outlook to block more risky attachments used in attacks