Microsoft to Block External Links in Excel, Phased Rollout Begins October 2025
Beginning in October 2025, Microsoft will implement sweeping measures to insulate Excel from potentially hazardous sources. A new default policy will block external links to certain file types, affecting all Excel users through a phased rollout set to conclude by July 2026.
These changes are enabled by the introduction of a new Group Policy setting—FileBlockExternalLinks—which expands upon the existing File Block Settings framework. Whereas previous restrictions applied solely to attempts to open suspicious files locally, the updated policy now extends similar safeguards to links referencing such files from external Excel workbooks.
In practical terms, any formula referencing a restricted file type will no longer be able to refresh its data. Instead of current values, users will see a BLOCKED error or outdated data from the last successful refresh. This effectively neutralizes a common attack vector in which malicious components are injected through formulas linked to external documents.
Preparation for this transition begins with the release of Excel build 2509. Users opening affected documents will be alerted via a Business Bar notification. In the subsequent build, 2510, unless administrators explicitly enable a specific setting, the ability to create or update external links to blocked file types will be disabled by default.
A new Workbook Links pane will be introduced in the Excel interface, displaying any files whose data failed to update. This will allow users and administrators to swiftly diagnose disruptions caused by the new restrictions and assess whether workarounds are necessary.
For organizations that rely critically on external links to file types on the blocklist, Microsoft offers two options to preserve existing functionality: either set the registry key HKCU\Software\Microsoft\Office\16.0\Excel\Security\FileBlock\FileBlockExternalLinks to 0, or disable the “File Block includes external link files” option within the Excel Group Policy template.
Enterprises are strongly encouraged to audit their internal Excel documents for such links in advance and notify staff of the forthcoming changes. This is essential to prevent workflow interruptions—particularly in environments where automatic data updates are integral to operations.
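One way to run the audit recommended above, as an added example that is not Microsoft tooling or part of the original article: it reads the external-link relationship parts of an .xlsx/.xlsm package and reports link targets whose extension is in a set you supply. The function names and the sample package are constructed here, and the `.xls` extension is a placeholder, since the article does not list the blocked file types.

```python
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
LINK_RELS = re.compile(r"^xl/externalLinks/_rels/externalLink\d+\.xml\.rels$")
MAX_PART = 1_000_000  # refuse to inflate relationship parts larger than this

def external_link_targets(workbook):
    """List external link targets of an .xlsx/.xlsm package; parses only .rels parts."""
    targets = []
    with zipfile.ZipFile(workbook) as pkg:
        for info in pkg.infolist():
            if not LINK_RELS.match(info.filename):
                continue
            if info.file_size > MAX_PART or b"<!DOCTYPE" in pkg.read(info):
                raise ValueError(f"{info.filename}: oversized or carries a DTD")
            for rel in ET.fromstring(pkg.read(info)).iter(REL):
                if rel.get("TargetMode") == "External":
                    targets.append(unquote(rel.get("Target", "")))
    return targets

def flag_links(workbook, review_extensions):
    """Return (target, extension) pairs whose file type is under review."""
    wanted = {e.lower() for e in review_extensions}
    pairs = [(t, posixpath.splitext(t.replace("\\", "/"))[1].lower())
             for t in external_link_targets(workbook)]
    return [(t, ext) for t, ext in pairs if ext in wanted]

def build_sample():
    """Constructed sample: a package holding only the parts this audit reads."""
    rel = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/'
           'relationships"><Relationship Id="rId1" Type="constructed" TargetMode="External" '
           'Target="file:///\\\\fileserver\\finance\\FX%20rates{ext}"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for n, ext in enumerate([".xls", ".xlsx"], start=1):
            pkg.writestr(f"xl/externalLinks/_rels/externalLink{n}.xml.rels",
                         rel.format(ext=ext))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Placeholder extension set: substitute the types your File Block policy blocks.
    for target, ext in flag_links(build_sample(), {".xls"}):
        print(f"{ext}\t{target}")
```

To sweep a file share, call `flag_links` on each workbook path and treat a `ValueError` or `zipfile.BadZipFile` as a file to inspect by hand.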
This initiative is part of Microsoft’s broader strategy to enhance the security of Office products. Following the prior enforcement of internet macro blocking, the company now aims to eliminate another favored tactic of cyber attackers: leveraging cross-document links to deliver infected or tampered files.
With these protections in place, Excel users can be confident that even an inadvertent reference to an untrusted external document will no longer endanger their data, workflows, or organizational infrastructure.