Windows Blocks File Previews to Stop NTLM Credential Leaks
Beginning with the October 2025 Windows security updates, File Explorer now automatically blocks the preview of files downloaded from the internet. Introduced in the October 14, 2025 update, this change aims to prevent the leakage of NTLM hashes—unique authentication identifiers that attackers could exploit to gain unauthorized access to network resources. The new behavior applies to Windows 11 as well as Windows Server editions 2012, 2012 R2, 2016, 2019, 2025, and the 23H2 release.
Until now, File Explorer allowed users to preview HTML files directly within its window without launching a browser or text editor. If such documents contained elements like <link> or <src> tags referencing external sources, the system could inadvertently send authentication requests including the user’s credentials. In certain circumstances, this exposed NTLM hashes, which could then be used to compromise corporate networks.
The mechanism has now been fundamentally revised. For all files bearing the Mark of the Web (MotW)—a security attribute Windows assigns to items downloaded from online sources—the preview feature is fully disabled. Instead of displaying the file’s contents, the preview pane will now show a warning message:
“The file you are attempting to preview could harm your computer. If you trust the file and the source you received it from, open it to view its contents.”
This update affects not only files downloaded from the internet but also those hosted on network resources classified within the Internet zone. In typical use cases, users need take no additional action—the new security behavior activates automatically once the October or later cumulative updates are installed.
For users who wish to restore preview functionality for a specific trusted document, the process can be performed manually. Open the file’s Properties via the context menu, select “Unblock,” and apply the changes. The change may take effect only after the next system sign-in.
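Before unblocking anything, it helps to see which files actually carry the mark and which zone it records. The following PowerShell script is an added example, not code from Microsoft or from this report: it reads the Zone.Identifier alternate data stream in which NTFS stores the Mark of the Web, lists each marked file with its zone, and optionally unblocks one vetted file. The parameter names, the function name Get-MotW and the default folder are assumptions for illustration.

```powershell
# Added example: inventory Mark of the Web (MotW) under a folder, optionally unblock one file.
# $Path and $Trusted are illustrative parameters; set them for your environment.
param(
    [string]$Path    = "$env:USERPROFILE\Downloads",
    [string]$Trusted = ''   # full path of a single vetted file to unblock (optional)
)

# URL security zone numbers as written to the ZoneId field of Zone.Identifier
$zoneNames = @{
    0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
    3 = 'Internet';      4 = 'Restricted Sites'
}

function Get-MotW {
    param([string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # MotW is an NTFS alternate data stream; files without it are skipped
            $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier `
                               -ErrorAction SilentlyContinue
            if (-not $ads) { return }

            $zone = $null; $hostUrl = $null
            foreach ($line in $ads) {
                if ($line -match '^ZoneId=(\d+)')  { $zone    = [int]$Matches[1] }
                if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
            }
            [pscustomobject]@{
                ZoneId  = $zone
                Zone    = $zoneNames[$zone]
                HostUrl = $hostUrl          # may be empty; not every writer records it
                Path    = $_.FullName
            }
        }
}

# Internet-zone (3) and Restricted (4) entries sort first
Get-MotW -Folder $Path | Sort-Object ZoneId -Descending | Format-Table -AutoSize

if ($Trusted) {
    # Same result as Properties > Unblock: removes the Zone.Identifier stream
    Unblock-File -LiteralPath $Trusted
    Write-Host "Unblocked: $Trusted"
}
```

Unblocking by explicit path rather than piping the whole report into Unblock-File keeps the exception limited to the one document that was reviewed.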
Access to network-based files can also be restored through classic Internet Options: under the “Security” tab, administrators can add the relevant file storage address to the “Local Intranet” or “Trusted Sites” zones. However, Microsoft cautions that such exceptions lower the overall protection level for all files retrieved from that source.