Microsoft Enhances Windows Security by Turning Off File Previews for Downloads

In a move to tighten defenses against credential theft, Microsoft has rolled out a significant change to Windows File Explorer starting with security updates released on and after October 14, 2025.

The update automatically disables the preview pane for files downloaded from the internet, aiming to block a sneaky vulnerability that could expose users’ NTLM hashes, the sensitive credentials used for network authentication.

This adjustment addresses a long-standing risk where malicious files, especially those embedding HTML elements like <link> or <src> tags pointing to external resources, could trigger unauthorized network requests during previews.

Attackers have exploited this in the past to harvest hashes, potentially leading to lateral movement in networks or full account takeovers.

By defaulting to a more cautious approach, Microsoft is prioritizing proactive security without requiring user intervention, a welcome step amid rising phishing and malware campaigns targeting Windows users.

File Previews Turned Off

The new behavior hinges on the “Mark of the Web” (MotW) attribute, which Windows applies to files from untrusted sources like the Internet or Internet Zone file shares.

Once tagged, these files will not show previews in File Explorer. Instead, users will see a clear warning message: “The file you are attempting to preview could harm your computer. If you trust the file and the source from which you received it, you may open it to view its contents.”

For everyday users, this means a minor workflow hiccup: previews are off for potentially risky files, but everything else, like local documents or trusted shares, remains unchanged. No extra setup is needed; the protection kicks in automatically post-update.

IT admins and power users will appreciate that it applies broadly to downloaded files and remote shares, reducing the attack surface in enterprise environments where NTLMv2 weaknesses persist despite pushes toward modern auth like Kerberos.

This isn’t a full lockdown; it’s a smart nudge toward safer habits. Previews still work for vetted files, and the change encourages verifying sources before diving in.

If you’re dealing with a trusted download, overriding is straightforward but deliberate. Right-click the file in File Explorer, hit Properties, and check the “Unblock” box. Note that changes might not apply until your next login.
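Before unblocking anything, it helps to see which files in a folder actually carry the Mark of the Web and where they came from. The following is an added example, not code from Microsoft or the original article. It assumes an NTFS volume, where MotW is stored in the Zone.Identifier alternate data stream; Get-MotwReport and the motw-demo scratch folder are hypothetical names, and the sample file is constructed.

```powershell
# Added example: audit Mark of the Web (MotW) tags in a folder.
# Assumption: NTFS volume; MotW lives in the Zone.Identifier alternate data stream.
function Get-MotwReport {
    param(
        [Parameter(Mandatory)] [string] $Path   # folder to audit
    )
    # URL security zone numbers as they appear in the ZoneId field
    $zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                    3 = 'Internet';      4 = 'Restricted Sites' }

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file  = $_
            # Yields nothing when the file has no Zone.Identifier stream
            $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                                 -ErrorAction SilentlyContinue
            if (-not $lines) { return }          # untagged file: skip it

            $zoneId = $null; $hostUrl = $null
            foreach ($line in $lines) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)')  { $zoneId  = [int]$Matches[1] }
                if ($line -match '^\s*HostUrl\s*=\s*(.+)$') { $hostUrl = $Matches[1].Trim() }
            }
            $known = ($null -ne $zoneId) -and $zoneNames.ContainsKey($zoneId)
            [pscustomobject]@{
                File    = $file.FullName
                ZoneId  = $zoneId
                Zone    = if ($known) { $zoneNames[$zoneId] } else { 'Unknown' }
                HostUrl = $hostUrl               # download origin, when the browser recorded it
            }
        }
}

# Constructed sample: a scratch file tagged the way a browser download would be
$dir  = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$demo = Join-Path $dir 'report.html'
Set-Content -LiteralPath $demo -Value '<html></html>'
Set-Content -LiteralPath $demo -Stream Zone.Identifier `
            -Value '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://example.invalid/report.html'

Get-MotwReport -Path $dir | Format-List    # report the tagged file
Unblock-File -LiteralPath $demo            # same effect as Properties > Unblock
Get-MotwReport -Path $dir | Format-List    # audit again after unblocking
```

Pointing Get-MotwReport at a real folder such as "$env:USERPROFILE\Downloads" lists every tagged file with its zone and recorded origin, which gives a basis for deciding what is safe to unblock.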

For entire file shares in Internet Zones, head to Internet Options in the Control Panel, navigate to the Security tab, and add the share’s address to the Local Intranet or Trusted Sites zone. Be cautious: this lowers defenses for all files from that source, so reserve it for verified networks.

Microsoft’s FAQ emphasizes trusting files only from known origins, underscoring that this tweak is about mitigation, not elimination of risks. As cyber threats evolve, such incremental updates help keep Windows resilient without overcomplicating daily use.

Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
