Microsoft has announced that it will start disabling external workbook links to blocked file types by default between October 2025 and July 2026.
After the rollout, Excel workbooks referencing blocked file types will display a #BLOCKED error or fail to refresh, eliminating security risks associated with accessing unsupported or high-risk file types, including, but not limited to, phishing attacks that utilize workbooks to redirect targets to malicious payloads.
This change is being introduced as a new FileBlockExternalLinks group policy, which expands File Block Settings to include external workbook links.
As the company explained in a Microsoft 365 admin center message on Wednesday, Microsoft 365 will display a business bar warning of this upcoming change when opening workbooks containing external links to blocked file types, starting with Build 2509.
However, after updating to Build 2510, if the policy is unconfigured, users will no longer be able to refresh or create new references to blocked file types.
“If not configured, no changes will take effect immediately. However, starting October 2025, the default behavior will block external links to file types currently blocked by the Trust Center,” the company said.
“We recommend reviewing existing workbooks and communicating this change to users who rely on external links to ensure continuity of workflows.”
Microsoft 365 admins who want to re-enable refreshing external links to blocked file types can edit the HKCUSoftwareMicrosoftOffice<version>ExcelSecurityFileBlockFileBlockExternalLinks registry key using the detailed instructions in this support document.
Since the start of the year, the company has also added the .library-ms and .search-ms file types to the list of blocked Outlook attachments and started turning off all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 applications.
These changes are part of a broader effort to remove or disable Office and Windows features that have been exploited to infect Microsoft users with malware.
This initiative began in 2018 when Microsoft expanded support for its Antimalware Scan Interface (AMSI) in Office 365 client apps, enabling the blocking of attacks that use Office VBA macros.
Since then, the company has started blocking VBA Office macros by default, introduced XLM macro protection, disabled Excel 4.0 (XLM) macros, announced that it would soon kill off VBScript, and begun blocking untrusted XLL add-ins by default across Microsoft 365 tenants.
Earlier today, Microsoft also announced that it has increased bounty payouts to $40,000 for some .NET and ASP.NET Core vulnerabilities.
Cloud Detection & Response for Dummies
Contain emerging threats in real time – before they impact your business.
Learn how cloud detection and response (CDR) gives security teams the edge they need in this practical, no-nonsense guide.
Related Articles:
Microsoft blocks ActiveX by default in Microsoft 365, Office 2024
Microsoft investigates outage affecting Microsoft 365 admin center
Microsoft 365 ‘Direct Send’ abused to send phishing as internal users
Microsoft 365 to block file access via legacy auth protocols by default
Microsoft now pays up to $40,000 for some .NET vulnerabilities