Microsoft Disables File Explorer Preview for Internet Files to Prevent NTLM Hash Leaks

Microsoft has announced a new security change for Windows File Explorer, disabling the preview feature for files downloaded from the internet as an added layer of protection against NTLM hash leaks. The update, rolled out during October 2025 Patch Tuesday, affects all files tagged with the Mark of the Web (MotW) — a flag automatically applied to files downloaded via web browsers, email attachments, or other external sources.

Understanding the Mark of the Web and the Change

The Mark of the Web (MotW) is a Windows security feature that labels files originating from untrusted locations, prompting user warnings or restricting certain features like macros in Microsoft Office.

With this latest update, File Explorer will no longer automatically display previews of MotW-tagged files in the preview pane. This change aims to prevent potential NTLM (NT LAN Manager) authentication leaks, which attackers can exploit to steal or brute-force Windows user credentials.

“This change mitigates a vulnerability where NTLM hash leakage might occur if users preview files containing HTML tags referencing external paths,” Microsoft explained.

By removing automatic previews, Windows effectively blocks a potential attack vector where malicious files could trigger SMB authentication requests to attacker-controlled servers, inadvertently leaking hashed credentials.

Vulnerabilities Leading to the Update

The issue appears tied to CVE-2025-59214, a File Explorer spoofing vulnerability that allows sensitive information to leak over a network. The flaw is a patch bypass of CVE-2025-50154, which itself was a bypass of the earlier CVE-2025-24054 — a zero-click NTLM credential leakage vulnerability that has been exploited in the wild, including against government and private entities in Poland and Romania.

The original 2025 vulnerability allowed attackers to trick Windows into leaking NTLM hashes using malicious .library-ms files within ZIP archives. Simply previewing or right-clicking one of these files could trigger a network authentication request.

Security firm Cymulate discovered multiple bypasses of Microsoft’s earlier patches, leading to repeated reassignments of new CVE identifiers and prompting this broader, systemic fix.

What Users Can Expect

Following the October update, File Explorer will display a warning when users attempt to preview internet-downloaded files, advising them to proceed only if they trust the source. The restriction also applies to files accessed via Internet Zone file shares.

To regain preview functionality for a trusted file, users can:

  1. Right-click the file and select Properties.

  2. Check the Unblock box.

  3. Apply changes and, if necessary, log out and back in for the change to take effect.
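The Mark of the Web tag and the Unblock steps above, as an added PowerShell example (not from Microsoft or the original article): MotW is stored in an NTFS alternate data stream named Zone.Identifier, so a folder can be audited for tagged files and a single trusted file cleared with Unblock-File. The function name Get-MotwFile and the demo folder are hypothetical, and the sample file and its zone data are constructed.

```powershell
# Added example: audit Mark of the Web (MotW) tags in a folder, then unblock one trusted file.
# Assumes Windows PowerShell 5.1 or later on an NTFS volume.
# Get-MotwFile and the demo folder are hypothetical names; the sample file is constructed.

# Standard URL security zone numbers used in the ZoneId field
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-MotwFile {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        # MotW lives in an NTFS alternate data stream named Zone.Identifier
        $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $stream) { return }   # untagged file: skip to the next pipeline item
        $zoneId = $null
        foreach ($line in $stream) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }
        }
        $zone = 'Unknown'
        if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $zone = $ZoneNames[$zoneId] }
        [pscustomobject]@{ File = $_.FullName; ZoneId = $zoneId; Zone = $zone }
    }
}

# Demo on constructed data: tag a scratch file as Internet zone and audit the folder
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'report.html'
Set-Content -LiteralPath $file -Value '<p>constructed sample</p>'
Set-Content -LiteralPath $file -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-MotwFile -Path $demo | Format-Table -AutoSize

# Command-line equivalent of Properties > Unblock, for a file whose source you trust
Unblock-File -LiteralPath $file

# Audit again to confirm the tag was removed
Get-MotwFile -Path $demo | Format-Table -AutoSize
```

Unblock-File removes the Zone.Identifier stream from the file, so run it per file after verifying the source rather than across a whole downloads folder.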

Broader Implications

This update reflects Microsoft’s ongoing efforts to strengthen Windows against credential theft attacks, particularly those involving NTLM relay or brute-force exploitation. By proactively disabling risky functionality like file previews for untrusted sources, Microsoft is prioritizing defense-in-depth — reducing exposure even before users open potentially dangerous files.