Microsoft to Block Excel Links to Unsupported File Types
▼ Summary
– Microsoft will disable external workbook links to blocked file types by default between October 2025 and July 2026 to enhance security.
– Excel workbooks referencing blocked file types will show a #BLOCKED error or fail to refresh, preventing risks like phishing attacks.
– Admins can manage this via the FileBlockExternalLinks group policy or registry key, with warnings starting in Build 2509.
– Microsoft is expanding security measures, including blocking additional file types and disabling ActiveX controls in Office apps.
– These changes are part of ongoing efforts since 2018 to mitigate malware risks, including blocking macros and untrusted add-ins.
Microsoft is tightening Excel security by automatically blocking links to unsupported file types starting in late 2025. The tech giant revealed plans to disable external workbook connections to restricted formats by default, a move designed to prevent potential security threats like phishing schemes that exploit file links to deliver malware.
When the update rolls out between October 2025 and July 2026, Excel will show a #BLOCKED error for workbooks referencing prohibited file types, stopping users from refreshing or creating new links to these risky formats. The change stems from a new FileBlockExternalLinks group policy, extending existing File Block Settings to cover external workbook references.
Microsoft 365 users will receive advance notice through a business bar warning when opening files with blocked external links, beginning with Build 2509. Once systems update to Build 2510, unconfigured policies will enforce the block, cutting off access to unsupported file types unless administrators intervene.
The company emphasized that while no immediate action is required, organizations should audit existing workbooks and inform teams relying on external links to avoid workflow disruptions. Admins can override the default blocking by modifying a specific registry key, though Microsoft advises caution given the security implications.
This update follows recent additions to Microsoft’s blocked file list, including .library-ms and .search-ms attachments in Outlook, as well as the disabling of ActiveX controls in Windows versions of Office 2024 and Microsoft 365 apps. These measures align with Microsoft’s ongoing campaign to eliminate features frequently exploited by cybercriminals.
Since 2018, the company has systematically locked down Office vulnerabilities, from blocking VBA macros by default to disabling Excel 4.0 (XLM) macros and untrusted XLL add-ins. The phased removal of VBScript further underscores this security-first approach.
In related news, Microsoft also announced increased bug bounty rewards, offering up to $40,000 for critical vulnerabilities in .NET and ASP.NET Core, a clear signal of its commitment to closing security gaps across its ecosystem.
(Source: Bleeping Computer)
