Microsoft to disable Excel workbook links to blocked file types

Microsoft has announced that it will start disabling external workbook links to blocked file types by default between October 2025 and July 2026. After the rollout, Excel workbooks referencing blocked file types will display a #BLOCKED error or fail to refresh, eliminating security risks associated with accessing unsupported or high-risk file types, including, but not limited to, phishing attacks that utilize workbooks to redirect targets to malicious payloads. This change is being introduced as a new FileBlockExternalLinks group policy, which expands File Block Settings to include external workbook links. As the company explained in a Microsoft 365 admin center message on Wednesday, Microsoft 365 will display a business bar warning of this upcoming change when opening workbooks containing external links to blocked file types, starting with Build 2509. However, after updating to Build 2510, if the policy is unconfigured, users will no longer be able to refresh or create new references to blocked file types. "If not configured, no changes will take effect immediately. However, starting October 2025, the default behavior will block external links to file types currently blocked by the Trust Center," the company said. "We recommend reviewing existing workbooks and communicating this change to users who rely on external links to ensure continuity of workflows." Microsoft 365 admins who want to re-enable refreshing external links to blocked file types can edit the HKCU\Software\Microsoft\Office\\Excel\Security\FileBlock\FileBlockExternalLinks registry key using the detailed instructions in this support document. Since the start of the year, the company has also added the .library-ms and .search-ms file types to the list of blocked Outlook attachments and started turning off all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 applications. These changes are part of a broader effort to remove or disable Office and Windows features that have been exploited to infect Microsoft users with malware. This initiative began in 2018 when Microsoft expanded support for its Antimalware Scan Interface (AMSI) in Office 365 client apps, enabling the blocking of attacks that use Office VBA macros. Since then, the company has started blocking VBA Office macros by default, introduced XLM macro protection, disabled Excel 4.0 (XLM) macros, announced that it would soon kill off VBScript, and begun blocking untrusted XLL add-ins by default across Microsoft 365 tenants. Earlier today, Microsoft also announced that it has increased bounty payouts to $40,000 for some .NET and ASP.NET Core vulnerabilities.