Microsoft Enhances Outlook Security by Blocking Dangerous File Types Used in Phishing Campaigns

CyberSecureFox 🦊

Microsoft is implementing a significant security enhancement for Outlook Web and the new Outlook for Windows, scheduled to take effect in July 2025. The technology giant is expanding its blocked file types list to include .library-ms and .search-ms files, which cybercriminals have increasingly weaponized for sophisticated phishing campaigns targeting organizations worldwide.

Understanding the .library-ms File Threat Landscape

The decision to block .library-ms files stems from their legitimate functionality being exploited for malicious purposes. In Windows environments, these files serve as library containers that combine local and remote folders into a unified Explorer view, providing users with seamless access to distributed content.

However, threat actors have transformed this benign feature into a potent attack vector. Since early 2025, security researchers have documented a surge in attacks leveraging .library-ms files against government agencies and private enterprises. The situation became particularly concerning with the emergence of CVE-2025-24054, a vulnerability that enables NTLM hash disclosure, creating substantial risks for enterprise network security.

The Evolution of search-ms Protocol Exploitation

The search-ms URI handler has a more established history of abuse in cybercriminal operations. Security researcher Matthew Hickey from Hacker House first identified the protocol’s potential for misuse in June 2022, demonstrating how attackers could automatically trigger Windows Search windows on victims’ devices.

Cybercriminals developed sophisticated attack chains combining search-ms functionality with CVE-2022-30190 to deceive users into executing malicious payloads. This technique proved particularly effective because it bypassed traditional security controls while creating convincing social engineering scenarios that appeared legitimate to unsuspecting users.

Implementation Details and Organizational Impact

Microsoft emphasizes that the new restrictions will affect few users, since the blocked file types see limited use in standard business operations. The security update will automatically apply to all OWA mailbox policies across organizations, ensuring comprehensive protection without requiring manual intervention.

Organizations that still need these file types have a workaround available. System administrators can add the required file types to the AllowedFileTypes list in OwaMailboxPolicy before the update is deployed, maintaining operational flexibility while accepting the associated security risks.
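The following audit script is an added example, not code from this article or from Microsoft. It reports, for every OWA mailbox policy, whether .library-ms and .search-ms are blocked or carry an allow exception. It assumes an Exchange Online PowerShell session is already connected (Connect-ExchangeOnline); the policy name 'Legal-OWA' in the comments is hypothetical.

```powershell
# Added example: audit OWA mailbox policies for the two newly blocked file types.
# Assumption: an Exchange Online PowerShell session is already connected.
$Types = '.library-ms', '.search-ms'

function Get-OwaFileTypeState {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $Extension
    )
    # -contains is case-insensitive, so '.Library-MS' also matches.
    $allowed = $Policy.AllowedFileTypes -contains $Extension
    $blocked = $Policy.BlockedFileTypes -contains $Extension

    # An entry in AllowedFileTypes overrides the same entry in BlockedFileTypes,
    # so an allow exception must be reported even when the type is also blocked.
    if     ($allowed -and $blocked) { 'Allowed (exception overrides block)' }
    elseif ($allowed)               { 'Allowed (exception)' }
    elseif ($blocked)               { 'Blocked' }
    else                            { 'Not listed' }
}

$report = foreach ($policy in Get-OwaMailboxPolicy) {
    foreach ($ext in $Types) {
        [pscustomobject]@{
            Policy    = $policy.Name
            IsDefault = $policy.IsDefault
            Extension = $ext
            State     = Get-OwaFileTypeState -Policy $policy -Extension $ext
        }
    }
}

$report | Sort-Object Policy, Extension | Format-Table -AutoSize

# Policies that carry an exception and therefore deserve a documented owner.
$report | Where-Object State -like 'Allowed*' | Select-Object Policy, Extension

# The exception the article describes, scoped to one named policy
# (hypothetical name) instead of every policy in the organization:
#   Set-OwaMailboxPolicy -Identity 'Legal-OWA' -AllowedFileTypes @{Add = '.library-ms'}
# Withdrawing it once it is no longer needed:
#   Set-OwaMailboxPolicy -Identity 'Legal-OWA' -AllowedFileTypes @{Remove = '.library-ms'}
```

Running the report before and after the rollout shows which policies picked up the new block entries and which still carry an exception.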

Microsoft’s Comprehensive Security Strategy

This latest security enhancement represents a continuation of Microsoft’s systematic approach to eliminating attack vectors from its product ecosystem. The company has consistently targeted features that threat actors commonly exploit in their campaigns.

Previous security improvements include the 2018 expansion of Antimalware Scan Interface (AMSI) support to counter VBA macro-based attacks. Subsequent years saw the implementation of default VBA macro blocking, Excel 4.0 (XLM) macro disabling, and protection against untrusted XLL add-ins, demonstrating Microsoft’s commitment to proactive threat mitigation.

The blocking of .library-ms and .search-ms files represents a logical evolution in Microsoft’s security posture, addressing emerging threat vectors before they can achieve widespread adoption among cybercriminal groups. This proactive approach helps organizations stay ahead of evolving attack methodologies while maintaining the productivity and functionality that users expect from modern email platforms. Organizations should prepare for this change by reviewing their file sharing practices and updating security policies accordingly.
