Microsoft will begin restricting external links to file types blocked by the Trust Center starting October 2025. The company will complete the rollout of this policy by July 2026, according to public announcements.
Advertisеment
After implementation, Excel will show a #BLOCKED error when formulas reference external files of restricted types. In some cases, users will see outdated data instead of current values. The should reduce security risks associated with external file connections.
FileBlockExternalLinks Group Policy setting
The update relies on a new Group Policy setting called FileBlockExternalLinks, which expands the existing File Block Settings functionality. Starting with Build 2509, Microsoft 365 will display a notification bar in workbooks containing external links to blocked file types, informing users to the upcoming change.
Unless administrators adjust settings manually, the ability to create or refresh such links will end after the Build 2510 update. Microsoft advises administrators to review current workbooks and inform users who rely on external links to maintain workflow continuity.
Administrators can restore functionality by setting the registry value HKCU\Software\Microsoft\Office\16.0\Excel\Security\FileBlock\FileBlockExternalLinks to 0 or by disabling the "File Block includes external link files" option in the Excel Group Policy template.
Earlier in 2024, Microsoft added .library-ms and .search-ms file types to Outlook’s blocked attachments list. The company also disabled all ActiveX controls in Windows versions of Microsoft 365 and Office 2024.
In fact, Microsoft is disabling many of the legacy features exploited in malware attacks. This initiative began in 2018 with expanded AMSI support in Office 365 to counter VBA macro-based threats.
Since then, Microsoft has blocked VBA macros by default, introduced XLM macro protection, disabled Excel 4.0 (XLM) macros, announced plans to deprecate VBScript, and enabled default blocking of untrusted XLL add-ins across all Microsoft 365 tenants.
Microsoft has also increased its bounty for discovering specific vulnerabilities in .NET and ASP.NET Core, raising the reward to $40,000.
The company will pay up to $40,000 for critical security vulnerabilities related to remote code execution and privilege escalation, $30,000 for critical security feature bypasses, and up to $20,000 for critical remote denial of service errors.
The bounty program has also been expanded to better cover .NET Framework vulnerabilities and now includes all supported versions of .NET and ASP.NET, related technologies such as F#, supported versions of ASP.NET Core for the .NET Framework, templates provided with supported versions of .NET and ASP.NET Core, GitHub actions on the .NET and ASP.NET Core repositories.
Support us
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:
