Microsoft is accelerating its war on legacy security vulnerabilities by blocking files accessed via the insecure FrontPage Remote Procedure Call (FPRPC) protocol by default in Microsoft 365 Windows apps. Starting with Version 2508 in late August 2025, any attempt to open files using FPRPC will automatically redirect to more secure protocols—a significant shift for enterprises still reliant on outdated infrastructure.

Why FPRPC Poses Critical Risks

FPRPC dates back to Microsoft's discontinued FrontPage web design software and has persisted as a legacy authentication method. Security teams have long warned that protocols like FPRPC, FTP, and HTTP:
- Lack modern encryption, making credentials vulnerable to interception
- Enable "pass-the-hash" attacks and credential theft
- Are frequently exploited in phishing campaigns targeting stale infrastructure

Microsoft explicitly linked the move to combatting "brute-force and phishing attacks exploiting outdated authentication methods" in its admin center announcement.

Administrative Controls and Rollout Timeline

The transition includes nuanced controls:
- Admins can re-enable FPRPC via Trust Center settings unless overridden by Group Policy or Cloud Policy Service (CPS)
- FTP/HTTP protocols remain allowed by default but can be disabled centrally
- Policies configured via CPS will lock settings, preventing user overrides

The rollout begins in late August with expected global completion by late September 2025. Crucially, this only affects Windows apps—Mac, web, iOS, and Android clients remain unchanged.

Part of a Broader Security Offensive

This isn't an isolated change. Microsoft has systematically dismantled legacy attack surfaces:
- ⛔ ActiveX controls disabled in Microsoft 365/Office 2024 Windows apps
- ⛔ .library-ms/.search-ms attachments blocked in Outlook
- ⛔ RPS protocol deprecated alongside FPRPC
- 🛡️ Teams screenshot blocking introduced for meeting security

The Inevitable End of Legacy Auth

For developers and admins, this signals a clear mandate: Technical debt has security consequences. As Microsoft methodically severs ties with vulnerable legacy systems, organizations must audit workflows still dependent on protocols like FPRPC. The provided controls offer transitional flexibility, but the writing is on the wall—insecure protocols are being phased out of the modern enterprise stack, one update at a time.
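
One way to start the audit described above, as an added example that is not from Microsoft or the original article: a Python scan of IIS W3C logs for requests to the FrontPage Server Extensions RPC endpoints, grouped by client and user. The endpoint paths come from general knowledge of FPRPC rather than from the article, and the log lines, hosts and usernames are constructed sample data.

```python
import collections

# Well-known FrontPage Server Extensions RPC endpoints (assumption: not listed
# in the article; matched as a suffix so subsites such as /sites/x/ are covered).
FPRPC_PATHS = ("/_vti_bin/shtml.dll/_vti_rpc",
               "/_vti_bin/_vti_aut/author.dll",
               "/_vti_bin/_vti_adm/admin.dll")

# Constructed sample in IIS W3C extended format; hosts, users and paths are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2025-08-20 09:14:02 POST /_vti_bin/shtml.dll/_vti_rpc CORP\\alice 10.0.4.21 MSFrontPage/16.0 200
2025-08-20 09:14:03 POST /_vti_bin/_vti_aut/author.dll CORP\\alice 10.0.4.21 MSFrontPage/16.0 200
2025-08-20 09:15:40 GET /sites/finance/report.xlsx CORP\\bob 10.0.4.37 Mozilla/5.0 200
2025-08-20 09:20:11 POST /sites/hr/_VTI_BIN/_vti_aut/author.dll CORP\\carol 10.0.7.9 MSFrontPage/15.0 401
2025-08-20 09:21:00 PROPFIND /sites/hr/ CORP\\bob 10.0.4.37 Microsoft-WebDAV-MiniRedir/10.0 207
"""

def find_fprpc_clients(log_text):
    """Return {(client_ip, username): hit_count} for requests to FPRPC endpoints."""
    fields, hits = [], collections.Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                    # truncated or malformed record
        rec = dict(zip(fields, cols))
        # IIS paths are case-insensitive, so normalise before matching.
        if rec.get("cs-uri-stem", "").lower().endswith(FPRPC_PATHS):
            hits[(rec.get("c-ip", "-"), rec.get("cs-username", "-"))] += 1
    return dict(hits)

if __name__ == "__main__":
    for (ip, user), n in sorted(find_fprpc_clients(SAMPLE_LOG).items()):
        print(f"{ip}\t{user}\t{n} FPRPC request(s)")
```

Failed requests (the 401 above) are counted too, since they still identify a client that attempts FPRPC and will be affected by the default block.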