Microsoft is tightening Excel's security posture with a significant change: starting October 2025 and rolling through July 2026, the application will disable external workbook links to blocked file types by default. This move targets a common attack vector where malicious actors embed links in seemingly legitimate spreadsheets to redirect users to dangerous payloads.

Article illustration 1

When implemented, workbooks referencing these blocked file types will display a #BLOCKED error or fail to refresh entirely. The change is enforced via a new FileBlockExternalLinks group policy, extending Microsoft's existing File Block Settings framework. Administrators will see warnings in the Microsoft 365 admin center (starting with Build 2509) when opening affected workbooks. Crucially, once users update to Build 2510, the default behavior—if the policy remains unconfigured—will block the creation or refresh of any new links to file types flagged as high-risk by the Trust Center.

"We recommend reviewing existing workbooks and communicating this change to users who rely on external links to ensure continuity of workflows," Microsoft stated in its advisory.

Admins needing to maintain specific external links can re-enable them by modifying the registry key: HKCU\Software\Microsoft\Office\<version>\Excel\Security\FileBlock\FileBlockExternalLinks. However, this manual override carries inherent security risks.

This isn't an isolated update. It's part of Microsoft's multi-year campaign to neutralize legacy attack surfaces:
* Recent blocking of .library-ms and .search-ms attachments in Outlook
* Disabling all ActiveX controls by default in Windows versions of Office
* Previous crackdowns on VBA macros, XLM macros, VBScript (deprecation), and untrusted XLL add-ins

The initiative traces back to 2018's integration of the Antimalware Scan Interface (AMSI) into Office, providing deeper inspection capabilities. Today's announcement coincides with Microsoft increasing bug bounties to $40,000 for critical .NET and ASP.NET Core vulnerabilities, underscoring its intensified focus on securing the entire ecosystem.

For developers and IT teams, this mandates proactive audits of Excel-dependent workflows involving external data sources. Ignoring the October 2025 deadline risks broken processes and potential security gaps. Microsoft's message is clear: convenience is yielding to hardened security by design.

Source: BleepingComputer