
Beginning in July 2025, Microsoft will automatically block email attachments with the extensions .library-ms and .search-ms in both the web version of Outlook and the new Outlook for Windows. This policy change will apply to all organizations using Microsoft 365 and will be implemented via the OwaMailboxPolicy configuration, requiring no manual intervention.
The update is part of Microsoft’s ongoing efforts to bolster security, as both file types have been exploited in real-world cyberattacks. The .library-ms files, which act as links to virtual libraries in Windows, were weaponized in early 2025 to exfiltrate NTLM hashes through a vulnerability in Windows, tracked as CVE-2025-24054. These phishing campaigns specifically targeted government agencies and corporate enterprises.
Similarly, .search-ms files, which invoke Windows’ built-in search functionality, have long been favored by threat actors. As early as 2022, it was demonstrated that these files could trigger a search window on a victim’s machine and display manipulated results. When combined with the Microsoft Support Diagnostic Tool (MSDT) vulnerability, CVE-2022-30190, this allowed the execution of malicious payloads.
Microsoft emphasizes that these blocked formats are rarely used, so most organizations will experience no disruption. However, for those that do rely on such attachments, users will no longer be able to open or download them in Outlook Web or the New Outlook.
Administrators are encouraged to proactively configure exceptions by adding the relevant extensions to the AllowedFileTypes list within the OwaMailboxPolicy settings—an option reserved for organizations with a justified need to exchange such file types.
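As an added example (not Microsoft's own script), the following PowerShell audits every OWA mailbox policy for the two extensions and previews a scoped exception. It assumes an open Exchange Online PowerShell session, and the exception policy name is hypothetical.

```powershell
# Added example, not Microsoft's script. Assumes an Exchange Online PowerShell
# session is already open (Connect-ExchangeOnline) with rights to read policies.
$extensions = '.library-ms', '.search-ms'

# One row per policy and extension. Per the Set-OwaMailboxPolicy documentation,
# an entry in AllowedFileTypes overrides the same entry in BlockedFileTypes.
$report = foreach ($policy in Get-OwaMailboxPolicy) {
    foreach ($ext in $extensions) {
        $allowed = $policy.AllowedFileTypes -contains $ext
        $blocked = $policy.BlockedFileTypes -contains $ext

        $effective = 'not listed'
        if ($blocked) { $effective = 'blocked' }
        if ($allowed) { $effective = 'allowed (exception)' }

        [pscustomobject]@{
            Policy    = $policy.Name
            Extension = $ext
            Blocked   = $blocked
            Allowed   = $allowed
            Effective = $effective
        }
    }
}
$report | Sort-Object Policy, Extension | Format-Table -AutoSize

# Existing exceptions should each have a recorded business justification.
$report | Where-Object Allowed | ForEach-Object {
    Write-Warning "$($_.Policy) allows $($_.Extension) attachments"
}

# Granting an exception: scope it to a dedicated policy rather than the default.
# The policy name is hypothetical; -WhatIf previews the change without applying it.
$exceptionPolicy = 'OwaMailboxPolicy-LibraryExceptions'
Set-OwaMailboxPolicy -Identity $exceptionPolicy `
    -AllowedFileTypes @{ Add = '.library-ms' } -WhatIf
```

Rerunning the audit after the July 2025 rollout shows which policies picked up the new blocked entries and which still carry an exception.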
This update is part of a broader, sustained initiative by Microsoft to mitigate vulnerabilities stemming from outdated and frequently abused components in Windows and Office. These efforts date back to 2018 with the integration of the Antimalware Scan Interface (AMSI) into Office 365, enabling real-time antivirus inspection of VBA script execution.
Subsequent security enhancements included default blocking of VBA macros in Office documents, deprecation of Excel 4.0 (XLM) macros, introduction of safeguards against XLM scripts, and automatic blocking of unverified XLL add-ins across Microsoft 365 enterprise environments.
Additionally, in May 2024, Microsoft announced the end of support for VBScript, and by April 2025, it had fully disabled all ActiveX components in Office and Microsoft 365 for Windows—an effort aimed at eradicating entire classes of attacks that exploited native Windows and Office features.
For organizations operating on-premises Exchange servers, there remains the option to bypass these restrictions via local policy adjustments. Alternatively, users may transmit affected files using safer methods such as compression archives, extension renaming, or secure cloud services like OneDrive and SharePoint.
Microsoft’s official website now features an updated list of all file types blocked in Outlook, offering organizations full transparency into the evolving security landscape.