
Microsoft makes Outlook safer with more attachment blocking

Starting in July, two new file types will be blocked in Microsoft Outlook. Attachments with the .library-ms and .search-ms extensions are both a sign of potential phishing campaigns reaching inboxes.

Microsoft will block the .library-ms and .search-ms file types in the OwaMailboxPolicy list. The library files could exploit a Windows vulnerability (CVE-2025-24054) to steal NTLM hashes. An example of an exploit targeting library-ms was reported by Symantec (Broadcom) in February. After such an infection, organizations could also be affected by all kinds of other malware.

The .search-ms URI protocol handler, for its part, has been exploited in attacks since June 2022. These files can automatically open Windows Search windows on victims’ devices. The technique often worked in conjunction with a Windows Support Diagnostic Tool (MSDT) vulnerability (CVE-2022-30190) to execute code remotely.

Limited impact for organizations

According to Microsoft, these file types have rarely been used, so most organizations are not affected. For organizations that still rely on these files, it is possible to add them to the AllowedFileTypes property of their OwaMailboxPolicy before the update is rolled out.

Business users with a Microsoft Exchange Server account can ask their administrators to adjust security settings. This is an option when the files cannot be shared as archives, renamed with a different extension, or exchanged via OneDrive or SharePoint.
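Before deciding on an exception, administrators can check how each OWA mailbox policy currently treats the two extensions. The script below is an added example, not code from Microsoft or from the original article; it assumes an existing Exchange Online PowerShell session (or the Exchange Management Shell), and the policy name in the commented-out exception is hypothetical.

```powershell
# Added example: read-only audit of OWA mailbox policies for the two extensions.
# Assumption: Connect-ExchangeOnline has already been run (ExchangeOnlineManagement
# module), or this is executed in the Exchange Management Shell on Exchange Server.
$extensions = '.library-ms', '.search-ms'

$report = foreach ($policy in Get-OwaMailboxPolicy) {
    foreach ($ext in $extensions) {
        # -contains is case-insensitive, so '.LIBRARY-MS' entries also match.
        $allowed = $policy.AllowedFileTypes -contains $ext
        $blocked = $policy.BlockedFileTypes -contains $ext

        # When a type appears in both lists, the allow list takes precedence,
        # so an AllowedFileTypes entry keeps the attachment openable.
        if ($allowed) {
            $effective = 'Allowed (exception in place)'
        }
        elseif ($blocked) {
            $effective = 'Blocked'
        }
        else {
            $effective = 'Not listed'
        }

        [pscustomobject]@{
            Policy    = $policy.Name
            Extension = $ext
            Allowed   = $allowed
            Blocked   = $blocked
            Effective = $effective
        }
    }
}

$report | Sort-Object Policy, Extension | Format-Table -AutoSize

# Exception for a single policy that still depends on these files.
# 'Contoso-LibraryUsers' is a hypothetical policy name; the line is left
# commented out so the script itself changes nothing.
# Set-OwaMailboxPolicy -Identity 'Contoso-LibraryUsers' -AllowedFileTypes @{Add = '.library-ms'}
```

Scoping the exception to a dedicated policy assigned only to the users who need the files keeps the block in force for every other mailbox.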

Continuously more secure

Microsoft is constantly working to make Outlook more secure. Since 2018, the company has extended the Antimalware Scan Interface (AMSI) introduced with Windows 10 to all Office 365 applications. Phishing attacks are becoming increasingly sophisticated, which requires more and more vulnerabilities to be closed. AMSI within Outlook was already a big step in the right direction in this regard.

Later, Microsoft began blocking VBA Office macros by default and disabling Excel 4.0 (XLM) macros. The company also introduced XLM macro protection and began blocking untrusted XLL add-ins by default within Microsoft 365 tenants. In May 2024, Microsoft announced that it would discontinue VBScript and disable all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 in April 2025.