Microsoft Blocks NTLM Theft via File Explorer Previews: A No‑Brainer Security Win

Sometimes security fixes feel like rocket science. Other times, they’re just common sense. Microsoft’s latest change falls squarely into the latter category — and it’s a welcome one.

With this month’s Patch Tuesday updates, Windows now disables File Explorer’s preview pane for files downloaded from the internet. If you’ve already patched, this protection is live for you today (you did patch, right?).

Why This Change Matters

The update closes off a sneaky attack vector that allowed threat actors to steal NTLM hashes — the credentials Windows uses for network authentication — simply by getting a user to preview a malicious file.

Here’s how it worked:

  • Attackers crafted files containing HTML markup, such as a <link> tag or a src attribute, that referenced a resource on an external server.

  • When a user highlighted the file in File Explorer, the preview pane would automatically attempt to render it.

  • That triggered a network request to the attacker’s server, leaking the user’s NTLM hash.

The scary part? No clicks, no execution, no “are you sure?” prompts. Just selecting the file so it appeared in the preview pane was enough.
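A simple defensive triage check, added here as an example and not part of the original post: it parses HTML with Python's standard-library parser and flags tags that the renderer fetches automatically (stylesheet links, images, scripts, frames) whose target is a UNC path or a file: URL, which is the shape of reference the attack above relies on. Anchor tags are deliberately ignored because they need a click. The sample document, hostnames and the `scan_html` function name are all constructed for this example.

```python
"""Flag auto-fetched HTML references that point at UNC paths or file: URLs.

Added example (not Microsoft's or the post's code): a quick way for a
defender to triage downloaded HTML before it is opened on a host that has
not yet received the preview-pane change.
"""
import re
from html.parser import HTMLParser

# Attributes whose value a renderer will fetch on its own, without a click.
FETCH_ATTRS = {"href", "src", "data", "background"}

# Tags where such an attribute causes an automatic fetch. <a> is excluded:
# its href is only followed after user interaction.
AUTO_FETCH_TAGS = {
    "link", "img", "script", "iframe", "frame", "object", "embed",
    "source", "video", "audio", "input", "body",
}

# \\host\share\... or //host/share/... (UNC path in either slash style)
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")
# file://host/... URLs resolve to SMB on Windows and behave like UNC paths
FILE_URL_RE = re.compile(r"^file:", re.IGNORECASE)


class OutboundRefCollector(HTMLParser):
    """Collects (tag, attribute, value) for suspicious auto-fetched references."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in AUTO_FETCH_TAGS:
            return
        for name, value in attrs:
            if name in FETCH_ATTRS and value:
                target = value.strip()
                if UNC_RE.match(target) or FILE_URL_RE.match(target):
                    self.findings.append((tag, name, target))


def scan_html(text):
    """Return a list of (tag, attribute, value) tuples worth a closer look."""
    collector = OutboundRefCollector()
    collector.feed(text)
    collector.close()
    return collector.findings


# Constructed sample: one stylesheet and one image reference a UNC/file:
# target (flagged); an https image and a plain anchor are benign (not flagged).
SAMPLE_HTML = r"""<html><head>
<link rel="stylesheet" href="\\untrusted-host.example\share\style.css">
</head><body>
<img src="https://cdn.example.com/logo.png">
<img src="file://untrusted-host.example/pixel.png">
<a href="\\fileserver.corp.example\docs">internal docs</a>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, value in scan_html(SAMPLE_HTML):
        print(f"suspicious <{tag} {attr}=...>: {value}")
```

Run it against a quarantined download directory by reading each file's text into `scan_html`; a non-empty result is a reason to open the file only in an isolated environment, not a verdict. Plain `http://` references are intentionally not flagged, since whether they leak credentials depends on zone and proxy configuration rather than on the markup alone.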

By disabling previews for files tagged with the “Mark of the Web” (i.e., downloaded from the internet or untrusted shares), Microsoft has effectively slammed this door shut. Users will now see a warning instead of a live preview, cutting off the attack before it starts.

A No‑Brainer Security Win

This feels like one of those “why wasn’t it always like this?” changes. But better late than never. It’s encouraging to see Microsoft making proactive adjustments that reduce risk without requiring users to change their habits.

And it’s even better to see this fix already live for anyone who’s up to date on patches. If you’re still waiting to install October’s updates, you’re leaving yourself exposed to an attack vector that requires almost no user interaction.

The Bigger Picture

This update is more than just a single fix. It’s a reminder that:

  • Attackers thrive on defaults. If the default behavior is risky, they’ll exploit it.

  • Small changes can have big impact. Blocking previews may seem minor, but it eliminates an entire class of credential theft attacks.

  • Patching quickly matters. Microsoft can release fixes, but they only protect you if you apply them.

Final Thought

Microsoft’s decision to disable risky previews is a smart, overdue move — but it’s just one piece of the puzzle. Organizations can’t afford to wait for vendors to close every gap. Proactive security assessments are the only way to stay ahead of attackers.

👉 At Actionable Security, our Cybersecurity Risk Assessments help identify vulnerabilities before Microsoft (or attackers) do. Pair that with our penetration testing and advisory services, and you’ll have a clear plan to fix issues before they become headlines.

#PatchTuesdayOrBust #NTLMnapped #PreviewPanePain
