Microsoft Blocks File Explorer Preview for Downloads to Prevent NTLM Credential Theft

Microsoft has introduced a new security change in Windows to block a long-standing method used by attackers to steal NTLM credentials. The update disables the File Explorer preview and details panes for files downloaded from the internet.

The change affects files tagged with the “Mark of the Web,” a Windows security attribute automatically applied to files that originate from untrusted sources such as web downloads, email attachments, or external drives. When this tag is present, Windows will now prevent the preview pane from displaying file contents until the user explicitly opens the file or removes the tag.

This adjustment was made after security researchers demonstrated how attackers could exploit File Explorer’s preview function to trigger NTLM authentication requests. In practice, a malicious file could cause Windows to connect to a remote server controlled by an attacker and transmit NTLM hashes, allowing those credentials to be cracked or reused. In some cases, this could happen without the victim even opening the file—simply selecting it in File Explorer could be enough.

The measure aims to stop this type of automatic credential exposure. It is included in the October 2025 security updates and applies to supported versions of Windows 11 and Windows Server. Microsoft said the change will roll out gradually and become the default behavior for all Windows users.

NTLM credential theft has been one of the oldest and most reliable attack methods against Windows environments. Threat actors often use it to gain access to internal networks, escalate privileges, or move laterally between systems. By disabling automatic previews for internet-sourced files, Microsoft reduces one more opportunity for these attacks to succeed.

Administrators and users are advised to install the latest Windows updates to ensure this protection is enabled. Those who rely on previewing files frequently can still view content safely by removing the “Mark of the Web” tag manually after verifying the file’s source and authenticity.
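One way to carry out the "verify, then remove the tag" step described above, as an added PowerShell example that is not from Microsoft or the original article. It assumes the Mark of the Web is stored in the NTFS alternate data stream `Zone.Identifier` (the standard Windows mechanism, not named on this page) and that the publisher's SHA-256 was obtained over a trusted channel; the function names `Get-MotwInfo` and `Unblock-VerifiedFile`, the file name, and the hash value are hypothetical placeholders.

```powershell
# Added example: inspect Mark of the Web (MotW) and remove it only after a hash check.
function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    # MotW lives in the NTFS alternate data stream "Zone.Identifier".
    $raw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $info = [ordered]@{ Path = $file.FullName; HasMotw = [bool]$raw; ZoneId = $null; HostUrl = $null }
    foreach ($line in $raw) {
        # ZoneId 3 = Internet, 4 = Restricted sites; HostUrl is optional.
        if ($line -match '^ZoneId=(\d+)\s*$')  { $info.ZoneId  = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$') { $info.HostUrl = $Matches[1].Trim() }
    }
    [pscustomobject]$info
}

function Unblock-VerifiedFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256   # from the publisher, not from the download page
    )
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {           # string -ne is case-insensitive
        Write-Warning "SHA-256 mismatch for '$Path'; Mark of the Web left in place."
        return $false
    }
    Unblock-File -LiteralPath $Path                     # deletes the Zone.Identifier stream
    return -not (Get-MotwInfo -Path $Path).HasMotw
}

# 1. Audit: list files in Downloads that still carry the tag and where they came from.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Get-MotwInfo -Path $_.FullName } |
    Where-Object HasMotw |
    Format-Table ZoneId, HostUrl, Path -AutoSize

# 2. Unblock one file only if it matches the known-good hash (placeholder values).
$target   = "$env:USERPROFILE\Downloads\report.pdf"      # hypothetical file
$expected = '<SHA-256 published by the file''s source>'  # placeholder, replace before use
if (Test-Path -LiteralPath $target) {
    Unblock-VerifiedFile -Path $target -ExpectedSha256 $expected
}
```

On a hash mismatch the function leaves the tag in place, so File Explorer keeps the preview blocked for that file.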

This change is part of Microsoft’s broader effort to phase out NTLM-based authentication and strengthen Windows’ defenses against credential theft and lateral movement techniques.