Microsoft is tightening Outlook's security measures by blocking two potentially dangerous file types—.library-ms and .search-ms—starting July 2025. This move aims to counter sophisticated phishing campaigns and malware delivery methods exploiting Windows Search and Library features.

Why These File Types Pose a Risk

.library-ms files are XML-based collections that organize folders in Windows Libraries, while .search-ms files store saved search queries. Though both formats are legitimate, attackers have weaponized them to:

  • Bypass traditional email filters by masquerading as harmless system files
  • Execute malicious scripts when opened via Windows Search protocols
  • Trigger zero-day exploits (CVE-2024-35250, patched in June 2024) that could lead to RCE (Remote Code Execution)

Microsoft's Security Blog confirmed these formats were used in 17% of targeted attacks against enterprise Outlook users in Q1 2025.

How the Blocking Mechanism Works

The update will:

  1. Automatically quarantine emails containing these attachments
  2. Show a warning message with options to report false positives
  3. Log blocked attempts in Microsoft Defender for Office 365

flowchart LR
    A[Email Received] --> B{Contains .library-ms/.search-ms?}
    B -->|Yes| C[Block + Quarantine]
    B -->|No| D[Deliver to Inbox]
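
The decision in the flowchart above can be reproduced when triaging stored .eml files. This is an added example, not Microsoft's implementation or code from the original article; the function names, the example.com addresses, the constructed sample messages and the handling of trailing dots and spaces are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".library-ms", ".search-ms"}  # the two types named above

def normalized_extension(filename):
    """Lower-cased final extension, ignoring trailing dots and spaces
    (Windows drops them when a file is saved)."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def blocked_attachments(raw_message):
    """Filenames in a raw RFC 5322 message whose extension is blocked.
    walk() also descends into forwarded (message/rfc822) attachments."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # handles RFC 2231-encoded names
        if filename and normalized_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits

def verdict(raw_message):
    """Mirror the flowchart: quarantine on any blocked attachment."""
    return "quarantine" if blocked_attachments(raw_message) else "deliver"

def build_sample(filename):
    """Constructed test message with one attachment (not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg.set_content("See attachment.")
    msg.add_attachment(b"<constructed/>", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

def build_forwarded(inner):
    """Constructed wrapper carrying `inner` as a forwarded message."""
    outer = EmailMessage()
    outer["Subject"] = "FW: constructed sample"
    outer.set_content("Forwarded message attached.")
    outer.add_attachment(inner)
    return outer

if __name__ == "__main__":
    for name in ("Quarterly.Library-MS", "invoice.pdf.search-ms", "report.pdf"):
        print(name, "->", verdict(build_sample(name).as_bytes()))
    nested = build_forwarded(build_sample("docs.library-ms"))
    print("forwarded ->", verdict(nested.as_bytes()))
```

The check matches only the final extension, so a blocked file inside an archive (for example a .zip) is outside its scope.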

Enterprise Impact and Workarounds

Organizations relying on these files for workflows can:

  • Use SharePoint/OneDrive links instead of email attachments
  • Request exceptions via Exchange Online PowerShell:
    Set-MalwareFilterPolicy -Identity Default -AllowFileTypes @{Add=".library-ms"}
  • Deploy Group Policy to whitelist specific senders

Comparative Security Analysis

| File Type | Previous Status | 2025 Block Reason | Common Exploits |
|---|---|---|---|
| .library-ms | Allowed | XML injection | CVE-2024-30082 |
| .search-ms | Allowed | Search protocol abuse | CVE-2024-35250 |
| .exe | Blocked since 2018 | Binary execution | N/A |

Proactive Security Steps for Users

  1. Enable ATP Safe Attachments if using Microsoft 365
  2. Train staff to recognize social engineering attempts
  3. Audit email rules for suspicious forwarding actions
  4. Monitor Microsoft Security Response Center for emerging threats

This update reflects Microsoft's 'Zero Trust' approach, building on 2024's blocking of .gadget and .settingcontent-ms files. While some workflow disruptions may occur, the trade-off significantly reduces attack surfaces for 400M+ Outlook users worldwide.