Microsoft is strengthening security for Excel users with a significant upcoming change: between October 2025 and July 2026, the company will begin disabling external workbook links to blocked file types by default. This measure is part of Microsoft’s ongoing effort to harden Office applications against indirect and potentially malicious file access.
What’s Changing?
Once implemented, Excel will no longer refresh external links to file types that are already disallowed by Excel’s Trust Center security settings. This includes file types considered unsupported or high-risk. The key details of this update are:
- External links to blocked file types will not update: Any data previously pulled from such files will remain as the last successfully retrieved value. Attempting to refresh the link will result in a
#BLOCKEDerror in affected cells. - Immediate response for newly created references: If a user tries to create a new link to a blocked file type, Excel will immediately return a
#BLOCKEDerror for the attempted connection. - User notifications during rollout: As this change is rolled out, users who open workbooks with affected links will see a notification bar (business bar) alerting them to the new behavior.
Why Is Microsoft Making This Change?
This update is designed to close potential vectors for phishing, exploitation, and exposure to malicious payloads, which can occur through indirect access to risky or unsupported files. Disabling these external links helps protect both individual users and organizations from evolving threats targeting Office documents.
Management and Exceptions for Organizations
To support organizations with unique operational needs, Microsoft will introduce a new group policy setting called FileBlockExternalLinks. Network administrators can use this policy to explicitly allow or disallow the refreshing of external links to blocked file types. If this setting is not configured, Excel’s default behavior will prevent refreshing such links.
It is important to note that while administrators can revert to the previous behavior using group policy or registry changes, Microsoft strongly advises against this practice due to the heightened security risks involved.
