Outlook blocks hyperlinks after July 2023 update; a workaround from Microsoft

[German]Since installing the July 11, 2023 security updates that closed a Security Feature Bypass vulnerability in Outlook, some users can no longer use hyperlinks without restrictions. Either a warning comes up or the hyperlinks no longer work. Now Microsoft has spoken out and has also suggested a workaround.


Advertising

Hyperlinks causes a Outlook warning

I had picked up on July 19, 2023 in the blog post Outlook 2016: Links broken after update from July 11, 2023 (KB5002427) – Security warning appears when clicking links. If users select links to open in Outlook after installing the security updates, a security warning appears.

Microsoft Outlook Security Notice

Microsoft Office has identified a potential security concern.
This location may be unsafe.

The issue was indeed related to Office 2016 and the KB5002427 security update for Outlook 2016 in the post. However, the flaw also occurs in Outlook from Office 365 when the July 2023 security updates to close the Microsoft Outlook Security Feature Bypass vulnerability CVE-2023-35311 are installed. Phil had then reached out in this German comment and wrote:

The problem only occurs when the UNC path is used as FQDN. Without domain it works without problems.

Under Control Panel, Internet Options, Security, Trusted Sites you can enter the FQDN, then it works for us (file://*.domain.local).

This was also confirmed by another user.

Microsoft confirms the problem

Via the colleagues at Bleeping Computer I came across the Microsoft support post Outlook blocks opening FQDN and IP address hyperlinks after installing protections for Microsoft Outlook Security Feature Bypass Vulnerability released July 11, 2023 released July 11, 2023. There the vendor confirms the problem for Outlook for Microsoft 365 and writes:

When you click on links in emails in Outlook Desktop where the path is to a fully qualified domain name (FQDN) or IP address you may see the following:

An Outlook warning dialog with the error "Something unexpected went wrong with this URL"

  • Silent failure for the untrusted file.

If the user tries to open links in e-mail in Outlook Desktop where the path points to either an FQDN or an IP address or a hostname path, a dialog box appears with the warning I mentioned above, "Microsoft Office has detected a potential security risk. This location may not be secure." is displayed. According to Microsoft, this behavior is to be expected. The support article cites the closed vulnerabilities and the Outlook 2013/2016 update as the cause.


Advertising

Suggested workarounds from Microsoft

Microsoft then suggested two workarounds in the support article on how to fix the above issues. The first suggestion was also outlined by blog reader Phil in this German comment.

  1. Go to Windows Settings.
  2. Search for and open Internet Options.
  3. Click the Security tab, then select Trusted Sites.
  4. Add the URL, UNC, FQDN path that you want to allow to "Add this website to the zone" (for example, add file://server.usa.corp.com).

In a nutshell: Add the FQDN or IP address path to the Trusted Sites zone. However, Microsoft writes that this intervention makes the system more vulnerable to attacks by malicious users or malicious software such as viruses. In addition, make sure that the FQDN or IP address added to the trusted sites is a valid URL path for the company or network.

Instead of manually adding the URL to the trusted website zone in the Internet options, the whole thing can also be distributed via group policy. Microsoft provides a short note about this possibility in the support article. Perhaps it will help those affected.

Similar articles
Outlook 2016: Links broken after update from July 11, 2023 (KB5002427) – Security warning appears when clicking links
Outlook appointments automatically become teams meetings
Outlook startup asks for "re-open windows", options to disable missing
Outlook.com search issue ;(July 6/7, 2023); MS Teams "duplicate contacts" bug unfixed since end of March 2023
Windows 10/11: June update can prevent Outlook and App from starting, bug fix available
Microsoft 365 (Business) Outlook shows black font on black background
Microsoft 365: Microsoft shares a workaround for hanging/slow running Outlook
Outlook 365 damages PDF and Office files since April 2023
Microsoft Office 2304 (Build 16327.20308): Outlook displays self-signed e-mails as text
Microsoft is installing Outlook-Preview without permission

Microsoft Office Updates (July 11, 2023)


Advertising

This entry was posted in issue, Office, Security, Software, Update and tagged , . Bookmark the permalink.

4 Responses to Outlook blocks hyperlinks after July 2023 update; a workaround from Microsoft

  1. Keith H says:

    The suggested fix is OK if you have only a couple of File Servers to add (The fix did not work for me or my users). What if you have hundreds of shares spread across multiple locations? Microsoft needs to come up with a better fix.

  2. André says:

    This didn't work for me either. I am still getting the warning although the locations are correctly listed in the ZoneMapKey (Trusted Sites). Doesn't even work with CNAMEs.

  3. Portsman says:

    Not working whatever combination I use for our DFS share like \domain.localdfsshare, file://domain.local/dfsshare, file://domain.local/dfsshare/share

    What a bunch of stupid children that work at Microsoft that make changes like this. Most of our staffs shitful workflow involves sending Hyperlinks of documents to each other from our file shares.

    Don't forget, if you have O365 you have support for Office from Microsoft or your reseller (ew). Contact Microsoft about this now and demand they fix this bug.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).