Outlook

Microsoft shared a workaround for Outlook Desktop blocking attempts to open IP address or fully qualified domain name (FQDN) hyperlinks after installing this month's Office security updates.

"Outlook blocks opening FQDN and IP address hyperlinks after installing protections for Microsoft Outlook Security Feature Bypass Vulnerability released July 11, 2023," the company says.

On affected systems, Outlook for Microsoft 365 users will see silent failures, be warned that the location may be unsafe, or see "Something unexpected went wrong with this URL" errors.

This happens only when clicking on links in emails within Outlook Desktop if the path leads to an FQDN, an IP address, or a hostname path.

More information can be found in the knowledgebase articles published by Microsoft with details on the CVE-2023-33151 Outlook Spoofing Vulnerability and the CVE-2023-35311 Outlook Security Feature Bypass Vulnerability.

Outlook FDQN error
Outlook silent failure (Microsoft)

​Redmond also provides impacted customers with a temporary fix to work around this known issue and allow all hyperlinks to work as expected.

However, the company warns that applying the workaround might increase the attack surface on affected systems.

"This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses," Microsoft warned,

"Make sure the FQDN or IP address you add to Trusted Sites is a valid URL path for your company or network."

To temporarily ensure that links to files hosted on FQDN or IP address paths are still accessible after installing the Outlook Desktop July 11th security updates, affected users have to go through the following steps to add the URLs to the Trusted Sites zone:

  1. Go to Windows Settings.
  2. Search for and open Internet Options.
  3. Click the Security tab, then select Trusted Sites.
  4. Add the URL, UNC, or FQDN path that you want to allow to "Add this website to the zone" (For example, add file://server.usa.corp.com)

This workaround can also be deployed using the Site to Zone Assignment List group policy, but admins are advised to ensure that all values are valid before deploying.

Last month, Redmond shared another temporary fix for a known issue affecting Outlook for Microsoft 365 customers and causing slow starts and freezes.

Update July 26, 05:59 EDT: Microsoft has also added a new entry acknowledging this issue to the Windows release health page and says the bug impacts systems running Windows 10 21H2/22H2 and Windows 11 21H2/22H2.

Related Articles:

Microsoft warns Gmail blocks some Outlook email as spam, shares fix

Microsoft shares temp fix for Outlook encrypted email reply issues

AT&T delays Microsoft 365 email delivery due to spam wave

Generative AI Security: Preventing Microsoft Copilot Data Exposure

Microsoft pulls fix for Outlook bug behind ICS security alerts