OneDrive’s Latest Update Automatically Flags Email Attachments as Untrusted, Disabling Macros
If you’ve ever saved an Excel workbook or Word document from an Outlook email straight into your OneDrive folder and then found that the macros won’t run, you’ve just hit a new security change from Microsoft. Starting with OneDrive version 26.002.0105.0001, released to the Production ring on January 23, 2026, files saved from Outlook attachments into any OneDrive-synced folder now get stamped with a ‘Mark of the Web’ (MOTW). This tag tells Windows and Office that the file came from the internet—triggering Protected View and, more critically, blocking all VBA macros and active content by default. The update has since reached the Deferred ring (June 1, 2026), meaning it’s now live for most business and personal users.
What’s Changing Behind the Scenes
The Mark of the Web is an alternate data stream that Windows attaches to files downloaded from the internet or received as email attachments. It’s been around for decades, and applications like Microsoft Office use it to decide whether to trust a file. Previously, OneDrive’s sync client did not preserve this marker if you simply saved an Outlook attachment into a synced folder. That meant a macro-heavy workbook sent by a trusted colleague could be saved to your Documents\OneDrive folder and opened without warning, as if it had been there all along.
No longer. According to Microsoft’s OneDrive Sync release notes, version 26.002.0105.0001 “adds the ability to mark Outlook attachments saved to OneDrive folders with the Mark of the Web.” The behavior is specific: only files that pass through Outlook’s “Save As” or “Save All Attachments” dialog directly into a OneDrive-synced location get the mark. Ordinary file syncing—like copying a file from a USB drive into OneDrive—does not add MOTW. This keeps the change targeted at the highest-risk path: attachments that arrive via email, a prime malware vector.
The practical upshot is that any macro-enabled Office file (.xlsm, .docm, .pptm), as well as scripts (.ps1, .vbs, .bat) or installers (.msi, .exe) saved this way are now treated as untrusted. Office will open them in Protected View (read-only, with security warnings), and by default macros are completely disabled. Users can’t simply click “Enable Content” in many cases; the block is absolute until the MOTW is removed.
Who Feels the Pain
Regular users: If you’re not a developer but rely on a monthly finance report sent as an Excel attachment, you might suddenly see a yellow banner: “SECURITY RISK Microsoft has blocked macros from running because the source of this file is untrusted.” You can manually unblock the file (right-click, Properties, check ‘Unblock’), but that’s a hassle and a potential security slip if you do it routinely without thinking. For home users with no IT support, this is just another obstacle.
Power users and business analysts: Workflows that depend on VBA macros embedded in templates or automations are broken. A process that has users save a daily attachment, run a macro to generate a report, and then email that report onward now halts at step one. This isn’t a theoretical problem: finance departments, operations teams, and anyone who’s ever used an emailed .xlsm as a poor man’s application distribution channel are affected.
IT administrators: The change lands at a time when Microsoft has been steadily tightening macro security. In Office 2021 and Microsoft 365 Apps, macros from the internet are blocked by default. But email attachments saved to a synced OneDrive folder had escaped that net—until now. The sudden activation means help desks will see a spike in tickets. Worse, the usual workarounds (like telling users to “just unblock the file”) don’t scale, and broad policy changes (like disabling MOTW for all attachments) introduce a huge security hole.
How We Got Here: Closing the Email Attachment Loophole
This MOTW behavior is part of Microsoft’s long-running effort to curb macro-based malware. In 2021, the Office team announced that VBA macros obtained from the internet would be blocked by default, a change that rolled out in waves. Yet the definition of “from the internet” depended on the MOTW. Because OneDrive didn’t set the mark for email-to-synced-folder saves, many organizations inadvertently trained users to save attachments there to bypass the block. Security researchers and Microsoft’s own threat intelligence noted the gap, and the sync client was updated to close it.
The feature was tracked in the Microsoft 365 roadmap as item 84960, titled “OneDrive: Mark Outlook attachments saved to OneDrive sync folder as ‘from the internet’.” It appeared in preview in late 2025 and moved to production in early 2026. The Deferred ring release date makes it clear that even organizations that typically delay updates should already be dealing with the fallout.
What to Do About It—Without Disabling Security
The immediate temptation is to turn off the MOTW behavior entirely. Windows includes a Group Policy setting under User Configuration → Windows Components → Attachment Manager: “Do not preserve zone information in file attachments.” Enabling this policy stops Windows from marking any attachment with its origin zone. Microsoft explicitly warns against doing this globally, and for good reason: it removes the very signal that helps Defender SmartScreen, Office Protected View, and macro blocking do their jobs. A blanket policy makes all attachments appear local, even genuinely malicious ones.
Instead, approach the change as a prompt to finally reform how your organization distributes legitimate active content.
For Individual Users and Small Teams
- Identify which files you regularly save from email. Are the macros truly necessary? If not, save the file without macros or ask for a macro-free version.
- If you must keep macros, consider moving the trusted file to a local folder that isn’t synced by OneDrive, then unblock it once. But that breaks collaboration and backup.
- A better short-term fix: right-click the downloaded file, select Properties, and check “Unblock” on the General tab. Do this only if you’re certain the file is safe. This removes the MOTW, and the file will open normally thereafter.
For IT Admins and Business Process Owners
1. Audit your attachment workflows. List every recurring email that carries a macro-enabled file, script, or installer. Document who sends it, who receives it, and what business outcome depends on it. Capture four details for each candidate:
- The sender (internal, external, or automated).
- The exact Outlook action used to save the file and which OneDrive folder receives it.
- The active content that must run and the business result it produces.
- A supported replacement if Windows or Office blocks the original.
2. Test the exact path. On a device with the affected OneDrive client, receive the attachment via Outlook, save it to the recipient’s usual OneDrive folder, and attempt to run the macros. Check not just the first open but subsequent opens, and any downstream processing. Test with representative users and configurations, including those on the Deferred ring and with common folder protection settings.
3. Establish a migration plan with three options for each workflow:
- Retire: If the macros are no longer needed or the process is redundant, eliminate it.
- Repackage: If the active code is still required, separate the code from the data. Store the macro-enabled template in a managed repository (SharePoint, a network share with tight permissions) and distribute only links or static data via email.
- Exception: Where immediate redesign isn’t possible, create a narrowly scoped exception. This could be a Trusted Location in Office—but use it sparingly.
4. Avoid using Trusted Locations as a universal fix. If anyone can save files to that folder, it’s no safer than email. Restrict write access to a few authorized publishers. Microsoft’s security baseline guidance advises using Trusted Locations rarely, controlling them centrally, and avoiding user-defined paths. A Trusted Location should be treated as privileged execution infrastructure, not a convenience setting.
5. Do not “Unblock” files as a policy. While manual unblocking works per file, it entrenches a habit of bypassing warnings. Users get trained to click through security prompts, which is exactly what macro-blocking was designed to prevent.
A better final state is one where Outlook is just a notification tool, not the carrier of executable content. Send a link to a document in SharePoint or a shared OneDrive folder with appropriate controls, or use a real deployment pipeline for scripts and installers.
The Outlook: Tightening Security Will Continue
This change is not an isolated event. Microsoft has been progressively locking down macro execution and attachment handling for years, and more tightening is on the horizon. The OneDrive MOTW update aligns with a broader “zero trust” philosophy where content origin always matters. IT organizations that haven’t already moved away from email-based distribution of active content should treat this as a catalyst. The deadline for reaction is already past; the next milestone should be an internal deadline by which every emailed macro, template, script, or installer is either validated, migrated, or explicitly rejected. The fix isn’t to kill the messenger—it’s to stop emailing executable code.