A user asked how to turn off attachment preview. No, not the option that displays the attachment in the reading pane, and no, he wasn’t asking about blocked external content.
He wanted to disable the thumbnail preview that is used on images attached to email. His main concern was that someone would send him a compromised jpg and the act of previewing it would trigger the payload.
I recently received an email from an unknown address that included an image attachment. For some reason Outlook displays the preview for this image. This concerns me as there is always the possibility that a malicious actor can somehow exploit the image format to execute some code on my machine.
While this is a valid concern, I was assured that the thumbnails are safe – they are too small to host an exploit and reading them doesn’t open the image. In the case of Office 365/Outlook.com mailboxes, the thumbnail is created on the server, not by Outlook.
That’s not to say that allowing users to turn off the thumbnail preview shouldn’t be an option – there are valid reason for not wanting preview – from avoiding offensive images to just reducing the size of the message header view.
If you agree that users should have the ability to turn this feature off, you can vote for the suggestion at UserVoice: Disable image attachment thumbnail previews.
Block External Content and Disable Attachment Preview
To turn off the ability to view attachments in the reading pane, go to File, Options, Trust Center, and open the Trust Center Settings, then select Attachment Handling. You can turn off Attachment preview to prevent all attachments from being previewed or click on Attachment and Document Previews to allow some files types but not others.
To keep Outlook from downloading images linked in HTML email, you’ll check the Trust Center Setting for Automatic Download. You can also open this dialog from any message: right-click on the notification Click here to download picture and choose Change Automatic Download Settings.
My preference is to not allow any external content (I’ll enable it per message as needed) but you can choose from the available options. Many people allow external content from Safe senders and recipients and domains in the Trusted Security zone in IE’s Internet Settings.
Neither of these settings will prevent embedded images, such as those added to signatures, from displaying.