
Why you should block external content in Outlook by default

Slipstick Systems


Last reviewed on March 12, 2018     4 Comments

Applies to: Outlook 2016 (Win), Outlook 2013, Outlook 2010, Outlook 2007

September 1, 2012 by Diane Poremsky 4 Comments

A virus-infected email is making the rounds, purportedly from Microsoft, updating their service agreement. It looks like the real message, but the URLs point to another site, typical of a phishing scheme. The real Microsoft service agreement email's links point to URLs like //email.microsoft.com/Key-9850701.C.CFC8.G.KK.nCdd9Wk, which redirect to a legitimate Microsoft webpage.

At least one version of the infected message includes an embedded external HTML file: <img src="//{infected-site}/index.html">

The problem? When you download external content, either automatically or per message, that file will be saved to the hard drive and it will be rendered in Outlook. In this case, the HTML file is going to be rendered. While Outlook renders HTML in the Restricted zone, it appears this week's Java exploit may be able to run the Java applet in the embedded HTML. (I'm investigating this angle.)

When you view a message (either in the reading pane or open message) and allow external content, the content is downloaded and stored in the Temporary Internet Files folder (type shell:cache in Windows Explorer address bar) and displayed in Outlook. When the file is saved to the

As one of the complainers who helped convince the Outlook team we needed the ability to block web bugs, my recommendation is never download content automatically. Don't trust external content from any address.

Don't download external content by default. No exceptions. Don't trust anyone.

With external content blocked by default, mail loads faster, web bugs aren't sent back to the sender, and most importantly, blocking external content may prevent this Java exploit from infecting your computer.

Messages sent with external content are almost always "bulk mail" - messages from advertisers and spammers. In most cases, the blocked content is a logo and style sheets, adding eye-candy but not content. You won't miss much by not downloading this content. In the case of advertisements that are all images, you can easily download the content when the message subject or text in the body is enticing enough to convince you that the blocked content is worth reading. (Take note advertisers: use more text, fewer external images!)

If you block external content *and* do not trust anyone, the HTML will not download and the Java definitely won't run.

Reading all mail in plain text is also an option. This is less desirable in my opinion: HTML messages displayed as plain text are harder to read and you will display more messages in HTML than you will enable external content on. It doesn't increase your security by an appreciable amount. Comparing cost (time spent enabling HTML per message) vs benefit (no risk compared to small risk), blocking external content has a good ROI.

In addition to blocking external content, these recommendations will help to increase your safety:

  1. Always hover over hyperlinks before clicking and ensure they point to legitimate sites. Look closely at the URLs to ensure they are not trying to fake you out with "microsoft.com.spammer.com" addresses.
  2. Look at the message's Internet headers if you aren't sure the message is legitimate.
  3. Consider disabling Java. It's too full of holes.
  4. Keep your antivirus and antimalware up to date.
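
The following Python example is added here and is not from the original article. It audits a message's HTML body for what Outlook would fetch if external content were allowed (including an img tag whose source is an HTML page, as in the infected message) and for link hosts of the "microsoft.com.spammer.com" kind from recommendation 1. The sample message, the .example hosts and the TRUSTED list are constructed assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the real phish; all hosts are placeholders.
SAMPLE = """\
From: "Microsoft" <team@example.invalid>
Subject: Services Agreement update
Content-Type: text/html; charset="utf-8"

<img src="//infected-site.example/index.html"><img src="cid:logo@local">
<img src="http://tracker.example/open.gif">
<a href="http://microsoft.com.spammer.example/tos">http://www.microsoft.com/tos</a>
<a href="https://www.microsoft.com/about">About</a>
"""
TRUSTED = ("microsoft.com",)  # assumption: brands the reader expects to see

def remote_host(url):
    """Host of an http(s) or protocol-relative URL; '' for cid:, data:, relative."""
    p = urlparse(url.strip())
    remote = p.scheme in ("http", "https") or (not p.scheme and p.netloc)
    return (p.hostname or "").lower() if remote else ""

def is_lookalike(host):
    """True when a trusted name appears in the host but is not its real suffix."""
    return any(d in host and host != d and not host.endswith("." + d) for d in TRUSTED)

class Audit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        link = remote_host(a.get("href") or "") if tag == "a" else ""
        if is_lookalike(link):  # what hovering over the link would reveal
            self.findings.append(("lookalike-host", link))
        src = remote_host(a.get("src") or "")
        if src:  # fetched only if external content is allowed
            is_html = urlparse(a["src"]).path.lower().endswith((".html", ".htm"))
            self.findings.append(("external-html" if is_html else "external-content", src))

def audit(raw):
    parser = Audit()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            parser.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return parser.findings
```

Calling audit(SAMPLE) returns one finding per remote resource or deceptive link; the cid: image and the genuine www.microsoft.com link produce none.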

Recommended settings for external content

To block external content in Outlook 2010 and up, go to File, Trust Center, Automatic Downloads. My recommendation: don't download any content and always warn before replies.
Do not download external content, even for trusted senders
(If you want to read all mail in plain text, the setting is on the E-mail Security tab.)

In Outlook 2007, block content from the Tools, Trust Center menu.

Enable blocked content per message

When you are reading a message and want to view the content, click on the Infobar and download external content for that message. You only need to do this once per message; Outlook will remember until the Temp Internet Cache is emptied.

Display blocked external content for a specific message

More Information

  • How do I set the preview screen to use text vs. HTML mode (discussion at Microsoft Answers forum discussing the Java exploit)
  • Blackhole targeting Java vulnerability via fake Microsoft Services Agreement email phish

Why you should block external content in Outlook by default was last modified: March 12th, 2018 by Diane Poremsky


About Diane Poremsky

A Microsoft Outlook Most Valuable Professional (MVP) since 1999, Diane is the author of several books, including Outlook 2013 Absolute Beginners Book. She also created video training CDs and online training classes for Microsoft Outlook. You can find her helping people online in Outlook Forums as well as in the Microsoft Answers and TechNet forums.

Comments
William Pyles

Outlook 2016 does not appear to have the "Permit downloads from Web sites in this security zone: Trusted Zone" in the Automatic Downloads tab under Trust Center, as it did in Outlook 2010. Any idea why, and whether there is an equivalent option in Outlook 2016 that can be disabled to prevent downloading of images from external sites?

December 22, 2017 12:07 pm
Diane Poremsky

I have it in my Outlook 2016 - this is in the newest insider build - build 1801.

Which build/version do you have? It's possible it was temporarily removed from a build.

December 23, 2017 12:05 am
Cavehomme

Good tips. However, enabling only downloads from trusted senders in the Outlook settings surely deals with this issue, or not?

September 17, 2012 12:34 am
Diane Poremsky

Not necessarily. If an exploit sends mail using a faked address of a trusted contact or infects a trusted person or company's computer and sends mail from them, you are at risk. Because everything has to come together just right (use Outlook, trust their address, mail gets past content scanners, etc.), the risk may not be much but it's not zero.

If you don't have Java installed, there should be no additional risk as the danger is in an exploit that can bypass normal security measures and at this time, only Java exploits can do this.

September 17, 2012 6:40 am
