Why you should block external content in Outlook by default

Slipstick Systems

Last reviewed on March 12, 2018

Applies to: Outlook (classic), Outlook 2007, Outlook 2010

A virus-infected email is making the rounds, purportedly from Microsoft, updating their service agreement. It looks like the real message, but the URLs point to another site, typical of a phishing scheme. The real Microsoft service agreement email's links point to URLs like //email.microsoft.com/Key-9850701.C.CFC8.G.KK.nCdd9Wk, which redirects to a legitimate Microsoft webpage.

At least one version of the infected message includes an embedded external HTML file: <img src="//{infected-site}/index.html">

The problem? When you download external content, either automatically or per message, that file will be saved to the hard drive and it will be rendered in Outlook. In this case, the HTML file is going to be rendered. While Outlook renders HTML in the Restricted zone, it appears this week's Java exploit may be able to run the Java applet in the embedded HTML. (I'm investigating this angle.)

When you view a message (either in the reading pane or open message) and allow external content, the content is downloaded and stored in the Temporary Internet Files folder (type shell:cache in Windows Explorer address bar) and displayed in Outlook. When the file is saved to the

As one of the complainers who helped convince the Outlook team we needed the ability to block web bugs, my recommendation is never download content automatically. Don't trust external content from any address.

Don't download external content by default. No exceptions. Don't trust anyone.

With external content blocked by default, mail loads faster, web bugs aren't sent back to the sender, and most importantly, blocking external content may prevent this Java exploit from infecting your computer.

Messages sent with external content are almost always "bulk mail" - messages from advertisers and spammers. In most cases, the blocked content is a logo and style sheets, adding eye-candy but not content. You won't miss much by not downloading this content. In the case of advertisements that are all images, you can easily download the content when the message subject or text in the body is enticing enough to convince you that the blocked content is worth reading. (Take note advertisers: use more text, fewer external images!)

If you block external content *and* do not trust anyone, the HTML will not download and the Java definitely won't run.

Reading all mail in plain text is also an option. This is less desirable in my opinion: HTML messages displayed as plain text are harder to read and you will display more messages in HTML than you will enable external content on. It doesn't increase your security by an appreciable amount. Comparing cost (time spent enabling HTML per message) vs benefit (no risk compared to small risk), blocking external content has a good ROI.

In addition to blocking external content, these recommendations will help to increase your safety:

  1. Always hover over hyperlinks and make sure they point to legitimate sites before clicking. Look closely at the URLs to ensure they are not trying to fake you out with "microsoft.com.spammer.com" addresses.
  2. Look at the message's Internet headers if you aren't sure the message is legitimate.
  3. Consider disabling Java. It's too full of holes.
  4. Keep your antivirus and antimalware up to date.
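
The link check in item 1 and the embedded-HTML case described earlier can both be run over a message body before anything is downloaded. The Python below is an added example, not code from the original article; the TRUSTED list, the function names and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import os

# Tag/attribute pairs that make a mail client fetch remote content on display.
FETCH_ATTRS = {("img", "src"), ("link", "href"), ("iframe", "src"),
               ("script", "src"), ("body", "background")}
IMAGE_EXTS = {".png", ".gif", ".jpg", ".jpeg", ".bmp", ".webp", ""}  # "" = no extension
TRUSTED = ("microsoft.com",)  # assumption: domains you expect this mail to link to

def host_of(url):
    # urlparse also reports the host of protocol-relative URLs (//host/path).
    return (urlparse(url).hostname or "").lower()

def is_lookalike(host):
    """True when a trusted name appears in the host but does not own it."""
    if any(host == good or host.endswith("." + good) for good in TRUSTED):
        return False
    return any(good in host for good in TRUSTED)

class MailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []      # (tag, url, note): fetched if external content is allowed
        self.lookalikes = []  # link targets that imitate a trusted domain

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = host_of(value or "")
            if (tag, name) in FETCH_ATTRS and host:
                ext = os.path.splitext(urlparse(value).path)[1].lower()
                odd = tag == "img" and ext not in IMAGE_EXTS
                self.remote.append((tag, value, "not an image" if odd else ""))
            if tag == "a" and name == "href" and is_lookalike(host):
                self.lookalikes.append(value)

def audit(html):
    parser = MailAudit()
    parser.feed(html)
    return parser.remote, parser.lookalikes

# Constructed sample body; the hosts are placeholders, not real indicators.
SAMPLE = """<img src="//infected-site.example/index.html">
<img src="https://cdn.example.net/logo.png">
<a href="http://microsoft.com.spammer.com/agreement">Services Agreement</a>
<a href="https://email.microsoft.com/Key-1">Services Agreement</a>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Everything in the first returned list is what stays unfetched while external content is blocked; an img entry marked "not an image" matches the embedded index.html pattern described above.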

Recommended settings for external content

To block external content in Outlook 2010 and up, go to File, Trust Center, Automatic Downloads. My recommendation: don't download any content and always warn before replies.
Do not download external content, even for trusted senders
(If you want to read all mail in plain text, the setting is on the E-mail Security tab.)

In Outlook 2007, block content from the Tools, Trust Center menu.

Enable blocked content per message

When you are reading a message and want to view the content, click on the Infobar and download external content for that message. You only need to do this once per message; Outlook will remember until the Temp Internet Cache is emptied.

Display blocked external content for a specific message

More Information

How do I set the preview screen to use text vs. HTML mode: Discussion at Microsoft Answers forum discussing the Java exploit
Blackhole targeting Java vulnerability via fake Microsoft Services Agreement email phish

Why you should block external content in Outlook by default was last modified: March 12th, 2018 by Diane Poremsky

About Diane Poremsky

A Microsoft Outlook Most Valuable Professional (MVP) since 1999, Diane is the author of several books, including Outlook 2013 Absolute Beginners Book. She also created video training CDs and online training classes for Microsoft Outlook. You can find her helping people online in Outlook Forums as well as in the Microsoft Answers and TechNet forums.

William Pyles (@guest_209745)
December 22, 2017 12:07 pm
#209745

Outlook 2016 does not appear to have the "Permit downloads from Web sites in this security zone: Trusted Zone" in the Automatic Downloads tab under Trust Center, as it did in Outlook 2010. Any idea why, and whether there is an equivalent option in Outlook 2016 that can be disabled to prevent downloading of images from external sites?

Diane Poremsky(@diane-poremsky)
Author
Reply to  William Pyles
December 23, 2017 12:05 am
#209752

I have it in my Outlook 2016 - this is in the newest insider build - build 1801.

Which build/version do you have? It's possible it was temporarily removed from a build.

Cavehomme (@guest_171347)
September 17, 2012 12:34 am
#171347

Good tips. However, by enabling only downloads from trusted senders in the Outlook settings surely deals with this issue, or not?

Diane Poremsky (@guest_171351)
Reply to  Cavehomme
September 17, 2012 6:40 am
#171351

Not necessarily. If an exploit sends mail using a faked address of a trusted contact or infects a trusted person or company's computer and sends mail from them, you are at risk. Because everything has to come together just right (use Outlook, trust their address, mail gets past content scanners etc), the risk may not be much but it's not zero.

If you don't have Java installed, there should be no additional risk as the danger is in an exploit that can bypass normal security measures and at this time, only Java exploits can do this.
