• Outlook User
  • Exchange Admin
  • Office 365
  • Outlook Developer
  • Outlook.com
  • Outlook Mac
  • Outlook & iCloud
    • Common Problems
    • Outlook BCM
    • Utilities & Addins

Outlook Email Security Update

Slipstick Systems

› Outlook › Outlook Email Security Update

Last reviewed on February 15, 2021     4 Comments

Applies to: Outlook 2016 (Win), Outlook 2013, Outlook 2010, Outlook 2007

Following a number of bad virus attacks propagated by Outlook 98 and 2000, Microsoft added email security features. The earliest updates locked Outlook down so much that I called it the HELL patch as it made automating Outlook very difficult. As time progressed so did the security, giving Outlook 2007 and up end-users (or administrators) better control the security. Users can modify the list of blocked attachments and loosen security using Group Policy or registry edits.

It is difficult to open program files in Outlook -- including VBScript .vbs files like those that spread viruses and is aimed at making it more difficult for a virus to use Outlook to transmit itself via e-mail.  In some cases, a user may need to authorize access by outside programs, such as bulk mail applications.

Microsoft has provided two ways to customize the security settings:

  • In Microsoft Exchange Server environments, administrators can customize the security settings by installing a special Outlook custom form in a public folder and configuring security options for individuals and groups.
  • End users can allow access to particular file attachment types that the security features normally block, using the steps at "Opening .exe Attachments and Outlook E-mail Security" However, administrators can block this customization with the new security form for Outlook 2002.

Basic Facts and Download | Attachment Security | Automation Security | Outlook Forms Security | Outlook Security Zone | Known Problems | More Information

Basic Facts

  • Administrative Options for the Microsoft Outlook E-mail Security Patch
  • End users can allow access to particular file attachment types that the security features normally block.
  • OL2000: Information About the Outlook E-mail Security Update

Outlook cannot open or save the files listed below if they are attached to an Outlook message. The attachments will still be in the messages, and other programs or Outlook add-ins may be able to access them, but they will be invisible to Outlook itself.

In addition to these "Level 1" attachments, as Microsoft calls them, there is a "Level 2" list, which warns users when they try to open a file attached to a message. End users can demote a file type from Level 1 to Level 2. Only administrators in an Exchange Server environment can customize the Level 2 list.

There are many ways to open these "dangerous" files. See "Opening .exe Attachments and Outlook E-mail Security"

Users will also see a warning if they try to send an e-mail message that contains any Level 1 file attachment. However, the attachment is not actually stripped. If the receiving user is not running Outlook or has the attachment extension unblocked, they will see the attachment as they normally do.

If you try to forward a message containing one of these files, even if Outlook has been customized to consider it as a Level 2 attachment (save before opening), Outlook strips the attachment from the forwarded copy.

It's recommended you use a file sharing service to share files, rather than sending them by email and paste the URL into the message body, While it's not safer than sending an attachment, as clicking a link to a document containing a virus or an exploit will still infect you, but users will see the link and, hopefully, think a little before clicking on it.

TIP: If you need to send a file from this list and want to avoid problems with recipients who may have installed the patch, you can simply change the file name before attaching the file -- for example, rename an .exe file to a .ex_ file -- and include instructions on how to save it and rename it in the body of your message.

Or use a zip utility to compress the file. Many Compression Tools are available to work automatically from within Outlook, though probably not all will be able to grab the .exe file, given the security surrounding attachments.

Note: the following list may not be complete, as Microsoft occasionally adds new extensions to the list.

File extensionFile type
.adeMicrosoft Access project extension
.adpMicrosoft Access project
.appMicrosoft Visual FoxPro application (blocked only in Outlook 2002 SP-2 and Outlook 2000 SP-3)
.aspActive server page. (Blocked in Outlook 2002 SP3 and higher)
.asxWindows Media Audio or Video shortcut (blocked only in Outlook 2002 builds earlier than 10.0.3005.x)
.basVisual Basic class module
.batBatch file
.cer(blocked only in Outlook 2003 and later)
.chmCompiled HTML Help file
.cmdWindows NT Command script
.comMS-DOS program
.cplControl Panel extension
.crtSecurity certificate
.cshKornShell script file (blocked only in Outlook 2002 SP-2  and Outlook 2000 SP-3 and later)
.exeProgram
.fxpMicrosoft Visual FoxPro compiled program (blocked only in Outlook 2002 SP-2  and Outlook 2000 SP-3 and later)
.hlpHelp file
.htaHTML program
.infSetup  Information
.insInternet Naming Service
.ispInternet Communication settings
.jsJScript Script file
.jseJscript Encoded Script file
.kshKornShell script file (blocked only in Outlook 2002 SP-2  and Outlook 2000 SP-3 and later)
.lnkShortcut
.mdaMicrosoft Access add-in program (blocked only in Outlook 2002 and a patched version of Outlook 2000)
.mdbMicrosoft Access program
.mdtMicrosoft Access workgroup information (blocked only in Outlook 2002 SP-1  and Outlook 2000 SP-3 and later)
.mdwMicrosoft Access workgroup information (blocked only in Outlook 2002 SP-1  and Outlook 2000 SP-3 and later)
.mdeMicrosoft Access MDE database
.mdzMicrosoft Access wizard program (blocked only in Outlook 2002 and a patched version of Outlook 2000)
.mscMicrosoft Common Console document
.msiWindows Installer package
.mspWindows Installer patch
.mstVisual Test source files
.opsOffice XP settings (blocked only in Outlook 2002 SP-1 and  and Outlook 2000 SP-3 later)
.pcdPhoto CD image
.pifShortcut to MS-DOS program
.prfMicrosoft Outlook profile settings (blocked only in Outlook 2002)
.prgMicrosoft Visual FoxPro program (blocked only in Outlook 2002 SP-2  and Outlook 2000 SP-3)
.pstMicrosoft Outlook Personal Folders file (blocked only in Outlook 2000 SP-3)
.regRegistration entries
.scfWindows Explorer command (blocked only in Outlook 2002)
.scrScreen saver
.sctWindows Script Component
.shbShell Scrap Object
.shsShell Scrap Object
.tmpTemporary file. (Blocked in Outlook 2002 SP3 and higher)
.urlInternet shortcut
.vbVBScript file
.vbeVBScript encoded script file
.vbsVisual Basic Script file
.vsmacrosVisual Studio .NET macro project file. (Blocked in Outlook 2002 SP3 and higher)
.vssVisio shapes and Visio stencils (Blocked in Outlook 2002 SP3 and higher)
.vstVisio template (Blocked in Outlook 2002 SP3 and higher)
.vswVisio workspace (Blocked in Outlook 2002 SP3 and higher)
.wsWindows script file (Blocked in Outlook 2002 SP3 and higher)
.wscWindows Script Component
.wsfWindows Script file
.wshWindows Script Host Settings file

Automation Security

A "properly written" add-in should not trigger the security warnings in Outlook 2007 and newer versions, but you can use a registry to prevent the dialog.

If you don’t find Office and the following keys under Microsoft, you can add the keys manually in the same order and then continue from Step 3.

Press Windows Key + R to open the Run command. Type regedit and press Enter to open the Registry Editor.

  1. Navigate to HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\nn.0\Outlook\Security, where nn is your version of Outlook. If this key does not exist, you need to create it. For many users, this means creating each level from Microsoft down to Security.
  2. Right click on Security and choose New, DWORD. Name it PromptSimpleMAPISend (copy and paste works well as this DWORD is case sensitive).
  3. Right click on PromptSimpleMAPISend and choose Modify.
  4. Enter a value of 2.
  5. Restart Outlook. (You may need to restart the computer.)

For more information, see The programmatic security settings cannot be configured successfully when you configure the Simple MAPI settings in Outlook by using the Group Policy object

 

Object Model Guard

The "object model guard" feature of the patch imposes two extreme restrictions on automating Outlook from add-ins that use either the Outlook object model or Simple MAPI:

  • If an add-in tries to send an Outlook message, the user gets a notification pop-up and must explicitly authorize or deny each attempt to send. The user must wait 5 seconds before the Yes button becomes available to click.
  • If an add-in tries to access address information in an Outlook item or the address book or to save an Outlook item as a file, the user gets a notification pop-up and can deny access, authorize a one-time access or extend access for a period of several minutes. PDA sync utilities are an example of the kind of application that will be affected by this restriction.

The object model guard applies even if your code is digitally signed or running from a published Outlook form. The only way to turn it off is via the administrative options. Because of these restrictions, some Outlook features become virtually unusable, because of the number of times the user has to confirm the dialog boxes:

  • Sequential routing from Word
  • Mail merge to e-mail in Word
  • Automated mailing programs that use the Outlook Send method

See Applications Affected by the Outlook Email Security Update

To avoid the prompts in applications that you develop, you can use one of these programming interfaces:

Extended MAPI Language for programming Outlook/Exchange with C++ or Delphi only.

Outlook Redemption Provides a COM interface to Outlook objects that avoids the "object model guard" of the Outlook E-mail Security Update and exposes properties and methods not available through the Outlook model, such as sender address and Internet message headers. Several security features protect it from being used by malicious programs to send Outlook mail. For the redistributable version, it adds a Profman.dll component with the ability to enumerate, add, delete, and modify Outlook profiles using VB or VBScript.

Visit Outlookcode.com for more information on  programming issues.

Also see Reinforcing Dialog-Based Security, a paper by two U.S. Air Force Academy professors that demonstrates how to get around the object model guard prompts using VBScript code and the SendKeys method to, in effect, click the buttons on the prompts. For utilities that takes a similar approach, see the tools listed below.

Automation Security Tools

[addins name=autosec]

Outlook Forms Security

With the patch applied, script on unpublished or one-off Outlook forms will not run. Users will no longer see an Enable/Disable Macros prompt.

You should never check the Send form definition with item box on the Properties page of a message form, since this will cause the form to one-off. Instead, you should make sure that the recipient has access to the published form.

Outlook Security Zone

Outlook runs in the Restricted Sites security zone and disables scripting for the Restricted Sites zone. For more information, see Internet Explorer security zones registry entries for advanced users

Known Problems

The main problem is, of course, that users decide they need the blocked attachments after they've applied the patch. See Opening .exe Attachments with the Microsoft Outlook E-mail Security Patch.

More Information

  • Administrative Options for the Microsoft Outlook E-mail Security Patch
  • Protecting Microsoft Outlook against Viruses
  • Attachment Security Update for Microsoft Outlook
  • Administrator information about the Outlook E-mail Security update: June 7, 2000
  • Administrator information about the Outlook e-mail security update

Outlook Email Security Update was last modified: February 15th, 2021 by Diane Poremsky
  • Twitter
  • Facebook
  • LinkedIn
  • Reddit
  • Print

Related Posts:

  • Opening .exe Attachments and Outlook E-mail Security
  • Embedded Objects are Blocked in Outlook Items
  • Anti-Virus Tools for Outlook
  • We used to think that you had to open or, in some case, preview a mess
    Outlook Virus Misconceptions

About Diane Poremsky

A Microsoft Outlook Most Valuable Professional (MVP) since 1999, Diane is the author of several books, including Outlook 2013 Absolute Beginners Book. She also created video training CDs and online training classes for Microsoft Outlook. You can find her helping people online in Outlook Forums as well as in the Microsoft Answers and TechNet forums.

Subscribe
Notify of
4 Comments
newest
oldest most voted
Inline Feedbacks
View all comments

Robert Bryant (@guest_135884)
June 18, 2012 9:59 am
#135884

Security Update (KB2656370) refuses to download and
and continually appears, all the time, for download. This has
been going on for months, and I am at my wits end to solve
the problem. I've removed it, using existing programs, but it
reappears each time. As a result, I have had to turn off my
Automatic Download, so it doesn't keep trying, every day.

0
0
Reply
Diane Poremsky (@guest_135984)
Reply to  Robert Bryant
June 18, 2012 11:46 am
#135984

In Windows Update, click on it and hide it - that should stop it from trying to download.
Did you have the original April 2012 version? https://support.microsoft.com/kb/2656370.

0
-1
Reply
Phyllis Smith (@guest_23943)
November 22, 2011 11:51 pm
#23943

Well, getting in touch with me would be futile. I can't get into my e-mail nowadays due to something that has to do with a certificate. What the heck? From what comments I have read, it sounds like nothing can be done. Sorry to hear about that, I had important messages I needed to read.

1
-1
Reply
Diane Poremsky (@guest_23945)
Reply to  Phyllis Smith
November 23, 2011 1:51 am
#23945

What type of email account do you have? (POP3, IMAP, Exchange etc)
Who is it though? If ISP, which one. If employer, we don't need the name.
What is the exact message?

1
-1
Reply

Visit Slipstick Forums.
What's New at Slipstick.com

Latest EMO: Vol. 28 Issue 21

Support Services

Do you need help setting up Outlook, moving your email to a new computer, migrating or configuring Office 365, or just need some one-on-one assistance?

Subscribe to Exchange Messaging Outlook






Our Sponsors

CompanionLink
ReliefJet
  • Popular
  • Latest
  • WeekMonthAll
  • How to Remove the Primary Account from Outlook
  • Adjusting Outlook's Zoom Setting in Email
  • Uninstall Updates in Office 'Click to Run'
  • Move an Outlook Personal Folders .pst File
  • Save Sent Items in Shared Mailbox Sent Items folder
  • Create rules that apply to an entire domain
  • View Shared Calendar Category Colors
  • Outlook's Left Navigation Bar
  • How to Create a Pick-a-Meeting Request
  • Use PowerShell to get a list of Distribution Group members
  • Create a rule to delete spam with no sender address
  • Open Outlook Folders using PowerShell or VBScript
  • Cannot add Recipients in To, CC, BCC fields on MacOS
  • Change Appointment Reminder Sounds
  • Messages appear duplicated in message list
  • Reset the New Outlook Profile
  • Delete Old Calendar Events using VBA
  • Use PowerShell or VBA to get Outlook folder creation date
  • Outlook's Left Navigation Bar
  • Contact's Display Bug
Ajax spinner

Newest Code Samples

Delete Old Calendar Events using VBA

Use PowerShell or VBA to get Outlook folder creation date

Rename Outlook Attachments

Format Images in Outlook Email

Set Outlook Online or Offline using VBScript or PowerShell

List snoozed reminders and snooze-times

Search your Contacts using PowerShell

Filter mail when you are not the only recipient

Add Contact Information to a Task

Process Mail that was Auto Forwarded by a Rule

Recent Bugs List

Microsoft keeps a running list of issues affecting recently released updates at Fixes or workarounds for recent issues in Outlook for Windows.

Outlook for Mac Recent issues: Fixes or workarounds for recent issues in Outlook for Mac

Office Update History

Update history for supported Office versions is at Update history for Office

Outlook Suggestions and Feedback

Outlook Feedback covers Outlook as an email client, including Outlook Android, iOS, Mac, and Windows clients, as well as the browser extension (PWA) and Outlook on the web.

Use Outlook.com Feedback for suggestions or feedback about Outlook.com accounts.

Other Microsoft 365 applications and services




Windows 10 Issues

  • iCloud, Outlook 2016, and Windows 10
  • Outlook Links Won’t Open In Windows 10
  • Outlook can’t send mail in Windows 10: error Ox800CCC13
  • Missing Outlook data files after upgrading Windows?

Outlook Top Issues

  • The Windows Store Outlook App
  • The Signature or Stationery and Fonts button doesn’t work
  • Outlook’s New Account Setup Wizard
  • Outlook 2016: No BCM
  • Exchange Account Set-up Missing in Outlook 2016

Repair PST

Convert an OST to PST

Repair damaged PST file

Repair large PST File

Remove password from PST

Merge Two Data Files

Sync & Share Outlook Data

  • Share Calendar & Contacts
  • Synchronize two computers
  • Sync Calendar and Contacts Using Outlook.com
  • Sync Outlook & Android Devices
  • Sync Google Calendar with Outlook
  • Access Folders in Other Users Mailboxes

Contact Tools

Data Entry and Updating

Duplicate Checkers

Phone Number Updates

Contact Management Tools

Diane Poremsky [Outlook MVP]

Make a donation

Calendar Tools

Schedule Management

Calendar Printing Tools

Calendar Reminder Tools

Calendar Dates & Data

Time and Billing Tools

Meeting Productivity Tools

Duplicate Remover Tools

Mail Tools

Sending and Retrieval Tools

Mass Mail Tools

Compose Tools

Duplicate Remover Tools

Mail Tools for Outlook

Online Services

Productivity

Productivity Tools

Automatic Message Processing Tools

Special Function Automatic Processing Tools

Housekeeping and Message Management

Task Tools

Project and Business Management Tools

Choosing the Folder to Save a Sent Message In

Run Rules on messages after reading

Help & Suggestions

Outlook Suggestion Box (UserVoice)

Slipstick Support Services

Home | Outlook User | Exchange Administrator | Office 365 | Outlook.com | Outlook Developer
Outlook for Mac | Common Problems | Utilities & Addins | Tutorials
Outlook & iCloud Issues | Outlook Apps
EMO Archives | About Slipstick | Advertise | Slipstick Forums
Submit New or Updated Outlook and Exchange Server Utilities

Send comments using our Feedback page
Copyright © 2023 Slipstick Systems. All rights reserved.
Slipstick Systems is not affiliated with Microsoft Corporation.

wpDiscuz

Sign up for Exchange Messaging Outlook

Our weekly Outlook & Exchange newsletter (bi-weekly during the summer)






Please note: If you subscribed to Exchange Messaging Outlook before August 2019, please re-subscribe.

Never see this message again.

You are going to send email to

Move Comment