Forum Discussion

BjoernS
Copper Contributor
Jun 23, 2026
Solved

OWA inline CID images still not displayed – EEMS mitigation side effect persists?

Environment:

  • Exchange Server Subscription Edition (SE), RTM Jun26SU installed (all updates current as of June 2026)
  • On-premises, Windows Server 2019
  • OWA tested in Chrome, Edge, Firefox – all including InPrivate/Incognito mode

Issue: Since approximately May 14–15, 2026 (coinciding with the EEMS mitigation rollout for CVE-2026-42897), inline CID-referenced images in emails are no longer displayed in OWA. Instead, OWA replaces them with a transparent 1×1 GIF placeholder (a data-URI containing a blank GIF image).

Microsoft Support confirmed this is a known side effect of the EEMS mitigation for CVE-2026-42897. We expected the June 2026 Security Update (KB5094139) to resolve this – but the problem persists even after installation.

Test results:

Method                 | OWA                                | Outlook Desktop | Thunderbird
External HTTPS image   | ✅ Visible                          | ✅ Visible       | ✅ Visible
Base64 embedded image  | ❌ Not visible                      | ✅ Visible       | ✅ Visible
CID inline image       | ❌ Not visible (blank placeholder)  | ✅ Visible       | ✅ Visible

What we confirmed:

  • Affects all users, all browsers, all devices, all networks
  • Affects newly created mailboxes as well
  • The blank placeholder is injected server-side by OWA
  • Problem started exactly with the EEMS mitigation rollout (~May 14, 2026)
  • June 2026 SU (KB5094139) installed – problem still present
  • Microsoft Support has been engaged for 5+ weeks without resolution

Questions:

  1. Has anyone else confirmed that the June 2026 SU does not fix the OWA inline image rendering issue?
  2. Is there a known follow-up fix or hotfix planned specifically for this side effect?
  3. Has anyone found a working workaround that does not involve disabling Extended Protection?

Any feedback from the Exchange product team or other admins would be greatly appreciated.

  • [SOLVED] – Solution found, sharing for the community

    After further investigation and help from the community, we were able to resolve the issue. Here is the complete solution for anyone facing the same problem:

    Root cause confirmed: The EEMS mitigation M2.1.0 remained active even after installing the June 2026 SU (KB5094139). The URL Rewrite rule (script-src-attr 'none') was still present in the OWA web.config and continued to block inline CID image rendering.

    Solution (after installing KB5094139):

    Step 1: Block M2.1.0 from being re-applied by EEMS:

    Set-ExchangeServer -Identity <YourServerName> -MitigationsBlocked @("M2.1.0")

    Step 2: Create a backup of the web.config, then remove the M2.1 rule manually:

    Copy-Item "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config" `
        "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config.bak_$(Get-Date -Format 'yyyyMMdd_HHmmss')"

    PowerShell: 

    $webConfigPath = "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config"
    [xml]$webConfig = Get-Content $webConfigPath -Encoding UTF8

    # Find the URL Rewrite node
    $rewriteNode = $webConfig.configuration.'system.webServer'.rewrite

    # Remove all M2.1 rules from outboundRules (collect first, then remove, so the
    # child list is not modified while it is being enumerated)
    $outboundRules = $rewriteNode.outboundRules
    $rulesToRemove = @($outboundRules.rule | Where-Object { $_.name -like "*M2.1*" })
    foreach ($rule in $rulesToRemove) {
        $outboundRules.RemoveChild($rule) | Out-Null
        Write-Host "Rule removed: $($rule.name)" -ForegroundColor Green
    }

    # Remove all M2.1 preconditions; they are children of <preConditions>, not of
    # <outboundRules>, so they must be looked up and removed from that element
    $preConditions = $outboundRules.preConditions
    $preConditionsToRemove = @($preConditions.preCondition | Where-Object { $_.name -like "*M2.1*" })
    foreach ($pre in $preConditionsToRemove) {
        $preConditions.RemoveChild($pre) | Out-Null
        Write-Host "PreCondition removed: $($pre.name)" -ForegroundColor Green
    }

    # Write the modified document back to disk
    $webConfig.Save($webConfigPath)
    Write-Host "web.config saved." -ForegroundColor Cyan


    Step 3: Verify the rule is gone:

    Select-String -Path "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config" `
        -Pattern "M2.1|rewrite" -CaseSensitive:$false


    Expected: No M2.1 rule entry remaining ✅

    Step 4: An IIS reset is not strictly required, but can be done to be safe:

    iisreset /noforce

    Result: Inline CID images are displayed correctly in OWA again. ✅

    Important notes:

    • Only do this after installing KB5094139 – the SU fixes CVE-2026-42897 at the code level
    • Microsoft explicitly allows removing M2.1 after the SU is installed (see techcommunity.microsoft.com)
    • The remaining <preCondition> entry in web.config is harmless without its associated rule
    • To revert: Set-ExchangeServer -MitigationsBlocked @() + restart MSExchangeMitigation service

    Hope this helps other admins! 🙌
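As an added check (not part of the original post or of Microsoft's documentation), the following PowerShell function audits one server for the two conditions the steps above address: whether an M2.1 rule or precondition is still present in the OWA web.config, and whether M2.1.0 is on the server's MitigationsBlocked list so EEMS cannot re-apply it. The rule and precondition name patterns follow the names quoted in this thread; the function name, the -WebConfigOnly switch and the verdict strings are my own, and Get-ExchangeServer needs the Exchange Management Shell.

```powershell
# Added example (not from the original post): audits leftover EEMS M2.1 state
# after KB5094139. The M2.1 rule/precondition names are those shown in this thread.
function Test-M21MitigationState {
    [CmdletBinding()]
    param(
        [string]$WebConfigPath = (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\web.config'),
        [string]$ServerName = $env:COMPUTERNAME,
        [switch]$WebConfigOnly   # skip Get-ExchangeServer (e.g. when run outside the EMS)
    )

    [xml]$cfg = Get-Content -Path $WebConfigPath -Encoding UTF8 -Raw
    $outbound = $cfg.configuration.'system.webServer'.rewrite.outboundRules

    # Match by name, so a partially removed mitigation (rule gone, precondition left) is still reported.
    $rules    = @($outbound.rule | Where-Object { $_.name -like '*M2.1*' })
    $preconds = @($outbound.preConditions.preCondition | Where-Object { $_.name -like '*M2.1*' })

    $result = [ordered]@{
        Server               = $ServerName
        WebConfig            = $WebConfigPath
        M21RuleNames         = @($rules | ForEach-Object name)
        M21PreconditionNames = @($preconds | ForEach-Object name)
        RuleStillActive      = $rules.Count -gt 0
        MitigationsApplied   = $null
        MitigationsBlocked   = $null
        BlockedFromReapply   = $null
    }

    if (-not $WebConfigOnly) {
        # MitigationsApplied / MitigationsBlocked are the server properties EEMS maintains.
        $srv = Get-ExchangeServer -Identity $ServerName
        $result.MitigationsApplied = @($srv.MitigationsApplied)
        $result.MitigationsBlocked = @($srv.MitigationsBlocked)
        $result.BlockedFromReapply = [bool]($srv.MitigationsBlocked -contains 'M2.1.0')
    }

    # A rule still in place, or a removed rule that EEMS may re-apply, both need attention.
    if ($result.RuleStillActive) {
        $result.Verdict = 'M2.1 outbound rule still present: OWA inline CID images will be blocked'
    } elseif ($result.BlockedFromReapply -eq $false) {
        $result.Verdict = 'Rule removed but M2.1.0 not blocked: EEMS may re-apply it on its next run'
    } else {
        $result.Verdict = 'No M2.1 rule in web.config'
    }
    [pscustomobject]$result
}

# Example call on an Exchange server after the steps above:
# Test-M21MitigationState | Format-List
```

Running it with -WebConfigOnly against a backup copy (pass its path as -WebConfigPath) is a quick way to confirm what the pre-change file contained.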

3 Replies


  • BjoernS Installing the SU does not remove the mitigation. In fact, Microsoft recommends leaving the mitigation in place after installing the SU for increased protection. They understand that some customers might prefer to have the broken functionality restored, and if that's your case, you can remove the mitigation from the server manually and then block it from being re-applied. See Released: June 2026 Exchange Server Security Updates | Microsoft Community Hub for steps to do this. Hope this helps.

    • Zohaib_Yousuf
      MCT

      Simple and easy way to remove the mitigation after installing the latest Security Update (SU):

      M2

      Run the following commands to back up the affected web.config file and remove the M2 URL Rewrite outbound rule and its precondition:

      Copy-Item -Path "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\web.config" -Destination "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\web.config.$((Get-Date).ToString('yyyyMMdd-HHmmss')).bak"


      Remove-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\owa" -Filter "system.webServer/rewrite/outboundRules" -Name "." -AtElement @{name="EEMS M2.1 OWA CSP - outbound"}


      Remove-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\owa" -Filter "system.webServer/rewrite/outboundRules/preConditions" -Name "." -AtElement @{name="EEMS M2.1 OWA SPA HTML shell - precondition"}

      https://learn.microsoft.com/en-gb/Exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service#rollback-procedures-for-released-mitigations