Forum Discussion

Chris Parker's avatar
Chris Parker
Iron Contributor
Feb 15, 2017
Solved

Why is this image spam getting through and why is Outlook not blocking the image?

About two or three times a month I get an email that is one giant image. The image always looks the same except for a small amount of text that changes.   Most importantly, why is EOP letting this ...
exchange online
office 365
outlook
  • Paul Cunningham's avatar
    Paul Cunningham
    Feb 16, 2017

    There was a vuln in OWA for Exchange/EXO that permitted a remote image that is coded as the background image for a table cell to display automatically, even when remote image loading was disabled. That was patched quite some time ago though. Not sure if the same issue affected Outlook fat clients but it's possible. Viewing the source of the message should show you how the remote image has been inserted.

     

    I'd say you should:

     

    • Report the spam as Vasil suggests
    • Make sure your Outlook client is fully up to date
    • Open a support case with Microsoft to investigate why a remote image is still loading (depending on your findings)
Paul Cunningham's avatar
Paul Cunningham
Iron Contributor
Feb 16, 2017

There was a vuln in OWA for Exchange/EXO that permitted a remote image that is coded as the background image for a table cell to display automatically, even when remote image loading was disabled. That was patched quite some time ago though. Not sure if the same issue affected Outlook fat clients but it's possible. Viewing the source of the message should show you how the remote image has been inserted.

 

I'd say you should:

 

  • Report the spam as Vasil suggests
  • Make sure your Outlook client is fully up to date
  • Open a support case with Microsoft to investigate why a remote image is still loading (depending on your findings)
  • Chris Parker's avatar
    Chris Parker
    Iron Contributor
    Mar 23, 2017

    I thought I'd follow up on this. Here's the source of a new similar message (this time yellow with just a few details changed):

     

     

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr"><img src="cid:ii_j0m296230_15afa02c0c0cbd00" style="margin-right: 25px;"><br>​<br></div>

    I know HTML but I have no idea what kind of source is "cid:ii_j0m296230_15afa02c0c0cbd00".

     

    edit: I now know what "cid:" means: "Content-ID". The image is base64 encoded and is embedded somewhere (haven't found that location yet).

    • Chris Parker's avatar
      Chris Parker
      Iron Contributor
      Mar 23, 2017

      I sent the email, as an attachment, to junk@office365.microsoft.com. Hopefully, something will be done about this.

  • Chris Parker's avatar
    Chris Parker
    Iron Contributor
    Feb 17, 2017
    I'll have to wait till I get this again. I took that screenshot and deleted the message.

Resources