Home

Tipp for S/MIME Error: “External Content is not allowed in Secure eMail”

%3CLINGO-SUB%20id%3D%22lingo-sub-313556%22%20slang%3D%22en-US%22%3ETipp%20for%20S%2FMIME%20Error%3A%20%E2%80%9CExternal%20Content%20is%20not%20allowed%20in%20Secure%20eMail%E2%80%9D%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-313556%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20identified%20a%20problem%20within%20our%20internal%20eMail%20communication%20that%20external%20images%20in%20signed%20or%20encrypted%20eMails%20have%20not%20been%20loaded%20anymore.%3C%2FP%3E%3CP%3EThis%20led%20me%20to%20a%20research%20and%20troubleshooting%20were%20I%20was%20able%20to%20find%20a%20solution%20which%20I%20want%20to%20share%20with%20you%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CH4%20id%3D%22toc-hId-1281201151%22%20id%3D%22toc-hId-1431826369%22%3EBackground%3C%2FH4%3E%3CP%3EAt%20the%20beginning%20of%202018%20a%20new%20vulnerability%20was%20discovered.%20It%20exploits%20the%20advantages%20of%20S%2FMIME%20in%20combination%20with%20Microsoft%20Outlook.%20The%20attack%20was%20published%20as%20%3CA%20href%3D%22https%3A%2F%2Fwww.kb.cert.org%2Fvuls%2Fid%2F122919%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EEFAIL%3C%2FA%3E.%3C%2FP%3E%3CP%3EExplaination%20from%20%3CA%20href%3D%22https%3A%2F%2Fwww.digicert.com%2Fblog%2Fguidance-for-the-efail-smime-vulnerability%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDigiCert%20-%20Guidance%20for%20the%20EFAIL%20S%2FMIME%20Vulnerability%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3EThe%20EFAIL%20attack%20affects%20emails%20encrypted%20with%20the%20S%2FMIME%20(or%20PGP%2C%20including%20OpenPGP%20%26amp%3B%20GPG)%20protocols.%20When%20successfully%20executed%20the%20attacker%20is%20able%20to%20read%20targeted%20emails%20without%20obtaining%20the%20private%20key%20used%20to%20encrypt%20them.%3C%2FP%3E%3CP%3EIt%20appends%20malicious%20HTML%20tags%20to%20an%20encrypted%20email%20and%20hopes%20the%20email%20client%20will%20unsafely%20parse%20that%20HTML.%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CH4%20id%3D%22toc-hId--1270955810%22%20id%3D%22toc-hId--1120330592%22%3EWhat%20does%20EFAIL%20and%20the%20topic%20of%20this%20blog%20have%20in%20common%3F%3C%2FH4%3E%3CP%3EMicrosoft%20added%20a%20security%20setting%20to%20the%20TrustCenter%20via%20the%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-hk%2Fhelp%2F4461440%2Fdescription-of-the-security-update-for-outlook-2016-october-9-2018%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EOctober%20Patchday%3C%2FA%3E.%20This%20setting%20is%20a%20simply%20way%20to%20reduce%20the%20risk%20to%20become%20a%20victim%20of%20the%20EFAIL%20attack%20%E2%80%93%20but%20it%20comes%20differently%3A%20The%20result%20was%2C%20that%20images%20and%20other%20external%20content%20in%20signed%20or%20encrypted%20messages%20cannot%20be%20loaded%20anymore%3A%20signed%20Newsletters%20for%20example%20had%20no%20pictures%20and%20lost%20their%20design.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CH4%20id%3D%22toc-hId-471854525%22%20id%3D%22toc-hId-622479743%22%3EHow%20can%20I%20solve%20this%20problem%3F%3C%2FH4%3E%3CP%3ESimply%20adjust%20the%20newly%20added%20setting%20in%20Outlook%20TrustCenter%20and%20uncheck%20the%20box%20%E2%80%9C%3CEM%3EDon%E2%80%99t%20download%20pictures%20in%20encrypted%20or%20signed%20HTML%20email%20messages.%3C%2FEM%3E%E2%80%9C.%20Check%20out%20the%20following%20screenshot%20to%20find%20the%20setting.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F65839i6D87AE30BAF3FA7A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%2201_securemaildownload.jpg%22%20title%3D%2201_securemaildownload.jpg%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ETrust%20Center%20Setting%20in%20MS%20Outlook%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20article%20was%20also%20posted%20on%20my%20site%20%3CA%20href%3D%22https%3A%2F%2Fwww.patrickriedl.at%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.patrickriedl.at%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-313556%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOutlook%20for%20Windows%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Patrick Riedl
Occasional Contributor

We identified a problem within our internal eMail communication that external images in signed or encrypted eMails have not been loaded anymore.

This led me to a research and troubleshooting were I was able to find a solution which I want to share with you:

 

Background

At the beginning of 2018 a new vulnerability was discovered. It exploits the advantages of S/MIME in combination with Microsoft Outlook. The attack was published as EFAIL.

Explaination from DigiCert - Guidance for the EFAIL S/MIME Vulnerability

 

The EFAIL attack affects emails encrypted with the S/MIME (or PGP, including OpenPGP & GPG) protocols. When successfully executed the attacker is able to read targeted emails without obtaining the private key used to encrypt them.

It appends malicious HTML tags to an encrypted email and hopes the email client will unsafely parse that HTML.

 

What does EFAIL and the topic of this blog have in common?

Microsoft added a security setting to the TrustCenter via the October Patchday. This setting is a simply way to reduce the risk to become a victim of the EFAIL attack – but it comes differently: The result was, that images and other external content in signed or encrypted messages cannot be loaded anymore: signed Newsletters for example had no pictures and lost their design.

 

How can I solve this problem?

Simply adjust the newly added setting in Outlook TrustCenter and uncheck the box “Don’t download pictures in encrypted or signed HTML email messages.“. Check out the following screenshot to find the setting.

01_securemaildownload.jpgTrust Center Setting in MS Outlook

 

The article was also posted on my site https://www.patrickriedl.at

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
22 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
cntvertex in Discussions on
13 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
28 Replies