SOLVED

Why is this image spam getting through and why is Outlook not blocking the image?

Chris Parker
Contributor

About two or three times a month I get an email that is one giant image. The image always looks the same except for a small amount of text that changes.

 

Most importantly, why is EOP letting this through? This kind of thing should never make it through a spam filter (I never saw these until I got off of Mimecast.)

 

Second question: Why is Outlook displaying this image by default? These emails come from different addresses and I verified that my Safe Senders list does not include the address or domain.

 

 14_27_10-Inbox - image spam - Outlook.png

5 Replies

Answering those questions requires a more detailed investigation into the message content, headers and so on. Why don't you open a case with support and have them look at it? At the very least, you can submit it as spam so they can "learn" from it and hopefully adjust the filters. Here's how: https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx

Solution

There was a vuln in OWA for Exchange/EXO that permitted a remote image that is coded as the background image for a table cell to display automatically, even when remote image loading was disabled. That was patched quite some time ago though. Not sure if the same issue affected Outlook fat clients but it's possible. Viewing the source of the message should show you how the remote image has been inserted.

 

I'd say you should:

 

  • Report the spam as Vasil suggests
  • Make sure your Outlook client is fully up to date
  • Open a support case with Microsoft to investigate why a remote image is still loading (depending on your findings)

I'll have to wait till I get this again. I took that screenshot and deleted the message.

I thought I'd follow up on this. Here's the source of a new similar message (this time yellow with just a few details changed):

 

 

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr"><img src="cid:ii_j0m296230_15afa02c0c0cbd00" style="margin-right: 25px;"><br>​<br></div>

I know HTML but I have no idea what kind of source is "cid:ii_j0m296230_15afa02c0c0cbd00".

 

edit: I now know what "cid:" means: "Content-ID". The image is base64 encoded and is embedded somewhere (haven't found that location yet).
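
An added example, not part of the original thread: a `cid:` URL refers to a MIME part of the same message whose `Content-ID` header matches, so the image is carried inside the message rather than fetched from a remote server. The script below resolves each `<img>` source to its part and flags image-only bodies; the sample message is constructed (placeholder image bytes), and the function names and the `MIN_TEXT` threshold are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

CID = "ii_j0m296230_15afa02c0c0cbd00"          # Content-ID quoted in the post
IMG_SRC = re.compile(r'<img[^>]+src=["\']([^"\']+)', re.I)
MIN_TEXT = 20   # assumed threshold: fewer visible characters counts as image-only

def build_sample() -> bytes:
    """Constructed message: the post's HTML plus a placeholder inline image part."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain-text fallback")
    msg.add_alternative(f'<div dir="ltr"><img src="cid:{CID}"><br><br></div>',
                        subtype="html")
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16     # 24 placeholder bytes
    msg.get_payload()[1].add_related(fake_png, maintype="image", subtype="png",
                                     cid=f"<{CID}>")
    return msg.as_bytes()

def inspect_images(raw: bytes) -> dict:
    """Classify each <img> in the HTML body as embedded (cid:), remote or dangling."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Index every MIME part by its Content-ID header, angle brackets removed.
    by_cid = {str(p["Content-ID"]).strip().strip("<>"): p
              for p in msg.walk() if p["Content-ID"]}
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    report = {"embedded": [], "remote": [], "dangling": []}
    for src in IMG_SRC.findall(html):
        if src.lower().startswith("cid:"):
            part = by_cid.get(src[4:])
            if part is None:
                report["dangling"].append(src)      # no matching MIME part
            else:                                   # image travels inside the message
                report["embedded"].append({
                    "cid": src[4:], "type": part.get_content_type(),
                    "encoding": str(part["Content-Transfer-Encoding"]),
                    "bytes": len(part.get_payload(decode=True))})
        elif src.lower().startswith(("http:", "https:")):
            report["remote"].append(src)            # fetched from a server on display
    visible = re.sub(r"<[^>]+>", "", html).strip()
    report["image_only"] = (bool(report["embedded"] or report["remote"])
                            and len(visible) < MIN_TEXT)
    return report

if __name__ == "__main__":
    print(inspect_images(build_sample()))
```

To run it against a real message, save the message as an `.eml` file and pass its bytes to `inspect_images`.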

I sent the email, as an attachment, to junk@office365.microsoft.com. Hopefully, something will be done about this.
