Jan 11 2019 01:56 AM
We identified a problem within our internal email communication: external images in signed or encrypted emails were no longer being loaded.
This led me to research and troubleshooting, where I was able to find a solution that I want to share with you:
At the beginning of 2018, a new vulnerability was discovered. It exploits features of S/MIME in combination with Microsoft Outlook. The attack was published as EFAIL.
Explanation from DigiCert - Guidance for the EFAIL S/MIME Vulnerability:
The EFAIL attack affects emails encrypted with the S/MIME (or PGP, including OpenPGP & GPG) protocols. When successfully executed the attacker is able to read targeted emails without obtaining the private key used to encrypt them.
It appends malicious HTML tags to an encrypted email and hopes the email client will unsafely parse that HTML.
Microsoft added a security setting to the Trust Center with the October Patchday. This setting is a simple way to reduce the risk of becoming a victim of the EFAIL attack, but it had a side effect: images and other external content in signed or encrypted messages could no longer be loaded. Signed newsletters, for example, had no pictures and lost their design.
To restore the images, open the Outlook Trust Center and uncheck the newly added box “Don’t download pictures in encrypted or signed HTML email messages.” Unchecking it gives up the EFAIL risk reduction the setting was introduced for. The following screenshot shows where to find the setting.
Trust Center Setting in MS Outlook
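To check which messages the setting affects, the following added example (not from the original article; `audit`, `RemoteRefs` and the sample message are constructed for illustration) classifies a raw message as clear-signed, opaque S/MIME or plain and lists the remote URLs its HTML would load. It approximates the behaviour described above and is not Outlook's own logic.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a clear-signed newsletter (signature bytes are a placeholder).
SAMPLE = """\
From: news@sender.example
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://news.sender.example/logo.png">
<img src="cid:inline1"><p>Hello</p></body></html>
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

class RemoteRefs(HTMLParser):
    """Collect http(s) URLs that rendering the HTML would fetch."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "background") and value:
                if urlparse(value.strip()).scheme in ("http", "https"):
                    self.urls.append(value.strip())

def audit(raw):
    # Classify the message, then list remote content in its visible HTML parts.
    msg = message_from_string(raw)
    types = {p.get_content_type() for p in msg.walk()}
    if "multipart/signed" in types:
        kind = "clear-signed"
    elif {"application/pkcs7-mime", "application/x-pkcs7-mime"} & types:
        kind = "opaque"  # encrypted or opaque-signed: HTML not visible without the key
    else:
        kind = "plain"
    refs = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            refs.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return {"kind": kind, "remote_urls": refs.urls, "affected": kind != "plain" and bool(refs.urls)}
```

Encrypted and opaque-signed messages are reported as `opaque` with no URLs, because their HTML can only be inspected after decryption or unwrapping.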
The article was also posted on my site https://www.patrickriedl.at