
Tip for S/MIME Error: “External Content is not allowed in Secure eMail”

Patrick Riedl

We identified a problem in our internal email communication: external images in signed or encrypted emails were no longer being loaded.

This led me to some research and troubleshooting, where I was able to find a solution, which I want to share with you:

 

Background

At the beginning of 2018, a new vulnerability was discovered. It exploits the advantages of S/MIME in combination with Microsoft Outlook. The attack was published as EFAIL (https://www.kb.cert.org/vuls/id/122919/).

Explanation from DigiCert - Guidance for the EFAIL S/MIME Vulnerability (https://www.digicert.com/blog/guidance-for-the-efail-smime-vulnerability/):

 

The EFAIL attack affects emails encrypted with the S/MIME (or PGP, including OpenPGP & GPG) protocols. When successfully executed the attacker is able to read targeted emails without obtaining the private key used to encrypt them.

It appends malicious HTML tags to an encrypted email and hopes the email client will unsafely parse that HTML.

 

What do EFAIL and the topic of this blog have in common?

Microsoft added a security setting to the Trust Center with the October Patchday (https://support.microsoft.com/en-hk/help/4461440/description-of-the-security-update-for-outlook-2016-october-9-2018). This setting is a simple way to reduce the risk of becoming a victim of the EFAIL attack, but it turned out differently than expected: images and other external content in signed or encrypted messages can no longer be loaded. Signed newsletters, for example, had no pictures and lost their design.

 

How can I solve this problem?

Simply adjust the newly added setting in the Outlook Trust Center and uncheck the box “Don’t download pictures in encrypted or signed HTML email messages.” Unchecking it also gives up the EFAIL risk reduction the setting was added for. Check out the following screenshot to find the setting.

[Screenshot: Trust Center Setting in MS Outlook]

 

The article was also posted on my site https://www.patrickriedl.at
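
An added example, not part of the original post: a small Python audit that reports which clear-signed S/MIME messages reference remote content and would therefore lose their images while the setting described above is checked. The sample message, its example.com hosts and the names RemoteRefs and audit are constructed for illustration; encrypted or opaque-signed (pkcs7-mime) bodies cannot be inspected without the key and are reported as unknown.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: clear-signed S/MIME newsletter (placeholder signature, example.com hosts).
SIGNED_SAMPLE = b"""From: newsletter@example.com
Subject: Constructed signed newsletter
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><img src="https://news.example.com/logo.png"><img src="cid:inline1"></body></html>
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""

class RemoteRefs(HTMLParser):
    """Collect URLs in attributes that make a mail client fetch external content."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            fetches = name in ("src", "background") or (tag == "link" and name == "href")
            if fetches and value and value.strip().lower().startswith(("http://", "https://", "//")):
                self.urls.append(value.strip())

def audit(raw):
    """Would the Trust Center setting strip external content from this message?"""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    # Clear-signed bodies are readable; pkcs7-mime (encrypted or opaque-signed) needs the key.
    kind = ("signed" if ctype == "multipart/signed" else
            "opaque" if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime") else None)
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    affected = None if kind == "opaque" else bool(kind and parser.urls)
    return {"smime": kind, "remote": parser.urls, "affected": affected}
```

Running audit over exported .eml files before changing the setting shows which senders depend on remote images; embedded cid: images are not counted because they travel inside the message.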
