EFAIL and Microsoft GPO Policy Chaos

Problem:

There is a man-in-the-middle leak where you can capture an E-Mail (Only if you have access to the flow) attach a content

And if the CLIENT does autoload (When you open the E-Mail) external pictures get content. Now this would not be too complicated if there where

No newsletters where people store large pictures external on webserver and the users want that active the moment the get the E-Mail.

Remember your Outlook.exe at home blocks the pictures and you have to manual download them with right click.

https://de.wikipedia.org/wiki/Efail

https://www.scmagazine.com/critical-pgpgpg-smime-email-encryption-vulnerabilities-revealed/article/765806/

From 2012 😉

https://www.slipstick.com/outlook/microsoft-service-agreement-virus-and-why-you-should-block-external-content/

The user wants’s it > IT does it. That’s why it’s called IT

https://social.technet.microsoft.com/Forums/en-US/a0b6afd0-8de3-4091-b4b9-2071daabe441/outlook-2016-not-displaying-all-images?forum=Office2016ITPro

Solution: check your GPO Policy and turn/change things. Remember by DEFAULT external content is NOT loaded.

New problem 😉

Sometimes when it comes to GPO’s you have to do a post doc in IT to understand this.

Is it now?

“Display pictures and external content in HTML e-mail”

Or should it be?

“Do not Display pictures and external content in HTML e-mail”

If you read the Description it says you have to enable > Then Outlook will NOT automatically download.

That is kind of confusing? Well no the people who write such things are developers and normally they are not normal.