[German]Users of Outlook 2010 to 2016 may face the problem that they suddenly see the message “External content is not allowed in secure mail” when they access e-mail. It’s not a bug, it’s a feature – a couple of days ago the right piece of the puzzle has fallen into my picture.
There was something a few months ago …
A few days ago I stumbled upon a German post, where a user reported issues with Outlook. He received the warning “External content is not allowed in secure mails”. Something rang the bell back in my mind. A short search within my German blog brought the article Microsoft Patchday-Nachlese (9. Oktober 2018) as a hit. A reader reported this issue after applying October updates. He wrote:
Since the October updates in Outlook 2016 (in connection with Exchange 2013), the info text “external content is not allowed in secure email” is displayed for signed e-mails.
At that time I did not find a solution – and I wasn’t aware, that KB4461440 has been the root cause for this behavior. Also mention Exchange 2013 turned me to the wrong the direction. I received this comment which directs to the right point, but I overlooked this hint.
The fix has been found …?
The day before I stumbled upon a German Dr. Windows article Tipp: Outlook-Meldung “Externer Inhalt ist in sicheren Mails nicht zulässig” beheben. Martin Geuß, a MVP colleague has also been confronted with that problem. He wrote that DHL delivery notification e-mails contain this error. It could also be, that signed e-mails – and images embedded in websites are then blocked. It is the old problem of mixed content on secure pages.
(Source: Dr. Windows, Click to zoom)
Martin Geuß named the right option for a German Outlook 2016, that is responsible for the warning mentioned above.
1. Go to Outlook options and select the category Trust Center.
2. Go to the sub category Automatic download and uncheck the checkbox with the option Bilder in verschlüsselten oder signierten HTML-E-Mails nicht herunterladen (English might be “Don’t download pictures in encrypted or signed HTML email messages.”).
This has also been discussed briefly here and here. This means that the unchecked Outlook security feature is no longer used. The error message is gone and external content is displayed again. At the same time, however, the signed e-mail can be tracked via this downloaded external content. Keywords are tracking pixels. Therefor read the following explanations.
Introducted via update
While writing the German version of this blog post I wanted to know more about it and searched the internet. I came across this German Technet forum post from October 2018. Someone there had described the problem and referred to my blog post mentioned above. Short time later the same solution was published there. There is also the 32-bit DWORD registry value:
within HKCU\Software\Microsoft\Office\xx\Outlook\Security\ (xx is a placeholder for the Office version 14.0, 15.0, 16.0). A value 0 disables the option, and 1 set the option. Within the German Technet post I found the note:
Important: This option isn’t available on unpatched systems.
A hint that Microsoft has introduced a new option with an update. There is also a reference to this Microsoft document where blocking external content (Web beacons) for Office is described. In the meantime, there are other web sites where the topic has been addressed since November or December 2018.
Microsoft’s Reaction to the Efail vulnerability
It was not explicitly mentioned above because I only wrote about digitally signed mails. The mails can also be encrypted. In this case, external content can be used to retrieve such encrypted emails unencrypted. The whole topic runs under the Efail vulnerability known since May 2018. If you receive encrypted e-mails, you should not deactivate the above option. Maybe it will help.