Phishing is popular activity in evil circles. Avoiding HTML and rich-text formatted email is a level of defense; one that I’ve taken on recently as a matter of security hygiene. This post describes how to configure Microsoft Office 2016 to read and send all email as text, and discusses some of the opportunities lost in not well distinguishing good guys from bad guys.
Wear your black hat
Bad actors wishing to attack a specific company often start by attaching a payload to email which sent to everyone inside the company. SOMEONE will click “run” and they have a foothold. The evil payload can be packaged as attachments, packaged as bad images, macros or referenced from HTML tags inside the formatted email. Payload can also be packaged as harmless looking or even almost hidden links to rogue websites and this last one is probably the biggest issue of all. Don’t put the payload where email scanner will find it, instead provide a link and get the user to click. Issues abound on “why this works”, but a big one is that as a user, you cannot easily distinguish between mails that are worthy of your trust and those that are potentially evil. Links embedded inside email text are a particularly large issue. They are “small” and can be framed as nothing, but when you click, even by just switching windows and clicking random spot in message, evil is unleashed from the visited website.
Bottom line – email provides an avenue for evil. Our mission is to keep the intruders away and getting away from rich-text and HTML formatted email is an important start.
Friend vs. foe
In many ways, I wish Outlook did a better job distinguishing “friendly” email from “suspect”. If I get email sent from someone inside my company, it has a higher level of trust than receiving email from outside. From outside, there are actually people I trust MORE than unknown people inside, but all of these trusted and non-trusted show up the “same” in outlooks email list presentation. One of the MOST important things in email listing is the DOMAIN of where that mail originated – but we have no view. You can’t easily figure out if email is good or bad until AFTER you open the email to view. I would like to know more about the sender of an email before I open it, but this isn’t today possible. The solution we are stuck with is rather harsh, treat everyone as suspect.
Solution – View and send all mail as text
View all email as text and then clicking text in email doesn’t open links and if we really want to follow a link, we can select text and paste into browser. Yes, it is more steps and not nearly as convenient. When we configure to view all email as text, we should also have the courtesy to SEND all email as text. This makes a statement to the receiver that they should not invest time during reply to make the email pretty because all the formatting will be removed before I see it anyway. I’m deep down hoping for a side benefit on this that it may assist in keeping emails SHORT.
Configuration settings
Default configuration for Microsoft Outlook 2016 is HTML formatted email. To change to text, follow these steps.
File / Options. Mail Tab. Set all outbound email to be composed in Plain Text.
Yes, you can switch inside mail editor to make things HTML if that’s appropriate for a discussion you are having, but by default, with this setting change made, all mail will be composed as text.
Read all email as plain text
Trust Center, Email Security – Read all email in plain text. Notice below that I left the second box clear, saying that people who send me digitally signed mail can send HTML. I expect most black hat hackers will not bother digitally signing email so this seems reasonable. I may still turn it off and require an explicit step to view such email as HTML.
Trust Center – Attachment Preview
In a world of malware delivered via attachments, its hard to imagine why automatically showing attached documents in a preview handler is considered a good idea. The default is wrong, fix it.
Disable picture download
A number of sub options on this one. May take some tweaking to get it to desired state, but for the most part if viewing email in plain text, the idea of setting the options for downloading pictures is not that important. This setting will come up only IF you decide to view a specific email in HTML format and by that point you have probably already concluded that the source is trustworthy so the particulars of this panel will not matter too much. Still, turn it off and make yourself take an extra step if you want to see the images associated with an HTML formatted email.
Macros
SERIOUSLY! Macros by default are enabled if digitally signed. This sounds scary enough that if I were a bad guy, I’d digitally sign my malware macros to get them to auto run. Turn this setting OFF.
Summary
With these security practices in place, I close by noting that I’m not precisely happy with it. Reading email as text takes me back to mainframes and UNIX of the 1980s. Yes, messages get through, but not nearly as beautifully as a colorful and elegantly formatted email “document”. Viewing in text though allows me to get the message across and makes my world a safer place.
If things change over time to better identify “good” vs. “bad” senders or even email encryption and signing could ever become mainstream, some of the “turn it off” aspects of this post could be relaxed. For the moment, I’ll be happier viewing in text.
Joe Nord
Originally published Feb 25 2016