Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The default message format must be set to use Plain Text.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-251866 | DTOO314 | SV-251866r811197_rule | Medium |
| Description |
|---|
| Outlook uses HTML as the default email format. HTML format poses a security risk by embedding information into the email itself, which could allow for release of sensitive information. If a user attempted to insert an HTML link into an email message, the link itself may direct to a malicious website. By sending emails in HTML format, the recipient could be subject to becoming infected by the malicious website. |
| STIG | Date |
|---|---|
| Microsoft Outlook 2016 Security Technical Implementation Guide | 2021-12-21 |
Details
| Check Text ( C-55326r811187_chk ) |
|---|
| Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Outlook Options >> Mail Format >> Internet Formatting >> Message Format "Set message format" is "Enabled: Plain Text". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\mail Criteria: If the value EditorPreference is REG_DWORD = 65536 (dec), this is not a finding. |
| Fix Text (F-55280r811188_fix) |
|---|
| Set the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Outlook Options >> Mail Format >> Internet Formatting >> Message Format "Set message format" to "Enabled: Plain Text". |