Outlook External Pictures Blocked

💼 Management Summary

Automatic downloading of external images in Outlook emails must be blocked to counter tracking pixels (web beacons) that monitor email open rates and user behaviour, and to prevent malware delivery via image exploits.

Recommendation: IMPLEMENT
Risk without implementation: Medium
Risk score: 5/10
Implementation: 2h (tech: 1h)
Applies to: ✓ Outlook

EXTERNAL IMAGES ARE A TRACKING + MALWARE RISK: HTML emails can contain external images that are hosted on external servers.

TRACKING PIXELS (web beacons): a 1x1 pixel transparent image embedded in the email. When the email is opened → Outlook downloads the image → the server records: that the email WAS opened (confirms the email address is active), WHEN it was opened (timestamp), WHERE it was opened (IP address → location), ON WHICH DEVICE (user agent), and HOW OFTEN it was opened.

PRIVACY VIOLATION: spammers/marketers learn that the email address is valid (leads to more spam), user behaviour patterns, location data and device info.

PHISHING CONFIRMATION: phishers use tracking pixels to verify that a phishing email was opened, to identify the most active targets and to time follow-up attacks.

MALWARE DELIVERY: image parser vulnerabilities can be exploited (buffer overflows in JPG/PNG decoders), drive-by download triggers, embedded malicious code in image metadata.

DISA STIG O365-OU-000009: block automatic picture download.
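To make the beacon mechanism concrete for triage, the following added example (not part of the original page or its script) lists the remote images in an HTML mail body and flags the ones that look like web beacons. The function name Find-RemoteImage, the sample body and the hosts in it are constructed for illustration.

```powershell
# Added example: list remote images in an HTML mail body and flag likely web beacons.
function Find-RemoteImage {
    param([Parameter(Mandatory)][string]$Html)

    foreach ($tag in [regex]::Matches($Html, '(?is)<img\b[^>]*>')) {
        $attr = @{}
        # Collect name="value", name='value' and name=value attribute pairs.
        $pairs = '(?is)([\w-]+)\s*=\s*(?:"([^"]*)"|''([^'']*)''|([^\s>]+))'
        foreach ($m in [regex]::Matches($tag.Value, $pairs)) {
            $attr[$m.Groups[1].Value.ToLower()] =
                $m.Groups[2].Value + $m.Groups[3].Value + $m.Groups[4].Value
        }

        $src = $attr['src']
        # cid: and data: images travel inside the message and cause no request.
        if ($src -notmatch '^https?://') { continue }
        $uri = $null
        if (-not [uri]::TryCreate($src, [UriKind]::Absolute, [ref]$uri)) { continue }

        # Heuristics: 0/1 pixel dimensions or a hidden style suggest a beacon.
        $tiny   = ($attr['width'] -in '0', '1') -and ($attr['height'] -in '0', '1')
        $hidden = $attr['style'] -match 'display\s*:\s*none|visibility\s*:\s*hidden'

        [pscustomobject]@{
            Host         = $uri.Host
            HasQuery     = [bool]$uri.Query   # per-recipient IDs usually sit here
            LikelyBeacon = [bool]($tiny -or $hidden)
            Src          = $src
        }
    }
}

# Constructed sample body: one embedded logo, one remote banner, one beacon.
$sampleBody = @'
<html><body>
<p>Quarterly newsletter</p>
<img src="cid:logo@newsletter" width="200" height="60">
<img src="https://cdn.example/banner.png" width="600" height="120">
<img src="https://tracker.example/o.gif?rcpt=user%40contoso.example&msg=42"
     width="1" height="1" style="display:none">
</body></html>
'@

Find-RemoteImage -Html $sampleBody | Format-Table -AutoSize
```

With automatic picture download blocked, none of the listed URLs is requested until the user chooses to download pictures for that message.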

PowerShell Modules Required
Primary API: Intune / Group Policy
Connection: Registry
Required Modules:

Implementation

Block external pictures: HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security\displaypicturesexternalcontent is 1. EFFECT: external images are NOT downloaded automatically; the email shows a placeholder with 'Right-click to download pictures'; users can choose per email (manual download); tracking pixels fail (no automatic download).

Requirements

  1. Outlook
  2. User training: manual picture download when needed (for legitimate emails)
  3. Safe Senders list: trusted senders can get automatic pictures (user managed)

Implementation

Use the PowerShell script display-pictures-external-content.ps1 (function Invoke-Remediation): block automatic external picture download.

Intune: Outlook Security → Block automatic download of external pictures is enabled

Monitoring

Use the PowerShell script display-pictures-external-content.ps1 (function Invoke-Monitoring): verify displaypicturesexternalcontent is 1.

Compliance and Auditing

  1. DISA STIG O365-OU-000009 - MANDATORY
  2. AVG (GDPR) - Privacy: tracking prevention
  3. BIO 12.02 - Protection against malware
  4. ISO 27001 A.8.7

Remediation

Use the PowerShell script display-pictures-external-content.ps1 (function Invoke-Remediation): restore.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
# Control: O365-OU-000009 - display pictures external content
#Requires -Version 5.1
# DISA STIG Microsoft Office 365 ProPlus v3r3

param(
    [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security",
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

# Returns $true when the policy value is present and set to 1.
function Invoke-Monitoring {
    Write-Host "Monitoring O365-OU-000009: display pictures external content" -ForegroundColor Green
    try {
        $valueName = "displaypicturesexternalcontent"
        $expectedValue = 1

        if (-not (Test-Path $RegistryPath)) {
            Write-Host "✗ Registry path does not exist: $RegistryPath" -ForegroundColor Red
            return $false
        }

        $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
        if ($currentValue -and $currentValue.$valueName -eq $expectedValue) {
            Write-Host "✓ Control compliant: $valueName = $expectedValue" -ForegroundColor Green
            return $true
        }
        else {
            $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" }
            Write-Host "✗ Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red
            return $false
        }
    }
    catch {
        Write-Host "✗ Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Creates the policy key if needed, sets the value to 1, then re-checks it.
function Invoke-Remediation {
    Write-Host "Remediating O365-OU-000009: display pictures external content" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would set registry value" -ForegroundColor Cyan
            return $true
        }

        if (-not (Test-Path $RegistryPath)) {
            New-Item -Path $RegistryPath -Force | Out-Null
            Write-Host "  Created registry path: $RegistryPath" -ForegroundColor Green
        }

        $valueName = "displaypicturesexternalcontent"
        $expectedValue = 1
        Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force
        Write-Host "  Set $valueName to $expectedValue" -ForegroundColor Green

        Start-Sleep -Seconds 1
        return Invoke-Monitoring
    }
    catch {
        Write-Host "  Error during remediation: $_" -ForegroundColor Red
        return $false
    }
}

# Removes the policy value so Outlook falls back to its non-policy setting.
function Invoke-Revert {
    Write-Host "Reverting O365-OU-000009: display pictures external content" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would remove registry value" -ForegroundColor Cyan
            return $true
        }

        $valueName = "displaypicturesexternalcontent"
        if (Test-Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
            Write-Host "  Removed registry value: $valueName" -ForegroundColor Green
        }
        return $true
    }
    catch {
        Write-Host "  Error during revert: $_" -ForegroundColor Red
        return $false
    }
}

# Main execution: exit code 0 = success/compliant, 1 = failure/non-compliant
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result) { 0 } else { 1 })
    }
    elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result) { 0 } else { 1 })
    }
    elseif ($Revert) {
        $result = Invoke-Revert
        exit $(if ($result) { 0 } else { 1 })
    }
    else {
        Write-Host "Usage: [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
    }
}
catch {
    Write-Host "Script execution error: $_" -ForegroundColor Red
    exit 1
}

Risk without implementation

Medium: medium privacy + security risk: tracking pixels reveal email open rates and user behaviour to spammers/phishers. Possible malware via image exploits.

Management Summary

Block automatic download of external images in Outlook (displaypicturesexternalcontent=1). Prevents tracking pixels and image-based malware. Required by DISA STIG O365-OU-000009. Complies with AVG (GDPR, privacy) and BIO 12.02. Implementation: 1-2 hours.