The default message format must be set to use Plain Text.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251866	DTOO314	SV-251866r811197_rule	CCI-000366	medium
Description
Outlook uses HTML as the default email format. HTML format poses a security risk by embedding information into the email itself, which could allow for release of sensitive information. If a user attempted to insert an HTML link into an email message, the link itself may direct to a malicious website. By sending emails in HTML format, the recipient could be subject to becoming infected by the malicious website.
STIG			Date
Microsoft Outlook 2016 Security Technical Implementation Guide			2022-03-11

Related Frameworks

4 paths across 3 frameworks

NIST 800-531 mapping

CM-6

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1712 mappings

3.4.1

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.4.2

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000366

1.00

DISA · 2 · disa_xccdf · related

Details

Check Text (C-251866r811197_chk)

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Outlook Options >> Mail Format >> Internet Formatting >> Message Format "Set message format" is "Enabled: Plain Text". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\mail Criteria: If the value EditorPreference is REG_DWORD = 65536 (dec), this is not a finding.

Fix Text (F-55280r811188_fix)

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Outlook Options >> Mail Format >> Internet Formatting >> Message Format "Set message format" to "Enabled: Plain Text".