Title

Text in Outlook that represents Internet and network paths must not be automatically turned into hyperlinks. (Cat II impact)

Discussion

The ability of Outlook to automatically turn text that represents Internet and network paths into hyperlinks would allow users to click on those hyperlinks in email message and access malicious or otherwise harmful websites.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> "Internet and network path into hyperlinks" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\15.0\outlook\options\autoformat Criteria: If the value pgrfafo_25_1 is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> "Internet and network path into hyperlinks" must be set to "Disabled".

Additional Identifiers

Rule ID: SV-54069r1_rule

Vulnerability ID: V-41493

Group Title: DTOO425 - Disable Internet and network path into hyperlinks

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.