Title

Text in Outlook that represents internet and network paths must not be automatically turned into hyperlinks. (Cat II impact)

Discussion

The ability of Outlook to automatically turn text that represents internet and network paths into hyperlinks would allow users to click on those hyperlinks in an email message and access malicious or otherwise harmful websites.

Check Content

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Outlook Options >> "Internet and network path into hyperlinks" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\outlook\options\autoformat Criteria: If the value pgrfafo_25_1 is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Outlook Options >> "Internet and network path into hyperlinks" must be set to "Disabled".

Additional Identifiers

Rule ID: SV-251872r812968_rule

Vulnerability ID: V-251872

Group Title: SRG-APP-000516

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.