Disable Email HTML for a Safer Inbox


A recent article in The Conversation, which publishes pieces written by academic researchers, argued that displaying incoming email as plain text is safer than rendering it as HTML. Unfortunately, most major email providers do not offer this option to their users.

I agree that plain text is a safer way to read email, and at Rackspace we have let our Webmail users disable HTML display of incoming email for more than a decade.

(Image: Webmail settings)

HTML email risks

So why is HTML display more dangerous than plain text? The most consequential trick that HTML email makes possible is URL misrepresentation.

HTML lets a sender turn arbitrary text into a clickable hyperlink whose real destination lives in the markup, not in what the reader sees. That is a useful feature. It lets us replace a lengthy, hard-to-read URL such as:

https://www.rackspace.com/email-hosting/webmail/features

…with concise text that describes the purpose of the page, such as “Rackspace Email Features”.

Unfortunately, it also opens the door for hiding a suspicious URL such as:

hxxp://example.com/malicious/obvious-attack

…behind text that looks like a trustworthy URL:

https://www.rackspace.com/email-hosting/webmail/cloud-drive

(Image: HTML exploit email)
This is the most common way that phishing emails trick users into visiting dangerous web pages: the reader sees a familiar address, but the click goes wherever the hidden href points.

What they send is not always what you receive

HTML email can reference external images and stylesheets that the client downloads at read time. The sender can replace that content on the server after the message has been delivered, so what a content filter scanned at delivery is not necessarily what the recipient sees when the message is opened. Bad actors use this technique to get past content filters.

The server can also serve different content depending on who requests it, from where, when, and with which client. This lets bad actors hyper-target their attack based on what they know about the recipient.

They’re watching you

A common practice of marketers is to add tracking images to their messages. The links to these external images are often customized to each recipient. When the server receives a request to that URL, it signals several useful facts to the sender:

  • That the recipient opened the email
  • When the recipient opened the email
  • Roughly where the recipient opened the email (from the requesting IP address)
  • That the recipient’s email address is valid
  • That the content made it past spam filters

Marketers aren’t the only ones using tracking images. Malicious senders use the same technique to learn which addresses are live and which lures get opened, and use that to make their phishing campaigns more effective.
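The three tricks above (a visible URL that differs from the real destination, content fetched from a remote server when the message is opened, and per-recipient tracking images) can all be spotted by walking the HTML of a message before it is rendered. The Python below is an added example written for this post, not Rackspace Webmail code. It uses only the standard library; the sample message is constructed, and the heuristic for what counts as a tracking pixel (a remote image that is at most 1×1 or hidden with display:none) is my own assumption.

```python
"""Audit an HTML email body for the three tricks described above.

Added example for this post, not Rackspace Webmail code.  Standard library only.
SAMPLE_HTML is constructed for the demo; the tracking-pixel heuristic
(remote image that is at most 1x1 or hidden via display:none) is an assumption.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text a reader would take to be a URL or a hostname.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)
REMOTE = ("http://", "https://")


def host_of(url):
    """Lowercase hostname of a URL; a bare hostname gets a scheme so urlparse splits it."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class EmailHTMLAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self._anchor = None          # (href, text chunks) while inside <a>...</a>
        self.mismatched_links = []   # (visible text, real href)
        self.remote_resources = []   # URLs the client would fetch at read time
        self.tracking_pixels = []    # remote images that are tiny or hidden

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._anchor = (a.get("href") or "", [])
        elif tag == "img":
            src = a.get("src") or ""
            if src.startswith(REMOTE):
                self.remote_resources.append(src)
                w = (a.get("width") or "").strip().rstrip("px")
                h = (a.get("height") or "").strip().rstrip("px")
                style = (a.get("style") or "").replace(" ", "").lower()
                if (w in ("0", "1") and h in ("0", "1")) or "display:none" in style:
                    self.tracking_pixels.append(src)
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet":
            href = a.get("href") or ""
            if href.startswith(REMOTE):
                self.remote_resources.append(href)

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            href, chunks = self._anchor
            self._anchor = None
            text = "".join(chunks).strip()
            # The visible text looks like a URL but the real destination has a different host.
            if href and URL_LIKE.match(text) and host_of(text) != host_of(href):
                self.mismatched_links.append((text, href))


def audit(html):
    """Return the findings for one HTML body as a dict of lists."""
    p = EmailHTMLAuditor()
    p.feed(html)
    p.close()
    return {
        "mismatched_links": p.mismatched_links,
        "remote_resources": p.remote_resources,
        "tracking_pixels": p.tracking_pixels,
    }


# Constructed sample: one honest link, one misrepresented link, a remote
# stylesheet, a per-recipient tracking pixel and an ordinary remote logo.
SAMPLE_HTML = """
<html><body>
<p><a href="https://www.rackspace.com/email-hosting/webmail/features">Rackspace Email Features</a></p>
<p>Your files are ready:
<a href="http://example.net/malicious/obvious-attack">https://www.rackspace.com/email-hosting/webmail/cloud-drive</a></p>
<link rel="stylesheet" href="https://example.net/style.css">
<img src="https://example.net/track.gif?rcpt=a1b2c3" width="1" height="1">
<img src="https://example.net/logo.png" width="200" height="60">
</body></html>
"""

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_HTML).items():
        print(finding)
        for item in items:
            print("   ", item)
```

Two caveats when using something like this for real. The host comparison is exact, so link text reading example.com that points at www.example.com is flagged; decide whether matching registrable domains should count as honest. And "remote_resources" is the list a client would fetch at read time; a client that wants the read-time and tracking protections has to refuse to fetch all of them, not just the ones that look like pixels.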

Why is it safer to view incoming email as plain-text?

The techniques discussed above all depend on features of HTML email. Displaying email as plain text removes them: there is no hidden destination behind link text, nothing is fetched from a remote server when the message is read, and no tracking image fires. That takes away exactly the features attackers rely on to trick victims.
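A client that shows plain text still has to decide what to show. The usual approach, given here as an added example and not as Rackspace's own code, is to prefer the text/plain alternative when the sender supplied one and, for HTML-only messages, flatten the HTML to text with each link written as "text <href>" so the real destination is visible and no remote resource is referenced at all. It uses only the standard library; both raw messages are constructed.

```python
"""Show an incoming message the way a plain-text-only client would.

Added example, not Rackspace Webmail code.  Standard library only; both raw
messages below are constructed for the demo.
"""
from email import message_from_bytes, policy
from html.parser import HTMLParser


class LinkExposingText(HTMLParser):
    """Flatten HTML to text.  Each <a> becomes 'text <href>' so the real
    destination is visible; <img>, <link>, <style> and <script> produce nothing."""

    def __init__(self):
        super().__init__()
        self._out = []
        self._href = None
        self._skipping = 0   # depth inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href") or ""
        elif tag in ("style", "script"):
            self._skipping += 1
        elif tag in ("p", "br", "div", "li", "tr"):
            self._out.append("\n")

    def handle_endtag(self, tag):
        if tag == "a":
            if self._href:
                self._out.append(f" <{self._href}>")
            self._href = None
        elif tag in ("style", "script"):
            self._skipping -= 1

    def handle_data(self, data):
        if not self._skipping:
            self._out.append(data)

    def text(self):
        lines = "".join(self._out).splitlines()
        return "\n".join(" ".join(l.split()) for l in lines if l.strip())


def render_plain(raw):
    """Return what a plain-text client displays for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:                       # sender supplied text/plain: use it as-is
        return part.get_content().strip()
    part = msg.get_body(preferencelist=("html",))
    if part is None:                           # no displayable body at all
        return ""
    flattener = LinkExposingText()             # HTML-only: flatten, exposing hrefs
    flattener.feed(part.get_content())
    flattener.close()
    return flattener.text()


# Constructed message with both alternatives: the plain part wins.
WITH_PLAIN = b"""\
From: sender@example.net
To: user@example.com
Subject: Your files
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your files are ready: http://example.net/malicious/obvious-attack
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your files are ready:
<a href="http://example.net/malicious/obvious-attack">https://www.rackspace.com/email-hosting/webmail/cloud-drive</a></p></body></html>
--b1--
"""

# Constructed HTML-only message: flattened, with the real href exposed
# and the tracking pixel dropped.
HTML_ONLY = b"""\
From: sender@example.net
To: user@example.com
Subject: Your files
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your files are ready:
<a href="http://example.net/malicious/obvious-attack">https://www.rackspace.com/email-hosting/webmail/cloud-drive</a></p>
<img src="https://example.net/track.gif?rcpt=a1b2c3" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print(render_plain(WITH_PLAIN))
    print("---")
    print(render_plain(HTML_ONLY))
```

The flattening fallback matters because most phishing mail is not multipart: with HTML-only input the reader still gets text, but the deceptive link shows its true destination next to the bait and the tracking image never becomes a request.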

Rackspace Email users can disable HTML display of incoming email. As of this writing, there do not appear to be similar options in Gmail, Outlook Web Access or Office365. I hope that other mail providers will follow suit and provide this simple but important option to every email user.

Do you think that letting users disable HTML display of incoming email is an important feature for email clients? Let us know your opinion in the comments section below.

Other ways to stay safe

HTML emails are not the only way that phishers can trick their victims. Learn more about how to stay safe from phishing attacks on our recent phishing blog post.

Brian Hazzard is a product manager for Rackspace Cloud Office. He has worked for Rackspace since 2009 and is currently based out of Rackspace’s Blacksburg, VA office. Brian specializes in agile product management. He is a graduate of James Madison University in Harrisonburg, VA, where he earned a Bachelor of Business Administration in Computer Information Systems.
