cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.1-033
Cloud Gateway Email Status Portal Support & Downloads docs.ces.cisco.com
Email and Web Manager: 14.1.0-227
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in: 1.1.0.136
Encryption Bug Search
Encryption Plug-in: 1.2.1.167
Cloud Mailbox Notification Service
Outlook Add-in(s): More info

31815
Views
20
Helpful
9
Replies
landertcsi
Beginner

What is OLEDATA.mso

Lately we receive mails with this attachment. This is recognized as executable file and is therefore blocked by our mail filters.

 

Does anyone see something similar?

1 ACCEPTED SOLUTION

Accepted Solutions

You are correct. MSO files currently are marked as executable due to this defect below:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd65801/?reffering_site=dumpcr

 

You would need to set an exception for mso files as listed in the workaround section.

 

Regards,

Libin V

View solution in original post

9 REPLIES 9
Robert Sherwin
Cisco Employee

http://file.org/extension/mso

 

What is a MSO file?

Files that contain the .mso file extension are created by the Microsoft Office 2000 application. When you send an HTML message with a Microsoft Word 2000 attachment using the Microsoft Outlook email application, the message will attach an Oledata.mso file to the email message. This allows users who are not using the Outlook email application to view the file correctly even though they do not have the same software.

The .mso file extension is also created by the Microsoft Organization Chart tool. This tool allows users to create and edit organizational charts in Microsoft Office 2003. The charts that are created are saved with the .mso file extension.

landertcsi
Beginner

Of course I knew this, but why are they arriving more frequently lately?

 

As I've seen from a user screenshot (by the sender), the mail was sent via Outlook 2016 or Office 365.

Very strange.

Thanks for the answer. I wonder why this file is tagged as executable? But as it seems, we need to write an exception to that rule so mails with that file come through.

You are correct. MSO files currently are marked as executable due to this defect below:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd65801/?reffering_site=dumpcr

 

You would need to set an exception for mso files as listed in the workaround section.

 

Regards,

Libin V

View solution in original post

Hello,

 

Is there a way to skip this file but still analizing the rest of the file ?

Currently the workaround propose by Cisco doesn't suit in term of security.

 

Thanks !

Personally I strip them. If you need a message filter:

 

File-Stripper:
if (true) {
    drop-attachments-by-name('(?i)\\.(emz|mso|wmz)$');
}
.

 

It's Office legacy, so hardly major. The other two types were originally exploitable. For configurations with multiple listeners, the dummy condition would need to be changed to focus on your incoming listener unless your senders are part of the problem.

I have a related but different problem. Current versions of Outlook automatically add oledata.mso to ALL replies in HTML formats... And some moron in our IT department has identified these as a security threat, and so if you REPLY to any mail to an external e-mail address, the moronic file system rejects the send, rather than just stripping the #^@^$$@^@ stupid .mso addition

ATM, the only solution is to either permanently use only rich text for replies, or to set that for each message it might apply to.

MY question is, is there any way to force Outlook to not append this stupid "risky" add-on, or to strip it off during the send process (ON the sending machine), as suggested by the above.Trying to get our IT bureaucracy to change their idiotic policy is not happening.

Harry Symeonidis
Beginner

Although this is an old thread, I will provide another solution as I 've had the same issue with the Outlook 365 desktop client.

So, you are sending an oledata.mso file with HTML email messages unintentionally?

1) The problem is you (the sender), not the recipient.

2) Do not try to mess around with filetypes.

3) Send an email to yourself (your Microsoft 365 email address) with your Outlook 2016/2019/365 desktop client.

4) Check your email with Outlook Web at https://outlook.live.com/mail/0/inbox or whatever that is.

5) Stay in Outlook Web and forward the email back to yourself (ping - pong) but delete the oledata.mso attachment before sending.

6) Grab and copy your signature to the clipboard.

7) Go back to the Outlook desktop client.

Go to your signatures, delete the existing one, create a new one and paste your signature from the clipboard.

9) Save and assign to the desired mailboxes.

 

I tested this workaround with my Gmail on the Outlook 365 desktop app and hope it will help you or anyone interested.

 

Best regards,

Harry

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (50%)

Content for Community-Ad