Issue: winmail.dat Attachments Received By PhishArm
Written by Karthek S
Updated over a month ago


Issue Overview

We receive application/ms-tnef; name="winmail.dat" attachments from the customer instead of the .eml file. PhishArm does not process these attachments when emails are reported.

Potential Causes

Microsoft employs a unique email format called Transport Neutral Encapsulation Format (TNEF), which functions effectively within Microsoft email clients. However, many other email clients, such as Gmail and Yahoo, do not support this format. As a result, when these clients receive a TNEF email, they fail to display it correctly and instead show the email content as an attachment named winmail.dat.
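To confirm that a reported message is affected, the attachment can be checked on the receiving side. The following is an added example, not PhishArm's own code: it classifies each attachment of a reported email as the expected .eml (message/rfc822) or as TNEF, using both the MIME label and the TNEF signature 0x223E9F78 at the start of the payload. The function names, addresses and sample payload are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

TNEF_SIGNATURE = 0x223E9F78  # first four bytes of a TNEF stream, little-endian
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}


def classify_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, kind) per attachment: eml, tnef, mislabelled or other."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype == "message/rfc822":  # the original message, as the page expects
            results.append((name, "eml"))
            continue
        data = part.get_payload(decode=True) or b""
        has_magic = len(data) >= 4 and struct.unpack("<I", data[:4])[0] == TNEF_SIGNATURE
        labelled = ctype in TNEF_TYPES or name.lower() == "winmail.dat"
        if has_magic:  # content decides, so a renamed TNEF blob is still caught
            kind = "tnef"
        elif labelled:  # named like TNEF but lacks the signature
            kind = "mislabelled"
        else:
            kind = "other"
        results.append((name, kind))
    return results


def make_report(attachment, **kwargs) -> bytes:
    """Build a constructed 'reported email' carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "report@example.com"
    msg["Subject"] = "Reported message (constructed sample)"
    msg.set_content("Forwarded as suspicious.")
    msg.add_attachment(attachment, **kwargs)
    return msg.as_bytes()


# Constructed payload: only the TNEF signature and key, not a full TNEF stream.
SAMPLE_TNEF = struct.pack("<IH", TNEF_SIGNATURE, 1) + b"constructed"

if __name__ == "__main__":
    raw = make_report(SAMPLE_TNEF, maintype="application", subtype="ms-tnef",
                      filename="winmail.dat")
    print(classify_attachments(raw))
```

A result of "tnef" for a customer's reports indicates that their Exchange organization is still sending TNEF to the reporting address.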

Resolution

Customers need to configure their default remote domain settings so that outbound emails do not use TNEF and are no longer sent as winmail.dat attachments.

Step-by-Step Solution

The customer can stop emails from being sent as winmail.dat attachments by following either of these two options:

Option 1: (Change default settings) Use Exchange Online PowerShell

Connect to Exchange Online PowerShell:

  • Open PowerShell and run the following commands to connect to Exchange Online:

    # Import the Exchange Online Management module
    Import-Module ExchangeOnlineManagement
    # Connect to Exchange Online (replace the placeholder with an admin account)
    Connect-ExchangeOnline -UserPrincipalName <admin UPN>

Set TNEF to Never for Remote Domains:

  • TNEF is controlled at the remote domain level. To ensure that TNEF is disabled for the default remote domain, you must set the TNEFEnabled parameter to $false.

  • Run the following command to get a list of all remote domains:

    Get-RemoteDomain | Format-Table Name, TNEFEnabled

  • To disable TNEF for the default remote domain, use the following command:

    Set-RemoteDomain -Identity default -TNEFEnabled $false


Verify the Change:

  • Run the following command to verify that TNEF is disabled for remote domains:

    Get-RemoteDomain | Format-Table Name, TNEFEnabled

Ensure that the TNEFEnabled value is set to False for the domain (the Exchange Admin Center shows this setting as Never).

Option 2: Use the Exchange Admin Center

  1. Log in to the Exchange Admin Center:

  2. Navigate to Mail Flow:

    • In the EAC, go to Mail Flow > Remote Domains.

  3. Edit Remote Domains:

    • Click the remote domain entry and set the Rich Text Format option to Never.

  4. Save the Changes:

    • Save the changes to apply the settings.

Limitations

Some rich-text Outlook features, e.g. Voting Buttons, Tasks and Contact cards, require the binary packages of the TNEF format. These elements will be stripped from messages once the TNEF / Rich Text Format option is set to Never / false.
