
Using C# and Microsoft Outlook Interop. How to set trusted status?


We use the interop service of Microsoft Outlook like this:

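using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using Outlook = Microsoft.Office.Interop.Outlook;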

...

private Outlook.MailItem _message = null;

...

SendingMailStarted?.Invoke(this, EventArgs.Empty);
InitMailParams();
_message.Send();
SendingMailCompleted?.Invoke(this, new AsyncCompletedEventArgs(null, false, null));

...

private void InitMailParams()
{
    Outlook.Application outlook;
    if (!Process.GetProcessesByName("OUTLOOK").Any())
    {
        Log.Debug("Outlook not running. Creating new outlook application object!");
        outlook = new Outlook.Application();
    }
    else
    {
        Log.Debug("Getting the current outlook application object!");
        try
        {
            outlook = (Outlook.Application)Marshal.GetActiveObject("Outlook.Application");
        }
        catch (COMException exc)
        {
            Log.Debug("Current running Outlook object not accessible - HResult: " + exc.HResult);
            Log.Debug("Creating new outlook application object instead!");
            outlook = new Outlook.Application();
        }
    }

    _message = (Outlook.MailItem)outlook.CreateItem(Outlook.OlItemType.olMailItem);
    Outlook.Recipients recipients = _message.Recipients;

    ...
}

For most users, this works without any problems. But with some we get the error 0x80004004. This means that Outlook has aborted by itself and probably here the security setting blocks our app. There are TrustedAddIns. But we only have a "normal" app, no AddIn. So how can we make our app appear as trusted to Outlook?

For Outlook 2007 there was a way to generate a hash of your DLL and put that in the registry. But that only works for AddIns and it seems that Outlook asks for something like a certificate. But how? Where? I need information about this and cannot find anything...

Edit: The security settings of the users include the following: Registry: HKCU\software\policies\microsoft\office\16.0\outlook\security -> PromptOOMSend:0 or the same setting (prompt user for outlook object model on sending emails: automatically decline)

But these settings are ignored if the application is trusted... now I want to know how to use this "trusted"...


Solution

  • It seems you have faced a security issue when automating Outlook from an external application. To deal with a safe Application object and the entire Outlook object model, you need to develop a COM add-in which can run along with the host application. In that case you can use standard .NET Framework techniques for connecting two applications together, for example, .NET remoting, etc.

    To avoid security issues you can:

    1. Use a low-level API which doesn't trigger issues/dialogs in Outlook - Extended MAPI or any third-party wrappers around that API such as Redemption.
    2. Use third party components that suppress such issues/dialog in Outlook, for example, see https://www.add-in-express.com/outlook-security/index.php.
    3. Develop a COM add-in which can have access to the trusted Application object.
    4. Install any AV with latest updates.
    5. Use GPO to set up settings to not trigger security issues/dialogs.

    Read more about that in the "A program is trying to send an e-mail message on your behalf" warning in Outlook article.
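
A diagnostic for the failure described in the question, as an added example that is not part of the original question or answer: it reads the policy values under the key quoted in the Edit and explains a failed `Send()` in those terms. The class and method names are hypothetical; the meanings of `PromptOOMSend` values 1 to 3 and of `AdminSecurityMode` = 3 are taken from Microsoft's Outlook security policy documentation, not from this page.

```csharp
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32;

static class OutlookOomPolicy // hypothetical helper, not part of the poster's app
{
    // Policy key quoted in the question (Office 16.0, per-user policy hive).
    const string PolicyKey = @"Software\Policies\Microsoft\Office\16.0\Outlook\Security";
    const int E_ABORT = unchecked((int)0x80004004); // HRESULT reported in the question

    static int? ReadPolicyDword(string name)
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(PolicyKey))
            return key?.GetValue(name) as int?; // null when the key or value is absent
    }

    // 0 is the value quoted in the question; 1-3 follow Microsoft's policy documentation.
    static string DescribePromptOomSend(int? value)
    {
        if (value == null) return "not set by policy";
        switch (value.Value)
        {
            case 0: return "automatically deny";
            case 1: return "prompt user";
            case 2: return "automatically approve";
            case 3: return "prompt based on computer security";
            default: return "unrecognised value " + value.Value;
        }
    }

    // Call from a catch block around _message.Send() to log why the send was refused.
    public static string ExplainSendFailure(COMException ex)
    {
        int? mode = ReadPolicyDword("AdminSecurityMode"); // 3 = Group Policy settings in effect
        int? prompt = ReadPolicyDword("PromptOOMSend");
        string policy = "AdminSecurityMode=" + (mode?.ToString() ?? "unset") +
                        ", PromptOOMSend=" + (prompt?.ToString() ?? "unset") +
                        " (" + DescribePromptOomSend(prompt) + ")";
        if (ex.HResult == E_ABORT && prompt == 0)
            return "Send denied by the object model guard policy: " + policy;
        return "Send failed with HRESULT 0x" + ex.HResult.ToString("X8") + "; " + policy;
    }

    static void Main()
    {
        // Constructed input: simulates the failure from the question without Outlook installed.
        Console.WriteLine(ExplainSendFailure(new COMException("aborted", E_ABORT)));
    }
}
```

Logging this on the affected machines shows whether the 0x80004004 failures line up with the administrator's policy, which is the case where the GPO route in item 5 applies.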