Why do we set "use RTF" to never in Exchange Online?

Some customers ask why our configuration requires the Rich Text Format (RTF) to be disabled.

Rich Text Format (RTF) is not the same as HTML

A common confusion is to assume that Microsoft's RTF is the same thing as HTML. They are completely different formats, and Microsoft has deprecated RTF in favor of HTML, as the sections below show.

Microsoft recommends using HTML rather than RTF

Rich Text Format (RTF) is a legacy proprietary email format that Microsoft created before HTML email was common. The short answer to why we recommend disabling it is that Microsoft itself recommends HTML over RTF. Please see this article:

"You can use RTF when you send messages inside an organization that uses Microsoft Exchange, but we recommend that you use the HTML format."

https://support.office.com/en-us/article/change-the-message-format-to-html-rich-text-format-or-plain-text-338a389d-11da-47fe-b693-cf41f792fefa

Outlook Web Access (OWA) cannot even send in RTF

Microsoft does not support sending email from OWA in RTF at all. OWA can still read RTF messages, but only for legacy support. Please see the link below.

OWA can read messages formatted in RTF, but can't format or send this format

https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/message-format-and-transmission

RTF Security Exploits

Even when your systems are up to date with the latest Microsoft patches, accepting the RTF format keeps potential attack vectors open. We expect that the RTF format will be phased out over time.

1) Here is an in-depth article about various exploits related to RTF/OLE:

Microsoft Rich Text Format is heavily used in the email attachments in phishing attacks. It has been gaining massive popularity and its wide adoption in phishing attacks is primarily attributed to the fact that it has an ability to contain a wide variety of exploits and can be used efficiently as a delivery mechanism to target victims.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/

2) Here is an example security alert related to RTF within Outlook:

"Microsoft Outlook retrieves remote OLE content without prompting"

https://www.kb.cert.org/vuls/id/974272

Pesky winmail.dat attachments

One indication that a message was sent in Rich Text Format (RTF) is a winmail.dat attachment on the email. Here is an informative article on the logic Exchange uses to decide when TNEF (the encoding that carries RTF) is applied:

The TNEF conversion options for messages sent to external recipients are described in the following list from highest priority to lowest priority:

  1. Remote domain settings

  2. Mail user or mail contact settings

  3. Outlook settings

https://docs.microsoft.com/en-us/exchange/mail-flow/content-conversion/tnef-conversion?view=exchserver-2019
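The priority order above maps directly onto Exchange Online PowerShell: remote domain settings are the TNEFEnabled property of each remote domain (the EAC's "Use rich-text format" choice: $false is Never, $true is Always, $null is Follow user settings), and mail user / mail contact settings are the UseMapiRichTextFormat property. The script below is an added example written for this article, not Microsoft's code; the function names Get-TnefPosture and Set-TnefNever are my own. It assumes the ExchangeOnlineManagement module is installed and a session is already open with Connect-ExchangeOnline as an Exchange administrator. The third priority level, the Outlook client's own settings, lives on the client and cannot be audited from the service side.

```powershell
# Added example (not the original article's code): audit and enforce the
# "use rich-text format: Never" setting in Exchange Online, following the
# priority order from the TNEF conversion article (remote domain first, then
# mail users / mail contacts). Assumes Connect-ExchangeOnline has been run.

function Get-TnefPosture {
    # Returns one object per remote domain or recipient that still permits TNEF/RTF.
    $findings = @()

    # Priority 1: remote domains. TNEFEnabled $false = "Never", $true = "Always",
    # $null = "Follow user settings", which defers to priorities 2 and 3.
    foreach ($rd in Get-RemoteDomain) {
        if ($rd.TNEFEnabled -ne $false) {
            $findings += [pscustomobject]@{
                Level    = 'RemoteDomain'
                Identity = $rd.Identity
                Domain   = $rd.DomainName
                Setting  = $(if ($null -eq $rd.TNEFEnabled) { 'FollowUserSettings' } else { 'Always' })
            }
        }
    }

    # Priority 2: mail users and mail contacts. UseMapiRichTextFormat is
    # Never, Always or UseDefaultSettings; only Never closes the door here.
    $recipients = @(Get-MailUser -ResultSize Unlimited) + @(Get-MailContact -ResultSize Unlimited)
    foreach ($r in $recipients) {
        if ($r.UseMapiRichTextFormat -ne 'Never') {
            $findings += [pscustomobject]@{
                Level    = 'MailUserOrContact'
                Identity = $r.Identity
                Domain   = ($r.PrimarySmtpAddress.ToString() -split '@')[-1]
                Setting  = $r.UseMapiRichTextFormat
            }
        }
    }
    return $findings
}

function Set-TnefNever {
    # Forces "Never" at both service-side levels. SupportsShouldProcess lets
    # -WhatIf flow through to the Set-* cmdlets so you can preview the change.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # The "Default" remote domain covers every external domain without its own entry.
    foreach ($rd in Get-RemoteDomain) {
        Set-RemoteDomain -Identity $rd.Identity -TNEFEnabled $false
    }
    foreach ($mu in Get-MailUser -ResultSize Unlimited) {
        Set-MailUser -Identity $mu.Identity -UseMapiRichTextFormat Never
    }
    foreach ($mc in Get-MailContact -ResultSize Unlimited) {
        Set-MailContact -Identity $mc.Identity -UseMapiRichTextFormat Never
    }
}

# Usage: list what still allows RTF, preview the enforcement, then apply it.
Get-TnefPosture | Format-Table -AutoSize
Set-TnefNever -WhatIf
# Set-TnefNever
# Get-TnefPosture   # expect no rows once every level is set to Never
```

Because the remote domain setting has the highest priority, setting TNEFEnabled to $false on the Default remote domain (and on any additional remote domains) is what actually stops winmail.dat from reaching external recipients; the per-recipient changes only matter for domains left at "Follow user settings", but closing them too keeps the posture consistent if someone later relaxes a remote domain.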

How content conversion happens in Exchange

https://docs.microsoft.com/en-us/exchange/mail-flow/content-conversion/content-conversion?view=exchserver-2019

TNEF is not the same as RTF

TNEF and RTF are related but not exactly the same. It can get confusing because the two terms are often used interchangeably: TNEF is the transport encoding (what ends up in winmail.dat), and RTF is the message body format that TNEF carries.

How TNEF and RTF are encoded:

https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxtnef/1f0544d7-30b7-4194-b58f-adc82f3763bb

https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxrtfex/906fbb0f-2467-490e-8c3e-bdc31c5e9d35

https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmsg/7fd7ec40-deec-4c06-9493-1bc06b349682
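The winmail.dat name is only a convention, so a gateway or incident responder that wants to know whether an attachment is really a TNEF stream should look at the bytes, not the filename. The following is an added example written for this article (not Microsoft's code and not part of the specifications linked above); it relies on the layout described in MS-OXTNEF: the stream opens with the DWORD signature 0x223E9F78 stored little-endian, followed by a 2-byte legacy key, then a sequence of attributes each laid out as a 1-byte level, a 4-byte attribute ID, a 4-byte length, the data, and a 2-byte checksum. The first attribute in a real stream is attTnefVersion (0x00089006). The function name Test-TnefStream and the sample bytes are constructed for this example.

```powershell
# Added example (not from the original article or the MS-OXTNEF spec itself):
# identify a TNEF (winmail.dat) payload by its stream signature rather than by
# filename, and read the header fields a reviewer would want logged.

$TnefSignature  = 0x223E9F78   # MS-OXTNEF stream signature
$AttTnefVersion = 0x00089006   # attTnefVersion, the expected first attribute

function Test-TnefStream {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 6) {
        return [pscustomobject]@{ IsTnef = $false; Reason = 'too short for a TNEF header' }
    }
    # BitConverter reads little-endian on the platforms Exchange tooling runs on.
    $sig = [BitConverter]::ToUInt32($Bytes, 0)
    if ($sig -ne $TnefSignature) {
        return [pscustomobject]@{ IsTnef = $false; Reason = ('signature 0x{0:X8} does not match' -f $sig) }
    }
    $result = [ordered]@{
        IsTnef             = $true
        LegacyKey          = [BitConverter]::ToUInt16($Bytes, 4)
        FirstAttribute     = $null
        FirstAttrIsVersion = $false
    }
    # First attribute: level (1 byte) at offset 6, id (4) at 7, length (4) at 11.
    if ($Bytes.Length -ge 15) {
        $level   = $Bytes[6]
        $attrId  = [BitConverter]::ToUInt32($Bytes, 7)
        $attrLen = [BitConverter]::ToUInt32($Bytes, 11)
        $result.FirstAttribute     = ('level={0} id=0x{1:X8} length={2}' -f $level, $attrId, $attrLen)
        $result.FirstAttrIsVersion = ($attrId -eq $AttTnefVersion)
    }
    return [pscustomobject]$result
}

# Constructed sample: the minimal opening of a TNEF stream, i.e. the header plus
# an attTnefVersion attribute carrying version 1.0. The checksum is the 16-bit
# sum of the data bytes (0x00 + 0x00 + 0x01 + 0x00 = 1).
$sample = [byte[]](
    0x78, 0x9F, 0x3E, 0x22,   # signature 0x223E9F78, little-endian
    0x34, 0x12,               # legacy key (arbitrary value for the sample)
    0x01,                     # attribute level: message
    0x06, 0x90, 0x08, 0x00,   # attribute id 0x00089006 (attTnefVersion)
    0x04, 0x00, 0x00, 0x00,   # data length 4
    0x00, 0x00, 0x01, 0x00,   # version 0x00010000
    0x01, 0x00                # checksum
)

Test-TnefStream -Bytes $sample
# A text attachment fails the signature check even if it were named winmail.dat.
Test-TnefStream -Bytes ([Text.Encoding]::ASCII.GetBytes('Hello, world'))
# For a captured attachment on disk:
# Test-TnefStream -Bytes ([IO.File]::ReadAllBytes('C:\quarantine\winmail.dat'))
```

A stream that passes the signature check but whose first attribute is not attTnefVersion is worth a closer look: well-formed producers always emit the version attribute first, so anything else suggests a hand-built or damaged stream, which is a useful triage signal alongside the reasons given above for disabling RTF outright.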