One of the ways that businesses help their employees identify potentially malicious emails is to flag any email that has been sent from an external email account. These external sender warnings can easily be configured in email clients such as Microsoft Outlook and email security gateways.
When the warning is shown, employees know to treat any link, attachment or request in the message with caution. When it is absent, they naturally assume the message came from a trusted internal account and is most likely benign, so the whole value of the control rests on that assumption holding.
However, it turns out that it is easy to stop the external email warnings from being displayed on external messages with a few lines of CSS or HTML code, according to researcher Louis Dion-Marcil.
The reason is that most email clients and email security gateways implement the warning by injecting an HTML snippet into the body of the message after it has been scanned. The attacker controls the rest of that body, including any stylesheet it carries, so a phisher can ship CSS that targets the injected snippet and hides it. Any client or gateway that puts the warning into the message body rather than into its own user interface is affected.
Hiding the banner is not the only option. The same CSS can restyle or replace the banner text, for example to state that the message and its attachments have been scanned and found to be safe. A recipient who sees that reassurance could easily be fooled into opening a malicious attachment in the mistaken belief that it is malware free.
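To make the mechanism concrete, the following added example (not code from the article or from Dion-Marcil's research) simulates a gateway that prepends a warning banner to the HTML body, a constructed phishing body whose stylesheet hides that banner and paints a fake "scanned, no threats found" notice in its place, and a heuristic check a gateway could run before injecting: it parses the message's own style rules and flags any rule that hides or rewrites content and whose selector could match the banner, whether by the banner's class name or by a structural selector such as `body > div:first-child`. The banner markup, class name and sample messages are assumptions for the example.

```python
import re

# Constructed banner in the style many gateways prepend after scanning.
# The class name is an assumption made for this example.
BANNER_CLASS = "ext-warning"
BANNER_HTML = (
    f'<div class="{BANNER_CLASS}" style="background:#ffeb9c;padding:8px">'
    "CAUTION: This email originated from outside the organisation.</div>"
)


def inject_banner(html_body: str) -> str:
    """Simulate a gateway/client that injects the warning into the message body."""
    m = re.search(r"<body[^>]*>", html_body, re.IGNORECASE)
    if m:
        return html_body[: m.end()] + BANNER_HTML + html_body[m.end():]
    return BANNER_HTML + html_body


# Constructed attacker message: the <style> block targets the class the gateway
# will add later, so the real warning never renders and a fake notice does.
ATTACKER_BODY = """<html><head><style>
  .ext-warning { display: none !important; }
  .fake-safe { background:#d4edda; padding:8px; }
</style></head><body>
<div class="fake-safe">Attachment scanned by the security gateway: no threats found.</div>
<p>Please review the attached invoice.</p>
</body></html>"""

# Variant that never names the class: it hides whatever the gateway puts first.
ATTACKER_BODY_STRUCTURAL = """<html><head><style>
  body > div:first-child { visibility: hidden; height: 0; }
</style></head><body>
<p>Please review the attached invoice.</p>
</body></html>"""

# Constructed benign message with ordinary styling that must not be flagged.
BENIGN_BODY = """<html><head><style>
  .footer { display: none; }
  p { color: #333; }
</style></head><body><p>Monthly newsletter</p><div class="footer">x</div></body></html>"""

# Declarations that hide an element or replace its text (content: on a pseudo-element).
TAMPER_PROPS = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|opacity\s*:\s*0"
    r"|height\s*:\s*0|position\s*:\s*absolute|content\s*:)",
    re.IGNORECASE,
)


def style_rules(html_body: str):
    """Yield (selector, declarations) for every rule in every <style> block."""
    for block in re.findall(r"<style[^>]*>(.*?)</style>", html_body, re.I | re.S):
        for sel, decl in re.findall(r"([^{}]+)\{([^}]*)\}", block):
            yield sel.strip(), decl


def targets_banner(selector: str) -> bool:
    """Could this selector match the injected banner <div>?"""
    for sel in selector.split(","):
        sel = sel.strip()
        if BANNER_CLASS in sel:
            return True
        # Positional pseudo-classes: the banner is the first child of <body>.
        if re.search(r":(first-child|first-of-type|nth-child|nth-of-type)", sel):
            return True
        # Element-only or universal selectors (div, body > div, *, html div).
        if re.fullmatch(r"(\*|body|html|div)(\s*[>\s]\s*(\*|div))*", sel):
            return True
    return False


def scan_for_banner_tampering(html_body: str) -> list:
    """Return the selectors of rules that would hide or rewrite the banner."""
    return [
        sel for sel, decl in style_rules(html_body)
        if TAMPER_PROPS.search(decl) and targets_banner(sel)
    ]


if __name__ == "__main__":
    for name, body in [("attacker", ATTACKER_BODY),
                       ("structural", ATTACKER_BODY_STRUCTURAL),
                       ("benign", BENIGN_BODY)]:
        print(name, scan_for_banner_tampering(body))
    # The banner is present in the delivered HTML either way; the CSS decides
    # whether the recipient ever sees it.
    print(BANNER_HTML in inject_banner(ATTACKER_BODY))
```

The check is deliberately a heuristic: it catches the obvious class-name and positional selectors, but an attacker who controls the whole body has many other ways to reach the injected element (attribute selectors, stacking a covering element on top of it, and so on), which is exactly why the article's conclusion holds and the indicator belongs in the client's own user interface rather than in the body.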
Unfortunately, there is no easy fix at the gateway, because attackers have full control of the HTML body of the emails they send and can simply add whatever code is needed to suppress or alter a warning that lives in that body. The only robust solution is to render the warning in the email client's own user interface, outside the message body, where the message's CSS cannot reach it.
There is a fix coming for Microsoft Outlook: a new feature that lets administrators enable external email tagging in Exchange Online. Rather than adding code to the message body, the Outlook client adds the tag when it renders the message, so CSS in the body cannot remove or alter it. The feature will be disabled by default, so administrators will need to turn it on. It is still in development and is due to be rolled out by Microsoft in April 2021.