Those "External" banners in emails from the outside are good. But they can be bypassed...
It's very common practice (and good security!) to add the "External" tag to emails originating from outside your organization.
It's no surprise to you that repeating any warning can reduce it's value, but this is just one layer of many. We don't pretend that a simple tag on an email immediately stops users from clicking on Phishes.
But you may be surprised to find out these external tags can be bypassed fairly easily. (Many thanks Infosec House for their excellent research here.)
Criminal actors do exactly this...
I wish this were actually a little harder... it would make the blog a bit longer for SEO purposes and all that.
But here goes:
Step 1: enable PGP signing on external messages and attach your public key
Step 2: send email
Step 3: magically, the "External" tag is gone
And yes, this works. And yes, Microsoft is aware.
Oh, and there's also another way...
Depending on how your organization appends the "External" tag, it could also be bypassed another way.
Many email gateways add in a (usually) yellow bar with the alert at the top of the email.
And this can be bypassed with some simple HTML/CSS sprinkled in.
Essentially, a threat actor can just overwrite the security measure that your gateway adds in automatically.
No, this doesn't all mean that tagging external emails is pointless.
But it does mean that your users can't simply rely on those external tags.
As you might have suspected, INFIMA provides its Partners with Security Awareness Training to protect against attacks just like these!
Special thanks to @ldionmarcil and @m4giktrick for great research!
Join the newsletter to receive the latest updates in your inbox.