When Outsiders Look Like Insiders
It's very common practice (and good security!) to add the "External" tag to emails originating from outside your organization.
It's no surprise to you that repeating any warning can reduce it's value, but this is just one layer of many. We don't pretend that a simple tag on an email immediately stops users from clicking on Phishes.
But you may be surprised to find out these external tags can be bypassed fairly easily. (Many thanks Infosec House for their excellent research here.)
Criminal actors do exactly this...
PGP Signature
I wish this were actually a little harder... it would make the blog a bit longer for SEO purposes and all that.
But here goes:
Step 1: enable PGP signing on external messages and attach your public key
Step 2: send email
Step 3: magically, the "External" tag is gone
And yes, this works. And yes, Microsoft is aware.
Oh, and there's also another way...
The Other Way
Depending on how your organization appends the "External" tag, it could also be bypassed another way.
Many email gateways add in a (usually) yellow bar with the alert at the top of the email.
And this can be bypassed with some simple HTML/CSS sprinkled in.
Essentially, a threat actor can just overwrite the security measure that your gateway adds in automatically.
No, this doesn't all mean that tagging external emails is pointless.
But it does mean that your users can't simply rely on those external tags.
They need to be trained on what to look for to avoid Phishing emails.
As you might have suspected, INFIMA provides its Partners with Security Awareness Training to protect against attacks just like these!
And hey, if you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!
Special thanks to @ldionmarcil and @m4giktrick for great research!