When Outsiders Look Like Insiders

It's a very common practice (and good security!) to add the "External" tag to emails originating from outside your organization.

That familiar "External" tag...

It's no surprise to you that repeating any warning can reduce its value, but this is just one layer of many. We don't pretend that a simple tag on an email immediately stops users from clicking on Phishes.

But you may be surprised to find out these external tags can be bypassed fairly easily. (Many thanks to Infosec House for their excellent research here.)

Criminal actors do exactly this...

PGP Signature

I wish this were actually a little harder... it would make the blog a bit longer for SEO purposes and all that.

But here goes:
Step 1: enable PGP signing on external messages and attach your public key
Step 2: send email
Step 3: magically, the "External" tag is gone

And yes, this works. And yes, Microsoft is aware.
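For defenders, one way to look for the outcome of the steps above is to audit delivered mail for external messages that arrived without the tag. This is an added example, not from the original post or from Microsoft; the internal domain list, the tag and banner strings and the sample messages are assumptions to replace with your own.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: your own domains and the marks your gateway adds.
INTERNAL_DOMAINS = {"corp.example"}
SUBJECT_TAG = "[external]"
BANNER_TEXT = "originated from outside"
PGP_TYPES = {"application/pgp-signature", "application/pgp-keys"}

def sender_domain(msg):
    """Domain of the From: address. From: is spoofable; a production check
    should use the gateway's own inbound/outbound verdict instead."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def body_text(msg):
    """Decoded text/* parts, so the banner string can be searched for."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out).lower()

def audit(raw_message):
    """Return None if nothing to report, else a finding for an untagged external mail."""
    msg = message_from_string(raw_message)
    if sender_domain(msg) in INTERNAL_DOMAINS:
        return None
    if SUBJECT_TAG in msg.get("Subject", "").lower() or BANNER_TEXT in body_text(msg):
        return None
    has_pgp = any(p.get_content_type() in PGP_TYPES for p in msg.walk())
    return "external, untagged, PGP part present" if has_pgp else "external, untagged"

# Constructed sample messages (not real mail).
TAGGED = ("From: a@vendor.test\nSubject: [External] Quote\n"
          "Content-Type: text/plain\n\nThis message originated from outside.\n")
SIGNED = ("From: Bob <bob@partner.test>\nSubject: Invoice\nMIME-Version: 1.0\n"
          'Content-Type: multipart/signed; protocol="application/pgp-signature";'
          ' boundary="b1"\n\n--b1\nContent-Type: text/plain\n\nSee attached.\n'
          "--b1\nContent-Type: application/pgp-signature\n\n(placeholder)\n--b1--\n")
INTERNAL = "From: hr@corp.example\nSubject: Benefits\n\nReminder.\n"

if __name__ == "__main__":
    for name, raw in [("tagged", TAGGED), ("signed", SIGNED), ("internal", INTERNAL)]:
        print(name, "->", audit(raw))
```

Run it over an export of recently delivered messages; any finding means a user saw outside mail with no warning on it.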

Oh, and there's also another way...

The Other Way

Depending on how your organization appends the "External" tag, it could also be bypassed another way.

Many email gateways add in a (usually) yellow bar with the alert at the top of the email.

These banners are useful, but they can be bypassed by malicious actors.

And this can be bypassed with some simple HTML/CSS sprinkled in.

Essentially, a threat actor can just overwrite the security measure that your gateway adds in automatically.

No, this doesn't all mean that tagging external emails is pointless.

But it does mean that your users can't simply rely on those external tags.

They need to be trained on what to look for to avoid Phishing emails.

As you might have suspected, INFIMA provides its Partners with Security Awareness Training to protect against attacks just like these!

And hey, if you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Special thanks to @ldionmarcil and @m4giktrick for great research!