Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Attackers Can Hide ‘External Sender’ Email Warnings With HTML And CSS

Attackers Can Hide ‘External Sender’ Email Warnings With HTML And CSS

The “external sender” warnings shown to email recipients by clients like Microsoft Outlook can be hidden by the sender, as demonstrated by a researcher.

Turns out, all it takes for attackers to alter the “external sender” warning, or remove it altogether from emails is just a few lines of HTML and CSS code.

This is problematic as phishing actors and scammers can simply include some HTML and CSS code in their outgoing emails to tamper with the wording of the warning message or to make it disappear altogether.

Senders can easily hide “external sender” warnings  

Email security products such as enterprise email gateways are often configured to display the “external sender” warning to a recipient when an email arrives from outside of the organization.

IT administrators enforce displaying such warnings to safeguard users against phishing and scam emails arriving from untrusted sources.

However, this week a researcher has shown a rather simple way that email senders can use to circumvent this protection applied by email security products.

By appending just a few lines of HTML and CSS code, researcher Louis Dion-Marcil showed how an external sender could hide the very warning from an email message.

Also Read: Data Protection Officer Singapore | 10 FAQs

Hiding “external sender” warning from an email message
Source: Twitter

This happens because email security products and gateways that are intercepting and scanning incoming emails for suspicious content are simply injecting the “external sender” warning as an HTML/CSS code snippet in the email body itself, as opposed to the UI of the native email client displaying the message.

As such, an attacker-crafted email that contains CSS instructions to override the warning snippet’s CSS code (display rules) can make the warning disappear altogether:

CSS code injected within the email hides “external sender” warning
Source: Louis Dion-Marcil

Another researcher who alluded to also being aware of this behavior from the past implied an attacker could also exploit this flaw to alter the warning message:

“You could even fake HTML and CSS to [sic] instead of hiding it, indicating the content was scanned and deemed safe,” said Jean Maes in the same thread.

Dion-Marcil has shared some insights with BleepingComputer on this behavior:

The researcher says that this is not a bug in any email client app per se, and is client-agnostic.

“It’s not really a client bug, so it’s client agnostic. nothing to do with Outlook really. I just happened to take a screenshot in Outlook, but [this] would work in Gmail, Thunderbird, etc.” 

“It’s a limitation of HTML emails. If the warning is added to the HTML body, and the attacker obviously controls the HTML body, then they can add CSS rules to hide those elements.”

“It is impossible to fix, other than moving to a non-HTML-based warning label,” Dion-Marcil told BleepingComputer in an email interview.

Microsoft Exchange native ‘external’ email tags: a potential solution

Last month, Microsoft Exchange announced the addition of an upcoming “external” email tagging feature, as reported by BleepingComputer.

If IT administrators enable this feature on their organization’s Exchange server, emails received from external sources, when parsed by native clients like Microsoft Outlook, will carry the “external” tags displayed within the native email client app’s UI, as opposed to the email body.

As an example, screenshots shared by Microsoft show external emails received in Microsoft Outlook and Outlook mobile apps showing the “External” tag in the native email client’s UI:

External tags in Outlook on the web
Source: Microsoft
External tags in Outlook for iOS
Source: Microsoft

Also Read: The DNC Singapore: Looking At 2 Sides Better

Once the “external” email tagging feature rolls out to different Office 365 environments, however, it will be disabled by default.

As such, IT administrators interested in enabling this feature will need to use the Get-ExternalInOutlook and Set-ExternalInOutlook PowerShell cmdlets to view and modify external sender identification configuration in supported Outlook versions.

“If you enable the cmdlet, within 24-48 hours, your users will start seeing a warning tag in email messages received from external sources (outside of your organization),” says Microsoft.

“In Outlook mobile, by tapping on the External tag at the top of the message, the user will see the email address of the sender.”

Regardless of whether an email contains the “external sender” warning, or on the contrary, touts itself to be “safe,” users should be careful prior to opening any links or attachments in the emails they receive. 

Update 10:52 AM: Added quotes received from Dion-Marcil.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us