External email warning banner phish


Updated August 28, 2024
Written by Maxime Cartier
CAUTION! This warning banner doesn't really help much anymore.

For a long time, a popular safety practice has been to implement banners that distinguish between internal and external emails. The most common configuration is probably Microsoft’s default warning banner, which flags emails originating from outside the organization. There is a good chance that you see this banner on a daily basis.

This banner informs the recipient that the email originates from outside the organization. In theory, it should help identify whether a bad actor is attempting to impersonate your coworker. In practice, bad actors are getting better at outsmarting external email warning banners.

For years, we at Hoxhunt have re-engineered these banners in various ways for our simulations to demonstrate that anything inside the email body can be fabricated by attackers. This includes native email client features, such as meeting invites, access invites, conversation chains, and so on.

We have identified a possible problem with these warning banners

People have learned to place more trust in emails lacking such "Caution" banners. This creates a false sense of security around a poorly implemented security feature: if an attacker hides the banner, the phishing email seems more trustworthy, and the attacker can more convincingly impersonate internal email communication.

Unfortunately, as demonstrated in the case below, hiding the Microsoft-provided default banner is easy. What is even more concerning is that the original external warning banner can be replaced with a trusted sender banner.

Organizations should think carefully about the purpose and implementation of this feature. We have worked with Hoxhunt network members to find alternative methods that increase banner effectiveness and security-related behavior change.

Here is how the banner replacement appears in different email clients.

Screenshots (images not reproduced), original banner versus replaced banner:

Microsoft Windows Outlook: original / replaced
Outlook web access: original / replaced
iOS Outlook: original / replaced

Caption: This email is sent from outside the organization and replaces the default external sender banner with a safe sender banner.
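As an added example (not Hoxhunt's code or tooling), a small Python heuristic a mail team could run on inbound messages to flag the pattern shown above: an external sender whose HTML body carries "safe sender" wording, or CSS that hides content. The phrase list, the domains and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Wording a forged "trusted sender" banner tends to carry. Assumption: the
# organization's real banner uses the Microsoft-style CAUTION text, so any
# "safe/trusted sender" banner inside an external email is attacker-supplied.
FAKE_TRUST_PHRASES = ("safe sender", "trusted sender", "internal sender", "verified sender")
# CSS that removes content from view, whether inline or in a <style> block.
HIDE_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?!\.?\d)", re.I)
STYLE_BLOCK = re.compile(r"<style\b.*?</style>", re.I | re.S)

class _VisibleText(HTMLParser):
    """Collect the text a reader would see once tags are rendered."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def analyze(raw_message: str, internal_domain: str) -> dict:
    """Flag external mail whose body carries a forged trust banner or hidden content."""
    msg = message_from_string(raw_message)
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    external = sender_domain != internal_domain.lower()
    html = next((p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/html"), "")
    parser = _VisibleText()
    parser.feed(STYLE_BLOCK.sub("", html))  # stylesheet text is never shown
    visible = " ".join(parser.chunks).lower()
    hide_rules = len(HIDE_CSS.findall(html))  # inline styles and <style> blocks
    findings = []
    if external and any(p in visible for p in FAKE_TRUST_PHRASES):
        findings.append("forged trust banner in external mail")
    if external and hide_rules:
        findings.append(f"{hide_rules} content-hiding CSS rule(s)")
    return {"external": external, "findings": findings}

# Constructed sample (placeholder domains): an external sender whose body shows
# a green "Safe Sender" banner and hides another element via a stylesheet rule.
SAMPLE = """From: payroll@example-vendor.test
To: alice@corp.example
Subject: Updated payslip
Content-Type: text/html; charset=utf-8

<html><body><style>.hide{display:none}</style>
<div class="hide">preheader filler</div>
<div style="background:#dff0d8">This email is from a Safe Sender.</div>
<p>Please review the attached payslip.</p></body></html>
"""
```

Calling `analyze(SAMPLE, "corp.example")` marks the message external and returns both findings; the same body from an internal sender returns none, since the genuine banner is only added to external mail.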

Hoxhunt response

We analyze tens of thousands of phishing emails a week, including ones like these, and have captured tens of millions of threats to date from our reporting tool, to ensure our phishing training keeps pace with constantly evolving threats. We cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time. This level of agility ensures that Hoxhunt users are drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button.
