For a long time, a popular safety practice has been to implement banners that distinguish between internal and external emails. The most common configuration is probably Microsoft’s default warning banner, which flags emails originating from outside the organization. There is a good chance that you see this banner on a daily basis.
This banner informs the recipient that the email originates from outside the organization. In theory, it should help identify whether a bad actor is attempting to impersonate your coworker. But in practice, bad actors are getting better at outsmarting external email warning banners.For years, we at Hoxhunt have re-engineered these banners in various ways for our simulations to demonstrate that anything inside the email body can be fabricated by attackers. This also includes native email client features, such as meeting invites, access invites, conversation chains, and so on.
People have learned to place more trust in emails lacking such "Caution" banners. But this creates a false sense of security around a poorly implemented security feature. After all, if an attacker hides the banner, the phishing email seems more trustworthy, and the attacker can more convincingly impersonate internal email communication.Unfortunately, as demonstrated in the case below, hiding the Microsoft-provided default banner is easy. What’s even more concerning is that the original external warning banner can be replaced with a trusted sender banner.
Organizations should think carefully about the purpose and implementation of this feature. We have worked with Hoxhunt network members to find alternative methods that will increase banner effectiveness and security-related behavior change.Here’s how the banner replacement appears in different email clients.
This email is sent from outside the organization and is replacing the default external sender banner with a safe sender banner.
We analyze tens of thousands of phishing emails including ones like these a week--and have captured tens of millions of threats to date from our reporting tool--to ensure our training is at the cutting edge of the constantly-evolving threats. We cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time. This level of agility ensures that Hoxhunt users are being drilled on spotting and reporting the latest actual threats making the rounds, and thus removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button.