
Attackers can hide 'external sender' email warnings with HTML and CSS
2021-04-22 10:18

It turns out that all it takes for attackers to alter the "External sender" warning, or remove it from emails altogether, is a few lines of HTML and CSS.

Email security products such as enterprise email gateways are often configured to display the "External sender" warning to a recipient when an email arrives from outside of the organization.

By appending just a few lines of HTML and CSS code, researcher Louis Dion-Marcil showed how an external sender could hide the very warning from an email message.

This happens because email security products and gateways that are intercepting and scanning incoming emails for suspicious content are simply injecting the "External sender" warning as an HTML/CSS code snippet in the email body itself, as opposed to the UI of the native email client displaying the message.

"It's a limitation of HTML emails. If the warning is added to the HTML body, and the attacker obviously controls the HTML body, then they can add CSS rules to hide those elements."
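As an added illustration, not code from the article, the researcher, or any email product, the following Python script takes the defender's side of the mechanism described above: it scans the sender-supplied HTML body for stylesheet rules that would hide a gateway-injected banner. The banner identifiers `#external-sender-warning` and `.external-sender-warning`, the list of "hiding" CSS properties and both sample messages are assumptions constructed for the example; real gateways use their own markup, which the article does not name.

```python
"""Flag CSS in an HTML email body that would hide a gateway-injected
"External sender" banner.  Added example; banner selectors and sample
messages are assumptions, not any product's real markup."""
import re
from html.parser import HTMLParser

# Assumed identifiers a gateway might give its injected banner.
BANNER_TOKENS = ("#external-sender-warning", ".external-sender-warning")

# Declarations that make an element invisible or unreadable (matched on
# lower-cased text).  "0px"/"0em" still match; "0.5" does not.
HIDING_PATTERNS = (
    r"display\s*:\s*none",
    r"visibility\s*:\s*hidden",
    r"opacity\s*:\s*0(?:\.0+)?(?![\d.])",
    r"font-size\s*:\s*0(?![\d.])",
    r"(?:max-)?(?:height|width)\s*:\s*0(?![\d.])",
    r"color\s*:\s*transparent",
)


class StyleCollector(HTMLParser):
    """Collects the raw text of every <style> element in the document."""

    def __init__(self):
        super().__init__()
        self._in_style = False
        self.stylesheets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "style":
            self._in_style = True
            self.stylesheets.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.stylesheets[-1] += data


def _iter_rules(css):
    """Yield (selector, declarations) for each rule.  Rules nested in
    @media blocks are still found because the regex skips the outer braces."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # drop comments
    for m in re.finditer(r"([^{}]+)\{([^{}]*)\}", css):
        yield m.group(1).strip(), m.group(2).strip()


def _hides(declarations):
    text = declarations.lower()
    return any(re.search(p, text) for p in HIDING_PATTERNS)


def _names_banner(selector, tokens):
    # Whole-token match so "#external-sender-warning-2" is not a false hit.
    return any(re.search(re.escape(t) + r"(?![\w-])", selector, re.I) for t in tokens)


def _is_broad(selector):
    # No id, class or attribute part ("*", "div", "body > div:first-child"):
    # such a rule can reach the banner without naming it.
    return not re.search(r"[.#\[]", selector)


def analyze_email_html(html, tokens=BANNER_TOKENS):
    """Return findings as dicts {kind, selector, declarations}.
    kind is 'names_banner' when the rule targets the banner id/class and
    'broad' when a hiding rule uses only type/structural selectors."""
    collector = StyleCollector()
    collector.feed(html)
    findings = []
    for css in collector.stylesheets:
        for selector, decls in _iter_rules(css):
            if not _hides(decls):
                continue
            if _names_banner(selector, tokens):
                findings.append({"kind": "names_banner", "selector": selector, "declarations": decls})
            elif _is_broad(selector):
                findings.append({"kind": "broad", "selector": selector, "declarations": decls})
    return findings


# Constructed sample: an ordinary message with harmless styling.
BENIGN_BODY = """<html><head><style>
  p { font-family: Arial, sans-serif; }
  .footer { color: #888; font-size: 11px; }
</style></head><body>
<p>Hi team, the Q2 figures are attached.</p>
<p class="footer">Sent from my desk</p></body></html>"""

# Constructed sample: a stylesheet that names the (assumed) banner markup and
# also uses a structural selector that could reach it without naming it.
HIDING_BODY = """<html><head><style>
  body { font-family: Arial, sans-serif; }
  /* rules aimed at the gateway's injected element */
  #external-sender-warning, .external-sender-warning { display: none !important; }
  @media screen { .external-sender-warning { font-size: 0; } }
  body > div:first-child { visibility: hidden; }
</style></head><body><p>Please review the attached invoice.</p></body></html>"""


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("hiding", HIDING_BODY)):
        print(name, analyze_email_html(body))
```

Because the sender writes the stylesheet before the gateway adds its banner, any rule that references the banner's id or class is itself a strong signal and can be quarantined or stripped at the gateway. Rules that reach the banner through structural selectors are reported as "broad", but selector matching is only a floor: an attacker controls the whole body, so the durable fix is the one the article points to, rendering the tag in the client's own UI, as Microsoft's Outlook feature does, where sender-supplied CSS has no effect.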

Screenshots shared by Microsoft show external emails received in Microsoft Outlook and the Outlook mobile apps with the "External" tag rendered in the native email client's UI. Once the "External" email tagging feature rolls out to different Office 365 environments, it will be disabled by default.


News URL

https://www.bleepingcomputer.com/news/security/attackers-can-hide-external-sender-email-warnings-with-html-and-css/