Email Warnings Can Be Hidden by Attackers with the Use of HTML and CSS
The Warnings Shown to Email Recipients Can Be Hidden, Attackers Being Able to Alter The “External Sender” Warning, or Remove It From Emails.
This action is problematic in itself taking into consideration that phishing actors and scammers can simply include the HTML and CSS code in outgoing emails and in this way tamper with the wording of the warning message or make it disappear altogether.
The email security products such as enterprise email gateways are usually configured to display the “external sender” warning to a recipient when an email arrives from outside of the organization, in order to be able to protect the users against phishing and scam emails coming from untrusted sources.
Recently a researcher has demonstrated a simple way in which email senders can bypass this protection, with only adding a few lines of HTML and CSS code, researcher Louis Dion-Marcil showed how an external sender could hide the specific warning.
idk why I havent thought of this before, but its very easy to hide those “external sender” warnings that get appended to your emails during phishing campaigns 🤔. Email gateways/FW just add HTML at the start/end of emails, simply add CSS to hide it! #RedTeam
See images: pic.twitter.com/pumsmP8G1k
— Louis Dion-Marcil (@ldionmarcil) April 21, 2021
This is happening because email security products and gateways are intercepting and scanning incoming emails for suspicious content just by injecting the “external sender” warning as an HTML/CSS code snippet in the email body itself, unlike the UI of the native email client that is displaying the message.
This means that an attacker-crafted email containing CSS instructions to override the warning snippet’s CSS code can make the warning disappear altogether.
Heimdal™ Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
Another cybersecurity researcher alluded to being also aware of this behavior and implied that an attacker could easily exploit this flaw to alter the warning message.
“You could even fake HTML and CSS to [sic] instead of hiding it, indicating the content was scanned and deemed safe,” Jean Maes said in the same thread.
It is not important whether an email contains the “external sender” warning, or seems perfectly “safe”. You should still be careful when opening any links or attachments contained in the emails you receive in order to remain safe from cyberattacks.
If you want to learn more on how to protect yourself from email scams, you can read our article on Email Fraud Prevention here.