External Sender Caution Banner Bypass

Question

Hello,

I stumbled up a blog (whynotsecurity.com) on how attackers can bypass the "external" caution banner that is configured to display on external emails. The blogger also provided a link that leads to a mitigation that inserts this "external" message as a tag into the UI, however, as far as I can tell, this only works for O365 and Exchange Online. Is there anyway to apply this to on-prem Exchange 2019? Or are we stuck with creating this rule in mail flow and utilizing HTML to create this message and leaving us open to this vulnerability? Thanks.

https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098#comments

https://whynotsecurity.com/blog/external-email-warning-bypass/

Answer 1

Hi @icuoras

The blogger also provided a link that leads to a mitigation that inserts this "external" message as a tag into the UI, however, as far as I can tell, this only works for O365 and Exchange Online.

Yes. This feature introduced in the link (Exchange Team Blog) is for Exchange Online.
In Exchange On-premises you may need to create a mail flow rule to notify the recipients.

---

While based on my test in Exchange 2016 CU22, the HTML codes didn't seem to bypass the disclaimer in mail flow rule.

Here is my rule setting (the same setting as this link):

The email still contains the disclaimer.
In Outlook:

In OWA:

---

Besides, if it does bypass the disclaimer in this rule, I suppose you can also use this Action (Prepend the subject of the message with) instead.

It would append the external sender notification in the message subject.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

It was dead-easy to bypass WhyNotSecurity's bypass. I even stumbled upon a second bypass which I have defeated. It is a bit like playing whack a mole, but so far they have worked.

To override the body = hidden style just add the following to your table style

<table style="display:block !important">

I also found that if structure your message like this:

<html>
    <head>
        <!--[if !mso]><!-->
    </head>
    <body>
        <!--<![endif]-->
        This is the original email 
        <!--[if mso]> 
            <table>
                <tr>
                    <td>
                        <p>Try opening this email in OWA.</p>
                    </td>
                </tr>
            </table>
        <![endif]-->
        <!--[if !mso]><!-->
            <p>Secret message not shown in Outlook</p>
        <!--<![endif]-->
    </body>
</html>

That this will extinguish the banner in Outlook fat client only. The reason is that the comment in the head is interpreted by Outlook's email rendering engine (word) to not display anything until the endif. So when the banner is prefixed right after the body, it is within those two tags.

To defeat this bypass simply include

<!--<![endif]-->

BEFORE your disclaimer table code. It'll look something like this:

<!--<![endif]-->
<table style="display:block !important">
	<tr>
		<td>
			Your content goes here
		</td>
	</tr>
</table>