External Sender Caution Banner Bypass

icuoras 21 Reputation points
2022-05-02T22:32:13.69+00:00

Hello,

I stumbled upon a blog (whynotsecurity.com) on how attackers can bypass the "external" caution banner that is configured to display on external emails. The blogger also provided a link that leads to a mitigation that inserts this "external" message as a tag into the UI; however, as far as I can tell, this only works for O365 and Exchange Online. Is there any way to apply this to on-prem Exchange 2019? Or are we stuck with creating this rule in mail flow and utilizing HTML to create this message, leaving us open to this vulnerability? Thanks.

https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098#comments

https://whynotsecurity.com/blog/external-email-warning-bypass/


Accepted answer
  1. Kael Yao-MSFT 37,676 Reputation points Microsoft Vendor
    2022-05-03T03:42:13.927+00:00

    Hi @icuoras

    The blogger also provided a link that leads to a mitigation that inserts this "external" message as a tag into the UI, however, as far as I can tell, this only works for O365 and Exchange Online.

    Yes. This feature introduced in the link (Exchange Team Blog) is for Exchange Online.
    In Exchange On-premises you may need to create a mail flow rule to notify the recipients.


    While based on my test in Exchange 2016 CU22, the HTML code didn't seem to bypass the disclaimer in the mail flow rule.

    Here is my rule setting (the same setting as this link):
    [screenshot: 198423-03.png]

    The email still contains the disclaimer.
    In Outlook:
    [screenshot: 198426-04.png]
    In OWA:
    [screenshot: 198434-05.png]


    Besides, if it does bypass the disclaimer in this rule, I suppose you can also use this Action (Prepend the subject of the message with) instead.
    [screenshot: 198435-06.png]

    It would append the external sender notification in the message subject.
    [screenshot: 198451-07.png]




1 additional answer

  1. jeremyahagan 1 Reputation point
    2023-09-22T07:12:55.0066667+00:00

    It was dead-easy to bypass WhyNotSecurity's bypass. I even stumbled upon a second bypass which I have defeated. It is a bit like playing whack-a-mole, but so far they have worked.

    To override the body = hidden style just add the following to your table style

    <table style="display:block !important">
    

    I also found that if you structure your message like this:

    <html>
        <head>
            <!--[if !mso]><!-->
        </head>
        <body>
            <!--<![endif]-->
            This is the original email 
            <!--[if mso]> 
                <table>
                    <tr>
                        <td>
                            <p>Try opening this email in OWA.</p>
                        </td>
                    </tr>
                </table>
            <![endif]-->
            <!--[if !mso]><!-->
                <p>Secret message not shown in Outlook</p>
            <!--<![endif]-->
        </body>
    </html>
    

    This will extinguish the banner in the Outlook fat client only. The reason is that the comment in the head is interpreted by Outlook's email rendering engine (Word) to not display anything until the endif. So when the banner is prefixed right after the body, it is within those two tags.

    To defeat this bypass simply include

    <!--<![endif]-->
    

    BEFORE your disclaimer table code. It'll look something like this:

    <!--<![endif]-->
    <table style="display:block !important">
    	<tr>
    		<td>
    			Your content goes here
    		</td>
    	</tr>
    </table>
    
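To make the conditional-comment mechanism in the answer above concrete, here is an added Python sketch (not code from the answer, from WhyNotSecurity, or from Microsoft) that emulates the two rendering paths and shows why placing `<!--<![endif]-->` in front of a prepended disclaimer keeps it visible in Outlook while OWA is unaffected. The emulation of Word's handling of `[if !mso]` / `[if mso]` regions is an assumption simplified to the two patterns used in the answer, and the sample message is constructed from the structure posted there.

```python
import re

# Constructed sample message using the structure from the answer above.
BYPASS_BODY = """<html>
<head><!--[if !mso]><!--></head>
<body>
<!--<![endif]-->
This is the original email
<!--[if mso]><table><tr><td><p>Try opening this email in OWA.</p></td></tr></table><![endif]-->
<!--[if !mso]><!--><p>Secret message not shown in Outlook</p><!--<![endif]-->
</body>
</html>"""

# A plain disclaimer table, and the same table with the fix from the answer in front of it.
NAIVE_DISCLAIMER = '<table><tr><td>CAUTION: external sender</td></tr></table>'
HARDENED_DISCLAIMER = ('<!--<![endif]-->'
                       '<table style="display:block !important">'
                       '<tr><td>CAUTION: external sender</td></tr></table>')


def prepend_disclaimer(html: str, disclaimer: str) -> str:
    """Mimic a 'Prepend' disclaimer action: insert right after the opening <body> tag."""
    return re.sub(r'(<body[^>]*>)', lambda m: m.group(1) + disclaimer,
                  html, count=1, flags=re.I)


def strip_markup(html: str) -> str:
    """Drop every remaining comment and tag, leaving the whitespace-normalised text."""
    html = re.sub(r'<!--.*?-->', '', html, flags=re.S)
    return ' '.join(re.sub(r'<[^>]+>', ' ', html).split())


def outlook_text(html: str) -> str:
    """Assumed Word behaviour: a downlevel-revealed <!--[if !mso]><!--> opener hides
    everything up to the next <!--<![endif]-->; an [if mso] block is rendered."""
    html = re.sub(r'<!--\[if !mso\]><!-->.*?<!--<!\[endif\]-->', '', html, flags=re.S)
    html = re.sub(r'<!--\[if mso\]>(.*?)<!\[endif\]-->', r'\1', html, flags=re.S)
    return strip_markup(html)


def browser_text(html: str) -> str:
    """OWA and browsers: every conditional comment is just an HTML comment."""
    return strip_markup(html)


def banner_survives(disclaimer: str) -> dict:
    """Report whether the CAUTION banner is visible in each client for a disclaimer."""
    msg = prepend_disclaimer(BYPASS_BODY, disclaimer)
    return {'outlook': 'CAUTION' in outlook_text(msg),
            'owa': 'CAUTION' in browser_text(msg)}
```

Running `banner_survives` on both disclaimers shows the naive table disappearing in the Outlook path only, and the hardened table surviving in both.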