Choose your topics

What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Enterprise Risk Management
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Penetration Testing, Cyber Security

Underpainting External Email Labels

Underpainting External Email Labels
Written by

Isadora Gregori

Published on

20 Mar 2019

Underpainting External Email Labels


Improve Email Security: Underpainting External Email Labels I SureCloud

Set the background colour on your external email warning message, here’s why…

Companies have been adding tags to emails from outside of the company for a few years now (If you’re not already doing this, it’s worth considering). These are typically warning messages such as “EXTERNAL EMAIL – PROCEED WITH CAUTION” and are added to the top of received emails.

In an effort to improve email security, they serve as a way of both reminding people that emails from outside the company are usually more dangerous, and flag forgeries pretending to be internal messages.

While these messages do rely on people taking notice of them, we’ve seen a lower number of people executing our payloads when these messages are enabled, which is fantastic! While they shouldn’t be used as the sole form of email security, they do offer one more reminder for users to be careful.

From an attacker’s perspective, these warnings are an absolute pain when it comes to our phishing, ransomware or red teaming engagements. But there is one common mistake we’ve repeatedly seen that can easily be exploited:

If the warning is added without setting the background color of the warning element, it’s possible to simply change the background color of the email body element and effectively hide the warning. Another aspect can then be added inside the body to create a section with a more normal color. There are some limitations to this method due to the nuances of email HTML; while setting the background color of the email body is supported, changing the margin and padding of the body element is not (this was disabled in Outlook a few years ago). Any attempt to change these parameters is ignored. In practice, this means there will be a small border around the content, but we have seen increased rates of payload execution with a border instead of a warning.

There are multiple methods to improve email security and protect against this type of attack:

Mitigation Benefits Drawbacks
Add background colour to warning element Changing the background colour of the body won’t ever prevent the warning being read Adds clutter to the reply chain (the same as without background colour)
Force all messages into plaintext You can’t hide the message without HTML to control colours Email formatting is likely to be impacted
Custom Outlook “Message Classifications” to add warnings within the Outlook UI More professional look, no reply clutter Not compatible with all email clients. Mainly only supported by Outlook
SPF with -all directive Should block all emails originating from a forged internal email address. Doesn’t account for homoglyph/punycode attacks, typos being exploited in domain names


About SureCloud

SureCloud is a provider of Cybersecurity services and cloud-based, integrated Risk Management products, which reinvent the way you manage risk. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.