Do inbound emails from outside your organisation get flagged with a clear external sender warning banner?
Demonstrate that all email messages received from external senders are automatically tagged with a conspicuous warning banner that is visible to recipients before interaction with message content.
Description
What this control does
This control requires the email gateway or mail server to automatically append a visible warning banner to all inbound messages originating from external domains. The banner alerts recipients that the message came from outside the organization, prompting caution before clicking links, opening attachments, or responding to requests. This technical mitigation reduces the effectiveness of phishing, business email compromise, and social engineering attacks by providing a consistent visual cue that disrupts attacker trust exploitation.
Control objective
What auditing this proves
Demonstrate that all email messages received from external senders are automatically tagged with a conspicuous warning banner that is visible to recipients before interaction with message content.
Associated risks
Risks this control addresses
- Phishing emails from external threat actors are mistaken for internal communications, leading to credential compromise
- Business email compromise attacks using spoofed or lookalike domains succeed because recipients assume familiarity
- Social engineering attacks leveraging urgency or authority bypass user scrutiny due to lack of external sender indication
- Malicious links or attachments in external emails are opened without adequate caution or verification
- Users fail to apply appropriate skepticism to requests for wire transfers, data disclosure, or password resets from external sources
- Spear-phishing campaigns targeting executives or finance staff succeed by mimicking trusted internal correspondence patterns
Testing procedure
How an auditor verifies this control
- Identify the email gateway, mail security appliance, or cloud email service (e.g., Microsoft 365, Google Workspace, Proofpoint, Mimecast) responsible for inbound mail processing.
- Review mail flow rule configurations, transport rules, or policy settings that define external sender tagging logic and banner content.
- Verify the specific text, formatting, and placement of the external sender warning banner as configured in the system.
- Send test emails from multiple external domains (public webmail, personal accounts, and unfamiliar business domains) to internal mailboxes across different departments.
- Inspect received test messages in multiple email clients (web interface, Outlook, mobile) to confirm the banner appears consistently and prominently.
- Review exception lists, whitelists, or bypass rules to confirm no external domains are excluded from banner insertion without documented business justification.
- Examine a sample of recent inbound emails from external senders in user mailboxes or mail logs to validate the control operates in production.
- Confirm that internal-to-internal emails do not display the external warning banner, ensuring the rule discriminates correctly based on sender domain.
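The following is an added example, not part of this control text or of any vendor's product: a small Python model of the banner rule described under "What this control does", followed by the checks from the testing procedure above (test sends from several external origins, a lookalike domain, a display-name spoof, an internal control message, and a bypass list) replayed over the delivered messages. The internal domains, the banner wording, the bypass list and every sample message are constructed for illustration.

```python
"""Added example, not part of the original control text: a small model of an
external-sender banner rule plus the checks an auditor would replay against a
sample of delivered mail. Domains, messages, banner wording and the bypass list
are all constructed for illustration."""
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: the organisation's own domains. Anything else, including the
# lookalike examp1e.com used below, is external because matching is exact.
INTERNAL_DOMAINS = frozenset({"example.com", "corp.example.com"})

BANNER_TEXT = ("CAUTION: This email originated from outside the organisation. "
               "Do not click links or open attachments unless you recognise the sender.")
BANNER_HTML = ('<div style="background:#fff4ce;border:1px solid #d9a300;padding:8px">'
               "<b>CAUTION:</b> This email originated from outside the organisation.</div>")

# Constructed bypass list: domain -> documented justification (None = nothing on file)
BYPASS_LIST = {"partner.example.net": "CHG-0001 (constructed): monitoring alerts",
               "newsletter.example.org": None}


def sender_domain(msg):
    """Domain of the address in From:. parseaddr() discards the display name,
    so '"ceo@example.com" <mallory@external.example>' does not look internal."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_external(msg, internal_domains=INTERNAL_DOMAINS):
    # An empty or malformed From: is treated as external (fail closed).
    return sender_domain(msg) not in internal_domains


def apply_banner(msg, internal_domains=INTERNAL_DOMAINS, bypass=BYPASS_LIST):
    """The gateway rule: tag the subject and prepend the banner to every text
    body part of an external message. Bypassed domains are left untouched,
    which is exactly what audit_sample() has to notice afterwards."""
    if not is_external(msg, internal_domains) or sender_domain(msg) in bypass:
        return msg
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = "[EXTERNAL] " + subject
    for part in [p for p in msg.walk() if not p.is_multipart()]:
        if part.get_content_type() == "text/plain":
            part.set_content(BANNER_TEXT + "\n\n" + part.get_content())
        elif part.get_content_type() == "text/html":
            part.set_content(BANNER_HTML + part.get_content(), subtype="html")
    return msg


def has_banner(msg):
    """What a recipient sees in any client: every text/plain and text/html
    part must carry the banner, not just one rendering."""
    parts = [p for p in msg.walk()
             if p.get_content_type() in ("text/plain", "text/html")]
    return bool(parts) and all(
        (BANNER_TEXT if p.get_content_type() == "text/plain" else BANNER_HTML)
        in p.get_content() for p in parts)


def build_message(sender, subject, text, html=None):
    """Constructed sample message, as the auditor's test sends would produce."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example.com"
    msg["Subject"] = subject
    msg.set_content(text)
    if html is not None:
        msg.add_alternative(html, subtype="html")
    return msg


def audit_sample(messages, internal_domains=INTERNAL_DOMAINS, bypass=BYPASS_LIST):
    """Replay the auditor's checks over delivered mail: every external message
    must carry the banner unless its domain has a documented bypass, and no
    internal message may carry it."""
    findings = []
    for m in messages:
        dom = sender_domain(m)
        if dom in internal_domains:
            if has_banner(m):
                findings.append(f"internal sender {m['From']} wrongly tagged")
        elif not has_banner(m):
            if dom in bypass and bypass[dom]:
                continue  # documented exception: acceptable, but note it
            reason = "undocumented bypass" if dom in bypass else "rule not applied"
            findings.append(f"no banner from external {m['From']} ({reason})")
    return findings


def run_demo():
    """Constructed sample: test sends from several external origins plus an
    internal control message, passed through the rule and then audited."""
    samples = [
        build_message("Alice <alice@webmail.example>", "Invoice", "Please pay.", "<p>Please pay.</p>"),
        build_message("it-helpdesk@examp1e.com", "Reset your password", "Click here."),
        build_message('"ceo@example.com" <mallory@external.example>', "Urgent wire", "Send funds today."),
        build_message("alerts@partner.example.net", "Disk usage", "Volume at 90%."),
        build_message("promo@newsletter.example.org", "Sale", "Deals inside."),
        build_message("bob@corp.example.com", "Lunch", "Noon?"),
    ]
    delivered = [apply_banner(m) for m in samples]
    return audit_sample(delivered)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run stand-alone, the demo reports a single finding: the newsletter domain is on the bypass list with no justification recorded, so its untagged mail is a gap the auditor must raise. The partner domain is also bypassed but documented, so it is accepted; the lookalike domain and the display-name spoof are both tagged because classification uses only the exact address domain, never the display name; and the internal message stays untagged, which is the discrimination check in the last step of the procedure. A real gateway rule should be checked the same way, in every client the organisation uses, since a banner inserted only into the HTML body is invisible to a plain-text or mobile rendering.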