Are emails from outside your company marked with a clear external sender warning?
Demonstrate that all email messages received from external senders are automatically and consistently tagged with a visible warning indicator prior to delivery to end-user mailboxes.
Description
What this control does
This control ensures that all emails originating from external domains are automatically tagged with a visible warning indicator (banner, label, or prefix) within the email client interface before reaching end users. The control is typically implemented through mail gateway rules or Exchange transport rules, and the warning alerts recipients that the message originated outside the organization's trusted domain perimeter. This compensating control reduces the likelihood that users will trust or act on fraudulent content in spoofed, phishing, or business email compromise (BEC) attempts that appear to come from legitimate external parties.
Control objective
What auditing this proves
Demonstrate that all email messages received from external senders are automatically and consistently tagged with a visible warning indicator prior to delivery to end-user mailboxes.
Associated risks
Risks this control addresses
- Phishing emails impersonating trusted external vendors, partners, or service providers successfully deceive employees into disclosing credentials or sensitive data
- Business email compromise (BEC) attacks exploiting user trust in external sender addresses to authorize fraudulent wire transfers or invoice payments
- Credential harvesting attacks using lookalike domains or spoofed external addresses that users fail to scrutinize
- Malware delivery via social engineering when users trust external senders without verifying legitimacy
- Data exfiltration via email when employees inadvertently reply to external adversaries believing them to be internal colleagues
- Supply chain compromise through socially engineered communications that exploit the lack of sender verification
- Executive impersonation attacks where threat actors leverage external addresses similar to internal leadership to manipulate employees
Testing procedure
How an auditor verifies this control
- Inventory all mail gateway systems, email security appliances, and transport rule engines responsible for inbound email processing.
- Review transport rules, content filters, or header modification policies in the mail gateway and Exchange Online/on-premises configurations to identify rules that add external sender warnings.
- Export and document the exact trigger conditions (e.g., sender domain not in accepted domains list) and the warning text or HTML banner applied to external messages.
- Send test emails from at least three different external domains (public Gmail, external business domain, newly registered domain) to a sample of internal mailboxes across different departments.
- Inspect the received test messages in multiple email clients (Outlook desktop, Outlook Web Access, mobile client) to verify the external warning is visible and consistently formatted.
- Review a sample of 20-30 production inbound emails from the past 30 days to confirm external warnings are present on legitimate external correspondence and absent on internal messages.
- Test edge cases by sending emails from subdomains, distribution lists, and forwarding scenarios to verify the rule applies universally to external origins.
- Interview 3-5 end users to confirm they recognize and understand the external sender warning and have received security awareness guidance on its meaning.
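The sample review in the testing procedure (external messages tagged, internal messages not, subdomains treated as external) can be scripted against exported .eml files. The checker below is an added example, not part of this control or of any vendor tooling; the accepted domains, the subject prefix, the X-header name and the sample messages are all assumptions to be replaced with the values exported from your own transport rules.

```python
"""Audit helper: does each sampled message carry the external warning exactly when it should?"""
from email import message_from_string
from email.utils import parseaddr

# Assumed values: substitute your accepted domains and the markers your rule applies.
ACCEPTED_DOMAINS = {"example.com", "corp.example.com"}
SUBJECT_PREFIX = "[EXTERNAL] "
TAG_HEADER = "X-External-Sender"   # assumed header stamped by the gateway rule

def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_external(msg):
    # Exact match only: a subdomain absent from the accepted list counts as
    # external, mirroring the subdomain edge case in the testing procedure.
    # Note: classifying on the From header is fine for a sample review, but the
    # production rule should key off the gateway's own scope, since From is spoofable.
    return sender_domain(msg) not in ACCEPTED_DOMAINS

def warning_markers(msg):
    """Return (has_subject_prefix, has_tag_header) for a parsed message."""
    has_prefix = msg.get("Subject", "").startswith(SUBJECT_PREFIX)
    has_header = msg.get(TAG_HEADER, "").strip().lower() == "yes"
    return has_prefix, has_header

def audit(raw_messages):
    """Return (index, finding) pairs for every message that violates the control."""
    findings = []
    for i, raw in enumerate(raw_messages):
        msg = message_from_string(raw)
        has_prefix, has_header = warning_markers(msg)
        if is_external(msg) and not (has_prefix and has_header):
            findings.append((i, "external message missing warning"))
        elif not is_external(msg) and (has_prefix or has_header):
            findings.append((i, "internal message wrongly tagged"))
    return findings

# Constructed sample messages (not real mail): indexes 2, 3 and 4 are violations.
SAMPLES = [
    "From: Vendor <billing@vendor.example.net>\nSubject: [EXTERNAL] Invoice 1042\nX-External-Sender: yes\n\nbody\n",
    "From: Alice <alice@example.com>\nSubject: Lunch\n\nbody\n",
    "From: Partner <ops@partner.example.org>\nSubject: Contract\n\nbody\n",
    "From: Bob <bob@example.com>\nSubject: [EXTERNAL] Re: Lunch\nX-External-Sender: yes\n\nbody\n",
    "From: Help <help@support.example.com>\nSubject: Ticket\n\nbody\n",
]

if __name__ == "__main__":
    for idx, finding in audit(SAMPLES):
        print(f"message {idx}: {finding}")
```

Point `audit()` at the raw text of the 20-30 exported production messages and any finding is a gap to raise with the mail administrators.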