External Email Tagging & Determining Link Legitimacy

I have encountered a lot of questions from customers lately around the effectiveness of tagging external emails. All the questions and pushback on these programs have made me introspective. I never personally felt much passion about email tagging before; it had always struck me as metadata, something out of the way, part ineffective and part annoying in format for power users, but overall a security nice-to-have. What surprised me is how much friction these tags can cause for those who do not understand the "why" behind them. I enjoy simplifying these types of things on this blog and reducing friction by taking the time to help others understand, so this has become an exciting topic for me. The best part about all of this is that it wasn't until I had explained the justification for external email tagging several times that the real value at its core finally hit me. I have begun to notice that the discomfort one feels toward external email tagging is a function of how much an individual has adopted the idea that any email can be trustworthy.

Other resources have done excellent work explaining the pros and cons of email tagging, and why such tagging is important. I wanted to contribute today by focusing on the natural misconception that email can be made safe, and to add my voice on how email tagging provides metadata, an input to the person making a decision on how to behave. Because these discussions often lead to questions about deciding which links are safe to click, I lay out simple steps as a guide to help make the most informed decision possible. To start us off, here is a summary of the logic behind the pushback:

If some emails related to the internal workings of my organization are tagged as "external," how can I trust any email that I receive?  Security is removing my ability to know if something is from the inside or the outside and desensitizing me against what is malicious.

When summarized this way, one can see there is a connection between the reluctance to keep one's guard up all the time and the disdain one feels for email tagging.  Consider the following:

  • The absence of an external tag is not an endorsement that something is legitimate, nor does the presence of an external tag indicate that something is malicious. External email tagging is the best way to expose these assumptions.

  • One's instincts about what constitutes an "internal message" may not align with the reality of a message's true technical source.

  • Tagging some internal-feeling emails as "external" is preferable to leaving technically-external emails untagged.

💡
The first principle of email safety is that email (global, unauthenticated contact with pseudonymous strangers) is inherently dangerous.

It is important to recognize that most email is not authenticated, that the work it takes to be confident in the source of an email is not something an everyday user wants to deal with, and that, as such, communications can come from just about anywhere. This is inherently risky.

💡
The second principle is that deciding whether to view an email, click a link, open an attachment or enter information is the responsibility of the individual.

There really is no avoiding this one. Individuals are responsible for clicking links. With the consequences facing organizations today, leaving individuals in a place where they do not realize the consequences of their actions is far too risky for organizations.

No security control exists to fully address principle two, unless you consider "don't use email" or "stay off the internet" security controls. So ultimately, each of these activities comes with different risks. They range from relatively benign (e.g. letting someone know you've opened an email) to egregiously bad (e.g. granting someone control of your system, account, financial institution, etc.).

💡
The third principle is that those with malicious intent exploit the gaps in individuals' ability to detect danger, and in their responsibility to do so.

Different likelihoods of abuse exist based on factors such as: who sent the email? Can you validate that it came from inside your organization? When was it sent? Were you expecting it? Tagging emails that technically originate from outside the organization, for example, is a way to attach a piece of information that does not take the responsibility of deciding whether to trust or not to trust away from the individual; it only adds to the list of things we process as we make that determination for ourselves.
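To make the bullets above and this principle concrete, here is an added example (my own illustration, not code from the original post or from any mail product) of the decision a tagging gateway makes. It assumes an organization whose sending domains are `example.com` and `corp.example.com`, a gateway whose Authentication-Results stamps carry the authserv-id `mx.example.com`, and a tag text of `[EXTERNAL]`; all four messages are constructed samples. It shows why an internal-looking From address is not enough on its own: the message is treated as internal only when our own gateway saw DMARC pass, so a spoofed "HR" message gets tagged, a legitimate payroll vendor that "feels internal" gets tagged, and an Authentication-Results header the gateway did not write is ignored.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (constructed, not the post's values):
ORG_DOMAINS = {"example.com", "corp.example.com"}   # domains the organization sends from
TRUSTED_AUTHSERV = "mx.example.com"                 # authserv-id our own gateway stamps
EXTERNAL_TAG = "[EXTERNAL]"


def sender_domain(msg):
    """Domain of the RFC 5322 From address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect method=result pairs (spf, dkim, dmarc) from Authentication-Results headers.

    Only headers stamped by our own gateway (authserv-id == TRUSTED_AUTHSERV) count;
    a header with any other authserv-id may have been added before the mail reached us.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = header.partition(";")
        if authserv_id.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", rest.lower()):
            results[method] = result
    return results


def classify(raw):
    """'internal' only when the From domain is ours AND our gateway saw dmarc=pass.
    Everything else, including internal-looking mail that failed authentication,
    is 'external'."""
    msg = message_from_string(raw)
    if sender_domain(msg) in ORG_DOMAINS and auth_results(msg).get("dmarc") == "pass":
        return "internal"
    return "external"


def tag_subject(raw):
    """Subject line as the gateway would deliver it: tagged when external."""
    subject = message_from_string(raw).get("Subject", "")
    if classify(raw) == "external" and not subject.startswith(EXTERNAL_TAG):
        return f"{EXTERNAL_TAG} {subject}"
    return subject


# Constructed sample messages (headers only, trimmed to what the decision needs).
INTERNAL_PAYSLIP = """\
From: HR <hr@example.com>
Subject: Pay slips available
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Your pay slip for this month is ready.
"""

SPOOFED_PAYSLIP = """\
From: HR <hr@example.com>
Subject: Pay slips available
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Your pay slip for this month is ready.
"""

VENDOR_PAYROLL = """\
From: Payroll <noreply@payroll-vendor.example.net>
Subject: Your hours were approved
Authentication-Results: mx.example.com; dmarc=pass header.from=payroll-vendor.example.net

Have a nice day.
"""

# An Authentication-Results header our gateway did not write: it is ignored.
FOREIGN_AUTH_HEADER = """\
From: HR <hr@example.com>
Subject: Pay slips available
Authentication-Results: untrusted-relay.example.org; dmarc=pass header.from=example.com

Your pay slip for this month is ready.
"""

if __name__ == "__main__":
    for name, raw in [("internal", INTERNAL_PAYSLIP), ("spoofed", SPOOFED_PAYSLIP),
                      ("vendor", VENDOR_PAYROLL), ("foreign-auth", FOREIGN_AUTH_HEADER)]:
        print(f"{name:13} {classify(raw):9} {tag_subject(raw)!r}")
```

The vendor case is the one that generates the pushback the post describes: the message is legitimate and expected, yet it is tagged, because the tag records where the message technically came from, not whether it is trustworthy.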

When deciding whether a link in an email is legitimate, the following steps help:

  1. Ask a trusted individual.
  2. Check the external community for reports of fraud.
  3. Use experience. For example, employees of an organization will become familiar with the tools and services used by their organization. We can use this information to make reasonable determinations about what is expected or not. We should also take note of other heuristic information (don't worry, we regularly do this without thinking about it): we regularly receive emails like "pay slips available" and "we just wanted you to know your hours were approved, have a nice day". On the other end of the spectrum, a subject like "critical, your account information is unsafe, login urgently to speak with support ASAP" is not an expected message; think twice.
  4. Watch where your information is being submitted. An attacker can create a fake login page, but it is a different thing entirely to get a domain registrar to provide a TLS certificate for another company's domain. Look for domains owned by your organization or trusted domains. Password managers can help you ensure you don't send credentials to the wrong domain.
  5. Don't click the link at all; go to the source directly. If you can't do the above, or still feel uncomfortable and you want to, for example, see your pay slip information, log into the system of interest directly and access the information there. The same applies to your financial institutions: you don't have to click the link in the email; you can get the information from the known good source yourself.
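The "watch where your information is being submitted" step can be checked mechanically before anything is typed into a page. The following is an added example (my own, not code from the post or from any password manager) that takes a link, extracts its real destination host, and compares it against a list of domains the organization owns or has vetted; the domain list and every sample link are constructed. It goes slightly beyond the step as written by also flagging the cases where a trusted name appears in the URL but is not the host (as a prefix of a longer name, or as a `user@` part), and by mimicking the exact-host matching a password manager uses when deciding whether to offer a saved credential.

```python
from urllib.parse import urlsplit

# Assumption (constructed): domains the organization owns or has vetted.
TRUSTED_DOMAINS = {"example.com", "payroll-vendor.example.net"}


def link_host(url):
    """Real destination host of a URL. urlsplit().hostname drops any user:pass@
    prefix and the port and lower-cases the name; a trailing dot is removed too."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain or a subdomain of one. A substring test would
    wrongly accept example.com.evil.example; a suffix test with the dot does not."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def link_verdict(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted' or 'untrusted: <reason>' for a link's destination."""
    parts = urlsplit(url)
    host = link_host(url)
    if parts.scheme != "https":
        return "untrusted: not https"
    if not host:
        return "untrusted: no host"
    if "@" in parts.netloc:
        # user:pass@ syntax puts a trusted-looking name in front of the real host
        return "untrusted: credentials in URL"
    if any(label.startswith("xn--") for label in host.split(".")):
        # internationalized label: may render like an ASCII name it is not
        return "untrusted: internationalized hostname"
    if host_is_trusted(host, trusted):
        return "trusted"
    return "untrusted: host not in trusted domains"


def password_manager_would_fill(saved_site_url, link_url):
    """Simplified model of a password manager's check: the saved credential is
    offered only when the page's host equals the host it was saved for."""
    return link_host(saved_site_url) == link_host(link_url)


# Constructed sample links, one per case the verdict function distinguishes.
SAMPLE_LINKS = [
    "https://hr.example.com/payslips",            # ours (subdomain)
    "https://payroll-vendor.example.net/hours",   # vetted vendor
    "https://example.com.evil.example/login",     # trusted name used as a prefix
    "https://example.com@evil.example/login",     # trusted name in the user part
    "http://example.com/login",                   # no TLS
    "https://xn--exmple-cua.com/login",           # IDN lookalike of example.com
]


def check_all(links=SAMPLE_LINKS):
    """Map each link to its verdict."""
    return {url: link_verdict(url) for url in links}


if __name__ == "__main__":
    for url, verdict in check_all().items():
        print(f"{verdict:40} {url}")
    saved = "https://hr.example.com/login"
    print(password_manager_would_fill(saved, "https://hr.example.com/payslips"))
    print(password_manager_would_fill(saved, "https://hr.example.com.evil.example/login"))
```

The last two calls show the password manager point from the step: a credential saved for `hr.example.com` is offered on another page of that same host, but not on a lookalike host, however similar it reads, because the manager compares the host, not what the page looks like.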

Conclusion

Email is not trustworthy.  It never has been.  Any means to help direct the culture away from trusting broad messages fitting general expectations is a win.  A tag, while perhaps visually irritating, is metadata that can be considered with little effort by an individual.  Earning allies along the way through openly recognizing that change is hard, and helping those with concerns to understand the reasons behind change is the key to improving security at scale.  Preparing ahead of time with methods to make savvy decisions is a sure-fire way to minimize the pain caused to those who will benefit from learning safe habits.  These methods can include awareness campaigns, Q&A sessions, tips to know how to make a good decision around email content and more.