Turns out, all it takes for attackers to alter the “external sender” warning, or remove it altogether from emails is just a few lines of HTML and CSS code, as demonstrated by a researcher.