Safeguard 9.4 (Implementation Groups: IG2, IG3)

Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

Asset Type: Applications
Security Function: Protect

Description

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in a non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Configure email authentication (SPF, DKIM, DMARC)
7. Deploy an email security gateway with filtering
8. Configure attachment and URL scanning

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Malicious Browser Extension Data Exfiltration (Confidentiality)

Unauthorized browser extensions with excessive permissions silently capture form data, authentication tokens, browsing history, and keystrokes, exfiltrating sensitive information to attacker-controlled servers through normal HTTPS traffic.

Email Client Plugin Compromise for Credential Theft (Confidentiality)

Malicious or vulnerable email client plugins intercept email content, harvest credentials, or create mail forwarding rules that silently copy sensitive communications to external addresses without user awareness.

Supply Chain Attack via Compromised Browser Extension Update (Integrity)

A previously legitimate browser extension is sold to a malicious actor or its update mechanism is compromised, pushing malicious code to all enterprise users who installed it, as has occurred with multiple Chrome extensions.

Vulnerabilities (When Safeguard Absent)

No Browser Extension Allowlist or Restriction Policy

Users can install any browser extension without restriction, including extensions requesting permissions to read all website data, modify pages, and access authentication cookies across all domains.

Unmanaged Email Client Add-Ons and Plugins

Email client plugins and add-ons are not restricted through group policy or configuration management, allowing users to install unvetted third-party extensions that can access all email content and attachments.
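The browser-extension allowlist gap above is the one most directly closed by this safeguard. As an added illustration (not from the CIS page), the following script audits a constructed extension inventory against an allowlist, flags the broad permissions named in the vulnerability text, and emits a Chrome `ExtensionSettings` policy that blocks everything not approved; the extension IDs and manifests are made-up sample data.

```python
"""Audit installed browser extensions against an allowlist and flag risky permissions.

Added example for CIS Safeguard 9.4; not part of the CIS page. Extension IDs and
manifests below are constructed sample data, not real extensions.
"""
import json

# Permissions that let an extension read or modify data across all sites
# (the "excessive permissions" scenario in the threat description).
RISKY_PERMISSIONS = {"<all_urls>", "cookies", "webRequest", "tabs", "clipboardRead", "history"}

def audit_extensions(installed, allowlist):
    """installed: {ext_id: manifest dict}; allowlist: set of approved ext_ids.
    Returns a list of (ext_id, name, reason) findings."""
    findings = []
    for ext_id, manifest in installed.items():
        name = manifest.get("name", ext_id)
        # Merge Manifest V2 'permissions' and Manifest V3 'host_permissions'.
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        if ext_id not in allowlist:
            findings.append((ext_id, name, "not on allowlist"))
        risky = sorted(perms & RISKY_PERMISSIONS)
        if risky:
            findings.append((ext_id, name, "risky permissions: " + ", ".join(risky)))
    return findings

def chrome_extension_policy(allowlist, blocked_permissions=("cookies", "webRequest")):
    """Build a Chrome 'ExtensionSettings' policy: block installation by default,
    allow only approved IDs, and deny selected permissions even to those."""
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_permissions": list(blocked_permissions)}}
    for ext_id in sorted(allowlist):
        policy[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": policy}

# Constructed sample inventory (IDs are 32-character placeholders, not real extensions).
SAMPLE_INSTALLED = {
    "aaaa" * 8: {"name": "Corp Password Manager", "permissions": ["storage"],
                 "host_permissions": ["https://vault.example.com/*"]},
    "bbbb" * 8: {"name": "Free Coupon Finder", "permissions": ["cookies", "webRequest", "tabs"],
                 "host_permissions": ["<all_urls>"]},
}
SAMPLE_ALLOWLIST = {"aaaa" * 8}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_INSTALLED, SAMPLE_ALLOWLIST):
        print(*finding, sep=" | ")
    print(json.dumps(chrome_extension_policy(SAMPLE_ALLOWLIST), indent=2))
```

The generated JSON is the shape Chrome reads from its managed-policy location; the same allowlist can be reused for Edge, which honours the same ExtensionSettings policy.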

Evidence Requirements

Type      | Evidence Item                                                             | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document  | Procedure documentation for protection measures                           | Reviewed annually
Technical | Email security configuration (SPF, DKIM, DMARC records)                   | Verified quarterly
Document  | Governing policy document (current, approved, communicated)               | Reviewed annually

Related Policy Templates