Combat Spoofing with Office 365 External Email Warning

Email spoofing is one of the most prolific threats today. An attacker may spoof the name of a known person in a company, like an HR manager, to send forged messages to unsuspecting users.

To the untrained eye, it can be difficult to tell whether an email came from a legitimate sender or from a malicious external source. How can you help your users? This post shows you how by adding an eye-catching warning to external emails.

Before You Begin

This article requires the following.

  • A working Office 365 enterprise tenant. Consider signing up for an Office 365 trial tenant if you don’t have one for testing.
  • Windows PowerShell 5.1 or the latest PowerShell 7 (v7.2.5 as of this writing).

Option 1: Enable the Native Office 365 External Email Warning

External email tagging is disabled by default in every Office 365 tenant, but the feature is there; you only need to enable it. The feature can only be managed using Exchange Online PowerShell, as there is no equivalent setting yet in the Exchange admin center.

To enable the native external email tagging feature, follow the below steps.

Open PowerShell and connect to Exchange Online.

# Import the EXO V2 module 
Import-Module ExchangeOnlineManagement 
# Connect to EXO 
Connect-ExchangeOnline

Next, run the below command to enable external email tagging.

Set-ExternalInOutlook -Enabled $true 
Get-ExternalInOutlook

The external email tagging feature is now enabled as you can see below.

Screenshot: Enable External Email Tagging

That’s it! You’ve enabled the Native External Email tagging in Exchange Online for supported Outlook clients.

Note. This setting may take 24-48 hours to take effect, and users won’t see the External tag on the messages they receive until then.

Add and Remove Sender Exceptions

What if you want to exclude some external domains or sender addresses from the external email tagging? You can do so by adding those sender addresses to the AllowList.

Note. The AllowList is limited to 50 entries, and the total size of all entries must not exceed 1KB.

To add domains or email addresses to the external tagging exclusion, run the Set-ExternalInOutlook command with the -AllowList parameter as below.

Set-ExternalInOutlook -AllowList @('mailer365@crazyadmins365.ga','lazyexchangeadmin.cyou')


Use the following syntax to add another entry to the allow list without replacing the existing list.

Set-ExternalInOutlook -AllowList @{Add='somedomain.com','anotherdomain.org'}


Or to remove entries, use the following syntax instead.

Set-ExternalInOutlook -AllowList @{Remove='somedomain.com','anotherdomain.org'}

As you can see below, the entries you specified to remove no longer exist in the AllowList.

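To keep the AllowList within the limits from the note above, here is an added example (not from the original post) that wraps the Add syntax in a function which refuses an update that would exceed 50 entries or 1KB. It assumes an existing Exchange Online session and approximates the 1KB limit as the UTF-8 size of the comma-joined list.

```powershell
# Added example (not from the original post): adds entries to the native
# external-tagging AllowList only if the 50-entry / 1 KB limits still hold.
# Assumes Connect-ExchangeOnline has already been run. The byte-size check
# approximates the limit as the UTF-8 length of the comma-joined list.
function Add-ExternalTagAllowListEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Entry,
        [int]$MaxEntries = 50,
        [int]$MaxBytes   = 1024
    )

    # Current state of the feature and its AllowList
    $current  = Get-ExternalInOutlook
    $existing = @($current.AllowList | ForEach-Object { $_.ToLowerInvariant() })

    # Normalise the input and drop anything that is already present
    $new = $Entry | ForEach-Object { $_.Trim().ToLowerInvariant() } |
           Where-Object { $_ -and ($existing -notcontains $_) } |
           Select-Object -Unique

    if (-not $new) { Write-Verbose 'Nothing to add; all entries already present.'; return }

    $projected = $existing + $new
    $bytes = [Text.Encoding]::UTF8.GetByteCount(($projected -join ','))

    if ($projected.Count -gt $MaxEntries) {
        throw "AllowList would hold $($projected.Count) entries; the limit is $MaxEntries."
    }
    if ($bytes -gt $MaxBytes) {
        throw "AllowList would be $bytes bytes; the limit is $MaxBytes."
    }

    if ($PSCmdlet.ShouldProcess('AllowList', "Add $($new -join ', ')")) {
        Set-ExternalInOutlook -AllowList @{Add = $new}
        Get-ExternalInOutlook | Select-Object Enabled, AllowList
    }
}

# Usage (placeholder values); drop -WhatIf to apply the change
Add-ExternalTagAllowListEntry -Entry 'partner.example', 'billing@vendor.example' -WhatIf
```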

The next time your users receive an email from an external sender, the message will carry a call-out at the top, as shown below.


This is good, but…

Apart from enabling and disabling the native external email tagging, the only customization this feature offers is adding and removing sender domains and addresses in the allow list. Some organizations may find this lack of customization a show stopper.

This is why there is another option — to create a mail flow rule, and next you’ll learn how to do it.

Option 2: Create a Mail Flow Rule for Exchange Online External Email Warning

Another option to enable tagging of external emails is by creating a mail flow rule. This approach offers more flexibility and customization and takes effect quicker than native external email tagging.

Let’s create a mail flow rule that will prepend a banner of text warning the users of the message’s origin.

  1. Open the Exchange admin center (EAC) in your web browser and log in with your credentials.
  2. Once in the EAC, expand Mail flow, click Rules → New → Create a new rule.
  3. In the new rule pop-up window, click the More options link.
  4. Type External Email Warning in the Name field.
  5. Under Apply this rule if, click the dropdown box, select The sender → is external/internal → Outside the organization → OK.
  6. Next, click add condition, click the dropdown box, select The recipient → is external/internal → Inside the organization → OK.
  7. Click the dropdown box under the Do the following section. Select Apply a disclaimer to the message → prepend a disclaimer.
  8. Now, click the Enter text link.
  9. Copy and paste the HTML code below into the specify disclaimer text pop-up box. Click OK to save the disclaimer text.
    <p>
    <div
    style="background-color:#FFEB9C; width:100%; border-style: solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align: left;">
    <span style="color:#9C6500; font-weight:bold;">&#9888; EXTERNAL EMAIL WARNING &#9888;</span><br>Do not click links or open attachments unless you're absolutely certain that you know the sender.
    </div>
    <br>
    </p>

    This HTML renders as a banner at the top of the email.

  10. Next, click the Select one link. Choose Wrap as the fallback action, and click OK.
  11. Review the mail flow rule, then click Save to save it.
    You’ve successfully created the Office 365 external email warning mail flow rule. Your users will now see the banner when they receive an external email.

Exclude Domains and Email Addresses

In some cases, you may want to exclude domains or senders from external email tagging. If so, you can modify the rule to add exemptions.

  1. Click the Edit button to open the rule for editing.
  2. Click the add exception button.
  3. Click the dropdown box and select The sender → domain is.
  4. Type the domain you want to exempt and click the plus button to add it to the list. Add more domains if needed, and click OK to save.
  5. If you want to add specific email addresses to the exemption, click the add exception button again.
  6. Click the dropdown button, select The sender → address includes any of these words.
  7. Add the email addresses you want to exempt from the rule and click OK.
  8. The rule now lists two exceptions: domain and email address. Finally, click Save.

Once the rule takes effect, which is typically within a few minutes, messages from the email addresses and domains you exempted will no longer be tagged.
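To script Option 2 instead of clicking through the EAC, here is an added example (not from the original post) that creates the same rule, with both exception types, using New-TransportRule. It assumes an existing Exchange Online session; the exempt domain and address are placeholders to replace with your own.

```powershell
# Added example (not from the original post): builds the "External Email
# Warning" mail flow rule from the EAC steps above with New-TransportRule,
# including the domain and address exceptions. Assumes Connect-ExchangeOnline
# has already been run; the exempt values below are placeholders.
$ruleName = 'External Email Warning'

# Same banner HTML as the post, with the span's style attribute quoted correctly
$banner = @"
<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left;">
<span style="color:#9C6500; font-weight:bold;">&#9888; EXTERNAL EMAIL WARNING &#9888;</span><br>Do not click links or open attachments unless you're absolutely certain that you know the sender.
</div><br>
"@

# Placeholder exemptions (replace with your own)
$exemptDomains   = @('partner.example')
$exemptAddresses = @('noreply@vendor.example')

# Do not silently create a duplicate; edit an existing rule with Set-TransportRule instead
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    throw "A rule named '$ruleName' already exists; edit it with Set-TransportRule instead."
}

New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ExceptIfSenderDomainIs $exemptDomains `
    -ExceptIfFromAddressContainsWords $exemptAddresses `
    -Comments 'Prepends an external-sender banner; exempt senders are listed as exceptions.'

# Verify the rule, its scope and its exceptions
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, SentToScope, ExceptIfSenderDomainIs, ExceptIfFromAddressContainsWords
```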

Conclusion

Adding warnings to messages from external senders helps users identify an email’s source and significantly lowers the risk of your users falling victim to phishing.

Which method do you think is best? The native Office 365 external email warning or the mail flow rule?

Cyril Kardashevsky