External email alert in Office 365 and Outlook

–> Auch auf deutsch verfügbar!

Cyber attacks through phishing mails are still one of the most popular methods. Additionally, these attacks are becoming more and more sophisticated and authentic. Of course, there are security mechanisms, such as DKIM, DMARC or SPF. The use of these is also strongly recommended. However, even with these, we cannot guarantee one hundred percent protection. It is therefore all the more important to train our users in the use of IT and to make them aware of security risks. Exchange Online offers a few features to make it easier for users to recognize dangers:

  • External E-Mail Tags
  • Manipulation of the subject of the e-mail
  • Color warning in the body of the email

Additionally, in this blogpost I would like to show you a MailTip in Outlook that is not enabled by default, but gives the user a hint when sending an email to a person outside the organization. This tip can protect against internal/trusted document leakage.

External E-Mail Tags

Let’s start with a relatively new feature. We now have the ability to tag external emails in Outlook clients with an „External“ tag. For example, this looks like this in Outlook on the web:

You must enable this feature once tenant-wide for all mailboxes:

Set-ExternalInOutlook -Enabled $true

Please note that it can take up to 48 hours until the setting takes effect. If you want to exclude email addresses or domains of partner organizations, for example, you can put these domains on an „AllowList“:

Set-ExternalInOutlook -AllowList  @{Add="daniel@dako365.de", "dako365.com"}

And that’s it! In my opinion, simply activate, because it actually does not bother at all. Now, of course, one can discuss how well this rather small hint works. Especially since this, as already briefly mentioned, is only visible in Outlook (whether web, client or app). Furthermore, the setting options are very limited. Actually, only on or off is possible. Sure, you can maintain a whitelist via PowerShell, but this also directly undermines the basic idea. If not all external emails are tagged, how should a user then interpret whether this email is good or bad?

If you’re looking for a different way that offers more configuration options, check out the next chapter.

Manipulation of the subject of the e-mail

This is probably the classic way it has been done in Exchange on-premises. Using one (or more) transport rules, we manipulate the subject of each external email as it arrives. A common approach here is to give the subject a prefix, such as „*EXTERNAL*“:

I would like to show you how to configure this in Exchange Online.
First of all we have to go to the Exchange Online Admin Center. Here you click under „Mail flow“ on the „Rules“.

Here we create a new rule under the tab „Add a new rule“ with „Create a new rule“.

Then we give the rule an appropriate name and choose the settings below. You can see that the transport rules give us much more room for customization. For example, we can exclude users or entire groups from the rule (Except if) and assign them other rules with a different prefix. This way it is much easier to do justice to one’s own ideas.

Finally, you can set a test mode if you want to test your rules first. The severity of the rule should be set according to your other rules. We can set the priority of the rule afterwards.

Because it is important that you still activate the rule after creating it. Otherwise nothing will happen 😉

For all those who simply need more design freedom when marking emails, the transport rules are still the tool of choice. But it has another advantage: by manipulating the subject, we always have a warning regardless of the client we use. So if you use other clients than Outlook (for example the native mail app on your smartphone), you won’t have any losses here, as for example with variant 1.

Even S/MIME-encrypted e-mails can be manipulated in this way, even if decryption only takes place in the Outlook client. The subject is in the header and is therefore not encrypted.


Color warning in the body of the email

You have accounts that require special protection and you still don’t have enough information? Then you can use transport rules to insert colored hints into the body of the email. This way you also have a colored trigger. However, I often refrain from doing this, because it can be annoying for the user, since these hints are in the body as text and are therefore also sent with the reply (as with the subject).

If you still want to test it, create a transport rule again, as shown above. In the „Do the following“ area you can now use HTML to enter a warning with text and color as you like. I chose the following one, because it has the „Microsoft Style“:

Caution: This email was sent from an external address. If you do not know the sender, do not click on any links or open any attachments. If you are unsure, always contact the Service Desk.

<!-- Yellow caution banner -->
<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%">
    <!-- Dark yellow border -->
    <td style="background:#ffb900;padding:5pt 2pt 5pt 2pt"></td>

    <!-- Textbox -->
    <td width="100%" cellpadding="7px 6px 7px 15px" style="background:#fff8e5;padding:5pt 4pt 5pt 12pt;word-wrap:break-word">
      <div style="color:#222222;">
        <span style="color:#222; font-weight:bold;">Caution:</span>
        This email was sent from an external address. If you do not know the sender, do not click on any links or open any attachments. If you are unsure, always contact the Service Desk.
<br />

When you create such a rule, it is important to include a fall back option in case the rule cannot be applied, in order not to produce errors. For example, a transport rule could look like this.

Unlike subject manipulation, mails that are encrypted cannot be edited this way. Changing the body is not possible due to encryption.

MailTips in Outlook

You have surely all seen the MailTips in Outlook. Most of you will have noticed that you get hints when you write an e-mail to a person with an out-of-office message or when the recipient group is larger than 25 people.

But did you know that there is exactly one MailTip that is turned off by default?

As mentioned in the introduction, we can enable a MailTip that warns us when a recipient’s address is outside the organization. This is again a simple hint for your users to be attentive when sending information. Especially when using mailing lists, this feature can be very useful.

But how do you activate it? Via PowerShell, of course:

Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true

And herewith you can display all MailTips:

Get-OrganizationConfig | select *Mailtips*

My clear recommendation for activation is that this feature is more useful than it is detrimental to anyone.

Links and Facts

MailTips in Exchange Online | Microsoft Learn

Native external sender callouts on email in Outlook – Microsoft Community Hub

Set-ExternalInOutlook (ExchangePowerShell) | Microsoft Learn

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert