Office 365 External Email Notice Configuration – Part 2

This is the second blog in a three part series designed to teach an administrator of Microsoft Office 365 environments how to add the word [External] to the subject line of every incoming email from outside an organization. As stated in Part One (link), marking all externally sourced emails like this provides a huge advantage to any organization as it makes it much more difficult for attackers to trick users into clicking on malicious emails.

Blog Series Links:

Part One: Office 365 External Email Notice Configuration – Part 1

Part Two (this one): Office 365 External Email Notice Configuration – Part 2

Part Three: Office 365 External Email Notice Configuration – Part 3

Enable External Email Notice Configuration Using Exchange Transport Rule

Using this method, we will design an Exchange Transport Rule that can easily be defined and implemented. I highly recommend you test this method on a few users first in your environment for a week or more.

Exchange Transport Rule Implementation Steps:

1. Login to the Exchange Admin Console
2. Click on the Mail Flow area in the index of menus on the left side of the screen

3. Click + to create a new transport rule. In the drop down area, choose Create a new rule…

4. Define the new rule with the following settings:

First, we will define the source location of the email to trigger this rule on.

1. Before defining any fields, we need to enable More Options to expose the proper settings in our rule configuration. On the bottom of the New Rule box, click on More Options in blue text. You will now see more options within the New Rule configuration area.
2. Name the new rule External Email Notification
3. In the *Apply this rule if… field, open the options in the drop down and choose The sender is located….
4. To the right of The sender is located… area just defined, click on *Select one…
5. Select the Sender location to be Outside the organization
6. Under this newly defined area of Outside the Organization, click on the add condition box.
7. In the drop down area, hover over The recipient is located…. and then select is external/internal
8. To the right of this setting, click *Select one…. and then chose Inside the organization
9. Screen of new settings so far:

Secondly, we will define the action to take on the rule when triggered (when an external email is received).

1. In the *Do the following… field, open the options in the drop down and choose Prepend the subject of the message with…
2. In the Specify Subject Prefix field, enter [External] that includes the brackets to make the notice standout
3. Screen of new settings so far:

Optionally, you may also apply a disclaimer to the top of the email body as well with a few words of caution about emails originating from external sources. You may use this warning on its own (without a modified subject line) or in combination with a modified subject line. My rule in implementing this type of warning is to not get carried away. Keep the warning short and add some color to it. Anything more and it becomes a nuisance to your users. Remember, you want them on your side to help in the battle. 😉

To setup a disclaimer in the body of emails received from external sources, follow the steps below:

1. Continuing from within the same New Rule box above, under the Prepend the subject line of the message with… setting you just defined click on the Add Action box to expose an additional action area.
2. Click within the new dialog box area Select One
3. Choose the option to Apply a disclaimer to the message…
4. In the fly out option area, choose to Prepend a disclaimer so it is seen at the top of the email body
5. To the right of this new area, select Enter text….
6. In the Specify Disclaimer Text area, enter the code below. *Note the code settings and text can always be changed as part of your testing as you customize it for your needs. Include everything below in your copy/past action and be careful to not leave any trailing spaces.

<div id=”footer” style=”background-color:#ffeb9c; width:100%; border:1px solid #FFEB9C; padding:2pt; border-style:solid; border-color:#9C6500;”> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</div>

1. You now need to define the Fall Back action of this rule. Click on *Select One…. If the disclaimer can’t be inserted. In the drop down box, choose the Wrap option.
2. Screen of all new settings:

The rule is now defined in the organization after you click Save in the dialog box. Give the rule about five minutes to replicate prior to testing. Be sure to test this rule on a subset of users for a week or so to verify your new rule settings and behavior. The rule can be defined on specific users using another Add Condition option above. Below is a screen picture of the prepending subject line as well as the optionally described warning message about externally received email.

Adjust Exchange Online Rule Priority

After the new rule is defined, you are now back to the overall rule area in the Exchange Admin Center. Notice in my demonstration how this new rule was given the lowest priority, meaning that other rules will trigger first if the defined conditions are met. In my case, this rule must be moved to a higher priority as I want all external email to be flagged with this rule no matter what other rules may be triggered. Be sure to evaluate your goals and how you want this mail to flow.

The higher in the list, the more priority the rule will have over others. Highlight the rule and use the up and down arrows in the GUI to adjust them as needed.