This is the third blog in a three-part series designed to teach an administrator of Microsoft Office 365 environments how to add notifications to every email sent from outside an organization. As stated in Part One, marking all externally sourced emails like this provides a huge advantage to any organization, as it makes it much more difficult for attackers to trick users into clicking on malicious emails.
Blog Series Links:
Part Three (this one): Office 365 External Email Notice Configuration – Part 3
In Part Three, we will use a new option that Microsoft launched in March 2021 and that affects the web version of Outlook as well as the iOS and Android Outlook apps. It does not apply to the full Outlook client.
So why use this option instead of the Exchange Transport Rule defined in Part 2 of this blog series? In Part 2, the rule prepends the subject line with an [External] notification and optionally prepends the message body with a colored text notification at the top of every message received from an external source. With this new method, we use a new Tag feature in Exchange Online. While this still gives us a notification labeled External on these emails, a Tag lets the user gather a bit more information by clicking on it. For example, when a user sees the External tag and clicks on it to learn more about that particular email, they can see the actual source email address. This seemingly small amount of information can make a tremendous difference to the user when trying to determine whether the email in question is real, spoofed, or some other type of malicious message. The better we enable the user to decide whether or not to trust an email message, the more they can help us as administrators keep the environment safe.
Although this blog focuses on how to set up these new Tags, you may want to try a combination of both methods covered in this blog series. With this in mind, let’s now describe how to set up Tags in Microsoft Exchange Online.
Enable External Email Tag Notice in Exchange Online
Using this method, we will implement the new Exchange Tag feature on all email an organization receives from an outside source. I highly recommend you test this method on a few users first in your environment for a week or more.
Exchange Tag Implementation Steps:
*Note: This capability is only available for setup using Exchange PowerShell. It is also only available in Exchange Online.
Part One: Connecting to Exchange Online Management with PowerShell
- 1. Download the Microsoft Exchange Online V2 module prior to connecting to your Office 365 tenant:
  - Download the Exchange Online V2 Module from this location. Use the download labeled with (current version).
  - Open PowerShell with elevated privileges.
  - Use the PowerShellGet feature to download the module needed. The PowerShell command is available in the link above as a copy/paste function. Below is the command I copied into my PowerShell at the time this blog was written. Enter Y to the prompts below. Within a few minutes the module is downloaded and ready to go.
- 2. By default, PowerShell is not enabled to run scripts. You must therefore require that all PowerShell scripts downloaded from the Internet be digitally signed before they can be run. In PowerShell, run the following command:
- 3. We now must temporarily enable WinRM by running the command below:
- 4. Install the new Exchange Online Management Module by running:
Install-Module -Name ExchangeOnlineManagement
- 6. Open a connection to Exchange Online PowerShell using Modern Authentication. For more information on the connection steps, review this Microsoft Support Document. Use the following command:
Connect-ExchangeOnline -UserPrincipalName <UPN>
Note: <UPN> is your account in user principal name format (for example, email@example.com)
For example, to connect to my demonstration environment, I used the command:
Connect-ExchangeOnline -UserPrincipalName firstname.lastname@example.org
A Logon prompt will then appear:
If Multi-Factor Authentication (MFA) is enabled for this administrator account (if it is not already, enable MFA for all Global Admin accounts), another prompt will appear as well.
Part Two: Enabling the External Tag in Exchange Online
Once logged into PowerShell and Exchange Online Management using the steps above, we can enable this parameter.
- 1. Let’s first check the existing setting using the command below:
- 2. Notice in the above PowerShell results that Enabled is set to False. We will now change this to True using the command below:
Set-ExternalInOutlook -Enabled $True
- 3. To verify the setting is now in place, run the first command again to view the changes:
With the new External Tag now in place, you must wait 24-48 hours for the changes to replicate through the environment. In my testing, it took about an hour before I noticed the External Tag appear in my Outlook Web client. As a reminder, this will not work with the full Microsoft Outlook client on a desktop.
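The check, enable and verify steps from Part Two can also be run as one repeatable script. This is an added example, not code from the original post: it assumes the ExchangeOnlineManagement module is already installed, uses `Get-ExternalInOutlook` (the read counterpart of `Set-ExternalInOutlook`) for the check, and the `$AdminUpn` parameter name is hypothetical.

```powershell
# Added example (not from the original post): idempotent check / enable / verify
# of the External tag. Assumes the ExchangeOnlineManagement module is installed.
#Requires -Modules ExchangeOnlineManagement
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical parameter name: the admin account in UPN format.
    [Parameter(Mandatory)]
    [string]$AdminUpn
)
$ErrorActionPreference = 'Stop'

# Modern Authentication sign-in; an MFA prompt follows if MFA is enabled.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
try {
    # Step 1: read the current organization-wide setting.
    $before = Get-ExternalInOutlook
    Write-Host "Before: Enabled=$($before.Enabled)"

    # Senders on the allow list are never tagged, so surface them for review.
    if ($before.AllowList) {
        Write-Warning "Senders exempt from the tag: $($before.AllowList -join ', ')"
    }

    if ($before.Enabled) {
        Write-Host 'External tag already enabled; nothing to change.'
    }
    elseif ($PSCmdlet.ShouldProcess('Exchange Online organization', 'Enable External tag')) {
        # Step 2: turn the tag on.
        Set-ExternalInOutlook -Enabled $true

        # Step 3: re-read the setting and fail loudly if it did not stick.
        $after = Get-ExternalInOutlook
        if (-not $after.Enabled) {
            throw 'Enabled is still False after Set-ExternalInOutlook.'
        }
        Write-Host "After: Enabled=$($after.Enabled)"
    }
}
finally {
    # Always close the remote session, even if a step above failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Running the script with `-WhatIf` reports the current state and the allow list without changing anything.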