Creating an Office 365 Exchange Online transport rule to prepend a disclaimer for inbound external emails with a specific display name

I feel that every organization has at some point received phishing emails where the attacker impersonates a high level executive such as a CEO to email a CFO or someone in finance in the organization to try and have funds urgently transferred to an account. These phishing attempts can be very difficult to adequately protect because the attacker can easily create an email account from a legitimate service such as Gmail with the CEO’s name concatenated with perhaps a number at the end. The display name will only show the first and last name of the CEO and some users could potentially miss that the email address is not from within their organization. There are many products available that addresses this and one that I am familiar with is Office 365 Advanced Threat Protection which provides a feature named mailbox intelligence which has the following configurable actions:

85

Being able to purchase ATP would be dependent on the size of the organization and whether they’re able to afford the additional licenses but in the event that they are not able to, I would like to demonstrate a possible Exchange Online transport rule solution that can prepend a disclaimer for the incoming email. Note that this wouldn’t be very scalable as you would have to either configure separate rules for each user with a disclaimer identifying the user or have one rule configured for specific users but use a generic disclaimer.

Begin by navigating to mail flow > rules:

84

Create a new rule:

83

Provide a name for the rule and configure a condition specifying that The sender is located… with the setting Outside the organization:

82

Add another condition specifying A message header… with the setting matches these text patterns:

81

Add the full name of the user into the specify words or phrases window:

80

In the Do the following… field, you can select any of the actions you would like to execute when such a message with the matching display name but for this example we will use prepend a disclaimer:

79

You are free to use HTML to format the disclaimer and the following one I included is a yellow text box with the warning Caution: This is an external email from John Smith:

78

<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0

style=’border-collapse:collapse;mso-yfti-tbllook:1184;mso-padding-alt:0in 0in 0in 0in’>

<tr style=’mso-yfti-irow:0;mso-yfti-firstrow:yes;mso-yfti-lastrow:yes;

height:11.9pt’>

<td width=323 valign=top style=’width:242.35pt;border:solid #2A3B48 1.0pt;

background:#F4DF11;padding:0in 5.4pt 0in 5.4pt;height:11.9pt’>

<p class=MsoNormal><b><span style=’font-size:9.0pt;color:#993922′>CAUTION: </span></b><span

style=’font-size:9.0pt’>This is an external email from John Smith <o:p></o:p></span></p>

</td>

</tr>

</table>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

Review and add any additional conditions such as The recipient is… with your own email to test the rule before adding it globally:

77

Proceed to test by sending an email from an external domain with the specified display name you created in the rule to verify that the emails are prepended with a disclaimer.

—————————————————————————————————————————-

Other layers of protection you can add in addition to this are as follows:

Enabling Mail Tips for that warn users when they send an email with external recipients

This needs to be enabled at a global level so either everyone gets the mail tip or no one does so proper communication needs to be made to the organization.

Execute the following cmdlet to determine review the setting:

Get-OrganizationConfig | FL *mailtips*

Note that the screenshot below indicates it is currently set to False. To enable it, execute the cmdlet:

Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true

76

Users will notice the following when they have an email with external recipients in the To field:

75

Prepending a disclaimer for all external emails

You can create a transport rule similar to the one described in this post but omit the condition for the header and tag all external emails entering the organization. If you choose to implement this then I would suggest changing the action for the rule that matches a display name so you don’t end up inserting two disclaimers.