Phishing threats have changed drastically over the last couple of years, it no longer about good protection anymore its more about culture and awareness, you need your users to be vigilant at all time, therefore you need to give them all the signs and notices you can to stop the user clicking the links in malicious e-mails.
You cannot fix bad security with policies and procedures, you need employees that have a mindset to protect the company they work for, so like the "speed limit" sign you need to re-enforce theses with notifications and alerts, this will no stop employees and people ignoring those signs, but the "we did tell you" with all the warning and alerts enabled is an easier conversation that without any alerts.
Let talk about that in Exchange or EXO as the process is the same, if you are running local Exchange then lots of the cool options have been removed in preference for you to be using Exchange Online or EXO, damn it, but that should not stop you from adding a warning to the e-mail to warn users, that can look like this:
|
Caution:
This is an external email originating outside your company. Please take extra care when clicking links or opening attachments.
|
This is good as a visual indicator or even as a warning, in this instance that one is red, or the other option is this, which is not as striking but gets the message across the same:
|
Caution:
This is an external email from the evil internet. Please take EXTRA care when clicking links or opening attachments.
|
Finally you have the blue options which is not as "distinctive"
|
Caution:
This is an external email hopefully you are reading this. Please be vigilant with links and attachements.
|
External/Internal - how does it know?
Good question, Exchange and EXO use the accepted domains to figure of what is internal and what is external, so its best to check this before you apply rules based on this mechanism, so see a list of domains that will be considered internal, start Powershell and run this command:
Connect-MsolService Then once you have authenticated run this:
Get-MsolDomainThat will give you a list of domains that are considered for this guide as internal....here you can see bears.local is the "internal" domain (this is a non routable domain, but this is a guide)
Name Status Authentication
---- ------ --------------
bears.local Verified Managed<!-- Red caution banner -->
<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%">
<tr>
<!-- Remove the next line if you don't want the Red bar on the left side -->
<td style="background:#ff0000;padding:5pt 2pt 5pt 2pt"></td>
<td width="100%" cellpadding="7px 6px 7px 15px" style="background:#fff8e5;padding:5pt 4pt 5pt 12pt;word-wrap:break-word;font-family: Verdana">
<div style="color:#FF0000;">
<span style="color:#FF0000; font-weight:bold;font-family: Verdana">Caution:</span>
This is an external email originating outside your company. Please take extra care when clicking links or opening attachments.
</div>
</td>
</tr>
</table>
<br />Yellow Warning:
<!-- Yellow caution banner -->
<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%">
<tr>
<td style="background:#ffb900;padding:5pt 2pt 5pt 2pt"></td>
<td width="100%" cellpadding="7px 6px 7px 15px" style="background:#fff8e5;padding:5pt 4pt 5pt 12pt;word-wrap:break-word">
<div style="color:#222222;">
<span style="color:#222; font-weight:bold;">Caution:</span>
This is an external email and could contain suspicious content. Please take care when clicking links or opening attachments.
</div>
</td>
</tr>
</table>
<br />Blue Warning:
<!-- Blue caution banner -->
<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%">
<tr>
<td style="background:#00A0d2;padding:5pt 2pt 5pt 2pt"></td>
<td width="100%" cellpadding="7px 6px 7px 15px" style="background:#e5f5fa;padding:5pt 4pt 5pt 12pt;word-wrap:break-word">
<div style="color:#222222;">
<span style="color:#222; font-weight:bold;">Caution:</span>
This is an external email and has a suspicious subject or content. Please take care when clicking links or opening attachments.
</div>
</td>
</tr>
</table>
<br/>Prepare to create the mail flow rule
The process for the external warning looks like this:
- Login to the Exchange Admin Centre using https://outlook.office.com/ecp
- Expand Mail flow
- Select Rules
- Click on the plus and select Create a new Rule
Then from here you you will get this, these will all need to be filled out, so here is the screen with nothing filled out for reference......
We now have two options here, you have one for external e-mails and then one for external e-mails with dodgy subjects (remember this is company specific) or based on previous issue, lets start.
External e-mail Warning (Testing)
Note : This will apply the alert to a single mailbox for testing, in this case lee@bear.local
- Give the rule a Name
- Apply the rule to "The recipient" and "This person" then choose the e-mail address of the person
- Add a condition to this to say "The sender" is "Outside the organisation" - which is external
- Do the following is "Apply a disclaimer to the message" then choose "prepend a disclaimer" then under enter text insert the HTML and ensure to set "wrap" as the fall back action
The code you need for the <html data> is in the HTML section for your colour options.
External e-mail Warning (Global)
- Give the rule a Name
- Apply the rule to "The recipient" is "Inside the Domain" - which is Internal
- Add a condition to this to say "The sender" is "Outside the organisation" - which is external
- Do the following is "Apply a disclaimer to the message" then choose "prepend a disclaimer" then under enter text insert the HTML and ensure to set "wrap" as the fall back action
The code you need for the <html data> is in the HTML section for your colour options.
Enable External Tagging (EXO)
This is a very insignificant tag as shown below, notice the "External" tag before the sender, very weak and not very noticeable, this is on so many e-mail people ignore it, from what I have observed.
Connect to Exchange Online with this:
Connect-ExchangeOnline Then once you have authenticated run this:
Set-ExternalInOutlook -Enabled $trueThen you can check its enabled with the top command in bold and the response should be in below the bold command, should say True not false!
Get-ExternalInOutlook | fl
Identity : <domain GUID here>
Enabled : True
AllowList : {}First contact safety tip notification
This is a phishing defence policy which is part of Defender and is not enable by deafult, personally this is very insignificant and it will notify you when you do not get e-mails from people regularly, not really a defence but some people will find it handy, looks like this as is appended to the top of messages......
You don't often get email from it@insightsforprofessionals.co.uk. Learn why this is important
The links to "Learn why this is important" is something people should not click as its a redirected link using aka.ms - so that could go anywhere, but again depends on your user state of mind, anyway if you want to enable this tou can head over to this URL :
https://security.microsoft.com/antiphishing
Then once signed in with an account that can access this resource you will see two policies, this is not this is not the always on policy, this applies to any policy that has the status of "On"
Then the policy called "First contact safety tip" is usually off by default like this:
If you wish to enable it, at the bottom of a list of policies you will notice there is a "Edit Action" options like this:
