Overview
We know that some of our customers leverage Exchange transport rules to prepend subject line or insert the message body to show the email is from external senders. This approach has a few ...
Updated Oct 06, 2023
Version 16.0
Blog Post
@tonysperbeck, you are very right; people should pay attention to this. I am not sure why this is even a feature if anyone can spoof real emails within the organization; I regret enabling this feature vs the transport rule (it is too late to roll it back as I read your comment and tested in 09/2024 ). People will have a false sense of security, so ensure your DKIM and SPF are correctly configured. I am listing again what tonysperbeck said - credit to him for testing this .. Also something to add it does not work on native IOS and Android on mobile phones. 09/2024
Just an important note about this feature to share with you all........
Per Microsoft's design, the IsExternalSender MAPI property is not set to TRUE if an external sender spoofs an SMTP-address that is assigned to a mailbox within your Exchange Online organization. This is important for your mail users to be aware of, as the "External" call-out will not be applied to messages that spoof fellow mail users from the same Exchange Online organization.
So do not have your employees rely on this "External" call-out to differentiate someone maliciously phishing as an executive employee giving directions to do things.
While DMARC policy can route such spoofing messages to the Junk Email folder, they still will not have the "External" call-out applied to them by Outlook.
Thanks tonysperbeck and Tech726 for calling attention to this. I have been trying to troubleshoot this issue with Microsoft Support for several weeks now and have made little to no progress.
As mentioned above, I'm not sure why MS would design the feature to work this way. Possibly this is an oversight. The primary reason for using this technology (or a transport rule or whatever) to "tag" external emails is to help users determine the trustworthiness of an email message. If this feature fails to properly tag a spoofed email as external, arguably THE RISKIEST, MOST LIKELY TO BE MALICIOUS type of external email, then what is the point?
Granted, if you have proper controls in place, SPF, DKIM, DMARC, an email security gateway, etc., spoofed emails messages SHOULDN'T make it to an internal user's inbox. However, with any technology, 100% certainty is rare if not impossible. Due to software bugs, misconfigurations, exploits, vulnerabilities, etc., there is ALWAYS a chance a spoofed message will make it through.
That said, I wonder if there is a way to influence or set the IsExternalSender property with a transport rule?