One of my clients is experiencing phishing where external senders use the display name of one of the board members. An IT admin looks at the complete email address, but regular users are tempted to look only at the display name and will respond to the message. This way CEO/CFO fraud easily happens.
To avoid this, we can create a Transport Rule in Exchange Online that identifies external email with display names of internal recipients. So, when someone on the internet with a display name like mine sends a message, a disclaimer is prepended to it. This way recipients always know it is not an internal message, and it will look something like this:
The transport rule has two conditions:
- Sender is located outside the organization.
- From message header matches one or more internal display names.
If these conditions are met, a warning message is prepended to the email message.
Open the Exchange Admin Console and navigate to Rules under Mail flow. Create a new rule (use More Options to add additional conditions). Select the external sender option and select the message header matches option. Enter "From" as the header name and enter the display names as shown in the following screenshot:
In the Do the following… dropdown box, select the prepend the disclaimer option and enter a warning message, something like:
This message was sent from outside the company by someone with a display name matching a user in your organization. Please do not click links or open attachments unless you recognize the source of this email and know the content is safe.
You can use plain text or HTML formatting like I did:
When you click Save, the transport rule is saved, but it can take an hour before it becomes effective. When a new message arrives from someone with a similar display name, a warning message is added to the email message.
Hopefully this will alert users that the email is not an internal message but comes from the Internet (but it can still be a valid message, of course).
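The same rule can be created from Exchange Online PowerShell instead of the admin console. The script below is an added example, not the author's own script or banner HTML; it assumes an existing session opened with Connect-ExchangeOnline, and the display names, rule name and banner markup are constructed placeholders.

```powershell
# Added example: assumes Connect-ExchangeOnline has already been run
# (ExchangeOnlineManagement module) with rights to manage mail flow rules.

# Constructed sample display names; replace with the names to protect.
$displayNames = @('Jane Example', 'John Q. Sample')

# The header condition takes regular expressions, so escape regex
# metacharacters (the '.' in an initial, parentheses, and so on).
$patterns = $displayNames | ForEach-Object {
    $_ -replace '([\\.^$|?*+()\[\]{}])', '\$1'
}

# Constructed banner markup wrapping the warning text from the article.
$warning = @'
<table border="0" cellpadding="8" width="100%" style="border:1px solid #cc0000;background:#fdecea">
<tr><td><b>Caution:</b> This message was sent from outside the company by
someone with a display name matching a user in your organization. Please do
not click links or open attachments unless you recognize the source of this
email and know the content is safe.</td></tr>
</table>
'@

$rule = @{
    Name                              = 'Warn - external sender with internal display name' # hypothetical name
    FromScope                         = 'NotInOrganization'   # condition 1: sender is outside the organization
    HeaderMatchesMessageHeader        = 'From'                # condition 2: inspect the From header
    HeaderMatchesPatterns             = $patterns             # ...for any protected display name
    ApplyHtmlDisclaimerLocation       = 'Prepend'             # action: put the warning on top
    ApplyHtmlDisclaimerText           = $warning
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'                # still deliver if the body cannot be modified
}

New-TransportRule @rule

# Confirm what was stored.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, FromScope, HeaderMatchesMessageHeader, HeaderMatchesPatterns
```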
You can deploy anti-phishing; this will help with this.
I am aware of that and my customer is using ATP in combination with Office 365 E3. Unfortunately there are still a number of ways to bypass most of the checks, hence the article.
Can you post the html you provided in your sample? I like how it produces a nice alert that is not your typical ugly.
I think I cannot post HTML here, but I’ll send you an email with it.
Can you send me the HTML as well please? That would be great!
HTML is on its way
Is the HTML code available?
Just sent you the HTML code.
Nice guide! Could you please share the HTML code?
Please could I have the HTML for this banner?
What is your email address so I can send it (if I can find it, it’s an old article).
Thanks, Jaap
Jaap, great post. Can you send me the HTML too please?