Establish Transport Rule for External Email Security Awareness

#exchangeonline #microsoft #saas #security

INTRODUCTION

In today’s digital landscape, email security is critical. External emails pose risks such as phishing, malware, and social engineering attacks. Adding a security disclaimer to external emails in Microsoft Exchange Online helps alert users to exercise caution when interacting with messages from outside your organization. This guide provides a step-by-step process to create a transport rule (mail flow rule) in Exchange Online that appends a customizable security message to all incoming external emails. By the end, you’ll enhance user awareness and reduce risks associated with external communications.

Step-by-Step Guide

Prerequisites

- Exchange Online Access:
Admin credentials for Microsoft 365 with permissions to manage mail flow rules.

- Message Content:
Prepare the security disclaimer text (e.g., “Caution: This email originated from outside our organization. Do not click links or open attachments unless you trust the sender.”).

Log in to Exchange Admin Center (EAC)

Visit https://admin.exchange.microsoft.com.
Log in using your Microsoft 365 admin account.

Navigate to Mail Flow Rules

In the left pane, select Mail Flow > Rules.
Click + Add a rule and choose Create a new rule.

Configure the Transport Rule

- Name the Rule
Name: External Email Security Disclaimer (or a descriptive name).

- Set Conditions
Under Apply this rule if…, select The sender is located… > Outside the organization.

This targets emails from external domains.

(Optional) Add exceptions under Except if… (e.g., exclude emails from trusted partners).

- Define the Action
Under Do the following…, select Apply a disclaimer > Prepend a disclaimer….

Click Enter text and paste your security message.
Example:

<div style="color: #ff0000; font-family: Calibri; border: 1px solid #ff0000; padding: 10px;">  
<strong>Security Alert:</strong> This email originated from an external source. Avoid clicking links or attachments unless you verified the sender.  
</div>

Note: Use HTML for formatting (supported in modern clients like Outlook and Outlook on the web).

- Additional Settings

Rule Mode: Keep as Enforce.
Audit the rule: Enable if testing.
Priority: Adjust if other rules conflict.

Save and Enable the Rule

Click Next > Finish > Save.

- The rule is deactivated by default; the rule needs to be activated.

- Rule Activated

Test the Rule

Send a test email from an external account (e.g., Gmail) to a user in your domain.
Verify the disclaimer appears at the top of the email body.
Check clients: Outlook, Outlook on the web, mobile devices.

Troubleshooting
Disclaimer Not Appearing:

Confirm the sender is truly external (check headers via Message Trace in EAC).
Ensure no conflicting rules are overriding it (adjust priority in Rules list).

Conclusion

By implementing this transport rule, you add a critical layer of security awareness to your organization’s email communications. The disclaimer serves as a constant reminder for users to scrutinize external messages, reducing the likelihood of successful phishing or malware attacks.

Key Takeaways:

Transport rules are flexible and can be customized further (e.g., adding multilingual disclaimers).
Regularly review the rule’s effectiveness via message trace logs.
Combine this with other security measures (e.g., anti-spam policies, DMARC) for robust protection.

Stay proactive by periodically updating the disclaimer text to reflect emerging threats or organizational policies. With this setup, your users become the first line of defense against email-borne risks.