What is the External tagging mail-tip?
External tagging is a feature that is included with your Microsoft 365 subscription.
Messages received from any domain except those registered for your Office 365 organization are marked by Exchange Online as [External] when they pass through the transport service on their way to user mailboxes. Outlook clients that support it then display this “External” origination status using a tag or mail tip.
These external tags are designed to alert you that an email has not originated from your organization’s Office 365 tenant.
What do External tags look like?
Microsoft Outlook (Windows)
External tags appear in Microsoft Outlook for Windows in several places.
- In the ‘reading pane’ where your messages are displayed.
- In the ‘header’ or the top of a message sent to you.
(Image courtesy of Microsoft)
External tags appear in Microsoft Outlook Mobile in a few places as well.
- In the ‘inbox’
- As a warning in the top of messages themselves
- When clicked, the external tag describes itself more in depth.
Outlook on the Web
External tags also appear in Outlook on the web!
- In the reading pane
- In the ‘Header’ or top of the message.
What is the purpose & benefit of this?
- This helps your company be better protected against a rising cyber threat known as Business Email Compromise [fbi.gov].
- In Business Email Compromise, threat actors commonly work by impersonating a known, internal user but are using an external email address. Typically, the display name and other aspects of the email message like the email signature may look familiar. The email address does not match–but attackers are able to mask this at first glance.
- A common tactic is to impersonate a CEO or Manager, and “ask for help” acquiring gift cards to be used as employee rewards.
- This can be very difficult to spot when moving quickly in Outlook, or on the go. We’ve seen an increase in users falling for scams like this over the past year (and potentially losing significant amounts in fraudulent wire transfers and gift cards).
- This method is very difficult for traditional security measures to detect:
- uses email addresses with good or neutral reputation (so as to avoid getting blocked by spam filters)
- doesn’t contain links or attachments (since these will be flagged by content scanners)
- This means that enhancing user awareness is key to identifying and avoiding compromise.
What do I do if I receive one?
Most messages you receive from external senders are legitimate and require no action. What you’re looking for are messages from someone you expect to be internal (a colleague, manager, or executive) that is flagged as “External”. If this happens:
- Confirm you are expecting to receive correspondence from the sender.
- Confirm that it’s a valid email address (for instance, they may be sending you correspondence from their external or personal email address).
- If there’s any doubt at all as to the validity of the message:
- CALL them, using a known number (do NOT call a number contained in the email you’re trying to verify!)
- Don’t take any further action on their request until you’ve confirmed the validity of the message.
- Report any fraudulent attempts to GreenLoop so that we can help flag the sender’s reputation. There may be other measures we can put in place to help protect frequently-impersonated individuals.
Do we have an option to exclude this tagging from certain senders that are outside of my organization?
It is possible to exclude specific domains from this (not senders). It should usually be limited to close partner companies–please contact us if you have further questions.
I don’t like seeing this in my Outlook. Can I disable it?
As mentioned above, this notification adds an important layer of security and awareness for you and your users, and helps protect your company from risk of emerging email-based threats. We strongly recommend leaving this enabled and it’s part of GreenLoop’s Security-Enhancement Best Practice Standards for all Office 365 customers. If you still have questions, please reach out to your Account Manager.