MS365: Exchange External Label Tagging

Traditionally, email systems like Exchange allowed adding a disclaimer at the bottom of incoming emails to warn users about external senders. Something like "Hey dummy, this is an external email!". While this approach is simple to implement, it has limitations. In today's fast-paced world, we often read email on our phones and might not scroll down to see the warning before taking action. Phishing attackers exploit this behavior by crafting emails that appear legitimate. This is where Exchange external tagging adds an extra layer of identification to each incoming email.

This simply places an "External" tag on all email that comes into your MS365 Exchange environment from outside your organization. The tag, or label as some call it, is very visible to Outlook users, including those using the Outlook mobile apps. The tag is not intrusive and looks like this:

[Screenshot: the External tag as shown on a message in Outlook]

This is not currently enabled by default, although in my opinion it should be. To enable it, you'll need to fire up PowerShell.

Run PowerShell as an admin and connect to Exchange Online. You need to make sure you have administrator rights to Exchange to do this.

To connect to Exchange Online run: 

    Connect-ExchangeOnline

This will pop up an MS365 sign-in to verify your login.

Next, to turn this feature ON, you simply run this:

    Set-ExternalInOutlook -Enabled $true

Less work than you thought, right?

But let's say you have an Atlassian Jira domain that you know is legit, and you don't want all of its emails marked. You can set up whitelisting per domain easily. Before you do this, I want to stress: don't do this with public mail domains like gmail.com or hotmail.com, since anyone can send from those. Whitelisting does open a path for phishing, so whitelist domains only if you have to.

To whitelist a domain, run this: 

    Set-ExternalInOutlook -AllowList @{Add="daveherrell.atlassian.net"}

One thing to note: this isn't immediate. It may take a few hours before the whitelist rule kicks in, so please keep that in mind.

To audit your configuration, simply run this command:

    Get-ExternalInOutlook

This will print out whether external tagging is enabled, along with any whitelisting you may have set up.

And yes, you can remove a domain just as easily. Simply run this:

    Set-ExternalInOutlook -AllowList @{Remove="daveherrell.com"}

Double-check the config by running Get-ExternalInOutlook and you are all set!
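If you want the whole procedure in one place, here is an added example script (my own, not from the original post) that enables tagging, applies a whitelist while refusing the public mail domains warned about above, and then audits the result. It assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange admin role, and the domain list is a constructed example.

```powershell
# Added example: enable the External tag, whitelist only vetted domains, then audit.
# Assumes the ExchangeOnlineManagement module is installed and you are an Exchange admin.

# Constructed example list of domains you have vetted and want unlabelled.
$DomainsToAllow = @("daveherrell.atlassian.net")

# Shared consumer mail domains that must never be whitelisted: anyone can send from them.
$NeverAllow = @("gmail.com", "hotmail.com", "outlook.com", "yahoo.com")

Connect-ExchangeOnline -ShowBanner:$false

# Turn on the External tag for all inbound mail from outside the tenant.
Set-ExternalInOutlook -Enabled $true

foreach ($domain in $DomainsToAllow) {
    if ($NeverAllow -contains $domain.ToLower()) {
        Write-Warning "Refusing to whitelist shared mail domain '$domain'"
        continue
    }
    Set-ExternalInOutlook -AllowList @{Add = $domain}
}

# Audit what the tenant currently reports. Changes can take a few hours to
# apply, so a mismatch right after running this is not necessarily an error.
$config = Get-ExternalInOutlook
if (-not $config.Enabled) {
    Write-Warning "External tagging is still reported as disabled"
}
"Enabled:   $($config.Enabled)"
"AllowList: $($config.AllowList -join ', ')"

# Flag any shared mail domain that somehow ended up on the whitelist.
$risky = $config.AllowList | Where-Object { $NeverAllow -contains $_.ToLower() }
if ($risky) {
    Write-Warning "Shared mail domains found in the whitelist: $($risky -join ', ')"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run it a few hours later to confirm the whitelist has actually taken effect.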

Hope you find this helpful!