How to Add External Email Warning using Defined Regex List – CloudSecOp.com : Real-World Tech Insights

Phishing emails are one the biggest security threads at the moment. The phishing emails are getting better every year making it hard to block them up front. Typically users find them also hard to recognize and click too often on the links in the emails. We can prevent that by adding an external email warning or tag external emails.

There are basically two options, which you should both implement. The first one is enabling the external email tag in Exchange Online. This will enable a built-in warning between the subject and body of the email when the email is sent from outside your organization.

The second option is to add a custom warning banner at the top of the email. We can show the custom warning based on words in the subject or body, making it really versatile. It allows us to show a warning for phrases like, “keep your password”, or “update your password”

The warning message is displayed only if whether the message meets one or more of the criteria we’ll mention later.

this an exemple for an external email Warning :

I – Enable external email tag in Exchange Online :

1- Connect to Exchange Online through PowerShell :

Set-ExecutionPolicy RemoteSigned -Force

# Importer le module Exchange Online
Import-Module ExchangeOnlineManagement

# Connect to Exchange Online
Write-Host "Connect to Exchange Online" -ForegroundColor Cyan
Connect-ExchangeOnline

2 – Enable external email tag :

Set-ExternalInOutlook -Enabled $true

3 – Add your domain to allowed list :

# Add domains to allow list
Set-ExternalInOutlook -AllowList  @{Add="GlobalITNow.com"}

II – Adding custom warning banner at the top of the email

This step can be configured using the Exchange admin center or PowerShell (most easy for me is powershell 😎).

The configuration consists of creating a rule that adds a warning message to the top of the email if the message contains an item from the following list:

Password.*[expire|reset]
Password access
[reset|change|update].*password
Change.*password
\.odt
E-Notification
EMERGENCY
Retrieve*.document
Download*.document
confirm ownership for
word must be installed
prevent further unauthorized
prevent further unauthorised
informations has been
fallow our process
confirm your informations
failed to validate
unable to verify
delayed payment
activate your account
Update your payment
submit your payment
via Paypal
has been compromised
FRAUD NOTICE
your account will be closed
your apple id was used to sign in to
was blocked for violation
urged to download
that you validate your account
multiple login attempt
trying to access your account
suspend your account
restricted if you fail to update
informations on your account
update your account information
update in our security
Unusual sign-in activity
Account Was Limited
verify and reactivate
has.*been.*limited
have.*locked
has.*been.*suspended
unusual.*activity
notifications.*pending
your\ (customer\ )?account\ has
your\ (customer\ )?account\ was
new.*voice(\ )?mail
Periodic.*Maintenance
refund.*not.*approved
account.*(is\ )?on.*hold
wire.*transfer
secure.*update
secure.*document
temporar(il)?y.*deactivated
verification.*required
blocked\ your?\ online
suspicious\ activit
securely*.onedrive
securely*.dropbox
securely*.google drive
view message
view attachment
*voice*mail
billing

1 – Configuration using PowerShell :

Start the PowerShell ISE editor and type the following code which will do all the work :

 Set-ExecutionPolicy RemoteSigned -Force

# Importer le module Exchange Online
Import-Module ExchangeOnlineManagement

# Connect to Exchange Online
Write-Host "Connect to Exchange Online" -ForegroundColor Cyan
Connect-ExchangeOnline


# HTML Message
$HTMLDisclaimer = '<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%">
  <tr>
    <td style="background:#ffb900;padding:5pt 2pt 5pt 2pt"></td>
    <td width="100%" cellpadding="7px 6px 7px 15px" style="background:yellow;padding:5pt 4pt 5pt 12pt;word-wrap:break-word">
      <div style="color:#222222;">
        <h2><span style="color:#222; font-weight:bold;"><p style="color:red;">Caution:</p></span></h2>
        <b>This is an external email and has a suspicious subject or content. Please take care when clicking links or opening attachments. When in doubt, contact your IT Department.</b> <br><br>
      </div>
    </td>
  </tr>
</table>
<br/>
<br>'


# Phishing key list
$PhishingKeys = "Password.*[expire|reset]","Password access","[reset|change|update].*password","Change.*password","\.odt","E-Notification",
"EMERGENCY","Retrieve*.document","Download*.document","confirm ownership for","word must be installed","prevent further unauthorized",
"prevent further unauthorised","informations has been","fallow our process","confirm your informations","failed to validate","unable to verify",
"delayed payment","activate your account","Update your payment","submit your payment","via Paypal","has been compromised","FRAUD NOTICE",
"your account will be closed","your apple id was used to sign in to","was blocked for violation","urged to download","that you validate your account",
"multiple login attempt","trying to access your account","suspend your account","restricted if you fail to update","informations on your account",
"update your account information","update in our security","Unusual sign-in activity","Account Was Limited","verify and reactivate","has.*been.*limited",
"have.*locked","has.*been.*suspended","unusual.*activity","notifications.*pending","your\ (customer\ )?account\ has","your\ (customer\ )?account\ was",
"new.*voice(\ )?mail","Periodic.*Maintenance","refund.*not.*approved","account.*(is\ )?on.*hold","wire.*transfer","secure.*update","secure.*document",
"temporar(il)?y.*deactivated","verification.*required","blocked\ your?\ online","suspicious\ activit","securely*.onedrive","securely*.dropbox",
"securely*.google drive","view message","view attachment"


Write-Host "Creating Transport Rule" -ForegroundColor Cyan

# Create new Transport Rule
New-TransportRule -Name "External Email Warning" `
                  -FromScope NotInOrganization `
                  -SentToScope InOrganization `
                  -SubjectOrBodyMatchesPatterns $PhishingKeys `
                  -ApplyHtmlDisclaimerLocation Prepend `
                  -ApplyHtmlDisclaimerText $HTMLDisclaimer `
                  -ApplyHtmlDisclaimerFallbackAction Wrap

Write-Host "Transport rule created" -ForegroundColor Green

2 – Configuration from Exchange Admin Center :

Here we propose a second way of doing the same configuration, but from the admin center console.

Login to the Exchange Admin Center
Expand Mail flow
Select Rules
Click on the plus and select Create a new Rule

Give a rule name
if (“the sender” is “outside the organisation”)

Clic “+” to add second condition : And (“the subject or Budy” much “words or phrases”) (Enter the word phrases one by one from the top list)

We can use this HTML to format the warning message in the next step :

<table border=0 cellspacing=0 cellpadding=0 align="left" width="100%">
  <tr>
    <td style="background:#ffb900;padding:5pt 2pt 5pt 2pt"></td>
    <td width="100%" cellpadding="7px 6px 7px 15px" style="background:yellow;padding:5pt 4pt 5pt 12pt;word-wrap:break-word">
      <div style="color:#222222;">
        <h2><span style="color:#222; font-weight:bold;"><p style="color:red;">Caution:</p></span></h2>
        <b>This is an external email and has a suspicious subject or content. Please take care when clicking links or opening attachments. When in doubt, contact your IT Department.</b> <br><br>
      </div>
    </td>
  </tr>
</table>
<br/>
<br>