Email phishing attacks are only becoming more prevalent and sophisticated. Here is a quick and easy way to warn your users that an email has originated from outside the organistation and remind them not to click on links or open attachments unless they’ve come from a trusted sender.

Here is how you can add a warning banner to incoming emails from external sources using Exchange online.

  1. Open the Exchange admin center ( and navigate to Mail flow > Rules
  2. Select the + symbol and choose ‘Create new rule…
  3. From here create the rule like the following image.
    Apply this rule if:
    The sender is located – Outside the organization
    The recipient is located – Inside the organizationPrepend the disclaimer:

    <div style="background-color:#FFEB9C;width:100%;border-style:dashed;border-color:#9C6500;border-width:.5pt;padding:1pt;font-size:10pt;line-height:10pt;font-family:'Calibri';color:Black;text-align:center><span style="color:#9C6500″;>⚠ This email originated from outside of the organisation. Do not open links or attachments unless you know the content is safe. &nbsp;⚠</div></br>

    I’ve also added an exclusion for certain email addresses that ‘spoof’ the internal domain. Notably for a cloud based OCR service that uses an internal email address as the ‘from’ address.

  4. This will result in your end users seeing the following banner on all incoming emails from outside the organisation. I’d advise to keep the banner message short as this will be added to all incoming emails including email chains and will also take up part of the Outlook email ‘preview’ pane.