Detecting Spoofed Emails in Office 365

Spoofed Emails

We Won’t Get Spoofed Again

In the last six months, our clients have seen an uptick in the number of spoofed emails in Office 365 that appear to come from an internal user. These are phishing messages that try to get the employee to click on a link contained within the email. They look legitimate because the return address will be that of a co-worker. If the link is clicked, there is a good chance the employee’s machine will be infected, resulting in data theft.

This guide will show you how to put a one-line advisory at the top of every incoming email so you know if it originated from inside or outside of your organization.

Top Tip

If one of your users is fooled into clicking on a malware link, don’t shame them publicly – it helps no one. Instead, use it as a continuing education opportunity. Send out a reminder to everyone in the company to look out for fake and spoofed emails using an anonymized version of the phishing attempt with screenshots. You should be doing this quarterly anyway.


Go to and log in as an administrator, then click on the Admin icon. On the left-hand side pick Admin Centers, then Exchange.

Exchange Admin Center

Parameters for the Spoofed Email Rule

Click Mail Flow, then the Plus (+) symbol and select Create a New Rule.

Adding a New Mail Flow Rule


On the new rule setting page, name the rule, select “The sender is located…” “Outside the organization” and click on More options towards the bottom.

New Mail Flow Rule

Click on Add Condition, then fill in the parameters as pictured below – “The recipient is located…” and “Inside the Organization.” Then add an action of “Prepend the disclaimer…” with the HTML code:

<em style="color: #ff0000;">***&nbsp;EXTERNAL EMAIL&nbsp;***</em>

Select the fallback option as Wrap. This is illustrated below:

New Mail Flow Rule 2
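
The same rule can also be created from Exchange Online PowerShell instead of the admin center. This is an added example, not part of the original guide; it assumes the ExchangeOnlineManagement module is installed, and the rule name and admin account shown are placeholders.

```powershell
# Added example: creates (or updates) the external-email tagging rule described above.
# $RuleName and $AdminUpn are placeholders (assumptions), not values from the guide.
$RuleName = 'Tag external email'
$AdminUpn = 'admin@example.com'

# The disclaimer HTML from the guide, with plain ASCII quotes.
$Disclaimer = '<em style="color: #ff0000;">***&nbsp;EXTERNAL EMAIL&nbsp;***</em>'

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Conditions and action matching the admin center steps:
#   sender outside the organization, recipient inside,
#   prepend the disclaimer, fall back to Wrap if it cannot be inserted.
$ruleSettings = @{
    FromScope                         = 'NotInOrganization'
    SentToScope                       = 'InOrganization'
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    ApplyHtmlDisclaimerText           = $Disclaimer
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
}

# Update the rule if it already exists so the script can be re-run safely.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if ($existing) {
    Set-TransportRule -Identity $RuleName @ruleSettings
    Write-Host "Updated existing rule '$RuleName'."
} else {
    New-TransportRule -Name $RuleName @ruleSettings | Out-Null
    Write-Host "Created rule '$RuleName'."
}

# Verify what was actually saved; State should be Enabled.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Priority, FromScope, SentToScope,
                ApplyHtmlDisclaimerLocation, ApplyHtmlDisclaimerText,
                ApplyHtmlDisclaimerFallbackAction

Disconnect-ExchangeOnline -Confirm:$false
```

Send a test message from an outside mailbox afterwards and confirm the red line appears at the top of the delivered copy.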


End Results

After saving those settings, every user will receive this line at the top of emails that originated from outside:
External Email Notification




Train your users to look for the External Email warning at the top of every email so they can tell whether it was sent by a legitimate user in your organization or from a spoofed email address. Naturally, this won’t help if someone’s password has been cracked, but that too can be largely mitigated by using multi-factor authentication (MFA/2FA).

Phishing Attempt

Microsoft is usually pretty good at blocking these types of spoofed emails, but it’s always an arms race between the good and bad guys. This small change will add an extra line of defense. Always remember that the best security policy is layered – there is no magic bullet that will completely protect you.