Tagging External Emails in Exchange using Rules the Unintrusive Way
Cyber insurance requirements keep getting stricter as the number and severity of incidents increase year over year. Each year there are new requirements and recommendations that IT teams either need to implement for base coverage or can implement to reduce risk and therefore premiums.
One of the largest attack vectors that insurance underwriters focus on is email, due to its prevalence and generally business-critical nature. It's also a piece of infrastructure that can be exploited with relative ease if it is not configured properly or if end users lack sufficient training. A common recommendation is to tag external emails to alert users that a message is not an internal communication. This helps cut down on replies to external senders pretending to be a manager or other authority figure.
There are several popular ways to tag these emails which boil down to 2 areas:
- In subject
- In body
In-body tagging is a favorite for many organizations, but it can be intrusive. My baseline will be to implement in-subject alerts and progress from there.
To do this, log into your Exchange admin panel and go to mail flow rules. Create a new rule with the following information:
External Emails
If the message...
Is received from 'Outside the organization'
Do the following...
Prepend the subject with '[External]'
Except if...
Includes these words in the message subject: 'External'
We can break down what's happening here step by step...
- Exchange receives an email
- The mail rule checks to see if it's internal or external
- If it's internal, it does nothing and passes it onto other rules if there are any
- If it is external, it checks whether "External" is already present in the subject. If it is, the message is passed on to other rules if there are any
- If it is not already tagged based on the previous step, "[External]" is prepended to the beginning of the subject
You can change "External" to whatever you prefer; this example is meant to be easy to follow. The Except If step that checks for an existing tag helps prevent tags from piling up in an email chain. You don't want emails to look like this:
[External]Re: [External][External]Re: [External]Status update
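The same rule can be created from Exchange PowerShell, which makes it repeatable and easy to audit. This is an added example, not part of the original article; it assumes an Exchange PowerShell session is already connected and reuses the rule name, tag and exception word shown above.

```powershell
# Added example. Assumes a connected Exchange PowerShell session
# (Connect-ExchangeOnline, or the Exchange Management Shell on-premises).
$ruleName = 'External Emails'   # rule name used in the article
$tag      = '[External]'        # text prepended to the subject
$skipWord = 'External'          # subject word that marks a message as already tagged

# Conditions, action and exception, matching the rule described above.
$settings = @{
    FromScope                    = 'NotInOrganization'   # "Outside the organization"
    PrependSubject               = $tag                  # "Prepend the subject with"
    ExceptIfSubjectContainsWords = $skipWord             # "Except if" the subject includes
}

# Create the rule if it is missing, otherwise bring the existing one in line,
# so the script can be re-run without producing duplicate rules.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Set-TransportRule -Identity $ruleName @settings
} else {
    New-TransportRule -Name $ruleName @settings
}

# Read the rule back to confirm what is actually configured.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Mode, Priority, FromScope,
                PrependSubject, ExceptIfSubjectContainsWords
```

Send a test message from an outside mailbox, then reply to it twice across the boundary to confirm that the subject carries a single tag.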
Here's an image of the entire rule for reference: