So this has apparently been around for awhile in Office 365 implementations, but I just ran across it in the wild recently. Transport rules can be configured to display a warning for all received emails that are not sent by someone from within the organization, such as this example:
I thought it was an interesting idea, but apparently people who have deployed this in their organizations find a number of issues:
- The warning only appears if you are using Outlook. If I switch and view the message in Thunderbird, no warning.
- Not surprisingly, users apparently ignore the warning after awhile.
- To the extent it does work, I would be concerned that users would assume any messages that do not have the warning message are, therefore safe. But, at least from my experience, the most effective phishing attacks are two-stage affairs that rely first on compromising a number of organizational accounts, and then using those accounts to spread the actual phishing attack. The lack of a warning message on these emails may ultimately lull employees into a false sense of security.