Office Protect Settings - Flag Phishing Emails Using Tenant Domain or Staff Name

Attachments containing links are often used for phishing.


A common phishing practice is to use a staff member's name (the CEO's name is most common) and/or your own domain name in the "From" field of a phishing email. This setting adds a message to any email that uses this technique. It does not prevent delivery, so users need to understand that they should be suspicious of these emails. Some systems (like ticket trackers) use staff names in the “From:” field and could trigger this warning.


You can customize the warning message displayed to your users to fit your organization’s needs directly in the setting.


When enabled, Office Protect will create a set of transport rules. The number of rules depends on the total count of users you have in your organization.


You can find the transport rules in the Exchange Admin Center, in the Mail Flow section. The transport rules will be named "External Senders with matching Domain Names" and "External Senders with matching Domain Names (Group #)".


Operation to look for in the Unified Audit Logs: Set-TransportRule 
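
To act on the audit-log pointer above, this added PowerShell example (not Office Protect's own code) filters Unified Audit Log records down to changes that touch the rules named on this page. The function name, the sample records and the AuditData field names (Operation, UserId, ObjectId, Parameters) are assumptions.

```powershell
# Added example: hypothetical helper, not part of Office Protect.
# The rule-name prefix comes from this page; the AuditData field names are
# assumed from the Exchange admin audit record layout.
$RulePrefix = 'External Senders with matching Domain Names'

function Get-FlagPhishingRuleChange {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [string] $Prefix = $RulePrefix
    )
    process {
        # Search-UnifiedAuditLog returns AuditData as a JSON string.
        $data = $Record.AuditData | ConvertFrom-Json
        # The rule may be named in ObjectId or in the Identity/Name parameter.
        $targets = @($data.ObjectId) +
            @($data.Parameters |
                Where-Object { $_.Name -in 'Identity', 'Name' } |
                ForEach-Object { $_.Value })
        if ($targets | Where-Object { $_ -like "*$Prefix*" }) {
            [pscustomobject]@{
                Time      = $data.CreationTime
                Operation = $data.Operation
                Actor     = $data.UserId
                Rule      = $data.ObjectId
                Changed   = ($data.Parameters.Name -join ', ')
            }
        }
    }
}

# Constructed sample records so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-10T08:15:00","Operation":"Set-TransportRule","UserId":"admin@contoso.example","ObjectId":"External Senders with matching Domain Names (Group 2)","Parameters":[{"Name":"Identity","Value":"External Senders with matching Domain Names (Group 2)"},{"Name":"Mode","Value":"Audit"}]}' },
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-10T09:00:00","Operation":"Set-TransportRule","UserId":"admin@contoso.example","ObjectId":"Unrelated rule","Parameters":[{"Name":"Identity","Value":"Unrelated rule"},{"Name":"Priority","Value":"3"}]}' }
)
$sample | Get-FlagPhishingRuleChange | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations Set-TransportRule -ResultSize 5000 | Get-FlagPhishingRuleChange
```

Changes made by an account other than the one Office Protect uses in your tenant are the ones to review first.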

Limitations for Flag Phishing setting

External emails using a tenant's employee name or domain will be flagged.


This transport rule will protect each User Principal Name (M365 usernames) individually. Unfortunately, Microsoft has a size limit per Transport Rule and a global size limit for all Transport Rules for a tenant.

We evaluated that Office Protect can protect somewhere between 1000 and 1500 users, depending on the length of the User Principal Names. If you have a large organization to protect, Office Protect will include as many users as Microsoft allows, in alphabetical order. If you have too many users and the size limit for transport rules is reached, Office Protect will fail to apply the setting, but the rules will remain in place. We suggest you open the rule to check which users are protected.


If you have a Defender for Office 365 license, we recommend that you use the Defender Anti-Phishing policy. This type of policy allows you to protect key members of your organization such as admins and managers. If you choose to do so, we recommend that you disable this setting.


Microsoft’s documentation on Transport Rules: https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules


Microsoft Anti-Phishing Policy: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide


Microsoft’s documentation on Exchange Online’s limitations: https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits