Phishing attacks are ever more common for all email users. These attacks can target organizations or individual users. Most phishing emails are easy to spot, but even the savviest of us can be caught off guard. When a user ends up clicking on a dangerous link in an email message, suddenly a bunch of servers start getting encrypted and your whole weekend is ruined. In an attempt to help reduce this problem, Microsoft is currently rolling out email safety tips as part of Exchange Online Protection in Office 365.
For clarity's sake, I have broken this blog post down into two sections; first I will talk about the functionality of this feature, then I will editorialize about the feature.
The part where I talk about the functionality
Email safety tips are a new visual indicator that can be added to some messages. The intention is to provide an additional layer of protection against phishing attacks, or provide assurance that the message is safe. These visual indicators are added in up to 4 different colors for different situations depending on the email client being used.
In OWA (do I really need to call it "Outlook on the Web"?) all 4 safety tips can be displayed. The four safety tips are:
Suspicious: messages identified as suspicious will be marked with a red safety tip when they are a known phishing attack, have failed sender identification (via SPF, DKIM, or DMARC), are a suspected spoofing message, or have met some other criteria that EOP has used to determine the message is fraudulent. Users should be trained to use extreme caution when interacting with messages marked with a red safety tip.
Unknown: messages identified as unknown will be marked with a yellow safety tip when EOP marks a message as spam, but its settings still allow that message to be delivered to your mailbox. Users will be able to click the "It's not spam" link in the safety tip bar to move the message from junk mail into their inbox.
Trusted: messages from domains that Microsoft has identified as safe will display a green safety tip.
Safe: messages that are not filtered for spam because they are considered safe by the user's organization, are on the user's safe senders list, or were moved to the inbox by the user clicking "It's not spam" in the safety bar of an unknown message will display a grey safety tip.
In the full Outlook client (safety tips work in all versions of Outlook), and in Outlook mobile clients, the only safety tip that is displayed is the red suspicious tip. Presumably the other three safety tips will make their way into these clients eventually, but Microsoft has not confirmed that is true at this point.
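When a tip appears (or does not) and you want to see what the message headers say, the sketch below reads the SPF, DKIM and DMARC verdicts and the spam confidence level from a message. It is an added example, not code from Microsoft or from the original post, and it does not reproduce EOP's decision; the sample headers are constructed, and the SCL threshold of 5 is an assumption.

```python
import re
from email import message_from_string

# Constructed sample headers (documentation domains and IPs, not real mail).
SAMPLE = """\
From: "Help Desk" <helpdesk@example.com>
To: user@example.org
Subject: Password expires today
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=example.com
X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:;LANG:en;SCL:5;SRV:;
 SFV:SPM;PTR:InfoDomainNonexistent;CAT:SPOOF

Body text.
"""

FAILING = {"fail", "softfail"}  # results counted as failed sender identification
SPAM_SCL = 5                    # assumption: SCL at or above this means "spam"

def auth_results(msg):
    """Collect the first spf/dkim/dmarc verdict from Authentication-Results."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            found.setdefault(method.lower(), result.lower())
    return found

def spam_confidence(msg):
    """Return the SCL from X-Forefront-Antispam-Report, or None if absent."""
    m = re.search(r"\bSCL:(-?\d+)", msg.get("X-Forefront-Antispam-Report", ""))
    return int(m.group(1)) if m else None

def triage(raw):
    """Report which of the conditions listed above the headers show."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    scl = spam_confidence(msg)
    conditions = []
    failed = sorted(m for m, r in auth.items() if r in FAILING)
    if failed:
        conditions.append("failed sender identification: " + ", ".join(failed))
    if scl is not None and scl >= SPAM_SCL:
        conditions.append("marked as spam (SCL %d)" % scl)
    return {"auth": auth, "scl": scl, "failed": failed, "conditions": conditions}

if __name__ == "__main__":
    for line in triage(SAMPLE)["conditions"]:
        print(line)
```

Run it against the raw headers of a message that did or did not receive a tip to compare what EOP stamped on each.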
The part where I editorialize about the feature
It is important to note that these safety tips will not be applied to all messages. They will only be applied to messages when EOP thinks it is appropriate. I did some testing myself and was unable to determine any real rhyme or reason for when EOP thinks a message warrants a safety tip.
I found some messages that were very obviously phishing attempts that did not receive any safety tips, and some messages that absolutely were not phishing attempts that did. I tried sending myself phishing messages from domains that I verified as safe, but was unable to get any of those messages to display any safety tip at all.
Microsoft often states that they do not provide documentation on how EOP makes filtering decisions because doing so would give spammers an advantage. I suppose that is justified to a point, but I also think Microsoft could do a much better job of communicating what is going on behind the scenes with features like this. Would it really be damaging to tell us the criteria for a domain to qualify as safe and get the trusted safety tip? Why do some messages from domains that Microsoft has deemed as trusted get a safety tip while other messages from the same domain do not? A clearly documented description of the difference between spam confidence level (SCL) 7 and 8 would also be helpful.
Additionally, I would like to see Microsoft provide some level of administrative control over safety tips. The ability to designate messages from specific accounts within the user's own tenant as always having the green trusted safety tip would be useful to many organizations. This would allow an organization to designate messages from the help desk or CEO as being trusted.
I'm fairly sure a number of organizations would like the option to turn off these safety tips altogether if they find they are generating calls from confused users.
I think that this feature can be helpful in the fight to educate email users about what messages are safe and what messages are not. Safety tips will be much more useful to Office 365 administrators if they get more administrative controls, and better documentation from Microsoft about how this feature works. This is not the first feature Microsoft has introduced that lacks administrative controls and documentation. Really this situation seems to be the rule more than the exception these days.
Nathan O'Bryan MCSM
Nathan is a five time former Microsoft MVP and he specializes in Exchange, Microsoft 365, Active Directory, and cloud identity and security.