Released recently to no fanfare at all, Microsoft now has a SafetyTip that appears if you receive email from a first time recipient.
Most often phish emails will come from an address you have never received email from before, and sometimes this email will try to impersonate people you communicate with or are internal to your organization. Warning for attempted spoofed domains or users is part of Microsoft Defender for Office 365 (previously known as Advanced Threat Protection for Office 365) and the functionality to warn based on similar sender is also part of this product if you enable the “mailbox intelligence” option. But the option to warning for a new sender is available for all Exchange Online users without ATP licences.
The user sees the SafetyTip above the email body as shown below once this new feature is enabled:
To turn on this option you enable a custom message header in a transport rule and then within 30 minutes or so, every new sender under the scope of the rule is warned when they receive email from a new sender. This also includes senders that have not send a lot of message to you, as I see that this Safety Tip appear on subsequent messages from the same sender. Not sure yet when this stops appearing for slightly less new senders!
To enable this feature create the following transport rule, restricting the scope of the rule to some users only to start with and then when happy with the functionality changing the rule to apply to all users.
Open Exchange Online Control Panel (at the time of writing this is in the old UX for this, so these screenshots represent the classic view – this will change at some point in the future) and select Mail Flow > Rules
Click the + icon > Modify Messages and fill in the name “Enable First Contact Safety Tip”
Select under Apply this rule if… The sender is located > Outside the organization
Select under Do the following… Set the message header to this value and click the first option for Enter text and copy and paste the following string X-MS-Exchange-EnableFirstContactSafetyTip
Click the second option for Enter text and enter any value you like. I have had reports that only “enable” works but that is not my experience and I had this working with the value AnythingYouLike!
I turn off the audit option and then save the rule as shown:
To set the rule for a pilot program, click More options and then the newly displayed add condition button and then select that the rule should only apply if the recipient is and select a few names from your global address list.
Within 30 minutes and then the next new sender and Outlook, Outlook Web Access and Outlook Mobile will display the new safety tip