Information
External callouts provide a native experience to identify emails from senders outside the organization. This is achieved by presenting a new tag on emails called "External" (the string is localized based on the client language setting) and exposing related user interface at the top of the message reading view to see and verify the real sender's email address.
The recommended state is ExternalInOutlook set to Enabled: True.
Tagging emails from external senders helps to inform end users about the origin of the email. This can allow them to proceed with more caution and make informed decisions when it comes to identifying spam or phishing emails.
Mail flow rules are often used by Exchange administrators to accomplish the External email tagging by appending a tag to the front of a subject line. There are limitations to this outlined here.
The preferred method in the CIS Benchmark is to use the native experience.
Note: Existing emails in a user's inbox from external senders are not tagged retroactively.
Solution
To remediate using PowerShell:
- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell command:
Set-ExternalInOutlook -Enabled $true
Impact:
Mail flow rules using external tagging must be disabled, along with third-party mail filtering tools that offer similar features, to avoid duplicate [External] tags.
External tags can consume additional screen space on systems with limited real estate, such as thin clients or mobile devices.
After enabling this feature via PowerShell, it may take 24-48 hours for users to see the External sender tag in emails from outside your organization. Rolling back the feature takes the same amount of time.
Note: Third-party tools that provide similar functionality will also meet compliance requirements, although Microsoft recommends using the native experience for better interoperability.
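The remediation steps and the duplicate-tag check described under Impact, combined into one added PowerShell example (not part of the benchmark text). It assumes the ExchangeOnlineManagement module is installed and the session has Exchange admin rights; the rule filter is a heuristic that only catches enabled rules scoped to senders outside the organization that prepend text to the subject, so rules built on other conditions still need manual review.

```powershell
# Added example: audit, review conflicting mail flow rules, remediate, verify.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# 1. Audit: show the current native external tagging state.
$current = Get-ExternalInOutlook
$current | Format-Table Identity, Enabled, AllowList -AutoSize

# 2. List enabled mail flow rules that tag external mail in the subject line.
#    Heuristic: sender scope is outside the organization and the rule
#    prepends text to the subject. Nothing is disabled automatically.
$subjectTagRules = Get-TransportRule | Where-Object {
    $_.State -eq 'Enabled' -and
    $_.FromScope -eq 'NotInOrganization' -and
    -not [string]::IsNullOrEmpty($_.PrependSubject)
}

if ($subjectTagRules) {
    Write-Warning 'These rules may produce duplicate external tags. Review and disable them:'
    $subjectTagRules | Format-Table Name, Priority, PrependSubject -AutoSize
} else {
    Write-Output 'No enabled subject-prepend rules scoped to external senders were found.'
}

# 3. Remediate only when the setting is not already in the recommended state.
if ($current | Where-Object { -not $_.Enabled }) {
    Set-ExternalInOutlook -Enabled $true
    Write-Output 'ExternalInOutlook enabled. Users may not see the tag for 24-48 hours.'
} else {
    Write-Output 'ExternalInOutlook is already enabled.'
}

# 4. Verify: every returned identity should now report Enabled = True.
$notCompliant = Get-ExternalInOutlook | Where-Object { -not $_.Enabled }
if ($notCompliant) {
    Write-Warning 'ExternalInOutlook is still disabled for:'
    $notCompliant | Format-Table Identity, Enabled -AutoSize
} else {
    Write-Output 'Compliant: ExternalInOutlook Enabled is True.'
}
```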