Ever thought to outsmart phishing exercises and have Microsoft Outlook alerting you for phishing, upfront?
You can.
In short
Set a mail rule that
- inspects the mail headers for X-PHISH and/or PHISHINGTEST tags…
- Moves the incoming mail to a folder
- Optionally flag the mail or set a category
Steps
Create a mail rule
Step 1: Select condition
Set : “specific words in the message header”
Set the tags
- X-PHISH
- PHISHTEST
There might be some variations on these tags.
Additionally, if you know phishing test mails are sent from specific domains… add the domain/mail server
Step 2: move it to specified folder in your mailbox
Other options
Some other ideas: set mail alerts or use Power Automate to alert you… (but that’s for another article)
Disclaimer
Obviously it only works for these specific mail header tags, if phishing tests use different headers or other approach, you’ll need to adapt. Don’t take this solution for granted.
And worse, the real stuff… is still out there attacking you.
Stay alert, don’t click on mails and links you don’t expect!
Advanced
While you never should click on any suspicious mail, suspicious links or links in these mails… it still might be a good exercise and learning item to inspect the mail header info.
Look for anomalies in
- mail sender name and published address mismatch with mailbox listed
- sender vs reply-to mismatch
- mail server mismatch with originating server
- mail domain mismatch with originating domain
Advisory – Best practice
If you suspect a mail to be the real thing, actual phishing, better report the mail as spam and forward it to your local CERT or local cybersecurity authority for analysis (and domain URL blocking)…
And message your security team they failed the phishing test 😉
See also
Some info for mail server administrators 😉
- https://learn.microsoft.com/en-us/answers/questions/238559/microsoft-outlook-search-including-message-headers
- https://support.phishingtackle.com/hc/en-gb/articles/360029672471-Allowlisting-by-Email-Headers-in-Exchange-2013-2016-or-Microsoft-365-formerly-Office-365-
- https://support.knowbe4.com/hc/en-us/articles/212723707-Whitelisting-by-Email-Header-in-Exchange-2013-2016-or-Microsoft-365
Identity Underground 