Collaboration with Email
For most of the last 25 years or so, most people with “office” jobs have relied on email as their...
For clarity sake, I have broken this blog post down into two sections; first I will take about the functionality of this feature, then I will editorialize about the feature.
Email safety tips are a new visual indicator that can be added to some messages. The intention is to provide an additional layer of protection against phishing attacks, or provide assurance that the message is safe. These visual indicators are added in up to 4 different colors for different situations depending on the email client being used.
In OWA (do I really need to call it "Outlook on the Web"?) all 4 safety tips can be displayed. The four safety tips are:
In the full Outlook client (safety tips work in all versions of Outlook), and in Outlook mobile clients, the only safety tip that is displayed is the red suspicious tip. Presumably the other three safety tips will make their way into these clients eventually, but Microsoft has not confirmed that is true at this point.
It is important to note that these safety tips will not be applied to all messages. They will only be applied to messages when EOP thinks it is appropriate. I did some testing myself and was unable to determine any real rhyme or reason for when EOP thinks a message warrants a safety tip.
I found some messages that were very obviously phishing attempts that did not receive any safety tips, and some messages that absolutely were not phishing attempts that did. I tried sending myself phishing messages from domains that I verified as safe, but was unable to get any of those messages to display any safety tip at all.
Microsoft often states that they do not provide documentation on how EOP makes filtering decisions because doing so would give spammers an advantage. I suppose that is justified to a point, but I also think Microsoft could do a much better job of communicating what is going on behind the scenes with features like this. Would it really be damaging to tell us the criteria for a domain to qualify as safe and get the trusted safety tip? Why do some messages from domains that Microsoft has deemed as trusted get a safety tip while other messages from the same domain do not? Clearly documented descriptions of what the difference between spam confidence level (SCL) 7 and 8 are would also be helpful.
Additionally, I would like to see Microsoft provide some level of administrative control over safety tips. The ability to designate messages from specific accounts received within the same tenant as the user resides as always having the green trusted safety tip would be useful to many organizations. This would allow an organization to designate messages from the help desk or CEO as being trusted.
I'm fairly sure a number of organizations would like to option to turn off these safety tips all together if they find they are generating calls from confused users.
I think that this feature can be helpful in the fight to educate email users about what messages are safe and what messages are not. Safety tips will be much more useful to Office 365 administrators if they get more administrative controls, and better documentation from Microsoft about how this feature works. This is not the first feature Microsoft has introduced that lacks administrative controls and documentation. Really this situation seems to be the rule more than the exception these days.
Nathan is a five time former Microsoft MVP and he specializes in Exchange, Microsoft 365, Active Directory, and cloud identity and security.
For most of the last 25 years or so, most people with “office” jobs have relied on email as their...
This is a story about one company’s trials and tribulations of migrating to and maintaining a...