Cyber threats are evolving, and phishing attacks remain one of the biggest risks to schools and trusts. With hackers attempting to impersonate trusted senders, staff awareness and email security measures are critical.
At Cloud Design Box, we recently implemented a simple yet highly effective security rule in our Microsoft 365 Exchange settings – automatically flagging external emails to help staff identify potential phishing attempts.
In a recent video, our Chief of Operations Darren Hemming and Support Manager Joe Bannister share how this easy-to-implement solution can reduce the risk of email fraud and data breaches.
Why flagging external emails matters
Email spoofing – where attackers impersonate someone within your organisation – is a common tactic used in phishing attacks. Hackers can manipulate an email to look like it is from a trusted sender, such as a school leader or finance department, making it easier to trick staff into revealing sensitive information.
Darren explains:
“If somebody wanted to pretend to be me, they could send an email that looks like it comes from my email address. I could be asking a colleague to ‘please send me money now’ or ‘please change your password and tell me what it is’ – a clear security risk.”
By adding [External] to the subject line of incoming emails from outside your organisation, you create an instant visual cue for staff to verify whether the sender is truly internal:
- Immediate warning: Staff can instantly recognise if an email claiming to be from a colleague is actually external.
- Reduces risk of phishing scams: Helps staff spot impersonation attempts before engaging.
- Encourages better security habits: Prompts employees to double-check before clicking suspicious links or downloading attachments.
How to set up the ‘External’ email tag in Microsoft Exchange
IT admins can implement this rule in just a few minutes using the Exchange Admin Centre in Microsoft 365. Here’s how:
Step 1: Create a New Mail Flow Rule
- Open Exchange Admin Centre
- Navigate to Mail Flow > Rules
- Tap + Add a rule
Step 2: Configure the Rule
- Apply this rule if… The sender is not inside the organisation
- Do the following… Add a prefix to the subject line (e.g., [External])
- Add exceptions… Exclude internal shared inboxes (e.g., support@yourtrust.co.uk) to avoid unnecessary labels

Avoiding common pitfalls
When we first implemented this rule, we noticed an issue:
Multiple ‘External’ tags stacking up
Every time someone replied to an external email, the subject line kept adding [External], leading to long, unreadable email chains.
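The Fix: Add an exception to the rule so that it is skipped when the subject line already contains [External]. The tag is then applied only once, however long the reply chain gets, ensuring a cleaner inbox experience.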
Joe explains:
“Just that one little trick stops the clutter – otherwise, after 10 replies, you’d end up with ‘[External] [External] [External]’ all over the subject line.”
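For admins who prefer to script it, the rule from Steps 1 and 2, together with the exception that stops the tags stacking, can also be created from Exchange Online PowerShell. This is an added example, not the exact rule shown in the video: the rule name and the admin account are placeholders, and it assumes the shared inbox is excluded as a recipient.

```powershell
# Added example: requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline -UserPrincipalName admin@yourtrust.co.uk   # placeholder admin account

$ruleName      = 'Tag external email'            # hypothetical rule name
$sharedInboxes = @('support@yourtrust.co.uk')    # example address from the steps above

$rule = @{
    Name                         = $ruleName
    # Apply this rule if... the sender is not inside the organisation
    FromScope                    = 'NotInOrganization'
    # Do the following... add a prefix to the subject line (trailing space keeps it readable)
    PrependSubject               = '[External] '
    # Exception 1: the subject is already tagged, so replies do not stack the prefix
    ExceptIfSubjectContainsWords = '[External]'
    # Exception 2: mail addressed to internal shared inboxes (assumed to mean the recipient)
    ExceptIfSentTo               = $sharedInboxes
    Mode                         = 'Enforce'
}

# Update the rule if it already exists, so re-running the script does not create duplicates.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Set-TransportRule -Identity $existing.Identity @rule
} else {
    New-TransportRule @rule
}

# Confirm what was saved before telling staff the tag is live.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Mode, FromScope, PrependSubject,
                ExceptIfSubjectContainsWords, ExceptIfSentTo
```

Send a test message from an outside mailbox and reply to it a couple of times to check that the subject carries a single [External] prefix.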
Go beyond the technical fix: Staff awareness and training
While technical safeguards help, staff education is equally important.
Train staff to recognise phishing attempts – If an email claims to be from an internal sender but is marked [External], question its authenticity before clicking links or sharing data.
Encourage a ‘Stop and Think’ mindset – Before responding to urgent-sounding requests for money, credentials, or sensitive data, verify them through a trusted channel.
Combine security with user-friendly policies – Clear communication reduces frustration and ensures policies are followed.
What about guest users in Microsoft Teams and SharePoint?
A common question for IT admins:
“If we invite external users into our Microsoft 365 tenant as guests, will they still be flagged as external?”
Yes. Even though they are added as guests, they remain outside the organisation, so emails they send will still be given the [External] tag.
Joe confirms:
“Guests are still external, even if they have access to SharePoint or Teams. They won’t be able to bypass the rule.”
This quick and simple rule provides a huge boost to email security, helping schools and trusts reduce phishing risks and protect staff from cyber threats.
IT admins can set up external email tagging in Microsoft 365 today – it only takes five minutes but can prevent serious security breaches.
Want to strengthen your school’s digital security further? Get in touch with Cloud Design Box for best practices, governance and training to keep your school safe from cyber threats.