Transport rule for messages outside the organization are trigered for migrated mailboxes outgoing mail

Jesus Urbina 1 Reputation point
2022-04-06T17:17:59.96+00:00

Hello. Running into an issue: (1) Mail destined to outside the organization from a migrated mailbox to online, triggers a transport rule that is configured for incoming emails from outside the organization ("Caution: this email is from outside of the organization...") and (2) mail between mailboxes migrated to online do not trigger the transport rule for a disclaimer however, it does between online and onprem.

The environment is Exchange Hybrid with Centralized mail flow due to internal requirements. I can see in the Message Tracking log under the EventID AGENTINFO the Directionality is labeled as Incoming which I believe is the culprit however, how can I correct this?

Thanks in advance for any guidance.

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,390 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,916 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Jesus Urbina 1 Reputation point
    2022-04-06T19:01:20.373+00:00

    Thanks for looking at this. It is a basic rule

    RunspaceId : a88076fa-a73f-426a-b66d-b92dceb52ab6
    Priority : 19
    DlpPolicy :
    DlpPolicyId : 00000000-0000-0000-0000-000000000000
    Comments :

    ManuallyModified : False
    ActivationDate :
    ExpiryDate :
    Description : If the message:
    Is received from 'Outside the organization'
    Take the following actions:
    Set audit severity level to 'Low'
    and Prepend the message with the disclaimer '<div style='border:solid #9C6500 1.0pt;padding:4.0pt 4.0pt
    4.0pt 4.0pt'><p
    style='margin:0in;margin-bottom:.0001pt;line-height:14.4pt;background:#FFEB9C'><strong><span
    style='font-family:"Calibri",sans-serif;color:black'>Caution:</span></strong><span style='color:black'>
    This email originated from an external source. <strong><span style='font-family:"Calibri",sans-serif'>Be
    Suspicious of Attachments, Links and Requests for Login Information. <br /><br />Utilize the Phishing
    Button in Outlook to report suspected phishing emails.</span></strong></span><o:p></o:p></p></div>'. If
    the disclaimer can't be applied, take no action.

    RuleVersion : 15.0.1.0
    Conditions : {Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromScopePredicate}
    Exceptions :
    Actions : {Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SetAuditSeverityAction,
    Microsoft.Exchange.MessagingPolicies.Rules.Tasks.ApplyHtmlDisclaimerAction}
    State : Enabled
    Mode : Enforce
    RuleErrorAction : Ignore
    SenderAddressLocation : Header
    RuleSubType : None
    UseLegacyRegex : False
    From :
    FromMemberOf :
    FromScope : NotInOrganization
    SentTo :
    SentToMemberOf :
    SentToScope :
    BetweenMemberOf1 :
    BetweenMemberOf2 :
    ManagerAddresses :
    ManagerForEvaluatedUser :
    SenderManagementRelationship :
    ADComparisonAttribute :
    ADComparisonOperator :
    SenderADAttributeContainsWords :
    SenderADAttributeMatchesPatterns :
    RecipientADAttributeContainsWords :
    RecipientADAttributeMatchesPatterns :
    AnyOfToHeader :
    AnyOfToHeaderMemberOf :
    AnyOfCcHeader :
    AnyOfCcHeaderMemberOf :
    AnyOfToCcHeader :
    AnyOfToCcHeaderMemberOf :
    HasClassification :
    HasNoClassification : False
    SubjectContainsWords :
    SubjectOrBodyContainsWords :
    HeaderContainsMessageHeader :
    HeaderContainsWords :
    FromAddressContainsWords :
    SenderDomainIs :
    RecipientDomainIs :
    SubjectMatchesPatterns :
    SubjectOrBodyMatchesPatterns :
    HeaderMatchesMessageHeader :
    HeaderMatchesPatterns :
    FromAddressMatchesPatterns :
    AttachmentNameMatchesPatterns :
    AttachmentExtensionMatchesWords :
    AttachmentPropertyContainsWords :
    ContentCharacterSetContainsWords :
    HasSenderOverride : False
    MessageContainsDataClassifications :
    MessageContainsAllDataClassifications :
    SenderIpRanges :
    SCLOver :
    AttachmentSizeOver :
    MessageSizeOver :
    WithImportance :
    MessageTypeMatches :
    RecipientAddressContainsWords :
    RecipientAddressMatchesPatterns :
    SenderInRecipientList :
    RecipientInSenderList :
    AttachmentContainsWords :
    AttachmentMatchesPatterns :
    AttachmentIsUnsupported : False
    AttachmentProcessingLimitExceeded : False
    AttachmentHasExecutableContent : False
    AttachmentIsPasswordProtected : False
    AnyOfRecipientAddressContainsWords :
    AnyOfRecipientAddressMatchesPatterns :
    ExceptIfFrom :
    ExceptIfFromMemberOf :
    ExceptIfFromScope :
    ExceptIfSentTo :
    ExceptIfSentToMemberOf :
    ExceptIfSentToScope :
    ExceptIfBetweenMemberOf1 :
    ExceptIfBetweenMemberOf2 :
    ExceptIfManagerAddresses :
    ExceptIfManagerForEvaluatedUser :
    ExceptIfSenderManagementRelationship :
    ExceptIfADComparisonAttribute :
    ExceptIfADComparisonOperator :
    ExceptIfSenderADAttributeContainsWords :
    ExceptIfSenderADAttributeMatchesPatterns :
    ExceptIfRecipientADAttributeContainsWords :
    ExceptIfRecipientADAttributeMatchesPatterns :
    ExceptIfAnyOfToHeader :
    ExceptIfAnyOfToHeaderMemberOf :
    ExceptIfAnyOfCcHeader :
    ExceptIfAnyOfCcHeaderMemberOf :
    ExceptIfAnyOfToCcHeader :
    ExceptIfAnyOfToCcHeaderMemberOf :
    ExceptIfHasClassification :
    ExceptIfHasNoClassification : False
    ExceptIfSubjectContainsWords :
    ExceptIfSubjectOrBodyContainsWords :
    ExceptIfHeaderContainsMessageHeader :
    ExceptIfHeaderContainsWords :
    ExceptIfFromAddressContainsWords :
    ExceptIfSenderDomainIs :
    ExceptIfRecipientDomainIs :
    ExceptIfSubjectMatchesPatterns :
    ExceptIfSubjectOrBodyMatchesPatterns :
    ExceptIfHeaderMatchesMessageHeader :
    ExceptIfHeaderMatchesPatterns :
    ExceptIfFromAddressMatchesPatterns :
    ExceptIfAttachmentNameMatchesPatterns :
    ExceptIfAttachmentExtensionMatchesWords :
    ExceptIfAttachmentPropertyContainsWords :
    ExceptIfContentCharacterSetContainsWords :
    ExceptIfSCLOver :
    ExceptIfAttachmentSizeOver :
    ExceptIfMessageSizeOver :
    ExceptIfWithImportance :
    ExceptIfMessageTypeMatches :
    ExceptIfRecipientAddressContainsWords :
    ExceptIfRecipientAddressMatchesPatterns :
    ExceptIfSenderInRecipientList :
    ExceptIfRecipientInSenderList :
    ExceptIfAttachmentContainsWords :
    ExceptIfAttachmentMatchesPatterns :
    ExceptIfAttachmentIsUnsupported : False
    ExceptIfAttachmentProcessingLimitExceeded : False
    ExceptIfAttachmentHasExecutableContent : False
    ExceptIfAttachmentIsPasswordProtected : False
    ExceptIfAnyOfRecipientAddressContainsWords :
    ExceptIfAnyOfRecipientAddressMatchesPatterns :
    ExceptIfHasSenderOverride : False
    ExceptIfMessageContainsDataClassifications :
    ExceptIfMessageContainsAllDataClassifications :
    ExceptIfSenderIpRanges :
    PrependSubject :
    SetAuditSeverity : Low
    ApplyClassification :
    ApplyHtmlDisclaimerLocation : Prepend
    ApplyHtmlDisclaimerText : <div style='border:solid #9C6500 1.0pt;padding:4.0pt 4.0pt 4.0pt 4.0pt'><p
    style='margin:0in;margin-bottom:.0001pt;line-height:14.4pt;background:#FFEB9C'><strong><span
    style='font-family:"Calibri",sans-serif;color:black'>Caution:</span></strong><span style='color:black'>
    This email originated from an external source. <strong><span style='font-family:"Calibri",sans-serif'>Be
    Suspicious of Attachments, Links and Requests for Login Information. <br /><br />Utilize the Phishing
    Button in Outlook to report suspected phishing emails.</span></strong></span><o:p></o:p></p></div>
    ApplyHtmlDisclaimerFallbackAction : Ignore
    ApplyRightsProtectionTemplate :
    SetSCL :
    SetHeaderName :
    SetHeaderValue :
    RemoveHeader :
    AddToRecipients :
    CopyTo :
    BlindCopyTo :
    AddManagerAsRecipientType :
    ModerateMessageByUser :
    ModerateMessageByManager : False
    RedirectMessageTo :
    RejectMessageEnhancedStatusCode :
    RejectMessageReasonText :
    DeleteMessage : False
    Disconnect : False
    Quarantine : False
    SmtpRejectMessageRejectText :
    SmtpRejectMessageRejectStatusCode :
    LogEventText :
    StopRuleProcessing : False
    SenderNotificationType :
    GenerateIncidentReport :
    IncidentReportContent :
    RouteMessageOutboundConnector :
    RouteMessageOutboundRequireTls : False
    ApplyOME : False
    RemoveOME : False
    OMEExpiryDays : 0
    GenerateNotification :
    Identity : Caution Banner for Incoming Email from External Sources
    DistinguishedName : CN=Caution Banner for Incoming Email from External Sources,CN=TransportVersioned,CN=Rules,CN=Transport
    Settings,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain
    Guid : b0c50cfe-4dc9-47fe-8f73-be404a6f2848
    ImmutableId : b0c50cfe-4dc9-47fe-8f73-be404a6f2848
    OrganizationId :
    Name : Caution Banner for Incoming Email from External Sources
    IsValid : True
    WhenChanged : 4/6/2022 1:48:10 PM
    ExchangeVersion : 0.1 (8.0.535.0)
    ObjectState : Unchanged

    0 comments No comments

  2. Jeremy Bradshaw 31 Reputation points
    2023-08-08T19:24:18.0233333+00:00

    Hello just wondering if there was ever any closure on this? I'm seeing current day Exchange 2016 latest Hybrid deployment with EXO, Centralized Mail Transport enabled. Disclaimer-prepending Transport Rule in on-premises Exchange with sole condition of Sender is.. Outside the organization (i.e., "FromScope : NotInOrganization").

    • BAD: Messages sent from EXO mailboxes to external senders trigger the rule and the disclaimer is prepended.
    • GOOD: Messages from EXO mailboxes to on-premises mailboxes do NOT trigger the rule.
    • Can't think of any other relevant flows to cover off here...

    I don't see any decent headers on the BAD-impacted messages for use as an exception on the rule. For now I've suggested to add an extra condition on the rule that states the recipient is "Inside the organization", since that clause doesn't have the BAD impact.

    I have most experience with CBR instead of Centralized Mail Transport. When I saw this thread I thought maybe this is something somewhat common that I managed to (thankfully/luckily) miss so far.

    0 comments No comments