This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 98%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJU%3C/text%3E%3C/svg%3E)
Hello. Running into an issue: (1) Mail destined to outside the organization from a migrated mailbox to online, triggers a transport rule that is configured for incoming emails from outside the organization ("Caution: this email is from outside of the organization...") and (2) mail between mailboxes migrated to online do not trigger the transport rule for a disclaimer however, it does between online and onprem.
The environment is Exchange Hybrid with Centralized mail flow due to internal requirements. I can see in the Message Tracking log under the EventID AGENTINFO the Directionality is labeled as Incoming which I believe is the culprit however, how can I correct this?
Thanks in advance for any guidance.
Please post the exact and complete rule w/o any personal info
To narrow down this one, I want to confirm some information with you:
Here is an article which could help you to demystify when a message is internal.
Answer to your questions
1 - Yes, the transport rule was created on Exchange On-premises. The rules have been in place prior to migrating the mailbox to the cloud
2 - Correct
3 - The "Caution: this email is from outside of the organization..." rule is not triggered when sending emails from migrated mailbox to on-premises mailbox. The Disclaimer rule is triggered from on-premises mailbox to migrated mailboxes.
I am still going over the article you posted (my native language is not English) and trying to figure out how to check for the specific attributes listed in it.
Thanks in advance for looking into this.
Thanks for looking at this. It is a basic rule
RunspaceId : a88076fa-a73f-426a-b66d-b92dceb52ab6
Priority : 19
DlpPolicy :
DlpPolicyId : 00000000-0000-0000-0000-000000000000
Comments :
ManuallyModified : False
ActivationDate :
ExpiryDate :
Description : If the message:
Is received from 'Outside the organization'
Take the following actions:
Set audit severity level to 'Low'
and Prepend the message with the disclaimer '<div style='border:solid #9C6500 1.0pt;padding:4.0pt 4.0pt
4.0pt 4.0pt'><p
style='margin:0in;margin-bottom:.0001pt;line-height:14.4pt;background:#FFEB9C'><strong><span
style='font-family:"Calibri",sans-serif;color:black'>Caution:</span></strong><span style='color:black'>
This email originated from an external source. <strong><span style='font-family:"Calibri",sans-serif'>Be
Suspicious of Attachments, Links and Requests for Login Information. <br /><br />Utilize the Phishing
Button in Outlook to report suspected phishing emails.</span></strong></span><o:p></o:p></p></div>'. If
the disclaimer can't be applied, take no action.
RuleVersion : 15.0.1.0
Conditions : {Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromScopePredicate}
Exceptions :
Actions : {Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SetAuditSeverityAction,
Microsoft.Exchange.MessagingPolicies.Rules.Tasks.ApplyHtmlDisclaimerAction}
State : Enabled
Mode : Enforce
RuleErrorAction : Ignore
SenderAddressLocation : Header
RuleSubType : None
UseLegacyRegex : False
From :
FromMemberOf :
FromScope : NotInOrganization
SentTo :
SentToMemberOf :
SentToScope :
BetweenMemberOf1 :
BetweenMemberOf2 :
ManagerAddresses :
ManagerForEvaluatedUser :
SenderManagementRelationship :
ADComparisonAttribute :
ADComparisonOperator :
SenderADAttributeContainsWords :
SenderADAttributeMatchesPatterns :
RecipientADAttributeContainsWords :
RecipientADAttributeMatchesPatterns :
AnyOfToHeader :
AnyOfToHeaderMemberOf :
AnyOfCcHeader :
AnyOfCcHeaderMemberOf :
AnyOfToCcHeader :
AnyOfToCcHeaderMemberOf :
HasClassification :
HasNoClassification : False
SubjectContainsWords :
SubjectOrBodyContainsWords :
HeaderContainsMessageHeader :
HeaderContainsWords :
FromAddressContainsWords :
SenderDomainIs :
RecipientDomainIs :
SubjectMatchesPatterns :
SubjectOrBodyMatchesPatterns :
HeaderMatchesMessageHeader :
HeaderMatchesPatterns :
FromAddressMatchesPatterns :
AttachmentNameMatchesPatterns :
AttachmentExtensionMatchesWords :
AttachmentPropertyContainsWords :
ContentCharacterSetContainsWords :
HasSenderOverride : False
MessageContainsDataClassifications :
MessageContainsAllDataClassifications :
SenderIpRanges :
SCLOver :
AttachmentSizeOver :
MessageSizeOver :
WithImportance :
MessageTypeMatches :
RecipientAddressContainsWords :
RecipientAddressMatchesPatterns :
SenderInRecipientList :
RecipientInSenderList :
AttachmentContainsWords :
AttachmentMatchesPatterns :
AttachmentIsUnsupported : False
AttachmentProcessingLimitExceeded : False
AttachmentHasExecutableContent : False
AttachmentIsPasswordProtected : False
AnyOfRecipientAddressContainsWords :
AnyOfRecipientAddressMatchesPatterns :
ExceptIfFrom :
ExceptIfFromMemberOf :
ExceptIfFromScope :
ExceptIfSentTo :
ExceptIfSentToMemberOf :
ExceptIfSentToScope :
ExceptIfBetweenMemberOf1 :
ExceptIfBetweenMemberOf2 :
ExceptIfManagerAddresses :
ExceptIfManagerForEvaluatedUser :
ExceptIfSenderManagementRelationship :
ExceptIfADComparisonAttribute :
ExceptIfADComparisonOperator :
ExceptIfSenderADAttributeContainsWords :
ExceptIfSenderADAttributeMatchesPatterns :
ExceptIfRecipientADAttributeContainsWords :
ExceptIfRecipientADAttributeMatchesPatterns :
ExceptIfAnyOfToHeader :
ExceptIfAnyOfToHeaderMemberOf :
ExceptIfAnyOfCcHeader :
ExceptIfAnyOfCcHeaderMemberOf :
ExceptIfAnyOfToCcHeader :
ExceptIfAnyOfToCcHeaderMemberOf :
ExceptIfHasClassification :
ExceptIfHasNoClassification : False
ExceptIfSubjectContainsWords :
ExceptIfSubjectOrBodyContainsWords :
ExceptIfHeaderContainsMessageHeader :
ExceptIfHeaderContainsWords :
ExceptIfFromAddressContainsWords :
ExceptIfSenderDomainIs :
ExceptIfRecipientDomainIs :
ExceptIfSubjectMatchesPatterns :
ExceptIfSubjectOrBodyMatchesPatterns :
ExceptIfHeaderMatchesMessageHeader :
ExceptIfHeaderMatchesPatterns :
ExceptIfFromAddressMatchesPatterns :
ExceptIfAttachmentNameMatchesPatterns :
ExceptIfAttachmentExtensionMatchesWords :
ExceptIfAttachmentPropertyContainsWords :
ExceptIfContentCharacterSetContainsWords :
ExceptIfSCLOver :
ExceptIfAttachmentSizeOver :
ExceptIfMessageSizeOver :
ExceptIfWithImportance :
ExceptIfMessageTypeMatches :
ExceptIfRecipientAddressContainsWords :
ExceptIfRecipientAddressMatchesPatterns :
ExceptIfSenderInRecipientList :
ExceptIfRecipientInSenderList :
ExceptIfAttachmentContainsWords :
ExceptIfAttachmentMatchesPatterns :
ExceptIfAttachmentIsUnsupported : False
ExceptIfAttachmentProcessingLimitExceeded : False
ExceptIfAttachmentHasExecutableContent : False
ExceptIfAttachmentIsPasswordProtected : False
ExceptIfAnyOfRecipientAddressContainsWords :
ExceptIfAnyOfRecipientAddressMatchesPatterns :
ExceptIfHasSenderOverride : False
ExceptIfMessageContainsDataClassifications :
ExceptIfMessageContainsAllDataClassifications :
ExceptIfSenderIpRanges :
PrependSubject :
SetAuditSeverity : Low
ApplyClassification :
ApplyHtmlDisclaimerLocation : Prepend
ApplyHtmlDisclaimerText : <div style='border:solid #9C6500 1.0pt;padding:4.0pt 4.0pt 4.0pt 4.0pt'><p
style='margin:0in;margin-bottom:.0001pt;line-height:14.4pt;background:#FFEB9C'><strong><span
style='font-family:"Calibri",sans-serif;color:black'>Caution:</span></strong><span style='color:black'>
This email originated from an external source. <strong><span style='font-family:"Calibri",sans-serif'>Be
Suspicious of Attachments, Links and Requests for Login Information. <br /><br />Utilize the Phishing
Button in Outlook to report suspected phishing emails.</span></strong></span><o:p></o:p></p></div>
ApplyHtmlDisclaimerFallbackAction : Ignore
ApplyRightsProtectionTemplate :
SetSCL :
SetHeaderName :
SetHeaderValue :
RemoveHeader :
AddToRecipients :
CopyTo :
BlindCopyTo :
AddManagerAsRecipientType :
ModerateMessageByUser :
ModerateMessageByManager : False
RedirectMessageTo :
RejectMessageEnhancedStatusCode :
RejectMessageReasonText :
DeleteMessage : False
Disconnect : False
Quarantine : False
SmtpRejectMessageRejectText :
SmtpRejectMessageRejectStatusCode :
LogEventText :
StopRuleProcessing : False
SenderNotificationType :
GenerateIncidentReport :
IncidentReportContent :
RouteMessageOutboundConnector :
RouteMessageOutboundRequireTls : False
ApplyOME : False
RemoveOME : False
OMEExpiryDays : 0
GenerateNotification :
Identity : Caution Banner for Incoming Email from External Sources
DistinguishedName : CN=Caution Banner for Incoming Email from External Sources,CN=TransportVersioned,CN=Rules,CN=Transport
Settings,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain
Guid : b0c50cfe-4dc9-47fe-8f73-be404a6f2848
ImmutableId : b0c50cfe-4dc9-47fe-8f73-be404a6f2848
OrganizationId :
Name : Caution Banner for Incoming Email from External Sources
IsValid : True
WhenChanged : 4/6/2022 1:48:10 PM
ExchangeVersion : 0.1 (8.0.535.0)
ObjectState : Unchanged
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 78%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
Hello just wondering if there was ever any closure on this? I'm seeing current day Exchange 2016 latest Hybrid deployment with EXO, Centralized Mail Transport enabled. Disclaimer-prepending Transport Rule in on-premises Exchange with sole condition of Sender is.. Outside the organization (i.e., "FromScope : NotInOrganization").
I don't see any decent headers on the BAD-impacted messages for use as an exception on the rule. For now I've suggested to add an extra condition on the rule that states the recipient is "Inside the organization", since that clause doesn't have the BAD impact.
I have most experience with CBR instead of Centralized Mail Transport. When I saw this thread I thought maybe this is something somewhat common that I managed to (thankfully/luckily) miss so far.