"A banner's effectiveness drops exponentially the more often it appears." Many organisations set an external-sender warning in Exchange or Microsoft 365: a banner above incoming email reading "Caution: this email comes from outside the organisation." The thinking is logical. An attacker impersonating a colleague gives themselves away through this banner. The only question is whether the banner keeps doing its job once it sits on virtually every message.
What is the external-sender warning and why do organisations use it?
The external-sender warning is a banner or prefix automatically added to incoming email as soon as the sender does not belong to your own domain. In Exchange Online you arrange this with a mail flow rule (transport rule), or you activate the built-in marking in Microsoft 365. The warning appears at the top of the message body, sometimes also in the subject, and reminds the recipient to be careful.
The measure is popular because it is cheap and set up in minutes. It requires no extra licences and does not slow the mail flow. To many administrators it therefore looks like a free extra layer of defence. But that very ease is also the risk: a measure this simple to switch on is often enabled without anyone thinking through how it works in daily practice.
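The two set-up routes the paragraphs above mention, as an added example in Exchange Online PowerShell (this is not code from the original article). It assumes the ExchangeOnlineManagement module is installed and a Connect-ExchangeOnline session is open; the rule name, banner text and colours are placeholders.

```powershell
# Added example, not from the original article. Assumes the
# ExchangeOnlineManagement module and an existing Connect-ExchangeOnline
# session. Rule name, banner text and colours are placeholders.

# Route 1: a mail flow (transport) rule that prepends an HTML banner to the
# body of every message arriving from outside the organisation. This is the
# always-on variant the article warns leads to habituation.
New-TransportRule -Name "External sender warning" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="background:#fff4ce;padding:6px;border:1px solid #e0c060">Caution: this email comes from outside the organisation.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Comments "Generic banner on all external mail; review after rollout for habituation"

# Route 2: the built-in external-sender marking in Microsoft 365. Outlook
# renders this tag from a message property rather than from text inserted
# into the body, so it is not part of the HTML an attacker controls.
Set-ExternalInOutlook -Enabled $true

# Check what is now in place for external mail.
Get-TransportRule |
    Where-Object { $_.FromScope -eq 'NotInOrganization' } |
    Select-Object Name, State, Priority, ApplyHtmlDisclaimerLocation
Get-ExternalInOutlook | Select-Object Enabled, AllowList
```

Pick one route per tenant: running both produces two warnings on the same message, which accelerates exactly the habituation the next sections describe. The transport-rule banner sits inside the HTML body; the Outlook tag does not, which matters for the "technically deceived" section further down.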
Does the banner actually work? What the research shows
The answer is not black and white. In controlled studies a warning banner genuinely helped. Groups with banners recognised phishing more often than groups without. So the banner does something essential: it interrupts the automatic pace at which people work through their inbox and briefly puts them in a more critical frame of mind.
The problem is that those studies take place under ideal conditions. In the reality of a busy inbox it is different. There the banner appears on so many legitimate messages that it loses its signal value. This is not a gut feeling but a well-documented phenomenon. Our brain habituates to anything constantly present. With a yellow bar on eight out of ten emails, exactly the same happens. After a few weeks employees scroll past it without registering it at all.
The core problem: habituation and a false sense of safety
Through habituation the warning undermines itself: the more often it appears, the less it means. But there is a second, subtler risk that weighs far heavier. Because employees learn that external mail has "that bar", they start to regard internal mail without a bar as safe.
This creates a false sense of safety around messages that are not necessarily safe at all. The most dangerous messages — those from a compromised mailbox or a hijacked colleague's account — lack the banner and are therefore opened with less suspicion. This is the same mechanism as the padlock in Chrome's address bar that Google removed in 2023: people read it as "this site is safe", while it only meant the connection was encrypted. The external-sender warning carries exactly that risk.
The banner can be technically deceived
A determined attacker can bypass the banner. Security researchers have shown that Microsoft's default banner is relatively easy to hide. By placing style rules in the head section of an HTML email, a sender can make the warning that Exchange adds afterwards invisible to the reader.
In some attacks the warning is not only hidden but replaced by a reassuring "trusted sender" banner. With encrypted messages (S/MIME or Purview Message Encryption) the employee also sees no banner on an external message. The banner is therefore not worthless, but its absence must never count as proof of safety.
How do you weigh the measure? Four decisive design choices
It is not about whether you think the banner is good or bad, but about how you deploy it. The difference between an effective and a worthless banner lies mainly in a few design choices:
- A generic banner that is always on is the weakest variant. A fixed text above every external mail leads to habituation. Research indicates a warning has the most effect when it sits close to the suspicious link and temporarily makes that link unclickable.
- A context- or risk-based warning works better. Show the warning only when something genuinely stands out: the first time a sender makes contact, a sender address that closely resembles an existing domain, or an external sender with an internal display name. That preserves the banner's signal value.
- Explicitly allow trusted external senders. Resellers, regular suppliers and known system senders can be excepted. This stops the banner appearing on the vast majority of legitimate mail.
- Make the banner harder to abuse. Where possible, limit the room to manipulate the formatting of incoming mail, and combine the banner with strong verification via SPF, DKIM and DMARC. The most practical implementation is a banner that only appears for a sender you have not mailed with before.
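The four design choices above, carried through as one added example in Exchange Online PowerShell (not code from the original article). It assumes an existing Connect-ExchangeOnline session; the trusted domains, the internal-name list, the placeholder address `jane.doe@contoso.example`, and the rule names are all assumptions to adapt to your own tenant.

```powershell
# Added example, not from the original article. Assumes the
# ExchangeOnlineManagement module and an existing Connect-ExchangeOnline
# session. Domain names, names, addresses and rule names are placeholders.

# Design choice 3: trusted external senders that should never get a banner.
$trustedDomains = @('supplier.example', 'reseller.example', 'notifications.example')

# Take them out of the built-in Outlook external tag; the mail flow rules
# below except the same list with -ExceptIfSenderDomainIs.
Set-ExternalInOutlook -Enabled $true -AllowList $trustedDomains

# Design choice 2a and 4: warn only when sender authentication failed.
# Exchange Online Protection writes the SPF/DKIM/DMARC outcome into the
# Authentication-Results header; compauth is Microsoft's composite verdict.
# Domains that publish p=reject are normally handled before this point, so
# this rule mainly surfaces failures from domains with p=none.
New-TransportRule -Name "External warning: authentication failed" `
    -Priority 0 `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'dmarc=fail', 'compauth=fail' `
    -ExceptIfSenderDomainIs $trustedDomains `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="background:#fde7e9;padding:6px">Warning: this message failed sender authentication (SPF/DKIM/DMARC). Verify with the sender through a known channel before acting on it.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Design choice 2b: an external sender using the display name of a colleague.
# The From header carries the display name, so the pattern is matched there.
$internalNames = @('Jane Doe', 'John Roe')   # placeholder; export from your directory in practice
New-TransportRule -Name "External warning: internal display name" `
    -Priority 1 `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'From' `
    -HeaderMatchesPatterns $internalNames `
    -ExceptIfSenderDomainIs $trustedDomains `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="background:#fde7e9;padding:6px">Warning: this message comes from outside the organisation but uses the name of a colleague. Contact them on a known number before replying.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Design choice 2c: "first time this sender contacts you" and look-alike
# warnings need per-mailbox sender history, which a mail flow rule does not
# have. They live in the anti-phishing policy instead. The first-contact tip
# is available in plain EOP; the impersonation settings below require
# Defender for Office 365.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableFirstContactSafetyTips $true `
    -EnableUnauthenticatedSender $true `
    -EnableViaTag $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @('Jane Doe;jane.doe@contoso.example') `
    -EnableOrganizationDomainsProtection $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true

# Every warning above is conditional, so the banner should now reach only a
# small share of external mail. Review the rules once more before leaving.
Get-TransportRule | Where-Object { $_.Name -like 'External warning:*' } |
    Select-Object Name, State, Priority
```

If a generic always-on rule already exists, disable it with Disable-TransportRule so the context rules become the only source of the banner; otherwise the two stack and the signal value is lost again. After a week, compare how many inbound external messages carried a banner against the total in the message trace: if the share is still close to what it was with the generic rule, the conditions are too broad.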
The message employees really need
The biggest gain is not in the banner itself, but in what you tell your employees about it. The core message is: the presence of a banner means extra caution, but its absence does not mean a message is safe. Teach employees not to rely on the banner, but to look at the context.
Does this request match how we normally do things? Does it fit the relationship with this sender? Is pressure or urgency being built up? Those questions are a more reliable filter than any coloured bar. This is most effective when practised explicitly in training and phishing simulations. Employees must experience that a message without a banner can also come from outside and therefore deserves caution precisely then.
How do you anchor this in a security awareness programme?
The external-sender warning is a fine example of a technical measure that only gains value through behaviour. So treat it explicitly in your awareness approach instead of switching it on quietly in the background.
In a short module, explain why the banner is there, that it can be deceived, and that your own judgement of content and context remains more important than the coloured panel. In phishing simulations, show how a message can arrive with and without a banner, so employees experience that the absence of a warning guarantees nothing. Combine this with clear verification agreements: a call-back number for supplier changes, a four-eyes principle, and a fixed route for reporting doubtful cases.
That way you put the measure in service of behaviour, instead of treating it as a button the IT department flips. The banner then becomes a prompt for the right conversation, and ultimately it is that conversation which protects employees.
FAQ
What does the external-sender warning actually do?
It is a banner or prefix automatically added to incoming email as soon as the sender does not belong to your own domain, as a reminder to be careful.
Does the banner actually make employees more alert?
In controlled studies yes, but in daily practice that effect weakens quickly through habituation, especially when the banner sits on virtually every email.
Why is it risky if the banner is on nearly all mail?
Employees get used to it and stop seeing it, and they start to regard internal mail without a banner as safe, which is dangerous with hacked internal accounts.
Can an attacker hide the banner?
Yes. Through clever style rules in HTML the banner can be made invisible, sometimes even replaced by a reassuring fake banner. It is also often missing on encrypted messages.
Should I just turn the banner off then?
Not necessarily. The measure has value as part of a whole, but works best on a context basis and combined with sender verification via SPF, DKIM and DMARC.
What is the most important message for employees?
That the presence of a banner is a reason for caution, but its absence does not mean a message is safe. Your own judgement remains more important than the bar.
How does this work together with phishing simulations?
Simulations show what a banner does and does not guarantee. By practising messages with and without a warning, employees learn to trust content and context, not colour.