How to Enable the First Contact Safety Tip for Exchange Online Protection

Anti-Phishing, Defender, and Impersonation

Updated June 15, 2021

Microsoft Defender for Office 365 is the new name for what used to be called Advanced Threat Protection (ATP). While Exchange Online Protection includes anti-phishing policies to stop phishing attempts like this recent example, Defender extends the anti-phishing policy with impersonation settings (Figure 1).

Figure 1: Impersonation settings in an anti-phishing policy

Impersonation is where an inbound email appears to come from a known sender or domain, but the address is slightly different, such as email from Micriosoft.com. It’s done to lure the recipient into a false sense of security that the email they received originated from a trusted sender or domain, when it’s really an attempt to hoodwink them into doing something bad, like revealing confidential information.

The impersonation settings in anti-phishing policies allow tenants to define up to 60 protected email addresses (per policy) which are then subject to checks to pick up attempts at impersonation. The checks only work if the sender has never communicated with the recipient before. If an attempt is detected, policy settings determine what happens next, such as moving the message to Junk Email.

Safety Tips Highlight Potential Problems

Exchange Online Protection uses safety tips to highlight potentially problematic messages to users. For example, Figure 2 shows a safety tip for a message where the sender’s address could not be verified because the message failed both DKIM and DMARC tests upon arrival into Office 365.

Figure 2: Safety tip for an unverifiable sender address

Figure 3 shows an example of an impersonation safety tip. Microsoft Defender has identified that the email address of an inbound message is similar to an address used by a regular correspondent, so the fact is highlighted.

Figure 3: An example of an impersonation safety tip

Enabling the First Contact Safety Tip with a Mail Transport Rule

The initial method to implement the first contact safety tip was through a mail flow (transport) rule which inserts the X-MS-Exchange-EnableFirstContactSafetyTip x-header into external messages. The presence of the header causes Microsoft Defender to generate a safety tip if the sender has never sent email to the recipient before. The mail flow rule is very straightforward. It applies to all inbound email and applies the x-header to those messages (Figure 4).

Figure 4: Creating a mail flow rule to apply X-MS-Exchange-EnableFirstContactSafetyTip

Note: An earlier version of this post used True as the value for the x-header. Exchange engineering have advised that the x-header should be set to Enable.
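The same rule can be created from Exchange Online PowerShell. This is an added example, not code from the original post: it assumes a session opened with Connect-ExchangeOnline, uses a hypothetical rule name, and expresses "external messages" as a sender outside the organization. It also repairs a rule built with the earlier True value.

```powershell
# Added example. Assumes an existing Exchange Online PowerShell session
# (Connect-ExchangeOnline from the ExchangeOnlineManagement module).
$RuleName    = 'First Contact Safety Tip'   # hypothetical rule name
$HeaderName  = 'X-MS-Exchange-EnableFirstContactSafetyTip'
$HeaderValue = 'Enable'                      # not 'True'; see the note above

# Find any existing rule that stamps this header, whatever it is called.
$existing = @(Get-TransportRule | Where-Object { $_.SetHeaderName -eq $HeaderName })

if ($existing.Count -eq 0) {
    # Assumption: "external messages" means the sender is outside the organization.
    New-TransportRule -Name $RuleName `
        -FromScope NotInOrganization `
        -SetHeaderName $HeaderName `
        -SetHeaderValue $HeaderValue `
        -Comments 'Stamps the first contact safety tip header on external mail' |
        Out-Null
}
else {
    # Correct rules that still carry a different value (for example, True).
    $stale = $existing | Where-Object { $_.SetHeaderValue -ne $HeaderValue }
    foreach ($rule in $stale) {
        Set-TransportRule -Identity $rule.Identity `
            -SetHeaderName $HeaderName `
            -SetHeaderValue $HeaderValue
    }
}

# Verify the result: the rule should be enabled and carry the expected value.
Get-TransportRule |
    Where-Object { $_.SetHeaderName -eq $HeaderName } |
    Format-List Name, State, Priority, FromScope, SetHeaderName, SetHeaderValue
```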

The effect of the mail flow rule is shown in Figure 5. The documentation says “Specific safety tips will be displayed notifying recipients that they often don’t get email from the sender or in cases when the recipient gets an email for the first time from the sender.” This implies that different text is used when a message is received from someone for the first time. However, I have only ever seen safety tips saying that “You don’t often get email from…”

Figure 5: An inbound message is tagged with the “first contact” safety tip

Even though the first contact safety tip is connected to impersonation prevention, it’s not covered by the same licensing requirements. The safety tips appear on messages sent to mailboxes which don’t have Microsoft Defender for Office 365 licenses.

Updating the Anti-Phishing Policy

In June 2021, Microsoft announced (MC262087, June 14, Microsoft 365 roadmap item 82052) that an update to the anti-phishing policy rolling out in late June allows administrators to configure a policy setting to force display of the first contact safety tip. When the update is available, you can continue using the mail transport rule and do nothing, or update the anti-phishing policy through the Security and Compliance center to select the Show first contact safety tip setting. This is a welcome step because it makes it easier for inexperienced administrators to enable the safety tip for users.
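The policy setting can also be audited and applied from PowerShell. This is an added example, not code from the original post: it assumes a Connect-ExchangeOnline session in a tenant where the update has arrived, and uses the EnableFirstContactSafetyTips parameter of the anti-phishing policy cmdlets, a name that does not appear on this page. The $Apply switch is a hypothetical variable that keeps the script in report-only mode by default.

```powershell
# Added example. Assumes an existing Exchange Online PowerShell session.
$HeaderName = 'X-MS-Exchange-EnableFirstContactSafetyTip'
$Apply      = $false   # hypothetical switch: set to $true to change policies

# 1. Audit: which anti-phishing policies already show the first contact tip?
$policies = @(Get-AntiPhishPolicy)
$policies | Format-Table Name, IsDefault, Enabled, EnableFirstContactSafetyTips

# 2. Enable the setting on every policy that lacks it.
#    With $Apply = $false the cmdlet runs with -WhatIf and changes nothing.
$missing = $policies | Where-Object { -not $_.EnableFirstContactSafetyTips }
foreach ($policy in $missing) {
    Set-AntiPhishPolicy -Identity $policy.Identity `
        -EnableFirstContactSafetyTips $true `
        -WhatIf:(-not $Apply)
}

# 3. List any transport rule that still stamps the x-header, so an
#    administrator can decide whether to keep it alongside the policy setting.
Get-TransportRule |
    Where-Object { $_.SetHeaderName -eq $HeaderName } |
    Format-Table Name, State, SetHeaderValue
```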

Warning Users is Goodness

If your tenant has Microsoft Defender for Office 365, it’s a good idea to create and use the mail flow rule recommended by Microsoft. There’s no downside, and it could stop someone falling victim to a phishing attempt in an email received from someone who seems to be like a person that the recipient is used to receiving messages from. Warning people of potential problems is pure and simple goodness!

