Identify Malicious Phishing Attacks with Outlook Conditional Formatting

In recent years, more organizations and individuals are being constantly bombarded by attacks made by cyber-criminals that use social engineering techniques to convince the recipients to do something that will cause damage to the recipient. This can be in form of financial transactions either directly from the attacked person to the criminal, such as a money order or bank withdraw.

One of the delivery methods used by the criminals is email, mostly because of the ease of use and availability to both the attacker and victims alike. Email is used to send legitimate-looking messages to non-suspecting recipients, which are designed to entice the user to open a file that contains a malware infection, click on a link that will drive the user to a website that’s infected with malware, will ask the user to login using their credentials, or hand over your personal information under false pretenses.
There are several different degrees of phishing, and while regular attacks are not overly sophisticated, there’s a more advanced attack called spear phishing, in which the attacker uses cleverly crafted and targeted emails designed to trick the victim into performing an action, such as clicking on a link or opening a file. On top of that, there are also business email compromise (BEC) attacks, which are an even more focused type of attack, where the attacker performs extensive reconnaissance about personnel within an organization and personally targets specific individuals in the organization to provide accurate information in the email message, which increases the likelihood of the victim to bite the bait.
For example, let’s take a look at an email that was sent to a company’s CFO. At first glance, this message seems to be sent from the CEO. Obviously, I masked the names and e-mail aliases, but trust me, this looks authentic:

Although being able to identify URLs and malicious files is important, most people detect phishing attacks by analyzing the context of the email, rather than focusing on the technical elements within it. For example, many phishing emails appear to come from a person within the organization. Unfortunately, it’s quite easy for attackers to impersonate and send emails that appear to be sent from a legitimate co-worker.
In our previous example, the CFO didn’t realize that she was emailing a fake CEO, so she immediately replied, and the attacker quickly emailed her the money transfer instructions:

Preventing phishing attacks should be listed as a high priority in an organization’s security protection agenda. Aside from proper employee training and occasional internal employee testing, an administrator can give these simple rules to the employees, allowing them to better identify a potential phishing attack.

In our example, the money transfer was stopped just before the order went out, but how many of these attacks do come through? The FBI states:

“Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, it has compiled statistics on more than 7,000 U.S. companies that have been victimized—with total dollar losses exceeding $740 million. That doesn’t include victims outside the U.S. and unreported losses.”

So how do you help employees identify when an email may be coming from an attacker versus one that’s sent from a trusted internal peer? Asides from employee training, an administrator can help by creating rules in Outlook that will color code email messages to distinguish whether the message was sent from someone belonging to the organization. Note that although color coding is a nice thing to have, do not rely solely on this practice, as false positives may exist.
The instructions listed in this article apply to Outlook 2013 and may also apply for future versions of Outlook.
First, let’s open Outlook.
Click on the “View” tab.
Click on “View Settings.”

Click on “Conditional Formatting.”

Click on “Add”.

In the new rule, type in a name. I would suggest creating three separate rules with the following details:
Name: External senders
Font: Whatever you like, I use red color
Conditions: “From” = “@” (no quotes)

Name: Internal senders
Font: Whatever you like, I keep the default
Conditions: “From” = “/ou” (no quotes)

Name: Spoofing senders
Font: Whatever you like, I use fuchsia color
Conditions: “From” = “@YOURDOMAIN” (no quotes, for example “@petri.com”)

Move the “Spoofing senders” rule to the top of the list.

Click OK to confirm your changes.


The result is that all external senders, even the ones that appear to be sending email from the same organization are marked in red. Obviously you can change the color and font to whatever you like, as long as it helps you identify external and internal senders. And again, do not rely on the color code as the only indicator, use it as an aid and always be vigilant by inspecting email text and links to spot phishing attacks before replying or sending important information.