Office 365 Email Security Monitoring at Princeton

About the Office 365 Email Security Monitoring service

This service is similar to other solutions the University uses to scan messages such as Exchange Online Protection (see KB# 0012210). But with this next generation email security monitoring service, automated pattern recognition and other machine learning techniques are used to analyze the message. Models of behavior are then collected and further analyzed. The service alerts users to potentially malicious messages by displaying a warning banner across the top of the email. The banner message includes the reason(s) for the warning and will not affect your ability to access the email’s original content. Please note that there are no user selectable settings for this service.

Who does it impact & when was it introduced? 



Why are we implementing this service?

With scams on the rise in the evolving security landscape, adding an additional layer of email protection was essential to protect our campus. This service automatically analyzes email and surfaces any abnormal signs in the form of awareness banners, decreasing the likelihood of users responding to attackers or interacting with malicious content. In addition to providing increased security, this service also serves as an educational tool that helps users identify the signs of fraudulent communications.

What does an email security warning banner look like?

sample image of orange banner

How should I respond to a warning banner?

Carefully review the banner content to gain a better understanding of the suspicious nature of the email. You can do this by reviewing the reasons listed at the bottom of the banner (“flags”).  See the table below for descriptions of the flags.

If an email displays a warning banner, please do not reply to the attacker, forward it to a coworker, or interact with links/attachments in any way. If the message has not already been posted to the University’s Phish Bowl (, please report it by forwarding to:  

If you believe a message was falsely flagged with a warning banner, please report it by forwarding to: The Information Security Office will review your submission.

Can I control the way this email security monitoring service interacts with my mail? 

No, the end user cannot adjust settings for this service.

Can I obtain more information on the reason a message was flagged?

Yes, the following list defines the warning flags which are displayed on the warning banners.


Warning Flag Title


Suspicious Link(s)

The email content is unusual due to one or more of the following:

Message body contains a link to a recently created website (domain*), which is a common practice associated with cyber attacks.

Message body contains a shortened link that redirects to a potentially malicious website.

Message content is asking the recipient to click on a suspicious link and/or attachment.

Message contains suspicious link(s) that include email address(es), which is a common pattern in credential theft attacks.

Message contains a link that resembles a legitimate URL* but actually links to a malicious website.

Link(s) Detected in Attachment

The email attachment contains a link to an external website that may be malicious.

Redirect Link(s) Detected

The original link in the email appears to redirect to a malicious website.

Link(s) detected in cloud-sharing document

A link appears to be a cloud-sharing document that contains an embedded link to an external site.

Unusual Sender

The email exhibits suspicious sending behavior:

Sender's email signature (display name/email address) appears to match a member of the University and email may be asking the recipient to engage in an unsafe action.

Sender's display name is attempting to impersonate University leadership.

Sender's email signature (display name/email address) falsely matches/resembles/is associated with a known brand or a known vendor.

Sender has never sent email from this email address. They usually send from a different email address.

Recipient has never received email from the sender's email address.

Sender uses suspicious language.

Sender's account recently showed signs of suspicious activity.

Sender has never used this email address before or has never sent email to our organization.

Sender's email address does not match the sender's display name (a common pattern in impersonation attempts).

Sender's email is coming from an unvalidated source, a pattern commonly observed in email attacks. 

Sender's email was sent from an IP address* that is suspicious. 


Unusual IP* Geolocation


The email sender's IP address* indicates a combination of:

  • Recipient has never received email from this country
  • Email rarely originates from this country
  • Many email attacks originate from this country
  • Many email attacks originate from this IP address*

Potential Spoof

Email source validation fails even though email is sent from a legitimate company domain*. Email account is potentially spoofed.

Invisible Character(s) Found in Email

The email body contains invisible characters (a common pattern observed in email attacks).

Abnormal Recipient Pattern

All email recipients were BCC'd, which is a common pattern when attackers send attacks to many recipients.

Suspicious Attachment

The attachment's extension type is suspicious and is potentially malware.

Unusual Sender Domain*

The email's sender domain* is suspicious:

The sender's domain* is new and was registered less than one year before the email was sent.

The sender's domain* does not match any domains* found in message links.

Unusual Reply To

The “reply to” address exhibits suspicious patterns:

When hitting the “reply to” button, the address displayed is different from the sender’s address.

When hitting the “reply to” button, the domain* address displayed is different from the domain* address in any links in the message.

Potential Gift Card Fraud

The email subject/body contains language commonly found in gift card fraud attacks.

Potential Payroll Fraud

The email subject/body contains language commonly found in payroll fraud attacks.

Suspicious Fax or Voicemail Notification

The message resembles a fax or voicemail notification with malicious content (a method commonly used in email attacks).

Bitcoin Topics


The message contains bitcoin phrases commonly found in bitcoin extortion attacks.


 *Technical Definitions

Domain: In general, a domain name identifies an organization’s network on the internet.

URL: URL stands for Uniform Resource Locator and is used to specify addresses on the internet.

IP address: An Internet Protocol address is a numerical label assigned to each device connected to a computer network.