Identify Suspicious Messages in Outlook on the Web
A phishing email appears legitimate but is actually an attempt to retrieve your personal information with an intention to harm you. Hackers may also use spoofing to disguise their real email address.
Spoof Intelligence in Office 365 and Exchange Online Protection help prevent phishing messages from reaching your Outlook inbox. Outlook verifies the sender and marks malicious messages as junk email. If the message is suspicious but it is not deemed malicious, the sender will be marked as unverified to notify the receiver that the sender may not be who they appear to be.
Important: When an email is marked as a phishing mail, Outlook displays a warning message at the top of the page, but any links in the mail can still be opened.
How to identify a suspicious message in inbox?
Outlook will show an indication when the sender of a message is unverified, and either can not be identified through email authentication protocols or their identity is different from what you are seeing in the From address.
You see a '?' in a sender image - When Outlook can not verify the identity of the sender using email authentication techniques so it displays a '?' in the sender photo.
Not every message that fails to authenticate is malicious message. However, you should be careful about interacting with messages that do not authenticate if you don't recognize the sender. Or, if you recognize the sender that normally doesn't have a '?' in a sender image, but you suddenly start seeing it, that could be a sign that the sender is being spoofed.
When the sender's email address is different than what appears in the From address
Frequently, an email address you see in a message is different than what you see in the From address. Sometimes phishers try to trick you into thinking that the sender is someone other than who they really are.
When Outlook finds a difference between the sender's actual address and the address on the From address, it shows the actual sender using the via tag, which will be underlined.
In the above image, the sending domain "suspicious.com" is authenticated, but the sender put "unknown@contoso.com" in the From address.
Not all messages with a via tag is suspicious. However, if you do not recognize a message with a via tag, you should be careful while interacting with it.
In Outlook and the new Outlook on the web, you can hover your cursor over a sender's name or address in the message list to see their email address, without needing to open the message.
