← Back to BlogCybersecurity

How to Set Up an Approved Sender Whitelist in Microsoft 365

AOP IncMarch 9, 2026
phishingBECbusiness email compromiseMicrosoft 365Exchange Onlinemail flow rulesemail securitymanaged ITLake Charles

$2.9B

Lost to BEC in 2023

#1

Cybercrime by Dollar Loss

< 2 hrs

Setup Time

Business Email Compromise (BEC) cost U.S. companies $2.9 billion in 2023, according to the FBI's Internet Crime Complaint Center. It's the #1 cybercrime by dollar loss — and the attacks are getting more sophisticated every year.

The worst part? Most BEC attacks pass right through standard spam filters. The attacker doesn't need to hack your system. They just need one employee to trust the wrong email.

At AOP, we recently helped a client in the industrial sector set up a simple but highly effective layer of defense using nothing but their existing Microsoft 365 subscription. No third-party tools. No extra licenses. Just M365 working harder for them.

Here's exactly how we did it — and how you can do it too.


What Is an Approved Sender Whitelist?

The concept is straightforward: instead of asking "Is this email bad?" (which spam filters try to do), you ask "Is this sender known to us?"

You maintain a curated list of external contacts your organization actually does business with — vendors, clients, partners, legal counsel, accountants. Any inbound email from an address not on that list gets a bold visual warning banner prepended to the message body before your employee even reads it.

Without Whitelist

From: [email protected]

Subject: Updated Banking Details - Please Process

Hi Sarah, we've changed our payment routing. Please update our account info and process the outstanding invoice to the new details attached.

No warning. Looks identical to a real vendor email. Employee processes payment to attacker's account.

With Whitelist

EXTERNAL SENDER — NOT IN APPROVED CONTACTS

This email is from outside the organization and the sender is NOT in our approved contacts list. Verify the sender before acting.

Employee sees the warning immediately. Pauses. Calls the vendor to verify. Scam averted.

Your team immediately knows to verify before clicking, replying, or — worst case — wiring money to a spoofed account.

How It Works

The solution uses three components that are all built into Exchange Online:

Mail Contacts

Trusted external emails

Security Group

Your approved whitelist

Mail Flow Rule

Adds warning if not in group

Key insight: Your whitelist IS your rule. You never need to modify the mail flow rule itself. Just add or remove contacts from the security group — the rule references the group automatically.

Step-by-Step Setup

Create External Mail Contacts

In the Exchange Admin Center (admin.exchange.microsoft.com), go to Recipients → Contacts and create a mail contact for each trusted external sender.

For each contact, you need:

  • Display name (e.g., "Jane Smith - Acme Corp")
  • External email address
Bulk Import Tip

If you have a large vendor list, use PowerShell to import contacts in bulk. Prepare a CSV with Name and Email columns, then run:

Import-Csv "C:\approved-senders.csv" | ForEach-Object {
    New-MailContact -Name $_.Name -ExternalEmailAddress $_.Email
}

Create a Mail-Enabled Security Group

Still in Exchange Admin Center, go to Recipients → Groups and create a new Mail-enabled security group:

  • Name: Approved External Senders
  • Email: [email protected] (this won't receive mail — it's just required by Exchange)
  • Members: Add all the external mail contacts from Step 1

Create the Mail Flow Rule

Go to Mail Flow → Rules in Exchange Admin Center and create a new rule with these settings:

  • Name: Warn on Unrecognized External Senders
  • Apply this rule if: The sender is located → Outside the organization
  • Add exception: The sender is a member of → Approved External Senders
  • Do the following: Prepend the disclaimer (your warning HTML)
  • If the disclaimer can't be applied: Wrap

Here's the warning banner HTML we use for our clients — copy this into the disclaimer field:

<div style="background-color:#FFF3CD; border:2px solid #FFC107;
    border-radius:8px; padding:16px 20px; margin-bottom:16px;
    font-family:Arial,sans-serif;">
  <strong style="color:#856404; font-size:15px;">
    EXTERNAL SENDER — NOT IN APPROVED CONTACTS
  </strong>
  <p style="color:#856404; font-size:13px; margin:8px 0 0;">
    This email is from outside the organization and the sender
    is NOT in our approved contacts list. Verify the sender's
    identity before clicking links, opening attachments, or
    responding to requests for sensitive information.
  </p>
</div>

Here's what your employees will see at the top of flagged emails:

Test Your Configuration

Send a test email from a personal Gmail or Outlook.com account that is not in your Approved External Senders group. It should arrive with the yellow warning banner at the top.

Then send a test from an address that is in the group. It should arrive clean, with no warning.

Expected Results

Unapproved sender: Yellow warning banner appears at the very top of the email body.
Approved sender: Email arrives normally — no banner, no delay, no extra clicks.

Ongoing Management

This is where the approach really shines. Day-to-day management is dead simple:

  • New vendor? Create a mail contact in Exchange, add them to the Approved External Senders group.
  • Vendor relationship ended? Remove them from the group. Done.
  • Employee asks "is this email safe?" Check if the sender is in the group. If not, verify independently before acting.
  • Quarterly review? Export the group membership list and audit against your active vendor roster.

No changes to the mail flow rule. No IT ticket needed for routine updates. Your whitelist IS your security policy.

What This Catches

This approach is particularly effective against the most expensive email-based attacks:

Attack Type How It Works Why the Whitelist Stops It
Spoofed Vendor Attacker sends from a lookalike domain (acme-c0rp.com vs acmecorp.com) Real vendor is whitelisted; the fake domain is not
Payment Redirect "We've changed our bank details" emails requesting updated payment info Warning banner triggers immediate verification
CEO Impersonation External email pretending to be from your executive team External sender gets flagged — your CEO's real address is internal
First-Contact Phishing Cold emails with malicious links or attachments Unknown sender = warning banner = employee on alert

What This Doesn't Replace

Important

This is a defense-in-depth layer, not a silver bullet. It complements your existing security — it doesn't replace it.

You still need these core protections in place:

  • A quality spam filter (Microsoft Defender for Office 365 or equivalent)
  • Multi-factor authentication (MFA) on all accounts
  • Employee security awareness training
  • Endpoint detection and response (EDR) on workstations
  • Regular security posture reviews

The approved sender whitelist adds a human-readable trust signal that complements your automated defenses. It's the difference between your spam filter quietly scoring an email and your employee seeing a bright yellow warning before they read a single word.


AOP Can Set This Up for You

We configure this for clients on our Managed IT plans in under 2 hours. If your business handles invoices, wire transfers, or any financial approvals via email — this is a must-have.

Schedule a Free Consultation or call (337) 477-3700

AOP Inc

Advanced Office Products (AOP) is Southwest Louisiana's trusted technology partner, providing Managed IT Services, cybersecurity, fiber internet, cloud hosting, and Kyocera office equipment to 350+ businesses across the Lake Charles region and Southeast Texas.

Stop Managing Vendors. Start Growing Your Business.

One call. One partner. Fiber, IT, cloud, security, and equipment — all from AOP. Schedule a free 30-minute strategy session with our team.

GET YOUR FREE STRATEGY SESSION