Business Email Compromise (BEC) cost U.S. companies $2.9 billion in 2023, according to the FBI's Internet Crime Complaint Center. It's the #1 cybercrime by dollar loss — and the attacks are getting more sophisticated every year.
The worst part? Most BEC attacks pass right through standard spam filters. The attacker doesn't need to hack your system. They just need one employee to trust the wrong email.
At AOP, we recently helped a client in the industrial sector set up a simple but highly effective layer of defense using nothing but their existing Microsoft 365 subscription. No third-party tools. No extra licenses. Just M365 working harder for them.
Here's exactly how we did it — and how you can do it too.
What Is an Approved Sender Whitelist?
The concept is straightforward: instead of asking "Is this email bad?" (which spam filters try to do), you ask "Is this sender known to us?"
You maintain a curated list of external contacts your organization actually does business with — vendors, clients, partners, legal counsel, accountants. Any inbound email from an address not on that list gets a bold visual warning banner prepended to the message body before your employee even reads it.
From: [email protected]
Subject: Updated Banking Details - Please Process
Hi Sarah, we've changed our payment routing. Please update our account info and process the outstanding invoice to the new details attached.
No warning. Looks identical to a real vendor email. Employee processes payment to attacker's account.
Employee sees the warning immediately. Pauses. Calls the vendor to verify. Scam averted.
Your team immediately knows to verify before clicking, replying, or — worst case — wiring money to a spoofed account.
How It Works
The solution uses three components that are all built into Exchange Online:
Mail Contacts
Trusted external emails
Security Group
Your approved whitelist
Mail Flow Rule
Adds warning if not in group
Key insight: Your whitelist IS your rule. You never need to modify the mail flow rule itself. Just add or remove contacts from the security group — the rule references the group automatically.
Step-by-Step Setup
Create External Mail Contacts
In the Exchange Admin Center (admin.exchange.microsoft.com), go to Recipients → Contacts and create a mail contact for each trusted external sender.
For each contact, you need:
- Display name (e.g., "Jane Smith - Acme Corp")
- External email address
If you have a large vendor list, use PowerShell to import contacts in bulk. Prepare a CSV with Name and Email columns, then run:
Import-Csv "C:\approved-senders.csv" | ForEach-Object {
New-MailContact -Name $_.Name -ExternalEmailAddress $_.Email
}
Create a Mail-Enabled Security Group
Still in Exchange Admin Center, go to Recipients → Groups and create a new Mail-enabled security group:
- Name: Approved External Senders
- Email: [email protected] (this won't receive mail — it's just required by Exchange)
- Members: Add all the external mail contacts from Step 1
Create the Mail Flow Rule
Go to Mail Flow → Rules in Exchange Admin Center and create a new rule with these settings:
- Name: Warn on Unrecognized External Senders
- Apply this rule if: The sender is located → Outside the organization
- Add exception: The sender is a member of → Approved External Senders
- Do the following: Prepend the disclaimer (your warning HTML)
- If the disclaimer can't be applied: Wrap
Here's the warning banner HTML we use for our clients — copy this into the disclaimer field:
<div style="background-color:#FFF3CD; border:2px solid #FFC107;
border-radius:8px; padding:16px 20px; margin-bottom:16px;
font-family:Arial,sans-serif;">
<strong style="color:#856404; font-size:15px;">
EXTERNAL SENDER — NOT IN APPROVED CONTACTS
</strong>
<p style="color:#856404; font-size:13px; margin:8px 0 0;">
This email is from outside the organization and the sender
is NOT in our approved contacts list. Verify the sender's
identity before clicking links, opening attachments, or
responding to requests for sensitive information.
</p>
</div>
Here's what your employees will see at the top of flagged emails:
Hi Team,
Please note that we have updated our bank account details effective immediately. All future payments should be directed to the new routing number provided in the attachment.
Please process the outstanding balance of $14,200 to the updated account at your earliest convenience.
Best regards,
James Wilson
Accounts Receivable
Example: What a flagged email looks like in your inbox
Test Your Configuration
Send a test email from a personal Gmail or Outlook.com account that is not in your Approved External Senders group. It should arrive with the yellow warning banner at the top.
Then send a test from an address that is in the group. It should arrive clean, with no warning.
Unapproved sender: Yellow warning banner appears at the very top of the email body.
Approved sender: Email arrives normally — no banner, no delay, no extra clicks.
Ongoing Management
This is where the approach really shines. Day-to-day management is dead simple:
- New vendor? Create a mail contact in Exchange, add them to the Approved External Senders group.
- Vendor relationship ended? Remove them from the group. Done.
- Employee asks "is this email safe?" Check if the sender is in the group. If not, verify independently before acting.
- Quarterly review? Export the group membership list and audit against your active vendor roster.
No changes to the mail flow rule. No IT ticket needed for routine updates. Your whitelist IS your security policy.
What This Catches
This approach is particularly effective against the most expensive email-based attacks:
| Attack Type | How It Works | Why the Whitelist Stops It |
|---|---|---|
| Spoofed Vendor | Attacker sends from a lookalike domain (acme-c0rp.com vs acmecorp.com) | Real vendor is whitelisted; the fake domain is not |
| Payment Redirect | "We've changed our bank details" emails requesting updated payment info | Warning banner triggers immediate verification |
| CEO Impersonation | External email pretending to be from your executive team | External sender gets flagged — your CEO's real address is internal |
| First-Contact Phishing | Cold emails with malicious links or attachments | Unknown sender = warning banner = employee on alert |
What This Doesn't Replace
This is a defense-in-depth layer, not a silver bullet. It complements your existing security — it doesn't replace it.
You still need these core protections in place:
- A quality spam filter (Microsoft Defender for Office 365 or equivalent)
- Multi-factor authentication (MFA) on all accounts
- Employee security awareness training
- Endpoint detection and response (EDR) on workstations
- Regular security posture reviews
The approved sender whitelist adds a human-readable trust signal that complements your automated defenses. It's the difference between your spam filter quietly scoring an email and your employee seeing a bright yellow warning before they read a single word.
AOP Can Set This Up for You
We configure this for clients on our Managed IT plans in under 2 hours. If your business handles invoices, wire transfers, or any financial approvals via email — this is a must-have.
Schedule a Free Consultation or call (337) 477-3700