Seven things to know about Safety Tips

As I posted on this blog a couple of months ago, and as we posted on the Office blog last month, Office 365 is going to be releasing Safety Tips over the next few weeks. In this blog post, I go into more detail about how they work.

1. Outlook on the web has more Safety Tips than regular Outlook

When you check your email using Outlook on the web (formerly known as Outlook Web Access, or OWA), there are four tips:





However, when checking your email in Outlook, you'll only see the red (Suspicious) Safety Tip:


We have plans to also roll out the yellow Safety Tip a few weeks from now.

2. It doesn't matter which version of Outlook you're using, you'll get Safety Tips automatically

Safety Tips in Outlook don't depend on which version of Outlook you're using, because we crack open the message and insert the Safety Tip directly into the message body. That means that whatever email client you're using will show the Safety Tip. It's done at the email filter level and not rendered at the mail client level.

And that means that not only does it show up in any version of Outlook, it shows up in any email client. But for the purposes of this blog post, I will refer to this as checking Safety Tips in Outlook.

3. Think of Safety Tips in Outlook as "Safety Tattoos"

We think of Safety Tips, when checking them in Outlook, as safety "tattoos" because they stick with your message forever (almost). If you drag a message from the Junk folder to the Inbox, or vice versa, the color of the tip doesn't change.

The only way to delete the tip is to open up the message, highlight it, and delete it.

In this blog post, Safety Tattoos means only the version that we insert inline into the message. Safety Tips refers to both Safety Tattoos and Safety Tips in Outlook on the web; I use it as a general name for the entire feature.

4. The tattoo doesn't show up in Outlook on the web

You may be thinking "If you're inserting the safety tip directly into the message, and you're rendering it in Outlook on the web, does this mean that if I check it in Outlook on the web that I'll see it twice?"


Outlook on the web is smart enough to suppress the safety tattoo and instead show a rendered version of it that you can interact with. For example, the Outlook on the web one may say "Click here to enable blocked content." The safety tattoo does not because it does not have access to that part of the email client's rendering capabilities.

5. As an administrator, you can disable Safety Tattoos

The Exchange Admin Center lets you turn Safety Tattoos on or off; they will be on by default for both new and existing customers. We don't recommend it, but you can disable them by logging in and changing that setting.

You can't disable them in Outlook on the web, however. They also show up.


6. Safety Tips work best if your MX record points to Exchange Online Protection (EOP)

Not all customers point their MX records at EOP. Many point at a 3rd party service and then relay the email on to us. If you do that, Safety Tips won't work as well; they may be suppressed entirely. This robs your users of the additional safety experience of visual clues that something is wrong with the message.

7. The red (Suspicious) Safety Tip's criteria are continually expanding

The red safety tip has lots of different criteria that we are rolling out. Some of it is the same as in, but much of it is unique to EOP. As we find more criteria that we think is suspicious -- phishing -- we'll add it to the tip. We don't plan to document every scenario for which we assign a red tip.


Those are the items I can currently think of. As we get more, I'll add them. Not sure about what to do with the title of the blog post when that happens, though.

Comments (15)
  1. Where in the EAC can you disable “Safety Tattoos”?

    1. tzink says:

      When it goes live for your tenant, it should be under Spam + Bulk actions in the Exchange Admin Center.

      Or via PowerShell: Set-HostedContentFilterPolicy -SafetyTipsLiteEnabled

  2. Greg Hultstrand says:

    What steps were taken to stop spammers from using this as a method to trick people into clicking links? If it is simple HTML, doesn’t that mean a spammer can duplicate it and then use it for their benefit?

    1. tzink says:

      We don’t think it helps a spammer or phisher to insert a red (phishing) or yellow (spam) safety tip into a message because that would undermine their message when getting it to the inbox. We don’t currently insert green (trusted) or gray (you skipped filtering).

  3. Ed says:

    The Safety tips are not enabled on our 365 tenant yet. Is there anything we need to enable/check ?

    1. tzink says:

      We’re still doing a slow rollout as we fix issues that we discover from early adopters. But it’s coming.

      1. rseiler says:

        Is it still rolling out? I just noticed that it’s not happening in our E1 tenant, and I checked in PS that “InlineSafetyTipsEnabled” is True.

        1. tzink says:

          You’ll only see the red tip stamped inline, not (yet) gray or green.

  4. Ben Harris says:

    We have Safety Tips coming up in our tenant. – is there a way to turn them off for a particular sender? for example an X-Header we could use? – we have a SCL-1 rule in place for someone who legitimately spoofs us, but this doesn’t stop the safety tip from showing – we don’t even have the option under our spam filter settings yet to turn it off globally should we want to (which we don’t 🙂 )

    1. tzink says:

      1. SCL -1 should suppress the tip, depending on how you’ve gotten it set up. Safe Senders doesn’t suppress the tip, but ETR or IP allows should.

      2. Safety Tips can only be disabled when they are inserted inline into the message, not when viewing them in Outlook Web Access (OWA). Also, when disabling them, they are either On or Off; there is no conditionality.

      1. Ben Harris says:

        Thanks dude. I’ll log a case with MS then, as the emails are marked as SCL-1 but are still getting the tattoo stamped. (I can provide an example of this privately if you’re curious)

  5. LMMark says:

    “We don’t plan to document every scenario for which we assign a red tip.” – That sounds very un-Microsoft. Why can’t, or won’t you document everything as you normally do?

    1. tzink says:

      We do give some general explanations about how we detect spoofed messages and other types of phishing scams. However, giving too many details away tips off fraudsters to ways to work around our protection.

  6. William Holmes says:

    At what point do you “crack open” the email message? Modifying an email message’s body will invalidate the DKIM body hash. This defeats another security measure.

    Is this only done to messages that are placed in the Exchange Message Store?

    1. tzink says:

      It’s always done. If a message is forwarded, then yes, it’ll fail DKIM. The forwarded-to destination would need to suppress filtering.
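
The DKIM effect discussed in the last thread, as an added example that is not part of the original post or its comments: it computes the RFC 6376 relaxed body hash that a verifier compares with the `bh=` tag and shows that whitespace changes in transit still match while a banner stamped into the body does not. The message body, signature header and banner markup are constructed placeholders, and the signature is assumed to carry no `l=` tag.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization, RFC 6376 section 3.4.4."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse whitespace runs
        out.append(line.rstrip(b" "))          # drop trailing whitespace
    while out and out[-1] == b"":              # drop trailing empty lines
        out.pop()
    return b"".join(l + b"\r\n" for l in out)

def body_hash(body: bytes) -> str:
    """Value a verifier compares against bh= (sha256; assumes no l= tag)."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def signed_bh(dkim_signature: str) -> str:
    """Pull the bh= tag out of a DKIM-Signature header value."""
    m = re.search(r"(?:^|;)\s*bh=([^;]+)", dkim_signature)
    if m is None:
        raise ValueError("no bh= tag")
    return re.sub(r"\s+", "", m.group(1))

def body_matches(dkim_signature: str, body: bytes) -> bool:
    """True when the body as received still hashes to the signed bh= value."""
    return signed_bh(dkim_signature) == body_hash(body)

# Constructed sample body and signature header (b= is a placeholder).
ORIGINAL = b"<html><body>\r\n<p>Invoice attached.</p>\r\n</body></html>\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
             "h=from:subject; bh=" + body_hash(ORIGINAL) + "; b=PLACEHOLDER")

# Whitespace-only change in transit: survives relaxed canonicalization.
REWRAPPED = ORIGINAL.replace(b"<p>Invoice", b"<p>Invoice  ") + b"\r\n\r\n"
# Constructed stand-in for an inline tip stamped into the body by a filter.
BANNER = b"<div>[constructed placeholder for an inline safety tip]</div>\r\n"
STAMPED = ORIGINAL.replace(b"<body>\r\n", b"<body>\r\n" + BANNER)

if __name__ == "__main__":
    samples = [("original", ORIGINAL), ("rewrapped", REWRAPPED), ("stamped", STAMPED)]
    for name, body in samples:
        print(f"{name:10} bh={body_hash(body)} match={body_matches(SIGNATURE, body)}")
```

A downstream hop that re-verifies DKIM on the stamped copy sees only the `bh=` mismatch, which is the forwarding case the reply describes.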

Comments are closed.