Identify suspicious messages in and Outlook on the web

Spoof Intelligence from Microsoft 365 Advanced Threat Protection and Exchange Online Protection helps prevent phishing messages from reaching your Outlook inbox. Outlook verifies that the sender is who they say they are and marks malicious messages as junk email. If the message is suspicious but isn't deemed malicious, the sender will be marked as unverified to notify the receiver that the sender may not be who they appear to be. 

Important: When a message is marked as a phishing message, Outlook displays a warning at the top of the page, but any links in the message can still be opened.

If you're an admin and want to manage this feature in your Microsoft 365 tenant, see Spoof settings in anti-phishing policies in Office 365.

Note: This feature is supported for Enterprise users. It is not currently available for Consumer

How can I identify a suspicious message in my inbox?

Outlook shows indicators when the sender of a message is unverified, and either can't be identified through email authentication protocols or their identity is different from what you see in the From address.

  • You see a '?' in the sender image

    When Outlook can't verify the identity of the sender using email authentication techniques, it displays a '?' in the sender photo. 

    Unauthenticated sender in Outlook

  • Not every message that fails to authenticate is malicious. However, you should be careful about interacting with messages that don't authenticate if you don't recognize the sender. Or, if you recognize a sender that normally doesn't have a '?' in the sender image, but you suddenly start seeing it, that could be a sign the sender is being spoofed. You can learn more about more about Spoof Intelligence from Microsoft 365 Advanced Threat Protection and Exchange Online Protection in the Related topics below. 

  • The sender's address is different than what appears in the From address

    Frequently, the email address you see in a message is different than what you see in the From address. Sometimes phishers try to trick you into thinking that the sender is someone other than who they really are.

    When Outlook detects a difference between the sender's actual address and the address on the From address, it shows the actual sender using the via tag, which will be underlined.

    A screenshot of the via tag

    In this example, the sending domain "" is authenticated, but the sender put "" in the From address.

    Not every message with a via tag is suspicious. However, if you don't recognize a message with a via tag, you should be cautious about interacting with it.

    In Outlook and the new Outlook on the web, you can hover your cursor over a sender's name or address in the message list to see their email address, without needing to open the message.

    A screenshot of the cursor hovering over a sender's name

See Also

Advanced security for Microsoft 365 subscribers

Need more help?

Expand your skills


Get new features first


Was this information helpful?

What affected your experience?

Thank you for your feedback!