A common phishing tactic is to impersonate internal users so that recipients open malicious files or links. Enabling this feature adds an "External" label and a warning to emails sent from outside your organization. This is a tenant-wide setting (not activated per domain, not customizable).

If your organization already uses mail flow rules (also known as transport rules) to add text to the subject line of messages from external senders, you should disable those rules before you enable this feature to avoid duplication.

Note that it may take up to 48 hours for Microsoft to activate the tag after the setting has been enabled. External emails sent before the feature is activated will not be tagged. External Tags are available with Outlook for Windows Release May 2021.

This setting can only be enabled through Exchange Online PowerShell.

If you want to set up custom rules (e.g., to exclude specific domains or users), you can create a custom mail flow rule targeting external senders in the Exchange admin portal. Disable the Display External Tag setting before enabling the rule to avoid duplication.

Disabling this setting outside of Office Protect will trigger a Setting Changed Outside of Office Protect event.

The operations to look for in the Unified Audit Logs: Set-ExternalInOutlook
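The steps above as an Exchange Online PowerShell script. This is an added example, not code from Office Protect or Microsoft. It assumes the ExchangeOnlineManagement module and an Exchange admin account; the -Apply switch, the 30-day audit window, and the test used to spot overlapping rules (an enabled rule scoped to senders outside the organization that prepends subject text or adds a disclaimer) are choices made for this example.

```powershell
# Added example. Without -Apply (a switch defined by this script) nothing is changed.
param([switch]$Apply)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Find enabled mail flow rules that already mark mail from external senders.
#    Assumption: such a rule is scoped to NotInOrganization and either prepends
#    subject text or applies an HTML disclaimer.
$overlap = Get-TransportRule -ResultSize Unlimited | Where-Object {
    $_.State -eq 'Enabled' -and
    $_.FromScope -eq 'NotInOrganization' -and
    ($_.PrependSubject -or $_.ApplyHtmlDisclaimerText)
}
$overlap | Format-Table Name, Priority, PrependSubject -AutoSize

# 2. Show the current tenant-wide setting.
Get-ExternalInOutlook | Format-List Identity, Enabled

if ($Apply) {
    # Disable the overlapping rules first to avoid double tagging, then enable the tag.
    foreach ($rule in $overlap) {
        Disable-TransportRule -Identity $rule.Identity -Confirm:$false
    }
    Set-ExternalInOutlook -Enabled $true
    Get-ExternalInOutlook | Format-List Identity, Enabled
}
else {
    Write-Host "Dry run: $(@($overlap).Count) overlapping rule(s) found; re-run with -Apply to change settings."
}

# 3. Review who changed the setting, using the operation named above.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'Set-ExternalInOutlook' -ResultSize 1000

foreach ($r in $records) {
    # AuditData is a JSON string; Exchange admin records list the cmdlet
    # parameters as Name/Value pairs.
    $data = $r.AuditData | ConvertFrom-Json
    $enabledParam = $data.Parameters | Where-Object { $_.Name -eq 'Enabled' }
    [pscustomobject]@{
        When    = $r.CreationDate
        User    = $r.UserIds
        Enabled = $enabledParam.Value
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

An audit record whose Enabled value is False is the kind of change that raises the Setting Changed Outside of Office Protect event when it was not made through Office Protect.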

Microsoft’s documentation on the ExternalInOutlook Exchange Online PowerShell cmdlet: https://learn.microsoft.com/en-us/powershell/module/exchange/set-externalinoutlook?view=exchange-ps

Microsoft’s documentation on transport rules: https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules