Office 365 Spam Filter: Setup and Configuration


At the very least, spam emails are a nuisance. However, these unsolicited messages are also a genuine menace when they contain malicious attachments or malware. Luckily, organizations using Microsoft 365 can safeguard their mailboxes by automatically separating junk email from legitimate communication.

Exchange Online Protection (EOP) is the main security tool for Microsoft 365 subscriptions. Security administrators use EOP to create policies and filters against malware, spam and other email threats. Note that previously, admins could access EOP from the Exchange admin center. Today, EOP is part of the Microsoft 365 Defender portal for advanced protection and control, and you can get EOP as part of Exchange Online or as a standalone service.

This blog post explains how Office 365 email filtering works and details the technologies included in EOP. Read on to learn how to correctly configure your inbound and outbound spam filter policies in EOP.


How Does Spam Filter Work?

How to Configure Office 365 Spam Filter Policy

Creating the inbound anti-spam policy in Microsoft 365 Defender

Creating the outbound anti-spam policy in Microsoft 365 Defender

How to Configure Connection Filtering

Modifying the default connection filter policy in Microsoft 365 Defender

How to Remove Custom Anti-Spam Policies

Managing Errors in Spam Filtering


Before we start

NAKIVO Backup & Replication allows you to secure your Microsoft 365 environment with backup and granular recovery for Exchange Online, OneDrive for Business and SharePoint Online. Download the Microsoft 365 data protection white paper to learn more about data protection in the cloud.

How Does Spam Filter Work?

Microsoft's spam filtering with Exchange Online Protection (EOP) relies on previously identified spam and phishing threats as well as collected user feedback from Outlook.com to detect junk email. The identified junk email is automatically classified and separated from legitimate inbound messages. The O365 spam filter prevents inboxes from getting filled up with useless emails and ensures smooth communication within and beyond an organization's network.

The following technologies make up the anti-spam settings in EOP:

  • Spam (content) filtering: You can configure anti-spam policies in EOP so that inbound messages are classified based on the following verdicts:
    • Spam
    • High confidence spam
    • Bulk email
    • Phishing email
    • High confidence phishing email

The anti-spam policy allows you to define the actions for each verdict and configure the corresponding notification settings.

  • Outbound spam filtering: You can also configure outbound spam filtering in EOP to prevent users in your organization from sending spam intentionally or unintentionally by limiting outbound messages and monitoring spam within the content.
  • Connection filtering: You can configure filtering based on IP addresses to identify good and bad email sources in an inbound email connection. Specify IP addresses or ranges for the IP Allow List and IP Block List and benefit from the safe list maintained by Microsoft.
  • Spoof intelligence: For anti-spoofing protection, configure anti-phishing policies in EOP. Other anti-spoofing methods in EOP include email authentication and spoof intelligence insight.

How to Configure Office 365 Spam Filter Policy

In Microsoft 365 environments, an anti-spam policy includes two elements to be configured:

  • Spam filter policy: Defines the actions and notification options related to the spam filtering verdicts.
  • Spam filter rule: Refers to the priority of the spam filter policy in addition to the recipients to whom the policy applies.

Note: When you create a new anti-spam policy, you are creating a spam filter rule and the associated spam filter policy. If you delete a policy, both elements are also deleted.

Organizations that use Microsoft 365 have a built-in Default anti-spam policy that can be viewed and modified from the Microsoft 365 Defender portal. This policy has the lowest priority value and doesn't deliver effective protection against spam.

For this reason, Microsoft recommends that security admins configure their custom spam filter settings based on the needs of their environments. To simplify configuration, Microsoft 365 Defender provides two built-in security levels, Standard and Strict, each with its preset settings detailed below.

Creating the inbound anti-spam policy in Microsoft 365 Defender

You can create a custom inbound anti-spam policy and the corresponding spam filter rule by following the steps below:

  1. Access the Anti-spam policies page by entering https://security.microsoft.com/antispam in your browser.

Note: You can also go to the anti-spam policies page by using https://security.microsoft.com, then clicking Email & Collaboration > Policies & Rules > Threat policies > Anti-spam under Policies.

  2. Click + Create policy and choose Inbound from the dropdown list.


  3. The first page of the policy creation wizard is the Name your policy page. Define the following settings:
  • Name: Add a descriptive and unique name for your policy.
  • Description: Enter a fitting description (optional).

Click Next to continue.


  4. On the Users, groups, and domains page, add the internal recipients affected by the spam filter policy:
  • Users: mail users, contacts or mailboxes inside your organization
  • Groups: Microsoft 365 groups, mail-enabled security groups or distribution groups
  • Domains: recipients in the accepted domains in your company

Type a value in each box and select the one you need from the displayed results. You can remove a value by clicking x next to it. You can also select the checkbox next to Exclude these users, groups, and domains to add recipients to be excluded from the policy you are creating.

Note: Add an asterisk (*) in any box to view all available values.

Click Next to continue.


  5. The third page is Bulk email threshold & spam properties. Configure the following settings:
  • Bulk email threshold: Set the Bulk Complaint Level (BCL) of messages that can trigger an action for the Bulk spam filtering verdict. The higher the number, the more bulk emails will get through to your inbox and vice versa. You can configure this value the way you see fit; however, Microsoft has the preset settings below:

Setting                      | Default | Standard | Strict
Bulk email threshold value   | 7       | 6        | 4

  • Increase spam score and Mark as spam: Part of the Advanced Spam Filter (ASF) settings, this option is turned off by default.
  • Contains specific languages: This is off by default. When you select On from the dropdown, a box appears, and you can add the mailing language that you consider spam.
  • From these countries: This is also turned off by default. If you want to mark emails from specific countries as spam, simply choose On from the dropdown and add the countries.
  • Test mode: Also part of the ASF settings, this option is turned off by default.

Note: ASF is a more aggressive method for filtering spam emails. Microsoft recommends keeping the default values Off, as you may get a large number of false positives, which cannot be reported as such with the ASF setting turned on.

Click Next to continue to the next step.


  6. The Actions page is where you choose what happens to messages based on the spam filtering verdicts they receive. Before configuring the settings here, it is important to understand what each action means:
  • Move message to Junk Email folder: The email is delivered to the mailbox, then moved to the junk folder.
  • Add X-header: This adds an X-header to the message before it is delivered to the mailbox. You can choose the name of the X-header field in the Add this X-header text box.
  • Prepend subject line with text: The email is delivered to the mailbox, then moved to Junk Email, but you can add text to the start of the subject line. Enter the text in the Prefix subject line with this text box.
  • Redirect message to email address: This forwards the email to other recipients instead of the intended user. You can specify the new recipient(s) in the Redirect to this email address box.
  • Delete message: The email and all its attachments are deleted automatically.
  • Quarantine message: The message is sent to quarantine. You can choose how long the email should remain there using the Retain spam in quarantine for this many days box. When you select this action, you should also set the quarantine policy in the Select quarantine policy box that appears.
  • No action: As the name suggests, no action is taken and the message is delivered normally.

Now that you know what each action does, you can configure these settings based on your requirements. Microsoft offers the following preset settings:

Verdict / setting                             | Default                           | Standard                          | Strict
Spam                                          | Move message to Junk Email folder | Move message to Junk Email folder | Quarantine message
High confidence spam                          | Quarantine message                | Quarantine message                | Quarantine message
Phishing                                      | Quarantine message                | Quarantine message                | Quarantine message
High confidence phishing                      | Quarantine message                | Quarantine message                | Quarantine message
Bulk                                          | Move message to Junk Email folder | Move message to Junk Email folder | Quarantine message
Retain spam in quarantine for this many days  | 15 days                           | 30 days                           | 30 days

  • Safety tips: The tips are enabled by default. You can disable them by deselecting the checkbox.
  • Zero-hour auto purge (ZAP): ZAP finds and takes action on emails sent to Exchange Online mailboxes. This feature and its corresponding settings are turned on by default.

Click Next to continue.


  7. The Allow & block list page allows you to specify which email addresses or domains can bypass spam filtering. In addition, you can add blocked senders and domains. Configure the lists here by following the steps below:
  • Allowed:

i. To manage Senders, click Manage (n) sender(s). Select +Add senders in the flyout that appears and add the sender's email address. Finally, click Add senders.

ii. Click Allow domains to customize the domains. In the new tab, choose +Add domains, then enter the domain. Once done, click Add domains.

  • Blocked: The process of adding blocked senders and/or domains is basically the same as the one higher up.

Click Next to continue.


  8. On the Review page, you can go over all the settings you chose. You can either Edit a specific section or click Back to return to previous pages. Finally, select Create, then click Done on the confirmation page.

Creating the outbound anti-spam policy in Microsoft 365 Defender

Whether a user in your organization is sending spam emails deliberately or accidentally, EOP has controls in place for outbound spam to protect recipients:

  • Segregation of outbound email traffic: EOP scans every outbound message. When an email is determined to be spam, it is delivered from a less reputable, secondary IP address pool known as the high-risk delivery pool.
  • Disabling accounts that send too much spam or too many emails in a short timeframe: All accounts are monitored so that they do not exceed a specific email limit. When that threshold is reached, the account gets disabled.
  • Monitoring source IP address reputation: Microsoft 365 scans numerous third-party IP block lists and generates an alert if your organization is using an IP address found in any of those lists.

Now that you know how EOP controls outbound spam, you can create custom outbound anti-spam policies:

  1. Access the Anti-spam policies page by entering https://security.microsoft.com/antispam in your browser.
    Note: You can also go to the anti-spam policies page by using https://security.microsoft.com, then clicking Email & Collaboration > Policies & Rules > Threat policies > Anti-spam under Policies.
  2. Click + Create policy and choose Outbound from the dropdown list.


  3. The first page of the policy creation wizard is the Name your policy page. Define the following settings:
  • Name: Add a descriptive and unique name for your policy.
  • Description: Enter a fitting description (optional).

Click Next once you are done.


  4. This is the Users, groups, and domains page where you need to add the internal recipients affected by the outbound spam filter policy:
  • Users: These are the mail users, contacts or mailboxes within your organization.
  • Groups: Microsoft 365 groups, mail-enabled security groups or distribution groups.
  • Domains: This will include all recipients under the accepted domains in your company.

Type a value in each box and select the one you need from the displayed results. You can remove a value by clicking on x next to it. You can also select the checkbox next to Exclude these users, groups, and domains to add recipients that are exceptions to the policy you are creating.

Note: Add an asterisk (*) in any box to view all available values.

Click Next to continue.


  5. On the Protection settings page, configure the following settings:
  • Message limits: Customize the limits of outbound emails in Exchange Online mailboxes. Type in the value or use the arrows in each of the boxes described below. The value can range from 0 (default) to 10,000.
    • Set an external message limit refers to the maximum number of external recipients in one hour.
    • Set an internal message limit is the maximum number of internal recipients in one hour.
    • Set a daily message limit is the maximum number of all (external and internal) recipients per day.
  • Restriction placed on users who reach the message limit: Define the action if a user exceeds the message limits you previously set.
    • Restrict the user from sending mail until the following day: Users will be prohibited from sending additional messages for 24 hours. Security admins cannot remove this restriction. Notifications are sent to the blocked user and the admins.
    • Restrict the user from sending mail: With this option, users will be added to the Restricted users list. They will be unable to send any messages until an admin manually removes them from the list.
    • No action, alert only: Users are not restricted but notifications are sent.
  • Forwarding rules: Manage automatic email forwarding by choosing one of the options from the dropdown list:
    • Automatic - System-controlled: By default, the outbound spam is filtered to control external email forwarding.
    • Off - Forwarding is disabled: Automatic external email forwarding is disabled.
    • On - Forwarding is enabled: Automatic external email forwarding is enabled.
  • Notifications: Specify additional users who will receive notifications regarding outbound spam emails:
    • Send a copy of suspicious outbound that exceeds these limits to these users and groups: Enable this setting by selecting the checkbox next to it. Once done, a text box will appear in which you can add the email addresses of recipients to include in the Bcc field of suspicious messages.
    • Notify these users and groups if a sender is blocked due to sending outbound spam: When you select this checkbox, you can add the email addresses of recipients you want to notify in case a user gets blocked for sending spam messages.

Click Next to continue.


  6. On the Review page, you can go over all the settings you chose. You can either Edit a specific section or simply click Back to go back to previous pages. Finally, select Create and click Done on the confirmation page.

How to Configure Connection Filtering

Connection filtering in EOP is used to identify which email servers are good and bad via their IP addresses. In Microsoft 365 Defender, anti-spam policies include a default connection filter policy which helps reduce the number of spam messages that land in your mailbox by blocking them at the source.

The default connection filter policy has three main components:

  • IP Allow List: By adding source email servers to this list, all incoming messages from these servers do not go through spam filtering and are delivered directly to the mailbox. You can specify servers using IP addresses or IP address ranges.
  • IP Block List: By adding source email servers to this list, all incoming messages from these servers are automatically blocked and rejected. You can add servers using IP addresses or IP address ranges.
  • Safe list: This is an "allow list" managed by Microsoft and you cannot edit it yourself. All incoming messages from source email servers found here skip spam filtering. It is important to note that you can disable this list if needed.

Modifying the default connection filter policy in Microsoft 365 Defender

While you cannot create a new connection filter policy, you can configure the default one by following the steps below:

  1. Access the Anti-spam policies page by entering https://security.microsoft.com/antispam in your browser.
    Note: You can also go to the anti-spam policies page by using https://security.microsoft.com, then clicking Email & Collaboration > Policies & Rules > Threat policies > Anti-spam under Policies.
  2. Click Connection filter policy (Default).


  3. In this flyout, you can configure the settings below to block senders in Office 365:

a. Description: Click Edit description to add an optional descriptive text for the policy. Hit Save once you are done.


b. Connection filtering: Click Edit connection filter policy to customize the following settings:

  • Always allow messages from the following IP addresses or address range: This is where you can add a single IP, an IP range or a CIDR IP to the IP Allow List.
  • Always block messages from the following IP addresses or address range: This is where you can add a single IP, an IP range or a CIDR IP to the IP Block List.
  • Turn on safe list: Enable the safe list by selecting the checkbox or keep it disabled (default).

Click Save once you are done.
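
The following is an added example, not code from this article or from Microsoft. It lints a planned IP Allow List and IP Block List before the entries are typed into the flyout: it parses the three entry forms named above (single IP, IP range, CIDR), flags invalid or overly wide entries, and reports any address that sits on both lists. The function names, the sample lists and the /24 minimum prefix are assumptions made for the example.

```python
import ipaddress

MIN_PREFIX = 24  # assumption: widest CIDR mask the IP Allow/Block List accepts

# Constructed sample lists (documentation address ranges only).
ALLOW = ["203.0.113.10", "198.51.100.0/24", "192.0.2.0/22"]
BLOCK = ["198.51.100.200-198.51.100.220", "203.0.113.99", "not-an-ip"]

def parse_entry(entry):
    """Return (first, last) for a single IP, an 'a-b' range, or a CIDR entry."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError("range start must not exceed range end")
        return first, last
    net = ipaddress.ip_network(entry, strict=False)
    return net[0], net[-1]

def overlaps(a, b):
    """True when two (first, last) spans of the same IP version intersect."""
    return a[0].version == b[0].version and a[0] <= b[1] and b[0] <= a[1]

def lint(allow, block):
    """Validate both lists; return (findings, parsed spans per list)."""
    findings, parsed = [], {"allow": [], "block": []}
    for name, entries in (("allow", allow), ("block", block)):
        for entry in entries:
            try:
                span = parse_entry(entry)
            except ValueError as exc:
                findings.append(f"{name}: invalid entry {entry!r} ({exc})")
                continue
            if "/" in entry:
                prefix = ipaddress.ip_network(entry.strip(), strict=False).prefixlen
                if prefix < MIN_PREFIX:
                    findings.append(f"{name}: {entry} is wider than /{MIN_PREFIX}")
            parsed[name].append((entry, span))
    # An address on both lists makes the intended outcome ambiguous: report it.
    for a_entry, a_span in parsed["allow"]:
        for b_entry, b_span in parsed["block"]:
            if overlaps(a_span, b_span):
                findings.append(f"conflict: allow {a_entry} overlaps block {b_entry}")
    return findings, parsed

def classify(source_ip, parsed):
    """Say what connection filtering would do with mail from source_ip."""
    ip = ipaddress.ip_address(source_ip)
    hit = {name: any(overlaps((ip, ip), span) for _, span in spans)
           for name, spans in parsed.items()}
    if hit["allow"] and hit["block"]:
        return "conflict"
    if hit["allow"]:
        return "allowed, skips spam filtering"
    return "blocked" if hit["block"] else "spam filtered"

if __name__ == "__main__":
    findings, parsed = lint(ALLOW, BLOCK)
    print("\n".join(findings))
    for ip in ("198.51.100.210", "203.0.113.10", "203.0.113.99", "203.0.113.200"):
        print(ip, "->", classify(ip, parsed))
```

Every allow-list entry removes spam filtering for all mail from that range, so the "wider than" and "conflict" findings are the ones to resolve before saving the policy.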


How to Remove Custom Anti-Spam Policies

While you cannot delete a default policy, you can easily remove a custom anti-spam policy by following these steps:

  1. Access the Anti-spam policies page by entering https://security.microsoft.com/antispam in your browser.
    Note: You can also go to the anti-spam policies page by using https://security.microsoft.com, then clicking Email & Collaboration > Policies & Rules > Threat policies > Anti-spam under Policies.
  2. Click the policy you want to remove.
  3. In the flyout, select Delete policy, then click Yes in the confirmation pop-up that appears.


Note: When you delete a custom anti-spam policy, the corresponding anti-spam rule is also removed.

Managing Errors in Spam Filtering

Since no system is perfect, good emails can sometimes be classified as spam (false positive) and, at the same time, some spam messages can pass through the filtering policy and reach your mailbox (false negative). You can implement the Office 365 spam filter best practices to reduce these occurrences as much as possible:

  • Make sure you have the proper bulk email settings: Check that the bulk complaint level (BCL) you previously set in your custom anti-spam policies is suitable for your organization. You can adjust the BCL based on the number of bulk emails you send and receive.
  • Review the anti-spam message headers: These can help you understand why an email was falsely marked as spam or skipped filtering without getting noticed.
  • Implement email authentication: If you have your own email domain, you can configure your DNS to help prevent spam and spoofing. Try using all available authentication methods (SPF, DKIM and DMARC) to get the best results.
  • Point your MX record to Microsoft 365: Microsoft recommends that you have your messages delivered to Microsoft 365 first to ensure optimal protection with EOP.
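
For the header review and BCL check described in the list above, here is an added example that is not part of the original article: it reads the X-Forefront-Antispam-Report and X-Microsoft-Antispam headers that EOP stamps on delivered mail and explains why a message was filtered or skipped filtering. The two sample messages are constructed, and the function names and the "BCL at or above the threshold" comparison are assumptions.

```python
from email import message_from_string, policy

# Meanings of SFV codes in X-Forefront-Antispam-Report (Microsoft's header format).
SFV = {
    "NSPM": "content filter judged the message not spam",
    "SPM": "content filter marked the message as spam",
    "SKA": "skipped filtering: sender is on the policy's allowed senders/domains list",
    "SKB": "marked as spam: sender is on the policy's blocked senders/domains list",
    "SKN": "marked as not spam before content filtering ran",
    "SFE": "skipped filtering: sender is on the user's Safe Senders list",
}
BYPASS_SFV = {"SKA", "SKN", "SFE"}

# Constructed sample messages (documentation addresses, not real mail).
BULK_MAIL = (
    "From: news@example.com\nTo: user@contoso.example\nSubject: Weekly deals\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;LANG:en;SCL:1;\n"
    " IPV:NLI;SFV:NSPM;CAT:NONE;\n"
    "X-Microsoft-Antispam: BCL:6;\n\nBody\n"
)
ALLOWED_IP_MAIL = (
    "From: promo@example.net\nTo: user@contoso.example\nSubject: You won\n"
    "X-Forefront-Antispam-Report: CIP:198.51.100.7;SCL:-1;IPV:CAL;SFV:SKN;\n"
    "X-Microsoft-Antispam: BCL:0;\n\nBody\n"
)

def parse_fields(value):
    """Split 'KEY:value;KEY:value' into a dict (IPv6 CIP values keep their colons)."""
    fields = {}
    for part in str(value or "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields

def to_int(text):
    """Convert a header field to int, or None when it is missing or malformed."""
    try:
        return int(text)
    except (TypeError, ValueError):
        return None

def explain(raw_message, bulk_threshold=7):
    """Explain the filtering outcome; bulk_threshold is the policy's BCL setting."""
    msg = message_from_string(raw_message, policy=policy.default)
    far = parse_fields(msg["X-Forefront-Antispam-Report"])
    scl = to_int(far.get("SCL"))
    bcl = to_int(parse_fields(msg["X-Microsoft-Antispam"]).get("BCL"))
    reasons = []
    if far.get("IPV") == "CAL":  # connection filter IP Allow List hit
        reasons.append(f"source IP {far.get('CIP', '?')} is on the IP Allow List")
    if far.get("SFV") in SFV:
        reasons.append(SFV[far["SFV"]])
    # Assumption: the Bulk verdict applies when BCL is at or above the threshold.
    bulk = bcl is not None and bcl >= bulk_threshold
    if bulk:
        reasons.append(f"BCL {bcl} meets bulk threshold {bulk_threshold}")
    return {
        "scl": scl, "bcl": bcl, "bulk": bulk,
        "bypassed": far.get("IPV") == "CAL" or far.get("SFV") in BYPASS_SFV,
        "reasons": reasons,
    }

if __name__ == "__main__":
    for name, raw in (("bulk", BULK_MAIL), ("allowed-ip", ALLOWED_IP_MAIL)):
        for threshold in (7, 4):  # Default and Strict presets from the table above
            print(name, threshold, explain(raw, threshold))
```

A message reported as a false negative with "bypassed" set points at an allow-list entry rather than at the content filter, which is where the policy review should start.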

Conclusion

If left unchecked, spam can easily become a threat to business continuity. This is why Microsoft made certain to provide its users with advanced spam filtering tools through Exchange Online Protection (EOP). You now know how to create and configure anti-spam policies for your organization and limit the amount of spam that reaches your mailboxes.

While spam filtering does a great job in safeguarding mailboxes from spam emails, sophisticated attacks such as phishing and ransomware require additional safety measures. You can ensure optimal protection for your entire Office 365 environment by having a comprehensive backup solution. NAKIVO Backup & Replication provides Exchange Online backups in addition to instant data recovery and ransomware protection.

A complete data protection solution like NAKIVO Backup & Replication includes all the tools you need to protect Microsoft 365 user data. Get the Free Edition today!