Step 8: Defender for Office 365
Microsoft Defender for Office 365 is a security solution designed to protect your organization’s email and collaboration tools from evolving cyber threats. With phishing, malware, and other malicious attacks increasingly targeting businesses, setting up Microsoft Defender for Office 365 is essential to safeguard sensitive data and maintain business continuity. In this blog post, we’ll walk you through the process of configuring Defender for Office 365, from setting up essential policies to fine-tuning advanced protections. We will also touch on which components fall short of security best practices and where to pursue supplemental services.
Whether you’re new to the platform or looking to optimize your existing setup, this guide will help you enhance your organization’s email security and respond effectively to emerging threats.
Pre-Requisites for Defender for Office 365
Setting up Defender for Office 365 requires a combination of roles, policies, the right licensing, and a bit of tuning to get the tool up and running from scratch.
ℹ️In order to use Defender for Office 365, the organization will need to have Defender for Office 365 P1 or P2 as part of their licensing with Microsoft 365. P1 is included in Business Premium, P2 is included in Microsoft 365 E5 licenses.
Several features like Automated Incident Remediation are only available for P2 users.
First, we will cover the initial prerequisites that you will need to get started with Defender for Office 365.
In this guide, we will cover two different methods to setup Defender for Office 365.
The specific method that you use to set up Defender for Office 365 will vary depending on whether you will be using Defender for Office 365 as your primary email filter OR if you will be using a third-party in place of Defender for Office 365 for email filtering.
You can only choose one method to deploy Defender for Office 365. You will pick the method after you set up the pre-requisites.
Enable Previewing Emails in Microsoft Purview
ℹ️This feature is only available for Defender for Office 365 P2 users.
A helpful tool for reviewing emails for potential phishing within Microsoft 365 is the Explorer feature.
By default, the Email preview button is not configured (even for Global Admin roles).
For organizations that see the Email Preview button as blank in Microsoft Defender’s Explorer tool, the following modifications to roles will need to be made within Microsoft Purview.
Once the necessary role is created that provides access to preview emails, that role will replicate into Defender’s roles and permissions, allowing the recipients of the role to preview the email.
ℹ️The time it takes for the changes made to replicate into Defender will vary based on the size of the tenant. Changes made may take up to an hour to sync throughout.
To check to see if you have the Email preview feature disabled, navigate to security.microsoft.com
Under Email & Collaboration > click Explorer > open up any email of your choosing from this window. Click the three dots in the flyout window that appears.
- If you have Email previews enabled, you can select the button here
- If you have Email previews disabled, you will see the option greyed out
To add the Preview role, follow the instructions below:
Navigate to Settings > Purview Permissions in Microsoft Purview
This will bring you to the Role Groups.
Click + Create Role Group,
Name: Preview Emails in Defender
Click Next.
Click + Choose Roles.
Search for Role named Preview

Select role and click Next.
Now add members to the Role Group.
You can assign a security group or you can assign individual users, here is where you would add your Global Admin accounts to provision access.
Click Next and Save.
After about an hour, the role will sync over into Defender. Now you can preview emails as needed and you will no longer see the option greyed out.
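The same role group can be created from Security & Compliance PowerShell instead of the Purview portal. This is an added example, not part of the original guide; it assumes the ExchangeOnlineManagement module is installed, and admin@contoso.example is a placeholder for your own admin account or security group.

```powershell
# Added example: create the "Preview Emails in Defender" role group via PowerShell.
# Assumes ExchangeOnlineManagement is installed; the member address is a placeholder.
Connect-IPPSSession

New-RoleGroup -Name 'Preview Emails in Defender' `
              -Roles 'Preview' `
              -Members 'admin@contoso.example' `
              -Description 'Grants the Preview role so members can preview messages in Explorer'

# Confirm the role assignment and membership before waiting on the Defender sync
Get-RoleGroup -Identity 'Preview Emails in Defender' | Format-List Name, Roles
Get-RoleGroupMember -Identity 'Preview Emails in Defender' | Format-Table Name, RecipientType
```

As with the portal method, allow up to an hour for the new role group to replicate into Defender before checking the Email preview button in Explorer.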
Configure Quarantine Policy
Inside of Microsoft Defender located at security.microsoft.com, navigate to Policies & rules > Threat policies > Quarantine Policy.
By default, you will have three settings configured within Microsoft 365.

Each policy has a separate set of values for:
- User message access: The permissions that the user has to take on the email
- Quarantine notification: Whether or not the user will be notified of emails that go to quarantine
Example below (DefaultFullAccessPolicy):

This policy allows users to have full access to their quarantined items, meaning they can view, release, or delete messages from quarantine.
1. DefaultFullAccessPolicy
Best Practices:
- User education: Ensure that you have trained users to recognize phishing and malicious emails before allowing them full access. This helps prevent them from accidentally releasing harmful messages.
- Regular Audits: Implement regular audits of released messages to monitor if users are making safe decisions when handling quarantined emails.
- Limitations: Consider limiting this policy to users with sufficient security training or in departments that require immediate access to their email content, such as legal or executive teams.
2. AdminOnlyAccessPolicy
This policy restricts access to quarantined messages to administrators only. Users cannot see or interact with their quarantined emails.
Best Practices:
- Use for High-Security Environments: This policy is ideal for environments where strict control over email content is necessary, such as in finance or healthcare sectors.
- Centralized Review: Ensure that administrators regularly review quarantined emails and quickly act on legitimate messages to minimize disruption to users.
- Automated Alerts: Set up alerts for administrators when there is a significant number of quarantined emails, ensuring timely review and action.
3. DefaultFullAccessWithNotificationPolicy
This policy allows users full access to quarantined messages. It also provides them with notifications about quarantine events, such as when an email is quarantined.
Best Practices:
- Timely Notifications: Configure notifications to be timely so users are aware of potentially missed emails and can request an administrator’s review if needed.
- User Guidance: Include guidance in the notifications about how to handle quarantined messages, emphasizing caution when releasing emails.
- Combining Policies: Consider using this policy with regular audits by administrators, where users have access, but there’s still oversight to ensure safe practices.
General Quarantine Best Practices:
- Role-Based Access: Configure quarantine policies based on user roles and the level of trust. For example, executive or IT staff might have more access compared to regular employees.
- Quarantine Review Process: Establish a regular review process for quarantined items. Admins should check quarantined messages to ensure legitimate emails are not being mistakenly held.
- User Feedback Loop: Encourage users to report false positives or suspicious emails that have bypassed the quarantine. This feedback can improve filtering accuracy.
By carefully choosing and managing your quarantine policies in Defender for Office 365, you can balance security needs with user convenience, ensuring that your organization remains protected while minimizing the impact on daily operations. It is important to understand how these policies affect your organization as these Quarantine policies are configured inside of the Phishing Policy Actions that we will be adjusting later on within this guide.
ℹ️By default, these actions are not configured by Microsoft, and any emails that fall within the categories of user impersonation or domain impersonation are delivered to the inbox.
In the Quarantine policy you can choose to:
- Use any of the defaults that currently exist within Microsoft OR
- If you have a specific preference for how you want emails routed, you can always create your own custom policy here
The DefaultFullAccessWithNotificationPolicy works fine for most use-cases where you want to give users the ability to release emails from quarantine and the users are educated and informed on how to spot, report, and detect malicious emails.
Update Quarantine Policy Global Settings
In the flyout window that appears, configure the Quarantine notification settings.
At the very bottom of the flyout window, make sure that you have the Send end-user spam notifications set to the correct increments of your choosing.
The options that you have to select from are:
- Within 4 hours
- Daily
- Weekly
Changes made may take up to an hour to take effect within the tenant.
Now that you have the notifications set and the alerting cadence selected, depending on the options that you’ve chosen users can now request to release emails trapped in quarantine.
By default, all Global Admins listed in the tenant receive these requests to release emails from quarantine. If you have an external email address that you would like to receive these release request notifications, you will need to configure this in an Alert Policy within Microsoft Defender.
Add External Email to Alert Policy in Microsoft Defender
In Microsoft Defender at security.microsoft.com
Navigate to Policies & Rules > Alert Policy > User requested to release a quarantined message

To add the external email, click the Pencil icon to Edit the policy. You will see the TenantAdmins listed as default recipients for the notification, type in the external email address that you’d like to add to the Alert Policy and hit Enter on your keyboard.
Save the policy.
Moving forward, TenantAdmins and the external email will receive the notifications.
Enable User Reported Add-ins in Admin Center
ℹ️If you are using a third-party provider for email filtering, you may need to choose the Use a non-Microsoft add-in button to deploy their reporting phishing button. For the purposes of this guide, we’ll be using the Microsoft provided Report button.
Now that you have the quarantine policies set, it’s important to enable the reporting email feature within Defender for Office 365.
To prep the Reporting Spam emails feature, you’ll need to go into Microsoft 365 Admin Center.
In the Admin Center > Select Settings > Select Integrated Apps
Click Get Apps > Search for Report > Two apps should appear: Report Phishing and Report Message, select Get it Now for both applications.
Deploy the Application for the Entire Organization, uncheck the option to Enable Email Notification (you can choose to leave this checked if you would like your users to receive a notice) and save changes.
ℹ️Changes made may take up to an hour to reflect throughout the tenant. After that hour, you should see the Report button appear in Outlook. You may need to reboot the Outlook application in order for the changes made to appear.
Now that you have enabled the Report Phishing and Report Spam buttons, these will appear in your users' mailboxes. This gives your users the ability to report any phishing or junk emails that they receive in their inbox.
- Upon reporting junk emails, the email filter will move messages to the Junk Email folder.
- Upon reporting phishing emails, the filter will send messages to the reporting mailbox, to Microsoft, or both. The filter will also delete messages from the mailbox (you will configure these settings below).
In the settings below, we are going to set what happens when users report emails and how the Defender for Office 365 email filter is going to alert and handle those emails moving forward.
Create Shared Mailbox for User Reported Emails
Next up, you will create a Shared Mailbox for the reported emails. Give your mailbox a name that indicates it is solely for reported emails.
EX: ReportedContent, PhishingAnalysis, SecOpsMailbox, whatever makes the most sense for your organization.
Great, now that you have this, document this as you will need this for the upcoming section.
Configure User Reported Settings
Microsoft’s User reported message settings allow you to decide where to upload the suspicious emails your employees report. You can choose between:
- Microsoft only,
- My reporting mailbox only, or
- Microsoft and my reporting mailbox
Navigate to security.microsoft.com > Settings > Email & Collaboration > User reported settings to adjust these settings.
There are 4 different sections of settings that you have to review and adjust.
1. Outlook
- Enable the settings as documented below.
- “Ask the user to confirm before reporting” and “Show a success message after the message is reported” are optional settings
2. Microsoft Teams
- Users can report messages in Teams from internal chats, channels, and meeting conversations.
- Reporting does not extend to External users.
3. Reported Message Destinations
Below are your destination options. You can only pick one.
- Microsoft Only
- My reporting mailbox only
- Microsoft and my reporting mailbox
Add the Shared Mailbox that you created earlier to this section.
It is helpful to add the Shared Mailbox as you will add the Shared Mailbox to operate as a SecOps mailbox. This will help with the Attack Simulation results in Defender.

4. Reporting From Quarantine
This provides additional functionality in the reporting section for users to report email as phishing in their Quarantine Notifications.

Add the Shared mailbox to Advanced Delivery Settings
To prevent Defender from quarantining User reported messages, you’ll need to specify your Shared Mailbox as a dedicated SecOps mailbox.
Navigate to security.microsoft.com > Policies & rules > Threat policies > Advanced delivery
- Select Add and search for your mailbox
- Add your mailbox and save your settings
This also helps to prevent Defender from blocking User reported messages that are your legitimate phishing simulations (if you’re using the Attack simulations in Defender).
Now that all this is set up, let’s start adjusting some email filtering rules.
Anti-Phishing
ℹ️Configure protection settings for phishing attacks and determine actions to take on impersonated emails and domains.
The Anti-Phishing section in Microsoft Defender for Office 365 focuses on identifying and mitigating phishing attacks that target your organization.
- Mitigations include tips appended to user emails and quarantining impersonation attempts
Phishing attacks are one of the most common and dangerous threats, often involving attackers impersonating trusted domains or users to deceive recipients.
By configuring protection settings, you can define how the system handles impersonation attempts and suspicious emails. The default policy, “Office365 AntiPhish Default,” provides baseline protection, but you can customize it to better suit your organization’s specific needs.
Office365 AntiPhish Default (Default)
Set Phishing threshold & protection
- Phishing threshold (1-4, 4 being the most aggressive)
  - Recommendation: Set the phishing threshold to 4 for the strictest filtering. This setting maximizes the chances of catching phishing attempts but may also increase false positives.
  - Best Practice: Regularly monitor the false positive rates and adjust if necessary. Consider starting with a lower threshold (e.g., 3) and gradually increasing it based on observed results.
- User impersonation protection (max # of users = 350)
  - Recommendation: Enable user impersonation protection for key individuals within the organization, such as executives and financial officers. If you have fewer than 350 users, you can add all of the users in the organization.
  - Best Practice: Periodically update the list of protected users to include new employees in critical roles.
- Domain impersonation protection
  - Recommendation: Activate domain impersonation protection. This will cover frequently-spoofed domains, such as your organization’s domain and those of trusted partners.
  - Best Practice: Regularly review and update the protected domains list based on new threats or partnerships.
- Trusted impersonated senders and domains
  - Recommendation: Add only highly trusted and verified domains and senders to this list to prevent unnecessary filtering of legitimate emails.
  - Best Practice: Review the list periodically to remove any obsolete or no longer trusted entries.
- Mailbox intelligence
  - Recommendation: Ensure that you have enabled mailbox intelligence to leverage historical email communication patterns for detecting anomalies.
  - Best Practice: Use the insights from mailbox intelligence to fine-tune other security policies, and consider regular audits to ensure the feature is performing as expected.
- Mailbox intelligence for impersonations
  - Recommendation: Activate this feature to automatically detect and prevent impersonation attempts based on historical data.
  - Best Practice: Regularly monitor the output of this feature to adjust protection levels as needed.
- Spoof intelligence
  - Recommendation: Enable spoof intelligence to automatically detect and block spoofed emails.
  - Best Practice: Regularly review the spoof intelligence reports and update your blocklists and policies based on the findings.
ℹ️Each of the Quarantine actions below requires selecting one of the Quarantine Policies we reviewed previously. Depending on the use-case and organization, select the policy that aligns best with the best practice recommendations for managing quarantine.
Set Actions
- If user impersonation is detected in a message: Quarantine
- If a message is detected as domain impersonation: Quarantine
- If Mailbox intelligence detects an impersonated user: Quarantine
- If the message is detected as spoof and DMARC Policy is set as p=quarantine: Quarantine
- If the message is detected as spoof and DMARC Policy is set as p=reject: Quarantine
- If spoof intelligence detects the message as spoof: Quarantine
- First contact safety tip On: Enable this to notify users when they receive an email from an unknown sender, helping them identify potential phishing attempts.
- User impersonation safety tip On: Keep this enabled to alert users when an email appears to impersonate someone within the organization.
- Domain impersonation safety tip On: Enable this to warn users about emails that may be impersonating trusted domains.
- Unusual characters safety tip On: Activate to help users identify phishing attempts that use deceptive characters in the email address or domain name.
- Unauthenticated senders symbol (?) for spoof On: Turn this on to visibly mark emails from unauthenticated senders, providing an immediate visual cue to users.
- Show “via” tag On: Enable this to display the “via” tag in emails coming from different domains, signaling potential impersonation or spoofing attempts.
- Honor DMARC record policy when the message is detected as spoof On: Always enable this to ensure that your organization adheres to DMARC policies. This reduces the risk of delivering spoofed emails.
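The threshold, impersonation protections, quarantine actions and safety tips described in this section can also be applied in one pass with Exchange Online PowerShell. This is an added example rather than something from the original guide; it assumes the ExchangeOnlineManagement module is installed, and the protected user entries, the partner domain and the quarantine policy name are placeholders to replace with your own values.

```powershell
# Added example: apply the recommended anti-phishing settings to the default policy.
# Assumes ExchangeOnlineManagement is installed and the account holds a security admin role.
Connect-ExchangeOnline

# Placeholder values: user impersonation entries use "DisplayName;EmailAddress" format
$protectedUsers = @('Chief Executive;ceo@contoso.example', 'Chief Financial Officer;cfo@contoso.example')
$partnerDomains = @('partner.example')              # placeholder trusted partner domain
$quarantineTag  = 'DefaultFullAccessWithNotificationPolicy'  # quarantine policy reviewed earlier

Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -PhishThresholdLevel 4 `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $partnerDomains `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -EnableSpoofIntelligence $true `
    -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag $quarantineTag `
    -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag $quarantineTag `
    -MailboxIntelligenceProtectionAction Quarantine -MailboxIntelligenceQuarantineTag $quarantineTag `
    -AuthenticationFailAction Quarantine -SpoofQuarantineTag $quarantineTag `
    -HonorDmarcPolicy $true -DmarcQuarantineAction Quarantine -DmarcRejectAction Quarantine `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true `
    -EnableUnauthenticatedSender $true -EnableViaTag $true

# Read the policy back to confirm the actions took effect
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Format-List PhishThresholdLevel, TargetedUserProtectionAction, TargetedDomainProtectionAction,
                MailboxIntelligenceProtectionAction, AuthenticationFailAction, HonorDmarcPolicy
```

Keeping the settings in a script makes it easy to diff the policy against your intended baseline later, which is useful when you revisit the threshold after monitoring false positives.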
Anti-Spam
ℹ️Protect your organization’s email from spam, including setting bulk email threshold & spam properties
The Bulk Complaint Level (BCL) is a rating system. Microsoft Exchange Online Protection (EOP) and Microsoft Defender for Office 365 use this system to assess the likelihood that recipients of a bulk email consider it spam.
Rating Scale: The BCL is rated on a scale from 1 to 9 where:
- 1-3: Indicates that recipients are less likely to consider the message spam. These messages are typically from senders with good reputations or who have obtained permission from recipients to send bulk emails (like newsletters or promotional content).
- 4-7: Indicates a moderate likelihood of users considering the message spam. These messages could have senders with mixed reputations. Or, messages could have senders whose bulk emails often receive complaints or are not explicitly requested.
- 8-9: Indicates that users are very likely to consider the message spam. These messages often receive numerous complaints or come from senders with poor reputations.
Purpose: The BCL helps organizations determine how strictly to filter and handle bulk emails. Depending on the BCL rating, administrators can configure their anti-spam policies to quarantine, reject, or allow the bulk email.
Adjusting BCL Threshold: Organizations can adjust their filtering policies based on the BCL to align with their tolerance for bulk emails. For example, setting a lower BCL threshold might quarantine or reject more bulk emails, while a higher threshold might allow more through.
Usage Example:
If your organization receives a lot of newsletters and marketing emails that are legitimate but may not be relevant to all employees, you could set the BCL threshold to 5. This would filter out emails with higher complaint levels, reducing clutter in inboxes while still allowing some bulk communication.
Benefits:
- Reducing Spam: Helps minimize the influx of unwanted bulk emails that could be considered spam.
- Improving Email Deliverability: By understanding and managing BCL settings, organizations can improve the chances of legitimate bulk emails reaching their intended recipients.
Practical Application:
Administrators typically configure their email security settings in the Microsoft 365 Defender or Exchange Admin Center. Here, admins can set actions for different BCL ratings, ensuring consistent application of the organization’s preferences for handling bulk emails.
By managing BCL settings, organizations can strike a balance between allowing useful bulk communications and reducing the clutter of unwanted spam.
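To see how the BCL and SCL values actually reach you, it helps to look at the X-Forefront-Antispam-Report header that EOP stamps on delivered messages. The function below is an added example, not part of the original guide: it parses that header from a message and reports which verdict a given bulk threshold would produce, following the BCL scale and the SCL values (5-6 spam, 9 high confidence spam) discussed on this page. The sample header strings are constructed for illustration and are not real captures.

```powershell
# Added example: read BCL/SCL from a constructed X-Forefront-Antispam-Report header
# and show how the configured bulk threshold changes the outcome.

function Get-AntispamVerdict {
    param(
        [Parameter(Mandatory)][string]$ForefrontHeader,  # value of X-Forefront-Antispam-Report
        [int]$BulkThreshold = 5                          # threshold from the anti-spam policy
    )
    # The header is a ;-separated list of KEY:VALUE pairs, e.g. "CIP:203.0.113.10;SCL:1;BCL:6"
    $fields = @{}
    foreach ($pair in ($ForefrontHeader -split ';')) {
        if ($pair -match '^\s*([A-Z]+):(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    $bcl = if ($fields.ContainsKey('BCL')) { [int]$fields['BCL'] } else { 0 }
    $scl = if ($fields.ContainsKey('SCL')) { [int]$fields['SCL'] } else { -1 }

    # SCL 9 = high confidence spam, SCL 5-6 = spam; otherwise EOP treats the message
    # as bulk when its BCL is greater than or equal to the policy threshold.
    $verdict = if ($scl -ge 9) { 'High confidence spam' } `
               elseif ($scl -ge 5) { 'Spam' } `
               elseif ($bcl -ge $BulkThreshold) { 'Bulk (at or above threshold)' } `
               else { 'Not spam' }

    [pscustomobject]@{ SCL = $scl; BCL = $bcl; Threshold = $BulkThreshold; Verdict = $verdict }
}

# Constructed sample headers (not real captures)
$newsletter = 'CIP:203.0.113.10;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;BCL:6;DIR:INB'
$spam       = 'CIP:198.51.100.7;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;BCL:0;DIR:INB'

Get-AntispamVerdict -ForefrontHeader $newsletter -BulkThreshold 5   # BCL 6 >= 5: bulk action applies
Get-AntispamVerdict -ForefrontHeader $newsletter -BulkThreshold 7   # BCL 6 < 7: delivered normally
Get-AntispamVerdict -ForefrontHeader $spam                          # SCL 9: high confidence spam
```

Running a batch of headers from a mailbox that receives a lot of newsletters through this function is a quick way to preview how many senders a lower threshold would start catching before you change the policy.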
Anti-spam Inbound Policy (Default)
Bulk email threshold & spam properties
| BCL | Description |
|---|---|
| 0 | The message isn’t from a bulk sender. |
| 1, 2, 3 | The message is from a bulk sender that generates few complaints. |
| 4, 5, 6, 7 | The message is from a bulk sender that generates a mixed number of complaints. |
| 8, 9 | The message is from a bulk sender that generates a high number of complaints. |
- Bulk email threshold (on a scale of 1 to 9): Set to 5; you can adjust and monitor (generally the Standard preset uses a value of 6, Strict uses 5, and the default is 7).
- The following settings increase the spam score. Your options for each setting are On, Off, and Test.
- These ASF (Advanced Spam Filter) settings can increase an email’s spam score. When the spam score increases, the email’s Spam Confidence Level (SCL) may reach 5 or 6, which usually triggers the spam filter to treat the email as spam based on your anti-spam policy settings. However, the spam filter will not flag every email that meets these conditions as spam; it takes additional spam factors into consideration.
- Image links to remote websites set to On: Spammers frequently use images hosted on remote servers to track whether a recipient has opened an email. They do so by embedding a unique identifier in the image URL. When a user opens the email, the remote server fetches the image. This signals to the spammer that the recipient’s email address is active. This technique is often used for tracking or verifying email addresses for future spam or phishing attempts.
- Numeric IP address in URL set to On: URLs containing numeric IP addresses instead of domain names are often used to hide the true destination of a link. This technique is commonly used in phishing attacks to obscure malicious websites or bypass filters that check domain names against blacklists. Legitimate websites rarely use numeric IPs in public-facing URLs.
- Links to .biz or .info websites set to On: The .biz and .info top-level domains (TLDs) have historically been associated with higher levels of spam and low-quality or suspicious websites. This is partly due to the fact that these domains are often cheaper and more easily obtained by spammers. As a result, spam filters are more likely to flag emails containing links to these TLDs as spam.
- Next, specify whether to mark messages that include these properties as spam. Your options for each setting are On, Off, and Test.
- Spam emails often contain the properties listed because spammers commonly use these techniques to either bypass email filters, deceive recipients, or track the recipient’s actions.
- The following “Mark as spam” ASF (Advanced Spam Filter) settings automatically set the Spam Confidence Level (SCL) of detected messages to 9. This corresponds to a “High confidence spam” verdict, which means the message is treated as highly likely to be spam and will trigger the appropriate action in your anti-spam policies, such as moving the message to the junk folder or quarantining it.
- Empty messages set to On: Spammers sometimes send empty messages as a way to verify if an email address is active (i.e., if the email does not bounce back). If the recipient opens the email, the spammer knows the address is valid and may target it with further spam or phishing attempts.
- Embedded tags in HTML set to On: Spammers embed HTML tags to include hidden content, such as invisible tracking pixels (web bugs) or to manipulate the visual presentation of the email. Spammers use this to make the email appear more legitimate or to track the recipient’s behavior.
- JavaScript or VBScript in HTML set to On: Legitimate email almost never contains active script. Spammers embed JavaScript or VBScript to obscure the real content of a message, redirect the recipient, or alter how the email is rendered, so its presence is a strong spam indicator.
- Form tags in HTML set to On: Form tags can help create fake login forms or other input fields within the email itself. Phishing attacks, which trick the recipient into entering sensitive information, such as passwords or credit card details, directly in the email, often involve this tactic.
- Frame or iFrame tags in HTML set to On: Frames and iFrames allow spammers to load content from external sources into the email. This displays content that bypasses email filters or masks the true origin of the content. Spammers also use it to track recipients or load malicious content from external servers.
- Web bugs in HTML set to On: Web bugs are small, often invisible images embedded in emails. They notify the sender when the recipient opens the email. This allows spammers to confirm that an email address is valid and actively monitored, making it a more valuable target for future spam.
- Object tags in HTML set to On: Object tags are used to embed media files or other types of objects within an email. Spammers might use these to try and bypass certain types of content filters or to deliver malware through non-standard file types.
- Sensitive words set to Off: Microsoft maintains a dynamic but non-editable list of words that are associated with potentially offensive messages. The subject and message body are searched for these words. Only Microsoft knows what these words are so your mileage may vary with enabling this setting.
- SPF record: Hard fail set to On: An SPF (Sender Policy Framework) hard fail indicates that the email did not originate from an authorized mail server for that domain, suggesting that the email is likely spoofed. Spammers often ignore proper SPF setup, resulting in hard fails.
- Sender ID filtering hard fail set to On: Similar to SPF, Sender ID filtering is designed to verify that the email’s sender address is legitimate. A hard fail occurs when the sender’s domain does not match the sending server’s IP address, which is common in spam and phishing emails.
- Backscatter set to Off: Reference https://www.backscatterer.org/?target=usage (some backscatter from legit senders is to be expected.)
- Contains specific language: Your preference
- From these countries: Your preference
Additional feature: Bulk senders insight
Use this tool to assess the impact of adjusting the BCL settings within your environment and simulate senders who may be impacted by these settings.
Set Actions
- Spam message action:
- Recommendation: Set to Move message to Junk Email folder.
- Reason: This action ensures that potential spam emails are not delivered directly to the inbox, but are still accessible to the user if needed. Users can review and recover legitimate emails that were incorrectly flagged.
- High Confidence spam action
- Recommendation: Set to Quarantine message.
- Reason: High confidence spam is more likely to be malicious, so quarantining these messages adds an extra layer of protection by preventing them from reaching the user. The security team can review quarantined messages to determine if any should be released.
- Phishing message action
- Recommendation: Set to Quarantine message with an AdminOnlyAccessPolicy.
- Reason: Phishing emails are a significant threat, and quarantining them prevents users from interacting with potentially harmful content. Limiting access to administrators ensures that only trained personnel can review and release these emails.
- High confidence phishing message action
- Recommendation: Set to Quarantine message with an AdminOnlyAccessPolicy.
- Reason: High confidence phishing messages are almost certainly dangerous, so they should be quarantined with access restricted to administrators. This minimizes the risk of exposure to users.
- Bulk message action
- Recommendation: Set to Move message to Junk Email folder or Quarantine message with an AdminOnlyAccessPolicy.
- Reason: Bulk emails are often less critical and can be disruptive if delivered to the inbox. Quarantining or moving them to the Junk Email folder helps reduce clutter and prevent potential spam.
- Intra-Organizational messages to take action on
- Recommendation: Default setting.
- Reason: Typically, intra-organizational messages should be trusted. However, if internal phishing or spoofing is a concern, stricter settings may be considered.
- Enable spam safety tips: On
- Enabling safety tips helps educate users by highlighting potential spam or phishing emails, making them more cautious when interacting with suspicious messages.
- Enable for spam messages: On
- Enable for phishing messages: On
- Retain spam in quarantine for this many days: 30
- Retaining spam in quarantine for 30 days provides a sufficient window for users or administrators to review quarantined messages and retrieve any that were falsely flagged as spam.
- Zero-hour auto purge (ZAP): ZAP helps by automatically detecting and removing emails that are later identified as spam or phishing after they have been delivered to user inboxes. This is an essential layer of protection that helps remove threats that might have initially bypassed filtering.
  - Enable zero-hour auto purge (ZAP)
  - Enable for phishing messages
  - Enable for spam messages
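The bulk threshold, ASF settings, spam actions, retention and ZAP options recommended above map directly onto parameters of the default anti-spam inbound policy in Exchange Online PowerShell. The block below is an added example, not taken from the original guide; it assumes the ExchangeOnlineManagement module is installed and that the built-in AdminOnlyAccessPolicy quarantine policy is the one you chose for phishing verdicts.

```powershell
# Added example: apply the recommended anti-spam settings to the default inbound policy.
# Assumes ExchangeOnlineManagement is installed and the account holds a security admin role.
Connect-ExchangeOnline

Set-HostedContentFilterPolicy -Identity 'Default' `
    -BulkThreshold 5 `
    # ASF settings that raise the spam score
    -IncreaseScoreWithImageLinks On -IncreaseScoreWithNumericIps On -IncreaseScoreWithBizOrInfoUrls On `
    # ASF "mark as spam" settings (SCL 9 when matched)
    -MarkAsSpamEmptyMessages On -MarkAsSpamEmbedTagsInHtml On -MarkAsSpamJavaScriptInHtml On `
    -MarkAsSpamFormTagsInHtml On -MarkAsSpamFramesInHtml On -MarkAsSpamWebBugsInHtml On `
    -MarkAsSpamObjectTagsInHtml On -MarkAsSpamSensitiveWordList Off `
    -MarkAsSpamSpfRecordHardFail On -MarkAsSpamFromAddressAuthFail On -MarkAsSpamNdrBackscatter Off `
    # Actions per verdict
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine -PhishQuarantineTag 'AdminOnlyAccessPolicy' `
    -HighConfidencePhishAction Quarantine -HighConfidencePhishQuarantineTag 'AdminOnlyAccessPolicy' `
    -BulkSpamAction MoveToJmf `
    # Safety tips, retention and ZAP
    -InlineSafetyTipsEnabled $true `
    -QuarantineRetentionPeriod 30 `
    -ZapEnabled $true -PhishZapEnabled $true -SpamZapEnabled $true

# Confirm the verdict actions and ZAP state
Get-HostedContentFilterPolicy -Identity 'Default' |
    Format-List BulkThreshold, SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                HighConfidencePhishAction, BulkSpamAction, QuarantineRetentionPeriod,
                ZapEnabled, PhishZapEnabled, SpamZapEnabled
```

Note that PowerShell does not allow a comment line between backtick-continued parameters; the inline comments above are there to group the parameters for reading and should be removed (or the parameters joined onto fewer lines) before running the command as-is.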
Allowed and Blocked Senders and Domains
This is the mechanism that Microsoft recommends to Allow and Block Senders within a Domain.
You may find that there are tenants that do not have this capability and for those tenants, you would have to configure Mailflow Rules to manage the Allow and the Block lists.
- Allowed senders
- Allowed domains
- Blocked senders
- Blocked domains
Read more about Exchange Mailflow Rules
You may be wondering, why are there 2 places that you can configure these rules and what’s the difference? The difference really is in the scanning and detection features that you get with Microsoft’s Advanced Threat Protection.
When you whitelist an email inside of Mailflow rules, there is no additional scanning or verification that happens which audits the email for malware or any viruses. By whitelisting domains in this section of Microsoft, you get that added security feature.
Deeper Integration with Security Policies
ATP settings for anti-phishing and anti-spam are built specifically to handle allowlists and blocklists at a deeper level. Adding addresses or domains to ATP exclusions ensures these are evaluated against Microsoft’s broader threat intelligence but bypass certain filters (like spam or impersonation) when trusted.
More Granular Control
By using ATP exclusions, you ensure that the email is still scanned for malware and viruses while allowing it to bypass certain phishing or spam checks that triggered the quarantine. This helps maintain a balance between security and deliverability.
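The two allow mechanisms described above, side by side, as an added Exchange Online PowerShell example (not code from the original post). It assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange Online administrator role, and that `partner.example`, `phish.example` and the rule name are placeholders you replace with your own values.

```powershell
# Added example (not from the original post): the anti-spam policy allow/block
# lists versus a mail flow rule that bypasses spam filtering.
# Assumes the ExchangeOnlineManagement module and an Exchange Online admin role.
Connect-ExchangeOnline

$trustedDomain = 'partner.example'   # placeholder partner domain
$blockedDomain = 'phish.example'     # placeholder domain to block

# Option A (recommended): allow and block domains in the default anti-spam policy.
# Mail from an allowed domain bypasses the spam verdict but is still evaluated
# for malware and high-confidence phishing.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -AllowedSenderDomains @{Add = $trustedDomain} `
    -BlockedSenderDomains @{Add = $blockedDomain}

# Option B: a mail flow (transport) rule that stamps SCL -1. Use it only where
# the policy lists are unavailable, because the rule itself performs no
# compensating checks on the message.
New-TransportRule -Name 'Bypass spam filtering - partner.example (placeholder)' `
    -SenderDomainIs $trustedDomain `
    -SetSCL -1 `
    -Comments 'Added as an example; review quarterly and remove if unused.'

# Verification: list what is currently allowed in each place so the two
# mechanisms do not silently drift apart.
(Get-HostedContentFilterPolicy -Identity 'Default').AllowedSenderDomains
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } |
    Select-Object Name, SenderDomainIs, State
```

Run the verification lines on their own periodically: SCL -1 rules accumulate over time, and each one is a sender whose mail skips spam filtering entirely, so they deserve the same review cadence as the policy allow list.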
Connection Filter Policy (Default)
Benefits of Connection Filtering:
- Prevents Unwanted Emails: By blocking known bad IP addresses at the connection level, the policy helps reduce the volume of spam and malicious emails that reach users’ inboxes.
- Enhances Security: Connection filtering adds an extra layer of defense, protecting against threats like botnets and spam networks that might otherwise bombard your organization with harmful content.
- Customizable: You can tailor the policy to your organization’s needs by adding trusted IPs to the allow list and updating the block list based on known threats or specific concerns.
For example, if you notice a spike in spam from a specific IP address or range, you can add it to the block list in the connection filter policy to immediately start rejecting emails from that source. On the other hand, if a legitimate partner’s emails are being mistakenly flagged as spam, you can add their IP to the allow list to ensure their emails are delivered without issue.
- IP Allow List:
- Function: This list ensures that incoming messages from specified IP addresses or ranges bypass spam filtering. However, spam filtering will still scan these messages for malware and high-confidence phishing threats.
- Exceptions: In certain scenarios, spam filtering may still apply to messages from IPs on the allow list.
- IP Block List:
- Function: Completely blocks messages from IP addresses or ranges on this list. This setting rejects messages outright without marking them as spam or applying any other filtering.
- Safe list:
- Effect: Skips spam filtering for messages from servers on Microsoft's safe list of trusted senders. You can only enable or disable the use of this list; individual server configurations are not possible.
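Configuring the three connection filter settings above from Exchange Online PowerShell, as an added example that is not part of the original post. It assumes an Exchange Online admin session; the IP values are placeholders from the RFC 5737 documentation ranges, not real senders.

```powershell
# Added example (not from the original post): set the IP allow list, IP block
# list and safe list on the default connection filter policy.
# Assumes an Exchange Online admin session (ExchangeOnlineManagement module).
Connect-ExchangeOnline

$partnerRelay = '203.0.113.10'     # placeholder: a partner's outbound relay that keeps landing in spam
$abusiveRange = '198.51.100.0/24'  # placeholder: range behind a recent spam spike

# IP Allow List entries skip spam filtering but still get malware and
# high-confidence phishing checks; IP Block List entries are rejected outright.
Set-HostedConnectionFilterPolicy -Identity 'Default' `
    -IPAllowList @{Add = $partnerRelay} `
    -IPBlockList @{Add = $abusiveRange} `
    -EnableSafeList $false  # only On or Off; enable if Microsoft's trusted-sender list should skip spam filtering

# Verify the resulting policy before closing the change ticket.
Get-HostedConnectionFilterPolicy -Identity 'Default' |
    Select-Object IPAllowList, IPBlockList, EnableSafeList
```

Use `@{Remove = ...}` in place of `@{Add = ...}` to take an entry off either list; because the allow list bypasses spam filtering for every message from that IP, keep it short and tied to a named partner, and revisit it whenever the partner changes mail providers.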
Anti-spam outbound policy (Default)
In Microsoft 365 and Exchange Online Protection (EOP), outbound emails are automatically checked for spam and unusual sending behavior to protect the service’s reputation.
Suspicious emails are marked as spam and routed through a high-risk delivery pool to prevent Microsoft 365 servers from being placed on IP blocklists.
Admins receive alerts about any suspicious activity and blocked users. The default outbound spam policy applies to all senders. However, you can create custom policies for specific users, groups, or domains.
Using Exchange Online Protection (EOP) for bulk email is not officially supported and is only allowed on a “best-effort” basis. To avoid issues, follow these recommendations:
- Adhere to Sending Limits: Avoid sending large volumes of emails or using large Bcc lists to stay within service limits.
- Use Custom Subdomains: Instead of your primary domain, use custom subdomains (e.g., m.contoso.com for marketing) for bulk emails to protect the deliverability of regular emails.
- Implement Email Authentication: Configure SPF, DKIM, and DMARC records for any custom subdomains to meet email authentication standards and prevent rejections.
- Provide Unsubscribe Options: Ensure that marketing emails include an easy way for recipients to unsubscribe, preferably with a one-click option.
- Maintain a Clean Email List: Regularly remove incorrect or non-existent email addresses from your database to avoid bounce-backs and maintain a good sending reputation.
These practices help ensure that you deliver bulk emails effectively to users while protecting your domain’s reputation and adhering to EOP guidelines.
Alternative Resources for Sending Bulk Email
If you need to send bulk email, consider using resources outside of Exchange Online Protection (EOP) to avoid potential issues:
- On-Premises Email Servers:
- Option: Maintain your own email infrastructure for mass mailings.
- Benefit: Full control over email sending practices and infrastructure, reducing the risk of impacting your regular email deliverability.
- Third-Party Bulk Email Providers:
- Option: Utilize a specialized third-party provider for sending bulk emails.
- Benefit: These providers have experience managing large-scale email campaigns and work with customers to ensure good email sending practices, helping to maintain your domain’s reputation.
- Recommendation: Consult the Messaging, Mobile, Malware Anti-Abuse Working Group (MAAWG) membership roster to find reputable bulk email providers. This roster recognizes companies for responsible email practices as well as reliability and compliance with internet standards.
To summarize, if you allow bulk email to go unchecked, Microsoft 365 servers can be added to third-party IP blocklists, which causes serious problems and costs. It’s better to block users who exceed safe sending limits than to risk these bulk activities compromising the service.
In this section, we check how much mail is sent each hour so you can set the restrictions in your outbound spam policy.
You can use the following KQL query to count the emails sent outbound from the tenant in each hour.
Navigate to security.microsoft.com > Hunting > Advanced hunting, paste the query into the query editor, and run it.
EmailEvents
| where EmailDirection == "Outbound"
| summarize SentCount = count() by bin(Timestamp, 1h)
| project Timestamp, SentCount
| sort by Timestamp asc
The results from the KQL query will inform your protection settings. Review the hourly sending volume and talk with Operations teams to pick a sending limit that makes the most sense for the organization. Populate the settings below and adjust as needed.
Set Protection Settings
- Restrict sending to external recipients (per hour):
- Restrict sending to internal recipients (per hour):
- Maximum recipient limit per day:
- Over limit action: Restrict the user from sending mail
- Automatic forwarding: Automatic – System-controlled (recommended to disable forwarding and allow on a case-by-case basis)
- Send a copy of suspicious outbound messages or messages that exceed these limits to these users and groups: On
- Notify these users and groups if a sender is blocked due to sending outbound spam: On
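The procedure above (query the sending volume, agree on limits, populate the protection settings) carried through end to end as an added PowerShell example; it is not code from the original post. The limits in the outbound spam policy apply per user, so the example buckets sending per sender per hour (and per day) rather than only per hour for the whole tenant, which is a step beyond the KQL query above. The sample rows are constructed stand-ins for exported hunting results, the 1.5x headroom factor is an assumed rule of thumb to agree with Operations, and `secops@contoso.example` is a placeholder notification address.

```powershell
# Added example (not from the original post): derive per-user sending limits from
# sample data, then apply them to the default outbound spam policy.
# Constructed sample rows standing in for exported advanced hunting results.
$sample = @(
    [pscustomobject]@{ Timestamp = [datetime]'2024-05-06T09:05:00'; Sender = 'alice@contoso.example'; ExternalRecipients = 8;  InternalRecipients = 3 }
    [pscustomobject]@{ Timestamp = [datetime]'2024-05-06T09:40:00'; Sender = 'alice@contoso.example'; ExternalRecipients = 15; InternalRecipients = 0 }
    [pscustomobject]@{ Timestamp = [datetime]'2024-05-06T10:10:00'; Sender = 'alice@contoso.example'; ExternalRecipients = 4;  InternalRecipients = 20 }
    [pscustomobject]@{ Timestamp = [datetime]'2024-05-06T09:15:00'; Sender = 'bob@contoso.example';   ExternalRecipients = 60; InternalRecipients = 5 }   # newsletter send
    [pscustomobject]@{ Timestamp = [datetime]'2024-05-06T14:30:00'; Sender = 'bob@contoso.example';   ExternalRecipients = 2;  InternalRecipients = 40 }
    [pscustomobject]@{ Timestamp = [datetime]'2024-05-07T11:00:00'; Sender = 'carol@contoso.example'; ExternalRecipients = 25; InternalRecipients = 25 }
)

function Get-OutboundLimitProposal {
    param(
        [Parameter(Mandatory)] $Events,   # objects with Timestamp, Sender, ExternalRecipients, InternalRecipients
        [double] $Headroom = 1.5          # assumed rule of thumb: observed peak times 1.5
    )
    # Bucket by sender and hour, matching how the per-user hourly limits are measured.
    $hourly = $Events | Group-Object { '{0}|{1:yyyy-MM-dd HH}' -f $_.Sender, $_.Timestamp } | ForEach-Object {
        [pscustomobject]@{
            Sender   = $_.Group[0].Sender
            External = ($_.Group | Measure-Object -Property ExternalRecipients -Sum).Sum
            Internal = ($_.Group | Measure-Object -Property InternalRecipients -Sum).Sum
        }
    }
    # Bucket by sender and day for the daily recipient limit.
    $daily = $Events | Group-Object { '{0}|{1:yyyy-MM-dd}' -f $_.Sender, $_.Timestamp } | ForEach-Object {
        $ext = ($_.Group | Measure-Object -Property ExternalRecipients -Sum).Sum
        $int = ($_.Group | Measure-Object -Property InternalRecipients -Sum).Sum
        [pscustomobject]@{ Sender = $_.Group[0].Sender; Total = $ext + $int }
    }
    $peakExt = ($hourly | Measure-Object -Property External -Maximum).Maximum
    $peakInt = ($hourly | Measure-Object -Property Internal -Maximum).Maximum
    $peakDay = ($daily  | Measure-Object -Property Total    -Maximum).Maximum
    [pscustomobject]@{
        PeakExternalPerHour = $peakExt                      # 60 for the sample (bob's newsletter hour)
        PeakInternalPerHour = $peakInt                      # 40
        PeakRecipientsPerDay = $peakDay                     # 107
        TopHourlySenders    = $hourly | Sort-Object External -Descending | Select-Object -First 3
        ProposedExternalPerHour = [int][math]::Ceiling($peakExt * $Headroom)   # 90
        ProposedInternalPerHour = [int][math]::Ceiling($peakInt * $Headroom)   # 60
        ProposedPerDay          = [int][math]::Ceiling($peakDay * $Headroom)   # 161
    }
}

$proposal = Get-OutboundLimitProposal -Events $sample
$proposal | Format-List   # review the top senders with Operations before applying

# Apply the agreed values to the default policy (Exchange Online admin session required).
Connect-ExchangeOnline
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' `
    -RecipientLimitExternalPerHour $proposal.ProposedExternalPerHour `
    -RecipientLimitInternalPerHour $proposal.ProposedInternalPerHour `
    -RecipientLimitPerDay $proposal.ProposedPerDay `
    -ActionWhenThresholdReached BlockUser `
    -AutoForwardingMode Off `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients 'secops@contoso.example' `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients 'secops@contoso.example'
```

The senders that set the peak (a newsletter account in the sample) are the ones to discuss before applying limits: either they move to a dedicated subdomain or provider as the bulk-mail guidance above recommends, or they get their own custom outbound policy, so that the default policy can stay tight for everyone else.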
Conclusion
As you have seen, Defender for Office 365 has a lot of tools. However, in order to best secure your tenant, you should also use a third-party email filter. We recommend that you establish a baseline third-party phishing filter for your organization because Defender for Office 365 still allows for delivery of large amounts of phishing emails. Reach out to your MSP or consult your team to decide which email protection service best suits you. There are still some steps and recommendations that we omitted from the guide, see below to purchase the complete Golden Tenant.
The Complete Guide to Microsoft 365
Want full access to the ultimate Microsoft 365 deployment & security cheatsheet? Purchase our complete Golden Tenant now to get detailed instructions, in-depth explanations, and even personalized Microsoft consulting. Have peace of mind with the security of your Microsoft suite by using our CIS-compliant SOPs.