Anti-Spam Policy
Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-spam
Microsoft 365 has three default policies:

- Anti-spam inbound policy (Default) — applies to all users not covered by a custom policy
- Anti-spam outbound policy (Default) — controls outbound sending limits
- Connection filter policy (Default) — IP allow/block list

Inbound Anti-Spam Policy
Recommended Custom Policy (applied before Default)
Create a new policy and apply it to all users (or use the Strict preset, which covers this).
Spam thresholds & actions
| Setting | Recommended value |
|---|---|
| Bulk email threshold | 5 (more aggressive) or 6 (balanced) |
| Mark as spam: Empty messages | On |
| Mark as spam: Embedded tags in HTML | On |
| Mark as spam: JavaScript or VBScript in HTML | On |
| Mark as spam: SPF record hard fail | On |
| Mark as spam: Sender ID filtering hard fail | On |
| Mark as spam: Backscatter | On |
Actions
| Verdict | Action | Quarantine policy |
|---|---|---|
| Spam | Move to Junk | — |
| High confidence spam | Quarantine | DefaultFullAccessWithNotificationPolicy |
| Phishing | Quarantine | DefaultFullAccessPolicy |
| High confidence phishing | Quarantine (admin only) | AdminOnlyAccessPolicy |
| Bulk | Move to Junk | — |
Safety tips & zero-hour auto purge (ZAP)
| Setting | Value |
|---|---|
| Enable spam safety tips | On |
| Enable phishing safety tips | On |
| Enable unusual characters safety tips | On |
| Zero-hour auto purge (ZAP) for spam | On |
| Zero-hour auto purge (ZAP) for phishing | On |
Allow/Block lists (use sparingly)
The inbound policy allow list bypasses spam and phishing filtering — only use for trusted internal systems.
Never allowlist entire domains
Allowlisting @microsoft.com or any large domain allows any spoofed email from that domain to bypass filtering. Use specific IP-based mail flow rules instead.
Outbound Anti-Spam Policy
Prevents your tenant from being used to send spam (which would get your IPs blacklisted).
Defender portal → Anti-spam → Anti-spam outbound policy (Default) → Edit
| Setting | Recommended value |
|---|---|
| Set an external message limit | 400 per hour per user |
| Set an internal message limit | 800 per hour per user |
| Set a daily message limit | 10000 per day |
| Restriction placed on users who reach the message limit | Restrict the user from sending mail until the following day |
| Automatic forwarding rules | Automatic — system-controlled (or Off to block all auto-forwarding) |
Block auto-forwarding to external domains
Auto-forwarding is a common exfiltration path post-compromise. Set Automatic forwarding rules to Off unless users have a business need. Override with a mail flow rule for specific mailboxes that need it.
Notification for blocked senders
Add an admin email address under "Notify these users and groups if a sender is blocked due to sending outbound spam" so IT is alerted immediately.
Connection Filter Policy
Defender portal → Anti-spam → Connection filter policy (Default)
| Setting | Value |
|---|---|
| IP allow list | Add trusted relay/gateway IPs (on-premises mail relays, LOB app SMTP relays) |
| IP block list | Add known malicious IPs if identified through threat hunting |
| Enable safe list | Off — the Microsoft safe list is not recommended as the sole allow mechanism |
Quarantine Management
Defender portal → Email & collaboration → Review → Quarantine
Quarantine policies
| Policy | Who can release | Use case |
|---|---|---|
| AdminOnlyAccessPolicy | Admins only | High-confidence phishing |
| DefaultFullAccessPolicy | Users can self-release | Spam |
| DefaultFullAccessWithNotificationPolicy | Users notified + can self-release | High-confidence spam |
Quarantine notification (digest) frequency
Set users to receive a daily or weekly quarantine digest:
Defender portal → Anti-spam → Quarantine notification → Edit the default policy → Enable notifications → Frequency: Daily.
Useful PowerShell
```powershell
Connect-ExchangeOnline -UserPrincipalName admin@domain.com

# View current inbound policy settings
Get-HostedContentFilterPolicy -Identity Default

# Check outbound policy
Get-HostedOutboundSpamFilterPolicy -Identity Default

# List quarantined messages in the last 7 days
Get-QuarantineMessage -StartReceivedDate (Get-Date).AddDays(-7) -PageSize 100 |
    Select-Object Subject, SenderAddress, RecipientAddress, QuarantineTypes, ReceivedTime |
    Sort-Object ReceivedTime -Descending

# View connection filter policy
Get-HostedConnectionFilterPolicy -Identity Default
```
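
One way to check a tenant against the recommended values in the tables above, as an added example that is not part of the original page. The property names are the ones the Exchange Online policy cmdlets return; `Test-PolicyDrift` is a hypothetical helper name and the sample policy object is constructed.

```powershell
# Added example, not from the original page. Test-PolicyDrift is a hypothetical helper name.
function Test-PolicyDrift {
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)] [hashtable] $Expected)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $Policy.$name
        $want   = $Expected[$name]
        # A scriptblock is a predicate on the actual value; any other value must match as text.
        $ok = if ($want -is [scriptblock]) { [bool](& $want $actual) } else { "$actual" -eq "$want" }
        if (-not $ok) {
            [pscustomobject]@{ Policy = $Policy.Name; Setting = $name; Actual = "$actual" }
        }
    }
}

# Recommended values from the tables above, keyed by the cmdlet property name.
$inboundExpected = @{
    BulkThreshold                 = { param($v) $v -in 5, 6 }
    MarkAsSpamEmptyMessages       = 'On'
    MarkAsSpamEmbedTagsInHtml     = 'On'
    MarkAsSpamJavaScriptInHtml    = 'On'
    MarkAsSpamSpfRecordHardFail   = 'On'
    MarkAsSpamFromAddressAuthFail = 'On'   # portal: "Sender ID filtering hard fail"
    MarkAsSpamNdrBackscatter      = 'On'
    SpamAction                    = 'MoveToJmf'
    BulkSpamAction                = 'MoveToJmf'
    HighConfidenceSpamAction      = 'Quarantine'
    PhishSpamAction               = 'Quarantine'
    HighConfidencePhishAction     = 'Quarantine'
    SpamZapEnabled                = $true
    PhishZapEnabled               = $true
    AllowedSenderDomains          = { param($v) ($v | Measure-Object).Count -eq 0 }  # no domain allowlisting
}
$outboundExpected = @{
    RecipientLimitExternalPerHour = 400
    RecipientLimitInternalPerHour = 800
    RecipientLimitPerDay          = 10000
    ActionWhenThresholdReached    = 'BlockUserForToday'
    AutoForwardingMode            = { param($v) $v -in 'Automatic', 'Off' }
}

# Constructed sample so the script runs offline: an outbound policy with forwarding forced on.
# In a connected session, pass the cmdlet output instead, for example:
#   Get-HostedContentFilterPolicy | ForEach-Object { Test-PolicyDrift -Policy $_ -Expected $inboundExpected }
$sampleOutbound = [pscustomobject]@{
    Name = 'Sample outbound (constructed)'; AutoForwardingMode = 'On'
    RecipientLimitExternalPerHour = 400; RecipientLimitInternalPerHour = 800
    RecipientLimitPerDay = 10000; ActionWhenThresholdReached = 'BlockUserForToday'
}
Test-PolicyDrift -Policy $sampleOutbound -Expected $outboundExpected | Format-Table -AutoSize
```

Running it without `-Identity Default` in the live form covers custom policies as well, which is where allowlisted domains and forwarding overrides usually accumulate.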