question

StevePogue-5990 avatar image
0 Votes"
StevePogue-5990 asked LucasLiu-MSFT commented

Create mail flow rule to drop incoming email with a recipient count greater than 10

Our email is hosted within Exchange Online.

The latest waves of incoming phish and spam emails seem to be sent in batches with each incoming email sent to about 50-60 of our internal users within the To: field.
I can't think of a reason why my organization would ever accept an email from outside that is addressed to more than 10 recipients.
Looked in mail flow rules to see we could block an incoming email based on the number of internal recipients on the To: field
Did not find anything.

I have been working with SPAM issues for over 25 years. Don't need advice on reducing SPAM.
We have O365 ATP SPAM policies, Phish Policies SafeLinks, SafeAttachments.
None of the above will protect you when you receive a 0 hour 0 day targeted email based threat that is addressed to dozens of your internal users.
You try and hide your internal email addresses but over time, the crooks build inventories of your email addresses.
We have been receiving targeted emails addressed to 50+ internal valid recipients.
need a way to drop emails based on the number of recipients within X-MS-Exchange-Organization-OriginalEnvelopeRecipients: field or the length of that field.

Spam scores are usually 0 and the X-MS-Exchange-Organization-OriginalEnvelopeRecipients: looks something like this:

X-MS-Exchange-Organization-SpamScore: 0
X-Microsoft-Antispam: BCL:0;

X-MS-Exchange-Organization-OriginalEnvelopeRecipients: =?us-ascii?Q?jswea@iai.com;jbyv@iai?=
=?us-ascii?Q?.com;?=81849-originalenvelope.png


office-exchange-server-mailflow
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

LucasLiu-MSFT avatar image
0 Votes"
LucasLiu-MSFT answered LucasLiu-MSFT commented

Hi @StevePogue-5990 ,
According to my research, we cannot limit the number of recipients included in the received mail through mail flow. In the "To" column, we can specify specific recipients or recipients that contain specific information. And if you delete the mail according to the number of recipients, it is easy to accidentally delete the mail.

For mail restrictions, we can only pass “Message size limit”,” Message header size limit”, “Subject length limit”, “File attachments limit”, “File attachment size limit” “Multipart message limit” and “Embedded message depth limit”. For more information please refer to: Message limits

About this issue:
1.Please make sure that SPF, DKIM and DMARC are set correctly. These DNS records will help protect you from spam.
For more information: Set up SPF to help prevent spoofing
2.EOP will helps protect your organization against spam and malware. Are there any similarities among spammers? For example, sending address, sender IP, etc. If so, we can block the incoming spam by creating a block list of senders.
For more information: Create blocked sender lists in EOP



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @StevePogue-5990 ,
As I said above, there is no method to limit the recipients of the email we received.
Have you tried to create blocked sender lists based on the sender’s information?



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




0 Votes 0 ·

Hi @StevePogue-5990 ,
I am writing here to confirm with you how thing going now?



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes 0 ·