Order and precedence of email protection
In Microsoft 365 organizations with mailboxes in Exchange Online, or in standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email may be flagged by multiple forms of protection. For example, a message might be evaluated by the built-in EOP anti-phishing policies that are available to all Microsoft 365 customers, and also by the more robust ATP anti-phishing policies that are available to Office 365 Advanced Threat Protection (Office 365 ATP) customers. Messages also pass through multiple detection scans for malware, spam, phishing, etc. Given all this activity, there may be some confusion as to which policy is applied.
In general, a policy that's applied to a message is identified in the X-Forefront-Antispam-Report header in the CAT (Category) property. For more information, see Anti-spam message headers.
There are two major factors that determine which policy is applied to a message:
The priority of the email protection type: This order is not configurable, and is described in the following table:
| Priority | Email protection | Category | Where to manage |
|---|---|---|---|
| 1 | Malware | CAT:MALW | Configure anti-malware policies in EOP |
| 2 | Phishing | CAT:PHSH | Configure anti-spam policies in EOP |
| 3 | High confidence spam | CAT:HSPM | Configure anti-spam policies in EOP |
| 4 | Spoofing | CAT:SPOOF | Configure spoof intelligence in EOP |
| 5 | Spam | CAT:SPM | Configure anti-spam policies in EOP |
| 6 | Bulk | CAT:BULK | Configure anti-spam policies in EOP |
| 7* | Domain impersonation (protected users) | DIMP | Configure ATP anti-phishing policies |
| 8* | User impersonation (protected domains) | UIMP | Configure ATP anti-phishing policies |
* These features are only available in ATP anti-phishing policies.
The priority of the policy: For each protection type (anti-spam, anti-malware, anti-phishing, etc.), there's a default policy that applies to everyone, but you can create custom policies that apply to specific users. Each custom policy has a priority value that determines the order that the policies are applied in. The default policy is always applied last.
If a user is defined in multiple policies of the same type, only the policy with the highest priority is applied to them. Any remaining policies of that type are not evaluated for the user (including the default policy).
For example, consider the following ATP anti-phishing policies that apply to the same users, and a message that's identified as both user impersonation and spoofing:
| ATP anti-phishing policy | Priority | User impersonation | Anti-spoofing |
|---|---|---|---|
- The message is marked and treated as spoof, because spoofing has a higher priority (4) than user impersonation (8).
- Policy A is applied to the users because it has a higher priority than Policy B.
- Based on the settings in Policy A, no action is taken on the message, because anti-spoofing is turned off in the policy.
- Policy processing stops, so Policy B is never applied to the users.
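The following is an added example, not Microsoft's code, that models the two precedence rules above: it picks the winning category for a message with several verdicts, selects the policy for a recipient (highest-priority custom policy first, default last), and reads the CAT property out of an X-Forefront-Antispam-Report header value. The policy data, recipient address, header value and the setting names (`anti_spoofing`, `user_impersonation`, `domain_impersonation`) are constructed for the example and are not real product identifiers.

```python
from dataclasses import dataclass

# Protection-type precedence from the table above (lower number wins).
CATEGORY_PRECEDENCE = {"MALW": 1, "PHSH": 2, "HSPM": 3, "SPOOF": 4,
                       "SPM": 5, "BULK": 6, "DIMP": 7, "UIMP": 8}
# Assumed policy setting that governs each ATP anti-phishing category.
SETTING_FOR_CATEGORY = {"SPOOF": "anti_spoofing", "DIMP": "domain_impersonation",
                        "UIMP": "user_impersonation"}

@dataclass
class AntiPhishPolicy:
    name: str
    priority: int          # lower number = higher priority
    recipients: frozenset  # empty set marks the default policy (applies to everyone)
    settings: dict         # setting name -> True (on) / False (off)

def category_from_header(header_value):
    """Extract the CAT value from a 'key:value;key:value' report header value."""
    for part in header_value.split(";"):
        key, _, value = part.partition(":")
        if key.strip() == "CAT":
            return value.strip()
    return None

def winning_category(verdicts):
    """Of several verdicts on one message, the highest-precedence category is stamped."""
    return min(verdicts, key=lambda c: CATEGORY_PRECEDENCE[c])

def applicable_policy(policies, recipient):
    """First custom policy (by priority) that includes the recipient; the default is last."""
    custom = sorted((p for p in policies if p.recipients), key=lambda p: p.priority)
    default = next(p for p in policies if not p.recipients)
    return next((p for p in custom if recipient in p.recipients), default)

def evaluate(policies, recipient, verdicts):
    """Return (stamped category, policy used, whether that policy acts on the category)."""
    cat = winning_category(verdicts)
    policy = applicable_policy(policies, recipient)
    acts = bool(policy.settings.get(SETTING_FOR_CATEGORY.get(cat, ""), False))
    return cat, policy.name, acts

# Constructed sample reproducing the Policy A / Policy B walkthrough above.
USER = "alice@contoso.com"
POLICIES = [
    AntiPhishPolicy("Policy B", 2, frozenset({USER}), {"anti_spoofing": True}),
    AntiPhishPolicy("Policy A", 1, frozenset({USER}), {"user_impersonation": True, "anti_spoofing": False}),
    AntiPhishPolicy("Default", 999, frozenset(), {"anti_spoofing": True}),
]
SAMPLE_HEADER = "CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SFV:SPM;CAT:SPOOF;SFTY:9.11"
```

`evaluate(POLICIES, USER, {"UIMP", "SPOOF"})` returns `("SPOOF", "Policy A", False)`: spoofing wins on precedence, Policy A wins on priority, and no action is taken because anti-spoofing is off there.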
Because it's possible that the same users are intentionally or unintentionally included in multiple custom policies of the same type, use the following design guidelines for custom policies:
- Assign a higher priority to policies that apply to a small number of users, and a lower priority to policies that apply to a large number of users. Remember, the default policy is always applied last.
- Configure your higher priority policies to have stricter or more specialized settings than lower priority policies.
- Consider using fewer custom policies (only use custom policies for users who require stricter or more specialized settings).