Order and precedence of email protection

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email may be flagged by multiple forms of protection. For example, a message can be evaluated by the built-in EOP anti-phishing policies that are available to all Microsoft 365 customers, and by the more robust ATP anti-phishing policies that are also available to Office 365 Advanced Threat Protection (Office 365 ATP) customers. Messages also pass through multiple detection scans for malware, spam, phishing, etc. Given all this activity, there may be some confusion as to which policy is applied.

In general, a policy that's applied to a message is identified in the X-Forefront-Antispam-Report header in the CAT (Category) property. For more information, see Anti-spam message headers.

There are two major factors that determine which policy is applied to a message:

For example, consider the following ATP anti-phishing policies that apply to the same users, and a message that's identified as both user impersonation and spoofing:

| ATP anti-phishing policy | Priority | User impersonation | Anti-spoofing |
| --- | --- | --- | --- |
| Policy A | 1 | On | Off |
| Policy B | 2 | Off | On |

  1. The message is marked and treated as spoof, because spoofing has a higher priority (4) than user impersonation (8).
  2. Policy A is applied to the users because it has a higher priority than Policy B.
  3. Based on the settings in Policy A, no action is taken on the message, because anti-spoofing is turned off in the policy.
  4. Policy processing stops, so Policy B is never applied to the users.

Because it's possible that the same users are intentionally or unintentionally included in multiple custom policies of the same type, use the following design guidelines for custom policies:

  • Assign a higher priority to policies that apply to a small number of users, and a lower priority to policies that apply to a large number of users. Remember, the default policy is always applied last.
  • Configure your higher priority policies to have stricter or more specialized settings than lower priority policies.
  • Consider using fewer custom policies (only use custom policies for users who require stricter or more specialized settings).
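
The Policy A / Policy B outcome and the overlap the guidelines warn about can be checked with a small model. This is an added example, not Microsoft code: the `Policy` class, the function names, the exact-address recipient matching and the sample addresses are assumptions, and only the two protection-type priorities quoted above (4 and 8) are used.

```python
from dataclasses import dataclass

# Protection-type priorities quoted in the page's example (lower number wins).
TYPE_PRIORITY = {"spoofing": 4, "user_impersonation": 8}

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int          # 1 is evaluated first
    recipients: frozenset  # constructed addresses; exact match is an assumption
    enabled: frozenset     # protection types turned on in this policy

def evaluate(policies, recipient, detections):
    """Return (verdict, applied policy name, action taken?) for one message."""
    verdict = min(detections, key=TYPE_PRIORITY.__getitem__)
    for policy in sorted(policies, key=lambda p: p.priority):
        if recipient in policy.recipients:
            # First matching policy wins; lower-priority policies are skipped.
            return verdict, policy.name, verdict in policy.enabled
    return verdict, None, False  # the default policy is not modelled here

def shadowed_protections(policies):
    """List (user, winning policy, protections lost) where a lower-priority
    policy enables something the user's winning policy has turned off."""
    ordered = sorted(policies, key=lambda p: p.priority)
    findings = []
    for user in sorted(set().union(*(p.recipients for p in ordered))):
        winner, *rest = [p for p in ordered if user in p.recipients]
        lost = set().union(*(p.enabled for p in rest)) - winner.enabled
        if lost:
            findings.append((user, winner.name, sorted(lost)))
    return findings

# Constructed data mirroring the Policy A / Policy B table.
USERS = frozenset({"alice@example.com", "bob@example.com"})
POLICY_A = Policy("Policy A", 1, USERS, frozenset({"user_impersonation"}))
POLICY_B = Policy("Policy B", 2, USERS, frozenset({"spoofing"}))

if __name__ == "__main__":
    print(evaluate([POLICY_B, POLICY_A], "alice@example.com",
                   {"user_impersonation", "spoofing"}))
    for finding in shadowed_protections([POLICY_A, POLICY_B]):
        print(finding)
```

A non-empty result from `shadowed_protections` means some users never receive a protection that a lower-priority policy was meant to give them.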