Recommended settings for EOP and Office 365 ATP security

Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employees' inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. Office 365 Advanced Threat Protection (ATP) Plan 1 or ATP Plan 2 contain additional features that give admins more layers of security, control, and investigation.

Although we empower security administrators to customize their security settings, there are two security levels in EOP and Office 365 ATP that we recommend: Standard and Strict. Each customer's environment and needs are different, but we believe that these levels of mail filtering configurations will help prevent unwanted mail from reaching your employees' inbox in most situations.

Important

The junk email rule needs to be enabled on a mailbox in order for filtering to work properly. It's enabled by default, but you should check it if filtering does not seem to be working. For more information, see Configure junk email settings on Exchange Online mailboxes in Office 365.
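Since the junk email rule is a per-mailbox prerequisite for the filtering actions described on this page, the check below lists every user mailbox where it has been switched off. This is an added example, not part of the original article; it assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) and uses only the Get-Mailbox, Get-MailboxJunkEmailConfiguration and Set-MailboxJunkEmailConfiguration cmdlets.

```powershell
# Added example (not from the original article).
# Find user mailboxes whose junk email rule is disabled: for those mailboxes the
# MoveToJmf actions recommended below have no effect, so this is the first thing
# to verify when filtering "does not seem to be working".
$disabled = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Get-MailboxJunkEmailConfiguration |
    Where-Object { -not $_.Enabled }

if ($disabled) {
    # Show the affected mailboxes first
    $disabled | Select-Object Identity, Enabled | Format-Table -AutoSize

    # Re-enable the rule. -WhatIf only reports what would change; remove it to apply.
    $disabled | ForEach-Object {
        Set-MailboxJunkEmailConfiguration -Identity $_.Identity -Enabled $true -WhatIf
    }
} else {
    Write-Output 'Junk email rule is enabled on every user mailbox.'
}
```

Run it with -WhatIf first to review the list, then without it to turn the rule back on for the mailboxes it found.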

This topic describes these Microsoft-recommended settings to help protect your users.

Tip

There is a new PowerShell Module that you can download called the Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) that helps determine some of these settings. When run as an admin in your tenant, Get-ORCAReport will help generate an assessment of the anti-spam, anti-phish, and other message hygiene settings. You can download this module at https://www.powershellgallery.com/packages/ORCA/.

Anti-spam, anti-malware, and anti-phishing protection in EOP

Anti-spam, anti-malware, and anti-phishing are features of EOP that can be configured by admins. We recommend the following configurations.

EOP anti-spam policy settings

To create and configure anti-spam policies, see Configure anti-spam policies in Office 365.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Spam detection action (SpamAction) | Move message to Junk Email folder (MoveToJmf) | Quarantine message (Quarantine) | |
| High confidence spam detection action (HighConfidenceSpamAction) | Quarantine message (Quarantine) | Quarantine message (Quarantine) | |
| Phishing email detection action (PhishSpamAction) | Quarantine message (Quarantine) | Quarantine message (Quarantine) | |
| High confidence phishing email detection action (HighConfidencePhishAction) | Quarantine message (Quarantine) | Quarantine message (Quarantine) | |
| Bulk email detection action (BulkSpamAction) | Move message to Junk Email folder (MoveToJmf) | Quarantine message (Quarantine) | |
| Bulk email threshold (BulkThreshold) | 6 | 4 | The default value is currently 7, but we recommend that you change it to 6. For details, see Bulk complaint level (BCL) in Office 365. |
| Quarantine retention period (QuarantineRetentionPeriod) | 30 days | 30 days | |
| Safety Tips (InlineSafetyTipsEnabled) | On ($true) | On ($true) | |
| Allowed Senders (AllowedSenders) | None | None | |
| Allowed Sender Domains (AllowedSenderDomains) | None | None | Adding domains that you own (also known as accepted domains) to the allowed senders list is not required. In fact, it's considered high risk since it creates opportunities for bad actors to send you mail that would otherwise be filtered out. Use spoof intelligence in the Security & Compliance Center on the Anti-spam settings page to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains. |
| Blocked Senders (BlockedSenders) | None | None | |
| Blocked Sender Domains (BlockedSenderDomains) | None | None | |
| Enable end-user spam notifications (EnableEndUserSpamNotifications) | Enabled ($true) | Enabled ($true) | |
| Send end-user spam notifications every (days) (EndUserSpamNotificationFrequency) | 3 days | 3 days | |
| Spam ZAP (SpamZapEnabled) | Enabled ($true) | Enabled ($true) | |
| Phish ZAP (PhishZapEnabled) | Enabled ($true) | Enabled ($true) | |
| MarkAsSpamBulkMail | On | On | This setting is only available in PowerShell. |

There are several other Advanced Spam Filter (ASF) settings in anti-spam policies that are in the process of being deprecated. More information on the timelines for the deprecation of these features will be communicated outside of this topic.

We recommend that you turn these ASF settings Off for both Standard and Strict levels. For more information about ASF settings, see Advanced Spam Filter (ASF) settings in Office 365.

| Security feature name | PowerShell parameter |
|---|---|
| Image links to remote sites | IncreaseScoreWithImageLinks |
| Numeric IP address in URL | IncreaseScoreWithNumericIps |
| URL redirect to other port | IncreaseScoreWithRedirectToOtherPort |
| URL to .biz or .info websites | IncreaseScoreWithBizOrInfoUrls |
| Empty messages | MarkAsSpamEmptyMessages |
| JavaScript or VBScript in HTML | MarkAsSpamJavaScriptInHtml |
| Frame or IFrame tags in HTML | MarkAsSpamFramesInHtml |
| Object tags in HTML | MarkAsSpamObjectTagsInHtml |
| Embed tags in HTML | MarkAsSpamEmbedTagsInHtml |
| Form tags in HTML | MarkAsSpamFormTagsInHtml |
| Web bugs in HTML | MarkAsSpamWebBugsInHtml |
| Apply sensitive word list | MarkAsSpamSensitiveWordList |
| SPF record: hard fail | MarkAsSpamSpfRecordHardFail |
| Conditional Sender ID filtering: hard fail | MarkAsSpamFromAddressAuthFail |
| NDR backscatter | MarkAsSpamNdrBackscatter |
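The following script applies the anti-spam recommendations from the policy table above at either the Standard or the Strict level and, in the same call, turns every ASF setting listed here Off. It is an added example and not code from the original article; it assumes an Exchange Online PowerShell session and targets the built-in policy named Default (substitute your own policy name if you use custom anti-spam policies). All parameter names are the ones shown in the tables, passed to Set-HostedContentFilterPolicy.

```powershell
# Added example (not from the original article).
# Apply the Standard or Strict anti-spam baseline to one anti-spam policy and
# switch the deprecated ASF settings Off, as recommended for both levels.
param(
    [ValidateSet('Standard', 'Strict')]
    [string] $Level = 'Standard',
    [string] $PolicyName = 'Default'   # built-in policy; assumption, change as needed
)

# Settings that are identical at both levels
$common = @{
    Identity                         = $PolicyName
    HighConfidenceSpamAction         = 'Quarantine'
    PhishSpamAction                  = 'Quarantine'
    HighConfidencePhishAction        = 'Quarantine'
    QuarantineRetentionPeriod        = 30
    InlineSafetyTipsEnabled          = $true
    EnableEndUserSpamNotifications   = $true
    EndUserSpamNotificationFrequency = 3
    SpamZapEnabled                   = $true
    PhishZapEnabled                  = $true
    MarkAsSpamBulkMail               = 'On'
}

# Settings where Standard and Strict differ
$perLevel = @{
    Standard = @{ SpamAction = 'MoveToJmf';  BulkSpamAction = 'MoveToJmf';  BulkThreshold = 6 }
    Strict   = @{ SpamAction = 'Quarantine'; BulkSpamAction = 'Quarantine'; BulkThreshold = 4 }
}
$levelSettings = $perLevel[$Level]

# Every ASF setting in the table above, recommended Off at both levels
$asfOff = @{}
foreach ($parameter in 'IncreaseScoreWithImageLinks', 'IncreaseScoreWithNumericIps',
         'IncreaseScoreWithRedirectToOtherPort', 'IncreaseScoreWithBizOrInfoUrls',
         'MarkAsSpamEmptyMessages', 'MarkAsSpamJavaScriptInHtml', 'MarkAsSpamFramesInHtml',
         'MarkAsSpamObjectTagsInHtml', 'MarkAsSpamEmbedTagsInHtml', 'MarkAsSpamFormTagsInHtml',
         'MarkAsSpamWebBugsInHtml', 'MarkAsSpamSensitiveWordList', 'MarkAsSpamSpfRecordHardFail',
         'MarkAsSpamFromAddressAuthFail', 'MarkAsSpamNdrBackscatter') {
    $asfOff[$parameter] = 'Off'
}

# One call, three splatted hashtables
Set-HostedContentFilterPolicy @common @levelSettings @asfOff

# Read the policy back so the change can be verified (and logged) after the run
Get-HostedContentFilterPolicy -Identity $PolicyName |
    Select-Object Name, SpamAction, BulkSpamAction, BulkThreshold, MarkAsSpamBulkMail,
                  IncreaseScoreWithImageLinks, MarkAsSpamSpfRecordHardFail
```

Allowed and blocked sender lists are intentionally left untouched: the table recommends None for both, and clearing them from a script would silently drop any entries an admin added on purpose.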

EOP outbound spam policy settings

To create and configure outbound spam policies, see Configure outbound spam filtering in Office 365.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Maximum number of recipients per user: External hourly limit (RecipientLimitExternalPerHour) | 500 | 400 | |
| Maximum number of recipients per user: Internal hourly limit (RecipientLimitInternalPerHour) | 1000 | 800 | |
| Maximum number of recipients per user: Daily limit (RecipientLimitPerDay) | 1000 | 800 | |
| Action when a user exceeds the limits (ActionWhenThresholdReached) | Restrict the user from sending mail (BlockUser) | Restrict the user from sending mail (BlockUser) | |
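Outbound limits are a control against a compromised mailbox being used to spam or phish from your tenant, so it is worth knowing which policies drift from the chosen level before changing them. The script below, an added example rather than the article's own code, first reports every outbound spam policy whose values differ from the Standard or Strict recommendation and then applies the recommendation to the Default policy. It assumes an Exchange Online PowerShell session and uses Get-HostedOutboundSpamFilterPolicy and Set-HostedOutboundSpamFilterPolicy with the parameters in the table.

```powershell
# Added example (not from the original article).
# Report drift from the recommended outbound limits, then apply them.
param(
    [ValidateSet('Standard', 'Strict')]
    [string] $Level = 'Standard'
)

$recommended = @{
    Standard = @{
        RecipientLimitExternalPerHour = 500
        RecipientLimitInternalPerHour = 1000
        RecipientLimitPerDay          = 1000
        ActionWhenThresholdReached    = 'BlockUser'
    }
    Strict = @{
        RecipientLimitExternalPerHour = 400
        RecipientLimitInternalPerHour = 800
        RecipientLimitPerDay          = 800
        ActionWhenThresholdReached    = 'BlockUser'
    }
}
$settings = $recommended[$Level]

# Drift report across all outbound policies (custom policies included).
# A limit of 0 means the service default is in effect, so it shows up as drift too.
foreach ($policy in Get-HostedOutboundSpamFilterPolicy) {
    foreach ($name in $settings.Keys) {
        if ("$($policy.$name)" -ne "$($settings[$name])") {
            [pscustomobject]@{
                Policy      = $policy.Name
                Setting     = $name
                Current     = $policy.$name
                Recommended = $settings[$name]
            }
        }
    }
}

# Apply the chosen level to the built-in policy (assumption: the policy is named Default)
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' @settings
```

Keep the drift report in a scheduled job: a policy that quietly reverts to the service defaults is exactly the kind of change you want flagged, not discovered during an incident.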

EOP anti-malware policy settings

To create and configure anti-malware policies, see Configure anti-malware policies in Office 365.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Do you want to notify recipients if their messages are quarantined? (Action) | No (DeleteMessage) | No (DeleteMessage) | If malware is detected in an email attachment, the message is quarantined and can be released only by an admin. |
| Common Attachment Types Filter (EnableFileFilter) | On ($true) | On ($true) | This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content. |
| Malware Zero-hour Auto Purge (ZapEnabled) | On ($true) | On ($true) | |
| Notify internal senders of the undelivered message (EnableInternalSenderNotifications) | Disabled ($false) | Disabled ($false) | |
| Notify external senders of the undelivered message (EnableExternalSenderNotifications) | Disabled ($false) | Disabled ($false) | |
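Because the anti-malware recommendations are the same at both levels, they can be expressed as a single baseline hashtable and applied to every anti-malware policy in the tenant. The example below is added here and is not the article's code; it assumes an Exchange Online PowerShell session and uses Get-MalwareFilterPolicy and Set-MalwareFilterPolicy with the parameters from the table. The sender-notification settings are disabled because a bounce to an external sender confirms a live address and tells a sender that their payload was detected.

```powershell
# Added example (not from the original article).
# Apply the recommended anti-malware settings to every anti-malware policy.
$baseline = @{
    Action                            = 'DeleteMessage'  # quarantine, release only by an admin
    EnableFileFilter                  = $true            # Common Attachment Types Filter
    ZapEnabled                        = $true            # Malware Zero-hour Auto Purge
    EnableInternalSenderNotifications = $false
    EnableExternalSenderNotifications = $false
}

foreach ($policy in Get-MalwareFilterPolicy) {
    # Only touch policies that actually deviate, so the change log stays meaningful
    $deviates = $false
    foreach ($name in $baseline.Keys) {
        if ("$($policy.$name)" -ne "$($baseline[$name])") { $deviates = $true }
    }
    if ($deviates) {
        Write-Output "Updating anti-malware policy '$($policy.Name)'"
        Set-MalwareFilterPolicy -Identity $policy.Identity @baseline
    }
}

# Confirm the end state for all policies
Get-MalwareFilterPolicy |
    Select-Object Name, Action, EnableFileFilter, ZapEnabled,
                  EnableInternalSenderNotifications, EnableExternalSenderNotifications
```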

EOP default anti-phishing policy settings

For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies in EOP.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Enable anti-spoofing protection (EnableAntispoofEnforcement) | On ($true) | On ($true) | |
| Enable Unauthenticated Sender (EnableUnauthenticatedSender) | On ($true) | On ($true) | Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Spoof settings in anti-phishing policies. |
| If email is sent by someone who's not allowed to spoof your domain (AuthenticationFailAction) | Move message to the recipients' Junk Email folders (MoveToJmf) | Quarantine the message (Quarantine) | This applies to blocked senders in spoof intelligence. |
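The three spoof settings above are applied through Set-AntiPhishPolicy. The script below is an added example, not the article's own code; it assumes an Exchange Online PowerShell session and that the built-in anti-phishing policy is named "Office365 AntiPhish Default" (pass -PolicyName to target a custom policy). Only the AuthenticationFailAction differs between Standard and Strict.

```powershell
# Added example (not from the original article).
# Apply the EOP spoof settings at the Standard or Strict level.
param(
    [ValidateSet('Standard', 'Strict')]
    [string] $Level = 'Standard',
    [string] $PolicyName = 'Office365 AntiPhish Default'   # built-in policy name; assumption
)

# Action for messages from senders not allowed to spoof your domains
$failAction = @{
    Standard = 'MoveToJmf'
    Strict   = 'Quarantine'
}

Set-AntiPhishPolicy -Identity $PolicyName `
    -EnableAntispoofEnforcement  $true `
    -EnableUnauthenticatedSender $true `
    -AuthenticationFailAction    $failAction[$Level]

# Verify: all three values should now match the table for the chosen level
Get-AntiPhishPolicy -Identity $PolicyName |
    Select-Object Name, EnableAntispoofEnforcement, EnableUnauthenticatedSender, AuthenticationFailAction
```

Before moving from MoveToJmf to Quarantine, review the spoof intelligence insight in the Security & Compliance Center as the Allowed Sender Domains comment recommends, so that legitimate third-party senders (newsletter or ticketing services that send as your domain) are allowed explicitly rather than quarantined.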

Office 365 Advanced Threat Protection security

Additional security benefits come with an Office 365 Advanced Threat Protection (ATP) subscription. For the latest news and information, you can see What's new in Office 365 ATP.

Office 365 ATP includes the Safe Attachment and Safe Links policies to prevent email with potentially malicious attachments from being delivered, and to keep users from clicking potentially unsafe URLs.

Important

Advanced anti-phishing is one of the benefits of an Office 365 ATP subscription. Although it's enabled by default, you must configure at least one anti-phishing policy before it can start filtering mail. Forgetting to configure anti-phishing policies could expose users to risky emails. Be sure to configure your anti-phishing policies after you add an Office 365 ATP subscription.

If you've added an Office 365 ATP subscription to your EOP, set the following configurations.

Office ATP anti-phishing policy settings

EOP customers get basic anti-phishing as previously described, but Office 365 ATP includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see Configure ATP anti-phishing policies in Office 365.

Impersonation settings in ATP anti-phishing policies

For more information about these settings, see Impersonation settings in ATP anti-phishing policies. To configure these settings, see Configure ATP anti-phishing policies.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Protected users: Add users to protect (EnableTargetedUserProtection, TargetedUsersToProtect) | On ($true, \<list of users\>) | On ($true, \<list of users\>) | Depends on your organization, but we recommend adding users in key roles. Internally, these might be your CEO, CFO, and other senior leaders. Externally, these could include council members or your board of directors. |
| Protected domains: Automatically include the domains I own (EnableOrganizationDomainsProtection) | On ($true) | On ($true) | |
| Protected domains: Include custom domains (EnableTargetedDomainsProtection, TargetedDomainsToProtect) | On ($true, \<list of domains\>) | On ($true, \<list of domains\>) | Depends on your organization, but we recommend adding domains you frequently interact with that you don't own. |
| Protected users: If email is sent by an impersonated user (TargetedUserProtectionAction) | Quarantine the message (Quarantine) | Quarantine the message (Quarantine) | |
| Protected domains: If email is sent by an impersonated domain (TargetedDomainProtectionAction) | Quarantine the message (Quarantine) | Quarantine the message (Quarantine) | |
| Show tip for impersonated users (EnableSimilarUsersSafetyTips) | On ($true) | On ($true) | |
| Show tip for impersonated domains (EnableSimilarDomainsSafetyTips) | On ($true) | On ($true) | |
| Show tip for unusual characters (EnableUnusualCharactersSafetyTips) | On ($true) | On ($true) | |
| Enable Mailbox intelligence? (EnableMailboxIntelligence) | On ($true) | On ($true) | |
| Enable Mailbox intelligence based impersonation protection? (EnableMailboxIntelligenceProtection) | On ($true) | On ($true) | |
| If email is sent by an impersonated user protected by mailbox intelligence (MailboxIntelligenceProtectionAction) | Move message to the recipients' Junk Email folders (MoveToJmf) | Quarantine the message (Quarantine) | |
| Trusted senders (ExcludedSenders) | None | None | Depends on your organization, but we recommend adding users that incorrectly get marked as phish due to impersonation only and not other filters. |
| Trusted domains (ExcludedDomains) | None | None | Depends on your organization, but we recommend adding domains that incorrectly get marked as phish due to impersonation only and not other filters. |

Spoof settings in ATP anti-phishing policies

Note that these are the same settings that are available in anti-spam policy settings in EOP.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Enable anti-spoofing protection (EnableAntispoofEnforcement) | On ($true) | On ($true) | |
| Enable Unauthenticated Sender (EnableUnauthenticatedSender) | On ($true) | On ($true) | Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Spoof settings in anti-phishing policies. |
| If email is sent by someone who's not allowed to spoof your domain (AuthenticationFailAction) | Move message to the recipients' Junk Email folders (MoveToJmf) | Quarantine the message (Quarantine) | This applies to blocked senders in spoof intelligence. |

Advanced settings in ATP anti-phishing policies

For more information about this setting, see Advanced phishing thresholds in ATP anti-phishing policies. To configure this setting, see Configure ATP anti-phishing policies.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Advanced phishing thresholds (PhishThresholdLevel) | 2 - Aggressive (2) | 3 - More aggressive (3) | |
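The impersonation, mailbox intelligence and advanced threshold settings from the three ATP anti-phishing tables above all live on the same Set-AntiPhishPolicy cmdlet, so they can be applied in one call. The script below is an added example, not code from the article; it assumes an Exchange Online PowerShell session with an ATP subscription, that the default policy is named "Office365 AntiPhish Default", and it uses constructed placeholder users and domains (contoso.example, partner.example) that you must replace. TargetedUsersToProtect entries use the "DisplayName;EmailAddress" format that the parameter expects; the spoof settings are not repeated here because they are the same ones shown for EOP.

```powershell
# Added example (not from the original article).
# Apply the ATP impersonation, mailbox intelligence and phishing threshold
# recommendations at the Standard or Strict level.
param(
    [ValidateSet('Standard', 'Strict')]
    [string] $Level = 'Standard',
    [string] $PolicyName = 'Office365 AntiPhish Default'   # built-in ATP policy; assumption
)

# Constructed placeholders: key internal roles and external partners to protect
$protectedUsers = @(
    'Jane Doe;jane.doe@contoso.example',      # e.g. CEO
    'John Roe;john.roe@contoso.example'       # e.g. CFO
)
$protectedDomains = @('partner.example')      # frequently used domains you do not own

# Settings identical at both levels
$common = @{
    Identity                            = $PolicyName
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $protectedDomains
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    # Trusted senders/domains stay empty (None); add only entries that are
    # flagged by impersonation alone, as the table's comment advises.
    ExcludedSenders                     = $null
    ExcludedDomains                     = $null
}

# Settings that differ between the two levels
$perLevel = @{
    Standard = @{ MailboxIntelligenceProtectionAction = 'MoveToJmf';  PhishThresholdLevel = 2 }
    Strict   = @{ MailboxIntelligenceProtectionAction = 'Quarantine'; PhishThresholdLevel = 3 }
}
$levelSettings = $perLevel[$Level]

Set-AntiPhishPolicy @common @levelSettings

# Verify the result
Get-AntiPhishPolicy -Identity $PolicyName |
    Select-Object Name, EnableTargetedUserProtection, TargetedUsersToProtect,
                  TargetedDomainsToProtect, MailboxIntelligenceProtectionAction, PhishThresholdLevel
```

Raising PhishThresholdLevel to 3 (Strict) increases the chance of false positives on legitimate mail that merely resembles a phish; roll it out with the Standard value first and watch the quarantine and user-reported false positives before tightening.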

To configure these settings, see Set up Office 365 ATP Safe Links policies.

Note: In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Use Safe Links in: Office 365 applications (EnableSafeLinksForO365Clients) | On ($true) | On ($true) | Use ATP Safe Links in Office 365 Apps, Office for iOS and Android. |
| Do not track when users click safe links (TrackClicks) | Off ($true) | Off ($true) | |
| Do not let users click through safe links to original URL (AllowClickThrough) | On ($false) | On ($false) | |

Note: In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for these settings.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Select the action for unknown potentially malicious URLs in messages (IsEnabled) | On ($true) | On ($true) | |
| Select the action for unknown or potentially malicious URLs within Microsoft Teams (EnableSafeLinksForTeams) | On ($true) | On ($true) | |
| Apply real-time URL scanning for suspicious links and links that point to files (ScanUrls) | On ($true) | On ($true) | |
| Wait for URL scanning to complete before delivering the message (DeliverMessageAfterScan) | On ($true) | On ($true) | |
| Apply safe links to email messages sent within the organization (EnableForInternalSenders) | On ($true) | On ($true) | |
| Do not track when users click safe links (DoNotTrackUserClicks) | Off ($false) | Off ($false) | |
| Do not let users click through safe links to original URL (DoNotAllowClickThrough) | On ($true) | On ($true) | |
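The two Safe Links tables above map onto two different cmdlets: the tenant-wide settings go through Set-AtpPolicyForO365, and the per-recipient settings through a Safe Links policy plus the rule that scopes it. The script below is an added example, not the article's own code; it assumes an Exchange Online PowerShell session with an ATP subscription, a constructed policy name ("Recommended Safe Links") and a placeholder recipient domain (contoso.example) that you must replace. Standard and Strict are identical for Safe Links, so there is no level switch. Note the inverted parameter naming: the UI setting "Do not track when users click" is Off, which is TrackClicks $true on the tenant policy but DoNotTrackUserClicks $false on the Safe Links policy.

```powershell
# Added example (not from the original article).
# Apply the recommended Safe Links settings tenant-wide and for a recipient domain.

# 1. Tenant-wide settings (Set-AtpPolicyForO365)
Set-AtpPolicyForO365 `
    -EnableSafeLinksForO365Clients $true `
    -TrackClicks                   $true `   # UI: "Do not track" = Off
    -AllowClickThrough             $false    # UI: "Do not let users click through" = On

# 2. Safe Links policy for specific recipients (New-/Set-SafeLinksPolicy)
$policyName      = 'Recommended Safe Links'   # constructed name; assumption
$recipientDomain = 'contoso.example'          # placeholder; use your accepted domain

$policySettings = @{
    IsEnabled                = $true
    EnableSafeLinksForTeams  = $true
    ScanUrls                 = $true
    DeliverMessageAfterScan  = $true
    EnableForInternalSenders = $true
    DoNotTrackUserClicks     = $false   # keep click telemetry for investigations
    DoNotAllowClickThrough   = $true    # no bypass of the warning page
}

if (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    # Policy exists: bring it in line with the recommendation
    Set-SafeLinksPolicy -Identity $policyName @policySettings
} else {
    # Create the policy and the rule that applies it to the domain's recipients
    New-SafeLinksPolicy -Name $policyName @policySettings | Out-Null
    New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName -RecipientDomainIs $recipientDomain | Out-Null
}

# Verify both layers
Get-AtpPolicyForO365 | Select-Object EnableSafeLinksForO365Clients, TrackClicks, AllowClickThrough
Get-SafeLinksPolicy -Identity $policyName |
    Select-Object Name, IsEnabled, EnableSafeLinksForTeams, ScanUrls, DeliverMessageAfterScan,
                  EnableForInternalSenders, DoNotTrackUserClicks, DoNotAllowClickThrough
```

Keeping click tracking on is a detection decision as much as a policy one: the click records are what let you find out who followed a link after a campaign is identified and a URL is retroactively flagged.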

ATP Safe Attachments policy settings

To configure these settings, see Set up Office 365 ATP Safe Attachments policies.

Safe Attachments policy settings in the default policy for all users

Note: In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Turn on ATP for SharePoint, OneDrive, and Microsoft Teams (EnableATPForSPOTeamsODB) | On ($true) | On ($true) | |
| Turn on Safe Documents for Office clients (EnableSafeDocs) | On ($true) | On ($true) | This setting is only available with Microsoft 365 E5 or Microsoft 365 E5 Security licenses. For more information, see Safe Documents in Office 365 Advanced Threat Protection. |
| Allow people to click through Protected View even if Safe Documents identified the file as malicious (AllowSafeDocsOpen) | Off ($false) | Off ($false) | |

Safe Attachments policy settings in custom policies for specific users

Note: In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.

| Security feature name | Standard | Strict | Comment |
|---|---|---|---|
| Safe Attachments unknown malware response (Action) | Block (Block) | Block (Block) | |
| Redirect attachment on detection: Enable redirect (Redirect, RedirectAddress) | On and specify an email address ($true, an email address) | On and specify an email address ($true, an email address) | Redirect messages to a security admin for review. |
| Apply the above selection if malware scanning for attachments times out or error occurs (ActionOnError) | On ($true) | On ($true) | |
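As with Safe Links, the Safe Attachments recommendations split across the tenant-wide Set-AtpPolicyForO365 settings and a per-recipient policy with its rule. The script below is an added example, not code from the article; it assumes an Exchange Online PowerShell session with an ATP subscription, a constructed policy name ("Recommended Safe Attachments"), a placeholder recipient domain (contoso.example) and a placeholder redirect mailbox (secops@contoso.example) that you must replace. Safe Documents additionally requires the E5 licensing noted in the table, so that call is separate and can be skipped where the license is absent.

```powershell
# Added example (not from the original article).
# Apply the recommended Safe Attachments settings tenant-wide and for a recipient domain.

# 1. Tenant-wide settings (Set-AtpPolicyForO365)
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Documents needs Microsoft 365 E5 / E5 Security; comment out if not licensed
Set-AtpPolicyForO365 -EnableSafeDocs $true -AllowSafeDocsOpen $false

# 2. Safe Attachments policy for specific recipients (New-/Set-SafeAttachmentPolicy)
$policyName      = 'Recommended Safe Attachments'   # constructed name; assumption
$recipientDomain = 'contoso.example'                # placeholder; use your accepted domain
$redirectTo      = 'secops@contoso.example'         # placeholder security admin mailbox

$policySettings = @{
    Action          = 'Block'        # unknown malware response
    Redirect        = $true          # send detected messages to a reviewer
    RedirectAddress = $redirectTo
    ActionOnError   = $true          # same action when scanning times out or errors
}

if (Get-SafeAttachmentPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-SafeAttachmentPolicy -Identity $policyName @policySettings
} else {
    New-SafeAttachmentPolicy -Name $policyName @policySettings | Out-Null
    New-SafeAttachmentRule -Name $policyName -SafeAttachmentPolicy $policyName -RecipientDomainIs $recipientDomain | Out-Null
}

# Verify both layers
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB, EnableSafeDocs, AllowSafeDocsOpen
Get-SafeAttachmentPolicy -Identity $policyName | Select-Object Name, Action, Redirect, RedirectAddress, ActionOnError
```

The redirect mailbox should be one your security team actually monitors and that is itself protected by these policies; it receives the detonated-as-malicious messages, so treat its contents as untrusted evidence rather than mail to be opened casually.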
  • Are you looking for best practices with Exchange Mail Flow / Exchange Transport Rules? Please see this article for details.

  • Admins and users can submit false positives (good email marked as bad) and false negatives (bad email allowed) to Microsoft for analysis. For more information, see Report messages and files to Microsoft.

  • Use these links for info on how to set up your EOP service, and configure Office 365 Advanced Threat Protection. (Don't forget to see the helpful directions in 'Protect Against Threats in Office 365'.)

  • Security baselines for Windows can be found here for GPO/on-premises options, and for Intune-based security, here. Finally, a comparison between Microsoft Defender Advanced Threat Protection (ATP) and Windows Intune security baselines can be found here.