Training
Module
This module examines how to manage Safe Links in your tenant by creating and configuring policies and using transport rules to disable a policy from taking effect in certain scenarios. MS-102
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spam by EOP. EOP uses anti-spam policies (also known as spam filter policies or content filter policies) as part of your organization's overall defense against spam. For more information, see Anti-spam protection.
The default anti-spam policy automatically applies to all recipients in the organization. For greater granularity, you can also create custom anti-spam policies that apply to specific users, groups, or domains.
Tip
Instead of creating and managing custom anti-spam policies, we typically recommend turning on and adding all users to the Standard and/or Strict preset security policies. For more information, see Configure protection policies.
To understand how threat protection works in Microsoft Defender for Office 365, see Step-by-step threat protection in Microsoft Defender for Office 365.
You can configure anti-spam policies in the Microsoft Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
Tip
As a companion to this article, see our Security Analyzer setup guide to review best practices and learn to fortify defenses, improve compliance, and navigate the cybersecurity landscape with confidence. For a customized experience based on your environment, you can access the Security Analyzer automated setup guide in the Microsoft 365 admin center.
You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell): Authorization and settings/Security settings/Core Security settings (manage) or Authorization and settings/Security settings/Core Security settings (read).
Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
For our recommended settings for anti-spam policies, see EOP anti-spam policy settings.
Tip
Settings in the default or custom anti-spam policies are ignored if a recipient is also included in the Standard or Strict preset security policies. For more information, see Order and precedence of email protection.
You can't completely turn off spam filtering, but you can use Exchange mail flow rules (also known as transport rules) to bypass most spam filtering on incoming messages (for example, if you route email through a third-party protection service or device before delivery to Microsoft 365). For more information, see Use mail flow rules to set the spam confidence level (SCL) in messages.
End-user spam notifications in anti-spam policies are replaced by quarantine notifications in quarantine policies. Quarantine notifications contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts). For more information, see Anatomy of a quarantine policy.
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
On the Anti-spam policies page, select Create policy and then select Inbound from the dropdown list to start the new anti-spam policy wizard.
On the Name your policy page, configure these settings:
When you're finished on the Name your policy page, select Next.
On the Users, groups, and domains page, identify the internal recipients that the policy applies to (recipient conditions):
Users: The specified mailboxes, mail users, mail contacts or mail enabled public folders.
Groups:
Domains: All recipients in the organization with a primary email address in the specified accepted domain.
Tip
Subdomains are automatically included unless you specifically exclude them. For example, a policy that includes contoso.com also includes marketing.contoso.com unless you exclude marketing.contoso.com.
Click in the appropriate box, start typing a value, and then select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select the remove icon next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (*) by itself to see all available values.
You can use a condition only once, but the condition can contain multiple values:
Multiple values of the same condition use OR logic (for example, <recipient1> or <recipient2>). If the recipient matches any of the specified values, the policy is applied to them.
Different types of conditions use AND logic. The recipient must match all of the specified conditions for the policy to apply to them. For example, you configure a condition with the following values:
Users: romain@contoso.com
Groups: Executives
The policy is applied to romain@contoso.com only if he's also a member of the Executives group. Otherwise, the policy isn't applied to him.
Exclude these users, groups, and domains: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions.
You can use an exception only once, but the exception can contain multiple values:
When you're finished on the Users, groups, and domains page, select Next.
On the Bulk email threshold & spam properties page, configure the following settings:
Bulk email threshold section: The slider specifies the bulk complaint level (BCL) of a message that must be met or exceeded to trigger the specified action for the Bulk compliant level (BCL) met or exceeded spam filtering verdict that you configure on the next page. A higher value indicates the message is less desirable (more likely to resemble spam). For more information about BCL, see Bulk complaint level (BCL) in EOP.
Spam properties section:
Increase spam score, Mark as spam* and Test mode: Advanced Spam Filter (ASF) settings that are turned off by default.
For details about these settings, see Advanced Spam Filter settings in EOP.
* The Contains specific languages and From these countries settings aren't part of ASF.
Contains specific languages: Select On or Off from the dropdown list. If you turn it on, a box appears. Start typing the name of a language in the box. A filtered list of supported languages appears. When you find the language that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, select the remove icon next to the value.
From these countries: Select On or Off from the dropdown list. If you turn it on, a box appears. Start typing the name of a country/region in the box. A filtered list of supported countries/regions appears. When you find the country/region that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, select the remove icon next to the value.
When you're finished on the Bulk email threshold & spam properties page, select Next.
On the Actions page, configure the following settings:
Message actions section: Review or select the action to take on messages based on the spam filtering verdicts:
The available actions for spam filtering verdicts are described in Actions in anti-spam policies.
Tip
If the spam filtering verdict quarantines messages by default (Quarantine message is already selected when you get to the page), the default quarantine policy name is shown in the Select quarantine policy box. If you change the action of a spam filtering verdict to Quarantine message, the Select quarantine policy box is blank by default. A blank value means the default quarantine policy for that verdict is used. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown. For more information about the quarantine policies that are used by default for spam filter verdicts, see EOP anti-spam policy settings.
For High confidence phishing, the Move message to Junk Email folder action is effectively deprecated. Although you might be able to select the Move message to Junk Email folder action, high confidence phishing messages are always quarantined (equivalent to selecting Quarantine message).
Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined high confidence phishing messages.
Intra-Organizational messages to take action on: Controls whether spam filtering and the corresponding verdict actions are applied to internal messages (messages sent between users within the organization). The available values are:
Retain spam in quarantine for this many days: Specifies how long to keep the message in quarantine if you selected Quarantine message as the action for a spam filtering verdict. After the time period expires, the message is deleted, and isn't recoverable. A valid value is from 1 to 30 days.
Tip
The default value is 15 days in anti-spam policies that you create in PowerShell. The default value is 30 days in anti-spam policies that you create in the Microsoft Defender portal.
This setting also controls how long messages that were quarantined by anti-phishing policies are retained. For more information, see Quarantine retention.
Add this X-header text: This box is required and available only if you selected Add X-header as the action for a spam filtering verdict. The value you specify is the header field name that's added to the message header. The header field value is always This message appears to be spam.
The maximum length is 255 characters, and the value can't contain spaces or colons (:).
For example, if you enter the value X-This-is-my-custom-header, the X-header that's added to the message is X-This-is-my-custom-header: This message appears to be spam.
If you enter a value that contains spaces or colons (:), the value you enter is ignored, and the default X-header is added to the message (X-This-Is-Spam: This message appears to be spam.).
Prepend subject line with this text: This box is required and available only if you selected Prepend subject line with text as the action for a spam filtering verdict. Enter the text to add to the beginning of the message's subject line.
Redirect to this email address: This box is required and available only if you selected the Redirect message to email address as the action for a spam filtering verdict. Enter the email address where you want to deliver the message. You can enter multiple values separated by semicolons (;).
Safety Tips section: By default, Enable Safety Tips is selected, but you can disable Safety Tips by clearing the check box.
Zero-hour auto purge (ZAP) section:
When you're finished on the Actions page, select Next.
On the Allow & block list page, you can configure message senders by email address or email domain who are allowed to skip spam filtering.
In the Allowed section, you can configure allowed senders and allowed domains. In the Blocked section, you can add blocked senders and blocked domains.
The maximum limit for these lists is approximately 1,000 entries, but you can enter only 30 entries in the Defender portal. Use Exchange Online PowerShell to add more than 30 entries.
Important
The functionality of these lists has largely been replaced by the Tenant Allow/Block List. For important information, see Allow and block list in anti-spam policies.
The steps to add entries to any of the lists are the same:
Select the link for the list that you want to configure:
In the flyout that opens, do the following steps:
When you're finished in the Add senders or Add domains flyout, select Add senders or Add domains.
Back on the first flyout, the senders or domains that you added are listed.
To change the list of entries from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.
Use the Search box to find entries on the flyout.
To add entries, select Add senders or Add domains and repeat the previous steps.
To remove entries, do either of the following steps:
When you're finished on the flyout, select Done to return to the Allow & block list page.
When you're finished on the Allow & block list page, select Next.
On the Review page, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or the specific page in the wizard.
When you're finished on the Review page, select Create.
On the New anti-spam policy created page, you can select the links to view the policy, view anti-spam policies, and learn more about anti-spam policies.
When you're finished on the New anti-spam policy created page, select Done.
Back on the Anti-spam policies page, the new policy is listed.
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
On the Anti-spam policies page, the following properties are displayed in the list of policies:
To change the list of policies from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.
Use the Search box and a corresponding value to find specific policies.
Select an anti-spam policy by clicking anywhere in the row other than the check box next to the name to open the details flyout for the policy.
Tip
To see details about other anti-spam policies without leaving the details flyout, use Previous item and Next item at the top of the flyout.
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the Policies section. Or, to go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
On the Anti-spam policies page, select the anti-spam policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all of the following actions are available in the details flyout that opens:
The actions are described in the following subsections.
After you select the default anti-spam policy or a custom policy by clicking anywhere in the row other than the check box next to the name, the policy settings are shown in the details flyout that opens. Select Edit in each section to modify the settings within the section. For more information about the settings, see the Create anti-spam policies section earlier in this article.
For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy.
For the anti-spam policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with preset security policies, you can't modify the policy settings in the details flyout. Instead, you select View preset security policies in the details flyout to go to the Preset security policies page at https://security.microsoft.com/presetSecurityPolicies to modify the preset security policies.
Tip
The bulk senders insight is currently in Preview, isn't available in all organizations, and is subject to change.
If you select Edit spam threshold and properties at the bottom of the Bulk email threshold & spam properties section in the details flyout of the default anti-spam policy or a custom anti-spam policy, the Bulk email threshold section contains the bulk senders insight: information about the number of messages that were detected as bulk at all BCL levels by all anti-spam policies over the last 60 days.
By default, the bulk senders insight shows the number of messages that were delivered and identified as bulk at the current BCL threshold of the anti-spam policy.
If you decrease the bulk email threshold value, the bulk senders insight changes to show how many fewer messages would be delivered and how many more messages would be identified as bulk. The insight also shows how many bulk message identifications are likely to be false positives (good email identified as bad).
If you increase the bulk email threshold value, the bulk senders insight changes to show how many more messages would be delivered and how many fewer messages would be identified as bulk. The insight also shows how many bulk message identifications are likely to be false negatives (bad email delivered).
Selecting View bulk senders insight takes you to the main Bulk sender insights page. For more information, see Bulk senders insight in Exchange Online Protection.
You can't disable the default anti-spam policy (it's always enabled).
You can't enable or disable the anti-spam policies that are associated with Standard and Strict preset security policies. You enable or disable the Standard or Strict preset security policies on the Preset security policies page at https://security.microsoft.com/presetSecurityPolicies.
After you select an enabled custom anti-spam policy (the Status value is On) by clicking anywhere in the row other than the check box next to the name, select Turn off at the top of the policy details flyout.
After you select a disabled custom anti-spam policy (the Status value is Off) by clicking anywhere in the row other than the check box next to the name, select Turn on at the top of the policy details flyout.
When you're finished in the policy details flyout, select Close.
On the Anti-spam policies page, the Status value of the policy is now On or Off.
Anti-spam policies are processed in the order that they're displayed on the Anti-spam policies page:
Anti-spam protection stops for a recipient after the first policy is applied (the highest priority policy for that recipient). For more information, see Order and precedence of email protection.
After you select the custom anti-spam policy by clicking anywhere in the row other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:
When you're finished in the policy details flyout, select Close.
Back on the Anti-spam policies page, the order of the policy in the list matches the updated Priority value.
You can't remove the default anti-spam policy or the anti-spam policies named Standard Preset Security Policy and Strict Preset Security Policy that are associated with preset security policies.
After you select the custom anti-spam policy by clicking anywhere in the row other than the check box next to the name, select Delete policy at the top of the flyout, and then select Yes in the warning dialog that opens.
On the Anti-spam policies page, the deleted policy is no longer listed.
In PowerShell, the basic elements of an anti-spam policy are:
The difference between these two elements isn't obvious when you manage anti-spam policies in the Microsoft Defender portal:
In Exchange Online PowerShell, the difference between spam filter policies and spam filter rules is apparent. You manage spam filter policies by using the *-HostedContentFilterPolicy cmdlets, and you manage spam filter rules by using the *-HostedContentFilterRule cmdlets.
A significant setting that's available only in PowerShell is the MarkAsSpamBulkMail parameter that's On by default. The effects of this setting are explained in the Create anti-spam policies section earlier in this article.
Creating an anti-spam policy in PowerShell is a two-step process:
Note
$false on the New-HostedContentFilterRule cmdlet).
To create a spam filter policy, connect to Exchange Online PowerShell and use this syntax:
New-HostedContentFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] <Additional Settings>
This example creates a spam filter policy named Contoso Executives with the following settings:
New-HostedContentFilterPolicy -Name "Contoso Executives" -HighConfidenceSpamAction Quarantine -SpamAction Quarantine -BulkThreshold 6
For detailed syntax and parameter information, see New-HostedContentFilterPolicy.
Tip
For detailed instructions to specify the quarantine policy to use in a spam filter policy, see Use PowerShell to specify the quarantine policy in anti-spam policies.
To create a spam filter rule, connect to Exchange Online PowerShell and use this syntax:
New-HostedContentFilterRule -Name "<RuleName>" -HostedContentFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]
This example creates a new spam filter rule named Contoso Executives with these settings:
New-HostedContentFilterRule -Name "Contoso Executives" -HostedContentFilterPolicy "Contoso Executives" -SentToMemberOf "Contoso Executives Group"
For detailed syntax and parameter information, see New-HostedContentFilterRule.
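The two steps above combined into one staged rollout, as an added example that is not part of the original article: the rule is created disabled, both objects are read back, and the rule is enabled only if the settings match. It assumes a connected Exchange Online PowerShell session; the X-header name is a constructed sample value and Test-SpamXHeaderName is a hypothetical helper.

```powershell
# Added example (not from the original article). Assumes a connected
# Exchange Online PowerShell session. Names and header are sample values.
$PolicyName  = 'Contoso Executives'
$GroupName   = 'Contoso Executives Group'
$XHeaderName = 'X-Contoso-Bulk-Verdict'   # constructed sample header name

function Test-SpamXHeaderName {
    # Hypothetical helper. Rule stated in this article: at most 255 characters
    # and no spaces or colons. A value that breaks the rule is ignored and the
    # default X-This-Is-Spam header is added instead.
    param([Parameter(Mandatory)][string]$Name)
    return ($Name.Length -le 255) -and ($Name -notmatch '[ :]')
}

if (-not (Test-SpamXHeaderName -Name $XHeaderName)) {
    throw "X-header name '$XHeaderName' would be ignored in favor of X-This-Is-Spam."
}

# Step 1: the spam filter policy (the settings).
$policySettings = @{
    Name                      = $PolicyName
    SpamAction                = 'Quarantine'
    HighConfidenceSpamAction  = 'Quarantine'
    BulkThreshold             = 6
    BulkSpamAction            = 'AddXHeader'
    AddXHeaderValue           = $XHeaderName
    QuarantineRetentionPeriod = 30   # policies created in PowerShell default to 15
}
New-HostedContentFilterPolicy @policySettings | Out-Null

# Step 2: the spam filter rule (recipients and priority), created disabled so
# nothing changes for the group until the settings have been verified.
$ruleSettings = @{
    Name                      = $PolicyName
    HostedContentFilterPolicy = $PolicyName
    SentToMemberOf            = $GroupName
    Priority                  = 0
    Enabled                   = $false
}
New-HostedContentFilterRule @ruleSettings | Out-Null

# Read both objects back and show the values that matter for review.
$policy = Get-HostedContentFilterPolicy -Identity $PolicyName
$rule   = Get-HostedContentFilterRule -Identity $PolicyName
$policy | Format-List Name, SpamAction, HighConfidenceSpamAction, BulkThreshold,
                      BulkSpamAction, AddXHeaderValue, QuarantineRetentionPeriod
$rule   | Format-List Name, HostedContentFilterPolicy, State, Priority, SentToMemberOf

# Enable the rule (and with it the whole anti-spam policy) only when the
# stored values match what was requested.
if ($policy.AddXHeaderValue -eq $XHeaderName -and
    $policy.QuarantineRetentionPeriod -eq 30 -and
    $rule.State -eq 'Disabled') {
    Enable-HostedContentFilterRule -Identity $PolicyName
}
```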
To return a summary list of all spam filter policies, connect to Exchange Online PowerShell and run this command:
Get-HostedContentFilterPolicy
To return detailed information about a specific spam filter policy, use this syntax:
Get-HostedContentFilterPolicy -Identity "<PolicyName>" | Format-List [<Specific properties to view>]
This example returns all the property values for the spam filter policy named Executives.
Get-HostedContentFilterPolicy -Identity "Executives" | Format-List
For detailed syntax and parameter information, see Get-HostedContentFilterPolicy.
To view existing spam filter rules, connect to Exchange Online PowerShell and use the following syntax:
Get-HostedContentFilterRule [-Identity "<RuleIdentity>"] [-State <Enabled | Disabled>]
To return a summary list of all spam filter rules, run this command:
Get-HostedContentFilterRule
To filter the list by enabled or disabled rules, run the following commands:
Get-HostedContentFilterRule -State Disabled
Get-HostedContentFilterRule -State Enabled
To return detailed information about a specific spam filter rule, use this syntax:
Get-HostedContentFilterRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]
This example returns all the property values for the spam filter rule named Contoso Executives.
Get-HostedContentFilterRule -Identity "Contoso Executives" | Format-List
For detailed syntax and parameter information, see Get-HostedContentFilterRule.
Other than the following items, the same settings are available when you modify a spam filter policy in PowerShell as when you create the policy as described in the Step 1: Use PowerShell to create a spam filter policy section earlier in this article.
To modify a spam filter policy, connect to Exchange Online PowerShell and use this syntax:
Set-HostedContentFilterPolicy -Identity "<PolicyName>" <Settings>
For detailed syntax and parameter information, see Set-HostedContentFilterPolicy.
Tip
For detailed instructions to specify the quarantine policy to use in a spam filter policy, see Use PowerShell to specify the quarantine policy in anti-spam policies.
The only setting that isn't available when you modify a spam filter rule in PowerShell is the Enabled parameter that allows you to create a disabled rule. To enable or disable existing spam filter rules, see the next section.
Otherwise, no additional settings are available when you modify a spam filter rule in PowerShell. The same settings are available when you create a rule as described in the Step 2: Use PowerShell to create a spam filter rule section earlier in this article.
To modify a spam filter rule, connect to Exchange Online PowerShell and use this syntax:
Set-HostedContentFilterRule -Identity "<RuleName>" <Settings>
This example renames the existing spam filter rule named {Fabrikam Spam Filter}.
Set-HostedContentFilterRule -Identity "{Fabrikam Spam Filter}" -Name "Fabrikam Spam Filter"
For detailed syntax and parameter information, see Set-HostedContentFilterRule.
Enabling or disabling a spam filter rule in PowerShell enables or disables the whole anti-spam policy (the spam filter rule and the assigned spam filter policy). You can't enable or disable the default anti-spam policy (it's always applied to all recipients).
To enable or disable a spam filter rule, connect to Exchange Online PowerShell and use this syntax:
<Enable-HostedContentFilterRule | Disable-HostedContentFilterRule> -Identity "<RuleName>"
This example disables the spam filter rule named Marketing Department.
Disable-HostedContentFilterRule -Identity "Marketing Department"
This example enables the same rule.
Enable-HostedContentFilterRule -Identity "Marketing Department"
For detailed syntax and parameter information, see Enable-HostedContentFilterRule and Disable-HostedContentFilterRule.
The highest priority value you can set on a rule is 0. The lowest value you can set depends on the number of rules. For example, if you have five rules, you can use the priority values 0 through 4. Changing the priority of an existing rule can have a cascading effect on other rules. For example, if you have five custom rules (priorities 0 through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is changed to priority 3, and the rule with priority 3 is changed to priority 4.
To set the priority of a spam filter rule, connect to Exchange Online PowerShell and use the following syntax:
Set-HostedContentFilterRule -Identity "<RuleName>" -Priority <Number>
This example sets the priority of the rule named Marketing Department to 2. All existing rules that have a priority less than or equal to 2 are decreased by 1 (their priority numbers are increased by 1).
Set-HostedContentFilterRule -Identity "Marketing Department" -Priority 2
Note
To set the priority of a new rule when you create it, use the Priority parameter on the New-HostedContentFilterRule cmdlet instead.
The default spam filter policy doesn't have a corresponding spam filter rule, and it always has the unmodifiable priority value Lowest.
When you use PowerShell to remove a spam filter policy, the corresponding spam filter rule isn't removed.
To remove a spam filter policy, connect to Exchange Online PowerShell and use this syntax:
Remove-HostedContentFilterPolicy -Identity "<PolicyName>"
This example removes the spam filter policy named Marketing Department.
Remove-HostedContentFilterPolicy -Identity "Marketing Department"
For detailed syntax and parameter information, see Remove-HostedContentFilterPolicy.
When you use PowerShell to remove a spam filter rule, the corresponding spam filter policy isn't removed.
To remove a spam filter rule, connect to Exchange Online PowerShell and use this syntax:
Remove-HostedContentFilterRule -Identity "<RuleName>"
This example removes the spam filter rule named Marketing Department.
Remove-HostedContentFilterRule -Identity "Marketing Department"
For detailed syntax and parameter information, see Remove-HostedContentFilterRule.
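Because removing a policy leaves its rule behind and removing a rule leaves its policy behind, a periodic review of both object types is useful. The following added example (not from the original article) flags leftover policies and rules, disabled rules, allow-list entries that skip spam filtering, MarkAsSpamBulkMail set to Off, and quarantine retention under 30 days. Get-AntiSpamPolicyFinding is a hypothetical function name, the sample objects are constructed, and matching rules to policies by name is an assumption.

```powershell
# Added example (not from the original article). Works on the objects that
# Get-HostedContentFilterPolicy and Get-HostedContentFilterRule return.
function Get-AntiSpamPolicyFinding {
    param(
        [Parameter(Mandatory)][object[]]$Policy,
        [object[]]$Rule = @()
    )
    # Preset policy names as given in this article; they are managed on the
    # Preset security policies page, so the rule checks skip them.
    $presetPrefixes = 'Standard Preset Security Policy', 'Strict Preset Security Policy'
    $finding = {
        param($Kind, $Name, $Text)
        [pscustomobject]@{ Kind = $Kind; Name = $Name; Finding = $Text }
    }

    foreach ($p in $Policy) {
        $isPreset = [bool]($presetPrefixes | Where-Object { $p.Name -like "$($_)*" })
        # Assumption: a rule's HostedContentFilterPolicy value is the policy name.
        $linked = @($Rule | Where-Object { $_.HostedContentFilterPolicy -eq $p.Name })

        if (-not $p.IsDefault -and -not $isPreset) {
            if ($linked.Count -eq 0) {
                & $finding 'Policy' $p.Name 'No spam filter rule references this policy, so it applies to no recipients'
            }
            elseif (-not ($linked | Where-Object { $_.State -eq 'Enabled' })) {
                & $finding 'Policy' $p.Name 'Rule is disabled, so the whole anti-spam policy is off'
            }
        }

        # Allowed senders and domains skip spam filtering.
        $allowCount = @($p.AllowedSenders | Where-Object { $_ }).Count +
                      @($p.AllowedSenderDomains | Where-Object { $_ }).Count
        if ($allowCount -gt 0) {
            & $finding 'Policy' $p.Name "$allowCount allowed sender/domain entries skip spam filtering"
        }

        if ("$($p.MarkAsSpamBulkMail)" -eq 'Off') {
            & $finding 'Policy' $p.Name 'MarkAsSpamBulkMail is Off (the default is On)'
        }

        $days = $p.QuarantineRetentionPeriod
        if ($null -ne $days -and $days -lt 30) {
            & $finding 'Policy' $p.Name "Quarantined messages are deleted after $days days (PowerShell default is 15, portal default is 30)"
        }
    }

    # Rules left behind after their policy was removed.
    $policyNames = @($Policy | ForEach-Object { $_.Name })
    foreach ($r in $Rule) {
        if ($policyNames -notcontains $r.HostedContentFilterPolicy) {
            & $finding 'Rule' $r.Name "References policy '$($r.HostedContentFilterPolicy)', which does not exist"
        }
    }
}

# Constructed sample data so the function can be tried without a tenant.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Default'; IsDefault = $true; AllowedSenders = @()
                       AllowedSenderDomains = @('partner.example')
                       MarkAsSpamBulkMail = 'On'; QuarantineRetentionPeriod = 30 }
    [pscustomobject]@{ Name = 'Contoso Executives'; IsDefault = $false; AllowedSenders = @()
                       AllowedSenderDomains = @()
                       MarkAsSpamBulkMail = 'On'; QuarantineRetentionPeriod = 15 }
    [pscustomobject]@{ Name = 'Marketing Department'; IsDefault = $false; AllowedSenders = @()
                       AllowedSenderDomains = @()
                       MarkAsSpamBulkMail = 'Off'; QuarantineRetentionPeriod = 30 }
)
$sampleRules = @(
    [pscustomobject]@{ Name = 'Contoso Executives'; State = 'Disabled'; Priority = 0
                       HostedContentFilterPolicy = 'Contoso Executives' }
    [pscustomobject]@{ Name = 'Old Sales Rule'; State = 'Enabled'; Priority = 1
                       HostedContentFilterPolicy = 'Sales' }
)

Get-AntiSpamPolicyFinding -Policy $samplePolicies -Rule $sampleRules |
    Format-Table -AutoSize -Wrap

# In a connected Exchange Online PowerShell session:
# Get-AntiSpamPolicyFinding -Policy (Get-HostedContentFilterPolicy) -Rule (Get-HostedContentFilterRule)
```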
Note
These steps will only work if the email organization that you're sending the GTUBE message from doesn't scan for outbound spam. If it does, you can't send the test message.
Generic Test for Unsolicited Bulk Email (GTUBE) is a text string that you include in a test message to verify your organization's anti-spam settings. A GTUBE message is similar to the European Institute for Computer Antivirus Research (EICAR) text file for testing malware settings.
Include the following GTUBE text in an email message on a single line, without any spaces or line breaks:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X