
Microsoft Defender for Office 365 documentation
Learn about the robust security solutions in Defender for Office 365 to better protect
your email and collaboration tools.

Defender for Office 365 & Exchange Online Protection

OVERVIEW

Office 365 Security overview

Set up with Preset security policies in EOP and Defender for Office 365

Getting started with Defender for Office 365

GET STARTED

Protect against threats

Preset security policies in EOP and Microsoft Defender for Office 365

What's new in Microsoft Defender for Office 365

Evaluate Defender for Office 365

HOW-TO GUIDE

Try Defender for Office 365

Migrate to Defender for Office 365

Setting up Email Authentication protection

HOW-TO GUIDE

Set up SPF to help prevent spoofing

Use DKIM to validate outbound email sent from your custom domain
Use DMARC to validate email

Set up Exchange Online Protection

OVERVIEW

Exchange Online Protection overview

Recommended settings for EOP and Microsoft Defender for Office 365 security for set up

Prevent

OVERVIEW

Configure your Microsoft 365 tenant for increased security

Configuration analyzer in EOP and Defender for Office 365

Gain insights through Attack simulation training

Detect

OVERVIEW

Mail flow rules (transport rules) in Exchange Online

Threat Trackers

Email security reports in the Microsoft 365 Defender portal

Investigate

OVERVIEW

Views in Threat Explorer and real-time detections

Campaign Views in Microsoft Defender for Office 365

Investigate malicious email that was delivered in Office 365

View Defender for Office 365 reports


Investigate in EOP

OVERVIEW

Reporting and message trace in EOP

View the admin audit log

Respond

OVERVIEW

Remediate malicious email delivered in Office 365

Respond to a Compromised Email Account

Remediate Outlook Rules and Custom Forms Injections Attacks

Submit False Positives/False Negatives

Automate

OVERVIEW

How Automated Investigation and Response (AIR) works in Defender for Office 365

Get Started with AIR in Defender for Office 365

Address compromised user accounts with AIR


Microsoft Defender for Office 365 security product overview
Article • 12/22/2022 • 8 minutes to read

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2

This article introduces the Microsoft Defender for Office 365 security features in the cloud. Whether you're part of a Security Operations Center, you're a Security Administrator new to the space, or you want a refresher, let's get started.

Caution

If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and need Safe Links or Safe Attachments info, see Advanced Outlook.com security for Microsoft 365 subscribers.

What is Defender for Office 365 security


Every Office 365 subscription comes with security capabilities. The goals and actions that
you can take depend on the focus of these different subscriptions. In Office 365 security,
there are three main security services (or products) tied to your subscription type:

1. Exchange Online Protection (EOP)
2. Microsoft Defender for Office 365 Plan 1 (Defender for Office P1)
3. Microsoft Defender for Office 365 Plan 2 (Defender for Office P2)

Note

If you bought your subscription and need to roll out security features right now, skip to the steps in the Protect Against Threats article. If you're new to your subscription and would like to know your license before you begin, browse Billing > Your Products in the Microsoft 365 admin center.

Office 365 security builds on the core protections offered by EOP. EOP is present in any
subscription where Exchange Online mailboxes can be found (remember, all the security
products discussed here are Cloud-based).

You may be accustomed to seeing these three components discussed in this way:

EOP: Prevents broad, volume-based, known attacks.
Microsoft Defender for Office 365 P1: Protects email and collaboration from zero-day malware, phish, and business email compromise.
Microsoft Defender for Office 365 P2: Adds post-breach investigation, hunting, and response, as well as automation, and simulation (for training).

But in terms of architecture, let's start by thinking of each piece as cumulative layers of
security, each with a security emphasis. More like this:

Though each of these services emphasizes a goal from among Protect, Detect,
Investigate, and Respond, all the services can carry out any of the goals of protecting,
detecting, investigating, and responding.

The core of Office 365 security is EOP protection. Microsoft Defender for Office 365 P1
contains EOP in it. Defender for Office 365 P2 contains P1 and EOP. The structure is
cumulative. That's why, when configuring this product, you should start with EOP and
work to Defender for Office 365.

Email authentication (SPF, DKIM, and DMARC) is configured in public DNS rather than in the portal, but it's an important defense against spoofing: EOP and Defender for Office 365 use the authentication results to decide whether a sender is who it claims to be. If you have EOP, configure email authentication.
If you have Office 365 E3 or below, you have EOP, with the option to add standalone Defender for Office 365 P1 as an upgrade. If you have Office 365 E5, you already have Defender for Office 365 P2.
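To check the SPF and DMARC records your domain publishes, here is an added PowerShell example; it is not code from the Microsoft documentation. It parses constructed sample records against the rules that matter for anti-spoofing: an SPF record must end in an "all" mechanism with a restrictive qualifier and stay within the 10 DNS-lookup limit, and a DMARC record needs an enforcing p= policy and a rua= reporting address. The record strings and the contoso.example names are constructed; the spf.protection.outlook.com include is the one Microsoft documents for mail sent through EOP. To test a live domain, replace the sample strings with the output of the Resolve-DnsName calls shown in the comment.

```powershell
# Added example, not from the Microsoft documentation. Checks SPF and DMARC
# TXT records the way a receiver evaluating anti-spoofing would read them.
# Sample records and contoso.example are constructed; for a live domain use:
#   (Resolve-DnsName -Name contoso.example -Type TXT).Strings -join ''
#   (Resolve-DnsName -Name _dmarc.contoso.example -Type TXT).Strings -join ''

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)

    $result = [ordered]@{ Valid = $false; AllQualifier = $null; LookupCount = 0; Issues = @() }

    if ($Record -notmatch '^v=spf1(\s|$)') {
        $result.Issues += 'Record does not start with v=spf1'
        return [pscustomobject]$result
    }

    # Terms after the version tag; force an array so a single term is not indexed as a string.
    $terms = @(($Record -split '\s+') | Where-Object { $_ } | Select-Object -Skip 1)

    foreach ($term in $terms) {
        # Mechanisms and modifiers that cost a DNS query; RFC 7208 caps these at 10.
        if ($term -match '^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)') {
            $result.LookupCount++
        }
    }

    if ($terms.Count -gt 0 -and $terms[-1] -match '^([+\-~?]?)all$') {
        $result.AllQualifier = if ($Matches[1]) { $Matches[1] } else { '+' }
        switch ($result.AllQualifier) {
            '+' { $result.Issues += '+all lets any host send as this domain' }
            '?' { $result.Issues += '?all (neutral) gives receivers no signal' }
        }
    } else {
        $result.Issues += 'Record does not end with an "all" mechanism'
    }

    if ($result.LookupCount -gt 10) {
        $result.Issues += "Record needs $($result.LookupCount) DNS lookups; more than 10 is a permerror"
    }

    $result.Valid = ($result.Issues.Count -eq 0)
    [pscustomobject]$result
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)

    $result = [ordered]@{ Valid = $false; Policy = $null; SubdomainPolicy = $null; Percent = 100; Reporting = $false; Issues = @() }

    if ($Record -notmatch '^v=DMARC1\s*;') {
        $result.Issues += 'Record does not start with v=DMARC1'
        return [pscustomobject]$result
    }

    # Tags are "name=value" pairs separated by semicolons.
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }

    $result.Policy          = $tags['p']
    $result.SubdomainPolicy = if ($tags.ContainsKey('sp')) { $tags['sp'] } else { $tags['p'] }
    if ($tags.ContainsKey('pct')) { $result.Percent = [int]$tags['pct'] }
    $result.Reporting       = $tags.ContainsKey('rua')

    switch ($result.Policy) {
        'none'       { $result.Issues += 'p=none only monitors; spoofed mail is still delivered' }
        'quarantine' { }
        'reject'     { }
        default      { $result.Issues += 'Missing or invalid p= tag' }
    }
    if ($result.Percent -lt 100) { $result.Issues += "pct=$($result.Percent) applies the policy to only part of the mail" }
    if (-not $result.Reporting)  { $result.Issues += 'No rua= address; you will get no aggregate reports' }

    $result.Valid = ($result.Issues.Count -eq 0)
    [pscustomobject]$result
}

# Constructed samples: one strong pair and one weak pair.
$samples = @(
    @{ Name = 'good'; Spf = 'v=spf1 include:spf.protection.outlook.com -all'
       Dmarc = 'v=DMARC1; p=reject; rua=mailto:dmarc@contoso.example; fo=1' },
    @{ Name = 'weak'; Spf = 'v=spf1 include:spf.protection.outlook.com a mx ptr ?all'
       Dmarc = 'v=DMARC1; p=none; pct=50' }
)

foreach ($s in $samples) {
    "== $($s.Name) =="
    Test-SpfRecord   -Record $s.Spf   | Format-List
    Test-DmarcRecord -Record $s.Dmarc | Format-List
}
```

The "weak" pair shows the two failure modes that matter most in practice: an SPF record that ends in ?all authorizes nothing in effect, and a DMARC record with p=none still lets spoofed mail through even though the domain looks "protected" in a casual check. DKIM is not covered here because its selector record carries a public key rather than a policy; verify it by sending a message and reading the Authentication-Results header.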

Tip

If your subscription is neither Office 365 E3 nor E5, you can still check to see if you have the option to upgrade to Microsoft Defender for Office 365 P1. If you're interested, this webpage lists subscriptions eligible for the Microsoft Defender for Office 365 P1 upgrade (check the end of the page for the fine print).

The Office 365 security ladder from EOP to Microsoft Defender for Office 365

Important

Learn the details on these pages: Exchange Online Protection, and Defender for Office 365.

What makes adding Microsoft Defender for Office 365 plans an advantage to pure EOP
threat management can be difficult to tell at first glance. To help sort out if an upgrade
path is right for your organization, let's look at the capabilities of each product when it
comes to:

preventing and detecting threats
investigating
responding

starting with Exchange Online Protection:

Prevent/Detect: Technologies include spam, phish, malware, bulk mail, spoof intelligence, impersonation detection, Admin Quarantine, false positive and false negative reporting by admin submissions and user reported messages, Allow/Block for URLs and Files, and Reports.

Investigate: Audit log search, Message Trace.

Respond: Zero-hour auto purge (ZAP), refinement and testing of Allow and Block lists.

If you want to dig into EOP, jump to this article.

Because these products are cumulative, if you evaluate Microsoft Defender for Office
365 P1 and decide to subscribe to it, you'll add these abilities.

Gains with Defender for Office 365, Plan 1 (to date):

Prevent/Detect: Technologies include everything in EOP plus Safe Attachments, Safe Links, Microsoft Defender for Office 365 protection for workloads (ex. SharePoint Online, Teams, OneDrive for Business), time-of-click protection in email, Office clients, and Teams, anti-phishing in Defender for Office 365, user and domain impersonation protection, and alerts with a SIEM integration API for alerts.

Investigate: SIEM integration API for detections, Real-time detections tool, URL trace.

Respond: Same as EOP.

So, Microsoft Defender for Office 365 P1 expands on the prevention side of the house,
and adds extra forms of detection.

Microsoft Defender for Office 365 P1 also adds Real-time detections for investigations. This threat hunting tool's name is in bold because having it is a clear means of knowing you have Defender for Office 365 P1. It doesn't appear in Defender for Office 365 P2.

Gains with Defender for Office 365, Plan 2 (to date):

Prevent/Detect: Technologies include everything in EOP and Microsoft Defender for Office 365 P1; otherwise the same.

Investigate: Threat Explorer, Threat Trackers, Campaign views.

Respond: Automated Investigation and Response (AIR), AIR from Threat Explorer, AIR for compromised users, SIEM integration API for Automated Investigations.

So, Microsoft Defender for Office 365 P2 expands on the investigation and response side of the house, and adds a new strength: automation.

In Microsoft Defender for Office 365 P2, the primary hunting tool is called Threat
Explorer rather than Real-time detections. If you see Threat Explorer when you navigate
to the Microsoft 365 Defender portal, you're in Microsoft Defender for Office 365 P2.

To get into the details of Microsoft Defender for Office 365 P1 and P2, jump to this
article.

Tip

EOP and Microsoft Defender for Office 365 are also different when it comes to end-
users. In EOP and Defender for Office 365 P1, the focus is awareness, and so those
two services include the Report message Outlook add-in so users can report emails
they find suspicious, for further analysis.

In Defender for Office 365 P2 (which contains everything in EOP and P1), the focus
shifts to further training for end-users, and so the Security Operations Center has
access to a powerful Threat Simulator tool, and the end-user metrics it provides.

Microsoft Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet
This quick-reference will help you understand what capabilities come with each
Microsoft Defender for Office 365 subscription. When combined with your knowledge of
EOP features, it can help business decision makers determine what Microsoft Defender
for Office 365 is best for their needs.

Defender for Office 365 Plan 1. Configuration, protection, and detection capabilities: Safe Attachments; Safe Links; Safe Attachments for SharePoint, OneDrive, and Microsoft Teams; Anti-phishing protection in Defender for Office 365; Real-time detections.

Defender for Office 365 Plan 2. Defender for Office 365 Plan 1 capabilities plus automation, investigation, remediation, and education capabilities: Threat Trackers; Threat Explorer; Automated investigation and response; Attack simulation training; Proactively hunt for threats with advanced hunting in Microsoft 365 Defender; Investigate incidents in Microsoft 365 Defender; Investigate alerts in Microsoft 365 Defender.

Microsoft Defender for Office 365 Plan 2 is included in Office 365 E5, Office 365
A5, and Microsoft 365 E5.

Microsoft Defender for Office 365 Plan 1 is included in Microsoft 365 Business
Premium.

Microsoft Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2 are each available as an add-on for certain subscriptions. To learn more, see Feature availability across Microsoft Defender for Office 365 plans.

The Safe Documents feature is only available to users with the Microsoft 365 A5 or
Microsoft 365 E5 Security licenses (not included in Microsoft Defender for Office
365 plans).

If your current subscription doesn't include Microsoft Defender for Office 365 and you want it, contact sales to start a trial, and find out how Microsoft Defender for Office 365 can work in your organization.

Microsoft Defender for Office 365 P2 customers have access to Microsoft 365
Defender integration to efficiently detect, review, and respond to incidents and
alerts.

Tip

Insider tip. You can use the Microsoft Learn table of contents to learn about EOP and Microsoft Defender for Office 365. Navigate back to this page, Office 365 Security overview, and you'll notice that table of contents organization in the side-bar. It begins with Deployment (including migration) and then continues into prevention, detection, investigation, and response.

This structure is divided so that Security Administration topics are followed by Security Operations topics. If you're a new member of either job role, use the link in this tip, and your knowledge of the table of contents, to help learn the space. Remember to use feedback links and rate articles as you go. Feedback helps us improve what we offer you.

Where to go next
If you're a Security Admin, you may need to configure DKIM or DMARC for your mail.
You may want to roll out 'Strict' security presets for your priority users, or look for what's
new in the product. Or if you're with Security Ops, you may want to leverage Real-time
detections or Threat Explorer to investigate and respond, or train end-user detection
with Attack Simulator. Either way, here are some additional recommendations for what
to look at next.

Email Authentication, including SPF, DKIM, and DMARC (with links to setup of all three)

See the specific recommended 'golden' configs and use their recommended presets to
configure security policies quickly

Catch up on what's new in Microsoft Defender for Office 365 (including EOP
developments)

Use Threat Explorer or Real-time detections

Use Attack simulation training


What's new in Microsoft Defender for Office 365
Article • 01/11/2023 • 9 minutes to read

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This article lists new features in the latest release of Microsoft Defender for Office 365.
Features that are currently in preview are denoted with (preview).

Learn more by watching this video.

For more information on what's new with other Microsoft Defender security products,
see:

What's new in Microsoft 365 Defender
What's new in Microsoft Defender for Endpoint
What's new in Microsoft Defender for Identity
What's new in Microsoft Defender for Cloud Apps

December 2022
The new Microsoft 365 Defender role-based access control (RBAC) model, with
support for Microsoft Defender for Office, is now available in public preview. For
more information, see Microsoft 365 Defender role-based access control (RBAC).

Use the built-in Report button in Outlook on the web: Use the built-in Report
button in Outlook on the web to report messages as phish, junk, and not junk.

October 2022
Manage your allows and blocks in the Tenant Allow/Block List:
- With allow expiry management (currently in private preview), if Microsoft hasn't learned from the allow, Microsoft will automatically extend the expiry time of allows that are going to expire soon by 30 days, to prevent legitimate email from going to junk or quarantine again.
- Customers in the government cloud environments will now be able to create allow and block entries for URLs and attachments in the Tenant Allow/Block List using the admin URL and email attachment submissions. The data submitted through the submissions experience won't leave the customer tenant, thus satisfying the data residency commitments for government cloud clients.
Enhancement in URL click alerts:
- With the new lookback scenario, the "A potentially malicious URL click was detected" alert will now include any clicks during the past 48 hours (for emails) from the time the malicious URL verdict is identified.

September 2022
Anti-spoofing enhancement for internal domains and senders:
For spoofing protection, the allowed senders or domains defined in the anti-
spam policy and within user allow lists must now pass authentication in order
for the allowed messages to be honored. The change only impacts messages
that are considered to be internal (the sender or sender's domain is in an
accepted domain in the organization). All other messages will continue to be
handled as they are today.

Automatic redirection from Office 365 Security & Compliance Center to Microsoft 365 Defender portal: Automatic redirection begins for users accessing the security solutions in Office 365 Security & Compliance center (protection.office.com) to the appropriate solutions in the Microsoft 365 Defender portal (security.microsoft.com). This is for all security workflows like: Alerts, Threat Management, and Reports.

Redirection URLs:
- GCC Environment: from Office 365 Security & Compliance Center URL protection.office.com to Microsoft 365 Defender URL security.microsoft.com
- GCC-High Environment: from Office 365 Security & Compliance Center URL scc.office365.us to Microsoft 365 Defender URL security.microsoft.us
- DoD Environment: from Office 365 Security & Compliance Center URL scc.protection.apps.mil to Microsoft 365 Defender URL security.apps.mil

Items in the Office 365 Security & Compliance Center that aren't related to security aren't redirected to Microsoft 365 Defender. For compliance solutions redirection to Microsoft 365 Compliance Center, see Message Center post 244886.

This is a continuation of Microsoft 365 Defender delivers unified XDR experience to GCC, GCC High and DoD customers - Microsoft Tech Community, announced in March 2022.

This change enables users to view and manage additional Microsoft 365 Defender security solutions in one portal.

This change impacts all customers who use the Office 365 Security & Compliance Center (protection.office.com), including Microsoft Defender for Office (Plan 1 or Plan 2), Microsoft 365 E3 / E5, Office 365 E3/ E5, and Exchange Online Protection. For the full list, see Security & Compliance Center - Service Descriptions | Microsoft Docs.

This change impacts all users who log in to the Office 365 Security and Compliance portal (protection.office.com), including security teams and end-users who access the Email Quarantine experience, at the Microsoft Defender Portal > Review > Quarantine.

Redirection is enabled by default and impacts all users of the Tenant.

Global Administrators and Security Administrators can turn redirection on or off in the Microsoft 365 Defender portal by navigating to Settings > Email & collaboration > Portal redirection and switching the redirection toggle.
Built-in protection: A profile that enables a base level of Safe Links and Safe
Attachments protection that's on by default for all Defender for Office 365
customers. To learn more about this new policy and order of precedence, see
Preset security policies and to learn about the specific Safe Links and Safe
Attachment controls set, see Safe Attachments settings and Safe Links settings.
Bulk Complaint Level is now available in the EmailEvents table in Advanced
Hunting with numeric BCL values from 0 to 9. A higher BCL score indicates that
bulk message is more likely to generate complaints and is more likely to be spam.

July 2022
Introducing actions into the email entity page: Admins can take preventative,
remediation and submission actions from email entity page.

June 2022
Use the Microsoft 365 Defender portal to create allow entries for spoofed senders
in the Submissions portal: Create allowed spoofed sender entries using the Tenant
Allow/Block List.
Impersonation allows using admin submission: Add allows for impersonated
senders using the Submissions page in Microsoft 365 Defender.

View converted admin submission from user reported messages: Configure a reporting mailbox to intercept user-reported messages without sending the messages to Microsoft for analysis.

View associated alert for user and admin submissions: View the corresponding
alert for each user reported phish message and admin email submission.

Configurable impersonation protection custom users and domains and increased scope within Preset policies:
- (Choose to) Apply Preset Strict/Standard policies to the entire organization and avoid the hassle of selecting specific recipient users, groups, or domains, thereby securing all recipient users of your organization.
- Configure impersonation protection settings for custom users and custom domains within Preset Strict/Standard policies and automatically protect your targeted users and targeted domain against impersonation attacks.

Simplifying the quarantine experience (part two) in Microsoft 365 Defender for Office 365: Highlights additional features to make the quarantine experience even easier to use.

Introducing differentiated protection for priority accounts in Microsoft Defender for Office 365: Introducing GCC, GCC-H, and DoD availability of differentiated protection for priority accounts.

April 2022
Introducing the UrlClickEvents table in Microsoft 365 Defender Advanced Hunting: Introducing the UrlClickEvents table in advanced hunting with Microsoft Defender for Office 365.
Manual email remediation enhancements: Bringing manual email purge actions
taken in Microsoft Defender for Office 365 to the Microsoft 365 Defender (M365D)
unified Action Center using a new action-focused investigation.
Introducing differentiated protection for priority accounts in Microsoft Defender
for Office 365 : Introducing the general availability of differentiated protection for
priority accounts.

March 2022
Streamlined the submission experience in Microsoft Defender for Office 365: Introducing the new unified and streamlined submission process to make your experience simpler.

January 2022
Updated Hunting and Investigation Experiences for Microsoft Defender for Office 365: Introducing the email summary panel for experiences in Defender for Office 365, along with experience updates for Threat Explorer and Real-time detections.

October 2021
Advanced Delivery DKIM enhancement: Added support for DKIM domain entry as
part of third-party phishing simulation configuration.
Secure by Default: Extended Secure by Default for Exchange mail flow rules (also
known as transport rules).

September 2021
Improved reporting experience in Defender for Office 365
Quarantine policies: Admins can configure granular control for recipient access to
quarantined messages and customize end-user spam notifications.
Video of admin experience
Video of end-user experience
Other new capabilities coming to the quarantine experience are described in this blog post: Simplifying the Quarantine experience.
Portal redirection by default begins, redirecting users from Security & Compliance to Microsoft 365 Defender https://security.microsoft.com. For more on this, see: Redirecting accounts from Office 365 Security & Compliance Center to Microsoft 365 Defender

August 2021
Admin review for reported messages: Admins can now send templated messages back to end users after they review reported messages. The templates can be customized for your organization and based on your admin's verdict as well.
You can now add allow entries to the Tenant Allow/Block List if the blocked message was submitted as part of the admin submission process. Depending on the nature of the block, the submitted URL, file, and/or sender allow will be added to the Tenant Allow/Block List. In most cases, the allows are added to give the system some time and allow it naturally if warranted. In some cases, Microsoft manages the allow for you. For more information, see:
- Use the Microsoft 365 Defender portal to create allow entries for URLs in the Submissions portal
- Use the Microsoft 365 Defender portal to create allow entries for files in the Submissions portal
- Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses in the Submissions portal

July 2021
Email analysis improvements in automated investigations
Advanced Delivery: Introducing a new capability for configuring the delivery of
third-party phishing simulations to users and unfiltered messages to security
operation mailboxes.
Safe Links for Microsoft Teams
New alert policies for the following scenarios: compromised mailboxes, Forms phishing, malicious mails delivered due to overrides, and rounding out ZAP:
- Suspicious email forwarding activity
- User restricted from sharing forms and collecting responses
- Form blocked due to potential phishing attempt
- Form flagged and confirmed as phishing
- New alert policies for ZAP
Microsoft Defender for Office 365 alerts are now integrated into Microsoft 365 Defender - Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue
User Tags are now integrated into Microsoft Defender for Office 365 alerting experiences, including: the alerts queue and details in Office 365 Security & Compliance, and scoping custom alert policies to user tags to create targeted alert policies.
Tags are also available in the unified alerts queue in the Microsoft 365 Defender portal (Microsoft Defender for Office 365 Plan 2)

June 2021
New first contact safety tip setting within anti-phishing policies. This safety tip is
shown when recipients first receive an email from a sender or don't often receive
email from a sender. For more information on this setting and how to configure it,
see the following articles:
First contact safety tip
Configure anti-phishing policies in EOP
Configure anti-phishing policies in Microsoft Defender for Office 365

April/May 2021
Email entity page: A unified 360-degree view of an email with enriched information
around threats, authentication and detections, detonation details, and a brand-
new email preview experience.
Office 365 Management API: Updates to EmailEvents (RecordType 28) to add
delivery action, original and latest delivery locations, and updated detection
details.
Threat Analytics for Defender for Office 365: View active threat actors, popular
techniques and attack surfaces, along with extensive reporting from Microsoft
researchers around ongoing campaigns.

February/March 2021
Alert ID integration (search using Alert ID and Alert-Explorer navigation) in hunting
experiences
Increasing the limits for Export of records from 9990 to 200,000 in hunting
experiences
Extending the Explorer (and Real-time detections) data retention and search limit
for trial tenants from 7 (previous limit) to 30 days in hunting experiences
New hunting pivots called Impersonated domain and Impersonated user within
the Explorer (and Real-time detections) to search for impersonation attacks against
protected users or domains. For more information, see details. (Microsoft Defender
for Office 365 Plan 1 or Plan 2)

Microsoft Defender for Office 365 Plan 1 and Plan 2
Did you know that Microsoft Defender for Office 365 is available in two plans? Learn more about what each plan includes.

See also
Microsoft 365 roadmap
Microsoft Defender for Office 365 Service Description
Microsoft Defender for Office 365
Article • 12/22/2022 • 8 minutes to read

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Important

This article is for business customers.

But if you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and you need info about Safe Links or Safe Attachments in Outlook blocking emails, see Advanced Outlook.com security for Microsoft 365 subscribers.

Microsoft Defender for Office 365 safeguards your organization against malicious
threats posed by email messages, links (URLs), and collaboration tools. Defender for
Office 365 includes:

Installation by Preset can set up everything for you: The easiest and the recommended setup automates the roll-out of a secure environment (if automated policies are possible in your organization). Abbreviated steps are available too: Just the steps for preset policy setup, please!

Threat protection policies: Define threat-protection policies to set the appropriate level of protection for your organization.

Reports: View real-time reports to monitor Defender for Office 365 performance in your organization.

Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.

Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.

Interactive guide to Microsoft Defender for Office 365
If you need more information, this interactive guide will show you an example of how to safeguard your organization with Microsoft Defender for Office 365.

You'll also see how Defender for Office 365 can help you define protection policies,
analyze threats to your organization, and respond to attacks.

Check out the interactive guide

What's the difference between Microsoft Defender for Office 365 Plan 1 and Plan 2?
For more on what's included in Microsoft Defender for Office 365 Plan 1 and Plan 2, browse over to this document.

This article spells out what makes up the two products, and the emphasis of each part of
Microsoft Defender for Office 365 using a familiar structure: Protect, Detect, Investigate,
and Respond.

Graphics and short, scannable paragraphs answer questions like:

What is Plan 1 optimized to do for you?
What's the biggest advantage to you and your company in Plan 2?
Who has Exchange Online Protection and what's it optimized to do?

The goal of this article is clarity and quick readability. So, don't miss it!

Getting Started
There are two methods to set up Microsoft Defender for Office 365 for your
subscription.

Preset security policy configuration is recommended

It is recommended that, as much as your organization can given its specific needs, you configure via preset security policies. You can learn more about presets here: Preset setup information and steps; or just the steps for preset policy setup, please.

Manual configuration for Microsoft Defender for Office 365
Though it's no longer the recommended practice, here are the initial logical configuration chunks for manual set up:

Configure everything with 'anti' in the name:
- anti-malware
- anti-phishing
- anti-spam
Set up everything with 'safe' in the name:
- Safe Links
- Safe Attachments
Defend the workloads (ex. SharePoint Online, OneDrive, and Teams).
Protect with zero-hour auto purge (ZAP).

To learn by doing things manually, click this link.

Note

Microsoft Defender for Office 365 comes in two different Plan types. You can tell if
you have Plan 1 if you have 'Real-time Detections', and Plan 2, if you have Threat
Explorer. The Plan you have influences the tools you will see, so be certain that
you're aware of your Plan as you learn.

Manual steps to configure Microsoft Defender for Office 365 policies
It's recommended that you configure with preset security policies, but some
organizations must configure manually.

With Microsoft Defender for Office 365, your organization's security team can configure
protection by defining policies in the Microsoft 365 Defender portal at
https://security.microsoft.com at Email & collaboration > Policies & rules > Threat
policies. Or, you can go directly to the Threat policies page by using
https://security.microsoft.com/threatpolicy .

Tip
For a quick list of policies to define, see Protect against threats.

Defender for Office 365 Policies
The policies that are defined for your organization determine the behavior and
protection level for predefined threats.

Policy options are extremely flexible. For example, your organization's security team can
set fine-grained threat protection at the user, organization, recipient, and domain level.
It is important to review your policies regularly because new threats and challenges
emerge daily.

Safe Attachments: Provides zero-day protection to safeguard your messaging system, by checking email attachments for malicious content. It routes all messages and attachments that do not have a virus/malware signature to a special environment, and then uses machine learning and analysis techniques to detect malicious intent. If no suspicious activity is found, the message is forwarded to the mailbox. To learn more, see Set up Safe Attachments policies.

Safe Links: Provides time-of-click verification of URLs, for example in email messages and Office files. Protection is ongoing and applies across your messaging and Office environment. Links are scanned on each click: safe links remain accessible and malicious links are dynamically blocked. To learn more, see Set up Safe Links policies.

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: Protects your
organization when users collaborate and share files, by identifying and blocking
malicious files in team sites and document libraries. To learn more, see Turn on
Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams.

Anti-phishing protection in Defender for Office 365: Detects attempts to


impersonate your users and internal or custom domains. It applies machine
learning models and advanced impersonation-detection algorithms to avert
phishing attacks. To learn more, see Configure anti-phishing policies in Microsoft
Defender for Office 365.

How to view Microsoft Defender for Office 365 reports

Microsoft Defender for Office 365 includes reports to monitor Defender for Office 365. You can access the reports in the Microsoft 365 Defender portal at https://security.microsoft.com at Reports > Email & collaboration > Email & collaboration reports. You can also go directly to the Email and collaboration reports page using https://security.microsoft.com/securityreports .

Reports update in real-time, providing you with the latest insights. These reports also
provide recommendations and alert you to imminent threats. Predefined reports include
the following:

Threat Explorer (or real-time detections)
Threat protection status report
... and several more.

Use threat investigation and response capabilities

Microsoft Defender for Office 365 Plan 2 includes best-of-class threat investigation and
response tools that enable your organization's security team to anticipate, understand,
and prevent malicious attacks.

Threat trackers provide the latest intelligence on prevailing cybersecurity issues. For example, you can view information about the latest malware, and take countermeasures before it becomes an actual threat to your organization. Available trackers include Noteworthy trackers, Trending trackers, Tracked queries, and Saved queries.

Threat Explorer in Plan 2 (or real-time detections in Plan 1), also referred to as Explorer, is a real-time report that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods.

Attack simulation training allows you to run realistic attack scenarios in your organization to identify vulnerable users. Simulations of current types of attacks are available, including spear phishing credential harvest and attachment attacks, and password spray and brute force password attacks.

Save time with automated investigation and response

When you are investigating a potential cyberattack, time is of the essence. The sooner
you can identify and mitigate threats, the better off your organization will be.
Automated investigation and response (AIR) capabilities include a set of security
playbooks that can be launched automatically, such as when an alert is triggered, or
manually, such as from a view in Explorer.

AIR can save your security operations team time and effort in mitigating threats
effectively and efficiently. To learn more, see AIR in Office 365.

Permissions required to use Microsoft Defender for Office 365 features

To access Microsoft Defender for Office 365 features, you must be assigned an appropriate role. The following table includes some examples:

Role or role group: global administrator (or Organization Management)
Resources to learn more: You can assign this role in Azure Active Directory or in the Microsoft 365 Defender portal. For more information, see Permissions in the Microsoft 365 Defender portal.

Role or role group: Security Administrator
Resources to learn more: You can assign this role in Azure Active Directory or in the Microsoft 365 Defender portal. For more information, see Permissions in the Microsoft 365 Defender portal.

Role or role group: Organization Management in Exchange Online
Resources to learn more: Permissions in Exchange Online; Exchange Online PowerShell.

Role or role group: Search and Purge
Resources to learn more: This role is available only in the Microsoft 365 Defender portal or the Microsoft Purview compliance portal. For more information, see Permissions in the Microsoft 365 Defender portal and Permissions in the Microsoft Purview compliance portal.

Where to get Microsoft Defender for Office 365

Microsoft Defender for Office 365 is included in certain subscriptions, such as Microsoft
365 E5, Office 365 E5, Office 365 A5, and Microsoft 365 Business Premium.

If your subscription doesn't include Defender for Office 365, you can get Defender for
Office 365 Plan 1 or Plan 2 as an add-on to certain subscriptions. To learn more, take a
look at the following resources:
Microsoft Defender for Office 365 availability for a list of subscriptions that include
Defender for Office 365 plans.

Feature availability across Microsoft Defender for Office 365 plans for a list of
features included in Plan 1 and 2.

Get the right Microsoft Defender for Office 365 to compare plans and purchase
Defender for Office 365.

Start a free trial

What new features are coming for Microsoft Defender for Office 365?

New features are added to Microsoft Defender for Office 365 continually. To learn more, see the following resources:

Microsoft 365 Roadmap provides a list of new features in development and rolling out.

Microsoft Defender for Office 365 Service Description describes features and availability across Defender for Office 365 plans.

See also
Microsoft 365 Defender
Automated investigation and response (AIR) in Microsoft 365 Defender
Step-by-step threat protection in
Microsoft Defender for Office 365
Article • 11/17/2022 • 7 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

The Microsoft Defender for Office 365 protection or filtering stack can be broken out
into 4 phases, as in this article. Generally speaking, incoming mail passes through all of
these phases before delivery, but the actual path email takes is subject to an
organization's Defender for Office 365 configuration.

Tip

Stay tuned till the end of this article for a unified graphic of all 4 phases of Defender
for Office 365 protection!

Phase 1 - Edge Protection

Unfortunately, edge blocks that were once critical are now relatively simple for bad actors to overcome. Over time, less traffic is blocked here, but it remains an important part of the stack.

Edge blocks are designed to be automatic. In the case of a false positive, senders are notified and told how to address the issue. Connectors from trusted partners with limited reputation can ensure deliverability, or temporary overrides can be put in place when onboarding new endpoints.

1. Network throttling protects Office 365 infrastructure and customers from denial of service (DoS) attacks by limiting the number of messages that can be submitted by a specific set of infrastructure.

2. IP reputation and throttling will block messages being sent from known bad connecting IP addresses. If a specific IP sends many messages in a short period of time, they will be throttled.

3. Domain reputation will block any messages being sent from a known bad domain.

4. Directory-based edge filtering blocks attempts to harvest an organization's directory information through SMTP (for example, by probing many recipient addresses to learn which ones exist).

5. Backscatter detection prevents an organization from being attacked through invalid non-delivery reports (NDRs): bounces for messages the organization never sent, generated when a spammer forges its addresses as the sender.

6. Enhanced filtering for connectors preserves authentication information even when traffic passes through another device before it reaches Office 365. This improves filtering stack accuracy, including heuristic clustering, anti-spoofing, and anti-phishing machine learning models, even in complex or hybrid routing scenarios.
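The following is an added Python example, not Microsoft's code and not part of the original article, showing the kind of heuristic that items 2 and 4 describe when run over SMTP session logs: a per-IP submission burst that would be throttled, and a directory harvest attack, where one client probes many recipients and most are rejected as unknown users. The log format, the IP addresses, and the thresholds are constructed assumptions for the example; real MTA logs need their own parser.

```python
"""Edge-style heuristics over SMTP session logs (added example, not Microsoft code).

Flags two behaviours the edge phase targets: a burst of submissions from one
connecting IP (throttling) and directory harvesting, where one IP probes many
recipients and most are rejected. Format, thresholds and IPs are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <client IP> RCPT <recipient> <SMTP code>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) RCPT (?P<rcpt>\S+) (?P<code>\d{3})$")

# Constructed sample: a normal relay, a harvester walking the alphabet, a burst.
SAMPLE_LOG = """\
2023-01-10T09:00:00 198.51.100.20 RCPT alice@contoso.com 250
2023-01-10T09:00:05 198.51.100.20 RCPT bob@contoso.com 250
2023-01-10T09:00:09 198.51.100.20 RCPT carol@contoso.com 250
2023-01-10T09:00:01 203.0.113.7 RCPT aaron@contoso.com 550
2023-01-10T09:00:01 203.0.113.7 RCPT abby@contoso.com 550
2023-01-10T09:00:02 203.0.113.7 RCPT adam@contoso.com 550
2023-01-10T09:00:02 203.0.113.7 RCPT alice@contoso.com 250
2023-01-10T09:00:03 203.0.113.7 RCPT alan@contoso.com 550
2023-01-10T09:00:03 203.0.113.7 RCPT amy@contoso.com 550
2023-01-10T09:00:04 203.0.113.7 RCPT andy@contoso.com 550
2023-01-10T09:00:04 203.0.113.7 RCPT anna@contoso.com 550
"""
# One client (192.0.2.9) pushing 25 messages to a valid recipient within 25 seconds.
SAMPLE_LOG += "".join(
    f"2023-01-10T09:01:{i:02d} 192.0.2.9 RCPT bob@contoso.com 250\n" for i in range(25)
)


def parse_log(text):
    """Turn log lines into events; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "rcpt": m["rcpt"].lower(),
            "accepted": m["code"].startswith("2"),
        })
    return events


def _max_in_window(timestamps, window):
    """Largest number of events from one source inside any sliding window."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bursts(events, window=timedelta(seconds=60), max_msgs=20):
    """IPs whose peak submission rate exceeds max_msgs per window (throttle candidates)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        peak = _max_in_window(stamps, window)
        if peak > max_msgs:
            flagged[ip] = peak
    return flagged


def find_directory_harvest(events, min_probes=5, min_reject_ratio=0.6):
    """IPs that probe many distinct recipients with a high unknown-user reject rate."""
    stats = defaultdict(lambda: {"probes": 0, "rejected": 0, "recipients": set()})
    for e in events:
        s = stats[e["ip"]]
        s["probes"] += 1
        s["recipients"].add(e["rcpt"])
        if not e["accepted"]:
            s["rejected"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["rejected"] / s["probes"]
        if s["probes"] >= min_probes and ratio >= min_reject_ratio:
            flagged[ip] = {
                "probes": s["probes"],
                "distinct_recipients": len(s["recipients"]),
                "reject_ratio": ratio,
            }
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("bursts:", find_bursts(evts))
    print("harvesting:", find_directory_harvest(evts))
```

The harvest check keys on the reject ratio rather than on raw volume, because a legitimate relay delivering to a large list also generates many RCPT commands but almost none of them fail; the burst check uses a sliding window so a steady sender is not confused with one that front-loads its traffic.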

Phase 2 - Sender Intelligence

Features in sender intelligence are critical for catching spam, bulk, impersonation, and
unauthorized spoof messages, and also factor into phish detection. Most of these
features are individually configurable.

1. Account compromise detection triggers and alerts are raised when an account shows anomalous behavior consistent with compromise. In some cases, the user account is blocked and prevented from sending any further email messages until the issue is resolved by the organization's security operations team.

2. Email authentication involves both customer-configured methods and methods set up in the cloud, aimed at ensuring that senders are authorized, authentic mailers. These methods resist spoofing.

SPF lets receivers reject mail based on a DNS TXT record that lists the IP addresses and servers allowed to send mail for the envelope sender's (MAIL FROM) domain.
DKIM adds a cryptographic signature over selected headers and the body. Receivers verify it with the signing domain's public key published in DNS, which authenticates the signing domain and detects tampering with the signed content.
DMARC lets domain owners publish a policy for mail that fails authentication, and requires that a passing SPF or DKIM result also align with the domain in the message's From header.
ARC builds on DMARC to work with forwarding and mailing lists by recording a chain of authentication results as the message passes through intermediaries.

3. Spoof intelligence separates those allowed to 'spoof' (that is, those sending mail on behalf of another account, or forwarding for a mailing list) from malicious senders who imitate organizational or known external domains. It distinguishes legitimate 'on behalf of' mail from senders who spoof to deliver spam and phishing messages.

Intra-org spoof intelligence detects and blocks spoof attempts from a domain within the organization.

4. Cross-domain spoof intelligence detects and blocks spoof attempts from a domain outside of the organization.

5. Bulk filtering lets admins configure a bulk complaint level (BCL) threshold indicating whether the message was sent from a bulk sender. Administrators can use the bulk slider in the anti-spam policy to decide what level of bulk mail to treat as spam.

6. Mailbox intelligence learns from standard user email behaviors. It leverages a user's communication graph to detect when a sender only appears to be someone the user usually communicates with, but is actually malicious. This method detects impersonation.

7. Mailbox intelligence impersonation enables or disables enhanced impersonation results based on each user's individual sender map. When enabled, this feature helps to identify impersonation.

8. User impersonation allows an admin to create a list of high value targets likely to be impersonated. If a mail arrives where the sender only appears to have the same name and address as a protected high value account, the mail is marked or tagged (for example, trαcye@contoso.com, with a Greek alpha in place of the 'a', for tracye@contoso.com).

9. Domain impersonation detects domains that are similar to the recipient's domain and that attempt to look like an internal domain. For example, tracye@liwαre.com impersonating tracye@litware.com.
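The following is an added Python example, not Microsoft's code and not part of the original article. It shows two of the checks listed above in working form: a minimal DMARC-style alignment evaluation driven by an Authentication-Results header (item 2), and lookalike detection for a protected-user and protected-domain list (items 8 and 9). The header values are constructed, the confusables table is a small illustrative subset of Unicode's list, and the two-label organizational-domain rule is a simplification of the public-suffix lookup that real implementations use.

```python
"""Sender-intelligence checks on message headers (added example, not Microsoft code).

DMARC alignment from an Authentication-Results header, plus lookalike detection
for protected users and domains. Samples are constructed; the confusables table
and the organizational-domain rule are simplifications."""
import re
import unicodedata

# Illustrative subset of visually confusable characters (not Unicode's full list).
CONFUSABLES = {"α": "a", "ο": "o", "е": "e", "і": "i", "ӏ": "l", "ѕ": "s",
               "0": "o", "1": "l", "rn": "m", "vv": "w"}


def org_domain(domain):
    """Organizational domain, approximated here as the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value):
    """Yield (method, result, props) for each clause after the authserv-id."""
    for clause in value.split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            yield m.group(1).lower(), m.group(2).lower(), props


def dmarc_evaluate(auth_results, from_header, strict=False):
    """DMARC-style verdict: pass if SPF or DKIM passed AND its domain aligns with
    the RFC5322.From domain (relaxed: same org domain; strict: exact match)."""
    from_dom = re.search(r"@([\w.-]+)", from_header).group(1).lower()

    def aligned(d):
        d = d.lower()
        return d == from_dom if strict else org_domain(d) == org_domain(from_dom)

    reasons = []
    for method, result, props in parse_auth_results(auth_results):
        if method == "spf" and result == "pass":
            d = props.get("smtp.mailfrom", "").rpartition("@")[2]  # envelope sender domain
            if d and aligned(d):
                reasons.append(f"spf aligned via {d}")
        elif method == "dkim" and result == "pass":
            d = props.get("header.d", "")  # signing domain from the DKIM-Signature d= tag
            if d and aligned(d):
                reasons.append(f"dkim aligned via {d}")
    return ("pass" if reasons else "fail"), reasons


def skeleton(text):
    """Fold visually confusable characters so lookalikes compare equal."""
    s = unicodedata.normalize("NFKC", text).lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def edit_distance(a, b):
    """Levenshtein distance, used to catch a dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_check(sender, protected_users, protected_domains, max_dist=1):
    """Flag senders that look like, but are not, a protected user or domain."""
    sender = sender.lower()
    domain = sender.partition("@")[2]
    findings = []
    for user in protected_users:
        if sender != user.lower() and skeleton(sender) == skeleton(user):
            findings.append(("user impersonation", user))
    for pdom in protected_domains:
        pdom = pdom.lower()
        if domain == pdom:
            continue  # an exact domain match is a job for SPF/DKIM/DMARC, not lookalike logic
        if edit_distance(skeleton(domain), skeleton(pdom)) <= max_dist:
            findings.append(("domain impersonation", pdom))
    return findings


# Constructed samples: a legitimate message whose bounce address lives on a
# subdomain, and a phish that authenticates only for the attacker's own domain.
AR_LEGIT = ("mx.contoso.com; spf=pass smtp.mailfrom=bounce@mail.litware.com; "
            "dkim=pass header.d=litware.com header.s=sel1")
AR_PHISH = ("mx.contoso.com; spf=pass smtp.mailfrom=x@evil.example; "
            "dkim=pass header.d=evil.example")
FROM_HDR = "Tracye <tracye@litware.com>"
PROTECTED_USERS = {"tracye@contoso.com"}
PROTECTED_DOMAINS = {"contoso.com", "litware.com"}

if __name__ == "__main__":
    print(dmarc_evaluate(AR_LEGIT, FROM_HDR))
    print(dmarc_evaluate(AR_LEGIT, FROM_HDR, strict=True))
    print(dmarc_evaluate(AR_PHISH, FROM_HDR))
    print(impersonation_check("trαcye@contoso.com", PROTECTED_USERS, PROTECTED_DOMAINS))
    print(impersonation_check("tracye@liwαre.com", PROTECTED_USERS, PROTECTED_DOMAINS))
```

Two points the code makes that the list above only implies: a message can pass SPF and DKIM for the attacker's own domain and still fail DMARC, because nothing aligns with the From header the user sees; and an edit distance of one on short domains produces false positives, so a real deployment scores the candidate rather than blocking on it outright.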

Phase 3 - Content Filtering

In this phase the filtering stack begins to handle the specific contents of the mail,
including its hyperlinks and attachments.

1. Transport rules (also known as mail flow rules or Exchange transport rules) allow an admin to take a wide range of actions when an equally wide range of conditions are met for a message. All messages that flow through your organization are evaluated against the enabled mail flow rules / transport rules.

2. Microsoft Defender Antivirus and a third-party antivirus engine are used to detect all known malware in attachments.

3. The anti-virus (AV) engines are also used to true-type supported attachment types (determine the real file type from the file's content rather than its name), which allows Type blocking to correctly block file types specified by admins.

4. Whenever Microsoft Defender for Office 365 detects a malicious attachment, the file's hash, and a hash of its active content, are added to Exchange Online Protection (EOP) reputation. Attachment reputation blocking will block that file across all of Office 365, and on endpoints, through MSAV cloud calls.

5. Heuristic clustering can determine that a file is suspicious based on delivery heuristics. When a suspicious attachment is found, the entire campaign pauses, and the file is sandboxed. If the file is found to be malicious, the entire campaign is blocked.

6. Machine learning models act on the header, body content, and URLs of a message to detect phishing attempts.

7. Microsoft uses a determination of reputation from URL sandboxing as well as URL reputation from third-party feeds in URL reputation blocking, to block any message with a known malicious URL.

8. Content heuristics can detect suspicious messages based on structure and word frequency within the body of the message, using machine learning models.

9. Safe Attachments sandboxes every attachment for Defender for Office 365 customers, using dynamic analysis to detect never-before-seen threats.

10. Linked content detonation treats every URL linking to a file in an email as an attachment, asynchronously sandboxing the file at the time of delivery.

11. URL detonation happens when upstream anti-phishing technology finds a message or URL to be suspicious. URL detonation sandboxes the URLs in the message at the time of delivery.
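The following is an added Python example, not Microsoft's code and not part of the original article, illustrating the check behind item 3: the declared file name is never trusted, the true type is derived from the bytes, and the admin's block list is applied to that true type. It also peeks inside zip-based Office documents for VBA macros, the kind of active content item 4 refers to. The signature table is a small illustrative subset, and every sample attachment is constructed in memory.

```python
"""True-typing attachments from their content (added example, not Microsoft code).

The declared extension is never trusted: the type comes from the bytes and the
block list is applied to that. Signature table is a small subset; samples are
constructed in memory."""
import io
import zipfile

# (leading bytes, type) for a handful of common containers.
SIGNATURES = [
    (b"MZ", "exe"),                                # PE executable / DLL
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls container
    (b"PK\x03\x04", "zip"),                        # also OOXML, JAR, APK
    (b"\x89PNG\r\n\x1a\n", "png"),
]


def _classify_zip(data):
    """Zip containers are ambiguous: look inside for OOXML layout and macros."""
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return "zip", False
    has_macros = any(n.endswith("vbaProject.bin") for n in names)
    for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return kind, has_macros
    return "zip", has_macros


def true_type(data):
    """Return (type, has_macros) from content alone; 'unknown' if nothing matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return _classify_zip(data) if kind == "zip" else (kind, False)
    return "unknown", False


def evaluate_attachment(filename, data, blocked_types, block_macros=True):
    """Verdict for one attachment. 'blocked' is decided on the true type, so
    renaming evil.exe to invoice.pdf does not get it past the policy."""
    declared = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual, has_macros = true_type(data)
    reasons = []
    if actual in blocked_types:
        reasons.append(f"true type {actual} is blocked")
    if has_macros and block_macros:
        reasons.append("contains VBA macros")
    return {
        "filename": filename,
        "declared": declared,
        "actual": actual,
        "mismatch": actual != "unknown" and declared != actual,
        "blocked": bool(reasons),
        "reasons": reasons,
    }


def build_ooxml(parts):
    """Construct a minimal OOXML-style zip in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples.
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"   # PE stub delivered as "invoice.pdf"
CLEAN_PDF = b"%PDF-1.7\n1 0 obj<<>>endobj\n"
MACRO_DOC = build_ooxml({"[Content_Types].xml": "<Types/>",
                         "word/document.xml": "<w:document/>",
                         "word/vbaProject.bin": b"\x00" * 16})
PLAIN_DOC = build_ooxml({"[Content_Types].xml": "<Types/>",
                         "word/document.xml": "<w:document/>"})
BLOCKED = {"exe", "elf"}

if __name__ == "__main__":
    for name, data in [("invoice.pdf", RENAMED_EXE), ("report.pdf", CLEAN_PDF),
                       ("quote.docx", MACRO_DOC), ("memo.docx", PLAIN_DOC)]:
        print(evaluate_attachment(name, data, BLOCKED))
```

The mismatch flag is reported separately from the block decision: a renamed executable is both, a macro-bearing .docx is blocked without any mismatch, and a type the table does not know is left alone rather than guessed.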

Phase 4 - Post-Delivery Protection

The last stage takes place after mail or file delivery, acting on mail that is in various
mailboxes and files and links that appear in clients like Microsoft Teams.

1. Safe Links is Defender for Office 365's time-of-click protection. Every URL in every
message is wrapped to point to Microsoft Safe Links servers. When a URL is clicked
it is checked against the latest reputation, before the user is redirected to the
target site. The URL is asynchronously sandboxed to update its reputation.

2. Zero-hour auto purge (ZAP) for phishing retroactively detects and neutralizes
malicious phishing messages that have already been delivered to Exchange Online
mailboxes.

3. ZAP for malware retroactively detects and neutralizes malicious malware messages
that have already been delivered to Exchange Online mailboxes.

4. ZAP for spam retroactively detects and neutralizes malicious spam messages that
have already been delivered to Exchange Online mailboxes.

5. Campaign Views let administrators see the big picture of an attack, faster and
more completely, than any team could without automation. Microsoft leverages
the vast amounts of anti-phishing, anti-spam, and anti-malware data across the
entire service to help identify campaigns, and then allows admins to investigate
them from start to end, including targets, impacts, and flows, that are also
available in a downloadable campaign write-up.

6. The Report Message add-ins enable people to easily report false positives (good email, mistakenly marked as bad) or false negatives (bad email marked as good) to Microsoft for further analysis.

7. Safe Links for Office clients offers the same Safe Links time-of-click protection, natively, inside supported Office apps like Word, PowerPoint, and Excel.

8. Protection for OneDrive, SharePoint, and Teams offers the same Safe Attachments
protection against malicious files, natively, inside of OneDrive, SharePoint, and
Microsoft Teams.

9. When a URL that points to a file is selected post delivery, linked content
detonation displays a warning page until the sandboxing of the file is complete,
and the URL is found to be safe.
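The following is an added Python example, not Microsoft's code and not part of the original article, for the Safe Links wrapping described in item 1. When you read wrapped links out of a mailbox export or proxy log during an investigation, the destination the user actually reached is in the url query parameter of the safelinks.protection.outlook.com wrapper; this unwraps it (including links wrapped more than once) and notes the tricks a wrapped link can hide from a reader. The wrapped samples are constructed with placeholder data/sdata values, and the regional host prefixes are illustrative.

```python
"""Unwrapping Safe Links URLs for investigation (added example, not Microsoft code).

Follows the url= parameter of a safelinks.protection.outlook.com wrapper back
to the original destination and flags common tricks. Samples are constructed."""
from ipaddress import ip_address
from urllib.parse import parse_qs, quote, urlparse

SAFELINKS_HOST = "safelinks.protection.outlook.com"


def is_safelink(url):
    """Anchored suffix match, so safelinks.protection.outlook.com.evil.example fails."""
    host = (urlparse(url).hostname or "").lower()
    return host == SAFELINKS_HOST or host.endswith("." + SAFELINKS_HOST)


def unwrap_safelink(url, max_depth=5):
    """Return (original_url, layers). Handles links wrapped more than once,
    for example mail forwarded between two protected tenants."""
    current, layers = url, 0
    while layers < max_depth and is_safelink(current):
        inner = parse_qs(urlparse(current).query).get("url")
        if not inner:
            break  # wrapper without a target: keep it rather than guess
        current, layers = inner[0], layers + 1
    return current, layers


def triage_url(url):
    """Unwrap, then note what a reader might miss about the real target."""
    target, layers = unwrap_safelink(url)
    p = urlparse(target)
    host = (p.hostname or "").lower()
    flags = []
    if p.username is not None:
        flags.append("userinfo before host")      # https://bank.example@evil.example/...
    try:
        ip_address(host)
        flags.append("ip-literal host")
    except ValueError:
        pass
    if layers > 1:
        flags.append("nested safelinks wrapping")
    if p.scheme not in ("http", "https"):
        flags.append(f"non-web scheme {p.scheme}")
    return {"target": target, "host": host, "layers": layers, "flags": flags}


# Constructed samples (placeholder data/sdata values, illustrative region prefixes).
WRAPPED_OK = ("https://nam06.safelinks.protection.outlook.com/?url="
              "https%3A%2F%2Fwww.litware.com%2Freset%3Fid%3D42"
              "&data=05%7C01%7Cplaceholder&sdata=placeholder&reserved=0")
WRAPPED_PHISH = ("https://eur01.safelinks.protection.outlook.com/?url="
                 "http%3A%2F%2Flitware.com%40203.0.113.5%2Flogin"
                 "&data=placeholder&sdata=placeholder&reserved=0")
WRAPPED_TWICE = ("https://nam02.safelinks.protection.outlook.com/?url="
                 + quote(WRAPPED_OK, safe="") + "&data=placeholder&reserved=0")

if __name__ == "__main__":
    for u in (WRAPPED_OK, WRAPPED_PHISH, WRAPPED_TWICE):
        print(triage_url(u))
```

The suffix check is anchored on a leading dot on purpose: a lookalike host that merely contains the Safe Links domain name must not be treated as a wrapper, or the unwrapper would hand an attacker-controlled url parameter back as if it were a verified target.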

The filtering stack diagram

The final diagram (as with all parts of the diagram composing it) is subject to change as
the product grows and develops. Bookmark this page and use the feedback option you'll
find at the bottom if you need to ask after updates. For your records, this is the stack
with all the phases in order:

More information
Do you need to set up Microsoft Defender for Office 365 right now? Use this stack, now,
with this step-by-step to start protecting your organization.

Special thanks from MSFTTracyP and the docs writing team to Giulian Garruba for this
content.
Secure by default in Office 365
Article • 12/22/2022 • 3 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

"Secure by default" is a term used to describe default settings that are as secure as possible.

However, security needs to be balanced with productivity. This can include balancing across:

Usability: Settings should not get in the way of user productivity.
Risk: Security might block important activities.
Legacy settings: Some configurations for older products and features might need to be maintained for business reasons, even if new, modern settings are improved.

Microsoft 365 organizations with mailboxes in Exchange Online are protected by Exchange Online Protection (EOP). This protection includes:

Email with suspected malware will automatically be quarantined. Whether recipients are notified about quarantined malware messages is controlled by the quarantine policy and the settings in the anti-malware policy. For more information, see Configure anti-malware policies in EOP.
Email identified as high confidence phishing will be handled according to the anti-spam policy action. See Configure anti-spam policies in EOP.

For more information about EOP, see Exchange Online Protection overview.

Because Microsoft wants to keep our customers secure by default, some tenant overrides are not applied for malware or high confidence phishing. These overrides include:

Allowed sender lists or allowed domain lists (anti-spam policies)
Outlook Safe Senders
IP Allow List (connection filtering)
Exchange mail flow rules (also known as transport rules)

More information on these overrides can be found in Create safe sender lists.

Note

We have deprecated the Move message to Junk Email folder action for a High
confidence phishing email verdict in EOP anti-spam policies. Anti-spam policies
that use this action for high confidence phishing messages will be converted to
Quarantine message. The Redirect message to email address action for high
confidence phishing messages is unaffected.

Secure by default is not a setting that can be turned on or off, but is the way our
filtering works out of the box to keep potentially dangerous or unwanted messages out
of your mailboxes. Malware and high confidence phishing messages should be
quarantined. By default, only admins can manage messages that are quarantined as
malware or high confidence phishing, and they can also report false positives to
Microsoft from there. For more information, see Manage quarantined messages and
files as an admin in EOP.

More on why we're doing this

The spirit of being secure by default is: we're taking the same action on the message that you would take if you knew the message was malicious, even when a configured exception would otherwise allow the message to be delivered. This is the same approach that we've always used on malware, and now we're extending this same behavior to high confidence phishing messages.

Our data indicates that a user is 30 times more likely to click a malicious link in
messages in the Junk Email folder versus Quarantine. Our data also indicates that the
false positive rate (good messages marked as bad) for high confidence phishing
messages is very low, and admins can resolve any false positives with admin
submissions.

We also determined that the allowed sender and allowed domain lists in anti-spam
policies and Safe Senders in Outlook were too broad and were causing more harm than
good.
To put it another way: as a security service, we're acting on your behalf to prevent your
users from being compromised.

Exceptions
You should only consider using overrides in the following scenarios:

Phishing simulations: Simulated attacks can help you identify vulnerable users
before a real attack impacts your organization. To prevent phishing simulation
messages from being filtered, see Configure third-party phishing simulations in the
advanced delivery policy.
Security/SecOps mailboxes: Dedicated mailboxes used by security teams to get
unfiltered messages (both good and bad). Teams can then review to see if they
contain malicious content. For more information, see Configure SecOps mailboxes
in the advanced delivery policy.
Third-party filters: Secure by default only applies when the MX record for your domain is set to Exchange Online Protection (contoso.mail.protection.outlook.com). If it's set to another service or device, it is possible to override Secure by default with a mail flow rule (transport rule) that bypasses all spam filtering (for example, by setting the spam confidence level, SCL, to -1). When Microsoft detects messages as high confidence phish with this rule in place, they are still delivered to the Inbox.
False positives: You might want to temporarily allow certain messages that are still
being analyzed by Microsoft via Admin submissions. As with all overrides, it is
recommended that they are temporary.
What is Microsoft 365 Defender?
Article • 12/15/2022 • 4 minutes to read

Note

Want to experience Microsoft 365 Defender? Learn more about how you can
evaluate and pilot Microsoft 365 Defender.

Applies to:

Microsoft 365 Defender

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that
natively coordinates detection, prevention, investigation, and response across
endpoints, identities, email, and applications to provide integrated protection against
sophisticated attacks.

Here's a list of the different Microsoft 365 Defender products and solutions:

Microsoft Defender for Endpoint
Microsoft Defender for Office 365
Microsoft Defender for Identity
Microsoft Defender for Cloud Apps
Microsoft Defender Vulnerability Management
Azure Active Directory Identity Protection
Microsoft Data Loss Prevention
App Governance
Microsoft Defender for Cloud

Note that Azure Active Directory Identity Protection (AAD IP) is in public preview and
may be substantially modified before it's commercially released. AAD IP is available to
customers only if they already have Microsoft 365 Defender.

With the integrated Microsoft 365 Defender solution, security professionals can stitch
together the threat signals that each of these products receive and determine the full
scope and impact of the threat; how it entered the environment, what it's affected, and
how it's currently impacting the organization. Microsoft 365 Defender takes automatic
action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and
user identities.
Microsoft 365 Defender interactive guide
In this interactive guide, you'll learn how to protect your organization with Microsoft 365
Defender. You'll see how Microsoft 365 Defender can help you detect security risks,
investigate attacks to your organization, and prevent harmful activities automatically.

Check out the interactive guide

Microsoft 365 Defender protection

Microsoft 365 Defender services protect:

Endpoints with Defender for Endpoint - Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
Assets with Defender Vulnerability Management - Microsoft Defender
Vulnerability Management delivers continuous asset visibility, intelligent risk-based
assessments, and built-in remediation tools to help your security and IT teams
prioritize and address critical vulnerabilities and misconfigurations across your
organization.
Email and collaboration with Defender for Office 365 - Defender for Office 365
safeguards your organization against malicious threats posed by email messages,
links (URLs) and collaboration tools.
Identities with Defender for Identity and Azure Active Directory (Azure AD)
Identity Protection - Microsoft Defender for Identity is a cloud-based security
solution that leverages your on-premises Active Directory signals to identify,
detect, and investigate advanced threats, compromised identities, and malicious
insider actions directed at your organization. Azure AD Identity Protection uses the
learnings Microsoft has acquired from their position in organizations with Azure
AD, the consumer space with Microsoft Accounts, and in gaming with Xbox to
protect your users.
Applications with Microsoft Defender for Cloud Apps - Microsoft Defender for
Cloud Apps is a comprehensive cross-SaaS solution bringing deep visibility, strong
data controls, and enhanced threat protection to your cloud apps.


Microsoft 365 Defender's unique cross-product layer augments the individual service
components to:

Help protect against attacks and coordinate defensive responses across the
services through signal sharing and automated actions.
Narrate the full story of the attack across product alerts, behaviors, and context for
security teams by joining data on alerts, suspicious events and impacted assets to
'incidents'.
Automate response to compromise by triggering self-healing for impacted assets
through automated remediation.
Enable security teams to perform detailed and effective threat hunting across
endpoint and Office data.

Here's an example of how the Microsoft 365 Defender portal correlates all related alerts
across products into a single incident.

Here's an example of the list of related alerts for an incident.

Here's an example of query-based hunting on top of email and endpoint raw data.

Microsoft 365 Defender cross-product features include:

Cross-product single pane of glass in the Microsoft 365 Defender portal - A central view for all information on detections, impacted assets, automated actions taken, and related evidence in a single queue and a single pane in the Microsoft 365 Defender portal.

Combined incidents queue - To help security professionals focus on what is critical by ensuring the full attack scope, impacted assets and automated remediation actions are grouped together and surfaced in a timely manner.

Automatic response to threats - Critical threat information is shared in real time between the Microsoft 365 Defender products to help stop the progression of an attack.

For example, if a malicious file is detected on an endpoint protected by Defender for Endpoint, it will instruct Defender for Office 365 to scan and remove the file from all e-mail messages. The file will be blocked on sight by the entire Microsoft 365 security suite.

Self-healing for compromised devices, user identities, and mailboxes - Microsoft 365 Defender uses AI-powered automatic actions and playbooks to remediate impacted assets back to a secure state. Microsoft 365 Defender leverages automatic remediation capabilities of the suite products to ensure all impacted assets related to an incident are automatically remediated where possible.

Cross-product threat hunting - Security teams can leverage their unique organizational knowledge to hunt for signs of compromise by creating their own custom queries over the raw data collected by the various protection products. Microsoft 365 Defender provides query-based access to 30 days of historic raw signals and alert data across endpoint and Defender for Office 365 data.

Get started
Microsoft 365 Defender licensing requirements must be met before you can enable the
service in the Microsoft 365 Defender portal at https://security.microsoft.com For
more information, see:

Licensing requirements
Turn on Microsoft 365 Defender
Try Microsoft Defender for Office 365
Article • 12/22/2022 • 23 minutes to read

As an existing Microsoft 365 customer, the Trials and Evaluation pages in the Microsoft
365 Defender portal at https://security.microsoft.com allow you to try the features of
Microsoft Defender for Office 365 Plan 2 before you buy.

Before you try Defender for Office 365 Plan 2, there are some key questions that you
need to ask yourself:

Do I want to passively observe what Defender for Office 365 Plan 2 can do for me
(audit), or do I want Defender for Office 365 Plan 2 to take direct action on issues
that it finds (block)?
Either way, how can I tell what Defender for Office 365 Plan 2 is doing for me?
How long do I have before I need to make the decision to keep Defender for Office
365 Plan 2?

This article will help you answer those questions so you can try Defender for Office 365
Plan 2 in a way that best meets the needs of your organization.

For a companion guide for how to use your trial, see Trial User Guide: Microsoft
Defender for Office 365.

Overview of Defender for Office 365

Defender for Office 365 helps organizations secure their enterprise by offering a
comprehensive slate of capabilities. For more information, see Microsoft Defender for
Office 365.

You can also learn more about Defender for Office 365 at this interactive guide .
Watch this short video to learn more about how you can get more done in less time
with Microsoft Defender for Office 365.
https://www.microsoft.com/en-us/videoplayer/embed/RWMmIe?postJsllMsg=true

How trials and evaluations work for Defender for Office 365


Policies
Defender for Office 365 includes the features of Exchange Online Protection (EOP),
which are present in all Microsoft 365 organizations with Exchange Online mailboxes,
and features that are exclusive to Defender for Office 365.

The protection features of EOP and Defender for Office 365 are implemented using
policies. Policies that are exclusive to Defender for Office 365 are created for you as
needed:

Impersonation protection in anti-phishing policies
Safe Attachments for email messages
Safe Links for email messages and Microsoft Teams
Safe Links detonates URLs during mail flow. To prevent specific URLs from being detonated, use allow entries for URLs in the Tenant Allow/Block List. For more information, see Manage the Tenant Allow/Block List.
Safe Links doesn't wrap URL links in email message bodies.

Your eligibility for an evaluation or trial means you already have EOP. No new or special
EOP policies are created for your evaluation or trial of Defender for Office 365 Plan 2.
Existing EOP policies in your Microsoft 365 organization are able to act on messages (for
example, send messages to the Junk Email folder or to quarantine):

Anti-malware policies
Inbound anti-spam protection
Anti-spoofing protection in anti-phishing policies

The default policies for these EOP features are always on, apply to all recipients, and are
always applied last after any custom policies.

Audit mode vs. blocking mode for Defender for Office 365

Do you want your Defender for Office 365 experience to be active or passive? These are
the two modes that you can select from:

Audit mode: Special evaluation policies are created for anti-phishing (which includes impersonation protection), Safe Attachments, and Safe Links. These evaluation policies are configured to detect threats only. Defender for Office 365 detects harmful messages for reporting, but the messages aren't acted upon (for example, detected messages aren't quarantined). The settings of these evaluation policies are described in the Policies in audit mode section later in this article.

Audit mode provides access to customized reports for threats detected by Defender for Office 365 on the Evaluation mode page at https://security.microsoft.com/atpEvaluation .

Blocking mode: The Standard template for preset security policies is turned on and
used for the trial, and the users you specify to include in the trial are added to the
Standard preset security policy. Defender for Office 365 detects and takes action on
harmful messages (for example, detected messages are quarantined).

The default and recommended selection is to scope these Defender for Office 365
policies to all users in the organization. But during or after the setup of your trial,
you can change the policy assignment to specific users, groups, or email domains
in the Microsoft 365 Defender portal or in Exchange Online PowerShell.

Blocking mode does not provide customized reports for threats detected by
Defender for Office 365. Instead, the information is available in the regular reports
and investigation features of Defender for Office 365 Plan 2.
A key factor in audit mode vs. blocking mode is how email is delivered to your Microsoft
365 organization:

Mail from the internet flows directly to Microsoft 365, but your current subscription
has only Exchange Online Protection (EOP) or Defender for Office 365 Plan 1.

In these environments, you can select audit mode or blocking mode.

You're currently using a third-party service or device for email protection of your
Microsoft 365 mailboxes. Mail from the internet flows through the protection
service before delivery into your Microsoft 365 organization. Microsoft 365
protection is as low as possible (it's never completely off; for example, malware
protection is always enforced).

In these environments, you can select audit mode only. You don't need to change
your mail flow (MX records).

Evaluation vs. trial for Defender for Office 365

What's the difference between an evaluation and a trial of Defender for Office 365 Plan
2? Aren't they the same thing? Well, yes and no. Here's what you need to know:

If you don't already have Defender for Office 365 Plan 2 licenses (for example,
standalone EOP, Microsoft 365 E3, Microsoft 365 Business Premium, or Defender
for Office 365 Plan 1), you can start your trial from the Microsoft 365 trials page at
https://security.microsoft.com/trialHorizontalHub or the Evaluation mode page
at https://security.microsoft.com/atpEvaluation in the Microsoft 365 Defender
portal. At either location, you can select audit mode (evaluation policies) or
blocking mode (Standard preset security policy) as previously described.

Regardless of which location you use, we'll automatically provision the required
Defender for Office 365 Plan 2 trial licenses for you when you enroll. Manual or
outside steps for getting and assigning Plan 2 licenses in the Microsoft 365 admin
center are no longer required. The trial licenses are good for 90 days:
For organizations without Defender for Office 365 (for example, standalone EOP
or Microsoft 365 E3) the features (in particular, the policies) of Defender for
Office 365 are available to you during the trial period.

Organizations with Defender for Office 365 Plan 1 (for example Microsoft 365
Business Premium or add-on subscriptions) have exactly the same policies as
organizations with Defender for Office 365 Plan 2 (impersonation protection in
anti-phishing policies, Safe Attachments policies, and Safe Links policies). The
security policies from audit mode (evaluation policies) or blocking mode (Standard
preset security policy) don't expire or stop working after 90 days. What
ends after 90 days for these organizations are the automation, investigation,
remediation, and education capabilities of Plan 2 that aren't present in Plan 1.

If you already have Defender for Office 365 Plan 2 (for example, as part of a
Microsoft 365 E5 subscription), you'll never see Defender for Office 365 on the
Microsoft 365 trials page at https://security.microsoft.com/trialHorizontalHub .
Instead, you start your evaluation of Defender for Office 365 Plan 2 on the
Evaluation mode page at https://security.microsoft.com/atpEvaluation in audit
mode (evaluation policies) or blocking mode (Standard preset security policy).

By definition, these organizations don't require trial licenses of Defender for Office
365 Plan 2, so their evaluations are unlimited in duration.

The information from the previous list is summarized in the following table:

Organization                          Available modes   Enroll from the     Enroll from the   Evaluation
                                                        Evaluation page?    Trials page?      period

Standalone EOP (no Exchange Online    Audit mode        Yes                 Yes               90 days
mailboxes), Microsoft 365 E3          Blocking mode

Defender for Office 365 Plan 1,       Audit mode        Yes                 Yes               Unlimited*
Microsoft 365 Business Premium        Blocking mode

Microsoft 365 E5                      Audit mode        Yes                 No                Unlimited
                                      Blocking mode

* The security policies from audit mode (evaluation policies) or blocking mode
(Standard preset security policy) don't expire or stop working after 90 days. Only the
automation, investigation, remediation, and education capabilities that are exclusive to
Defender for Office 365 Plan 2 stop working after 90 days.

Set up an evaluation or trial in audit mode

Remember, when you evaluate Defender for Office 365 in audit mode, special evaluation
policies are created so Defender for Office 365 can detect threats. The settings of these
evaluation policies are described in the Policies in audit mode section later in this article.

1. Start the evaluation in any of the available locations in the Microsoft 365 Defender
portal at https://security.microsoft.com . For example:

On the banner at the top of any Defender for Office 365 feature page, click
Start free trial.
On the Microsoft 365 trials page at
https://security.microsoft.com/trialHorizontalHub , find and select Defender
for Office 365.
On the Evaluation mode page at
https://security.microsoft.com/atpEvaluation , click Start evaluation.

2. In the Turn on protection dialog, select No, I only want reporting, and then click
Continue.

3. In the Select the users you want to include dialog, configure the following
settings:

All users: This is the default and recommended option.

Select users: If you select this option, you need to select the internal
recipients that the evaluation applies to:
Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your
organization.

Click in the appropriate box, start typing a value, and select the value that
you want from the results. Repeat this process as many times as necessary. To
remove an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias,
email address, account name, etc.), but the corresponding display name is
shown in the results. For users, enter an asterisk (*) by itself to see all
available values.

Note

You can change these selections after you finish setting up the trial as
described in the Manage your trial section.

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The evaluation or trial is applied only to those recipients that match
all of the specified recipient filters. For example, you configure a condition
with the following values:

Users: romain@contoso.com
Groups: Executives

The evaluation or trial is applied to romain@contoso.com only if he's also a
member of the Executives group. If he's not a member of the group, then the
evaluation or trial is not applied to him.

Likewise, if you use the same recipient filter as an exception, the evaluation or
trial is not applied to romain@contoso.com only if he's also a member of the
Executives group. If he's not a member of the group, then the evaluation or
trial still applies to him.

When you're finished, click Continue.

4. In the Help us understand your mail flow dialog, configure the following options:

One of the following options is automatically selected based on our detection
of the MX record for your domain:

I'm using a third-party and/or on-premises service provider: The MX
record for your domain points somewhere other than Microsoft 365. This
selection requires the following additional settings after you click Next:

a. In the Third party or on-premises settings dialog, configure the
following settings:

Select a third party service provider: Select one of the following
values:
Barracuda
IronPort
Mimecast
Proofpoint
Sophos
Symantec
Trend Micro
Other

The connector to apply this evaluation to: Select the connector
that's used for mail flow into Microsoft 365.

Enhanced Filtering for Connectors (also known as skip listing) is
automatically configured on the connector that you specify.

When a third-party service or device sits in front of email flowing
into Microsoft 365, Enhanced Filtering for Connectors correctly
identifies the source of internet messages and greatly improves the
accuracy of the Microsoft filtering stack (especially spoof intelligence,
as well as post-breach capabilities in Threat Explorer and Automated
Investigation & Response (AIR)).

List each gateway IP address your messages pass through: This
setting is available only if you selected Other for Select a third party
service provider. Enter a comma-separated list of the IP addresses
that are used by the third-party protection service or device to send
mail into Microsoft 365.

When you're finished, click Next.

b. In the Exchange mail flow rules dialog, decide if you need an Exchange
Online mail flow rule (also known as a transport rule) that skips spam
filtering for incoming messages from the third-party protection service
or device.

It's likely that you already have an SCL=-1 mail flow rule in Exchange
Online that allows all inbound mail from the protection service to
bypass (most) Microsoft 365 filtering. Many protection services
encourage this spam confidence level (SCL) mail flow rule method for
Microsoft 365 customers who use their services.

As explained in the previous step, Enhanced Filtering for Connectors is
automatically configured on the connector that you specify as the
source of mail from the protection service.

Turning on Enhanced Filtering for Connectors without an SCL=-1 rule
for incoming mail from the protection service will vastly improve the
detection capabilities of EOP protection features like spoof intelligence,
and could impact the delivery of those newly detected messages (for
example, move to the Junk Email folder or to quarantine). This impact is
limited to EOP policies; as previously explained, Defender for Office 365
policies are created in audit mode.

To create an SCL=-1 mail flow rule or to review your existing rules, click
the Go to Exchange admin center button on the page. For more
information, see Use mail flow rules to set the spam confidence level
(SCL) in messages in Exchange Online.

When you're finished, click Finish.

I'm only using Microsoft Exchange Online: The MX records for your
domain point to Microsoft 365. There's nothing left to configure, so click
Finish.

Share data with Microsoft: This option isn't selected by default, but you can
select the check box if you like.

5. A progress dialog appears as your evaluation is set up. When setup is complete,
click Done.
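Steps 4a and 4b above hinge on two pieces of existing mail-flow configuration: any SCL=-1 mail flow rule that lets the protection service bypass filtering, and whether Enhanced Filtering for Connectors is on for the inbound connector. The following script is an added example, not part of the Microsoft article, that inventories both in an Exchange Online PowerShell session (after Connect-ExchangeOnline) so you can see the combination the article warns about before enrolling. The cmdlets and property names (Get-TransportRule SetSCL/SenderIpRanges, Get-InboundConnector EFSkipLastIP/EFSkipIPs/EFUsers) are the documented Exchange Online ones; the report layout is the example's own.

```powershell
# Added example (not from the Microsoft article). Requires an Exchange Online
# PowerShell session: Connect-ExchangeOnline.

function Get-SclBypassRuleReport {
    # Every rule that stamps SCL -1 on messages is a filtering bypass, so its
    # scope (sender IP ranges, header conditions) should be no wider than the
    # third-party protection service actually needs.
    Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } | ForEach-Object {
        [pscustomobject]@{
            Name           = $_.Name
            State          = $_.State
            Priority       = $_.Priority
            SenderIpRanges = ($_.SenderIpRanges -join ',')
            HeaderMatches  = $_.HeaderMatchesMessageHeader
        }
    }
}

function Get-InboundConnectorFilteringReport {
    # Enhanced Filtering for Connectors is set per connector: EFSkipLastIP skips
    # the last hop, EFSkipIPs skips the listed gateway IPs, EFUsers optionally
    # limits it to some recipients. With neither skip setting, EOP treats the
    # gateway IP as the message source and spoof intelligence loses accuracy.
    Get-InboundConnector | ForEach-Object {
        $enhancedFilteringOn = $_.EFSkipLastIP -or ($_.EFSkipIPs.Count -gt 0)
        [pscustomobject]@{
            Name              = $_.Name
            Enabled           = $_.Enabled
            ConnectorType     = $_.ConnectorType
            SenderIPAddresses = ($_.SenderIPAddresses -join ',')
            EnhancedFiltering = $enhancedFilteringOn
            EFSkipLastIP      = $_.EFSkipLastIP
            EFSkipIPs         = ($_.EFSkipIPs -join ',')
            EFUsers           = ($_.EFUsers -join ',')
        }
    }
}

# Usage: show both inventories, then flag the state the article describes where
# Enhanced Filtering is on but no enabled SCL=-1 bypass rule exists, because EOP
# verdicts (for example spoof intelligence) can then start moving messages to the
# Junk Email folder or quarantine.
$bypassRules = Get-SclBypassRuleReport
$connectors  = Get-InboundConnectorFilteringReport
$bypassRules | Format-Table -AutoSize
$connectors  | Format-Table -AutoSize

$filteringOn  = $connectors  | Where-Object { $_.EnhancedFiltering }
$activeBypass = $bypassRules | Where-Object { $_.State -eq 'Enabled' }
if ($filteringOn -and -not $activeBypass) {
    Write-Warning "Enhanced Filtering is on and no enabled SCL=-1 rule exists: EOP will act on newly detected messages."
}
```

Review the SenderIpRanges of any bypass rule against the gateway IPs you enter in step 4a; a bypass rule that is broader than the connector's source IPs lets mail from other senders skip filtering too.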

Set up an evaluation or trial in blocking mode

Remember, when you try Defender for Office 365 in blocking mode, the Standard preset
security policy is turned on and the specified users (some or everyone) are included in the
Standard preset security policy. For more information about the Standard preset security
policy, see Preset security policies.

1. Start the trial in any of the available locations in the Microsoft 365 Defender portal
at https://security.microsoft.com . For example:

On the banner at the top of any Defender for Office 365 feature page, click
Start free trial.
On the Microsoft 365 trials page at
https://security.microsoft.com/trialHorizontalHub , find and select Defender
for Office 365.
On the Evaluation mode page at
https://security.microsoft.com/atpEvaluation , click Start evaluation.

2. In the Turn on protection dialog, select Yes, protect my organization by blocking
threats, and then click Continue.

3. In the Select the users you want to include dialog, configure the following
settings:

All users: This is the default and recommended option.

Select users: If you select this option, you need to select the internal
recipients that the trial applies to:
Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your
organization.

Click in the appropriate box, start typing a value, and select the value that
you want from the results. Repeat this process as many times as necessary. To
remove an existing value, click remove next to the value.

For users or groups, you can use most identifiers (name, display name, alias,
email address, account name, etc.), but the corresponding display name is
shown in the results. For users, enter an asterisk (*) by itself to see all
available values.

Note

You can change these selections after you finish setting up the trial as
described in the Manage your trial section.

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The evaluation or trial is applied only to those recipients that match
all of the specified recipient filters. For example, you configure a condition
with the following values:

Users: romain@contoso.com
Groups: Executives
The evaluation or trial is applied to romain@contoso.com only if he's also a
member of the Executives group. If he's not a member of the group, then the
evaluation or trial is not applied to him.

Likewise, if you use the same recipient filter as an exception, the evaluation or
trial is not applied to romain@contoso.com only if he's also a member of the
Executives group. If he's not a member of the group, then the evaluation or
trial still applies to him.

When you're finished, click Continue.

4. A progress dialog appears as your evaluation is set up. When setup is complete,
click Done.

Manage your evaluation or trial of Defender for Office 365

After you set up your evaluation or trial in audit mode or blocking mode, the Evaluation
mode page at https://security.microsoft.com/atpEvaluation is your central location for
information about trying Defender for Office 365 Plan 2.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & collaboration > Policies & rules > Threat policies > select Evaluation
mode in the Others section. Or, to go directly to the Microsoft Defender for
Office 365 evaluation page, use https://security.microsoft.com/atpEvaluation .

2. On the Microsoft Defender for Office 365 evaluation page, you can do the
following tasks:

Click Buy a paid subscription to buy Defender for Office 365 Plan 2.

Click Manage. In the Microsoft Defender for Office 365 evaluation flyout
that appears, you can do the following tasks:

Change who the evaluation or trial applies to as described earlier in the
Set up an evaluation or trial in audit mode and Set up an evaluation or trial
in blocking mode sections.

To switch from audit mode (evaluation policies) to blocking mode
(Standard preset security policy), click Convert to standard protection,
and then click Continue in the dialog that appears to be taken to the
Apply standard protection wizard on the Preset security policies page.
The existing included and excluded recipients are copied over. For more
information, see Use the Microsoft 365 Defender portal to assign Standard
and Strict preset security policies to users.

Notes:
The policies in the Standard preset security policy have a higher priority
than the evaluation policies, which means the policies in the Standard
preset security policy are always applied before the evaluation policies, even if
both are present and turned on. To turn off the evaluation policies, use
the Turn off button.
There's no automatic way to go from blocking mode to audit mode.
The manual steps are:
a. Turn off the Standard preset security policy on the Preset security
policies page.
b. After clicking Manage on the Microsoft Defender for Office 365
evaluation page, verify the presence of the Turn off button, which
indicates the evaluation policies are turned on. If you see the Turn on
button, click it to turn on the evaluation policies.
c. Verify the users that the evaluation applies to.

To turn off the evaluation policies, click Turn off. To turn them back on,
click Turn on.

When you're finished in the flyout, click Save.

Reports for your evaluation or trial of Defender for Office 365

This section describes the reports that are available in audit mode and blocking mode.

Reports for blocking mode

In blocking mode, the following reports show detections by Defender for Office 365:

The Mailflow view for the Mailflow status report:

Messages detected as user impersonation or domain impersonation by anti-
phishing policies appear in Impersonation block.
Messages detected during file or URL detonation by Safe Attachments policies
or Safe Links policies appear in Detonation block.

The Threat protection status report:

View data by Overview:

You can filter most views by the Protected by value MDO to see the effects of
Defender for Office 365.

View data by Email > Phish and Chart breakdown by Detection Technology
Messages detected by campaigns appear in Campaign.
Messages detected by Safe Attachments appear in File detonation and File
detonation reputation.
Messages detected by user impersonation protection in anti-phishing
policies appear in Impersonation domain, Impersonation user, and Mailbox
intelligence impersonation.
Messages detected by Safe Links appear in URL detonation and URL
detonation reputation.

View data by Email > Malware and Chart breakdown by Detection Technology
Messages detected by campaigns appear in Campaign.
Messages detected by Safe Attachments appear in File detonation and File
detonation reputation.
Messages detected by Safe Links appear in URL detonation and URL
detonation reputation.

View data by Email > Spam and Chart breakdown by Detection Technology

Messages detected by Safe Links appear in URL malicious reputation.

Chart breakdown by Policy type

Messages detected by Safe Attachments appear in Safe Attachments

View data by Content > Malware

Malicious files detected by Safe Attachments for SharePoint, OneDrive, and
Microsoft Teams appear in MDO detonation.

The Top senders and recipients report

Show data for Top malware recipients (MDO) and Show data for Top phish
recipients (MDO).

The URL protection report

Reports for audit mode

In audit mode, the following reports show detections by Defender for Office 365:
The Threat protection status report has Evaluation: Yes/No as a filterable property
in the following views:
View data by Email > Phish and Chart breakdown by Detection Technology
View data by Email > Malware and Chart breakdown by Detection Technology
View data by Email > Spam and Chart breakdown by Detection Technology

In Threat Explorer, Bad attachment, spam url + malware, Phish url, and
impersonation messages that were detected by the Defender for Office 365
evaluation show a banner in the message detection details on the Analysis tab
of the entry.

The Microsoft Defender for Office 365 evaluation page at
https://security.microsoft.com/atpEvaluation consolidates the reporting for the
policies in the evaluation:

Safe Links
Safe Attachments
Impersonation protection in anti-phishing policies

By default, the charts show data for the last 30 days, but you can filter the date range by
clicking 30 days and selecting from the following additional values that are less than 30
days:

24 hours
7 days
14 days
Custom date range

You can click Download to download the chart data to a .csv file.

Required permissions

The following permissions are required in Azure AD to set up an evaluation or trial of
Defender for Office 365:

Create, modify or delete an evaluation or trial: Security Administrator or Global
Administrator.
View evaluation policies and reports in audit mode: Security Administrator or
Security Reader.

For more information about Azure AD permissions in the Microsoft 365 Defender portal,
see Azure AD roles in the Microsoft 365 Defender portal.

Frequently asked questions

Q: Do I need to manually get or activate trial licenses?

A: No. The trial automatically provisions Defender for Office 365 Plan 2 licenses if you
need them as previously described.

Q: How do I extend the trial?

A: See Extend your trial.

Q: What happens to my data after the trial expires?

A: After your trial expires, you'll have access to your trial data (data from features in
Defender for Office 365 that you didn't have previously) for 30 days. After this 30 day
period, all policies and data that were associated with the Defender for Office 365 trial
will be deleted.

Q: How many times can I use the Defender for Office 365 trial in my organization?

A: A maximum of 2 times. If your first trial expires, you need to wait at least 30 days after
the expiration date before you can enroll in the Defender for Office 365 trial again. After
your second trial, you can't enroll in another trial.

Q: In audit mode, are there scenarios where Defender for Office 365 will act on messages?

A: Yes. No one in any program or SKU can turn off or bypass taking action on messages
that are classified as malware or high confidence phishing by the service.

In audit mode, anti-spoofing protection in EOP also takes action on messages. To
prevent anti-spoofing protection from acting on messages, create an Exchange mail
flow rule (also known as a transport rule) where inbound email bypasses all types of
filtering that can be bypassed (including anti-spoofing protection). For instructions, see
Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange
Online.

Q: In what order are policies evaluated?

A: See Order of precedence for preset security policies and other policies.

Reference

Policy settings associated with Defender for Office 365 trials

Policies in audit mode

Warning

Do not attempt to create, modify, or remove the individual security policies that are
associated with the evaluation of Defender for Office 365. The only supported
method for creating the individual security policies for the evaluation is to start the
evaluation or trial in audit mode in the Microsoft 365 Defender portal for the first
time.

As previously described, when you choose audit mode for your evaluation or trial,
evaluation policies with the required settings to observe but not take action on
messages are automatically created.

To see these policies and their settings, run the following command in Exchange Online
PowerShell:

PowerShell

Write-Output -InputObject ("`r`n"*3),"Evaluation anti-phishing policy",("-"*79); Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"
Write-Output -InputObject ("`r`n"*3),"Evaluation Safe Attachments policy",("-"*79); Get-SafeAttachmentPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"
Write-Output -InputObject ("`r`n"*3),"Evaluation Safe Links policy",("-"*79); Get-SafeLinksPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Evaluation"

The settings are also described in the following tables.

Anti-phishing evaluation policy settings

Setting Value

Name Evaluation Policy

AdminDisplayName Evaluation Policy

AuthenticationFailAction MoveToJmf

Enabled True

EnableFirstContactSafetyTips False

EnableMailboxIntelligence True

EnableMailboxIntelligenceProtection True

EnableOrganizationDomainsProtection False

EnableSimilarDomainsSafetyTips False

EnableSimilarUsersSafetyTips False

EnableSpoofIntelligence True

EnableSuspiciousSafetyTip False

EnableTargetedDomainsProtection False

EnableTargetedUserProtection False

EnableUnauthenticatedSender True

EnableUnusualCharactersSafetyTips False

EnableViaTag True

ExcludedDomains {}

ExcludedSenders {}

ImpersonationProtectionState Manual

IsDefault False

MailboxIntelligenceProtectionAction NoAction

MailboxIntelligenceProtectionActionRecipients {}

MailboxIntelligenceQuarantineTag DefaultFullAccessPolicy

PhishThresholdLevel 1

PolicyTag blank

RecommendedPolicyType Evaluation

SpoofQuarantineTag DefaultFullAccessPolicy

TargetedDomainActionRecipients {}

TargetedDomainProtectionAction NoAction

TargetedDomainQuarantineTag DefaultFullAccessPolicy

TargetedDomainsToProtect {}

TargetedUserActionRecipients {}

TargetedUserProtectionAction NoAction

TargetedUserQuarantineTag DefaultFullAccessPolicy

TargetedUsersToProtect {}

Safe Attachments evaluation policy settings

Setting Value

Name Evaluation Policy

Action Allow

ActionOnError True

AdminDisplayName Evaluation Policy

ConfidenceLevelThreshold 80

Enable True

EnableOrganizationBranding False

IsBuiltInProtection False

IsDefault False

OperationMode Delay

QuarantineTag AdminOnlyAccessPolicy

RecommendedPolicyType Evaluation

Redirect False

RedirectAddress blank

ScanTimeout 30

Safe Links evaluation policy settings

Setting Value

Name Evaluation Policy

AdminDisplayName Evaluation Policy

AllowClickThrough True

CustomNotificationText blank

DeliverMessageAfterScan True

DisableUrlRewrite True

DoNotRewriteUrls {}

EnableForInternalSenders False

EnableOrganizationBranding False

EnableSafeLinksForEmail True

EnableSafeLinksForOffice False

EnableSafeLinksForTeams False

IsBuiltInProtection False

LocalizedNotificationTextList {}

RecommendedPolicyType Evaluation

ScanUrls True

TrackClicks True
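The three tables above are the contract that makes audit mode safe to run: deliver (Action Allow), don't rewrite URLs (DisableUrlRewrite True), take no impersonation action (NoAction). Since the warning says not to edit these policies by hand, a periodic read-only comparison against the documented values is the practical way to confirm nobody has. The script below is an added example, not part of the Microsoft article: it selects each evaluation policy with the same RecommendedPolicyType filter the article's command uses, compares a subset of settings copied from the tables, and reports any drift. The expected values come from the tables; the comparison logic and the choice of which settings to check are the example's own.

```powershell
# Added example (not from the Microsoft article). Requires Connect-ExchangeOnline.
# Expected values are the audit-mode settings listed in the tables above.
$expected = @{
    AntiPhish = @{
        Cmdlet   = 'Get-AntiPhishPolicy'
        Settings = @{
            Enabled                             = $true
            AuthenticationFailAction            = 'MoveToJmf'
            MailboxIntelligenceProtectionAction = 'NoAction'
            TargetedDomainProtectionAction      = 'NoAction'
            TargetedUserProtectionAction        = 'NoAction'
            EnableSpoofIntelligence             = $true
        }
    }
    SafeAttachments = @{
        Cmdlet   = 'Get-SafeAttachmentPolicy'
        Settings = @{
            Enable        = $true
            Action        = 'Allow'      # deliver the message even when detonation finds malware
            ActionOnError = $true
            Redirect      = $false
        }
    }
    SafeLinks = @{
        Cmdlet   = 'Get-SafeLinksPolicy'
        Settings = @{
            EnableSafeLinksForEmail = $true
            ScanUrls                = $true
            DeliverMessageAfterScan = $true
            DisableUrlRewrite       = $true   # observe only: users never see wrapped links
            TrackClicks             = $true
        }
    }
}

function Test-EvaluationPolicyDrift {
    # Returns one row per checked setting; Drift is $true where the live value differs.
    foreach ($kind in $expected.Keys) {
        $spec = $expected[$kind]
        # Same selector as the article's command: the policy tagged as Evaluation.
        $policy = & $spec.Cmdlet | Where-Object { $_.RecommendedPolicyType -eq 'Evaluation' }
        if (-not $policy) {
            # Missing policy: audit mode was never set up, or the policy was removed by hand.
            [pscustomobject]@{ Policy = $kind; Setting = '(policy)'; Expected = 'present'; Actual = 'missing'; Drift = $true }
            continue
        }
        foreach ($name in $spec.Settings.Keys) {
            $want = $spec.Settings[$name]
            $have = $policy.$name
            [pscustomobject]@{
                Policy   = $kind
                Setting  = $name
                Expected = $want
                Actual   = $have
                # String comparison so $true/'True' and enum values compare the same way.
                Drift    = ("$have" -ne "$want")
            }
        }
    }
}

# Usage: print the full comparison and warn if anything moved away from observe-only.
$drift = Test-EvaluationPolicyDrift
$drift | Format-Table -AutoSize
if ($drift | Where-Object { $_.Drift }) {
    Write-Warning "One or more evaluation policy settings differ from the documented audit-mode values."
}
```

Run it before you trust the evaluation reports and again after any policy change in the tenant; a Drift row on Action, DisableUrlRewrite or one of the NoAction settings means the evaluation has stopped being passive, which the article says is unsupported rather than something to correct by editing the policy directly.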

Use PowerShell to configure recipient conditions and exceptions to the evaluation in audit mode

A rule that's associated with the Defender for Office 365 evaluation policies controls the
recipient conditions and exceptions to the evaluation.

To view the rule that's associated with the evaluation, run the following command in
Exchange Online PowerShell:

PowerShell

Get-ATPEvaluationRule

To use Exchange Online PowerShell to modify who the evaluation applies to, use the
following syntax:

PowerShell

Set-ATPEvaluationRule -Identity "Evaluation Rule" -SentTo <"user1","user2",... | $null> -ExceptIfSentTo <"user1","user2",... | $null> -SentToMemberOf <"group1","group2",... | $null> -ExceptIfSentToMemberOf <"group1","group2",... | $null> -RecipientDomainIs <"domain1","domain2",... | $null> -ExceptIfRecipientDomainIs <"domain1","domain2",... | $null>

This example configures exceptions from the evaluation for the specified security
operations (SecOps) mailboxes.

PowerShell

Set-ATPEvaluationRule -Identity "Evaluation Rule" -ExceptIfSentTo "SecOps1","SecOps2"
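The Set-ATPEvaluationRule parameters above are the PowerShell face of the recipient-filter semantics described in the note under step 3 of the audit-mode setup: values within one filter type are alternatives, different filter types are all required, and exceptions follow the same rule. The script below is an added example, not part of the Microsoft article, that models those semantics locally on a constructed rule object so you can predict who the evaluation will cover before you change the live rule; it then shows the Set-ATPEvaluationRule call for the same scope. The rule object's property names mirror the cmdlet's parameter names, which is an assumption about the shape of Get-ATPEvaluationRule output; the romain@contoso.com and Executives values are the article's own scenario.

```powershell
# Added example (not from the Microsoft article). Pure logic, no tenant needed.

function Test-FilterMatch {
    # One filter side (condition or exception). Within a type: any value may
    # match. Across types: every specified type must match. No types: no match.
    param($Recipient, [string[]]$SentTo, [string[]]$SentToMemberOf, [string[]]$RecipientDomainIs)
    $checks = @()
    if ($SentTo)            { $checks += ($SentTo -contains $Recipient.Address) }
    if ($SentToMemberOf)    { $checks += [bool]($Recipient.Groups | Where-Object { $SentToMemberOf -contains $_ }) }
    if ($RecipientDomainIs) { $checks += ($RecipientDomainIs -contains $Recipient.Domain) }
    if ($checks.Count -eq 0) { return $false }
    return -not ($checks -contains $false)
}

function Test-EvaluationApplies {
    # A rule with no conditions covers everyone; an exception only removes a
    # recipient when all of its specified types match (the article's "inclusive" rule).
    param($Recipient, $Rule)
    $hasConditions = $Rule.SentTo -or $Rule.SentToMemberOf -or $Rule.RecipientDomainIs
    $included = (-not $hasConditions) -or (Test-FilterMatch $Recipient $Rule.SentTo $Rule.SentToMemberOf $Rule.RecipientDomainIs)
    $excluded = Test-FilterMatch $Recipient $Rule.ExceptIfSentTo $Rule.ExceptIfSentToMemberOf $Rule.ExceptIfRecipientDomainIs
    return ($included -and -not $excluded)
}

# Constructed rule objects (assumed to mirror Get-ATPEvaluationRule properties):
# the article's scenario used once as a condition and once as an exception.
$conditionRule = [pscustomobject]@{
    SentTo = @('romain@contoso.com'); SentToMemberOf = @('Executives'); RecipientDomainIs = $null
    ExceptIfSentTo = $null; ExceptIfSentToMemberOf = $null; ExceptIfRecipientDomainIs = $null
}
$exceptionRule = [pscustomobject]@{
    SentTo = $null; SentToMemberOf = $null; RecipientDomainIs = $null
    ExceptIfSentTo = @('romain@contoso.com'); ExceptIfSentToMemberOf = @('Executives'); ExceptIfRecipientDomainIs = $null
}

# Constructed recipients: the same user with and without Executives membership.
$romainExec    = @{ Address = 'romain@contoso.com'; Domain = 'contoso.com'; Groups = @('Executives') }
$romainNotExec = @{ Address = 'romain@contoso.com'; Domain = 'contoso.com'; Groups = @() }

# Condition: covered only when both the Users and Groups filters match.
Test-EvaluationApplies $romainExec    $conditionRule
Test-EvaluationApplies $romainNotExec $conditionRule
# Exception: removed only when both exception filters match; otherwise still covered.
Test-EvaluationApplies $romainExec    $exceptionRule
Test-EvaluationApplies $romainNotExec $exceptionRule

# The live equivalent of $conditionRule, for a connected Exchange Online session:
# Set-ATPEvaluationRule -Identity "Evaluation Rule" -SentTo "romain@contoso.com" -SentToMemberOf "Executives"
```

The practical point is the one the article makes in prose: combining two filter types narrows scope rather than widening it, so an evaluation scoped to both a user list and a group covers only the intersection, and an exception built the same way removes only that intersection.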

Use PowerShell to turn on or turn off the evaluation in audit mode

To turn on or turn off the evaluation in audit mode, you enable or disable the rule that's
associated with the evaluation. The State property value of the evaluation rule shows
whether the rule is Enabled or Disabled.

Run the following command to determine whether the evaluation is currently enabled or
disabled:

PowerShell

Get-ATPEvaluationRule -Identity "Evaluation Rule" | Format-Table Name,State

Run the following command to turn off the evaluation if it's turned on:

PowerShell

Disable-ATPEvaluationRule -Identity "Evaluation Rule"

Run the following command to turn on the evaluation if it's turned off:

PowerShell

Enable-ATPEvaluationRule -Identity "Evaluation Rule"

Policies and rules in blocking mode

As previously described, when you choose blocking mode for your trial, policies are
created using the Standard template for preset security policies.

To use Exchange Online PowerShell to view the individual security policies that are
associated with the Standard preset security policy, and to use Exchange Online
PowerShell to view and configure the recipient conditions and exceptions for the preset
security policy, see Preset security policies in Exchange Online PowerShell.
Trial user guide: Microsoft Defender for
Office 365
Article • 12/22/2022 • 9 minutes to read

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Welcome to the Microsoft Defender for Office 365 trial user guide! This user guide will
help you make the most of your free trial by teaching you how to safeguard your
organization against malicious threats posed by email messages, links (URLs), and
collaboration tools.

What is Defender for Office 365?

Defender for Office 365 helps organizations secure their enterprise by offering a
comprehensive slate of capabilities including threat protection policies, reports, threat
investigation and response capabilities and automated investigation and response
capabilities.

In addition to the detection of advanced threats, the following video shows how the
SecOps capabilities of Defender for Office 365 can help your team respond to threats:
https://www.microsoft.com/en-us/videoplayer/embed/RWMmIe?postJsllMsg=true

Audit mode vs. blocking mode for Defender for Office 365
Do you want your Defender for Office 365 experience to be active or passive? These are
the two modes that you can select from:

Audit mode: Special evaluation policies are created for anti-phishing (which
includes impersonation protection), Safe Attachments, and Safe Links. These
evaluation policies are configured to detect threats only. Defender for Office 365
detects harmful messages for reporting, but the messages aren't acted upon (for
example, detected messages aren't quarantined). The settings of these evaluation
policies are described in the Policies in audit mode section later in this article.

Audit mode provides access to customized reports for threats detected by
Defender for Office 365 on the Evaluation mode page at
https://security.microsoft.com/atpEvaluation.

Blocking mode: The Standard template for preset security policies is turned on and
used for the trial, and the users you specify to include in the trial are added to the
Standard preset security policy. Defender for Office 365 detects and takes action on
harmful messages (for example, detected messages are quarantined).

The default and recommended selection is to scope these Defender for Office 365
policies to all users in the organization. But during or after the setup of your trial,
you can change the policy assignment to specific users, groups, or email domains
in the Microsoft 365 Defender portal or in Exchange Online PowerShell, as described in
Policy settings associated with Defender for Office 365 trials.

Blocking mode does not provide customized reports for threats detected by
Defender for Office 365. Instead, the information is available in the regular reports
and investigation features of Defender for Office 365 Plan 2.

A key factor in audit mode vs. blocking mode is how email is delivered to your Microsoft
365 organization:

Mail from the internet flows directly to Microsoft 365, but your current subscription
has only Exchange Online Protection (EOP) or Defender for Office 365 Plan 1.

In these environments, you can select audit mode or blocking mode.

You're currently using a third-party service or device for email protection of your
Microsoft 365 mailboxes. Mail from the internet flows through the protection
service before delivery into your Microsoft 365 organization. Microsoft 365
protection is as low as possible (it's never completely off; for example, malware
protection is always enforced).

In these environments, you can select audit mode only. You don't need to change
your mail flow (MX records).

Let's get started!

Blocking mode

Step 1: Getting started in blocking mode

Start your Microsoft Defender for Office 365 trial

After you've initiated the trial and completed the setup process, it may take up to 2
hours for changes to take effect.

We've automatically configured Preset security policies in your environment. These
policies represent a baseline protection profile that's suitable for most users. Standard
protection includes:

Safe Links, Safe Attachments and anti-phishing policies that are scoped to the
entire tenant or subset of users you may have chosen during the trial setup
process.
Safe Attachments protection for SharePoint, OneDrive, and Microsoft Teams.
Safe Links protection for supported Office 365 apps.

Watch this video to learn more: Protect against malicious links with Safe Links in
Microsoft Defender for Office 365 - YouTube.

Enable users to report suspicious content in blocking mode
Defender for Office 365 enables users to report messages to their security teams and
allows admins to submit messages to Microsoft for analysis.

Deploy the Report Message add-in or the Report Phishing add-in.
Establish a workflow to Report false positives and false negatives.
Use the Submissions portal.

Watch this video to learn more: Learn how to use the Submissions portal to submit
messages for analysis - YouTube.

Review reports to understand the threat landscape in blocking mode

Use the reporting capabilities in Defender for Office 365 to get more details about your
environment.

Understand threats received in email and collaboration tools with the Threat
protection status report.
See where threats are blocked with the Mailflow status report.
Review links that were viewed by users or blocked by the system.

Step 2: Intermediate steps in blocking mode

Prioritize focus on your most targeted users

Protect your most targeted and most visible users with Priority Account Protection in
Defender for Office 365, which helps you prioritize your workflow to ensure these users
are safe.

Identify your most targeted or most visible users.
Tag these users as priority accounts.
Track threats to priority accounts throughout the portal.

Watch this video to learn more: Protecting priority accounts in Microsoft Defender for
Office 365 - YouTube.

Avoid costly breaches by preventing user compromise

Get alerted to potential compromise and automatically limit the impact of these threats
to prevent attackers from gaining deeper access to your environment.

Review compromised user alerts.
Investigate and respond to compromised users.

Watch this video to learn more: Detect and respond to compromise in Microsoft
Defender for Office 365 - YouTube.

Use Threat Explorer to investigate malicious email

Defender for Office 365 enables you to investigate activities that put people in your
organization at risk and to take action to protect your organization. You can do this
using Threat Explorer.

Find suspicious email that was delivered: Find and delete messages, identify the IP
address of a malicious email sender, or start an incident for further investigation.
Check the delivery action and location: This check lets you know the location of
problem email messages.
View the timeline of your email: a simplified hunting view for your security operations team.

See campaigns targeting your organization

See the bigger picture with Campaign Views in Defender for Office 365, which gives you
a view of the attack campaigns targeting your organization and the impact they have on
your users.

Identify campaigns targeting your users.

Visualize the scope of the attack.

Track user interaction with these messages.


Watch this video to learn more: Campaign Views in Microsoft Defender for Office 365 -
YouTube.

Use automation to remediate risks

Respond efficiently using Automated investigation and response (AIR) to review,
prioritize, and respond to threats.

Learn more about investigation user guides.
View details and results of an investigation.
Eliminate threats by approving remediation actions.

Step 3: Advanced content in blocking mode

Dive deep into data with query-based hunting

Use Advanced hunting to write custom detection rules, proactively inspect events in
your environment, and locate threat indicators. Explore raw data in your environment.

Build custom detection rules.
Access shared queries created by others.

Watch this video to learn more: Threat hunting with Microsoft 365 Defender -
YouTube.

Train users to spot threats by simulating attacks

Equip your users with the right knowledge to identify threats and report suspicious
messages with Attack simulation training in Defender for Office 365.

Simulate realistic threats to identify vulnerable users.

Assign training to users based on simulation results.

Track progress of your organization in simulations and training completion.


Auditing mode

Step 1: Get started in auditing mode

Start your Defender for Office 365 evaluation

After you've completed the setup process, it may take up to 2 hours for changes to take
effect. We've automatically configured Preset Evaluation policies in your environment.

Evaluation policies ensure no action is taken on email that's detected by Defender for
Office 365.

Enable users to report suspicious content in auditing mode

Defender for Office 365 enables users to report messages to their security teams and
allows admins to submit messages to Microsoft for analysis.

Deploy the Report Message add-in or the Report Phishing add-in.
Establish a workflow to Report false positives and false negatives.
Use the Submissions portal.

Watch this video to learn more: Learn how to use the Submissions portal to submit
messages for analysis - YouTube.

Review reports to understand the threat landscape in auditing mode

Use the reporting capabilities in Defender for Office 365 to get more details about your
environment.

The Evaluation dashboard provides an easy view of the threats detected by
Defender for Office 365 during evaluation.
Understand threats received in email and collaboration tools with the Threat
protection status report.

Step 2: Intermediate steps in auditing mode

Use Threat Explorer to investigate malicious email in auditing mode

Defender for Office 365 enables you to investigate activities that put people in your
organization at risk and to take action to protect your organization. You can do this
using Threat Explorer.

Find suspicious email that was delivered: Find and delete messages, identify the IP
address of a malicious email sender, or start an incident for further investigation.
Check the delivery action and location: This check lets you know the location of
problem email messages.
View the timeline of your email: a simplified hunting view for your security operations team.

Convert to Standard Protection at the end of evaluation period

When you're ready to turn on Defender for Office 365 policies in production, you can
use "Convert to Standard Protection" within the evaluation management experience to
easily move to Standard protection in preset security policies.

1. On the Microsoft Defender for Office 365 evaluation page at
   https://security.microsoft.com/atpEvaluation, click Manage.

2. In the flyout that opens, click Convert to Standard protection.

3. In the Convert to standard protection dialog that opens, click Continue to initiate
   the setup.

Migrate from a third-party protection service or device to Defender for Office 365

If you already have an existing third-party protection service or device that sits in front
of Microsoft 365, you can migrate your protection to Microsoft Defender for Office 365
to get the benefits of a consolidated management experience, potentially reduced cost
(using products that you already pay for), and a mature product with integrated security
protection.

For more information, see Migrate from a third-party protection service or device to
Microsoft Defender for Office 365.

Step 3: Advanced content in auditing mode

Train users to spot threats by simulating attacks in auditing mode

Equip your users with the right knowledge to identify threats and report suspicious
messages with Attack simulation training in Defender for Office 365.

Simulate realistic threats to identify vulnerable users.

Assign training to users based on simulation results.

Track progress of your organization in simulations and training completion.

Additional resources
Interactive guide: Unfamiliar with Defender for Office 365? Review the interactive
guide to understand how to get started.
Fast Track Get Started Guide*: Microsoft Defender for Office 365
Microsoft Defender for Office 365 documentation: Get detailed information on
how Defender for Office 365 works and how to best implement it for your
organization. Visit the Microsoft Defender for Office 365 documentation.
What's included: For a full list of Office 365 email security features listed by
product tier, view the Feature Matrix.
Why Defender for Office 365: The Defender for Office 365 Datasheet shows the
top 10 reasons customers choose Microsoft.
Email authentication in EOP
Article • 12/10/2022 • 8 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Email authentication (also known as email validation) is a group of standards that tries
to stop spoofing (email messages from forged senders). In all Microsoft 365
organizations, EOP uses these standards to verify inbound email:

SPF
DKIM
DMARC

Email authentication verifies that email messages from a sender (for example,
laura@contoso.com) are legitimate and come from expected sources for that email
domain (for example, contoso.com.)

The rest of this article explains how these technologies work, and how EOP uses them to
check inbound email.

Use email authentication to help prevent spoofing

DMARC prevents spoofing by examining the From address in messages. The From
address is the sender's email address that users see in their email client. Destination
email organizations can also verify that the email domain has passed SPF or DKIM. In
other words, the domain has been authenticated and therefore the sender's email
address is not spoofed.

However, DNS records for SPF, DKIM, and DMARC (collectively known as email
authentication policies) are optional. Domains with strong email authentication policies
like microsoft.com and skype.com are protected from spoofing. But domains with
weaker email authentication policies, or no policy at all, are prime targets for being
spoofed.

As of March 2018, only 9% of domains of companies in the Fortune 500 publish strong
email authentication policies. The remaining 91% of companies might be spoofed by an
attacker. Unless some other email filtering mechanism is in-place, email from spoofed
senders in these domains might be delivered to users.

The proportion of small-to-medium sized companies that publish strong email
authentication policies is smaller. And the number is even smaller for email domains
outside North America and western Europe.

Lack of strong email authentication policies is a large problem. While organizations
might not understand how email authentication works, attackers fully understand, and
they take advantage. Because of phishing concerns and the limited adoption of strong
email authentication policies, Microsoft uses implicit email authentication to check
inbound email.

Implicit email authentication is an extension of regular email authentication policies.
These extensions include: sender reputation, sender history, recipient history, behavioral
analysis, and other advanced techniques. In the absence of other signals from these
extensions, messages sent from domains that don't use email authentication policies will
be marked as spoof.

To see Microsoft's general announcement, see A Sea of Phish Part 2 - Enhanced Anti-
spoofing in Microsoft 365.

Composite authentication
If a domain doesn't have traditional SPF, DKIM, and DMARC records, those record
checks don't communicate enough authentication status information. Therefore,
Microsoft has developed an algorithm for implicit email authentication. This algorithm
combines multiple signals into a single value called composite authentication, or
compauth for short. The compauth value is stamped into the Authentication-Results
header in the message headers.

text

Authentication-Results: compauth=<fail | pass | softpass | none> reason=<yyy>

These values are explained at Authentication-results message header.

By examining the message headers, admins or even end users can determine how
Microsoft 365 determined that the sender is spoofed.

Why email authentication is not always enough to stop spoofing

Relying only on email authentication records to determine if an incoming message is
spoofed has the following limitations:

The sending domain might lack the required DNS records, or the records are
incorrectly configured.

The source domain has correctly configured DNS records, but that domain doesn't
match the domain in the From address. SPF and DKIM don't require the domain to
be used in the From address. Attackers or legitimate services can register a
domain, configure SPF and DKIM for the domain, and use a completely different
domain in the From address. Messages from senders in this domain will pass SPF
and DKIM.

Composite authentication can address these limitations by passing messages that would
otherwise fail email authentication checks.

For simplicity, the following examples concentrate on email authentication results. Other
back-end intelligence factors could identify messages that pass email authentication as
spoofed, or messages that fail email authentication as legitimate.

For example, the fabrikam.com domain has no SPF, DKIM, or DMARC records. Messages
from senders in the fabrikam.com domain can fail composite authentication (note the
compauth value and reason):

text

Authentication-Results: spf=none (sender IP is 10.2.3.4)
 smtp.mailfrom=fabrikam.com; contoso.com; dkim=none
 (message not signed) header.d=none; contoso.com; dmarc=none
 action=none header.from=fabrikam.com; compauth=fail reason=001
From: chris@fabrikam.com
To: michelle@contoso.com

If fabrikam.com configures an SPF without a DKIM record, the message can pass
composite authentication. The domain that passed SPF checks is aligned with the
domain in the From address:

text

Authentication-Results: spf=pass (sender IP is 10.2.3.4)
 smtp.mailfrom=fabrikam.com; contoso.com; dkim=none
 (message not signed) header.d=none; contoso.com; dmarc=bestguesspass
 action=none header.from=fabrikam.com; compauth=pass reason=109
From: chris@fabrikam.com
To: michelle@contoso.com

If fabrikam.com configures a DKIM record without an SPF record, the message can pass
composite authentication. The domain in the DKIM signature is aligned with the domain
in the From address:

text

Authentication-Results: spf=none (sender IP is 10.2.3.4)
 smtp.mailfrom=fabrikam.com; contoso.com; dkim=pass
 (signature was verified) header.d=outbound.fabrikam.com;
 contoso.com; dmarc=bestguesspass action=none
 header.from=fabrikam.com; compauth=pass reason=109
From: chris@fabrikam.com
To: michelle@contoso.com

If the domain in SPF or the DKIM signature doesn't align with the domain in the From
address, the message can fail composite authentication:

text

Authentication-Results: spf=none (sender IP is 192.168.1.8)
 smtp.mailfrom=maliciousdomain.com; contoso.com; dkim=pass
 (signature was verified) header.d=maliciousdomain.com;
 contoso.com; dmarc=none action=none header.from=contoso.com;
 compauth=fail reason=001
From: chris@contoso.com
To: michelle@fabrikam.com
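The four headers above can be checked mechanically. The following Go program is an added example (not part of this article and not Microsoft's code): it parses each Authentication-Results header, pulls out the SPF and DKIM verdicts together with the domains they were evaluated for, and applies the alignment rule described under "Why email authentication is not always enough to stop spoofing" (the authenticated domain must share an organizational domain with the From address). The orgDomain helper, which takes the last two labels instead of consulting the public suffix list, and the ExplicitVerdict name are assumptions of this example; Microsoft's real compauth also blends in the reputation and history signals that the code does not model.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResults holds the parts of an Authentication-Results header needed for the
// alignment check: each method's verdict and the domain it was evaluated for.
type AuthResults struct {
	SPF, DKIM, DMARC, CompAuth, Reason string
	MailFrom, DKIMDomain, HeaderFrom   string
}

// stripComments removes parenthesised comments such as "(sender IP is 10.2.3.4)".
func stripComments(s string) string {
	var b strings.Builder
	depth := 0
	for _, c := range s {
		switch {
		case c == '(':
			depth++
		case c == ')' && depth > 0:
			depth--
		case depth == 0:
			b.WriteRune(c)
		}
	}
	return b.String()
}

// ParseAuthResults reads a header that has been unfolded onto one line. Tokens
// without "=" (the authserv-id "contoso.com;") are skipped.
func ParseAuthResults(hdr string) AuthResults {
	var r AuthResults
	hdr = strings.TrimPrefix(hdr, "Authentication-Results:")
	for _, tok := range strings.Fields(stripComments(hdr)) {
		kv := strings.SplitN(strings.TrimSuffix(tok, ";"), "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch strings.ToLower(kv[0]) {
		case "spf":
			r.SPF = kv[1]
		case "dkim":
			r.DKIM = kv[1]
		case "dmarc":
			r.DMARC = kv[1]
		case "compauth":
			r.CompAuth = kv[1]
		case "reason":
			r.Reason = kv[1]
		case "smtp.mailfrom":
			r.MailFrom = kv[1]
		case "header.d":
			r.DKIMDomain = kv[1]
		case "header.from":
			r.HeaderFrom = kv[1]
		}
	}
	return r
}

// orgDomain approximates the organizational domain as the last two labels.
// Assumption for this example only: a real checker uses the public suffix list.
func orgDomain(d string) string {
	parts := strings.Split(strings.ToLower(d), ".")
	if len(parts) <= 2 {
		return strings.ToLower(d)
	}
	return strings.Join(parts[len(parts)-2:], ".")
}

// Aligned is relaxed alignment: outbound.fabrikam.com aligns with fabrikam.com,
// maliciousdomain.com does not align with contoso.com, "none" never aligns.
func Aligned(authDomain, fromDomain string) bool {
	return authDomain != "" && authDomain != "none" && orgDomain(authDomain) == orgDomain(fromDomain)
}

// ExplicitVerdict is only the explicit-authentication part of the article's
// examples: pass when SPF or DKIM passed for a domain aligned with the From
// address, otherwise fail. Reputation and history signals are not modelled.
func ExplicitVerdict(r AuthResults) string {
	if r.SPF == "pass" && Aligned(r.MailFrom, r.HeaderFrom) {
		return "pass"
	}
	if r.DKIM == "pass" && Aligned(r.DKIMDomain, r.HeaderFrom) {
		return "pass"
	}
	return "fail"
}

// Examples are the four headers from the article, unfolded onto one line each.
var Examples = []string{
	"Authentication-Results: spf=none (sender IP is 10.2.3.4) smtp.mailfrom=fabrikam.com; contoso.com; dkim=none (message not signed) header.d=none; contoso.com; dmarc=none action=none header.from=fabrikam.com; compauth=fail reason=001",
	"Authentication-Results: spf=pass (sender IP is 10.2.3.4) smtp.mailfrom=fabrikam.com; contoso.com; dkim=none (message not signed) header.d=none; contoso.com; dmarc=bestguesspass action=none header.from=fabrikam.com; compauth=pass reason=109",
	"Authentication-Results: spf=none (sender IP is 10.2.3.4) smtp.mailfrom=fabrikam.com; contoso.com; dkim=pass (signature was verified) header.d=outbound.fabrikam.com; contoso.com; dmarc=bestguesspass action=none header.from=fabrikam.com; compauth=pass reason=109",
	"Authentication-Results: spf=none (sender IP is 192.168.1.8) smtp.mailfrom=maliciousdomain.com; contoso.com; dkim=pass (signature was verified) header.d=maliciousdomain.com; contoso.com; dmarc=none action=none header.from=contoso.com; compauth=fail reason=001",
}

func main() {
	for _, h := range Examples {
		r := ParseAuthResults(h)
		fmt.Printf("from=%-20s spf=%-4s dkim=%-4s stamped compauth=%-4s alignment verdict=%s\n",
			r.HeaderFrom, r.SPF, r.DKIM, r.CompAuth, ExplicitVerdict(r))
	}
}
```

For all four headers the alignment verdict agrees with the compauth value Microsoft stamped, which is the point of the examples: a DKIM pass for maliciousdomain.com says nothing about a From address at contoso.com.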

Solutions for legitimate senders who are sending unauthenticated email

Microsoft 365 keeps track of who is sending unauthenticated email to your organization.
If the service thinks the sender is not legitimate, it will mark messages from this sender
as a composite authentication failure. To avoid this verdict, you can use the
recommendations in this section.

Configure email authentication for domains you own

You can use this method to resolve intra-org spoofing and cross-domain spoofing in
cases where you own or interact with multiple tenants. It also helps resolve cross-
domain spoofing where you send to other customers within Microsoft 365 or third
parties that are hosted by other providers.

Configure SPF records for your domains.
Configure DKIM records for your primary domains.
Consider setting up DMARC records for your domain to determine your legitimate
senders.

Microsoft doesn't provide detailed implementation guidelines for SPF, DKIM, and
DMARC records. However, there's a lot of information available online. There are also
third-party companies dedicated to helping your organization set up email
authentication records.

You don't know all sources for your email

Many domains don't publish SPF records because they don't know all of the email
sources for messages in their domain. Start by publishing an SPF record that contains all
of the email sources you know about (especially where your corporate traffic is located),
and publish the neutral SPF policy ?all. For example:

text

fabrikam.com IN TXT "v=spf1 include:spf.fabrikam.com ?all"

This example means that email from your corporate infrastructure will pass email
authentication, but email from unknown sources will fall back to neutral.

Microsoft 365 will treat inbound email from your corporate infrastructure as
authenticated. Email from unidentified sources might still be marked as spoof if it fails
implicit authentication. However, this is still an improvement from all email being
marked as spoof by Microsoft 365.

Once you've gotten started with an SPF fallback policy of ?all, you can gradually
discover and include more email sources for your messages, and then update your SPF
record with a stricter policy.

Configure permitted senders of unauthenticated email

You can also use the spoof intelligence insight and the Tenant Allow/Block List to permit
senders to transmit unauthenticated messages to your organization.

For external domains, the spoofed user is the domain in the From address, while the
sending infrastructure is one of the following values:

The source IP address (divided up into /24 CIDR ranges).
The organizational domain of the reverse DNS (PTR) record.
A verified DKIM domain.

Create an allow entry for the sender/recipient pair

To bypass spam filtering, some parts of filtering for phishing, but not malware filtering
for specific senders, see Create safe sender lists in Microsoft 365.

Ask the sender to configure email authentication for domains you don't own

Because of the problem of spam and phishing, Microsoft recommends email
authentication for all email organizations. Instead of configuring manual overrides in
your organization, you can ask an admin in the sending domain to configure their email
authentication records.

Even if they didn't need to publish email authentication records in the past, they
should do so if they send email to Microsoft.

Set up SPF to publish the domain's sending IP addresses, and set up DKIM (if
available) to digitally sign messages. They should also consider setting up DMARC
records.

If they use bulk senders to send email on their behalf, verify that the domain in the
From address (if it belongs to them) aligns with the domain that passes SPF or
DMARC.

Verify the following locations (if they use them) are included in the SPF record:
On-premises email servers.
Email sent from a software-as-a-service (SaaS) provider.
Email sent from a cloud-hosting service (Microsoft Azure, GoDaddy, Rackspace,
Amazon Web Services, etc.).

For small domains that are hosted by an ISP, configure the SPF record according to
the instructions from the ISP.

While it may be difficult at first to get sending domains to authenticate, over time, as
more and more email filters start junking or even rejecting their email, it will cause them
to set up the proper records to ensure better delivery. Also, their participation can help
in the fight against phishing, and can reduce the possibility of phishing in their
organization or organizations that they send email to.

Information for infrastructure providers (ISPs, ESPs, or cloud hosting services)

If you host a domain's email or provide hosting infrastructure that can send email, you
should do the following steps:

Ensure your customers have documentation that explains how your customers
should configure their SPF records.

Consider signing DKIM-signatures on outbound email, even if the customer
doesn't explicitly set it up (sign with a default domain). You can even double-sign
the email with DKIM signatures (once with the customer's domain if they have set
it up, and a second time with your company's DKIM signature).

Deliverability to Microsoft is not guaranteed even if you authenticate email originating
from your platform, but at least it ensures that Microsoft does not junk your email
because it isn't authenticated.

Related links

For more information about service providers best practices, see M3AAWG Mobile
Messaging Best Practices for Service Providers.

Learn how Office 365 uses SPF and supports DKIM validation:

More about SPF

More about DKIM


Set up SPF to help prevent spoofing
Article • 12/10/2022 • 6 minutes to read

This article describes how to update a Domain Name Service (DNS) record so that you
can use Sender Policy Framework (SPF) email authentication with your custom domain
in Office 365.

SPF helps validate outbound email sent from your custom domain (is coming from who
it says it is). It's a first step in setting up the full recommended email authentication
methods of SPF, DKIM, and DMARC.

Prerequisites
Create or update your SPF TXT record
How to handle subdomains?
What does SPF email authentication actually do?
Troubleshooting SPF
More information about SPF

Prerequisites

Important

If you are a small business, or are unfamiliar with IP addresses or DNS
configuration, call your Internet domain registrar (ex. GoDaddy, Bluehost, web.com)
& ask for help with DNS configuration of SPF (and any other email authentication
method).

If you don't use a custom URL (and the URL used for Office 365 ends in
onmicrosoft.com), SPF has already been set up for you in the Office 365 service.

Let's get started.

The SPF TXT record for Office 365 will be made in external DNS for any custom domains
or subdomains. You need some information to make the record. Gather this information:

The SPF TXT record for your custom domain, if one exists. For instructions, see
Gather the information you need to create Office 365 DNS records.

Go to your messaging server(s) and find out the External IP addresses (needed
from all on-premises messaging servers). For example, 131.107.2.200.

Domain names to use for all third-party domains that you need to include in your
SPF TXT record. Some bulk mail providers have set up subdomains to use for their
customers. For example, the company MailChimp has set up servers.mcsv.net.

Figure out what enforcement rule you want to use for your SPF TXT record. The -all
rule is recommended. For detailed information about other syntax options, see SPF
TXT record syntax for Office 365.

Important

In order to use a custom domain, Office 365 requires that you add a Sender Policy
Framework (SPF) TXT record to your DNS record to help prevent spoofing.

Create or update your SPF TXT record

1. Ensure that you're familiar with the SPF syntax in the following table.

Element | If you're using... | Common for customers? | Add this...
--- | --- | --- | ---
1 | Any email system (required) | Common. All SPF TXT records start with this value | v=spf1
2 | Exchange Online | Common | include:spf.protection.outlook.com
3 | Exchange Online dedicated only | Not common | ip4:23.103.224.0/19 ip4:206.191.224.0/19 ip4:40.103.0.0/16 include:spf.protection.outlook.com
4 | Office 365 Germany, Microsoft Cloud Germany only | Not common | include:spf.protection.outlook.de
5 | Third-party email system | Not common | include:<domain_name> (<domain_name> is the domain of the third-party email system.)
6 | On-premises email system. For example, Exchange Online Protection plus another email system | Not common | Use one of these for each additional mail system: ip4:<IP_address>, ip6:<IP_address>, include:<domain_name> (<IP_address> and <domain_name> are the IP address and domain of the other email system that sends mail on behalf of your domain.)
7 | Any email system (required) | Common. All SPF TXT records end with this value | <enforcement rule> (This can be one of several values. We recommend the value -all.)

2. If you haven't already done so, form your SPF TXT record by using the syntax from
the table.

For example, if you are hosted entirely in Office 365, that is, you have no on-
premises mail servers, your SPF TXT record would include rows 1, 2, and 7 and
would look like this:

text

v=spf1 include:spf.protection.outlook.com -all

The example above is the most common SPF TXT record. This record works for
just about everyone, regardless of whether your Microsoft datacenter is located in
the United States, or in Europe (including Germany), or in another location.

However, if you bought Office 365 Germany, part of Microsoft Cloud Germany, you
should use the include statement from line 4 instead of line 2. For example, if you
are hosted entirely in Office 365 Germany, that is, you have no on-premises mail
servers, your SPF TXT record would include rows 1, 4, and 7 and would look like
this:

text

v=spf1 include:spf.protection.outlook.de -all

If you're already deployed in Office 365 and have set up your SPF TXT records for
your custom domain, and you're migrating to Office 365 Germany, you need to
update your SPF TXT record. To do this, change
include:spf.protection.outlook.com to include:spf.protection.outlook.de .

3. Once you have formed your SPF TXT record, you need to update the record in
DNS. You can only have one SPF TXT record for a domain. If an SPF TXT record
exists, instead of adding a new record, you need to update the existing record. Go
to Create DNS records for Office 365, and then select the link for your DNS host.

4. Test your SPF TXT record.
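Step 4 says to test the record. The following Go program is an added example, not from this article and not a Microsoft tool: it builds a record from the rows of the table above, then evaluates a sending IP address against it using a constructed in-memory TXT map in place of DNS. It also shows two behaviours the article mentions elsewhere: the neutral fallback of a ?all record (the "You don't know all sources for your email" section) and the 10-lookup limit behind "exceeded the lookup limit" errors. The record contents for spf.protection.outlook.com and the other names in the map are constructed for this example and are not the real published values; the a, mx, ptr and exists mechanisms are deliberately left unimplemented.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// txt is a constructed, offline stand-in for the DNS TXT lookups a real SPF
// checker performs. Contents are illustrative, not the real published records.
var txt = map[string]string{
	"contoso.com":                "v=spf1 include:spf.protection.outlook.com -all",
	"fabrikam.com":               "v=spf1 include:spf.fabrikam.com ?all",
	"spf.fabrikam.com":           "v=spf1 ip4:131.107.2.200 include:spf.protection.outlook.com -all",
	"spf.protection.outlook.com": "v=spf1 ip4:40.103.0.0/16 ip4:23.103.224.0/19 ip4:206.191.224.0/19 -all",
	"loop.example":               "v=spf1 include:loop.example -all", // a record that includes itself
}

// maxLookups is the RFC 7208 cap on DNS-querying mechanisms per evaluation.
const maxLookups = 10

// BuildRecord assembles a record the way the table describes: "v=spf1",
// the sender mechanisms, then the enforcement rule.
func BuildRecord(mechanisms []string, enforcement string) string {
	return "v=spf1 " + strings.Join(append(mechanisms, enforcement), " ")
}

type evaluator struct{ lookups int }

func (e *evaluator) check(ip net.IP, domain string) string {
	rec, ok := txt[domain]
	if !ok {
		return "None"
	}
	for _, term := range strings.Fields(rec)[1:] { // skip the v=spf1 tag
		qual := "+"
		if strings.ContainsAny(term[:1], "+-~?") {
			qual, term = term[:1], term[1:]
		}
		mech, arg := term, ""
		if i := strings.Index(term, ":"); i >= 0 {
			mech, arg = term[:i], term[i+1:]
		}
		matched := false
		switch mech {
		case "all":
			matched = true
		case "ip4", "ip6":
			if _, cidr, err := net.ParseCIDR(arg); err == nil {
				matched = cidr.Contains(ip)
			} else {
				matched = net.ParseIP(arg).Equal(ip)
			}
		case "include":
			e.lookups++
			if e.lookups > maxLookups {
				return "PermError"
			}
			// include matches only when the referenced record yields Pass;
			// its Fail or Neutral just means "keep evaluating this record".
			sub := e.check(ip, arg)
			if sub == "PermError" {
				return sub
			}
			matched = sub == "Pass"
		default: // a, mx, ptr, exists: not implemented in this example
			return "PermError"
		}
		if matched {
			return map[string]string{"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}[qual]
		}
	}
	return "Neutral" // nothing matched and no "all" term
}

// CheckSPF evaluates the sending address for the MAIL FROM domain and reports
// how many DNS-querying mechanisms the evaluation consumed.
func CheckSPF(ip, domain string) (result string, lookups int) {
	e := &evaluator{}
	return e.check(net.ParseIP(ip), domain), e.lookups
}

func main() {
	fmt.Println(BuildRecord([]string{"ip4:131.107.2.200", "include:spf.protection.outlook.com"}, "-all"))
	cases := [][2]string{{"40.103.1.1", "contoso.com"}, {"203.0.113.5", "contoso.com"},
		{"203.0.113.5", "fabrikam.com"}, {"131.107.2.200", "fabrikam.com"}, {"203.0.113.5", "loop.example"}}
	for _, c := range cases {
		res, n := CheckSPF(c[0], c[1])
		fmt.Printf("%-15s %-13s %-9s (%d lookups)\n", c[0], c[1], res, n)
	}
}
```

With these constructed records, an unknown source sending as fabrikam.com ends in Neutral rather than Fail, which is exactly the softer verdict the ?all section describes, while the same source sending as contoso.com (whose record ends in -all) gets Fail. The self-including record trips the lookup cap and returns PermError, the condition a receiver reports as exceeding the lookup limit.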

How to handle subdomains?

It's important to note that you need to create a separate record for each subdomain as
subdomains don't inherit the SPF record of their top-level domain.

A wildcard SPF record (*.) is required for every domain and subdomain to prevent
attackers from sending email claiming to be from non-existent subdomains. For
example:

text

*.subdomain.contoso.com. IN TXT "v=spf1 -all"

Troubleshooting SPF
Having trouble with your SPF TXT record? Read Troubleshooting: Best practices for SPF
in Office 365.

What does SPF email authentication actually do?

SPF identifies which mail servers are allowed to send mail on your behalf. Basically, SPF,
along with DKIM, DMARC, and other technologies supported by Office 365, help prevent
spoofing and phishing. SPF is added as a TXT record that is used by DNS to identify
which mail servers can send mail on behalf of your custom domain. Recipient mail
systems refer to the SPF TXT record to determine whether a message from your custom
domain comes from an authorized messaging server.

For example, let's say that your custom domain contoso.com uses Office 365. You add
an SPF TXT record that lists the Office 365 messaging servers as legitimate mail servers
for your domain. When the receiving messaging server gets a message from
joe@contoso.com, the server looks up the SPF TXT record for contoso.com and finds
out whether the message is valid. If the receiving server finds out that the message
comes from a server other than the Office 365 messaging servers listed in the SPF
record, the receiving mail server can choose to reject the message as spam.

Also, if your custom domain does not have an SPF TXT record, some receiving servers
may reject the message outright. This is because the receiving server cannot validate
that the message comes from an authorized messaging server.

If you've already set up mail for Office 365, then you have already included Microsoft's
messaging servers in DNS as an SPF TXT record. However, there are some cases where
you may need to update your SPF TXT record in DNS. For example:

Previously, you had to add a different SPF TXT record to your custom domain if
you were using SharePoint Online. This is no longer required. This change should
reduce the risk of SharePoint Online notification messages ending up in the Junk
Email folder. Update your SPF TXT record if you are hitting the 10 lookup limit and
receiving errors that say things like, "exceeded the lookup limit" and "too many
hops".

If you have a hybrid environment with Office 365 and Exchange on-premises.

You intend to set up DKIM and DMARC (recommended).

More information about SPF

For advanced examples, a more detailed discussion about supported SPF syntax,
spoofing, troubleshooting, and how Office 365 supports SPF, see How SPF works to
prevent spoofing and phishing in Office 365.

Next Steps: DKIM and DMARC

SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF
can't protect against. To defend against these, once you've set up SPF, you should
configure DKIM and DMARC for Office 365.

DKIM email authentication's goal is to prove the contents of the mail haven't been
tampered with.

DMARC email authentication's goal is to make sure that SPF and DKIM information
matches the From address.

For advanced examples and a more detailed discussion about supported SPF syntax, see
How SPF works to prevent spoofing and phishing in Office 365.

Use trusted ARC Senders for legitimate mailflows

Use DKIM to validate outbound email
sent from your custom domain
Article • 12/22/2022 • 15 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This article lists the steps to use DomainKeys Identified Mail (DKIM) with Microsoft 365
to ensure that destination email systems trust messages sent outbound from your
custom domain.

In this article:

How DKIM works better than SPF alone to prevent malicious spoofing
Steps to Create, enable and disable DKIM from Microsoft 365 Defender portal
Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys
Steps to manually set up DKIM
Steps to configure DKIM for more than one custom domain
Disabling the DKIM signing policy for a custom domain
Default behavior for DKIM and Microsoft 365
Set up DKIM so that a third-party service can send, or spoof, email on behalf of
your custom domain
Next steps: After you set up DKIM for Microsoft 365

Note

Microsoft 365 automatically sets up DKIM for its initial 'onmicrosoft.com' domains.
That means you don't need to do anything to set up DKIM for any initial domain
names (for example, litware.onmicrosoft.com). For more information about
domains, see Domains FAQ.

DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help
prevent attackers from sending messages that look like they come from your domain.

DKIM lets you add a digital signature to outbound email messages in the message
header. When you configure DKIM, you authorize your domain to associate, or sign, its
name to an email message using cryptographic authentication. Email systems that get
email from your domain can use this digital signature to help verify whether incoming
email is legitimate.

In basic terms, a private key encrypts the header in a domain's outgoing email. The public key
is published in the domain's DNS records, and receiving servers can use that key to
decode the signature. DKIM verification helps the receiving servers confirm the mail is
really coming from your domain and not someone spoofing your domain.

Tip

You can choose to do nothing about DKIM for your custom domain too. If you
don't set up DKIM for your custom domain, Microsoft 365 creates a private and
public key pair, enables DKIM signing, and then configures the Microsoft 365
default policy for your custom domain.

Microsoft 365's built-in DKIM configuration is sufficient coverage for most customers.
However, you should manually configure DKIM for your custom domain in the following
circumstances:

You have more than one custom domain in Microsoft 365
You're going to set up DMARC too (recommended)
You want control over your private key
You want to customize your CNAME records
You want to set up DKIM keys for email originating out of a third-party domain, for
example, if you use a third-party bulk mailer.

How DKIM works better than SPF alone to prevent malicious spoofing

SPF adds information to a message envelope but DKIM encrypts a signature within the
message header. When you forward a message, portions of that message's envelope
can be stripped away by the forwarding server. Since the digital signature stays with the
email message because it's part of the email header, DKIM works even when a message
has been forwarded as shown in the following example.

In this example, if you had only published an SPF TXT record for your domain, the
recipient's mail server could have marked your email as spam and generated a false
positive result. The addition of DKIM in this scenario reduces false positive spam
reporting. Because DKIM relies on public key cryptography to authenticate and not just
IP addresses, DKIM is considered a much stronger form of authentication than SPF. We
recommend using both SPF and DKIM, as well as DMARC, in your deployment.

Tip

DKIM uses a private key to insert an encrypted signature into the message headers.
The signing domain, or outbound domain, is inserted as the value of the d= field in
the header. The verifying domain, or recipient's domain, then uses the d= field to
look up the public key from DNS, and authenticate the message. If the message is
verified, the DKIM check passes.

Steps to Create, enable and disable DKIM from Microsoft 365 Defender portal

All the accepted domains of your tenant will be shown in the Microsoft 365 Defender
portal under the DKIM page. If you do not see it, add your accepted domain from the
domains page. Once your domain is added, follow the steps as shown below to
configure DKIM.

Step 1: Click on the domain you wish to configure DKIM on the DKIM page
(https://security.microsoft.com/dkimv2 or https://protection.office.com/dkimv2).

Step 2: Slide the toggle to Enable. You will see a pop-up window stating that you need
to add CNAME records.

Step 3: Copy the CNAME records shown in the pop-up window.

Step 4: Publish the copied CNAME records to your DNS service provider.
On your DNS provider's website, add CNAME records for DKIM that you want to enable.
Make sure that the fields are set to the following values for each:

text

Record Type: CNAME (Alias)
Host: Paste the values you copy from DKIM page.
Points to address: Copy the value from DKIM page.
TTL: 3600 (or your provider default)

Step 5: Return to DKIM page to enable DKIM.

If you see a "CNAME record doesn't exist" error, it might be due to:

1. Synchronization with the DNS server, which might take from a few seconds to hours. If the
problem persists, repeat the steps.
2. Copy-and-paste errors, such as additional spaces or tabs.

If you wish to disable DKIM, toggle back to disable mode.

Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys

Note

Microsoft 365 automatically sets up DKIM for onmicrosoft.com domains. No steps
are needed to use DKIM for any initial domain names (like litware.onmicrosoft.com).
For more information about domains, see Domains FAQ.

Since both 1024-bit and 2048-bit DKIM keys are supported, these directions tell
you how to upgrade your 1024-bit key to 2048-bit in Exchange Online PowerShell. The
steps below cover two use cases; choose the one that best fits your
configuration.

When you already have DKIM configured, you rotate bitness by running the
following command:

PowerShell

Rotate-DkimSigningConfig -KeySize 2048 -Identity <DkimSigningConfigIdParameter>

or

For a new implementation of DKIM, run the following command:

PowerShell

New-DkimSigningConfig -DomainName <Domain for which config is to be created> -KeySize 2048 -Enabled $true

Stay connected to Exchange Online PowerShell to verify the configuration by running
the following command:

PowerShell

Get-DkimSigningConfig -Identity <Domain for which the configuration was set> | Format-List

Tip

This new 2048-bit key takes effect on the RotateOnDate, and will send emails with
the 1024-bit key in the interim. After four days, you can test again with the 2048-bit
key (that is, once the rotation takes effect to the second selector).

If you want to rotate to the second selector, after four days and confirming that the
2048-bit key is in use, manually rotate the second selector key by using the appropriate
cmdlet listed above.

For detailed syntax and parameter information, see the following articles:
Rotate-DkimSigningConfig, New-DkimSigningConfig, and Get-DkimSigningConfig.

Steps to manually set up DKIM

To configure DKIM, you will complete these steps:

Publish two CNAME records for your custom domain in DNS
Enable DKIM signing for your custom domain

Publish two CNAME records for your custom domain in DNS

For each domain for which you want to add a DKIM signature in DNS, you need to
publish two CNAME records.

Note

If you haven't read the full article, you may have missed this time-saving PowerShell
connection information: Connect to Exchange Online PowerShell.

Run the following commands in Exchange Online PowerShell to create the selector
records:

PowerShell

New-DkimSigningConfig -DomainName <domain> -Enabled $false
Get-DkimSigningConfig -Identity <domain> | Format-List Selector1CNAME, Selector2CNAME

If you have provisioned custom domains in addition to the initial domain in Microsoft
365, you must publish two CNAME records for each additional domain. So, if you have
two domains, you must publish two additional CNAME records, and so on.

Use the following format for the CNAME records.

Important

If you are one of our GCC High customers, we calculate customDomainIdentifier
differently! Instead of looking up the MX record for your initialDomain to calculate
customDomainIdentifier, we calculate it directly from the customized
domain. For example, if your customized domain is "contoso.com", your
customDomainIdentifier becomes "contoso-com"; any periods are replaced with a
dash. So, regardless of what MX record your initialDomain points to, you'll always
use the above method to calculate the customDomainIdentifier to use in your
CNAME records.

Console

Host name: selector1._domainkey
Points to address or value: selector1-<customDomainIdentifier>._domainkey.<initialDomain>
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-<customDomainIdentifier>._domainkey.<initialDomain>
TTL: 3600

Where:

For Microsoft 365, the selectors will always be "selector1" or "selector2".

customDomainIdentifier is the same as the customDomainIdentifier in the
customized MX record for your custom domain that appears before
mail.protection.outlook.com. For example, in the following MX record for the
domain contoso.com, the customDomainIdentifier is contoso-com:

contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com

initialDomain is the domain that you used when you signed up for Microsoft 365.
Initial domains always end in onmicrosoft.com. For information about determining
your initial domain, see Domains FAQ.

For example, if you have an initial domain of cohovineyardandwinery.onmicrosoft.com,
and two custom domains cohovineyard.com and cohowinery.com, you would need to
set up two CNAME records for each additional domain, for a total of four CNAME
records.

Console

Host name: selector1._domainkey
Points to address or value: selector1-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL: 3600

Host name: selector1._domainkey
Points to address or value: selector1-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL: 3600

Host name: selector2._domainkey
Points to address or value: selector2-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com
TTL: 3600
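The CNAME naming rule above (and the "CNAME record doesn't exist" troubleshooting earlier) can be checked mechanically. The following is an added example, not Microsoft's code: it derives the expected selector CNAMEs for a tenant from the MX-derived customDomainIdentifier (or the GCC High dash rule) and compares them with DNS answers. The initial domain, custom domains and the "resolved" answers are constructed sample data.

```python
"""Derive the DKIM selector CNAME records Microsoft 365 expects for custom domains
and check what DNS actually returns against them.

Added example; it is not Microsoft's code. The naming rule is the one in the
article: selector1-<customDomainIdentifier>._domainkey.<initialDomain>, where
customDomainIdentifier is the label in front of mail.protection.outlook.com in the
domain's MX record, or (GCC High) the custom domain with periods replaced by dashes.
The 'resolved' answers below are constructed sample data, not real DNS lookups.
"""
import re

MX_SUFFIX = ".mail.protection.outlook.com"
SELECTORS = ("selector1", "selector2")


def identifier_from_mx(mx_target: str) -> str:
    """customDomainIdentifier from an MX target such as contoso-com.mail.protection.outlook.com."""
    host = mx_target.strip().rstrip(".").lower()
    if not host.endswith(MX_SUFFIX):
        raise ValueError(f"not a Microsoft 365 MX target: {mx_target!r}")
    return host[: -len(MX_SUFFIX)]


def identifier_gcc_high(custom_domain: str) -> str:
    """GCC High rule from the article: replace every period in the custom domain with a dash."""
    return custom_domain.strip().rstrip(".").lower().replace(".", "-")


def expected_cnames(custom_domain: str, initial_domain: str, identifier: str) -> dict:
    """The two CNAME records (host -> target) to publish for one custom domain."""
    return {
        f"{sel}._domainkey.{custom_domain}": f"{sel}-{identifier}._domainkey.{initial_domain}"
        for sel in SELECTORS
    }


def plan_for_tenant(initial_domain: str, custom_domains: dict, gcc_high: bool = False) -> dict:
    """custom_domains maps each custom domain to its MX target (ignored for GCC High).
    Returns every CNAME host -> target the tenant needs (two per custom domain)."""
    plan = {}
    for domain, mx_target in custom_domains.items():
        ident = identifier_gcc_high(domain) if gcc_high else identifier_from_mx(mx_target)
        plan.update(expected_cnames(domain, initial_domain, ident))
    return plan


def check_published(expected: dict, resolved: dict) -> list:
    """Compare expected records with what DNS returned (host -> CNAME target, or absent).
    Returns (host, problem) pairs; an empty list means every record is correct.
    A trailing dot and letter case are tolerated, but embedded whitespace is flagged
    because pasted spaces or tabs are a common cause of 'CNAME record doesn't exist'."""
    problems = []
    for host, target in expected.items():
        got = resolved.get(host)
        if got is None:
            problems.append((host, "missing"))
        elif re.search(r"\s", got):
            problems.append((host, "target contains whitespace (copy/paste error?)"))
        elif got.rstrip(".").lower() != target.lower():
            problems.append((host, f"points to {got!r}, expected {target!r}"))
    return problems


if __name__ == "__main__":
    # The article's tenant: one initial domain, two custom domains
    plan = plan_for_tenant(
        "cohovineyardandwinery.onmicrosoft.com",
        {"cohovineyard.com": "cohovineyard-com.mail.protection.outlook.com",
         "cohowinery.com": "cohowinery-com.mail.protection.outlook.com"},
    )
    for host, target in plan.items():
        print(f"{host} CNAME {target}")
    # Constructed DNS answers: one correct, one with a pasted tab, one typo, one missing
    resolved = {
        "selector1._domainkey.cohovineyard.com":
            "selector1-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com.",
        "selector2._domainkey.cohovineyard.com":
            "selector2-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com\t",
        "selector1._domainkey.cohowinery.com":
            "selector1-cohowinery._domainkey.cohovineyardandwinery.onmicrosoft.com",
    }
    for host, problem in check_published(plan, resolved):
        print(f"{host}: {problem}")
```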

Note

It's important to create the second record, but only one of the selectors may be
available at the time of creation. In essence, the second selector might point to an
address that hasn't been created yet. We still recommend that you create the
second CNAME record, because your key rotation will be seamless.

Steps to enable DKIM signing for your custom domain


Once you have published the CNAME records in DNS, you are ready to enable DKIM
signing through Microsoft 365. You can do this either through the Microsoft 365 admin
center or by using PowerShell.

To enable DKIM signing for your custom domain in the Microsoft 365 Defender portal

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Email
Authentication Settings in the Rules section > DKIM. To go directly to the DKIM
page, use https://security.microsoft.com/dkimv2.

2. On the DKIM page, select the domain by clicking on the name.

3. In the details flyout that appears, change the Sign messages for this domain with
DKIM signatures setting to Enabled.

When you're finished, click Rotate DKIM keys.

4. Repeat these steps for each custom domain.

5. If you are configuring DKIM for the first time and see the error 'No DKIM keys
saved for this domain', you will have to use Windows PowerShell to enable DKIM
signing as explained in the next step.

To enable DKIM signing for your custom domain by using PowerShell

Important

If you are configuring DKIM for the first time and see the error 'No DKIM keys
saved for this domain', complete the command in step 2 below (for example,
Set-DkimSigningConfig -Identity contoso.com -Enabled $true) to see the key.

1. Connect to Exchange Online PowerShell.

2. Use the following syntax:

PowerShell

Set-DkimSigningConfig -Identity <Domain> -Enabled $true

<Domain> is the name of the custom domain that you want to enable DKIM
signing for.

This example enables DKIM signing for the domain contoso.com:

PowerShell

Set-DkimSigningConfig -Identity contoso.com -Enabled $true

To Confirm DKIM signing is configured properly for Microsoft 365

Wait a few minutes before you follow these steps to confirm that you have properly
configured DKIM. This allows time for the DKIM information about the domain to be
spread throughout the network.

Send a message from an account within your Microsoft 365 DKIM-enabled domain
to another email account such as outlook.com or Hotmail.com.

Do not use an aol.com account for testing purposes. AOL may skip the DKIM check
if the SPF check passes. This will nullify your test.

Open the message and look at the header. Instructions for viewing the header for
the message will vary depending on your messaging client. For instructions on
viewing message headers in Outlook, see View internet message headers in
Outlook.

The DKIM-signed message will contain the host name and domain you defined
when you published the CNAME entries. The message will look something like this
example:

Console

From: Example User <example@contoso.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
s=selector1; d=contoso.com; t=1429912795;
h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
bh=<body hash>;
b=<signed field>;

Look for the Authentication-Results header. While each receiving service uses a
slightly different format to stamp the incoming mail, the result should include
something like DKIM=pass or DKIM=OK.

Important

The DKIM signature is omitted under any of the following conditions:

The sender and recipient email addresses are in the same domain.
The sender and recipient email addresses are in different domains that are
controlled by the same organization.

In both cases, the header will look similar to this:

Console

Authentication-Results: dkim=none (message not signed) header.d=none;
dmarc=none action=none header.from=<sender_domain>;

To configure DKIM for more than one custom domain

If at some point in the future you decide to add another custom domain and you want
to enable DKIM for the new domain, you must complete the steps in this article for each
domain. Specifically, complete all steps in What you need to do to manually set up
DKIM.

Disabling the DKIM signing policy for a custom domain

Disabling the signing policy does not completely disable DKIM. After a period of time,
Microsoft 365 will automatically apply the default policy for your domain, if the default
policy is still in the enabled state. If you wish to completely disable DKIM, you need to
disable DKIM on both the custom and default domains. For more information, see
Default behavior for DKIM and Microsoft 365.

To disable the DKIM signing policy by using Windows PowerShell

1. Connect to Exchange Online PowerShell.

2. Run one of the following commands for each domain for which you want to
disable DKIM signing.

PowerShell

$p = Get-DkimSigningConfig -Identity <Domain>

$p[0] | Set-DkimSigningConfig -Enabled $false

For example:

PowerShell

$p = Get-DkimSigningConfig -Identity contoso.com

$p[0] | Set-DkimSigningConfig -Enabled $false

Or

PowerShell

Set-DkimSigningConfig -Identity $p[<number>].Identity -Enabled $false

Where number is the index of the policy. For example:

PowerShell

Set-DkimSigningConfig -Identity $p[0].Identity -Enabled $false

Default behavior for DKIM and Microsoft 365


If you do not enable DKIM, Microsoft 365 automatically creates a 2048-bit DKIM public
key for your Microsoft Online Email Routing Address (MOERA)/initial domain and the
associated private key which we store internally in our datacenter. By default, Microsoft
365 uses a default signing configuration for domains that do not have a policy in place.
This means that if you do not set up DKIM yourself, Microsoft 365 will use its default
policy and keys it creates to enable DKIM for your domain.

Also, if you disable DKIM signing on your custom domain after enabling it, after a period
of time, Microsoft 365 will automatically apply the MOERA/initial domain policy for your
custom domain.

In the following example, suppose that DKIM for fabrikam.com was enabled by
Microsoft 365, not by the administrator of the domain. This means that the required
CNAMEs do not exist in DNS. DKIM signatures for email from this domain will look
something like this:

Console

From: Second Example <second.example@fabrikam.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
s=selector1-fabrikam-com; d=contoso.onmicrosoft.com; t=1429912795;
h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
bh=<body hash>;
b=<signed field>;

In this example, the host name and domain contain the values to which the CNAME
would point if DKIM-signing for fabrikam.com had been enabled by the domain
administrator. Eventually, every single message sent from Microsoft 365 will be
DKIM-signed. If you enable DKIM yourself, the domain will be the same as the domain in the
From: address, in this case fabrikam.com. If you don't, it will not align and instead will
use your organization's initial domain. For information about determining your initial
domain, see Domains FAQ.

Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain

Some bulk email service providers, or software-as-a-service providers, let you set up
DKIM keys for email that originates from their service. This requires coordination
between yourself and the third-party in order to set up the necessary DNS records.
Some third-party servers can have their own CNAME records with different selectors. No
two organizations do it exactly the same way. Instead, the process depends entirely on
the organization.

An example message showing a properly configured DKIM for contoso.com and
bulkemailprovider.com might look like this:

Console

Return-Path: <communication@bulkemailprovider.com>
From: <sender@contoso.com>
DKIM-Signature: s=s1024; d=contoso.com
Subject: Here is a message from Bulk Email Provider's infrastructure, but
with a DKIM signature authorized by contoso.com

In this example, in order to achieve this result:

1. Bulk Email Provider gave Contoso a public DKIM key.

2. Contoso published the DKIM key to its DNS record.

3. When sending email, Bulk Email Provider signs the message with the corresponding
private key. By doing so, Bulk Email Provider attaches the DKIM signature to the
message header.

4. Receiving email systems perform a DKIM check by authenticating the
DKIM-Signature d=<domain> value against the domain in the From: (5322.From) address
of the message. In this example, the values match:

sender@contoso.com

d=contoso.com

Identify domains that do not send email

Organizations should explicitly state if a domain does not send email by specifying
v=DKIM1; p= in the DKIM record for those domains. This advises receiving email servers
that there are no valid public keys for the domain, and any email claiming to be from
that domain should be rejected. You should do this for each domain and subdomain
using a wildcard DKIM.

For example, the DKIM record would look like this:

Console

*._domainkey.SubDomainThatShouldntSendMail.contoso.com. TXT "v=DKIM1; p="
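The receiver-side checks described in this article (the signed-message headers, the default-policy signature for fabrikam.com, the third-party d= versus From: comparison, and the empty p= record for domains that never send mail) can be walked through in code. The following is an added example, not Microsoft's code: it parses a DKIM-Signature header, builds the <selector>._domainkey.<d> lookup name, classifies the published record, and reports whether d= aligns with the From domain. ZONE, the three messages and the placeholder public keys are constructed sample data; no DNS query is made, and the organizational domain is approximated by the last two labels.

```python
"""Parse a DKIM-Signature header, derive the DNS name a receiver queries, classify
the published DKIM record, and check whether d= aligns with the From domain.

Added example; it is not Microsoft's code. ZONE and the three messages are
constructed samples built from the article's contoso.com, fabrikam.com and
bulk-mailer examples; the public keys are placeholders and no real DNS query
is made. Organizational domain is approximated by the last two labels (a real
receiver uses the public suffix list).
"""
import re
from email.utils import parseaddr


def parse_tags(value: str) -> dict:
    """Parse a tag=value list (DKIM-Signature header or DKIM TXT record).
    Folding whitespace inside values is removed; an empty value (p=) is kept as ''."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_lookup_name(sig: dict) -> str:
    """Receivers fetch the signer's public key at <s>._domainkey.<d>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def key_record_state(txt: str) -> str:
    """Classify a DKIM TXT record: 'key', 'revoked' (the article's v=DKIM1; p=), or 'invalid'."""
    rec = parse_tags(txt)
    if rec.get("v", "DKIM1") != "DKIM1" or "p" not in rec:
        return "invalid"
    return "revoked" if rec["p"] == "" else "key"


def organizational_domain(domain: str) -> str:
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(d_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment between d= and the From (5322.From) domain."""
    d, f = d_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return d == f if strict else organizational_domain(d) == organizational_domain(f)


def assess(headers: dict, zone: dict) -> dict:
    """Evaluate one message's DKIM-Signature against its From header and the zone."""
    from_domain = parseaddr(headers["From"])[1].rsplit("@", 1)[-1]
    if "DKIM-Signature" not in headers:
        return {"signed": False, "from": from_domain, "aligned": False}
    sig = parse_tags(headers["DKIM-Signature"])
    name = dkim_lookup_name(sig)
    state = key_record_state(zone[name]) if name in zone else "missing"
    return {"signed": True, "from": from_domain, "d": sig["d"], "selector": sig["s"],
            "lookup": name, "key": state, "aligned": aligned(sig["d"], from_domain)}


# Constructed DNS data; PLACEHOLDERPUBLICKEY stands in for a real base64 key
ZONE = {
    "selector1._domainkey.contoso.com": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
    "s1024._domainkey.contoso.com": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
    "selector1-fabrikam-com._domainkey.contoso.onmicrosoft.com": "v=DKIM1; p=PLACEHOLDERPUBLICKEY",
    "*._domainkey.parked.contoso.com": "v=DKIM1; p=",   # domain that never sends mail
}

# The article's messages, reduced to the two headers that matter here
SIGNED_BY_OWN_DOMAIN = {
    "From": "Example User <example@contoso.com>",
    "DKIM-Signature": "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=selector1; "
                      "d=contoso.com; t=1429912795; h=From:To:Subject; bh=<body hash>; b=<signed field>;",
}
SIGNED_BY_DEFAULT_POLICY = {   # DKIM left to Microsoft 365's default for fabrikam.com
    "From": "Second Example <second.example@fabrikam.com>",
    "DKIM-Signature": "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=selector1-fabrikam-com; "
                      "d=contoso.onmicrosoft.com; t=1429912795; h=From:To:Subject; bh=<body hash>; b=<signed field>;",
}
SIGNED_BY_BULK_MAILER = {      # third party signing with a key contoso.com published
    "From": "<sender@contoso.com>",
    "DKIM-Signature": "v=1; a=rsa-sha256; s=s1024; d=contoso.com; bh=<body hash>; b=<signed field>;",
}

if __name__ == "__main__":
    for msg in (SIGNED_BY_OWN_DOMAIN, SIGNED_BY_DEFAULT_POLICY, SIGNED_BY_BULK_MAILER):
        print(assess(msg, ZONE))
    print(key_record_state(ZONE["*._domainkey.parked.contoso.com"]))
```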

Next steps: After you set up DKIM for Microsoft 365

Although DKIM is designed to help prevent spoofing, DKIM works better with SPF
and DMARC.

Once you have set up DKIM, if you have not already set up SPF you should do so. For a
quick introduction to SPF and to get it configured quickly, see Set up SPF in Microsoft
365 to help prevent spoofing. For a more in-depth understanding of how Microsoft 365
uses SPF, or for troubleshooting or non-standard deployments such as hybrid
deployments, start with How Microsoft 365 uses Sender Policy Framework (SPF) to
prevent spoofing.

Next, see Use DMARC to validate email. Anti-spam message headers includes the
syntax and header fields used by Microsoft 365 for DKIM checks.

This test will validate that the DKIM signing configuration has been configured
correctly, and that the proper DNS entries have been published.

Note

This feature requires a Microsoft 365 administrator account. This feature isn't
available for Microsoft 365 Government, Microsoft 365 operated by 21Vianet, or
Microsoft 365 Germany.

Run Tests: DKIM


More information
Key rotation via PowerShell: Rotate-DkimSigningConfig

Use DMARC to validate email

Use trusted ARC Senders for legitimate mailflows


Use DMARC to validate email
Article • 12/10/2022 • 15 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Domain-based Message Authentication, Reporting, and Conformance (DMARC) works
with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to
authenticate mail senders.

DMARC ensures the destination email systems trust messages sent from your domain.
Using DMARC with SPF and DKIM gives organizations more protection against spoofing
and phishing email. DMARC helps receiving mail systems decide what to do with
messages from your domain that fail SPF or DKIM checks.

Tip

Visit the Microsoft Intelligent Security Association (MISA) catalog to view third-
party vendors offering DMARC reporting for Microsoft 365.

Tip

Have you seen our step-by-step guides? Configuration 1-2-3s and no frills, for
admins in a hurry. See the guide for the steps to enable DMARC reporting for Microsoft
Online Email Routing Addresses (MOERA) and parked domains.

How do SPF and DMARC work together to protect email in Microsoft 365?

An email message may contain multiple originator or sender addresses. These addresses
are used for different purposes. For example, consider these addresses:

"Mail From" address: Identifies the sender and says where to send return notices if
any problems occur with the delivery of the message (such as non-delivery
notices). Mail From address appears in the envelope portion of an email message
and isn't displayed by your email application, and is sometimes called the
5321.MailFrom address or the reverse-path address.

"From" address: The address displayed as the From address by your mail
application. From address identifies the author of the email. That is, the mailbox of
the person or system responsible for writing the message. The From address is
sometimes called the 5322.From address.

SPF uses a DNS TXT record to list authorized sending IP addresses for a given domain.
Normally, SPF checks are only performed against the 5321.MailFrom address. The
5322.From address isn't authenticated when you use SPF by itself, which allows for a
scenario where a user gets a message that passed SPF checks but has a spoofed
5322.From sender address. For example, consider this SMTP transcript:

Console

S: Helo woodgrovebank.com
S: Mail from: phish@phishing.contoso.com
S: Rcpt to: astobes@tailspintoys.com
S: data
S: To: "Andrew Stobes" <astobes@tailspintoys.com>
S: From: "Woodgrove Bank Security" <security@woodgrovebank.com>
S: Subject: Woodgrove Bank - Action required
S:
S: Greetings User,
S:
S: We need to verify your banking details.
S: Please click the following link to verify that Microsoft has the right
information for your account.
S:
S: https://short.url/woodgrovebank/updateaccount/12-121.aspx
S:
S: Thank you,
S: Woodgrove Bank
S: .

In this transcript, the sender addresses are as follows:

Mail from address (5321.MailFrom): phish@phishing.contoso.com

From address (5322.From): security@woodgrovebank.com

If you configured SPF, then the receiving server does a check against the Mail from
address phish@phishing.contoso.com. If the message came from a valid source for the
domain phishing.contoso.com, then the SPF check passes. Since the email client only
displays the From address, the user sees this message came from
security@woodgrovebank.com. With SPF alone, the validity of woodgrovebank.com was
never authenticated.

When you use DMARC, the receiving server also performs a check against the From
address. In the example above, if there's a DMARC TXT record in place for
woodgrovebank.com, then the check against the From address fails.

What is a DMARC TXT record?


Like the DNS records for SPF, the record for DMARC is a DNS text (TXT) record that
helps prevent spoofing and phishing. You publish DMARC TXT records in DNS. DMARC
TXT records validate the origin of email messages by verifying the IP address of an
email's author against the alleged owner of the sending domain. The DMARC TXT
record identifies authorized outbound email servers. Destination email systems can then
verify that messages they receive originate from authorized outbound email servers.

Microsoft's DMARC TXT record looks something like this:

Console

_dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:d@rua.contoso.com; ruf=mailto:d@ruf.contoso.com; fo=1"

For more third-party vendors who offer DMARC reporting for Microsoft 365, visit the
MISA catalog.

Set up DMARC for inbound mail


You don't have to do a thing to set up DMARC for mail that you receive in Microsoft
365. It's all taken care of. If you want to learn what happens to mail that fails to pass our
DMARC checks, see How Microsoft 365 handles inbound email that fails DMARC.

Set up DMARC for outbound mail from Microsoft 365

If you use Microsoft 365 but you aren't using a custom domain (you use
onmicrosoft.com), SPF is already set up for you and Microsoft 365 automatically
generates a DKIM signature for your outgoing mail (for more information about this
signature, see Default behavior for DKIM and Microsoft 365). To set up DMARC for your
organization, you need to Form the DMARC TXT record for the onmicrosoft.com domain
and publish it to DNS via Office 365 Admin Center > Settings > Domains > click on
onmicrosoft.com domain > Add record.

If you have a custom domain or are using on-premises Exchange servers along with
Microsoft 365, you need to manually set up DMARC for your outbound mail. Setting up
DMARC for your custom domain includes these steps:

Step 1: Identify valid sources of mail for your domain

Step 2: Set up SPF for your domain

Step 3: Set up DKIM for your custom domain

Step 4: Form the DMARC TXT record for your domain

Step 1: Identify valid sources of mail for your domain


If you have already set up SPF, then you've already gone through this exercise. There are
some further considerations for DMARC. When identifying sources of mail for your
domain, answer these two questions:

What IP addresses send messages from my domain?

For mail sent from third parties on my behalf, will the 5321.MailFrom and
5322.From domains match?

Step 2: Set up SPF for your domain


Now that you have a list of all your valid senders you can follow the steps to Set up SPF
to help prevent spoofing.

For example, assuming contoso.com sends mail from Exchange Online, an on-premises
Exchange server whose IP address is 192.168.0.1, and a web application whose IP
address is 192.168.100.100, the SPF TXT record would look like this:

Console

contoso.com IN TXT "v=spf1 ip4:192.168.0.1 ip4:192.168.100.100 include:spf.protection.outlook.com -all"

As a best practice, ensure that your SPF TXT record takes into account third-party
senders.

Step 3: Set up DKIM for your custom domain


Once you've set up SPF, you need to set up DKIM. DKIM lets you add a digital signature
to email messages in the message header. If you don't set up DKIM and instead allow
Microsoft 365 to use the default DKIM configuration for your domain, DMARC may fail.
This failure can happen because the default DKIM configuration uses your original
onmicrosoft.com domain as the 5321.MailFrom address, not your custom domain. This
creates a mismatch between the 5321.MailFrom and the 5322.From addresses in all the
email sent from your domain.

If you have third-party senders that send mail on your behalf and the mail they send has
mismatched 5321.MailFrom and 5322.From addresses, DMARC will fail for that email. To
avoid this, you need to set up DKIM for your domain specifically with that third-party
sender. This allows Microsoft 365 to authenticate email from this 3rd-party service.
However, it also allows others, for example, Yahoo, Gmail, and Comcast, to verify email
sent to them by the third-party as if it was email sent by you. This is beneficial because it
allows your customers to build trust with your domain no matter where their mailbox is
located, and at the same time Microsoft 365 won't mark a message as spam due to
spoofing because it passes authentication checks for your domain.

For instructions on setting up DKIM for your domain, including how to set up DKIM for
third-party senders so they can spoof your domain, see Use DKIM to validate outbound
email sent from your custom domain.

Step 4: Form the DMARC TXT record for your domain


Although there are other syntax options that aren't mentioned here, these are the most
commonly used options for Microsoft 365. Form the DMARC TXT record for your
domain in the format:

Console

_dmarc.domain TTL IN TXT "v=DMARC1; p=policy; pct=100"

Where:

domain is the domain you want to protect. By default, the record protects mail
from the domain and all subdomains. For example, if you specify
_dmarc.contoso.com, then DMARC protects mail from the domain and all
subdomains, such as housewares.contoso.com or plumbing.contoso.com.

TTL should always be the equivalent of one hour. The unit used for TTL, either
hours (1 hour), minutes (60 minutes), or seconds (3600 seconds), will vary
depending on the registrar for your domain.

pct=100 indicates that this rule should be used for 100% of email.

policy specifies what policy you want the receiving server to follow if DMARC fails.
You can set the policy to none, quarantine, or reject.

For information about which options to use, become familiar with the concepts in Best
practices for implementing DMARC in Microsoft 365.

Examples:

Policy set to none

Console

_dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=none"

Policy set to quarantine

Console

_dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=quarantine"

Policy set to reject

Console

_dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=reject"

Once you've formed your record, you need to update the record at your domain
registrar.

DMARC Mail (Public Preview feature)

Caution

Mails may not be sent out daily, and the report itself may change during public
preview. The DMARC aggregate report emails can be expected from the Consumer
accounts (such as hotmail.com, outlook.com, or live.com accounts).

In this example DMARC TXT record:

_dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1"

you can see the rua address, in this case processed by the third-party company Agari. This
address is used to send 'aggregate feedback' for analysis, which is used to generate
a report.

Tip

Visit the MISA catalog to view more third-party vendors offering DMARC
reporting for Microsoft 365. See IETF.org's 'Domain-based Message
Authentication, Reporting, and Conformance (DMARC)' for more information
on DMARC 'rua' addresses.

Best practices for implementing DMARC in Microsoft 365

You can implement DMARC gradually without impacting the rest of your mail flow.
Create and implement a roll-out plan that follows these steps. Do each of these steps
first with a sub-domain, then other sub-domains, and finally with the top-level domain
in your organization before moving on to the next step.

1. Monitor the impact of implementing DMARC

Start with a simple monitoring-mode record for a sub-domain or domain that
requests that DMARC receivers send you statistics about messages that they see
using that domain. A monitoring-mode record is a DMARC TXT record that has its
policy set to none (p=none). Many companies publish a DMARC TXT record with
p=none because they're unsure about how much email they may lose by
publishing a more restrictive DMARC policy.

You can do this even before you've implemented SPF or DKIM in your messaging
infrastructure. However, you won't be able to effectively quarantine or reject mail
by using DMARC until you also implement SPF and DKIM. As you introduce SPF
and DKIM, the reports generated through DMARC will give the numbers and
sources of messages that pass these checks, versus those that don't. You can easily
see how much of your legitimate traffic is or isn't covered by them, and
troubleshoot any problems. You'll also begin to see how many fraudulent
messages are being sent, and where they're sent from.

2. Request that external mail systems quarantine mail that fails DMARC

When you believe that all or most of your legitimate traffic is protected by SPF and
DKIM, and you understand the impact of implementing DMARC, you can
implement a quarantine policy. A quarantine policy is a DMARC TXT record that
has its policy set to quarantine (p=quarantine). By doing this, you're asking
DMARC receivers to put messages from your domain that fail DMARC into the
local equivalent of a spam folder instead of your customers' inboxes.

3. Request that external mail systems not accept messages that fail DMARC

The final step is implementing a reject policy. A reject policy is a DMARC TXT
record that has its policy set to reject (p=reject). When you do this, you're asking
DMARC receivers not to accept messages that fail the DMARC checks.

4. How to set up DMARC for a subdomain

DMARC is implemented by publishing a policy as a TXT record in DNS and is
hierarchical (for example, a policy published for contoso.com applies to
sub.domain.contoso.com unless a different policy is explicitly published for the
subdomain). This is useful because organizations can publish a small number of
high-level DMARC records for wide coverage. Take care to publish explicit
subdomain DMARC records wherever you don't want a subdomain to inherit the
top-level domain's DMARC record.

You can also cover every subdomain that has no DMARC record of its own with a
subdomain policy (the sp tag). This is useful when subdomains shouldn't be
sending email at all: add sp=reject to the top-level record so that mail claiming
to come from any such subdomain is rejected. For example:

text

_dmarc.contoso.com. TXT "v=DMARC1; p=reject; sp=reject; ruf=mailto:authfail@contoso.com; rua=mailto:aggrep@contoso.com"
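As an added example (not part of the original article), the following Python resolves the effective DMARC policy for a From: domain the way a receiver does, including the subdomain inheritance and sp= behaviour described above. The zone data is constructed for the example; a real implementation would query DNS for _dmarc.<domain> and would use the Public Suffix List to find the organizational domain instead of walking up one label at a time, which is a simplification made here.

```python
from typing import Dict, Optional

# Constructed zone data standing in for DNS TXT lookups (example only).
ZONE = {
    "_dmarc.contoso.com": "v=DMARC1; p=reject; sp=reject; "
                          "ruf=mailto:authfail@contoso.com; rua=mailto:aggrep@contoso.com",
    "_dmarc.marketing.contoso.com": "v=DMARC1; p=none; rua=mailto:aggrep@contoso.com",
    "_dmarc.fabrikam.com": "v=DMARC1; p=quarantine; pct=50",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict (tags lowercased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup(domain: str) -> Optional[Dict[str, str]]:
    """Return the parsed record at _dmarc.<domain>, or None if absent or not v=DMARC1."""
    record = ZONE.get("_dmarc." + domain.lower())
    if record is None:
        return None
    tags = parse_dmarc(record)
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def effective_policy(header_from_domain: str) -> Dict[str, object]:
    """
    Decide which record governs the From: domain and which policy to apply.

    A record published directly at the domain wins and its p= applies.
    Otherwise the nearest parent record applies; for subdomains, that parent's
    sp= tag governs if present, falling back to its p= tag.
    Simplification (assumption): walks up one label at a time instead of
    locating the organizational domain via the Public Suffix List.
    """
    tags = lookup(header_from_domain)
    if tags is not None:
        return {"record_at": header_from_domain, "policy": tags.get("p", "none"), "tags": tags}

    labels = header_from_domain.lower().split(".")
    for i in range(1, len(labels) - 1):          # never treat the TLD as a record holder
        parent = ".".join(labels[i:])
        tags = lookup(parent)
        if tags is not None:
            return {"record_at": parent, "policy": tags.get("sp", tags.get("p", "none")), "tags": tags}

    return {"record_at": None, "policy": "none", "tags": {}}


if __name__ == "__main__":
    for domain in ("sub.domain.contoso.com", "marketing.contoso.com",
                   "news.fabrikam.com", "nobody.example.com"):
        result = effective_policy(domain)
        print(f"{domain:28} -> {result['policy']:10} (record at {result['record_at']})")
```

Running it shows that sub.domain.contoso.com inherits reject from the contoso.com sp tag, marketing.contoso.com keeps its own p=none, and news.fabrikam.com falls back to fabrikam.com's p=quarantine because that record has no sp tag.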

How Microsoft 365 handles outbound email that fails DMARC

If a message is outbound from Microsoft 365 and fails DMARC, and you have set the
policy to p=quarantine or p=reject, the message is routed through the High-risk
delivery pool for outbound messages. There's no override for outbound email.

If you publish a DMARC reject policy (p=reject), no other customer in Microsoft 365 can
spoof your domain, because messages relayed outbound through the service won't be
able to pass SPF or DKIM for your domain. However, if you publish a DMARC reject
policy but don't have all of your email authenticated through Microsoft 365, some of
it may be marked as spam for inbound email (as described above), or it will be
rejected if you don't publish SPF and try to relay it outbound through the service.
This happens, for example, if you forget to include some of the IP addresses for
servers and apps that send mail on behalf of your domain when you form your SPF TXT
record.

How Microsoft 365 handles inbound email that fails DMARC

If the DMARC policy of the sending domain is p=reject, Exchange Online Protection
(EOP) marks the message as spoof instead of rejecting it. In other words, for inbound
email, Microsoft 365 treats p=reject and p=quarantine the same way. Admins can
define the action to take on messages classified as spoof within the anti-phishing policy.

Microsoft 365 is configured like this because some legitimate email may fail DMARC. For
example, a message might fail DMARC if it's sent to a mailing list that then relays the
message to all list participants. If Microsoft 365 rejected these messages, people could
lose legitimate email and have no way to retrieve it. Instead, these messages will still fail
DMARC but they'll be marked as spam and not rejected. If desired, users can still get
these messages in their inbox through these methods:

Users add safe senders individually by using their email client.

Admins can use the spoof intelligence insight or the Tenant Allow/Block List to
allow messages from the spoofed sender.

Admins create an Exchange mail flow rule (also known as a transport rule) for all
users that allows messages for those particular senders.

For more information, see Create safe sender lists.

How Microsoft 365 utilizes Authenticated Received Chain (ARC)

All hosted mailboxes in Microsoft 365 gain the benefit of ARC, with improved
deliverability of messages and enhanced anti-spoofing protection. ARC preserves the
email authentication results from all participating intermediaries, or hops, when an email
is routed from the originating server to the recipient mailbox. Before ARC, modifications
performed by intermediaries in email routing, like forwarding rules or automatic
signatures, could cause DMARC failures by the time the email reached the recipient
mailbox. With ARC, the cryptographic preservation of the authentication results allows
Microsoft 365 to verify the authenticity of an email's sender.

Microsoft 365 currently utilizes ARC to verify authentication results when Microsoft is
the ARC sealer, and plans to add support for third-party ARC sealers in the future.

Troubleshooting your DMARC implementation

If your domain's MX records are configured so that EOP isn't the first entry, EOP can't
enforce DMARC for your domain, because it isn't the server that receives mail from the
internet.

If your domain's primary MX record doesn't point to EOP, you won't get the benefits of
DMARC enforcement from EOP. For example, DMARC enforcement in EOP won't work if
you point the MX record to your on-premises mail server and then route email to EOP
by using a connector. In this scenario, the receiving domain is one of your accepted
domains but EOP isn't the primary MX. For example, suppose contoso.com points its MX
at itself and uses EOP as a secondary MX record; contoso.com's MX records look like the
following:

Console

contoso.com 3600 IN MX 0 mail.contoso.com
contoso.com 3600 IN MX 10 contoso-com.mail.protection.outlook.com

All, or most, email is first routed to mail.contoso.com because it's the primary MX, and
is only then routed to EOP. In some cases, you might not even list EOP as an MX record
at all and simply hook up connectors to route your email. EOP doesn't have to be the
first entry for DMARC validation to be done somewhere; making it the first entry just
ensures that the validation is done by EOP, so otherwise you must be certain that all
on-premises or non-Office 365 servers that receive from the internet do DMARC checks.
Publishing the DMARC TXT record makes your domain (not a server) eligible for
enforcement, but it's up to the receiving server to actually do the enforcement. If EOP
is the receiving server, then EOP does the DMARC enforcement.
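The check described above can be automated. This is an added example, not code from the article: it parses MX records in the zone-file form shown and reports whether every lowest-preference MX host is an EOP endpoint (the mail.protection.outlook.com suffix is the real EOP naming convention; the zone text is constructed for the example).

```python
from typing import List, Tuple

# Hosts under this suffix are EOP (Exchange Online Protection) inbound endpoints.
EOP_SUFFIX = ".mail.protection.outlook.com"

# Constructed zone lines in the same form as the records shown above.
CONTOSO_MX = """\
contoso.com 3600 IN MX 0 mail.contoso.com
contoso.com 3600 IN MX 10 contoso-com.mail.protection.outlook.com
"""

FIXED_MX = """\
contoso.com 3600 IN MX 0 contoso-com.mail.protection.outlook.com
"""


def parse_mx(zone_text: str) -> List[Tuple[int, str]]:
    """Parse '<name> <ttl> IN MX <pref> <host>' lines into (preference, host), lowest first."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[2].upper() == "IN" and fields[3].upper() == "MX":
            records.append((int(fields[4]), fields[5].rstrip(".").lower()))
    return sorted(records)


def eop_is_primary_mx(zone_text: str) -> bool:
    """True only if every lowest-preference MX host is an EOP endpoint."""
    records = parse_mx(zone_text)
    if not records:
        return False
    lowest = records[0][0]
    primaries = [host for pref, host in records if pref == lowest]
    return all(host.endswith(EOP_SUFFIX) for host in primaries)


if __name__ == "__main__":
    for label, zone in (("as published above", CONTOSO_MX), ("EOP as primary", FIXED_MX)):
        status = "EOP enforces DMARC" if eop_is_primary_mx(zone) else "EOP is NOT the primary MX"
        print(f"{label}: {status}")
```

A domain with several equal lowest-preference MX hosts is only reported as healthy if all of them are EOP, since mail can arrive at any of them.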

For more information

Want more information about DMARC? These resources can help.

Anti-spam message headers includes the syntax and header fields used by
Microsoft 365 for DMARC checks.

Take the DMARC Training Series from M3AAWG (Messaging, Malware, Mobile
Anti-Abuse Working Group).

Use the checklist at dmarcian.

Go directly to the source at DMARC.org.

See also
How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing

Set up SPF in Microsoft 365 to help prevent spoofing

Use DKIM to validate outbound email sent from your custom domain in Microsoft
365

Use trusted ARC Senders for legitimate mailflows


Make a list of trusted ARC Senders to
trust legitimate indirect mailflows
Article • 12/08/2022 • 4 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Email authentication mechanisms like SPF, DKIM, and DMARC are used to verify the senders
of email for the safety of recipients, but some legitimate services may make
changes to the email between the sender and recipient. In Microsoft 365 Defender,
ARC helps reduce SPF, DKIM, and DMARC delivery failures that happen because of
legitimate indirect mail flows.

Authenticated Received Chain (ARC) in Microsoft 365 Defender for Office

Services that modify message content in transit before delivery to your organization can
invalidate DKIM email signatures and affect authentication of the message. When these
intermediary services perform such actions, they can use ARC to record the
original authentication results from before the modifications occurred. Your organization
can then trust these details to help with authenticating the message.

Trusted ARC sealers lets admins add a list of trusted intermediaries in the Microsoft
365 Defender portal. Microsoft then honors ARC signatures from these trusted
intermediaries, preventing these legitimate messages from failing the
authentication chain.

Note

Trusted ARC sealers is an admin-created list of intermediary domains that have
implemented ARC sealing. When an email is routed to Office 365 through an ARC
trusted intermediary of the Office 365 tenant, Microsoft validates the ARC
signature, and, based on the ARC results, can honor the authentication details
provided.

When to use trusted ARC sealers

A list of trusted ARC sealers is only needed where intermediaries are part of an
organization's email flow and:

1. May modify the email header or email contents.
2. May cause authentication to fail for other reasons (for example, by removing
attachments).

By adding a trusted ARC sealer, you tell Office 365 to validate and trust the
authentication results that the sealer provides when delivering mail to your tenant in
Office 365.

Administrators should add only legitimate services as trusted ARC sealers. Adding
only services the organization expressly uses and knows helps messages that must
first go through a service to pass email authentication checks, and prevents legitimate
messages from being sent to Junk because of authentication failures.

Steps to add a trusted ARC sealer to Microsoft 365 Defender

Trusted ARC sealers in the Microsoft 365 Defender portal shows all the ARC sealers
acknowledged by and added to your tenant.

To add a new trusted ARC sealer in the Microsoft 365 Defender portal:

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Email
Authentication Settings in the Rules section > ARC. To go directly to the ARC
page, use the email authentication settings link.

2. If this is the first time you've added a trusted ARC sealer, click the Add button.

3. Add trusted ARC sealers in the textbox shown.

a. Notice that you're adding domains (for example, fabrikam.com).
b. The domain name you enter here must match the domain shown in the
'd' tag of the ARC-Seal and ARC-Message-Signature headers of the message.
c. You can see these headers in the properties of the message in Outlook.

Steps to validate your trusted ARC sealer

If there's an ARC seal from a third party before the message reaches Microsoft 365
Defender, check the headers once the email is received and view the latest ARC
headers.

In the last ARC-Authentication-Results header, check whether ARC validation is listed as
pass.

An arc=pass result whose details include oda=1 indicates that the previous ARC set
was verified, the previous ARC sealer is trusted, and the previous pass result can be
used to override the current DMARC failure.

An ARC pass header showing oda=1

See the email authentication methods at the end of this header block for the oda result.

ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 40.107.65.78) smtp.rcpttodomain=microsoft.com
 smtp.mailfrom=sampledoamin.onmicrosoft.com; dmarc=bestguesspass action=none
 header.from=sampledoamin.onmicrosoft.com; dkim=none (message not signed); arc=pass
 (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=sampledoamin.onmicrosoft.com]
 dkim=[1,1,header.d=sampledoamin.onmicrosoft.com]
 dmarc=[1,1,header.from=sampledoamin.onmicrosoft.com])

To check whether the ARC result was used to override a DMARC failure, look for a
compauth result of pass and a reason of 130 in the Authentication-Results header.

See the last entries in this header block to find compauth and reason.

Authentication-Results: spf=fail (sender IP is 51.163.158.241)
 smtp.mailfrom=contoso.com; dkim=fail (body hash did not verify)
 header.d=contoso.com;dmarc=fail action=none header.from=contoso.com;compauth=pass
 reason=130
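The validation steps above (the d= tag of the intermediary's ARC-Seal and ARC-Message-Signature matching your trusted sealer list, arc=pass with oda=1 in the last ARC-Authentication-Results, and compauth=pass reason=130 in Authentication-Results) can be run against a saved header block. This is an added example, not part of the article or of Microsoft's tooling. The headers are constructed from the samples shown, with placeholder signature values and no signature verification; the assumption that the highest i is Microsoft's own ARC set and that the set just before it is the intermediary being honoured is the example's own.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed message headers modelled on the samples above: fabrikam.com
# (i=1) is the third-party intermediary and Microsoft (i=2) sealed last.
# Signature values are placeholders; nothing here verifies a signature.
RAW_HEADERS = """\
Authentication-Results: spf=fail (sender IP is 51.163.158.241)
 smtp.mailfrom=contoso.com; dkim=fail (body hash did not verify)
 header.d=contoso.com;dmarc=fail action=none header.from=contoso.com;compauth=pass
 reason=130
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=cGxhY2Vob2xkZXI=
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901; h=From:To:Subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 40.107.65.78) smtp.rcpttodomain=microsoft.com smtp.mailfrom=contoso.com;
 dmarc=pass action=none header.from=contoso.com; dkim=none (message not signed);
 arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=contoso.com]
 dkim=[1,1,header.d=contoso.com] dmarc=[1,1,header.from=contoso.com])
ARC-Seal: i=1; a=rsa-sha256; s=sel1; d=fabrikam.com; cv=none; b=cGxhY2Vob2xkZXI=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=fabrikam.com;
 s=sel1; h=From:To:Subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=
ARC-Authentication-Results: i=1; mx.fabrikam.com; spf=pass smtp.mailfrom=contoso.com;
 dkim=pass header.d=contoso.com; dmarc=pass header.from=contoso.com
"""

ARC_NAMES = ("arc-seal", "arc-message-signature", "arc-authentication-results")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|arc|compauth)=(\w+)")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 5322 folded lines; returns (lowercased name, value) in order."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def tags_of(value: str) -> Dict[str, str]:
    """Parse DKIM/ARC 'tag=value; tag=value' syntax (first '=' splits each tag)."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags


def auth_results(value: str) -> Dict[str, str]:
    """Extract method=result pairs from an (ARC-)Authentication-Results value."""
    return {m.group(1): m.group(2) for m in AUTH_RE.finditer(value)}


def arc_chain(headers: Iterable[Tuple[str, str]]) -> Dict[int, Dict[str, str]]:
    """Group the three ARC headers by instance number i."""
    chain: Dict[int, Dict[str, str]] = {}
    for name, value in headers:
        if name not in ARC_NAMES:
            continue
        tags = tags_of(value)
        entry = chain.setdefault(int(tags.get("i", "0")), {})
        if name == "arc-seal":
            entry["seal_d"], entry["cv"] = tags.get("d", ""), tags.get("cv", "")
        elif name == "arc-message-signature":
            entry["ams_d"] = tags.get("d", "")
        else:
            entry["aar"] = value
    return chain


def evaluate(raw: str, trusted_sealers: Iterable[str]) -> Dict[str, object]:
    """
    Apply the checks from the text: arc=pass with oda=1 in the last
    ARC-Authentication-Results, the prior sealer's d= tag on the trusted list
    (and equal in ARC-Seal and ARC-Message-Signature), and compauth=pass
    reason=130 showing the DMARC failure was overridden.
    Assumption: the highest i is Microsoft's own set and the set before it is
    the intermediary whose results are being honoured.
    """
    headers = unfold_headers(raw)
    chain = arc_chain(headers)
    if not chain:
        return {"arc_present": False}
    last_i = max(chain)
    last_aar = chain[last_i].get("aar", "")
    oda = re.search(r"\boda=(\d)", last_aar)
    prev = chain.get(last_i - 1, {})
    sealer = prev.get("seal_d", "")
    trusted = {d.lower() for d in trusted_sealers}
    top = next((v for n, v in headers if n == "authentication-results"), "")
    top_results = auth_results(top)
    reason = re.search(r"\breason=(\d+)", top)
    return {
        "arc_present": True,
        "last_i": last_i,
        "arc_pass": auth_results(last_aar).get("arc") == "pass",
        "oda": bool(oda) and oda.group(1) == "1",
        "sealer": sealer,
        "sealer_trusted": bool(sealer) and sealer == prev.get("ams_d") and sealer.lower() in trusted,
        "dmarc_overridden": top_results.get("dmarc") == "fail"
                            and top_results.get("compauth") == "pass"
                            and bool(reason) and reason.group(1) == "130",
    }


if __name__ == "__main__":
    for key, val in evaluate(RAW_HEADERS, ["fabrikam.com"]).items():
        print(f"{key:17} {val}")
```

With fabrikam.com on the trusted list every check passes; replacing the list with a different domain flips sealer_trusted to False while the arc=pass and oda=1 observations remain, which is the pattern to expect when an unknown intermediary is sealing mail into your tenant.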

PowerShell steps to add or remove a trusted ARC sealer

Admins can also set up ARC configurations with Exchange Online PowerShell.

1. Connect to Exchange Online PowerShell by running Connect-ExchangeOnline.

2. To add or update the trusted ARC sealers (a comma-separated list of ARC signing
domains, shown here with example domains):

PowerShell

Set-ArcConfig -Identity Default -ArcTrustedSealers "fabrikam.com,wingtiptoys.com"

or

Set-ArcConfig -Identity "<tenant name or tenant ID>\Default" -ArcTrustedSealers "fabrikam.com,wingtiptoys.com"

You need to provide the -Identity parameter when running Set-ArcConfig. Each trusted
sealer must match the value of the 'd' tag in the intermediary's ARC-Seal header.

3. View the trusted ARC sealers:

PowerShell

Get-ArcConfig

or

Get-ArcConfig -Organization "<tenant name>"

Trusted ARC sealer mailflow graphics

These diagrams contrast mailflow operations with and without a trusted ARC sealer,
when using any of SPF, DKIM, and DMARC email authentication. In both graphics, there
are legitimate services used by the company that must intervene in mailflow, sometimes
violating email authentication standards by changing sending IPs and writing to the
email header. In the first case, the indirect mailflow traffic demonstrates the result
before admins add a trusted ARC sealer.

Here, you see the same organization after using the ability to create a trusted
ARC sealer.

Next steps: After you set up ARC for Microsoft 365 Defender for Office

After setup, check your ARC headers with the Message Header Analyzer.

Review the SPF, DKIM, and DMARC configuration steps.

Configuration analyzer for protection
policies in EOP and Microsoft Defender
for Office 365
Article • 12/22/2022 • 5 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Configuration analyzer in the Microsoft 365 Defender portal provides a central location
to find and fix security policies where the settings are below the Standard protection
and Strict protection profile settings in preset security policies.

The following types of policies are analyzed by the configuration analyzer:

Exchange Online Protection (EOP) policies: This includes Microsoft 365
organizations with Exchange Online mailboxes and standalone EOP organizations
without Exchange Online mailboxes:
  Anti-spam policies.
  Anti-malware policies.
  EOP anti-phishing policies.

Microsoft Defender for Office 365 policies: This includes organizations with
Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:
  Anti-phishing policies in Microsoft Defender for Office 365, which include:
    The same spoof settings that are available in the EOP anti-phishing policies.
    Impersonation settings.
    Advanced phishing thresholds.
  Safe Links policies.
  Safe Attachments policies.

The Standard and Strict policy setting values that are used as baselines are described in
Recommended settings for EOP and Microsoft Defender for Office 365 security.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the Configuration analyzer page, use
https://security.microsoft.com/configurationAnalyzer.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

You need to be assigned permissions in the Microsoft 365 Defender portal before
you can do the procedures in this article:
  To use the configuration analyzer and make updates to security policies, you
  need to be a member of the Organization Management or Security
  Administrator role groups.
  For read-only access to the configuration analyzer, you need to be a member of
  the Global Reader or Security Reader role groups.

For more information, see Permissions in the Microsoft 365 Defender portal.

Note

Adding users to the corresponding Azure Active Directory role gives users
the required permissions in the Microsoft 365 Defender portal and
permissions for other features in Microsoft 365. For more information, see
About admin roles.

The View-Only Organization Management role group in Exchange Online
also gives read-only access to the feature.

Use the configuration analyzer in the Microsoft 365 Defender portal

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email &
Collaboration > Policies & Rules > Threat policies > Configuration analyzer in the
Templated policies section. To go directly to the Configuration analyzer page, use
https://security.microsoft.com/configurationAnalyzer.

The Configuration analyzer page has three main tabs:

Standard recommendations: Compare your existing security policies to the
Standard recommendations. You can adjust your settings values to bring them up
to the same level as Standard.
Strict recommendations: Compare your existing security policies to the Strict
recommendations. You can adjust your settings values to bring them up to the
same level as Strict.
Configuration drift analysis and history: Audit and track policy changes over time.

Standard recommendations and Strict recommendations tabs in the configuration analyzer

By default, the configuration analyzer opens on the Standard recommendations tab.
You can switch to the Strict recommendations tab. The settings, layout, and actions are
the same on both tabs.

The first section of the tab displays the number of settings in each type of policy that
need improvement as compared to Standard or Strict protection. The types of policies
are:

Anti-spam
Anti-phishing
Anti-malware
Safe Attachments (if your subscription includes Microsoft Defender for Office 365)
Safe Links (if your subscription includes Microsoft Defender for Office 365)

If a policy type and number isn't shown, then all of your policies of that type meet the
recommended settings of Standard or Strict protection.
The rest of the tab is the table of settings that need to be brought up to the level
Standard or Strict protection. The table contains the following columns:

Recommendations: The value of the setting in the Standard or Strict protection
profile.
Policy: The name of the affected policy that contains the setting.
Policy group/setting name: The name of the setting that requires your attention.
Policy type: Anti-spam, Anti-phishing, Anti-malware, Safe Links, or Safe
Attachments.
Current configuration: The current value of the setting.
Last modified: The date that the policy was last modified.
Status: Typically, this value is Not started.

Change a policy setting to the recommended value

On the Standard recommendations or Strict recommendations tab of the configuration
analyzer, select a row in the table. The following buttons appear:

Apply recommendation
View policy
Refresh

If you select a row and click Apply recommendation, a confirmation dialog (with the
option to not show the dialog again) appears. If you click OK, the following things
happen:

The setting is updated to the recommended value.
The Apply recommendation and View policy buttons disappear (only the Refresh button
remains).
The Status value for the row changes to Complete.

If you select a row and click View policy, you're taken to the details flyout of the affected
policy in the Microsoft 365 Defender portal, where you can manually update the setting.

After you automatically or manually update the setting, click Refresh to see the reduced
number of recommendations and the removal of the updated row from the results.

Configuration drift analysis and history tab in the configuration analyzer

This tab allows you to track the changes that have been made to your security policies
and how those changes compare to the Standard or Strict settings. By default, the
following information is displayed:

Last modified
Modified by
Setting Name
Policy: The name of the affected policy.
Type: Anti-spam, Anti-phishing, Anti-malware, Safe Links, or Safe Attachments.
Configuration change: The old value and the new value of the setting
Configuration drift: The value Increase or Decrease that indicates the setting
increased or decreased security compared to the recommended Standard or Strict
setting.

To filter the results, click Filter. In the Filters flyout that appears, you can select from the
following filters:

Start time and End time (date): You can go back as far as 90 days from today.
Standard protection or Strict protection

When you're finished, click Apply.

To export the results to a .csv file, click Export.

To filter the results by a specific Modified by, Setting name, or Type value, use the
Search box.


Preset security policies in EOP and
Microsoft Defender for Office 365
Article • 12/22/2022 • 24 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Preset security policies provide a centralized location for applying all of the
recommended spam, malware, and phishing policies to users at once. The policy
settings are not configurable. Instead, they are set by us and are based on our
observations and experiences in the datacenters for a balance between keeping harmful
content away from users and avoiding unnecessary disruptions.

The rest of this article describes preset security policies and how to configure them.

What preset security policies are made of

Preset security policies consist of the following elements:

Profiles
Policies
Policy settings

In addition, the order of precedence is important if multiple preset security policies and
other policies apply to the same person.

Profiles in preset security policies

A profile determines the level of protection. The following profiles are available:

Standard protection: A baseline protection profile that's suitable for most users.
Strict protection: A more aggressive protection profile for selected users (high
value targets or priority users).

For Standard protection and Strict protection, you use rules with conditions and
exceptions to determine the internal recipients that the policy applies to (recipient
conditions).

The available conditions and exceptions are:

Users: The specified mailboxes, mail users, or mail contacts.
Groups: Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported), or the specified
Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your organization.

You can only use a condition or exception once, but you can specify multiple
values for the condition or exception. Multiple values of the same condition or
exception use OR logic (for example, <recipient1> or <recipient2>). Different
conditions or exceptions use AND logic (for example, <recipient1> and <member
of group 1>).

Important

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The preset security policy is applied only to those recipients that
match all of the specified recipient filters. For example, you configure a
recipient filter condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy is not
applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the
policy is excluded from romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.

Built-in protection (Defender for Office 365 only): A profile that enables Safe Links
and Safe Attachments protection only. This profile effectively provides default
policies for Safe Links and Safe Attachments, which never had default policies.
For Built-in protection, the preset security policy is on by default for all Defender
for Office 365 customers. Although we don't recommend it, you can also configure
exceptions based on Users, Groups, and Domains so the protection isn't applied
to specific users.

Until you assign the policies to users, the Standard and Strict preset security policies are
assigned to no one. In contrast, the Built-in protection preset security policy is assigned
to all recipients by default, but you can configure exceptions.

Policies in preset security policies

Preset security policies use the corresponding policies from the various protection
features in EOP and Microsoft Defender for Office 365. These policies are created after
you assign the Standard protection or Strict protection preset security policies to users.
You can't modify the settings in these policies.

Exchange Online Protection (EOP) policies: These policies are in all Microsoft 365
organizations with Exchange Online mailboxes and standalone EOP organizations
without Exchange Online mailboxes:
  Anti-spam policies named Standard Preset Security Policy and Strict Preset
  Security Policy.
  Anti-malware policies named Standard Preset Security Policy and Strict Preset
  Security Policy.
  Anti-phishing policies (spoofing protection) named Standard Preset Security
  Policy and Strict Preset Security Policy (spoof settings).

Note

Outbound spam policies are not part of preset security policies. The default
outbound spam policy automatically protects members of preset security
policies. Or, you can create custom outbound spam policies to customize the
protection for members of preset security policies. For more information, see
Configure outbound spam filtering in EOP.

Microsoft Defender for Office 365 policies: These policies are in organizations
with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:
  Anti-phishing policies in Defender for Office 365 named Standard Preset
  Security Policy and Strict Preset Security Policy, which include:
    The same spoof settings that are available in the EOP anti-phishing policies.
    Impersonation settings.
    Advanced phishing thresholds.
  Safe Links policies named Standard Preset Security Policy, Strict Preset Security
  Policy, and Built-in Protection Policy.
  Safe Attachments policies named Standard Preset Security Policy, Strict Preset
  Security Policy, and Built-in Protection Policy.

You can apply EOP protections to different users than Defender for Office 365
protections, or you can apply EOP and Defender for Office 365 to the same recipients.

Policy settings in preset security policies

You can't modify the policy settings in the protection profiles. The Standard, Strict, and
Built-in protection policy setting values are described in Recommended settings for
EOP and Microsoft Defender for Office 365 security.

Note

In Defender for Office 365 protections, you need to identify the senders for user
impersonation protection and the internal or external domains for domain
impersonation protection.

All domains that you own (accepted domains) automatically receive domain
impersonation protection in preset security policies.

All recipients automatically receive impersonation protection from mailbox
intelligence in preset security policies.

Order of precedence for preset security policies and other policies

When multiple policies are applied to a user, the following order is applied from highest
priority to lowest priority:

1. Strict preset security policy.
2. Standard preset security policy.
3. Custom policies. Custom policies are applied based on the priority value of the
policy.
4. Built-in protection preset security policy for Safe Links and Safe Attachments;
default policies for anti-malware, anti-spam, and anti-phishing.

In other words, the settings of the Strict preset security policy override the settings of
the Standard preset security policy, which overrides the settings from any custom
policies, which override the settings of the Built-in protection preset security policy for
Safe Links and Safe Attachments, and the default policies for anti-spam, anti-malware,
and anti-phishing.

For example, a security setting exists in Standard protection and an admin specifies a
user for Standard protection. The Standard protection setting is applied to the user
instead of what's configured for that setting in a custom policy or in the default policy
for the same user.

You might want to apply the Standard or Strict preset security policies to a subset of
users, and apply custom policies to other users in your organization to meet specific
needs. To meet this requirement, do the following steps:

Configure the users who should get the settings of the Standard preset security
policy and custom policies as exceptions in the Strict preset security policy.
Configure the users who should get the settings of custom policies as exceptions
in the Standard preset security policy.

Built-in protection does not affect recipients in existing Safe Links or Safe Attachments
policies. If you've already configured Standard protection, Strict protection or custom
Safe Links or Safe Attachments policies, those policies are always applied before Built-in
protection, so there's no impact to the recipients who are already defined in those
existing preset or custom policies.
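The recipient-filter logic (OR within a condition type, AND across types, exceptions evaluated the same way) and the precedence order above can be modelled to predict which policy a given recipient ends up with before you assign anything in the portal. This is an added example, not Microsoft's evaluation code: the tenant configuration, group names and recipients are constructed for the example, and the numeric tier used to rank Strict, Standard, custom and Built-in is the example's own device.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Recipient:
    email: str
    groups: Set[str] = field(default_factory=set)

    @property
    def domain(self) -> str:
        return self.email.split("@", 1)[1].lower()


@dataclass
class RecipientFilter:
    """Users / Groups / Domains as used for both conditions and exceptions."""
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)

    def matches(self, r: Recipient) -> bool:
        """Values of one type are ORed; different types are ANDed (inclusive).
        An empty filter matches nobody, so an unassigned preset applies to no one."""
        checks = []
        if self.users:
            checks.append(r.email.lower() in {u.lower() for u in self.users})
        if self.groups:
            checks.append(bool(r.groups & self.groups))
        if self.domains:
            checks.append(r.domain in {d.lower() for d in self.domains})
        return bool(checks) and all(checks)


@dataclass
class Policy:
    name: str
    tier: int                 # 0 Strict, 1 Standard, 2 custom, 3 Built-in/default (example device)
    priority: int = 0         # only meaningful among custom policies (lower wins)
    conditions: RecipientFilter = field(default_factory=RecipientFilter)
    exceptions: RecipientFilter = field(default_factory=RecipientFilter)
    all_recipients: bool = False

    def applies_to(self, r: Recipient) -> bool:
        if self.exceptions.matches(r):
            return False
        return self.all_recipients or self.conditions.matches(r)


def resolve_policy(policies: List[Policy], r: Recipient) -> Optional[Policy]:
    """Highest-precedence policy that applies: Strict, then Standard, then custom
    by priority value, then Built-in protection / default policies."""
    applicable = [p for p in policies if p.applies_to(r)]
    return min(applicable, key=lambda p: (p.tier, p.priority), default=None)


def resolve_policy_name(policies: List[Policy], r: Recipient) -> Optional[str]:
    policy = resolve_policy(policies, r)
    return policy.name if policy else None


# Constructed tenant configuration (example only).
POLICIES = [
    Policy("Strict Preset Security Policy", tier=0,
           conditions=RecipientFilter(users={"romain@contoso.com"}, groups={"Executives"})),
    Policy("Standard Preset Security Policy", tier=1,
           conditions=RecipientFilter(domains={"contoso.com"}),
           exceptions=RecipientFilter(groups={"Contractors"})),
    Policy("Custom anti-phishing policy", tier=2, priority=0,
           conditions=RecipientFilter(domains={"contoso.com"})),
    Policy("Built-in Protection Policy", tier=3, all_recipients=True),
]


if __name__ == "__main__":
    for r in (Recipient("romain@contoso.com", {"Executives"}),
              Recipient("romain@contoso.com"),
              Recipient("alice@contoso.com", {"Contractors"}),
              Recipient("bob@fabrikam.com")):
        print(f"{r.email:22} groups={sorted(r.groups)!s:18} -> {resolve_policy_name(POLICIES, r)}")
```

Running it reproduces the Important note: romain@contoso.com only reaches Strict while he is in Executives; without that membership he falls through to Standard by domain, a Contractors member is excluded from Standard and lands on the custom policy, and a recipient outside contoso.com gets only Built-in protection.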

Assign preset security policies to users

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the Preset security policies page, use
https://security.microsoft.com/presetSecurityPolicies.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
  To configure preset security policies, you need to be a member of the
  Organization Management or Security Administrator role groups.
  For read-only access to preset security policies, you need to be a member of the
  Global Reader role group.
For more information, see Permissions in Exchange Online.

Note: Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions and permissions
for other features in Microsoft 365. For more information, see About admin roles.

Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Preset Security
Policies in the Templated policies section. To go directly to the Preset security
policies page, use https://security.microsoft.com/presetSecurityPolicies.

2. On the Preset security policies page, click Manage in the Standard protection or
Strict protection sections.

3. The Apply Standard protection or Apply Strict protection wizard starts in a flyout.

On the Apply Exchange Online Protection page, identify the internal recipients
that the EOP protections apply to (recipient conditions):

All recipients

Specific recipients:
  Users
  Groups: Members of the specified distribution groups or mail-enabled security
  groups (dynamic distribution groups are not supported), or the specified
  Microsoft 365 Groups.
  Domains

  Click in the appropriate box, start typing a value, and select the value that
  you want from the results. Repeat this process as many times as necessary. To
  remove an existing value, click Remove next to the value.

  For users or groups, you can use most identifiers (name, display name, alias,
  email address, account name, etc.), but the corresponding display name is
  shown in the results. For users, enter an asterisk (*) by itself to see all
  available values.

None

Exclude these recipients: To add exceptions for the internal recipients that
the policy applies to (recipient exceptions), select this option and configure
the exceptions. The settings and behavior are exactly like the conditions.
When you're finished, click Next.

Note

In organizations without Defender for Office 365, clicking Next takes you to
the Review page. The remaining steps/pages before the Review page are
available only in organizations with Defender for Office 365.

4. On the Apply Defender for Office 365 protection page, identify the internal
recipients that the Defender for Office 365 protections apply to (recipient
conditions).

The settings and behavior are exactly like the EOP protections apply to page in
the previous step.

You can also select Previously selected recipients to use the same recipients that
you selected for EOP protection on the previous page.

When you're finished, click Next.

5. On the Impersonation protection page, click Next.

6. On the Add email addresses to flag when impersonated by attackers page, add
internal and external senders who are protected by user impersonation protection.

Note

All recipients automatically receive impersonation protection from mailbox
intelligence in preset security policies.

Each entry consists of a display name and an email address. Enter each value in the
boxes and then click Add. Repeat this step as many times as necessary.

You can specify a maximum of 350 users, and you can't specify the same user in
the user impersonation protection settings in multiple policies.

To remove an existing entry from the list, click the remove icon next to the entry.

When you're finished, click Next.


7. On the Add domains to flag when impersonated by attackers page, add internal
and external domains that are protected by domain impersonation protection.

Note

All domains that you own (accepted domains) automatically receive domain
impersonation protection in preset security policies.

All senders in the specified domains are protected by domain impersonation
protection.

Enter the domain in the box, and then click Add. Repeat this step as many times as
necessary.

To remove an existing entry from the list, select the entry, and then click the remove icon.

The maximum number of domains that you can specify for domain impersonation
protection in all anti-phishing policies is 50.

When you're finished, click Next.

8. On the Add trusted email addresses and domains to not flag as impersonation
page, enter the sender email addresses and domains that you want excluded from
impersonation protection. Messages from these senders will never be flagged as
an impersonation attack, but the senders are still subject to scanning by other
filters in EOP and Defender for Office 365.

Enter the email address or domain in the box, and then click Add. Repeat this step
as many times as necessary.

To remove an existing entry from the list, select the entry, and then click the remove icon.

When you're finished, click Next.

9. On the Review and confirm this policy page, verify your selections, and then click
Confirm.

Use the Microsoft 365 Defender portal to modify the assignments of Standard and Strict preset security policies

The steps to modify the assignment of the Standard protection or Strict protection
preset security policy are the same as when you initially assigned the preset security
policies to users.

To disable the Standard protection or Strict protection preset security policies while still
preserving the existing conditions and exceptions, slide the toggle to Disabled . To
enable the policies, slide the toggle to Enabled .

Use the Microsoft 365 Defender portal to modify the assignments of the Built-in protection preset security policy

Remember, the Built-in protection preset security policy is assigned to all recipients,
and doesn't affect recipients who are defined in the Standard protection or Strict
protection preset security policies, or custom Safe Links or Safe Attachments policies.

Therefore, we typically don't recommend exceptions to the Built-in protection preset
security policy.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Preset Security
Policies in the Templated policies section. To go directly to the Preset security
policies page, use https://security.microsoft.com/presetSecurityPolicies .

2. On the Preset security policies page, select Add exclusions (not recommended) in
the Built-in protection section.

3. On the Exclude from Built-in protection flyout that appears, identify the internal
recipients that are excluded from the built-in Safe Links and Safe Attachments
protection:

Users
Groups:
    Members of the specified distribution groups or mail-enabled security
    groups (dynamic distribution groups are not supported).
    The specified Microsoft 365 Groups.
Domains

Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.

For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.
When you're finished, click Save.

How do you know these procedures worked?

To verify that you've successfully assigned the Standard protection or Strict protection
security policy to a user, use a protection setting whose default value is different
from the Standard protection setting, which is in turn different from the Strict
protection setting.

For example, for email that's detected as spam (not high confidence spam) verify that
the message is delivered to the Junk Email folder for Standard protection users, and
quarantined for Strict protection users.

Or, for bulk mail, verify that the BCL value 6 or higher delivers the message to the Junk
Email folder for Standard protection users, and the BCL value 4 or higher quarantines
the message for Strict protection users.

Preset security policies in Exchange Online PowerShell

In PowerShell, preset security policies consist of the following elements:

Individual security policies: For example, anti-malware policies, anti-spam policies,
anti-phishing policies, Safe Links policies, and Safe Attachments policies.

Warning

Do not attempt to create, modify, or remove the individual security policies
that are associated with preset security policies. The only supported method
for creating the individual security policies for Standard or Strict preset
security policies is to turn on the preset security policy in the Microsoft 365
Defender portal for the first time.

Rules: Separate rules for the Standard preset security policy, the Strict preset
security policy, and the Built-in protection preset security policy define the
recipient conditions and exceptions for the policies (identify the recipients that the
protections of the policy apply to).

For the Standard and Strict preset security policies, these rules are created the first
time you turn on the preset security policy in the Microsoft 365 Defender portal. If
you've never turned on the preset security policy, the associated rules don't exist.
Subsequently turning off the preset security policy does not delete the associated
rules.

The Built-in protection preset security policy has a single rule that controls
exceptions to the default Safe Links and Safe Attachments protection of the policy.

The Standard and Strict preset security policies have the following rules:
Rules for Exchange Online Protection (EOP) protections: The rule for the
Standard Preset security policy and the rule for the Strict preset security policy
controls who the EOP protections in the policy (anti-malware, anti-spam, and
anti-phishing) apply to (the recipient conditions and exceptions for EOP
protections).
Rules for Defender for Office 365 protections: The rule for the Standard Preset
security policy and the rule for the Strict preset security policy controls who the
Defender for Office 365 protections in the policy (Safe Links and Safe
Attachments) apply to (the recipient conditions and exceptions for Defender for
Office 365 protections).

The rules for Standard and Strict preset security policies also allow you to turn on
or turn off the preset security policy by enabling or disabling the rules that are
associated with the policies.

The rules for preset security policies are not available to the regular rule cmdlets
that work for individual security policies (for example, Get-AntiPhishRule). Instead,
the following cmdlets are required:
Built-in protection preset security policy: *-ATPBuiltInProtectionRule cmdlets.
Standard and Strict preset security policies: *-EOPProtectionPolicyRule and
*-ATPProtectionPolicyRule cmdlets.

The following sections describe how to use these cmdlets in supported scenarios.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

Use PowerShell to view individual security policies for preset security policies

Remember, if you never turned on the Standard preset security policy or the Strict
preset security policy in the Microsoft 365 Defender portal, the associated security
policies for the preset security policy don't exist.

Warning

Do not attempt to create, modify, or remove the individual security policies that are
associated with preset security policies. The only supported method for creating
the individual security policies for Standard or Strict preset security policies is to
turn on the preset security policy in the Microsoft 365 Defender portal for the first
time.

Built-in protection preset security policy: The associated policies are named
Built-In Protection Policy. The IsBuiltInProtection property value is True for these policies.

To view the individual security policies for the Built-in protection preset security
policy, run the following command:

PowerShell

Write-Output -InputObject ("`r`n"*3),"Built-in protection Safe Attachments policy",("-"*79); Get-SafeAttachmentPolicy -Identity "Built-In Protection Policy" | Format-List
Write-Output -InputObject ("`r`n"*3),"Built-in protection Safe Links policy",("-"*79); Get-SafeLinksPolicy -Identity "Built-In Protection Policy" | Format-List

Standard preset security policy: The associated policies are named Standard
Preset Security Policy<13-digit number>. For example, Standard Preset Security
Policy1622650008019. The RecommendedPolicyType property value is Standard.

Organizations without Defender for Office 365:

To view the individual security policies for the Standard preset security policy in
organizations without Defender for Office 365, run the following command:

PowerShell

Write-Output -InputObject ("`r`n"*3),"Standard anti-malware policy",("-"*79); Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"
Write-Output -InputObject ("`r`n"*3),"Standard anti-spam policy",("-"*79); Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"
Write-Output -InputObject ("`r`n"*3),"Standard anti-phishing policy",("-"*79); Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"

Organizations with Defender for Office 365:

To view the individual security policies for the Standard preset security policy in
organizations with Defender for Office 365, run the following command:

PowerShell

Write-Output -InputObject ("`r`n"*3),"Standard anti-malware policy",("-"*79); Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"
Write-Output -InputObject ("`r`n"*3),"Standard anti-spam policy",("-"*79); Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"
Write-Output -InputObject ("`r`n"*3),"Standard anti-phishing policy",("-"*79); Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"
Write-Output -InputObject ("`r`n"*3),"Standard Safe Attachments policy",("-"*79); Get-SafeAttachmentPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"
Write-Output -InputObject ("`r`n"*3),"Standard Safe Links policy",("-"*79); Get-SafeLinksPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Standard"

Strict preset security policy: The associated policies are named Strict Preset
Security Policy<13-digit number>. For example, Strict Preset Security
Policy1642034872546. The RecommendedPolicyType property value is Strict.

Organizations without Defender for Office 365:

To view the individual security policies for the Strict preset security policy in
organizations without Defender for Office 365, run the following command:

PowerShell

Write-Output -InputObject ("`r`n"*3),"Strict anti-malware policy",("-"*79); Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"
Write-Output -InputObject ("`r`n"*3),"Strict anti-spam policy",("-"*79); Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"
Write-Output -InputObject ("`r`n"*3),"Strict anti-phishing policy",("-"*79); Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"

Organizations with Defender for Office 365:

To view the individual security policies for the Strict preset security policy in
organizations with Defender for Office 365, run the following command:

PowerShell

Write-Output -InputObject ("`r`n"*3),"Strict anti-malware policy",("-"*79); Get-MalwareFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"
Write-Output -InputObject ("`r`n"*3),"Strict anti-spam policy",("-"*79); Get-HostedContentFilterPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"
Write-Output -InputObject ("`r`n"*3),"Strict anti-phishing policy",("-"*79); Get-AntiPhishPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"
Write-Output -InputObject ("`r`n"*3),"Strict Safe Attachments policy",("-"*79); Get-SafeAttachmentPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"
Write-Output -InputObject ("`r`n"*3),"Strict Safe Links policy",("-"*79); Get-SafeLinksPolicy | Where-Object -Property RecommendedPolicyType -eq -Value "Strict"

Use PowerShell to view rules for preset security policies

Remember, if you never turned on the Standard preset security policy or the Strict
preset security policy in the Microsoft 365 Defender portal, the associated rules for
those policies don't exist.

Built-in protection preset security policy: The associated rule is named
ATP Built-In Protection Rule.

To view the rule that's associated with the Built-in protection preset security policy,
run the following command:

PowerShell

Get-ATPBuiltInProtectionRule

For detailed syntax and parameter information, see Get-ATPBuiltInProtectionRule.

Standard preset security policy: The associated rules are named Standard Preset
Security Policy.

Use the following commands to view the rules that are associated with the
Standard preset security policy:

To view the rule that's associated with EOP protections in the Standard preset
security policy, run the following command:

PowerShell

Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"

To view the rule that's associated with Defender for Office 365 protections in the
Standard preset security policy, run the following command:

PowerShell

Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

To view both rules at the same time, run the following command:

PowerShell

Write-Output -InputObject ("`r`n"*3),"EOP rule - Standard preset security policy",("-"*79); Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Write-Output -InputObject ("`r`n"*3),"Defender for Office 365 rule - Standard preset security policy",("-"*79); Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

Strict preset security policy: The associated rules are named Strict Preset Security
Policy.

Use the following commands to view the rules that are associated with the Strict
preset security policy:

To view the rule that's associated with EOP protections in the Strict preset
security policy, run the following command:

PowerShell

Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"

To view the rule that's associated with Defender for Office 365 protections in the
Strict preset security policy, run the following command:

PowerShell

Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"

To view both rules at the same time, run the following command:

PowerShell

Write-Output -InputObject ("`r`n"*3),"EOP rule - Strict preset security policy",("-"*79); Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
Write-Output -InputObject ("`r`n"*3),"Defender for Office 365 rule - Strict preset security policy",("-"*79); Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"

For detailed syntax and parameter information, see Get-EOPProtectionPolicyRule and
Get-ATPProtectionPolicyRule.

Use PowerShell to turn on or turn off preset security policies

As described earlier, to turn on or turn off the Standard or Strict preset security policies,
you enable or disable the rules that are associated with the policy. The State property value
of the rule shows whether the rule is Enabled or Disabled.

Depending on whether your organization has Defender for Office 365, you might need
to enable or disable one rule (the rule for EOP protections) or two rules (one rule for
EOP protections, and one rule for Defender for Office 365 protections) to turn on or turn
off the preset security policy.

Standard preset security policy:

Organizations without Defender for Office 365:

In organizations without Defender for Office 365, run the following command
to determine whether the rule for the Standard preset policy is currently
enabled or disabled:

PowerShell

Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State

Run the following command to turn off the Standard preset security policy if
it's turned on:

PowerShell

Disable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"

Run the following command to turn on the Standard preset security policy if
it's turned off:

PowerShell

Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"

Organizations with Defender for Office 365:

In organizations with Defender for Office 365, run the following command to
determine whether the rules for the Standard preset policy are currently
enabled or disabled:

PowerShell

Write-Output -InputObject ("`r`n"*3),"EOP rule - Standard preset security policy",("-"*63); Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State
Write-Output -InputObject "`r`n","Defender for Office 365 rule - Standard preset security policy",("-"*63); Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name,State

Run the following command to turn off the Standard preset security policy if
it's turned on:

PowerShell

Disable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Disable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

Run the following command to turn on the Standard preset security policy if
it's turned off:

PowerShell

Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

Strict preset security policy:

Organizations without Defender for Office 365:

In organizations without Defender for Office 365, run the following command to
determine whether the rule for the Strict preset policy is currently enabled or
disabled:

PowerShell

Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State

Run the following command to turn off the Strict preset security policy if it's
turned on:

PowerShell

Disable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"

Run the following command to turn on the Strict preset security policy if it's
turned off:

PowerShell

Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"

Organizations with Defender for Office 365:

In organizations with Defender for Office 365, run the following command to
determine whether the rules for the Strict preset policy are currently enabled
or disabled:

PowerShell

Write-Output -InputObject ("`r`n"*3),"EOP rule - Strict preset security policy",("-"*63); Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State
Write-Output -InputObject "`r`n","Defender for Office 365 rule - Strict preset security policy",("-"*63); Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name,State

Run the following command to turn off the Strict preset security policy if it's
turned on:

PowerShell

Disable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Disable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"

Run the following command to turn on the Strict preset security policy if it's
turned off:

PowerShell

Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Enable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"

For detailed syntax and parameter information, see Enable-EOPProtectionPolicyRule,
Enable-ATPProtectionPolicyRule, Disable-EOPProtectionPolicyRule, and
Disable-ATPProtectionPolicyRule.
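The view-rules and turn-on/turn-off procedures above, combined into two helpers as an added example that is not part of the article. It assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline) and that the rule objects returned by Get-EOPProtectionPolicyRule and Get-ATPProtectionPolicyRule expose their recipient filters as properties named like the Set-* parameters on this page (SentTo, ExceptIfSentTo, and so on); the function names and report layout are mine.

```powershell
# Added example, not part of the article. Assumes an active Exchange Online PowerShell
# session (Connect-ExchangeOnline) and that the rule objects returned by
# Get-EOPProtectionPolicyRule / Get-ATPProtectionPolicyRule expose the recipient filters
# as properties named like the Set-* parameters on this page (SentTo, ExceptIfSentTo, ...).
# The function names and the report layout are my own.

function Get-PresetSecurityPolicyStatus {
    # One row per preset and per rule scope (EOP / Defender for Office 365), including
    # the "rule was never created" case so the report also works before first enablement.
    [CmdletBinding()]
    param([string[]]$Preset = @('Standard', 'Strict'))

    $filterProps = 'SentTo', 'SentToMemberOf', 'RecipientDomainIs'

    foreach ($name in $Preset) {
        $identity = "$name Preset Security Policy"

        # Rules exist only after the preset was turned on once in the portal, so a
        # missing rule is an expected state and must not abort the report.
        $eopRule = Get-EOPProtectionPolicyRule -Identity $identity -ErrorAction SilentlyContinue
        $atpRule = Get-ATPProtectionPolicyRule -Identity $identity -ErrorAction SilentlyContinue
        $scopes  = @(
            @{ Scope = 'EOP';                     Rule = $eopRule },
            @{ Scope = 'Defender for Office 365'; Rule = $atpRule }
        )

        foreach ($entry in $scopes) {
            $rule = $entry.Rule
            $conditions = @()
            $exceptions = @()
            if ($rule) {
                foreach ($p in $filterProps) {
                    if ($rule.$p)           { $conditions += "$p=$($rule.$p -join ',')" }
                    if ($rule."ExceptIf$p") { $exceptions += "ExceptIf$p=$($rule."ExceptIf$p" -join ',')" }
                }
            }
            $state = if ($rule) { $rule.State } else { 'NotCreated' }
            # An empty condition set means "all recipients", subject to the policy
            # order of precedence described earlier in the article.
            $condText = if ($conditions) { $conditions -join '; ' } else { '(none: all recipients)' }
            $excText  = if ($exceptions) { $exceptions -join '; ' } else { '(none)' }

            [pscustomobject]@{
                Preset     = $name
                Scope      = $entry.Scope
                State      = $state
                Conditions = $condText
                Exceptions = $excText
            }
        }
    }
}

function Set-PresetSecurityPolicyState {
    # Turns a preset on or off by toggling every rule that exists for it. In an
    # organization with Defender for Office 365 that is both the EOP rule and the
    # Defender rule; toggling only one of them leaves the preset half enabled.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Standard', 'Strict')][string]$Preset,
        [Parameter(Mandatory)][bool]$Enabled
    )

    $identity = "$Preset Preset Security Policy"
    $verb     = if ($Enabled) { 'Enable' } else { 'Disable' }

    if (-not (Get-EOPProtectionPolicyRule -Identity $identity -ErrorAction SilentlyContinue)) {
        # The only supported way to create the rules is the portal (see the warning above).
        Write-Warning "$identity has never been turned on in the Microsoft 365 Defender portal; turn it on there first."
        return
    }
    if ($PSCmdlet.ShouldProcess($identity, "$verb-EOPProtectionPolicyRule")) {
        & "$verb-EOPProtectionPolicyRule" -Identity $identity
    }
    # The Defender rule is absent in organizations without Defender for Office 365.
    if (Get-ATPProtectionPolicyRule -Identity $identity -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess($identity, "$verb-ATPProtectionPolicyRule")) {
            & "$verb-ATPProtectionPolicyRule" -Identity $identity
        }
    }
}

# Usage: report first, then dry-run a change with -WhatIf before applying it.
# Get-PresetSecurityPolicyStatus | Format-Table -AutoSize
# Set-PresetSecurityPolicyState -Preset Strict -Enabled $true -WhatIf
```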

Use PowerShell to specify recipient conditions and exceptions for preset security policies

Important

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The preset security policy is applied only to those recipients that match all
of the specified recipient filters. For example, you configure a recipient filter
condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of the
Executives group. If he's not a member of the group, then the policy is not applied
to him.

Likewise, if you use the same recipient filter as an exception to the policy, the policy
is not applied to romain@contoso.com only if he's also a member of the Executives
group. If he's not a member of the group, then the policy still applies to him.

For the Built-in protection preset security policy, you can only specify recipient
exceptions. If all exception parameter values are empty ( $null ), there are no exceptions
to the policy.

For the Standard and Strict preset security policies, you can specify recipient conditions
and exceptions for EOP protections and Defender for Office 365 protections. If all of the
condition and exception parameter values are empty ( $null ), there are no recipient
conditions or exceptions to the Standard or Strict preset security policies.

Even if there are no recipient conditions or exceptions applied to a preset security
policy, whether the policy is applied to all recipients depends on the order of
precedence for policies as previously described in this article.

Built-in protection preset security policy:

Use the following syntax:

PowerShell

Set-ATPBuiltInProtectionRule -Identity "ATP Built-In Protection Rule" -ExceptIfRecipientDomainIs <"domain1","domain2",... | $null> -ExceptIfSentTo <"user1","user2",... | $null> -ExceptIfSentToMemberOf <"group1","group2",... | $null>

This example removes all recipient exceptions from the Built-in protection preset
security policy.

PowerShell

Set-ATPBuiltInProtectionRule -Identity "ATP Built-In Protection Rule" -ExceptIfRecipientDomainIs $null -ExceptIfSentTo $null -ExceptIfSentToMemberOf $null

For detailed syntax and parameter information, see Set-ATPBuiltInProtectionRule.

Standard or Strict preset security policies

Use the following syntax:

PowerShell

<Set-EOPProtectionPolicyRule | Set-ATPProtectionPolicyRule> -Identity "<Standard Preset Security Policy | Strict Preset Security Policy>" -SentTo <"user1","user2",... | $null> -ExceptIfSentTo <"user1","user2",... | $null> -SentToMemberOf <"group1","group2",... | $null> -ExceptIfSentToMemberOf <"group1","group2",... | $null> -RecipientDomainIs <"domain1","domain2",... | $null> -ExceptIfRecipientDomainIs <"domain1","domain2",... | $null>

This example configures exceptions from the EOP protections in the Standard
preset security policy for members of the distribution group named Executives.

PowerShell

Set-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" -ExceptIfSentToMemberOf Executives

This example configures exceptions from the Defender for Office 365 protections
in the Strict preset security policy for the specified security operations (SecOps)
mailboxes. Because Defender for Office 365 protections are scoped by the ATP rule,
the Set-ATPProtectionPolicyRule cmdlet is used.

PowerShell

Set-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" -ExceptIfSentTo "SecOps1","SecOps2"

For detailed syntax and parameter information, see Set-EOPProtectionPolicyRule
and Set-ATPProtectionPolicyRule.

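The "inclusive, not additive" recipient-filter semantics from the Important box above, modelled offline as an added example that is not part of the article: the function evaluates a constructed rule (a hashtable whose keys are named like the rule parameters) against a recipient, so you can predict what a Set-*ProtectionPolicyRule call will scope before running it. The function name, hashtable layout and sample identities are mine.

```powershell
# Added example, not part of the article. Pure PowerShell that runs offline: it models
# the recipient-filter semantics described above (every specified filter type must
# match; exceptions are evaluated the same way) against constructed data. The
# function name, the hashtable layout and the sample identities are my own.

function Test-PresetPolicyRecipient {
    param(
        [Parameter(Mandatory)][string]$Recipient,   # recipient SMTP address
        [string[]]$MemberOf = @(),                   # groups the recipient belongs to
        [Parameter(Mandatory)][hashtable]$Rule       # keys named like the rule parameters
    )

    function Test-FilterSet([string]$Prefix) {
        # $null when no filter of this kind is set; otherwise $true only if every
        # specified filter type (users AND groups AND domains) matches the recipient.
        $domain = $Recipient.Split('@')[-1]
        $checks = @()
        if ($Rule["${Prefix}SentTo"]) {
            $checks += [bool]($Rule["${Prefix}SentTo"] -contains $Recipient)
        }
        if ($Rule["${Prefix}SentToMemberOf"]) {
            $checks += [bool]($Rule["${Prefix}SentToMemberOf"] | Where-Object { $MemberOf -contains $_ })
        }
        if ($Rule["${Prefix}RecipientDomainIs"]) {
            $checks += [bool]($Rule["${Prefix}RecipientDomainIs"] -contains $domain)
        }
        if ($checks.Count -eq 0) { return $null }
        return -not ($checks -contains $false)
    }

    $condition = Test-FilterSet -Prefix ''
    $exception = Test-FilterSet -Prefix 'ExceptIf'

    # No conditions at all means every recipient is in scope (the article's order of
    # precedence, which decides between overlapping policies, is not modelled here).
    $inScope  = ($null -eq $condition) -or $condition
    $excluded = ($null -ne $exception) -and $exception
    return [bool]($inScope -and -not $excluded)
}

# The scenario from the Important box, as constructed input.
$conditionRule = @{ SentTo = @('romain@contoso.com'); SentToMemberOf = @('Executives') }
$exceptionRule = @{ ExceptIfSentTo = @('romain@contoso.com'); ExceptIfSentToMemberOf = @('Executives') }

# As a condition: the policy applies to romain only when he is also an Executives member.
Test-PresetPolicyRecipient -Recipient 'romain@contoso.com' -MemberOf 'Executives' -Rule $conditionRule
Test-PresetPolicyRecipient -Recipient 'romain@contoso.com' -Rule $conditionRule

# As an exception: romain is excluded only when both filter types match; otherwise
# the policy (with no conditions, so all recipients) still applies to him.
Test-PresetPolicyRecipient -Recipient 'romain@contoso.com' -MemberOf 'Executives' -Rule $exceptionRule
Test-PresetPolicyRecipient -Recipient 'romain@contoso.com' -Rule $exceptionRule
```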
Microsoft Defender for Office 365
Article • 12/22/2022 • 8 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2


Microsoft 365 Defender

Important

This article is for business customers.

But if you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal,
and you need info about Safe Links or Safe Attachments in Outlook blocking
emails, see Advanced Outlook.com security for Microsoft 365 subscribers .

Microsoft Defender for Office 365 safeguards your organization against malicious
threats posed by email messages, links (URLs), and collaboration tools. Defender for
Office 365 includes:

Installation by Preset can set up everything for you: The easiest and the
recommended setup automates the roll-out of a secure environment (if automated
policies are possible in your organization). Abbreviated steps are available too: Just
the steps for preset policy setup, please!

Threat protection policies: Define threat-protection policies to set the appropriate
level of protection for your organization.

Reports: View real-time reports to monitor Defender for Office 365 performance in
your organization.

Threat investigation and response capabilities: Use leading-edge tools to
investigate, understand, simulate, and prevent threats.

Automated investigation and response capabilities: Save time and effort
investigating and mitigating threats.

Interactive guide to Microsoft Defender for Office 365

If you need more information, this interactive guide will show you an example of how
to safeguard your organization with Microsoft Defender for Office 365.

You'll also see how Defender for Office 365 can help you define protection policies,
analyze threats to your organization, and respond to attacks.

Check out the interactive guide

What's the difference between Microsoft Defender for Office 365 Plan 1 and Plan 2?

For more on what's included in Microsoft 365 Plans 1 & 2, browse over to this
document.

This article spells out what makes up the two products, and the emphasis of each part of
Microsoft Defender for Office 365 using a familiar structure: Protect, Detect, Investigate,
and Respond.

Graphics and short, scannable paragraphs answer questions like:

What is Plan 1 optimized to do for you?
What's the biggest advantage to you and your company in Plan 2?
Who has Exchange Online Protection and what's it optimized to do?

The goal of this article is clarity and quick readability. So, don't miss it!

Getting Started
There are two methods to set up Microsoft Defender for Office 365 for your
subscription.

Preset security policy configuration is recommended

It is recommended that -- as much as your organization can, given its specific needs --
you configure via preset security policies. You can learn more about presets here: Preset
setup information and steps; or just the steps for preset policy setup, please.

Manual configuration for Microsoft Defender for Office 365

Though it's no longer the recommended practice, here are the initial logical
configuration chunks for manual set up:

Configure everything with 'anti' in the name.
    anti-malware
    anti-phishing
    anti-spam
Set up everything with 'safe' in the name.
    Safe Links
    Safe Attachments
Defend the workloads (ex. SharePoint Online, OneDrive, and Teams)
Protect with zero-hour auto purge (ZAP).

To learn by doing things manually, click this link.

Note

Microsoft Defender for Office 365 comes in two different Plan types. You can tell if
you have Plan 1 if you have 'Real-time Detections', and Plan 2, if you have Threat
Explorer. The Plan you have influences the tools you will see, so be certain that
you're aware of your Plan as you learn.

Manual steps to Configure Microsoft Defender for Office 365 policies

It's recommended that you configure with preset security policies, but some
organizations must configure manually.

With Microsoft Defender for Office 365, your organization's security team can configure
protection by defining policies in the Microsoft 365 Defender portal at
https://security.microsoft.com at Email & collaboration > Policies & rules > Threat
policies. Or, you can go directly to the Threat policies page by using
https://security.microsoft.com/threatpolicy .

Tip

For a quick list of policies to define, see Protect against threats.

Defender for Office 365 Policies

The policies that are defined for your organization determine the behavior and
protection level for predefined threats.

Policy options are extremely flexible. For example, your organization's security team can
set fine-grained threat protection at the user, organization, recipient, and domain level.
It is important to review your policies regularly because new threats and challenges
emerge daily.

Safe Attachments: Provides zero-day protection to safeguard your messaging
system, by checking email attachments for malicious content. It routes all
messages and attachments that do not have a virus/malware signature to a special
environment, and then uses machine learning and analysis techniques to detect
malicious intent. If no suspicious activity is found, the message is forwarded to the
mailbox. To learn more, see Set up Safe Attachments policies.

Safe Links: Provides time-of-click verification of URLs, for example, in email
messages and Office files. Protection is ongoing and applies across your
messaging and Office environment. Links are scanned for each click: safe links
remain accessible and malicious links are dynamically blocked. To learn more, see
Set up Safe Links policies.

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: Protects your
organization when users collaborate and share files, by identifying and blocking
malicious files in team sites and document libraries. To learn more, see Turn on
Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams.

Anti-phishing protection in Defender for Office 365: Detects attempts to
impersonate your users and internal or custom domains. It applies machine
learning models and advanced impersonation-detection algorithms to avert
phishing attacks. To learn more, see Configure anti-phishing policies in Microsoft
Defender for Office 365.

How to view Microsoft Defender for Office 365 reports

Microsoft Defender for Office 365 includes reports to monitor Defender for Office 365.
You can access the reports in the Microsoft 365 Defender portal at
https://security.microsoft.com at Reports > Email & collaboration > Email &
collaboration reports. You can also go directly to the Email and collaboration reports
page using https://security.microsoft.com/securityreports .

Reports update in real-time, providing you with the latest insights. These reports also
provide recommendations and alert you to imminent threats. Predefined reports include
the following:

Threat Explorer (or real-time detections)
Threat protection status report
... and several more.

Use threat investigation and response capabilities

Microsoft Defender for Office 365 Plan 2 includes best-of-class threat investigation and
response tools that enable your organization's security team to anticipate, understand,
and prevent malicious attacks.

Threat trackers provide the latest intelligence on prevailing cybersecurity issues.
For example, you can view information about the latest malware, and take
countermeasures before it becomes an actual threat to your organization.
Available trackers include Noteworthy trackers, Trending trackers, Tracked queries,
and Saved queries.

Threat Explorer in Plan 2 (or real-time detections in Plan 1) (also referred to as
Explorer) is a real-time report that allows you to identify and analyze recent
threats. You can configure Explorer to show data for custom periods.

Attack simulation training allows you to run realistic attack scenarios in your
organization to identify vulnerabilities. Simulations of current types of attacks are
available, including spear phishing credential harvest and attachment attacks, and
password spray and brute force password attacks.

Save time with automated investigation and response

When you are investigating a potential cyberattack, time is of the essence. The sooner
you can identify and mitigate threats, the better off your organization will be.
Automated investigation and response (AIR) capabilities include a set of security
playbooks that can be launched automatically, such as when an alert is triggered, or
manually, such as from a view in Explorer.

AIR can save your security operations team time and effort in mitigating threats
effectively and efficiently. To learn more, see AIR in Office 365.

Permissions required to use Microsoft Defender for Office 365 features

To access Microsoft Defender for Office 365 features, you must be assigned an
appropriate role. The following table includes some examples:

Role or role group / Resources to learn more

global administrator (or Organization Management)
    You can assign this role in Azure Active Directory or in the Microsoft 365
    Defender portal. For more information, see Permissions in the Microsoft 365
    Defender portal.

Security Administrator
    You can assign this role in Azure Active Directory or in the Microsoft 365
    Defender portal. For more information, see Permissions in the Microsoft 365
    Defender portal.

Organization Management in Exchange Online
    Permissions in Exchange Online
    Exchange Online PowerShell

Search and Purge
    This role is available only in the Microsoft 365 Defender portal or the Microsoft
    Purview compliance portal. For more information, see Permissions in the
    Microsoft 365 Defender portal and Permissions in the Microsoft Purview
    compliance portal.

Where to get Microsoft Defender for Office 365

Microsoft Defender for Office 365 is included in certain subscriptions, such as Microsoft
365 E5, Office 365 E5, Office 365 A5, and Microsoft 365 Business Premium.

If your subscription doesn't include Defender for Office 365, you can get Defender for
Office 365 Plan 1 or Plan 2 as an add-on to certain subscriptions. To learn more, take a
look at the following resources:

Microsoft Defender for Office 365 availability for a list of subscriptions that include
Defender for Office 365 plans.

Feature availability across Microsoft Defender for Office 365 plans for a list of
features included in Plan 1 and 2.

Get the right Microsoft Defender for Office 365 to compare plans and purchase
Defender for Office 365.

Start a free trial

What new features are coming for Microsoft Defender for Office 365?

New features are added to Microsoft Defender for Office 365 continually. To learn more,
see the following resources:

Microsoft 365 Roadmap provides a list of new features in development and
rolling out.

Microsoft Defender for Office 365 Service Description describes features and
availability across Defender for Office 365 plans.

See also
Microsoft 365 Defender
Automated investigation and response (AIR) in Microsoft 365 Defender

Protect against threats
Article • 12/22/2022 • 15 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Here's a quick-start guide that breaks the configuration of Defender for Office 365 into
chunks. If you're new to threat protection features in Office 365, not sure where to
begin, or if you learn best by doing, use this guidance as a checklist and a starting point.

Important

Initial recommended settings are included for each kind of policy; however, many
options are available, and you can adjust your settings to meet your specific
organization's needs. Allow approximately 30 minutes for your policies or changes
to work their way through your datacenter.

To skip manual configuration of most policies in Defender for Office 365, you can
use preset security policies at the Standard or Strict level. For more information, see
Preset security policies in EOP and Microsoft Defender for Office 365.

Requirements

Subscriptions
Threat protection features are included in all Microsoft or Office 365 subscriptions;
however, some subscriptions have advanced features. The table below lists the
protection features included in this article together with the minimum subscription
requirements.

Tip

Notice that, beyond the directions to turn on auditing, the steps start with anti-malware,
anti-phishing, and anti-spam, which are marked as part of Office 365 Exchange
Online Protection (EOP). This can seem odd in a Defender for Office 365 article,
until you remember that Defender for Office 365 contains, and builds on, EOP.

Protection type / Subscription requirement

Audit logging (for reporting purposes)
    Exchange Online

Anti-malware protection
    Exchange Online Protection (EOP)

Anti-phishing protection
    EOP

Anti-spam protection
    EOP

Protection from malicious URLs and files in email and Office documents
(Safe Links and Safe Attachments)
    Microsoft Defender for Office 365

Roles and permissions

To configure Defender for Office 365 policies, you must be assigned an appropriate role.
Take a look at the table below for roles that can do these actions.

Role or role group / Where to learn more

global administrator
    About Microsoft 365 admin roles

Security Administrator
    Azure AD built-in roles

Exchange Online Organization Management
    Permissions in Exchange Online

To learn more, see Permissions in the Microsoft 365 Defender portal.

Turn on audit logging for reporting and investigation

Start your audit logging early. You'll need auditing to be ON for some of the
following steps. Audit logging is available in subscriptions that include Exchange
Online. In order to view data in threat protection reports, email security reports,
and Explorer, audit logging must be On. To learn more, see Turn audit log search
on or off.

Part 1 - Anti-malware protection in EOP

For more information about the recommended settings for anti-malware, see EOP
anti-malware policy settings.

1. Open the Anti-malware page in the Microsoft 365 Defender portal at
https://security.microsoft.com/antimalwarev2.

2. On the Anti-malware page, select the policy named Default (Default) by clicking
on the name.

3. In the policy details flyout that opens, click Edit protection settings, and then
configure the following settings:

Protection settings section:
Enable the common attachments filter: Select (turn on). Click Customize
file types to add more file types.
Enable zero-hour auto purge for malware: Verify this setting is selected.
For more information about ZAP for malware, see Zero-hour auto purge
(ZAP) for malware.
Quarantine policy: Leave the default value AdminOnlyAccessPolicy selected.
Quarantine policies define what users are able to do to quarantined
messages, and whether users receive quarantine notifications. For more
information, see Quarantine policies.
Notification section: Verify that none of the notification settings are selected.

When you're finished, click Save.

4. Back on the policy details flyout, click Close.

For detailed instructions for configuring anti-malware policies, see Configure anti-
malware policies in EOP.

Part 2 - Anti-phishing protection in EOP and Defender for Office 365

Anti-phishing protection is available in subscriptions that include EOP. Advanced anti-
phishing protection is available in Defender for Office 365.

For more information about the recommended settings for anti-phishing policies, see
EOP anti-phishing policy settings and Anti-phishing policy settings in Microsoft
Defender for Office 365.

The following procedure describes how to configure the default anti-phishing policy.
Settings that are only available in Defender for Office 365 are clearly marked.

1. Open the Anti-phishing page in the Microsoft 365 Defender portal at
https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, select the policy named Office365 AntiPhish Default
(Default) by clicking on the name.

3. In the policy details flyout that appears, configure the following settings:

Phishing threshold & protection section: Click Edit protection settings and
configure the following settings in the flyout that opens:
Phishing email threshold*: Select 2 - Aggressive (Standard) or 3 - More
Aggressive (Strict).
Impersonation section*: Configure the following values:
Select Enable users to protect, click the Manage (nn) sender(s) link
that appears, and then add internal and external senders to protect
from impersonation, such as your organization's board members, your
CEO, CFO, and other senior leaders.
Select Enable domains to protect, and then configure the following
settings that appear:
Select Include domains I own to protect internal senders in your
accepted domains (visible by clicking View my domains) from
impersonation.
To protect senders in other domains, select Include custom domains,
click the Manage (nn) custom domain(s) link that appears, and then
add other domains to protect from impersonation.
Add trusted senders and domains section*: Click Manage (nn) trusted
sender(s) and domains(s) to configure sender and sender domain
exceptions to impersonation protection if needed.
Mailbox intelligence settings*: Verify that Enable mailbox intelligence and
Enable intelligence for impersonation protection are selected.
Spoof section: Verify Enable spoof intelligence is selected.

When you're finished, click Save.

Actions section: Click Edit actions and configure the following settings in the
flyout that opens:
Message actions section: Configure the following settings:
If message is detected as an impersonated user*: Select Quarantine
the message. An Apply quarantine policy box appears where you
select the quarantine policy that applies to messages that are
quarantined by user impersonation protection.
If message is detected as an impersonated domain*: Select Quarantine
the message. An Apply quarantine policy box appears where you
select the quarantine policy that applies to messages that are
quarantined by domain impersonation protection.
If mailbox intelligence detects an impersonated user*: Select Move
message to the recipients' Junk Email folders (Standard) or Quarantine
the message (Strict). If you select Quarantine the message, an Apply
quarantine policy box appears where you select the quarantine policy
that applies to messages that are quarantined by mailbox intelligence
protection.
If message is detected as spoof: Select Move message to the
recipients' Junk Email folders (Standard) or Quarantine the message
(Strict). If you select Quarantine the message, an Apply quarantine
policy box appears where you select the quarantine policy that applies
to messages that are quarantined by spoof intelligence protection.
Safety tips & indicators section: Configure the following settings:
Show first contact safety tip: Select (turn on).
Show user impersonation safety tip*: Select (turn on).
Show domain impersonation safety tip*: Select (turn on).
Show user impersonation unusual characters safety tip*: Select (turn
on).
Show (?) for unauthenticated senders for spoof: Select (turn on).
Show "via" tag: Select (turn on).

When you're finished, click Save.

* This setting is available only in Defender for Office 365.

4. Click Save, and then click Close.

For detailed instructions for configuring anti-phishing policies, see Configure anti-
phishing policies in EOP and Configure anti-phishing policies in Microsoft Defender for
Office 365.

Part 3 - Anti-spam protection in EOP

For more information about the recommended settings for anti-spam, see EOP
anti-spam policy settings.

1. Open the Anti-spam policies page in the Microsoft 365 Defender portal at
https://security.microsoft.com/antispam .

2. On the Anti-spam policies page, select the policy named Anti-spam inbound
policy (Default) from the list by clicking on the name.

3. In the policy details flyout that appears, configure the following settings:

Bulk email threshold & spam properties section: Click Edit spam threshold
and properties. In the flyout that appears, configure the following settings:
Bulk email threshold: Set this value to 5 (Strict) or 6 (Standard).
Leave other settings at their default values (Off or None).

When you're finished, click Save.

Actions section: Click Edit actions. In the flyout that appears, configure the
following settings:

Message actions section:
Spam: Verify Move message to Junk Email folder is selected (Standard)
or select Quarantine message (Strict).
High confidence spam: Select Quarantine message.
Phishing: Select Quarantine message.
High confidence phishing: Verify Quarantine messages is selected.
Bulk: Verify Move message to Junk Email folder is selected (Standard)
or select Quarantine message (Strict).

For each action where you select Quarantine message, a Select
quarantine policy box appears where you select the quarantine policy that
applies to messages that are quarantined by anti-spam protection.

Retain spam in quarantine for this many days: Verify the value 30 days.

Enable spam safety tips: Verify this setting is selected (turned on).

Enable zero-hour auto purge (ZAP): Verify this setting is selected (turned
on).
Enable for phishing messages: Verify this setting is selected (turned
on). For more information, see Zero-hour auto purge (ZAP) for phishing.
Enable for spam messages: Verify this setting is selected (turned on).
For more information, see Zero-hour auto purge (ZAP) for spam.

When you're finished, click Save.

Allowed and blocked senders and domains section: Review or edit your
allowed senders and allowed domains as described in Create blocked sender
lists in EOP or Create safe sender lists in EOP.

When you're finished, click Save.

4. When you're finished, click Close.

For detailed instructions for configuring anti-spam policies, see Configure anti-spam
policies in EOP.
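The Part 2 (anti-phishing) and Part 3 (anti-spam) settings above can also be applied from Exchange Online PowerShell, which is useful when the same baseline has to be repeated across tenants or re-checked for drift. The following is an added example, not code from the Microsoft article: it sets the Standard-level values on the two default policies and reads them back. The account name, protected senders and custom domain are constructed placeholders.

```powershell
# Added example (not from the Microsoft article): Part 2 (anti-phishing) and Part 3
# (anti-spam) applied to the default policies with Exchange Online PowerShell, using the
# Standard-level choice wherever the article offers Standard or Strict. Assumes the
# ExchangeOnlineManagement module is installed and the account holds a role from the
# "Roles and permissions" table. Account, protected senders and custom domain are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder account

# Part 2, step 3: the default anti-phishing policy. The article marks the impersonation,
# mailbox-intelligence and most safety-tip settings (*) as Defender for Office 365 only.
$protectedUsers = @(                                   # placeholder senders; format "DisplayName;email"
    'Megan Bowen;megan.bowen@contoso.example',
    'Alex Wilber;alex.wilber@contoso.example'
)
$antiPhish = @{
    Identity                            = 'Office365 AntiPhish Default'
    PhishThresholdLevel                 = 2              # 2 = Aggressive (Standard); 3 = More Aggressive (Strict)
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    EnableOrganizationDomainsProtection = $true          # "Include domains I own"
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('partner.example')   # placeholder custom domain
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    EnableSpoofIntelligence             = $true
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedDomainProtectionAction      = 'Quarantine'
    MailboxIntelligenceProtectionAction = 'MoveToJmf'    # Standard; 'Quarantine' for Strict
    AuthenticationFailAction            = 'MoveToJmf'    # spoof verdict; 'Quarantine' for Strict
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableUnauthenticatedSender         = $true          # "(?)" for unauthenticated senders
    EnableViaTag                        = $true
}
Set-AntiPhishPolicy @antiPhish

# Part 3, step 3: the default inbound anti-spam policy.
$antiSpam = @{
    Identity                  = 'Default'
    BulkThreshold             = 6                # 6 = Standard; 5 = Strict
    SpamAction                = 'MoveToJmf'      # Standard; 'Quarantine' for Strict
    HighConfidenceSpamAction  = 'Quarantine'
    PhishSpamAction           = 'Quarantine'
    HighConfidencePhishAction = 'Quarantine'
    BulkSpamAction            = 'MoveToJmf'      # Standard; 'Quarantine' for Strict
    QuarantineRetentionPeriod = 30               # days
    InlineSafetyTipsEnabled   = $true
    ZapEnabled                = $true
    PhishZapEnabled           = $true
    SpamZapEnabled            = $true
}
Set-HostedContentFilterPolicy @antiSpam

# Read the key values back. Running only this part later shows drift from the
# recommended settings, which is the "review and revise" task in the post-setup section.
Get-AntiPhishPolicy -Identity $antiPhish.Identity |
    Select-Object PhishThresholdLevel, EnableTargetedUserProtection, EnableSpoofIntelligence,
                  TargetedUserProtectionAction, MailboxIntelligenceProtectionAction, AuthenticationFailAction
Get-HostedContentFilterPolicy -Identity $antiSpam.Identity |
    Select-Object BulkThreshold, SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                  HighConfidencePhishAction, BulkSpamAction, QuarantineRetentionPeriod, ZapEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Run Get-Help Set-AntiPhishPolicy -Full and Get-Help Set-HostedContentFilterPolicy -Full in the connected session first to confirm which of these parameters your subscription exposes.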

Part 4 - Protection from malicious URLs and files (Safe Links and Safe Attachments in
Defender for Office 365)

Time-of-click protection from malicious URLs and files is available in subscriptions that
include Microsoft Defender for Office 365. It's set up through Safe Attachments and Safe
Links policies.

Safe Attachments policies in Microsoft Defender for Office 365

For more information about the recommended settings for Safe Attachments, see Safe
Attachments settings.

1. Open the Safe Attachments page in the Microsoft 365 Defender portal at
https://security.microsoft.com/safeattachmentv2 .

2. On the Safe Attachments page, click Global settings, and then configure the
following settings on the flyout that appears:

Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft
Teams: Turn on this setting.

Important

Before you turn on Safe Attachments for SharePoint, OneDrive, and
Microsoft Teams, verify that audit logging is turned on in your
organization. This action is typically done by someone who has the
Audit Logs role assigned in Exchange Online. For more information, see
Turn audit log search on or off.

Turn on Safe Documents for Office clients: Turn on this setting. Note
that this feature is available and meaningful only with the required types of
licenses. For more information, see Safe Documents in Microsoft 365 E5.
Allow people to click through Protected View even if Safe Documents
identified the file as malicious: Verify this setting is turned off.

When you're finished, click Save.

3. Back on the Safe Attachments page, click Create.

4. In the Create Safe Attachments policy wizard that opens, configure the following
settings:

Name your policy page:
Name: Enter something unique and descriptive.
Description: Enter an optional description.
Users and domains page: Because this is your first policy and you likely want
to maximize coverage, consider entering your accepted domains in the
Domains box. Otherwise, you can use the Users and Groups boxes for more
granular control. You can specify exceptions by selecting Exclude these users,
groups, and domains and entering values.
Settings page:
Safe Attachments unknown malware response: Select Block.
Quarantine policy: The default value is blank, which means the
AdminOnlyAccessPolicy policy is used. Quarantine policies define what
users are able to do to quarantined messages, and whether users receive
quarantine notifications. For more information, see Quarantine policies.
Redirect attachment with detected attachments : Enable redirect: Turn
this setting on (select) and enter an email address to receive detected
messages.
Apply the Safe Attachments detection response if scanning can't
complete (timeout or errors): Verify this setting is selected.

5. When you're finished, click Submit, and then click Done.

6. (Recommended) As a global administrator or a SharePoint Online administrator,
run the Set-SPOTenant cmdlet with the DisallowInfectedFileDownload parameter
set to $true in SharePoint Online PowerShell.

$true blocks all actions (except Delete) for detected files. People can't open,
move, copy, or share detected files.
$false blocks all actions except Delete and Download. People can choose to
accept the risk and download a detected file.

7. Allow up to 30 minutes for your changes to spread to all Microsoft 365
datacenters.
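The same Safe Attachments procedure, carried out from Exchange Online PowerShell and SharePoint Online PowerShell, as an added example that is not code from the Microsoft article. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed; the account, the SharePoint admin URL and the redirect mailbox are constructed placeholders.

```powershell
# Added example (not from the Microsoft article): the Safe Attachments procedure above,
# applied with Exchange Online PowerShell and SharePoint Online PowerShell.
# Assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules
# are installed and that the account holds the roles named in "Roles and permissions".
# The account, admin URL and redirect mailbox below are constructed placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder account

# Step 2 (Global settings flyout): Safe Attachments for SharePoint, OneDrive and Teams on,
# Safe Documents on, and click-through past Protected View for flagged files off.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true -AllowSafeDocsOpen $false

# Step 4 (Settings page): Block unknown malware, redirect detected messages to a monitored
# mailbox, and apply the same verdict when scanning times out or errors out.
$policy = @{
    Name             = 'Safe Attachments - all accepted domains'
    AdminDisplayName = 'Block unknown malware; redirect detected messages for review'
    Enable           = $true
    Action           = 'Block'
    Redirect         = $true
    RedirectAddress  = 'attachment-review@contoso.example'   # placeholder shared mailbox
    ActionOnError    = $true
    # QuarantineTag omitted: blank means AdminOnlyAccessPolicy, as the article describes.
}
New-SafeAttachmentPolicy @policy

# Step 4 (Users and domains page): scope the policy to every accepted domain so the first
# policy maximises coverage. The rule binds recipients to the policy created above.
$acceptedDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() })
New-SafeAttachmentRule -Name $policy.Name -SafeAttachmentPolicy $policy.Name `
    -RecipientDomainIs $acceptedDomains

Disconnect-ExchangeOnline -Confirm:$false

# Step 6: block every action except Delete on files that Safe Attachments flags in
# SharePoint Online and OneDrive. $false would still let people download them.
Connect-SPOService -Url https://contoso-admin.sharepoint.com     # placeholder admin URL
Set-SPOTenant -DisallowInfectedFileDownload $true

# Read the value back so the change can be confirmed (and re-checked later for drift).
(Get-SPOTenant).DisallowInfectedFileDownload
Disconnect-SPOService
```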

For detailed instructions for configuring Safe Attachments policies and global settings
for Safe Attachments, see the following topics:

Set up Safe Attachments policies in Microsoft Defender for Office 365
Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
Safe Documents in Microsoft 365 E5

Safe Links policies in Microsoft Defender for Office 365

For more information about the recommended settings for Safe Links, see Safe Links
settings.

1. Open the Safe Links page in the Microsoft 365 Defender portal at
https://security.microsoft.com/safelinksv2, and then click Create.

2. In the Create Safe Links policy wizard that opens, configure the following settings:

Name your policy page:
Name: Enter something unique and descriptive.
Description: Enter an optional description.
Users and domains page: Because this is your first policy and you likely want
to maximize coverage, consider entering your accepted domains in the
Domains box. Otherwise, you can use the Users and Groups boxes for more
granular control. You can specify exceptions by selecting Exclude these users,
groups, and domains and entering values.
Url & click protection settings page:
Action on potentially malicious URLs within Emails section:
On: Safe Links checks a list of known, malicious links when users click
links in email: Select this setting (turn on).
Apply Safe Links to email messages sent within the organization:
Select this setting (turn on).
Apply real-time URL scanning for suspicious links and links that point
to files: Select this setting (turn on).
Wait for URL scanning to complete before delivering the message:
Select this setting (turn on).
Do not rewrite URLs, do checks via Safe Links API only: Verify this
setting is not selected (turn off).
Do not rewrite the following URLs in email: We have no specific
recommendation for this setting. For more information, see "Do not
rewrite the following URLs" lists in Safe Links policies.
Action for potentially malicious URLs in Microsoft Teams section:
On: Safe Links checks a list of known, malicious links when users click
links in Microsoft Teams: Select this setting (turn on).
Click protection settings section:
Track user clicks: Verify this setting is selected (turned on).
Let users click through to the original URL: Turn off this setting (not
selected).
Display the organization branding on notification and warning
pages: Selecting this setting (turning it on) is meaningful only after
you've followed the instructions in Customize the Microsoft 365
theme for your organization to upload your company logo.
Notification page:
How would you like to notify users? section: Optionally, you can select
Use custom notification text to enter customized notification text to use.
You can also select Use Microsoft Translator for automatic localization to
translate the custom notification text into the user's language. Otherwise,
leave Use the default notification text selected.

3. When you're finished, click Submit, and then click Done.

For detailed instructions for configuring Safe Links policies and global settings for Safe
Links, see Set up Safe Links policies in Microsoft Defender for Office 365.
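The Safe Links policy from the steps above, created with Exchange Online PowerShell, as an added example that is not code from the Microsoft article. It assumes the ExchangeOnlineManagement module is installed; the account and policy names are constructed placeholders, and the policy is scoped to the tenant's accepted domains as the Users and domains page suggests.

```powershell
# Added example (not from the Microsoft article): the Safe Links policy from the steps
# above, created with Exchange Online PowerShell. Assumes the ExchangeOnlineManagement
# module is installed; the account name and policy name are constructed placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder account

# Url & click protection settings page, one parameter per setting in the article.
$policy = @{
    Name                       = 'Safe Links - all accepted domains'
    EnableSafeLinksForEmail    = $true    # check known malicious links when users click
    EnableForInternalSenders   = $true    # also for messages sent within the organization
    ScanUrls                   = $true    # real-time scanning of suspicious links and links to files
    DeliverMessageAfterScan    = $true    # wait for scanning to complete before delivery
    DisableUrlRewrite          = $false   # keep URL rewriting on (API-only checks off)
    EnableSafeLinksForTeams    = $true
    TrackClicks                = $true    # record user clicks for later investigation
    AllowClickThrough          = $false   # users cannot click through to the original URL
    EnableOrganizationBranding = $false   # set $true only after uploading your company logo
    # DoNotRewriteUrls omitted: the article gives no specific recommendation for it.
}
New-SafeLinksPolicy @policy

# Users and domains page: apply the policy to recipients in every accepted domain.
$acceptedDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() })
New-SafeLinksRule -Name $policy.Name -SafeLinksPolicy $policy.Name `
    -RecipientDomainIs $acceptedDomains

# Read back the settings that most often drift from the recommended values.
Get-SafeLinksPolicy -Identity $policy.Name |
    Select-Object EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan,
                  DisableUrlRewrite, TrackClicks, AllowClickThrough

Disconnect-ExchangeOnline -Confirm:$false
```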

Now set up alerts for detected files in SharePoint Online or OneDrive for Business

To receive notification when a file in SharePoint Online or OneDrive for Business has
been identified as malicious, you can set up an alert as described in this section.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & collaboration > Policies & rules > Alert policy.

2. On the Alert policy page, click New alert policy.

3. The New alert policy wizard opens. On the Name page, configure the following
settings:

Name: Enter a unique and descriptive name. For example, you could type
Malicious Files in Libraries.
Description: Enter an optional description.
Severity: Select Low, Medium or High.
Category: Select Threat management.

When you're finished, click Next.

4. On the Create alert settings page, configure the following settings:

What do you want to alert on? section: Activity is > Detected malware in
file.
How do you want the alert to be triggered section: Verify Every time an
activity matches the rule is selected.

When you're finished, click Next.

5. On the Set your recipients page, configure the following settings:

Send email notifications: Verify this setting is selected.
Email recipients: Select one or more global administrators, security
administrators, or security readers who should receive notification when a
malicious file is detected.
Daily notification limit: Verify No limit is selected.

When you're finished, click Next.

6. On the Review your settings page, review your settings, verify Yes, turn it on right
away is selected, and then click Finish.

To learn more about alert policies, see Alert policies in the Microsoft Purview compliance
portal.

Note

When you're finished configuring, use these links to start workload investigations:

Threat protection status report
Use the Microsoft 365 Defender portal to manage quarantined files in
Defender for Office 365
What to do when a malicious file is found in SharePoint Online, OneDrive,
or Microsoft Teams
Manage quarantined messages and files as an admin in Microsoft 365

Post-setup tasks and next steps

After configuring the threat protection features, make sure to monitor how those
features are working! Review and revise your policies so that they do what you need
them to. Also, watch for new features and service updates that can add value.

What to do / Resources to learn more

See how threat protection features are working for your organization by viewing reports
    Email security reports
    Reports for Microsoft Defender for Office 365
    Threat Explorer

Periodically review and revise your threat protection policies as needed
    Secure Score
    Microsoft 365 threat investigation and response features

Watch for new features and service updates
    Standard and Targeted release options
    Message Center
    Microsoft 365 Roadmap
    Service Descriptions

Exchange Online Protection overview
Article • 12/22/2022 • 6 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Exchange Online Protection (EOP) is the cloud-based filtering service that protects your
organization against spam, malware, and other email threats. EOP is included in all
Microsoft 365 organizations with Exchange Online mailboxes.

Note

EOP is also available by itself to protect on-premises mailboxes and in hybrid
environments to protect on-premises Exchange mailboxes. For more information,
see Standalone Exchange Online Protection.

For the steps to set up EOP security features and a comparison to the added security that
you get in Microsoft Defender for Office 365, see Protect against threats. The
recommended settings for EOP features are available in Recommended settings for EOP
and Microsoft Defender for Office 365 security.

The rest of this article explains how EOP works and the features that are available in
EOP.

How EOP works

To understand how EOP works, it helps to see how it processes incoming email:

1. When an incoming message enters EOP, it initially passes through connection
filtering, which checks the sender's reputation. The majority of spam is stopped at
this point and rejected by EOP. For more information, see Configure connection
filtering.

2. Then the message is inspected for malware. If malware is found in the message or
the attachment(s), the message is delivered to quarantine. By default, only admins
can view and interact with malware quarantined messages. But, admins can create
and use quarantine policies to specify what users are allowed to do to quarantined
messages. To learn more about malware protection, see Anti-malware protection in
EOP.

3. The message continues through policy filtering, where it's evaluated against any
mail flow rules (also known as transport rules) that you've created. For example, a
rule can send a notification to a manager when a message arrives from a specific
sender.

In on-premises organizations with Exchange Enterprise CAL with Services licenses,
Microsoft Purview data loss prevention (DLP) checks in EOP also happen at this
point.

4. The message passes through content filtering (anti-spam and anti-spoofing) where
harmful messages are identified as spam, high confidence spam, phishing, high
confidence phishing, or bulk (anti-spam policies) or spoofing (spoof settings in
anti-phishing policies). You can configure the action to take on the message based
on the filtering verdict (quarantine, move to the Junk Email folder, etc.), and what
users can do to the quarantined messages using quarantine policies. For more
information, see Configure anti-spam policies and Configure anti-phishing policies
in EOP.

A message that successfully passes all of these protection layers is delivered to the
recipients.

For more information, see Order and precedence of email protection.

EOP datacenters
EOP runs on a worldwide network of datacenters that are designed to provide the best
availability. For example, if a datacenter becomes unavailable, email messages are
automatically routed to another datacenter without any interruption in service. Servers
in each datacenter accept messages on your behalf, providing a layer of separation
between your organization and the internet, thereby reducing load on your servers.
Through this highly available network, Microsoft can ensure that email reaches your
organization in a timely manner.

EOP performs load balancing between datacenters but only within a region. If you're
provisioned in one region, all your messages will be processed using the mail routing for
that region.

EOP features
This section provides a high-level overview of the main features that are available in
EOP.

For information about requirements, important limits, and feature availability across all
EOP subscription plans, see the Exchange Online Protection service description.

Notes:

EOP uses several URL block lists that help detect known malicious links within
messages.
EOP uses a vast list of domains that are known to send spam.
EOP uses multiple anti-malware engines to help automatically protect our
customers at all times.
EOP inspects the active payload in the message body and all message attachments
for malware.
For recommended values for protection policies, see Recommended settings for
EOP and Microsoft Defender for Office 365 security.
For quick instructions to configure protection policies, see Protect against threats.

Feature / Comments

Protection

Anti-malware
    Anti-malware protection in EOP
    Anti-malware protection FAQ
    Configure anti-malware policies in EOP

Inbound anti-spam
    Anti-spam protection in EOP
    Anti-spam protection FAQ
    Configure anti-spam policies in EOP

Outbound anti-spam
    Outbound spam protection in EOP
    Configure outbound spam filtering in EOP
    Control automatic external email forwarding in Microsoft 365

Connection filtering
    Configure connection filtering

Anti-phishing
    Anti-phishing policies in Microsoft 365
    Configure anti-phishing policies in EOP

Anti-spoofing protection
    Spoof intelligence insight in EOP
    Manage the Tenant Allow/Block List

Zero-hour auto purge (ZAP) for delivered malware, spam, and phishing messages
    ZAP in Exchange Online

Preset security policies
    Preset security policies in EOP and Microsoft Defender for Office 365
    Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365

Tenant Allow/Block List
    Manage the Tenant Allow/Block List

Block lists for message senders
    Create blocked sender lists in EOP

Allow lists for message senders
    Create safe sender lists in EOP

Directory Based Edge Blocking (DBEB)
    Use Directory Based Edge Blocking to reject messages sent to invalid recipients

Quarantine and submissions

Admin submission
    Use Admin submission to submit suspected spam, phish, URLs, and files to Microsoft

User reported message settings
    User reported message settings

Quarantine - admins
    Manage quarantined messages and files as an admin in EOP
    Quarantined messages FAQ
    Report messages and files to Microsoft
    Anti-spam message headers in Microsoft 365
    You can analyze the message headers of quarantined messages using the
    Message Header Analyzer at .

Quarantine - end-users
    Find and release quarantined messages as a user in EOP
    Use quarantine notifications to release and report quarantined messages
    Quarantine policies

Mail flow

Mail flow rules
    Mail flow rules (transport rules) in Exchange Online
    Mail flow rule conditions and exceptions (predicates) in Exchange Online
    Mail flow rule actions in Exchange Online
    Manage mail flow rules in Exchange Online
    Mail flow rule procedures in Exchange Online

Accepted domains
    Manage accepted domains in Exchange Online

Connectors
    Configure mail flow using connectors in Exchange Online

Enhanced Filtering for Connectors
    Enhanced filtering for connectors in Exchange Online

Monitoring

Message trace
    Message trace
    Message trace in the Exchange admin center

Email & collaboration reports
    View email security reports

Mail flow reports
    Mail flow reports in the Exchange admin center

Mail flow insights
    Mail flow insights in the Exchange admin center

Auditing reports
    Auditing reports in the Exchange admin center

Alert policies
    Alert policies

Service Level Agreements (SLAs) and support

Spam effectiveness SLA
    > 99%

False positive ratio SLA
    < 1:250,000

Virus detection and blocking SLA
    100% of known viruses

Monthly uptime SLA
    99.999%

Phone and web technical support 24 hours a day, seven days a week
    Help and support for EOP.

Other features

A geo-redundant global network of servers
    EOP runs on a worldwide network of datacenters that are designed to help
    provide the best availability. For more information, see the EOP
    datacenters section earlier in this article.

Message queuing when the on-premises server cannot accept mail
    Messages in deferral remain in our queues for one day. Message retry
    attempts are based on the error we get back from the recipient's mail
    system. On average, messages are retried every 5 minutes. For more
    information, see EOP queued, deferred, and bounced messages FAQ.

Office 365 Message Encryption available as an add-on
    For more information, see Encryption in Office 365.

Recommended settings for EOP and Microsoft Defender for Office 365 security

Article • 01/09/2023 • 24 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employees' inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. Microsoft Defender for Office 365 Plan 1 or Plan 2 contains additional features that give admins more layers of security, control, and investigation.

Although we empower security administrators to customize their security settings, there are two security levels in EOP and
Microsoft Defender for Office 365 that we recommend: Standard and Strict. Although customer environments and needs are
different, these levels of filtering will help prevent unwanted mail from reaching your employees' Inbox in most situations.

To automatically apply the Standard or Strict settings to users, see Preset security policies in EOP and Microsoft Defender for
Office 365.

This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users.
The tables contain the settings in the Microsoft 365 Defender portal and PowerShell (Exchange Online PowerShell or
standalone Exchange Online Protection PowerShell for organizations without Exchange Online mailboxes).

Note

The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help you (admins) find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at https://www.powershellgallery.com/packages/ORCA/.

In Microsoft 365 organizations, we recommend that you leave the Junk Email Filter in Outlook set to No automatic filtering to prevent unnecessary conflicts (both positive and negative) with the spam filtering verdicts from EOP. For more information, see the following articles:

Configure junk email settings on Exchange Online mailboxes
About junk email settings in Outlook
Change the level of protection in the Junk Email Filter
Create safe sender lists in EOP
Create blocked sender lists in EOP

Anti-spam, anti-malware, and anti-phishing protection in EOP

Anti-spam, anti-malware, and anti-phishing are EOP features that can be configured by admins. We recommend the following Standard or Strict configurations.

EOP anti-spam policy settings

To create and configure anti-spam policies, see Configure anti-spam policies in EOP.

Bulk email threshold & spam properties

Bulk email threshold (BulkThreshold): Default 7; Standard 6; Strict 5. For details, see Bulk complaint level (BCL) in EOP.

MarkAsSpamBulkMail: On for Default, Standard, and Strict. This setting is only available in PowerShell.

Increase spam score settings: Off for Default, Standard, and Strict. All of these settings are part of the Advanced Spam Filter (ASF). For more information, see the ASF settings in anti-spam policies section in this article.

Mark as spam settings: Off for Default, Standard, and Strict. Most of these settings are part of ASF. For more information, see the ASF settings in anti-spam policies section in this article.

Contains specific languages (EnableLanguageBlockList): Off ($false) for Default, Standard, and Strict. We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.

LanguageBlockList: Blank for Default, Standard, and Strict.

From these countries (EnableRegionBlockList): Off ($false) for Default, Standard, and Strict. We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.

RegionBlockList: Blank for Default, Standard, and Strict.

Test mode (TestModeAction): None for Default, Standard, and Strict. This setting is part of ASF. For more information, see the ASF settings in anti-spam policies section in this article.

Actions

Wherever you select Quarantine message, a Select quarantine policy box is available. Quarantine policies define what users are allowed to do to quarantined messages.

Standard and Strict preset security policies use the default quarantine policies (AdminOnlyAccessPolicy or DefaultFullAccessPolicy with no quarantine notifications) as described in the table here.

When you create a new anti-spam policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that particular verdict (AdminOnlyAccessPolicy with no quarantine notifications for High confidence phishing; DefaultFullAccessPolicy with no quarantine notifications for everything else).

Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users in the default or custom anti-spam policies. For more information, see Quarantine policies.

Spam detection action (SpamAction): Default Move message to Junk Email folder (MoveToJmf); Standard Move message to Junk Email folder (MoveToJmf); Strict Quarantine message (Quarantine).

High confidence spam detection action (HighConfidenceSpamAction): Default Move message to Junk Email folder (MoveToJmf); Standard Quarantine message (Quarantine); Strict Quarantine message (Quarantine).

Phishing detection action (PhishSpamAction): Default Move message to Junk Email folder (MoveToJmf)*; Standard Quarantine message (Quarantine); Strict Quarantine message (Quarantine). *The default value is Move message to Junk Email folder in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is Quarantine message in new anti-spam policies that you create in the Microsoft 365 Defender portal.

High confidence phishing detection action (HighConfidencePhishAction): Quarantine message (Quarantine) for Default, Standard, and Strict.

Bulk detection action (BulkSpamAction): Default Move message to Junk Email folder (MoveToJmf); Standard Move message to Junk Email folder (MoveToJmf); Strict Quarantine message (Quarantine).

Retain spam in quarantine for this many days (QuarantineRetentionPeriod): Default 15 days; Standard 30 days; Strict 30 days. This value also affects messages that are quarantined by anti-phishing policies. For more information, see Quarantined email messages in EOP.

Enable spam safety tips (InlineSafetyTipsEnabled): Selected ($true) for Default, Standard, and Strict.

Enable zero-hour auto purge (ZAP) for phishing messages (PhishZapEnabled): Selected ($true) for Default, Standard, and Strict.

Enable ZAP for spam messages (SpamZapEnabled): Selected ($true) for Default, Standard, and Strict.

Allow & block list

Allowed senders (AllowedSenders): None for Default, Standard, and Strict.

Allowed sender domains (AllowedSenderDomains): None for Default, Standard, and Strict. Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. Use the spoof intelligence insight and the Tenant Allow/Block List to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.

Blocked senders (BlockedSenders): None for Default, Standard, and Strict.

Blocked sender domains (BlockedSenderDomains): None for Default, Standard, and Strict.
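
As an added example (not the article's own code), the following PowerShell script audits every anti-spam policy against the Standard or Strict values above and can apply the drifted values on request. It assumes a connected Exchange Online PowerShell session; Get-HostedContentFilterPolicy and Set-HostedContentFilterPolicy are the Exchange Online cmdlets behind anti-spam policies, and the preset-policy name pattern is an assumption not stated in the table.

```powershell
# Added example, not from the Microsoft article: report (and optionally fix) drift
# between each anti-spam policy and the Standard/Strict values in the table above.
# Assumes Connect-ExchangeOnline has been run with an account that can read and
# edit anti-spam policies. The property names are the PowerShell names in the table.
param(
    [ValidateSet('Standard', 'Strict')]
    [string]$Baseline = 'Standard',
    [switch]$Remediate   # report only unless this switch is given
)

# Recommended values from the table, keyed by parameter name.
$baselines = @{
    Standard = @{
        BulkThreshold             = 6
        MarkAsSpamBulkMail        = 'On'
        SpamAction                = 'MoveToJmf'
        HighConfidenceSpamAction  = 'Quarantine'
        PhishSpamAction           = 'Quarantine'
        HighConfidencePhishAction = 'Quarantine'
        BulkSpamAction            = 'MoveToJmf'
        QuarantineRetentionPeriod = 30
        InlineSafetyTipsEnabled   = $true
        PhishZapEnabled           = $true
        SpamZapEnabled            = $true
    }
}
# Strict differs from Standard in three values only.
$baselines.Strict = $baselines.Standard.Clone()
$baselines.Strict.BulkThreshold  = 5
$baselines.Strict.SpamAction     = 'Quarantine'
$baselines.Strict.BulkSpamAction = 'Quarantine'

$expected = $baselines[$Baseline]
$report = foreach ($policy in Get-HostedContentFilterPolicy) {
    # Policies created by the Standard/Strict presets are managed by Microsoft and
    # are not editable here (assumption: their names contain 'Preset Security Policy').
    $isPreset = $policy.Name -like '*Preset Security Policy*'

    $drift = @{}
    foreach ($name in $expected.Keys) {
        # Compare as strings so 'On'/'Off', enum values and booleans all line up.
        if ("$($policy.$name)" -ne "$($expected[$name])") {
            $drift[$name] = $expected[$name]
        }
    }

    # The table warns that allowed sender domains bypass filtering entirely,
    # so list any entry regardless of the chosen baseline.
    $allowedDomains = @($policy.AllowedSenderDomains)

    [pscustomobject]@{
        Policy               = $policy.Name
        Preset               = $isPreset
        DriftingSettings     = ($drift.Keys | Sort-Object) -join ', '
        AllowedSenderDomains = $allowedDomains -join ', '
    }

    if ($Remediate -and -not $isPreset -and $drift.Count -gt 0) {
        # Splat only the settings that drifted; everything else is left untouched.
        Set-HostedContentFilterPolicy -Identity $policy.Identity @drift
        Write-Verbose "Updated $($policy.Name): $($drift.Keys -join ', ')"
    }
}

$report | Format-Table -AutoSize
```

Run it without -Remediate first; any non-empty AllowedSenderDomains column deserves a review on its own, since no baseline recommends entries there.
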

ASF settings in anti-spam policies

For more information about Advanced Spam Filter (ASF) settings in anti-spam policies, see Advanced Spam Filter (ASF) settings in EOP.

The following settings are Off for Default, Recommended Standard, and Recommended Strict:

Image links to remote sites (IncreaseScoreWithImageLinks)
Numeric IP address in URL (IncreaseScoreWithNumericIps)
URL redirect to other port (IncreaseScoreWithRedirectToOtherPort)
Links to .biz or .info websites (IncreaseScoreWithBizOrInfoUrls)
Empty messages (MarkAsSpamEmptyMessages)
Embed tags in HTML (MarkAsSpamEmbedTagsInHtml)
JavaScript or VBScript in HTML (MarkAsSpamJavaScriptInHtml)
Form tags in HTML (MarkAsSpamFormTagsInHtml)
Frame or iframe tags in HTML (MarkAsSpamFramesInHtml)
Web bugs in HTML (MarkAsSpamWebBugsInHtml)
Object tags in HTML (MarkAsSpamObjectTagsInHtml)
Sensitive words (MarkAsSpamSensitiveWordList)
SPF record: hard fail (MarkAsSpamSpfRecordHardFail)
Sender ID filtering hard fail (MarkAsSpamFromAddressAuthFail)
Backscatter (MarkAsSpamNdrBackscatter)

Test mode (TestModeAction): None for Default, Recommended Standard, and Recommended Strict. For ASF settings that support Test as an action, you can configure the test mode action to None, Add default X-Header text, or Send Bcc message (None, AddXHeader, or BccMessage). For more information, see Enable, disable, or test ASF settings.

EOP outbound spam policy settings

To create and configure outbound spam policies, see Configure outbound spam filtering in EOP.

For more information about the default sending limits in the service, see Sending limits.

Note

Outbound spam policies are not part of Standard or Strict preset security policies. The Standard and Strict values indicate our recommended values in the default outbound spam policy or custom outbound spam policies that you create.

Set an external message limit (RecipientLimitExternalPerHour): Default 0; Recommended Standard 500; Recommended Strict 400. The default value 0 means use the service defaults.

Set an internal message limit (RecipientLimitInternalPerHour): Default 0; Recommended Standard 1000; Recommended Strict 800. The default value 0 means use the service defaults.

Set a daily message limit (RecipientLimitPerDay): Default 0; Recommended Standard 1000; Recommended Strict 800. The default value 0 means use the service defaults.

Restriction placed on users who reach the message limit (ActionWhenThresholdReached): Default Restrict the user from sending mail until the following day (BlockUserForToday); Recommended Standard Restrict the user from sending mail (BlockUser); Recommended Strict Restrict the user from sending mail (BlockUser).

Automatic forwarding rules (AutoForwardingMode): Automatic - System-controlled (Automatic) for Default, Recommended Standard, and Recommended Strict.

Send a copy of outbound messages that exceed these limits to these users and groups (BccSuspiciousOutboundMail, BccSuspiciousOutboundAdditionalRecipients): Not selected ($false) and Blank for Default, Recommended Standard, and Recommended Strict. We have no specific recommendation for this setting. This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.

Notify these users and groups if a sender is blocked due to sending outbound spam (NotifyOutboundSpam, NotifyOutboundSpamRecipients): Not selected ($false) and Blank for Default, Recommended Standard, and Recommended Strict. The default alert policy named User restricted from sending email already sends email notifications to members of the TenantAdmins (Global admins) group when users are blocked due to exceeding the limits in policy. We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users. For instructions, see Verify the alert settings for restricted users.

EOP anti-malware policy settings

To create and configure anti-malware policies, see Configure anti-malware policies in EOP.

Protection settings

Enable the common attachments filter (EnableFileFilter): Selected ($true) for Default, Standard, and Strict. This setting quarantines messages that contain attachments based on file type, regardless of the attachment content. For the list of file types, see Anti-malware policies.

Common attachment filter notifications (When these file types are found) (FileTypeAction): Quarantine the message (Quarantine) for Default, Standard, and Strict.

Enable zero-hour auto purge for malware (ZapEnabled): Selected ($true) for Default, Standard, and Strict.

Quarantine policy: AdminOnlyAccessPolicy for Default, Standard, and Strict. When you create a new anti-malware policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as malware (AdminOnlyAccessPolicy with no quarantine notifications).

Standard and Strict preset security policies use the default quarantine policy (AdminOnlyAccessPolicy with no quarantine notifications) as described in the table here.

Admins can create and select custom quarantine policies that define more capabilities for users in the default or custom anti-malware policies. For more information, see Quarantine policies.

Admin notifications

Notify an admin about undelivered messages from internal senders (EnableInternalSenderAdminNotifications, InternalSenderAdminAddress): Not selected ($false) for Default, Standard, and Strict. We have no specific recommendation for this setting.

Notify an admin about undelivered messages from external senders (EnableExternalSenderAdminNotifications, ExternalSenderAdminAddress): Not selected ($false) for Default, Standard, and Strict. We have no specific recommendation for this setting.

Customize notifications: We have no specific recommendations for these settings.

Use customized notification text (CustomNotifications): Not selected ($false) for Default, Standard, and Strict.

From name (CustomFromName): Blank ($null) for Default, Standard, and Strict.

From address (CustomFromAddress): Blank ($null) for Default, Standard, and Strict.

Customize notifications for messages from internal senders: These settings are used only if Notify an admin about undelivered messages from internal senders is selected.

Subject (CustomInternalSubject): Blank ($null) for Default, Standard, and Strict.

Message (CustomInternalBody): Blank ($null) for Default, Standard, and Strict.

Customize notifications for messages from external senders: These settings are used only if Notify an admin about undelivered messages from external senders is selected.

Subject (CustomExternalSubject): Blank ($null) for Default, Standard, and Strict.

Message (CustomExternalBody): Blank ($null) for Default, Standard, and Strict.

EOP anti-phishing policy settings

For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies in EOP.

The spoof settings are inter-related, but the Show first contact safety tip setting has no dependency on spoof settings.

Phishing threshold & protection

Enable spoof intelligence (EnableSpoofIntelligence): Selected ($true) for Default, Standard, and Strict.

Actions

If message is detected as spoof (AuthenticationFailAction): Default Move message to the recipients' Junk Email folders (MoveToJmf); Standard Move message to the recipients' Junk Email folders (MoveToJmf); Strict Quarantine the message (Quarantine). This setting applies to spoofed senders that were automatically blocked as shown in the spoof intelligence insight or manually blocked in the Tenant Allow/Block List.

If you select Quarantine the message, an Apply quarantine policy box is available to select the quarantine policy that defines what users are allowed to do to messages that are quarantined as spoofing. When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined as spoofing (DefaultFullAccessPolicy with no quarantine notifications).

Standard and Strict preset security policies use the default quarantine policy (DefaultFullAccessPolicy with no quarantine notifications) as described in the table here.

Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users in the default or custom anti-phishing policies. For more information, see Quarantine policies.

Show first contact safety tip (EnableFirstContactSafetyTips): Not selected ($false) for Default, Standard, and Strict. For more information, see First contact safety tip.

Show (?) for unauthenticated senders for spoof (EnableUnauthenticatedSender): Selected ($true) for Default, Standard, and Strict. Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Unauthenticated sender indicators.

Show "via" tag (EnableViaTag): Selected ($true) for Default, Standard, and Strict. Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the MAIL FROM address. For more information, see Unauthenticated sender indicators.

Microsoft Defender for Office 365 security

Additional security benefits come with a Microsoft Defender for Office 365 subscription. For the latest news and information, you can see What's new in Defender for Office 365.

Important

The default anti-phishing policy in Microsoft Defender for Office 365 provides spoof protection and mailbox intelligence for all recipients. However, the other available impersonation protection features and advanced settings are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies.

Although there's no default Safe Attachments policy or Safe Links policy, the Built-in protection preset security policy provides Safe Attachments protection and Safe Links protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies or Safe Links policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protection and Safe Documents protection have no dependencies on Safe Links policies.

If your subscription includes Microsoft Defender for Office 365 or if you've purchased Defender for Office 365 as an add-on, set the following Standard or Strict configurations.

Anti-phishing policy settings in Microsoft Defender for Office 365

EOP customers get basic anti-phishing as previously described, but Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see Configure anti-phishing policies in Defender for Office 365.

Advanced settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about this setting, see Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365. To configure this setting, see Configure anti-phishing policies in Defender for Office 365.

Phishing email threshold (PhishThresholdLevel): Default 1 - Standard (1); Standard 3 - More aggressive (3); Strict 4 - Most aggressive (4).

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.

Phishing threshold & protection

Enable users to protect (impersonated user protection) (EnableTargetedUserProtection): Default Not selected ($false); Standard Selected ($true); Strict Selected ($true). We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.

TargetedUsersToProtect: Default none; Standard <list of users>; Strict <list of users>.

Enable domains to protect (impersonated domain protection): Default Not selected; Standard Selected; Strict Selected.

Include domains I own (EnableOrganizationDomainsProtection): Default Off ($false); Standard Selected ($true); Strict Selected ($true).

Include custom domains (EnableTargetedDomainsProtection): Default Off ($false); Standard Selected ($true); Strict Selected ($true). We recommend adding domains (sender domains) that you don't own, but you frequently interact with.

TargetedDomainsToProtect: Default none; Standard <list of domains>; Strict <list of domains>.

Add trusted senders and domains (ExcludedSenders, ExcludedDomains): None for Default, Standard, and Strict. Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.

Enable mailbox intelligence (EnableMailboxIntelligence): Selected ($true) for Default, Standard, and Strict.

Enable intelligence for impersonation protection (EnableMailboxIntelligenceProtection): Default Off ($false); Standard Selected ($true); Strict Selected ($true). This setting allows the specified action for impersonation detections by mailbox intelligence.

Actions

Wherever you select Quarantine the message, a Select quarantine policy box is available. Quarantine policies define what users are allowed to do to quarantined messages.

Standard and Strict preset security policies use the default quarantine policy (DefaultFullAccessPolicy with no quarantine notifications) as described in the table here.

When you create a new anti-phishing policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that verdict (DefaultFullAccessPolicy for all impersonation detection types).

Admins can create and select custom quarantine policies that define less restrictive or more restrictive capabilities for users in the default or custom anti-phishing policies. For more information, see Quarantine policies.

If message is detected as an impersonated user (TargetedUserProtectionAction): Default Don't apply any action (NoAction); Standard Quarantine the message (Quarantine); Strict Quarantine the message (Quarantine).

If message is detected as an impersonated domain (TargetedDomainProtectionAction): Default Don't apply any action (NoAction); Standard Quarantine the message (Quarantine); Strict Quarantine the message (Quarantine).

If mailbox intelligence detects an impersonated user (MailboxIntelligenceProtectionAction): Default Don't apply any action (NoAction); Standard Move message to the recipients' Junk Email folders (MoveToJmf); Strict Quarantine the message (Quarantine).

Show user impersonation safety tip (EnableSimilarUsersSafetyTips): Default Off ($false); Standard Selected ($true); Strict Selected ($true).

Show domain impersonation safety tip (EnableSimilarDomainsSafetyTips): Default Off ($false); Standard Selected ($true); Strict Selected ($true).

Show user impersonation unusual characters safety tip (EnableUnusualCharactersSafetyTips): Default Off ($false); Standard Selected ($true); Strict Selected ($true).

EOP anti-phishing policy settings in Microsoft Defender for Office 365

These are the same settings that are available in anti-spam policy settings in EOP.
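
The following PowerShell, added here as an example rather than taken from the article, applies the Strict column of both the EOP spoof settings table and the Defender for Office 365 advanced and impersonation tables to the default anti-phishing policy and then verifies the result. It assumes a connected Exchange Online session with a Defender for Office 365 license, that the built-in default policy is named 'Office365 AntiPhish Default', and uses constructed placeholder users and domains.

```powershell
# Added example, not from the Microsoft article: apply the Strict anti-phishing
# values from the tables above to the default policy, then read it back and list
# anything that did not take. Assumes Connect-ExchangeOnline has been run.
# 'Office365 AntiPhish Default' is the name of the built-in default policy; the
# protected user and domain values below are constructed placeholders.
$policyName = 'Office365 AntiPhish Default'

# Spoof settings (EOP anti-phishing table).
$spoof = @{
    EnableSpoofIntelligence     = $true
    AuthenticationFailAction    = 'Quarantine'   # Strict; Default and Standard use MoveToJmf
    EnableUnauthenticatedSender = $true
    EnableViaTag                = $true
    # EnableFirstContactSafetyTips is left alone: the table recommends no change.
}

# Advanced threshold and impersonation settings (Defender for Office 365 tables).
$impersonation = @{
    PhishThresholdLevel                 = 4            # 4 - Most aggressive
    EnableTargetedUserProtection        = $true
    # Entries use the form "DisplayName;EmailAddress"; placeholder senior leader.
    TargetedUsersToProtect              = @('Jane Doe;jane.doe@contoso.example')
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('fabrikam.example')  # placeholder partner domain
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedDomainProtectionAction      = 'Quarantine'
    MailboxIntelligenceProtectionAction = 'Quarantine'  # Standard uses MoveToJmf here
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}

Set-AntiPhishPolicy -Identity $policyName @spoof @impersonation

# Verify: re-read the policy and compare every value that was just set.
$after    = Get-AntiPhishPolicy -Identity $policyName
$expected = $spoof + $impersonation
$mismatch = foreach ($name in $expected.Keys) {
    # Multi-valued properties are joined so lists compare as one string.
    $want = @($expected[$name]) -join ','
    $have = @($after.$name) -join ','
    if ($want -ne $have) {
        [pscustomobject]@{ Setting = $name; Expected = $want; Actual = $have }
    }
}
if ($mismatch) { $mismatch | Format-Table -AutoSize }
else { "All $($expected.Count) settings on '$policyName' match the Strict values." }
```

Populate ExcludedSenders and ExcludedDomains separately once you have confirmed false positives, as the table advises; nothing is added to them here.
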

Safe Attachments settings

Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Attachments policy. For more information, see Safe Attachments in Defender for Office 365.

Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

Global settings for Safe Attachments

Note

The global settings for Safe Attachments are set by the Built-in protection preset security policy, but not by the Standard or Strict preset security policies. Either way, admins can modify these global Safe Attachments settings at any time.

The Default column shows the values before the existence of the Built-in protection preset security policy. The Built-in protection column shows the values that are set by the Built-in protection preset security policy, which are also our recommended values.

To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents in Microsoft 365 E5.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams (EnableATPForSPOTeamsODB): Default Off ($false); Built-in protection On ($true). To prevent users from downloading malicious files, see Use SharePoint Online PowerShell to prevent users from downloading malicious files.

Turn on Safe Documents for Office clients (EnableSafeDocs): Default Off ($false); Built-in protection On ($true). This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 A5 or Microsoft 365 E5 Security). For more information, see Safe Documents in Microsoft 365 A5 or E5 Security.

Allow people to click through Protected View even if Safe Documents identified the file as malicious (AllowSafeDocsOpen): Default Off ($false); Built-in protection Off ($false). This setting is related to Safe Documents.

Safe Attachments policy settings

To configure these settings, see Set up Safe Attachments policies in Defender for Office 365.

In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.

Note

As described earlier, there is no default Safe Attachments policy, but Safe Attachments protection is assigned to all recipients by the Built-in protection preset security policy (users who aren't defined in any Safe Attachments policies).

The Default in custom column refers to the default values in new Safe Attachments policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.

Safe Attachments unknown malware response (Enable and Action): Default in custom Off (-Enable $false and -Action Block); Built-in protection Block (-Enable $true and -Action Block); Standard Block (-Enable $true and -Action Block); Strict Block (-Enable $true and -Action Block). When the Enable parameter is $false, the value of the Action parameter doesn't matter.

Quarantine policy (QuarantineTag): AdminOnlyAccessPolicy for Default in custom, Built-in protection, Standard, and Strict. Standard and Strict preset security policies use the default quarantine policy (AdminOnlyAccessPolicy with no quarantine notifications) as described in the table here.

When you create a new Safe Attachments policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by Safe Attachments (AdminOnlyAccessPolicy with no quarantine notifications).

Admins can create and select custom quarantine policies that define more capabilities for users. For more information, see Quarantine policies.

Redirect attachment with detected attachments: Enable redirect (Redirect) and Redirect (RedirectAddress): Default in custom Not selected and no email address specified (-Redirect $false; RedirectAddress is blank ($null)); Built-in protection Not selected and no email address specified (-Redirect $false; RedirectAddress is blank ($null)); Standard Selected and specify an email address (-Redirect $true; RedirectAddress is an email address); Strict Selected and specify an email address (-Redirect $true; RedirectAddress is an email address). Redirect messages to a security admin for review.

Note: This setting is not configured in the Standard, Strict, or Built-in protection preset security policies. The Standard and Strict values indicate our recommended values in new Safe Attachments policies that you create.

Apply the Safe Attachments detection response if scanning can't complete (timeout or errors) (ActionOnError): Selected ($true) for Default in custom, Built-in protection, Standard, and Strict.
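
As an added example (not code from the article), the following PowerShell sets the global Safe Attachments settings to the Built-in protection values above and creates or updates a custom Safe Attachments policy with the Strict values, including the redirect that the presets do not configure. It assumes a connected Exchange Online session with a Defender for Office 365 license; the policy name, redirect mailbox and recipient domain are constructed placeholders, and New-SafeAttachmentRule and Get-SafeAttachmentRule (the cmdlets that scope a policy to recipients) are not mentioned in the table.

```powershell
# Added example, not from the Microsoft article: global Safe Attachments settings
# per the Built-in protection column, then a custom policy with the Strict column.
# Assumes Connect-ExchangeOnline has been run. Names and addresses are placeholders.

# Global settings, applied with Set-AtpPolicyForO365 as the article states.
$global = @{
    EnableATPForSPOTeamsODB = $true
    EnableSafeDocs          = $true    # only meaningful with Microsoft 365 A5 / E5 Security licensing
    AllowSafeDocsOpen       = $false   # do not let users click through Protected View on a flagged file
}
Set-AtpPolicyForO365 @global

# Policy settings, Strict column of the table above.
$policyName = 'Strict Safe Attachments (custom)'
$policy = @{
    Enable          = $true
    Action          = 'Block'
    QuarantineTag   = 'AdminOnlyAccessPolicy'
    Redirect        = $true
    RedirectAddress = 'secops-review@contoso.example'   # placeholder security admin mailbox
    ActionOnError   = $true     # apply the Block response when scanning times out or errors
}

if (Get-SafeAttachmentPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-SafeAttachmentPolicy -Identity $policyName @policy
} else {
    New-SafeAttachmentPolicy -Name $policyName @policy
}

# A policy protects nobody until a rule scopes it to recipients.
$ruleName = "$policyName rule"
if (-not (Get-SafeAttachmentRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentRule -Name $ruleName -SafeAttachmentPolicy $policyName `
        -RecipientDomainIs 'contoso.example'
}

# Read back the values that define the Strict baseline.
Get-SafeAttachmentPolicy -Identity $policyName |
    Select-Object Name, Enable, Action, QuarantineTag, Redirect, RedirectAddress, ActionOnError |
    Format-List
```
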

Safe Links settings


Safe Links in Defender for Office 365 includes global settings that apply to all users who are included in active Safe Links
policies, and settings that are specific to each Safe Links policy. For more information, see Safe Links in Defender for Office
365.

Although there's no default Safe Links policy, the Built-in protection preset security policy provides Safe Links protection to
all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Links policies). For
more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

Global settings for Safe Links

7 Note

The global settings for Safe Links are set by the Built-in protection preset security policy, but not by the Standard or
Strict preset security policies. Either way, admins can modify these global Safe Links settings at any time.

The Default column shows the values before the existence of the Built-in protection preset security policy. The Built-in
protection column shows the values that are set by the Built-in protection preset security policy, which are also our
recommended values.

To configure these settings, see Configure global settings for Safe Links in Defender for Office 365.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

Security Default Built-in Comment


feature protection
name

Block the Blank


Blank
We have no specific recommendation for this setting.

following

URLs
$null $null For more information, see "Block the following URLs" list for Safe Links.

ExcludedUrls Note: You can now manage block URL entries in the Tenant Allow/Block List. The "Block the following
URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the
"Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages
containing the blocked URL will be quarantined.

Safe Links policy settings


To configure these settings, see Set up Safe Links policies in Microsoft Defender for Office 365.

In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for these settings.

7 Note
As described earlier, there's no default Safe Links policy, but Safe Links protection is assigned to all recipients by the
Built-in protection preset security policy (users who otherwise aren't included in any Safe Links policies).

The Default in custom column refers to the default values in new Safe Links policies that you create. The remaining
columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.

The columns for each setting are Default in custom, Built-in protection, Standard, and Strict, followed by a comment where one applies.

URL & click protection settings

Action on potentially malicious URLs within Emails: On: Safe Links checks a list of known, malicious links when users click links in email (EnableSafeLinksForEmail)
Default in custom: Not selected ($false)
Built-in protection: Selected ($true)
Standard: Selected ($true)
Strict: Selected ($true)

Apply Safe Links to email messages sent within the organization (EnableForInternalSenders)
Default in custom: Not selected ($false)
Built-in protection: Not selected ($false)
Standard: Selected ($true)
Strict: Selected ($true)

Apply real-time URL scanning for suspicious links and links that point to files (ScanUrls)
Default in custom: Not selected ($false)
Built-in protection: Selected ($true)
Standard: Selected ($true)
Strict: Selected ($true)

Wait for URL scanning to complete before delivering the message (DeliverMessageAfterScan)
Default in custom: Not selected ($false)
Built-in protection: Selected ($true)
Standard: Selected ($true)
Strict: Selected ($true)

Do not rewrite URLs, do checks via Safe Links API only (DisableURLRewrite)
Default in custom: Not selected ($false)
Built-in protection: Selected ($true)
Standard: Not selected ($false)
Strict: Not selected ($false)

Do not rewrite the following URLs in email (DoNotRewriteUrls)
All columns (Default in custom, Built-in protection, Standard, Strict): Blank ($null)
Comment: We have no specific recommendation for this setting. Note: Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use allow URL entries in the Tenant Allow/Block List so URLs are not scanned or wrapped by Safe Links during mail flow and at time of click.

Action for potentially malicious URLs in Microsoft Teams: On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams (EnableSafeLinksForTeams)
Default in custom: Not selected ($false)
Built-in protection: Selected ($true)
Standard: Selected ($true)
Strict: Selected ($true)

Action for potentially malicious URLs in Microsoft Office apps: On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps (EnableSafeLinksForOffice)
All columns (Default in custom, Built-in protection, Standard, Strict): Selected ($true)
Comment: Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see Safe Links settings for Office apps.

Click protection settings

Track user clicks (TrackClicks)
All columns (Default in custom, Built-in protection, Standard, Strict): Selected ($true)

Let users click through to the original URL (AllowClickThrough)
Default in custom: Selected ($true)
Built-in protection: Selected ($true)
Standard: Not selected ($false)
Strict: Not selected ($false)
Comment: Turning off this setting (setting AllowClickThrough to $false) prevents click through to the original URL.

Display the organization branding on notification and warning pages (EnableOrganizationBranding)
All columns (Default in custom, Built-in protection, Standard, Strict): Not selected ($false)
Comment: We have no specific recommendation for this setting. Before you turn on this setting, you need to follow the instructions in Customize the Microsoft 365 theme for your organization to upload your company logo.

Notification

How would you like to notify your users? (CustomNotificationText, UseTranslatedNotificationText)
All columns (Default in custom, Built-in protection, Standard, Strict): Use the default notification text (CustomNotificationText: Blank ($null); UseTranslatedNotificationText: $false)
Comment: We have no specific recommendation for this setting. You can select Use custom notification text (-CustomNotificationText "<Custom text>") to enter and use customized notification text. If you specify custom text, you can also select Use Microsoft Translator for automatic localization (-UseTranslatedNotificationText $true) to automatically translate the text into the user's language.
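As an added example (not code from Microsoft's documentation or product), the following PowerShell turns the Standard/Strict column of the table above into a reusable value set: it creates a Safe Links policy and rule with those values for a pilot group, and it checks existing policies for drift from them. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with rights to manage Safe Links, and an existing mail-enabled pilot group named MDOPilot_SafeLinks; both are assumptions.

```powershell
# Added example; not code from Microsoft's documentation or product.
# Assumptions: an Exchange Online PowerShell session (Connect-ExchangeOnline) with
# permission to manage Safe Links, and a mail-enabled pilot group named
# MDOPilot_SafeLinks that already exists.

# Recommended values from the Standard and Strict columns of the Safe Links
# policy settings table. Both columns specify the same value for every setting.
$RecommendedSafeLinks = [ordered]@{
    EnableSafeLinksForEmail    = $true
    EnableForInternalSenders   = $true
    ScanUrls                   = $true
    DeliverMessageAfterScan    = $true
    DisableUrlRewrite          = $false
    EnableSafeLinksForTeams    = $true
    EnableSafeLinksForOffice   = $true
    TrackClicks                = $true
    AllowClickThrough          = $false
    EnableOrganizationBranding = $false
}

function New-RecommendedSafeLinksPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $PilotGroup,
        [int] $Priority = 0
    )
    # Splat the table so every setting is set explicitly instead of falling back
    # to the "Default in custom" values (for example, ScanUrls defaults to $false).
    New-SafeLinksPolicy -Name $Name @RecommendedSafeLinks | Out-Null
    # A policy applies to nobody until a rule scopes it; this rule scopes it to the pilot group.
    New-SafeLinksRule -Name $Name -SafeLinksPolicy $Name -SentToMemberOf $PilotGroup -Priority $Priority | Out-Null
}

function Test-SafeLinksPolicyDrift {
    # Compares one existing policy with the recommended values and returns one
    # object per deviation, so an empty result means "matches Standard/Strict".
    param([Parameter(Mandatory)] [string] $Identity)
    $policy   = Get-SafeLinksPolicy -Identity $Identity
    $findings = [System.Collections.Generic.List[object]]::new()
    foreach ($setting in $RecommendedSafeLinks.Keys) {
        $actual = $policy.$setting
        if ($actual -ne $RecommendedSafeLinks[$setting]) {
            $findings.Add([pscustomobject]@{
                Policy      = $policy.Name
                Setting     = $setting
                Actual      = $actual
                Recommended = $RecommendedSafeLinks[$setting]
            })
        }
    }
    # Entries in "Do not rewrite the following URLs" are neither scanned nor wrapped
    # during mail flow (see the table above), so each entry is reported for review
    # rather than treated as a pass/fail value.
    foreach ($url in @($policy.DoNotRewriteUrls)) {
        if ($url) {
            $findings.Add([pscustomobject]@{
                Policy      = $policy.Name
                Setting     = 'DoNotRewriteUrls'
                Actual      = $url
                Recommended = 'review; prefer allow URL entries in the Tenant Allow/Block List'
            })
        }
    }
    return $findings
}

function Repair-SafeLinksPolicy {
    # Applies the recommended values to an existing policy with Set-SafeLinksPolicy.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Identity)
    if ($PSCmdlet.ShouldProcess($Identity, 'Apply recommended Safe Links values')) {
        Set-SafeLinksPolicy -Identity $Identity @RecommendedSafeLinks
    }
}

# Usage (assumed names):
# New-RecommendedSafeLinksPolicy -Name 'MDOPilot Safe Links' -PilotGroup 'MDOPilot_SafeLinks'
# Get-SafeLinksPolicy | ForEach-Object { Test-SafeLinksPolicyDrift -Identity $_.Name } | Format-Table
# Repair-SafeLinksPolicy -Identity 'Legacy Safe Links' -WhatIf
```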

Related articles
Are you looking for best practices for Exchange mail flow rules (also known as transport rules)? See Best practices for
configuring mail flow rules in Exchange Online.

Admins and users can submit false positives (good email marked as bad) and false negatives (bad email allowed) to
Microsoft for analysis. For more information, see Report messages and files to Microsoft.

Use these links for info on how to set up your EOP service, and configure Microsoft Defender for Office 365. Don't
forget the helpful directions in 'Protect Against Threats in Office 365'.

Security baselines for Windows can be found here: Where can I get the security baselines? for GPO/on-premises
options, and Use security baselines to configure Windows devices in Intune for Intune-based security. Finally, a
comparison between Microsoft Defender for Endpoint and Microsoft Intune security baselines is available in Compare
the Microsoft Defender for Endpoint and the Windows Intune security baselines.
Microsoft Defender for Office 365 permissions in the Microsoft 365 Defender portal
Article • 12/15/2022 • 6 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2


Exchange Online Protection
Microsoft 365 Defender

Global roles in Azure Active Directory (Azure AD) allow you to manage permissions and
access to capabilities in all of Microsoft 365, which also includes Microsoft Defender for
Office 365. But, if you need to limit permissions and capabilities to security features in
Defender for Office 365 only, you can assign Email & collaboration permissions in the
Microsoft 365 Defender portal.

To manage Defender for Office 365 permissions in the Microsoft 365 Defender portal,
go to Permissions & roles > expand Email & collaboration roles > select Roles or go
directly to https://security.microsoft.com/securitypermissions. You need to be a
Global administrator or a member of the Organization Management role group in
Defender for Office 365 permissions. Specifically, the Role Management role in
Defender for Office 365 allows users to view, create, and modify Defender for Office 365
role groups. By default, that role is assigned only to the Organization Management role
group (and by extension, global administrators).

Note

Some Defender for Office 365 features require additional permissions in Exchange
Online. For more information, see Permissions in Exchange Online.

In the Microsoft 365 Defender preview program, a different Microsoft Defender 365
RBAC model is also available. The permissions in this RBAC model are different
from the Defender for Office 365 permissions as described in this article. For more
information, see Microsoft 365 Defender role-based access control (RBAC).

For information about permissions in the Microsoft Purview compliance portal, see
Permissions in the Microsoft Purview compliance portal.

Relationship of members, roles, and role groups
Defender for Office 365 permissions in the Microsoft 365 Defender portal are based on
the role-based access control (RBAC) permissions model. RBAC is the same permissions
model that's used by most Microsoft 365 services, so if you're familiar with the
permission structure in these services, granting permissions in the Microsoft 365
Defender portal will be very familiar.

A role grants the permissions to do a set of tasks.

A role group is a set of roles that lets people do their jobs in the Microsoft 365
Defender portal.

Defender for Office 365 permissions in the Microsoft 365 Defender portal include
default role groups for the most common tasks and functions that you'll need to assign.
Generally, we recommend simply adding individual users as members to the default role
groups.


Roles and role groups in the Microsoft 365 Defender portal
The following types of roles and role groups are available on the Permissions & roles
page at https://security.microsoft.com/securitypermissions in the Microsoft 365
Defender portal:

Azure AD roles: You can view the roles and assigned users, but you can't manage
them directly in the Microsoft 365 Defender portal. Azure AD roles are central roles
that assign permissions for all Microsoft 365 services.

Email & collaboration roles: You can view and manage these role groups directly
in the Microsoft 365 Defender portal. These permissions are specific to the
Microsoft 365 Defender portal and the Microsoft Purview compliance portal, and
don't cover all of the permissions that are needed in other Microsoft 365
workloads.

Azure AD roles in the Microsoft 365 Defender portal

When you open the Microsoft 365 Defender portal at https://security.microsoft.com
and go to Email & collaboration roles > Permissions & roles > Azure AD roles > Roles
(or directly to https://security.microsoft.com/aadpermissions) you'll see the Azure AD
roles that are described in this section.

When you select a role, a details flyout that contains the description of the role and the
user assignments appears. But to manage those assignments, you need to click Manage
members in Azure AD in the details flyout.

For more information, see View and assign administrator roles in Azure Active Directory
and Manage access to Microsoft 365 Defender with Azure Active Directory global roles.

Global administrator: Access to all administrative features in all Microsoft 365 services. Only global administrators can assign other administrator roles. For more information, see Global Administrator / Company Administrator.

Compliance data administrator: Keep track of your organization's data across Microsoft 365, make sure it's protected, and get insights into any issues to help mitigate risks. For more information, see Compliance Data Administrator.

Compliance administrator: Help your organization stay compliant with any regulatory requirements, manage eDiscovery cases, and maintain data governance policies across Microsoft 365 locations, identities, and apps. For more information, see Compliance Administrator.

Security operator: View, investigate, and respond to active threats to your Microsoft 365 users, devices, and content. For more information, see Security Operator.

Security reader: View and investigate active threats to your Microsoft 365 users, devices, and content, but (unlike the Security operator) they do not have permissions to respond by taking action. For more information, see Security Reader.

Security administrator: Control your organization's overall security by managing security policies, reviewing security analytics and reports across Microsoft 365 products, and staying up-to-speed on the threat landscape. For more information, see Security Administrator.

Global reader: The read-only version of the Global administrator role. View all settings and administrative information across Microsoft 365. For more information, see Global Reader.

Attack simulation administrator: Create and manage all aspects of attack simulation creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see Attack Simulation Administrator.

Attack payload author: Create attack payloads but not actually launch or schedule them. For more information, see Attack Payload Author.

Email & collaboration roles in the Microsoft 365 Defender portal
In the Microsoft 365 Defender portal at https://security.microsoft.com > Email &
collaboration roles > Permissions & roles page > Email & collaboration roles > Roles
(or directly at https://security.microsoft.com/emailandcollabpermissions) you'll see the
same role groups that are available in the Microsoft Purview compliance portal at
https://compliance.microsoft.com > Permissions page > Microsoft Purview solutions
> Roles (or directly at https://compliance.microsoft.com/compliancecenterpermissions).

For complete information about these role groups, see Roles and role groups in the
Microsoft 365 Defender and Microsoft Purview compliance portals.

Modify Email & collaboration role membership in the Microsoft 365 Defender portal

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & collaboration roles > Permissions & roles > Email & collaboration roles >
Roles. To go directly to the Permissions page, use
https://security.microsoft.com/emailandcollabpermissions.

2. On the Permissions page, select the role group that you want to modify from the
list. You can click on the Name column header to sort the list by name, or you can
click Search to find the role group.

3. In the role group details flyout that appears, click Edit in the Members section.

4. In the Editing choose members page that appears, do one of the following steps:
If there are no role group members, click Choose members.
If there are existing role group members, click Edit.

5. In the Choose members flyout that appears, do one of the following steps:
Click Add. In the list of users that appears, select one or more users. Or, you
can click Search to find and select users. When you've selected the users that
you want to add, click Add.
Click Remove. Select one or more of the existing members. Or, you can click
Search to find and select members. When you've selected the users that you
want to remove, click Remove.

6. Back on the Choose members flyout, click Done.

7. Back on the Editing choose members page, click Save.

8. Back on the role group details flyout, click Done.
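As an added example (not code from Microsoft's documentation), the following PowerShell complements the portal steps above with two checks a reviewer of these permissions usually wants: an audit of which role groups and members hold the Role Management role (which the article says should be Organization Management only by default), and a scripted equivalent of steps 4 and 5 for changing role group membership. It assumes a Security & Compliance PowerShell session (Connect-IPPSSession from the ExchangeOnlineManagement module) is where these role groups are exposed; the session, the example member address and the role group names in the usage lines are assumptions.

```powershell
# Added example; not code from Microsoft's documentation or product.
# Assumption: a Security & Compliance PowerShell session (Connect-IPPSSession from the
# ExchangeOnlineManagement module), which exposes the Email & collaboration role
# groups shown on the Permissions page, including Organization Management.

function Get-RoleHolders {
    # Lists every member of every role group that carries the named role. With the
    # default 'Role Management', it answers "who can create or modify Defender for
    # Office 365 role groups?", which should normally be Organization Management only.
    param([string] $RoleName = 'Role Management')
    $pattern = [regex]::Escape($RoleName)
    foreach ($group in Get-RoleGroup) {
        # Roles is a collection of role names; -match on a collection returns the matches,
        # so an empty result means the group does not carry the role.
        if (-not ($group.Roles -match $pattern)) { continue }
        foreach ($member in Get-RoleGroupMember -Identity $group.Name) {
            [pscustomobject]@{
                RoleGroup     = $group.Name
                Role          = $RoleName
                Member        = $member.Name
                # Anything outside Organization Management is an explicit grant to review.
                ExpectedGroup = ($group.Name -eq 'Organization Management')
            }
        }
    }
}

function Update-RoleGroupMembership {
    # Scripted equivalent of steps 4 and 5 above: add and/or remove members of an
    # Email & collaboration role group, then return the resulting membership.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $RoleGroup,
        [string[]] $Add    = @(),
        [string[]] $Remove = @()
    )
    foreach ($m in $Add) {
        if ($PSCmdlet.ShouldProcess($RoleGroup, "Add member $m")) {
            Add-RoleGroupMember -Identity $RoleGroup -Member $m
        }
    }
    foreach ($m in $Remove) {
        if ($PSCmdlet.ShouldProcess($RoleGroup, "Remove member $m")) {
            Remove-RoleGroupMember -Identity $RoleGroup -Member $m -Confirm:$false
        }
    }
    Get-RoleGroupMember -Identity $RoleGroup | Select-Object Name
}

# Usage (assumed names):
# Get-RoleHolders | Where-Object { -not $_.ExpectedGroup } | Format-Table
# Update-RoleGroupMembership -RoleGroup 'Security Reader' -Add 'analyst@contoso.com' -WhatIf
```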


Migrate from a third-party protection service or device to Microsoft Defender for Office 365
Article • 12/06/2022 • 4 minutes to read

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2

If you already have an existing third-party protection service or device that sits in front
of Microsoft 365, you can use this guide to migrate your protection to Microsoft
Defender for Office 365 to get the benefits of a consolidated management experience,
potentially reduced cost (using products that you already pay for), and a mature product
with integrated security protection. For more information, see Microsoft Defender for
Office 365.

Watch this short video to learn more about migrating to Defender for Office 365.
https://www.microsoft.com/en-us/videoplayer/embed/RWRwfH?postJsllMsg=true

This guide provides specific and actionable steps for your migration, and assumes the
following facts:

You already have Microsoft 365 mailboxes, but you're currently using a third-party
service or device for email protection. Mail from the internet flows through the
protection service before delivery into your Microsoft 365 organization, and
Microsoft 365 protection is as low as possible (it's never completely off; for
example, malware protection is always enforced).

You're beyond the investigation and consideration phase for protection by
Defender for Office 365. If you need to evaluate Defender for Office 365 to decide
whether it's right for your organization, we recommend that you consider the
options described in Try Microsoft Defender for Office 365.

You've already purchased Defender for Office 365 licenses.

You need to retire your existing third-party protection service, which means you'll
ultimately need to point the MX records for your email domains to Microsoft 365.
When you're done, mail from the internet will flow directly into Microsoft 365 and
will be protected exclusively by Exchange Online Protection (EOP) and Defender
for Office 365.

Eliminating your existing protection service in favor of Defender for Office 365 is a big
step that you shouldn't take lightly, nor should you rush to make the change. The
guidance in this migration guide will help you transition your protection in an orderly
manner with minimal disruption to your users.

The very high-level migration steps are illustrated in the following diagram. The actual
steps are listed in the section named The migration process later in this article.

Why use the steps in this guide?


In the IT industry, surprises are generally bad. Simply flipping your MX records to point
to Microsoft 365 without prior and thoughtful testing will result in many surprises. For
example:

You or your predecessors have likely spent a lot of time and effort customizing
your existing protection service for optimal mail delivery (in other words, blocking
what needs to be blocked, and allowing what needs to be allowed). It's almost a
guaranteed certainty that not every customization in your current protection
service is required in Defender for Office 365. It's also very possible that Defender
for Office 365 will introduce new issues (allows or blocks) that didn't happen or
weren't required in your current protection service.
Your help desk and security personnel need to know what to do in Defender for
Office 365. For example, if a user complains about a missing message, does your
help desk know where or how to look for it? They're likely familiar with the tools in
your existing protection service, but what about the tools in Defender for Office
365?

In contrast, if you follow the steps in this migration guide, you'll get the following
tangible benefits for your migration:

Minimal disruption to users.
Objective data from Defender for Office 365 that you can use as you report on the
progress and success of the migration to management.
Early involvement and instruction for help desk and security personnel.

The more you familiarize yourself with how Defender for Office 365 will affect your
organization, the better the transition will be for users, help desk personnel, security
personnel, and management.

This migration guide gives you a plan for gradually "turning the dial" so you can
monitor and test how Defender for Office 365 affects your users and their email so you
can react quickly to any issues that you encounter.

The migration process


The process of migrating from a third-party protection service to Defender for Office
365 can be divided into three phases as described in the following table:

Phase: Prepare for your migration
1. Inventory the settings at your existing protection service
2. Check your existing protection configuration in Microsoft 365
3. Check your mail routing configuration
4. Move features that modify messages into Microsoft 365
5. Define spam and bulk user experiences
6. Identify and designate priority accounts

Phase: Set up Defender for Office 365
1. Create distribution groups for pilot users
2. Configure user reported message settings
3. Maintain or create the SCL=-1 mail flow rule
4. Configure Enhanced Filtering for Connectors
5. Create pilot protection policies

Phase: Onboard to Defender for Office 365
1. Begin onboarding Security Teams
2. (Optional) Exempt pilot users from filtering by your existing protection service
3. Tune spoof intelligence
4. Tune impersonation protection and mailbox intelligence
5. Use data from user reported messages to measure and adjust
6. (Optional) Add more users to your pilot and iterate
7. Extend Microsoft 365 protection to all users and turn off the SCL=-1 mail flow rule
8. Switch your MX records

Next step
Proceed to Phase 1: Prepare.
Migrate to Microsoft Defender for Office 365 - Phase 1: Prepare
Article • 12/21/2022 • 7 minutes to read

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2

Phase 1: Prepare (you are here) | Phase 2: Set up | Phase 3: Onboard

Welcome to Phase 1: Prepare of your migration to Microsoft Defender for Office 365!
This migration phase includes the following steps. You should inventory the settings at
your existing protection service first, before you make any changes. Otherwise, you can
do the remaining steps in any order:

1. Inventory the settings at your existing protection service
2. Check your existing protection configuration in Microsoft 365
3. Check your mail routing configuration
4. Move features that modify messages into Microsoft 365
5. Define spam and bulk user experiences
6. Identify and designate priority accounts

Inventory the settings at your existing protection service
A complete inventory of settings, rules, exceptions, etc. from your existing protection
service is a good idea, because you likely won't have access to the information after you
cancel your subscription.

But, it's very important that you do not automatically or arbitrarily recreate all of your
existing customizations in Defender for Office 365. At best, you might introduce
settings that are no longer required, relevant, or functional. At worst, some of your
previous customizations might actually create security issues in Defender for Office 365.
Your testing and observation of the native capabilities and behavior of Defender for
Office 365 will ultimately determine the overrides and settings that you need. You might
find it helpful to categorize the settings from your existing protection service into the
following categories:

Connection or content filtering: You'll likely find that you don't need most of
these customizations in Defender for Office 365.
Business routing: The majority of the customizations that you need to recreate will
likely fall into this category. For example, you can recreate these settings in
Microsoft 365 as Exchange mail flow rules (also known as transport rules),
connectors, and exceptions to spoof intelligence.

Instead of moving old settings blindly into Microsoft 365, we recommend a waterfall
approach that involves a pilot phase with ever-increasing user membership, and
observation-based tuning based on balancing security considerations with
organizational business needs.

Check your existing protection configuration in Microsoft 365
As we stated earlier, it's impossible to completely turn off all protection features for mail
that's delivered into Microsoft 365, even when you use a third-party protection service.
So, it's not unusual for a Microsoft 365 organization to have at least some email
protection features configured. For example:

In the past, you weren't using the third-party protection service with Microsoft 365.
You might have used and configured some protection features in Microsoft 365
that are currently being ignored. But those settings might take effect as you "turn
the dial" to enable the protection features in Microsoft 365.
You might have accommodations in Microsoft 365 protection for false positives
(good mail marked as bad) or false negatives (bad mail allowed) that made it
through your existing protection service.

Review your existing protection features in Microsoft 365 and consider removing or
simplifying settings that are no longer required. A rule or policy setting that was
required years ago could put the organization at risk and create unintentional gaps in
protection.

Check your mail routing configuration


If you're using any sort of complex routing (for example Centralized Mail
Transport), you should consider simplifying your routing and thoroughly
documenting it. External hops, especially after Microsoft 365 has already received
the message, can complicate configuration and troubleshooting.

Outbound and relay mail flow is out of scope for this article. However, be
aware that you might need to do one or more of the following steps:
Verify that all of the domains that you use to send email have the proper SPF
records. For more information, see Set up SPF to help prevent spoofing.
We strongly recommend that you set up DKIM signing in Microsoft 365. For
more information, see Use DKIM to validate outbound email.
If you're not routing mail directly from Microsoft 365, you need to change that
routing by removing or changing the outbound connector.

Using Microsoft 365 to relay email from your on-premises email servers can be a
complex project in itself. A simple example is a small number of apps or devices
that send most of their messages to internal recipients and aren't used for mass
mailings. See this guide for details. More extensive environments will need to be
more thoughtful. Marketing email and messages that could be seen as spam by
recipients are not allowed.

Defender for Office 365 does not have a feature for aggregating DMARC reports.
Visit the Microsoft Intelligent Security Association (MISA) catalog to view third-
party vendors that offer DMARC reporting for Microsoft 365.

Move features that modify messages into Microsoft 365
You need to transfer any customizations or features that modify messages in any way
into Microsoft 365. For example, your existing protection service adds an External tag to
the subject or message body of messages from external senders. Any link wrapping
feature will also cause problems with some messages. If you're using such a feature
today, you should prioritize the rollout of Safe Links as an alternative to minimize
problems.

If you don't turn off message modification features in your existing protection service,
you can expect the following negative results in Microsoft 365:

DKIM will break. Not all senders rely on DKIM, but those that do will fail
authentication.
Spoof intelligence and the tuning step later in this guide will not work properly.
You'll probably get a high number of false positives (good mail marked as bad).
To recreate external sender identification in Microsoft 365, you have the following
options:

The Outlook external sender call-out feature , together with first contact safety
tips.
Mail flow rules (also known as transport rules). For more information, see
Organization-wide message disclaimers, signatures, footers, or headers in
Exchange Online.

Microsoft is working with the industry to support the Authenticated Received Chain
(ARC) standard in the near future. If you wish to leave any message modification
features enabled at your current mail gateway provider, then we recommend contacting
them about their plans to support this standard.

Account for any active phishing simulations


If you have active third-party phishing simulations, you need to prevent the messages,
links, and attachments from being identified as phishing by Defender for Office 365. For
more information, see Configure third-party phishing simulations in the advanced
delivery policy.

Define spam and bulk user experiences


Quarantine vs. deliver to Junk Email folder: The natural and recommended
response for malicious and definitely risky messages is to quarantine the
messages. But, how do you want your users to handle less harmful messages, such
as spam, and bulk mail (also known as gray mail). Should these types of messages
be delivered to user Junk Email folders?

With our Standard security settings, we generally deliver these less risky types of
messages to the Junk Email folder. This behavior is similar to many consumer email
offerings, where users can check their Junk Email folder for missing messages, and
they can rescue those messages themselves. Or, if the user intentionally signed up
for a newsletter or marketing mail, they can choose to unsubscribe or block the
sender for their own mailbox.

However, many enterprise users are used to little (if any) mail in their Junk Email
folder. Instead, these enterprise users are used to checking a quarantine for their
missing messages. Quarantine introduces issues of quarantine notifications,
notification frequency, and the permissions that are required to view and release
messages.

Ultimately, it's your decision if you want to prevent delivery of email to the Junk
Email folder in favor of delivery to quarantine. But, one thing is certain: if the
experience in Defender for Office 365 is different than what your users are used to,
you need to notify them and provide basic training. Incorporate learnings from the
pilot and make sure that users are prepared for any new behavior for email
delivery.

Wanted bulk mail vs. unwanted bulk mail: Many protection systems allow users to
allow or block bulk email for themselves. These settings do not easily migrate to
Microsoft 365, so you should consider working with VIPs and their staff to recreate
their existing configurations in Microsoft 365.

Today, Microsoft 365 considers some bulk mail (for example, newsletters) as safe
based on the message source. Mail from these "safe" sources is currently not
marked as bulk (the bulk complaint level or BCL is 0 or 1), so it's difficult to globally
block mail from these sources. For most users, the solution is to ask them to
individually unsubscribe from these bulk messages or use Outlook to block the
sender. But, some users will not like blocking or unsubscribing from bulk messages
themselves.

Mail flow rules that filter bulk email can be helpful when VIP users do not wish to
manage this themselves. For more information, see Use mail flow rules to filter
bulk email.

Identify and designate priority accounts


If the feature is available to you, priority accounts and user tags can help to identify
your important Microsoft 365 users so they stand out in reports. For more information,
see User tags in Microsoft Defender for Office 365 and Manage and monitor priority
accounts.

Next step
Congratulations! You have completed the Prepare phase of your migration to Microsoft
Defender for Office 365!

Proceed to Phase 2: Setup.


Migrate to Microsoft Defender for Office 365 - Phase 2: Setup
Article • 12/22/2022 • 12 minutes to read

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2

Phase 1: Prepare | Phase 2: Set up (you are here) | Phase 3: Onboard

Welcome to Phase 2: Setup of your migration to Microsoft Defender for Office 365!
This migration phase includes the following steps:

1. Create distribution groups for pilot users
2. Configure user reported message settings
3. Maintain or create the SCL=-1 mail flow rule
4. Configure Enhanced Filtering for Connectors
5. Create pilot protection policies

Step 1: Create distribution groups for pilot users
Distribution groups are required in Microsoft 365 for the following aspects of your
migration:

Exceptions for the SCL=-1 mail flow rule: You want pilot users to get the full effect
of Defender for Office 365 protection, so you need their incoming messages to be
scanned by Defender for Office 365. You do this by defining your pilot users in the
appropriate distribution groups in Microsoft 365, and configuring these groups as
exceptions to the SCL=-1 mail flow rule.

As we described in Onboard Step 2: (Optional) Exempt pilot users from filtering by
your existing protection service, you should consider exempting these same pilot
users from scanning by your existing protection service. Eliminating the possibility
of filtering by your existing protection service and relying exclusively on Defender
for Office 365 is the best and closest representation of what's going to happen
after your migration is complete.

Testing of specific Defender for Office 365 protection features: Even for the pilot
users, you don't want to turn on everything at once. Using a staged approach for
the protection features that are in effect for your pilot users will make
troubleshooting and adjusting much easier. With this approach in mind, we
recommend the following distribution groups:
A Safe Attachments pilot group: For example, MDOPilot_SafeAttachments
A Safe Links pilot group: For example, MDOPilot_SafeLinks
A pilot group for Standard anti-spam and anti-phishing policy settings: For
example, MDOPilot_SpamPhish_Standard
A pilot group for Strict anti-spam and anti-phishing policy settings: For
example, MDOPilot_SpamPhish_Strict

For clarity, we'll use these specific group names throughout this article, but you're free
to use your own naming convention.

When you're ready to begin testing, add these groups as exceptions to the SCL=-1 mail
flow rule. As you create policies for the various protection features in Defender for
Office 365, you'll use these groups as conditions that define who the policy applies to.

Notes:

The terms Standard and Strict come from our recommended security settings,
which are also used in preset security policies. Ideally, we would tell you to define
your pilot users in the Standard and Strict preset security policies, but we can't do
that. Why? Because you can't customize the settings in preset security policies (in
particular, actions that are taken on messages). During your migration testing,
you'll want to see what Defender for Office 365 would do to messages, verify that's
what you want to happen, and possibly adjust the policy configurations to allow or
prevent those results.

So, instead of using preset security policies, you're going to manually create
custom policies with settings that are very similar to, but in some cases are
different than, the settings of Standard and Strict preset security policies.

If you want to experiment with settings that significantly differ from our Standard
or Strict recommended values, you should consider creating and using additional
and specific distribution groups for the pilot users in those scenarios. You can use
the Configuration Analyzer to see how secure your settings are. For instructions,
see Configuration analyzer for protection policies in EOP and Microsoft Defender
for Office 365.

For most organizations, the best approach is to start with policies that closely align
with our recommended Standard settings. After as much observation and feedback
as you're able to do in your available time frame, you can move to more aggressive
settings later. Impersonation protection and delivery to the Junk Email folder vs.
delivery to quarantine might require customization.

If you use customized policies, just make sure that they're applied before the
policies that contain our recommended settings for the migration. If a user is
identified in multiple policies of the same type (for example, anti-phishing), only
one policy of that type is applied to the user (based on the priority value of the
policy). For more information, see Order and precedence of email protection.

Step 2: Configure user reported message settings

The ability for users to report false positives or false negatives from Defender for Office
365 is an important part of the migration.

You can specify an Exchange Online mailbox to receive messages that users report as
malicious or not malicious. For instructions, see User reported message settings. This
mailbox can receive copies of messages that your users submitted to Microsoft, or the
mailbox can intercept messages without reporting them to Microsoft (your security
team can then manually analyze and submit the messages themselves). However, the
interception approach does not allow the service to automatically tune and learn.

You should also confirm that all users in the pilot have a supported way to report
messages that received an incorrect verdict from Defender for Office 365. These options
include:

The built-in Report button in Outlook on the web
The Report Message and Report Phishing add-ins
Supported third party reporting tools as described here.

Don't underestimate the importance of this step. Data from user reported messages will
give you the feedback loop that you need to verify a good, consistent end-user
experience before and after the migration. This feedback helps you to make informed
policy configuration decisions, as well as provide data-backed reports to management
that the migration went smoothly.

Without data backed by the experience of the entire organization, more than one
migration has been judged on emotional speculation about a single negative user
experience. Furthermore, if you've been running phishing simulations, you can use
feedback from your users to inform you when they see something risky that might
require investigation.

Step 3: Maintain or create the SCL=-1 mail flow rule

Because your inbound email is routed through another protection service that sits in
front of Microsoft 365, it's very likely that you already have a mail flow rule (also known
as a transport rule) in Exchange Online that sets the spam confidence level (SCL) of all
incoming mail to the value -1 (bypass spam filtering). Most third-party protection
services encourage this SCL=-1 mail flow rule for Microsoft 365 customers who want to
use their services.

If you're using some other mechanism to override the Microsoft filtering stack (for
example, an IP allow list) we recommend that you switch to using an SCL=-1 mail flow
rule as long as all inbound internet mail into Microsoft 365 comes from the third-party
protection service (no mail flows directly from the internet into Microsoft 365).

The SCL=-1 mail flow rule is important during the migration for the following reasons:

You can use Threat Explorer to see which features in the Microsoft stack would
have acted on messages without affecting the results from your existing protection
service.

You can gradually adjust who is protected by the Microsoft 365 filtering stack by
configuring exceptions to the SCL=-1 mail flow rule. The exceptions will be the
members of the pilot distribution groups that we recommend later in this article.

Before or during the cutover of your MX record to Microsoft 365, you'll disable this
rule to turn on the full protection of the Microsoft 365 protection stack for all
recipients in your organization.

For more information, see Use mail flow rules to set the spam confidence level (SCL) in
messages in Exchange Online.

Notes:

If you plan to allow internet mail to flow through your existing protection service
and directly into Microsoft 365 at the same time, you need to restrict the SCL=-1 mail
flow rule (mail that bypasses spam filtering) to mail that's gone through your
existing protection service only. You do not want unfiltered internet mail landing in
user mailboxes in Microsoft 365.

To correctly identify mail that's already been scanned by your existing protection
service, you can add a condition to the SCL=-1 mail flow rule. For example:
For cloud-based protection services: You can use a header and header value
that's unique to your organization. Messages that have the header are not
scanned by Microsoft 365. Messages without the header are scanned by
Microsoft 365.
For on-premises protection services or devices: You can use source IP
addresses. Messages from the source IP addresses are not scanned by Microsoft
365. Messages that aren't from the source IP addresses are scanned by
Microsoft 365.

Do not rely exclusively on MX records to control whether mail gets filtered.
Senders can easily ignore the MX record and send email directly into Microsoft
365.
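The following Exchange Online PowerShell script is an added example (not code from the original article) that puts Step 1 and Step 3 together: it creates the four pilot distribution groups, then creates or updates the SCL=-1 mail flow rule so that it only bypasses filtering for mail carrying a header stamped by the existing protection service, with the pilot groups as exceptions. The accepted domain contoso.com, the header name X-ExistingService-Scanned and its value are assumptions; substitute the values your own service uses (or -SenderIpRanges for an on-premises gateway, as the note above describes). It assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline has run.
$domain = 'contoso.com'   # assumption: one of your accepted domains

# Step 1: pilot groups, one per protection feature being staged in.
$pilotGroups = 'MDOPilot_SafeAttachments',
               'MDOPilot_SafeLinks',
               'MDOPilot_SpamPhish_Standard',
               'MDOPilot_SpamPhish_Strict'

foreach ($name in $pilotGroups) {
    if (-not (Get-DistributionGroup -Identity $name -ErrorAction SilentlyContinue)) {
        New-DistributionGroup -Name $name -Alias $name -Type Distribution `
            -PrimarySmtpAddress "$name@$domain" | Out-Null
    }
}

# Step 3: bypass EOP spam filtering only for mail the existing service already scanned,
# identified here by a header the service stamps (assumption: name and value).
# Tying the rule to a header (cloud service) or to -SenderIpRanges (on-premises gateway)
# keeps mail sent straight to Microsoft 365, ignoring the MX record, inside the filtering stack.
$ruleName = 'Bypass spam filtering for mail scanned by existing protection service'
$rule     = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue

$ruleParams = @{
    Name                        = $ruleName
    SetSCL                      = -1
    HeaderContainsMessageHeader = 'X-ExistingService-Scanned'   # assumption
    HeaderContainsWords         = 'yes'                         # assumption
    # Pilot users are excepted so their mail gets the full Defender for Office 365 stack.
    ExceptIfSentToMemberOf      = @($pilotGroups | ForEach-Object { "$_@$domain" })
    Priority                    = 0
    Mode                        = 'Enforce'
}

if ($rule) {
    $ruleParams.Remove('Name')
    Set-TransportRule -Identity $ruleName @ruleParams
} else {
    New-TransportRule @ruleParams | Out-Null
}

# Verify: the rule should show the header condition and the four group exceptions.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, SetSCL, HeaderContainsMessageHeader,
                HeaderContainsWords, ExceptIfSentToMemberOf
```

As you add users to the pilot, add them to the groups rather than editing the rule; the exception follows group membership, so the rule itself stays stable until you disable it in the Onboard phase.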

Step 4: Configure Enhanced Filtering for Connectors

The first thing to do is configure Enhanced Filtering for Connectors (also known as skip
listing) on the connector that's used for mail flow from your existing protection service
into Microsoft 365. You can use the Inbound messages report to help identify the
connector.

Enhanced Filtering for Connectors is required by Defender for Office 365 to see where
internet messages actually came from. Enhanced Filtering for Connectors greatly
improves the accuracy of the Microsoft filtering stack (especially spoof intelligence, as
well as post-breach capabilities in Threat Explorer and Automated Investigation &
Response (AIR)).

To correctly enable Enhanced Filtering for Connectors, you need to add the public IP
addresses of all third-party services and/or on-premises email system hosts that
route inbound mail to Microsoft 365. An address you leave out is treated as the
internet sender, so a partial list degrades spoof intelligence rather than helping it.

To confirm that Enhanced Filtering for Connectors is working, verify that incoming
messages contain one or both of the following headers:

X-MS-Exchange-SkipListedInternetSender

X-MS-Exchange-ExternalOriginalInternetSender
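As an added example (not code from the original article), the script below enables Enhanced Filtering for Connectors on the inbound connector from the existing protection service by skip-listing its source IP ranges, and then provides a small helper that checks a pasted set of message headers for the two headers listed above. The connector name and the IP ranges (RFC 5737 documentation addresses) are assumptions; the sample headers at the end are constructed for the demonstration and are not from a real message. It assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline has run.
$connectorName = 'Inbound from ExistingProtectionService'   # assumption
$serviceIps    = @('203.0.113.0/24', '198.51.100.10')       # assumption: all of the service's public IPs

# Identify the connector and its current skip-listing state.
Get-InboundConnector -Identity $connectorName |
    Format-List Name, ConnectorType, SenderIPAddresses, EFSkipLastIP, EFSkipIPs, EFUsers

# Skip-list the service's IPs so EOP evaluates the true internet sender.
# -EFSkipLastIP $true would instead skip only the last hop; that is only correct when
# every inbound hop into Microsoft 365 is the service itself.
Set-InboundConnector -Identity $connectorName -EFSkipLastIP $false -EFSkipIPs $serviceIps

# Verification helper: paste the Internet headers of a message that arrived after the
# change. Either of the two headers proves Enhanced Filtering acted on the message.
function Test-EnhancedFilteringHeaders {
    param([Parameter(Mandatory)][string]$RawHeaders)

    $wanted = 'X-MS-Exchange-SkipListedInternetSender',
              'X-MS-Exchange-ExternalOriginalInternetSender'
    $found = @{}
    # Unfold RFC 5322 continuation lines (leading whitespace) before matching.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    foreach ($line in ($unfolded -split "`r?`n")) {
        foreach ($h in $wanted) {
            if ($line -match "^$([regex]::Escape($h)):\s*(.+)$") {
                $found[$h] = $Matches[1].Trim()
            }
        }
    }
    [pscustomobject]@{
        EnhancedFilteringApplied = ($found.Count -gt 0)
        Headers                  = $found
    }
}

# Constructed sample headers (not a real message) to show the check.
$sample = @"
Received: from mail.existingservice.example (203.0.113.7) by ...
X-MS-Exchange-SkipListedInternetSender: ip=[192.0.2.25];domain=sender.example
X-MS-Exchange-ExternalOriginalInternetSender: ip=[192.0.2.25];domain=sender.example
Subject: test
"@
Test-EnhancedFilteringHeaders -RawHeaders $sample
```

Run the helper against several real messages from different external senders; if none of them carry either header, the sending IP of the service is missing from EFSkipIPs or mail is entering through a different connector than the one you changed.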

Step 5: Create pilot protection policies
By creating production policies, even if they aren't applied to all users, you can test
post-breach features like Threat Explorer and test integrating Defender for Office 365
into your security response team's processes.

Important

Policies can be scoped to users, groups, or domains. We do not recommend mixing
all three in one policy, as only users that match all three will fall inside the scope of
the policy. For pilot policies, we recommend using groups or users. For production
policies, we recommend using domains. It's extremely important to understand that
only the user's primary email domain determines if the user falls inside the scope of
the policy. So, if you switch the MX record for a user's secondary domain, make
sure that their primary domain is also covered by a policy.

Create pilot Safe Attachments policies

Safe Attachments is the easiest Defender for Office 365 feature to enable and test
before you switch your MX record. Safe Attachments has the following benefits:

Minimal configuration.
Extremely low chance of false positives.
Similar behavior to anti-malware protection, which is always on and not affected
by the SCL=-1 mail flow rule.

Create a Safe Attachments policy for your pilot users.

For the recommended settings, see Recommended Safe Attachments policy settings.
Note that the Standard and Strict recommendations are the same. To create the policy,
see Set up Safe Attachments policies. Be sure to use the group
MDOPilot_SafeAttachments as the condition of the policy (who the policy applies to).

Note

The Built-in protection preset security policy gives Safe Attachments protection to
all recipients that aren't defined in any Safe Attachments policies. For more
information, see Preset security policies in EOP and Microsoft Defender for Office
365.

Create pilot Safe Links policies

Note

We do not support wrapping or rewriting already wrapped or rewritten links. If your
current protection service already wraps or rewrites links in email messages, you
need to turn off this feature for your pilot users. One way to ensure this doesn't
happen is to exclude the URL domain of the other service in the Safe Links policy.

Create a Safe Links policy for your pilot users. Chances for false positives in Safe Links
are also pretty low, but you should consider testing the feature on a smaller number of
pilot users than Safe Attachments. Because the feature impacts the user experience, you
should consider a plan to educate users.

For the recommended settings, see Recommended Safe Links policy settings. Note that
the Standard and Strict recommendations are the same. To create the policy, see Set up
Safe Links policies. Be sure to use the group MDOPilot_SafeLinks as the condition of the
policy (who the policy applies to).

Note

The Built-in protection preset security policy gives Safe Links protection to all
recipients that aren't defined in any Safe Links policies. For more information, see
Preset security policies in EOP and Microsoft Defender for Office 365.
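The following is an added example (not code from the original article) that creates the pilot Safe Attachments and Safe Links policies in Exchange Online PowerShell and scopes each one to its pilot group through the matching rule. The policy names, the accepted domain contoso.com and the existing service's link-rewrite host (links.existingservice.example, excluded with -DoNotRewriteUrls per the note above) are assumptions; the individual setting values reflect the Standard/Strict recommendations as understood when this was written, so compare them with the current recommended settings articles. It assumes an existing Connect-ExchangeOnline session in a tenant licensed for Defender for Office 365.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline has run.
$domain          = 'contoso.com'                                # assumption
$otherServiceUrl = 'links.existingservice.example/*'            # assumption: other service's rewrite host

# Safe Attachments: Standard and Strict recommendations are the same
# (Block, with the admin-only quarantine policy). Assumption: current recommended values.
if (-not (Get-SafeAttachmentPolicy -Identity 'MDOPilot Safe Attachments' -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name 'MDOPilot Safe Attachments' `
        -Enable $true -Action Block -QuarantineTag AdminOnlyAccessPolicy | Out-Null
    New-SafeAttachmentRule -Name 'MDOPilot Safe Attachments' `
        -SafeAttachmentPolicy 'MDOPilot Safe Attachments' `
        -SentToMemberOf "MDOPilot_SafeAttachments@$domain" -Priority 0 | Out-Null
}

# Safe Links: scan URLs in email, Teams and Office apps, hold delivery until the scan
# completes, and never re-wrap URLs already wrapped by the existing service.
if (-not (Get-SafeLinksPolicy -Identity 'MDOPilot Safe Links' -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name 'MDOPilot Safe Links' `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
        -TrackClicks $true -AllowClickThrough $false `
        -DoNotRewriteUrls $otherServiceUrl | Out-Null
    New-SafeLinksRule -Name 'MDOPilot Safe Links' `
        -SafeLinksPolicy 'MDOPilot Safe Links' `
        -SentToMemberOf "MDOPilot_SafeLinks@$domain" -Priority 0 | Out-Null
}

# Verify scope and state: each rule should list its pilot group and be Enabled.
Get-SafeAttachmentRule -Identity 'MDOPilot Safe Attachments' |
    Format-List Name, State, Priority, SentToMemberOf, SafeAttachmentPolicy
Get-SafeLinksRule -Identity 'MDOPilot Safe Links' |
    Format-List Name, State, Priority, SentToMemberOf, SafeLinksPolicy
```

Keeping the Safe Links pilot group smaller than the Safe Attachments group, as the text recommends, is just a matter of which users you add to MDOPilot_SafeLinks; the policies themselves need no change.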

Create pilot anti-spam policies

Create two anti-spam policies for pilot users:

A policy that uses the Standard settings. Use the group
MDOPilot_SpamPhish_Standard as the condition of the policy (who the policy
applies to).
A policy that uses the Strict settings. Use the group MDOPilot_SpamPhish_Strict as
the condition of the policy (who the policy applies to). This policy should have a
higher priority (lower number) than the policy with the Standard settings.

For the recommended Standard and Strict settings, see Recommended anti-spam policy
settings. To create the policies, see Configure anti-spam policies.

Create pilot anti-phishing policies

Create two anti-phishing policies for pilot users:

A policy that uses the Standard settings, with the exception of impersonation
detection actions as described below. Use the group
MDOPilot_SpamPhish_Standard as the condition of the policy (who the policy
applies to).
A policy that uses the Strict settings, with the exception of impersonation detection
actions as described below. Use the group MDOPilot_SpamPhish_Strict as the
condition of the policy (who the policy applies to). This policy should have a higher
priority (lower number) than the policy with the Standard settings.

For spoof detections, the recommended Standard action is Move message to the
recipients' Junk Email folders, and the recommended Strict action is Quarantine the
message. Use the spoof intelligence insight to observe the results. Overrides are
explained in the next section. For more information, see Spoof intelligence insight in
EOP.

For impersonation detections, ignore the recommended Standard and Strict actions for
the pilot policies. Instead, use the value Don't apply any action for the following
settings:

If message is detected as an impersonated user
If message is detected as impersonated domain
If mailbox intelligence detects an impersonated user

Use the impersonation insight to observe the results. For more information, see
Impersonation insight in Defender for Office 365.

In the Onboard phase, you'll tune spoofing protection (adjust allows and blocks) and
turn on each impersonation protection action to quarantine or move the messages to
the Junk Email folder (based on the Standard or Strict recommendations), observing
the results and adjusting the settings as necessary after each change.

For more information, see the following topics:

Anti-spoofing protection
Impersonation settings in anti-phishing policies
Configure anti-phishing policies in Defender for Office 365.
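The script below is an added example (not code from the original article) that creates the Standard and Strict pilot anti-spam and anti-phishing policies described in the two sections above, scoped to the SpamPhish pilot groups, with the Strict rules at a higher priority (lower number). Spoof detections get the Standard/Strict actions; all three impersonation actions start at NoAction so the impersonation insight can be observed first. The policy names, the accepted domain contoso.com, the protected user and domain placeholders, and the specific threshold values (taken from the recommended settings as understood when this was written) are assumptions. It assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline has run.
$domain = 'contoso.com'   # assumption

# Per-profile values. Assumption: Standard = JMF / bulk 6 / phish threshold 3,
# Strict = Quarantine / bulk 5 / phish threshold 4, per the recommended settings articles.
$profiles = @(
    @{ Name = 'Strict';   Group = "MDOPilot_SpamPhish_Strict@$domain";   Priority = 0
       SpamAction = 'Quarantine'; BulkThreshold = 5; PhishThreshold = 4; SpoofAction = 'Quarantine' }
    @{ Name = 'Standard'; Group = "MDOPilot_SpamPhish_Standard@$domain"; Priority = 1
       SpamAction = 'MoveToJmf';  BulkThreshold = 6; PhishThreshold = 3; SpoofAction = 'MoveToJmf' }
)

foreach ($p in $profiles) {
    $spamName  = "MDOPilot Anti-Spam $($p.Name)"
    $phishName = "MDOPilot Anti-Phish $($p.Name)"

    if (-not (Get-HostedContentFilterPolicy -Identity $spamName -ErrorAction SilentlyContinue)) {
        New-HostedContentFilterPolicy -Name $spamName `
            -SpamAction $p.SpamAction -HighConfidenceSpamAction Quarantine `
            -PhishSpamAction Quarantine -HighConfidencePhishAction Quarantine `
            -BulkSpamAction $p.SpamAction -BulkThreshold $p.BulkThreshold | Out-Null
        New-HostedContentFilterRule -Name $spamName -HostedContentFilterPolicy $spamName `
            -SentToMemberOf $p.Group -Priority $p.Priority | Out-Null
    }

    if (-not (Get-AntiPhishPolicy -Identity $phishName -ErrorAction SilentlyContinue)) {
        New-AntiPhishPolicy -Name $phishName -Enabled $true `
            -PhishThresholdLevel $p.PhishThreshold `
            -EnableSpoofIntelligence $true -AuthenticationFailAction $p.SpoofAction `
            -EnableUnauthenticatedSender $true -EnableViaTag $true `
            -EnableMailboxIntelligence $true `
            -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction NoAction `
            -EnableTargetedUserProtection $true -TargetedUserProtectionAction NoAction `
            -TargetedUsersToProtect "CEO Name;ceo@$domain" `
            -EnableOrganizationDomainsProtection $true `
            -EnableTargetedDomainsProtection $true -TargetedDomainProtectionAction NoAction `
            -TargetedDomainsToProtect 'partner.example' `
            -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
            -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true | Out-Null
        New-AntiPhishRule -Name $phishName -AntiPhishPolicy $phishName `
            -SentToMemberOf $p.Group -Priority $p.Priority | Out-Null
    }
}

# Verify ordering: the Strict rule must sit above the Standard rule for both policy types,
# because only the first matching policy of each type is applied to a recipient.
Get-HostedContentFilterRule | Sort-Object Priority | Format-Table Name, Priority, State, SentToMemberOf
Get-AntiPhishRule          | Sort-Object Priority | Format-Table Name, Priority, State, SentToMemberOf
```

The user and domain lists passed to -TargetedUsersToProtect and -TargetedDomainsToProtect are placeholders; the point of starting at NoAction is that you can fill them in and watch the impersonation insight without affecting delivery.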

Next step
Congratulations! You have completed the Setup phase of your migration to Microsoft
Defender for Office 365!
Proceed to Phase 3: Onboard.

Migrate to Microsoft Defender for Office 365 - Phase 3: Onboard
Article • 12/21/2022 • 12 minutes to read

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2

Phase 1: Prepare | Phase 2: Set up | Phase 3: Onboard (You are here!)

Welcome to Phase 3: Onboard of your migration to Microsoft Defender for Office 365!
This migration phase includes the following steps:

1. Begin onboarding Security Teams
2. (Optional) Exempt pilot users from filtering by your existing protection service
3. Tune spoof intelligence
4. Tune impersonation protection and mailbox intelligence
5. Use data from user reported messages to measure and adjust
6. (Optional) Add more users to your pilot and iterate
7. Extend Microsoft 365 protection to all users and turn off the SCL=-1 mail flow rule
8. Switch your MX records

Step 1: Begin onboarding Security Teams

If your organization has a security response team, now is the time to begin integrating
Microsoft Defender for Office 365 into your response processes, including ticketing
systems. This is an entire topic unto itself, but it's sometimes overlooked. Getting the
security response team involved early will ensure that your organization is ready to deal
with threats when you switch your MX records. Incident response needs to be well
equipped to handle the following tasks:

Learn the new tools and integrate them into existing flows. For example:
Admin management of quarantined messages is important. For instructions, see
Manage quarantined messages and files as an admin.
Message trace allows you to see what happened to messages as they enter or
leave Microsoft 365. For more information, see Message trace in the modern
Exchange admin center in Exchange Online.
Identify risks that may have been let into the organization.
Tune and customize alerts for organizational processes.
Manage the incident queue and remediate potential risks.

If your organization has purchased Microsoft Defender for Office 365 Plan 2, the
security response team should begin familiarizing themselves with and using features
such as Threat Explorer, Advanced Hunting, and Incidents. For relevant training, see
https://aka.ms/mdoninja .

If your security response team collects and analyzes unfiltered messages, you can
configure a SecOps mailbox to receive these unfiltered messages. For instructions, see
Configure SecOps mailboxes in the advanced delivery policy.

SIEM/SOAR
For more information about integrating with your SIEM/SOAR, see the following articles:

Overview of Microsoft 365 Defender APIs
Streaming API
Advanced Hunting API
Incidents APIs

If your organization does not have a security response team or existing process flows,
you can use this time to familiarize yourself with basic hunting and response features in
Defender for Office 365. For more information, see Threat investigation and response.

RBAC roles
Permissions in Defender for Office 365 are based on role-based access control (RBAC)
and are explained in Permissions in the Microsoft 365 Defender portal. These are the
important points to keep in mind:

Azure AD roles give permissions to all workloads in Microsoft 365. For example, if
you add a user to the Security Administrator in the Azure portal, they have Security
Administrator permissions everywhere.
Email & collaboration roles in the Microsoft 365 Defender portal give permissions
to the Microsoft 365 Defender Portal and the Microsoft Purview compliance portal.
For example, if you add a user to Security Administrator in the Microsoft 365
Defender portal, they have Security Administrator access only in the Microsoft 365
Defender Portal and the Microsoft Purview compliance portal.
Many features in the Microsoft 365 Defender portal are based on Exchange Online
PowerShell cmdlets and therefore require membership in the corresponding role
groups in Exchange Online (it's that membership that grants access to the underlying
Exchange Online PowerShell cmdlets).
There are Email & collaboration roles in the Microsoft 365 Defender portal that
have no equivalent to Azure AD roles, and are important for security operations
(for example the Preview role and the Search and Purge role).

Typically, only a subset of security personnel will need additional rights to download
messages directly from user mailboxes. This requires an additional permission that
Security Reader does not have by default.

Step 2: (Optional) Exempt pilot users from filtering by your existing protection service

Although this step isn't required, you should consider configuring your pilot users to
bypass filtering by your existing protection service. This action allows Defender for
Office 365 to handle all filtering and protection duties for the pilot users. If you don't
exempt your pilot users from your existing protection service, Defender for Office 365
effectively operates only on misses from the other service (filtering messages that have
already been filtered).

Note

This step is explicitly required if your current protection service provides link
wrapping, but you want to pilot Safe Links functionality. Double wrapping of links is
not supported.

Step 3: Tune spoof intelligence

Check the Spoof intelligence insight to see what's being allowed or blocked as spoofing,
and to determine if you need to override the system verdict for spoofing. Some sources
of your business-critical email might have incorrectly configured email authentication
records in DNS (SPF, DKIM, and DMARC) and you might be using overrides in your
existing protection service to mask their domain issues.

Spoof intelligence can rescue email from domains without proper email authentication
records in DNS, but the feature sometimes needs assistance in distinguishing good
spoofing from bad spoofing. Focus on the following types of message sources:

Message sources that are outside of the IP address ranges defined in Enhanced
Filtering for Connectors.
Message sources that have the highest number of messages.
Message sources that have the highest impact on your organization.

Spoof intelligence will eventually tune itself after you configure user reported message
settings, so there is no need for perfection.

Step 4: Tune impersonation protection and mailbox intelligence

After you've had enough time to observe the results of impersonation protection in
Don't apply any action mode, you can individually turn on each impersonation
protection action in the anti-phishing policies:

User impersonation protection: Quarantine the message for both Standard and
Strict.
Domain impersonation protection: Quarantine the message for both Standard and
Strict.
Mailbox intelligence protection: Move message to the recipients' Junk Email
folders for Standard; Quarantine the message for Strict.

The longer you monitor the impersonation protection results without acting on the
messages, the more data you'll have to identify allows or blocks that might be required.
Consider using a delay between turning on each protection that's significant enough to
allow for observation and adjustment.

Note

Frequent and continuous monitoring and tuning of these protections is important.
If you suspect a false positive, investigate the cause and use overrides only as
necessary and only for the detection feature that requires it.

Tune mailbox intelligence

Although mailbox intelligence has been configured to take no action on messages that
were determined to be impersonation attempts, it has been on and learning the email
sending and receiving patterns of the pilot users. If an external user is in contact with
one of your pilot users, messages from that external user won't be identified as
impersonation attempts by mailbox intelligence (thus reducing false positives).

When you're ready, do the following steps to allow mailbox intelligence to act on
messages that are detected as impersonation attempts:

In the anti-phishing policy with the Standard protection settings, change the value
of If mailbox intelligence detects an impersonated user to Move message to
recipients' Junk Email folders.

In the anti-phishing policy with the Strict protection settings, change the value of If
mailbox intelligence detects an impersonated user to Quarantine the message.

To modify the policies, see Configure anti-phishing policies in Defender for Office 365.

After you've observed the results and made any adjustments, proceed to the next
section to quarantine messages detected by user impersonation.

Tune user impersonation protection

In both of your anti-phishing policies based on Standard and Strict settings, change the
value of If message is detected as an impersonated user to Quarantine the message.

Check the impersonation insight to see what's being blocked as user impersonation
attempts.

To modify the policies, see Configure anti-phishing policies in Defender for Office 365.

After you've observed the results and made any adjustments, proceed to the next
section to quarantine messages detected by domain impersonation.

Tune domain impersonation protection

In both of your anti-phishing policies based on Standard and Strict settings, change the
value of If message is detected as an impersonated domain to Quarantine the
message.

Check the impersonation insight to see what's being blocked as domain impersonation
attempts.

To modify the policies, see Configure anti-phishing policies in Defender for Office 365.

Observe the results and make any adjustments as necessary.
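As an added example (not code from the original article), the script below turns the three impersonation actions on one stage at a time in the order Step 4 gives (mailbox intelligence, then user impersonation, then domain impersonation), applying the Standard and Strict actions to the matching pilot policy and printing the resulting state so you can observe the impersonation insight before running the next stage. The pilot policy names are assumptions; it assumes an existing Connect-ExchangeOnline session and that the policies already have impersonation protection enabled with NoAction.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline has run.
$policies = @{
    Standard = 'MDOPilot Anti-Phish Standard'   # assumption: pilot policy names
    Strict   = 'MDOPilot Anti-Phish Strict'
}

# One entry per stage: the policy parameter to change and the Standard/Strict action.
$stages = @(
    @{ Name = 'Mailbox intelligence'; Parameter = 'MailboxIntelligenceProtectionAction'; Standard = 'MoveToJmf';  Strict = 'Quarantine' }
    @{ Name = 'User impersonation';   Parameter = 'TargetedUserProtectionAction';        Standard = 'Quarantine'; Strict = 'Quarantine' }
    @{ Name = 'Domain impersonation'; Parameter = 'TargetedDomainProtectionAction';      Standard = 'Quarantine'; Strict = 'Quarantine' }
)

function Enable-ImpersonationStage {
    # Run with 0, then 1, then 2, leaving enough time between runs to observe results.
    param([Parameter(Mandatory)][ValidateRange(0, 2)][int]$StageIndex)

    $stage = $stages[$StageIndex]
    foreach ($level in $policies.Keys) {
        $params = @{ Identity = $policies[$level] }
        $params[$stage.Parameter] = $stage[$level]   # e.g. TargetedUserProtectionAction = Quarantine
        Set-AntiPhishPolicy @params
    }
    Write-Host "Enabled stage '$($stage.Name)'. Check the impersonation insight before the next stage."
}

function Show-ImpersonationState {
    $policies.Values | ForEach-Object { Get-AntiPhishPolicy -Identity $_ } |
        Format-Table Name, EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction,
                     TargetedUserProtectionAction, TargetedDomainProtectionAction
}

# First stage only; repeat with -StageIndex 1 and then 2 after observing each result.
Enable-ImpersonationStage -StageIndex 0
Show-ImpersonationState
```

If a stage produces false positives, the note above applies: add the specific sender or domain as an exception for that detection only (for example to the trusted senders or domains lists of the impersonation settings) rather than reverting the whole stage to NoAction.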


Step 5: Use data from user reported messages
to measure and adjust
As your pilot users report false positives and false negatives, the messages will appear
on the User reported tab of the Submissions page in the Microsoft 365 Defender portal.
You can report the misidentified messages to Microsoft for analysis and use the
information to adjust the settings and exceptions in your pilot policies as necessary.

Use the following features to monitor and iterate on the protection settings in Defender
for Office 365:

Quarantine
Threat Explorer
Email security reports
Defender for Office 365 reports
Mail flow insights
Mail flow reports

If your organization uses a third-party service for user reported messages, you can
integrate that data into your feedback loop.

Step 6: (Optional) Add more users to your pilot and iterate

As you find and fix issues, you can add more users to the pilot groups (and
correspondingly exempt those new pilot users from scanning by your existing
protection service as appropriate). The more testing that you do now, the fewer user
issues that you'll need to deal with later. This "waterfall" approach allows tuning against
larger portions of the organization and gives your security teams time to adjust to the
new tools and processes.

Microsoft 365 generates alerts when high confidence phishing messages are
allowed by organizational policies. To identify these messages, you have the
following options:
Overrides in the Threat protection status report.
Filter in Threat Explorer to identify the messages.
Filter in Advanced Hunting to identify the messages.

Report any false positives to Microsoft as early as possible through admin
submissions, and use the Tenant Allow/Block List feature to configure safe overrides
for those false positives.

It's also a good idea to examine unnecessary overrides. In other words, look at the
verdicts that Microsoft 365 would have provided on the messages. If Microsoft 365
rendered the correct verdict, then the need for the override is greatly diminished or
eliminated.

Step 7: Extend Microsoft 365 protection to all users and turn off the SCL=-1 mail flow rule

Do the steps in this section when you're ready to switch your MX records to point to
Microsoft 365.

1. Extend the pilot policies to the entire organization. Fundamentally, there are
different ways to do this:

Use preset security policies and divide your users between the Standard
protection profile and the Strict protection profile (make sure everyone is
covered). Preset security policies are applied before any custom policies that
you've created or any default policies. You can turn off your individual pilot
policies without deleting them.

The drawback to preset security policies is that you can't change many of the
important settings after you've created them.

Change the scope of the policies that you created and adjusted during the
pilot to include all users (for example, all recipients in all domains).
Remember, if multiple policies of the same type (for example, anti-phishing
policies) apply to the same user (individually, by group membership, or email
domain), only the settings of the policy with the highest priority (lowest
priority number) are applied, and processing stops for that type of policy.

2. Turn off the SCL=-1 mail flow rule (you can turn it off without deleting it).

3. Verify that the previous changes have taken effect, and that Defender for Office
365 is now properly enabled for all users. At this point, all of the protection
features of Defender for Office 365 are now allowed to act on mail for all
recipients, but that mail has already been scanned by your existing protection
service.

You can pause at this stage for more large-scale data recording and tuning.

Step 8: Switch your MX records

Note

When you switch the MX record for your domain, it can take up to 48 hours for the
changes to propagate throughout the internet.

We recommend lowering the TTL value of your DNS records to enable faster response
and possible rollback (if required). You can revert to the original TTL value after
the switchover is complete and verified.

You should consider starting with changing domains that are used less frequently.
You can pause and monitor before moving to larger domains. However, even if you do
this, you still should make sure that all users and domains are covered by policies,
because secondary SMTP domains are resolved to primary domains prior to the policy
application.

Multiple MX records for a single domain will technically work, allowing you to have
split routing, provided that you have followed all the guidance in this article.
Specifically, you should make sure that policies are applied to all users, and that
the SCL=-1 mail flow rule is applied only to mail that passes through your existing
protection service as described in Setup Step 3: Maintain or create the SCL=-1 mail
flow rule. However, this configuration introduces behavior that makes troubleshooting
much more difficult, and therefore we do not typically recommend it, especially for
extended periods of time.

Before you switch your MX records, verify that the following settings are not enabled
on the inbound connector from the protection service to Microsoft 365. Typically, the
connector will have one or more of the following settings configured:
And require that the subject name on the certificate that the partner uses to
authenticate with Office 365 matches this domain name (RestrictDomainsToCertificate)
Reject email messages if they aren't sent from within this IP address range
(RestrictDomainsToIPAddresses)

If the connector type is Partner and either of these settings is turned on, all mail
delivery to your domains will fail after you switch your MX records. You need to
disable these settings before you continue. If the connector is an on-premises
connector that's used for hybrid, you don't need to modify the on-premises connector.
But, you can still check for the presence of a Partner connector.

If your current mail gateway is also providing recipient validation, you may want to
check that the domain is configured as Authoritative in Microsoft 365. This can
prevent unnecessary bounce messages.
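The following is an added example (not code from the original article) that runs the pre-cutover checks from Step 7 and Step 8 in one script: it disables (without deleting) the SCL=-1 mail flow rule, finds any Partner inbound connector whose RestrictDomainsToCertificate or RestrictDomainsToIPAddresses setting would reject mail after the MX switch and clears those settings, confirms the accepted domains are Authoritative, and shows where the MX records point and their current TTL. The rule name and domain list are assumptions; it assumes an existing Connect-ExchangeOnline session, and Resolve-DnsName requires the Windows DnsClient module.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline has run.
$sclRuleName = 'Bypass spam filtering for mail scanned by existing protection service'  # assumption
$domains     = @('contoso.com')                                                         # assumption

# Step 7: turn off (not delete) the SCL=-1 rule once every user is covered by policies.
Disable-TransportRule -Identity $sclRuleName -Confirm:$false
Get-TransportRule -Identity $sclRuleName | Format-Table Name, State

# Step 8: a Partner connector that restricts domains to a certificate or IP range rejects
# all mail once the MX points at Microsoft 365 and mail stops arriving via the service.
$risky = Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'Partner' -and
                   ($_.RestrictDomainsToCertificate -or $_.RestrictDomainsToIPAddresses) }

foreach ($c in $risky) {
    Write-Host ("Connector '{0}': RestrictDomainsToCertificate={1}, RestrictDomainsToIPAddresses={2}" -f
        $c.Name, $c.RestrictDomainsToCertificate, $c.RestrictDomainsToIPAddresses)
    Set-InboundConnector -Identity $c.Identity `
        -RestrictDomainsToCertificate $false -RestrictDomainsToIPAddresses $false
}
if (-not $risky) { Write-Host 'No Partner connector with domain restrictions found.' }

# Recipient validation: Authoritative domains reject unknown recipients at the edge
# instead of accepting the mail and generating bounces later.
Get-AcceptedDomain |
    Where-Object { "$($_.DomainName)" -in $domains } |
    Format-Table DomainName, DomainType, Default

# DNS: confirm where MX currently points and that the TTL was lowered before the switch.
foreach ($d in $domains) {
    Resolve-DnsName -Name $d -Type MX -DnsOnly |
        Where-Object { $_.Type -eq 'MX' } |
        Format-Table Name, NameExchange, Preference, TTL
}
```

Run the DNS part again after the switch from a resolver outside your network; a TTL that is still at its old high value tells you how long a rollback would take to be honored.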

When you're ready, switch the MX record for your domains. You can migrate all of your
domains at once. Or, you can migrate less frequently used domains first, and then
migrate the rest later.

Feel free to pause and evaluate here at any point. But, remember: once you turn off the
SCL=-1 mail flow rule, users might have two different experiences for checking false
positives. The sooner you can provide a single, consistent experience, the happier your
users and help desk teams will be when they have to troubleshoot a missing message.

Next steps
Congratulations! You have completed your migration to Microsoft Defender for Office
365! Because you followed the steps in this migration guide, the first few days where
mail is delivered directly into Microsoft 365 should be much smoother.

Now you begin the normal operation and maintenance of Defender for Office 365.
Monitor and watch for issues that are similar to what you experienced during the pilot,
but on a larger scale. The spoof intelligence insight and the impersonation insight will
be most helpful, but consider making the following activities a regular occurrence:

Review user reported messages, especially user-reported phishing messages.
Review overrides in the Threat protection status report.
Use Advanced Hunting queries to look for tuning opportunities and risky messages.

Microsoft Defender for Office 365 Security
Operations Guide
Article • 12/22/2022 • 16 minutes to read

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free?
Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub.
Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This article gives an overview of the requirements and tasks for successfully operating Microsoft
Defender for Office 365 in your organization. These tasks help ensure that your security operations
center (SOC) provides a high-quality, reliable approach to protect, detect, and respond to email and
collaboration-related security threats.

The rest of this guide describes the required activities for SecOps personnel. The activities are
grouped into prescriptive daily, weekly, monthly, and ad-hoc tasks.

A companion article to this guide provides an overview to manage incidents and alerts from
Defender for Office 365 on the Incidents page in the Microsoft 365 Defender portal.

The Microsoft 365 Defender Security Operations Guide contains additional information that you can
use for planning and development.

For a video about this information, see https://youtu.be/eQanpq9N1Ps .

Daily activities

Monitor the Microsoft 365 Defender Incidents queue

The Incidents page in the Microsoft 365 Defender portal at
https://security.microsoft.com/incidents-queue (also known as the Incidents queue) allows you to
manage and monitor events from the following sources in Defender for Office 365:

Alerts.
Automated investigation and response (AIR).

For more information about the Incidents queue, see Prioritize incidents in Microsoft 365 Defender.
Your triage plan for monitoring the Incidents queue should use the following order of precedence
for incidents:

1. A potentially malicious URL click was detected.
2. User restricted from sending email.
3. Suspicious email sending patterns detected.
4. Email reported by user as malware or phish, and Multiple users reported email as malware or phish.
5. Email messages containing malicious file removed after delivery, Email messages containing malicious URL removed after delivery, and Email messages from a campaign removed after delivery.
6. Phish delivered due to an ETR override, Phish delivered because a user's Junk Mail folder is disabled, and Phish delivered due to an IP allow policy.
7. Malware not zapped because ZAP is disabled and Phish not zapped because ZAP is disabled.

Incident queue management and the responsible personas are described in the following table:

Activity: Triage incidents in the Incidents queue at https://security.microsoft.com/incidents-queue.
Cadence: Daily
Description: Verify that all Medium and High severity incidents from Defender for Office 365 are triaged.
Persona: Security Operations Team

Activity: Investigate and take Response actions on incidents.
Cadence: Daily
Description: Investigate all incidents and actively take the recommended or manual response actions.
Persona: Security Operations Team

Activity: Resolve incidents.
Cadence: Daily
Description: If the incident has been remediated, resolve the incident. Resolving the incident resolves all linked and related active alerts.
Persona: Security Operations Team

Activity: Classify incidents.
Cadence: Daily
Description: Classify incidents as true or false. For true alerts, specify the threat type. This classification helps your security team see threat patterns and defend your organization from them.
Persona: Security Operations Team

Manage false positive and false negative detections


In Defender for Office 365, you manage false positives (good mail marked as bad) and false
negatives (bad mail allowed) in the following locations:

The Submissions portal (admin submissions).
The Tenant Allow/Block List.
Threat Explorer.

For more information, see the Manage false positive and false negative detections section later in
this article.

False positive and false negative management and the responsible personas are described in the
following table:

Activity: Submit false positives and false negatives to Microsoft at https://security.microsoft.com/reportsubmission.
Cadence: Daily
Description: Provide signals to Microsoft by reporting incorrect email, URL, and file detections.
Persona: Security Operations Team

Activity: Analyze admin submission details.
Cadence: Daily
Description: Understand the following factors for the submissions you make to Microsoft:
  What caused the false positive or false negative.
  The state of your Defender for Office 365 configuration at the time of the submission.
  Whether you need to make changes to your Defender for Office 365 configuration.
Persona: Security Operations Team; Security Administration

Activity: Add block entries in the Tenant Allow/Block List at https://security.microsoft.com/tenantAllowBlockList.
Cadence: Daily
Description: Use the Tenant Allow/Block List to add block entries for false negative URL, file, or sender detections as needed.
Persona: Security Operations Team

Activity: Release false positive from quarantine.
Cadence: Daily
Description: After the recipient confirms that the message was incorrectly quarantined, you can release or approve release requests for users. To control what users can do to their own quarantined messages (including release or request release), see Quarantine policies.
Persona: Security Operations Team; Messaging Team

Review phishing and malware campaigns that resulted in delivered mail

Activity: Review email campaigns.
Cadence: Daily
Description: Review email campaigns that targeted your organization at https://security.microsoft.com/campaigns. Focus on campaigns that resulted in messages being delivered to recipients. Remove messages from campaigns that exist in user mailboxes. This action is required only when a campaign contains email that hasn't already been remediated by actions from incidents, zero-hour auto purge (ZAP), or manual remediation.
Persona: Security Operations Team

Weekly activities

Review email detection trends in Defender for Office 365 reports

In Defender for Office 365, you can use the following reports to review email detection trends in
your organization:

The Mailflow status report
The Threat Protection status report

Activity: Review email detection reports at:
  https://security.microsoft.com/reports/TPSAggregateReportATP
  https://security.microsoft.com/mailflowStatusReport?viewid=type
Cadence: Weekly
Description: Review email detection trends for malware, phishing, and spam as compared to good email. Observation over time allows you to see threat patterns and determine whether you need to adjust your Defender for Office 365 policies.
Persona: Security Administration; Security Operations Team

Track and respond to emerging threats using Threat analytics

Use Threat analytics to review active, trending threats.

Activity: Review threats in Threat analytics at https://security.microsoft.com/threatanalytics3.
Cadence: Weekly
Description: Threat analytics provides detailed analysis, including the following items:
  IOCs.
  Hunting queries about active threat actors and their campaigns.
  Popular and new attack techniques.
  Critical vulnerabilities.
  Common attack surfaces.
  Prevalent malware.
Persona: Security Operations Team; Threat hunting team

Review top targeted users for malware and phishing

Use the Top targeted users tab in Threat Explorer to discover or confirm the users who are the top
targets for malware and phishing email.

Activity: Review the Top targeted users tab in Threat Explorer at https://security.microsoft.com/threatexplorer.
Cadence: Weekly
Description: Use the information to decide if you need to adjust policies or protections for these users. Add the affected users to Priority accounts to gain the following benefits:
  Additional visibility when incidents affect them.
  Tailored heuristics for executive mail flow patterns (priority account protection).
  Email issues for priority accounts report.
Persona: Security Administration; Security Operations Team

Review top malware and phishing campaigns that target your organization

Campaign Views reveals malware and phishing attacks against your organization. For more
information, see Campaign Views in Microsoft Defender for Office 365.

Activity: Use Campaign Views at https://security.microsoft.com/campaigns to review malware and phishing attacks that affect you.
Cadence: Weekly
Description: Learn about the attacks and techniques and what Defender for Office 365 was able to identify and block. Use Download threat report in Campaign Views for detailed information about a campaign.
Persona: Security Operations Team

Ad-hoc activities

Manual investigation and removal of email

Activity: Investigate and remove bad email in Threat Explorer at https://security.microsoft.com/threatexplorer based on user requests.
Cadence: Ad-hoc
Description: Use the Trigger investigation action in Threat Explorer to start an automated investigation and response playbook on any email from the last 30 days. Manually triggering an investigation saves time and effort by centrally including:
  A root investigation.
  Steps to identify and correlate threats.
  Recommended actions to mitigate those threats.
For more information, see Example: A user-reported phish message launches an investigation playbook.
Or, you can use Threat Explorer to manually investigate email with powerful search and filtering capabilities and take manual response action directly from the same place. Available manual actions:
  Move to Inbox
  Move to Junk
  Move to Deleted items
  Soft delete
  Hard delete
Persona: Security Operations Team

Proactively hunt for threats

Activity: Regular, proactive hunting for threats at:
  https://security.microsoft.com/threatexplorer
  https://security.microsoft.com/v2/advanced-hunting
Cadence: Ad-hoc
Description: Search for threats using Threat Explorer and Advanced hunting.
Persona: Security Operations Team; Threat hunting team

Activity: Share hunting queries.
Cadence: Ad-hoc
Description: Actively share frequently used, useful queries within the security team for faster manual threat hunting and remediation. Use Threat trackers and shared queries in Advanced hunting.
Persona: Security Operations Team; Threat hunting team

Activity: Create custom detection rules at https://security.microsoft.com/custom_detection.
Cadence: Ad-hoc
Description: Create custom detection rules to proactively monitor events, patterns, and threats based on Defender for Office 365 data in Advanced Hunting. Detection rules contain advanced hunting queries that generate alerts based on the matching criteria.
Persona: Security Operations Team; Threat hunting team

Review Defender for Office 365 policy configurations

Activity: Review the configuration of Defender for Office 365 policies at https://security.microsoft.com/configurationAnalyzer.
Cadence: Ad-hoc; Monthly
Description: Use the Configuration analyzer to compare your existing policy settings to the recommended Standard or Strict values for Defender for Office 365. The Configuration analyzer identifies accidental or malicious changes that can lower your organization's security posture. Or you can use the PowerShell-based ORCA tool.
Persona: Security Administration; Messaging Team

Activity: Review detection overrides in Defender for Office 365 at https://security.microsoft.com/reports/TPSMessageOverrideReportATP.
Cadence: Ad-hoc; Monthly
Description: Use the View data by System override > Chart breakdown by Reason view in the Threat Protection status report to review email that was detected as phishing but delivered due to policy or user override settings. Actively investigate, remove, or fine tune overrides to avoid delivery of email that was determined to be malicious.
Persona: Security Administration; Messaging Team

Review spoof and impersonation detections

Activity: Review the Spoof intelligence insight and the Impersonation detection insights at:
  https://security.microsoft.com/spoofintelligence
  https://security.microsoft.com/impersonationinsight
Cadence: Ad-hoc; Monthly
Description: Use the spoof intelligence insight and the impersonation insight to adjust filtering for spoof and impersonation detections.
Persona: Security Administration; Messaging Team

Review priority account membership

Activity: Review who's defined as a priority account at https://security.microsoft.com/securitysettings/userTags.
Cadence: Ad-hoc
Description: Keep the membership of priority accounts current with organizational changes to get the following benefits for those users:
  Better visibility in reports.
  Filtering in incidents and alerts.
  Tailored heuristics for executive mail flow patterns (priority account protection).
Use custom user tags for other users to get:
  Better visibility in reports.
  Filtering in incidents and alerts.
Persona: Security Operations Team

Appendix

Learn about Microsoft Defender for Office 365 tools and processes

Security operations and response team members need to integrate Defender for Office 365 tools
and features into existing investigation and response processes. Learning about new tools and
capabilities can take time, but it's a critical part of the onboarding process. The simplest way for
SecOps and email security team members to learn about Defender for Office 365 is to use the
training content that's available as part of the Ninja training content at https://aka.ms/mdoninja.

The content is structured for different knowledge levels (Fundamentals, Intermediate, and
Advanced) with multiple modules per level.

Short videos for specific tasks are also available in the Microsoft Defender for Office 365 YouTube
channel.

Permissions for Defender for Office 365 activities and tasks


Permissions for managing Defender for Office 365 in the Microsoft 365 Defender portal and
PowerShell are based on the role-based access control (RBAC) permissions model. RBAC is the same
permissions model that's used by most Microsoft 365 services. For more information, see
Permissions in the Microsoft 365 Defender portal.

Note

Privileged Identity Management (PIM) in Azure AD is also a way to assign required permissions
to SecOps personnel. For more information, see Privileged Identity Management (PIM) and
why to use it with Microsoft Defender for Office 365.

The following permissions (roles and role groups) are available in Defender for Office 365 and can
be used to grant access to security team members:

Azure AD roles: Centralized roles that assign permissions for all Microsoft 365 services, including Defender for Office 365. You can view the Azure AD roles and assigned users in the Microsoft 365 Defender portal, but you can't manage them directly there. Instead, you manage Azure AD roles and members at https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators. The most frequent roles used by security teams are:
  Security administrator
  Security operator
  Security reader

Email & collaboration roles: Roles and role groups that grant permission specific to Microsoft Defender for Office 365. The following roles are not available in Azure AD, but can be important for security teams:

  Preview role: Assign this role to team members who need to preview or download email messages as part of investigation activities. Allows users to preview and download email messages in cloud mailboxes using the email entity page.

  By default, this role is assigned only to the following role groups:
    Data Investigator
    eDiscovery Manager

  To assign this role to a new or existing role group, see Modify Email & collaboration role membership in the Microsoft 365 Defender portal.

  Search and Purge role: Approve the deletion of malicious messages as recommended by AIR or take manual action on messages in hunting experiences like Threat Explorer.

  By default, this role is assigned only to the following role groups:
    Data Investigator
    Organization Management

  To assign this role to a new or existing role group, see Modify Email & collaboration role membership in the Microsoft 365 Defender portal.

  Tenant AllowBlockList Manager: Manage allow and block entries in the Tenant Allow/Block List. Blocking URLs, files (using file hash) or senders is a useful response action to take when investigating malicious email that was delivered.

  By default, this role is assigned only to the Security Operator role group. But, members of the Security Administrators and Organization management role groups can also manage entries in the Tenant Allow/Block List.

SIEM/SOAR integration

Defender for Office 365 exposes most of its data through a set of programmatic APIs. These APIs
help you automate workflows and make full use of Defender for Office 365 capabilities. Data is
available through the Microsoft 365 Defender APIs and can be used to integrate Defender for Office
365 into existing SIEM/SOAR solutions.

Incident API: Defender for Office 365 alerts and automated investigations are active parts of
incidents in Microsoft 365 Defender. Security teams can focus on what's critical by grouping
the full attack scope and all impacted assets together.

Event streaming API: Allows shipping of real-time events and alerts into a single data stream
as they happen. Supported Defender for Office 365 event types include:
  EmailEvents
  EmailUrlInfo
  EmailAttachmentInfo
  EmailPostDeliveryEvents

The events contain data from processing all email (including intra-org messages) in the last 30
days.

Advanced Hunting API: Allows cross-product threat hunting.

Threat Assessment API: Can be used to report spam, phishing URLs, or malware attachments
directly to Microsoft.

To connect Defender for Office 365 incidents and raw data with Microsoft Sentinel, you can use the
Microsoft 365 Defender (M365D) connector.

You can use this simple "Hello World" example to test API access to Microsoft Defender APIs: Hello
World for Microsoft 365 Defender REST API.

For more information about SIEM tool integration, see Integrate your SIEM tools with Microsoft 365
Defender.
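As an added example (not code from the article or from Microsoft), the following Python script applies the detection-overrides review listed under the ad-hoc activities to EmailEvents-style records such as the event streaming API ships: it finds Phish and Malware messages that were delivered because of an org-level or user-level allow and groups them by the override that let them through, which is the starting point for deciding which override to remove or narrow. The column names are those of the advanced hunting EmailEvents table; the sample rows, policy names and action values are constructed for the demo and may not match the service's real enumerations.

```python
"""Triage delivered phish/malware that reached mailboxes through an override.

Added example for this guide, not code from Microsoft or the article. The
record shape follows the EmailEvents table exposed by advanced hunting and
the event streaming API (columns such as NetworkMessageId, ThreatTypes,
DeliveryAction, OrgLevelAction, OrgLevelPolicy, UserLevelAction,
UserLevelPolicy). The sample rows and every policy-name and action string
below are constructed for the demo; real enumeration values may differ.
"""
from collections import defaultdict

THREATS = ("Phish", "Malware")  # the verdicts the guide's override review covers

# Constructed EmailEvents-style rows: two transport-rule (ETR) allows, one
# IP allow, one user safe-sender allow, one clean message, one blocked phish.
SAMPLE_EVENTS = [
    {"NetworkMessageId": "msg-001", "SenderFromAddress": "billing@partner.example",
     "RecipientEmailAddress": "ann@contoso.example", "ThreatTypes": "Phish",
     "DeliveryAction": "Delivered", "OrgLevelAction": "Allow",
     "OrgLevelPolicy": "ETR: Allow partner invoices",
     "UserLevelAction": "", "UserLevelPolicy": ""},
    {"NetworkMessageId": "msg-002", "SenderFromAddress": "billing@partner.example",
     "RecipientEmailAddress": "bob@contoso.example", "ThreatTypes": "Phish",
     "DeliveryAction": "Delivered", "OrgLevelAction": "Allow",
     "OrgLevelPolicy": "ETR: Allow partner invoices",
     "UserLevelAction": "", "UserLevelPolicy": ""},
    {"NetworkMessageId": "msg-003", "SenderFromAddress": "news@bulk.example",
     "RecipientEmailAddress": "ann@contoso.example", "ThreatTypes": "Malware",
     "DeliveryAction": "Delivered", "OrgLevelAction": "Allow",
     "OrgLevelPolicy": "Connection filter IP Allow list",
     "UserLevelAction": "", "UserLevelPolicy": ""},
    {"NetworkMessageId": "msg-004", "SenderFromAddress": "ceo@c0ntoso.example",
     "RecipientEmailAddress": "cfo@contoso.example", "ThreatTypes": "Phish",
     "DeliveryAction": "Delivered", "OrgLevelAction": "", "OrgLevelPolicy": "",
     "UserLevelAction": "Allow", "UserLevelPolicy": "Outlook safe sender"},
    {"NetworkMessageId": "msg-005", "SenderFromAddress": "hr@contoso.example",
     "RecipientEmailAddress": "ann@contoso.example", "ThreatTypes": "",
     "DeliveryAction": "Delivered", "OrgLevelAction": "", "OrgLevelPolicy": "",
     "UserLevelAction": "", "UserLevelPolicy": ""},
    {"NetworkMessageId": "msg-006", "SenderFromAddress": "win@lottery.example",
     "RecipientEmailAddress": "bob@contoso.example", "ThreatTypes": "Phish",
     "DeliveryAction": "Blocked", "OrgLevelAction": "Quarantine",
     "OrgLevelPolicy": "Anti-phishing default",
     "UserLevelAction": "", "UserLevelPolicy": ""},
]


def override_reason(event):
    """Return why a detected threat was delivered anyway, or None.

    None means the row is not a delivered Phish/Malware message, so it is
    outside the detection-overrides review described in the guide.
    """
    threats = {t.strip() for t in event.get("ThreatTypes", "").split(",") if t.strip()}
    if not threats & set(THREATS) or event.get("DeliveryAction") != "Delivered":
        return None
    # An org-level allow (transport rule, IP allow list, allow entry) is
    # reported ahead of a user-level one; the policy name says what to tune.
    if event.get("OrgLevelAction") == "Allow":
        return "Org override: " + (event.get("OrgLevelPolicy") or "unknown policy")
    if event.get("UserLevelAction") == "Allow":
        return "User override: " + (event.get("UserLevelPolicy") or "unknown setting")
    # Delivered with no recorded allow: the verdict usually arrived after
    # delivery, so this is a ZAP / manual remediation case, not override tuning.
    return "Delivered without recorded override"


def summarize_overrides(events):
    """Group delivered threats by override reason, most frequent first.

    Each entry carries the message count, distinct senders and message IDs:
    what you need to decide whether to remove or narrow an override.
    """
    buckets = defaultdict(lambda: {"count": 0, "senders": set(), "messages": []})
    for ev in events:
        reason = override_reason(ev)
        if reason is None:
            continue
        bucket = buckets[reason]
        bucket["count"] += 1
        bucket["senders"].add(ev["SenderFromAddress"])
        bucket["messages"].append(ev["NetworkMessageId"])
    return sorted(buckets.items(), key=lambda kv: (-kv[1]["count"], kv[0]))


if __name__ == "__main__":
    for reason, info in summarize_overrides(SAMPLE_EVENTS):
        print(f"{info['count']:>3}  {reason}  senders={sorted(info['senders'])}")
```

On real data, replace SAMPLE_EVENTS with rows exported from the event stream or an advanced hunting query over EmailEvents, then cross-check each bucket against the Chart breakdown by Reason view in the Threat Protection status report before changing a policy.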

Address false positives and false negatives in Defender for Office 365

User reported messages and admin submissions of email messages are critical positive
reinforcement signals for our machine learning detection systems. Submissions help us review,
triage, rapidly learn, and mitigate attacks. Actively reporting false positives and false negatives is an
important activity that provides feedback to Defender for Office 365 when mistakes are made
during detection.

Organizations have multiple options for configuring user reported messages. Depending on the
configuration, security teams might have more active involvement when users submit false positives
or false negatives to Microsoft:

User reported messages are sent to Microsoft for analysis when the user reported
message settings are configured with either of the following settings:
  Send the reported messages to: Microsoft only.
  Send the reported messages to: Microsoft and my reporting mailbox.

Security team members should make ad-hoc admin submissions when the operations teams
discover false positives or false negatives that were not reported by users.

When user reported messages are configured to send messages only to the organization's
mailbox, security teams should actively send user-reported false positives and false negatives
to Microsoft via admin submissions.

Whenever a user reports a message as phishing, Defender for Office 365 generates an alert and the
alert will trigger an AIR playbook. Incident logic will correlate this information to other alerts and
events where possible. This consolidation of information helps security teams triage, investigate,
and respond to user reported messages.

User reported messages and admin submissions are handled by the submission pipeline by
Microsoft, which follows a tightly integrated process. This process includes:

Noise reduction.
Automated triage.
Grading by security analysts and human-partnered machine learning-based solutions.

For more information, see Reporting an email in Defender for Office 365 - Microsoft Tech
Community.

Security team members can do submissions from multiple locations in the Microsoft 365 Defender
portal at https://security.microsoft.com:

Admin submission: Use the Submissions portal to submit suspected spam, phishing, URLs, and
files to Microsoft.

Directly from Threat Explorer using one of the following message actions:
Report clean
Report phishing
Report malware
Report spam

You can select up to 10 messages to perform a bulk submission. Admin submissions created
this way are also visible in the Submissions portal.

For the short-term mitigation of false negatives, security teams can directly manage block entries
for files, URLs, and domains or email addresses in the Tenant Allow/Block List.

For the short-term mitigation of false positives, security teams can't directly manage allow entries
for domains and email addresses in the Tenant Allow/Block List. Instead, they need to use admin
submissions to report the email message as a false positive. For instructions, see Use the Microsoft
365 Defender portal to create allow entries for domains and email addresses in the Submissions
portal.

Quarantine in Defender for Office 365 holds potentially dangerous or unwanted messages and files.
Security teams can view, release, and delete all types of quarantined messages for all users. This
capability enables security teams to respond effectively when a false positive message or file is
quarantined.

Integrate third-party reporting tools with Defender for Office 365 user reported messages

If your organization uses a third-party reporting tool that allows users to internally report suspicious
email, you can integrate the tool with the user reported message capabilities of Defender for Office
365. This integration provides the following benefits to security teams:

Integration with the AIR capabilities of Defender for Office 365.
Simplified triage.
Reduced investigation and response time.

Designate the reporting mailbox where user reported messages are sent on the User reported page
in the Microsoft 365 Defender portal at
https://security.microsoft.com/securitysettings/userSubmission . For more information, see user
reported message settings.

Note

The reporting mailbox must be an Exchange Online mailbox.
The third-party reporting tool must include the original reported message as an
uncompressed .EML or .MSG attachment in the message that's sent to the reporting
mailbox (don't just forward the original message to the reporting mailbox).
The reporting mailbox requires specific prerequisites to allow potentially bad messages to
be delivered without being filtered or altered. For more information, see Configuration
requirements for the reporting mailbox.

When a user reported message arrives in the reporting mailbox, Defender for Office 365
automatically generates the alert named Email reported by user as malware or phish. This alert
launches an AIR playbook. The playbook performs a series of automated investigation steps:

Gather data about the specified email.
Gather data about the threats and entities related to that email. Entities can include files, URLs,
and recipients.
Provide recommended actions for the SecOps team to take based on the investigation
findings.

Email reported by user as malware or phish alerts, automated investigations and their
recommended actions are automatically correlated to incidents in Microsoft 365 Defender. This
correlation further simplifies the triage and response process for security teams. If multiple users
report the same or similar messages, all of the users and messages are correlated into the same
incident.

Data from alerts and investigations in Defender for Office 365 is automatically compared to alerts
and investigations in the other Microsoft 365 Defender products:

Microsoft Defender for Endpoint
Microsoft Defender for Cloud Apps
Microsoft Defender for Identity

If a relationship is discovered, the system creates an incident that gives visibility for the entire
attack.
Configure your Microsoft 365 tenant for increased security
Article • 12/22/2022

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Every organization needs security; the specifics depend on your business.

This topic will walk you through the manual configuration of tenant-wide settings that
affect the security of your Microsoft 365 environment. Use these recommendations as a
starting point.

Tune threat management policies in the Microsoft 365 Defender portal

The Microsoft 365 Defender portal has capabilities for both protection and reporting. It
has dashboards you can use to monitor and take action when threats arise.

Keep in mind that some areas come with default policy configurations. Some areas do
not include default policies or rules.

For example, the recommended setup of Microsoft Defender for Office 365 (plan 1 and
plan 2) is described by this handy step-by-step guide, right here: 'Ensuring you always
have the optimal security'. But, even so, some admins opt for a more hands-on
approach to this product.

To automate your setup of Microsoft Defender for Office 365 visit the Standard and
Strict policies under Email & collaboration > Policies & rules > Threat policies to tune
threat management settings for a more secure environment.

Area: Anti-phishing
Default policy? Yes
Recommendation: Configure the default anti-phishing policy as described here: Configure anti-phishing protection settings in EOP and Defender for Office 365.
More information:
  Anti-phishing policies in Microsoft 365
  Recommended anti-phishing policy settings in Microsoft Defender for Office 365
  Impersonation insight
  Spoof intelligence insight in EOP
  Manage the Tenant Allow/Block List

Area: Anti-Malware Engine
Default policy? Yes
Recommendation: Configure the default anti-malware policy as described here: Configure anti-malware protection settings in EOP.
More information:
  Anti-malware protection
  Recommended anti-malware policy settings
  Configure anti-malware policies

Area: Safe Attachments in Defender for Office 365
Default policy? No
Recommendation: Configure the global settings for Safe Attachments and create a Safe Attachments policy as described here: Configure Safe Attachments settings in Microsoft Defender for Office 365.
More information:
  Recommended Safe Attachments settings
  Safe Attachments in Microsoft Defender for Office 365
  Set up Safe Attachments policies
  Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
  Safe Documents in Microsoft 365 E5

Area: Safe Links in Microsoft Defender for Office 365
Default policy? No
Recommendation: Create a Safe Links policy as described here: Configure Safe Links settings in Microsoft Defender for Office 365.
More information:
  Recommended Safe Links settings
  Set up Safe Links policies
  Safe Links in Microsoft Defender for Office 365

Area: Anti-spam (mail filtering)
Default policy? Yes
Recommendation: Configure the default anti-spam policy as described here: Configure anti-spam protection settings in EOP.
More information:
  Recommended anti-spam policy settings
  Anti-spam protection in EOP
  Configure anti-spam policies in EOP

Area: Email Authentication
Default policy? Yes
Recommendation: Email authentication uses DNS records to add verifiable information to email messages about the message source and sender. Microsoft 365 automatically configures email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also configure email authentication for custom domains. Three authentication methods are used:
  Sender Policy Framework (SPF). For setup, see Set up SPF in Microsoft 365 to help prevent spoofing.
  DomainKeys Identified Mail (DKIM). See Use DKIM to validate outbound email sent from your custom domain. After you've configured DKIM, enable it in the Microsoft 365 Defender portal.
  Domain-based Message Authentication, Reporting, and Conformance (DMARC). For DMARC setup, see Use DMARC to validate email in Microsoft 365.
  Authenticated Received Chain (ARC) in Microsoft 365 Defender for Office. List your Trusted ARC sealers so legitimate intermediaries will be trusted even if they modify mail.

Note

For non-standard deployments of SPF, hybrid deployments, and troubleshooting:
How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing.

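As an added example (not code from the article or from Microsoft), the following Python script parses the SPF and DMARC TXT records that the Email Authentication row tells you to publish and reports the gaps a security administrator would want to close: a missing record, an SPF record that does not end in -all, a DMARC policy still at p=none, a partial pct, or no rua reporting address. It covers SPF and DMARC only, since checking DKIM requires knowing the selector names; the records below are constructed for the demo.

```python
"""Check SPF and DMARC records for the custom domains you authenticate.

Added example, not Microsoft's code. It parses the standard SPF (RFC 7208)
and DMARC (RFC 7489) record syntax and lists configuration gaps. The record
strings below are constructed; in practice, feed it the TXT records you
resolve for <domain> and _dmarc.<domain>.
"""

# Constructed TXT records keyed by the DNS name they would be published under.
SAMPLE_RECORDS = {
    "contoso.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.contoso.example": ["v=DMARC1; p=none; rua=mailto:dmarc@contoso.example"],
    "fabrikam.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.fabrikam.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:r@fabrikam.example"],
    "tailspin.example": [],  # no SPF record at all, and no _dmarc name either
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt_records):
    """Return (terms, qualifier of the 'all' mechanism) or (None, None).

    More than one v=spf1 record is a permanent error under RFC 7208, so it
    is treated the same as having none.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None, None
    terms = spf[0].split()[1:]
    all_qual = None
    for term in terms:
        if term.lstrip("+-~?").lower() == "all":
            qual = term[0] if term[0] in SPF_QUALIFIERS else "+"  # default is pass
            all_qual = SPF_QUALIFIERS[qual]
    return terms, all_qual


def parse_dmarc(txt_records):
    """Return the DMARC tag dict (lower-cased tag names), or None if absent."""
    dmarc = [r for r in txt_records if r.strip().upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, records):
    """List findings for one domain; an empty list means SPF and DMARC enforce."""
    findings = []
    terms, all_qual = parse_spf(records.get(domain, []))
    if terms is None:
        findings.append("SPF: no single valid v=spf1 record")
    elif all_qual != "fail":
        findings.append(
            f"SPF: ends with {all_qual or 'no all mechanism'}, so unlisted "
            "senders are not hard-failed"
        )
    tags = parse_dmarc(records.get(f"_dmarc.{domain}", []))
    if tags is None:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
        return findings
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} only monitors; failures are still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports are received")
    return findings


if __name__ == "__main__":
    for name in ("contoso.example", "fabrikam.example", "tailspin.example"):
        print(name, assess_domain(name, SAMPLE_RECORDS) or ["ok"])
```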
View dashboards and reports in the Microsoft 365 Defender portal

Browse to security.microsoft.com. The menu of Microsoft 365 Defender is divided into
sections that begin, in order, Home, Email & Collaboration, Cloud Apps, and Reports
(you may see some or all of these depending on your Plan). You're looking for Reports.

1. Browse to security.microsoft.com.
2. Click Reports on the menu.
   a. Here you can view information about security trends and track the protection
      status of your identities, data, devices, apps, and infrastructure.

The data in these reports will become richer as your organization uses Office 365
services; keep that in mind if you are in pilot or testing. For now, be familiar with what
you can monitor and take action on.

Inside each report, you'll see cards for the specific areas monitored.

1. Click the Email & Collaboration reports.
2. Take note of the report cards available.
   a. Everything from Malware detected in email and Spam detections to Compromised
      users, User reported messages, and Submissions (the final two have a button
      that links to Submissions).
3. Click a report, for example Mailflow status summary, and then click the View details
   button to dig into the data (which even includes a funnel view for easier
   interpretation of total mail flow vs. blocked, spam, and phishing emails, and more).

Dashboard: Security reports
Description: Identities and device security reports such as users and devices with malware detections, device compliance, and users at risk.

Dashboard: Defender for Office 365 reports
Description: The reports are available only in Defender for Office 365. For more information, see View Defender for Office 365 reports in the Microsoft 365 Defender portal.

Dashboard: Mail flow reports and insights
Description: These reports and insights are available in the Exchange admin center (EAC). For more information, see Mail flow reports and Mail flow insights.

Dashboard: Threat Explorer (or real-time detections)
Description: If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.

Configure additional Exchange Online tenant-wide settings

Here are a couple of additional settings that are recommended.

Area: Mail flow rules (also known as transport rules)
Recommendation: Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see Use mail flow rules to inspect message attachments in Exchange Online.
See these additional topics:
  Protect against ransomware
  Malware and Ransomware Protection in Microsoft 365
  Recover from a ransomware attack in Office 365
Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see Mitigating Client External Forwarding Rules with Secure Score.
More information: Mail flow rules (transport rules) in Exchange Online

Area: Modern authentication
Recommendation: Modern authentication is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email.
See these topics:
  Enable or disable modern authentication in Exchange Online
  Skype for Business Online: Enable your tenant for modern authentication
Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business.
More information: How modern authentication works for Office 2013 and Office 2016 client apps

Configure tenant-wide sharing policies in SharePoint admin center

Microsoft provides recommendations for configuring SharePoint team sites at increasing levels of
protection, starting with baseline protection. For more information, see Policy
recommendations for securing SharePoint sites and files.

SharePoint team sites configured at the baseline level allow sharing files with external
users by using anonymous access links. This approach is recommended instead of
sending files in email.

To support the goals for baseline protection, configure tenant-wide sharing policies as
recommended here. Sharing settings for individual sites can be more restrictive than this
tenant-wide policy, but not more permissive.

Area: Sharing (SharePoint Online and OneDrive for Business)
Includes a default policy? Yes
Recommendation: External sharing is enabled by default. These settings are recommended:
  Allow sharing to authenticated external users and using anonymous access links (default setting).
  Anonymous access links expire in this many days. Enter a number, if desired, such as 30 days.
  Default link type: select Internal (people in the organization only). Users who wish to share using anonymous links must choose this option from the sharing menu.
More information: External sharing overview

SharePoint admin center and OneDrive for Business admin center include the same
settings. The settings in either admin center apply to both.

Configure settings in Azure Active Directory
Be sure to visit these two areas in Azure Active Directory to complete tenant-wide setup
for more secure environments.

Configure named locations (under conditional access)

If your organization includes offices with secure network access, add the trusted IP
address ranges to Azure Active Directory as named locations. This feature helps reduce
the number of reported false positives for sign-in risk events.

See: Named locations in Azure Active Directory

Block apps that don't support modern authentication

Multi-factor authentication requires apps that support modern authentication. Apps that
do not support modern authentication cannot be blocked by using conditional access
rules.

For secure environments, be sure to disable authentication for apps that do not support
modern authentication. You can do this in Azure Active Directory with a control that is
coming soon.

In the meantime, use one of the following methods to accomplish this for SharePoint
Online and OneDrive for Business:

Use PowerShell. See Block apps that do not use modern authentication.
Configure this in the SharePoint admin center on the "device access" page: "Control access from apps that don't use modern authentication." Choose Block.

Get started with Defender for Cloud Apps or Office 365 Cloud App Security
Use Office 365 Cloud App Security to evaluate risk, to alert on suspicious activity, and to
automatically take action. Requires Office 365 E5 plan.

Or, use Microsoft Defender for Cloud Apps to obtain deeper visibility even after access
is granted, comprehensive controls, and improved protection for all your cloud
applications, including Office 365.

Because this solution recommends the EMS E5 plan, we recommend you start with
Defender for Cloud Apps so you can use this with other SaaS applications in your
environment. Start with default policies and settings.

More information:

Deploy Defender for Cloud Apps
More information about Microsoft Defender for Cloud Apps
What is Defender for Cloud Apps?

Additional resources
These articles and guides provide additional prescriptive information for securing your
Microsoft 365 environment:

Microsoft security guidance for political campaigns, nonprofits, and other agile organizations (you can use these recommendations in any environment, especially cloud-only environments)
Recommended security policies and configurations for identities and devices (these recommendations include help for AD FS environments)
Security recommendations for priority accounts in Microsoft 365
Article • 12/09/2022 • 6 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Not all user accounts have access to the same company information. Some accounts
have access to sensitive information, such as financial data, product development
information, partner access to critical build systems, and more. If compromised,
accounts that have access to highly confidential information pose a serious threat. We
call these types of accounts priority accounts. Priority accounts include (but aren't limited
to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more.

For attackers, ordinary phishing attacks that cast a random net for ordinary or unknown
users are inefficient. On the other hand, spear phishing or whaling attacks that target
priority accounts are very rewarding for attackers. So, priority accounts require stronger
than ordinary protection to help prevent account compromise.

Microsoft 365 and Microsoft Defender for Office 365 contain several key features that
provide additional layers of security for your priority accounts. This article describes
these capabilities and how to use them.

Tasks (the table in the original article also shows availability per plan: All Office 365 Enterprise plans, Microsoft 365 E3, Microsoft 365 E5):

Increase sign-in security for priority accounts
Use Strict preset security policies for priority accounts
Apply user tags to priority accounts
Monitor priority accounts in alerts, reports, and detections
Train users

Note

For information about securing privileged accounts (admin accounts), see this topic.

Increase sign-in security for priority accounts
Priority accounts require increased sign-in security. You can increase their sign-in
security by requiring multi-factor authentication (MFA) and disabling legacy
authentication protocols.

For instructions, see Step 1. Increase sign-in security for remote workers with MFA.
Although this article is about remote workers, the same concepts apply to priority users.

Note: We strongly recommend that you globally disable legacy authentication protocols
for all priority users as described in the previous article. If your business requirements
prevent you from doing so, Exchange Online offers the following controls to help limit
the scope of legacy authentication protocols:

You can use authentication policies and Client Access Rules in Exchange Online to
block or allow Basic authentication and legacy authentication protocols like POP3,
IMAP4, and authenticated SMTP for specific users.

You can disable POP3 and IMAP4 access on individual mailboxes. You can disable
authenticated SMTP at the organizational level and enable it on specific mailboxes
that still require it. For instructions, see the following articles:
Enable or Disable POP3 or IMAP4 access for a user
Enable or disable authenticated client SMTP submission (SMTP AUTH)
It's also worth noting that Basic authentication is in the process of being deprecated in
Exchange Online for Exchange Web Services (EWS), Exchange ActiveSync, POP3, IMAP4,
and remote PowerShell. For details, see this blog post.
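The controls listed above, applied from Exchange Online PowerShell, as an added example that is not part of the article: it assumes an existing Connect-ExchangeOnline session, and the account addresses and the policy name are constructed.

```powershell
# Added example (not from the article): scope legacy authentication for priority
# accounts using the Exchange Online controls the text lists. Assumes an existing
# Connect-ExchangeOnline session. Addresses and the policy name are constructed.

$priorityAccounts = @('ceo@contoso.com', 'cfo@contoso.com')   # constructed sample
$policyName       = 'Block Basic Auth - priority accounts'      # constructed name

# 1. Authentication policy. New-AuthenticationPolicy with only -Name creates a
#    policy in which every AllowBasicAuth* switch is off, i.e. Basic auth is
#    blocked for every protocol (POP3, IMAP4, SMTP AUTH, EWS, ActiveSync, ...).
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

foreach ($upn in $priorityAccounts) {
    # Bind the policy per account rather than tenant-wide: this is the
    # "specific users" scoping the text describes.
    Set-User -Identity $upn -AuthenticationPolicy $policyName

    # Policy changes can take up to 24 hours to propagate; resetting the refresh
    # token validity start makes the new policy take effect immediately.
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

    # 2. Disable POP3 and IMAP4 on the mailbox itself, so the protocols stay off
    #    even if the authentication policy is later relaxed.
    Set-CASMailbox -Identity $upn -PopEnabled $false -ImapEnabled $false
}

# 3. Authenticated SMTP: turn it off for the whole organization ...
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# ... and re-enable it only on the mailboxes that still need it, for example a
# scan-to-email device (constructed mailbox).
Set-CASMailbox -Identity 'mfp-scanner@contoso.com' -SmtpClientAuthenticationDisabled $false

# 4. Verification: confirm the per-account state after the changes.
$priorityAccounts | ForEach-Object { Get-User -Identity $_ } |
    Format-Table -AutoSize UserPrincipalName, AuthenticationPolicy
$priorityAccounts | ForEach-Object { Get-CASMailbox -Identity $_ } |
    Format-Table -AutoSize Name, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
```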

Use Strict preset security policies for priority accounts
Priority users require more stringent actions for the various protections that are
available in Exchange Online Protection (EOP) and Defender for Office 365.

For example, instead of delivering messages that were classified as spam to the Junk
Email folder, you should quarantine those same messages if they're intended for priority
accounts.

You can implement this stringent approach for priority accounts by using the Strict
profile in preset security policies.

Preset security policies are a convenient and central location to apply our recommended
Strict policy settings for all of the protections in EOP and Defender for Office 365. For
more information, see Preset security policies in EOP and Microsoft Defender for Office
365.

For details about how the Strict policy settings differ from the default and Standard
policy settings, see Recommended settings for EOP and Microsoft Defender for Office
365 security.

Apply user tags to priority accounts
User tags in Microsoft Defender for Office 365 Plan 2 (as part of Microsoft 365 E5 or an
add-on subscription) are a way to quickly identify and classify specific users or groups of
users in reports and incident investigations.

Priority accounts is a type of built-in user tag (known as a system tag) that you can use
to identify incidents and alerts that involve priority accounts. For more information
about priority accounts, see Manage and monitor priority accounts.

You can also create custom tags to further identify and classify your priority accounts.
For more information, see User tags. You can manage priority accounts (system tags) in
the same interface as custom user tags.
Monitor priority accounts in alerts, reports, and detections
After you secure and tag your priority users, you can use the available reports, alerts,
and investigations in EOP and Defender for Office 365 to quickly identify incidents or
detections that involve priority accounts. The features that support user tags are
described in the following table.

Feature: Alerts
Description: The user tags of affected users are visible and available as filters on the Alerts page in the Microsoft 365 Defender portal. For more information, see Viewing alerts.

Feature: Explorer / Real-time detections
Description: In Explorer (Defender for Office 365 Plan 2) or Real-time detections (Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see Tags in Explorer.

Feature: Campaign Views
Description: User tags are one of many filterable properties in Campaign Views in Microsoft Defender for Office 365 Plan 2. For more information, see Campaign Views.

Feature: Threat protection status report
Description: In virtually all of the views and detail tables in the Threat protection status report, you can filter the results by priority accounts. For more information, see Threat protection status report.

Feature: Email issues for priority accounts report
Description: The Email issues for priority accounts report in the Exchange admin center (EAC) contains information about undelivered and delayed messages for priority accounts. For more information, see Email issues for priority accounts report.

Train users
Training users with priority accounts can help save those users and your security
operations team much time and frustration. Savvy users are less likely to open
attachments or click links in questionable email messages, and they are more likely to
avoid suspicious websites.

The Harvard Kennedy School Cybersecurity Campaign Handbook provides excellent guidance for establishing a strong culture of security awareness within your organization, including training users to identify phishing attacks.

Microsoft 365 provides the following resources to help inform users in your
organization:
Concept: Microsoft 365
Resources: Customizable learning pathways
Description: These resources can help you put together training for users in your organization.

Concept: Microsoft 365 security
Resources: Learning module: Secure your organization with built-in, intelligent security from Microsoft 365
Description: This module enables you to describe how Microsoft 365 security features work together and to articulate the benefits of these security features.

Concept: Multi-factor authentication
Resources: Two-step verification: What is the additional verification page?
Description: This article helps end users understand what multi-factor authentication is and why it's being used at your organization.

Concept: Attack simulation training
Resources: Get started using Attack simulation training
Description: Attack simulation training in Microsoft Defender for Office 365 Plan 2 allows admins to configure, launch, and track simulated phishing attacks against specific groups of users.

In addition, Microsoft recommends that users take the actions described in this article: Protect your account and devices from hackers and malware. These actions include:

Using strong passwords
Protecting devices
Enabling security features on Windows and Mac PCs (for unmanaged devices)

See also
Announcing Priority Account Protection in Microsoft Defender for Office 365
Anti-malware protection in EOP
Article • 12/22/2022 • 8 minutes to read


Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:

Viruses that infect other programs and data, and spread through your computer or
network looking for programs to infect.
Spyware that gathers your personal information, such as sign-in information and
personal data, and sends it back to its author.
Ransomware that encrypts your data and demands payment to decrypt it. Anti-
malware software doesn't help you decrypt encrypted files, but it can detect the
malware payload that's associated with the ransomware.

EOP offers multi-layered malware protection that's designed to catch all known malware
in Windows, Linux, and Mac that travels into or out of your organization. The following
options help provide anti-malware protection:

Layered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.
Real-time threat response: During some outbreaks, the anti-malware team may
have enough information about a virus or other form of malware to write
sophisticated policy rules that detect the threat, even before a definition is
available from any of the scan engines used by the service. These rules are
published to the global network every 2 hours to provide your organization with
an extra layer of protection against attacks.
Fast anti-malware definition deployment: The anti-malware team maintains close
relationships with partners who develop anti-malware engines. As a result, the
service can receive and integrate malware definitions and patches before they're
publicly released. Our connection with these partners often allows us to develop
our own remedies as well. The service checks for updated definitions for all anti-
malware engines every hour.

In EOP, messages that are found to contain malware in any attachments are
quarantined. Whether the recipients can view or otherwise interact with the quarantined
messages is controlled by quarantine policies. By default, messages that were
quarantined due to malware can only be viewed and released by admins. For more
information, see the following topics:

Quarantine policies
Manage quarantined messages and files as an admin in EOP.

For more information about anti-malware protection, see the Anti-malware protection
FAQ.

To configure anti-malware policies, see Configure anti-malware policies.

To submit malware to Microsoft, see Report messages and files to Microsoft.

Anti-malware policies
Anti-malware policies control the settings and notification options for malware
detections. The important settings in anti-malware policies are:

Recipient filters: For custom anti-malware policies, you can specify recipient
conditions and exceptions that determine who the policy applies to. You can use
these properties for conditions and exceptions:
Users
Groups
Domains

You can only use a condition or exception once, but the condition or exception can
contain multiple values. Multiple values of the same condition or exception use OR
logic (for example, <recipient1> or <recipient2>). Different conditions or
exceptions use AND logic (for example, <recipient1> and <member of group 1>).
Important

Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied only to those recipients that match all of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com only if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

Enable the common attachments filter: There are certain types of files that you
really shouldn't send via email (for example, executable files). Why bother scanning
these types of files for malware, when you should probably block them all,
anyway? That's where the common attachments filter comes in. The file types that
you specify are automatically treated as malware.

The default file types: ace, apk, app, appx, ani, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z.

Additional predefined file types that you can select from in the Microsoft 365 Defender portal*: 7z, 7zip, a, accdb, accde, action, ade, adp, appxbundle, asf, asp, aspx, avi, bin, bundle, bz, bz2, bzip2, cab, caction, cer, chm, command, cpl, crt, csh, css, der, dgz, dmg, doc, docx, dot, dotm, dtox, dylib, font, gz, gzip, hlp, htm, html, imp, inf, ins, ipa, isp, its, jnlp, js, jse, ksh, lqy, mad, maf, mag, mam, maq, mar, mas, mat, mav, maw, mda, mdb, mde, mdt, mdw, mdz, mht, mhtml, mscompress, msh, msh1, msh1xml, msh2, msh2xml, mshxml, msixbundle, o, obj, odp, ods, odt, one, onenote, ops, package, pages, pbix, pdb, pdf, php, pkg, plugin, pps, ppsm, ppsx, ppt, pptm, pptx, prf, prg, ps1, ps1xml, ps2, ps2xml, psc1, psc2, pst, pub, py, rar, rpm, rtf, scpt, service, sh, shb, shtm, shx, so, tar, tarz, terminal, tgz, tool, url, vhd, vsd, vsdm, vsdx, vsmacros, vss, vssx, vst, vstm, vstx, vsw, workflow, ws, xhtml, xla, xlam, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, zi, zip, zipx.

* You can enter any text value in the Defender portal or using the FileTypes parameter in the New-MalwareFilterPolicy or Set-MalwareFilterPolicy cmdlets in Exchange Online PowerShell.

The common attachments filter uses best-effort true-typing to detect the file type regardless of the filename extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.

When these file types are found: When files are detected by the common attachments filter, you can choose to Reject the message with a non-delivery report (NDR) or Quarantine the message.

Zero-hour auto purge (ZAP) for malware: ZAP for malware quarantines messages
that are found to contain malware after they've been delivered to Exchange Online
mailboxes. By default, ZAP for malware is turned on, and we recommend that you
leave it on.

Quarantine policy: Select the quarantine policy that applies to messages that are
quarantined as malware. Quarantine policies define what users are able to do to
quarantined messages, and whether users receive quarantine notifications. By
default, recipients don't receive notifications for messages that were quarantined
as malware. For more information, see Quarantine policies.

Admin notifications: You can specify an additional recipient (an admin) to receive
notifications for malware detected in messages from internal or external senders.
You can customize the From address, subject, and message text for internal and
external notifications.

Note

Admin notifications are sent only for attachments that are classified as malware.

The quarantine policy that's assigned to the anti-malware policy determines whether recipients receive email notifications for messages that were quarantined as malware.

Priority: If you create multiple custom anti-malware policies, you can specify the
order that they're applied. No two policies can have the same priority, and policy
processing stops after the first policy is applied.

For more information about the order of precedence and how multiple policies are
evaluated and applied, see Order and precedence of email protection.

Anti-malware policies in the Microsoft 365 Defender portal vs PowerShell
The basic elements of an anti-malware policy are:

The malware filter policy: Specifies the recipient notification, sender and admin
notification, ZAP, and the common attachments filter settings.
The malware filter rule: Specifies the priority and recipient filters (who the policy
applies to) for a malware filter policy.

The difference between these two elements isn't obvious when you manage anti-
malware policies in the Microsoft 365 Defender portal:

When you create an anti-malware policy, you're actually creating a malware filter
rule and the associated malware filter policy at the same time using the same
name for both.
When you modify an anti-malware policy, settings related to the name, priority,
enabled or disabled, and recipient filters modify the malware filter rule. Other
settings (recipient notification, sender and admin notification, ZAP, and the
common attachments filter) modify the associated malware filter policy.
When you remove an anti-malware policy, the malware filter rule and the
associated malware filter policy are removed.

In Exchange Online PowerShell or standalone EOP PowerShell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the *-MalwareFilterPolicy cmdlets, and you manage malware filter rules by using the *-MalwareFilterRule cmdlets.

In PowerShell, you create the malware filter policy first, then you create the
malware filter rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the malware filter policy and the malware
filter rule separately.
When you remove a malware filter policy from PowerShell, the corresponding
malware filter rule isn't automatically removed, and vice versa.

Default anti-malware policy
Every organization has a built-in anti-malware policy named Default that has these
properties:

The policy is applied to all recipients in the organization, even though there's no
malware filter rule (recipient filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is
always applied last). Any custom anti-malware policies that you create always have
a higher priority than the policy named Default.
The policy is the default policy (the IsDefault property has the value True), and you can't delete the default policy.
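An added audit script (not from the article) that makes the policy/rule pairing and the Default policy's properties visible from PowerShell, and flags the orphaned rules or policies that separate removal leaves behind. It assumes only an existing Exchange Online or standalone EOP PowerShell session and the *-MalwareFilterPolicy and *-MalwareFilterRule cmdlets named above.

```powershell
# Added example (not from the article): audit malware filter policies and rules.
# Assumes an existing Connect-ExchangeOnline (or standalone EOP PowerShell) session.

function Get-MalwareFilterAudit {
    $policies = @(Get-MalwareFilterPolicy)
    $rules    = @(Get-MalwareFilterRule)

    foreach ($policy in $policies) {
        # A rule refers to its policy by name; compare as strings to avoid a
        # type-specific comparison against the identity object.
        $rule = $rules | Where-Object { "$($_.MalwareFilterPolicy)" -eq $policy.Name }

        $findings = @()
        if ($policy.IsDefault) {
            # Expected shape: no rule, priority Lowest, applied to everyone.
            if ($rule) { $findings += 'default policy unexpectedly has a rule' }
        } elseif (-not $rule) {
            # A custom policy with no rule is what Remove-MalwareFilterRule leaves
            # behind: no recipient filter routes anyone to it.
            $findings += 'custom policy has no rule (not applied to any recipient)'
        } elseif ($rule.State -ne 'Enabled') {
            $findings += 'rule is disabled'
        }
        if (-not $policy.ZapEnabled)       { $findings += 'ZAP for malware is off (recommended on)' }
        if (-not $policy.EnableFileFilter) { $findings += 'common attachments filter is off' }
        if (-not $policy.QuarantineTag -or $policy.QuarantineTag -eq 'AdminOnlyAccessPolicy') {
            $findings += 'AdminOnlyAccessPolicy in use: recipients get no quarantine notification'
        }

        [pscustomobject]@{
            Policy         = $policy.Name
            IsDefault      = $policy.IsDefault
            Rule           = if ($rule) { $rule.Name } else { '(none)' }
            Priority       = if ($policy.IsDefault) { 'Lowest' } elseif ($rule) { $rule.Priority } else { '-' }
            ZapEnabled     = $policy.ZapEnabled
            FileFilter     = $policy.EnableFileFilter
            FileTypeAction = $policy.FileTypeAction
            QuarantineTag  = $policy.QuarantineTag
            Findings       = ($findings -join '; ')
        }
    }

    # The reverse case: a rule whose policy no longer exists, which is what
    # Remove-MalwareFilterPolicy leaves behind.
    foreach ($rule in $rules) {
        $policyName = "$($rule.MalwareFilterPolicy)"
        if (-not ($policies | Where-Object { $_.Name -eq $policyName })) {
            [pscustomobject]@{
                Policy         = $policyName
                IsDefault      = $false
                Rule           = $rule.Name
                Priority       = $rule.Priority
                ZapEnabled     = $null
                FileFilter     = $null
                FileTypeAction = $null
                QuarantineTag  = $null
                Findings       = 'rule points at a policy that does not exist'
            }
        }
    }
}

# Custom policies first, the Default policy last, mirroring evaluation order.
Get-MalwareFilterAudit | Sort-Object IsDefault | Format-Table -AutoSize
```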
Configure anti-malware policies in EOP
Article • 01/09/2023 • 18 minutes to read


Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. EOP uses anti-malware policies for malware protection settings. For more information, see Anti-malware protection.

Admins can view, edit, and configure (but not delete) the default anti-malware policy to
meet the needs of their organizations. For greater granularity, you can also create
custom anti-malware policies that apply to specific users, groups, or domains in your
organization. Custom policies always take precedence over the default policy, but you
can change the priority (running order) of your custom policies.

You can configure anti-malware policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes
in Exchange Online; standalone EOP PowerShell for organizations without Exchange
Online mailboxes).

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Anti-malware page, use https://security.microsoft.com/antimalwarev2.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add, modify, and delete anti-malware policies, you need to be a member of
the Organization Management or Security Administrator role groups.
For read-only access to anti-malware policies, you need to be a member of the
Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.

For our recommended settings for anti-malware policies, see EOP anti-malware
policy settings.

Use the Microsoft 365 Defender portal to create anti-malware policies
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creates the
malware filter rule and the associated malware filter policy at the same time using the
same name for both.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-Malware in the Policies section. To go directly to the Anti-malware page, use https://security.microsoft.com/antimalwarev2.

2. On the Anti-malware page, click Create.

3. The policy wizard opens. On the Name your policy page, configure these settings:

Name: Enter a unique, descriptive name for the policy.
Description: Enter an optional description for the policy.

When you're finished, click Next.

4. On the Users and domains page, identify the internal recipients that the policy
applies to (recipient conditions):

Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your organization.

Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.

For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.

Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).

Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.

Important

Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied only to those recipients that match all of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com only if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

When you're finished, click Next.

5. On the Protection settings page, configure the following settings:

Enable the common attachments filter: If you select this option, messages
with the specified attachments are treated as malware and are automatically
quarantined. You can modify the list by clicking Customize file types and
selecting or deselecting values in the list.

For the default and available values, see Anti-malware policies.

When these types are found: Select one of the following values:
Reject the message with a non-delivery report (NDR)
Quarantine the message (this is the default value)

Enable zero-hour auto purge for malware: If you select this option, ZAP
quarantines malware messages that have already been delivered. For more
information, see Zero-hour auto purge (ZAP) in Exchange Online.

Quarantine policy: Select the quarantine policy that applies to messages that
are quarantined as malware. Quarantine policies define what users are able to
do to quarantined messages, and whether users receive quarantine
notifications. For more information, see Quarantine policies.

A blank value means the default quarantine policy is used (AdminOnlyAccessPolicy for malware detections). When you later edit the anti-malware policy or view the settings, the default quarantine policy name is shown. For more information about default quarantine policies that are used for supported protection filtering verdicts, see this table.

Note

The quarantine policy determines whether recipients receive email notifications for messages that were quarantined as malware. Quarantine notifications are disabled in the AdminOnlyAccessPolicy, so you'll need to create and assign a custom quarantine policy where notifications are turned on. For more information, see Quarantine policies.
Users can't release their own messages that were quarantined as malware. At best, admins can configure the quarantine policy so users can request the release of their quarantined malware messages.

Admin notifications: Select none, one, or both of the following options:

Notify an admin about undelivered messages from internal senders: If you select this option, enter a recipient email address in the Admin email address box that appears.

Notify an admin about undelivered messages from external senders: If you select this option, enter a recipient email address in the Admin email address box that appears.

Note

Admin notifications are sent only for attachments that are classified as malware.

Customize notifications: Use the settings in this section to customize the message properties that are used for admin notifications.

Use customized notification text: If you select this option, use the From
name and From address boxes to specify the sender's name and email
address for admin notification messages.

Customize notifications for messages from internal senders: If you previously selected Notify an admin about undelivered messages from internal senders, use the Subject and Message boxes to specify the subject and message body of admin notification messages.

Customize notifications for messages from external senders: If you previously selected Notify an admin about undelivered messages from external senders, use the Subject and Message boxes to specify the subject and message body of admin notification messages.

When you're finished, click Next.

6. On the Review page, review your settings. You can select Edit in each section to
modify the settings within the section. Or you can click Back or select the specific
page in the wizard.

When you're finished, click Submit.

7. On the confirmation page that appears, click Done.
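The PowerShell equivalent of the wizard above, as an added example that is not part of the article; it also shows the recipient-filter logic from the Important note (values within one condition are OR'd, different condition types are AND'd) in cmdlet form. It assumes an existing Connect-ExchangeOnline session, a mail-enabled security group named Executives (from the article's example), and a custom quarantine policy named ExecMalwareNotify (constructed) with notifications turned on; the addresses and domain are constructed.

```powershell
# Added example (not from the article): create a custom anti-malware policy from
# Exchange Online PowerShell. The portal wizard creates the policy and the rule
# together under one name; in PowerShell they are two explicit steps.
# Assumes: Connect-ExchangeOnline session, group 'Executives', quarantine policy
# 'ExecMalwareNotify' (constructed). Addresses and domain are constructed.

$name = 'Executives anti-malware'   # constructed; used for both policy and rule

# Step 1: the malware filter POLICY carries the protection and notification
# settings (the wizard's "Protection settings" page).
New-MalwareFilterPolicy -Name $name `
    -AdminDisplayName 'Stricter malware handling for priority accounts' `
    -EnableFileFilter $true `
    -FileTypeAction Quarantine `
    -ZapEnabled $true `
    -QuarantineTag 'ExecMalwareNotify' `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress 'secops@contoso.com' `
    -EnableExternalSenderAdminNotifications $true `
    -ExternalSenderAdminAddress 'secops@contoso.com' `
    -CustomNotifications $true `
    -CustomFromName 'Contoso SecOps' `
    -CustomFromAddress 'secops@contoso.com' `
    -CustomInternalSubject 'Malware blocked: internal sender' `
    -CustomInternalBody 'A message from an internal sender to a priority account was quarantined as malware.' `
    -CustomExternalSubject 'Malware blocked: external sender' `
    -CustomExternalBody 'A message from an external sender to a priority account was quarantined as malware.'

# Extend the common attachments filter with two of the predefined extra types.
# -FileTypes replaces the whole list, so append to the current list instead of
# passing only the new entries.
$fileTypes = @((Get-MalwareFilterPolicy -Identity $name).FileTypes) + @('html', 'js')
Set-MalwareFilterPolicy -Identity $name -FileTypes $fileTypes

# Step 2: the malware filter RULE binds the policy to recipients and sets the
# priority (the wizard's "Users and domains" page). Priority 0 is evaluated first.
#   - Values inside ONE condition are OR'd: either address matches.
#   - Different condition types are AND'd: romain@contoso.com is covered only
#     if he is also a member of Executives, exactly as the Important note says.
#   - Exceptions use the same logic and remove matching recipients from scope.
New-MalwareFilterRule -Name $name -MalwareFilterPolicy $name -Priority 0 `
    -SentTo 'romain@contoso.com', 'isabel@contoso.com' `
    -SentToMemberOf 'Executives' `
    -ExceptIfRecipientDomainIs 'lab.contoso.com'

# Verify the pairing, the recipient scope and the protection settings.
Get-MalwareFilterRule -Identity $name |
    Format-List Name, State, Priority, MalwareFilterPolicy, SentTo, SentToMemberOf, ExceptIfRecipientDomainIs
Get-MalwareFilterPolicy -Identity $name |
    Format-List Name, EnableFileFilter, FileTypeAction, ZapEnabled, QuarantineTag, FileTypes
```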

Use the Microsoft 365 Defender portal to view anti-malware policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-Malware in the Policies section. To go directly to the Anti-malware page, use https://security.microsoft.com/antimalwarev2.

2. On the Anti-malware page, the following properties are displayed in the list of
anti-malware policies:

Name
Status
Priority

3. When you select a policy by clicking on the name, the policy settings are displayed
in a flyout.

Use the Microsoft 365 Defender portal to modify anti-malware policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-Malware in the Policies section. To go directly to the Anti-malware page, use https://security.microsoft.com/antimalwarev2.

2. On the Anti-malware page, select a policy from the list by clicking on the name.

3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the
previous Use the Microsoft 365 Defender portal to create anti-malware policies
section in this article.

For the default anti-malware policy, the Users, groups, and domains section isn't
available (the policy applies to everyone), and you can't rename the policy.

To enable or disable a policy or set the policy priority order, see the following sections.

Enable or disable custom anti-malware policies

You can't disable the default anti-malware policy.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-Malware in the Policies section. To go directly to the Anti-malware page, use https://security.microsoft.com/antimalwarev2.

2. On the Anti-malware page, select a custom policy from the list by clicking on the
name.

3. At the top of the policy details flyout that appears, you'll see one of the following
values:

Policy off: To turn on the policy, click Turn on.

Policy on: To turn off the policy, click Turn off.

4. In the confirmation dialog that appears, click Turn on or Turn off.

5. Click Close in the policy details flyout.

Back on the main policy page, the Status value of the policy will be On or Off.

Set the priority of custom anti-malware policies

By default, anti-malware policies are given a priority that's based on the order they were
created in (newer policies are lower priority than older policies). A lower priority number
indicates a higher priority for the policy (0 is the highest), and policies are processed in
priority order (higher priority policies are processed before lower priority policies). No
two policies can have the same priority, and policy processing stops after the first policy
is applied.

To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.

Notes:

In the Microsoft 365 Defender portal, you can only change the priority of the anti-malware policy after you create it. In PowerShell, you can override the default priority when you create the malware filter rule (which can affect the priority of existing rules).

Anti-malware policies are processed in the order that they're displayed (the first policy has the Priority value 0). The default anti-malware policy has the priority value Lowest, and you can't change it.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-Malware in the Policies section. To go directly to the Anti-malware page, use https://security.microsoft.com/antimalwarev2.

2. On the Anti-malware page, select a custom policy from the list by clicking on the
name.

3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:

The policy with the Priority value 0 has only the Decrease priority option
available.
The policy with the lowest Priority value (for example, 3) has only the
Increase priority option available.
If you have three or more policies, the policies between the highest and
lowest priority values have both the Increase priority and Decrease priority
options available.

Click Increase priority or Decrease priority to change the Priority value.

4. When you're finished, click Close in the policy details flyout.

Use the Microsoft 365 Defender portal to remove custom anti-malware policies

When you use the Microsoft 365 Defender portal to remove a custom anti-malware
policy, the malware filter rule and the corresponding malware filter policy are both
deleted. You can't remove the default anti-malware policy.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-Malware in the Policies section. To go directly to the Anti-malware page, use https://security.microsoft.com/antimalwarev2.

2. On the Anti-malware page, select a custom policy from the list by clicking on the
name.

3. At the top of the policy details flyout that appears, click More actions > Delete policy.

4. In the confirmation dialog that appears, click Yes.

Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-malware policies

For more information about anti-malware policies in PowerShell, see Anti-malware policies in the Microsoft 365 Defender portal vs PowerShell.

Use PowerShell to create anti-malware policies

Creating an anti-malware policy in PowerShell is a two-step process:

1. Create the malware filter policy.

2. Create the malware filter rule that specifies the malware filter policy that the rule applies to.

Notes:

You can create a new malware filter rule and assign an existing, unassociated malware filter policy to it. A malware filter rule can't be associated with more than one malware filter policy.

There are two settings that you can configure on new anti-malware policies in PowerShell that aren't available in the Microsoft 365 Defender portal until after you create the policy:

Create the new policy as disabled (Enabled $false on the New-MalwareFilterRule cmdlet).

Set the priority of the policy during creation (Priority <Number> on the New-MalwareFilterRule cmdlet).

A new malware filter policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to a malware filter rule.

Step 1: Use PowerShell to create a malware filter policy

To create a malware filter policy, use this syntax:

PowerShell

New-MalwareFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<OptionalComments>"] [-CustomNotifications <$true | $false>] [<Inbound notification options>] [<Outbound notification options>] [-QuarantineTag <QuarantineTagName>]

This example creates a new malware filter policy named Contoso Malware Filter Policy
with these settings:

Notify admin@contoso.com when malware is detected in a message from an internal sender.

The default quarantine policy for malware detections is used (we aren't using the QuarantineTag parameter).

PowerShell

New-MalwareFilterPolicy -Name "Contoso Malware Filter Policy" -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress admin@contoso.com

For detailed syntax and parameter information, see New-MalwareFilterPolicy.

Step 2: Use PowerShell to create a malware filter rule

To create a malware filter rule, use this syntax:

PowerShell

New-MalwareFilterRule -Name "<RuleName>" -MalwareFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]

This example creates a new malware filter rule named Contoso Recipients with these
settings:

The malware filter policy named Contoso Malware Filter Policy is associated with
the rule.
The rule applies to recipients in the contoso.com domain.

PowerShell

New-MalwareFilterRule -Name "Contoso Recipients" -MalwareFilterPolicy "Contoso Malware Filter Policy" -RecipientDomainIs contoso.com

For detailed syntax and parameter information, see New-MalwareFilterRule.
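Both steps combined, as an added example that is not part of the article (the contoso.com names and addresses, the quarantine policy and the group are assumptions): it creates the policy with internal and external admin notifications, customized notification text and a custom quarantine policy, then creates the rule disabled and at priority 0, which only PowerShell can do at creation time.

```powershell
# Added example, not code from the article: both steps of the PowerShell procedure in one
# script, including the settings the portal can't set at creation time (Enabled, Priority).
# Requires a connected Exchange Online PowerShell session. All names and addresses
# (contoso.com, secops@contoso.com, the quarantine policy and the group) are hypothetical.

# Step 1: the malware filter policy carries the notification and quarantine settings.
$policyName = 'Finance Malware Filter Policy'

$policyParams = @{
    Name                                   = $policyName
    AdminDisplayName                       = 'Finance scope; SecOps notified for internal and external senders'
    # Admin notifications for both directions (portal: "Notify an admin about undelivered messages from ...").
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = 'secops@contoso.com'
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = 'secops@contoso.com'
    # Customized notification text (portal: "Use customized notification text").
    CustomNotifications                    = $true
    CustomFromName                         = 'Contoso Mail Security'
    CustomFromAddress                      = 'mailsecurity@contoso.com'
    CustomInternalSubject                  = 'Malware blocked: message from an internal sender'
    CustomInternalBody                     = 'A message from an internal sender was not delivered because an attachment was classified as malware.'
    CustomExternalSubject                  = 'Malware blocked: message from an external sender'
    CustomExternalBody                     = 'A message from an external sender was not delivered because an attachment was classified as malware.'
    # Custom quarantine policy (assumed to already exist) that lets recipients request
    # release of quarantined malware but never release it themselves.
    QuarantineTag                          = 'SecOpsMalwareQuarantine'
}
New-MalwareFilterPolicy @policyParams

# Step 2: the malware filter rule scopes the policy to recipients. Enabled $false and
# Priority can only be set here at creation time; the rule is staged so it can be reviewed
# before it takes effect. Priority 0 pushes every existing custom rule down by one.
$ruleParams = @{
    Name                = 'Finance Recipients'
    MalwareFilterPolicy = $policyName
    SentToMemberOf      = 'finance-staff@contoso.com'
    ExceptIfSentTo      = 'finance-shared@contoso.com'
    Priority            = 0
    Enabled             = $false
    Comments            = 'Staged by SecOps; enable after change approval'
}
New-MalwareFilterRule @ruleParams

# Confirm the rule-to-policy pairing and the staged (Disabled) state.
Get-MalwareFilterRule -Identity 'Finance Recipients' |
    Format-List Name, Priority, State, MalwareFilterPolicy, SentToMemberOf, ExceptIfSentTo

# Once approved, enabling the rule turns on the whole anti-malware policy:
# Enable-MalwareFilterRule -Identity 'Finance Recipients'
```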

Use PowerShell to view malware filter policies

To return a summary list of all malware filter policies, run this command:

PowerShell

Get-MalwareFilterPolicy

To return detailed information about a specific malware filter policy, use this syntax:

PowerShell

Get-MalwareFilterPolicy -Identity "<PolicyName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the malware filter policy named
Executives.

PowerShell

Get-MalwareFilterPolicy -Identity "Executives" | Format-List

This example returns only the specified properties for the same policy.

PowerShell

Get-MalwareFilterPolicy -Identity "Executives" | Format-List Action,AdminDisplayName,CustomNotifications,Enable*Notifications

For detailed syntax and parameter information, see Get-MalwareFilterPolicy.

Use PowerShell to view malware filter rules

To return a summary list of all malware filter rules, run this command:

PowerShell

Get-MalwareFilterRule

To filter the list by enabled or disabled rules, run the following commands:

PowerShell

Get-MalwareFilterRule -State Disabled

PowerShell

Get-MalwareFilterRule -State Enabled

To return detailed information about a specific malware filter rule, use this syntax:

PowerShell

Get-MalwareFilterRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the malware filter rule named Executives.

PowerShell

Get-MalwareFilterRule -Identity "Executives" | Format-List

This example returns only the specified properties for the same rule.

PowerShell

Get-MalwareFilterRule -Identity "Executives" | Format-List Name,Priority,State,MalwareFilterPolicy,*Is,*SentTo,*MemberOf

For detailed syntax and parameter information, see Get-MalwareFilterRule.

Use PowerShell to modify malware filter policies

Other than the following items, the same settings are available when you modify a
malware filter policy in PowerShell as when you create the policy as described in the
Step 1: Use PowerShell to create a malware filter policy section earlier in this article.

The MakeDefault switch that turns the specified policy into the default policy
(applied to everyone, unmodifiable Lowest priority, and you can't delete it) is only
available when you modify a malware filter policy in PowerShell.
You can't rename a malware filter policy (the Set-MalwareFilterPolicy cmdlet has
no Name parameter). When you rename an anti-malware policy in the Microsoft
365 Defender portal, you're only renaming the malware filter rule.

To modify a malware filter policy, use this syntax:

PowerShell

Set-MalwareFilterPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-MalwareFilterPolicy.

Note

For detailed instructions to specify the quarantine policy to use in a malware filter
policy, see Use PowerShell to specify the quarantine policy in anti-malware
policies.

Use PowerShell to modify malware filter rules

The only setting that isn't available when you modify a malware filter rule in PowerShell
is the Enabled parameter that allows you to create a disabled rule. To enable or disable
existing malware filter rules, see the next section.

Otherwise, no additional settings are available when you modify a malware filter rule in
PowerShell. The same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create a malware filter rule section earlier in this article.

To modify a malware filter rule, use this syntax:

PowerShell

Set-MalwareFilterRule -Identity "<RuleName>" <Settings>

For detailed syntax and parameter information, see Set-MalwareFilterRule.

Use PowerShell to enable or disable malware filter rules

Enabling or disabling a malware filter rule in PowerShell enables or disables the whole
anti-malware policy (the malware filter rule and the assigned malware filter policy). You
can't enable or disable the default anti-malware policy (it's always applied to all
recipients).

To enable or disable a malware filter rule in PowerShell, use this syntax:

PowerShell

<Enable-MalwareFilterRule | Disable-MalwareFilterRule> -Identity "<RuleName>"

This example disables the malware filter rule named Marketing Department.

PowerShell

Disable-MalwareFilterRule -Identity "Marketing Department"

This example enables the same rule.

PowerShell

Enable-MalwareFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Enable-MalwareFilterRule and Disable-MalwareFilterRule.

Use PowerShell to set the priority of malware filter rules

The highest priority value you can set on a rule is 0. The lowest value you can set
depends on the number of rules. For example, if you have five rules, you can use the
priority values 0 through 4. Changing the priority of an existing rule can have a
cascading effect on other rules. For example, if you have five custom rules (priorities 0
through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is
changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of a malware filter rule in PowerShell, use the following syntax:

PowerShell

Set-MalwareFilterRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. The existing rules with priority numbers 2 and higher each move down one position in the processing order (their priority numbers are increased by 1).

PowerShell

Set-MalwareFilterRule -Identity "Marketing Department" -Priority 2

Notes:

To set the priority of a new rule when you create it, use the Priority parameter on
the New-MalwareFilterRule cmdlet instead.
The default malware filter policy doesn't have a corresponding malware filter rule,
and it always has the unmodifiable priority value Lowest.

Use PowerShell to remove malware filter policies

When you use PowerShell to remove a malware filter policy, the corresponding malware
filter rule isn't removed.

To remove a malware filter policy in PowerShell, use this syntax:

PowerShell

Remove-MalwareFilterPolicy -Identity "<PolicyName>"

This example removes the malware filter policy named Marketing Department.

PowerShell

Remove-MalwareFilterPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-MalwareFilterPolicy.

Use PowerShell to remove malware filter rules

When you use PowerShell to remove a malware filter rule, the corresponding malware
filter policy isn't removed.

To remove a malware filter rule in PowerShell, use this syntax:

PowerShell

Remove-MalwareFilterRule -Identity "<RuleName>"

This example removes the malware filter rule named Marketing Department.

PowerShell

Remove-MalwareFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-MalwareFilterRule.

How do you know these procedures worked?

Use the EICAR.TXT file to verify your anti-malware policy settings

Important

The EICAR.TXT file is not a virus. The European Institute for Computer Antivirus
Research (EICAR) developed this file to safely test anti-virus installations and
settings.

1. Open Notepad and paste the following text into an empty file:

Text

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Be sure that these are the only text characters in the file. The file size should be 68
bytes.

2. Save the file as EICAR.TXT

In your desktop anti-virus program, be sure to exclude the EICAR.TXT from scanning (otherwise, the file will be quarantined).

3. Send an email message that contains the EICAR.TXT file as an attachment, using an
email client that won't automatically block the file, and using an email service that
doesn't automatically block outbound spam. Use your anti-malware policy settings
to determine the following scenarios to test:

Email from an internal mailbox to an internal recipient.
Email from an internal mailbox to an external recipient.
Email from an external mailbox to an internal recipient.

4. Verify that the message was quarantined, and verify the admin notification results
based on your anti-malware policy settings. For example, the admin email address
that you specified is notified for internal or external message senders, with the
default or customized notification messages.

5. Delete the EICAR.TXT file after your testing is complete (so other users aren't
unnecessarily alarmed by it).
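An added example, not part of the article, that does steps 1, 2, 4 and 5 of this procedure from PowerShell: it writes EICAR.TXT byte-exactly (Notepad can add a BOM or a trailing newline that spoils the 68-byte check), and after the test message has been sent it looks for it in quarantine. The recipient address and the two-hour window are assumptions.

```powershell
# Added example, not from the article. Writes the EICAR test file with exactly 68 bytes
# and, after the message has been sent (step 3), checks quarantine for the malware verdict.
# Assumptions: recipient testuser@contoso.com, a 2-hour search window, a connected
# Exchange Online PowerShell session for Get-QuarantineMessage.

# The test string from step 1 (the standard EICAR test string; it is not malware).
# Single quotes keep PowerShell from expanding the $EICAR and $H fragments.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:USERPROFILE 'Desktop\EICAR.TXT'

# Write raw ASCII bytes: no byte-order mark and no trailing newline, both of which
# editors (and some Set-Content versions) add and which change the file size.
[System.IO.File]::WriteAllBytes($path, [System.Text.Encoding]::ASCII.GetBytes($eicar))

$size = (Get-Item $path).Length
if ($size -ne 68) {
    throw "EICAR.TXT is $size bytes; expected 68. Check for a BOM or trailing newline."
}
"EICAR.TXT written with the expected 68 bytes: $path"

# Step 3 happens outside this script: attach the file and send it for each scenario
# (internal to internal, internal to external, external to internal).

# Step 4: the message should be in quarantine with a malware verdict. Filtering on the
# Malware type, the test recipient and a short window keeps the result to the test message.
$since = (Get-Date).AddHours(-2)
Get-QuarantineMessage -Type Malware -StartReceivedDate $since -RecipientAddress 'testuser@contoso.com' |
    Format-Table ReceivedTime, SenderAddress, RecipientAddress, Subject, Type -AutoSize

# Step 5: remove the test file once testing is complete.
Remove-Item $path -Force
```

The admin notification part of step 4 is verified in the admin mailbox you configured in the policy; this script only covers the quarantine side.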

Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams

Article • 12/10/2022 • 3 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2

Microsoft 365 uses a common virus detection engine for scanning files that users
upload to SharePoint Online, OneDrive, and Microsoft Teams. This protection is included
with all subscriptions that include SharePoint Online, OneDrive, and Microsoft Teams.

Important

The built-in anti-virus capabilities are a way to help contain viruses. They aren't
intended as a single point of defense against malware for your environment. We
encourage all customers to investigate and implement anti-malware protection at
various layers and apply best practices for securing their enterprise infrastructure.

What happens if an infected file is uploaded to SharePoint Online?

The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file hasn't yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, SharePoint triggers a scan on download before the download is allowed. Not all file types are automatically scanned; heuristics determine which files to scan. When a file is found to contain a virus, the file is flagged.

Here's what happens:

1. A user uploads a file to SharePoint Online.
2. SharePoint Online, as part of its virus scanning processes, later determines if the
file meets the criteria for a scan.
3. If the file meets the criteria for a scan, the virus detection engine scans the file.
4. If a virus is found within the scanned file, the virus engine sets a property on the
file that indicates the file is infected.

What happens when a user tries to download an infected file by using the browser?

By default, users can download infected files from SharePoint Online. Here's what
happens:

1. In a web browser, a user tries to download a file from SharePoint Online that
happens to be infected.
2. The user is shown a warning that a virus has been detected in the file. The user is
given the option to proceed with the download and attempt to clean it using anti-
virus software on their device.

To change this behavior so users can't download infected files, even from the anti-virus
warning window, admins can use the DisallowInfectedFileDownload parameter on the
Set-SPOTenant cmdlet in SharePoint Online PowerShell. The value $true for the
DisallowInfectedFileDownload parameter completely blocks access to detected/blocked
files for users.

For instructions, see Use SharePoint Online PowerShell to prevent users from
downloading malicious files.

Can admins bypass DisallowInfectedFileDownload and extract infected files?

SharePoint admins and global admins are allowed to do forensic file extractions of malware-infected files in SharePoint Online PowerShell with the Get-SPOMalwareFileContent cmdlet. Admins don't need access to the site that hosts the infected content. As long as the file has been marked as malware, admins can use Get-SPOMalwareFileContent to extract the file.

For more information about the infected file, admins can use the Get-SPOMalwareFile
cmdlet to see the type of malware that was detected and the status of the infection.
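An added example, not from the article, that applies the DisallowInfectedFileDownload setting described above and then walks the admin forensic path for one flagged file. The admin URL, file path and save folder are placeholders, and -FileUri and -SaveToPath are the parameter names this example assumes for the two Get-SPOMalwareFile* cmdlets the article names.

```powershell
# Added example, not the article's code. Requires the SharePoint Online Management Shell
# and a SharePoint admin or global admin account. The tenant URL, file URL and evidence
# folder are placeholders; -FileUri and -SaveToPath are assumed parameter names.

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Hardening: remove the "download anyway" option on the virus warning page so users
# cannot pull a flagged file to their device at all.
Set-SPOTenant -DisallowInfectedFileDownload $true

# Confirm the tenant setting took effect.
Get-SPOTenant | Select-Object DisallowInfectedFileDownload

# Forensic handling of a file the engine has already flagged (placeholder URL).
$fileUri = 'https://contoso.sharepoint.com/sites/finance/Shared Documents/invoice.xlsm'

# Look at the verdict first: the malware type detected and the infection status.
Get-SPOMalwareFile -FileUri $fileUri

# Extract the flagged content into an isolated evidence folder. Because the content is
# live malware, keep the folder excluded from interactive use and scan it with the tools
# your IR process prescribes, not with a double-click.
$evidence = 'C:\Forensics\spo-malware'
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
Get-SPOMalwareFileContent -FileUri $fileUri -SaveToPath (Join-Path $evidence 'invoice.xlsm')
```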

What happens when the OneDrive sync client tries to sync an infected file?

When a malicious file is uploaded to OneDrive, it will be synced to the local machine
before it's marked as malware. After it's marked as malware, the user can't open the
synced file anymore from their local machine.

Extended capabilities with Microsoft Defender for Office 365

Microsoft 365 organizations that have Microsoft Defender for Office 365 included in
their subscription or purchased as an add-on can enable Safe Attachments for
SharePoint, OneDrive, and Microsoft Teams for enhanced reporting and protection. For
more information, see Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

Related articles

Malware and ransomware protection in Microsoft 365

For more information about anti-virus in SharePoint Online, OneDrive, and Microsoft Teams, see Protect against threats and Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

Anti-malware protection FAQ
FAQ

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This article provides frequently asked questions and answers about anti-malware
protection for Microsoft 365 organizations with mailboxes in Exchange Online, or
standalone Exchange Online Protection (EOP) organizations without Exchange Online
mailboxes.

For questions and answers about the quarantine, see Quarantine FAQ.

For questions and answers about anti-spam protection, see Anti-spam protection FAQ.

For questions and answers about anti-spoofing protection, see Anti-spoofing protection
FAQ.

What are best practice recommendations for configuring and using the service to combat malware?

See EOP anti-malware policy settings.

How often are the malware definitions updated?

Each server checks for new malware definitions from our anti-malware partners every hour.

How many anti-malware partners do you have? Can I choose which malware engines we use?

We have partnerships with multiple anti-malware technology providers, so messages are scanned with the Microsoft anti-malware engines, an additional signature-based engine, and URL and file reputation scans from multiple sources. Our partners are subject to change, but EOP always uses anti-malware protection from multiple partners. You can't choose one anti-malware engine over another.

Where does malware scanning occur?

We scan for malware in messages that are sent to or sent from a mailbox (messages in
transit). For Exchange Online mailboxes, we also have malware zero-hour auto purge
(ZAP) to scan for malware in messages that have already been delivered. If you resend a
message from a mailbox, then it's scanned again (because it's in transit).

If I make a change to an anti-malware policy, how long does it take after I save my changes for them to take effect?

It might take up to 1 hour for the changes to take effect.

Does the service scan internal messages for malware?

For organizations with Exchange Online mailboxes, the service scans for malware in all inbound and outbound messages, including messages sent between internal recipients.

A standalone EOP subscription scans messages as they enter or leave your on-premises
email organization. Messages sent between internal users aren't scanned for malware.
However, you can use the built-in anti-malware scanning features of Exchange Server.
For more information, see Anti-malware protection in Exchange Server.

Do all anti-malware engines used by the service have heuristic scanning enabled?

Yes. Heuristic scanning scans for both known (signature match) and unknown
(suspicious) malware.

Can the service scan compressed files (such as .zip files)?

Yes. The anti-malware engines can drill into compressed (archive) files.

Does compressed attachment scanning support recursion (a .zip within a .zip within a .zip), and if so, how deep does it go?

Yes, recursive scanning of compressed files scans many layers deep.

Does the service work with legacy Exchange versions and non-Exchange environments?

Yes, the service is server agnostic.

What's a zero-day virus and how is it handled by the service?

A zero-day virus is a first generation, previously unknown variant of malware that's
never been captured or analyzed.

After a zero-day virus sample is captured and analyzed by our anti-malware engines, a
definition and unique signature is created to detect the malware.
When a definition or signature exists for the malware, it's no longer considered zero-
day.

How can I configure the service to block specific executable files (such as *.exe) that I fear may contain malware?

You can enable and configure the common attachments filter (also known as common
attachment blocking) as described in Anti-malware policies.

You can also create an Exchange mail flow rule (also known as transport rule) that blocks
any email attachment that has executable content.

Follow the steps in How to reduce malware threats through file attachment blocking in
Exchange Online Protection to block the file types listed in Supported file types for
mail flow rule content inspection in Exchange Online.

For increased protection, we also recommend using the Any attachment file extension includes these words condition in mail flow rules to block some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh.
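An added example (not from the article) of building that mail flow rule in Exchange Online PowerShell with the extension list above, alongside a second rule for executable content regardless of file name; the rule names, reject text and audit-first rollout are this example's choices, not the article's.

```powershell
# Added example, not the article's code. Requires a connected Exchange Online PowerShell
# session. Rule names, reject text and the audit-first rollout are this example's choices.

# The extension list recommended above, kept in one variable so the rule and any later
# review share the same source of truth.
$blockedExtensions = @(
    'ade','adp','ani','bas','bat','chm','cmd','com','cpl','crt','hlp','ht','hta','inf',
    'ins','isp','job','js','jse','lnk','mda','mdb','mde','mdz','msc','msi','msp','mst',
    'pcd','reg','scr','sct','shs','url','vb','vbe','vbs','wsc','wsf','wsh'
)

$extRule = 'Block risky attachment extensions'
$exeRule = 'Block executable attachment content'

# Rule 1: the "Any attachment file extension includes these words" condition
# (-AttachmentExtensionMatchesWords). Created in Audit mode first: matches are recorded
# (message trace, rule reports) but the reject action is not applied, so legitimate
# senders of, say, .msi installers surface before enforcement.
New-TransportRule -Name $extRule `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageReasonText 'This message was blocked because it contains an attachment type that is not allowed.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit `
    -SetAuditSeverity High `
    -Comments 'Extension blocklist from the anti-malware FAQ; audit first, then enforce.'

# Rule 2: executable content detected by inspection, so a renamed .exe (for example
# payroll.pdf that is really a PE file) is still caught. Complements the name-based rule.
New-TransportRule -Name $exeRule `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'This message was blocked because an attachment contains executable content.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit `
    -SetAuditSeverity High

# After reviewing the audit matches, switch both rules to enforcement.
Set-TransportRule -Identity $extRule -Mode Enforce
Set-TransportRule -Identity $exeRule -Mode Enforce

# Confirm state and mode of both rules.
Get-TransportRule -Identity $extRule, $exeRule | Format-Table Name, State, Mode, Priority -AutoSize
```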

Why did a specific malware get past the filters?

The malware that you received is a new variant (see What's a zero-day virus and how is
it handled by the service?). The time it takes for a malware definition update is
dependent on our anti-malware partners.

How can I submit malware that made it past the filters to Microsoft? Also, how can I submit a file that I believe was incorrectly detected as malware?

See Report messages and files to Microsoft.

I received an email message with an unfamiliar attachment. Is this malware or can I disregard this attachment?

We strongly advise that you don't open any attachments that you don't recognize. If you
would like us to investigate the attachment, go to the Malware Protection Center and
submit the possible malware to us as described previously.

Where can I get the messages that have been deleted by the malware filters?

The messages contain active malicious code and therefore we don't allow access to
these messages. They're unceremoniously deleted.

I am not able to receive a specific attachment because it's being falsely filtered by the malware filters. Can I allow this attachment through via mail flow rules?

No. You can't use Exchange mail flow rules to skip malware filtering.

Can I get reporting data about malware detections?

Yes, you can access reports in the Microsoft 365 Defender portal. For more information,
see View email security reports in the Microsoft 365 Defender portal.

Is there a tool that I can use to follow a malware-detected message through the service?

Yes, the message trace tool enables you to follow email messages as they pass through
the service. For more information about how to use the message trace tool to find out
why a message was detected to contain malware, see Message trace in the modern
Exchange admin center.

Can I use a third-party anti-spam and anti-malware provider with Exchange Online?

Yes. In most cases, we recommend that you point your MX records to (that is, deliver
email directly to) EOP. If you need to route your email somewhere else first, you need to
enable Enhanced Filtering for Connectors so EOP can use the true message source in
filtering decisions.

Are spam and malware messages being investigated as to who sent them, or being transferred to law enforcement entities?

The service focuses on spam and malware detection and removal, though we may
occasionally investigate especially dangerous or damaging spam or attack campaigns
and pursue the perpetrators.

We often work with our legal and digital crime units to take the following actions:

Take down a spam botnet.
Block an attacker from using the service.
Pass the information on to law enforcement for criminal prosecution.

For more information

Configure anti-malware policies

Anti-malware protection

Anti-spam protection in EOP

Article • 12/22/2022 • 8 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Note

This topic is intended for admins. For end-user topics, see Overview of the Junk
Email Filter and Learn about junk email and phishing .

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.

Microsoft's email safety roadmap involves an unmatched cross-product approach. EOP anti-spam and anti-phishing technology is applied across our email platforms to provide users with the latest anti-spam and anti-phishing tools and innovations throughout the network. The goal for EOP is to offer a comprehensive and usable email service that helps detect and protect users from junk email, fraudulent email threats (phishing), and malware.

As email use has grown, so has email abuse. Unmonitored junk email can clog inboxes
and networks, impact user satisfaction, and hamper the effectiveness of legitimate email
communications. That's why Microsoft continues to invest in anti-spam technologies.
Simply put, it starts by containing and filtering junk email.

Tip

The following anti-spam technologies are useful when you want to allow or block
messages based on the message envelope (for example, the sender's domain or
the source IP address of the message). To allow or block messages based on
payload (for example, URLs in the message or attached files), then you should use
the Tenant Allow/Block List portal.

Anti-spam technologies in EOP

To help reduce junk email, EOP includes junk email protection that uses proprietary
spam filtering technologies to identify and separate junk email from legitimate email.
EOP spam filtering learns from known spam and phishing threats and user feedback
from our consumer platform, Outlook.com. Ongoing feedback from EOP users in the
junk email classification program helps ensure that the EOP technologies are continually
trained and improved.

The anti-spam settings in EOP are made of the following technologies:

Connection filtering: Identifies good and bad email source servers early in the
inbound email connection via the IP Allow List, IP Block List, and the safe list (a
dynamic but non-editable list of trusted senders maintained by Microsoft). You
configure these settings in the connection filter policy. Learn more at Configure
connection filtering.

Spam filtering (content filtering): EOP uses the spam filtering verdicts Spam, High confidence spam, Bulk email, Phishing email, and High confidence phishing email to classify messages. You can configure the actions to take based on these verdicts, and you can configure what users are allowed to do to quarantined messages and whether users receive quarantine notifications by using quarantine policies. For more information, see Configure anti-spam policies in Microsoft 365.

Note

By default, spam filtering is configured to send messages that were marked as
spam to the recipient's Junk Email folder. However, in hybrid environments
where EOP protects on-premises Exchange mailboxes, you need to configure
two mail flow rules (also known as transport rules) in your on-premises
Exchange organization to recognize the EOP spam headers that are added to
messages. For details, see Configure EOP to deliver spam to the Junk Email
folder in hybrid environments.

Outbound spam filtering: EOP also checks to make sure that your users don't send
spam, either in outbound message content or by exceeding outbound message
limits. For more information, see Configure outbound spam filtering in Microsoft
365.

Spoof intelligence: For more information, see Anti-spoofing protection in EOP.
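The two on-premises mail flow rules that the Note above refers to, as an added example (this is not code from the article, which points to a separate hybrid article for the steps). It assumes that EOP stamps its verdict in the X-Forefront-Antispam-Report header as SFV:SPM (marked as spam by the filter) or SFV:SKS (marked as spam before filtering), and it runs in the on-premises Exchange Management Shell, not in Exchange Online PowerShell.

```powershell
# Added example: translate EOP spam verdicts into SCL 6 so the on-premises
# junk email rule moves the message to the Junk Email folder.
# Assumption: EOP writes the verdict into X-Forefront-Antispam-Report as an
# SFV:<value> token (SPM = spam, SKS = marked as spam before filtering).
$verdicts = @{
    'SFV:SPM' = 'EOP verdict: spam'
    'SFV:SKS' = 'EOP verdict: marked as spam before filtering'
}

foreach ($token in $verdicts.Keys) {
    $name = "EOP spam to Junk Email folder ($token)"

    # Idempotent: skip the rule if an earlier run already created it.
    if (-not (Get-TransportRule -Identity $name -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name $name `
            -Comments $verdicts[$token] `
            -HeaderContainsMessageHeader 'X-Forefront-Antispam-Report' `
            -HeaderContainsWords $token `
            -SetSCL 6
    }
}

# Verify both rules exist, are enabled, and see their evaluation order.
Get-TransportRule |
    Where-Object { $_.Name -like 'EOP spam to Junk Email folder*' } |
    Format-Table Name, Priority, State -AutoSize
```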

Manage errors in spam filtering

It's possible that good messages can be identified as spam (also known as false
positives), or that spam can be delivered to the Inbox (also known as false negatives).
You can use the suggestions in the following sections to find out what happened and
help prevent it from happening in the future.

Here are some best practices that apply to either scenario:

Always report misclassified messages to Microsoft. For more information, see
Report messages and files to Microsoft.

Examine the anti-spam message headers: These values will tell you why a
message was marked as spam, or why it skipped spam filtering. For more
information, see Anti-spam message headers.

Point your MX record to Microsoft 365: In order for EOP to provide the best
protection, we always recommend that you have email delivered to Microsoft 365
first. For instructions, see Create DNS records at any DNS hosting provider for
Microsoft 365.

If the MX record points to some other location (for example, a third-party anti-
spam solution or appliance), it's difficult for EOP to provide accurate spam filtering.
In this scenario, you need to configure Enhanced Filtering for connectors (also
known as skip listing). For instructions, see Enhanced Filtering for Connectors in
Exchange Online.

Use email authentication: If you own an email domain, you can use DNS to help
ensure that messages from senders in that domain are legitimate. To help prevent
spam and unwanted spoofing in EOP, use all of the following email authentication
methods:

SPF: Sender Policy Framework verifies the source IP address of the message
against the owner of the sending domain. For a quick introduction to SPF and
to get it configured quickly, see Set up SPF to help prevent spoofing. For a more
in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting
or non-standard deployments such as hybrid deployments, start with How
Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing.
DKIM: DomainKeys Identified Mail adds a digital signature to the message
header of messages sent from your domain. For information, see Use DKIM to
validate outbound email sent from your custom domain in Microsoft 365.

DMARC: Domain-based Message Authentication, Reporting, and Conformance
helps destination email systems determine what to do with messages that fail
SPF or DKIM checks and provides another level of trust for your email partners.
For more information, see Use DMARC to validate email in Microsoft 365.

Verify your bulk email settings: The bulk complaint level (BCL) threshold that you
configure in anti-spam policies determines whether bulk email (also known as gray
mail) is marked as spam. The PowerShell-only setting MarkAsSpamBulkMail that's
on by default also contributes to the results. For more information, see Configure
anti-spam policies in Microsoft 365.

Prevent the delivery of spam to the Inbox

Verify your organization settings: Watch out for settings that allow messages to
skip spam filtering (for example, if you add your own domain to the allowed
domains list in anti-spam policies). For our recommended settings, see
Recommended settings for EOP and Microsoft Defender for Office 365 security
and Create safe sender lists.

Use the available blocked sender lists: For information, see Create blocked sender
lists.

Unsubscribe from bulk email: If the message was something that the user signed
up for (newsletters, product announcements, etc.) and contains an unsubscribe link
from a reputable source, consider asking them to simply unsubscribe.

Standalone EOP: create mail flow rules in on-premises Exchange for EOP spam
filtering verdicts: In hybrid environments where EOP protects on-premises
Exchange mailboxes, you need to configure mail flow rules (also known as
transport rules) in on-premises Exchange. These mail flow rules translate the EOP
spam filtering verdict so the junk email rule in the mailbox can move the message
to the Junk Email folder. For details, see Configure EOP to deliver spam to the Junk
Email folder in hybrid environments.
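A check for the "Verify your organization settings" item above, as an added example that is not from the article: it lists every anti-spam policy whose allowed domains include one of your own accepted domains (or a subdomain of one) or a commonly spoofed domain. The $commonDomains list is an illustrative assumption, not an official one, and the script assumes an existing Exchange Online PowerShell session.

```powershell
# Added example: audit anti-spam policies for allowed-domain entries that let
# messages bypass spam filtering for domains you do not want bypassed.
# Assumption: Connect-ExchangeOnline has already been run in this session.
# $commonDomains is an illustrative list chosen for this example.
$commonDomains = @('microsoft.com', 'office.com', 'outlook.com')

# Your organization's accepted domains, normalized for comparison.
$accepted = @(Get-AcceptedDomain |
    ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() })

$report = foreach ($policy in Get-HostedContentFilterPolicy) {
    $findings = @()

    foreach ($entry in $policy.AllowedSenderDomains) {
        $domain = $entry.ToString().ToLowerInvariant()

        if ($accepted -contains $domain) {
            # Your own domain in the allow list is the case the article warns about.
            $findings += "own accepted domain '$domain' is allowed"
        }
        elseif ($commonDomains -contains $domain) {
            $findings += "commonly spoofed domain '$domain' is allowed"
        }
        elseif ($accepted | Where-Object { $domain.EndsWith(".$_") }) {
            # Subdomains of accepted domains must still pass authentication
            # checks to skip filtering (September 2022 change), so flag them too.
            $findings += "subdomain '$domain' of an accepted domain is allowed"
        }
    }

    [pscustomobject]@{
        Policy         = $policy.Name
        IsDefault      = $policy.IsDefault
        AllowedDomains = $policy.AllowedSenderDomains.Count
        AllowedSenders = $policy.AllowedSenders.Count
        Findings       = if ($findings) { $findings -join '; ' } else { '-' }
    }
}

# The default policy applies to everyone, so it is listed first.
$report | Sort-Object IsDefault -Descending | Format-Table -AutoSize
```

Any row with a finding other than '-' is an entry to remove or, at most, keep temporarily while the sender fixes their authentication, as the Important note in the policy wizard advises.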

Prevent good email from being identified as spam

Here are some steps that you can take to help prevent false positives:

Verify the user's Outlook Junk Email Filter settings:

Verify the Outlook Junk Email Filter is disabled: When the Outlook Junk Email
Filter is set to the default value No automatic filtering, Outlook doesn't attempt
to classify messages as spam. When it's set to Low or High, the Outlook Junk
Email Filter uses its own SmartScreen filter technology to identify and move
spam to the Junk Email folder, so you could get false positives. Note that
Microsoft stopped producing spam definition updates for the SmartScreen
filters in Exchange and Outlook in November, 2016. The existing SmartScreen
spam definitions were left in place, but their effectiveness will likely degrade
over time.

Verify the Outlook 'Safe Lists Only' setting is disabled: When this setting is
enabled, only messages from senders in the user's Safe Senders list or Safe
Recipients list are delivered to the Inbox; email from everyone else is
automatically moved to the Junk Email folder.

For more information about these settings, see Configure junk email settings on
Exchange Online mailboxes in Microsoft 365.

Use the available safe sender lists: For information, see Create safe sender lists.

Verify users are within the sending and receiving limits as described in Receiving
and sending limits in the Exchange Online service description.

Standalone EOP: use directory synchronization: If you use standalone EOP to help
protect your on-premises Exchange organization, you should sync user settings
with the service by using directory synchronization. Doing this ensures that your
users' Safe Senders lists are respected by EOP. For more information, see Use
directory synchronization to manage mail users.

Anti-spam legislation

At Microsoft, we believe that the development of new technologies and self-regulation
requires the support of effective government policy and legal frameworks. The
worldwide spam proliferation has spurred numerous legislative bodies to regulate
commercial email. Many countries now have spam-fighting laws in place. The United
States has both federal and state laws governing spam, and this complementary
approach is helping to curtail spam while enabling legitimate e-commerce to prosper.
The CAN-SPAM Act expands the tools available for curbing fraudulent and deceptive
email messages.

Configure anti-spam policies in EOP
Article • 12/21/2022 • 29 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
inbound email messages are automatically protected against spam by EOP. EOP uses
anti-spam policies (also known as spam filter policies or content filter policies) as part of
your organization's overall defense against spam. For more information, see Anti-spam
protection.

Admins can view, edit, and configure (but not delete) the default anti-spam policy. For
greater granularity, you can also create custom anti-spam policies that apply to specific
users, groups, or domains in your organization. Custom policies always take precedence
over the default policy, but you can change the priority (running order) of your custom
policies.

You can configure anti-spam policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes
in Exchange Online; standalone EOP PowerShell for organizations without Exchange
Online mailboxes).

The basic elements of an anti-spam policy are:

The spam filter policy: Specifies the actions for spam filtering verdicts and the
notification options.
The spam filter rule: Specifies the priority and recipient filters (who the policy
applies to) for a spam filter policy.

The difference between these two elements isn't obvious when you manage anti-spam
policies in the Microsoft 365 Defender portal:

When you create an anti-spam policy, you're actually creating a spam filter rule
and the associated spam filter policy at the same time using the same name for
both.
When you modify an anti-spam policy, settings related to the name, priority,
enabled or disabled, and recipient filters modify the spam filter rule. All other
settings modify the associated spam filter policy.
When you remove an anti-spam policy, the spam filter rule and the associated
spam filter policy are removed.

In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy
and the rule separately. For more information, see the Use Exchange Online PowerShell
or standalone EOP PowerShell to configure anti-spam policies section later in this article.

Every organization has a built-in anti-spam policy named Default that has these
properties:

The policy is applied to all recipients in the organization, even though there's no
spam filter rule (recipient filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is
always applied last). Any custom policies that you create always have a higher
priority.
The policy is the default policy (the IsDefault property has the value True), and
you can't delete the default policy.

To increase the effectiveness of spam filtering, you can create custom anti-spam policies
with stricter settings that are applied to specific users or groups of users.
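The policy/rule split in Exchange Online PowerShell, as an added example that is not from this article: it creates a stricter spam filter policy with the settings the wizard steps below describe, then creates the spam filter rule that binds the policy to specific recipients at priority 0. The policy name, the second address and the group membership are constructed for illustration, and the script assumes a Connect-ExchangeOnline session.

```powershell
# Added example: manage the spam filter policy (settings) and the spam filter
# rule (priority and recipient filters) as separate objects.
# Assumption: Connect-ExchangeOnline has already been run in this session.
# Names, addresses and the group are constructed for this example.
$policyName = 'Executives strict anti-spam'

# 1. The spam filter policy: verdict actions and notification options.
$policyParams = @{
    Name                      = $policyName
    BulkThreshold             = 5              # BCL >= 5 triggers the Bulk action (default is 7)
    MarkAsSpamBulkMail        = 'On'           # Off would make the BCL threshold irrelevant
    SpamAction                = 'Quarantine'
    HighConfidenceSpamAction  = 'Quarantine'
    PhishSpamAction           = 'Quarantine'
    HighConfidencePhishAction = 'Quarantine'   # high confidence phishing is always quarantined
    BulkSpamAction            = 'AddXHeader'
    AddXHeaderValue           = 'X-Contoso-Bulk'  # header field name only: no spaces or colons
    QuarantineRetentionPeriod = 30             # 1-30 days; the PowerShell default is 15
    InlineSafetyTipsEnabled   = $true
    ZapEnabled                = $true
    PhishZapEnabled           = $true
    SpamZapEnabled            = $true
}
New-HostedContentFilterPolicy @policyParams

# 2. The spam filter rule: who the policy applies to, and its priority.
# Values within one condition use OR; different conditions use AND, so this
# rule matches only the listed recipients who are ALSO members of Executives.
$ruleParams = @{
    Name                      = $policyName
    HostedContentFilterPolicy = $policyName
    SentTo                    = @('romain@contoso.com', 'julia@contoso.com')
    SentToMemberOf            = 'Executives'
    Priority                  = 0              # evaluated first; the portal can't set this at creation
    Comments                  = 'Stricter filtering for executive mailboxes'
}
New-HostedContentFilterRule @ruleParams

# 3. Confirm the pairing and the running order. The built-in Default policy has
#    no rule and is always applied last.
Get-HostedContentFilterRule |
    Format-Table Name, HostedContentFilterPolicy, Priority, State -AutoSize
Get-HostedContentFilterPolicy -Identity $policyName |
    Format-List Name, IsDefault, BulkThreshold, MarkAsSpamBulkMail, SpamAction,
        BulkSpamAction, AddXHeaderValue, QuarantineRetentionPeriod
```

Renaming, re-prioritizing or disabling the policy later means changing the rule (Set-HostedContentFilterRule), while every verdict or quarantine setting is changed on the policy (Set-HostedContentFilterPolicy), which is the split the portal hides.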

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add, modify, and delete anti-spam policies, you need to be a member of the
Organization Management or Security Administrator role groups.
For read-only access to anti-spam policies, you need to be a member of the
Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.

For our recommended settings for anti-spam policies, see EOP anti-spam policy
settings.

You can't completely turn off spam filtering, but you can use a mail flow rule (also
known as a transport rule) to bypass most spam filtering on incoming messages (for
example, if you route email through a third-party protection service or device
before delivery to Microsoft 365). For more information, see Use mail flow rules to
set the spam confidence level (SCL) in messages.
High confidence phishing messages are still filtered. Other features in EOP are
not affected (for example, messages are always scanned for malware).
If you need to bypass spam filtering for SecOps mailboxes or phishing
simulations, don't use mail flow rules. For more information, see Configure the
delivery of third-party phishing simulations to users and unfiltered messages to
SecOps mailboxes.

Use the Microsoft 365 Defender portal to create anti-spam policies

Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates the
spam filter rule and the associated spam filter policy at the same time using the same
name for both.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam.

2. On the Anti-spam policies page, click Create policy and then select Inbound
from the drop down list.
3. The policy wizard opens. On the Name your policy page, configure these settings:

Name: Enter a unique, descriptive name for the policy.
Description: Enter an optional description for the policy.

When you're finished, click Next.

4. On the Users, groups, and domains page that appears, identify the internal
recipients that the policy applies to (recipient conditions):

Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your
organization.

Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.

For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.

Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).

Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.

Important

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The policy is applied only to those recipients that match all of the
specified recipient filters. For example, you configure a recipient filter
condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy is not
applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.

When you're finished, click Next.

5. On the Bulk email threshold & spam properties page that appears, configure the
following settings:

Bulk email threshold: Specifies the bulk complaint level (BCL) of a message
that triggers the specified action for the Bulk spam filtering verdict that you
configure on the next page. A higher value indicates the message is less
desirable (more likely to resemble spam). The default value is 7. For more
information, see Bulk complaint level (BCL) in EOP and What's the difference
between junk email and bulk email?.

By default, the PowerShell-only setting MarkAsSpamBulkMail is On in anti-spam
policies. This setting dramatically affects the results of a Bulk filtering
verdict:
MarkAsSpamBulkMail is On: A BCL that's greater than or equal to the
threshold is converted to an SCL 6 that corresponds to a filtering verdict of
Spam, and the action for the Bulk filtering verdict is taken on the message.
MarkAsSpamBulkMail is Off: The message is stamped with the BCL, but
no action is taken for a Bulk filtering verdict. In effect, the BCL threshold
and Bulk filtering verdict action are irrelevant.

Increase spam score, Mark as spam* and Test mode: Advanced Spam Filter
(ASF) settings that are turned off by default.

For details about these settings, see Advanced Spam Filter settings in EOP.

* The Contains specific languages and From these countries settings are not
part of ASF.

Contains specific languages: Click the box and select On or Off from the
drop down list. If you turn it on, a box appears. Start typing the name of a
language in the box. A filtered list of supported languages will appear. When
you find the language that you're looking for, select it. Repeat this step as
many times as necessary. To remove an existing value, click remove next to
the value.

From these countries*: Click the box and select On or Off from the drop
down list. If you turn it on, a box appears. Start typing the name of a country
in the box. A filtered list of supported countries will appear. When you find
the country that you're looking for, select it. Repeat this step as many times
as necessary. To remove an existing value, click remove next to the value.

When you're finished, click Next.

6. On the Actions page that appears, configure the following settings:

Message actions: Select or review the action to take on messages based on
the following spam filtering verdicts:
Spam
High confidence spam
Phishing
High confidence phishing
Bulk

The available actions for spam filtering verdicts are described in the following
table.
A check mark (✔) indicates the action is available (not all actions are
available for all verdicts).
An asterisk (*) after the check mark indicates the default action for the
spam filtering verdict.
Numbers in parentheses after an action refer to the footnotes below the table.

Action | Spam | High confidence spam | Phishing | High confidence phishing | Bulk
Move message to Junk Email folder (1,4) | ✔* | ✔* | ✔ | | ✔*
Add X-header (1,2) | ✔ | ✔ | ✔ | | ✔
Prepend subject line with text (1,2) | ✔ | ✔ | ✔ | | ✔
Redirect message to email address | ✔ | ✔ | ✔ | ✔ | ✔
Delete message | ✔ | ✔ | ✔ | | ✔
Quarantine message (3) | ✔ | ✔ | ✔* | ✔* | ✔
No action | | | | | ✔

Move message to Junk Email folder: The message is delivered to the mailbox and
moved to the Junk Email folder.

Add X-header: Adds an X-header to the message header and delivers the message
to the mailbox. You enter the X-header field name (not the value) later in the
Add this X-header text box. For Spam and High confidence spam verdicts, the
message is moved to the Junk Email folder.

Prepend subject line with text: Adds text to the beginning of the message's
subject line. The message is delivered to the mailbox and moved to the Junk
Email folder. You enter the text later in the Prefix subject line with this
text box.

Redirect message to email address: Sends the message to other recipients
instead of the intended recipients. You specify the recipients later in the
Redirect to this email address box.

Delete message: Silently deletes the entire message, including all attachments.

Quarantine message: Sends the message to quarantine instead of the intended
recipients. You specify how long the message should be held in quarantine later
in the Quarantine box. You specify the quarantine policy that applies to
quarantined messages for the spam filter verdict in the Select a policy box
that appears. For more information, see Quarantine policies.

(1) EOP now uses its own mail flow delivery agent to route messages to the
Junk Email folder instead of using the junk email rule in the mailbox. The
Enabled parameter on the Set-MailboxJunkEmailConfiguration cmdlet no longer has
any effect on mail flow. For more information, see Configure junk email
settings on Exchange Online mailboxes.

In hybrid environments where EOP protects on-premises Exchange mailboxes, you
need to configure mail flow rules (also known as transport rules) in
on-premises Exchange. These mail flow rules translate the EOP spam filtering
verdict so the junk email rule in the mailbox can move the message to the Junk
Email folder. For details, see Configure EOP to deliver spam to the Junk Email
folder in hybrid environments.

(2) You can use this value as a condition in mail flow rules to filter or
route the message.

(3) A blank Select a policy value means the default quarantine policy for
that particular verdict is used. When you later edit the anti-spam policy or
view the settings, the default quarantine policy name is shown. For more
information about default quarantine policies that are used for the spam
filter verdicts, see this table.

(4) For High confidence phishing, the action Move message to Junk Email
folder has effectively been deprecated. Although you might be able to
select Move message to Junk Email folder, high confidence phishing
messages are always quarantined (equivalent to selecting Quarantine
message).

Users can't release their own messages that were quarantined as high
confidence phishing. At best, admins can configure the quarantine policy
so users can request the release of their quarantined high confidence
phishing messages.

Retain spam in quarantine for this many days: Specifies how long to keep
the message in quarantine if you selected Quarantine message as the action
for a spam filtering verdict. After the time period expires, the message is
deleted, and is not recoverable. A valid value is from 1 to 30 days.

Note

The default value is 15 days in the default anti-spam policy and in new
anti-spam policies that you create in PowerShell. The default value is 30
days in new anti-spam policies that you create in the Microsoft 365
Defender portal.

This setting also controls how long messages that were quarantined by
anti-phishing policies are retained. For more information, see
Quarantined messages in EOP and Defender for Office 365.

Add this X-header text: This box is required and available only if you selected
Add X-header as the action for a spam filtering verdict. The value you specify
is the header field name that's added to the message header. The header
field value is always This message appears to be spam.

The maximum length is 255 characters, and the value can't contain spaces or
colons (:).

For example, if you enter the value X-This-is-my-custom-header, the X-header
that's added to the message is X-This-is-my-custom-header: This message
appears to be spam.

If you enter a value that contains spaces or colons (:), the value you enter is
ignored, and the default X-header is added to the message (X-This-Is-Spam:
This message appears to be spam.).

Prepend subject line with this text: This box is required and available only if
you selected Prepend subject line with text as the action for a spam filtering
verdict. Enter the text to add to the beginning of the message's subject line.

Redirect to this email address: This box is required and available only if you
selected the Redirect message to email address as the action for a spam
filtering verdict. Enter the email address where you want to deliver the
message. You can enter multiple values separated by semicolons (;).

Enable safety Tips: By default, Safety Tips are enabled, but you can disable
them by clearing the checkbox.

Enable zero-hour auto purge (ZAP): ZAP detects and takes action on
messages that have already been delivered to Exchange Online mailboxes.
For more information, see Zero-hour auto purge - protection against spam
and malware.

ZAP is turned on by default. When ZAP is turned on, the following settings
are available:
Enable ZAP for phishing messages: By default, ZAP is enabled for
phishing detections, but you can disable it by clearing the checkbox.
Enable ZAP for spam messages: By default, ZAP is enabled for spam
detections, but you can disable it by clearing the checkbox.

Note

End-user spam notifications have been replaced by quarantine notifications in
quarantine policies. Quarantine notifications contain information about
quarantined messages for all supported protection features (not just anti-
spam policy and anti-phishing policy verdicts). For more information, see
Quarantine policies.

When you're finished, click Next.

7. On the Allow & block list flyout that appears, you are able to configure message
senders by email address or email domain that are allowed to skip spam filtering.

In the Allowed section, you can configure allowed senders and allowed domains.
In the Blocked section, you can add blocked senders and blocked domains.

Important

Think very carefully before you add domains to the allowed domains list. For
more information, see Create safe sender lists in EOP.

As of September 2022, if an allowed sender, domain, or subdomain is in an
accepted domain in your organization, that sender, domain, or subdomain
must pass email authentication checks in order to skip anti-spam filtering.

Never add common domains (for example, microsoft.com or office.com) to
the allowed domains list. If these domains are allowed to bypass spam
filtering, attackers can easily send messages that spoof these trusted domains
into your organization.

Manually blocking domains by adding the domains to the blocked domains
list isn't dangerous, but it can increase your administrative workload. For more
information, see Create block sender lists in EOP.

There will be times when our filters will miss a message, you don't agree with
the filtering verdict, or it takes time for our systems to catch up to it. In these
cases, the allow list and block list are available to override the current filtering
verdicts. But you should use these lists sparingly and temporarily: long lists
can become unmanageable, and our filtering stack should be doing what it's
supposed to be doing. If you're going to keep an allowed domain for an
extended period of time, you should tell the sender to verify that their domain
is authenticated and set to DMARC reject appropriately.

The steps to add entries to any of the lists are the same:

a. Click the link for the list that you want to configure:

Allowed > Senders: Click Manage (nn) sender(s).
Allowed > Domains: Click Allow domains.
Blocked > Senders: Click Manage (nn) sender(s).
Blocked > Domains: Click Block domains.

b. In the flyout that appears, do the following steps:

i. Click Add senders or Add domains.
ii. In the Add senders or Add domains flyout that appears, enter the sender's
email address in the Sender box or the domain in the Domain box. As you're
typing, the value appears below the box. When you're finished typing the
email address or domain, select the value below the box.
iii. Repeat the previous step as many times as necessary. To remove an existing
value, click remove next to the value.
When you're finished, click Add senders or Add domains.

Back on the main flyout, the senders or domains that you added are listed on
the page. To remove an entry from this page, do the following steps:
i. Select one or more entries from the list. You can also use the Search box to
find values in the list.
ii. After you select at least one entry, the delete icon appears.
iii. Click the delete icon to remove the selected entries.

When you're finished, click Done.

Back on the Allow & block list page, click Next when you're ready to continue.

8. On the Review page that appears, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.

When you're finished, click Create.

9. On the confirmation page that appears, click Done.

Use the Microsoft 365 Defender portal to view anti-spam policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam .

2. On the Anti-spam policies page, look for one of the following values:

The Type value is Custom anti-spam policy
The Name value is Anti-spam inbound policy (Default)

The following properties are displayed in the list of anti-spam policies:

Name
Status
Priority
Type

3. When you select an anti-spam policy by clicking on the name, the policy settings
are displayed in a flyout.

Use the Microsoft 365 Defender portal to modify anti-spam policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam .

2. On the Anti-spam policies page, select an anti-spam policy from the list by
clicking on the name:

A custom policy that you created where the value in the Type column is
Custom anti-spam policy.
The default policy named Anti-spam inbound policy (Default).

3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the
previous Use the Microsoft 365 Defender portal to create anti-spam policies
section in this article.

For the default anti-spam policy, the Applied to section isn't available (the policy
applies to everyone), and you can't rename the policy.

To enable or disable a policy or set the policy priority order, see the following sections.

Enable or disable anti-spam policies

You can't disable the default anti-spam policy.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam.

2. On the Anti-spam policies page, select a policy with the Type value of Custom
anti-spam policy from the list by clicking on the name.

3. At the top of the policy details flyout that appears, you'll see one of the following
values:

Policy off: To turn on the policy, click Turn on.
Policy on: To turn off the policy, click Turn off.

4. In the confirmation dialog that appears, click Turn on or Turn off.

5. Click Close in the policy details flyout.

Back on the main policy page, the Status value of the policy will be On or Off.

Set the priority of custom anti-spam policies

By default, anti-spam policies are given a priority that's based on the order they were
created in (newer policies are lower priority than older policies). A lower priority number
indicates a higher priority for the policy (0 is the highest), and policies are processed in
priority order (higher priority policies are processed before lower priority policies). No
two policies can have the same priority, and policy processing stops after the first policy
is applied.

To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.

Notes:

In the Microsoft 365 Defender portal, you can only change the priority of the anti-
spam policy after you create it. In PowerShell, you can override the default priority
when you create the spam filter rule (which can affect the priority of existing rules).
Anti-spam policies are processed in the order that they're displayed (the first policy
has the Priority value 0). The default anti-spam policy has the priority value
Lowest, and you can't change it.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam.

2. On the Anti-spam policies page, select a policy with the Type value of
Custom anti-spam policy from the list by clicking on the name.

3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:

The anti-spam policy with the Priority value 0 has only the Decrease priority
option available.
The anti-spam policy with the lowest Priority value (for example, 3) has only
the Increase priority option available.
If you have three or more anti-spam policies, the policies between the
highest and lowest priority values have both the Increase priority and
Decrease priority options available.

Click Increase priority or Decrease priority to change the Priority value.

4. When you're finished, click Close in the policy details flyout.

Use the Microsoft 365 Defender portal to remove custom anti-spam policies

When you use the Microsoft 365 Defender portal to remove a custom anti-spam policy,
the spam filter rule and the corresponding spam filter policy are both deleted. You can't
remove the default anti-spam policy.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam.

2. On the Anti-spam policies page, select a policy with the Type value of Custom
anti-spam policy from the list by clicking on the name. At the top of the policy
details flyout that appears, click More actions > Delete policy.

3. In the confirmation dialog that appears, click Yes.

Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-spam policies

As previously described, an anti-spam policy consists of a spam filter policy and a spam
filter rule.

In Exchange Online PowerShell or standalone EOP PowerShell, the difference between
spam filter policies and spam filter rules is apparent. You manage spam filter policies by
using the *-HostedContentFilterPolicy cmdlets, and you manage spam filter rules by
using the *-HostedContentFilterRule cmdlets.

In PowerShell, you create the spam filter policy first, then you create the spam filter
rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the spam filter policy and the spam filter
rule separately.
When you remove a spam filter policy from PowerShell, the corresponding spam
filter rule isn't automatically removed, and vice versa.

The following anti-spam policy settings are only available in PowerShell:

The MarkAsSpamBulkMail parameter that's On by default. The effects of this
setting were explained in the Use the Microsoft 365 Defender portal to create anti-
spam policies section earlier in this article.
The following settings for end-user spam quarantine notifications:
The DownloadLink parameter that shows or hides the link to the Junk Email
Reporting Tool for Outlook.
The EndUserSpamNotificationCustomSubject parameter that you can use to
customize the subject line of the notification.

Use PowerShell to create anti-spam policies


Creating an anti-spam policy in PowerShell is a two-step process:

1. Create the spam filter policy.

2. Create the spam filter rule that specifies the spam filter policy that the rule applies
to.

Notes:

You can create a new spam filter rule and assign an existing, unassociated spam
filter policy to it. A spam filter rule can't be associated with more than one spam
filter policy.

You can configure the following settings on new spam filter policies in PowerShell
that aren't available in the Microsoft 365 Defender portal until after you create the
policy:
Create the new policy as disabled (Enabled $false on the New-HostedContentFilterRule cmdlet).
Set the priority of the policy during creation (Priority <Number> on the New-HostedContentFilterRule cmdlet).

A new spam filter policy that you create in PowerShell isn't visible in the Microsoft
365 Defender portal until you assign the policy to a spam filter rule.

Step 1: Use PowerShell to create a spam filter policy


To create a spam filter policy, use this syntax:

PowerShell

New-HostedContentFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] <Additional Settings>

This example creates a spam filter policy named Contoso Executives with the following
settings:

Quarantine messages when the spam filtering verdict is spam or high confidence
spam, and use the default quarantine policy for the quarantined messages (we
aren't using the SpamQuarantineTag or HighConfidenceSpamQuarantineTag
parameters).
BCL 7, 8, or 9 triggers the action for a bulk email spam filtering verdict.

PowerShell

New-HostedContentFilterPolicy -Name "Contoso Executives" -HighConfidenceSpamAction Quarantine -SpamAction Quarantine -BulkThreshold 6

For detailed syntax and parameter information, see New-HostedContentFilterPolicy.

7 Note

For detailed instructions to specify the quarantine policy to use in a spam filter
policy, see Use PowerShell to specify the quarantine policy in anti-spam policies.

Step 2: Use PowerShell to create a spam filter rule

To create a spam filter rule, use this syntax:

PowerShell

New-HostedContentFilterRule -Name "<RuleName>" -HostedContentFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]

This example creates a new spam filter rule named Contoso Executives with these
settings:

The spam filter policy named Contoso Executives is associated with the rule.
The rule applies to members of the group named Contoso Executives Group.

PowerShell
New-HostedContentFilterRule -Name "Contoso Executives" -
HostedContentFilterPolicy "Contoso Executives" -SentToMemberOf "Contoso
Executives Group"

For detailed syntax and parameter information, see New-HostedContentFilterRule.
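The two-step procedure above, carried out in one function, as an added example that is not the article's own code. It uses the PowerShell-only options the article lists for new rules (Enabled and Priority on New-HostedContentFilterRule), then confirms that the rule is bound to the policy. It assumes an existing Exchange Online PowerShell session and that the group "Contoso Executives Group" exists; the function name and policy names are assumed.

```powershell
# Added example, not from the Microsoft article. Assumes Connect-ExchangeOnline has
# already been run and that $GroupName names an existing group.
function New-ContosoAntiSpamPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $GroupName,
        [int]    $Priority = 0,        # 0 is the highest priority; may shift existing rules down
        [int]    $BulkThreshold = 6,   # same value as the article's example
        [switch] $StartDisabled        # create the rule disabled for review before it takes effect
    )

    # Step 1: the spam filter policy holds the verdict actions and thresholds.
    # No quarantine tag parameters are given, so the default quarantine policy applies.
    $policy = New-HostedContentFilterPolicy -Name $Name `
        -SpamAction Quarantine `
        -HighConfidenceSpamAction Quarantine `
        -BulkThreshold $BulkThreshold `
        -AdminDisplayName "Created by New-ContosoAntiSpamPolicy (assumed example)"

    # Step 2: the spam filter rule binds the policy to recipients. The rule name is what
    # the Defender portal shows as the policy name, and the policy is not visible there
    # until this rule exists.
    $rule = New-HostedContentFilterRule -Name $Name `
        -HostedContentFilterPolicy $policy.Name `
        -SentToMemberOf $GroupName `
        -Priority $Priority `
        -Enabled (-not $StartDisabled)

    # Verify the binding: a rule can reference only one policy, and a typo in the
    # policy name here would leave the policy unassociated and therefore never applied.
    $check = Get-HostedContentFilterRule -Identity $rule.Name
    if ($check.HostedContentFilterPolicy -ne $policy.Name) {
        throw "Rule '$($rule.Name)' is not bound to policy '$($policy.Name)'."
    }

    [pscustomobject]@{
        Policy   = $policy.Name
        Rule     = $check.Name
        Priority = $check.Priority
        State    = $check.State
    }
}

# Create the policy disabled at priority 0, review it, then enable the rule, which
# enables the whole anti-spam policy (rule plus assigned policy).
New-ContosoAntiSpamPolicy -Name "Contoso Executives" -GroupName "Contoso Executives Group" -Priority 0 -StartDisabled
Enable-HostedContentFilterRule -Identity "Contoso Executives"
```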

Use PowerShell to view spam filter policies


To return a summary list of all spam filter policies, run this command:

PowerShell

Get-HostedContentFilterPolicy

To return detailed information about a specific spam filter policy, use this syntax:

PowerShell

Get-HostedContentFilterPolicy -Identity "<PolicyName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the spam filter policy named Executives.

PowerShell

Get-HostedContentFilterPolicy -Identity "Executives" | Format-List

For detailed syntax and parameter information, see Get-HostedContentFilterPolicy.

Use PowerShell to view spam filter rules


To view existing spam filter rules, use the following syntax:

PowerShell

Get-HostedContentFilterRule [-Identity "<RuleIdentity>"] [-State <Enabled | Disabled>]

To return a summary list of all spam filter rules, run this command:

PowerShell

Get-HostedContentFilterRule

To filter the list by enabled or disabled rules, run the following commands:

PowerShell

Get-HostedContentFilterRule -State Disabled

PowerShell

Get-HostedContentFilterRule -State Enabled

To return detailed information about a specific spam filter rule, use this syntax:

PowerShell

Get-HostedContentFilterRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the spam filter rule named Contoso
Executives.

PowerShell

Get-HostedContentFilterRule -Identity "Contoso Executives" | Format-List

For detailed syntax and parameter information, see Get-HostedContentFilterRule.

Use PowerShell to modify spam filter policies


Other than the following items, the same settings are available when you modify a spam
filter policy in PowerShell as when you create the policy as described in the Step 1: Use
PowerShell to create a spam filter policy section earlier in this article.

The MakeDefault switch that turns the specified policy into the default policy
(applied to everyone, always Lowest priority, and you can't delete it) is only
available when you modify a spam filter policy in PowerShell.
You can't rename a spam filter policy (the Set-HostedContentFilterPolicy cmdlet
has no Name parameter). When you rename an anti-spam policy in the Microsoft
365 Defender portal, you're only renaming the spam filter rule.

To modify a spam filter policy, use this syntax:

PowerShell

Set-HostedContentFilterPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-HostedContentFilterPolicy.

7 Note

For detailed instructions to specify the quarantine policy to use in a spam filter
policy, see Use PowerShell to specify the quarantine policy in anti-spam policies.

Use PowerShell to modify spam filter rules


The only setting that isn't available when you modify a spam filter rule in PowerShell is
the Enabled parameter that allows you to create a disabled rule. To enable or disable
existing spam filter rules, see the next section.

Otherwise, no additional settings are available when you modify a spam filter rule in
PowerShell. The same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create a spam filter rule section earlier in this article.

To modify a spam filter rule, use this syntax:

PowerShell

Set-HostedContentFilterRule -Identity "<RuleName>" <Settings>

This example renames the existing spam filter rule named {Fabrikam Spam Filter}.

PowerShell

Set-HostedContentFilterRule -Identity "{Fabrikam Spam Filter}" -Name "Fabrikam Spam Filter"

For detailed syntax and parameter information, see Set-HostedContentFilterRule.

Use PowerShell to enable or disable spam filter rules


Enabling or disabling a spam filter rule in PowerShell enables or disables the whole anti-
spam policy (the spam filter rule and the assigned spam filter policy). You can't enable or
disable the default anti-spam policy (it's always applied to all recipients).

To enable or disable a spam filter rule in PowerShell, use this syntax:

PowerShell

<Enable-HostedContentFilterRule | Disable-HostedContentFilterRule> -Identity "<RuleName>"

This example disables the spam filter rule named Marketing Department.

PowerShell

Disable-HostedContentFilterRule -Identity "Marketing Department"

This example enables the same rule.

PowerShell

Enable-HostedContentFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Enable-HostedContentFilterRule and
Disable-HostedContentFilterRule.

Use PowerShell to set the priority of spam filter rules


The highest priority value you can set on a rule is 0. The lowest value you can set
depends on the number of rules. For example, if you have five rules, you can use the
priority values 0 through 4. Changing the priority of an existing rule can have a
cascading effect on other rules. For example, if you have five custom rules (priorities 0
through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is
changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of a spam filter rule in PowerShell, use the following syntax:

PowerShell

Set-HostedContentFilterRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. All existing
rules that have a priority less than or equal to 2 are decreased by 1 (their priority
numbers are increased by 1).

PowerShell

Set-HostedContentFilterRule -Identity "Marketing Department" -Priority 2

Notes:
To set the priority of a new rule when you create it, use the Priority parameter on
the New-HostedContentFilterRule cmdlet instead.
The default spam filter policy doesn't have a corresponding spam filter rule, and it
always has the unmodifiable priority value Lowest.

Use PowerShell to remove spam filter policies


When you use PowerShell to remove a spam filter policy, the corresponding spam filter
rule isn't removed.

To remove a spam filter policy in PowerShell, use this syntax:

PowerShell

Remove-HostedContentFilterPolicy -Identity "<PolicyName>"

This example removes the spam filter policy named Marketing Department.

PowerShell

Remove-HostedContentFilterPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-HostedContentFilterPolicy.

Use PowerShell to remove spam filter rules


When you use PowerShell to remove a spam filter rule, the corresponding spam filter
policy isn't removed.

To remove a spam filter rule in PowerShell, use this syntax:

PowerShell

Remove-HostedContentFilterRule -Identity "<RuleName>"

This example removes the spam filter rule named Marketing Department.

PowerShell

Remove-HostedContentFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-HostedContentFilterRule.


How do you know these procedures worked?

Send a GTUBE message to test your spam policy settings

7 Note

These steps will only work if the email organization that you're sending the GTUBE
message from doesn't scan for outbound spam. If it does, you can't send the test
message.

Generic Test for Unsolicited Bulk Email (GTUBE) is a text string that you include in a test
message to verify your organization's anti-spam settings. A GTUBE message is similar to
the European Institute for Computer Antivirus Research (EICAR) text file for testing
malware settings.

Include the following GTUBE text in an email message on a single line, without any
spaces or line breaks:

text

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Advanced Spam Filter (ASF) settings in EOP
Article • 12/10/2022 • 6 minutes to read

Applies to

Exchange Online Protection


Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In all Microsoft 365 organizations, the Advanced Spam Filter (ASF) settings in anti-spam
policies in EOP allow admins to mark messages as spam based on specific message
properties. ASF specifically targets these properties because they're commonly found in
spam. Depending on the property, ASF detections will either mark the message as Spam
or High confidence spam.

7 Note

Enabling one or more of the ASF settings is an aggressive approach to spam
filtering. You can't report messages that are filtered by ASF as false positives. You
can identify messages that were filtered by ASF by:

Periodic quarantine notifications from spam and high confidence spam filter
verdicts.
The presence of filtered messages in quarantine.
The specific X-CustomSpam: X-header fields that are added to messages as
described in this article.

The following sections describe the ASF settings and options that are available in anti-
spam policies in the Microsoft 365 Defender portal, and in Exchange Online PowerShell
or standalone EOP PowerShell (New-HostedContentFilterPolicy and Set-
HostedContentFilterPolicy). For more information, see Configure anti-spam policies in
EOP.

Enable, disable, or test ASF settings


For each ASF setting, the following options are available in anti-spam policies:
On: ASF adds the corresponding X-header field to the message, and either marks
the message as Spam (SCL 5 or 6 for Increase spam score settings) or High
confidence spam (SCL 9 for Mark as spam settings).

Off: The ASF setting is disabled. This is the default value, and we recommend that
you don't change it.

Test: ASF adds the corresponding X-header field to the message. What happens to
the message is determined by the Test mode (TestModeAction) value:
None: Message delivery is unaffected by the ASF detection. The message is still
subject to other types of filtering and rules in EOP.
Add default X-header text (AddXHeader): The X-header value X-CustomSpam:
This message was filtered by the custom spam filter option is added to the
message. You can use this value in Inbox rules or mail flow rules (also known as
transport rules) to affect the delivery of the message.
Send Bcc message (BccMessage): The specified email addresses (the
TestModeBccToRecipients parameter value in PowerShell) are added to the Bcc
field of the message, and the message is delivered to the additional Bcc
recipients. In the Microsoft 365 Defender portal, you separate multiple email
addresses by semicolons (;). In PowerShell, you separate multiple email
addresses by commas.

Notes:
Test mode is not available for the following ASF settings:
Conditional Sender ID filtering: hard fail (MarkAsSpamFromAddressAuthFail)
NDR backscatter (MarkAsSpamNdrBackscatter)
SPF record: hard fail (MarkAsSpamSpfRecordHardFail)
The same test mode action is applied to all ASF settings that are set to Test. You
can't configure different test mode actions for different ASF settings.

Increase spam score settings


The following Increase spam score ASF settings set the spam confidence level (SCL) of
detected messages to 5 or 6, which corresponds to a Spam filter verdict and the
corresponding action in anti-spam policies.

Each entry lists the anti-spam policy setting (with its PowerShell parameter name), its
description, and the X-header that ASF adds.

Anti-spam policy setting: Image links to remote websites (IncreaseScoreWithImageLinks)
Description: Messages that contain <Img> HTML tag links to remote sites (for example, using http) are marked as spam.
X-header added: X-CustomSpam: Image links to remote sites

Anti-spam policy setting: Numeric IP address in URL (IncreaseScoreWithNumericIps)
Description: Messages that contain numeric-based URLs (typically, IP addresses) are marked as spam.
X-header added: X-CustomSpam: Numeric IP in URL

Anti-spam policy setting: URL redirect to other port (IncreaseScoreWithRedirectToOtherPort)
Description: Messages that contain hyperlinks that redirect to TCP ports other than 80 (HTTP), 8080 (alternate HTTP), or 443 (HTTPS) are marked as spam.
X-header added: X-CustomSpam: URL redirect to other port

Anti-spam policy setting: Links to .biz or .info websites (IncreaseScoreWithBizOrInfoUrls)
Description: Messages that contain .biz or .info links in the body of the message are marked as spam.
X-header added: X-CustomSpam: URL to .biz or .info websites

Mark as spam settings


The following Mark as spam ASF settings set the SCL of detected messages to 9, which
corresponds to a High confidence spam filter verdict and the corresponding action in
anti-spam policies.

Each entry lists the anti-spam policy setting (with its PowerShell parameter name), its
description, and the X-header that ASF adds.

Anti-spam policy setting: Empty messages (MarkAsSpamEmptyMessages)
Description: Messages with no subject, no content in the message body, and no attachments are marked as high confidence spam.
X-header added: X-CustomSpam: Empty Message

Anti-spam policy setting: Embedded tags in HTML (MarkAsSpamEmbedTagsInHtml)
Description: Messages that contain <embed> HTML tags are marked as high confidence spam. This tag allows the embedding of different kinds of documents in an HTML document (for example, sounds, videos, or pictures).
X-header added: X-CustomSpam: Embed tag in html

Anti-spam policy setting: JavaScript or VBScript in HTML (MarkAsSpamJavaScriptInHtml)
Description: Messages that use JavaScript or Visual Basic Script Edition in HTML are marked as high confidence spam. These scripting languages are used in email messages to cause specific actions to automatically occur.
X-header added: X-CustomSpam: Javascript or VBscript tags in HTML

Anti-spam policy setting: Form tags in HTML (MarkAsSpamFormTagsInHtml)
Description: Messages that contain <form> HTML tags are marked as high confidence spam. This tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.
X-header added: X-CustomSpam: Form tag in html

Anti-spam policy setting: Frame or iframe tags in HTML (MarkAsSpamFramesInHtml)
Description: Messages that contain <frame> or <iframe> HTML tags are marked as high confidence spam. These tags are used in email messages to format the page for displaying text or graphics.
X-header added: X-CustomSpam: IFRAME or FRAME in HTML

Anti-spam policy setting: Web bugs in HTML (MarkAsSpamWebBugsInHtml)
Description: A web bug (also known as a web beacon) is a graphic element (often as small as one pixel by one pixel) that's used in email messages to determine whether the message was read by the recipient. Messages that contain web bugs are marked as high confidence spam. Legitimate newsletters might use web bugs, although many consider this an invasion of privacy.
X-header added: X-CustomSpam: Web bug

Anti-spam policy setting: Object tags in HTML (MarkAsSpamObjectTagsInHtml)
Description: Messages that contain <object> HTML tags are marked as high confidence spam. This tag allows plug-ins or applications to run in an HTML window.
X-header added: X-CustomSpam: Object tag in html

Anti-spam policy setting: Sensitive words (MarkAsSpamSensitiveWordList)
Description: Microsoft maintains a dynamic but non-editable list of words that are associated with potentially offensive messages. Messages that contain words from the sensitive word list in the subject or message body are marked as high confidence spam.
X-header added: X-CustomSpam: Sensitive word in subject/body

Anti-spam policy setting: SPF record: hard fail (MarkAsSpamSpfRecordHardFail)
Description: Messages sent from an IP address that isn't specified in the Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. Test mode is not available for this setting.
X-header added: X-CustomSpam: SPF Record Fail

The following Mark as spam ASF settings set the SCL of detected messages to 6, which
corresponds to a Spam filter verdict and the corresponding action in anti-spam policies.

Anti-spam policy setting: Sender ID filtering hard fail (MarkAsSpamFromAddressAuthFail)
Description: Messages that hard fail a conditional Sender ID check are marked as spam. This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. Test mode is not available for this setting.
X-header added: X-CustomSpam: SPF From Record Fail

Anti-spam policy setting: Backscatter (MarkAsSpamNdrBackscatter)
Description: Backscatter is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see Backscatter messages and EOP.
You don't need to configure this setting in the following environments, because legitimate NDRs are delivered, and backscatter is marked as spam:
Microsoft 365 organizations with Exchange Online mailboxes.
On-premises email organizations where you route outbound email through EOP.
In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result:
On: Legitimate NDRs are delivered, and backscatter is marked as spam.
Off: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs will be delivered to the original message sender. Some, but not all, backscatter is marked as spam. By definition, backscatter can only be delivered to the spoofed sender, not to the original sender.
Test mode is not available for this setting.
X-header added: X-CustomSpam: Backscatter NDR
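An audit of the ASF settings described in this article, as an added example that is not the article's own code. It walks every Increase spam score and Mark as spam parameter on each spam filter policy, reports anything that is not Off together with the shared test mode action, and flags the combinations the article calls out (Test on a setting that has no test mode, BccMessage with no Bcc recipients, None with no delivery effect). The sample policy objects are constructed so the script runs offline; the function and helper names are assumed.

```powershell
# Added example, not from the Microsoft article. In a tenant, after Connect-ExchangeOnline,
# run: Get-HostedContentFilterPolicy | Get-AsfAuditReport
$IncreaseScoreSettings = @(
    'IncreaseScoreWithImageLinks', 'IncreaseScoreWithNumericIps',
    'IncreaseScoreWithRedirectToOtherPort', 'IncreaseScoreWithBizOrInfoUrls'
)
$MarkAsSpamSettings = @(
    'MarkAsSpamEmptyMessages', 'MarkAsSpamEmbedTagsInHtml', 'MarkAsSpamJavaScriptInHtml',
    'MarkAsSpamFormTagsInHtml', 'MarkAsSpamFramesInHtml', 'MarkAsSpamWebBugsInHtml',
    'MarkAsSpamObjectTagsInHtml', 'MarkAsSpamSensitiveWordList', 'MarkAsSpamSpfRecordHardFail',
    'MarkAsSpamFromAddressAuthFail', 'MarkAsSpamNdrBackscatter'
)
# Settings the article says have no Test mode, and the two Mark as spam settings that
# produce SCL 6 (Spam) rather than SCL 9 (High confidence spam).
$NoTestMode     = @('MarkAsSpamFromAddressAuthFail', 'MarkAsSpamNdrBackscatter', 'MarkAsSpamSpfRecordHardFail')
$MarkAsSpamScl6 = @('MarkAsSpamFromAddressAuthFail', 'MarkAsSpamNdrBackscatter')

function Get-AsfAuditReport {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        foreach ($setting in ($IncreaseScoreSettings + $MarkAsSpamSettings)) {
            $value = [string]$Policy.$setting
            if (-not $value -or $value -eq 'Off') { continue }   # Off is the recommended default

            $verdict = if ($setting -like 'IncreaseScore*') { 'Spam (SCL 5 or 6)' }
                       elseif ($setting -in $MarkAsSpamScl6) { 'Spam (SCL 6)' }
                       else { 'High confidence spam (SCL 9)' }

            $action = $null
            $note   = 'Detections cannot be reported as false positives'
            if ($value -eq 'Test') {
                $action = [string]$Policy.TestModeAction   # one action shared by all Test settings
                if ($setting -in $NoTestMode) {
                    $note = 'Test mode is not supported for this setting'
                } elseif ($action -eq 'BccMessage' -and $Policy.TestModeBccToRecipients.Count -eq 0) {
                    $note = 'TestModeAction is BccMessage but TestModeBccToRecipients is empty'
                } elseif ($action -eq 'None') {
                    $note = 'Only the X-CustomSpam header is added; delivery is unaffected'
                } else {
                    $note = 'X-CustomSpam header added; delivery follows TestModeAction'
                }
            }

            [pscustomobject]@{
                Policy         = $Policy.Name
                Setting        = $setting
                Value          = $value
                VerdictWhenOn  = $verdict
                TestModeAction = $action
                Note           = $note
            }
        }
    }
}

# Builds a constructed policy object with every ASF setting Off unless overridden.
function New-SamplePolicy {
    param([string] $Name, [hashtable] $Overrides = @{})
    $props = [ordered]@{ Name = $Name; TestModeAction = 'None'; TestModeBccToRecipients = @() }
    foreach ($s in ($IncreaseScoreSettings + $MarkAsSpamSettings)) { $props[$s] = 'Off' }
    foreach ($k in $Overrides.Keys) { $props[$k] = $Overrides[$k] }
    [pscustomobject]$props
}

# Constructed sample data (not real tenant policies).
$samplePolicies = @(
    (New-SamplePolicy -Name 'Default'),
    (New-SamplePolicy -Name 'Contoso Executives' -Overrides @{
        TestModeAction              = 'BccMessage'   # but no Bcc recipients configured
        MarkAsSpamJavaScriptInHtml  = 'On'
        IncreaseScoreWithNumericIps = 'Test'
        MarkAsSpamWebBugsInHtml     = 'Test'
    })
)
$samplePolicies | Get-AsfAuditReport | Format-Table -AutoSize
```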


What's the difference between junk
email and bulk email in EOP?
Article • 12/10/2022 • 3 minutes to read

Applies to

Exchange Online Protection


Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
customers sometimes ask: "what's the difference between junk email and bulk email?"
This topic explains the difference and describes the controls that are available in EOP.

Junk email is spam: unsolicited and universally unwanted messages (when identified
correctly). By default, EOP rejects spam based on the reputation of the source email
server. If a message passes source IP inspection, it's sent to spam filtering. If the
message is classified as spam by spam filtering, the message is (by default) delivered
to the intended recipients and moved to their Junk Email folder.

You can configure the actions to take on spam filtering verdicts. For instructions,
see Configure anti-spam policies in EOP.

If you disagree with the spam filtering verdict, you can report messages that you
consider to be spam or non-spam to Microsoft in several ways, as described in
Report messages and files to Microsoft.

Bulk email (also known as gray mail), is more difficult to classify. Whereas spam is
a constant threat, bulk email is often one-time advertisements or marketing
messages. Some users want bulk email messages (and in fact, they have
deliberately signed up to receive them), while other users consider bulk email to be
spam. For example, some users want to receive advertising messages from the
Contoso Corporation or invitations to an upcoming conference on cyber security,
while other users consider these same messages to be spam.

For more information about how bulk email is identified, see Bulk complaint level
(BCL) in EOP.

How to manage bulk email


Because of the mixed reaction to bulk email, there isn't universal guidance that applies
to every organization.

Anti-spam policies have a default BCL threshold that's used to identify bulk email as
spam. Admins can increase or decrease the threshold. For more information, see the
following topics:

Configure anti-spam policies in EOP.
EOP anti-spam policy settings

Another option that's easy to overlook: if a user complains about receiving bulk email,
but the messages are from reputable senders that pass spam filtering in EOP, have the
user check for an unsubscribe option in the bulk email message.

How to tune bulk email


As of September 2022, Microsoft Defender for Office 365 Plan 2 customers can access BCL
from advanced hunting. This feature allows admins to look at all bulk senders who sent
mail to their organization, along with the corresponding BCL values and the email
volume received. You can drill down into the bulk senders by using other columns in the
EmailEvents table in the Email & collaboration schema. For more information, see
EmailEvents.

For example, if Contoso has set their current bulk threshold to 7 in anti-spam policies,
Contoso recipients will receive email from all senders with BCL < 7 in their Inbox.
Admins can run the following query to get a list of all bulk senders in the organization:

Console

EmailEvents
| where BulkComplaintLevel >= 1 and Timestamp > datetime(2022-09-XXT00:00:00Z)
| summarize count() by SenderMailFromAddress, BulkComplaintLevel

This query allows admins to identify wanted and unwanted senders. If a bulk sender has
a BCL score that doesn't meet the bulk threshold, admins can submit the sender's
messages to Microsoft for analysis, which adds the sender as an allow entry to the
Tenant Allow/Block List.

Organizations without Defender for Office 365 Plan 2 can try the Defender for Office 365
Plan 2 features for free by using the 90-day Defender for Office 365 evaluation at
https://security.microsoft.com/atpEvaluation. Learn about who can sign up and the trial
terms here. Alternatively, you can use the Threat protection status report to identify
wanted and unwanted bulk senders:

1. In the Threat protection status report, select View data by Email > Spam. To go
directly to the report, open one of the following URLs:

EOP: https://security.microsoft.com/reports/TPSAggregateReport
Defender for Office 365:
https://security.microsoft.com/reports/TPSAggregateReportATP

2. Filter for Bulk email, select an email to investigate and click on email entity to learn
more about the sender. Email entity is available only for Defender for Office 365
Plan 2 customers.

3. Once you have identified wanted and unwanted senders, adjust the bulk threshold
to your desired level. If there are bulk senders with a BCL score that doesn't fit within
your bulk threshold, submit the messages to Microsoft for analysis, which adds the
sender as an allow entry to the Tenant Allow/Block List.

Admins can follow the recommended bulk threshold values or choose a bulk threshold
value that suits the needs of their organization.
Spam confidence level (SCL) in EOP
Article • 12/10/2022 • 2 minutes to read

Applies to

Exchange Online Protection


Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
inbound messages go through spam filtering in EOP and are assigned a spam score.
That score is mapped to an individual spam confidence level (SCL) that's added to the
message in an X-header. A higher SCL indicates a message is more likely to be spam.
EOP takes action on the message based on the SCL.

What the SCL means and the default actions that are taken on messages are described
in the following table. For more information about actions you can take on messages
based on the spam filtering verdict, see Configure anti-spam policies in EOP.

Each entry lists the SCL, its definition, and the default action.

SCL -1
Definition: The message skipped spam filtering. For example, the message is from a safe sender, was sent to a safe recipient, or is from an email source server on the IP Allow List. For more information, see Create safe sender lists in EOP.
Default action: Deliver the message to the recipients' inbox.

SCL 0, 1
Definition: Spam filtering determined the message was not spam.
Default action: Deliver the message to the recipients' inbox.

SCL 5, 6
Definition: Spam filtering marked the message as Spam.
Default action: Deliver the message to the recipients' Junk Email folder.

SCL 8, 9
Definition: Spam filtering marked the message as High confidence spam.
Default action: Deliver the message to the recipients' Junk Email folder.

You'll notice that SCL 2, 3, 4, and 7 aren't used by spam filtering.

You can use mail flow rules (also known as transport rules) to stamp the SCL on
messages. If you use a mail flow rule to set the SCL, the values 5 or 6 trigger the spam
filtering action for Spam, and the values 7, 8, or 9 trigger the spam filtering action for
High confidence spam. For more information, see Use mail flow rules to set the spam
confidence level (SCL) in messages.

Similar to the SCL, the bulk complaint level (BCL) identifies bad bulk email (also known
as gray mail). A higher BCL indicates a bulk mail message is more likely to generate
complaints (and is therefore more likely to be spam). You configure the BCL threshold in
anti-spam policies. For more information, see Configure anti-spam policies in EOP, Bulk
complaint level (BCL) in EOP, and What's the difference between junk email and bulk
email?

Bulk complaint level (BCL) in EOP
Article • 12/10/2022 • 2 minutes to read

Applies to

Exchange Online Protection


Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
EOP assigns a bulk complaint level (BCL) to inbound messages from bulk mailers. The
BCL is added to the message in an X-header and is similar to the spam confidence level
(SCL) that's used to identify messages as spam. A higher BCL indicates a bulk message is
more likely to generate complaints (and is therefore more likely to be spam). Microsoft
uses both internal and third party sources to identify bulk mail and determine the
appropriate BCL.

Bulk mailers vary in their sending patterns, content creation, and recipient acquisition
practices. Good bulk mailers send desired messages with relevant content to their
subscribers. These messages generate few complaints from recipients. Other bulk
mailers send unsolicited messages that closely resemble spam and generate many
complaints from recipients. Messages from a bulk mailer are known as bulk mail or gray
mail.

Spam filtering marks messages as Bulk email based on the BCL threshold (the default
value or a value you specify) and takes the specified action on the message (the default
action is deliver the message to the recipient's Junk Email folder). For more information,
see Configure anti-spam policies and What's the difference between junk email and bulk
email?

The BCL thresholds are described in the following table.

BCL          Description
0            The message isn't from a bulk sender.
1, 2, 3      The message is from a bulk sender that generates few complaints.
4, 5, 6, 7*  The message is from a bulk sender that generates a mixed number of complaints.
8, 9         The message is from a bulk sender that generates a high number of complaints.

* This is the default threshold value that's used in anti-spam policies.
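The thresholds in this article applied to real header values, as an added PowerShell example that is not part of the original page. EOP stamps the BCL in the X-Microsoft-Antispam header and the SCL in the X-Forefront-Antispam-Report header; those header names are not given in this section, and the header values below are constructed for the example. The SCL bands (5 and 6 for Spam, 7 to 9 for High confidence spam) and the default BCL threshold of 7 come from the text above; the example also evaluates a stricter custom threshold to show what lowering it would do to the same messages.

```powershell
# Added example (not from the article). Classifies constructed EOP headers
# by SCL and BCL using the thresholds described in the text.

function Get-AntispamHeaderValue {
    param(
        [Parameter(Mandatory)][string]$Header,   # raw header value, e.g. "BCL:7;"
        [Parameter(Mandatory)][string]$Field     # field name, e.g. "BCL" or "SCL"
    )
    # EOP antispam headers are ';'-separated KEY:VALUE pairs; pull one integer field out.
    $m = [regex]::Match($Header, "(?:^|;)\s*${Field}:(-?\d+)")
    if (-not $m.Success) { return $null }
    return [int]$m.Groups[1].Value
}

function Get-SpamVerdict {
    param($Scl)   # integer SCL, or $null when the header is missing
    # SCL bands as described in this article: 5/6 = Spam, 7-9 = High confidence spam.
    if ($null -eq $Scl) { return 'No SCL stamped' }
    if ($Scl -eq -1)    { return 'Skipped spam filtering (SCL -1)' }
    if ($Scl -ge 7)     { return 'High confidence spam' }
    if ($Scl -ge 5)     { return 'Spam' }
    return 'Not spam'
}

function Get-BulkVerdict {
    param($Bcl, [ValidateRange(1, 9)][int]$Threshold = 7)
    # The anti-spam policy marks a message as Bulk when BCL is at or above the threshold (default 7).
    if ($null -eq $Bcl)      { return 'No BCL stamped' }
    if ($Bcl -eq 0)          { return 'Not from a bulk sender' }
    if ($Bcl -ge $Threshold) { return "Bulk (BCL $Bcl at or above threshold $Threshold)" }
    return "Bulk sender below threshold (BCL $Bcl)"
}

# Constructed sample headers (not captured from a real tenant).
$samples = @(
    [pscustomobject]@{ Subject = 'Weekly newsletter'; Forefront = 'CIP:192.0.2.10;CTRY:US;SCL:1;SRV:;'; Antispam = 'BCL:5;' }
    [pscustomobject]@{ Subject = 'Cheap offers!!!';   Forefront = 'CIP:192.0.2.11;SCL:6;';               Antispam = 'BCL:8;' }
    [pscustomobject]@{ Subject = 'Invoice attached';  Forefront = 'CIP:192.0.2.12;SCL:9;';               Antispam = 'BCL:0;' }
    [pscustomobject]@{ Subject = 'Partner mail';      Forefront = 'CIP:192.0.2.13;SCL:-1;';              Antispam = 'BCL:0;' }
)

foreach ($msg in $samples) {
    $scl = Get-AntispamHeaderValue -Header $msg.Forefront -Field 'SCL'
    $bcl = Get-AntispamHeaderValue -Header $msg.Antispam  -Field 'BCL'
    [pscustomobject]@{
        Subject     = $msg.Subject
        SCL         = $scl
        SpamVerdict = Get-SpamVerdict $scl
        BCL         = $bcl
        BulkDefault = Get-BulkVerdict $bcl                # policy default threshold of 7
        BulkStrict  = Get-BulkVerdict $bcl -Threshold 4   # a stricter custom policy
    }
}
```

The second and third columns make the trade-off visible: the newsletter with BCL 5 passes under the default threshold but is marked Bulk under the stricter one, which is exactly the kind of gray mail a lower threshold pushes into the Junk Email folder.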
Backscatter in EOP
Article • 12/10/2022

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender
Backscatter is non-delivery reports (also known as NDRs or bounce messages) that you
receive for messages that you didn't send. Backscatter is caused by spammers forging
(spoofing) the From address (also known as the 5322.From or P2 address) in their
messages. Spammers will often use real email addresses as the From address to lend
credibility to their messages. When spam is sent to a non-existent recipient, the
destination email server is essentially tricked into returning the undeliverable message in
an NDR to the forged sender in the From address.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
EOP makes every effort to identify and silently drop messages from dubious sources
without generating an NDR. But, based on the sheer volume of email flowing through the
service, there's always the possibility that EOP will unintentionally send backscatter.

Backscatterer.org maintains a blocklist (also known as a DNS blocklist or DNSBL) of
email servers that were responsible for sending backscatter, and EOP servers might
appear on this list. But, we don't try to remove ourselves from the Backscatterer.org
blocklist because (by their own admission) their list isn't a list of spammers.

Tip

The Backscatterer.org website (http://www.backscatterer.org/?target=usage)
recommends using their service in Safe mode instead of Reject mode, because
large email services almost always send some backscatter.
Configure junk email settings on Exchange Online mailboxes
Article • 12/10/2022

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online, organizational anti-spam
settings are controlled by Exchange Online Protection (EOP). For more
information, see Anti-spam protection in EOP.

But, there are also specific anti-spam settings that admins can configure on individual
mailboxes in Exchange Online:

Note

EOP now uses its own mail flow delivery agent to route messages to the Junk Email
folder instead of using the junk email rule. The Enabled parameter on the Set-
MailboxJunkEmailConfiguration cmdlet no longer has any effect on mail flow. EOP
routes messages based on the actions set in anti-spam policies. The user's Safe
Sender list and Blocked Senders list will continue to work as usual.

Move messages to the Junk Email folder based on anti-spam policies: When an
anti-spam policy is configured with the action Move message to Junk Email folder
for a spam filtering verdict, the message is moved to the Junk Email folder after the
message is delivered to the mailbox. For more information about spam filtering
verdicts in anti-spam policies, see Configure anti-spam policies in EOP. Similarly, if
zero-hour auto purge (ZAP) determines a delivered message is spam or phish, the
message is moved to the Junk Email folder for Move message to Junk Email
folder spam filtering verdict actions. For more information about ZAP, see Zero-
hour auto purge (ZAP) in Exchange Online.

Junk email settings that users configure for themselves in Outlook or Outlook
on the web: The safelist collection is the Safe Senders list, the Safe Recipients list,
and the Blocked Senders list on each mailbox. The entries in these lists determine
whether the message is moved to the Inbox or the Junk Email folder. Users can
configure the safelist collection for their own mailbox in Outlook or Outlook on the
web (formerly known as Outlook Web App). Admins can configure the safelist
collection on any user's mailbox.

EOP is able to move messages to the Junk Email folder based on the spam filtering
verdict action Move message to Junk Email folder or the Blocked Senders list on the
mailbox, and prevent messages from being delivered to the Junk Email folder (based on
the Safe Senders list on the mailbox).

Admins can use Exchange Online PowerShell to configure entries in the safelist
collection on mailboxes (the Safe Senders list, the Safe Recipients list, and the Blocked
Senders list).

Note

Messages from senders that users have added to their own Safe Senders lists will
skip content filtering as part of EOP (the SCL is -1). To prevent users from adding
entries to their Safe Senders list in Outlook, use Group Policy as mentioned in the
About junk email settings in Outlook section later in this article. Policy filtering,
Content filtering and Defender for Office 365 checks will still be applied to the
messages.

What do you need to know before you begin?

You can only use Exchange Online PowerShell to do the procedures in this article.
To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article. Specifically, you need the Mail Recipients role (which is
assigned to the Organization Management, Recipient Management, and Custom
Mail Recipients role groups by default) or the User Options role (which is assigned
to the Organization Management and Help Desk role groups by default). To add
users to role groups in Exchange Online, see Modify role groups in Exchange
Online. Note that users with default permissions can do these same procedures on
their own mailbox, as long as they have access to Exchange Online PowerShell.

In hybrid environments where EOP protects on-premises Exchange mailboxes, you
need to configure mail flow rules (also known as transport rules) in on-premises
Exchange. These mail flow rules translate the EOP spam filtering verdict so the junk
email rule in the mailbox can move the message to the Junk Email folder. For
details, see Configure EOP to deliver spam to the Junk Email folder in hybrid
environments.

Safe senders for shared mailboxes are not synchronized to Azure AD and EOP by
design.

Use Exchange Online PowerShell to configure the safelist collection on a mailbox

The safelist collection on a mailbox includes the Safe Senders list, the Safe Recipients list,
and the Blocked Senders list. By default, users can configure the safelist collection on
their own mailbox in Outlook or Outlook on the web. Administrators can use the
corresponding parameters on the Set-MailboxJunkEmailConfiguration cmdlet to
configure the safelist collection on a user's mailbox. These parameters are described in
the following table.

Parameter on Set-MailboxJunkEmailConfiguration   Outlook on the web setting

BlockedSendersAndDomains     Move email from these senders or domains to my Junk Email folder

ContactsTrusted              Trust email from my contacts

TrustedListsOnly             Only trust email from addresses in my Safe senders and domains list and Safe mailing lists

TrustedSendersAndDomains*    Don't move email from these senders to my Junk Email folder

* Notes:

  In Exchange Online, whether entries in the Safe Senders list or
  TrustedSendersAndDomains parameter work or don't work depends on the verdict
  and action in the policy that identified the message:

    Move messages to Junk Email folder: Domain entries and sender email address
    entries are honored. Messages from those senders are not moved to the Junk
    Email folder.

    Quarantine: Domain entries are not honored (messages from those senders are
    quarantined). Email address entries are honored (messages from those senders
    are not quarantined) if either of the following statements is true:

      The message is not identified as malware or high confidence phishing
      (malware and high confidence phishing messages are quarantined).

      The email address is not also in a block entry in the Tenant Allow/Block List
      (messages from those senders will be quarantined).

  In standalone EOP with directory synchronization, domain entries aren't
  synchronized by default, but you can enable synchronization for domains. For
  more information, see KB3019657.

  You can't directly modify the Safe Recipients list by using the
  Set-MailboxJunkEmailConfiguration cmdlet (the TrustedRecipientsAndDomains
  parameter doesn't work). You modify the Safe Senders list, and those changes are
  synchronized to the Safe Recipients list.

To configure the safelist collection on a mailbox, use the following syntax:

PowerShell

Set-MailboxJunkEmailConfiguration <MailboxIdentity> -BlockedSendersAndDomains <EmailAddressesOrDomains | $null> -ContactsTrusted <$true | $false> -TrustedListsOnly <$true | $false> -TrustedSendersAndDomains <EmailAddresses | $null>

To enter multiple values and overwrite any existing entries for the
BlockedSendersAndDomains and TrustedSendersAndDomains parameters, use the
following syntax: "<Value1>","<Value2>",... . To add or remove one or more values
without affecting other existing entries, use the following syntax:
@{Add="<Value1>","<Value2>",...; Remove="<Value3>","<Value4>",...}

This example configures the following settings for the safelist collection on Ori Epstein's
mailbox:

Add the value shopping@fabrikam.com to the Blocked Senders list.
Remove the value chris@fourthcoffee.com from the Safe Senders list and the Safe
Recipients list.
Configure contacts in the Contacts folder to be treated as trusted senders.

PowerShell

Set-MailboxJunkEmailConfiguration "Ori Epstein" -BlockedSendersAndDomains @{Add="shopping@fabrikam.com"} -TrustedSendersAndDomains @{Remove="chris@fourthcoffee.com"} -ContactsTrusted $true

This example removes the domain contoso.com from the Blocked Senders list in all user
mailboxes in the organization.

PowerShell

$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
$All | foreach {Set-MailboxJunkEmailConfiguration $_.Name -BlockedSendersAndDomains @{Remove="contoso.com"}}

For detailed syntax and parameter information, see Set-MailboxJunkEmailConfiguration.

Note

If the user has never opened their mailbox, you might receive an error when
you run the previous commands. To suppress this error for bulk operations,
add -ErrorAction SilentlyContinue to the Set-MailboxJunkEmailConfiguration command.

The Outlook Junk Email Filter has additional safelist collection settings (for
example, Automatically add people I email to the Safe Senders list). For
more information, see Use Junk Email Filters to control which messages you
see.
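The bulk procedure above, with the two failure modes the article mentions handled, as an added PowerShell example that is not from the original page: it applies one safelist change to a set of mailboxes, records (rather than silences) the error for mailboxes that have never been opened, and reads each mailbox back with Get-MailboxJunkEmailConfiguration to confirm the entries actually landed, because a list that has reached its synchronization limit stops accepting entries without raising an error (see Limits for junk email settings later in this article). Set-SafelistEntryAndVerify is a hypothetical function name, the mailbox identities and addresses are placeholders, and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the article). Apply a safelist change to several
# mailboxes and verify it by reading the configuration back. Assumes a
# connected Exchange Online PowerShell session; identities are placeholders.

function Set-SafelistEntryAndVerify {
    param(
        [Parameter(Mandatory)][string[]]$Mailbox,   # names, aliases or email addresses
        [string[]]$BlockSender = @(),                # entries to add to the Blocked Senders list
        [string[]]$TrustSender = @()                 # entries to add to the Safe Senders list
    )
    foreach ($id in $Mailbox) {
        $params = @{ Identity = $id; ErrorAction = 'Stop' }
        if ($BlockSender.Count) { $params.BlockedSendersAndDomains = @{ Add = $BlockSender } }
        if ($TrustSender.Count) { $params.TrustedSendersAndDomains = @{ Add = $TrustSender } }

        $status = 'Applied'
        try {
            Set-MailboxJunkEmailConfiguration @params
        } catch {
            # The cmdlet can fail for a mailbox that was never opened; keep the reason
            # in the report instead of hiding it with -ErrorAction SilentlyContinue.
            $status = "Failed: $($_.Exception.Message)"
        }

        # Read back and compare. A full list accepts nothing further and reports no error,
        # so the only reliable signal is the entry's absence after the Set call.
        $cfg = Get-MailboxJunkEmailConfiguration -Identity $id -ErrorAction SilentlyContinue
        $missingBlocked = @($BlockSender | Where-Object { $cfg.BlockedSendersAndDomains -notcontains $_ })
        $missingTrusted = @($TrustSender | Where-Object { $cfg.TrustedSendersAndDomains -notcontains $_ })

        [pscustomobject]@{
            Mailbox      = $id
            Status       = $status
            BlockedCount = @($cfg.BlockedSendersAndDomains).Count
            TrustedCount = @($cfg.TrustedSendersAndDomains).Count
            NotApplied   = ($missingBlocked + $missingTrusted) -join ', '
        }
    }
}

# Placeholder identities and values; substitute your own.
Set-SafelistEntryAndVerify -Mailbox 'Ori Epstein', 'Chris Green' `
    -BlockSender 'shopping@fabrikam.com', 'fourthcoffee.com' |
    Format-Table -AutoSize
```

A non-empty NotApplied column on a mailbox whose Status is Applied is the case worth investigating: the cmdlet returned successfully, yet the entry is not in the list, which is how a mailbox at the synchronization limit presents.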

How do you know this worked?

To verify that you have successfully configured the safelist collection on a mailbox, use
any of the following procedures:

Replace <MailboxIdentity> with the name, alias, or email address of the mailbox,
and run the following command to verify the property values:

PowerShell

Get-MailboxJunkEmailConfiguration -Identity "<MailboxIdentity>" | Format-List trusted*,contacts*,blocked*

If the list of values is too long, use this syntax:

PowerShell

(Get-MailboxJunkEmailConfiguration -Identity
<MailboxIdentity>).BlockedSendersAndDomains

About junk email settings in Outlook

To enable, disable, and configure the client-side Junk Email Filter settings that are
available in Outlook, use Group Policy. For more information, see Administrative
Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for
enterprise, Office 2019, and Office 2016 and How to deploy junk email settings, such
as the Safe Senders list, by using Group Policy .

When the Outlook Junk Email Filter is set to the default value No automatic filtering in
Home > Junk > Junk E-Mail Options > Options, Outlook doesn't attempt to classify
messages as spam, but still uses the safelist collection (the Safe Senders list, Safe
Recipients list, and Blocked Senders list) to move messages to the Junk Email folder after
delivery. For more information about these settings, see Overview of the Junk Email
Filter .

Note

In Microsoft 365 organizations, we recommend that you leave the Junk Email Filter
in Outlook set to No automatic filtering to prevent unnecessary conflicts (both
positive and negative) with the spam filtering verdicts from EOP.

When the Outlook Junk Email Filter is set to Low or High, the Outlook Junk Email Filter
uses its own SmartScreen filter technology to identify and move spam to the Junk Email
folder. This spam classification is separate from the spam confidence level (SCL) that's
determined by EOP. In fact, Outlook ignores the SCL from EOP (unless EOP marked the
message to skip spam filtering) and uses its own criteria to determine whether the
message is spam. Of course, it's possible that the spam verdict from EOP and Outlook
might be the same. For more information about these settings, see Change the level of
protection in the Junk Email Filter .

Note

In November 2016, Microsoft stopped producing spam definition updates for the
SmartScreen filters in Exchange and Outlook. The existing SmartScreen spam
definitions were left in place, but their effectiveness will likely degrade over time.
For more information, see Deprecating support for SmartScreen in Outlook and
Exchange.

So, the Outlook Junk Email Filter is able to use the mailbox's safelist collection and its
own spam classification to move messages to the Junk Email folder.

Outlook and Outlook on the web both support the safelist collection. The safelist
collection is saved in the Exchange Online mailbox, so changes to the safelist collection
in Outlook appear in Outlook on the web, and vice-versa.

Limits for junk email settings

The safelist collection (the Safe Senders list, Safe Recipients list, and Blocked Senders
list) that's stored in the user's mailbox is also synchronized to EOP. With directory
synchronization, the safelist collection is synchronized to Azure AD.

The safelist collection in the user's mailbox has a limit of 510 KB, which includes all
lists, plus additional junk email filter settings. If a user exceeds this limit, they will
receive an Outlook error that looks like this:

Cannot/Unable add to the server Junk E-mail lists. You are over the size
allowed on the server. The Junk E-mail filter on the server will be disabled until
your Junk E-mail lists have been reduced to the size allowed by the server.

For more information about this limit and how to change it, see KB2669081.

The synchronized safelist collection in EOP has the following synchronization limits:
1024 total entries in the Safe Senders list, the Safe Recipients list, and external
contacts if Trust email from my contacts is enabled.
500 total entries in the Blocked Senders list and Blocked Domains list.

When the 1024 entry limit is reached, the following things happen:

The list stops accepting entries in PowerShell and Outlook on the web, but no
error is displayed.

Outlook users can continue to add more than 1024 entries until they reach the
Outlook limit of 510 KB. Outlook can use these additional entries, as long as an
EOP filter doesn't block the message before delivery to the mailbox (mail flow
rules, anti-spoofing, etc.).

With directory synchronization, the entries are synchronized to Azure AD in the
following order:

1. Mail contacts if Trust email from my contacts is enabled.
2. The Safe Sender list and Safe Recipient list are combined, de-duplicated, and
sorted alphabetically whenever a change is made for the first 1024 entries.

The first 1024 entries are used, and relevant information is stamped in the message
headers.

Entries over 1024 that weren't synchronized to Azure AD are processed by Outlook
(not Outlook on the web), and no information is stamped in the message headers.
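An audit of these limits, as an added PowerShell example that is not from the article. Measure-SafelistSync is a hypothetical function name; it takes objects shaped like the output of Get-MailboxJunkEmailConfiguration (the TrustedSendersAndDomains, TrustedRecipientsAndDomains, BlockedSendersAndDomains and ContactsTrusted properties referred to earlier in this article), combines and de-duplicates the two safe lists the way the synchronization order above describes, and reports how many entries fall past the 1024 and 500 synchronization limits. The sample object is constructed so the logic runs without a tenant. External contacts are not enumerated; the example only surfaces whether Trust email from my contacts is on, since those contacts also consume the 1024.

```powershell
# Added example (not from the article). Report how close each mailbox's
# safelist collection is to the EOP synchronization limits given in the text.
# Entries past the limits stay usable in Outlook but are never synchronized,
# so they stop influencing EOP filtering without any error being shown.

$SafeSyncLimit    = 1024   # Safe Senders + Safe Recipients (+ trusted contacts), de-duplicated
$BlockedSyncLimit = 500    # Blocked Senders + Blocked Domains

function Measure-SafelistSync {
    param(
        # Objects shaped like Get-MailboxJunkEmailConfiguration output.
        [Parameter(Mandatory, ValueFromPipeline)]$Config,
        [int]$WarnAtPercent = 90
    )
    process {
        # Safe Senders and Safe Recipients are combined and de-duplicated before sync.
        $safe = @($Config.TrustedSendersAndDomains) + @($Config.TrustedRecipientsAndDomains) |
                Where-Object { $_ } |
                ForEach-Object { $_.ToString().ToLowerInvariant() } |
                Sort-Object -Unique
        $blocked = @($Config.BlockedSendersAndDomains) | Where-Object { $_ }

        $safeCount    = @($safe).Count
        $blockedCount = @($blocked).Count
        $warnSafe     = [math]::Floor($SafeSyncLimit    * $WarnAtPercent / 100)
        $warnBlocked  = [math]::Floor($BlockedSyncLimit * $WarnAtPercent / 100)

        [pscustomobject]@{
            Mailbox          = $Config.Identity
            SafeEntries      = $safeCount
            SafeNotSynced    = [math]::Max(0, $safeCount - $SafeSyncLimit)
            BlockedEntries   = $blockedCount
            BlockedNotSynced = [math]::Max(0, $blockedCount - $BlockedSyncLimit)
            ContactsTrusted  = [bool]$Config.ContactsTrusted   # contacts are synced first and also count
            Warning          = ($safeCount -ge $warnSafe) -or ($blockedCount -ge $warnBlocked)
        }
    }
}

# Constructed sample object so the logic can be exercised without a tenant.
# 50 of the Safe Recipients duplicate Safe Senders and are removed by the de-duplication.
$sample = [pscustomobject]@{
    Identity                    = 'Ori Epstein'
    TrustedSendersAndDomains    = 1..1100 | ForEach-Object { "sender$_@fabrikam.com" }
    TrustedRecipientsAndDomains = 1..50   | ForEach-Object { "sender$_@fabrikam.com" }
    BlockedSendersAndDomains    = 1..120  | ForEach-Object { "spam$_@example.net" }
    ContactsTrusted             = $true
}
$sample | Measure-SafelistSync
```

Against a tenant the same function takes live objects: Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Get-MailboxJunkEmailConfiguration | Measure-SafelistSync | Where-Object Warning. The count is the only signal an admin gets, because the article states that once 1024 entries are reached the list stops accepting entries in PowerShell and Outlook on the web without displaying an error.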

As you can see, enabling the Trust email from my contacts setting reduces the number
of Safe Senders and Safe Recipients that can be synchronized. If this is a concern, then
we recommend using Group Policy to turn this feature off:

File name: outlk16.opax
Policy setting: Trust e-mail from contacts
Anti-spam protection FAQ
FAQ

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This topic provides frequently asked questions and answers about anti-spam protection
for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.

For questions and answers about the quarantine, see Quarantine FAQ.

For questions and answers about anti-malware protection, see Anti-malware protection
FAQ.

For questions and answers about anti-spoofing protection, see Anti-spoofing protection
FAQ.

By default, what happens to a spam-detected message?

For inbound messages: The majority of spam is deleted via connection filtering, which is
based on the IP address of the source email server. Anti-spam policies (also known as
spam filter policies or content filter policies) inspect and classify messages as spam,
bulk, or phishing. By default, messages that are classified as spam or bulk are delivered
to the recipient's Junk Email folder, while messages classified as phishing are
quarantined. You can modify the default anti-spam policy (applies to all recipients), or
you can create custom anti-spam policies with stricter settings for specific groups of
users (for example, you can quarantine spam that's sent to executives). For more
information, see Configure anti-spam policies and Recommended anti-spam policy
settings.

Important

In hybrid deployments where EOP protects on-premises Exchange mailboxes, you
need to configure two Exchange mail flow rules (also known as transport rules) in
your on-premises Exchange organization to detect the EOP spam filtering headers
that are added to messages. For details, see Configure EOP to deliver spam to the
Junk Email folder in hybrid environments.

For outbound messages: The message is either routed through the high-risk delivery
pool or is returned to the sender in a non-delivery report (also known as an NDR or
bounce message). For more information about outbound spam protection, see
Outbound spam controls.

What's a zero-day spam variant and how is it handled by the service?

A zero-day spam variant is a first generation, previously unknown variant of spam that's
never been captured or analyzed, so our anti-spam filters don't yet have any information
available for detecting it. After a zero-day spam sample is captured and analyzed by our
spam analysts, if it meets the spam classification criteria, our anti-spam filters are
updated to detect it, and it's no longer considered "zero-day."

Note

If you receive a message that may be a zero-day spam variant, in order to help us
improve the service, please submit the message to Microsoft using one of the
methods described in Report messages and files to Microsoft.

Do I need to configure the service to provide anti-spam protection?

After you sign up for the service and add your domain, spam filtering is automatically
enabled. By default, spam filtering is tuned to protect you without needing any
additional configuration (aside from the previously noted exception for standalone EOP
customers in hybrid environments). As an admin, you can edit the default
spam filtering settings to best meet the needs of your organization. For greater
granularity, you can also create anti-spam policies and outbound anti-spam policies that
are applied to specified users, groups, or domains in your organization. Custom policies
always take precedence over the default policy, but you can change the priority (that is,
the running order) of your custom policies.

For more information, see the following topics:

Recommended settings for EOP and Microsoft Defender for Office 365 security

Configure connection filtering in EOP

Configure anti-spam policies in EOP

Configure the outbound spam policy

If I make a change to an anti-spam policy, how long does it take after I save
my changes for them to take effect?

It may take up to 1 hour for the changes to take effect.

Is bulk email filtering automatically enabled?

Yes. For more information about bulk email, see What's the difference between junk
email and bulk email?

Does the service provide URL filtering?

Yes, the service has a URL filter that checks for URLs within messages. If URLs associated
with known spam or malicious content are detected then the message is marked as
spam.

How can customers using the service send false negative (spam) and false
positive (non-spam) messages to Microsoft?

Spam and non-spam messages can be submitted to Microsoft for analysis in several
ways. For more information, see Report messages and files to Microsoft.

Can I get spam reports?

Yes, for example you can get a spam detection report in the Microsoft 365 admin center.
This report shows spam volume as a count of unique messages. For more information
about reporting, see the following links:

Exchange Online customers: Monitoring, Reporting, and Message Tracing in Exchange
Online

Standalone EOP customers: Reporting and message trace in Exchange Online Protection

Someone sent me a message and I can't find it. I suspect that it may have been
detected as spam. Is there a tool that I can use to find out?

Yes, the message trace tool enables you to follow email messages as they pass through
the service, in order to find out what happened to them. For more information about
how to use the message trace tool to find out why a message was marked as spam, see
Was a message marked as spam?

Will the service throttle (rate limit) my mail if my users send outbound spam?

If more than half of the mail that is sent from a user through the service within a certain
time frame (for example, per hour) is determined to be spam by EOP, the user will be
blocked from sending messages. In most cases, if an outbound message is determined
to be spam, it is routed through the high-risk delivery pool, which reduces the
probability of the normal outbound-IP pool being added to a block list.

You can send a notification to a specified email address when a sender is blocked for
sending outbound spam. For more information about this setting, see Configure the
outbound spam policy.

Can I use a third-party anti-spam and anti-malware provider in conjunction
with Exchange Online?

Yes. Although we recommend that you point your MX record to Microsoft, we realize
that there are legitimate business reasons to route your email to somewhere other than
Microsoft first.

Inbound: Change your MX records to point to the third-party provider, and then
redirect the messages to EOP for additional processing. For more information, see
Enhanced Filtering for connectors in Exchange Online.

Outbound: Configure smart host routing from Microsoft 365 to the destination
third-party provider.

Does Microsoft have any documentation about how I can protect
myself from phishing scams?

Yes. For more information, see Protect your privacy on the internet.

Are spam and malware messages being investigated as to who sent them, or
being transferred to law enforcement entities?

The service focuses on spam and malware detection and removal, though we may
occasionally investigate especially dangerous or damaging spam or attack campaigns
and pursue the perpetrators. This may involve working with our legal and digital crime
units to take down a spammer botnet, blocking the spammer from using the service (if
they're using it for sending outbound email), and passing the information on to law
enforcement for criminal prosecution.

What are a set of best outbound mailing practices that will ensure that
my mail is delivered?

The guidelines presented below are best practices for sending outbound email
messages.

The source email domain should resolve in DNS.

For example, if the sender is user@fabrikam, the domain fabrikam resolves to the
IP address 192.0.43.10.

If a sending domain has no A-record and no MX record in DNS, the service will
route the message through its higher risk delivery pool regardless of whether or
not the content of the message is spam. For more information about the higher
risk delivery pool, see High-risk delivery pool for outbound messages.

Outbound email server should have a reverse DNS (PTR) entry.

For example, if the email source IP address is 192.0.43.10, the reverse DNS entry
would be 43-10.any.icann.org.

The HELO/EHLO and MAIL FROM commands should be consistent and be
present in the form of a domain name rather than an IP address.


The HELO/EHLO command should be configured to match the reverse DNS of the
sending IP address so that the domain remains the same across the various parts
of the message headers.

Ensure that proper SPF records are set up in DNS.

SPF records are a mechanism for validating that mail sent from a domain really is
coming from that domain and is not spoofed. For more information about SPF
records, see the following links:

Set up SPF to help prevent spoofing

Domains FAQ

When signing email with DKIM, sign with relaxed canonicalization.

If a sender wants to sign their messages using Domain Keys Identified Mail (DKIM)
and they want to send outbound mail through the service, they should sign using
the relaxed header canonicalization algorithm. Signing with strict header
canonicalization may invalidate the signature when it passes through the service.
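Why relaxed header canonicalization survives a relay and strict (simple) canonicalization does not, as an added PowerShell example that is not from the article. It implements the relaxed header canonicalization steps of RFC 6376 section 3.4.2 (lowercase the field name, unfold continuation lines, collapse runs of whitespace to one space, strip whitespace around the colon and at the end) and compares a header as signed with the same header after a relay has re-folded it and changed its case. The two header strings are constructed for the example; only the header canonicalization step is shown, not body canonicalization or the signature itself. The function names are hypothetical.

```powershell
# Added example (not from the article). Relaxed vs simple DKIM header
# canonicalization (RFC 6376, section 3.4.2) on constructed header samples.

function ConvertTo-DkimRelaxedHeader {
    param([Parameter(Mandatory)][string]$HeaderField)   # one raw header field, possibly folded
    $idx = $HeaderField.IndexOf(':')
    if ($idx -lt 0) { throw "Not a header field: $HeaderField" }
    $name  = $HeaderField.Substring(0, $idx).Trim().ToLowerInvariant()  # field names are case-insensitive
    $value = $HeaderField.Substring($idx + 1)
    $value = $value -replace "`r?`n", ''        # unfold continuation lines
    $value = $value -replace '[ \t]+', ' '      # collapse each run of WSP to a single SP
    $value = $value.Trim(' ', "`t")             # drop WSP after the colon and at the end of the value
    return "${name}:${value}"
}

function ConvertTo-DkimSimpleHeader {
    param([Parameter(Mandatory)][string]$HeaderField)
    # Simple canonicalization hashes the header exactly as written, byte for byte.
    return $HeaderField
}

function Test-DkimHeaderSurvives {
    param([Parameter(Mandatory)][string]$Signed, [Parameter(Mandatory)][string]$Received)
    # Case-sensitive comparison, since the signature covers the exact canonical bytes.
    [pscustomobject]@{
        Simple  = (ConvertTo-DkimSimpleHeader  $Signed) -ceq (ConvertTo-DkimSimpleHeader  $Received)
        Relaxed = (ConvertTo-DkimRelaxedHeader $Signed) -ceq (ConvertTo-DkimRelaxedHeader $Received)
    }
}

# Constructed: the header as the sender signed it, and as a relay re-emitted it
# (lowercased name, re-folded onto two lines, a tab and a doubled space added).
$asSigned   = "Subject: New updated catalog for the Christmas season!"
$asReceived = "subject:`tNew updated catalog`r`n`tfor the  Christmas season!  "

Test-DkimHeaderSurvives -Signed $asSigned -Received $asReceived
```

Simple comes back False and Relaxed comes back True for this pair: under simple canonicalization any one of those cosmetic changes invalidates the signature, which is the failure the text above warns about when mail transits the service.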

Domain owners should have accurate information in the WHOIS database.

This identifies the owners of the domain and how to contact them by entering the
stable parent company, point of contact, and name servers.

For bulk mailers, the From: name should reflect who is sending the message,
while the subject line of the message should be a brief summary on what the
message is about.

The message body should have a clear indication of the offering, service, or
product. For example, if a sender is sending out a bulk mailing for the Contoso
company, the following is what the email From and Subject should resemble:

From: marketing@contoso.com

Subject: New updated catalog for the Christmas season!

The following is an example of what not to do because it is not descriptive:

From: user@hotmail.com

Subject: Catalogs

If sending a bulk mailing to many recipients and the message is in newsletter
format, there should be a way of unsubscribing at the bottom of the message.


The unsubscribe option should resemble the following:

This message was sent to example@contoso.com by sender@fabrikam.com.
Update Profile/Email Address | Instant removal with SafeUnsubscribe™ |
Privacy Policy

If sending bulk email, list acquisition should be performed using double opt-in.
If you are a bulk mailer, double opt-in is an industry best practice.

Double opt-in is the practice of requiring a user to take two actions to sign up for
marketing mail:

1. Once when the user clicks on a previously unchecked check box where they
opt-in to receive further offers or email messages from the marketer.
2. A second time when the marketer sends a confirmation email to the user's
provided email address asking them to click on a time-sensitive link that will
complete their confirmation.

Using double opt-in builds a good reputation for bulk email senders.

Bulk senders should create transparent content for which they can be held
accountable:

1. Verbiage requesting that recipients add the sender to the address book
should clearly state that such action is not a guarantee of delivery.

2. When constructing redirects in the body of the message, use a consistent link
style.

3. Don't send large images or attachments, or messages that are solely
composed of an image.

4. When employing tracking pixels (web bugs or beacons), clearly state their
presence in your public privacy or P3P settings.

Format outbound bounce messages.

When generating delivery status notification messages (also known as non-delivery
reports, NDRs, or bounce messages), senders should follow the format of
a bounce as specified in RFC 3464.

Remove bounced email addresses for non-existent users.

If you receive an NDR indicating that an email address is no longer in use, remove
the non-existent email alias from your list. Email addresses change over time, and
people sometimes discard them.

Use Hotmail's Smart Network Data Services (SNDS) program.

Hotmail uses a program called Smart Network Data Services that allows senders to
check complaints submitted by end users. The SNDS is the primary portal for
troubleshooting delivery problems to Hotmail.
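A check for the DNS-related items in the list above (the sender domain resolves via an A or MX record, the source IP has a PTR record, the HELO/EHLO name matches that PTR, and the domain publishes exactly one SPF record), as an added PowerShell example that is not from the article. Test-OutboundSenderDns is a hypothetical function name; it uses the Windows DnsClient cmdlet Resolve-DnsName and needs network access. The domain, IP address and host name passed at the end are the article's own illustrative values (fabrikam, 192.0.43.10, 43-10.any.icann.org) and are placeholders, not a real sending host to evaluate.

```powershell
# Added example (not from the article). Verify the DNS prerequisites for an
# outbound sending host. Uses Resolve-DnsName (Windows DnsClient module) and
# needs network access; the values at the bottom are placeholders.

function Test-OutboundSenderDns {
    param(
        [Parameter(Mandatory)][string]$Domain,     # domain used in MAIL FROM / From
        [Parameter(Mandatory)][string]$SourceIp,   # sending server's public IP
        [Parameter(Mandatory)][string]$HeloName    # name the server announces in HELO/EHLO
    )
    $lookup = { param($n, $t) Resolve-DnsName -Name $n -Type $t -ErrorAction SilentlyContinue }

    $a   = & $lookup $Domain   'A'
    $mx  = & $lookup $Domain   'MX'
    $ptr = & $lookup $SourceIp 'PTR'    # Resolve-DnsName builds the in-addr.arpa name from the IP
    $txt = & $lookup $Domain   'TXT'

    $ptrNames = @($ptr | Where-Object Type -eq 'PTR' | ForEach-Object { $_.NameHost.TrimEnd('.') })
    $spf      = @($txt | Where-Object Type -eq 'TXT' |
                 ForEach-Object { $_.Strings -join '' } |      # a long TXT record is split into strings
                 Where-Object { $_ -match '^v=spf1(\s|$)' })

    [pscustomobject]@{
        Domain         = $Domain
        DomainResolves = [bool]($a | Where-Object Type -eq 'A') -or [bool]($mx | Where-Object Type -eq 'MX')
        PtrRecords     = $ptrNames -join ', '
        HeloMatchesPtr = $ptrNames -contains $HeloName.TrimEnd('.')
        SpfRecordCount = $spf.Count          # exactly one is correct; zero or several is a problem
        SpfRecord      = $spf -join ' | '
    }
}

# Placeholders taken from the article's illustrations; replace with your sending host's values.
Test-OutboundSenderDns -Domain 'fabrikam.com' -SourceIp '192.0.43.10' -HeloName '43-10.any.icann.org'
```

DomainResolves set to False corresponds to the case the text describes where mail is routed through the higher risk delivery pool regardless of content; HeloMatchesPtr False is the HELO/reverse-DNS mismatch the next item warns about.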

How do I turn off spam filtering?

If you use a third-party protection service or device to scan email before it's delivered to
Microsoft 365, you can use a mail flow rule (also known as a transport rule) to bypass
most spam filtering for incoming messages. For instructions, see Use mail flow rules to
set the spam confidence level (SCL) in messages.

If you use a mail flow rule to bypass spam filtering, high confidence phishing messages
are still filtered. Other features in EOP are not affected (for example, messages are
always scanned for malware).

If you use a third-party protection service or device to scan email before it's delivered to
Microsoft 365, you should also enable Enhanced Filtering for Connectors (also known as
skip listing) so detection, reporting, and investigation features in Microsoft 365 are able
to correctly identify message sources. For more information, see Enhanced Filtering for
Connectors.

If you need to bypass spam filtering for SecOps mailboxes or phishing simulations, don't
use mail flow rules. For more information, see Configure the delivery of third-party
phishing simulations to users and unfiltered messages to SecOps mailboxes.
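The bypass rule described above, scoped the way a defender would want it, as an added PowerShell example that is not from the article: the rule sets SCL -1 only for mail arriving from the third-party gateway's published IP ranges rather than for all inbound mail, is created only if it does not already exist, and is read back so the scope can be confirmed. New-TransportRule and Get-TransportRule are Exchange Online cmdlets; the rule name and the two IP ranges are placeholders for your provider's values, and a connected Exchange Online PowerShell session is assumed. As the text states, high confidence phishing and malware filtering still apply to messages matched by the rule.

```powershell
# Added example (not from the article). Bypass spam filtering (SCL -1) only
# for mail from the third-party gateway's IP ranges. Assumes a connected
# Exchange Online PowerShell session; ranges and name are placeholders.

$ProviderIpRanges = @('192.0.2.0/24', '198.51.100.0/24')   # placeholder: your provider's published egress ranges
$RuleName         = 'Bypass spam filtering - third-party gateway'

if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    # -SenderIpRanges is the condition that keeps the bypass from applying to all inbound mail.
    New-TransportRule -Name $RuleName `
        -SenderIpRanges $ProviderIpRanges `
        -SetSCL -1 `
        -Comments 'Scoped to the third-party gateway IPs; review when the provider changes ranges.'
}

# Verify the rule is still conditioned on the IP list and not an unconditioned SCL -1 rule.
Get-TransportRule -Identity $RuleName |
    Select-Object Name, State, Priority, SenderIpRanges, SetSCL
```

An SCL -1 rule with an empty SenderIpRanges (or any other missing condition) applies to every inbound message, which turns a gateway integration into a tenant-wide spam filtering bypass; the read-back at the end is there to catch that during change review.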
Mail flow rules (transport rules) in Exchange Online
Article • 09/09/2022

Important

Effective from December 2022, the classic Exchange Admin Center will be
deprecated for worldwide customers. Microsoft recommends using the new
Exchange Admin Center, if not already doing so.

While most of the features have been migrated to the new EAC, some have been
migrated to other admin centers and the remaining ones will soon be migrated to the new
EAC. Find features that are not yet there in the new EAC at Other Features or use
Global Search, which will help you navigate across the new EAC.

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can use mail flow rules (also
known as transport rules) to identify and take action on messages that flow through
your organization.

Note

System-generated messages such as non-delivery reports (NDRs) do not get
processed by your organization's mail flow rules (or transport rules).

Mail flow rules are similar to the Inbox rules that are available in Outlook and Outlook
on the web (formerly known as Outlook Web App). The main difference is mail flow rules
take action on messages while they're in transit, not after the message is delivered to
the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions,
which provides you with the flexibility to implement many types of messaging policies.

This article explains the components of mail flow rules, and how they work.

For steps to create, copy, and manage mail flow rules, see Manage mail flow rules. For
each rule, you have the option of enforcing it, testing it, or testing it and notifying the
sender. To learn more about the testing options, see Test mail flow rules in Exchange
Online and Policy Tips (policy tips aren't available in standalone EOP).

For summary and detail reports about messages that matched mail flow rules, see Use
mail protection reports to view data about malware, spam, and rule detections.
To implement specific messaging policies by using mail flow rules, see Mail flow rule
procedures in Exchange Online.

Mail flow rule components

A mail flow rule is made of conditions, exceptions, actions, and properties:

- Conditions: Identify the messages that you want to apply the actions to. Some
  conditions examine message header fields (for example, the To, From, or Cc fields).
  Other conditions examine message properties (for example, the message subject,
  body, attachments, message size, or message classification). Most conditions
  require you to specify a comparison operator (for example, equals, doesn't equal,
  or contains) and a value to match. If there are no conditions or exceptions, the rule
  is applied to all messages.
  For more information about mail flow rule conditions in Exchange Online, see Mail
  flow rule conditions and exceptions (predicates) in Exchange Online.

- Exceptions: Optionally identify the messages that the actions shouldn't apply to.
  The same message identifiers that are available in conditions are also available in
  exceptions. Exceptions override conditions and prevent the rule actions from being
  applied to a message, even if the message matches all of the configured
  conditions.

- Actions: Specify what to do to messages that match the conditions in the rule, and
  don't match any of the exceptions. There are many actions available, such as
  rejecting, deleting, or redirecting messages, adding additional recipients, adding
  prefixes in the message subject, or inserting disclaimers in the message body.
  For more information about mail flow rule actions that are available in Exchange
  Online, see Mail flow rule actions in Exchange Online.

- Properties: Specify other rule settings that aren't conditions, exceptions or
  actions. For example, when the rule should be applied, whether to enforce or test
  the rule, and the time period when the rule is active.
  For more information, see the Mail flow rule properties section in this article.

Multiple conditions, exceptions, and actions

The following table shows how multiple conditions, condition values, exceptions, and
actions are handled in a rule.

| Component | Logic | Comments |
|---|---|---|
| Multiple conditions | AND | A message must match all the conditions in the rule. If you need to match one condition or another, use separate rules for each condition. For example, if you want to add the same disclaimer to messages with attachments and messages that contain specific text, create one rule for each condition. In the EAC, you can easily copy a rule. |
| One condition with multiple values | OR | Some conditions allow you to specify more than one value. The message must match any one (not all) of the specified values. For example, if an email message has the subject Stock price information, and the The subject includes any of these words condition is configured to match the words Contoso or stock, the condition is satisfied because the subject contains at least one of the specified values. |
| Multiple exceptions | OR | If a message matches any one of the exceptions, the actions are not applied to the message. The message doesn't have to match all the exceptions. |
| Multiple actions | AND | Messages that match a rule's conditions get all the actions that are specified in the rule. For example, if the actions Prepend the subject of the message with and Add recipients to the Bcc box are selected, both actions are applied to the message. Keep in mind that some actions (for example, the Delete the message without notifying anyone action) prevent subsequent rules from being applied to a message. Other actions (for example, the Forward the message) don't allow additional actions. You can also set an action on a rule so that when that rule is applied, subsequent rules are not applied to the message. |

Mail flow rule properties

The following table describes the rule properties that are available in mail flow rules.

| Property name in the EAC | Parameter name in PowerShell | Description |
|---|---|---|
| Priority | Priority | Indicates the order that the rules are applied to messages. The default priority is based on when the rule is created (older rules have a higher priority than newer rules, and higher priority rules are processed before lower priority rules). You change the rule priority in the EAC by moving the rule up or down in the list of rules. In PowerShell, you set the priority number (0 is the highest priority). For example, if you have one rule to reject messages that include a credit card number, and another one requiring approval, you'll want the reject rule to happen first, and stop applying other rules. For more information, see Set the priority of a mail flow rule. |
| Audit this rule with severity level | SetAuditSeverity | Sets the severity level of the incident report and the corresponding entry that's written to the message tracking log when messages violate DLP policies. Valid values are DoNotAudit, Low, Medium, and High. |
| Mode | Mode | You can specify whether you want the rule to start processing messages immediately, or whether you want to test rules without affecting the delivery of the message (with or without Data Loss Prevention or DLP Policy Tips). Policy Tips present a brief note in Outlook or Outlook on the web that provides information about possible policy violations to the person that's creating the message. For more information, see Policy Tips. For more information about the modes, see Test mail flow rules in Exchange Online. |
| Activate this rule on the following date / Deactivate this rule on the following date | ActivationDate / ExpiryDate | Specifies the date range when the rule is active. |
| On check box selected or not selected | New rules: Enabled parameter on the New-TransportRule cmdlet. Existing rules: Use the Enable-TransportRule or Disable-TransportRule cmdlets. The value is displayed in the State property of the rule. | You can create a disabled rule, and enable it when you're ready to test it. Or, you can disable a rule without deleting it to preserve the settings. |
| Defer the message if rule processing doesn't complete | RuleErrorAction | You can specify how the message should be handled if the rule processing can't be completed. By default, the rule will be ignored, but you can choose to resubmit the message for processing. |
| Match sender address in message | SenderAddressLocation | If the rule uses conditions or exceptions that examine the sender's email address, you can look for the value in the message header, the message envelope, or both. |
| Stop processing more rules | StopRuleProcessing | This is an action for the rule, but it looks like a property in the EAC. You can choose to stop applying additional rules to a message after a rule processes a message. |
| Comments | Comments | You can enter descriptive comments about the rule. |
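The components, the AND/OR logic and the properties described above come together in the credit-card scenario the Priority row mentions. The following is an added example (not code from the article or from Microsoft) written for Exchange Online PowerShell; the Contoso mailbox and group addresses, rule names and comment text are placeholders, and the session is assumed to be already connected.

```powershell
# Added example, not from the article. Assumes an Exchange Online PowerShell
# session (Connect-ExchangeOnline) and the placeholder Contoso addresses below.
# Scenario from the Priority row: a rule that rejects credit card numbers must
# run before a broader approval rule and stop further rule processing.

# Rule 1. Conditions are ANDed: external recipient AND a credit card number.
# The exception wins over both conditions for the approved finance group.
# Actions are ANDed too: reject the message AND write a High-severity audit entry.
New-TransportRule -Name "Block credit card numbers sent externally" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; minCount = "1" } `
    -ExceptIfFromMemberOf "finance-approved@contoso.com" `
    -RejectMessageReasonText "Credit card numbers must not leave the organization." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -SetAuditSeverity High `
    -StopRuleProcessing $true `
    -Priority 0 `
    -Mode Enforce `
    -SenderAddressLocation HeaderOrEnvelope `
    -RuleErrorAction Defer `
    -Comments "SecOps: reject rule; keep at priority 0 (placeholder change record)."

# Rule 2. One condition with several values is ORed: any one word matches.
# Created disabled and in Audit mode so it can be observed in reports first.
New-TransportRule -Name "Hold external messages marked confidential for approval" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "confidential", "internal only", "restricted" `
    -ModerateMessageByUser "compliance-approver@contoso.com" `
    -Priority 1 `
    -Mode Audit `
    -Enabled $false `
    -ActivationDate (Get-Date) `
    -ExpiryDate (Get-Date).AddMonths(6) `
    -Comments "SecOps: pilot; review message trace before enforcing (placeholder)."

# Enable the pilot rule when ready, then switch it to Enforce once tested.
Enable-TransportRule -Identity "Hold external messages marked confidential for approval"
Set-TransportRule -Identity "Hold external messages marked confidential for approval" -Mode Enforce

# Verify the evaluation order: rules run from priority 0 upwards, and rule 1's
# StopRuleProcessing means a message it rejects never reaches rule 2.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, Mode, StopRuleProcessing -AutoSize
```

The final Get-TransportRule listing is the check worth keeping: State shows whether the pilot rule is enabled, and the Priority order confirms that the reject rule sits above the approval rule.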

How mail flow rules are applied to messages


All messages (except NDRs) that flow through your organization are evaluated against
the enabled mail flow rules in your organization. Rules are processed in the order listed
on the Mail flow > Rules page in the EAC, or based on the corresponding Priority parameter
value in PowerShell.

Each rule also offers the option of stopping processing more rules when the rule is
matched. This setting is important for messages that match the conditions in multiple
mail flow rules (which rule do you want applied to the message? All? Just one?).
Differences in processing based on message type

There are several types of messages that pass through an organization. The following
table shows which message types can be processed by mail flow rules.

| Type of message | Can a rule be applied? |
|---|---|
| Regular messages: Messages that contain a single rich text format (RTF), HTML, or plain text message body or a multipart or alternative set of message bodies. | Yes |
| Message Encryption: Messages encrypted by Message Encryption in Microsoft 365 or Office 365. For more information, see Encryption. | Rules can always access envelope headers and process messages based on conditions that inspect those headers. For a rule to inspect or modify the contents of an encrypted message, you need to verify that transport decryption is enabled (Mandatory or Optional; the default is Optional). For more information, see Enable or disable transport decryption. You can also create a rule that automatically decrypts encrypted messages. For more information, see Define rules to encrypt email messages. |
| S/MIME encrypted messages | Rules can only access envelope headers and process messages based on conditions that inspect those headers. Rules with conditions that require inspection of the message's content, or actions that modify the message's content, can't be processed. |
| RMS protected messages: Messages that had an Active Directory Rights Management Services (AD RMS) or Azure Rights Management (RMS) policy applied. | Rules can always access envelope headers and process messages based on conditions that inspect those headers. For a rule to inspect or modify the contents of an RMS protected message, you need to verify that transport decryption is enabled (Mandatory or Optional; the default is Optional). For more information, see Enable or disable transport decryption. |
| Clear-signed messages: Messages that have been signed but not encrypted. | Yes |
| Anonymous messages: Messages sent by anonymous senders. | Yes |
| Read reports: Reports that are generated in response to read receipt requests by senders. Read reports have a message class of IPM.Note*.MdnRead or IPM.Note*.MdnNotRead. | Yes |

What else should I know?

- The Version or RuleVersion property value for a rule isn't important in Exchange
  Online.
- After you create or modify a mail flow rule, it can take up to 30 minutes for the
  new or updated rule to be applied to messages.
- You can create a transport rule to bypass EOP and allow mail to flow without delay
  from internal senders such as scanners, faxes, and other trusted sources that send
  attachments that are known to be safe. Do not bypass filtering for all internal
  messages; in this situation, a compromised account could send malicious content.
- History and changes to mail flow rules are not maintained, so you can't revert mail
  flow rules back to previous states.
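Both the opening paragraphs (bypassing spam filtering for a third-party gateway, plus Enhanced Filtering for Connectors) and the bullet above about trusted internal scanners describe the same SCL-bypass rule; what matters for a defender is how narrowly it is scoped. The following is an added example, not code from the article or from Microsoft, for Exchange Online PowerShell. The device address, IP addresses, connector name and comment text are placeholders; the Set-InboundConnector call uses the cmdlet's EFSkipLastIP parameter, which the article only refers to indirectly through its Enhanced Filtering link.

```powershell
# Added example, not from the article. Assumes an Exchange Online PowerShell
# session; device address, IP addresses and connector name are placeholders.

# 1. Trusted internal device (scanner or fax). Conditions are ANDed, so the
#    bypass applies only when BOTH the sender address and the source IP match,
#    which limits what a spoofed From address or a compromised account can do.
#    SetSCL -1 bypasses spam filtering; malware scanning and high confidence
#    phishing filtering still apply, as the article notes.
New-TransportRule -Name "Bypass spam filtering: lobby scanner" `
    -From "mfp-scanner@contoso.com" `
    -SenderIpRanges "203.0.113.10" `
    -SenderAddressLocation HeaderOrEnvelope `
    -SetSCL -1 `
    -Priority 0 `
    -Comments "Scanner sends PDF only. Do not widen to all internal senders."

# 2. Third-party gateway in front of Microsoft 365: scope the bypass to the
#    gateway's outbound IP range rather than to every inbound message.
New-TransportRule -Name "Bypass spam filtering: upstream mail gateway" `
    -SenderIpRanges "198.51.100.0/28" `
    -SetSCL -1 `
    -Priority 1 `
    -Comments "Gateway filters spam; EOP malware and high confidence phish still apply."

# 3. Enhanced Filtering for Connectors (skip listing): tell EOP to skip the
#    gateway hop so detections and reports attribute mail to its true source.
Set-InboundConnector -Identity "Inbound from gateway" -EFSkipLastIP $true

# Check: every SCL bypass rule should carry an IP scope, never just a From address.
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } |
    Format-Table Name, State, From, SenderIpRanges -AutoSize
```

The closing check is the review a SecOps team should run periodically: an SCL bypass keyed only on a sender address is exactly the gap the article's warning about compromised accounts describes.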

For more information


Manage mail flow rules

Mail flow rule procedures in Exchange Online

Journal, transport, and inbox rule limits


Mail flow rule conditions and exceptions (predicates) in Exchange Online
Article • 12/14/2022 • 26 minutes to read

Conditions and exceptions in mail flow rules (also known as transport rules) identify the messages that the
rule is applied to or not applied to. For example, if the rule adds a disclaimer to messages, you can configure
the rule to only apply to messages that contain specific words, messages sent by specific users, or to all
messages except those sent by the members of a specific distribution group. Collectively, the conditions and
exceptions in mail flow rules are also known as predicates, because for every condition, there's a
corresponding exception that uses the exact same settings and syntax. The only difference is conditions
specify messages to include, while exceptions specify messages to exclude.

Most conditions and exceptions have one property that requires one or more values. For example, the The
sender is condition requires the sender of the message. Some conditions have two properties. For example,
the A message header includes any of these words condition requires one property to specify the message
header field, and a second property to specify the text to look for in the header field. Some conditions or
exceptions don't have any properties. For example, the Any attachment has executable content condition
simply looks for attachments in messages that have executable content.

For more information about mail flow rules in Exchange Online, including how multiple
conditions/exceptions or multi-valued conditions/exceptions are handled, see Mail flow rules (transport
rules) in Exchange Online.

Conditions and exceptions for mail flow rules in Exchange Online

The tables in the following sections describe the conditions and exceptions that are available in mail flow
rules in Exchange Online. The property types are described in the Property types section.

Senders

Recipients

Message subject or body

Attachments

Any recipients

Message sensitive information types, To and Cc values, size, and character sets

Sender and recipient

Message properties

Message headers

Notes:

- After you select a condition or exception in the Exchange admin center (EAC), the value that's ultimately
  shown in the Apply this rule if or Except if field is often different (shorter) than the click path value you
  selected. Also, when you create new rules based on a template (a filtered list of scenarios), you can
  often select a short condition name instead of following the complete click path. The short names and
  full click path values are shown in the EAC column in the tables.

- If you select [Apply to all messages] in the EAC, you can't specify any other conditions. The equivalent
  in PowerShell is to create a rule without specifying any condition parameters.

- The settings and properties are the same in conditions and exceptions, so the output of the
  Get-TransportRulePredicate cmdlet doesn't list exceptions separately. Also, the names of some of the
  predicates that are returned by this cmdlet are different than the corresponding parameter names, and
  a predicate might require multiple parameters.

Senders

For conditions and exceptions that examine the sender's address, you can specify where the rule looks for the
sender's address.

In the EAC, in the Properties of this rule section, click Match sender address in message. Note that you
might need to click More options to see this setting. In PowerShell, the parameter is SenderAddressLocation.
The available values are:

- Header: Only examine senders in the message headers (for example, the From, Sender, or Reply-To
  fields). This is the default value.

- Envelope: Only examine senders from the message envelope (the MAIL FROM value that was used in
  the SMTP transmission, which is typically stored in the Return-Path field). Note that message envelope
  searching is only available for the following conditions (and the corresponding exceptions):
  - The sender is (From)
  - The sender is a member of (FromMemberOf)
  - The sender address includes (FromAddressContainsWords)
  - The sender address matches (FromAddressMatchesPatterns)
  - The sender's domain is (SenderDomainIs)

- Header or envelope (HeaderOrEnvelope): Examine senders in the message header and the message
  envelope.

| Condition or exception in the EAC | Condition and exception parameters in Exchange Online PowerShell | Property type | Description |
|---|---|---|---|
| The sender is / The sender > is this person | From / ExceptIfFrom | Addresses | Messages that are sent by the specified mailboxes, mail users, mail contacts, or Microsoft 365 groups in the organization. For more information about using Microsoft 365 groups with this condition, see the Addresses entry in the Property types section. |
| The sender is located / The sender > is external/internal | FromScope / ExceptIfFromScope | UserScopeFrom | Messages that are sent by either internal senders or external senders. |
| The sender is a member of / The sender > is a member of this group | FromMemberOf / ExceptIfFromMemberOf | Addresses | Messages that are sent by a member of the specified distribution group, mail-enabled security group, or Microsoft 365 group. For more information about using Microsoft 365 groups with this condition, see the Addresses entry in the Property types section. |
| The sender address includes / The sender > address includes any of these words | FromAddressContainsWords / ExceptIfFromAddressContainsWords | Words | Messages that contain the specified words in the sender's email address. |
| The sender address matches / The sender > address matches any of these text patterns | FromAddressMatchesPatterns / ExceptIfFromAddressMatchesPatterns | Patterns | Messages where the sender's email address contains text patterns that match the specified regular expressions. |
| The sender is on a recipient's list / The sender > is on a recipient's supervision list | SenderInRecipientList / ExceptIfSenderInRecipientList | SupervisionList | Messages where the sender is on the recipient's Allow list or Block list. |
| The sender's specified properties include any of these words / The sender > has specific properties including any of these words | SenderADAttributeContainsWords / ExceptIfSenderADAttributeContainsWords | First property: ADAttribute; Second property: Words | Messages where the specified Active Directory attribute of the sender contains any of the specified words. Note that the Country attribute requires the two-letter country code value (for example, DE for Germany). |
| The sender's specified properties match these text patterns / The sender > has specific properties matching these text patterns | SenderADAttributeMatchesPatterns / ExceptIfSenderADAttributeMatchesPatterns | First property: ADAttribute; Second property: Patterns | Messages where the specified Active Directory attribute of the sender contains text patterns that match the specified regular expressions. |
| The sender has overridden the Policy Tip / The sender > has overridden the Policy Tip | HasSenderOverride / ExceptIfHasSenderOverride | n/a | Messages where the sender has chosen to override a data loss prevention (DLP) policy. For more information about DLP policies, see Data loss prevention. Note: This condition/exception isn't available in standalone Exchange Online Protection (EOP) environments. |
| Sender's IP address is in the range / The sender > IP address is in any of these ranges or exactly matches | SenderIPRanges / ExceptIfSenderIPRanges | IPAddressRanges | Messages where the sender's IP address matches the specified IP address, or falls within the specified IP address range. |
| The sender's domain is / The sender > domain is | SenderDomainIs / ExceptIfSenderDomainIs | DomainName | Messages where the domain of the sender's email address matches the specified value. If you need to find sender domains that contain the specified domain (for example, any subdomain of a domain), use The sender address matches (FromAddressMatchesPatterns) condition and specify the domain by using the syntax: '\.domain\.com$'. |

Recipients

For conditions and exceptions that examine the recipient's address, you can specify where the rule looks for the
recipient's address by using the RecipientAddressType parameter in PowerShell. Valid values are:

- Original: Only examine the recipient's primary SMTP email address.

- Resolved: Examine the recipient's primary SMTP email address and all proxy addresses. This is the
  default value.

| Condition or exception in the EAC | Condition and exception parameters in Exchange Online PowerShell | Property type | Description |
|---|---|---|---|
| The recipient is / The recipient > is this person | SentTo / ExceptIfSentTo | Addresses | Messages where one of the recipients is the specified mailbox, mail user, or mail contact in the organization. The recipients can be in the To, Cc, or Bcc fields of the message. Note: You can't specify distribution groups, mail-enabled security groups, or Microsoft 365 groups. If you need to take action on messages that are sent to a group, use the To box contains (AnyOfToHeader) condition instead. |
| The recipient is located / The recipient > is external/internal | SentToScope / ExceptIfSentToScope | UserScopeTo | Messages that are sent to internal or external recipients. |
| The recipient is a member of / The recipient > is a member of this group | SentToMemberOf / ExceptIfSentToMemberOf | Addresses | Messages that contain recipients who are members of the specified distribution group, mail-enabled security group, or Microsoft 365 group. The group can be in the To, Cc, or Bcc fields of the message. For more information about using Microsoft 365 groups with this condition, see the Addresses entry in the Property types section. |
| The recipient address includes / The recipient > address includes any of these words | RecipientAddressContainsWords / ExceptIfRecipientAddressContainsWords | Words | Messages that contain the specified words in the recipient's email address. Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address. |
| The recipient address matches / The recipient > address matches any of these text patterns | RecipientAddressMatchesPatterns / ExceptIfRecipientAddressMatchesPatterns | Patterns | Messages where a recipient's email address contains text patterns that match the specified regular expressions. Note: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address. |
| The recipient is on the sender's list / The recipient > is on the sender's supervision list | RecipientInSenderList / ExceptIfRecipientInSenderList | SupervisionList | Messages where the recipient is on the sender's Allow list or Block list. |
| The recipient's specified properties include any of these words / The recipient > has specific properties including any of these words | RecipientADAttributeContainsWords / ExceptIfRecipientADAttributeContainsWords | First property: ADAttribute; Second property: Words | Messages where the specified Active Directory attribute of a recipient contains any of the specified words. Note that the Country attribute requires the two-letter country code value (for example, DE for Germany). |
| The recipient's specified properties match these text patterns / The recipient > has specific properties matching these text patterns | RecipientADAttributeMatchesPatterns / ExceptIfRecipientADAttributeMatchesPatterns | First property: ADAttribute; Second property: Patterns | Messages where the specified Active Directory attribute of a recipient contains text patterns that match the specified regular expressions. |
| A recipient's domain is / The recipient > domain is | RecipientDomainIs / ExceptIfRecipientDomainIs | DomainName | Messages where the domain of a recipient's email address matches the specified value. If you need to find recipient domains that contain the specified domain (for example, any subdomain of a domain), use The recipient address matches (RecipientAddressMatchesPatterns) condition, and specify the domain by using the syntax '\.domain\.com$'. |

Message subject or body

Note

The search for words or text patterns in the subject or other header fields in the message occurs after
the message has been decoded from the MIME content transfer encoding method that was used to
transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions
to search for the raw (typically, Base64) encoded values of the subject or other header fields in
messages.

| Condition or exception in the EAC | Condition and exception parameters in Exchange Online PowerShell | Property type | Description |
|---|---|---|---|
| The subject or body includes / The subject or body > subject or body includes any of these words | SubjectOrBodyContainsWords / ExceptIfSubjectOrBodyContainsWords | Words | Messages that have the specified words in the Subject field or message body. |
| The subject or body matches / The subject or body > subject or body matches these text patterns | SubjectOrBodyMatchesPatterns / ExceptIfSubjectOrBodyMatchesPatterns | Patterns | Messages where the Subject field or message body contain text patterns that match the specified regular expressions. |
| The subject includes / The subject or body > subject includes any of these words | SubjectContainsWords / ExceptIfSubjectContainsWords | Words | Messages that have the specified words in the Subject field. |
| The subject matches / The subject or body > subject matches these text patterns | SubjectMatchesPatterns / ExceptIfSubjectMatchesPatterns | Patterns | Messages where the Subject field contains text patterns that match the specified regular expressions. |

Attachments
For more information about how mail flow rules inspect message attachments, see Use mail flow rules to
inspect message attachments in Exchange Online.

| Condition or exception in the EAC | Condition and exception parameters in Exchange Online PowerShell | Property type | Description |
|---|---|---|---|
| Any attachment's content includes / Any attachment > content includes any of these words | AttachmentContainsWords / ExceptIfAttachmentContainsWords | Words | Messages where an attachment contains the specified words. |
| Any attachment's content matches / Any attachment > content matches these text patterns | AttachmentMatchesPatterns / ExceptIfAttachmentMatchesPatterns | Patterns | Messages where an attachment contains text patterns that match the specified regular expressions. Note: Only the first 150 kilobytes (KB) of the attachments are scanned. |
| Any attachment's content can't be inspected / Any attachment > content can't be inspected | AttachmentIsUnsupported / ExceptIfAttachmentIsUnsupported | n/a | Messages where an attachment isn't natively recognized by Exchange Online. |
| Any attachment's file name matches / Any attachment > file name matches these text patterns | AttachmentNameMatchesPatterns / ExceptIfAttachmentNameMatchesPatterns | Patterns | Messages where an attachment's file name contains text patterns that match the specified regular expressions. |
| Any attachment's file extension matches / Any attachment > file extension includes these words | AttachmentExtensionMatchesWords / ExceptIfAttachmentExtensionMatchesWords | Words | Messages where an attachment's file extension matches any of the specified words. |
| Any attachment is greater than or equal to / Any attachment > size is greater than or equal to | AttachmentSizeOver / ExceptIfAttachmentSizeOver | Size | Messages where any attachment is greater than or equal to the specified value. In the EAC, you can only specify the size in kilobytes (KB). |
| The message didn't complete scanning / Any attachment > didn't complete scanning | AttachmentProcessingLimitExceeded / ExceptIfAttachmentProcessingLimitExceeded | n/a | Messages where the rules engine couldn't complete the scanning of the attachments. You can use this condition to create rules that work together to identify and process messages where the content couldn't be fully scanned. |
| Any attachment has executable content / Any attachment > has executable content | AttachmentHasExecutableContent / ExceptIfAttachmentHasExecutableContent | n/a | Messages where an attachment is an executable file. The system inspects the file's properties rather than relying on the file's extension. |
| Any attachment is password protected / Any attachment > is password protected | AttachmentIsPasswordProtected / ExceptIfAttachmentIsPasswordProtected | n/a | Messages where an attachment is password protected (and therefore can't be scanned). Password detection only works for Office documents, .zip files, and .7z files. |
| has these properties, including any of these words / Any attachment > has these properties, including any of these words | AttachmentPropertyContainsWords / ExceptIfAttachmentPropertyContainsWords | First property: DocumentProperties; Second property: Words | Messages where the specified property of an attached Office document contains the specified words. This condition helps you integrate mail flow rules with SharePoint, File Classification Infrastructure (FCI) in Windows Server 2012 R2 or later, or a third-party classification system. You can select from a list of built-in properties, or specify a custom property. |
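The table's "rules that work together" remark deserves a worked configuration: because conditions within one rule are ANDed, each "attachment could not be inspected" case needs its own rule, while the executable-content condition can stand alone and take a stronger action. The following is an added example for Exchange Online PowerShell, not code from the article or from Microsoft; the SecOps mailbox address, rule names and comment text are placeholders.

```powershell
# Added example, not from the article. Assumes an Exchange Online PowerShell
# session; the SecOps mailbox address is a placeholder.
# Conditions inside one rule are ANDed, so each "could not be inspected" case
# gets its own rule. Every rule takes the same two actions: warn the recipient
# through the subject line and send an incident report to the SecOps mailbox.
$secOps = "secops-alerts@contoso.com"

$unscannable = @{
    "password protected"        = @{ AttachmentIsPasswordProtected     = $true }
    "content not supported"     = @{ AttachmentIsUnsupported           = $true }
    "scanning did not complete" = @{ AttachmentProcessingLimitExceeded = $true }
}

foreach ($case in $unscannable.GetEnumerator()) {
    $condition = $case.Value          # exactly one attachment condition per rule
    $common = @{
        Name                   = "Flag unscanned attachment: $($case.Key)"
        FromScope              = "NotInOrganization"   # external senders only
        PrependSubject         = "[Attachment not scanned] "
        GenerateIncidentReport = $secOps
        IncidentReportContent  = "Sender", "Recipients", "Subject", "RuleDetections"
        Comments               = "SecOps: unscannable attachment detection (placeholder record)."
    }
    # Splatting two hashtables merges the shared actions with this case's condition.
    New-TransportRule @common @condition
}

# Executable content is judged from the file's properties, not its extension,
# so a renamed executable is still caught. Quarantine it rather than only warn.
New-TransportRule -Name "Quarantine executable attachments from external senders" `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -Quarantine $true `
    -GenerateIncidentReport $secOps `
    -IncidentReportContent "Sender", "Recipients", "Subject", "RuleDetections" `
    -Comments "SecOps: blocks executables regardless of declared extension."

# Check that each rule carries exactly the attachment condition it was built for.
Get-TransportRule |
    Where-Object { $_.Name -like "Flag unscanned attachment*" -or $_.Name -like "Quarantine executable*" } |
    Format-Table Name, State, AttachmentIsPasswordProtected, AttachmentIsUnsupported,
        AttachmentProcessingLimitExceeded, AttachmentHasExecutableContent -AutoSize
```

Splitting the unscannable cases into separate rules is what gives OR semantics across conditions; putting all three switches in one rule would only match an attachment that is simultaneously password protected, unsupported and over the scanning limit.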

Any recipients

The conditions and exceptions in this section provide a unique capability that affects all recipients when the
message contains at least one of the specified recipients. For example, let's say you have a rule that rejects
messages. If you use a recipient condition from the Recipients section, the message is only rejected for those
specified recipients: if the rule finds the specified recipient in a message that also contains five other
recipients, the message is rejected for that one recipient and is delivered to the five other recipients.

If you add a recipient condition from this section, that same message is rejected for the detected recipient
and the five other recipients.

Conversely, a recipient exception from this section prevents the rule action from being applied to all
recipients of the message, not just for the detected recipients.

Note

- These conditions don't consider messages that are sent to recipient proxy addresses. They only match
  messages that are sent to the recipient's primary email address.

- These conditions are applied to all recipients in the current fork of the message only. If the message was
  bifurcated by any other action (for example, anti-malware or an earlier mail flow rule), the action will be
  applied on the matching fork only.

| Condition or exception in the EAC | Condition and exception parameters in Exchange Online PowerShell | Property type | Description |
|---|---|---|---|
| Any recipient address includes / Any recipient > address includes any of these words | AnyOfRecipientAddressContainsWords / ExceptIfAnyOfRecipientAddressContainsWords | Words | Messages that contain the specified words in the To, Cc, or Bcc fields of the message. |
| Any recipient address matches / Any recipient > address matches any of these text patterns | AnyOfRecipientAddressMatchesPatterns / ExceptIfAnyOfRecipientAddressMatchesPatterns | Patterns | Messages where the To, Cc, or Bcc fields contain text patterns that match the specified regular expressions. |

Message sensitive information types, To and Cc values, size, and character sets

The conditions in this section that look for values in the To and Cc fields behave like the conditions in the
Any recipients section (all recipients of the message are affected by the rule, not just the detected
recipients).

Notes:

- The recipient conditions in this section do not consider messages that are sent to recipient proxy
  addresses. They only match messages that are sent to the recipient's primary email address.

- For more information about using Microsoft 365 groups with the recipient conditions in this section,
  see the Addresses entry in the Property types section.

The message contains sensitive information
  EAC: The message > contains any of these types of sensitive information
  PowerShell: MessageContainsDataClassifications / ExceptIfMessageContainsDataClassifications
  Property type: SensitiveInformationTypes
  Description: Messages that contain sensitive information as defined by data loss prevention (DLP)
  policies. This condition is required for rules that use the Notify the sender with a Policy Tip
  (NotifySender) action.
  Note: This condition/exception isn't available in standalone EOP environments.

The To box contains
  EAC: The message > To box contains this person
  PowerShell: AnyOfToHeader / ExceptIfAnyOfToHeader
  Property type: Addresses
  Description: Messages where the To field includes any of the specified recipients.

The To box contains a member of
  EAC: The message > To box contains a member of this group
  PowerShell: AnyOfToHeaderMemberOf / ExceptIfAnyOfToHeaderMemberOf
  Property type: Addresses
  Description: Messages where the To field contains a recipient who is a member of the specified
  distribution group, mail-enabled security group, or Microsoft 365 group.

The Cc box contains
  EAC: The message > Cc box contains this person
  PowerShell: AnyOfCcHeader / ExceptIfAnyOfCcHeader
  Property type: Addresses
  Description: Messages where the Cc field includes any of the specified recipients.

The Cc box contains a member of
  EAC: The message > Cc box contains a member of this group
  PowerShell: AnyOfCcHeaderMemberOf / ExceptIfAnyOfCcHeaderMemberOf
  Property type: Addresses
  Description: Messages where the Cc field contains a recipient who is a member of the specified
  distribution group or mail-enabled security group.

The To or Cc box contains
  EAC: The message > To or Cc box contains this person
  PowerShell: AnyOfToCcHeader / ExceptIfAnyOfToCcHeader
  Property type: Addresses
  Description: Messages where the To or Cc fields contain any of the specified recipients.

The To or Cc box contains a member of
  EAC: The message > To or Cc box contains a member of this group
  PowerShell: AnyOfToCcHeaderMemberOf / ExceptIfAnyOfToCcHeaderMemberOf
  Property type: Addresses
  Description: Messages where the To or Cc fields contain a recipient who is a member of the specified
  distribution group or mail-enabled security group.

The message size is greater than or equal to
  EAC: The message > size is greater than or equal to
  PowerShell: MessageSizeOver / ExceptIfMessageSizeOver
  Property type: Size
  Description: Messages where the total size (message plus attachments) is greater than or equal to the
  specified value. In the EAC, you can only specify the size in kilobytes (KB).
  Note: Message size limits on mailboxes are evaluated before mail flow rules. A message that's too large
  for a mailbox is rejected before a rule with this condition is able to act on the message.

The message character set name includes any of these words
  EAC: The message > character set name includes any of these words
  PowerShell: ContentCharacterSetContainsWords / ExceptIfContentCharacterSetContainsWords
  Property type: CharacterSets
  Description: Messages that have any of the specified character set names.
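As an added example (not code from the original article), the following Exchange Online PowerShell creates a rule that uses the MessageContainsDataClassifications condition together with the NotifySender, GenerateIncidentReport and SetAuditSeverity actions from the Mail flow rule actions article that follows, using the @{Name=...; minCount=...} hashtable syntax described under SensitiveInformationTypes in the Property types section. The rule name, the incident mailbox address and the minCount thresholds are assumptions chosen for illustration.

```powershell
# Added example (not part of the original article). Requires an Exchange Online
# PowerShell session (Connect-ExchangeOnline) with a role that can manage mail
# flow rules. Rule name, mailbox address and thresholds are assumptions.
Connect-ExchangeOnline

# Each hashtable is one sensitive information type; the condition matches when
# any listed type is found at or above its minCount.
$sensitiveTypes = @(
    @{ Name = 'Credit Card Number'; minCount = '2' },
    @{ Name = 'ABA Routing Number'; minCount = '1' }
)

# SentToScope NotInOrganization limits the rule to mail leaving the tenant.
# NotifySender requires the MessageContainsDataClassifications condition and
# restricts which other predicates and actions can be combined with it, so
# start in Audit mode and review the incident reports before enforcing.
New-TransportRule -Name 'Block external mail with financial data' `
    -Comments 'Added example: DLP-style block with Policy Tip and incident report' `
    -MessageContainsDataClassifications $sensitiveTypes `
    -SentToScope NotInOrganization `
    -NotifySender RejectUnlessFalsePositiveOverride `
    -RejectMessageReasonText 'Financial data may not be sent outside the organization.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -GenerateIncidentReport 'dlp-incidents@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject, Severity, DataClassifications `
    -SetAuditSeverity High `
    -Mode Audit

# Confirm what was stored; the classification hashtables are echoed back.
Get-TransportRule -Identity 'Block external mail with financial data' |
    Format-List Name, State, Mode, Priority, SentToScope,
                MessageContainsDataClassifications, NotifySender, SetAuditSeverity

# After reviewing the incident reports, switch the rule to enforcement.
Set-TransportRule -Identity 'Block external mail with financial data' -Mode Enforce
```

RejectUnlessFalsePositiveOverride lets the sender report a false positive and send anyway, which keeps the audit trail (incident report plus message tracking entry) while avoiding hard blocks during rollout; use RejectMessage once the detection is trusted.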

Sender and recipient

The sender is one of the recipient's
  EAC: The sender and the recipient > the sender's relationship to a recipient is
  PowerShell: SenderManagementRelationship / ExceptIfSenderManagementRelationship
  Property type: ManagementRelationship
  Description: Messages where either the sender is the manager of a recipient, or the sender is managed by
  a recipient.

The message is between members of these groups
  EAC: The sender and the recipient > the message is between members of these groups
  PowerShell: BetweenMemberOf1 and BetweenMemberOf2 / ExceptIfBetweenMemberOf1 and ExceptIfBetweenMemberOf2
  Property type: Addresses
  Description: Messages that are sent between members of the specified distribution groups or mail-enabled
  security groups. For more information about using Microsoft 365 groups with this condition, see the
  Addresses entry in the Property types section.

The manager of the sender or recipient is
  EAC: The sender and the recipient > the manager of the sender or recipient is this person
  PowerShell: ManagerForEvaluatedUser and ManagerAddress / ExceptIfManagerForEvaluatedUser and
  ExceptIfManagerAddress
  Property type: First property: EvaluatedUser. Second property: Addresses
  Description: Messages where either a specified user is the manager of the sender, or a specified user is
  the manager of a recipient.

The sender's and any recipient's property compares as
  EAC: The sender and the recipient > the sender and recipient property compares as
  PowerShell: ADAttributeComparisonAttribute and ADComparisonOperator /
  ExceptIfADAttributeComparisonAttribute and ExceptIfADComparisonOperator
  Property type: First property: ADAttribute. Second property: Evaluation
  Description: Messages where the specified Active Directory attribute for the sender and recipient either
  match or don't match.
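The following Exchange Online PowerShell is an added example (not code from the original article) of two sender-and-recipient conditions from the table above: an ethical wall built on BetweenMemberOf1/BetweenMemberOf2, and an Active Directory attribute comparison (ADAttributeComparisonAttribute with ADComparisonOperator) that hands cross-department mail to the sender's manager for moderation. The group addresses, rule names and the "Company Internal" classification are assumptions; the classification must already exist in the tenant.

```powershell
# Added example (not part of the original article). Group addresses, rule
# names and the message classification are assumptions. Requires an Exchange
# Online PowerShell session with rights to manage mail flow rules.
Connect-ExchangeOnline

# Ethical wall: reject mail exchanged between two groups unless it comes from
# Compliance. BetweenMemberOf1/2 evaluates the sender and every recipient, and
# like the other conditions in this section it acts on the whole message.
New-TransportRule -Name 'Ethical wall: Trading and Research' `
    -BetweenMemberOf1 'trading@contoso.com' `
    -BetweenMemberOf2 'research@contoso.com' `
    -ExceptIfFromMemberOf 'compliance@contoso.com' `
    -RejectMessageReasonText 'Direct mail between Trading and Research is not permitted.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -SetAuditSeverity High `
    -Mode Enforce

# Attribute comparison: when sender and recipient are in different departments
# and the message carries the Company Internal classification, route it to the
# sender's manager for approval. ModerateMessageByManager only works when the
# sender's Manager attribute is populated; otherwise the mail is delivered.
# Department is one of the predefined ADAttribute values in Property types.
New-TransportRule -Name 'Moderate cross-department internal mail' `
    -ADAttributeComparisonAttribute Department `
    -ADComparisonOperator NotEqual `
    -HasClassification (Get-MessageClassification 'Company Internal').Identity `
    -ModerateMessageByManager $true `
    -Mode Enforce

# Review both rules as stored.
Get-TransportRule | Where-Object { $_.BetweenMemberOf1 -or $_.ADAttributeComparisonAttribute } |
    Format-Table Priority, Name, State, BetweenMemberOf1, BetweenMemberOf2,
                 ADAttributeComparisonAttribute, ADComparisonOperator -AutoSize
```

Because the moderation rule silently falls back to delivery when no manager is set, audit for users with an empty Manager attribute (for example with Get-User | Where-Object { -not $_.Manager }) before relying on it.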

Message properties

The message type is
  EAC: The message properties > include the message type
  PowerShell: MessageTypeMatches / ExceptIfMessageTypeMatches
  Property type: MessageType
  Description: Messages of the specified type.
  Note: When Outlook or Outlook on the web (formerly known as Outlook Web App) is configured to forward a
  message, the ForwardingSmtpAddress property is added to the message. In thin clients like Outlook on the
  web, encryption as a message type is currently not supported.

The message is classified as
  EAC: The message properties > include this classification
  PowerShell: HasClassification / ExceptIfHasClassification
  Property type: MessageClassification
  Description: Messages that have the specified message classification. This is a custom message
  classification that you can create in your organization by using the New-MessageClassification cmdlet.
  Note: This condition/exception isn't available in standalone EOP environments.

The message isn't marked with any classifications
  EAC: The message properties > don't include any classification
  PowerShell: HasNoClassification / ExceptIfHasNoClassification
  Property type: n/a
  Description: Messages that don't have a message classification.
  Note: This condition/exception isn't available in standalone EOP environments.

The message importance is set to
  EAC: The message properties > include the importance level
  PowerShell: WithImportance / ExceptIfWithImportance
  Property type: Importance
  Description: Messages that are marked with the specified Importance level.

Message headers

Note: The search for words or text patterns in the subject or other header fields in the message occurs
after the message has been decoded from the MIME content transfer encoding method that was used to
transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions to
search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.

A message header includes
  EAC: A message header > includes any of these words
  PowerShell: HeaderContainsMessageHeader and HeaderContainsWords / ExceptIfHeaderContainsMessageHeader and
  ExceptIfHeaderContainsWords
  Property type: First property: MessageHeaderField. Second property: Words
  Description: Messages that contain the specified header field, and the value of that header field contains
  the specified words. The name of the header field and the value of the header field are always used
  together.

A message header matches
  EAC: A message header > matches these text patterns
  PowerShell: HeaderMatchesMessageHeader and HeaderMatchesPatterns / ExceptIfHeaderMatchesMessageHeader and
  ExceptIfHeaderMatchesPatterns
  Property type: First property: MessageHeaderField. Second property: Patterns
  Description: Messages that contain the specified header field, and the value of that header field matches
  the specified regular expressions. The name of the header field and the value of the header field are
  always used together.
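As an added example (not code from the original article), this Exchange Online PowerShell uses the HeaderMatchesMessageHeader/HeaderMatchesPatterns pair from the table above to quarantine inbound mail whose Authentication-Results header records a DMARC failure. The rule name, the allow-listed sender domain and the exact pattern are assumptions; the header name and the "dmarc=fail" result string are what EOP stamps on inbound messages.

```powershell
# Added example (not part of the original article). Rule name, allow-listed
# domain and pattern are assumptions. Requires an Exchange Online PowerShell
# session with rights to manage mail flow rules.
Connect-ExchangeOnline

# EOP stamps Authentication-Results on inbound mail, and the pattern is matched
# against the decoded header value (see the note above), so a plain regex on
# the visible text is enough. Key header rules only on headers your own
# service stamps: anything an external sender can add is attacker-controlled.
# 'dmarc=fail' also matches failures for domains whose policy is p=none;
# tighten the pattern to 'dmarc=fail action=oreject' to act only where the
# owner asked for reject and the service overrode it.
New-TransportRule -Name 'Quarantine DMARC failures' `
    -Comments 'Added example: supplementary control next to anti-phishing policies' `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'dmarc=fail' `
    -ExceptIfSenderDomainIs 'partner.example' `
    -Quarantine $true `
    -SetAuditSeverity Medium `
    -Mode Enforce

# Review the stored condition; the header name and the pattern are always
# evaluated as a pair.
Get-TransportRule -Identity 'Quarantine DMARC failures' |
    Format-List Name, State, Mode, FromScope, HeaderMatchesMessageHeader,
                HeaderMatchesPatterns, ExceptIfSenderDomainIs, Quarantine
```

A message that lacks the header entirely does not match, so this rule never fires on internal mail or on mail that bypassed filtering; pair it with the tenant's anti-phishing policy rather than using it as the only spoof control.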

Property types

The property types that are used in conditions and exceptions are described in the following table.

Note: If the property is a string, trailing spaces are not allowed.

ADAttribute
  Valid values: Select from a predefined list of Active Directory attributes.
  Description: You can check against any of the following Active Directory attributes:
    City
    Company
    Country
    CustomAttribute1 - CustomAttribute15
    Department
    DisplayName
    Email
    FaxNumber
    FirstName
    HomePhoneNumber
    Initials
    LastName
    Manager
    MobileNumber
    Notes
    Office
    OtherFaxNumber
    OtherHomePhoneNumber
    OtherPhoneNumber
    PagerNumber
    PhoneNumber
    POBox
    State
    Street
    Title
    UserLogonName
    ZipCode

  In the EAC, to specify multiple words or text patterns for the same attribute, separate the values with
  commas. For example, the value San Francisco,Palo Alto for the City attribute looks for "City equals
  San Francisco" or "City equals Palo Alto".

  In Exchange Online PowerShell, use the syntax "AttributeName1:Value1,Value 2 with
  spaces,Value3...","AttributeName2:Word4,Value 5 with spaces,Value6...", where Value is the word or text
  pattern that you want to match. For example, "City:San Francisco,Palo Alto" or "City:San Francisco,Palo
  Alto","Department:Sales,Finance".

  When you specify multiple attributes, or multiple values for the same attribute, the or operator is used.
  Don't use values with leading or trailing spaces.

  Note that the Country attribute requires the two-letter ISO 3166-1 country code value (for example, DE
  for Germany). For more information, see Country Codes - ISO 3166.

Addresses
  Valid values: Exchange Online recipients.
  Description: Depending on the nature of the condition or exception, you might be able to specify any
  mail-enabled object in the organization (for example, recipient-related conditions), or you might be
  limited to a specific object type (for example, groups for group membership conditions). And, the
  condition or exception might require one value, or allow multiple values. In Exchange Online PowerShell,
  separate multiple values by commas.

  This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches
  messages that are sent to the recipient's primary email address.

  The recipient picker in the EAC doesn't allow you to select Microsoft 365 groups from the list of
  recipients. But, you can enter the email address of a Microsoft 365 group in the box next to Check names,
  and then validate the email address by clicking Check names, which will add the group to the add box.

CharacterSets
  Valid values: Array of character set names.
  Description: One or more content character sets that exist in a message. For example:
    Arabic/iso-8859-6
    Chinese/big5
    Chinese/euc-cn
    Chinese/euc-tw
    Chinese/gb2312
    Chinese/iso-2022-cn
    Cyrillic/iso-8859-5
    Cyrillic/koi8-r
    Cyrillic/windows-1251
    Greek/iso-8859-7
    Hebrew/iso-8859-8
    Japanese/euc-jp
    Japanese/iso-2022-jp
    Japanese/shift-jis
    Korean/euc-kr
    Korean/johab
    Korean/ks_c_5601-1987
    Turkish/windows-1254
    Turkish/iso-8859-9
    Vietnamese/tcvn

DomainName
  Valid values: Array of SMTP domains.
  Description: For example, contoso.com or eu.contoso.com. In Exchange Online PowerShell, you can specify
  multiple domains separated by commas.

EvaluatedUser
  Valid values: Single value of Sender or Recipient.
  Description: Specifies whether the rule is looking for the manager of the sender or the manager of the
  recipient.

Evaluation
  Valid values: Single value of Equal or Not equal (NotEqual).
  Description: When comparing the Active Directory attribute of the sender and recipients, this specifies
  whether the values should match, or not match.

Importance
  Valid values: Single value of Low, Normal, or High.
  Description: The Importance level that was assigned to the message by the sender in Outlook or Outlook on
  the web.

IPAddressRanges
  Valid values: Array of IP addresses or address ranges.
  Description: You enter the IPv4 addresses using the following syntax:
    Single IP address: For example, 192.168.1.1.
    IP address range: For example, 192.168.0.1-192.168.0.254.
    Classless InterDomain Routing (CIDR) IP address range: For example, 192.168.0.1/25.
  In Exchange Online PowerShell, you can specify multiple IP addresses or ranges separated by commas.

ManagementRelationship
  Valid values: Single value of Manager or Direct report (DirectReport).
  Description: Specifies the relationship between the sender and any of the recipients. The rule checks the
  Manager attribute in Active Directory to see if the sender is the manager of a recipient, or if the sender
  is managed by a recipient.

MessageClassification
  Valid values: Single message classification.
  Description: In the EAC, you select from the list of message classifications that you've created. In
  Exchange Online PowerShell, you use the Get-MessageClassification cmdlet to identify the message
  classification.

  For example, use the following command to search for messages with the Company Internal classification
  and prepend the message subject with the value CompanyInternal:

  New-TransportRule "Rule Name" -HasClassification @(Get-MessageClassification "Company Internal").Identity -PrependSubject "CompanyInternal"

MessageHeaderField
  Valid values: Single string.
  Description: Specifies the name of the header field. The name of the header field is always paired with
  the value in the header field (word or text pattern match). The message header is a collection of required
  and optional header fields in the message. Examples of header fields are To, From, Received, and
  Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and
  are known as X-headers.

MessageType
  Valid values: Single message type value.
  Description: Specifies one of the following message types:
    Automatic reply (OOF)
    Auto-forward (AutoForward)
    Encrypted
    Calendaring
    Permission controlled (PermissionControlled)
    Voicemail
    Signed
    Approval request (ApprovalRequest)
    Read receipt (ReadReceipt)
  Note: When Outlook or Outlook on the web is configured to forward a message, the ForwardingSmtpAddress
  property is added to the message.

Patterns
  Valid values: Array of regular expressions.
  Description: Specifies one or more regular expressions that are used to identify text patterns in values.
  For more information, see Regular Expression Syntax. In Exchange Online PowerShell, you specify multiple
  regular expressions separated by commas, and you enclose each regular expression in quotation marks (").

SCLValue
  Valid values: Bypass spam filtering (-1), or an integer from 0 through 9.
  Description: Specifies the spam confidence level (SCL) that's assigned to a message. A higher SCL value
  indicates that a message is more likely to be spam.

SensitiveInformationTypes
  Valid values: Array of sensitive information types.
  Description: Specifies one or more sensitive information types that are defined in your organization. For
  a list of built-in sensitive information types, see Sensitive information types in Exchange Server.

  In Exchange Online PowerShell, use the syntax @{<SensitiveInformationType1>},@{<SensitiveInformationType2>},...
  For example, to look for content that contains at least two credit card numbers, and at least one ABA
  routing number, use the value @{Name="Credit Card Number"; minCount="2"},@{Name="ABA Routing Number";
  minCount="1"}.

Size
  Valid values: Single size value.
  Description: Specifies the size of an attachment or the whole message. In the EAC, you can only specify
  the size in kilobytes (KB).
  In Exchange Online PowerShell, when you enter a value, qualify the value with one of the following units:
    B (bytes)
    KB (kilobytes)
    MB (megabytes)
    GB (gigabytes)
  For example, 20 MB. Unqualified values are typically treated as bytes, but small values may be rounded up
  to the nearest kilobyte.

SupervisionList
  Valid values: Single value of Allow or Block.
  Description: Supervision policies were a feature in Live@edu that allowed you to control who could send
  mail to and receive mail from users in your organization (for example, the closed campus and
  anti-bullying policies). In Microsoft 365 and Office 365, you can't configure supervision list entries on
  mailboxes.

UserScopeFrom
  Valid values: Single value of Inside the organization (InOrganization) or Outside the organization
  (NotInOrganization).
  Description: A sender is considered to be inside the organization if either of the following conditions
  is true:
    The sender is a mailbox, mail user, group, or mail-enabled public folder that exists inside the
    organization.
    The sender's email address is in an accepted domain that's configured as an authoritative domain or an
    internal relay domain, and the message was sent or received over an authenticated connection. For more
    information about accepted domains, see Manage accepted domains in Exchange Online.
  A sender is considered to be outside the organization if either of the following conditions is true:
    The sender's email address isn't in an accepted domain.
    The sender's email address is in an accepted domain that's configured as an external relay domain.
  Note: To determine whether mail contacts are considered to be inside or outside the organization, the
  sender's address is compared with the organization's accepted domains.

UserScopeTo
  Valid values: Single value of Inside the organization (InOrganization) or Outside the organization
  (NotInOrganization).
  Description: A recipient is considered to be inside the organization if either of the following
  conditions is true:
    The recipient is a mailbox, mail user, group, or mail-enabled public folder that exists inside the
    organization.
    The recipient's email address is in an accepted domain that's configured as an authoritative domain or
    an internal relay domain, and the message was sent or received over an authenticated connection.
  A recipient is considered to be outside the organization if either of the following conditions is true:
    The recipient's email address isn't in an accepted domain.
    The recipient's email address is in an accepted domain that's configured as an external relay domain.

Words
  Valid values: Array of strings.
  Description: Specifies one or more words to look for. The words aren't case-sensitive, and can be
  surrounded by spaces and punctuation marks. Wildcards and partial matches aren't supported. For example,
  "contoso" matches " Contoso". However, if the text is surrounded by other characters, it isn't considered
  a match. For example, "contoso" doesn't match the following values:
    Acontoso
    Contosoa
    Acontosob

  The asterisk (*) is treated as a literal character, and isn't used as a wildcard character.

  The at sign (@) is also treated as a literal character. Therefore, if it is used when searching recipient
  addresses, it will not match. For example:
    @contoso.com will not match user@contoso.com
    contoso.com will match user@contoso.com

  In this scenario, the correct way to set up matching is to use either ExceptIfRecipientDomainIs or
  ExceptIfRecipientAddressMatchesPatterns (or the corresponding RecipientDomainIs and
  RecipientAddressMatchesPatterns condition parameters).
For more information


Mail flow rules (transport rules) in Exchange Online

Mail flow rule actions in Exchange Online

Mail flow rule procedures in Exchange Online

New-TransportRule
Mail flow rule actions in Exchange Online
Article • 01/12/2023 • 17 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations
without Exchange Online mailboxes, actions in mail flow rules (also known as transport rules)
specify what you want to do to messages that match conditions of the rule. For example, you can
create a rule that forwards messages from specific senders to a moderator, or adds a disclaimer or
personalized signature to all outbound messages.

Actions typically require additional properties. For example, when the rule redirects a message, you
need to specify where to redirect the message. Some actions have multiple properties that are
available or required. For example, when the rule adds a header field to the message header, you
need to specify both the name and value of the header. When the rule adds a disclaimer to
messages, you need to specify the disclaimer text, but you can also specify where to insert the text,
or what to do if the disclaimer can't be added to the message. Typically, you can configure
multiple actions in a rule, but some actions are exclusive. For example, one rule can't reject and
redirect the same message.

For more information about mail flow rules, including how multiple actions are handled, see Mail
flow rules (transport rules) in Exchange Online.

For more information about conditions and exceptions in mail flow rules, see Mail flow rule
conditions and exceptions (predicates) in Exchange Online.

For more information about actions in mail flow rules in Exchange Server, see Mail flow rule actions in
Exchange Server.

Actions for mail flow rules in Exchange Online


The actions that are available in mail flow rules in Exchange Online and standalone EOP are
described in the following table. Valid values for each property are described in the Property values
section.

Notes:

After you select an action in the Exchange admin center (EAC), the value that's ultimately
shown in the Do the following field is often different from the click path you selected. Also,
when you create new rules, you can sometimes (depending on the selections you make)
select a short action name from a template (a filtered list of actions) instead of following the
complete click path. The short names and full click path values are shown in the EAC column
in the table.

The names of some of the actions that are returned by the Get-TransportRuleAction cmdlet
are different than the corresponding parameter names, and multiple parameters might be
required for an action.
Each entry below lists the action as shown in the EAC (short name and click path), the action parameter in
PowerShell, the property, and a description.

Forward the message for approval to
  EAC: Forward the message for approval > to these people
  PowerShell: ModerateMessageByUser
  Property: Addresses
  Description: Forwards the message to the specified moderators as an attachment wrapped in an approval
  request. For more information, see Use mail flow rules for message approval scenarios in Exchange Online.
  You can't use a distribution group as a moderator.
  Note: This action isn't available in standalone Exchange Online Protection (EOP) environments.

Forward the message for approval to the sender's manager
  EAC: Forward the message for approval > to the sender's manager
  PowerShell: ModerateMessageByManager
  Property: n/a
  Description: Forwards the message to the sender's manager for approval. This action only works if the
  sender's Manager attribute is defined. Otherwise, the message is delivered to the recipients without
  moderation.
  Note: This action isn't available in standalone EOP environments.

Redirect the message to
  EAC: Redirect the message to > these recipients
  PowerShell: RedirectMessageTo
  Property: Addresses
  Description: Redirects the message to the specified recipients. The message isn't delivered to the
  original recipients, and no notification is sent to the sender or the original recipients.

Deliver the message to the hosted quarantine
  EAC: Redirect the message to > hosted quarantine
  PowerShell: Quarantine
  Property: n/a
  Description: Delivers the message to the quarantine in EOP. For more information, see Quarantined email
  messages in EOP.

Use the following connector
  EAC: Redirect the message to > the following connector
  PowerShell: RouteMessageOutboundConnector
  Property: OutboundConnector
  Description: Uses the specified outbound connector to deliver the message. For more information about
  connectors, see Configure mail flow using connectors.

Reject the message with the explanation
  EAC: Block the message > reject the message and include an explanation
  PowerShell: RejectMessageReasonText
  Property: String
  Description: Returns the message to the sender in a non-delivery report (also known as an NDR or bounce
  message) with the specified text as the rejection reason. The recipient doesn't receive the original
  message or notification. The default enhanced status code that's used is 5.7.1. When you create or modify
  the rule in PowerShell, you can specify the DSN code by using the RejectMessageEnhancedStatusCode
  parameter.

Reject the message with the enhanced status code of
  EAC: Block the message > reject the message with the enhanced status code of
  PowerShell: RejectMessageEnhancedStatusCode
  Property: DSNEnhancedStatusCode
  Description: Returns the message to the sender in an NDR with the specified enhanced delivery status
  notification (DSN) code. The recipient doesn't receive the original message or notification. Valid DSN
  codes are 5.7.1 or 5.7.900 through 5.7.999. The default reason text that's used is Delivery not
  authorized, message refused. When you create or modify the rule in PowerShell, you can specify the
  rejection reason text by using the RejectMessageReasonText parameter.

Delete the message without notifying anyone
  EAC: Block the message > delete the message without notifying anyone
  PowerShell: DeleteMessage
  Property: n/a
  Description: Silently drops the message without sending a notification to the recipient or the sender.

Add recipients to the Bcc box
  EAC: Add recipients > to the Bcc box
  PowerShell: BlindCopyTo
  Property: Addresses
  Description: Adds one or more recipients to the Bcc field of the message. The original recipients aren't
  notified, and they can't see the additional addresses.
  Note: In Exchange Online, you can't add a distribution group as a recipient.

Add recipients to the To box
  EAC: Add recipients > to the To box
  PowerShell: AddToRecipients
  Property: Addresses
  Description: Adds one or more recipients to the To field of the message. The original recipients can see
  the additional addresses.
  Note: In Exchange Online, you can't add a distribution group as a recipient.

Add recipients to the Cc box
  EAC: Add recipients > to the Cc box
  PowerShell: CopyTo
  Property: Addresses
  Description: Adds one or more recipients to the Cc field of the message. The original recipients can see
  the additional addresses.
  Note: In Exchange Online, you can't add a distribution group as a recipient.

Add the sender's manager as a recipient
  EAC: Add recipients > add the sender's manager as a recipient
  PowerShell: AddManagerAsRecipientType
  Property: AddedManagerAction
  Description: Adds the sender's manager to the message as the specified recipient type (To, Cc, Bcc), or
  redirects the message to the sender's manager without notifying the sender or the recipient. This action
  only works if the sender's Manager attribute is defined in Active Directory.

Append the disclaimer
  EAC: Apply a disclaimer to the message > append a disclaimer
  PowerShell: ApplyHtmlDisclaimerText, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation
  Property: First property: DisclaimerText. Second property: DisclaimerFallbackAction. Third property
  (PowerShell only): DisclaimerTextLocation
  Description: Applies the specified HTML disclaimer to the end of the message. When you create or modify
  the rule in PowerShell, use the ApplyHtmlDisclaimerLocation parameter with the value Append.

Prepend the disclaimer
  EAC: Apply a disclaimer to the message > prepend a disclaimer
  PowerShell: ApplyHtmlDisclaimerText, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation
  Property: First property: DisclaimerText. Second property: DisclaimerFallbackAction. Third property
  (PowerShell only): DisclaimerTextLocation
  Description: Applies the specified HTML disclaimer to the beginning of the message. When you create or
  modify the rule in PowerShell, use the ApplyHtmlDisclaimerLocation parameter with the value Prepend.

Remove this header
  EAC: Modify the message properties > remove a message header
  PowerShell: RemoveHeader
  Property: MessageHeaderField
  Description: Removes the specified header field from the message header.

Set the message header to this value
  EAC: Modify the message properties > set a message header
  PowerShell: SetHeaderName, SetHeaderValue
  Property: First property: MessageHeaderField. Second property: String
  Description: Adds or modifies the specified header field in the message header, and sets the header field
  to the specified value.

Apply a message classification
  EAC: Modify the message properties > apply a message classification
  PowerShell: ApplyClassification
  Property: MessageClassification
  Description: Applies the specified message classification to the message.
  Note: This action isn't available in standalone EOP environments.

Set the spam confidence level (SCL) to
  EAC: Modify the message properties > set the spam confidence level (SCL)
  PowerShell: SetSCL
  Property: SCLValue
  Description: Sets the spam confidence level (SCL) of the message to the specified value.

Apply Office 365 Message Encryption and rights protection
  EAC: Apply Message Encryption and rights protection to the message with; Modify the message security >
  Message Encryption and rights protection
  PowerShell: ApplyRightsProtectionTemplate
  Property: RMSTemplate
  Description: Applies the specified Azure Rights Management (Azure RMS) template to the message. Azure RMS
  is part of Azure Information Protection. For more information, see Set up new Message Encryption
  capabilities.

Require TLS encryption
  EAC: Modify the message security > require TLS encryption
  PowerShell: RouteMessageOutboundRequireTls
  Property: n/a
  Description: Forces the outbound messages to be routed over a TLS encrypted connection.

Encrypt the messages with the previous version of OME
  EAC: Modify the message security > Apply the previous version of OME
  PowerShell: ApplyOME
  Property: n/a
  Description: If you haven't moved your Microsoft 365 or Office 365 organization to Microsoft Purview
  Message Encryption that's built on Azure Information Protection, this action encrypts the message and
  attachments with the previous version of OME.
  Notes:
    We recommend that you make a plan to move to OME on Azure Information Protection as soon as it's
    reasonable for your organization. For instructions, see Set up new Message Encryption capabilities.
    If you receive an error stating that IRM licensing isn't enabled, you can't set up the previous version
    of OME. If you set up OME now, you'll set up the OME capabilities that are built on Azure Information
    Protection.

Remove the previous version of OME from the message
  EAC: Modify the message security > Remove the previous version of OME
  PowerShell: RemoveOME
  Property: n/a
  Description: Decrypts the message and attachments from the previous version of OME so users don't need to
  sign in to the encryption portal in order to view them. This action is only available for messages that
  are sent within your organization.

Remove Office 365 Message Encryption and rights protection
  EAC: Modify the message security > Message Encryption and rights protection
  PowerShell: RemoveOMEv2
  Property: n/a
  Description: Removes the Azure RMS template from the message.

Prepend the subject of the message with
  PowerShell: PrependSubject
  Property: String
  Description: Adds the specified text to the beginning of the Subject field of the message. Consider using
  a space or a colon (:) as the last character of the specified text to differentiate it from the original
  subject text. To prevent the same string from being added to messages that already contain the text in
  the subject (for example, replies), add the The subject includes (ExceptIfSubjectContainsWords) exception
  to the rule.

Notify the sender with a Policy Tip
  PowerShell: NotifySender, RejectMessageReasonText, RejectMessageEnhancedStatusCode (PowerShell only)
  Property: First property: NotifySenderType. Second property: String. Third property (PowerShell only):
  DSNEnhancedStatusCode
  Description: Notifies the sender or blocks the message when the message matches a DLP policy. When you use
  this action, you need to use the The message contains sensitive information
  (MessageContainsDataClassifications) condition. When you create or modify the rule in PowerShell, the
  RejectMessageReasonText parameter is optional. If you don't use this parameter, the default text Delivery
  not authorized, message refused is used. In PowerShell, you can also use the
  RejectMessageEnhancedStatusCode parameter to specify the enhanced status code. If you don't use this
  parameter, the default enhanced status code 5.7.1 is used. This action limits the other conditions,
  exceptions, and actions that you can configure in the rule.
  Note: This action isn't available in standalone EOP environments.

Generate incident report and send it to
  PowerShell: GenerateIncidentReport, IncidentReportContent
  Property: First property: Addresses. Second property: IncidentReportContent
  Description: Sends an incident report that contains the specified content to the specified recipients. An
  incident report is generated for messages that match data loss prevention (DLP) policies in your
  organization.

Notify the recipient with a message
  PowerShell: GenerateNotification
  Property: NotificationMessageText
  Description: Specifies the text, HTML tags, and message keywords to include in the notification message
  that's sent to the message's recipients. For example, you can notify recipients that the message was
  rejected by the rule, or marked as spam and delivered to their Junk Email folder.

Properties of this rule section > Audit this rule with severity level
  PowerShell: SetAuditSeverity
  Property: AuditSeverityLevel
  Description: Specifies whether to:
    Prevent the generation of an incident report and the corresponding entry in the message tracking log.
    Generate an incident report and the corresponding entry in the message tracking log with the specified
    severity level (low, medium, or high).

Properties of this rule section > Stop processing more rules
  EAC: More options > Properties of this rule section > Stop processing more rules
  PowerShell: StopRuleProcessing
  Property: n/a
  Description: Specifies that after the message is affected by the rule, the message is exempt from
  processing by other rules.

Property values
The property values that are used for actions in mail flow rules are described in the following table.

Property: AddedManagerAction
Valid values: One of the following values: To, Cc, Bcc, Redirect
Description: Specifies how to include the sender's manager in messages. If you select To, Cc, or Bcc, the sender's manager is added as a recipient in the specified field. If you select Redirect, the message is only delivered to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager is defined.

Property: Addresses
Valid values: Exchange recipients
Description: Depending on the action, you might be able to specify any mail-enabled object in the organization, or you might be limited to a specific object type. Typically, you can select multiple recipients, but you can only send an incident report to one recipient.

Property: AuditSeverityLevel
Valid values: One of the following values:
    Uncheck Audit this rule with severity level, or select Audit this rule with severity level with the value Not specified (DoNotAudit)
    Low
    Medium
    High
Description: The values Low, Medium, or High specify the severity level that's assigned to the incident report and to the corresponding entry in the message tracking log. The other value prevents an incident report from being generated, and prevents the corresponding entry from being written to the message tracking log.

Property: DisclaimerFallbackAction
Valid values: One of the following values: Wrap, Ignore, Reject
Description: Specifies what to do if the disclaimer can't be applied to a message (for example, encrypted or signed messages where the contents can't be altered). The available fallback actions are:
    Wrap: A new message is created and the original message is added to it as an attachment. The disclaimer text is added to the new message, which is delivered to the recipients. This is the default value. If you want other rules to examine and act on the original message (which is now an attachment in the new message), make sure those rules are applied before the disclaimer rule by using a lower priority for the disclaimer rule and higher priority for other rules. If the process of inserting the original message as an attachment in the new message fails, the original message isn't delivered. The original message is returned to the sender in a non-delivery report (also known as an NDR or a bounce message).
    Ignore: The rule is ignored and the original message is delivered without the disclaimer.
    Reject: The original message is returned to the sender in an NDR. We recommend using the Reject fallback option.

Property: DisclaimerText
Valid values: HTML string
Description: Specifies the disclaimer text, which can include HTML tags, inline cascading style sheet (CSS) tags, and images by using the IMG tag. The maximum length is 5000 characters, including tags.

Property: DisclaimerTextLocation
Valid values: Single value: Append or Prepend
Description: In PowerShell, you use the ApplyHtmlDisclaimerLocation parameter to specify the location of the disclaimer text in the message:
    Append: Add the disclaimer to the end of the message body. This is the default value.
    Prepend: Add the disclaimer to the beginning of the message body.

Property: DSNEnhancedStatusCode
Valid values: Single DSN code value: 5.7.1, or 5.7.900 through 5.7.999
Description: Specifies the DSN code that's used. You can create custom DSNs by using the New-SystemMessage cmdlet. If you don't specify the rejection reason text along with the DSN code, the default reason text that's used is Delivery not authorized, message refused. When you create or modify the rule in PowerShell, you can specify the rejection reason text by using the RejectMessageReasonText parameter.

Property: IncidentReportContent
Valid values: One or more of the following values: Sender; Recipients; Subject; Cc'd recipients (Cc); Bcc'd recipients (Bcc); Severity; Sender override information (Override); Matching rules (RuleDetections); False positive reports (FalsePositive); Detected data classifications (DataClassifications); Matching content (IdMatch); Original mail (AttachOriginalMail)
Description: Specifies the original message properties to include in the incident report. You can choose to include any combination of these properties. In addition to the properties you specify, the message ID is always included. The available properties are:
    Sender: The sender of the original message.
    Recipients, Cc'd recipients, and Bcc'd recipients: All recipients of the message, or only the recipients in the Cc or Bcc fields. For each property, only the first 10 recipients are included in the incident report.
    Subject: The Subject field of the original message.
    Severity: The audit severity of the rule that was triggered. Message tracking logs include all the audit severity levels, and can be filtered by audit severity. In the EAC, if you clear the Audit this rule with severity level check box (in PowerShell, the SetAuditSeverity parameter value DoNotAudit), rule matches won't appear in the rule reports. If a message is processed by more than one rule, the highest severity is included in any incident reports.
    Sender override information: The override if the sender chose to override a Policy Tip. If the sender provided a justification, the first 100 characters of the justification are also included.
    Matching rules: The list of rules that the message triggered.
    False positive reports: The false positive if the sender marked the message as a false positive for a Policy Tip.
    Detected data classifications: The list of sensitive information types detected in the message.
    Matching content: The sensitive information type detected, the exact matched content from the message, and the 150 characters before and after the matched sensitive information.
    Original mail: The entire message that triggered the rule is attached to the incident report.
In PowerShell, you specify multiple values separated by commas.

Property: MessageClassification
Valid values: Single message classification object
Description: In the EAC, you select from the list of available message classifications. In PowerShell, use the Get-MessageClassification cmdlet to see the message classification objects that are available.

Property: MessageHeaderField
Valid values: Single string
Description: Specifies the SMTP message header field to add, remove, or modify. The message header is a collection of required and optional header fields in the message. Examples of header fields are To, From, Received, and Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and are known as X-headers.

Property: NotificationMessageText
Valid values: Any combination of plain text, HTML tags, and keywords
Description: Specifies the text to use in a recipient notification message. In addition to plain text and HTML tags, you can specify the following keywords that use values from the original message: %%From%%, %%To%%, %%Cc%%, %%Subject%%, %%Headers%%, %%MessageDate%%

Property: NotifySenderType
Valid values: One of the following values:
    Notify the sender, but allow them to send (NotifyOnly)
    Block the message (RejectMessage)
    Block the message unless it's a false positive (RejectUnlessFalsePositiveOverride)
    Block the message, but allow the sender to override and send (RejectUnlessSilentOverride)
    Block the message, but allow the sender to override with a business justification and send (RejectUnlessExplicitOverride)
Description: Specifies the type of Policy Tip that the sender receives if the message violates a DLP policy. The settings are described in the following list:
    Notify the sender, but allow them to send: The sender is notified, but the message is delivered normally.
    Block the message: The message is rejected, and the sender is notified.
    Block the message unless it's a false positive: The message is rejected unless it's marked as a false positive by the sender.
    Block the message, but allow the sender to override and send: The message is rejected unless the sender has chosen to override the policy restriction.
    Block the message, but allow the sender to override with a business justification and send: This is similar to the Block the message, but allow the sender to override and send type, but the sender also provides a justification for overriding the policy restriction.
When you use this action, you need to use the The message contains sensitive information (MessageContainsDataClassification) condition.

Property: OutboundConnector
Valid values: Single outbound connector
Description: Specifies the identity of the outbound connector that's used to deliver messages. For more information about connectors, see Configure mail flow using connectors. In the EAC, you select the connector from a list. In PowerShell, use the Get-OutboundConnector cmdlet to see the connectors that are available.

Property: RMSTemplate
Valid values: Single Azure RMS template object
Description: Specifies the Azure Rights Management (Azure RMS) template that's applied to the message. In the EAC, you select the RMS template from a list. In PowerShell, use the Get-RMSTemplate cmdlet to see the RMS templates that are available. For more information about RMS in Microsoft 365 or Office 365, see What is Azure Information Protection?.

Property: SCLValue
Valid values: One of the following values: Bypass spam filtering (-1); Integers 0 through 9
Description: Specifies the spam confidence level (SCL) that's assigned to the message. A higher SCL value indicates that a message is more likely to be spam.

Property: String
Valid values: Single string
Description: Specifies the text that's applied to the specified message header field, NDR, or event log entry. In PowerShell, if the value contains spaces, enclose the value in quotation marks (").
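As an added example that is not part of the article, the following New-TransportRule call combines several of the property values above in one DLP rule: a NotifySenderType, a custom DSNEnhancedStatusCode with its rejection String, a selection of IncidentReportContent values sent to a single Addresses recipient, and an AuditSeverityLevel. The rule name, the sensitive information type name and the incident report mailbox are assumed values, and the rule starts in Audit mode so it records matches without blocking anything.

```powershell
# Added example (not from the article): a DLP rule that uses the property values above.
# Requires Exchange Online (DLP is not available in standalone EOP) and an Exchange Online
# PowerShell session. Assumed values: the rule name, the sensitive information type name,
# and the incident report mailbox.

$ruleName      = "DLP - payment card data sent outside the organization"
$reportMailbox = "dlp-incidents@contoso.example"   # Addresses: incident reports go to one recipient only

$rule = @{
    Name = $ruleName

    # The NotifySender action requires the MessageContainsDataClassification condition.
    # Hashtable keys: Name (sensitive information type) and optional minCount/maxCount.
    MessageContainsDataClassification = @{ Name = "Credit Card Number"; minCount = "1" }   # assumed type name
    SentToScope                       = "NotInOrganization"

    # NotifySenderType: block, but let the sender override with a business justification.
    NotifySender = "RejectUnlessExplicitOverride"

    # String and DSNEnhancedStatusCode for the rejection (custom code in the 5.7.900-5.7.999 range).
    RejectMessageReasonText         = "Blocked: this message appears to contain payment card numbers."
    RejectMessageEnhancedStatusCode = "5.7.950"

    # IncidentReportContent: the message ID is always included; these values are added to it.
    GenerateIncidentReport = $reportMailbox
    IncidentReportContent  = "Sender","Recipients","Subject","Severity","Override","RuleDetections","DataClassifications","IdMatch"

    # AuditSeverityLevel: matches are reported and written to the message tracking log as High.
    SetAuditSeverity = "High"

    # Test mode: nothing is blocked until the incident reports have been reviewed.
    Mode = "Audit"
}

New-TransportRule @rule

# Confirm what was set. Override justifications appear in the incident reports (first 100 characters).
Get-TransportRule -Identity $ruleName |
    Format-List Name,Mode,NotifySender,RejectMessageEnhancedStatusCode,SetAuditSeverity,IncidentReportContent

# To enforce after review:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```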

For more information

Mail flow rules (transport rules) in Exchange Online

Mail flow rule conditions and exceptions (predicates) in Exchange Online

Mail flow rule procedures in Exchange Online


Manage mail flow rules in Exchange Online
Article • 06/14/2022 • 13 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can use mail flow rules (also
known as transport rules) to look for specific conditions on messages that pass through
your organization and take action on them.

This article shows you how to create, copy, adjust the order, enable or disable, delete, or
import or export rules, and how to monitor rule usage.

Tip

To make sure your rules work the way you expect, be sure to thoroughly test each
rule and interactions between rules.

Interested in scenarios where these procedures are used? See Mail flow rule procedures
in Exchange Online.

What do you need to know before you begin?

Estimated time to complete each procedure: 5 minutes.

For information about how to access the Exchange admin center (EAC), see
Exchange admin center in Exchange Online. To connect to Exchange Online
PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone
EOP PowerShell, see Connect to standalone Exchange Online Protection
PowerShell.

You need to be assigned permissions before you can perform these procedures. To
see what permissions you need, see the "Mail flow" entry in Feature permissions in
Exchange Online.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.

Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Create a mail flow rule

You can create a mail flow rule by setting up a Data Loss Prevention (DLP) policy (in
Exchange Online only; not in standalone EOP), creating a new rule, or by copying a rule.
You can use the Exchange admin center (EAC) or PowerShell.

Note

After you create or modify a mail flow rule, it can take up to 30 minutes or more in
some cases for the new or updated rule to be applied to email.

Use a DLP policy to create mail flow rules

Note

This section does not apply to standalone EOP organizations.

Each DLP policy is a collection of mail flow rules. After you create the DLP policy, you
can fine-tune the rules using the procedures below.

1. Create a DLP policy.

2. Modify the mail flow rules created by the DLP policy.

Use the EAC to create a mail flow rule

The EAC allows you to create mail flow rules by using a template, copying an existing
rule, or from scratch.

1. Go to Mail flow > Rules.

2. Create the rule by using one of the following options:

To create a rule from a template, click Add and select a template.
To copy a rule, select the rule, and then select Copy.
To create a new rule from scratch, click Add and then select Create a new rule.

3. In the New rule dialog box, name the rule, and then select the conditions and
actions for this rule:

a. In Apply this rule if..., select the condition you want from the list of available
conditions.

Some conditions require you to specify values. For example, if you select
The sender is... condition, you must specify a sender address. If you're
adding a word or phrase, note that trailing spaces are not allowed.
If the condition you want isn't listed, or if you need to add exceptions,
select More options. Additional conditions and exceptions will be listed.
If you don't want to specify a condition, and want this rule to apply to
every message in your organization, select [Apply to all messages]
condition.

b. In Do the following..., select the action you want the rule to take on messages
matching the criteria from the list of available actions.

Some of the actions will require you to specify values. For example, if you
select the Forward the message for approval to... condition, you will need
to select a recipient in your organization.
If the condition you want isn't listed, select More options. Additional
conditions will be listed.

c. Specify how rule match data for this rule is displayed in the Data Loss
Prevention (DLP) reports and the Mail protection reports.

Under Audit this rule with severity level, select a level to specify the severity
level for this rule. The activity reports for mail flow rules group rule matches by
severity level. Severity level is just a filter to make the reports easier to use. The
severity level has no impact on the priority in which the rule is processed.

Note

If you clear the Audit this rule with severity level checkbox, rule matches
will not show up in the rule reports.

d. Set the mode for the rule. You can use one of the two test modes to test the
rule without impacting mail flow. In both test modes, when the conditions are
met, an entry is added to the message trace.

Enforce: This turns on the rule and it starts processing messages
immediately. All actions on the rule will be performed.
Test with Policy Tips: This turns on the rule, and any Policy Tip actions (
Notify the sender with a Policy Tip) will be sent, but no actions related to
message delivery will be performed. Data loss prevention (DLP) is required
in order to use this mode. To learn more, see Policy Tips.
Test without Policy Tips: Only the Generate incident report action will be
enforced. No actions related to message delivery are performed.

4. If you are satisfied with the rule, go to step 5. If you want to add more conditions
or actions, or if you want to specify exceptions or set additional properties, click
More options. After you click More options, complete the following fields to
create your rule:

a. To add more conditions, click Add condition. If you have more than one
condition, you can remove any one of them by clicking Remove X next to it.
Note that there are a larger variety of conditions available once you click More
options.

b. To add more actions, click Add action. If you have more than one action, you
can remove any one of them by clicking Remove X next to it. Note that there
are a larger variety of actions available once you click More options.

c. To specify exceptions, click Add exception, then select exceptions using the
Except if... dropdown. You can remove any exceptions from the rule by clicking
the Remove X next to it.

d. If you want this rule to take effect after a certain date, click Activate this rule on
the following date: and specify a date. Note that the rule will still be enabled
prior to that date, but it won't be processed.

Similarly, you can have the rule stop processing at a certain date. To do so, click
Deactivate this rule on the following date: and specify a date. Note that the
rule will remain enabled, but it won't be processed.

e. You can choose to avoid applying additional rules once this rule processes a
message. To do so, click Stop processing more rules. If you select this, and a
message is processed by this rule, no subsequent rules are processed for that
message.

f. You can specify how the message should be handled if the rule processing can't
be completed. By default, the rule will be ignored and the message will be
processed regularly, but you can choose to resubmit the message for
processing. To do so, check the Defer the message if rule processing doesn't
complete check box.
g. If your rule analyzes the sender address, it only examines the message headers
by default. However, you can configure your rule to also examine the SMTP
message envelope. To specify what's examined, click one of the following values
for Match sender address in message:

Header: Only the message headers will be examined.
Envelope: Only the SMTP message envelope will be examined.
Header or envelope: Both the message headers and SMTP message
envelope will be examined.

h. You can add comments to this rule in the Comments box.

5. Click Save to complete creating the rule.

Use Exchange Online PowerShell to create a mail flow rule

This example uses the New-TransportRule cmdlet to create a new mail flow rule that
prepends "External message to Sales DG:" to messages sent from outside the
organization to the Sales Department distribution group.

PowerShell

New-TransportRule -Name "Mark messages from the Internet to Sales DG" -FromScope NotInOrganization -SentTo "Sales Department" -PrependSubject "External message to Sales DG:"

The rule parameters and action used in the above procedure are for illustration only.
Review all the available mail flow rule conditions and actions to determine which ones
meet your requirements.
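As an added example rather than the article's own command, the following creates a rule from PowerShell with the properties the EAC procedure exposes under More options (rule mode, audit severity, error action, activation date, sender address matching) and then verifies it. The rule name, the partner domain and the custom header name are assumed values.

```powershell
# Added example (not from the article): create a sender-based inbound rule from PowerShell
# with the "More options" properties of the EAC procedure above, then verify it.
# Assumed values: the rule name, the partner domain, and the custom header name.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).

$ruleName = "Tag mail claiming to come from partner.example"

$rule = @{
    Name     = $ruleName
    Comments = "Owner: messaging security. Audit-only until the first rules report is reviewed."

    # Conditions: inbound mail whose sender domain is the partner's.
    FromScope      = "NotInOrganization"
    SenderDomainIs = "partner.example"          # assumed domain

    # Match sender address in message: by default only the header From is examined.
    # The header From is attacker-controlled, so examine the SMTP envelope sender too.
    SenderAddressLocation = "HeaderOrEnvelope"

    # Actions: stamp a header that downstream filters or SIEM rules can key on, and tag the subject.
    SetHeaderName  = "X-Partner-Sender-Check"   # assumed header name
    SetHeaderValue = "matched"
    PrependSubject = "[Partner] "

    # Exception: don't add the tag again to replies that already carry it.
    ExceptIfSubjectContainsWords = "[Partner]"

    # Rule mode and the properties from the "More options" section.
    Mode             = "Audit"                   # "Test without Policy Tips"
    SetAuditSeverity = "Medium"                  # shown in the rules report
    RuleErrorAction  = "Defer"                   # "Defer the message if rule processing doesn't complete"
    ActivationDate   = (Get-Date).AddDays(1)     # enabled now, but not processed until tomorrow
    Priority         = 0                         # processed before the existing rules
}

New-TransportRule @rule

# How do you know this worked? Confirm the properties that were set.
Get-TransportRule -Identity $ruleName |
    Format-List Name,State,Mode,Priority,SenderAddressLocation,RuleErrorAction,ActivationDate

# Once the matches recorded in the message trace look right, switch the rule to Enforce:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```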

How do you know this worked?

To verify that you have successfully created a new mail flow rule, do the following:

In the EAC, verify that the new mail flow rule you created is listed in the Rules list.

From Exchange Online PowerShell, verify that you created the new mail flow rule
successfully by running the following command (the example below verifies the
rule created in Exchange Online PowerShell example above):

PowerShell

Get-TransportRule "Mark messages from the Internet to Sales DG"

View or modify a mail flow rule

Note

After you create or modify a mail flow rule, it can take up to 30 minutes or more in
some cases for the new or updated rule to be applied to email.

Use the EAC to view or modify a mail flow rule

1. In the EAC, go to Mail flow > Rules.
2. When you select a rule in the list, the conditions, actions, exceptions and select
properties of that rule are displayed in the details pane. To view all the properties
of a specific rule, double click it. This opens the rule editor window, where you can
make changes to the rule. For more information about rule properties, see Use the
EAC to create a mail flow rule section, earlier in this article.

Use Exchange Online PowerShell to view or modify a mail flow rule

The following example gives you a list of all rules configured in your organization:

PowerShell

Get-TransportRule

To view the properties of a specific mail flow rule, you provide the name of that rule or
its GUID. It is usually helpful to send the output to the Format-List cmdlet to format the
properties. The following example returns all the properties of the mail flow rule named
Sender is a member of Marketing:

PowerShell

Get-TransportRule "Sender is a member of marketing" | Format-List

To modify the properties of an existing rule, use the Set-TransportRule cmdlet. This
cmdlet allows you to change any property, condition, action or exception associated
with a rule. The following example adds an exception to the rule "Sender is a member of
marketing" so that it won't apply to messages sent by the user Kelly Rollin:

PowerShell

Set-TransportRule "Sender is a member of marketing" -ExceptIfFrom "Kelly Rollin"

How do you know this worked?

To verify that you have successfully modified a mail flow rule, do the following:

From the rules list in the EAC, click the rule you modified in the Rules list and view
the details pane.

From Exchange Online PowerShell, verify that you modified the mail flow rule
successfully by running the following command to list the properties you modified
along with the name of the rule (the example below verifies the rule modified in
Exchange Online PowerShell example above):

PowerShell

Get-TransportRule "Sender is a member of marketing" | Format-List Name,ExceptIfFrom

Mail flow rule properties

You can also use the Set-TransportRule cmdlet to modify existing mail flow rules in your
organization. Below is a list of properties not available in the EAC that you can change. For
more information on using the Set-TransportRule cmdlet to make these changes, see
Set-TransportRule.

Condition Name in the EAC: Stop Processing Rules
Condition name in Exchange Online PowerShell: StopRuleProcessing
Description: Enables you to stop processing additional rules

Condition Name in the EAC: Header/Envelope matching
Condition name in Exchange Online PowerShell: SenderAddressLocation
Description: Enables you to examine the SMTP message envelope to ensure the header and envelope match

Condition Name in the EAC: Audit severity
Condition name in Exchange Online PowerShell: SetAuditSeverity
Description: Enables you to select a severity level for the audit

Condition Name in the EAC: Rule modes
Condition name in Exchange Online PowerShell: Mode
Description: Enables you to set the mode for the rule

Set the priority of a mail flow rule

The rule at the top of the list is processed first. This rule has a Priority of 0.

Use the EAC to set the priority of a rule

1. In the EAC, go to Mail flow > Rules. This displays the rules in the order in which
they are processed.
2. Select a rule, and use the arrows to move the rule up or down the list.

Use Exchange Online PowerShell to set the priority of a rule

The following example sets the priority of "Sender is a member of Marketing" to 2:

PowerShell

Set-TransportRule "Sender is a member of Marketing" -Priority "2"

How do you know this worked?

To verify that you have successfully modified a mail flow rule, do the following:

From the rules list in the EAC, look at the order of the rules.

From Exchange Online PowerShell, verify the priority of the rules (the example
below verifies the rule modified in Exchange Online PowerShell example above):

PowerShell

Get-TransportRule * | Format-List Name,Priority

Enable or disable a mail flow rule

Rules are enabled when you create them. You can disable a mail flow rule.

Use the EAC to enable or disable a mail flow rule

1. In the EAC, go to Mail flow > Rules.
2. To disable a rule, clear the check box next to its name.
3. To enable a disabled rule, select the check box next to its name.

Use Exchange Online PowerShell to enable or disable a mail flow rule

The following example disables the mail flow rule "Sender is a member of marketing":

PowerShell

Disable-TransportRule "Sender is a member of marketing"

The following example enables the mail flow rule "Sender is a member of marketing":

PowerShell

Enable-TransportRule "Sender is a member of marketing"

How do you know this worked?

To verify that you have successfully enabled or disabled a mail flow rule, do the
following:

In the EAC, view the list of rules in the Rules list and check the status of the check
box in the ON column.

From Exchange Online PowerShell, run the following command which will return a
list of all rules in your organization along with their status:

PowerShell

Get-TransportRule | Format-Table Name,State

Remove a mail flow rule

Use the EAC to remove a mail flow rule

1. In the EAC, go to Mail flow > Rules.
2. Select the rule you want to remove and then click Delete.

Use Exchange Online PowerShell to remove a mail flow rule

The following example removes the mail flow rule "Sender is a member of marketing":

PowerShell

Remove-TransportRule "Sender is a member of marketing"

How do you know this worked?

To verify that you have successfully removed the mail flow rule, do the following:

In the EAC, view the rules in the Rules list and verify that the rule you removed is
no longer shown.

From Exchange Online PowerShell, run the following command and verify that the
rule you remove is no longer listed:

PowerShell

Get-TransportRule

Monitor rule usage

If you're using Exchange Online or Exchange Online Protection, you can check the
number of times each rule is matched by using a rules report. In order to be included in
the reports, a rule must have the Audit this rule with severity level check box selected.
You can look at a report online, or download an Excel version of all the mail protection
reports.

Note

While most data is in the report within 24 hours, some data may take as long as 5
days to appear.

Use the new Exchange admin center to view a rules report

1. In the new EAC (https://admin.exchange.microsoft.com), go to Reports > Mail flow.
2. On the Mail flow reports page, find and select Exchange Transport Rule report.

Download an Excel version of the reports

For steps to download reports, see Download existing reports in the Microsoft Purview
compliance portal.

Import or export a mail flow rule collection

You must use Exchange Online PowerShell to import or export a mail flow rule
collection. For information about how to import a mail flow rule collection from an XML
file, see Import-TransportRuleCollection.

For information about how to export a mail flow rule collection to an XML file, see
Export-TransportRuleCollection.

Need more help?

Mail flow rules (transport rules) in Exchange Online

Mail flow rule conditions and exceptions (predicates) in Exchange Online

Mail flow rule actions in Exchange Online

Journal, transport, and inbox rule limits


Best practices for configuring mail flow rules in Exchange Online
Article • 03/18/2022 • 3 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, follow these best practice
recommendations for mail flow rules (also known as transport rules) in order to avoid
common configuration errors. Each recommendation links to an article with an example
and step-by-step instructions.

Test your rules

To make sure unexpected things don't happen to email messages, and to make sure
you're really meeting the business, legal, or compliance intentions of your rule, be sure
to test it thoroughly. There are many options, and rules can interact with each other, so
it's important to test messages that you expect both will match the rule and won't
match the rule in case you inadvertently made a rule too general. To learn all the options
for testing rules, see Test mail flow rules in Exchange Online.

Scope your rule

Make sure your rule applies only to the messages you intend it to. For example:

Restrict a rule to messages either coming into or going out of the organization:
By default, a new rule applies to messages that are sent by and received by people
in your organization. So if you want the rule to apply only one way, be sure to
specify that in the conditions for the rule. For examples, see Use mail flow rules for
attachment blocking scenarios in Exchange Online
Restrict a rule based on the sender's or receiver's domain: By default, a new rule
applies to messages sent from or received by any domain. Sometimes you want a
rule to apply to all domains except for one, or to just one domain. See Create
blocked sender lists in EOP.

For a complete list of all the conditions and exceptions that are available for mail flow
rules, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.

Know when you need two rules

Sometimes it takes two rules to do what you want. Mail flow rules are processed in
order, so multiple rules can apply to the same message. For example, if one of the
actions is to block the message, and you also have another action you'd like to apply,
such as copying the message to the sender's manager or changing the subject for the
notification message, you would need two rules. The first rule could copy the message
to the sender's manager and change the subject, and the second rule could block the
message.

If you use two rules like this, be sure that the conditions are identical. For example:

Set up a message approval chain


Modify the subject line for notifications

Don't repeat an action on every email in a conversation

The chain of email in a conversation can include many individual messages, and
repeating the action on each message in the thread might get annoying. For example, if
you have an action such as adding a disclaimer, you might want it to apply only to the
first message in the thread. If so, add an exception for messages that already include the
disclaimer text. For an example, see Organization-wide message disclaimers, signatures,
footers, or headers in Exchange Online.

Know when to stop rule processing

Sometimes it makes sense to stop rule processing once a rule is matched. For example,
if you have one rule to block messages with attachments and one to insert a disclaimer
in messages that match a pattern, you probably should stop rule processing once the
message is blocked. There's no need for further action.

To stop rule processing after a rule is triggered, in the rule, select the Stop processing
more rules check box.
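The two-rule pattern from Know when you need two rules, with Stop processing more rules set on the blocking rule, as an added example that is not the article's own code. The rule names and the attachment extension list are assumed values.

```powershell
# Added example (not from the article): two rules with identical conditions, the first
# copying the sender's manager and changing the subject, the second blocking the message
# and stopping further rule processing. Assumed values: the rule names and the attachment
# extension list. Requires an Exchange Online PowerShell session.

# Identical conditions for both rules: outbound messages carrying executable-type attachments.
$conditions = @{
    FromScope                       = "InOrganization"
    SentToScope                     = "NotInOrganization"
    AttachmentExtensionMatchesWords = "exe","js","vbs"   # assumed list
}

# Rule 1 (priority 0): copy the sender's manager and change the subject. This rule must
# come first, because the blocking rule stops every later rule from running.
New-TransportRule -Name "Blocked attachment - notify manager" @conditions `
    -AddManagerAsRecipientType Cc `
    -PrependSubject "[Blocked attachment] " `
    -Priority 0

# Rule 2 (priority 1): reject the message with an NDR and stop processing more rules, so
# a disclaimer rule further down the list does no work on a message that isn't delivered.
New-TransportRule -Name "Blocked attachment - reject" @conditions `
    -RejectMessageReasonText "Executable attachments cannot be sent outside the organization." `
    -RejectMessageEnhancedStatusCode "5.7.901" `
    -StopRuleProcessing $true `
    -Priority 1

# Verify the order: the notify rule must have the lower priority number.
Get-TransportRule | Where-Object { $_.Name -like "Blocked attachment*" } |
    Sort-Object Priority |
    Format-Table Priority,Name,StopRuleProcessing
```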

If you have lots of keywords or patterns to match, load them from a file

For example, you might want to prevent emails from being sent if they contain a list of
unacceptable or bad words. You can create a text file containing these words and
phrases, and then use PowerShell to set up a mail flow rule that blocks messages that
use them.
The text file can contain regular expressions for patterns. These expressions are not
case-sensitive. Common regular expressions include:

| Expression        | Matches                                   |
|-------------------|-------------------------------------------|
| .                 | Any single character                      |
| *                 | Any additional characters                 |
| \d                | Any decimal digit                         |
| [character_group] | Any single character in character_group.  |

For an example that shows a text file with regular expressions and the Exchange module
Windows PowerShell commands to use, see Use mail flow rules to route email based on
a list of words, phrases, or patterns in Exchange Online.

To learn how to specify patterns using regular expressions, see Regular Expression
Reference.
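As an added example (not code from the article), here is how the file-driven approach might look in Exchange Online PowerShell; the file path, rule name, reject text and the sample pattern lines are assumptions:

```powershell
# Added example (not from the article): build a blocking rule from a pattern file.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) and
# that the path below exists; the path, rule name and reject text are assumptions.

$patternFile = "C:\Policies\BlockedPatterns.txt"

# Sample file content, constructed for this example, one expression per line:
#   \bwire\s+transfer\s+urgent\b
#   \bACCT-\d{8}\b
#   internal use only
# Matching in mail flow rules is not case-sensitive, so no (?i) prefix is needed.

# Read the file, trim each line, and drop blank lines and '#' comment lines so that
# a stray trailing space or a comment does not silently become a pattern.
$patterns = Get-Content -Path $patternFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

if (-not $patterns) { throw "No usable patterns were found in $patternFile" }

# Reject any expression .NET cannot compile before the rule is created, so a typo
# shows up here rather than as a rule that never matches in production.
foreach ($p in $patterns) {
    try { [void][regex]::new($p) }
    catch { throw "Invalid regular expression '$p': $($_.Exception.Message)" }
}

# Create the rule. SubjectOrBodyMatchesPatterns takes the whole array, and the rule
# matches when any one of the expressions matches.
$ruleName = "Block messages matching the restricted pattern list"
New-TransportRule -Name $ruleName `
    -SubjectOrBodyMatchesPatterns $patterns `
    -RejectMessageReasonText "This message was blocked because it matches a restricted pattern." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -StopRuleProcessing $true

# Confirm what the service actually stored; the pattern count should match the file.
Get-TransportRule -Identity $ruleName |
    Format-List Name, Priority, State, SubjectOrBodyMatchesPatterns, RejectMessage*
```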

Test mail flow rules in Exchange Online
Article • 12/29/2021 • 5 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you should test new mail flow rules
(also known as transport rules) before you turn them on. This way, if you accidentally
create a condition that doesn't do exactly what you want or interacts with other rules in
unexpected ways, you won't have any unintended consequences.

Important

Wait at least 30 minutes after creating a rule before you test it. If you test
immediately after you create the rule, you may get inconsistent behavior.

Step 1: Create a rule in test mode

Note

DLP and policy tips are not available in standalone EOP.

You can evaluate the conditions for a rule without taking any actions that impact mail
flow by choosing a test mode. You can set up a rule so that you get an email notification
any time the rule is matched, or you can look at the message trace for messages that
might match the rule. There are two test modes:

Test without Policy Tips: Use this mode together with an incident report action,
and you can receive an email message each time an email matches the rule.

Test with Policy Tips: This mode is only available if you're using Data loss
prevention (DLP), which is available with some Exchange Online and Exchange
Online Protection (EOP) subscription plans. With this mode, a message is sent to the
sender when a message they are sending matches a policy, but no mail flow
actions are taken.

Here's what you'll see when a rule is matched if you include the incident report action:

Use a test mode with an incident report action

1. In the Exchange admin center (EAC), go to Mail flow > Rules.

2. Create a new rule, or select an existing rule, and then select Edit.

3. Scroll down to the Choose a mode for this rule section, and then select Test
without Policy Tips or Test with Policy Tips.

4. Add an incident report action:

a. Select Add action, or, if this isn't visible, select More options, and then select
Add action.

b. Select Generate incident report and send it to.

c. Click Select one... and select yourself or someone else.

d. Select Include message properties, and then select any message properties that
you want included in the email you receive. If you don't select any, you will still
get an email when the rule is matched.

5. Select Save.

Step 2: Evaluate whether your rule does what you intend

To test a rule, you can either send enough test messages to confirm that what you
expect happens, or look at the message trace for messages that people in your
organization send. Be sure to evaluate the following types of messages:

Messages that you expect to match the rule
Messages that you don't expect to match the rule
Messages sent to and from people in your organization
Messages sent to and from people outside your organization
Replies to messages that match the rule
Messages that might cause interactions between multiple rules

Tips for sending test messages

One way to test is to sign in as both the sender and recipient of a test message.

If you don't have access to multiple accounts in your organization, you can test in a
trial account or create a few temporary fake users in your organization.

Because a web browser typically doesn't let you have simultaneous open sessions
on the same computer signed in to multiple accounts, you can use Internet
Explorer InPrivate Browsing, or a different computer, device, or web browser for
each user.

Look at the message trace

The message trace includes an entry for each rule that is matched for the message, and
an entry for each action the rule takes. This is useful for tracking what happens to test
messages, and also for tracking what happens to real messages going through your
organization.

1. In the EAC, go to Mail flow > Message trace.

2. Find the messages that you want to trace by using criteria such as the sender and
the date sent. For help specifying criteria, see Run a Message Trace and View
Results.

3. After locating the message you want to trace, double-click it to view details about
the message.

4. Look in the Event column for Transport rule. The Action column shows the specific
action taken.

Step 3: When you're done testing, set the rule to enforce

1. In the EAC, go to Mail flow > Rules.

2. Select a rule, and then select Edit.

3. Select Enforce.

4. If you used an action to generate an incident report, select the action and then
select Remove.

5. Select Save.
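Steps 1 to 3 above in Exchange Online PowerShell, as an added example that is not from the article; it uses the disclaimer-with-exception scenario from the best-practices section so that the test also covers replies in a thread, and the rule name, mailbox addresses, disclaimer text and marker phrase are assumptions:

```powershell
# Added example (not from the article): a disclaimer rule taken through test mode,
# message trace review, and enforcement. Assumes a connected Exchange Online
# PowerShell session; names, addresses, disclaimer text and marker are assumptions.

$ruleName = "External mail disclaimer"
$reportTo = "mailflow-admins@contoso.com"   # assumed mailbox that receives incident reports
$marker   = "EXT-DISCLAIMER-7F3A"           # unique phrase that marks an already-stamped thread

$disclaimer = "<p style='font-size:10px'>This message originated outside the organization. " +
              "Do not open attachments or follow links you did not expect. [$marker]</p>"

# Step 1: create the rule in test mode. -Mode Audit is "Test without Policy Tips"
# (AuditAndNotify is "Test with Policy Tips" and needs DLP). The disclaimer action is
# evaluated but not applied; the incident report tells you what would have happened.
# The exception on the marker phrase stops the disclaimer being added again on every
# reply, because each reply quotes the original, which already carries the marker.
# In Audit mode nothing is stamped, so replies still show as matches until you enforce.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -ExceptIfSubjectOrBodyContainsWords $marker `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Audit `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections

# Step 2: after waiting at least 30 minutes and sending the test messages (expected
# matches, expected non-matches, internal and external senders, replies), pull the
# "Transport rule" events from the message trace for a given test sender.
function Get-RuleTraceEvents {
    param([Parameter(Mandatory)][string]$SenderAddress, [int]$Hours = 24)
    $end = Get-Date
    Get-MessageTrace -SenderAddress $SenderAddress -StartDate $end.AddHours(-$Hours) -EndDate $end |
        Get-MessageTraceDetail |
        Where-Object { $_.Event -eq 'Transport rule' } |
        Select-Object Date, Event, Action, Detail
}
Get-RuleTraceEvents -SenderAddress "tester@fabrikam.com"   # assumed external test sender

# Step 3: once the trace shows only the intended matches, enforce the rule and remove
# the incident report action so admins stop receiving a report for every external message.
Set-TransportRule -Identity $ruleName -Mode Enforce `
    -GenerateIncidentReport $null -IncidentReportContent $null
```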

Tip

To avoid surprises, inform your users about new rules.

Troubleshooting suggestions
Here are some common problems and resolutions:

Everything looks right, but the rule isn't working.

Occasionally it takes longer than 15 minutes for a new mail flow rule to be available.
Wait a few hours, and then test again. Also check to see if another rule might be
interfering. Try changing this rule to priority 0 by moving it to the top of the list.

Disclaimer is added to original message and all replies, instead of just the
original message.

To avoid this, you can add an exception to your disclaimer rule to look for a unique
phrase in the disclaimer.

My rule has two conditions, and I want the action to happen when either of the
conditions is met, but it only is matched when both conditions are met.

You need to create two rules, one for each condition. You can easily copy the rule
by selecting Copy and then remove one condition from the original and the other
condition from the copy.

I'm working with distribution groups, and The sender is (SentTo) doesn't seem
to be working.

SentTo matches messages where one of the recipients is a mailbox, mail-enabled
user, or contact, but you can't specify a distribution group with this condition.
Instead, use To box contains a member of this group (SentToMemberOf).

Other testing options

If you're using Exchange Online or Exchange Online Protection, you can check the
number of times each rule is matched by using a rules report. In order to be included in
the reports, a rule must have the Audit this rule with severity level check box selected.
These reports help you spot trends in rule usage and identify rules that are not matched.

To view a rules report, in the Microsoft 365 admin center, select Reports.

Note

While most data is in the report within 24 hours, some data may take as long as 5
days to appear.
To learn more, see View mail protection reports.

Need more help?

Manage mail flow rules

Mail flow rules (transport rules) in Exchange Online


Mail flow rule procedures in Exchange Online
Article • 04/19/2022 • 2 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can use mail flow rules (also
known as transport rules) to meet the scenarios as described in this article.

To learn about concepts and objectives for mail flow rules, see Mail flow rules (transport
rules) in Exchange Online.

Mail flow rule procedures for anti-spam features in Exchange Online and standalone EOP

Use mail flow rules for attachment blocking scenarios: Learn how to use mail flow rules
to block all attachments.

Use mail flow rules to block messages with executable attachments: Learn how to use
mail flow rules to block messages that contain executable attachments.

Use mail flow rules to inspect message attachments: Learn how to use mail flow rule
conditions that allow you to inspect the content of message attachments.

Use mail flow rules to set the spam confidence level (SCL) in messages: Learn how to use
mail flow rules to mark specific messages as spam before they're even scanned by spam
filtering, or mark messages so they'll skip spam filtering.

Use mail flow rules to filter bulk email: Examples describing how to mark messages that
contain specific bulk indicator content as spam.

Use mail flow rules to see what users are reporting to Microsoft: Receive copies of
messages that users report as junk, not junk or phishing to Microsoft.

Mail flow rule procedures for other features in Exchange Online and standalone EOP

Organization-wide message disclaimers, signatures, footers, or headers: Learn how to
set up a legal disclaimer, email disclaimer, consistent signature, email header, or email
footer by using mail flow rules.

Use mail flow rules so messages can bypass Clutter: Information to help you make sure
messages are sent to an inbox instead of the Clutter folder.

Use mail flow rules to route email based on a list of words, phrases, or patterns:
Information to help you comply with your organization's email policies.

Mail flow rule procedures for features in Exchange Online only

Use mail flow rules for message approval scenarios in Exchange Online: Use mail flow
rules instead of enabling moderation on recipients to meet message approval scenarios.

Use mail flow rules to automatically add meetings to calendars in Exchange Online: Use
the Direct to Calendar feature in Exchange Online to add meetings directly to calendars
in Exchange Online.

Define rules to encrypt email messages in Exchange Online: Learn how to use mail flow
rules to encrypt messages using Microsoft Purview Message Encryption.

For more information

Mail flow rules (transport rules) in Exchange Online

Manage mail flow rules in Exchange Online

Best practices for configuring mail flow rules in Exchange Online

Test mail flow rules in Exchange Online

Use mail protection reports to view data about malware, spam, and rule detections

Common attachment blocking scenarios for mail flow rules in Exchange Online
Article • 03/18/2022 • 3 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you might need to block or reject
certain types of messages in order to meet legal or compliance requirements, or to meet
specific business needs. This article discusses examples of common scenarios for
blocking all attachments which you can set up using mail flow rules (also known as
transport rules).

Notes:

For additional examples showing how to block specific attachments by using mail
flow rules, see Use mail flow rules to inspect message attachments in Exchange
Online.

Anti-malware policies in EOP allow you to block specific file types by turning on and
configuring the common attachment types filter. For instructions, see Configure
anti-malware policies in EOP.

To get started using mail flow rules to block certain message types, do the following
steps:

1. Open the Exchange admin center (EAC). For more information, see Exchange
admin center in Exchange Online.
2. Go to Mail flow > Rules.
3. Click New and then select Create a new rule.
4. In the Name box, specify a name for the rule, and then click More options.
5. Select the conditions and actions you want.

Note

In the EAC, the smallest attachment size that you can enter is 1 kilobyte, which
should detect most attachments. However, if you want to detect every possible
attachment of any size, you need to use PowerShell to adjust the attachment size to
1 byte after you create the rule in the EAC. To connect to PowerShell, see Connect
to Exchange Online PowerShell or Connect to standalone Exchange Online
Protection PowerShell.
Embedded images are treated as attachments (for example, messages with a
picture in the signature). For this reason, we do not recommend using a very small
value for the attachment size since unexpected messages will be blocked.

Example 1: Block messages with attachments, and notify the sender

If you don't want certain people in your organization to send or receive attachments
greater than 10 Megabytes, you can set up a mail flow rule to block messages with
attachments of this size.

In this example, all messages sent to or from the organization with attachments greater
than 10 Megabytes are blocked.

If all you want to do is block the message, you might want to stop rule processing once
this rule is matched. Scroll down the rule dialog box, and select the Stop processing
more rules check box.

Example 2: Notify intended recipients when an inbound message is blocked

If you want to reject a message but let the intended recipient know what happened, you
can use the Notify the recipient with a message action.

You can include placeholders in the notification message so that it includes information
about the original message. The placeholders must be enclosed in two percent signs
(%%), and when the notification message is sent, the placeholders are replaced with
information from the original message. You can also use basic HTML such as <br>, <b>,
<i>, and <img> in the message.

| Type of information | Placeholder |
|---------------------|-------------|
| Sender of the message. | %%From%% |
| Recipients listed on the "To" line. | %%To%% |
| Recipients listed on the "Cc" line. | %%Cc%% |
| Subject of the original message. | %%Subject%% |
| Headers from the original message. This is similar to the list of headers in a delivery status notification (DSN) generated for the original message. | %%Headers%% |
| Date the original message was sent. | %%MessageDate%% |

In this example, all messages that contain attachments and are sent to people inside
your organization are blocked, and the recipient is notified.

Example 3: Modify the subject line for notifications

When a notification is sent to the recipient, the subject line is the subject of the original
message. If you want to modify the subject so that it is clearer to the recipient, you must
use two mail flow rules:

The first rule adds the word "undeliverable" to the beginning of the subject of any
messages with attachments.

The second rule blocks the message and sends a notification message to the
sender using the new subject of the original message.

Important

The two rules must have identical conditions. Rules are processed in order, so the
first rule adds the word "undeliverable", and the second rule blocks the message
and notifies the recipient.

Here's what the first rule would look like if you want to add "undeliverable" to the
subject:

And the second rule does the blocking and notification (the same rule from Example 2):

Example 4: Apply a rule with a time limit

If you have a malware outbreak, you might want to apply a rule with a time limit so that
you temporarily block attachments. For example, the following rule has both a start and
stop day and time:
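The four examples above as Exchange Online PowerShell rules, added here and not taken from the article; rule names, reject and notification text, and the outbreak dates are assumptions:

```powershell
# Added example (not from the article): the four scenarios above as PowerShell rules.
# Assumes a connected Exchange Online PowerShell session; rule names, reject text,
# notification text and the outbreak dates are assumptions.

# Example 1: block messages, inbound or outbound, with an attachment of 10 MB or more,
# tell the sender why in the NDR, and stop evaluating further rules for that message.
New-TransportRule -Name "Block attachments of 10 MB or more" `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText "Attachments of 10 MB or larger are not accepted. Share a link to the file instead." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -StopRuleProcessing $true

# Example 2: block inbound messages that carry any attachment and tell the intended
# recipient. 1 KB is the smallest size the EAC accepts and catches most attachments;
# 1B is possible from PowerShell but also matches embedded signature images.
# %%...%% placeholders are filled from the original message; basic HTML is allowed.
$notice = "<b>A message addressed to you was blocked because it contained an attachment.</b><br>" +
          "From: %%From%%<br>Subject: %%Subject%%<br>Sent: %%MessageDate%%<br>" +
          "Ask the sender to share the file through an approved service."
New-TransportRule -Name "Block inbound attachments and notify recipient" `
    -FromScope NotInOrganization `
    -AttachmentSizeOver 1KB `
    -GenerateNotification $notice `
    -DeleteMessage $true

# Example 3: change the subject the recipient sees in the notification. Two rules with
# identical conditions: the first (priority 0) prepends the subject, the second blocks
# and notifies using the already-modified subject. Splatting one hashtable into both
# keeps the conditions identical by construction rather than by copy-and-paste.
# (Keep either the Example 2 rule or this pair, not both.)
$conditions = @{ FromScope = 'NotInOrganization'; AttachmentSizeOver = 1KB }
New-TransportRule -Name "Mark blocked attachment subject" @conditions `
    -PrependSubject "undeliverable: " `
    -Priority 0
New-TransportRule -Name "Block inbound attachments and notify (modified subject)" @conditions `
    -GenerateNotification $notice `
    -DeleteMessage $true `
    -Priority 1

# Example 4: during a malware outbreak, block every attachment for a fixed window only.
# The rule is stored now but is active only between ActivationDate and ExpiryDate.
New-TransportRule -Name "Outbreak response: block all attachments" `
    -AttachmentSizeOver 1KB `
    -RejectMessageReasonText "Attachments are temporarily blocked while a security incident is handled." `
    -ActivationDate (Get-Date '2024-03-01T08:00:00') `
    -ExpiryDate     (Get-Date '2024-03-03T18:00:00') `
    -Priority 0 `
    -StopRuleProcessing $true

# Review the resulting order; rules run from priority 0 upward.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, Mode, ActivationDate, ExpiryDate -AutoSize
```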

See also

Mail flow rules (transport rules) in Exchange Online

Use mail flow rules to block messages with executable attachments in Exchange Online
Article • 12/16/2022 • 3 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, messages with harmful attachments
are blocked by anti-malware policies, including messages with executable attachments.
For more information, see Anti-malware protection in EOP.

To further enhance protection, you can use mail flow rules (also known as transport
rules) to identify and block messages that contain executable attachments as described
in this article.

For example, following a malware outbreak, a company could apply this rule with a time
limit so that affected users can get back to sending attachments after a specified length
of time.

What do you need to know before you begin?

You need to be assigned permissions in Exchange Online or Exchange Online
Protection before you can do the procedures in this article. Specifically, you need
the Transport Rules role, which is assigned to the Organization Management,
Compliance Management, and Records Management role groups by default.

For more information, see the following topics:

Permissions in Exchange Online
Permissions in standalone EOP
Use the EAC to modify the list of members in role groups

To open the EAC in Exchange Online, see Exchange admin center in Exchange
Online. To open the EAC in standalone EOP, see Exchange admin center in
standalone EOP.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

For more information about mail flow rules in Exchange Online and standalone
EOP, see the following topics:

Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online

Use the EAC to create a rule that blocks messages with executable attachments

1. In the EAC, go to Mail flow > Rules.

2. Click Add and then select Create a new rule.

3. In the New rule page that opens, configure the following settings:

Name: Enter a unique, descriptive name for the rule.

Click More Options.

Apply this rule if: Select Any attachment > has executable content.

Do the following: Select Block the message and then choose the action you
want:

reject the message and include an explanation: In the Specify reject
reason dialog that appears, enter the text you want to appear in the
non-delivery report (also known as an NDR or bounce message). The default
enhanced status code that's used is 5.7.1.

reject the message with the enhanced status code of: In the Enter
enhanced status code dialog that appears, enter the enhanced status
code that you want to appear in the NDR. Valid values are 5.7.1 or a value
from 5.7.900 to 5.7.999. The default rejection text is: Delivery not
authorized, message refused.

reject the message without notifying anyone

4. When you're finished, click Save. Your attachment blocking rule is now in force.

Use PowerShell to create a rule that blocks messages with executable attachments

Use the following syntax to create a rule to block messages that contain executable
attachments:

PowerShell

New-TransportRule -Name "<UniqueName>" -AttachmentHasExecutableContent $true [-RejectMessageEnhancedStatusCode <5.7.1 | 5.7.900 to 5.7.999>] [-RejectMessageReasonText "<Text>"] [-DeleteMessage $true]

Notes:

If you use the RejectMessageEnhancedStatusCode parameter without the
RejectMessageReasonText parameter, the default text is: Delivery not authorized,
message refused.

If you use the RejectMessageReasonText parameter without the
RejectMessageEnhancedStatusCode parameter, the default code is 5.7.1.

This example creates a new rule named Block Executable Attachments that silently
deletes messages that contain executable attachments.

PowerShell

New-TransportRule -Name "Block Executable Attachments" -AttachmentHasExecutableContent $true -DeleteMessage $true

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?

To verify that you've successfully created a mail flow rule to block messages that contain
executable attachments, do any of the following steps:

In the EAC, go to Mail flow > Rules > select the rule > click Edit , and verify the
settings.

In PowerShell, run the following command to verify the settings:

PowerShell

Get-TransportRule -Identity "<Rule Name>" | Format-List Name,AttachmentHasExecutableContent,RejectMessage*,DeleteMessage

Use mail flow rules to inspect message attachments in Exchange Online
Article • 10/14/2022 • 9 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can inspect email attachments by
setting up mail flow rules (also known as transport rules). Mail flow rules allow you to
examine email attachments as a part of your messaging security and compliance needs.
When you inspect attachments, you can then take action on the messages based on the
content or characteristics of the attachments. Here are some attachment-related tasks
you can do by using mail flow rules:

Search for files with text that matches a pattern you specify, and add a disclaimer
to the end of the message.
Inspect content within attachments and, if there are any keywords you specify,
redirect the message to a moderator for approval before it's delivered.
Check for messages with attachments that can't be inspected and then block the
entire message from being sent.
Check for attachments that exceed a certain size and then notify the sender of the
issue, if you choose to prevent the message from being delivered.
Check whether the properties of an attached Office document match the values
that you specify. With this condition, you can integrate the requirements of your
mail flow rules and DLP policies with a third-party classification system, such as
SharePoint or the Windows Server File Classification Infrastructure (FCI).
Create notifications that alert users if they send a message that has matched a mail
flow rule.
Block all messages containing attachments. For examples, see Use mail flow rules
for attachment blocking scenarios in Exchange Online.

Note

All of these conditions will scan compressed archive attachments.

Exchange Online admins can create mail flow rules in the Exchange admin center (EAC)
at Mail flow > Rules. You need permissions to do this procedure. After you start to
create a new rule, you can see the full list of attachment-related conditions by clicking
More options > Any attachment under Apply this rule if. The attachment-related
options are shown in the following diagram.
For more information about mail flow rules, including the full range of conditions and
actions that you can choose, see Mail flow rules (transport rules) in Exchange Online.
Exchange Online Protection (EOP) and hybrid customers can benefit from the mail flow
rules best practices provided in Best Practices for Configuring EOP. If you're ready to
start creating rules, see Manage mail flow rules in Exchange Online.

Inspect the content within attachments

You can use the mail flow rule conditions in the following table to examine the content
of message attachments. For these conditions, only the first 1 megabyte (MB) of text
extracted from an attachment is inspected. The 1-MB limit refers to the extracted text,
not the file size of the attachment. For example, a 2-MB file may contain less than 1 MB
of text, so all of the text would be inspected.

To start using these conditions when inspecting messages, you need to add them to a
mail flow rule. Learn about creating or changing rules at Manage mail flow rules in
Exchange Online.

| Condition name in the EAC | Condition name in Exchange Online PowerShell | Description |
|---------------------------|----------------------------------------------|-------------|
| Any attachment's content includes (Any attachment > content includes any of these words) | AttachmentContainsWords | This condition matches messages with supported file type attachments that contain a specified string or group of characters. |
| Any attachment's content matches (Any attachment > content matches these text patterns) | AttachmentMatchesPatterns | This condition matches messages with supported file type attachments that contain a text pattern that matches a specified regular expression. |
| Any attachment's content can't be inspected (Any attachment > content can't be inspected) | AttachmentIsUnsupported | Mail flow rules can only inspect the content of supported file types. If the mail flow rule finds an attachment that isn't supported, the AttachmentIsUnsupported condition is triggered. The supported file types are described in the next section. |
Note

The condition names in Exchange Online PowerShell are parameter names on
the New-TransportRule and Set-TransportRule cmdlets. For more
information, see New-TransportRule.

Learn more about property types for these conditions at Mail flow rule
conditions and exceptions (predicates) in Exchange Online.

To learn how to use Windows PowerShell to connect to Exchange Online, see
Connect to Exchange Online PowerShell.

Supported file types for mail flow rule content inspection

The following table lists the file types supported by mail flow rules. The system
automatically detects file types by inspecting file properties rather than the actual file
name extension, thus helping to prevent malicious hackers from being able to bypass
mail flow rule filtering by renaming a file extension. A list of file types with executable
code that can be checked within the context of mail flow rules is listed later in this
article.

| Category | File extension | Notes |
|----------|----------------|-------|
| Adobe PDF | .pdf | None |
| Compressed archive files | .arj, .bz2, .cab, .chm, .gz, .gzip, .lha, .lzh, .lzma, .mhtml, .msp, .rar, .rar4, .tar, .xar, .xz, .zip, .7z | None |
| HTML | .ascx, .asp, .aspx, .css, .hta, .htm, .html, .htw, .htx, .jhtml | None |
| JSON | adaptivecard, .json, messagecard | None |
| Mail | .eml, .msg, .nws | None |
| Microsoft Office | .doc, .docm, .docx, .dot, .dotm, .dotx, .obd, .obt, .one, .pot, .potm, .potx, .ppa, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .xlb, .xlc, .xls, .xlsb, .xlsm, .xlsx, .xlt | The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected. Content within the custom properties is also scanned. |
| Microsoft Office xml | .excelml, .powerpointml, .wordml | None |
| Microsoft Visio | .vdw, .vdx, .vsd, .vsdm, .vsdx, .vss, .vssm, .vssx, .vst, .vstm, .vstx, .vsx, .vtx | None |
| OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected. |
| Other | .dfx, .dxf, .encoffmetro, .fluid, .mime, .pointpub, .pub, .rtf, .vtt, .xps | None |
| Text | .asm, .bat, .c, .cmd, .cpp, .cs, .csv, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .java, .js, .lnk, .log, .m3u, messagestorage, .mpx, .php, .pl, .pos, .txt, .vcf, .vcs | Other files that are text based are also scanned. This list is representative. |
| XML | .infopathml, .jsp, .mspx, .xml | None |

Inspect the file properties of attachments

The following conditions can be used in mail flow rules to inspect different properties of
files that are attached to messages. To start using these conditions when inspecting
messages, you need to add them to a mail flow rule. For more information about
creating or changing rules, see Manage mail flow rules.

Note

If you would like to block certain files using the file condition
AttachmentNameMatchesPatterns or AttachmentExtensionMatchesWords, be aware
that this condition inspects the actual file name extension and not the file
properties, which is different from the file content inspection performed by the
other conditions described earlier.
If you need to block a file based on the system file property detection (for
example, when the file has been renamed), use the "common attachment filter"
feature of the anti-malware policy instead.

| Condition name in the EAC | Condition name in Exchange Online PowerShell | Description |
|---------------------------|----------------------------------------------|-------------|
| Any attachment's file name matches (Any attachment > file name matches these text patterns) | AttachmentNameMatchesPatterns | This condition matches messages with attachments whose file name contains the characters you specify. |
| Any attachment's file extension matches (Any attachment > file extension includes these words) | AttachmentExtensionMatchesWords | This condition matches messages with attachments whose file name extension matches what you specify. |
| Any attachment is greater than or equal to (Any attachment > size is greater than or equal to) | AttachmentSizeOver | This condition matches messages with attachments when those attachments are greater than or equal to the size you specify. Note: This condition refers to the sizes of individual attachments, not the cumulative size. For example, if you set a rule to reject any attachment that is 10 MB or greater, a single attachment with a size of 15 MB will be rejected, but a message with three 5 MB attachments will be allowed. |
| The message didn't complete scanning (Any attachment > didn't complete scanning) | AttachmentProcessingLimitExceeded | This condition matches messages when an attachment is not inspected by the mail flow rules agent. |
| Any attachment has executable content (Any attachment > has executable content) | AttachmentHasExecutableContent | This condition matches messages that contain executable files as attachments. The supported file types are listed here. |
| Any attachment is password protected (Any attachment > is password protected) | AttachmentIsPasswordProtected | This condition matches messages with attachments that are protected by a password. Password detection only works for Office documents, .zip files, and .7z files. |
| Any attachment has these properties, including any of these words (Any attachment > has these properties, including any of these words) | AttachmentPropertyContainsWords | This condition matches messages where the specified property of the attached Office document contains specified words. A property and its possible values are separated with a colon. Multiple values are separated with a comma. Multiple property/value pairs are also separated with a comma. |

Note

The condition names in Exchange Online PowerShell are parameter names on
the New-TransportRule and Set-TransportRule cmdlets. For more
information, see New-TransportRule.

Learn more about property types for these conditions at Mail flow rule
conditions and exceptions (predicates) in Exchange Online.

To learn how to connect to Exchange Online PowerShell, see Connect to
Exchange Online PowerShell.

Supported executable file types for mail flow rule inspection

The mail flow rules use true type detection to inspect file properties rather than merely
the file extensions. This helps to prevent malicious hackers from being able to bypass
your rule by renaming a file extension. The following table lists the executable file types
supported by these conditions. If a file is found that isn't listed here, the
AttachmentIsUnsupported condition is triggered.

| Type of file | Native extension |
|--------------|------------------|
| 32-bit Windows executable file with a dynamic link library extension. | .dll |
| Self-extracting executable program file. | .exe |
| Uninstallation executable file. | .exe |
| Program shortcut file. | .exe |
| 32-bit Windows executable file. | .exe |
| Microsoft Visio XML drawing file. | .vxd |
| OS/2 operating system file. | .os2 |
| 16-bit Windows executable file. | .w16 |
| Disk-operating system file. | .dos |
| European Institute for Computer Antivirus Research standard antivirus test file. | .com |
| Windows program information file. | .pif |
| Windows executable program file. | .exe |

Important

.rar (self-extracting archive files created with the WinRAR archiver), .jar (Java archive
files), and .obj (compiled source code, 3D object, or sequence files) files are not
considered to be executable file types. To block these files, you can use mail flow
rules that look for files with these extensions as described earlier in this article, or
you can configure an antimalware policy that blocks these file types (the common
attachment types filter). For more information, see Configure anti-malware policies
in EOP.
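The conditions from the three tables above in use, as an added example in Exchange Online PowerShell that is not from the article; rule names, mailbox addresses, keywords, patterns and the classification property name are assumptions:

```powershell
# Added example (not from the article): rules built from the content, file-property and
# executable conditions in the tables above. Assumes a connected Exchange Online
# PowerShell session; rule names, addresses, keywords, patterns and the
# classification property are assumptions.

# Content inspection: only the first 1 MB of text extracted from each supported
# attachment is checked. Route outbound messages whose attachment text names a
# restricted project to a moderator instead of delivering them directly.
New-TransportRule -Name "Moderate attachments naming restricted projects" `
    -SentToScope NotInOrganization `
    -AttachmentContainsWords "Project Falcon", "Project Osprey" `
    -ModerateMessageByUser "release-review@contoso.com"

# Pattern inspection over the same extracted text (regular expression, not case-sensitive).
New-TransportRule -Name "Block attachments containing account numbers" `
    -SentToScope NotInOrganization `
    -AttachmentMatchesPatterns "\bACCT-\d{8}\b" `
    -RejectMessageReasonText "The attachment appears to contain customer account numbers." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Attachments that cannot be inspected are a blind spot, so treat them like a match.
# Conditions inside one rule are ANDed; to fire on ANY of the three cases you need
# three rules with the same action. A small table plus splatting keeps them consistent.
$uninspectable = @(
    @{ Name = "Review unsupported attachment types";          Cond = @{ AttachmentIsUnsupported = $true } },
    @{ Name = "Review password-protected attachments";        Cond = @{ AttachmentIsPasswordProtected = $true } },
    @{ Name = "Review attachments that were not fully scanned"; Cond = @{ AttachmentProcessingLimitExceeded = $true } }
)
foreach ($entry in $uninspectable) {
    $cond = $entry.Cond
    New-TransportRule -Name $entry.Name @cond `
        -FromScope NotInOrganization `
        -RedirectMessageTo "attachment-review@contoso.com" `
        -StopRuleProcessing $true
}

# Executable content is detected by true type, so renaming payload.exe to notes.txt
# does not evade it. Drop such messages silently and record a high audit severity so
# they still appear in the rules report.
New-TransportRule -Name "Drop executable attachments" `
    -AttachmentHasExecutableContent $true `
    -DeleteMessage $true `
    -SetAuditSeverity High `
    -StopRuleProcessing $true

# .jar, .obj and self-extracting .rar are not classed as executable by true type
# detection, so cover them by extension (values are the extension without the dot).
# This condition looks only at the file name, so a renamed file slips past it; the
# anti-malware policy's common attachment types filter is the place for type-based blocking.
New-TransportRule -Name "Reject jar, obj and rar attachments by extension" `
    -AttachmentExtensionMatchesWords "jar", "obj", "rar" `
    -RejectMessageReasonText "Attachments of this type are not accepted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Office document properties, for example a classification stamped by FCI or
# SharePoint. The value format is Property:Value1,Value2 ("Classification" is assumed).
New-TransportRule -Name "Reject documents classified Confidential or Restricted" `
    -SentToScope NotInOrganization `
    -AttachmentPropertyContainsWords "Classification:Confidential,Restricted" `
    -RejectMessageReasonText "Documents classified Confidential or Restricted may not leave the organization."

# Check the resulting rule order; rules run from priority 0 upward.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```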

Data loss prevention policies and attachment mail flow rules

Note

This section does not apply to standalone EOP organizations.

To help you manage important business information in email, you can include any of the attachment-related conditions along with the rules of a data loss prevention (DLP) policy.

DLP policies and attachment-related conditions can help you enforce your business needs by defining those needs as mail flow rule conditions, exceptions, and actions. When a DLP policy inspects for sensitive information, attachments are scanned only for that information; attachment properties such as size or file type aren't evaluated unless you add the attachment-related conditions described in this article. DLP isn't available with all versions of Exchange; learn more at Data loss prevention.

For more information

For information on broadly blocking email with attachments, regardless of malware status, see Common attachment blocking scenarios for mail flow rules in Exchange Online.
Use mail flow rules to set the spam
confidence level (SCL) in messages in
Exchange Online
Article • 12/16/2022 • 3 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, anti-spam policies (also known as spam filter policies or content filter policies) scan inbound messages for spam. For more information, see Configure anti-spam policies in EOP.

If you want to mark specific messages as spam before they're even scanned by spam
filtering, or mark messages so they'll skip spam filtering, you can create mail flow rules
(also known as transport rules) to identify the messages and set the spam confidence
level (SCL). For more information about the SCL, see Spam confidence level (SCL) in EOP.

What do you need to know before you begin?

You need to be assigned permissions in Exchange Online or Exchange Online Protection before you can do the procedures in this article. Specifically, you need the Transport Rules role, which is assigned to the Organization Management, Compliance Management (global admins), and Records Management role groups by default.

For more information, see the following topics:
Permissions in Exchange Online
Permissions in standalone EOP
Use the EAC to modify the list of members in role groups

To open the EAC in Exchange Online, see Exchange admin center in Exchange Online. To open the EAC in standalone EOP, see Exchange admin center in standalone EOP.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

For more information about mail flow rules in Exchange Online and standalone EOP, see the following topics:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online

Use the EAC to create a mail flow rule that sets the SCL of a message

1. In the EAC, go to Mail flow > Rules.

2. Click Add and then select Create a new rule.

3. In the New rule page that opens, configure the following settings:

Name: Enter a unique, descriptive name for the rule.

Click More Options.

Apply this rule if: Select one or more conditions to identify messages. For
more information, see Mail flow rule conditions and exceptions (predicates)
in Exchange Online.

Do the following: Select Modify the message properties > set the spam
confidence level (SCL). In the Specify SCL dialog that appears, configure one
of the following values:

Bypass spam filtering: The message skips spam filtering. High confidence phishing messages are still filtered, and other features in EOP aren't affected (for example, messages are always scanned for malware).

If you need to bypass spam filtering for SecOps mailboxes or phishing simulations, don't use mail flow rules. See Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes.

Caution

Be very careful about allowing messages to skip spam filtering. The mail flow rule should use more conditions than just the sender's email address or domain (for example, also require the sending IP address or an authentication result), because a sender address on its own is easily spoofed. For more information, see Create safe sender lists in EOP.

0 to 4: The message is sent through spam filtering for additional processing.

5 or 6: The message is marked as Spam. The action that you've configured for Spam filtering verdicts in your anti-spam policies is applied to the message (the default value is Move message to Junk Email folder).

7 to 9: The message is marked as High confidence spam. The action that you've configured for High confidence spam filtering verdicts in your anti-spam policies is applied to the message (the default value is Move message to Junk Email folder).

4. Specify any additional properties that you want for the rule. When you're finished,
click Save.
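The EAC procedure above has no PowerShell equivalent on this page. The following is an added example (not from the original article) that creates the same kind of rule with New-TransportRule and follows the Caution above by requiring three things to agree before spam filtering is skipped: the sender domain, the connecting IP range, and a DMARC pass recorded by EOP in the Authentication-Results header. The domain fabrikam.com, the range 203.0.113.0/24, the rule name and the comment are assumed values; replace them with your own. It requires an existing Exchange Online PowerShell session.

```powershell
# Added example: a "Bypass spam filtering" mail flow rule with layered conditions.
# Assumed values: partner domain fabrikam.com, sending range 203.0.113.0/24.
# Run after Connect-ExchangeOnline (or the standalone EOP equivalent).

$ruleParams = @{
    Name                        = 'Bypass spam filtering - fabrikam.com partner relay'
    # Condition 1: the sender's domain
    SenderDomainIs              = 'fabrikam.com'
    # Condition 2: the connecting server must be inside the partner's range
    SenderIpRanges              = '203.0.113.0/24'
    # Condition 3: EOP's own DMARC evaluation must have passed
    # (the Authentication-Results header contains dmarc=pass)
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = 'dmarc=pass'
    # Action: -1 is the "Bypass spam filtering" value of the SCL action
    SetSCL                      = -1
    # Start in Audit mode so the rule only logs matches until you have checked them
    Mode                        = 'Audit'
    Comments                    = 'Skips spam filtering only when domain, IP and DMARC all agree.'
}
New-TransportRule @ruleParams

# Read the rule back and confirm every condition landed as intended
Get-TransportRule -Identity $ruleParams.Name |
    Format-List Name, State, Mode, SenderDomainIs, SenderIpRanges,
                HeaderContainsMessageHeader, HeaderContainsWords, SetSCL

# When the audit results look right, switch the rule to Enforce:
# Set-TransportRule -Identity $ruleParams.Name -Mode Enforce
```

All conditions in a single mail flow rule must match (they are combined with AND), which is what makes the rule safer than a sender-only allow entry: a message that spoofs the fabrikam.com address from an unrelated server fails the IP and DMARC conditions and goes through normal filtering. Multiple values inside one condition are combined with OR, so list every legitimate sending range in SenderIpRanges rather than creating one rule per range.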

How do you know this worked?


To verify that you've correctly set the SCL in messages, send an email message to
someone inside your organization, and verify that the action performed on the message
is as expected. For example, if you set the spam confidence level (SCL) to Bypass spam
filtering, then the message should be sent to the specified recipient's Inbox. However, if
you set the spam confidence level (SCL) to 9, and the High confidence spam action for
your applicable anti-spam policies is to move the message to the Junk Email folder, then
the message should be sent to the specified recipient's Junk Email folder.
Use mail flow rules to filter bulk email in
Exchange Online
Article • 12/16/2022 • 6 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, anti-spam policies (also known as spam filter policies or content filter policies) scan inbound messages for spam and bulk mail (also known as gray mail). For more information, see Configure anti-spam policies in EOP.

If you want more options to filter bulk mail, you can create mail flow rules (also known
as transport rules) to search for text patterns or phrases that are frequently found in
bulk mail, and mark those messages as spam. For more information about bulk mail, see
What's the difference between junk email and bulk email? and Bulk complaint level
(BCL) in EOP.

This topic explains how to create these mail flow rules in the Exchange admin center (EAC) and PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

What do you need to know before you begin?


You need to be assigned permissions in Exchange Online or Exchange Online Protection before you can do the procedures in this article. Specifically, you need the Transport Rules role, which is assigned to the Organization Management, Compliance Management (global admins), and Records Management role groups by default.

For more information, see the following topics:
Permissions in Exchange Online
Permissions in standalone EOP
Use the EAC to modify the list of members in role groups

To open the EAC in Exchange Online, see Exchange admin center in Exchange Online. To open the EAC in standalone EOP, see Exchange admin center in standalone EOP.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

For more information about mail flow rules in Exchange Online and standalone EOP, see the following topics:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online

The list of words and text patterns that are used to identify bulk mail in the
examples aren't exhaustive; you can add and remove entries as necessary.
However, they are a good starting point.

Mail flow rules search the subject and other header fields only after the message has been decoded from the MIME content-transfer encoding (typically Base64) that was used to carry the binary message between SMTP servers as ASCII text. You can't use conditions or exceptions to match the raw, still-encoded values of the subject or other header fields.

The following procedures mark a bulk message as spam for your entire
organization. However, you can add another condition to apply these rules only to
specific recipients, so you can use aggressive filtering on a few, highly targeted
users, while the rest of your users (who mostly get the bulk email they signed up
for) aren't impacted.

Use the EAC to create mail flow rules that filter bulk email

1. In the EAC, go to Mail flow > Rules.

2. Click Add and then select Create a new rule.

3. In the New rule page that opens, configure the following settings:

Name: Enter a unique, descriptive name for the rule.

Click More Options.

Apply this rule if: Configure one of the following settings to look for content in messages using regular expressions (RegEx) or words or phrases:

The subject or body > subject or body matches these text patterns: In the Specify words or phrases dialog that appears, enter one of the following values, click Add, and repeat until you've entered all the values.

  If you are unable to view the content of this email\, please
  \>(safe )?unsubscribe( here)?\</a\>
  If you do not wish to receive further communications like this\, please
  <img height="?1"? width="?1"? src=.?http\://
  To stop receiving these+emails\:http\://
  To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)
  no longer (wish )?(to )?(be sent|receive) \w+ email
  If you are unable to view the content of this email\, please click here
  To ensure you receive (your daily deals|our e-?mails)\, add
  If you no longer wish to receive these emails
  to change your (subscription preferences|preferences or unsubscribe)
  click (here to|the) unsubscribe

To edit an entry, select it and click Edit. To remove an entry, select it and click Remove.

When you're finished, click OK.

The subject or body > subject or body includes any of these words: In the Specify words or phrases dialog that appears, enter one of the following values, click Add, and repeat until you've entered all the values.

  to change your preferences or unsubscribe
  Modify email preferences or unsubscribe
  This is a promotional email
  You are receiving this email because you requested a subscription
  click here to unsubscribe
  You have received this email because you are subscribed
  If you no longer wish to receive our email newsletter
  to unsubscribe from this newsletter
  If you have trouble viewing this email
  This is an advertisement
  you would like to unsubscribe or change your
  view this email as a webpage
  You are receiving this email because you are subscribed

To edit an entry, select it and click Edit. To remove an entry, select it and click Remove.

When you're finished, click OK.

Do the following: Select Modify the message properties > set the spam confidence level (SCL). In the Specify SCL dialog that appears, configure one of the following settings:

To mark messages as Spam, select 6. The action that you've configured for Spam filtering verdicts in your anti-spam policies is applied to the messages (the default value is Move message to Junk Email folder).

To mark messages as High confidence spam, select 9. The action that you've configured for High confidence spam filtering verdicts in your anti-spam policies is applied to the messages (the default value is Move message to Junk Email folder).

For more information about SCL values, see Spam confidence level (SCL) in EOP.

When you're finished, click Save.

Use PowerShell to create mail flow rules that filter bulk email

Use the following syntax to create one or both of the mail flow rules (regular expressions vs. words):

PowerShell

New-TransportRule -Name "<UniqueName>" [-SubjectOrBodyMatchesPatterns "<RegEx1>","<RegEx2>"...] [-SubjectOrBodyContainsWords "<WordOrPhrase1>","<WordOrPhrase2>"...] -SetSCL <6 | 9>

This example creates a new rule named "Bulk email filtering - RegEx" that uses the same list of regular expressions from earlier in the topic to set messages as Spam. The patterns are single-quoted because one of them contains double quotation marks, and PowerShell continues the argument list onto the next line after a trailing comma.

PowerShell

New-TransportRule -Name 'Bulk email filtering - RegEx' -SubjectOrBodyMatchesPatterns 'If you are unable to view the content of this email\, please',
'\>(safe )?unsubscribe( here)?\</a\>',
'If you do not wish to receive further communications like this\, please',
'\<img height\="?1"? width\="?1"? src=.?http\://',
'To stop receiving these+emails\:http\://',
'To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)',
'no longer (wish )?(to )?(be sent|receive) \w+ email',
'If you are unable to view the content of this email\, please click here',
'To ensure you receive (your daily deals|our e-?mails)\, add',
'If you no longer wish to receive these emails',
'to change your (subscription preferences|preferences or unsubscribe)',
'click (here to|the) unsubscribe' -SetSCL 6

This example creates a new rule named "Bulk email filtering - Words" that uses the same list of words from earlier in the topic to set messages as High confidence spam.

PowerShell

New-TransportRule -Name 'Bulk email filtering - Words' -SubjectOrBodyContainsWords 'to change your preferences or unsubscribe',
'Modify email preferences or unsubscribe',
'This is a promotional email',
'You are receiving this email because you requested a subscription',
'click here to unsubscribe',
'You have received this email because you are subscribed',
'If you no longer wish to receive our email newsletter',
'to unsubscribe from this newsletter',
'If you have trouble viewing this email',
'This is an advertisement',
'you would like to unsubscribe or change your',
'view this email as a webpage',
'You are receiving this email because you are subscribed' -SetSCL 9

For detailed syntax and parameter information, see New-TransportRule.
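Before either rule goes live, it is worth knowing which entries fire on real bulk mail and whether any of them also fire on ordinary business mail. The following added example (not from the original article) runs the same regular expressions and phrases locally against two constructed sample bodies, one newsletter footer and one internal message, so you can review the hits offline. The sample texts, the function name and the execs@contoso.com group in the commented deployment line are made up for this example; no tenant connection is needed to run the check itself.

```powershell
# Added example: exercise the bulk-mail patterns offline before deploying them.
# The message bodies below are constructed for this example, not real mail.

$Patterns = @(
    'If you are unable to view the content of this email\, please',
    '\>(safe )?unsubscribe( here)?\</a\>',
    'If you do not wish to receive further communications like this\, please',
    '\<img height\="?1"? width\="?1"? src=.?http\://',
    'To stop receiving these+emails\:http\://',
    'To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)',
    'no longer (wish )?(to )?(be sent|receive) \w+ email',
    'If you are unable to view the content of this email\, please click here',
    'To ensure you receive (your daily deals|our e-?mails)\, add',
    'If you no longer wish to receive these emails',
    'to change your (subscription preferences|preferences or unsubscribe)',
    'click (here to|the) unsubscribe'
)
$Phrases = @(
    'to change your preferences or unsubscribe', 'Modify email preferences or unsubscribe',
    'This is a promotional email', 'You are receiving this email because you requested a subscription',
    'click here to unsubscribe', 'You have received this email because you are subscribed',
    'If you no longer wish to receive our email newsletter', 'to unsubscribe from this newsletter',
    'If you have trouble viewing this email', 'This is an advertisement',
    'you would like to unsubscribe or change your', 'view this email as a webpage',
    'You are receiving this email because you are subscribed'
)

# Constructed samples: a bulk newsletter footer and an ordinary internal message
$Samples = [ordered]@{
    'bulk-newsletter' = @'
<p>This is a promotional email from Contoso Deals.</p>
<img height="1" width="1" src="http://tracker.example.net/open.gif">
<p>If you no longer wish to receive these emails, <a href="http://example.net/u">unsubscribe here</a></p>
'@
    'internal-invoice' = @'
Hi Julia, the Q3 invoice is attached. Let me know if you have trouble opening it.
Regards, Laura
'@
}

function Test-BulkIndicators {
    param([string]$Body)
    # Mail flow rule matching is case-insensitive; mirror that here
    $opts = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    $hits = [System.Collections.Generic.List[string]]::new()
    foreach ($p in $Patterns) {
        if ([regex]::IsMatch($Body, $p, $opts)) { $hits.Add("regex: $p") }
    }
    foreach ($w in $Phrases) {
        if ($Body.IndexOf($w, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $hits.Add("word: $w") }
    }
    return $hits
}

foreach ($name in $Samples.Keys) {
    $hits = Test-BulkIndicators -Body $Samples[$name]
    '{0}: {1} indicator(s)' -f $name, $hits.Count
    $hits | ForEach-Object { "    $_" }
}

# Once you are satisfied, deploy the rule scoped to a group of highly targeted
# users rather than the whole organization (assumed group: execs@contoso.com).
# Requires an Exchange Online PowerShell session:
# New-TransportRule -Name 'Bulk email filtering - RegEx (execs)' `
#     -SentToMemberOf 'execs@contoso.com' -SubjectOrBodyMatchesPatterns $Patterns -SetSCL 6
```

The newsletter sample trips the tracking-pixel, unsubscribe-link and "no longer wish to receive" patterns plus the "promotional email" phrase, while the internal message trips nothing, which is the split you want to see before a rule starts moving mail to Junk. Feed the function paste-ins from your own quarantine and from legitimate senders, and remember that the rule in EOP sees the decoded text of the message, so test with rendered bodies rather than raw Base64.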

How do you know this worked?


To verify that you've configured mail flow rules to filter bulk email, do any of the
following steps:

In the EAC, go to Mail flow > Rules > select the rule > click Edit , and verify the
settings.

In PowerShell, replace <Rule Name> with the name of the rule, and run the
following command to verify the settings:

PowerShell

Get-TransportRule -Identity "<Rule Name>" | Format-List

From an external account, send a test message to an affected recipient that contains one of the phrases or text patterns, and verify the results.
Use mail flow rules to see what your
users are reporting to Microsoft in
Exchange Online
Article • 12/16/2022 • 3 minutes to read

In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, there are multiple ways for users to report messages to Microsoft for analysis. For more information, see Report messages and files to Microsoft.

You can create a mail flow rule (also known as a transport rule) that looks for messages
that users report to Microsoft, and you can configure Bcc recipients to receive copies of
these reported messages.

You can create the mail flow rule in the Exchange admin center (EAC) and PowerShell
(Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in
Exchange Online; standalone EOP PowerShell for organizations without Exchange Online
mailboxes).

What do you need to know before you begin?


You need to be assigned permissions in Exchange Online or Exchange Online Protection before you can do the procedures in this article. Specifically, you need the Transport Rules role, which is assigned to the Organization Management, Compliance Management (global admins), and Records Management role groups by default.

For more information, see the following topics:
Permissions in Exchange Online
Permissions in standalone EOP
Use the EAC to modify the list of members in role groups

To open the EAC in Exchange Online, see Exchange admin center in Exchange Online. To open the EAC in standalone EOP, see Exchange admin center in standalone EOP.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

For more information about mail flow rules in Exchange Online and standalone EOP, see the following topics:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online

Use the EAC to create a mail flow rule to receive copies of reported messages

1. In the EAC, go to Mail flow > Rules.

2. Click Add and then select Create a new rule.

3. In the New rule page that opens, configure the following settings:

Name: Enter a unique, descriptive name for the rule. For example, Bcc
Messages Reported to Microsoft.

Click More Options.

Apply this rule if: Select The recipient > address includes any of these words. In the Specify words or phrases dialog that appears, enter one of the following values, click Add, and repeat until you've entered all the values.

  junk@office365.microsoft.com
  abuse@messaging.microsoft.com
  phish@office365.microsoft.com
  not_junk@office365.microsoft.com

To edit an entry, select it and click Edit . To remove an entry, select it and
click Remove .

When you're finished, click OK.

Do the following: Select Add recipients > to the Bcc box. In the dialog that
appears, find and select the recipients that you want to add. When you're
finished, click OK.

4. You can make additional selections to audit the rule, test the rule, activate the rule
during a specific time period, and other settings. We recommend testing the rule
before you enforce it.

5. When you're finished, click Save.


Use PowerShell to create a mail flow rule to receive copies of reported messages

This example creates a new mail flow rule named Bcc Messages Reported to Microsoft that looks for email messages that are reported to Microsoft by using the methods described in this article, and adds the users laura@contoso.com and julia@contoso.com as Bcc recipients.

PowerShell

New-TransportRule -Name "Bcc Messages Reported to Microsoft" -RecipientAddressContainsWords "junk@office365.microsoft.com",
"abuse@messaging.microsoft.com",
"phish@office365.microsoft.com",
"false_positive@messaging.microsoft.com" -BlindCopyTo "laura@contoso.com","julia@contoso.com"

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?


To verify that you've configured a mail flow rule to receive copies of reported messages,
do any of the following steps:

In the EAC, go to Mail flow > Rules > select the rule > click Edit , and verify the
settings.

In PowerShell, run the following command to verify the settings:

PowerShell

Get-TransportRule -Identity "Bcc Messages Reported to Microsoft" | Format-List

Send a test message to one of the reporting email addresses and verify the results.
Configure connection filtering
Article • 12/10/2022 • 11 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to
Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, you use connection filtering in EOP (specifically, the default connection filter policy) to identify good or bad source email servers by their IP addresses. The key components of the default connection filter policy are:

IP Allow List: Skip spam filtering for all incoming messages from the source email
servers that you specify by IP address or IP address range. For scenarios where
spam filtering might still occur on messages from these sources, see the Scenarios
where messages from sources in the IP Allow List are still filtered section later in
this article. For more information about how the IP Allow List should fit into your
overall safe senders strategy, see Create safe sender lists in EOP.

IP Block List: Block all incoming messages from the source email servers that you
specify by IP address or IP address range. The incoming messages are rejected, are
not marked as spam, and no additional filtering occurs. For more information
about how the IP Block List should fit into your overall blocked senders strategy,
see Create block sender lists in EOP.

Safe list: The safe list is a dynamic allow list in the Microsoft datacenter that
requires no customer configuration. Microsoft identifies these trusted email
sources from subscriptions to various third-party lists. You enable or disable the
use of the safe list; you can't configure the source email servers on the safe list.
Spam filtering is skipped on incoming messages from the email servers on the safe
list.
This article describes how to configure the default connection filter policy in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes). For more information about how connection filtering fits into your organization's overall anti-spam settings, see Anti-spam protection.

Note

The IP Allow List, safe list, and the IP Block List are one part of your overall strategy
to allow or block email in your organization. For more information, see Create safe
sender lists and Create blocked sender lists.

What do you need to know before you begin?


You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam .

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To modify the default connection filter policy, you need to be a member of the
Organization Management or Security Administrator role groups.
For read-only access to the default connection filter policy, you need to be a
member of the Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.

To find the source IP addresses of the email servers (senders) that you want to
allow or block, you can check the connecting IP (CIP) header field in the message
header. To view a message header in various email clients, see View internet
message headers in Outlook .

The IP Allow List takes precedence over the IP Block List (an address on both lists is
not blocked).

The IP Allow List and the IP Block List each support a maximum of 1273 entries,
where an entry is a single IP address, an IP address range, or a Classless
InterDomain Routing (CIDR) IP.

Use the Microsoft 365 Defender portal to modify the default connection filter policy

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam .

2. On the Anti-spam policies page, select Connection filter policy (Default) from the
list by clicking on the name of the policy.

3. In the policy details flyout that appears, configure any of the following settings:

Description section: Click Edit name and description. In the Edit name and
description flyout that appears, enter optional descriptive text in the
Description box.

When you're finished, click Save.

Connection filtering section: Click Edit connection filter policy. In the flyout
that appears, configure the following settings:

Always allow messages from the following IP addresses or address range: This is the IP Allow List. Click in the box, enter a value, and then press Enter or select the complete value that's displayed below the box. Valid values are:
  Single IP: For example, 192.168.1.1.
  IP range: For example, 192.168.0.1-192.168.0.254.
  CIDR IP: For example, 192.168.0.1/25. Valid subnet mask values are /24 through /32. To skip spam filtering for /1 to /23, see the Skip spam filtering for a CIDR IP outside of the available range section later in this article.
Repeat this step as many times as necessary. To remove an existing value, click Remove next to the value. When you're finished, click Save.

Always block messages from the following IP addresses or address range: This is the IP Block List. Enter a single IP, IP range, or CIDR IP in the box as previously described in the Always allow messages from the following IP addresses or address range setting.

Turn on safe list: Enable or disable the use of the safe list to identify known,
good senders that will skip spam filtering. To use the safe list, select the check
box.

When you're finished, click Save.

4. Back on the policy details flyout, click Close.

Use the Microsoft 365 Defender portal to view the default connection filter policy

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam .

2. On the Anti-spam policies page, the following properties are displayed in the list
of policies:

Name: This value is Connection filter policy (Default) for the default
connection filter policy.
Status: This value is Always on for the default connection filter policy.
Priority: This value is Lowest for the default connection filter policy.
Type: This value is blank for the default connection filter policy.

3. When you select the default connection filter policy, the policy settings are
displayed in a flyout.

Use Exchange Online PowerShell or standalone EOP PowerShell to modify the default connection filter policy

Use the following syntax:

PowerShell

Set-HostedConnectionFilterPolicy -Identity Default [-AdminDisplayName <"Optional Comment">] [-EnableSafeList <$true | $false>] [-IPAllowList <IPAddressOrRange1,IPAddressOrRange2...>] [-IPBlockList <IPAddressOrRange1,IPAddressOrRange2...>]

Notes:

Valid IP address or address range values are:
  Single IP: For example, 192.168.1.1.
  IP range: For example, 192.168.0.1-192.168.0.254.
  CIDR IP: For example, 192.168.0.1/25. Valid network mask values are /24 through /32.
To overwrite any existing entries with the values you specify, use the following syntax: IPAddressOrRange1,IPAddressOrRange2,...,IPAddressOrRangeN.
To add or remove IP addresses or address ranges without affecting other existing entries, use the following syntax: @{Add="IPAddressOrRange1","IPAddressOrRange2",...,"IPAddressOrRangeN";Remove="IPAddressOrRange3","IPAddressOrRange4",...,"IPAddressOrRangeN"}.
To empty the IP Allow List or IP Block List, use the value $null.

This example configures the IP Allow List and the IP Block List with the specified IP
addresses and address ranges.

PowerShell

Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList 192.168.1.10,192.168.1.23 -IPBlockList 10.10.10.0/25,172.17.17.0/24

This example adds and removes the specified IP addresses and address ranges from the
IP Allow List.

PowerShell

Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add="192.168.2.10","192.169.3.0/24","192.168.4.1-192.168.4.5";Remove="192.168.1.10"}

For detailed syntax and parameter information, see Set-HostedConnectionFilterPolicy.


How do you know this worked?
To verify that you've successfully modified the default connection filter policy, do any of
the following steps:

On the Anti-spam page in the Microsoft 365 Defender portal at https://security.microsoft.com/antispam, select Connection filter policy (Default) from the list by clicking on the name of the policy, and verify the settings.

In Exchange Online PowerShell or standalone EOP PowerShell, run the following command and verify the settings:

PowerShell

Get-HostedConnectionFilterPolicy -Identity Default

Send a test message from an entry on the IP Allow List and check the message's anti-spam headers for the expected result.

Additional considerations for the IP Allow List

The following sections identify additional items that you need to know about when you configure the IP Allow List.

Skip spam filtering for a CIDR IP outside of the available range

As described earlier in this article, you can only use a CIDR IP with a network mask of /24 to /32 in the IP Allow List. To skip spam filtering on messages from source email servers in a /1 to /23 range, you need to use Exchange mail flow rules (also known as transport rules). We recommend that you avoid this if at all possible, because messages will still be blocked if an IP address in the /1 to /23 CIDR range appears on any of Microsoft's proprietary or third-party block lists.

Now that you're fully aware of the potential issues, you can create a mail flow rule with
the following settings (at a minimum) to ensure that messages from these IP addresses
will skip spam filtering:

Rule condition: Apply this rule if > The sender > IP address is in any of these
ranges or exactly matches > (enter your CIDR IP with a /1 to /23 network mask).
Rule action: Modify the message properties > Set the spam confidence level
(SCL) > Bypass spam filtering.
You can audit the rule, test the rule, activate the rule during a specific time period, and
other selections. We recommend testing the rule for a period before you enforce it. For
more information, see Manage mail flow rules in Exchange Online.

Skip spam filtering on selective email domains from the same source

Typically, adding an IP address or address range to the IP Allow List means you trust all
incoming messages from that email source. But what if that source sends email from
multiple domains, and you want to skip spam filtering for some of those domains, but
not others? You can't use the IP Allow List alone to do this, but you can use the IP Allow
List in combination with a mail flow rule.

For example, the source email server 192.168.1.25 sends email from the domains
contoso.com, fabrikam.com, and tailspintoys.com, but you only want to skip spam
filtering for messages from senders in fabrikam.com. To do this, use the following steps:

1. Add 192.168.1.25 to the IP Allow List.

2. Configure a mail flow rule with the following settings (at a minimum):

Rule condition: Apply this rule if > The sender > IP address is in any of
these ranges or exactly matches > 192.168.1.25 (the same IP address or
address range that you added to the IP Allow List in the previous step).
Rule action: Modify the message properties > Set the spam confidence
level (SCL) > 0.
Rule exception: The sender > domain is > fabrikam.com (only the domain or
domains that you want to skip spam filtering).

Scenarios where messages from sources in the IP Allow List are still filtered

Messages from an email server in your IP Allow List are still subject to spam filtering in
the following scenarios:

An IP address in your IP Allow List is also configured in an on-premises, IP-based inbound connector in any tenant in Microsoft 365 (let's call this Tenant A), and Tenant A and the EOP server that first encounters the message both happen to be in the same Active Directory forest in the Microsoft datacenters. In this scenario, IPV:CAL is added to the message's anti-spam message headers (indicating the message bypassed spam filtering), but the message is still subject to spam filtering.

Your tenant that contains the IP Allow List and the EOP server that first encounters the message both happen to be in different Active Directory forests in the Microsoft datacenters. In this scenario, IPV:CAL is not added to the message headers, so the message is still subject to spam filtering.

If you encounter either of these scenarios, you can create a mail flow rule with the
following settings (at a minimum) to ensure that messages from the problematic IP
addresses will skip spam filtering:

Rule condition: Apply this rule if > The sender > IP address is in any of these
ranges or exactly matches > (your IP address or addresses).
Rule action: Modify the message properties > Set the spam confidence level
(SCL) > Bypass spam filtering.
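The following Exchange Online PowerShell script is an added example and not code from the original article. It implements both mail flow rule scenarios described above (the selective-domain rule with an exception, and the explicit bypass rule for sources that are still filtered) against the article's illustrative values 192.168.1.25 and fabrikam.com; the rule names are my own. It assumes Connect-ExchangeOnline has already been run.

```powershell
# Added example, not code from the original article. Exchange Online PowerShell
# for the two IP Allow List scenarios above. 192.168.1.25 and fabrikam.com are
# the article's illustrative values; the rule names are my own. Assumes
# Connect-ExchangeOnline has already been run.

$SourceIp   = "192.168.1.25"
$TrustedDom = "fabrikam.com"

# Step 1: put the source in the IP Allow List of the default connection filter
# policy. On its own this bypasses spam filtering (SCL -1) for every domain the
# source sends from.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $SourceIp}

# Scenario "selective domains from the same source": reset SCL to 0 for mail
# from the source unless the sender domain is fabrikam.com, so only fabrikam.com
# keeps the bypass. Created in Audit mode first, as the article recommends.
New-TransportRule -Name "Filter non-$TrustedDom mail from $SourceIp" `
    -SenderIpRanges $SourceIp `
    -SetSCL 0 `
    -ExceptIfSenderDomainIs $TrustedDom `
    -Mode Audit `
    -Comments "Pairs with the IP Allow List entry for $SourceIp"

# Scenario "IP Allow List entry is still filtered" (inbound-connector or
# cross-forest case): force the bypass explicitly with SCL -1. This is the
# alternative for a source that should be trusted wholesale; do not stack it
# on the same source as the rule above.
New-TransportRule -Name "Bypass spam filtering for $SourceIp" `
    -SenderIpRanges $SourceIp `
    -SetSCL -1 `
    -Mode Audit

# Check what was created, then switch a rule to Enforce once message traces
# show the expected SCL values for the source.
Get-HostedConnectionFilterPolicy -Identity Default | Select-Object -ExpandProperty IPAllowList
Get-TransportRule | Where-Object { $_.Name -like "*$SourceIp*" } |
    Format-Table Name, State, Mode, SetSCL, ExceptIfSenderDomainIs -AutoSize
# Set-TransportRule -Identity "Filter non-$TrustedDom mail from $SourceIp" -Mode Enforce
```

Leave the rules in Audit mode until a message trace on mail from the source shows the SCL and IPV values you expect; an allow-list entry combined with a mis-scoped SCL -1 rule is a standing spam and phishing bypass for every domain that source can send as.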

Outbound spam protection in EOP
Article • 12/10/2022 • 4 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, we
take managing outbound spam seriously. Even if one customer intentionally or
unintentionally sends spam from their organization, that action can degrade the
reputation of the whole service and can affect email delivery for other customers.

This article describes the controls and notifications that are designed to help prevent
outbound spam, and what you can do if you need to send mass mailings.

What admins can do to control outbound spam

Use built-in notifications: When a user exceeds sending limits of the service or
outbound spam policies and is restricted from sending email, the default alert
policy named User restricted from sending email sends email notifications to
members of the TenantAdmins (Global admins) group. To configure who else
receives these notifications, see Verify the alert settings for restricted users. Also,
the default alert policies named Email sending limit exceeded and Suspicious
email sending patterns detected send email notifications to members of the
TenantAdmins (Global admins) group. For more information about alert policies,
see Alert policies in Microsoft 365.

Review spam complaints from third-party email providers: Many email services
like Outlook.com, Yahoo, and AOL provide a feedback loop where if any user in
their service marks an email from Microsoft 365 as spam, the message is packaged
up and sent back to us for review. To learn more about sender support for
Outlook.com, go to
https://sendersupport.olc.protection.outlook.com/pm/services.aspx .

How EOP controls outbound spam

Segregation of outbound email traffic: Every outbound message that's sent
through the service is scanned for spam. If the message is determined to be spam,
it's delivered from a secondary, less reputable IP address pool named the high-risk
delivery pool. For more information, see High-risk delivery pool for outbound
messages.

Monitoring our source IP address reputation: Microsoft 365 queries various third-
party IP block lists. An alert is generated if any of the IP addresses that we use for
outbound email appear on these lists. This monitoring allows us to react quickly
when spam has caused our reputation to degrade. When an alert is generated, we
have internal documentation that outlines how to get our IP addresses removed
(delisted) from block lists.

Disable accounts that send too much spam*: Even though we segregate
outbound spam into the high-risk delivery pool, we can't allow an account (often, a
compromised account) to send spam indefinitely. We monitor accounts that are
sending spam, and when they exceed an undisclosed limit, the account is blocked
from sending email. There are different thresholds for individual users and the
entire tenant.

Disable accounts that send too much email too quickly*: In addition to the
limits that look for messages marked as spam, there are also limits that block
accounts when they reach an overall outbound message limit, regardless of the
spam filtering verdict on the outbound messages. A compromised account could
send zero-day (previously unrecognized) spam that is missed by the spam filter.
Because it can be difficult to distinguish a legitimate mass mailing campaign
from a spam campaign, these limits help to minimize any potential damage.

* We don't advertise the exact limits so spammers can't game the system, and so we can
increase or decrease the limits as necessary. The limits are high enough to prevent an
average business user from ever exceeding them, and low enough to help contain the
damage caused by a spammer.

Recommendations for customers who want to send mass mailings through EOP

It's difficult to strike a balance between customers who want to send a large volume of
email vs. protecting the service from compromised accounts and bulk email senders
with poor recipient acquisition practices. The cost of a Microsoft 365 email source
landing on a third-party IP block list is greater than blocking a user who's sending too
much email.

As described in the Exchange Online Service Description, using EOP to send bulk email
is not a supported use of the service, and is only permitted on a "best-effort" basis. For
customers who do want to send bulk email, we recommend the following solutions:

Send bulk email through on-premises email servers: Customers maintain their
own email infrastructure for mass mailings.

Use a third-party bulk email provider: There are several third-party bulk email
solution providers that you can use to send mass mailings. These companies have
a vested interest in working with customers to ensure good email sending
practices.

The Messaging, Mobile, Malware Anti-Abuse Working Group (MAAWG) publishes its
membership roster at https://www.maawg.org/about/roster . Several bulk email
providers are on the list, and are known to be responsible internet citizens.

Configure outbound spam filtering in EOP
Article • 12/14/2022 • 22 minutes to read


Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
outbound email messages that are sent through EOP are automatically checked for
spam and unusual sending activity.

Outbound spam from a user in your organization typically indicates a compromised
account. Suspicious outbound messages are marked as spam (regardless of the spam
confidence level or SCL) and are routed through the high-risk delivery pool to help
protect the reputation of the service (that is, keep Microsoft 365 source email servers off
of IP block lists). Admins are automatically notified of suspicious outbound email activity
and blocked users via alert policies.

EOP uses outbound spam policies as part of your organization's overall defense against
spam. For more information, see Anti-spam protection.

Admins can view, edit, and configure (but not delete) the default outbound spam policy.
For greater granularity, you can also create custom outbound spam policies that apply
to specific users, groups, or domains in your organization. Custom policies always take
precedence over the default policy, but you can change the priority (running order) of
your custom policies.

You can configure outbound spam policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes
in Exchange Online; standalone EOP PowerShell for organizations without Exchange
Online mailboxes).

The basic elements of an outbound spam policy in EOP are:

The outbound spam filter policy: Specifies the actions for outbound spam filtering
verdicts and the notification options.
The outbound spam filter rule: Specifies the priority and sender filters (who the
policy applies to) for an outbound spam filter policy.

The difference between these two elements isn't obvious when you manage outbound
spam policies in the Microsoft 365 Defender portal:

When you create a policy, you're actually creating an outbound spam filter rule and
the associated outbound spam filter policy at the same time using the same name
for both.
When you modify a policy, settings related to the name, priority, enabled or
disabled, and sender filters modify the outbound spam filter rule. All other settings
modify the associated outbound spam filter policy.
When you remove a policy, the outbound spam filter rule and the associated
outbound spam filter policy are removed.

In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy
and the rule separately. For more information, see the Use Exchange Online PowerShell
or standalone EOP PowerShell to configure outbound spam policies section later in this
article.

Every organization has a built-in outbound spam policy named Default that has these
properties:

The policy is applied to all senders in the organization, even though there's no
outbound spam filter rule (sender filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is
always applied last). Any custom policies that you create always have a higher
priority than the policy named Default.
The policy is the default policy (the IsDefault property has the value True ), and
you can't delete the default policy.

To increase the effectiveness of outbound spam filtering, you can create custom
outbound spam policies with stricter settings that are applied to specific users or groups
of users.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the Anti-spam settings page, use
https://security.microsoft.com/antispam .

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add, modify, and delete outbound spam policies, you need to be a member
of the Organization Management or Security Administrator role groups.
For read-only access to outbound spam policies, you need to be a member of
the Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.

For our recommended settings for outbound spam policies, see EOP outbound
spam filter policy settings.

The default alert policies named Email sending limit exceeded, Suspicious email
sending patterns detected, and User restricted from sending email already send
email notifications to members of the TenantAdmins (Global admins) group about
unusual outbound email activity and blocked users due to outbound spam. For
more information, see Verify the alert settings for restricted users. We recommend
that you use these alert policies instead of the notification options in outbound
spam policies.

Use the Microsoft 365 Defender portal to create outbound spam policies

Creating a custom outbound spam policy in the Microsoft 365 Defender portal creates
the spam filter rule and the associated spam filter policy at the same time using the
same name for both.
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam settings page, use
https://security.microsoft.com/antispam .

2. On the Anti-spam policies page, click Create policy and then select Outbound
from the drop down list.

3. The policy wizard opens. On the Name your policy page, configure these settings:

Name: Enter a unique, descriptive name for the policy.
Description: Enter an optional description for the policy.

When you're finished, click Next.

4. On the Users, groups, and domains page that appears, identify the internal
senders that the policy applies to (recipient conditions):

Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All senders in the specified accepted domains in your organization.

Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.

For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.

Multiple values in the same condition use OR logic (for example, <sender1> or
<sender2>). Different conditions use AND logic (for example, <sender1> and
<member of group 1>).

Exclude these users, groups, and domains: To add exceptions for the internal
senders that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.

Important

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The policy is applied only to those recipients that match all of the
specified recipient filters. For example, you configure a recipient filter
condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy is not
applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.

When you're finished, click Next.

5. On the Protection settings page that opens, configure the following settings:

Message limits: The settings in this section configure the limits for outbound
email messages from Exchange Online mailboxes:
Set an external message limit: The maximum number of external
recipients per hour.
Set an internal message limit: The maximum number of internal recipients
per hour.
Set a daily message limit: The maximum total number of recipients per
day.

A valid value is 0 to 10000. The default value is 0, which means the service
defaults are used. For more information, see Sending limits.

Enter a value in the box, or use the increase/decrease arrows on the box.

Restriction placed on users who reach the message limit: Select an action
from the drop down list when any of the limits in the Protection settings
section are exceeded.

For all actions, the senders specified in the User restricted from sending
email alert policy (and in the now redundant Notify these users and groups
if a sender is blocked due to sending outbound spam setting later on this
page) receive email notifications.
Restrict the user from sending mail until the following day: This is the
default value. Email notifications are sent, and the user is unable to send
any more messages until the following day, based on UTC time. There is no
way for the admin to override this block. The alert policy named User
restricted from sending email notifies admins (via email and on the
Incidents & alerts > View alerts page), and any recipients specified in the
Notify specific people if a sender is blocked due to sending outbound spam
setting in the policy are also notified.
Restrict the user from sending mail: Email notifications are sent, the user
is added to Restricted users
https://security.microsoft.com/restrictedusers in the Microsoft 365
Defender portal, and the user can't send email until they're removed from
Restricted users by an admin. After an admin removes the user from the
list, the user won't be restricted again for that day. For instructions, see
Removing a user from the Restricted Users portal after sending spam
email.
No action, alert only: Email notifications are sent.

Forwarding rules: Use the settings in this section to control automatic email
forwarding by Exchange Online mailboxes to external senders. For more
information, see Control automatic external email forwarding in Microsoft
365.

Note

When automatic forwarding is disabled, the recipient will receive a non-
delivery report (also known as an NDR or bounce message) if external
senders send email to a mailbox that has forwarding in place. If the
message is sent by an internal sender and the forwarding method is
mailbox forwarding (also known as SMTP forwarding), the internal
sender will get the NDR. The internal sender does not get an NDR if the
forwarding occurred due to an inbox rule.

Select one of the following actions from the Automatic forwarding rules
drop down list:
Automatic - System-controlled: Allows outbound spam filtering to control
automatic external email forwarding. This is the default value.
On: Automatic external email forwarding is not disabled by the policy.
Off: All automatic external email forwarding is disabled by the policy.

Notifications: Use the settings in the section to configure additional
recipients who should receive copies and notifications of suspicious
outbound email messages:

Send a copy of suspicious outbound that exceed these limits to these
users and groups: This setting adds the specified recipients to the Bcc field
of suspicious outbound messages.

Note

This setting only works in the default outbound spam policy. It
doesn't work in custom outbound spam policies that you create.

To enable this setting, select the check box. In the box that appears, click in
the box, enter a valid email address, and then press Enter or select the
complete value that's displayed below the box.

Repeat this step as many times as necessary. To remove an existing value,
click remove next to the value.

Notify these users and groups if a sender is blocked due to sending
outbound spam

Important

This setting is in the process of being deprecated from outbound
spam policies.

The default alert policy named User restricted from sending email
already sends email notifications to members of the TenantAdmins
(Global admins) group when users are blocked due to exceeding the
limits in the Recipient Limits section. We strongly recommend that
you use the alert policy rather than this setting in the outbound
spam policy to notify admins and other users. For instructions, see
Verify the alert settings for restricted users.

When you're finished, click Next.


6. On the Review page that appears, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.

When you're finished, click Create.

7. On the confirmation page that appears, click Done.

Use the Microsoft 365 Defender portal to view outbound spam policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam settings page, use
https://security.microsoft.com/antispam .

2. On the Anti-spam policies page, look for one of the following values:

The Type value is Custom outbound spam policy
The Name value is Anti-spam outbound policy (Default)

The following properties are displayed in the list of anti-spam policies:

Name
Status
Priority
Type

3. When you select an outbound spam policy by clicking on the name, the policy
settings are displayed in a flyout.

Use the Microsoft 365 Defender portal to modify outbound spam policies

1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Anti-spam in the Policies section.

2. On the Anti-spam policies page, select an outbound spam policy from the list by
clicking on the name:

A custom policy that you created where the value in the Type column is
Custom outbound spam policy.
The default policy named Anti-spam outbound policy (Default).

3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the
previous Use the Microsoft 365 Defender portal to create outbound spam policies
section in this article.

For the default outbound spam policy, the Applied to section isn't available (the
policy applies to everyone), and you can't rename the policy.

To enable or disable a policy, set the policy priority order, or configure the end-user
notifications, see the following sections.

Enable or disable custom outbound spam policies

You can't disable the default outbound spam policy.

1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Anti-spam in the Policies section.

2. On the Anti-spam policies page, select a policy with the Type value of Custom
outbound spam policy from the list by clicking on the name.

3. At the top of the policy details flyout that appears, you'll see one of the following
values:

Policy off: To turn on the policy, click Turn on.
Policy on: To turn off the policy, click Turn off.

4. In the confirmation dialog that appears, click Turn on or Turn off.

5. Click Close in the policy details flyout.

Back on the main policy page, the Status value of the policy will be On or Off.

Set the priority of custom outbound spam policies

By default, outbound spam policies are given a priority that's based on the order they
were created in (newer policies are lower priority than older policies). A lower priority
number indicates a higher priority for the policy (0 is the highest), and policies are
processed in priority order (higher priority policies are processed before lower priority
policies). No two policies can have the same priority, and policy processing stops after
the first policy is applied.
To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.

Notes:

In the Microsoft 365 Defender portal, you can only change the priority of the
outbound spam policy after you create it. In PowerShell, you can override the
default priority when you create the spam filter rule (which can affect the priority
of existing rules).
Outbound spam policies are processed in the order that they're displayed (the first
policy has the Priority value 0). The default outbound spam policy has the priority
value Lowest, and you can't change it.

1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Anti-spam in the Policies section.

2. On the Anti-spam policies page, select a policy with the Type value of
Custom outbound spam policy from the list by clicking on the name.

3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:

The outbound spam policy with the Priority value 0 has only the Decrease
priority option available.
The outbound spam policy with the lowest Priority value (for example, 3) has
only the Increase priority option available.
If you have three or more outbound spam policies, the policies between the
highest and lowest priority values have both the Increase priority and
Decrease priority options available.

Click Increase priority or Decrease priority to change the Priority value.

4. When you're finished, click Close in the policy details flyout.

Use the Microsoft 365 Defender portal to remove custom outbound spam policies

When you use the Microsoft 365 Defender portal to remove a custom outbound spam
policy, the spam filter rule and the corresponding spam filter policy are both deleted.
You can't remove the default outbound spam policy.
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam settings page, use
https://security.microsoft.com/antispam .

2. On the Anti-spam policies page, select a policy with the Type value of Custom
outbound spam policy from the list by clicking on the name. At the top of the
policy details flyout that appears, click More actions > Delete policy.

3. In the confirmation dialog that appears, click Yes.

Use Exchange Online PowerShell or standalone EOP PowerShell to configure outbound
spam policies

As previously described, an outbound spam policy consists of an outbound spam filter
policy and an outbound spam filter rule.

In Exchange Online PowerShell or standalone EOP PowerShell, the difference between
outbound spam filter policies and outbound spam filter rules is apparent. You manage
outbound spam filter policies by using the *-HostedOutboundSpamFilterPolicy
cmdlets, and you manage outbound spam filter rules by using the
*-HostedOutboundSpamFilterRule cmdlets.

In PowerShell, you create the outbound spam filter policy first, then you create the
outbound spam filter rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the outbound spam filter policy and the
outbound spam filter rule separately.
When you remove an outbound spam filter policy from PowerShell, the
corresponding outbound spam filter rule isn't automatically removed, and vice
versa.

Use PowerShell to create outbound spam policies

Creating an outbound spam policy in PowerShell is a two-step process:

1. Create the outbound spam filter policy.

2. Create the outbound spam filter rule that specifies the outbound spam filter policy
that the rule applies to.

Notes:
You can create a new outbound spam filter rule and assign an existing,
unassociated outbound spam filter policy to it. An outbound spam filter rule
can't be associated with more than one outbound spam filter policy.
You can configure the following settings on new outbound spam filter
policies in PowerShell that aren't available in the Microsoft 365 Defender
portal until after you create the policy:
Create the new policy as disabled (Enabled $false on the New-
HostedOutboundSpamFilterRule cmdlet).
Set the priority of the policy during creation (Priority <Number>) on the
New-HostedOutboundSpamFilterRule cmdlet).
A new outbound spam filter policy that you create in PowerShell isn't visible
in the Microsoft 365 Defender portal until you assign the policy to an
outbound spam filter rule.

Step 1: Use PowerShell to create an outbound spam filter policy

To create an outbound spam filter policy, use this syntax:

PowerShell

New-HostedOutboundSpamFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] <Additional Settings>

This example creates a new outbound spam filter policy named Contoso Executives with
the following settings:

The recipient rate limits are restricted to smaller values than the defaults. For more
information, see Sending limits across Microsoft 365 options.

After one of the limits is reached, the user is prevented from sending messages.

PowerShell

New-HostedOutboundSpamFilterPolicy -Name "Contoso Executives" -RecipientLimitExternalPerHour 400 -RecipientLimitInternalPerHour 800 -RecipientLimitPerDay 800 -ActionWhenThresholdReached BlockUser

For detailed syntax and parameter information, see New-HostedOutboundSpamFilterPolicy.

Step 2: Use PowerShell to create an outbound spam filter rule

To create an outbound spam filter rule, use this syntax:
PowerShell

New-HostedOutboundSpamFilterRule -Name "<RuleName>" -HostedOutboundSpamFilterPolicy "<PolicyName>" <Sender filters> [<Sender filter exceptions>] [-Comments "<OptionalComments>"]

This example creates a new outbound spam filter rule named Contoso Executives with
these settings:

The outbound spam filter policy named Contoso Executives is associated with the
rule.
The rule applies to members of the group named Contoso Executives Group.

PowerShell

New-HostedOutboundSpamFilterRule -Name "Contoso Executives" -HostedOutboundSpamFilterPolicy "Contoso Executives" -FromMemberOf "Contoso Executives Group"

For detailed syntax and parameter information, see New-HostedOutboundSpamFilterRule.
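The two steps above, carried through as one Exchange Online PowerShell script, as an added example that is not code from the original article. It reuses the article's names (Contoso Executives, Contoso Executives Group); the limits, the AdminDisplayName text and the idempotency checks are my own additions. It also uses the two settings the text notes are only available at creation time in PowerShell (Enabled $false and Priority). It assumes Connect-ExchangeOnline has already been run.

```powershell
# Added example, not code from the original article: create an outbound spam
# policy for a high-value group as a policy + rule pair, idempotently.
# Names follow the article's example; the limits are illustrative.
# Assumes Connect-ExchangeOnline has already been run.

$PolicyName = "Contoso Executives"
$RuleName   = "Contoso Executives"
$GroupName  = "Contoso Executives Group"

# Step 1: the filter policy holds the thresholds and actions. Stricter limits
# than the service defaults, and BlockUser so a compromised executive mailbox
# stays restricted until an admin clears it from Restricted users (rather than
# only until the next UTC day). External auto-forwarding is turned off in the
# same policy.
$policy = Get-HostedOutboundSpamFilterPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-HostedOutboundSpamFilterPolicy -Name $PolicyName `
        -AdminDisplayName "Tighter outbound limits for executives" `
        -RecipientLimitExternalPerHour 400 `
        -RecipientLimitInternalPerHour 800 `
        -RecipientLimitPerDay 800 `
        -ActionWhenThresholdReached BlockUser `
        -AutoForwardingMode Off
}

# Step 2: the filter rule decides who the policy applies to and at what
# priority. Created disabled at priority 0 (only possible in PowerShell) so it
# can be reviewed before it takes effect; existing custom rules shift down one.
$rule = Get-HostedOutboundSpamFilterRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-HostedOutboundSpamFilterRule -Name $RuleName `
        -HostedOutboundSpamFilterPolicy $PolicyName `
        -FromMemberOf $GroupName `
        -Priority 0 `
        -Enabled $false `
        -Comments "Applies the '$PolicyName' policy to members of '$GroupName'"
}

# Verify the pair before enabling: the rule must point at the policy, and the
# policy must carry the intended thresholds.
Get-HostedOutboundSpamFilterRule -Identity $RuleName |
    Format-List Name, State, Priority, HostedOutboundSpamFilterPolicy, FromMemberOf
Get-HostedOutboundSpamFilterPolicy -Identity $PolicyName |
    Format-List Name, RecipientLimit*, ActionWhenThresholdReached, AutoForwardingMode

# Turn the rule (and with it the whole policy) on once reviewed.
Enable-HostedOutboundSpamFilterRule -Identity $RuleName
```

Until Enable-HostedOutboundSpamFilterRule runs, the policy exists but applies to nobody, and a policy created without a rule at all is invisible in the portal; the Get-* calls at the end are the check that both halves exist and are joined.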

Use PowerShell to view outbound spam filter policies

To return a summary list of all outbound spam filter policies, run this command:

PowerShell

Get-HostedOutboundSpamFilterPolicy

To return detailed information about a specific outbound spam filter policy, use the this
syntax:

PowerShell

Get-HostedOutboundSpamFilterPolicy -Identity "<PolicyName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the outbound spam filter policy named
Executives.

PowerShell

Get-HostedOutboundSpamFilterPolicy -Identity "Executives" | Format-List

For detailed syntax and parameter information, see Get-HostedOutboundSpamFilterPolicy.

Use PowerShell to view outbound spam filter rules

To view existing outbound spam filter rules, use the following syntax:

PowerShell

Get-HostedOutboundSpamFilterRule [-Identity "<RuleIdentity>"] [-State <Enabled | Disabled>]

To return a summary list of all outbound spam filter rules, run this command:

PowerShell

Get-HostedOutboundSpamFilterRule

To filter the list by enabled or disabled rules, run the following commands:

PowerShell

Get-HostedOutboundSpamFilterRule -State Disabled

PowerShell

Get-HostedOutboundSpamFilterRule -State Enabled

To return detailed information about a specific outbound spam filter rule, use this
syntax:

PowerShell

Get-HostedOutboundSpamFilterRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the outbound spam filter rule named
Contoso Executives.

PowerShell

Get-HostedOutboundSpamFilterRule -Identity "Contoso Executives" | Format-List

For detailed syntax and parameter information, see Get-HostedOutboundSpamFilterRule.

Use PowerShell to modify outbound spam filter policies

The same settings are available when you modify an outbound spam filter policy in
PowerShell as when you create the policy as described in the Step 1: Use PowerShell to
create an outbound spam filter policy section earlier in this article.

Note

You can't rename an outbound spam filter policy (the Set-HostedOutboundSpamFilterPolicy
cmdlet has no Name parameter). When you rename an outbound spam policy in the
Microsoft 365 Defender portal, you're only renaming the outbound spam filter rule.

To modify an outbound spam filter policy, use this syntax:

PowerShell

Set-HostedOutboundSpamFilterPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-HostedOutboundSpamFilterPolicy.

Use PowerShell to modify outbound spam filter rules


The only setting that isn't available when you modify an outbound spam filter rule in
PowerShell is the Enabled parameter that allows you to create a disabled rule. To enable
or disable existing outbound spam filter rules, see the next section.

Otherwise, no additional settings are available when you modify an outbound spam
filter rule in PowerShell. The same settings are available when you create a rule as
described in the Step 2: Use PowerShell to create an outbound spam filter rule section
earlier in this article.

To modify an outbound spam filter rule, use this syntax:

PowerShell

Set-HostedOutboundSpamFilterRule -Identity "<RuleName>" <Settings>

For detailed syntax and parameter information, see Set-HostedOutboundSpamFilterRule.

Use PowerShell to enable or disable outbound spam filter rules

Enabling or disabling an outbound spam filter rule in PowerShell enables or disables the
whole outbound spam policy (the outbound spam filter rule and the assigned outbound
spam filter policy). You can't enable or disable the default outbound spam policy (it's
always applied to all senders).

To enable or disable an outbound spam filter rule in PowerShell, use this syntax:

PowerShell

<Enable-HostedOutboundSpamFilterRule | Disable-HostedOutboundSpamFilterRule>
-Identity "<RuleName>"

This example disables the outbound spam filter rule named Marketing Department.

PowerShell

Disable-HostedOutboundSpamFilterRule -Identity "Marketing Department"

This example enables the same rule.

PowerShell

Enable-HostedOutboundSpamFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Enable-HostedOutboundSpamFilterRule and
Disable-HostedOutboundSpamFilterRule.

Use PowerShell to set the priority of outbound spam filter rules

The highest priority value you can set on a rule is 0. The lowest value you can set
depends on the number of rules. For example, if you have five rules, you can use the
priority values 0 through 4. Changing the priority of an existing rule can have a
cascading effect on other rules. For example, if you have five custom rules (priorities 0
through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is
changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of an outbound spam filter rule in PowerShell, use the following
syntax:

PowerShell

Set-HostedOutboundSpamFilterRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. All existing
rules that have a priority less than or equal to 2 are decreased by 1 (their priority
numbers are increased by 1).

PowerShell

Set-HostedOutboundSpamFilterRule -Identity "Marketing Department" -Priority 2

Notes:

To set the priority of a new rule when you create it, use the Priority parameter on
the New-HostedOutboundSpamFilterRule cmdlet instead.
The outbound default spam filter policy doesn't have a corresponding spam filter
rule, and it always has the unmodifiable priority value Lowest.

Use PowerShell to remove outbound spam filter policies


When you use PowerShell to remove an outbound spam filter policy, the corresponding
outbound spam filter rule isn't removed.

To remove an outbound spam filter policy in PowerShell, use this syntax:

PowerShell

Remove-HostedOutboundSpamFilterPolicy -Identity "<PolicyName>"

This example removes the outbound spam filter policy named Marketing Department.

PowerShell

Remove-HostedOutboundSpamFilterPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-HostedOutboundSpamFilterPolicy.

Use PowerShell to remove outbound spam filter rules

When you use PowerShell to remove an outbound spam filter rule, the corresponding
outbound spam filter policy isn't removed.

To remove an outbound spam filter rule in PowerShell, use this syntax:

PowerShell

Remove-HostedOutboundSpamFilterRule -Identity "<RuleName>"

This example removes the outbound spam filter rule named Marketing Department.

PowerShell

Remove-HostedOutboundSpamFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-HostedOutboundSpamFilterRule.

For more information


Remove blocked users from the Restricted Users portal

High-risk delivery pool for outbound messages

Anti-spam protection FAQ

Auto-forwarded messages report in the EAC


Control automatic external email forwarding in Microsoft 365
Article • 12/10/2022 • 4 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

As an admin, you might have company requirements to restrict or control automatically
forwarded messages to external recipients (recipients outside of your organization).
Email forwarding can be useful, but can also pose a security risk due to the potential
disclosure of information. Attackers might use this information to attack your
organization or partners.

The following types of automatic forwarding are available in Microsoft 365:

Users can configure Inbox rules to automatically forward messages to external
senders (deliberately or as a result of a compromised account).
Admins can configure mailbox forwarding (also known as SMTP forwarding) to
automatically forward messages to external recipients. The admin can choose
whether to simply forward messages, or keep copies of forwarded messages in the
mailbox.

Note

Users with automatic forwarding from on-premises email systems through
Microsoft 365 will be subject to the same policy controls as cloud mailboxes in an
upcoming update. This update will be communicated via Message Center post.

You can use outbound spam filter policies to control automatic forwarding to external
recipients. Three settings are available:

Automatic - System-controlled: This is the default setting. This setting is now the
same as Off. When this setting was originally introduced, it was equivalent to On.
Over time, thanks to the principles of secure by default, this setting was gradually
changed to Off for all customers. For more information, see this blog post.
On: Automatic external forwarding is allowed and not restricted.
Off: Automatic external forwarding is disabled and will result in a non-delivery
report (also known as an NDR or bounce message) to the sender.

For instructions on how to configure these settings, see Configure outbound spam
filtering in EOP.

Note

Disabling automatic forwarding disables any Inbox rules (users) or mailbox
forwarding (admins) that redirect messages to external addresses.
Automatic forwarding of messages between internal users isn't affected by
the settings in outbound spam filter policies.
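As an added example (not part of the article), the following Exchange Online PowerShell functions report the automatic forwarding setting of every outbound spam filter policy together with the rule that assigns it, and optionally move policies that are still on Automatic to an explicit Off. They assume a connected Exchange Online PowerShell session; AutoForwardingMode, HostedOutboundSpamFilterPolicy and IsDefault are the cmdlets' own property names for these settings and are not named in the article.

```powershell
# Added example (not from the article): audit how each outbound spam filter policy
# handles automatic external forwarding, and which rule (priority, state) assigns it.
# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).
# AutoForwardingMode is the policy property behind the portal's "Automatic forwarding"
# setting; its values Automatic, On and Off correspond to the three settings above.

function Get-AutoForwardingPosture {
    [CmdletBinding()]
    param()

    $rules = @(Get-HostedOutboundSpamFilterRule)

    foreach ($policy in Get-HostedOutboundSpamFilterPolicy) {
        # A rule references its policy by name; the default policy has no rule.
        $rule = $rules | Where-Object { $_.HostedOutboundSpamFilterPolicy -eq $policy.Name }

        $verdict = switch ($policy.AutoForwardingMode) {
            'On'        { 'ALLOWS external auto-forwarding; confirm this is intended' }
            'Off'       { 'Blocks external auto-forwarding (explicit)' }
            'Automatic' { 'Behaves as Off today, but set On or Off explicitly for clarity' }
            default     { "Unexpected value '$($policy.AutoForwardingMode)'" }
        }

        [pscustomobject]@{
            Policy             = $policy.Name
            IsDefault          = $policy.IsDefault
            AutoForwardingMode = $policy.AutoForwardingMode
            Rule               = if ($rule) { $rule.Name } else { '(none: default policy)' }
            Priority           = if ($rule) { $rule.Priority } else { 'Lowest' }
            RuleState          = if ($rule) { $rule.State } else { 'Always applied' }
            Assessment         = $verdict
        }
    }
}

# Replace the ambiguous Automatic setting with an explicit Off on every policy
# that still uses it. Supports -WhatIf so the change can be previewed first.
function Set-ExplicitAutoForwardingOff {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    Get-HostedOutboundSpamFilterPolicy |
        Where-Object { $_.AutoForwardingMode -eq 'Automatic' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Set AutoForwardingMode to Off')) {
                Set-HostedOutboundSpamFilterPolicy -Identity $_.Name -AutoForwardingMode Off
            }
        }
}

# Usage (after Connect-ExchangeOnline):
# Get-AutoForwardingPosture | Format-Table -AutoSize
# Set-ExplicitAutoForwardingOff -WhatIf
```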

How the outbound spam filter policy settings work with other automatic email forwarding controls

As an admin, you might have already configured other controls to allow or block
automatic email forwarding. For example:

Remote domains to allow or block automatic email forwarding to some or all
external domains.
Conditions and actions in Exchange mail flow rules (also known as transport rules)
to detect and block automatically forwarded messages to external recipients.

When one setting allows external forwarding, but another setting blocks external
forwarding, the block typically wins. Examples are described in the following table:

Scenario: You configure remote domain settings to allow automatic forwarding. Automatic
forwarding in the outbound spam filter policy is set to Off.
Result: Automatically forwarded messages to recipients in the affected domains are blocked.

Scenario: You configure remote domain settings to allow automatic forwarding. Automatic
forwarding in the outbound spam filter policy is set to Automatic - System-controlled.
Result: Automatically forwarded messages to recipients in the affected domains are blocked.
As described earlier, Automatic - System-controlled used to mean On, but the setting has
changed over time to mean Off in all organizations. For absolute clarity, you should
configure your outbound spam filter policy to On or Off.

Scenario: Automatic forwarding in the outbound spam filter policy is set to On. You use mail
flow rules or remote domains to block automatically forwarded email.
Result: Automatically forwarded messages to affected recipients are blocked by mail flow
rules or remote domains.

You can use this behavior (for example) to allow automatic forwarding in outbound
spam filter policies, but use remote domains to control the external domains that users
can forward messages to.

How to find users that are automatically forwarding

You can see information about users that are automatically forwarding messages to
external recipients in the Auto forwarded messages report for cloud-based accounts. For
on-premises users that automatically forward from their on-premises email system
through Microsoft 365, you need to create a mail flow rule to track these users. For
instructions on how to create a mail flow rule, see Use the EAC to create a mail flow rule.

The following information is required to create the mail flow rule in the Exchange admin
center (EAC):

Apply this rule if (condition): A message header > matches these text patterns.
Note you might need to click More options to see this option.
Header name: X-MS-Exchange-Inbox-Rules-Loop
Header value: .

The condition looks like this: 'X-MS-Exchange-Inbox-Rules-Loop' header matches '.'

This condition will match any value for the header.

(Optional) Do the following (action): You can configure an optional action. For
example, you can use the action Modify the message properties > set a message
header, with the header name X-Forwarded and the value True. But, configuring
an action is not required.

Set Audit this rule with severity level to the value Low, Medium, or High. This
setting allows you to use the Exchange transport rule report to get details of users
that are forwarding.
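The same rule can be created from Exchange Online PowerShell. The function below is an added example, not from the article; it assumes a connected Exchange Online PowerShell session, the default rule name is a constructed placeholder, and the New-TransportRule parameters used correspond to the EAC settings listed above.

```powershell
# Added example (not from the article): create the forwarding-tracking mail flow rule
# described above with Exchange Online PowerShell instead of the EAC.
# Assumes a connected Exchange Online PowerShell session (Connect-ExchangeOnline)
# and a role that can manage mail flow rules.

function New-AutoForwardTrackingRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Constructed placeholder name; pick one that fits your naming scheme.
        [string]$Name = 'Track auto-forwarded messages',

        # Populates the Exchange transport rule report (the article's
        # "Audit this rule with severity level" setting).
        [ValidateSet('Low', 'Medium', 'High')]
        [string]$AuditSeverity = 'Low',

        # The article's optional action: stamp X-Forwarded: True on matching messages.
        [switch]$StampHeader
    )

    $params = @{
        Name = $Name
        # Condition "A message header matches these text patterns" for the
        # X-MS-Exchange-Inbox-Rules-Loop header. The pattern '.' is a regular expression
        # that matches any single character, so any non-empty header value qualifies.
        HeaderMatchesMessageHeader = 'X-MS-Exchange-Inbox-Rules-Loop'
        HeaderMatchesPatterns      = '.'
        SetAuditSeverity           = $AuditSeverity
        Comments                   = 'Records users whose Inbox rules automatically forward messages.'
    }
    if ($StampHeader) {
        $params['SetHeaderName']  = 'X-Forwarded'
        $params['SetHeaderValue'] = 'True'
    }

    if ($PSCmdlet.ShouldProcess($Name, 'Create mail flow rule')) {
        New-TransportRule @params
    }
}

# Preview, create, then confirm what was stored:
# New-AutoForwardTrackingRule -StampHeader -WhatIf
# New-AutoForwardTrackingRule -StampHeader
# Get-TransportRule -Identity 'Track auto-forwarded messages' |
#     Format-List Name, HeaderMatchesMessageHeader, HeaderMatchesPatterns,
#                 SetAuditSeverity, SetHeaderName, SetHeaderValue
```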

Blocked email forwarding messages


When a message is detected as automatically forwarded, and the outbound spam filter
policy blocks that activity, the message is returned to the sender in an NDR that contains
the following information:

5.7.520 Access denied, Your organization does not allow external forwarding. Please
contact your administrator for further assistance. AS(7555)

Outbound delivery pools
Article • 12/10/2022 • 4 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Email servers in the Microsoft 365 datacenters might be temporarily guilty of sending
spam. For example, a malware or malicious spam attack in an on-premises email
organization that sends outbound mail through Microsoft 365, or compromised
Microsoft 365 accounts, can cause this. Attackers also try to avoid detection by relaying
messages through Microsoft 365 forwarding.

These scenarios can result in the IP address of the affected Microsoft 365 datacenter
servers appearing on third-party blocklists. Destination email organizations that use
these blocklists will reject email from those Microsoft 365 message sources.

High-risk delivery pool


To prevent our IP addresses from being blocked, all outbound messages from Microsoft
365 datacenter servers that are determined to be spam are sent through the high-risk
delivery pool.

The high-risk delivery pool is a separate IP address pool for outbound email that's only
used to send "low quality" messages (for example, spam and backscatter). Using the
high-risk delivery pool helps prevent the normal IP address pool for outbound email from
sending spam. The normal IP address pool for outbound email maintains its reputation for
sending "high quality" messages, which reduces the likelihood that these IP addresses will
appear on IP blocklists.

The very real possibility that IP addresses in the high-risk delivery pool will be placed on
IP blocklists remains, but this is by design. Delivery to the intended recipients isn't
guaranteed, because many email organizations won't accept messages from the high
risk delivery pool.

For more information, see Control outbound spam.

Note

Messages where the source email domain has no A record and no MX record
defined in public DNS are always routed through the high-risk delivery pool,
regardless of their spam or sending limit disposition.

Messages that exceed the following limits are blocked, so they aren't sent through
the high-risk delivery pool:

The sending limits of the service.
Outbound spam policies where the senders are restricted from sending mail.

Bounce messages

The outbound high-risk delivery pool manages the delivery for all non-delivery reports
(also known as NDRs, bounce messages, delivery status notifications, or DSNs).

Possible causes for a surge in NDRs include:

A spoofing campaign that affects one of the customers using the service.
A directory harvest attack.
A spam attack.
A rogue email server.

All of these issues can result in a sudden increase in the number of NDRs being
processed by the service. Many times, these NDRs appear to be spam to other email
servers and services (also known as backscatter).

Relay pool

Messages that are forwarded or relayed via Microsoft 365 in certain scenarios will be
sent using a special relay pool, because the destination should not consider Microsoft
365 as the actual sender. It's important for us to isolate this email traffic, because there
are legitimate and invalid scenarios for auto forwarding or relaying email out of
Microsoft 365. Similar to the high-risk delivery pool, a separate IP address pool is used
for relayed mail. This address pool is not published because it can change often, and it's
not part of the published SPF record for Microsoft 365.

Microsoft 365 needs to verify that the original sender is legitimate so we can confidently
deliver the forwarded message.

The forwarded or relayed message should meet one of the following criteria to avoid
using the relay pool:

The outbound sender is in an accepted domain.
SPF passes when the message comes to Microsoft 365.
DKIM on the sender domain passes when the message comes to Microsoft 365.

You can tell that a message was sent via the relay pool by looking at the outbound
server IP (the relay pool will be in the 40.95.0.0/16 range), or by looking at the outbound
server name (will have "rly" in the name).
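As an added example (not part of the article), this PowerShell function applies those two indicators to a message's Received header lines. The sample headers and IP addresses are constructed, and restricting the "rly" check to outbound.protection.outlook.com host names is an assumption made here so that unrelated names are not flagged.

```powershell
# Added example (not from the article): flag Received headers that show a message left
# Microsoft 365 through the relay pool. The article gives two indicators:
#   1. the outbound server IP is in 40.95.0.0/16
#   2. the outbound server name contains "rly"
# The sample headers at the bottom are constructed for illustration, not captured traffic.

function ConvertTo-UInt32Address {
    # Big-endian IPv4 octets -> one integer, so a CIDR mask can be applied to it.
    param([Parameter(Mandatory)][string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $Ip" }
    ([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3]
}

function Test-IpInCidr {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    $net, $prefix = $Cidr.Split('/')
    # Mask with the top $prefix bits set, e.g. /16 -> 0xFFFF0000 (4294967295 = 0xFFFFFFFF;
    # written in decimal because the hex literal would be parsed as a negative Int32).
    $allOnes = [uint64]4294967295
    $mask = ($allOnes -shl (32 - [int]$prefix)) -band $allOnes
    ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)
}

function Test-RelayPoolReceived {
    # Returns one record per Received line with the evidence found in it.
    param([Parameter(Mandatory)][string[]]$ReceivedLines)

    # Typical shape: "from <HELO name> (<reverse DNS name> [<ip>]) by <next hop> ..."
    $pattern = 'from\s+(?<helo>\S+)(?:\s*\((?<rdns>[^\s\[\]()]+)?\s*\[(?<ip>\d{1,3}(?:\.\d{1,3}){3})\]\))?'

    foreach ($line in $ReceivedLines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }

        $ip    = $m.Groups['ip'].Value
        $names = @($m.Groups['helo'].Value, $m.Groups['rdns'].Value) | Where-Object { $_ }

        $ipHit = ($ip -ne '') -and (Test-IpInCidr -Ip $ip -Cidr '40.95.0.0/16')
        # Assumption: only count "rly" inside Microsoft's outbound host names, so that
        # unrelated names (e.g. early.example.com) are not flagged.
        $nameHit = [bool]($names | Where-Object {
            $_ -match 'rly' -and $_ -like '*.outbound.protection.outlook.com' })

        [pscustomobject]@{
            Header      = $line
            SendingIp   = $ip
            ServerNames = $names -join ', '
            RelayPool   = $ipHit -or $nameHit
            Evidence    = @(
                if ($ipHit)   { 'IP in 40.95.0.0/16' }
                if ($nameHit) { '"rly" in outbound server name' }
            ) -join '; '
        }
    }
}

# Constructed sample Received lines (not real traffic): the first shows both relay pool
# indicators, the second a normal outbound pool server.
$sampleReceived = @(
    'from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12rly0001.outbound.protection.outlook.com [40.95.10.20]) by mx.fabrikam.example; Mon, 5 Dec 2022 10:00:00 +0000',
    'from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on2105.outbound.protection.outlook.com [40.107.100.105]) by mx.fabrikam.example; Mon, 5 Dec 2022 10:00:01 +0000'
)
Test-RelayPoolReceived -ReceivedLines $sampleReceived | Format-Table RelayPool, SendingIp, Evidence -AutoSize
```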

In cases where we can authenticate the sender, we use Sender Rewriting Scheme (SRS)
to help the recipient email system know that the forwarded message is from a trusted
source. You can read more about how that works and what you can do to help make
sure the sending domain passes authentication in Sender Rewriting Scheme (SRS) in
Office 365.

For DKIM to work, make sure you enable DKIM for the sending domain. For example,
fabrikam.com is part of contoso.com and is defined in the accepted domains of the
organization. If the message sender is sender@fabrikam.com, DKIM needs to be
enabled for fabrikam.com. You can read how to enable it in Use DKIM to validate
outbound email sent from your custom domain.

To add a custom domain, follow the steps in Add a domain to Microsoft 365.

If the MX record for your domain points to a third party service or an on-premises email
server, you should use Enhanced Filtering for Connectors. Enhanced Filtering ensures
SPF validation is correct for inbound mail and will avoid sending email through the relay
pool.

Anti-phishing protection in Microsoft 365
Article • 12/10/2022 • 3 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Phishing is an email attack that tries to steal sensitive information in messages that
appear to be from legitimate or trusted senders. There are specific categories of
phishing. For example:

Spear phishing uses focused, customized content that's specifically tailored to the
targeted recipients (typically, after reconnaissance on the recipients by the
attacker).

Whaling is directed at executives or other high value targets within an
organization for maximum effect.

Business email compromise (BEC) uses forged trusted senders (financial officers,
customers, trusted partners, etc.) to trick recipients into approving payments,
transferring funds, or revealing customer data. Learn more by watching this video.

Ransomware that encrypts your data and demands payment to decrypt it almost
always starts out in phishing messages. Anti-phishing protection can't help you
decrypt encrypted files, but it can help detect the initial phishing messages that are
associated with the ransomware campaign. For more information about recovering
from a ransomware attack, see Recover from a ransomware attack in Microsoft
365.

With the growing complexity of attacks, it's even difficult for trained users to identify
sophisticated phishing messages. Fortunately, Exchange Online Protection (EOP) and the
additional features in Microsoft Defender for Office 365 can help.

Anti-phishing protection in EOP


EOP (that is, Microsoft 365 organizations without Microsoft Defender for Office 365)
contains features that can help protect your organization from phishing threats:

Spoof intelligence: Use the spoof intelligence insight to review detected spoofed
senders in messages from external and internal domains, and manually allow or
block those detected senders. For more information, see Spoof intelligence insight
in EOP.

Anti-phishing policies in EOP: Turn spoof intelligence on or off, turn
unauthenticated sender indicators in Outlook on or off, and specify the action for
blocked spoofed senders. For more information, see Configure anti-phishing
policies in EOP.

Allow or block spoofed senders in the Tenant Allow/Block List: When you
override the verdict in the spoof intelligence insight, the spoofed sender becomes
a manual allow or block entry that only appears on the Spoofed senders tab in the
Tenant Allow/Block List. You can also manually create allow or block entries for
spoof senders before they're detected by spoof intelligence. For more information,
see Manage the Tenant Allow/Block List in EOP.

Implicit email authentication: EOP enhances standard email authentication checks
for inbound email (SPF, DKIM, and DMARC) with sender reputation, sender history,
recipient history, behavioral analysis, and other advanced techniques to help
identify forged senders. For more information, see Email authentication in
Microsoft 365.

Additional anti-phishing protection in Microsoft Defender for Office 365

Microsoft Defender for Office 365 contains additional and more advanced anti-phishing
features:

Anti-phishing policies in Microsoft Defender for Office 365: Configure
impersonation protection settings for specific message senders and sender
domains, mailbox intelligence settings, and adjustable advanced phishing
thresholds. For more information, see Configure anti-phishing policies in Microsoft
Defender for Office 365. For more information about the differences between anti-
phishing policies in EOP and anti-phishing policies in Defender for Office 365, see
Anti-phishing policies in Microsoft 365.
Campaign Views: Machine learning and other heuristics identify and analyze
messages that are involved in coordinated phishing attacks against the entire
service and your organization. For more information, see Campaign Views in
Microsoft Defender for Office 365.
Attack simulation training: Admins can create fake phishing messages and send
them to internal users as an education tool. For more information, see Simulate a
phishing attack.

Other anti-phishing resources


For end users: Protect yourself from phishing schemes and other forms of online fraud.

How Microsoft 365 validates the From address to prevent phishing.


Anti-phishing policies in Microsoft 365
Article • 12/22/2022 • 17 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Policies to configure anti-phishing protection settings are available in Microsoft 365
organizations with Exchange Online mailboxes, standalone Exchange Online Protection
(EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for
Office 365 organizations.

Examples of Microsoft Defender for Office 365 organizations include:

Microsoft 365 Enterprise E5, Microsoft 365 Education A5, etc.
Microsoft 365 Enterprise
Microsoft 365 Business
Microsoft Defender for Office 365 as an add-on

The high-level differences between anti-phishing policies in EOP and anti-phishing
policies in Defender for Office 365 are described in the following table:

Feature                              | Anti-phishing policies in EOP | Anti-phishing policies in Defender for Office 365
Automatically created default policy | Yes                           | Yes
Create custom policies               | Yes                           | Yes
Common policy settings*              | Yes                           | Yes
Spoof settings                       | Yes                           | Yes
First contact safety tip             | Yes                           | Yes
Impersonation settings               | No                            | Yes
Advanced phishing thresholds         | No                            | Yes

* In the default policy, the policy name, and description are read-only (the description is
blank), and you can't specify who the policy applies to (the default policy applies to all
recipients).

To configure anti-phishing policies, see the following articles:

Configure anti-phishing policies in EOP
Configure anti-phishing policies in Microsoft Defender for Office 365

The rest of this article describes the settings that are available in anti-phishing policies in
EOP and Defender for Office 365.

Common policy settings


The following policy settings are available in anti-phishing policies in EOP and Defender
for Office 365:

Name: You can't rename the default anti-phishing policy. After you create a
custom anti-phishing policy, you can't rename the policy in the Microsoft 365
Defender portal.

Description: You can't add a description to the default anti-phishing policy, but you
can add and change the description for custom policies that you create.

Users, groups, and domains: Identifies internal recipients that the anti-phishing
policy applies to. This value is required in custom policies, and not available in the
default policy (the default policy applies to all recipients).

You can only use a condition or exception once, but you can specify multiple
values for the condition or exception. Multiple values of the same condition or
exception use OR logic (for example, <recipient1> or <recipient2>). Different
conditions or exceptions use AND logic (for example, <recipient1> and <member
of group 1>).

Users: One or more mailboxes, mail users, or mail contacts in your organization.

Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.

Domains: One or more of the configured accepted domains in Microsoft 365.

Exclude these users, groups, and domains: Exceptions for the policy. The
settings and behavior are exactly like the conditions:
Users
Groups
Domains

Note

At least one selection in the Users, groups, and domains settings is required
in custom anti-phishing policies to identify the message recipients that the
policy applies to. Anti-phishing policies in Defender for Office 365 also have
impersonation settings where you can specify individual sender email
addresses or sender domains that will receive impersonation protection as
described later in this article.

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The policy is applied only to those recipients that match all of the
specified recipient filters. For example, you configure a recipient filter
condition in the policy with the following values:
Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy is not
applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.

Spoof settings

Spoofing is when the From address in an email message (the sender address that's
shown in email clients) doesn't match the domain of the email source. For more
information about spoofing, see Anti-spoofing protection in Microsoft 365.

The following spoof settings are available in anti-phishing policies in EOP and Defender
for Office 365:

Enable spoof intelligence: Turns spoof intelligence on or off. We recommend that
you leave it turned on.

When spoof intelligence is enabled, the spoof intelligence insight shows spoofed
senders that were automatically detected and allowed or blocked by spoof
intelligence. You can manually override the spoof intelligence verdict to allow or
block the detected spoofed senders from within the insight. But when you do, the
spoofed sender disappears from the spoof intelligence insight, and is now visible
only on the Spoofed senders tab in the Tenant Allow/Block List. You can also
manually create allow or block entries for spoofed senders in the Tenant
Allow/Block List. For more information, see the following articles:
Spoof intelligence insight in EOP
Manage the Tenant Allow/Block List in EOP

Note

Anti-spoofing protection is enabled by default in the default anti-phishing
policy and in any new custom anti-phishing policies that you create.
You don't need to disable anti-spoofing protection if your MX record
doesn't point to Microsoft 365; you enable Enhanced Filtering for
Connectors instead. For instructions, see Enhanced Filtering for
Connectors in Exchange Online.
Disabling anti-spoofing protection only disables implicit spoofing
protection from composite authentication checks. If the sender fails
explicit DMARC checks where the policy is set to quarantine or reject, the
message is still quarantined or rejected.

Unauthenticated sender indicators: Available in the Safety tips & indicators
section only when spoof intelligence is turned on. See the details in the next
section.

Actions: For messages from blocked spoofed senders (automatically blocked by
spoof intelligence or manually blocked in the Tenant Allow/Block list), you can also
specify the action to take on the messages:

Move messages to the recipients' Junk Email folders: This is the default value.
The message is delivered to the mailbox and moved to the Junk Email folder.
For more information, see Configure junk email settings on Exchange Online
mailboxes in Microsoft 365.

Quarantine the message: Sends the message to quarantine instead of the
intended recipients. For information about quarantine, see the following articles:
Quarantine in Microsoft 365
Manage quarantined messages and files as an admin in Microsoft 365
Find and release quarantined messages as a user in Microsoft 365

If you select Quarantine the message, you can also select the quarantine policy
that applies to messages that were quarantined by spoof intelligence
protection. Quarantine policies define what users are able to do to quarantined
messages, and whether users receive quarantine notifications. For more
information, see Quarantine policies.

Unauthenticated sender indicators


Unauthenticated sender indicators are part of the Spoof settings that are available in the
Safety tips & indicators section in anti-phishing policies in both EOP and Defender for
Office 365. The following settings are available only when spoof intelligence is turned
on:

Show (?) for unauthenticated senders for spoof: Adds a question mark to the
sender's photo in the From box if the message does not pass SPF or DKIM checks
and the message does not pass DMARC or composite authentication. When this
setting is turned off, the question mark isn't added to the sender's photo.

Show "via" tag: Adds the via tag (chris@contoso.com via fabrikam.com) in the
From box if the domain in the From address (the message sender that's displayed
in email clients) is different from the domain in the DKIM signature or the MAIL
FROM address. For more information about these addresses, see An overview of
email message standards.

To prevent the question mark or via tag from being added to messages from specific
senders, you have the following options:

Allow the spoofed sender in the spoof intelligence insight or manually in the
Tenant Allow/Block List. Allowing the spoofed sender will prevent the via tag from
appearing in messages from the sender, even if the Show "via" tag setting is
turned on in the policy.
Configure email authentication for the sender domain.
For the question mark in the sender's photo, SPF or DKIM are the most
important.
For the via tag, confirm the domain in the DKIM signature or the MAIL FROM
address matches (or is a subdomain of) the domain in the From address.

For more information, see Identify suspicious messages in Outlook.com and Outlook on
the web.

First contact safety tip


The Show first contact safety tip setting is available in EOP and Defender for Office
365 organizations, and has no dependency on spoof intelligence or impersonation
protection settings. The safety tip is shown to recipients in the following scenarios:

The first time they get a message from a sender.
They don't often get messages from the sender.

This capability adds an extra layer of security protection against potential impersonation
attacks, so we recommend that you turn it on.

The first contact safety tip also replaces the need to create mail flow rules (also known
as transport rules) that add the header named X-MS-Exchange-EnableFirstContactSafetyTip
with the value Enable to messages (although this capability is still available).

Note

If the message has multiple recipients, whether the tip is shown and to whom is
based on a majority model. If the majority of recipients have never or don't often
receive messages from the sender, then the affected recipients will receive the
Some people who received this message... tip. If you're concerned that this
behavior exposes the communication habits of one recipient to another, you
should not enable the first contact safety tip and continue to use mail flow rules
instead.

Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365

This section describes the policy settings that are only available in anti-phishing policies
in Defender for Office 365.

7 Note

The default anti-phishing policy in Defender for Office 365 provides spoof
protection and mailbox intelligence for all recipients. However, the other available
impersonation protection features and advanced settings are not configured or
enabled in the default policy. To enable all protection features, modify the default
anti-phishing policy or create additional anti-phishing policies.

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

Impersonation is where the sender or the sender's email domain in a message looks similar to a real sender or domain:

An example impersonation of the domain contoso.com is ćóntoso.com.
User impersonation is the combination of the user's display name and email address. For example, Valeria Barrios (vbarrios@contoso.com) might be impersonated as Valeria Barrios, but with a completely different email address.

Note

Impersonation protection looks for domains that are similar. For example, if your domain is contoso.com, we check for different top-level domains (.com, .biz, etc.) as impersonation attempts, but also domains that are even somewhat similar. For example, contosososo.com or contoabcdef.com might be seen as impersonation attempts of contoso.com.

An impersonated domain might otherwise be considered legitimate (registered domain, configured email authentication records, etc.), except its intent is to deceive recipients.

The following impersonation settings are only available in anti-phishing policies in Defender for Office 365:

Enable users to protect: Prevents the specified internal or external email addresses from being impersonated as message senders. For example, you receive an email message from the Vice President of your company asking you to send her some internal company information. Would you do it? Many people would send the reply without thinking.

You can use protected users to add internal and external sender email addresses to protect from impersonation. This list of senders that are protected from user impersonation is different from the list of recipients that the policy applies to (all recipients for the default policy; specific recipients as configured in the Users, groups, and domains setting in the Common policy settings section).

Note

In each anti-phishing policy, you can specify a maximum of 350 protected users (sender email addresses). You can't specify the same protected user in multiple policies. So, regardless of how many policies apply to a recipient, the maximum number of protected users (sender email addresses) for each individual recipient is 350. For more information about policy priority and how policy processing stops after the first policy is applied, see Order and precedence of email protection.

By default, no sender email addresses are configured for impersonation protection in Users to protect. Therefore, by default, no sender email addresses are covered by impersonation protection, either in the default policy or in custom policies.

When you add internal or external email addresses to the Users to protect list, messages from those senders are subject to impersonation protection checks. The message is checked for impersonation if the message is sent to a recipient that the policy applies to (all recipients for the default policy; Users, groups, and domains recipients in custom policies). If impersonation is detected in the sender's email address, the impersonation protection actions for users are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).
Enable domains to protect: Prevents the specified domains from being impersonated in the message sender's domain. For example, all domains that you own (accepted domains) or specific custom domains (domains you own or partner domains). This list of sender domains that are protected from impersonation is different from the list of recipients that the policy applies to (all recipients for the default policy; specific recipients as configured in the Users, groups, and domains setting in the Common policy settings section).

Note

You can specify a maximum of 50 custom domains in each anti-phishing policy.

By default, no sender domains are configured for impersonation protection in Enable domains to protect. Therefore, by default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.

When you add domains to the Enable domains to protect list, messages from senders in those domains are subject to impersonation protection checks. The message is checked for impersonation if the message is sent to a recipient that the policy applies to (all recipients for the default policy; Users, groups, and domains recipients in custom policies). If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message (what to do with the message, whether to show impersonated domains safety tips, etc.).

Actions: Choose the action to take on inbound messages that contain impersonation attempts against the protected users and protected domains in the policy. You can specify different actions for impersonation of protected users vs. impersonation of protected domains:

Don't apply any action
Redirect message to other email addresses: Sends the message to the specified recipients instead of the intended recipients.
Move messages to the recipients' Junk Email folders: The message is delivered to the mailbox and moved to the Junk Email folder. For more information, see Configure junk email settings on Exchange Online mailboxes in Microsoft 365.
Quarantine the message: Sends the message to quarantine instead of the intended recipients. For information about quarantine, see the following articles:
Quarantine in Microsoft 365
Manage quarantined messages and files as an admin in Microsoft 365
Find and release quarantined messages as a user in Microsoft 365

If you select Quarantine the message, you can also select the quarantine policy that applies to messages that are quarantined by user impersonation or domain impersonation protection. Quarantine policies define what users are able to do to quarantined messages. For more information, see Quarantine policies.

Deliver the message and add other addresses to the Bcc line: Delivers the message to the intended recipients and silently delivers the message to the specified recipients.
Delete the message before it's delivered: Silently deletes the entire message, including all attachments.

Impersonation safety tips: Turn on or turn off the following impersonation safety tips that appear in messages that fail impersonation checks:
Show tip for impersonated users: The From address contains an Enable users to protect user. Available only if Enable users to protect is turned on and configured.
Show tip for impersonated domains: The From address contains an Enable domains to protect domain. Available only if Enable domains to protect is turned on and configured.
Show tip for unusual characters: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in an Enable users to protect sender or an Enable domains to protect sender domain. Available only if Enable users to protect or Enable domains to protect is turned on and configured.

Enable mailbox intelligence: Enables or disables artificial intelligence (AI) that determines user email patterns with their frequent contacts. This setting helps the AI distinguish between messages from legitimate and impersonated senders.

For example, Gabriela Laureano (glaureano@contoso.com) is the CEO of your company, so you add her as a protected sender in the Enable users to protect settings of the policy. But some of the recipients that the policy applies to communicate regularly with a vendor who is also named Gabriela Laureano (glaureano@fabrikam.com). Because those recipients have a communication history with glaureano@fabrikam.com, mailbox intelligence doesn't identify messages from glaureano@fabrikam.com as an impersonation attempt of glaureano@contoso.com for those recipients.

To use frequent contacts that were learned by mailbox intelligence (and lack thereof) to help protect users from impersonation attacks, you can turn on Enable intelligence impersonation protection after you turn on Enable mailbox intelligence.

Note

Mailbox intelligence protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt by mailbox intelligence.

Enable intelligence impersonation protection: Turn on this setting to specify the action to take on messages for impersonation detections from mailbox intelligence results:
Don't apply any action: Note that this value has the same result as turning on Mailbox intelligence but turning off Enable intelligence impersonation protection.
Redirect message to other email addresses
Move message to the recipients' Junk Email folders
Quarantine the message: If you select this action, you can also select the quarantine policy that applies to messages that are quarantined by mailbox intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Quarantine policies.
Deliver the message and add other addresses to the Bcc line
Delete the message before it's delivered

Add trusted senders and domains: Exceptions to the impersonation protection settings. Messages from the specified senders and sender domains are never classified as impersonation-based attacks by the policy. In other words, the actions for protected senders, protected domains, or mailbox intelligence protection aren't applied to these trusted senders or sender domains. The maximum limit for these lists is 1024 entries.

Note

If Microsoft 365 system messages from the following senders are identified as impersonation attempts, you can add the senders to the trusted senders list:
noreply@email.teams.microsoft.com
noreply@emeaemail.teams.microsoft.com
no-reply@sharepointonline.com

Trusted domain entries don't include subdomains of the specified domain. You need to add an entry for each subdomain.

Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365

The following advanced phishing thresholds are only available in anti-phishing policies in Defender for Office 365. These thresholds control the sensitivity for applying machine learning models to messages to determine a phishing verdict:

1 - Standard: This is the default value. The severity of the action that's taken on the message depends on the degree of confidence that the message is phishing (low, medium, high, or very high confidence). For example, messages that are identified as phishing with a very high degree of confidence have the most severe actions applied, while messages that are identified as phishing with a low degree of confidence have less severe actions applied.
2 - Aggressive: Messages that are identified as phishing with a high degree of confidence are treated as if they were identified with a very high degree of confidence.
3 - More aggressive: Messages that are identified as phishing with a medium or high degree of confidence are treated as if they were identified with a very high degree of confidence.
4 - Most aggressive: Messages that are identified as phishing with a low, medium, or high degree of confidence are treated as if they were identified with a very high degree of confidence.

The chance of false positives (good messages marked as bad) increases as you increase this setting. For information about the recommended settings, see Anti-phishing policy in Microsoft Defender for Office 365 settings.
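The impersonation, mailbox intelligence, trusted sender and phishing threshold settings described above, combined into one Exchange Online PowerShell script. This is an added example, not code from the article: it assumes an already connected Exchange Online PowerShell session, the parameter names beyond those quoted in this article (TargetedUsersToProtect, PhishThresholdLevel and the others) are taken from the New-AntiPhishPolicy cmdlet reference rather than from this page, and the policy name, users, domains and group are constructed sample values.

```powershell
# Added example; not code from the Microsoft article. Builds one Defender for
# Office 365 anti-phish policy with the settings described above, after checking
# the protected-user, protected-domain and trusted lists against the limits the
# article states. Assumes Connect-ExchangeOnline has already been run.
# All names, addresses, domains and the group below are constructed samples.

# Per-policy limits stated in the article.
$MaxProtectedUsers   = 350
$MaxProtectedDomains = 50
$MaxTrustedEntries   = 1024

function Test-ImpersonationLists {
    # Returns $true when every list is within its limit and every protected user
    # entry uses the "DisplayName;EmailAddress" form that TargetedUsersToProtect
    # expects; otherwise throws with the first problem found.
    param(
        [string[]]$ProtectedUsers   = @(),
        [string[]]$ProtectedDomains = @(),
        [string[]]$TrustedSenders   = @(),
        [string[]]$TrustedDomains   = @()
    )
    if ($ProtectedUsers.Count -gt $MaxProtectedUsers) {
        throw "Protected users: $($ProtectedUsers.Count) entries, limit is $MaxProtectedUsers per policy."
    }
    if ($ProtectedDomains.Count -gt $MaxProtectedDomains) {
        throw "Custom protected domains: $($ProtectedDomains.Count) entries, limit is $MaxProtectedDomains per policy."
    }
    foreach ($list in @(@{ Name = 'Trusted senders'; Items = $TrustedSenders },
                        @{ Name = 'Trusted domains'; Items = $TrustedDomains })) {
        if ($list.Items.Count -gt $MaxTrustedEntries) {
            throw "$($list.Name): $($list.Items.Count) entries, limit is $MaxTrustedEntries."
        }
    }
    foreach ($entry in $ProtectedUsers) {
        if ($entry -notmatch '^[^;]+;[^;@\s]+@[^;@\s]+$') {
            throw "Protected user '$entry' must be in the form DisplayName;EmailAddress."
        }
    }
    return $true
}

# Sample lists (constructed). The protected users reuse the article's example
# names; the partner domain is protected explicitly, while the organization's
# own accepted domains are covered by EnableOrganizationDomainsProtection.
$protectedUsers   = @('Gabriela Laureano;glaureano@contoso.com',
                      'Valeria Barrios;vbarrios@contoso.com')
$protectedDomains = @('fabrikam.com')
$trustedSenders   = @('noreply@email.teams.microsoft.com',
                      'noreply@emeaemail.teams.microsoft.com',
                      'no-reply@sharepointonline.com')
# A trusted domain entry does not cover its subdomains, so each one is listed.
$trustedDomains   = @('partner.example', 'mail.partner.example')

$null = Test-ImpersonationLists -ProtectedUsers $protectedUsers -ProtectedDomains $protectedDomains `
                                -TrustedSenders $trustedSenders -TrustedDomains $trustedDomains

$policy = @{
    Name                                = 'Executives Impersonation'
    AdminDisplayName                    = 'Impersonation protection for executives and partners'
    # Spoof settings (the same parameters the EOP syntax later in this page shows).
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
    EnableFirstContactSafetyTips        = $true
    # Users to protect, with the action for user impersonation.
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    # Domains to protect: all accepted domains plus the custom list.
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $protectedDomains
    TargetedDomainProtectionAction      = 'Quarantine'
    # Mailbox intelligence, and the action for its impersonation detections.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    # Impersonation safety tips.
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    # Trusted senders and domains (exceptions to impersonation protection).
    ExcludedSenders                     = $trustedSenders
    ExcludedDomains                     = $trustedDomains
    # Advanced phishing threshold: 2 = Aggressive.
    PhishThresholdLevel                 = 2
}
New-AntiPhishPolicy @policy

# The policy does not appear in the portal until a rule assigns it to recipients.
New-AntiPhishRule -Name 'Executives Impersonation' `
                  -AntiPhishPolicy 'Executives Impersonation' `
                  -SentToMemberOf 'Executives'

# Confirm what was stored.
Get-AntiPhishPolicy -Identity 'Executives Impersonation' |
    Format-List Name, EnableTargetedUserProtection, TargetedUsersToProtect,
                TargetedDomainsToProtect, EnableMailboxIntelligenceProtection,
                ExcludedSenders, ExcludedDomains, PhishThresholdLevel
```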
Configure anti-phishing policies in EOP
Article • 12/14/2022 • 19 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, there's a default anti-phishing policy that contains a limited number of anti-spoofing features that are enabled by default. For more information, see Spoof settings in anti-phishing policies.

Admins can view, edit, and configure (but not delete) the default anti-phishing policy. For greater granularity, you can also create custom anti-phishing policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.

Organizations with Exchange Online mailboxes can configure anti-phishing policies in the Microsoft 365 Defender portal or in Exchange Online PowerShell. Standalone EOP organizations can only use the Microsoft 365 Defender portal.

For information about creating and modifying the more advanced anti-phishing policies that are available in Microsoft Defender for Office 365, see Configure anti-phishing policies in Microsoft Defender for Office 365.

The basic elements of an anti-phishing policy are:

The anti-phish policy: Specifies the phishing protections to enable or disable, and the actions to apply.
The anti-phish rule: Specifies the priority and recipient filters (who the policy applies to) for an anti-phish policy.

The difference between these two elements isn't obvious when you manage anti-phishing policies in the Microsoft 365 Defender portal:

When you create an anti-phishing policy, you're actually creating an anti-phish rule and the associated anti-phish policy at the same time using the same name for both.
When you modify an anti-phishing policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the anti-phish rule. All other settings modify the associated anti-phish policy.
When you remove an anti-phishing policy, the anti-phish rule and the associated anti-phish policy are removed.

In Exchange Online PowerShell, you manage the policy and the rule separately. For more information, see the Use Exchange Online PowerShell to configure anti-phishing policies section later in this article.

Every organization has a built-in anti-phishing policy named Office365 AntiPhish Default that has these properties:

The policy is applied to all recipients in the organization, even though there's no anti-phish rule (recipient filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is always applied last). Any custom policies that you create always have a higher priority.
The policy is the default policy (the IsDefault property has the value True), and you can't delete the default policy.

To increase the effectiveness of anti-phishing protection, you can create custom anti-phishing policies with stricter settings that are applied to specific users or groups of users.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Anti-phishing page, use https://security.microsoft.com/antiphishing.

To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

You can't manage anti-phishing policies in standalone EOP PowerShell.

You need to be assigned permissions in Exchange Online before you can do the procedures in this article:
To add, modify, and delete anti-phishing policies, you need to be a member of the Organization Management or Security Administrator role groups.
For read-only access to anti-phishing policies, you need to be a member of the Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions and permissions for other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also gives read-only access to the feature.

For our recommended settings for anti-phishing policies, see EOP anti-phishing policy settings.

Allow up to 30 minutes for the updated policy to be applied.

For information about where anti-phishing policies are applied in the filtering pipeline, see Order and precedence of email protection.

Use the Microsoft 365 Defender portal to create anti-phishing policies

Creating a custom anti-phishing policy in the Microsoft 365 Defender portal creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section. To go directly to the Anti-phishing page, use https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, click Create.

3. The policy wizard opens. On the Policy name page, configure these settings:

Name: Enter a unique, descriptive name for the policy.
Description: Enter an optional description for the policy.

When you're finished, click Next.

4. On the Users, groups, and domains page that appears, identify the internal recipients that the policy applies to (recipient conditions):
Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your organization.

Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove next to the value.

For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (*) by itself to see all available values.

Multiple values in the same condition use OR logic (for example, <recipient1> or <recipient2>). Different conditions use AND logic (for example, <recipient1> and <member of group 1>).

Exclude these users, groups, and domains: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.

Important

Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied only to those recipients that match all of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com only if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

When you're finished, click Next.

5. On the Phishing threshold & protection page that appears, use the Enable spoof intelligence check box to turn spoof intelligence on or off. The default value is on (selected), and we recommend that you leave it on. You configure the action to take on blocked spoofed messages on the next page.

To turn off spoof intelligence, clear the check box.

Note

You don't need to turn off anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see Enhanced Filtering for Connectors in Exchange Online.

When you're finished, click Next.

6. On the Actions page that appears, configure the following settings:

If message is detected as spoof: This setting is available only if you selected Enable spoof intelligence on the previous page. Select one of the following actions in the drop down list for messages from blocked spoofed senders:

Move message to the recipients' Junk Email folders
Quarantine the message: If you select this action, an Apply quarantine policy box appears where you select the quarantine policy that applies to messages that are quarantined by spoof intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Quarantine policies.

A blank Apply quarantine policy value means the default quarantine policy is used (DefaultFullAccessPolicy for spoof intelligence detections). When you later edit the anti-phishing policy or view the settings, the default quarantine policy name is shown. For more information about default quarantine policies that are used for supported protection filtering verdicts, see this table.

Safety tips & indicators:
Show first contact safety tip: For more information, see First contact safety tip.
Show (?) for unauthenticated senders for spoof*: Adds a question mark (?) to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks and the message does not pass DMARC or composite authentication.
Show "via" tag*: Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the MAIL FROM address.

To turn on a setting, select the check box. To turn it off, clear the check box.

* This setting is available only if you selected Enable spoof intelligence on the previous page. For more information, see Unauthenticated sender indicators.

When you're finished, click Next.

7. On the Review page that appears, review your settings. You can select Edit in each section to modify the settings within the section. Or you can click Back or select the specific page in the wizard.

When you're finished, click Submit.

8. On the confirmation page that appears, click Done.

Use the Microsoft 365 Defender portal to view anti-phishing policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section. To go directly to the Anti-phishing page, use https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, the following properties are displayed in the list of policies:

Name
Status
Priority
Last modified

3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.

Use the Microsoft 365 Defender portal to modify anti-phishing policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section. To go directly to the Anti-phishing page, use https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, select a policy from the list by clicking on the name.

3. In the policy details flyout that appears, select Edit in each section to modify the settings within the section. For more information about the settings, see the Use the Microsoft 365 Defender portal to create anti-phishing policies section earlier in this article.

For the default anti-phishing policy, the Users, groups, and domains section isn't available (the policy applies to everyone), and you can't rename the policy.

To enable or disable a policy or set the policy priority order, see the following sections.
Enable or disable custom anti-phishing policies

You can't disable the default anti-phishing policy.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section. To go directly to the Anti-phishing page, use https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, select a custom policy from the list by clicking on the name.

3. At the top of the policy details flyout that appears, you'll see one of the following values:

Policy off: To turn on the policy, click Turn on.
Policy on: To turn off the policy, click Turn off.

4. In the confirmation dialog that appears, click Turn on or Turn off.

5. Click Close in the policy details flyout.

Back on the main policy page, the Status value of the policy will be On or Off.
Set the priority of custom anti-phishing policies

By default, anti-phishing policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.

To change the priority of a policy, you click Increase priority or Decrease priority in the properties of the policy (you can't directly modify the Priority number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.

Notes:

In the Microsoft 365 Defender portal, you can only change the priority of the anti-phishing policy after you create it. In PowerShell, you can override the default priority when you create the anti-phish rule (which can affect the priority of existing rules).
Anti-phishing policies are processed in the order that they're displayed (the first policy has the Priority value 0). The default anti-phishing policy has the priority value Lowest, and you can't change it.
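To make the recipient filter rules from the Important note in the create procedure (OR within a condition type, AND across condition types, exceptions evaluated the same way) and the priority rules above (first matching enabled rule wins, default policy last) concrete, here is an added PowerShell model of that evaluation. It is not the service's code or code from the article; the rules, recipients and group memberships are constructed sample data, and the romain@contoso.com / Executives case is the article's own example.

```powershell
# Added example; not code from the Microsoft article or the service. Models how
# recipient conditions, exceptions and rule priority decide which anti-phish
# policy applies to a recipient. The rules, recipients and group memberships
# below are constructed sample data.

function Test-RecipientFilter {
    # $Filter is a hashtable with optional Users, Groups and Domains arrays.
    # Values inside one condition type use OR; different condition types use
    # AND; a filter with no condition types configured matches nobody, which is
    # how an unconfigured exception block behaves.
    param([hashtable]$Filter, [pscustomobject]$Recipient)

    $results = @()
    if ($Filter.ContainsKey('Users')) {
        $results += [bool]($Filter.Users -contains $Recipient.Email)
    }
    if ($Filter.ContainsKey('Groups')) {
        $inGroup = @($Filter.Groups | Where-Object { $Recipient.Groups -contains $_ }).Count -gt 0
        $results += $inGroup
    }
    if ($Filter.ContainsKey('Domains')) {
        $domain = ($Recipient.Email -split '@')[-1]
        $results += [bool]($Filter.Domains -contains $domain)
    }
    if ($results.Count -eq 0) { return $false }
    return ($results -notcontains $false)
}

function Get-EffectiveAntiPhishPolicy {
    # Enabled rules are evaluated in ascending Priority (0 first). Processing
    # stops at the first rule whose conditions match and whose exceptions do
    # not; if nothing matches, the default policy (priority Lowest) applies.
    param([object[]]$Rules, [pscustomobject]$Recipient)

    $ordered = $Rules | Where-Object { $_.State -eq 'Enabled' } | Sort-Object Priority
    foreach ($rule in $ordered) {
        $matched  = Test-RecipientFilter -Filter $rule.Conditions -Recipient $Recipient
        $excluded = Test-RecipientFilter -Filter $rule.Exceptions -Recipient $Recipient
        if ($matched -and -not $excluded) { return $rule.AntiPhishPolicy }
    }
    return 'Office365 AntiPhish Default'
}

# Constructed rules. "All Contoso" covers the contoso.com accepted domain but,
# as in the article's example, excludes romain@contoso.com only when he is also
# an Executives member; "Executives" then picks him up at the next priority.
# The disabled rule shows that State is checked before priority order.
$rules = @(
    [pscustomobject]@{
        Name = 'All Contoso'; AntiPhishPolicy = 'Contoso Standard'; Priority = 0; State = 'Enabled'
        Conditions = @{ Domains = @('contoso.com') }
        Exceptions = @{ Users = @('romain@contoso.com'); Groups = @('Executives') }
    }
    [pscustomobject]@{
        Name = 'Executives'; AntiPhishPolicy = 'Executives Strict'; Priority = 1; State = 'Enabled'
        Conditions = @{ Users = @('romain@contoso.com'); Groups = @('Executives') }
        Exceptions = @{}
    }
    [pscustomobject]@{
        Name = 'Retired rule'; AntiPhishPolicy = 'Old Policy'; Priority = 2; State = 'Disabled'
        Conditions = @{ Domains = @('contoso.com', 'tailspintoys.com') }
        Exceptions = @{}
    }
)

$recipients = @(
    [pscustomobject]@{ Label = 'Romain, in Executives';     Email = 'romain@contoso.com';   Groups = @('Executives') }
    [pscustomobject]@{ Label = 'Romain, not in Executives'; Email = 'romain@contoso.com';   Groups = @() }
    [pscustomobject]@{ Label = 'Ana, in Executives';        Email = 'ana@contoso.com';      Groups = @('Executives') }
    [pscustomobject]@{ Label = 'Bob at Tailspin Toys';      Email = 'bob@tailspintoys.com'; Groups = @() }
)

foreach ($r in $recipients) {
    $policy = Get-EffectiveAntiPhishPolicy -Rules $rules -Recipient $r
    Write-Output ("{0,-28} -> {1}" -f $r.Label, $policy)
}
```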

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section. To go directly to the Anti-phishing page, use https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, select a custom policy from the list by clicking on the name.

3. At the top of the policy details flyout that appears, you'll see Increase priority or Decrease priority based on the current priority value and the number of custom policies:

The policy with the Priority value 0 has only the Decrease priority option available.
The policy with the lowest Priority value (for example, 3) has only the Increase priority option available.
If you have three or more policies, the policies between the highest and lowest priority values have both the Increase priority and Decrease priority options available.

Click Increase priority or Decrease priority to change the Priority value.

4. When you're finished, click Close in the policy details flyout.

Use the Microsoft 365 Defender portal to remove custom anti-phishing policies

When you use the Microsoft 365 Defender portal to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section. To go directly to the Anti-phishing page, use https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, select a custom policy from the list by clicking on the name.

3. At the top of the policy details flyout that appears, click More actions > Delete policy.

4. In the confirmation dialog that appears, click Yes.

Use Exchange Online PowerShell to configure anti-phishing policies

As previously described, an anti-phishing policy consists of an anti-phish policy and an anti-phish rule.

In Exchange Online PowerShell, the difference between anti-phish policies and anti-phish rules is apparent. You manage anti-phish policies by using the *-AntiPhishPolicy cmdlets, and you manage anti-phish rules by using the *-AntiPhishRule cmdlets.

In PowerShell, you create the anti-phish policy first, then you create the anti-phish rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the anti-phish policy and the anti-phish rule separately.
When you remove an anti-phish policy from PowerShell, the corresponding anti-phish rule isn't automatically removed, and vice versa.

Note

The following PowerShell procedures aren't available in standalone EOP organizations using Exchange Online Protection PowerShell.

Use PowerShell to create anti-phishing policies

Creating an anti-phishing policy in PowerShell is a two-step process:

1. Create the anti-phish policy.
2. Create the anti-phish rule that specifies the anti-phish policy that the rule applies to.

Notes:

You can create a new anti-phish rule and assign an existing, unassociated anti-phish policy to it. An anti-phish rule can't be associated with more than one anti-phish policy.
You can configure the following settings on new anti-phish policies in PowerShell that aren't available in the Microsoft 365 Defender portal until after you create the policy:
Create the new policy as disabled (Enabled $false on the New-AntiPhishRule cmdlet).
Set the priority of the policy during creation (Priority <Number> on the New-AntiPhishRule cmdlet).
A new anti-phish policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to an anti-phish rule.

Step 1: Use PowerShell to create an anti-phish policy

To create an anti-phish policy, use this syntax:

PowerShell

New-AntiPhishPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-EnableSpoofIntelligence <$true | $false>] [-AuthenticationFailAction <MoveToJmf | Quarantine>] [-EnableUnauthenticatedSender <$true | $false>] [-EnableViaTag <$true | $false>] [-SpoofQuarantineTag <QuarantineTagName>]

This example creates an anti-phish policy named Research Quarantine with the following settings:

The description is: Research department policy.
Changes the default action for spoofing detections to Quarantine and uses the default quarantine policy for the quarantined messages (we aren't using the SpoofQuarantineTag parameter).

PowerShell

New-AntiPhishPolicy -Name "Research Quarantine" -AdminDisplayName "Research department policy" -AuthenticationFailAction Quarantine

For detailed syntax and parameter information, see New-AntiPhishPolicy.

Note

For detailed instructions to specify the quarantine policies to use in an anti-phish policy, see Use PowerShell to specify the quarantine policy in anti-phishing policies.

Step 2: Use PowerShell to create an anti-phish rule


To create an anti-phish rule, use this syntax:

PowerShell

New-AntiPhishRule -Name "<RuleName>" -AntiPhishPolicy "<PolicyName>"


<Recipient filters> [<Recipient filter exceptions>] [-Comments "
<OptionalComments>"]

This example creates an anti-phish rule named Research Department with the following
conditions:

The rule is associated with the anti-phish policy named Research Quarantine.
The rule applies to members of the group named Research Department.
Because we aren't using the Priority parameter, the default priority is used.

PowerShell

New-AntiPhishRule -Name "Research Department" -AntiPhishPolicy "Research Quarantine" -SentToMemberOf "Research Department"

For detailed syntax and parameter information, see New-AntiPhishRule.

Use PowerShell to view anti-phish policies


To view existing anti-phish policies, use the following syntax:

PowerShell

Get-AntiPhishPolicy [-Identity "<PolicyIdentity>"] [| <Format-Table | Format-List> <Property1,Property2,...>]

This example returns a summary list of all anti-phish policies along with the specified
properties.

PowerShell

Get-AntiPhishPolicy | Format-Table Name,IsDefault

This example returns all the property values for the anti-phish policy named Executives.

PowerShell

Get-AntiPhishPolicy -Identity "Executives"

For detailed syntax and parameter information, see Get-AntiPhishPolicy.

Use PowerShell to view anti-phish rules


To view existing anti-phish rules, use the following syntax:

PowerShell

Get-AntiPhishRule [-Identity "<RuleIdentity>"] [-State <Enabled | Disabled>] [| <Format-Table | Format-List> <Property1,Property2,...>]

This example returns a summary list of all anti-phish rules along with the specified
properties.

PowerShell

Get-AntiPhishRule | Format-Table Name,Priority,State

To filter the list by enabled or disabled rules, run the following commands:

PowerShell

Get-AntiPhishRule -State Disabled | Format-Table Name,Priority

PowerShell

Get-AntiPhishRule -State Enabled | Format-Table Name,Priority

This example returns all the property values for the anti-phish rule named Contoso
Executives.

PowerShell

Get-AntiPhishRule -Identity "Contoso Executives"

For detailed syntax and parameter information, see Get-AntiPhishRule.

Use PowerShell to modify anti-phish policies


Other than the following items, the same settings are available when you modify an
anti-phish policy in PowerShell as when you create a policy as described in Step 1: Use
PowerShell to create an anti-phish policy earlier in this article.

The MakeDefault switch that turns the specified policy into the default policy
(applied to everyone, always Lowest priority, and you can't delete it) is only
available when you modify an anti-phish policy in PowerShell.
You can't rename an anti-phish policy (the Set-AntiPhishPolicy cmdlet has no
Name parameter). When you rename an anti-phishing policy in the Microsoft 365
Defender portal, you're only renaming the anti-phish rule.

To modify an anti-phish policy, use this syntax:

PowerShell

Set-AntiPhishPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-AntiPhishPolicy.

Note

For detailed instructions to specify the quarantine policy to use in an anti-phish
policy, see Use PowerShell to specify the quarantine policy in anti-phishing
policies.

Use PowerShell to modify anti-phish rules


The only setting that's not available when you modify an anti-phish rule in PowerShell is
the Enabled parameter that allows you to create a disabled rule. To enable or disable
existing anti-phish rules, see the next section.

Otherwise, the same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create an anti-phish rule section earlier in this article.

To modify an anti-phish rule, use this syntax:

PowerShell

Set-AntiPhishRule -Identity "<RuleName>" <Settings>

For detailed syntax and parameter information, see Set-AntiPhishRule.

Use PowerShell to enable or disable anti-phish rules


Enabling or disabling an anti-phish rule in PowerShell enables or disables the whole
anti-phishing policy (the anti-phish rule and the assigned anti-phish policy). You can't
enable or disable the default anti-phishing policy (it's always applied to all recipients).

To enable or disable an anti-phish rule in PowerShell, use this syntax:

PowerShell

<Enable-AntiPhishRule | Disable-AntiPhishRule> -Identity "<RuleName>"

This example disables the anti-phish rule named Marketing Department.

PowerShell

Disable-AntiPhishRule -Identity "Marketing Department"

This example enables the same rule.

PowerShell

Enable-AntiPhishRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Enable-AntiPhishRule and
Disable-AntiPhishRule.

Use PowerShell to set the priority of anti-phish rules


The highest priority value you can set on a rule is 0. The lowest value you can set
depends on the number of rules. For example, if you have five rules, you can use the
priority values 0 through 4. Changing the priority of an existing rule can have a
cascading effect on other rules. For example, if you have five custom rules (priorities 0
through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is
changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of an anti-phish rule in PowerShell, use the following syntax:

PowerShell

Set-AntiPhishRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. All existing
rules that have a priority less than or equal to 2 are decreased by 1 (their priority
numbers are increased by 1).

PowerShell

Set-AntiPhishRule -Identity "Marketing Department" -Priority 2

Notes:

To set the priority of a new rule when you create it, use the Priority parameter on
the New-AntiPhishRule cmdlet instead.
The default anti-phish policy doesn't have a corresponding anti-phish rule, and it
always has the unmodifiable priority value Lowest.

Use PowerShell to remove anti-phish policies


When you use PowerShell to remove an anti-phish policy, the corresponding anti-phish
rule isn't removed.

To remove an anti-phish policy in PowerShell, use this syntax:

PowerShell

Remove-AntiPhishPolicy -Identity "<PolicyName>"

This example removes the anti-phish policy named Marketing Department.

PowerShell

Remove-AntiPhishPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-AntiPhishPolicy.

Use PowerShell to remove anti-phish rules


When you use PowerShell to remove an anti-phish rule, the corresponding anti-phish
policy isn't removed.

To remove an anti-phish rule in PowerShell, use this syntax:

PowerShell

Remove-AntiPhishRule -Identity "<RuleName>"

This example removes the anti-phish rule named Marketing Department.

PowerShell

Remove-AntiPhishRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-AntiPhishRule.

How do you know these procedures worked?


To verify that you've successfully configured anti-phishing policies in EOP, do any of the
following steps:

On the Anti-phishing page in the Microsoft 365 Defender portal at
https://security.microsoft.com/antiphishing, verify the list of policies, their Status
values, and their Priority values. To view more details, select the policy from the list
by clicking on the name and viewing the details in the flyout that appears.

In Exchange Online PowerShell, replace <Name> with the name of the policy or
rule, run the following command, and verify the settings:

PowerShell

Get-AntiPhishPolicy -Identity "<Name>"

PowerShell

Get-AntiPhishRule -Identity "<Name>"
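The verification commands above show one policy or rule at a time. The following script is an added example, not part of the Microsoft article: it lists every anti-phish rule in the order EOP evaluates them, joins each rule to its assigned policy, checks the 0..n-1 priority sequence described in the priority section, and flags disabled rules or policies with spoof intelligence turned off. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) with at least Security Reader rights; the function name is constructed.

```powershell
# Added example, not part of the Microsoft article. Assumes you're already connected
# with Connect-ExchangeOnline and hold Security Reader (or higher). Only the cmdlets
# and properties named in the article are used: Get-AntiPhishPolicy,
# Get-AntiPhishRule, Priority, State, IsDefault, EnableSpoofIntelligence and
# AuthenticationFailAction.

function Get-AntiPhishPolicyAudit {
    [CmdletBinding()]
    param()

    # Index policies by name so each rule can be joined to the policy it assigns.
    $policiesByName = @{}
    foreach ($policy in Get-AntiPhishPolicy) {
        $policiesByName[$policy.Name] = $policy
    }

    # Rules are evaluated from priority 0 downwards; processing stops at the first match.
    $rules = @(Get-AntiPhishRule | Sort-Object Priority)
    $expectedPriority = 0

    foreach ($rule in $rules) {
        $policy = $policiesByName[$rule.AntiPhishPolicy]
        $issues = New-Object System.Collections.Generic.List[string]

        # A disabled rule disables the whole custom policy (rule plus policy).
        if ($rule.State -ne 'Enabled') {
            $issues.Add('rule disabled: its policy is applied to nobody')
        }

        # Priorities must be 0..n-1 with no gaps or duplicates; anything else
        # indicates a reorder that did not complete as expected.
        if ($rule.Priority -ne $expectedPriority) {
            $issues.Add("priority $($rule.Priority) where $expectedPriority was expected")
        }
        $expectedPriority = $rule.Priority + 1

        $spoofAction = 'n/a'
        if ($null -eq $policy) {
            $issues.Add("assigned policy '$($rule.AntiPhishPolicy)' not found")
        }
        else {
            $spoofAction = $policy.AuthenticationFailAction
            if (-not $policy.EnableSpoofIntelligence) {
                $issues.Add('spoof intelligence is off')
            }
        }

        [pscustomobject]@{
            Priority    = $rule.Priority
            Rule        = $rule.Name
            State       = $rule.State
            Policy      = $rule.AntiPhishPolicy
            SpoofAction = $spoofAction
            Issues      = ($issues -join '; ')
        }
    }

    # The default policy has no rule, applies to everyone and is always evaluated last.
    $default = $policiesByName.Values | Where-Object { $_.IsDefault }
    if ($null -ne $default) {
        $defaultIssues = @()
        if (-not $default.EnableSpoofIntelligence) {
            $defaultIssues += 'spoof intelligence is off'
        }
        [pscustomobject]@{
            Priority    = 'Lowest'
            Rule        = '(none: default policy)'
            State       = 'Enabled'
            Policy      = $default.Name
            SpoofAction = $default.AuthenticationFailAction
            Issues      = ($defaultIssues -join '; ')
        }
    }
}

# Usage: print the evaluation order, then only the rows that need attention.
$audit = Get-AntiPhishPolicyAudit
$audit | Format-Table Priority, Rule, State, Policy, SpoofAction, Issues -AutoSize
$audit | Where-Object { $_.Issues } | Format-List
```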

Configure anti-phishing policies in Microsoft Defender for Office 365
Article • 01/17/2023 • 28 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Anti-phishing policies in Microsoft Defender for Office 365 can help protect your
organization from malicious impersonation-based phishing attacks and other types of
phishing attacks. For more information about the differences between anti-phishing
policies in Exchange Online Protection (EOP) and anti-phishing policies in Microsoft
Defender for Office 365, see Anti-phishing protection.

Admins can view, edit, and configure (but not delete) the default anti-phishing policy.
For greater granularity, you can also create custom anti-phishing policies that apply to
specific users, groups, or domains in your organization. Custom policies always take
precedence over the default policy, but you can change the priority (running order) of
your custom policies.

You can configure anti-phishing policies in Defender for Office 365 in the Microsoft 365
Defender portal or in Exchange Online PowerShell.

For information about configuring the more limited anti-phishing policies that are
available in Exchange Online Protection (that is, organizations without Defender for
Office 365), see Configure anti-phishing policies in EOP.

The basic elements of an anti-phishing policy are:

The anti-phish policy: Specifies the phishing protections to enable or disable, and
the actions to apply.
The anti-phish rule: Specifies the priority and recipient filters (who the policy
applies to) for an anti-phish policy.

The difference between these two elements isn't obvious when you manage anti-
phishing policies in the Microsoft 365 Defender portal:

When you create a policy, you're actually creating an anti-phish rule and the
associated anti-phish policy at the same time using the same name for both.
When you modify a policy, settings related to the name, priority, enabled or
disabled, and recipient filters modify the anti-phish rule. All other settings modify
the associated anti-phish policy.
When you remove a policy, the anti-phish rule and the associated anti-phish policy
are removed.

In Exchange Online PowerShell, you manage the policy and the rule separately. For more
information, see the Use Exchange Online PowerShell to configure anti-phishing policies
section later in this article.

Every Defender for Office 365 organization has a built-in anti-phishing policy named
Office 365 AntiPhish Default that has these properties:

The policy is applied to all recipients in the organization, even though there's no
anti-phish rule (recipient filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is
always applied last). Any custom policies that you create always have a higher
priority.
The policy is the default policy (the IsDefault property has the value True ), and
you can't delete the default policy.

To increase the effectiveness of anti-phishing protection in Defender for Office 365, you
can create custom anti-phishing policies with stricter settings that are applied to specific
users or groups of users.

What do you need to know before you begin?


You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the Anti-phishing page, use
https://security.microsoft.com/antiphishing.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add, modify, and delete anti-phishing policies, you need to be a member of
the Organization Management or Security Administrator role groups.
For read-only access to anti-phishing policies, you need to be a member of the
Global Reader or Security Reader role groups*.

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.

For our recommended settings for anti-phishing policies in Defender for Office
365, see Anti-phishing policy in Defender for Office 365 settings.

Allow up to 30 minutes for a new or updated policy to be applied.

For information about where anti-phishing policies are applied in the filtering
pipeline, see Order and precedence of email protection.

Use the Microsoft 365 Defender portal to create anti-phishing policies

Creating a custom anti-phishing policy in the Microsoft 365 Defender portal creates the
anti-phish rule and the associated anti-phish policy at the same time using the same
name for both.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the
Policies section. To go directly to the Anti-phishing page, use
https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, click Create.

3. The policy wizard opens. On the Policy name page, configure these settings:

Name: Enter a unique, descriptive name for the policy.
Description: Enter an optional description for the policy.

When you're finished, click Next.

4. On the Users, groups, and domains page that appears, identify the internal
recipients that the policy applies to (recipient conditions):
Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your
organization.

Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.

For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.

Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).

Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.

Important

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The policy is applied only to those recipients that match all of the
specified recipient filters. For example, you configure a recipient filter
condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy is not
applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.

When you're finished, click Next.

5. On the Phishing threshold & protection page that appears, configure the
following settings:

Phishing email threshold: Use the slider to select one of the following values:
1 - Standard (This is the default value.)
2 - Aggressive
3 - More aggressive
4 - Most aggressive

For more information, see Advanced phishing thresholds in anti-phishing
policies in Microsoft Defender for Office 365.

Impersonation: These settings are a condition for the policy that identifies
specific senders to look for (individually or by domain) in the From address of
inbound messages. For more information, see Impersonation settings in anti-
phishing policies in Microsoft Defender for Office 365.

Note

In each anti-phishing policy, you can specify a maximum of 350
protected users (sender email addresses). You can't specify the same
protected user in multiple policies.

Enable users to protect: The default value is off (not selected). To turn it
on, select the check box, and then click the Manage (nn) sender(s) link
that appears.

In the Manage senders for impersonation protection flyout that appears,
do the following steps:

Internal senders: Click Select internal. In the Add internal senders
flyout that appears, click in the box and select an internal user from the
list. You can filter the list by typing the user, and then selecting the user
from the results. You can use most identifiers (name, display name, alias,
email address, account name, etc.), but the corresponding display name
is shown in the results.

Repeat this step as many times as necessary. To remove an existing
value, click remove next to the value.

When you're finished, click Add.

External senders: Click Select external. In the Add external senders
flyout that appears, enter a display name in the Add a name box and an
email address in the Add a valid email box, and then click Add.

Repeat this step as many times as necessary. To remove an existing
value, click remove next to the value.

When you're finished, click Add.

Back on the Manage senders for impersonation flyout, you can remove
entries by selecting one or more entries from the list. You can search for
entries using the Search box.

After you select at least one entry, the Remove selected users icon
appears, which you can use to remove the selected entries.

When you're finished, click Done.

Enable domains to protect: The default value is off (not selected). To turn
it on, select the check box, and then configure one or both of the
following settings that appear:

Include the domains I own: To turn this setting on, select the check
box. To view the domains that you own, click View my domains.

Include custom domains: To turn this setting on, select the check box,
and then click the Manage (nn) custom domain(s) link that appears. In
the Manage custom domains for impersonation protection flyout that
appears, click Add domains.

In the Add custom domains flyout that appears, click in the Domain
box, enter a value, and then press Enter or select the value that's
displayed below the box. Repeat this step as many times as necessary.
To remove an existing value, click remove next to the value.

When you're finished, click Add domains

Note

You can specify a maximum of 50 custom domains in each anti-
phishing policy.

Back on the Manage custom domains for impersonation flyout, you can
remove entries by selecting one or more entries from the list. You can
search for entries using the Search box.

After you select at least one entry, the Delete icon appears, which you
can use to remove the selected entries.

Add trusted senders and domains: Specify impersonation protection
exceptions for the policy by clicking on Manage (nn) trusted sender(s) and
domain(s). In the Manage custom domains for impersonation protection
flyout that appears, configure the following settings:

Senders: Verify the Sender tab is selected and click . In the Add trusted
senders flyout that appears, enter an email address in the box and then
click Add. Repeat this step as many times as necessary. To remove an
existing entry, click for the entry.

When you're finished, click Add.

Domains: Select the Domain tab and click .

In the Add trusted domains flyout that appears, click in the Domain box,
enter a value, and then press Enter or select the value that's displayed
below the box. Repeat this step as many times as necessary. To remove an
existing value, click remove next to the value.

When you're finished, click Add.

Note

If Microsoft 365 system messages from the following senders are
identified as impersonation attempts, you can add the senders to the
trusted senders list:
noreply@email.teams.microsoft.com
noreply@emeaemail.teams.microsoft.com
no-reply@sharepointonline.com

Trusted domain entries don't include subdomains of the specified
domain. You need to add an entry for each subdomain.

Back on the Manage custom domains for impersonation flyout, you can
remove entries from the Sender and Domain tabs by selecting one or more
entries from the list. You can search for entries using the Search box.

After you select at least one entry, the Delete icon appears, which you can
use to remove the selected entries.

When you're finished, click Done.

Note

The maximum number of sender and domain entries is 1024.

Enable mailbox intelligence: The default value is on (selected), and we
recommend that you leave it on. To turn it off, clear the check box.

Enable intelligence based impersonation protection: This setting is
available only if Enable mailbox intelligence is on (selected). This setting
allows mailbox intelligence to take action on messages that are identified
as impersonation attempts. You specify the action to take in the If mailbox
intelligence detects an impersonated user setting on the next page.

We recommend that you turn this setting on by selecting the check box.
To turn this setting off, clear the check box.

Note

Mailbox intelligence protection does not work if the sender and
recipient have previously communicated via email. If the sender and
recipient have never communicated via email, the message will be
identified as an impersonation attempt by mailbox intelligence.

Spoof: In this section, use the Enable spoof intelligence check box to turn
spoof intelligence on or off. The default value is on (selected), and we
recommend that you leave it on. You specify the action to take on messages
from blocked spoofed senders in the If message is detected as spoof setting
on the next page.

To turn off spoof intelligence, clear the check box.

Note

You don't need to turn off anti-spoofing protection if your MX record
doesn't point to Microsoft 365; you enable Enhanced Filtering for
Connectors instead. For instructions, see Enhanced Filtering for
Connectors in Exchange Online.

When you're finished, click Next.

6. On the Actions page that appears, configure the following settings:

Message actions: Configure the following actions in this section:

If message is detected as an impersonated user: This setting is available
only if you selected Enable users to protect on the previous page. Select
one of the following actions in the drop down list for messages where the
sender is one of the protected users that you specified on the previous
page:

Don't apply any action

Redirect message to other email addresses

Move message to the recipients' Junk Email folders

Quarantine the message: If you select this action, an Apply quarantine
policy box appears where you select the quarantine policy that applies
to messages that are quarantined by user impersonation protection.
Quarantine policies define what users are able to do to quarantined
messages, and whether users receive quarantine notifications. For more
information, see Quarantine policies.

A blank Apply quarantine policy value means the default quarantine
policy is used (DefaultFullAccessPolicy for user impersonation
detections). When you later edit the anti-phishing policy or view the
settings, the default quarantine policy name is shown.

Deliver the message and add other addresses to the Bcc line

Delete the message before it's delivered

If the message is detected as an impersonated domain: This setting is
available only if you selected Enable domains to protect on the previous
page. Select one of the following actions in the drop down list for
messages where the sender's email address is in one of the protected
domains that you specified on the previous page:

Don't apply any action

Redirect message to other email addresses

Move message to the recipients' Junk Email folders

Quarantine the message: If you select this action, an Apply quarantine
policy box appears where you select the quarantine policy that applies
to messages that are quarantined by domain impersonation protection.

A blank Apply quarantine policy value means the default quarantine
policy is used (DefaultFullAccessPolicy for domain impersonation
detections). When you later edit the anti-phishing policy or view the
settings, the default quarantine policy name is shown.

Deliver the message and add other addresses to the Bcc line

Delete the message before it's delivered

If mailbox intelligence detects an impersonated user: This setting is
available only if you selected Enable intelligence for impersonation
protection on the previous page. Select one of the following actions in the
drop down list for messages that were identified as impersonation
attempts by mailbox intelligence:

Don't apply any action

Redirect message to other email addresses

Move message to the recipients' Junk Email folders

Quarantine the message: If you select this action, an Apply quarantine
policy box appears where you select the quarantine policy that applies
to messages that are quarantined by mailbox intelligence protection.
Quarantine policies define what users are able to do to quarantined
messages, and whether users receive quarantine notifications. For more
information, see Quarantine policies.

A blank Apply quarantine policy value means the default quarantine
policy is used (DefaultFullAccessPolicy for mailbox intelligence
detections). When you later edit the anti-phishing policy or view the
settings, the default quarantine policy name is shown.

Deliver the message and add other addresses to the Bcc line

Delete the message before it's delivered

If message is detected as spoof: This setting is available only if you
selected Enable spoof intelligence on the previous page. Select one of the
following actions in the drop down list for messages from blocked
spoofed senders:

Move message to the recipients' Junk Email folders

Quarantine the message: If you select this action, an Apply quarantine
policy box appears where you select the quarantine policy that applies
to messages that are quarantined by spoof intelligence protection.
Quarantine policies define what users are able to do to quarantined
messages, and whether users receive quarantine notifications. For more
information, see Quarantine policies.

A blank Apply quarantine policy value means the default quarantine
policy is used (DefaultFullAccessPolicy for spoof intelligence detections).
When you later edit the anti-phishing policy or view the settings, the
default quarantine policy name is shown.

Safety tips & indicators: Configure the following settings:

Show first contact safety tip: For more information, see First contact
safety tip.
Show user impersonation safety tip: This setting is available only if you
selected Enable users to protect on the previous page.
Show domain impersonation safety tip: This setting is available only if
you selected Enable domains to protect on the previous page.
Show user impersonation unusual characters safety tip: This setting is
available only if you selected Enable users to protect or Enable domains
to protect on the previous page.
Show (?) for unauthenticated senders for spoof: This setting is available
only if you selected Enable spoof intelligence on the previous page. Adds
a question mark (?) to the sender's photo in the From box in Outlook if the
message does not pass SPF or DKIM checks and the message does not
pass DMARC or composite authentication.
Show "via" tag: This setting is available only if you selected Enable spoof
intelligence on the previous page. Adds a via tag (chris@contoso.com via
fabrikam.com) to the From address if it's different from the domain in the
DKIM signature or the MAIL FROM address. The default value is on
(selected). To turn it off, clear the check box.

To turn on a setting, select the check box. To turn it off, clear the check box.

When you're finished, click Next.


7. On the Review page that appears, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.

When you're finished, click Submit.

8. On the confirmation page that appears, click Done.
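The wizard settings above (steps 3 through 6) correspond to parameters of New-AntiPhishPolicy and New-AntiPhishRule in Exchange Online PowerShell. The script below is an added example, not part of the Microsoft article: it creates a Defender for Office 365 policy with the threshold, impersonation, mailbox intelligence, spoof and safety tip settings the wizard exposes, and a rule that targets romain@contoso.com only when he is also a member of the Executives group (the AND logic from step 4). The policy and rule names, the protected user's display name and the custom and trusted domain values are constructed; the parameter names are those of the Exchange Online cmdlets, which the article does not list and are assumed here.

```powershell
# Added example, not part of the Microsoft article. Requires an Exchange Online
# PowerShell session (Connect-ExchangeOnline) and membership in the Organization
# Management or Security Administrator role group. Names and addresses below are
# constructed except for the values reused from the article.

$policyName = 'Executives Impersonation Protection'   # constructed name

$policyParams = @{
    Name             = $policyName
    AdminDisplayName = 'Stricter anti-phishing for the executive team'

    # Phishing threshold & protection page: 1 Standard, 2 Aggressive,
    # 3 More aggressive, 4 Most aggressive.
    PhishThresholdLevel = 2

    # Impersonation, protected users: "DisplayName;EmailAddress" entries, at most
    # 350 per policy, and a user can't be protected in more than one policy.
    EnableTargetedUserProtection = $true
    TargetedUsersToProtect       = @('Romain Example;romain@contoso.com')
    TargetedUserProtectionAction = 'Quarantine'

    # Impersonation, protected domains: the domains you own plus up to 50 custom domains.
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('contoso-partner.example')   # constructed
    TargetedDomainProtectionAction      = 'Quarantine'

    # Trusted senders and domains (impersonation exceptions). Subdomains are not
    # implied by a domain entry; add each one explicitly.
    ExcludedSenders = @('noreply@email.teams.microsoft.com', 'no-reply@sharepointonline.com')
    ExcludedDomains = @('trusted-vendor.example')   # constructed

    # Mailbox intelligence and the action for messages it identifies as impersonation.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'

    # Spoof intelligence. No SpoofQuarantineTag is given, so quarantined messages
    # use the default quarantine policy.
    EnableSpoofIntelligence  = $true
    AuthenticationFailAction = 'Quarantine'

    # Safety tips & indicators page.
    EnableFirstContactSafetyTips      = $true
    EnableSimilarUsersSafetyTips      = $true
    EnableSimilarDomainsSafetyTips    = $true
    EnableUnusualCharactersSafetyTips = $true
    EnableUnauthenticatedSender       = $true
    EnableViaTag                      = $true
}

New-AntiPhishPolicy @policyParams

# Users, groups, and domains page. Different condition types use AND logic: this
# rule matches romain@contoso.com only when he's also a member of Executives.
# Priority 0 places the rule ahead of every existing custom rule, which shifts
# their priorities down by one.
$ruleParams = @{
    Name            = $policyName
    AntiPhishPolicy = $policyName
    SentTo          = 'romain@contoso.com'
    SentToMemberOf  = 'Executives'
    Priority        = 0
    Comments        = 'Created in PowerShell; mirrors the portal wizard settings'
}

New-AntiPhishRule @ruleParams

# Verify. The policy only appears in the portal once the rule exists, and a new
# or changed policy can take up to 30 minutes to apply.
$policyProps = @(
    'Name', 'PhishThresholdLevel',
    'EnableTargetedUserProtection', 'TargetedUsersToProtect', 'TargetedUserProtectionAction',
    'EnableTargetedDomainsProtection', 'TargetedDomainsToProtect', 'TargetedDomainProtectionAction',
    'EnableMailboxIntelligenceProtection', 'MailboxIntelligenceProtectionAction',
    'EnableSpoofIntelligence', 'AuthenticationFailAction'
)
Get-AntiPhishPolicy -Identity $policyName | Format-List -Property $policyProps

$ruleProps = @('Name', 'Priority', 'State', 'AntiPhishPolicy', 'SentTo', 'SentToMemberOf')
Get-AntiPhishRule -Identity $policyName | Format-List -Property $ruleProps
```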

Use the Microsoft 365 Defender portal to view anti-phishing policies

1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Anti-phishing in the Policies section.

2. On the Anti-phishing page, the following properties are displayed in the list of
anti-phishing policies:

Name
Status
Priority
Last modified

3. When you select a policy by clicking on the name, the policy settings are displayed
in a flyout.

Use the Microsoft 365 Defender portal to modify anti-phishing policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the
Policies section. To go directly to the Anti-phishing page, use
https://security.microsoft.com/antiphishing .

2. On the Anti-phishing page, select a policy from the list by clicking on the name.

3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the Use
the Microsoft 365 Defender portal to create anti-phishing policies section earlier in
this article.

For the default anti-phishing policy, the Users, groups, and domains section isn't
available (the policy applies to everyone), and you can't rename the policy.

To enable or disable a policy or set the policy priority order, see the following sections.

Enable or disable custom anti-phishing policies


You can't disable the default anti-phishing policy.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the
Policies section. To go directly to the Anti-phishing page, use
https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, select a custom policy from the list by clicking on the
name.

3. At the top of the policy details flyout that appears, you'll see one of the following
values:

Policy off: To turn on the policy, click Turn on.
Policy on: To turn off the policy, click Turn off.

4. In the confirmation dialog that appears, click Turn on or Turn off.

5. Click Close in the policy details flyout.

Back on the main policy page, the Status value of the policy will be On or Off.

Set the priority of custom anti-phishing policies


By default, anti-phishing policies are given a priority that's based on the order they were
created in (newer policies are lower priority than older policies). A lower priority number
indicates a higher priority for the policy (0 is the highest), and policies are processed in
priority order (higher priority policies are processed before lower priority policies). No
two policies can have the same priority, and policy processing stops after the first policy
is applied.

To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.

Notes:

In the Microsoft 365 Defender portal, you can only change the priority of the anti-
phishing policy after you create it. In PowerShell, you can override the default
priority when you create the anti-phish rule (which can affect the priority of
existing rules).
Anti-phishing policies are processed in the order that they're displayed (the first
policy has the Priority value 0). The default anti-phishing policy has the priority
value Lowest, and you can't change it.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the
Policies section. To go directly to the Anti-phishing page, use
https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, select a custom policy from the list by clicking on the
name.

3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:

The policy with the Priority value 0 has only the Decrease priority option
available.
The policy with the lowest Priority value (for example, 3) has only the
Increase priority option available.
If you have three or more policies, the policies between the highest and
lowest priority values have both the Increase priority and Decrease priority
options available.

Click Increase priority or Decrease priority to change the Priority value.

4. When you're finished, click Close in the policy details flyout.

Use the Microsoft 365 Defender portal to remove custom anti-phishing policies

When you use the Microsoft 365 Defender portal to remove a custom anti-phishing
policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You
can't remove the default anti-phishing policy.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the
Policies section. To go directly to the Anti-phishing page, use
https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, select a custom policy from the list by clicking on the
name of the policy.

3. At the top of the policy details flyout that appears, click More actions >
Delete policy.

4. In the confirmation dialog that appears, click Yes.

Use Exchange Online PowerShell to configure anti-phishing policies

As previously described, an anti-phishing policy consists of an anti-phish policy and an
anti-phish rule.

In Exchange Online PowerShell, the difference between anti-phish policies and anti-
phish rules is apparent. You manage anti-phish policies by using the *-AntiPhishPolicy
cmdlets, and you manage anti-phish rules by using the *-AntiPhishRule cmdlets.

In PowerShell, you create the anti-phish policy first, then you create the anti-phish
rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the anti-phish policy and the anti-phish
rule separately.
When you remove an anti-phish policy from PowerShell, the corresponding anti-
phish rule isn't automatically removed, and vice versa.

Use PowerShell to create anti-phishing policies


Creating an anti-phishing policy in PowerShell is a two-step process:

1. Create the anti-phish policy.

2. Create the anti-phish rule that specifies the anti-phish policy that the rule applies
to.

Notes:

You can create a new anti-phish rule and assign an existing, unassociated anti-
phish policy to it. An anti-phish rule can't be associated with more than one anti-
phish policy.
You can configure the following settings on new anti-phish policies in PowerShell
that aren't available in the Microsoft 365 Defender portal until after you create the
policy:
Create the new policy as disabled (Enabled $false on the New-AntiPhishRule
cmdlet).
Set the priority of the policy during creation (Priority <Number> on the
New-AntiPhishRule cmdlet).
A new anti-phish policy that you create in PowerShell isn't visible in the Microsoft
365 Defender portal until you assign the policy to an anti-phish rule.

Step 1: Use PowerShell to create an anti-phish policy

To create an anti-phish policy, use this syntax:

PowerShell

New-AntiPhishPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] <Additional Settings>

This example creates an anti-phish policy named Research Quarantine with the following
settings:

The policy is enabled (we aren't using the Enabled parameter, and the default value
is $true ).
The description is: Research department policy.
Changes the default action for spoofing detections to Quarantine, and uses the
default quarantine policy for the quarantined messages (we aren't using the
SpoofQuarantineTag parameter).
Enables organization domains protection for all accepted domains, and targeted
domains protection for fabrikam.com.
Specifies Quarantine as the action for domain impersonation detections, and uses
the default quarantine policy for the quarantined messages (we aren't using the
TargetedDomainQuarantineTag parameter).
Specifies Mai Fujito (mfujito@fabrikam.com) as the user to protect from
impersonation.
Specifies Quarantine as the action for user impersonation detections, and uses the
default quarantine policy for the quarantined messages (we aren't using the
TargetedUserQuarantineTag parameter).
Enables mailbox intelligence (EnableMailboxIntelligence), allows mailbox
intelligence protection to take action on messages
(EnableMailboxIntelligenceProtection), specifies Quarantine as the action for
detected messages, and uses the default quarantine policy for the quarantined
messages (we aren't using the MailboxIntelligenceQuarantineTag parameter).
Enables all safety tips.

PowerShell

New-AntiPhishPolicy -Name "Research Quarantine" -AdminDisplayName "Research department policy" `
    -AuthenticationFailAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect fabrikam.com -TargetedDomainProtectionAction Quarantine `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect "Mai Fujito;mfujito@fabrikam.com" -TargetedUserProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true

For detailed syntax and parameter information, see New-AntiPhishPolicy.

Note

For detailed instructions to specify the quarantine policies to use in an anti-phish
policy, see Use PowerShell to specify the quarantine policy in anti-phishing
policies.

Step 2: Use PowerShell to create an anti-phish rule

To create an anti-phish rule, use this syntax:

PowerShell

New-AntiPhishRule -Name "<RuleName>" -AntiPhishPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]

This example creates an anti-phish rule named Research Department with the following
conditions:

The rule is associated with the anti-phish policy named Research Quarantine.
The rule applies to members of the group named Research Department.
Because we aren't using the Priority parameter, the default priority is used.

PowerShell

New-AntiPhishRule -Name "Research Department" -AntiPhishPolicy "Research Quarantine" -SentToMemberOf "Research Department"

For detailed syntax and parameter information, see New-AntiPhishRule.
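The two steps above combined into one script, as an added example that is not part of the original article: it uses the PowerShell-only options the notes call out (Enabled $false and Priority on New-AntiPhishRule), then confirms that the rule points at the new policy before the rule is enabled. The policy, rule and group names and the protected user are constructed for illustration, and a connected Exchange Online PowerShell session (Connect-ExchangeOnline) is assumed.

```powershell
# Added example: create an anti-phish policy and its rule in one pass, using the
# PowerShell-only options described above (Enabled $false and Priority on New-AntiPhishRule).
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
# Policy, rule and group names and the protected user are constructed for illustration.

$policyName = "Finance Quarantine"
$ruleName   = "Finance Department"

# Step 1: the policy holds the detection settings. Spoof and impersonation verdicts go
# to quarantine; the default quarantine policy applies because no *QuarantineTag
# parameter is supplied.
New-AntiPhishPolicy -Name $policyName `
    -AdminDisplayName "Finance department policy (created disabled for review)" `
    -AuthenticationFailAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Finance Approver;approver@contoso.com" `
    -TargetedUserProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine

# Step 2: the rule scopes the policy to recipients. Enabled $false creates it switched
# off so the settings can be reviewed before they take effect, and Priority 0 places it
# ahead of every existing custom rule (their priority numbers shift down by one).
New-AntiPhishRule -Name $ruleName `
    -AntiPhishPolicy $policyName `
    -SentToMemberOf "Finance Department" `
    -Enabled $false `
    -Priority 0

# Verify the association and the disabled state before switching the rule on.
$rule = Get-AntiPhishRule -Identity $ruleName
if ($rule.AntiPhishPolicy -ne $policyName) {
    throw "Rule '$ruleName' is bound to '$($rule.AntiPhishPolicy)', expected '$policyName'."
}
"{0}: Priority={1} State={2} Policy={3}" -f $rule.Name, $rule.Priority, $rule.State, $rule.AntiPhishPolicy

# Enable once reviewed; this turns on the whole anti-phishing policy (rule and policy).
Enable-AntiPhishRule -Identity $ruleName
```

Until the final Enable-AntiPhishRule runs, the policy exists and is visible in the portal (because a rule references it) but applies to nobody, which is the state you want while someone checks the quarantine actions against what the group expects.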


Use PowerShell to view anti-phish policies

To view existing anti-phish policies, use the following syntax:

PowerShell

Get-AntiPhishPolicy [-Identity "<PolicyIdentity>"] [| <Format-Table | Format-List> <Property1,Property2,...>]

This example returns a summary list of all anti-phish policies along with the specified
properties.

PowerShell

Get-AntiPhishPolicy | Format-Table Name,IsDefault

This example returns all the property values for the anti-phish policy named Executives.

PowerShell

Get-AntiPhishPolicy -Identity "Executives"

For detailed syntax and parameter information, see Get-AntiPhishPolicy.

Use PowerShell to view anti-phish rules

To view existing anti-phish rules, use the following syntax:

PowerShell

Get-AntiPhishRule [-Identity "<RuleIdentity>"] [-State <Enabled | Disabled>] [| <Format-Table | Format-List> <Property1,Property2,...>]

This example returns a summary list of all anti-phish rules along with the specified
properties.

PowerShell

Get-AntiPhishRule | Format-Table Name,Priority,State

To filter the list by enabled or disabled rules, run the following commands:

PowerShell

Get-AntiPhishRule -State Disabled | Format-Table Name,Priority

PowerShell

Get-AntiPhishRule -State Enabled | Format-Table Name,Priority

This example returns all the property values for the anti-phish rule named Contoso
Executives.

PowerShell

Get-AntiPhishRule -Identity "Contoso Executives"

For detailed syntax and parameter information, see Get-AntiPhishRule.

Use PowerShell to modify anti-phish policies

Other than the following items, the same settings are available when you modify an
anti-phish policy in PowerShell as when you create the policy as described in the Step 1:
Use PowerShell to create an anti-phish policy section earlier in this article.

The MakeDefault switch that turns the specified policy into the default policy
(applied to everyone, always Lowest priority, and you can't delete it) is only
available when you modify an anti-phish policy in PowerShell.

You can't rename an anti-phish policy (the Set-AntiPhishPolicy cmdlet has no
Name parameter). When you rename an anti-phishing policy in the Microsoft 365
Defender portal, you're only renaming the anti-phish rule.

To modify an anti-phish policy, use this syntax:

PowerShell

Set-AntiPhishPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-AntiPhishPolicy.

Note

For detailed instructions to specify the quarantine policies to use in an anti-phish
policy, see Use PowerShell to specify the quarantine policy in anti-phishing
policies.

Use PowerShell to modify anti-phish rules

The only setting that isn't available when you modify an anti-phish rule in PowerShell is
the Enabled parameter that allows you to create a disabled rule. To enable or disable
existing anti-phish rules, see the next section.

Otherwise, no additional settings are available when you modify an anti-phish rule in
PowerShell. The same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create an anti-phish rule section earlier in this article.

To modify an anti-phish rule, use this syntax:

PowerShell

Set-AntiPhishRule -Identity "<RuleName>" <Settings>

For detailed syntax and parameter information, see Set-AntiPhishRule.

Use PowerShell to enable or disable anti-phish rules


Enabling or disabling an anti-phish rule in PowerShell enables or disables the whole
anti-phishing policy (the anti-phish rule and the assigned anti-phish policy). You can't
enable or disable the default anti-phishing policy (it's always applied to all recipients).

To enable or disable an anti-phish rule in PowerShell, use this syntax:

PowerShell

<Enable-AntiPhishRule | Disable-AntiPhishRule> -Identity "<RuleName>"

This example disables the anti-phish rule named Marketing Department.

PowerShell

Disable-AntiPhishRule -Identity "Marketing Department"

This example enables the same rule.

PowerShell

Enable-AntiPhishRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Enable-AntiPhishRule and Disable-AntiPhishRule.

Use PowerShell to set the priority of anti-phish rules


The highest priority value you can set on a rule is 0. The lowest value you can set
depends on the number of rules. For example, if you have five rules, you can use the
priority values 0 through 4. Changing the priority of an existing rule can have a
cascading effect on other rules. For example, if you have five custom rules (priorities 0
through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is
changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of an anti-phish rule in PowerShell, use the following syntax:

PowerShell

Set-AntiPhishRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. All existing
rules that have a priority less than or equal to 2 are decreased by 1 (their priority
numbers are increased by 1).

PowerShell

Set-AntiPhishRule -Identity "Marketing Department" -Priority 2

Notes:

To set the priority of a new rule when you create it, use the Priority parameter on
the New-AntiPhishRule cmdlet instead.

The default anti-phish policy doesn't have a corresponding anti-phish rule, and it
always has the unmodifiable priority value Lowest.

Use PowerShell to remove anti-phish policies


When you use PowerShell to remove an anti-phish policy, the corresponding anti-phish
rule isn't removed.

To remove an anti-phish policy in PowerShell, use this syntax:

PowerShell

Remove-AntiPhishPolicy -Identity "<PolicyName>"

This example removes the anti-phish policy named Marketing Department.

PowerShell

Remove-AntiPhishPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-AntiPhishPolicy.

Use PowerShell to remove anti-phish rules


When you use PowerShell to remove an anti-phish rule, the corresponding anti-phish
policy isn't removed.

To remove an anti-phish rule in PowerShell, use this syntax:

PowerShell

Remove-AntiPhishRule -Identity "<RuleName>"

This example removes the anti-phish rule named Marketing Department.

PowerShell

Remove-AntiPhishRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-AntiPhishRule.

How do you know these procedures worked?

To verify that you've successfully configured anti-phishing policies in Defender for Office
365, do any of the following steps:

On the Anti-phishing page in the Microsoft 365 Defender portal at
https://security.microsoft.com/antiphishing, verify the list of policies, their Status
values, and their Priority values. To view more details, select the policy from the list
by clicking on the name and viewing the details in the flyout that appears.

In Exchange Online PowerShell, replace <Name> with the name of the policy or
rule, run the following commands, and verify the settings:

PowerShell

Get-AntiPhishPolicy -Identity "<Name>"

PowerShell

Get-AntiPhishRule -Identity "<Name>"
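An added inventory script, not part of the article, that goes one step beyond the two Get- commands above: because the rule and the policy are separate objects in PowerShell, it joins each rule to its policy in processing order, appends the default policy, and flags custom policies that no rule references (which, as noted earlier, do nothing and don't appear in the portal) and rules that are disabled. It assumes a connected Exchange Online PowerShell session and makes no assumptions about policy or rule names.

```powershell
# Added example (not from the article): join anti-phish rules to their policies and show
# the processing order, then flag custom policies that no rule references (they do nothing
# and don't appear in the portal) and rules that are disabled.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

function Get-AntiPhishInventory {
    $policies = @(Get-AntiPhishPolicy)
    $rules    = @(Get-AntiPhishRule)

    # Index policies by name so each rule can be joined to the settings it applies.
    $policyByName = @{}
    foreach ($p in $policies) { $policyByName[$p.Name] = $p }

    # Rules are evaluated from Priority 0 upward and processing stops at the first match.
    $rows = @(foreach ($r in ($rules | Sort-Object Priority)) {
        $p = $policyByName[$r.AntiPhishPolicy]
        $spoofIntel = $null; $spoofAction = $null
        if ($p) { $spoofIntel = $p.EnableSpoofIntelligence; $spoofAction = $p.AuthenticationFailAction }
        [pscustomobject]@{
            Priority          = $r.Priority
            Rule              = $r.Name
            State             = $r.State
            Policy            = $r.AntiPhishPolicy
            SpoofIntelligence = $spoofIntel
            SpoofAction       = $spoofAction
        }
    })

    # The default policy has no rule, is always on, and applies last to everyone.
    $default = $policies | Where-Object { $_.IsDefault }
    $rows += [pscustomobject]@{
        Priority          = 'Lowest'
        Rule              = '(default policy, no rule)'
        State             = 'Enabled'
        Policy            = $default.Name
        SpoofIntelligence = $default.EnableSpoofIntelligence
        SpoofAction       = $default.AuthenticationFailAction
    }

    $referenced = @($rules | ForEach-Object { $_.AntiPhishPolicy })
    [pscustomobject]@{
        ProcessingOrder  = $rows
        OrphanedPolicies = @($policies | Where-Object { -not $_.IsDefault -and $_.Name -notin $referenced } |
                             Select-Object -ExpandProperty Name)
        DisabledRules    = @($rules | Where-Object { $_.State -eq 'Disabled' } | Select-Object -ExpandProperty Name)
    }
}

$inventory = Get-AntiPhishInventory
$inventory.ProcessingOrder | Format-Table Priority, Rule, State, Policy, SpoofIntelligence, SpoofAction -AutoSize
if ($inventory.OrphanedPolicies.Count -gt 0) { "Policies not assigned to any rule: " + ($inventory.OrphanedPolicies -join ', ') }
if ($inventory.DisabledRules.Count -gt 0)    { "Disabled rules: " + ($inventory.DisabledRules -join ', ') }
```

Reading the table top to bottom gives the order in which a recipient is matched; a disabled rule or an orphaned policy in the list is the usual explanation when a user who should be covered by a custom policy is being handled by the default one.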

Anti-spoofing protection in EOP


Article • 12/10/2022 • 7 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
EOP includes features to help protect your organization from spoofed (forged) senders.

When it comes to protecting its users, Microsoft takes the threat of phishing seriously.
Spoofing is a common technique that's used by attackers. Spoofed messages appear to
originate from someone or somewhere other than the actual source. This technique is
often used in phishing campaigns that are designed to obtain user credentials. The anti-
spoofing technology in EOP specifically examines forgery of the From header in the
message body (used to display the message sender in email clients). When EOP has high
confidence that the From header is forged, the message is identified as spoofed.

The following anti-spoofing technologies are available in EOP:

Email authentication: An integral part of any anti-spoofing effort is the use of
email authentication (also known as email validation) by SPF, DKIM, and DMARC
records in DNS. You can configure these records for your domains so destination
email systems can check the validity of messages that claim to be from senders in
your domains. For inbound messages, Microsoft 365 requires email authentication
for sender domains. For more information, see Email authentication in Microsoft
365.

EOP analyzes and blocks messages that can't be authenticated by the combination
of standard email authentication methods and sender reputation techniques.

Spoof intelligence insight: Review spoofed messages from senders in internal and
external domains during the last 7 days, and allow or block those senders. For
more information, see Spoof intelligence insight in EOP.

Allow or block spoofed senders in the Tenant Allow/Block List: When you
override the verdict in the spoof intelligence insight, the spoofed sender becomes
a manual allow or block entry that only appears on the Spoofed senders tab in the
Tenant Allow/Block List. You can also manually create allow or block entries for
spoof senders before they're detected by spoof intelligence. For more information,
see Manage the Tenant Allow/Block List in EOP.

Anti-phishing policies: In EOP and Microsoft Defender for Office 365, anti-
phishing policies contain the following anti-spoofing settings:
Turn spoof intelligence on or off.
Turn unauthenticated sender indicators in Outlook on or off.
Specify the action for blocked spoofed senders.

For more information, see Spoof settings in anti-phishing policies.

Note: Anti-phishing policies in Defender for Office 365 contain additional
protections, including impersonation protection. For more information, see
Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365.

Spoof detections report: For more information, see Spoof Detections report.

Note: Defender for Office 365 organizations can also use Real-time detections
(Plan 1) or Threat Explorer (Plan 2) to view information about phishing attempts.
For more information, see Microsoft 365 threat investigation and response.

How spoofing is used in phishing attacks


Spoofing messages have the following negative implications for users:

Spoofed messages deceive users: A spoofed message might trick the recipient
into clicking a link and giving up their credentials, downloading malware, or
replying to a message with sensitive content (known as a business email
compromise or BEC).
The following message is an example of phishing that uses the spoofed sender
msoutlook94@service.outlook.com:

This message didn't come from service.outlook.com, but the attacker spoofed the
From header field to make it look like it did. This was an attempt to trick the
recipient into clicking the change your password link and giving up their
credentials.

The following message is an example of BEC that uses the spoofed email domain
contoso.com:
The message looks legitimate, but the sender is spoofed.

Users confuse real messages for fake ones: Even users who know about phishing
might have difficulty seeing the differences between real messages and spoofed
messages.

The following message is an example of a real password reset message from the
Microsoft Security account:

The message really did come from Microsoft, but users have been conditioned to
be suspicious. Because it's difficult to tell the difference between a real password reset
message and a fake one, users might ignore the message, report it as spam, or
unnecessarily report the message to Microsoft as phishing.

Different types of spoofing


Microsoft differentiates between two different types of spoofed messages:

Intra-org spoofing: Also known as self-to-self spoofing. For example:

The sender and recipient are in the same domain:

From: chris@contoso.com

To: michelle@contoso.com

The sender and the recipient are in subdomains of the same domain:

From: laura@marketing.fabrikam.com

To: julia@engineering.fabrikam.com

The sender and recipient are in different domains that belong to the same
organization (that is, both domains are configured as accepted domains in the
same organization):

From: sender @ microsoft.com

To: recipient @ bing.com

Spaces are used in the email addresses to prevent spambot harvesting.

Messages that fail composite authentication due to intra-org spoofing contain the
following header values:

Authentication-Results: ... compauth=fail reason=6xx

X-Forefront-Antispam-Report: ...CAT:SPOOF;...SFTY:9.11

reason=6xx indicates intra-org spoofing.

SFTY is the safety level of the message. 9 indicates phishing, .11 indicates intra-
org spoofing.

Cross-domain spoofing: The sender and recipient domains are different, and have
no relationship to each other (also known as external domains). For example:
From: chris@contoso.com

To: michelle@tailspintoys.com

Messages that fail composite authentication due to cross-domain spoofing contain
the following header values:

Authentication-Results: ... compauth=fail reason=000/001

X-Forefront-Antispam-Report: ...CAT:SPOOF;...SFTY:9.22

reason=000 indicates the message failed explicit email authentication.

reason=001 indicates the message failed implicit email authentication.

SFTY is the safety level of the message. 9 indicates phishing, .22 indicates cross-
domain spoofing.

Note

If you've gotten a message like compauth=fail reason=### and need to know
about composite authentication (compauth), and the values related to spoofing,
see Anti-spam message headers in Microsoft 365. Or go directly to the reason
codes.

For more information about DMARC, see Use DMARC to validate email in Microsoft 365.
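As an added example that is not taken from the article, the following function reads the two header values described in this section and classifies the spoof type from the reason code and the SFTY value, so an analyst triaging a reported message can tell intra-org from cross-domain spoofing without memorizing the codes. The sample header values are constructed to match the fragments shown above (reason=601 stands in for the article's "6xx"; the IP addresses are documentation ranges), and the mapping covers only the codes named here; anything else is reported as unknown.

```powershell
# Added example (not from the article): classify a spoof verdict from the two header
# values described above. Authentication-Results carries compauth=fail reason=NNN and
# X-Forefront-Antispam-Report carries CAT:SPOOF and SFTY:9.xx. Only the reason codes and
# SFTY values named in the article are mapped; anything else is reported as 'unknown'.

function Get-SpoofVerdict {
    param(
        [Parameter(Mandatory)][string]$AuthenticationResults,
        [Parameter(Mandatory)][string]$ForefrontAntispamReport
    )

    $compauth = if ($AuthenticationResults -match 'compauth=(\w+)')           { $Matches[1] } else { $null }
    $reason   = if ($AuthenticationResults -match 'reason=(\d{3})')           { $Matches[1] } else { $null }
    $cat      = if ($ForefrontAntispamReport -match '(?:^|;)CAT:([A-Z]+)')     { $Matches[1] } else { $null }
    $sfty     = if ($ForefrontAntispamReport -match '(?:^|;)SFTY:(\d+\.\d+)')  { $Matches[1] } else { $null }

    # reason=6xx is intra-org (self-to-self) spoofing. reason=000 means explicit
    # authentication (SPF/DKIM/DMARC) failed and 001 means implicit authentication
    # failed; both are cross-domain spoofing.
    $reasonKind = switch -Regex ([string]$reason) {
        '^6\d\d$'  { 'intra-org' }
        '^00[01]$' { 'cross-domain' }
        default    { 'unknown' }
    }

    # SFTY: the leading 9 means phishing; .11 is intra-org, .22 is cross-domain.
    $sftyKind = switch ([string]$sfty) {
        '9.11'  { 'intra-org' }
        '9.22'  { 'cross-domain' }
        default { 'unknown' }
    }

    [pscustomobject]@{
        CompAuth       = $compauth
        Reason         = $reason
        Category       = $cat
        Safety         = $sfty
        SpoofType      = $reasonKind
        SftyAgrees     = ($reasonKind -ne 'unknown' -and $reasonKind -eq $sftyKind)
        IsSpoofVerdict = ($compauth -eq 'fail' -and $cat -eq 'SPOOF')
    }
}

# Constructed sample header values shaped like the fragments above (reason=601 stands
# in for the article's "6xx"; the IP addresses are documentation ranges).
$intraOrg = Get-SpoofVerdict `
    -AuthenticationResults 'spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=contoso.com; dkim=none; dmarc=fail action=none header.from=contoso.com; compauth=fail reason=601' `
    -ForefrontAntispamReport 'CIP:203.0.113.5;CTRY:XX;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;CAT:SPOOF;DIR:INB;SFTY:9.11'

$crossDomain = Get-SpoofVerdict `
    -AuthenticationResults 'spf=none; dkim=none; dmarc=none; compauth=fail reason=001' `
    -ForefrontAntispamReport 'CIP:198.51.100.7;CTRY:XX;LANG:en;SCL:5;CAT:SPOOF;SFTY:9.22'

$intraOrg, $crossDomain | Format-Table CompAuth, Reason, Category, Safety, SpoofType, SftyAgrees, IsSpoofVerdict -AutoSize
```

SftyAgrees is a consistency check: when the reason code and the SFTY value point at different spoof types, or either is a code this section doesn't describe, the message deserves a closer look at the full header rather than a verdict from these two fields alone.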

Problems with anti-spoofing protection


Mailing lists (also known as discussion lists) are known to have problems with anti-
spoofing due to the way they forward and modify messages.

For example, Gabriela Laureano (glaureano@contoso.com) is interested in bird
watching, joins the mailing list birdwatchers@fabrikam.com, and sends the following
message to the list:

From: "Gabriela Laureano" <glaureano@contoso.com>

To: Birdwatcher's Discussion List <birdwatchers@fabrikam.com>

Subject: Great viewing of blue jays at the top of Mt. Rainier this week

Anyone want to check out the viewing this week from Mt. Rainier?

The mailing list server receives the message, modifies its content, and replays it to the
members of the list. The replayed message has the same From address
(glaureano@contoso.com), but a tag is added to the subject line, and a footer is added
to the bottom of the message. This type of modification is common in mailing lists, and
may result in false positives for spoofing.

From: "Gabriela Laureano" <glaureano@contoso.com>

To: Birdwatcher's Discussion List <birdwatchers@fabrikam.com>

Subject: [BIRDWATCHERS] Great viewing of blue jays at the top of Mt. Rainier this
week

Anyone want to check out the viewing this week from Mt. Rainier?

This message was sent to the Birdwatchers Discussion List. You can unsubscribe at
any time.

To help mailing list messages pass anti-spoofing checks, do the following steps based on
whether you control the mailing list:

Your organization owns the mailing list:

Check the FAQ at DMARC.org: I operate a mailing list and I want to interoperate
with DMARC, what should I do? .

Read the instructions at this blog post: A tip for mailing list operators to
interoperate with DMARC to avoid failures.

Consider installing updates on your mailing list server to support ARC, see
http://arc-spec.org .

Your organization doesn't own the mailing list:

Ask the maintainer of the mailing list to configure email authentication for the
domain that the mailing list is relaying from.

When enough senders reply back to domain owners that they should set up
email authentication records, it spurs them into taking action. While Microsoft
also works with domain owners to publish the required records, it helps even
more when individual users request it.

Create inbox rules in your email client to move messages to the Inbox. You can
also ask your admins to configure overrides as described in Spoof intelligence
insight in EOP and Manage the Tenant Allow/Block List.

Use the Tenant Allow/Block List to create an override for the mailing list to treat
it as legitimate. For more information, see Create allow entries for spoofed
senders.
If all else fails, you can report the message as a false positive to Microsoft. For more
information, see Report messages and files to Microsoft.

Considerations for anti-spoofing protection


If you're an admin who currently sends messages to Microsoft 365, you need to ensure
that your email is properly authenticated. Otherwise, it might be marked as spam or
phishing. For more information, see Solutions for legitimate senders who are sending
unauthenticated email.

Senders in an individual user's (or admin's) Safe Senders list will bypass parts of the
filtering stack, including spoof protection. For more information, see Outlook Safe
Senders.

Admins should avoid (when possible) using allowed sender lists or allowed domain lists.
These senders bypass all spam, spoofing, and phishing protection, and also sender
authentication (SPF, DKIM, DMARC). For more information, see Use allowed sender lists
or allowed domain lists.

Anti-spoofing protection FAQ

FAQ

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This article provides frequently asked questions and answers about anti-spoofing
protection for Microsoft 365 organizations with mailboxes in Exchange Online, or
standalone Exchange Online Protection (EOP) organizations without Exchange Online
mailboxes.

For questions and answers about anti-spam protection, see Anti-spam protection FAQ.

For questions and answers about anti-malware protection, see Anti-malware protection
FAQ

Why did Microsoft choose to junk unauthenticated inbound email?

Microsoft believes that the risk of continuing to allow unauthenticated inbound email is
higher than the risk of losing legitimate inbound email.

Does junking unauthenticated inbound email cause legitimate email to be marked as spam?

When Microsoft enabled this feature in 2018, some false positives happened (good
messages were marked as bad). However, over time, senders adjusted to the
requirements. The number of messages that were misidentified as spoofed became
negligible for most email paths.

Microsoft itself first adopted the new email authentication requirements several weeks
before deploying it to customers. While there was disruption at first, it gradually
declined.

Is spoof intelligence available to Microsoft 365 customers without Defender for Office 365?

Yes. As of October 2018, spoof intelligence is available to all organizations with
mailboxes in Exchange Online, and standalone EOP organizations without Exchange
Online mailboxes.

How can I report spam or non-spam messages back to Microsoft?

See Report messages and files to Microsoft.

I'm an admin and I don't know all of the sources for messages in my email domain!

See You don't know all sources for your email.

What happens if I disable anti-spoofing protection for my organization?

We do not recommend disabling anti-spoofing protection. Disabling the protection will
allow more phishing and spam messages to be delivered in your organization. Not all
phishing is spoofing, and not all spoofed messages will be missed. However, your risk
will be higher.

Now that Enhanced Filtering for Connectors is available, we no longer recommend
turning off anti-spoofing protection when your email is routed through another service
before EOP.

Does anti-spoofing protection mean I will be protected from all phishing?

Unfortunately, no. Attackers will adapt to use other techniques (for example,
compromised accounts or accounts in free email services). However, anti-phishing
protection works much better to detect these other types of phishing methods. The
protection layers in EOP are designed to work together and build on top of each other.

Do other large email services block unauthenticated inbound email?

Nearly all large email services implement traditional SPF, DKIM, and DMARC checks.
Some services have other, more strict checks, but few go as far as EOP to block
unauthenticated email and treat them as spoofed messages. However, the industry is
becoming more aware about issues with unauthenticated email, particularly because of
the problem of phishing.

Do I still need to enable the Advanced Spam Filter setting "SPF record: hard fail"
('MarkAsSpamSpfRecordHardFail') if I enable anti-spoofing?

No. This ASF setting is no longer required. Anti-spoofing protection considers both SPF
hard fails and a much wider set of criteria. If you have anti-spoofing enabled and the
SPF record: hard fail (MarkAsSpamSpfRecordHardFail) turned on, you will probably get
more false positives.

We recommend that you disable this feature as it provides almost no additional benefit
for detecting spam or phishing messages, and would instead generate mostly false
positives. For more information, see Advanced Spam Filter (ASF) settings in EOP.

Does Sender Rewriting Scheme help fix forwarded email?

SRS only partially fixes the problem of forwarded email. By rewriting the SMTP MAIL
FROM, SRS can ensure that the forwarded message passes SPF at the next destination.
However, because anti-spoofing is based upon the From address in combination with
the MAIL FROM or DKIM-signing domain (or other signals), it's not enough to prevent
SRS forwarded email from being marked as spoofed.

How EOP validates the From address to prevent phishing
Article • 12/22/2022 • 5 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Phishing attacks are a constant threat to any email organization. In addition to using
spoofed (forged) sender email addresses, attackers often use values in the From address
that violate internet standards. To help prevent this type of phishing, Exchange Online
Protection (EOP) and Outlook.com now require inbound messages to include an RFC-
compliant From address as described in this article. This enforcement was enabled in
November 2017.

Notes:

If you regularly receive email from organizations that have malformed From
addresses as described in this article, encourage these organizations to update
their email servers to comply with modern security standards.

The related Sender field (used by Send on Behalf and mailing lists) isn't affected by
these requirements. For more information, see the following blog post: What do
we mean when we refer to the 'sender' of an email?.

An overview of email message standards


A standard SMTP email message consists of a message envelope and message content.
The message envelope contains information that's required for transmitting and
delivering the message between SMTP servers. The message content contains message
header fields (collectively called the message header) and the message body. The
message envelope is described in RFC 5321 , and the message header is described in
RFC 5322 . Recipients never see the actual message envelope because it's generated
by the message transmission process, and it isn't actually part of the message.

The 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or
envelope sender) is the email address that's used in the SMTP transmission of the
message. This email address is typically recorded in the Return-Path header field in
the message header (although it's possible for the sender to designate a different
Return-Path email address).

The 5322.From (also known as the From address or P2 sender) is the email address
in the From header field, and is the sender's email address that's displayed in email
clients. The From address is the focus of the requirements in this article.

The From address is defined in detail across several RFCs (for example, RFC 5322
sections 3.2.3, 3.4, and 3.4.1, and RFC 3696 ). There are many variations on addressing
and what's considered valid or invalid. To keep it simple, we recommend the following
format and definitions:

From: "Display Name" <EmailAddress>

Display Name: An optional phrase that describes the owner of the email address.
We recommend that you always enclose the display name in double quotation
marks (") as shown. If the display name contains a comma, you must enclose the
string in double quotation marks per RFC 5322.
If the From address includes a display name, the EmailAddress value must be
enclosed in angle brackets (< >) as shown.
Microsoft strongly recommends that you insert a space between the display
name and the email address.

EmailAddress: An email address uses the format local-part@domain:

local-part: A string that identifies the mailbox associated with the address. This
value is unique within the domain. Often, the mailbox owner's username or
GUID is used.
domain: The fully qualified domain name (FQDN) of the email server that hosts
the mailbox identified by the local-part of the email address.

These are some additional considerations for the EmailAddress value:

Only one email address.
We recommend that you do not separate the angle brackets with spaces.
Don't include additional text after the email address.

Examples of valid and invalid From addresses

The following From email addresses are valid:

From: sender@contoso.com

From: <sender@contoso.com>

From: < sender@contoso.com > (Not recommended because there are spaces
between the angle brackets and the email address.)

From: "Sender, Example" <sender.example@contoso.com>

From: "Microsoft 365" <sender@contoso.com>

From: Microsoft 365 <sender@contoso.com> (Not recommended because the
display name is not enclosed in double quotation marks.)

The following From email addresses are invalid:

From: <firstname lastname@contoso.com> (The email address contains a space.)

No From address: Some automated messages don't include a From address. In the
past, when Microsoft 365 or Outlook.com received a message without a From
address, the service added the following default From: address to make the
message deliverable:

From: <>

Now, messages with a blank From address are no longer accepted.

From: Microsoft 365 sender@contoso.com (The display name is present, but the
email address is not enclosed in angle brackets.)

From: "Microsoft 365" <sender@contoso.com> (Sent by a process) (Text after the
email address.)

From: Sender, Example <sender.example@contoso.com> (The display name contains
a comma, but is not enclosed in double quotation marks.)

From: "Microsoft 365 <sender@contoso.com>" (The whole value is incorrectly
enclosed in double quotation marks.)

From: "Microsoft 365 <sender@contoso.com>" sender@contoso.com (The display
name is present, but the email address is not enclosed in angle brackets.)

From: Microsoft 365<sender@contoso.com> (No space between the display name
and the left angle bracket.)

From: "Microsoft 365"<sender@contoso.com> (No space between the closing
double quotation mark and the left angle bracket.)
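The format rules above can be applied mechanically, which is useful when you need to test an outbound mail generator or a custom application before its messages reach a service that enforces these requirements. The following Python script is an added example and is not part of this article or of any Microsoft product; the function name check_from and the verdict labels are this example's own. It implements a simplified checker for the recommended From format (it is not a complete RFC 5322 parser: comments, quoted local-parts and escaped quotation marks are not handled) and classifies each of the From values listed above as valid, not recommended, or invalid, giving the same reason the article gives.

```python
import re

# Constructed, simplified grammar for local-part@domain with no whitespace.
# It covers the address shapes listed in the article; it is not a complete
# RFC 5322 parser.
ADDR_SPEC_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$"
)


def check_from(value):
    """Classify a From header value against the article's recommended format.

    Returns (verdict, reason); verdict is 'valid', 'not recommended' or 'invalid'.
    A leading 'From:' field name is accepted and ignored.
    """
    v = value.strip()
    if v.lower().startswith("from:"):
        v = v[5:].strip()
    if v in ("", "<>"):
        return ("invalid", "blank From address")
    if ADDR_SPEC_RE.match(v):
        return ("valid", "bare email address")

    # Split into display name, the whitespace separating it from '<', and the rest.
    if v.startswith('"'):
        end = v.find('"', 1)  # closing quote of the display name
        if end == -1:
            return ("invalid", "unterminated double quotation mark")
        quoted, display = True, v[1:end]
        rest = v[end + 1:]
        sep, rest = rest[: len(rest) - len(rest.lstrip())], rest.lstrip()
    else:
        lt = v.find("<")
        if lt == -1:
            if "@" in v:
                return ("invalid", "email address is not enclosed in angle brackets")
            return ("invalid", "no email address")
        quoted, raw = False, v[:lt]
        display, sep = raw.rstrip(), raw[len(raw.rstrip()):]
        rest = v[lt:]

    if not rest.startswith("<"):
        if "@" in rest:
            return ("invalid", "email address is not enclosed in angle brackets")
        return ("invalid", "whole value is enclosed in double quotation marks")

    gt = rest.find(">")
    if gt == -1:
        return ("invalid", "missing right angle bracket")
    inner, trail = rest[1:gt], rest[gt + 1:]
    if trail.strip():
        return ("invalid", "text after the email address")
    addr = inner.strip()
    if not addr:
        return ("invalid", "blank From address")
    if not ADDR_SPEC_RE.match(addr):
        if " " in addr:
            return ("invalid", "email address contains a space")
        return ("invalid", "malformed email address")

    # Display-name rules: a space before '<' is required, quotes are required when
    # the name contains a comma and recommended otherwise.
    if display and not sep:
        return ("invalid", "no space between the display name and the left angle bracket")
    if display and not quoted and "," in display:
        return ("invalid", "display name contains a comma but is not enclosed in double quotation marks")
    if display and not quoted:
        return ("not recommended", "display name is not enclosed in double quotation marks")
    if inner != addr:
        return ("not recommended", "spaces between the angle brackets and the email address")
    return ("valid", "recommended format")


# The article's own examples, used here as constructed sample input.
SAMPLES = [
    'From: sender@contoso.com',
    'From: <sender@contoso.com>',
    'From: < sender@contoso.com >',
    'From: "Sender, Example" <sender.example@contoso.com>',
    'From: Microsoft 365 <sender@contoso.com>',
    'From: <firstname lastname@contoso.com>',
    'From: <>',
    'From: Microsoft 365 sender@contoso.com',
    'From: "Microsoft 365" <sender@contoso.com> (Sent by a process)',
    'From: Sender, Example <sender.example@contoso.com>',
    'From: "Microsoft 365 <sender@contoso.com>"',
    'From: "Microsoft 365 <sender@contoso.com>" sender@contoso.com',
    'From: Microsoft 365<sender@contoso.com>',
    'From: "Microsoft 365"<sender@contoso.com>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, reason = check_from(s)
        print(f"{verdict:16} {s}  ({reason})")
```

Running the script prints one line per sample; the verdicts line up with the valid and invalid lists above, and the reason text tells a developer which of the article's rules the value breaks.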

Suppress auto-replies to your custom domain

You can't use the value From: <> to suppress auto-replies. Instead, you need to set up a
null MX record for your custom domain. Auto-replies (and all replies) are naturally
suppressed because there is no published address that the responding server can send
messages to.

Choose an email domain that can't receive email. For example, if your primary
domain is contoso.com, you might choose noreply.contoso.com.

The null MX record for this domain consists of a single period. For example:

text

noreply.contoso.com IN MX .

For more information about setting up MX records, see Create DNS records at any DNS
hosting provider for Microsoft 365.

For more information about publishing a null MX, see RFC 7505.

Override From address enforcement


To bypass the From address requirements for inbound email, you can use the IP Allow
List (connection filtering) or mail flow rules (also known as transport rules) as described
in Create safe sender lists in Microsoft 365.

You can't override the From address requirements for outbound email that you send
from Microsoft 365. In addition, Outlook.com will not allow overrides of any kind, even
through support.

Other ways to prevent and protect against cybercrimes in Microsoft 365

For more information on how you can strengthen your organization against phishing,
spam, data breaches, and other threats, see Best practices for securing Microsoft 365 for
business plans.
Safe Attachments in Microsoft Defender
for Office 365
Article • 12/22/2022 • 8 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Safe Attachments in Microsoft Defender for Office 365 provides an additional layer of
protection for email attachments that have already been scanned by anti-malware
protection in Exchange Online Protection (EOP). Specifically, Safe Attachments uses a
virtual environment to check attachments in email messages before they're delivered to
recipients (a process known as detonation).

Safe Attachments protection for email messages is controlled by Safe Attachments
policies. Although there's no default Safe Attachments policy, the Built-in protection
preset security policy provides Safe Attachments protection to all recipients (users who
aren't defined in the Standard or Strict preset security policies or in custom Safe
Attachments policies). For more information, see Preset security policies in EOP and
Microsoft Defender for Office 365. You can also create Safe Attachments policies that
apply to specific users, groups, or domains. For instructions, see Set up Safe Attachments
policies in Microsoft Defender for Office 365.

The following table describes scenarios for Safe Attachments in Microsoft 365 and Office
365 organizations that include Microsoft Defender for Office 365 (in other words, lack of
licensing is never an issue in the examples).

Scenario: Pat's Microsoft 365 E5 organization has no Safe Attachments policies
configured.
Result: Pat is protected by Safe Attachments due to the Built-in protection preset
security policy that applies to all recipients who are not otherwise defined in Safe
Attachments policies.

Scenario: Lee's organization has a Safe Attachments policy that applies only to finance
employees. Lee is a member of the sales department.
Result: Lee and the rest of the sales department are protected by Safe Attachments due
to the Built-in protection preset security policy that applies to all recipients who are
not otherwise defined in Safe Attachments policies.

Scenario: Yesterday, an admin in Jean's organization created a Safe Attachments policy
that applies to all employees. Earlier today, Jean received an email message that
included an attachment.
Result: Jean is protected by Safe Attachments due to that custom Safe Attachments
policy. Typically, it takes about 30 minutes for a new policy to take effect.

Scenario: Chris's organization has long-standing Safe Attachments policies for everyone
in the organization. Chris receives an email that has an attachment, and then forwards
the message to external recipients.
Result: Chris is protected by Safe Attachments. If the external recipients are in a
Microsoft 365 organization, then the forwarded messages are also protected by Safe
Attachments.

Safe Attachments scanning takes place in the same region where your Microsoft 365
data resides. For more information about datacenter geography, see Where is your data
located?

Note

The following features are located in the global settings of Safe Attachments
policies in the Microsoft 365 Defender portal. But, these settings are enabled or
disabled globally, and don't require Safe Attachments policies:

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
Safe Documents in Microsoft 365 E5

Safe Attachments policy settings

This section describes the settings in Safe Attachments policies:

Recipient filters: You need to specify the recipient conditions and exceptions that
determine who the policy applies to. You can use these properties for conditions
and exceptions:
Users
Groups
Domains
You can only use a condition or exception once, but the condition or exception can
contain multiple values. Multiple values of the same condition or exception use OR
logic (for example, <recipient1> or <recipient2>). Different conditions or
exceptions use AND logic (for example, <recipient1> and <member of group 1>).

Important

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The policy is applied only to those recipients that match all of the
specified recipient filters. For example, you configure a recipient filter
condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy is not
applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.

Safe Attachments unknown malware response: This setting controls the action for
Safe Attachments malware scanning in email messages. The available options are
described in the following table:

Option: Off
Effect: Attachments aren't scanned for malware by Safe Attachments. Messages are still
scanned for malware by anti-malware protection in EOP.
Use when you want to: Turn scanning off for selected recipients. Prevent unnecessary
delays in routing internal mail. This option is not recommended for most users. You
should only use this option to turn off Safe Attachments scanning for recipients who
only receive messages from trusted senders. ZAP will not quarantine messages if Safe
Attachments is turned off and a malware signal is not received. For details, see
Zero-hour auto purge.

Option: Monitor
Effect: Delivers messages with attachments and then tracks what happens with detected
malware. Delivery of safe messages might be delayed due to Safe Attachments scanning.
Use when you want to: See where detected malware goes in your organization.

Option: Block
Effect: Prevents messages with detected malware attachments from being delivered.
Messages are quarantined. By default, only admins (not users) can review, release, or
delete the messages.* Automatically blocks future instances of the messages and
attachments. Delivery of safe messages might be delayed due to Safe Attachments
scanning.
Use when you want to: Protect your organization from repeated attacks using the same
malware attachments. This is the default value, and the recommended value in Standard
and Strict preset security policies.

Option: Replace
Effect: Note: This action will be deprecated. For more information, see MC424901.
Removes detected malware attachments. Notifies recipients that attachments have been
removed. Messages that contain malicious attachments are quarantined. By default, only
admins (not users) can review, release, or delete the messages.* Delivery of safe
messages might be delayed due to Safe Attachments scanning.
Use when you want to: Raise visibility to recipients that attachments were removed
because of detected malware.

Option: Dynamic Delivery
Effect: Delivers messages immediately, but replaces attachments with placeholders until
Safe Attachments scanning is complete. Messages that contain malicious attachments are
quarantined. By default, only admins (not users) can review, release, or delete the
messages.* For details, see the Dynamic Delivery in Safe Attachments policies section
later in this article.
Use when you want to: Avoid message delays while protecting recipients from malicious
files.

* Quarantine policy: Admins can create and assign quarantine policies in Safe
Attachments policies that define what users are allowed to do to quarantined
messages. For more information, see Quarantine policies.

Redirect messages with detected attachments: Enable redirect and Send
messages that contain blocked, monitored, or replaced attachments to the
specified email address: For Block, Monitor, or Replace actions, send messages
that contain malware attachments to the specified internal or external email
address for analysis and investigation.

The recommendation for Standard and Strict policy settings is to enable
redirection. For more information, see Safe Attachments settings.

Note

Redirection will soon be available only for the Monitor action. For more
information, see MC424899.

Apply the Safe Attachments detection response if scanning can't complete
(timeout or errors): The action specified by Safe Attachments unknown malware
response is taken on messages even when Safe Attachments scanning can't
complete. Always select this option if you select Enable redirect. Otherwise,
messages might be lost.

Priority: If you create multiple policies, you can specify the order that they're
applied. No two policies can have the same priority, and policy processing stops
after the first policy is applied.

For more information about the order of precedence and how multiple policies are
evaluated and applied, see Order and precedence of email protection.

Dynamic Delivery in Safe Attachments policies

Note

Dynamic Delivery works only for Exchange Online mailboxes.

The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email
delivery delays that might be caused by Safe Attachments scanning. The body of the
email message is delivered to the recipient with a placeholder for each attachment. The
placeholder remains until the attachment is found to be safe, and then the attachment
becomes available to open or download.

If an attachment is found to be malicious, the message is quarantined.

Most PDFs and Office documents can be previewed in safe mode while Safe
Attachments scanning is underway. If an attachment is not compatible with the Dynamic
Delivery previewer, the recipients will see a placeholder for the attachment until Safe
Attachments scanning is complete.

If you're using a mobile device, and PDFs aren't rendering in the Dynamic Delivery
previewer on your mobile device, try opening the message in Outlook on the web
(formerly known as Outlook Web App) using your mobile browser.

Here are some considerations for Dynamic Delivery and forwarded messages:

If the forwarded recipient is protected by a Safe Attachments policy that uses the
Dynamic Delivery option, then the recipient sees the placeholder, with the ability to
preview compatible files.
If the forwarded recipient is not protected by a Safe Attachments policy, the
message and attachments will be delivered without any Safe Attachments scanning
or attachment placeholders.
There are scenarios where Dynamic Delivery is unable to replace attachments in
messages. These scenarios include:

Messages in public folders.
Messages that are routed out of and then back into a user's mailbox using custom
rules.
Messages that are moved (automatically or manually) out of cloud mailboxes to
other locations, including archive folders.
Inbox rules move the message out of the Inbox into a different folder.
Deleted messages.
The user's mailbox search folder is in an error state.
Exchange Online organizations where Exclaimer is enabled. To resolve this issue,
see KB4014438.
S/MIME encrypted messages.
You configured the Dynamic Delivery action in a Safe Attachments policy, but the
recipient doesn't support Dynamic Delivery (for example, the recipient is a mailbox
in an on-premises Exchange organization). However, Safe Links in Microsoft
Defender for Office 365 is able to scan Office file attachments that contain URLs (if
Safe Links scanning of supported Office apps is turned on in the applicable Safe Links
policy).

Submitting files for malware analysis

If you receive a file that you want to send to Microsoft for analysis, see Submit
malware and non-malware to Microsoft for analysis.
If you receive an email message (with or without an attachment) that you want to
submit to Microsoft for analysis, see Report messages and files to Microsoft.
Set up Safe Attachments policies in
Microsoft Defender for Office 365
Article • 12/22/2022 • 19 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Important

This article is intended for business customers who have Microsoft Defender for
Office 365. If you're a home user looking for information about attachment
scanning in Outlook, see Advanced Outlook.com security.

Safe Attachments is a feature in Microsoft Defender for Office 365 that uses a virtual
environment to check attachments in inbound email messages after they've been
scanned by anti-malware protection in Exchange Online Protection (EOP), but before
delivery to recipients. For more information, see Safe Attachments in Microsoft Defender
for Office 365.

Although there's no default Safe Attachments policy, the Built-in protection preset
security policy provides Safe Attachments protection to all recipients (users who aren't
defined in the Standard or Strict preset security policies or custom Safe Attachments
policies). For more information, see Preset security policies in EOP and Microsoft
Defender for Office 365. You can also use the procedures in this article to create Safe
Attachments policies that apply to specific users, groups, or domains.

You can configure Safe Attachments policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with
mailboxes in Exchange Online; standalone EOP PowerShell for organizations without
Exchange Online mailboxes, but with Defender for Office 365 add-on subscriptions).

The basic elements of a Safe Attachments policy are:

The safe attachment policy: Specifies the actions for unknown malware detections,
whether to send messages with malware attachments to a specified email address,
and whether to deliver messages if Safe Attachments scanning can't complete.
The safe attachment rule: Specifies the priority and recipient filters (who the policy
applies to).

The difference between these two elements isn't obvious when you manage Safe
Attachments policies in the Microsoft 365 Defender portal:

When you create a Safe Attachments policy, you're actually creating a safe
attachment rule and the associated safe attachment policy at the same time using
the same name for both.
When you modify a Safe Attachments policy, settings related to the name, priority,
enabled or disabled, and recipient filters modify the safe attachment rule. All other
settings modify the associated safe attachment policy.
When you remove a Safe Attachments policy, the safe attachment rule and the
associated safe attachment policy are removed.

In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy
and the rule separately. For more information, see the Use Exchange Online PowerShell
or standalone EOP PowerShell to configure Safe Attachments policies section later in
this article.

Note

In the global settings area of Safe Attachments settings, you configure features that
are not dependent on Safe Attachments policies. For instructions, see Turn on Safe
Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents
in Microsoft 365 E5.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

You need permissions before you can do the procedures in this article:
To create, modify, and delete Safe Attachments policies, you need to be a
member of the Organization Management or Security Administrator role
groups in the Microsoft 365 Defender portal and a member of the Organization
Management role group in Exchange Online.
For read-only access to Safe Attachments policies, you need to be a member of
the Global Reader or Security Reader role groups in the Microsoft 365
Defender portal.

For more information, see Permissions in the Microsoft 365 Defender portal and
Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions in the Microsoft 365
Defender portal and permissions for other features in Microsoft 365. For more
information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.

For our recommended settings for Safe Attachments policies, see Safe
Attachments settings.

Allow up to 30 minutes for a new or updated policy to be applied.

Use the Microsoft 365 Defender portal to create Safe Attachments policies

Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal creates
the safe attachment rule and the associated safe attachment policy at the same time
using the same name for both.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in
the Policies section. To go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2.

2. On the Safe Attachments page, click Create.

3. The policy wizard opens. On the Name your policy page, configure the following
settings:

Name: Enter a unique, descriptive name for the policy.
Description: Enter an optional description for the policy.

When you're finished, click Next.

4. On the Users and domains page that appears, identify the internal recipients that
the policy applies to (recipient conditions):

Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your
organization.

Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.

For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.

Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).

Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.

Important

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The policy is applied only to those recipients that match all of the
specified recipient filters. For example, you configure a recipient filter
condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy is not
applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.

When you're finished, click Next.

5. On the Settings page, configure the following settings:

Safe Attachments unknown malware response: Select one of the following
values:
Off: Typically, we don't recommend this value.
Monitor
Block: This is the default value, and the recommended value in Standard
and Strict preset security policies.
Replace: This action will be deprecated. For more information, see
MC424901.
Dynamic Delivery (Preview feature)

These values are explained in Safe Attachments policy settings.

Quarantine policy: Select the quarantine policy that applies to messages that
are quarantined by Safe Attachments (Block, Replace, or Dynamic Delivery).
Quarantine policies define what users are able to do to quarantined
messages, and whether users receive quarantine notifications. For more
information, see Quarantine policies.

A blank value means the default quarantine policy is used
(AdminOnlyAccessPolicy for email detections by Safe Attachments). When
you later edit the Safe Attachments policy or view the settings, the default
quarantine policy name is shown.

Redirect messages with detected attachments: If you select Enable redirect,
you can specify an email address in the Send messages that contain blocked,
monitored, or replaced attachments to the specified email address box to
send messages that contain malware attachments for analysis and
investigation.

Note

Redirection will soon be available only for the Monitor action. For more
information, see MC424899.

Apply the Safe Attachments detection response if scanning can't complete
(timeout or errors): The action specified by Safe Attachments unknown
malware response is taken on messages even when Safe Attachments
scanning can't complete. If you selected this option, always select Enable
redirect and specify an email address to send messages that contain malware
attachments. Otherwise, messages might be lost.

When you're finished, click Next.

6. On the Review page that appears, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.

When you're finished, click Submit.

7. On the confirmation page that appears, click Done.

Use the Microsoft 365 Defender portal to view Safe Attachments policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in
the Policies section. To go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2.

2. On the Safe Attachments page, the following properties are displayed in the list of
policies:

Name
Status
Priority

3. When you select a policy by clicking on the name, the policy settings are displayed
in a flyout.

Use the Microsoft 365 Defender portal to modify Safe Attachments policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in
the Policies section. To go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2.

2. On the Safe Attachments page, select a policy from the list by clicking on the
name.

3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the Use
the Microsoft 365 Defender portal to create Safe Attachments policies section
earlier in this article.

To enable or disable a policy or set the policy priority order, see the following sections.

Enable or disable Safe Attachments policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in
the Policies section. To go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2.

2. On the Safe Attachments page, select a policy from the list by clicking on the
name.

3. At the top of the policy details flyout that appears, you'll see one of the following
values:

Policy off: To turn on the policy, click Turn on.
Policy on: To turn off the policy, click Turn off.

4. In the confirmation dialog that appears, click Turn on or Turn off.

5. Click Close in the policy details flyout.

Back on the main policy page, the Status value of the policy will be On or Off.

Set the priority of Safe Attachments policies


By default, Safe Attachments policies are given a priority that's based on the order they
were created in (newer policies are lower priority than older policies). A lower priority
number indicates a higher priority for the policy (0 is the highest), and policies are
processed in priority order (higher priority policies are processed before lower priority
policies). No two policies can have the same priority, and policy processing stops after
the first policy is applied.

For more information about the order of precedence and how multiple policies are
evaluated and applied, see Order and precedence of email protection.
Safe Attachments policies are displayed in the order they're processed (the first policy
has the Priority value 0).

Note: In the Microsoft 365 Defender portal, you can only change the priority of the Safe
Attachments policy after you create it. In PowerShell, you can override the default
priority when you create the safe attachment rule (which can affect the priority of
existing rules).

To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.

1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Safe Attachments in the Policies section.

2. On the Safe Attachments page, select a policy from the list by clicking on the
name.

3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of policies:

The policy with the Priority value 0 has only the Decrease priority option
available.
The policy with the lowest Priority value (for example, 3) has only the
Increase priority option available.
If you have three or more policies, the policies between the highest and
lowest priority values have both the Increase priority and Decrease priority
options available.

Click Increase priority or Decrease priority to change the Priority value.

4. When you're finished, click Close in the policy details flyout.

Use the Microsoft 365 Defender portal to remove Safe Attachments policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in
the Policies section. To go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2.

2. On the Safe Attachments page, select a custom policy from the list by clicking on
the name of the policy.

3. At the top of the policy details flyout that appears, click More actions >
Delete policy.

4. In the confirmation dialog that appears, click Yes.

Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe
Attachments policies

As previously described, a Safe Attachments policy consists of a safe attachment policy
and a safe attachment rule.

In PowerShell, the difference between safe attachment policies and safe attachment
rules is apparent. You manage safe attachment policies by using the
*-SafeAttachmentPolicy cmdlets, and you manage safe attachment rules by using the
*-SafeAttachmentRule cmdlets.

In PowerShell, you create the safe attachment policy first, then you create the safe
attachment rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the safe attachment policy and the safe
attachment rule separately.
When you remove a safe attachment policy from PowerShell, the corresponding
safe attachment rule isn't automatically removed, and vice versa.

Use PowerShell to create Safe Attachments policies


Creating a Safe Attachments policy in PowerShell is a two-step process:

1. Create the safe attachment policy.


2. Create the safe attachment rule that specifies the safe attachment policy that the
rule applies to.

Notes:

You can create a new safe attachment rule and assign an existing, unassociated
safe attachment policy to it. A safe attachment rule can't be associated with more
than one safe attachment policy.
You can configure the following settings on new safe attachment policies in
PowerShell that aren't available in the Microsoft 365 Defender portal until after you
create the policy:
Create the new policy as disabled (Enabled $false on the New-SafeAttachmentRule cmdlet).
Set the priority of the policy during creation (Priority <Number> on the New-SafeAttachmentRule cmdlet).

A new safe attachment policy that you create in PowerShell isn't visible in the
Microsoft 365 Defender portal until you assign the policy to a safe attachment rule.

Step 1: Use PowerShell to create a safe attachment policy

To create a safe attachment policy, use this syntax:

PowerShell

New-SafeAttachmentPolicy -Name "<PolicyName>" -Enable $true [-AdminDisplayName "<Comments>"] [-Action <Allow | Block | Replace | DynamicDelivery>] [-Redirect <$true | $false>] [-RedirectAddress <SMTPEmailAddress>] [-ActionOnError <$true | $false>] [-QuarantineTag <QuarantinePolicyName>]

This example creates a safe attachment policy named Contoso All with the following
values:

Block messages that are found to contain malware by Safe Attachments scanning
(we aren't using the Action parameter, and the default value is Block).
The default quarantine policy is used (AdminOnlyAccessPolicy), because we aren't
using the QuarantineTag parameter.
Redirection is enabled, and messages that are found to contain malware are sent
to sec-ops@contoso.com for analysis and investigation.
If Safe Attachments scanning isn't available or encounters errors, don't deliver the
message (we aren't using the ActionOnError parameter, and the default value is
$true ).

PowerShell

New-SafeAttachmentPolicy -Name "Contoso All" -Enable $true -Redirect $true -RedirectAddress sec-ops@contoso.com

For detailed syntax and parameter information, see New-SafeAttachmentPolicy.


Note

For detailed instructions to specify the quarantine policy to use in a safe
attachment policy, see Use PowerShell to specify the quarantine policy in Safe
Attachments policies.

Step 2: Use PowerShell to create a safe attachment rule

To create a safe attachment rule, use this syntax:

PowerShell

New-SafeAttachmentRule -Name "<RuleName>" -SafeAttachmentPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"] [-Enabled <$true | $false>]

This example creates a safe attachment rule named Contoso All with the following
conditions:

The rule is associated with the safe attachment policy named Contoso All.
The rule applies to all recipients in the contoso.com domain.
Because we aren't using the Priority parameter, the default priority is used.
The rule is enabled (we aren't using the Enabled parameter, and the default value is
$true ).

PowerShell

New-SafeAttachmentRule -Name "Contoso All" -SafeAttachmentPolicy "Contoso All" -RecipientDomainIs contoso.com

For detailed syntax and parameter information, see New-SafeAttachmentRule.
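The following script is an added example and is not code from the article. It wraps the two steps above in one function so the policy and its rule are always created as a pair, and it uses the two settings that are only available at creation time in PowerShell (a disabled rule and an explicit priority). It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline); the policy name "Contoso Pilot", the group address sa-pilot@contoso.com, and the sec-ops@contoso.com mailbox are placeholders.

```powershell
# Added example: create a Safe Attachments policy and its rule as one unit.
# Assumes Connect-ExchangeOnline has already been run. Names and addresses are placeholders.

function New-SafeAttachmentsPolicySet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $SentToMemberOf,   # distribution or Microsoft 365 group addresses
        [string] $RedirectAddress,
        [ValidateSet('Allow', 'Block', 'Replace', 'DynamicDelivery')] [string] $Action = 'Block',
        [int]    $Priority = -1,     # -1 means "don't pass Priority" (new rule gets the lowest priority)
        [switch] $Disabled
    )

    # Step 1: the policy holds the settings. It isn't visible in the portal until a rule references it.
    $policyParams = @{
        Name          = $Name
        Enable        = $true
        Action        = $Action
        ActionOnError = $true      # fail closed: apply the action when scanning is unavailable or errors
    }
    if ($RedirectAddress) {
        $policyParams['Redirect']        = $true
        $policyParams['RedirectAddress'] = $RedirectAddress
    }
    $policy = New-SafeAttachmentPolicy @policyParams

    # Step 2: the rule holds the recipient scope, the priority, and the enabled state.
    # Enabled and Priority are the two settings you can only set at creation time from PowerShell.
    $ruleParams = @{
        Name                 = $Name
        SafeAttachmentPolicy = $policy.Name
        SentToMemberOf       = $SentToMemberOf
        Enabled              = -not $Disabled
    }
    if ($Priority -ge 0) { $ruleParams['Priority'] = $Priority }
    $rule = New-SafeAttachmentRule @ruleParams

    [pscustomobject]@{
        Policy   = $policy.Name
        Rule     = $rule.Name
        Priority = $rule.Priority
        State    = $rule.State
    }
}

# Create a disabled pilot policy scoped to one group, with redirection of detected malware to sec-ops.
New-SafeAttachmentsPolicySet -Name 'Contoso Pilot' `
    -SentToMemberOf 'sa-pilot@contoso.com' `
    -RedirectAddress 'sec-ops@contoso.com' `
    -Priority 0 `
    -Disabled

# The rule's SafeAttachmentPolicy property is the only link between the two objects; confirm it.
Get-SafeAttachmentRule -Identity 'Contoso Pilot' | Format-List Name, SafeAttachmentPolicy, Priority, State

# Only after reviewing the settings, enable the rule (this enables the policy/rule pair).
Enable-SafeAttachmentRule -Identity 'Contoso Pilot'
```

Creating the rule disabled lets you review the combined settings with Get-SafeAttachmentPolicy and Get-SafeAttachmentRule before any mail is affected; the portal can only disable a policy after it exists.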

Use PowerShell to view safe attachment policies


To view existing safe attachment policies, use the following syntax:

PowerShell

Get-SafeAttachmentPolicy [-Identity "<PolicyIdentity>"] [| <Format-Table | Format-List> <Property1,Property2,...>]

This example returns a summary list of all safe attachment policies.


PowerShell

Get-SafeAttachmentPolicy

This example returns detailed information for the safe attachment policy named
Contoso Executives.

PowerShell

Get-SafeAttachmentPolicy -Identity "Contoso Executives" | Format-List

For detailed syntax and parameter information, see Get-SafeAttachmentPolicy.

Use PowerShell to view safe attachment rules


To view existing safe attachment rules, use the following syntax:

PowerShell

Get-SafeAttachmentRule [-Identity "<RuleIdentity>"] [-State <Enabled | Disabled>] [| <Format-Table | Format-List> <Property1,Property2,...>]

This example returns a summary list of all safe attachment rules.

PowerShell

Get-SafeAttachmentRule

To filter the list by enabled or disabled rules, run the following commands:

PowerShell

Get-SafeAttachmentRule -State Disabled

PowerShell

Get-SafeAttachmentRule -State Enabled

This example returns detailed information for the safe attachment rule named Contoso
Executives.

PowerShell
Get-SafeAttachmentRule -Identity "Contoso Executives" | Format-List

For detailed syntax and parameter information, see Get-SafeAttachmentRule.

Use PowerShell to modify safe attachment policies


You can't rename a safe attachment policy in PowerShell (the Set-SafeAttachmentPolicy
cmdlet has no Name parameter). When you rename a Safe Attachments policy in the
Microsoft 365 Defender portal, you're only renaming the safe attachment rule.

Otherwise, the same settings are available when you create a safe attachment policy as
described in the Step 1: Use PowerShell to create a safe attachment policy section earlier
in this article.

To modify a safe attachment policy, use this syntax:

PowerShell

Set-SafeAttachmentPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-SafeAttachmentPolicy.

Note

For detailed instructions to specify the quarantine policy to use in a safe
attachment policy, see Use PowerShell to specify the quarantine policy in Safe
Attachments policies.

Use PowerShell to modify safe attachment rules


The only setting that's not available when you modify a safe attachment rule in
PowerShell is the Enabled parameter that allows you to create a disabled rule. To enable
or disable existing safe attachment rules, see the next section.

Otherwise, the same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create a safe attachment rule section earlier in this article.

To modify a safe attachment rule, use this syntax:

PowerShell

Set-SafeAttachmentRule -Identity "<RuleName>" <Settings>


For detailed syntax and parameter information, see Set-SafeAttachmentRule.

Use PowerShell to enable or disable safe attachment rules


Enabling or disabling a safe attachment rule in PowerShell enables or disables the whole
Safe Attachments policy (the safe attachment rule and the assigned safe attachment
policy).

To enable or disable a safe attachment rule in PowerShell, use this syntax:

PowerShell

<Enable-SafeAttachmentRule | Disable-SafeAttachmentRule> -Identity "<RuleName>"

This example disables the safe attachment rule named Marketing Department.

PowerShell

Disable-SafeAttachmentRule -Identity "Marketing Department"

This example enables the same rule.

PowerShell

Enable-SafeAttachmentRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Enable-SafeAttachmentRule and
Disable-SafeAttachmentRule.

Use PowerShell to set the priority of safe attachment rules

The highest priority value you can set on a rule is 0. The lowest value you can set
depends on the number of rules. For example, if you have five rules, you can use the
priority values 0 through 4. Changing the priority of an existing rule can have a
cascading effect on other rules. For example, if you have five custom rules (priorities 0
through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is
changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of a safe attachment rule in PowerShell, use the following syntax:
PowerShell

Set-SafeAttachmentRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. All existing
rules with a Priority value of 2 or greater move down one position (their priority
numbers are increased by 1); rules with priority 0 and 1 are unaffected.

PowerShell

Set-SafeAttachmentRule -Identity "Marketing Department" -Priority 2

Note: To set the priority of a new rule when you create it, use the Priority parameter on
the New-SafeAttachmentRule cmdlet instead.

For detailed syntax and parameter information, see Set-SafeAttachmentRule.

Use PowerShell to remove safe attachment policies


When you use PowerShell to remove a safe attachment policy, the corresponding safe
attachment rule isn't removed.

To remove a safe attachment policy in PowerShell, use this syntax:

PowerShell

Remove-SafeAttachmentPolicy -Identity "<PolicyName>"

This example removes the safe attachment policy named Marketing Department.

PowerShell

Remove-SafeAttachmentPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-SafeAttachmentPolicy.

Use PowerShell to remove safe attachment rules


When you use PowerShell to remove a safe attachment rule, the corresponding safe
attachment policy isn't removed.

To remove a safe attachment rule in PowerShell, use this syntax:


PowerShell

Remove-SafeAttachmentRule -Identity "<RuleName>"

This example removes the safe attachment rule named Marketing Department.

PowerShell

Remove-SafeAttachmentRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-SafeAttachmentRule.
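Because neither Remove-SafeAttachmentPolicy nor Remove-SafeAttachmentRule removes the other object, and a policy with no rule is still present in the tenant but no longer shown in the portal, it is easy to leave orphaned policies behind. The following script is an added example, not code from the article: it removes a policy/rule pair in the right order and lists custom policies that no rule references. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline), uses the placeholder name "Marketing Department" from the page, and excludes built-in and preset policies by their IsBuiltInProtection and RecommendedPolicyType properties, because those policies are applied through preset security policy rules rather than *-SafeAttachmentRule objects.

```powershell
# Added example: remove a Safe Attachments policy and rule together, then find orphaned policies.
# Assumes Connect-ExchangeOnline has already been run. "Marketing Department" is a placeholder.

function Remove-SafeAttachmentsPolicySet {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Name)

    # Rule and policy are separate objects that usually share a name, but the
    # rule's SafeAttachmentPolicy property is the only authoritative link.
    $rule = Get-SafeAttachmentRule -Identity $Name -ErrorAction SilentlyContinue
    $policyName = if ($rule) { $rule.SafeAttachmentPolicy } else { $Name }

    # Refuse to delete a policy that another rule still references.
    $otherRules = Get-SafeAttachmentRule |
        Where-Object { $_.SafeAttachmentPolicy -eq $policyName -and $_.Name -ne $rule.Name }
    if ($otherRules) {
        throw "Policy '$policyName' is still referenced by rule(s): $($otherRules.Name -join ', ')"
    }

    # Remove the rule first, then the policy. Neither removal cascades to the other object.
    if ($rule -and $PSCmdlet.ShouldProcess($rule.Name, 'Remove-SafeAttachmentRule')) {
        Remove-SafeAttachmentRule -Identity $rule.Name -Confirm:$false
    }
    if ($PSCmdlet.ShouldProcess($policyName, 'Remove-SafeAttachmentPolicy')) {
        Remove-SafeAttachmentPolicy -Identity $policyName -Confirm:$false
    }
}

function Get-OrphanedSafeAttachmentPolicy {
    # A policy with no rule is invisible in the portal but still exists in the tenant.
    # Built-in and preset policies are excluded: they are applied through preset
    # security policy rules, not through *-SafeAttachmentRule objects.
    $referenced = (Get-SafeAttachmentRule).SafeAttachmentPolicy
    Get-SafeAttachmentPolicy |
        Where-Object { -not $_.IsBuiltInProtection -and $_.RecommendedPolicyType -eq 'Custom' } |
        Where-Object { $referenced -notcontains $_.Name } |
        Select-Object Name, Action, Redirect, RedirectAddress, WhenChanged
}

# Preview the removal, perform it, then confirm nothing was left behind.
Remove-SafeAttachmentsPolicySet -Name 'Marketing Department' -WhatIf
Remove-SafeAttachmentsPolicySet -Name 'Marketing Department'
Get-OrphanedSafeAttachmentPolicy
```

Run Get-OrphanedSafeAttachmentPolicy as part of the verification in the next section: an orphaned policy with Redirect enabled still carries a redirect address that the portal no longer shows you.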

How do you know these procedures worked?


To verify that you've successfully created, modified, or removed Safe Attachments
policies, do any of the following steps:

On the Safe Attachments page in the Microsoft 365 Defender portal at
https://security.microsoft.com/safeattachmentv2 , verify the list of policies, their
Status values, and their Priority values. To view more details, select the policy from
the list by clicking on the name, and view the details in the fly out.

In Exchange Online PowerShell or Exchange Online Protection PowerShell, replace
<Name> with the name of the policy or rule, run the following command, and
verify the settings:

PowerShell

Get-SafeAttachmentPolicy -Identity "<Name>" | Format-List

PowerShell

Get-SafeAttachmentRule -Identity "<Name>" | Format-List

To verify that Safe Attachments is scanning messages, check the available Defender for
Office 365 reports. For more information, see View reports for Defender for Office 365
and Use Explorer in the Microsoft 365 Defender portal.

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
Article • 12/09/2022 • 2 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in Microsoft Defender
for Office 365 provides an additional layer of protection for files that have already been
scanned asynchronously by the common virus detection engine in Microsoft 365. Safe
Attachments for SharePoint, OneDrive, and Microsoft Teams helps detect and block
existing files that are identified as malicious in team sites and document libraries.

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is not enabled by
default. To turn it on, see Turn on Safe Attachments for SharePoint, OneDrive, and
Microsoft Teams.

How Safe Attachments for SharePoint, OneDrive, and Microsoft Teams works

When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled and
identifies a file as malicious, the file is locked using direct integration with the file stores.
The following image shows an example of a malicious file detected in a library.


Although the blocked file is still listed in the document library and in web, mobile, or
desktop applications, people can't open, copy, move, or share the file. But they can
delete the blocked file.

Here's an example of what a blocked file looks like on a mobile device:

By default, people can download a blocked file. Here's what downloading a blocked file
looks like on a mobile device:

SharePoint Online admins can prevent people from downloading malicious files. For
instructions, see Use SharePoint Online PowerShell to prevent users from downloading
malicious files.

To learn more about the user experience when a file has been detected as malicious, see
What to do when a malicious file is found in SharePoint Online, OneDrive, or Microsoft
Teams .

View information about malicious files detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and
Microsoft Teams will show up in reports for Microsoft Defender for Office 365 and in
Explorer (and real-time detections).

When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and
Microsoft Teams, the file is also available in quarantine, but only to admins. For more
information, see Manage quarantined files in Defender for Office 365.

Keep these points in mind


Defender for Office 365 will not scan every single file in SharePoint Online,
OneDrive for Business, or Microsoft Teams. This is by design. Files are scanned
asynchronously. The process uses sharing and guest activity events along with
smart heuristics and threat signals to identify malicious files.
Make sure your SharePoint sites are configured to use the Modern experience.
Defender for Office 365 protection applies whether the Modern experience or the
Classic view is used; however, visual indicators that a file is blocked are available
only in the Modern experience.

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is part of your
organization's overall threat protection strategy, which includes anti-spam and
anti-malware protection in Exchange Online Protection (EOP), as well as Safe Links
and Safe Attachments in Microsoft Defender for Office 365. To learn more, see
Protect against threats in Office 365.

Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
Article • 12/09/2022 • 5 minutes to read


Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
protects your organization from inadvertently sharing malicious files. For more
information, see Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

This article contains the steps for enabling and configuring Safe Attachments for
SharePoint, OneDrive, and Microsoft Teams.

What do you need to know before you begin?


You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2 .

To turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, you
need to be a member of the Organization Management or Security Administrator
role groups in the Microsoft 365 Defender portal. For more information, see
Permissions in the Microsoft 365 Defender portal.

To use SharePoint Online PowerShell to prevent people from downloading
malicious files, you need to be member of the Global Administrator or SharePoint
Administrator roles in Azure AD.
Verify that audit logging is enabled for your organization. For more information,
see Turn audit log search on or off.

Allow up to 30 minutes for the settings to take effect.

Step 1: Use the Microsoft 365 Defender portal to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat policies > Safe Attachments in the Policies section. To go
directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2 .

2. On the Safe Attachments page, click Global settings.

3. In the Global settings fly out that appears, go to the Protect files in SharePoint,
OneDrive, and Microsoft Teams section.

Move the Turn on Defender for Office 365 for SharePoint, OneDrive, and
Microsoft Teams toggle to the right to turn on Safe Attachments for
SharePoint, OneDrive, and Microsoft Teams.

When you're finished, click Save.

Use Exchange Online PowerShell to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

If you'd rather use PowerShell to turn on Safe Attachments for SharePoint, OneDrive,
and Microsoft Teams, connect to Exchange Online PowerShell and run the following
command:

PowerShell

Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

For detailed syntax and parameter information, see Set-AtpPolicyForO365.


Step 2: (Recommended) Use SharePoint Online
PowerShell to prevent users from downloading
malicious files
By default, users can't open, move, copy, or share* malicious files that are detected by
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. However, they can
delete and download malicious files.

* If users go to Manage access, the Share option is still available.

To prevent users from downloading malicious files, connect to SharePoint Online
PowerShell and run the following command:

PowerShell

Set-SPOTenant -DisallowInfectedFileDownload $true

Notes:

This setting affects both users and admins.
People can still delete malicious files.

For detailed syntax and parameter information, see Set-SPOTenant.

Step 3: (Recommended) Use the Microsoft 365 Defender portal to create an alert policy for detected files

You can create an alert policy that notifies you and other admins when Safe Attachments
for SharePoint, OneDrive, and Microsoft Teams detects a malicious file. To learn more
about alerts, see Alert policies.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Alert policy. To go directly to the Alert policy page, use
https://security.microsoft.com/alertpolicies .

2. On the Alert policy page, click New alert policy.

3. The New alert policy wizard opens in a fly out. On the Name your alert page,
configure the following settings:
Name: Type a unique and descriptive name. For example, Malicious Files in
Libraries.
Description: Type an optional description. For example, Notifies admins when
malicious files are detected in SharePoint Online, OneDrive, or Microsoft
Teams.
Severity: Select Low, Medium, or High from the drop down list.
Category: Select Threat management from the drop down list.

When you're finished, click Next.

4. On the Create alert settings page, configure the following settings:

What do you want to alert on? section > Activity is > Select Detected
malware in file from the drop down list.
How do you want the alert to be triggered? section: Leave the default value
Every time an activity matches the rule selected.

When you're finished, click Next.

5. On the Set your recipients page, configure the following settings:

Verify Send email notifications is selected. In the Email recipients box, select
one or more global administrators, security administrators, or security readers
who should receive notification when a malicious file is detected.
Daily notification limit: Leave the default value No limit selected.

When you're finished, click Next.

6. On the Review your settings page, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.

In the Do you want to turn the policy on right away? section, leave the default
value Yes, turn it on right away selected.

When you're finished, click Finish.

Use Security & Compliance PowerShell to create an alert policy for detected files

If you'd rather use PowerShell to create the same alert policy as described in the
previous section, connect to Security & Compliance PowerShell and run the following
command:
PowerShell

New-ActivityAlert -Name "Malicious Files in Libraries" -Description "Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams" -Category ThreatManagement -Operation FileMalwareDetected -NotifyUser "admin1@contoso.com","admin2@contoso.com"

Note: The default Severity value is Low. To specify Medium or High, include the Severity
parameter and value in the command.

For detailed syntax and parameter information, see New-ActivityAlert.

How do you know these procedures worked?


To verify that you've successfully turned on Safe Attachments for SharePoint,
OneDrive, and Microsoft Teams, use either of the following steps:

In the Microsoft 365 Defender portal, go to Policies & rules > Threat Policies >
Policies section > Safe Attachments, select Global settings, and verify the value
of the Turn on Defender for Office 365 for SharePoint, OneDrive, and
Microsoft Teams setting.

In Exchange Online PowerShell, run the following command to verify the
property setting:

PowerShell

Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB

For detailed syntax and parameter information, see Get-AtpPolicyForO365.

To verify that you've successfully blocked people from downloading malicious files,
open SharePoint Online PowerShell, and run the following command to verify the
property value:

PowerShell

Get-SPOTenant | Format-List DisallowInfectedFileDownload

For detailed syntax and parameter information, see Get-SPOTenant.

To verify that you've successfully configured an alert policy for detected files, use
any of the following steps:
In the Microsoft 365 Defender portal, go to Policies & rules > Alert policy >
select the alert policy, and verify the settings.

In Security & Compliance PowerShell, replace <AlertPolicyName> with
the name of the alert policy, run the following command, and verify the
property values:

PowerShell

Get-ActivityAlert -Identity "<AlertPolicyName>"

For detailed syntax and parameter information, see Get-ActivityAlert.

Use the Threat protection status report to view information about detected files in
SharePoint, OneDrive, and Microsoft Teams. Specifically, you can use the View data
by: Content > Malware view.
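Steps 1 through 3 above touch three different admin endpoints (Exchange Online, SharePoint Online, and Security & Compliance PowerShell), so it is easy to finish one and forget another. The following script is an added example and is not code from the article: it applies all three settings idempotently and then checks each one. It assumes you have already run Connect-ExchangeOnline, Connect-IPPSSession, and Connect-SPOService -Url https://contoso-admin.sharepoint.com; the tenant name, the alert name, and the recipient addresses are placeholders taken from the page's own examples.

```powershell
# Added example: enable and verify the three protections for SharePoint, OneDrive, and Teams.
# Assumes Connect-ExchangeOnline, Connect-IPPSSession and Connect-SPOService sessions exist.
# Alert name and recipients are placeholders.

$alertName  = 'Malicious Files in Libraries'
$recipients = 'admin1@contoso.com', 'admin2@contoso.com'

# Step 1: Safe Attachments for SharePoint, OneDrive, and Teams (Exchange Online PowerShell).
if (-not (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB) {
    Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
}

# Step 2: block download of detected files for users and admins (SharePoint Online PowerShell).
if (-not (Get-SPOTenant).DisallowInfectedFileDownload) {
    Set-SPOTenant -DisallowInfectedFileDownload $true
}

# Step 3: alert on FileMalwareDetected (Security & Compliance PowerShell). Only create it once.
$alert = Get-ActivityAlert -Identity $alertName -ErrorAction SilentlyContinue
if (-not $alert) {
    New-ActivityAlert -Name $alertName `
        -Description 'Notifies admins when malicious files are detected in SharePoint Online, OneDrive, or Microsoft Teams' `
        -Category ThreatManagement `
        -Operation FileMalwareDetected `
        -Severity High `
        -NotifyUser $recipients
}

# Verification: every value must be True. Allow up to 30 minutes for the settings to take effect.
$checks = [ordered]@{
    'EnableATPForSPOTeamsODB'      = [bool](Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
    'DisallowInfectedFileDownload' = [bool](Get-SPOTenant).DisallowInfectedFileDownload
    'Alert policy present'         = [bool](Get-ActivityAlert -Identity $alertName -ErrorAction SilentlyContinue)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) {
    Write-Warning 'One or more Safe Attachments for SharePoint, OneDrive, and Teams settings are not enabled.'
}
```

The Severity value is set explicitly because the default for New-ActivityAlert is Low; a detected-malware alert that goes to a low-severity queue is easy to miss.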

Safe Documents in Microsoft 365 A5 or E5 Security
Article • 12/06/2022 • 5 minutes to read


Applies to

Microsoft 365 Defender

Safe Documents is a premium feature that uses the cloud backend of Microsoft
Defender for Endpoint to scan opened Office documents in Protected View or
Application Guard for Office .

Users don't need Defender for Endpoint installed on their local devices to get Safe
Documents protection. Users get Safe Documents protection if all of the following
requirements are met:

Safe Documents is enabled in the organization as described in this article.

Licenses from a required licensing plan are assigned to the users. Safe Documents
is controlled by the Office 365 SafeDocs (or SAFEDOCS or bf6f5520-59e3-4f82-
974b-7dbbc4fd27c7) service plan (also known as a service). This service plan is
available in the following licensing plans (also known as license plans, Microsoft
365 plans, or products):
Microsoft 365 A5 for Faculty
Microsoft 365 A5 for Students
Microsoft 365 E5 Security

Safe Documents is not included in Microsoft Defender for Office 365 licensing
plans.

For more information, see Product names and service plan identifiers for licensing.

They're using Microsoft 365 Apps for enterprise (formerly known as Office 365
ProPlus) version 2004 or later.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2 .

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

You need permissions in Exchange Online before you can do the procedures in
this article:
To configure Safe Documents settings, you need to be a member of the
Organization Management or Security Administrator role groups.
For read-only access to Safe Documents settings, you need to be a member of
the Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Note

Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions and
permissions for other features in Microsoft 365. For more information, see
About admin roles.

The View-Only Organization Management role group in Exchange Online
also gives read-only access to the feature.

How does Microsoft handle your data?


To keep you protected, Safe Documents sends files to the Microsoft Defender for
Endpoint cloud for analysis. Details on how Microsoft Defender for Endpoint handles
your data can be found here: Microsoft Defender for Endpoint data storage and privacy.

Files sent by Safe Documents are not retained in Defender for Endpoint beyond the time
needed for analysis (typically, less than 24 hours).

Use the Microsoft 365 Defender portal to configure Safe Documents

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Attachments in
the Policies section. To go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2 .

2. On the Safe Attachments page, click Global settings.

3. In the Global settings fly out that appears, configure the following settings:

Turn on Safe Documents for Office clients: Move the toggle to the right to
turn on the feature.
Allow people to click through Protected View even if Safe Documents
identified the file as malicious: We recommend that you leave this option
turned off (leave the toggle to the left).

When you're finished, click Save.

Use Exchange Online PowerShell to configure Safe Documents

If you'd rather use PowerShell to configure Safe Documents, use the following syntax in
Exchange Online PowerShell:

PowerShell

Set-AtpPolicyForO365 -EnableSafeDocs <$true | $false> -AllowSafeDocsOpen <$true | $false>

The EnableSafeDocs parameter enables or disables Safe Documents for the entire
organization.
The AllowSafeDocsOpen parameter allows or prevents users from leaving Protected
View (that is, opening the document) if the document has been identified as
malicious.

This example enables Safe Documents for the entire organization, and prevents users
from opening documents that have been identified as malicious from Protected View.

PowerShell

Set-AtpPolicyForO365 -EnableSafeDocs $true -AllowSafeDocsOpen $false

For detailed syntax and parameter information, see Set-AtpPolicyForO365.

Configure individual access to Safe Documents


If you want to selectively allow or block access to the Safe Documents feature, follow
these steps:

1. Turn on Safe Documents in the Microsoft 365 Defender portal or Exchange Online
PowerShell as previously described in this article.
2. Use Azure AD PowerShell to disable Safe Documents for specific users as described
in Disable specific Microsoft 365 services for specific users for a specific licensing
plan.

The name of the service plan to disable in PowerShell is SAFEDOCS.

For more information, see the following topics:

View Microsoft 365 licenses and services with PowerShell
View Microsoft 365 account license and service details with PowerShell
Product names and service plan identifiers for licensing

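The following script is an added example, not code from the article. It performs step 2 above with the Azure AD PowerShell module the article points to (Connect-AzureAD): it finds every license assigned to a user whose SKU contains the SAFEDOCS service plan, and adds that plan to the license's DisabledPlans while preserving any plans that are already disabled. Replacing the whole DisabledPlans list, rather than adding to it, would silently re-enable other services you had turned off. The service plan ID bf6f5520-59e3-4f82-974b-7dbbc4fd27c7 is the one stated earlier in this article; the user principal name is a placeholder.

```powershell
# Added example: disable the SAFEDOCS service plan for one user without touching other disabled plans.
# Assumes Connect-AzureAD has already been run. The UPN is a placeholder.

function Disable-SafeDocsForUser {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $safeDocsPlanId = 'bf6f5520-59e3-4f82-974b-7dbbc4fd27c7'   # Office 365 SafeDocs (SAFEDOCS)
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $skus = Get-AzureADSubscribedSku

    foreach ($assigned in $user.AssignedLicenses) {
        # Only licenses whose SKU includes SAFEDOCS (for example Microsoft 365 E5 Security) matter.
        $sku = $skus | Where-Object SkuId -eq $assigned.SkuId
        if (-not ($sku.ServicePlans.ServicePlanId -contains $safeDocsPlanId)) { continue }

        if ($assigned.DisabledPlans -contains $safeDocsPlanId) {
            Write-Verbose "SAFEDOCS is already disabled in $($sku.SkuPartNumber) for $UserPrincipalName"
            continue
        }

        # Keep the plans that are already disabled and add SAFEDOCS to them.
        $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
        $license.SkuId         = $assigned.SkuId
        $license.DisabledPlans = @($assigned.DisabledPlans) + $safeDocsPlanId

        $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
        $licenses.AddLicenses = $license
        Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses

        Write-Output "Disabled SAFEDOCS in $($sku.SkuPartNumber) for $UserPrincipalName"
    }
}

Disable-SafeDocsForUser -UserPrincipalName 'contractor@contoso.com' -Verbose

# Confirm the result: SAFEDOCS should show ProvisioningStatus Disabled for that user.
Get-AzureADUserLicenseDetail -ObjectId 'contractor@contoso.com' |
    ForEach-Object { $_.ServicePlans } |
    Where-Object ServicePlanName -eq 'SAFEDOCS' |
    Select-Object ServicePlanName, ProvisioningStatus
```

Reassigning the same SKU with a new AssignedLicense object is how Azure AD PowerShell updates DisabledPlans; the existing assignment is replaced in place, not duplicated.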
Onboard to the Microsoft Defender for Endpoint service
to enable auditing capabilities
To enable auditing capabilities, the local device needs to have Microsoft Defender for
Endpoint installed. To deploy Microsoft Defender for Endpoint, you need to go through
the various phases of deployment. After onboarding, you can configure auditing
capabilities in the Microsoft 365 Defender portal.

To learn more, see Onboard to the Microsoft Defender for Endpoint service. If you need
additional help, refer to Troubleshoot Microsoft Defender for Endpoint onboarding
issues.

How do I know this worked?


To verify that you've enabled and configured Safe Documents, do any of the following
steps:

In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Safe Attachments in the Policies section > Global
settings, and verify the Turn on Safe Documents for Office clients and Allow
people to click through Protected View even if Safe Documents identifies the file
as malicious settings.

Run the following command in Exchange Online PowerShell and verify the
property values:

PowerShell

Get-AtpPolicyForO365 | Format-List *SafeDocs*

The following files are available to test Safe Documents protection. These files are
similar to the EICAR.TXT file for testing anti-malware and anti-virus solutions. The
files are not harmful, but they will trigger Safe Documents protection.
SafeDocsDemo.docx
SafeDocsDemo.pptx
SafeDocsDemo.xlsx

Safe Links in Microsoft Defender for Office 365
Article • 12/22/2022 • 21 minutes to read


Applies to

Microsoft Defender for Office 365 plan 1 and plan 2


Microsoft 365 Defender

Important

This article is intended for business customers who have Microsoft Defender for
Office 365. If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365
Personal, and you're looking for information about Safelinks in Outlook, see
Advanced Outlook.com security .

Safe Links is a feature in Defender for Office 365 that provides URL scanning and
rewriting of inbound email messages in mail flow, and time-of-click verification of URLs
and links in email messages and other locations. Safe Links scanning occurs in addition
to the regular anti-spam and anti-malware in inbound email messages in Exchange
Online Protection (EOP). Safe Links scanning can help protect your organization from
malicious links that are used in phishing and other attacks.

Watch this short video on how to protect against malicious links with Safe Links in
Microsoft Defender for Office 365.
https://www.microsoft.com/en-us/videoplayer/embed/RWGzjb?postJsllMsg=true

Note

Although there's no default Safe Links policy, the Built-in protection preset security
policy provides Safe Links protection in e-mail messages, Microsoft Teams, and files
in supported Office apps to all recipients who are licensed for Defender for Office
365 (users who aren't defined in the Standard or Strict preset security policies or in
custom Safe Links policies). For more information, see Preset security policies in
EOP and Microsoft Defender for Office 365. You can also create Safe Links policies
that apply to specific users, group, or domains. For instructions, see Set up Safe
Links policies in Microsoft Defender for Office 365.

Safe Links protection is available in the following locations:

- Email messages: Safe Links protection for links in email messages is controlled by
  Safe Links policies.

  For more information about Safe Links protection for email messages, see the Safe
  Links settings for email messages section later in this article.

  Note

  Safe Links does not work on mail-enabled public folders.

  Safe Links supports only HTTP(S) and FTP formats.

  Using another service to wrap links before Defender for Office 365 might
  invalidate the ability of Safe Links to process links, including wrapping,
  detonating, or otherwise validating the "maliciousness" of the link.

- Microsoft Teams: Safe Links protection for links in Teams conversations, group
  chats, or from channels is controlled by Safe Links policies.

  For more information about Safe Links protection in Teams, see the Safe Links
  settings for Microsoft Teams section later in this article.

  Note

  Currently, Safe Links protection for Microsoft Teams is not available in
  Microsoft 365 GCC High or Microsoft 365 DoD.

- Office apps: Safe Links protection for supported Office desktop, mobile, and web
  apps is controlled by Safe Links policies.

  For more information about Safe Links protection in Office apps, see the Safe Links
  settings for Office apps section later in this article.

This article includes detailed descriptions of the following types of Safe Links settings:

- Settings in Safe Links policies: These settings apply only to the users who are
  included in the specific policies, and the settings might be different between
  policies. These settings include:
  - Safe Links settings for email messages
  - Safe Links settings for Microsoft Teams
  - Safe Links settings for Office apps
  - "Do not rewrite the following URLs" lists in Safe Links policies

- Global Safe Links settings: These settings are configured globally, not in Safe Links
  policies. These settings include:
  - "Block the following URLs" list for Safe Links

Note

The Global settings menu and the Block the following URLs list for Safe Links
are in the process of being deprecated. Use block entries for URLs in the
Tenant Allow/Block List instead.

The following table describes scenarios for Safe Links in Microsoft 365 and Office 365
organizations that include Defender for Office 365 (note that lack of licensing is never
an issue in the examples).

Scenario: Jean is a member of the marketing department. Safe Links protection for
Office apps is turned on in a Safe Links policy that applies to members of the marketing
department. Jean opens a PowerPoint presentation in an email message, and then clicks
a URL in the presentation.
Result: Jean is protected by Safe Links. Jean is included in a Safe Links policy where
Safe Links protection for Office apps is turned on. For more information about the
requirements for Safe Links protection in Office apps, see the Safe Links settings for
Office apps section later in this article.

Scenario: Chris's Microsoft 365 E5 organization has no Safe Links policies configured.
Chris receives an email from an external sender that contains a URL to a malicious
website that he ultimately clicks.
Result: Chris is protected by Safe Links. The Built-in protection preset security policy
provides Safe Links protection to all recipients (users who aren't defined in the
Standard or Strict preset security policies or in custom Safe Links policies). For more
information, see Preset security policies in EOP and Microsoft Defender for Office 365.

Scenario: In Pat's organization, admins have created a Safe Links policy that applies to
Pat, but Safe Links protection for Office apps is turned off. Pat opens a Word document
and clicks a URL in the file.
Result: Pat is not protected by Safe Links. Although Pat is included in an active Safe
Links policy, Safe Links protection for Office apps is turned off in that policy, so the
protection can't be applied.

Scenario: Jamie and Julia both work for contoso.com. A long time ago, admins
configured Safe Links policies that apply to both Jamie and Julia. Jamie sends an email
to Julia, not knowing that the email contains a malicious URL.
Result: Julia is protected by Safe Links if the Safe Links policy that applies to her is
configured to apply to messages between internal recipients. For more information, see
the Safe Links settings for email messages section later in this article.

Recipient filters in Safe Links policies

You need to specify the recipient conditions and exceptions that determine who the
policy applies to. You can use these properties for conditions and exceptions:

- Users
- Groups
- Domains

You can only use a condition or exception once, but the condition or exception can
contain multiple values. Multiple values of the same condition or exception use OR logic
(for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND
logic (for example, <recipient1> and <member of group 1>).

Important

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The policy is applied only to those recipients that match all of the
specified recipient filters. For example, you configure a recipient filter condition in
the policy with the following values:

- Users: romain@contoso.com
- Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of the
Executives group. If he's not a member of the group, then the policy is not applied
to him.

Likewise, if you use the same recipient filter as an exception to the policy, the policy
is not applied to romain@contoso.com only if he's also a member of the Executives
group. If he's not a member of the group, then the policy still applies to him.

Safe Links settings for email messages

Safe Links scans incoming email for known malicious hyperlinks. Scanned URLs are
rewritten or wrapped using the Microsoft standard URL prefix:
https://nam01.safelinks.protection.outlook.com. After the link is rewritten, it's
analyzed for potentially malicious content.

After Safe Links rewrites a URL, the URL remains rewritten even if the message is
manually forwarded or replied to (both to internal and external recipients). Additional
links that are added to the forwarded or replied-to message are not rewritten.

In the case of automatic forwarding by Inbox rules or SMTP forwarding, the URL will not
be rewritten in the message that's intended for the final recipient unless one of the
following statements is true:

- The recipient is also protected by Safe Links.
- The URL was already rewritten in a previous communication.

As long as Safe Links protection is turned on, URLs are scanned prior to message
delivery, regardless of whether the URLs are rewritten or not. In supported versions of
Outlook (Outlook for Desktop version 16.0.12513 or later), unwrapped URLs are checked
by a client-side API call to Safe Links at the time of click.
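As an added illustration of the rewriting described above (constructed example code, not part of the article and not Microsoft's implementation): a small Python helper that produces wrapped links with the prefix the article gives and recovers the original destination from a wrapped one, which is what an analyst needs when reading message traces or click reports, where the wrapped form hides the real destination. The article states only the prefix; the `url` query parameter as the carrier of the percent-encoded original and the `reserved=0` parameter are assumptions based on how wrapped links appear in practice, and the sample URLs are constructed.

```python
"""Wrap and unwrap Safe Links-style URLs.

Constructed example (not code from the article or from Microsoft). The article
gives the rewrite prefix https://nam01.safelinks.protection.outlook.com; the
`url` query parameter carrying the percent-encoded original is an assumption
based on how wrapped links appear in practice.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

SAFELINKS_PREFIX = "https://nam01.safelinks.protection.outlook.com"
SAFELINKS_HOST_SUFFIX = ".safelinks.protection.outlook.com"


def is_wrapped(url: str) -> bool:
    """True if the URL already points at a Safe Links redirector host."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SAFELINKS_HOST_SUFFIX)


def wrap(url: str) -> str:
    """Rewrite a URL into the wrapped form.

    Already-wrapped URLs are returned unchanged, mirroring the article: a
    rewritten link stays rewritten when the message is forwarded or replied
    to, and is not wrapped a second time."""
    if is_wrapped(url):
        return url
    query = urlencode({"url": url, "reserved": "0"})
    return f"{SAFELINKS_PREFIX}/?{query}"


def unwrap(url: str) -> str:
    """Return the original destination of a wrapped URL.

    Unwraps repeatedly in case the same link was wrapped by more than one
    tenant region; a non-wrapped URL is returned as-is. Raises ValueError
    if a wrapper carries no url parameter or nesting is implausibly deep."""
    depth = 0
    while is_wrapped(url):
        params = parse_qs(urlsplit(url).query)
        if not params.get("url") or not params["url"][0]:
            raise ValueError("wrapped Safe Links URL without a url parameter")
        url = params["url"][0]          # parse_qs already percent-decodes
        depth += 1
        if depth > 5:                   # defensive bound against pathological nesting
            raise ValueError("too many nested Safe Links wrappers")
    return url


def destination_host(url: str) -> str:
    """Host the user would actually reach; handy for grouping click logs."""
    return (urlsplit(unwrap(url)).hostname or "").lower()


# Constructed samples: an original link, its wrapped form, and the same link
# wrapped again by a second (assumed) region's redirector.
SAMPLE_ORIGINAL = "https://www.contoso.com/a?b=1&c=2"
SAMPLE_WRAPPED = wrap(SAMPLE_ORIGINAL)
SAMPLE_NESTED = ("https://eur01.safelinks.protection.outlook.com/?"
                 + urlencode({"url": SAMPLE_WRAPPED}))

if __name__ == "__main__":
    print(SAMPLE_WRAPPED)
    print(unwrap(SAMPLE_NESTED))
```

Because `wrap` refuses to re-wrap an already-wrapped link, running it over a forwarded message's links gives the same result the article describes: existing rewritten links are left alone and only new links get the prefix.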

The settings in Safe Links policies that apply to email messages are described in the
following list:

- On: Safe Links checks a list of known, malicious links when users click links in
  email: Turn on or turn off Safe Links scanning in email messages. The
  recommended value is selected (on), and results in the following actions:
  - Safe Links scanning is turned on in Outlook (C2R) on Windows.
  - URLs are rewritten and users are routed through Safe Links protection when
    they click URLs in messages.
  - When clicked, URLs are checked against a list of known malicious URLs and the
    "Block the following URLs" list.
  - URLs that don't have a valid reputation are detonated asynchronously in the
    background.

  The following settings are available only if Safe Links scanning in email messages is
  turned on:

  - Apply Safe Links to email messages sent within the organization: Turn on or
    turn off Safe Links scanning on messages sent between internal senders and
    internal recipients within the same Exchange Online organization. The
    recommended value is selected (on).

  - Apply real-time URL scanning for suspicious links and links that point to files:
    Turns on real-time scanning of links, including links in email messages that
    point to downloadable content. The recommended value is selected (on).
    - Wait for URL scanning to complete before delivering the message:
      - Selected (on): Messages that contain URLs are held until scanning is
        finished. Messages are delivered only after the URLs are confirmed to be
        safe. This is the recommended value.
      - Not selected (off): If URL scanning can't complete, deliver the message
        anyway.

  - Do not rewrite URLs, do checks via SafeLinks API only: If this setting is selected
    (on), no URL wrapping takes place. In supported versions of Outlook (Outlook
    for Desktop version 16.0.12513 or later), Safe Links is called exclusively via APIs
    at the time of URL click.

For more information about the recommended values for Standard and Strict
policy settings for Safe Links policies, see Safe Links policy settings.

How Safe Links works in email messages

At a high level, here's how Safe Links protection works on URLs in email messages:

1. All email goes through EOP, where internet protocol (IP) and envelope filters,
   signature-based malware protection, and anti-spam and anti-malware filters are
   applied before the message is delivered to the recipient's mailbox.

2. The user opens the message in their mailbox and clicks on a URL in the message.

3. Safe Links immediately checks the URL before opening the website:

   - If the URL points to a website that has been determined to be malicious, a
     malicious website warning page (or a different warning page) opens.

   - If the URL points to a downloadable file, and the Apply real-time URL
     scanning for suspicious links and links that point to files setting is turned on
     in the policy that applies to the user, the downloadable file is checked.

   - If the URL is determined to be safe, the website opens.


Safe Links settings for Microsoft Teams

You turn on or turn off Safe Links protection for Microsoft Teams in Safe Links policies.
Specifically, you use the On: Safe Links checks a list of known, malicious links when
users click links in Microsoft Teams setting. The recommended value is on (selected).

Note

When you turn on or turn off Safe Links protection for Teams, it might take up to
24 hours for the change to take effect.

Currently, Safe Links protection for Microsoft Teams is not available in Microsoft
365 GCC High or Microsoft 365 DoD.

After you turn on Safe Links protection for Microsoft Teams, URLs in Teams are checked
against a list of known malicious links when the protected user clicks the link (time-of-
click protection). URLs are not rewritten. If a link is found to be malicious, users will have
the following experiences:

- If the link was clicked in a Teams conversation, group chat, or from channels, the
  warning page as shown in the screenshot below will appear in the default web
  browser.
- If the link was clicked from a pinned tab, the warning page will appear in the Teams
  interface within that tab. The option to open the link in a web browser is disabled
  for security reasons.
- Depending on how the Let users click through to the original URL setting in the
  policy is configured, the user will or will not be allowed to click through to the
  original URL (Continue anyway (not recommended) in the screenshot). We
  recommend that you don't select the Let users click through to the original URL
  setting so users can't click through to the original URL.

If the user who sent the link isn't protected by a Safe Links policy where Teams
protection is turned on, the user is free to click through to the original URL on their
computer or device.

Clicking the Go Back button on the warning page will return the user to their original
context or URL location. However, clicking on the original link again will cause Safe Links
to rescan the URL, so the warning page will reappear.

How Safe Links works in Teams

At a high level, here's how Safe Links protection works for URLs in Microsoft Teams:

1. A user starts the Teams app.

2. Microsoft 365 verifies that the user's organization includes Microsoft Defender for
Office 365, and that the user is included in an active Safe Links policy where
protection for Microsoft Teams is turned on.

3. URLs are validated at the time of click for the user in chats, group chats, channels,
and tabs.

Safe Links settings for Office apps

Safe Links protection for Office apps checks links in Office documents, not links in email
messages. But, it can check links in attached Office documents in email messages after
the document is opened.

You turn on or turn off Safe Links protection for Office apps in Safe Links policies.
Specifically, you use the On: Safe Links checks a list of known, malicious links when
users click links in Microsoft Office apps setting. The recommended value is on
(selected).

Safe Links protection for Office apps has the following client requirements:

- Microsoft 365 Apps or Microsoft 365 Business Premium.
  - Current versions of Word, Excel, and PowerPoint on Windows, Mac, or in a web
    browser.
  - Office apps on iOS or Android devices.
  - Visio on Windows.
  - OneNote in a web browser.
  - Outlook for Windows when opening saved EML or MSG files.

- Office apps are configured to use modern authentication. For more information,
  see How modern authentication works for Office 2013, Office 2016, and Office
  2019 client apps.

- Users are signed in using their work or school accounts. For more information, see
  Sign in to Office.

For more information about the recommended values for Standard and Strict policy
settings, see Global settings for Safe Links.

How Safe Links works in Office apps

At a high level, here's how Safe Links protection works for URLs in Office apps. The
supported Office apps are described in the previous section.

1. A user signs in using their work or school account in an organization that includes
   Microsoft 365 Apps or Microsoft 365 Business Premium.

2. The user opens an Office document in a supported Office app and clicks a link in it.

3. Safe Links immediately checks the URL before opening the target website:

   - If the URL is included in the list that skips Safe Links scanning (the Block the
     following URLs list), a blocked URL warning page opens.

   - If the URL points to a website that has been determined to be malicious, a
     malicious website warning page (or a different warning page) opens.

   - If the URL points to a downloadable file, and the Safe Links policy that applies
     to the user is configured to scan links to downloadable content (Apply real-time
     URL scanning for suspicious links and links that point to files), the
     downloadable file is checked.

   - If the URL is considered safe, the user is taken to the website.

   - If Safe Links scanning is unable to complete, Safe Links protection does not
     trigger. In Office desktop clients, the user will be warned before they proceed
     to the destination website.

Note

It may take several seconds at the beginning of each session to verify that Safe
Links for Office apps is available to the user.

Click protection settings in Safe Links policies

These settings apply to Safe Links in email, Teams, and Office apps:

- Track user clicks: Turn on or turn off storing Safe Links click data for URLs clicked.
  We recommend that you leave this setting selected (on).

  In Safe Links for Office apps, this setting applies to the desktop versions of Word,
  Excel, PowerPoint, and Visio.

  If you select this setting, the following settings are available:

  - Let users click through to the original URL: Controls whether users can click
    through the warning page to the original URL. The recommended value is not
    selected (off).

    In Safe Links for Office apps, this setting applies to the original URL in the
    desktop versions of Word, Excel, PowerPoint, and Visio.

  - Display the organization branding on notification and warning pages: This
    option shows your organization's branding on warning pages. Branding helps
    users identify legitimate warnings, because default Microsoft warning pages are
    often used by attackers. For more information about customized branding, see
    Customize the Microsoft 365 theme for your organization.

Priority of Safe Links policies

After you create multiple policies, you can specify the order that they're applied. No two
policies can have the same priority, and policy processing stops after the first policy is
applied. The Built-in protection policy is always applied last. The Safe Links policies
associated with the Standard and Strict preset security policies are always applied before
custom Safe Links policies.

For more information about the order of precedence and how multiple policies are
evaluated and applied, see Order of precedence for preset security policies and other
policies and Order and precedence of email protection.
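To make the recipient-filter rules from the Recipient filters section (OR within one filter type, AND across types, exceptions evaluated the same way, including the romain@contoso.com / Executives case) and the precedence rules just described concrete, here is an added Python simulation. It is constructed for this page and is not the service's code: the policy names, group names, and the `kind` labels used to order preset, custom and Built-in policies are assumptions made for the example, and an empty condition set is treated as matching nobody.

```python
"""Simulate which Safe Links policy applies to a recipient.

Constructed example, not the article's or Microsoft's code. It models the
rules the article states: within one filter type (Users/Groups/Domains)
values are ORed; different filter types are ANDed; exceptions use the same
logic; policies are evaluated in priority order and processing stops at the
first match; Standard/Strict preset policies come before custom ones and
Built-in protection is always last. Names and memberships are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Recipient:
    email: str
    groups: frozenset = frozenset()

    @property
    def domain(self) -> str:
        return self.email.rsplit("@", 1)[-1].lower()


@dataclass
class RecipientFilter:
    """One set of conditions (or exceptions). An empty tuple means 'not used'."""
    users: tuple = ()
    groups: tuple = ()
    domains: tuple = ()

    def matches(self, r: Recipient) -> bool:
        """AND across the filter types that are set, OR within each type."""
        checks = []
        if self.users:
            checks.append(r.email.lower() in {u.lower() for u in self.users})
        if self.groups:
            checks.append(bool(r.groups & set(self.groups)))
        if self.domains:
            checks.append(r.domain in {d.lower() for d in self.domains})
        return bool(checks) and all(checks)   # nothing configured -> matches nobody


@dataclass
class SafeLinksPolicy:
    name: str
    priority: int                         # lower number = evaluated earlier
    conditions: RecipientFilter = field(default_factory=RecipientFilter)
    exceptions: RecipientFilter = field(default_factory=RecipientFilter)
    kind: str = "custom"                  # assumed labels: "preset", "custom", "builtin"
    enabled: bool = True
    do_not_rewrite: tuple = ()            # this policy's "Do not rewrite" list

    def applies_to(self, r: Recipient) -> bool:
        if not self.enabled:
            return False
        if self.kind == "builtin":
            return True                   # Built-in protection covers everyone left over
        return self.conditions.matches(r) and not self.exceptions.matches(r)


# Standard/Strict presets first, then custom policies, Built-in protection last.
KIND_ORDER = {"preset": 0, "custom": 1, "builtin": 2}


def effective_policy(r: Recipient, policies):
    """First policy that matches in evaluation order, or None.

    Only that policy's settings (including its single Do not rewrite list)
    apply to the recipient; later policies are never consulted."""
    ordered = sorted(policies, key=lambda p: (KIND_ORDER[p.kind], p.priority))
    for p in ordered:
        if p.applies_to(r):
            return p
    return None
```

Running the article's example through it: a condition of Users = romain@contoso.com plus Groups = Executives matches Romain only while he is in that group, and the same filter used as an exception removes him from the policy only while he is in that group.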

"Block the following URLs" list for Safe Links

Note

The Block the following URLs list for Safe Links is in the process of being
deprecated. Use block entries for URLs in the Tenant Allow/Block List instead.
Messages containing the blocked URL are quarantined.

The Block the following URLs list defines the links that are always blocked by Safe Links
scanning in the following locations:

- Email messages.
- Documents in Office apps in Windows and Mac.
- Documents in Office for iOS and Android.

When a user in an active Safe Links policy clicks a blocked link in a supported app,
they're taken to the Blocked URL warning page.

You configure the list of URLs in the global settings for Safe Links. For instructions, see
Configure the "Block the following URLs" list.

Notes:

- For a truly universal list of URLs that are blocked everywhere, see Manage the
  Tenant Allow/Block List.
- Limits for the Block the following URLs list:
  - The maximum number of entries is 500.
  - The maximum length of an entry is 128 characters.
  - All of the entries can't exceed 10,000 characters.
- Don't include a forward slash (/) at the end of the URL. For example, use
  https://www.contoso.com, not https://www.contoso.com/.
- A domain-only URL (for example contoso.com or tailspintoys.com) will block any
  URL that contains the domain.
- You can block a subdomain without blocking the full domain. For example,
  toys.contoso.com* blocks any URL that contains the subdomain, but it doesn't
  block URLs that contain the full domain contoso.com.
- You can include up to three wildcards (*) per URL entry.

Entry syntax for the "Block the following URLs" list

Examples of the values that you can enter and their results are described in the
following table:

Value: contoso.com or *contoso.com*
Result: Blocks the domain, subdomains, and paths. For example,
https://www.contoso.com, https://sub.contoso.com, and https://contoso.com/abc
are blocked.

Value: https://contoso.com/a
Result: Blocks https://contoso.com/a but not additional subpaths like
https://contoso.com/a/b.

Value: https://contoso.com/a*
Result: Blocks https://contoso.com/a and additional subpaths like
https://contoso.com/a/b.

Value: https://toys.contoso.com*
Result: Blocks a subdomain (toys in this example) but allows clicks to other domain
URLs (like https://contoso.com or https://home.contoso.com).

"Do not rewrite the following URLs" lists in Safe
Links policies

Note

Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped
by Safe Links during mail flow but might still be blocked at time of click. Use allow
URL entries in the Tenant Allow/Block List to override the Safe Links URL verdict.

Each Safe Links policy contains a Do not rewrite the following URLs list that you can
use to specify URLs that are not rewritten by Safe Links scanning. In other words, the list
allows users who are included in the policy to access the specified URLs that would
otherwise be blocked by Safe Links. You can configure different lists in different Safe
Links policies. Policy processing stops after the first (likely, the highest priority) policy is
applied to the user. So, only one Do not rewrite the following URLs list is applied to a
user who is included in multiple active Safe Links policies.

To add entries to the list in new or existing Safe Links policies, see Create Safe Links
policies or Modify Safe Links policies.

Notes:

- The following clients don't recognize the Do not rewrite the following URLs lists in
  Safe Links policies. Users included in the policies can be blocked from accessing
  the URLs based on the results of Safe Links scanning in these clients:
  - Microsoft Teams
  - Office web apps

- For a truly universal list of URLs that are allowed everywhere, see Manage the
  Tenant Allow/Block List. However, note that URLs added there will not be excluded
  from Safe Links rewriting, as that must be done in a Safe Links policy.

- Consider adding commonly used internal URLs to the list to improve the user
  experience. For example, if you have on-premises services, such as Skype for
  Business or SharePoint, you can add those URLs to exclude them from scanning.

- If you already have Do not rewrite the following URLs entries in your Safe Links
  policies, be sure to review the lists and add wildcards as required. For example,
  your list has an entry like https://contoso.com/a and you later decide to include
  subpaths like https://contoso.com/a/b. Instead of adding a new entry, add a
  wildcard to the existing entry so it becomes https://contoso.com/a/*.

- You can include up to three wildcards (*) per URL entry. Wildcards explicitly
  include prefixes or subdomains. For example, the entry contoso.com is not the
  same as *.contoso.com/*, because *.contoso.com/* allows people to visit
  subdomains and paths in the specified domain.

- If a URL uses automatic redirection for HTTP to HTTPS (for example, 302
  redirection for http://www.contoso.com to https://www.contoso.com), and you try
  to enter both HTTP and HTTPS entries for the same URL to the list, you might
  notice that the second URL entry replaces the first URL entry. This behavior does
  not occur if the HTTP and HTTPS versions of the URL are completely separate.

- Do not specify http:// or https:// (that is, use contoso.com) in order to exclude both
  HTTP and HTTPS versions.

- *.contoso.com does not cover contoso.com, so you would need to exclude both to
  cover both the specified domain and any child domains.

- contoso.com/* covers only contoso.com, so there's no need to exclude both
  contoso.com and contoso.com/*; just contoso.com/* would suffice.

- To exclude all iterations of a domain, two exclusion entries are needed:
  contoso.com/* and *.contoso.com/*. These combine to exclude both HTTP and
  HTTPS, the main domain contoso.com and any child domains, with or without a
  trailing path (for example, both contoso.com and contoso.com/vdir1 are covered).

Entry syntax for the "Do not rewrite the following URLs" list

Examples of the values that you can enter and their results are described in the
following table:

Value: contoso.com
Result: Allows access to https://contoso.com but not subdomains or paths.

Value: *.contoso.com/*
Result: Allows access to a domain, subdomains, and paths (for example,
https://www.contoso.com, https://maps.contoso.com, or https://www.contoso.com/a).
This entry is inherently better than *contoso.com*, because it doesn't allow
potentially fraudulent sites, like https://www.falsecontoso.com or
https://www.false.contoso.completelyfalse.com.

Value: https://contoso.com/a
Result: Allows access to https://contoso.com/a, but not subpaths like
https://contoso.com/a/b.

Value: https://contoso.com/a/*
Result: Allows access to https://contoso.com/a and subpaths like
https://contoso.com/a/b.
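The following added Python example (not from the article or from Microsoft) turns the entry rules of both syntax tables, the "Block the following URLs" one and the "Do not rewrite the following URLs" one just shown, into an explicit matcher, and also checks the Block list limits listed earlier (500 entries, 128 characters each, 10,000 in total, no trailing slash, at most three wildcards). How the service tokenizes entries internally is not documented on the page, so the translation to regular expressions is an interpretation chosen to reproduce every row of both tables: a scheme-less entry matches both HTTP and HTTPS, a trailing `/*` also matches the bare path, and a scheme-less domain-only entry in the Block list matches any URL that contains the domain (the article's "contoso.com" equals "*contoso.com*" row). The list-kind labels and sample URLs are constructed for the example.

```python
"""Model the matching rules of the two Safe Links URL lists.

Constructed example, not code from the article or from Microsoft. The
regex translation is an interpretation that reproduces the article's tables;
the real service's tokenization is not documented on the page.
"""
import re

BLOCK, ALLOW = "block", "do_not_rewrite"      # assumed labels for the two lists

# Limits the article states for the "Block the following URLs" list.
MAX_ENTRIES, MAX_ENTRY_LEN, MAX_TOTAL_LEN, MAX_WILDCARDS = 500, 128, 10_000, 3


def entry_to_regex(entry: str, list_kind: str) -> re.Pattern:
    """Translate one list entry into an anchored, case-insensitive regex."""
    m = re.match(r"^(https?://)?(.*)$", entry.strip(), re.I)
    scheme, rest = m.group(1), m.group(2).rstrip("/")
    if rest.count("*") > MAX_WILDCARDS:
        raise ValueError(f"{entry!r}: more than {MAX_WILDCARDS} wildcards")
    if rest.endswith("/*"):
        # "https://contoso.com/a/*" covers /a itself as well as /a/b, and
        # "*.contoso.com/*" covers https://www.contoso.com with no path.
        body = re.escape(rest[:-2]).replace(r"\*", ".*") + r"(?:/.*)?"
    else:
        body = re.escape(rest).replace(r"\*", ".*")
    if scheme:
        prefix = re.escape(scheme.lower())      # explicit scheme: that scheme only
    else:
        prefix = r"https?://"                   # no scheme: HTTP and HTTPS
        if list_kind == BLOCK and "/" not in rest and "*" not in rest:
            # Domain-only Block entry: "blocks any URL that contains the domain"
            body = ".*" + body + ".*"
    return re.compile("^" + prefix + body + "$", re.I)


def matches(entry: str, url: str, list_kind: str) -> bool:
    """Does this list entry cover the clicked URL? Trailing slashes are ignored."""
    return entry_to_regex(entry, list_kind).fullmatch(url.strip().rstrip("/")) is not None


def first_match(entries, url: str, list_kind: str):
    """The entry that decides the verdict for this URL, or None."""
    for e in entries:
        if matches(e, url, list_kind):
            return e
    return None


def validate_block_list(entries) -> list:
    """Report violations of the Block list limits the article gives."""
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"more than {MAX_ENTRIES} entries")
    if sum(len(e) for e in entries) > MAX_TOTAL_LEN:
        problems.append(f"entries total more than {MAX_TOTAL_LEN} characters")
    for e in entries:
        if len(e) > MAX_ENTRY_LEN:
            problems.append(f"{e!r}: longer than {MAX_ENTRY_LEN} characters")
        if e.endswith("/"):
            problems.append(f"{e!r}: drop the trailing slash")
        if e.count("*") > MAX_WILDCARDS:
            problems.append(f"{e!r}: more than {MAX_WILDCARDS} wildcards")
    return problems


if __name__ == "__main__":
    # Constructed check of one row from each table.
    print(matches("https://toys.contoso.com*", "https://home.contoso.com", BLOCK))   # False
    print(matches("*.contoso.com/*", "https://www.falsecontoso.com", ALLOW))         # False
```

Note the asymmetry the two tables imply and the code preserves: `contoso.com` in the Block list covers subdomains and paths, while the same entry in a Do not rewrite list covers only https://contoso.com itself, so copying entries from one list to the other without adding wildcards changes their reach.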

Warning pages from Safe Links

This section contains examples of the various warning pages that are triggered by Safe
Links protection when you click a URL.

Note that several warning pages have been updated. If you're not already seeing the
updated pages, you will soon. The updated pages include a new color scheme, more
detail, and the ability to proceed to a site despite the given warning and
recommendations.

Scan in progress notification

The clicked URL is being scanned by Safe Links. You might need to wait a few moments
before trying the link again.

The original notification page looked like this:

Suspicious message warning

The clicked URL was in an email message that's similar to other suspicious messages. We
recommend that you double-check the email message before proceeding to the site.

Phishing attempt warning

The clicked URL was in an email message that has been identified as a phishing attack.
As a result, all URLs in the email message are blocked. We recommend that you do not
proceed to the site.

Malicious website warning

The clicked URL points to a site that has been identified as malicious. We recommend
that you do not proceed to the site.

The original warning page looked like this:

Blocked URL warning

The clicked URL has been manually blocked by an admin in your organization (the Block
the following URLs list in the global settings for Safe Links). The link was not scanned by
Safe Links because it was manually blocked.

There are several reasons why an admin would manually block specific URLs. If you think
the site should not be blocked, contact your admin.

The original warning page looked like this:

Error warning

Some kind of error has occurred, and the URL can't be opened.

The original warning page looked like this:

Set up Safe Links policies in Microsoft Defender for Office 365
Article • 12/14/2022 • 23 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender

Important

This article is intended for business customers who have Microsoft Defender for
Office 365. If you are a home user looking for information about Safelinks in
Outlook, see Advanced Outlook.com security.

Safe Links in Microsoft Defender for Office 365 provides URL scanning of inbound email
messages in mail flow, and time of click verification of URLs and links in email messages
and in other locations. For more information, see Safe Links in Microsoft Defender for
Office 365.

Although there's no default Safe Links policy, the Built-in protection preset security
policy provides Safe Links protection to all recipients (users who aren't defined in the
Standard or Strict preset security policies or in custom Safe Links policies). For more
information, see Preset security policies in EOP and Microsoft Defender for Office 365.

You can also use the procedures in this article to create Safe Links policies that apply to
specific users, groups, or domains.

Note

You configure the "Block the following URLs" list in the global settings for Safe
Links protection outside of Safe Links policies. For instructions, see Configure
global settings for Safe Links in Microsoft Defender for Office 365.

Admins should consider the different configuration settings for Safe Links. One of
the available options is to include user identifiable information in Safe Links. This
feature enables security operations (SecOps) teams to investigate potential user
compromise, take corrective action, and limit costly breaches.

You can configure Safe Links policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with
mailboxes in Exchange Online; standalone EOP PowerShell for organizations without
Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on
subscriptions).

The basic elements of a Safe Links policy are:

- The safe links policy: Turn on Safe Links protection, turn on real-time URL
  scanning, specify whether to wait for real-time scanning to complete before
  delivering the message, turn on scanning for internal messages, specify whether to
  track user clicks on URLs, and specify whether to allow users to click through to the
  original URL.
- The safe links rule: Specifies the priority and recipient filters (who the policy
  applies to).

The difference between these two elements isn't obvious when you manage Safe Links
policies in the Microsoft 365 Defender portal:

- When you create a Safe Links policy, you're actually creating a safe links rule and
  the associated safe links policy at the same time using the same name for both.
- When you modify a Safe Links policy, settings related to the name, priority,
  enabled or disabled, and recipient filters modify the safe links rule. All other
  settings modify the associated safe links policy.
- When you remove a Safe Links policy, the safe links rule and the associated safe
  links policy are removed.

In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy
and the rule separately. For more information, see the Use Exchange Online PowerShell
or standalone EOP PowerShell to configure Safe Links policies section later in this article.

What do you need to know before you begin?

- You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
  go directly to the Safe Links page, use https://security.microsoft.com/safelinksv2.
- To connect to Exchange Online PowerShell, see Connect to Exchange Online
  PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
  Online Protection PowerShell.

- You need to be assigned permissions before you can do the procedures in this
  article:
  - To create, modify, and delete Safe Links policies, you need to be a member of
    the Organization Management or Security Administrator role groups in the
    Microsoft 365 Defender portal and a member of the Organization
    Management role group in Exchange Online.
  - For read-only access to Safe Links policies, you need to be a member of the
    Global Reader or Security Reader role groups.

  For more information, see Permissions in the Microsoft 365 Defender portal and
  Permissions in Exchange Online.

  Note

  - Adding users to the corresponding Azure Active Directory role in the
    Microsoft 365 admin center gives users the required permissions in the
    Microsoft 365 Defender portal and permissions for other features in
    Microsoft 365. For more information, see About admin roles.
  - The View-Only Organization Management role group in Exchange Online also
    gives read-only access to the feature.

- For our recommended settings for Safe Links policies, see Safe Links policy
  settings.

- Allow up to 6 hours for a new or updated policy to be applied.

- New features are continually being added to Microsoft Defender for Office 365. As
  new features are added, you may need to make adjustments to your existing Safe
  Links policies.

Use the Microsoft 365 Defender portal to


create Safe Links policies
Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates the
safe links rule and the associated safe links policy at the same time using the same name
for both.
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Links in the
Policies section. To go directly to the Safe Links page, use
https://security.microsoft.com/safelinksv2 .

2. On the Safe Links page, click Create.

3. The New Safe Links policy wizard opens. On the Name your policy page,
configure the following settings:

Name: Enter a unique, descriptive name for the policy.


Description: Enter an optional description for the policy.

When you're finished, click Next.

4. On the Users and domains page that appears, identify the internal recipients that
the policy applies to (recipient conditions):

Users: The specified mailboxes, mail users, or mail contacts.


Groups:
Members of the specified distribution groups (including non-mail-enabled
security groups within distribution groups) or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your
organization.

Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.

For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.

Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).

Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.
Important

Multiple different types of conditions or exceptions are not additive; they're
inclusive. The policy is applied only to those recipients that match all of the
specified recipient filters. For example, you configure a recipient filter
condition in the policy with the following values:

Users: romain@contoso.com
Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy is not
applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.

When you're finished, click Next.

5. On the URL & click protection settings page that appears, configure the following
settings:

Action on potentially malicious URLs within Emails (Email & Time of Click)
section:
On: Safe Links checks a list of known, malicious links when users click
links in email: Select this option to turn on Safe Links protection for links
in email messages. If you select this option, the following settings are
available:

Apply Safe Links to email messages sent within the organization
(Email – Intraorg & Time of Click): Select this option to apply the Safe
Links policy to messages between internal senders and internal
recipients. Turning this on will enable link wrapping for all intraorg
messages.

Apply real-time URL scanning for suspicious links and links that point
to files (Email): Select this option to turn on real-time scanning of links
in email messages from external senders. If you select this option, the
following setting is available:
Wait for URL scanning to complete before delivering the message
(Email): Select this option to wait for real-time URL scanning to
complete before delivering the message from external senders. The
recommended setting is On.

Do not rewrite URLs, do checks via SafeLinks API only (Time of Click):
Select this option to prevent URL wrapping and skip reputation check
during mail flow. Safe Links is called exclusively via APIs at the time of
URL click by Outlook clients that support it.

Do not rewrite the following URLs in email section: Click Manage (nn)
URLs to allow access to specific URLs that would otherwise be blocked
by Safe Links.

Note

Entries in the "Do not rewrite the following URLs" list are not
scanned or wrapped by Safe Links during mail flow. Use URL allow
entries in the Tenant Allow/Block List to override the Safe Links
URL verdict.

a. In the Manage URLs to not rewrite flyout that appears, click Add URLs.

b. In the Add URLs flyout that appears, type the URL or value that you want,
select the entry that appears below the box, and then click Save. Repeat
this step as many times as necessary.

For entry syntax, see Entry syntax for the "Do not rewrite the following
URLs" list.

To remove an entry, click remove next to the entry.

When you're finished, click Save.

c. Back on the Manage URLs to not rewrite flyout, click Done or do
maintenance on the list of entries:

To remove entries from the list, you can use the Search box to find the
entry.

To select a single entry, click on the value in the URLs column.

To select multiple entries one at a time, click the blank area to the left of
the value.
To select all entries at once, click the blank area to the left of the URLs
column header.

With one or more entries selected, click one of the icons that appear.

When you're finished, click Done.

Actions for potentially malicious URLs in Microsoft Teams (Time of Click)
section:
On: Safe Links checks a list of known, malicious links when users click
links in Microsoft Teams: Select this option to enable Safe Links protection
for links in Teams. Note that this setting might take up to 24 hours to take
effect.

Note

Currently, Safe Links protection for Microsoft Teams is not available in
Microsoft 365 GCC High or Microsoft 365 DoD.

Actions for potentially malicious URLs in Microsoft Office apps (Time of
Click) section:
On: Safe Links checks a list of known, malicious links when users click
links in Microsoft Office apps: Select this option to enable Safe Links
protection for links in files in supported Office desktop, mobile, and web
apps.

Click protection settings section:

Track user clicks: Leave this option selected to enable tracking of user
clicks on URLs. If you select this option, the following options are available:
Let users click through to the original URL: Clear this option to block
users from clicking through to the original URL in warning pages.
Display the organization branding on notification and warning pages:
For more information about customized branding, see Customize the
Microsoft 365 theme for your organization.

For detailed information about these settings, see:

Safe Links settings for email messages.
Safe Links settings for Microsoft Teams.
Safe Links settings for Office apps.
Click protection settings in Safe Links policies.

For the recommended values for Standard and Strict policy settings, see Safe
Links policy settings.

When you're finished, click Next.

6. On the Notification page that appears, select one of the following values for How
would you like to notify your users?:

Use the default notification text
Use custom notification text: If you select this value, the following settings
appear:
Use Microsoft Translator for automatic localization
Custom notification text: Enter the custom notification text in this box (the
length can't exceed 200 characters).

When you're finished, click Next.

7. On the Review page that appears, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.

When you're finished, click Submit.

8. On the confirmation page that appears, click Done.

Use the Microsoft 365 Defender portal to view Safe Links policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Links in the
Policies section. To go directly to the Safe Links page, use
https://security.microsoft.com/safelinksv2.

2. On the Safe Links page, the following properties are displayed in the list of Safe
Links policies:

Name
Status
Priority

3. When you select a policy by clicking on the name, the policy settings are displayed
in a flyout.

Use the Microsoft 365 Defender portal to modify Safe Links policies

1. In the Microsoft 365 Defender portal, go to Policies & rules > Threat Policies >
Policies section > Safe Links.

2. On the Safe Links page, select a policy from the list by clicking on the name.

3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the
previous Use the Microsoft 365 Defender portal to create Safe Links policies
section in this article.

To enable or disable a policy or set the policy priority order, see the following sections.

Enable or disable Safe Links policies

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Links in the
Policies section. To go directly to the Safe Links page, use
https://security.microsoft.com/safelinksv2.

2. On the Safe Links page, select a policy from the list by clicking on the name.

3. At the top of the policy details flyout that appears, you'll see one of the following
values:

Policy off: To turn on the policy, click Turn on.
Policy on: To turn off the policy, click Turn off.

4. In the confirmation dialog that appears, click Turn on or Turn off.

5. Click Close in the policy details flyout.

Back on the main policy page, the Status value of the policy will be On or Off.

Set the priority of Safe Links policies

By default, Safe Links policies are given a priority that's based on the order they were created in
(newer policies are lower priority than older policies). A lower priority number indicates
a higher priority for the policy (0 is the highest), and policies are processed in priority
order (higher priority policies are processed before lower priority policies). No two
policies can have the same priority, and policy processing stops after the first policy is
applied.

To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.

Note:

In the Microsoft 365 Defender portal, you can only change the priority of the Safe
Links policy after you create it. In PowerShell, you can override the default priority
when you create the safe links rule (which can affect the priority of existing rules).
Safe Links policies are processed in the order that they're displayed (the first policy
has the Priority value 0). For more information about the order of precedence and
how multiple policies are evaluated and applied, see Order and precedence of
email protection.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Links in the
Policies section. To go directly to the Safe Links page, use
https://security.microsoft.com/safelinksv2.

2. On the Safe Links page, select a policy from the list by clicking on the name.

3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:

The policy with the Priority value 0 has only the Decrease priority option
available.
The policy with the lowest Priority value (for example, 3) has only the
Increase priority option available.
If you have three or more policies, the policies between the highest and
lowest priority values have both the Increase priority and Decrease priority
options available.

Click Increase priority or Decrease priority to change the Priority value.

4. When you're finished, click Close in the policy details flyout.

Use the Microsoft 365 Defender portal to remove Safe Links policies

1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Safe Links in the Policies section.

2. On the Safe Links page, select a policy from the list by clicking on the name. At the
top of the policy details flyout that appears, click More actions > Delete
policy.

3. In the confirmation dialog that appears, click Yes.

Use Exchange Online PowerShell or standalone EOP PowerShell to configure Safe Links policies

As previously described, a Safe Links policy consists of a safe links policy and a safe links
rule.

In PowerShell, the difference between safe links policies and safe links rules is apparent.
You manage safe links policies by using the *-SafeLinksPolicy cmdlets, and you manage
safe links rules by using the *-SafeLinksRule cmdlets.

In PowerShell, you create the safe links policy first, then you create the safe links
rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the safe links policy and the safe links
rule separately.
When you remove a safe links policy from PowerShell, the corresponding safe links
rule isn't automatically removed, and vice versa.

Use PowerShell to create Safe Links policies

Creating a Safe Links policy in PowerShell is a two-step process:

1. Create the safe links policy.
2. Create the safe links rule that specifies the safe links policy that the rule applies to.

Note

You can create a new safe links rule and assign an existing, unassociated safe
links policy to it. A safe links rule can't be associated with more than one safe
links policy.

You can configure the following settings on new safe links policies in
PowerShell that aren't available in the Microsoft 365 Defender portal until
after you create the policy:
Create the new policy as disabled (Enabled $false on the New-SafeLinksRule
cmdlet).
Set the priority of the policy during creation (Priority <Number> on the
New-SafeLinksRule cmdlet).

A new safe links policy that you create in PowerShell isn't visible in the
Microsoft 365 Defender portal until you assign the policy to a safe links rule.

Step 1: Use PowerShell to create a safe links policy

To create a safe links policy, use this syntax:

PowerShell

New-SafeLinksPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-EnableSafeLinksForEmail <$true | $false>] [-EnableSafeLinksForOffice <$true | $false>] [-EnableSafeLinksForTeams <$true | $false>] [-ScanUrls <$true | $false>] [-DeliverMessageAfterScan <$true | $false>] [-EnableForInternalSenders <$true | $false>] [-AllowClickThrough <$true | $false>] [-TrackUserClicks <$true | $false>] [-DoNotRewriteUrls "Entry1","Entry2",..."EntryN"]

Note

For details about the entry syntax to use for the DoNotRewriteUrls parameter,
see Entry syntax for the "Do not rewrite the following URLs" list.

For additional syntax that you can use for the DoNotRewriteUrls parameter
when you modify existing safe links policies by using the Set-SafeLinksPolicy
cmdlet, see the Use PowerShell to modify safe links policies section later in
this article.

This example creates a safe links policy named Contoso All with the following values:

Turn on URL scanning and URL rewriting in email messages.
Turn on URL scanning and rewriting for internal messages.
Turn on real-time scanning of clicked URLs, including clicked links that point to
files.
Wait for URL scanning to complete before delivering the message.
Turn on URL scanning in Teams.
Turn on URL scanning in supported Office apps.
Track user clicks related to Safe Links protection (we aren't using the
TrackUserClicks parameter, and the default value is $true).
Do not allow users to click through to the original URL.

PowerShell

New-SafeLinksPolicy -Name "Contoso All" -EnableSafeLinksForEmail $true -EnableSafeLinksForOffice $true -EnableSafeLinksForTeams $true -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true -AllowClickThrough $false

For detailed syntax and parameter information, see New-SafeLinksPolicy.

Step 2: Use PowerShell to create a safe links rule

To create a safe links rule, use this syntax:

PowerShell

New-SafeLinksRule -Name "<RuleName>" -SafeLinksPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"] [-Enabled <$true | $false>]

This example creates a safe links rule named Contoso All with the following conditions:

The rule is associated with the safe links policy named Contoso All.
The rule applies to all recipients in the contoso.com domain.
Because we aren't using the Priority parameter, the default priority is used.
The rule is enabled (we aren't using the Enabled parameter, and the default value is
$true ).

PowerShell

New-SafeLinksRule -Name "Contoso All" -SafeLinksPolicy "Contoso All" -RecipientDomainIs contoso.com

This example creates a safe links rule that's similar to the previous example, but in this
example, the rule applies to recipients in all accepted domains in the organization.

PowerShell

New-SafeLinksRule -Name "Contoso All" -SafeLinksPolicy "Contoso All" -RecipientDomainIs (Get-AcceptedDomain).Name

This example creates a safe links rule that's similar to the previous examples, but in this
example, the rule applies to recipients in the domains specified in a .csv file.

PowerShell

$Data = Import-Csv -Path "C:\Data\SafeLinksDomains.csv"
$SLDomains = $Data.Domains
New-SafeLinksRule -Name "Contoso All" -SafeLinksPolicy "Contoso All" -RecipientDomainIs $SLDomains

For detailed syntax and parameter information, see New-SafeLinksRule.
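The rule examples above use a single condition. As an added example (not code from the original article or from Microsoft), the following script creates a rule that combines several condition and exception types, and then models the AND-between-conditions / OR-within-a-condition semantics described in step 4 of the portal procedure so that you can reason about who the rule covers before enabling it. All names, addresses and group names are constructed; an existing Exchange Online PowerShell session is assumed.

```powershell
# Added example, not from the original article. It creates a Safe Links rule
# whose recipient filters combine several condition types, then models the
# matching semantics from step 4 locally so you can reason about who the rule
# covers before enabling it. All names, addresses and group names are
# constructed. Assumes an existing Exchange Online PowerShell session.

$ruleParams = @{
    Name                   = 'Contoso Executives'   # constructed
    SafeLinksPolicy        = 'Contoso Executives'   # created earlier with New-SafeLinksPolicy
    # Values inside one condition are ORed: either mailbox matches.
    SentTo                 = 'romain@contoso.com', 'julia@contoso.com'
    # A second condition type is ANDed with the first: the recipient must also be a member.
    SentToMemberOf         = 'Executives'
    # Exceptions follow the same rule: an exception applies only when the
    # recipient matches ALL of the exception filters that are set.
    ExceptIfSentTo         = 'romain@contoso.com'
    ExceptIfSentToMemberOf = 'Contractors'
    Enabled                = $false   # create disabled; review, then Enable-SafeLinksRule
    Priority               = 0        # evaluated before every other custom Safe Links rule
}
New-SafeLinksRule @ruleParams

# Local model of the semantics the article describes (illustration only; the
# service evaluates the real rule). A $null condition means "not set"; group
# membership of the recipient is supplied by the caller.
function Test-RecipientFilter {
    param(
        [string]   $Recipient,
        [string[]] $Groups,
        [string[]] $SentTo,
        [string[]] $SentToMemberOf,
        [string[]] $RecipientDomainIs
    )
    $domain = ($Recipient -split '@')[-1]
    # Every configured condition must match (AND); within one condition any value matches (OR).
    $checks = @()
    if ($SentTo)            { $checks += ($SentTo -contains $Recipient) }
    if ($SentToMemberOf)    { $checks += [bool]($SentToMemberOf | Where-Object { $Groups -contains $_ }) }
    if ($RecipientDomainIs) { $checks += ($RecipientDomainIs -contains $domain) }
    if ($checks.Count -eq 0) { return $false }   # no filter of this kind is configured
    return -not ($checks -contains $false)
}

function Test-SafeLinksRuleApplies {
    param([string] $Recipient, [string[]] $Groups, [hashtable] $Rule)
    $condition = Test-RecipientFilter -Recipient $Recipient -Groups $Groups `
        -SentTo $Rule.SentTo -SentToMemberOf $Rule.SentToMemberOf `
        -RecipientDomainIs $Rule.RecipientDomainIs
    $exception = Test-RecipientFilter -Recipient $Recipient -Groups $Groups `
        -SentTo $Rule.ExceptIfSentTo -SentToMemberOf $Rule.ExceptIfSentToMemberOf `
        -RecipientDomainIs $Rule.ExceptIfRecipientDomainIs
    return ($condition -and -not $exception)
}

# romain is in Executives but not Contractors: the condition matches and the
# exception does not, so the rule applies to him.
Test-SafeLinksRuleApplies -Recipient 'romain@contoso.com' -Groups 'Executives' -Rule $ruleParams
# julia is listed under SentTo but is not in Executives: the ANDed group
# condition fails, so the rule does not apply to her.
Test-SafeLinksRuleApplies -Recipient 'julia@contoso.com' -Groups @() -Rule $ruleParams
# romain in both Executives and Contractors: both exception filters match, so he is excluded.
Test-SafeLinksRuleApplies -Recipient 'romain@contoso.com' -Groups 'Executives','Contractors' -Rule $ruleParams
```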

Use PowerShell to view safe links policies

To view existing safe links policies, use the following syntax:

PowerShell

Get-SafeLinksPolicy [-Identity "<PolicyIdentity>"] [| <Format-Table | Format-List> <Property1,Property2,...>]

This example returns a summary list of all safe links policies.

PowerShell

Get-SafeLinksPolicy | Format-Table Name

This example returns detailed information for the safe links policy named Contoso
Executives.

PowerShell

Get-SafeLinksPolicy -Identity "Contoso Executives"

For detailed syntax and parameter information, see Get-SafeLinksPolicy.

Use PowerShell to view safe links rules

To view existing safe links rules, use the following syntax:

PowerShell

Get-SafeLinksRule [-Identity "<RuleIdentity>"] [-State <Enabled | Disabled>] [| <Format-Table | Format-List> <Property1,Property2,...>]

This example returns a summary list of all safe links rules.

PowerShell

Get-SafeLinksRule | Format-Table Name,State

To filter the list by enabled or disabled rules, run the following commands:

PowerShell

Get-SafeLinksRule -State Disabled

PowerShell

Get-SafeLinksRule -State Enabled

This example returns detailed information for the safe links rule named Contoso
Executives.

PowerShell

Get-SafeLinksRule -Identity "Contoso Executives"

For detailed syntax and parameter information, see Get-SafeLinksRule.

Use PowerShell to modify safe links policies


You can't rename a safe links policy in PowerShell (the Set-SafeLinksPolicy cmdlet has
no Name parameter). When you rename a Safe Links policy in the Microsoft 365
Defender portal, you're only renaming the safe links rule.

The only additional consideration for modifying safe links policies in PowerShell is the
available syntax for the DoNotRewriteUrls parameter (the "Do not rewrite the following
URLs" list):

To add values that will replace any existing entries, use the following syntax:
"Entry1","Entry2",..."EntryN".

To add or remove values without affecting other existing entries, use the following
syntax: @{Add="Entry1","Entry2"...; Remove="Entry3","Entry4"...}

Otherwise, the same settings are available when you create a safe links policy as
described in the Step 1: Use PowerShell to create a safe links policy section earlier in this
article.
To modify a safe links policy, use this syntax:

PowerShell

Set-SafeLinksPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-SafeLinksPolicy.
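As an added example (not code from the original article or from Microsoft), the following function applies the Add/Remove hashtable form of DoNotRewriteUrls to an existing policy and then reads the list back to confirm that only the named entries changed. The policy name and the entries are constructed; it assumes an Exchange Online PowerShell session and that the DoNotRewriteUrls property on the object returned by Get-SafeLinksPolicy mirrors the parameter of the same name.

```powershell
# Added example (not from the original article): change the "Do not rewrite the
# following URLs" list of an existing policy without clobbering other entries,
# then read the list back to confirm the change. Policy name and entries are
# constructed. Assumes an Exchange Online PowerShell session; the DoNotRewriteUrls
# property on the Get-SafeLinksPolicy output is assumed to mirror the parameter.
function Update-SafeLinksDoNotRewrite {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [string[]] $Add    = @(),
        [string[]] $Remove = @()
    )
    $before = @((Get-SafeLinksPolicy -Identity $PolicyName).DoNotRewriteUrls)

    # Only the entries named here change; every other entry is left as it was
    # (the plain "Entry1","Entry2" form would replace the whole list).
    $change = @{}
    if ($Add)    { $change['Add']    = $Add }
    if ($Remove) { $change['Remove'] = $Remove }
    if ($change.Count -eq 0) { return $before }
    Set-SafeLinksPolicy -Identity $PolicyName -DoNotRewriteUrls $change

    # Verify: every added entry is present and every removed entry is gone.
    # Entries in this list are neither scanned nor wrapped by Safe Links during
    # mail flow, so each addition should be deliberate and reviewed.
    $after   = @((Get-SafeLinksPolicy -Identity $PolicyName).DoNotRewriteUrls)
    $missing = @($Add    | Where-Object { $after -notcontains $_ })
    $stale   = @($Remove | Where-Object { $after -contains $_ })
    if ($missing.Count -or $stale.Count) {
        throw ("DoNotRewriteUrls verification failed for '{0}'. Missing: {1}; still present: {2}" -f
               $PolicyName, ($missing -join ', '), ($stale -join ', '))
    }
    [pscustomobject]@{ Policy = $PolicyName; Before = $before; After = $after }
}

# Allow the intranet portal (constructed entry) and drop a stale entry, leaving the rest untouched.
Update-SafeLinksDoNotRewrite -PolicyName 'Contoso All' `
    -Add 'intranet.contoso.com' -Remove 'oldportal.contoso.com'
```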

Use PowerShell to modify safe links rules


The only setting that's not available when you modify a safe links rule in PowerShell is
the Enabled parameter that allows you to create a disabled rule. To enable or disable
existing safe links rules, see the next section.

Otherwise, the same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create a safe links rule section earlier in this article.

To modify a safe links rule, use this syntax:

PowerShell

Set-SafeLinksRule -Identity "<RuleName>" <Settings>

This example adds all accepted domains in the organization as a condition to the safe
links rule named Contoso All.

PowerShell

Set-SafeLinksRule -Identity "Contoso All" -RecipientDomainIs (Get-AcceptedDomain).Name

This example adds the domains from the specified .csv as a condition to the safe links
rule named Contoso All.

PowerShell

$Data = Import-Csv -Path "C:\Data\SafeLinksDomains.csv"

$SLDomains = $Data.Domains

Set-SafeLinksRule -Identity "Contoso All" -RecipientDomainIs $SLDomains

For detailed syntax and parameter information, see Set-SafeLinksRule.

Use PowerShell to enable or disable safe links rules


Enabling or disabling a safe links rule in PowerShell enables or disables the whole Safe
Links policy (the safe links rule and the assigned safe links policy).

To enable or disable a safe links rule in PowerShell, use this syntax:

PowerShell

<Enable-SafeLinksRule | Disable-SafeLinksRule> -Identity "<RuleName>"

This example disables the safe links rule named Marketing Department.

PowerShell

Disable-SafeLinksRule -Identity "Marketing Department"

This example enables the same rule.

PowerShell

Enable-SafeLinksRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Enable-SafeLinksRule and Disable-
SafeLinksRule.

Use PowerShell to set the priority of safe links rules


The highest priority value you can set on a rule is 0. The lowest value you can set
depends on the number of rules. For example, if you have five rules, you can use the
priority values 0 through 4. Changing the priority of an existing rule can have a
cascading effect on other rules. For example, if you have five custom rules (priorities 0
through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is
changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of a safe links rule in PowerShell, use the following syntax:

PowerShell

Set-SafeLinksRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. All existing
rules with a Priority value of 2 or greater have their priority decreased by 1 (their
Priority numbers are increased by 1).

PowerShell

Set-SafeLinksRule -Identity "Marketing Department" -Priority 2

Note

To set the priority of a new rule when you create it, use the Priority parameter on
the New-SafeLinksRule cmdlet instead.

For detailed syntax and parameter information, see Set-SafeLinksRule.

Use PowerShell to remove safe links policies


When you use PowerShell to remove a safe links policy, the corresponding safe links rule
isn't removed.

To remove a safe links policy in PowerShell, use this syntax:

PowerShell

Remove-SafeLinksPolicy -Identity "<PolicyName>"

This example removes the safe links policy named Marketing Department.

PowerShell

Remove-SafeLinksPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-SafeLinksPolicy.

Use PowerShell to remove safe links rules


When you use PowerShell to remove a safe links rule, the corresponding safe links policy
isn't removed.

To remove a safe links rule in PowerShell, use this syntax:

PowerShell

Remove-SafeLinksRule -Identity "<RuleName>"

This example removes the safe links rule named Marketing Department.

PowerShell

Remove-SafeLinksRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-SafeLinksRule.

To verify that Safe Links is scanning messages, check the available Microsoft Defender
for Office 365 reports. For more information, see View reports for Defender for Office
365 and Use Explorer in the Microsoft 365 Defender portal.

How do you know these procedures worked?

To verify that you've successfully created, modified, or removed Safe Links policies, do
any of the following steps:

On the Safe Links page in the Microsoft 365 Defender portal at
https://security.microsoft.com/safelinksv2, verify the list of policies, their Status
values, and their Priority values. To view more details, select the policy from the
list, and view the details in the flyout.

In Exchange Online PowerShell or Exchange Online Protection PowerShell, replace
<Name> with the name of the policy or rule, run the following command, and
verify the settings:

PowerShell

Get-SafeLinksPolicy -Identity "<Name>"

PowerShell

Get-SafeLinksRule -Identity "<Name>"
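The two commands above check one policy or rule at a time. As an added example (not code from the original article or from Microsoft), the following audit joins every safe links rule to its policy, lists them in processing order, and flags the states this article warns about: a policy that no rule references (it exists in PowerShell but is not shown in the portal) and a rule whose policy has been removed. It assumes an Exchange Online PowerShell session and that the rule object exposes the assigned policy name in a SafeLinksPolicy property; the output property names are constructed.

```powershell
# Added example (not from the original article): audit every Safe Links policy
# and rule in the tenant, in processing order, and flag policies with no rule
# (invisible in the portal) and rules whose policy no longer exists. Assumes an
# Exchange Online PowerShell session and that rule objects carry the assigned
# policy name in a SafeLinksPolicy property. Output property names are constructed.
function Get-SafeLinksAudit {
    $policies = @(Get-SafeLinksPolicy)
    $rules    = @(Get-SafeLinksRule)
    $byName   = @{}
    foreach ($p in $policies) { $byName[$p.Name] = $p }

    # Rules in the order the service evaluates them: Priority 0 first, and
    # processing stops at the first rule whose recipient filters match.
    $rows = foreach ($r in ($rules | Sort-Object Priority)) {
        $p = $null
        if ($r.SafeLinksPolicy) { $p = $byName[$r.SafeLinksPolicy] }
        [pscustomobject]@{
            Priority         = $r.Priority
            Rule             = $r.Name
            State            = $r.State
            Policy           = $r.SafeLinksPolicy
            PolicyExists     = [bool]$p
            EmailProtection  = $p.EnableSafeLinksForEmail     # $null when the policy is missing
            TeamsProtection  = $p.EnableSafeLinksForTeams
            OfficeProtection = $p.EnableSafeLinksForOffice
            ClickThrough     = $p.AllowClickThrough
            DoNotRewrite     = @($p.DoNotRewriteUrls | Where-Object { $_ }).Count
        }
    }

    $assigned       = @($rules | ForEach-Object { $_.SafeLinksPolicy })
    $orphanPolicies = @($policies | Where-Object { $assigned -notcontains $_.Name } |
                        Select-Object -ExpandProperty Name)
    $orphanRules    = @($rules | Where-Object {
                            -not ($_.SafeLinksPolicy -and $byName.ContainsKey($_.SafeLinksPolicy))
                        } | Select-Object -ExpandProperty Name)
    # No two rules may share a priority; anything listed here needs attention.
    $dupPriorities  = @($rules | Group-Object Priority | Where-Object Count -gt 1 |
                        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Rules               = @($rows)
        UnassignedPolicies  = $orphanPolicies   # exist in PowerShell only; not shown in the portal
        RulesWithoutPolicy  = $orphanRules
        DuplicatePriorities = $dupPriorities
    }
}

$audit = Get-SafeLinksAudit
$audit.Rules | Format-Table Priority, Rule, State, Policy, PolicyExists, EmailProtection, ClickThrough -AutoSize
if ($audit.UnassignedPolicies.Count) {
    Write-Warning "Policies not assigned to any rule: $($audit.UnassignedPolicies -join ', ')"
}
if ($audit.RulesWithoutPolicy.Count) {
    Write-Warning "Rules whose policy is missing: $($audit.RulesWithoutPolicy -join ', ')"
}
```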

Configure global settings for Safe Links in Microsoft Defender for Office 365
Article • 12/08/2022 • 5 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Important

The Global settings menu and the Block the following URLs list for Safe Links are
in the process of being deprecated. Use block entries for URLs in the Tenant
Allow/Block List instead.

This article is intended for business customers who have Microsoft Defender for
Office 365. If you are a home user looking for information about Safelinks in
Outlook, see Advanced Outlook.com security.

Safe Links is a feature in Microsoft Defender for Office 365 that provides URL scanning
of inbound email messages in mail flow, and time of click verification of URLs and links
in email messages and in other locations. For more information, see Safe Links in
Microsoft Defender for Office 365.

You configure most Safe Links settings in Safe Links policies, including Safe Links
settings for supported Office Apps. For instructions, see Set up Safe Links policies in
Microsoft Defender for Office 365.

But, Safe Links also uses the following global settings that you configure outside of the
Safe Links policies themselves:

The Block the following URLs list. This setting applies to all users who are included
in any active Safe Links policies. For more information, see "Block the following
URLs" list for Safe Links.

You can configure the global Safe Links settings in the Microsoft 365 Defender portal or
in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with
mailboxes in Exchange Online; standalone EOP PowerShell for organizations without
Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on
subscriptions).

What do you need to know before you begin?


Although there's no default Safe Links policy, the Built-in protection preset
security policy provides Safe Links protection to all recipients (users who aren't
defined in the Standard or Strict preset security policies or in custom Safe Links
policies). For more information, see Preset security policies in EOP and Microsoft
Defender for Office 365. You can also create Safe Links policies to apply to specific
users, groups, or domains. For instructions, see Set up Safe Links policies in
Microsoft Defender for Office 365.

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the Safe Links page, use
https://security.microsoft.com/safelinksv2.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To configure the global settings for Safe Links, you need to be a member of the
Organization Management or Security Administrator role groups.
For read-only access to the global settings for Safe Links, you need to be a
member of the Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.

For our recommended values for the global settings for Safe Links, see Safe Links
settings.

Allow up to 30 minutes for a new or updated policy to be applied.

New features are continually being added to Microsoft Defender for Office 365. As
new features are added, you may need to make adjustments to your existing Safe
Links policies.

Configure the "Block the following URLs" list in the Microsoft 365 Defender portal

Note

You can now manage block URL entries in the Tenant Allow/Block List. The "Block
the following URLs" list is in the process of being deprecated. We'll attempt to
migrate existing entries from the "Block the following URLs" list to block URL
entries in the Tenant Allow/Block List. Messages containing the blocked URL will be
quarantined.

The Block the following URLs list identifies the links that should always be blocked by
Safe Links scanning in supported apps. For more information, see "Block the following
URLs" list for Safe Links.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Safe Links in the
Policies section. To go directly to the Safe Links page, use
https://security.microsoft.com/safelinksv2.

2. On the Safe Links page, click Global settings. In the Safe Links policy for your
organization fly out that appears, go to the Block the following URLs box.

3. Configure one or more entries as described in Entry syntax for the "Block the
following URLs" list.

When you're finished, click Save.

Configure the "Block the following URLs" list in PowerShell

For details about the entry syntax, see Entry syntax for the "Block the following URLs"
list.

You can use the Get-AtpPolicyForO365 cmdlet to view existing entries in the BlockURLs
property.

To add values that will replace any existing entries, use the following syntax in
Exchange Online PowerShell or Exchange Online Protection PowerShell:

PowerShell

Set-AtpPolicyForO365 -BlockUrls "Entry1","Entry2",..."EntryN"

This example adds the following entries to the list:

Block the domain, subdomains, and paths for fabrikam.com.
Block the subdomain research, but not the parent domain or other subdomains
in tailspintoys.com.

PowerShell

Set-AtpPolicyForO365 -BlockUrls "fabrikam.com","https://research.tailspintoys.com*"

To add or remove values without affecting other existing entries, use the following
syntax:

PowerShell

Set-AtpPolicyForO365 -BlockUrls @{Add="Entry1","Entry2"...; Remove="Entry3","Entry4"...}

This example adds a new entry for adatum.com, and removes the entry for
fabrikam.com.

PowerShell

Set-AtpPolicyForO365 -BlockUrls @{Add="adatum.com"; Remove="fabrikam.com"}

How do you know these procedures worked?

To verify that you've successfully configured the global settings for Safe Links (the Block
the following URLs list and the Office 365 app protection settings), do any of the
following steps:

On the Safe Links page in the Microsoft 365 Defender portal at
https://security.microsoft.com/safelinksv2, click Global settings, and verify the
settings in the flyout that appears.

In Exchange Online PowerShell or Exchange Online Protection PowerShell, run the
following command and verify the settings:

PowerShell

Get-AtpPolicyForO365 | Format-List BlockUrls

For detailed syntax and parameter information, see Get-AtpPolicyForO365.


Zero-hour auto purge (ZAP) in Exchange Online
Article • 12/22/2022 • 6 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Zero-hour auto purge (ZAP) basics


In Microsoft 365 organizations with mailboxes in Exchange Online, zero-hour auto
purge (ZAP) is an email protection feature that retroactively detects and neutralizes
malicious phishing, spam, or malware messages that have already been delivered to
Exchange Online mailboxes.

ZAP doesn't work in standalone Exchange Online Protection (EOP) environments that
protect on-premises Exchange mailboxes.

How ZAP works


The service's spam and malware signatures are updated in real time, on a daily basis.
However, users can still receive malicious messages for a variety of reasons, including if
content is weaponized after being delivered to users. ZAP addresses this issue by
continually monitoring updates to the spam and malware signatures in the service. ZAP
can find and remove messages that are already in a user's mailbox.

The ZAP action is seamless for the user; they aren't notified if a message is detected and
moved.

Safe sender lists, mail flow rules (also known as transport rules), Inbox rules, or
additional filters take precedence over ZAP. Similar to what happens in mail flow, this
means that even if the service determines the delivered message needs ZAP, the
message is not acted on because of the safe senders configuration. This is another
reason to be careful about configuring messages to bypass filtering.

Watch this short video to learn how ZAP in Microsoft Defender for Office 365
automatically detects and neutralizes threats in email.
https://www.microsoft.com/en-us/videoplayer/embed/RWGrLg?postJsllMsg=true

Zero-hour auto purge (ZAP) for malware


For read or unread messages that are found to contain malware after delivery, ZAP
quarantines the message that contains the malware attachment. By default, only admins
can view and manage quarantined malware messages. But, admins can create and use
quarantine policies to define what users are allowed to do to messages that were
quarantined as malware. For more information, see Quarantine policies.

ZAP for malware is enabled by default in anti-malware policies. For more information,
see Configure anti-malware policies in EOP.

Zero-hour auto purge (ZAP) for phishing


For read or unread messages that are identified as phishing after delivery, the ZAP
outcome depends on the action that's configured for a Phishing email filtering verdict
in the applicable anti-spam policy. The available filtering verdict actions for phishing and
their possible ZAP outcomes are described in the following list:

Add X-Header, Prepend subject line with text, Redirect message to email
address, Delete message: ZAP takes no action on the message.

Move message to Junk Email: ZAP moves the message to the Junk Email folder.
For more information, see Configure junk email settings on Exchange Online
mailboxes in Microsoft 365.

Quarantine message: ZAP quarantines the message.

By default, ZAP for phishing is enabled in anti-spam policies, and the default action for
the Phishing email filtering verdict is Quarantine message, which means ZAP for
phishing quarantines the message by default.

For more information about configuring spam filtering verdicts, see Configure anti-spam
policies in Microsoft 365.

Zero-hour auto purge (ZAP) for high confidence phishing


For read or unread messages that are identified as high confidence phishing after
delivery, ZAP quarantines the message. By default, only admins can view and manage
quarantined high confidence phish messages. But, admins can create and use
quarantine policies to define what users are allowed to do to messages that were
quarantined as high confidence phishing. For more information, see Quarantine policies

ZAP for high confidence phish is enabled by default. For more information, see Secure
by Default in Office 365.

Zero-hour auto purge (ZAP) for spam


For unread messages that are identified as spam after delivery, the ZAP outcome
depends on the action that's configured for the Spam filtering verdict in the applicable
anti-spam policy. The available filtering verdict actions for spam and their possible ZAP
outcomes are described in the following list:

Add X-Header, Prepend subject line with text, Redirect message to email
address, Delete message: ZAP takes no action on the message.

Move message to Junk Email: ZAP moves the message to the Junk Email folder.
For more information, see Configure junk email settings on Exchange Online
mailboxes in Microsoft 365.

Quarantine message: ZAP quarantines the message. By default, end-users can


view and manage spam quarantined messages where they're a recipient. But,
admins can create and use quarantine policies to define what users are allowed to
do to messages that were quarantined as spam. For more information, see
Quarantine policies

By default, spam ZAP is enabled in anti-spam policies, and the default action for the
Spam filtering verdict is Move message to Junk Email folder, which means spam ZAP
moves unread messages to the Junk Email folder by default.

For more information about configuring spam filtering verdicts, see Configure anti-spam
policies in Microsoft 365.

Zero-hour auto purge (ZAP) considerations for Microsoft Defender for Office 365

ZAP will not quarantine any message that's in the process of Dynamic Delivery in Safe
Attachments policy scanning. If a phishing or spam signal is received for messages in
this state, and the filtering verdict in the anti-spam policy is set to take some action on
the message (Move to Junk, Redirect, Delete, or Quarantine) then ZAP will default to a
'Move to Junk' action.

How to see if ZAP moved your message


To determine if ZAP moved your message, you have the following options:

Number of messages: Use the Mailflow view in the Mailflow status report to see
the number of ZAP-affected messages for the specified date range.
Message details: Use Threat Explorer (and real-time detections) to filter All email
events by the value ZAP for the Additional action column.

Note

ZAP is not logged in the Exchange mailbox audit logs as a system action.

Zero-hour auto purge (ZAP) FAQ

What happens if a legitimate message is moved to the Junk Email folder?

You should follow the normal reporting process for false positives. The only reason the
message would be moved from the Inbox to the Junk Email folder would be because the
service has determined that the message was spam or malicious.

What if I use the Quarantine folder instead of the Junk Mail folder?

ZAP will take action on a message based on the configuration of your anti-spam policies as
described earlier in this article.

What if I'm using safe senders, mail flow rules, or allowed/blocked sender lists?

Safe senders, mail flow rules, or block and allow organizational settings take
precedence. These messages are excluded from ZAP since the service is doing what you
configured it to do. This is another reason to be careful about configuring messages to
bypass filtering.

What are the licensing requirements for Zero-hour auto purge (ZAP) to work?

There are no limitations on licenses. ZAP works on all mailboxes hosted on Exchange
online. ZAP doesn't work in standalone Exchange Online Protection (EOP) environments
that protect on-premises Exchange mailboxes.

What if a message is moved to another folder (e.g. Inbox rules)?

Zero-hour auto purge still works as long as the message has not been deleted, or as
long as the same, or stronger, action has not already been applied. For example, if the
anti-phishing policy is set to quarantine and the message is already in the Junk Email
folder, then ZAP will take action to quarantine the message.

How does ZAP affect mailboxes on hold?


Zero-hour auto purge will quarantine messages from mailboxes on hold. ZAP can move
messages to the Junk Email folder based on the action that's configured for a spam or
phishing verdict in anti-spam policies.

For more information about holds in Exchange Online, see In-Place Hold and Litigation
Hold in Exchange Online.

Manage your allows and blocks in the Tenant Allow/Block List
Article • 01/18/2023 • 6 minutes to read


Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
you might disagree with the EOP filtering verdict. For example, a good message might
be marked as bad (a false positive), or a bad message might be allowed through (a false
negative).

The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to
manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is
used during mail flow for incoming messages from external senders. Note that it doesn't
apply to messages within the organization.

The Tenant Allow/Block list is available in the Microsoft 365 Defender portal at
https://security.microsoft.com > Policies & rules > Threat Policies > Tenant
Allow/Block Lists in the Rules section. To go directly to the Tenant Allow/Block Lists
page, use https://security.microsoft.com/tenantAllowBlockList.

For entry creation and configuration instructions, see the following topics:

Domains and email addresses and spoofed senders: Allow or block emails using
the Tenant Allow/Block List
Files: Allow or block files using the Tenant Allow/Block List
URLs: Allow or block URLs using the Tenant Allow/Block List.

These articles contain procedures in the Microsoft 365 Defender portal and in
PowerShell.

Note

To allow phishing URLs that are part of third-party attack simulation training, use
the advanced delivery configuration to specify the URLs. Don't use the Tenant
Allow/Block List.

Block entries in the Tenant Allow/Block List

Note

In the Tenant Allow/Block List, block entries take precedence over allow entries.

Use the Submissions portal (also known as admin submission) at
https://security.microsoft.com/reportsubmission to create block entries for the
following types of items as you report them as false negatives to Microsoft:

Domains and email addresses:
Email messages from these senders are marked as high confidence spam (SCL =
9). What happens to the messages is determined by the anti-spam policy that
detected the message for the recipient. In the default anti-spam policy and new
custom policies, messages that are marked as high confidence spam are
delivered to the Junk Email folder by default. In Standard and Strict preset
security policies, high confidence spam messages are quarantined.
Users in the organization can't send email to these blocked domains and
addresses. They'll receive the following non-delivery report (also known as an
NDR or bounce message): '550 5.7.703 Your message can't be delivered because
one or more recipients are blocked by your organization's tenant recipient block
policy'. The entire message is blocked for all recipients of the message, even if
only one recipient email address or domain is defined in a block entry.

Note

To block only spam from a specific sender, add the email address or domain
to the block list in anti-spam policies. To block all email from the sender, use
Domains and email addresses in the Tenant Allow/Block List.

Files: Email messages that contain these blocked files are marked as malware and
moved to quarantine.
URLs: Email messages that contain these blocked URLs are blocked as high
confidence phishing. Messages containing the blocked URLs are quarantined.

In the Tenant Allow/Block List, you can also directly create block entries for the following
types of items:

Domains and email addresses, Files, and URLs.

Spoofed senders: If you manually override an existing allow verdict from spoof
intelligence, the blocked spoofed sender becomes a manual block entry that
appears only on the Spoofed senders tab in the Tenant Allow/Block List.

By default, block entries for domains and email addresses, files and URLs expire after
30 days, but you can set them to expire up to 90 days or to never expire. Block entries for
spoofed senders never expire.

Allow entries in the Tenant Allow/Block List


In most cases, you can't directly create allow entries in the Tenant Allow/Block List:

Domains and email addresses, files, and URLs: You can't create allow entries
directly in the Tenant Allow/Block List. Instead you use the Submissions portal at
https://security.microsoft.com/reportsubmission to report the email, email
attachment, or URL to Microsoft as Should not have been blocked (False
positive).

Spoofed senders:
If spoof intelligence has already blocked the message as spoofing, use the
Submissions portal at https://security.microsoft.com/reportsubmission to
report the email to Microsoft as Should not have been blocked (False positive).
You can proactively create an allow entry for a spoofed sender on the Spoofed
sender tab in the Tenant Allow/Block List before spoof intelligence identifies
and blocks the message as spoofing.

The following list describes what happens in the Tenant Allow/Block List when you
report something to Microsoft as a false positive in the Submissions portal:

Email attachments and URLs: An allow entry is created and it appears on the Files
or URLs tab in the Tenant Allow/Block List.

Email: If a message was blocked by the Microsoft 365 filtering stack, an allow entry
might be created in the Tenant Allow/Block List:
If the message was blocked by spoof intelligence, an allow entry for the sender
is created, and it appears on the Spoofed senders tab in the Tenant Allow/Block
List.

If the message was blocked by domain or user impersonation protection in
Defender for Office 365, an allow entry is not created in the Tenant Allow/Block
List. Instead, the domain or sender is added to the Trusted senders and
domains section in the anti-phishing policy that detected the message.

If the message was blocked for other reasons, an allow entry for the sender is
created, and it appears on the Domains & addresses tab in the Tenant Allow/Block
List.

If the message was not blocked, and an allow entry for the sender is not
created, it won't show on the Spoofed senders tab or the Domains & addresses
tab.

By default, allow entries for domains and email addresses, files and URLs expire after 30
days, which is also the maximum. Allow entries for spoofed senders never expire.

Note

Microsoft does not allow you to create allow entries directly as it leads to creation
of allows that are not needed, thus exposing the customer's tenant to malicious
emails which might otherwise have been filtered by the system.

Microsoft manages the allow creation process from Submission by creating allows
for those entities (domains or email addresses, spoofed senders, URLs, files) which
were determined to be malicious by filters during mail flow. For example, if the
sender and a URL in the message were determined to be bad, an allow entry is
created for the sender, and an allow entry is created for the URL.

When that entity (domain or email address, URL, file) is encountered again, all
filters associated with that entity are skipped.

During mail flow, if messages from the domain or email address pass other checks
in the filtering stack, the messages will be delivered. For example, if email
authentication passes, a message from a sender in the allow entry will be delivered.

What to expect after you add an allow or block entry

After you add an allow entry through the Submissions portal or a block entry in the
Tenant Allow/Block List, the entry should start working immediately 99.999% of the time.
For the rest, it could take up to 24 hours.

We recommend letting entries automatically expire after 30 days to see if the system has
learned about the allow or block. If not, you should make another entry to give the
system another 30 days to learn.

With allow expiry management, if Microsoft has not learned from the allow entry,
Microsoft will automatically extend the expiry time of allow entries that will soon expire
by another 30 days. This extension helps to prevent legitimate email from going to junk
or quarantine again. If Microsoft does not learn within 90 calendar days from the date of
the original creation of the allow entry, Microsoft will remove the allow entry.

If Microsoft has learned from the allow entry, the entry will be removed, and you'll get
an alert informing you about it.

Allow or block email using the Tenant Allow/Block List
Article • 01/18/2023 • 19 minutes to read


Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This article describes how to create and manage allow and block entries for domains
and email addresses (including spoofed senders) that are available in the Tenant
Allow/Block List. For more information about the Tenant Allow/Block List, see Manage
your allows and blocks in the Tenant Allow/Block List.

You manage allow and block entries for email in the Microsoft 365 Defender Portal or in
Exchange Online PowerShell.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

For domains and email addresses, the maximum number of allow entries is 500,
and the maximum number of block entries is 500 (1000 domain and email address
entries total).

For spoofed senders, the maximum number of entries is 1024.

Entries for spoofed senders never expire.

For details about the syntax for spoofed sender entries, see the Domain pair syntax
for spoofed sender entries section later in this article.

An entry should be active within 30 minutes, but it might take up to 24 hours for
the entry to be active.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add and remove values from the Tenant Allow/Block List, you need to be a
member of one of the following role groups:
Organization Management or Security Administrator role group (Security
admin role)
Security Operator role group (Tenant AllowBlockList Manager).
For read-only access to the Tenant Allow/Block List, you need to be a member
of one of the following role groups:
Global Reader role group
Security Reader role group
View-Only configuration role group

For more information, see Permissions in Exchange Online.

Note

Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions and
permissions for other features in Microsoft 365. For more information, see
About admin roles.
The View-Only Organization Management role group in Exchange Online
also gives read-only access to the feature.

Domains and email addresses in the Tenant Allow/Block List

Create block entries for domains and email addresses


You have the following options to create block entries for domains and email addresses:

The Submissions page in the Microsoft 365 Defender portal
The Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell

To create block entries for spoofed senders, see the Use the Microsoft 365 Defender
portal to view allow or block entries for spoofed senders in the Tenant Allow/Block List
section later in this article.

Use the Microsoft 365 Defender portal to create block entries for
domains and email addresses in the Submissions portal

When you use the Submissions portal at
https://security.microsoft.com/reportsubmission to report email messages as Should
have been blocked (False negative), you can select Block all emails from this recipient
to add a block entry for the sender on the Domains & addresses tab in the Tenant
Allow/Block List.

For instructions, see Report questionable email to Microsoft.

Use the Microsoft 365 Defender portal to create block entries for
domains and email addresses in the Tenant Allow/Block List

You can create block entries for domains and email addresses directly in the Tenant
Allow/Block List.

Email messages from these senders are marked as high confidence spam (SCL = 9). What
happens to the messages is determined by the anti-spam policy that detected the
message for the recipient. In the default anti-spam policy and new custom policies,
messages that are marked as high confidence spam are delivered to the Junk Email
folder by default. In Standard and Strict preset security policies, high confidence spam
messages are quarantined.

Note

Users in the organization can't send email to these blocked domains and addresses.
They'll receive the following non-delivery report (also known as an NDR or bounce
message): 550 5.7.703 Your message can't be delivered because one or more
recipients are blocked by your organization's tenant recipient block policy.
The entire message is blocked for all recipients of the message, even if only one
recipient email address or domain is defined in a block entry.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList.

2. On the Tenant Allow/Block List page, verify that the Domains & addresses tab is
selected.

3. On the Domains & addresses tab, click Block.

4. In the Block domains & addresses flyout that appears, configure the following
settings:

Domains & addresses: Enter one email address or domain per line, up to a
maximum of 20.

Remove block entry after: The default value is 30 days, but you can select
from the following values:
1 day
7 days
30 days
Never expire
Specific date: The maximum value is 90 days from today.

Optional note: Enter descriptive text for the entries.

5. When you're finished, click Add.

Use PowerShell to create block entries for domains and email
addresses in the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

PowerShell

New-TenantAllowBlockListItems -ListType Sender -Block -Entries "DomainOrEmailAddress1","DomainOrEmailAddress2",..."DomainOrEmailAddressN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]

This example adds block entries for the specified email addresses that expire on a specific
date.

PowerShell

New-TenantAllowBlockListItems -ListType Sender -Block -Entries "test@badattackerdomain.com","test2@anotherattackerdomain.com" -ExpirationDate 8/20/2022

For detailed syntax and parameter information, see New-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to create allow entries for domains and email
addresses in the Submissions portal

You can't create allow entries for domains and email addresses directly in the Tenant
Allow/Block List. Instead, you use the Submissions portal at
https://security.microsoft.com/reportsubmission to report the message as a false
positive, which also adds an allow entry for the sender on the Domains & addresses tab
in the Tenant Allow/Block List.

For instructions, see Report good email to Microsoft.

Note

Microsoft does not allow you to create allow entries directly as it leads to creation
of allows that are not needed, thus exposing your organization to malicious email
which might otherwise have been filtered by the system.

Microsoft manages the allow creation process from Submission by creating allows
for those entities (domains or email addresses, spoofed senders, URLs, files) which
were determined to be malicious by filters during mail flow. For example, if the
sender and a URL in the message were determined to be bad, an allow entry is
created for the sender, and an allow entry is created for the URL.

When that entity (domain or email address, URL, file) is encountered again, all
filters associated with that entity are skipped.

During mail flow, if messages from the domain or email address pass other checks
in the filtering stack, the messages will be delivered. For example, if email
authentication passes, a message from a sender in the allow entry will be delivered.

Use the Microsoft 365 Defender portal to view allow or block entries for domains and
email addresses in the Tenant Allow/Block List

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section.
Or, to go directly to the Tenant Allow/Block Lists page, use
https://security.microsoft.com/tenantAllowBlockList .

2. Verify the Domains & addresses tab is selected. The following columns are
available:

Value: The domain or email address.
Action: The value Allow or Block.
Modified by
Last updated
Remove on: The expiration date.
Notes

You can click on a column heading to sort in ascending or descending order.

Click Group to group the results by None or Action.

Click Search, enter all or part of a value, and then press ENTER to find a specific
value. When you're finished, click Clear search.

Click Filter to filter the results. The following values are available in the Filter
flyout that appears:

Action: Allow and Block.
Never expire: on or off.
Last updated: Select From and To dates.
Remove on: Select From and To dates.

When you're finished, click Apply. To clear existing filters, click Clear filters in
the Filter flyout.

Use PowerShell to view allow or block entries for domains and
email addresses in the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

PowerShell

Get-TenantAllowBlockListItems -ListType Sender [-Allow] [-Block] [-Entry <Domain or Email address value>] [<-ExpirationDate Date | -NoExpiration>]

This example returns all allow and block entries for domains and email addresses.

PowerShell

Get-TenantAllowBlockListItems -ListType Sender

This example filters the results for block entries for domains and email addresses.

PowerShell

Get-TenantAllowBlockListItems -ListType Sender -Block

For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to modify allow or block entries for domains
and email addresses in the Tenant Allow/Block List

You can make the following modifications to entries for domains and email addresses in
the Tenant Allow/Block list:

Block entries: The expiration date and notes.
Allow entries: Notes.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList.

2. Verify the Domains & addresses tab is selected.

3. On the Domains & addresses tab, select the check box of the entry that you want
to modify, and then click the Edit button that appears.

4. The following settings are available in the Edit domain & addresses flyout that
appears:

Remove block entry after: You can extend block entries for a maximum of 90
days after the creation date or set them to Never expire.
Optional note

When you're finished, click Save.

Note that with allow expiry management, if Microsoft has not learned from the allow,
Microsoft will automatically extend the expiry time of allows, which are going to expire
soon, by 30 days to prevent legitimate email from going to junk or quarantine again. If
Microsoft does not learn within 90 calendar days from the date of allow creation,
Microsoft will remove the allow.

If Microsoft has learned from the allow, the allow will be removed and you will get an
alert informing you about it.

Note

For allow entries only, if you select the entry by clicking anywhere in the row other
than the check box, you can select View submission in the details flyout that
appears to go to the Submissions page at
https://security.microsoft.com/reportsubmission .

Use PowerShell to modify allow or block entries for domains and
email addresses in the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

PowerShell

Set-TenantAllowBlockListItems -ListType Sender <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]

This example changes the expiration date of the specified block entry for domains and
email addresses.

PowerShell

Set-TenantAllowBlockListItems -ListType Sender -Entries "julia@fabrikam.com" -ExpirationDate "9/1/2022"

For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to remove allow or block entries for domains
and email addresses in the Tenant Allow/Block List

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList .

2. Verify the Domains & addresses tab is selected.

3. On the Domains & addresses tab, do one of the following steps:

Select the check box of the entry that you want to remove, and then click the
Delete icon that appears.
Select the entry that you want to remove by clicking anywhere in the row
other than the check box. In the details flyout that appears, click Delete.

4. In the warning dialog that appears, click Delete.

Note

You can select multiple entries by selecting each check box, or select all entries by
selecting the check box next to the Value column header.

Use PowerShell to remove allow or block entries for domains and
email addresses from the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

PowerShell

Remove-TenantAllowBlockListItems -ListType Sender <-Ids <Identity value> | -Entries <Value value>>

This example removes the specified block entry for domains and email addresses from
the Tenant Allow/Block List.

PowerShell

Remove-TenantAllowBlockListItems -ListType Sender -Entries "adatum.com"

For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.
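The create and view procedures for sender block entries above can be scripted together with the expiry rules this article states (30-day default, 90-day maximum). The functions below are an added example, not code from the Microsoft article; they assume an Exchange Online PowerShell session, that the objects returned by Get-TenantAllowBlockListItems expose Value and ExpirationDate properties (an assumption based on the portal columns), and the sender values in the usage lines are constructed samples.

```powershell
# Added example (not from the Microsoft article): create sender block entries with
# an explicit expiry, skipping values already blocked, and list entries that are
# about to expire. Assumes an Exchange Online PowerShell session and that the
# objects returned by Get-TenantAllowBlockListItems expose Value and
# ExpirationDate properties (an assumption based on the portal columns).

# Accepts a bare domain or an email address and rejects anything else, so a URL
# or display name pasted by mistake does not become a sender block entry.
function Test-SenderEntryFormat {
    param([Parameter(Mandatory)][string]$Entry)
    $domainPattern = '([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}'
    # -match is case-insensitive by default in PowerShell.
    return ($Entry -match "^$domainPattern$") -or ($Entry -match "^[^@\s]+@$domainPattern$")
}

function Add-SenderBlockEntries {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Entries,
        # Block entries for domains and addresses can be set up to 90 days out
        # (or to never expire); the article's default is 30 days.
        [ValidateRange(1, 90)][int]$DaysUntilExpiry = 30,
        [string]$Notes = 'Added by Add-SenderBlockEntries'
    )

    $invalid = @($Entries | Where-Object { -not (Test-SenderEntryFormat $_) })
    if ($invalid.Count) { throw "Not a domain or email address: $($invalid -join ', ')" }

    # Skip values that already have a block entry so the function is idempotent.
    $existing = @(Get-TenantAllowBlockListItems -ListType Sender -Block | ForEach-Object Value)
    $new = @($Entries | Where-Object { $_ -notin $existing })
    if ($new.Count -eq 0) { Write-Verbose 'All entries are already blocked.'; return }

    $expires = (Get-Date).AddDays($DaysUntilExpiry)
    if ($PSCmdlet.ShouldProcess(($new -join ', '), "Block until $($expires.ToShortDateString())")) {
        New-TenantAllowBlockListItems -ListType Sender -Block -Entries $new `
            -ExpirationDate $expires -Notes $Notes
    }
}

# Lists block entries that expire within the next N days so an admin can renew
# them with Set-TenantAllowBlockListItems or let them lapse on purpose.
# Entries with no ExpirationDate are treated as "never expire" and skipped.
function Get-ExpiringSenderBlocks {
    param([ValidateRange(1, 90)][int]$WithinDays = 7)
    $cutoff = (Get-Date).AddDays($WithinDays)
    Get-TenantAllowBlockListItems -ListType Sender -Block |
        Where-Object { $_.ExpirationDate -and [datetime]$_.ExpirationDate -le $cutoff } |
        Sort-Object ExpirationDate |
        Select-Object Value, ExpirationDate, Notes
}

# Usage (constructed sample values; -WhatIf previews the change):
# Add-SenderBlockEntries -Entries 'test@badattackerdomain.com','anotherattackerdomain.com' -DaysUntilExpiry 60 -WhatIf
# Get-ExpiringSenderBlocks -WithinDays 14
```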

Spoofed senders in the Tenant Allow/Block List

Create allow entries for spoofed senders

You have the following options to create allow entries for spoofed senders:

The Submissions page in the Microsoft 365 Defender portal
The Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell

Note

Allow entries for spoofed senders take care of intra-org, cross-org, and DMARC
spoofing.

Only the combination of the spoofed user and the sending infrastructure as defined
in the domain pair is allowed to spoof.

When you configure an allow entry for a domain pair, messages from that domain
pair no longer appear in the spoof intelligence insight.

Allow entries for spoofed senders never expire.

Use the Microsoft 365 Defender portal to create allow entries for
spoofed senders in the Submissions portal

Submitting messages that were blocked by spoof intelligence to Microsoft in the
Submissions portal at https://security.microsoft.com/reportsubmission adds an
allow entry for the sender on the Spoofed senders tab in the Tenant
Allow/Block List.

For instructions, see Report good email to Microsoft.

Note

When you override the verdict in the spoof intelligence insight, the spoofed sender
becomes a manual allow or block entry that only appears on the Spoofed senders
tab in the Tenant Allow/Block List.

If the sender has not been blocked by spoof intelligence, submitting the email
message to Microsoft won't create an allow entry in the Tenant Allow/Block List.

Use the Microsoft 365 Defender portal to create allow entries for
spoofed senders in the Tenant Allow/Block List
In the Tenant Allow/Block List, you can create allow entries for spoofed senders before
they're detected and blocked by spoof intelligence.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList .

2. On the Tenant Allow/Block List page, select the Spoofed senders tab, and then
click Add.

3. In the Add new domain pairs flyout that appears, configure the following settings:

Add domain pairs with wildcards: Enter one domain pair per line, up to a
maximum of 20. For details about the syntax for spoofed sender entries, see
the Domain pair syntax for spoofed sender entries section later in this article.

Spoof type: Select one of the following values:


Internal: The spoofed sender is in a domain that belongs to your
organization (an accepted domain).
External: The spoofed sender is in an external domain.

Action: Select Allow or Block.

When you're finished, click Add.

Use PowerShell to create allow entries for spoofed senders in the Tenant Allow/Block
List

In Exchange Online PowerShell, use the following syntax:

PowerShell

New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow -SpoofedUser <Domain | EmailAddress> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal>

This example creates an allow entry for the sender bob@contoso.com from the source
contoso.com.

PowerShell

New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow -SendingInfrastructure contoso.com -SpoofedUser bob@contoso.com -SpoofType External

For detailed syntax and parameter information, see New-TenantAllowBlockListSpoofItems.

Use the Microsoft 365 Defender portal to create block entries for spoofed senders in
the Tenant Allow/Block List
You create block entries for spoofed senders directly in the Tenant Allow/Block List.

7 Note

Email messages from these senders are blocked as phishing.

Only the combination of the spoofed user and the sending infrastructure as defined
in the domain pair is blocked from spoofing.

When you configure a block entry for a domain pair, messages from that domain
pair no longer appear in the spoof intelligence insight.

Block entries for spoofed senders never expire.

The steps are nearly identical to the steps in Use the Microsoft 365 Defender portal to
create allow entries for spoofed senders in the Tenant Allow/Block List.

The only difference is: for the Action value in Step 3, choose Block instead of Allow.

Use PowerShell to create block entries for spoofed senders in the Tenant Allow/Block
List
In Exchange Online PowerShell, use the following syntax:

PowerShell

New-TenantAllowBlockListSpoofItems -Identity Default -Action Block -SpoofedUser <Domain | EmailAddress> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal>

This example creates a block entry for the sender laura@adatum.com from the source
172.17.17.17/24.

PowerShell

New-TenantAllowBlockListSpoofItems -Identity Default -Action Block -SendingInfrastructure 172.17.17.17/24 -SpoofedUser laura@adatum.com -SpoofType External

For detailed syntax and parameter information, see New-TenantAllowBlockListSpoofItems.

Use the Microsoft 365 Defender portal to view allow or block entries for spoofed
senders in the Tenant Allow/Block List
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section.
Or, to go directly to the Tenant Allow/Block Lists page, use
https://security.microsoft.com/tenantAllowBlockList .

2. Verify the Spoofed senders tab is selected. The following columns are available:

Spoofed user
Sending infrastructure
Spoof type: The value Internal or External.
Action: The value Block or Allow.

You can click on a column heading to sort in ascending or descending order.

Click Group to group the results by None, Action, or Spoof type.

Click Search, enter all or part of a value, and then press ENTER to find a specific
value. When you're finished, click Clear search.

Click Filter to filter the results. The following values are available in the Filter
flyout that appears:

Action: Allow and Block.


Spoof type: Internal and External.

When you're finished, click Apply. To clear existing filters, click Clear filters in
the Filter flyout.

Use PowerShell to view allow or block entries for spoofed senders in the Tenant
Allow/Block List
In Exchange Online PowerShell, use the following syntax:

PowerShell

Get-TenantAllowBlockListSpoofItems [-Action <Allow | Block>] [-SpoofType <External | Internal>]

This example returns all spoofed sender entries in the Tenant Allow/Block List.

PowerShell

Get-TenantAllowBlockListSpoofItems

This example returns all allow spoofed sender entries that are internal.

PowerShell

Get-TenantAllowBlockListSpoofItems -Action Allow -SpoofType Internal

This example returns all blocked spoofed sender entries that are external.

PowerShell

Get-TenantAllowBlockListSpoofItems -Action Block -SpoofType External

For detailed syntax and parameter information, see Get-TenantAllowBlockListSpoofItems.

Use the Microsoft 365 Defender portal to modify allow or block entries for spoofed
senders in the Tenant Allow/Block List
When you modify an allow or block entry for spoofed senders in the Tenant Allow/Block
list, you can only change the entry from Allow to Block, or vice-versa.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList .

2. Select the Spoofed senders tab.

3. On the Spoofed senders tab, select the entry that you want to modify, and then
click the Edit button that appears.

4. In the Edit spoofed sender flyout that appears, choose Allow or Block.

5. When you're finished, click Save.

Use PowerShell to modify allow or block entries for spoofed senders in the Tenant
Allow/Block List
In Exchange Online PowerShell, use the following syntax:

PowerShell

Set-TenantAllowBlockListSpoofItems -Identity Default -Ids <Identity value> -Action <Allow | Block>

This example changes the specified spoofed sender entry from allow to block.

PowerShell

Set-TenantAllowBlockListSpoofItems -Identity Default -Ids 3429424b-781a-53c3-17f9-c0b5faa02847 -Action Block

For detailed syntax and parameter information, see Set-TenantAllowBlockListSpoofItems.

Use the Microsoft 365 Defender portal to remove allow or block entries for spoofed
senders in the Tenant Allow/Block List
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList .

2. Select the Spoofed senders tab.

3. On the Spoofed senders tab, select the entry that you want to remove, and then
click the Delete icon that appears.

4. In the warning dialog that appears, click Delete.

7 Note

You can select multiple entries by selecting each check box, or selecting all entries
by selecting the check box next to the Spoofed user column header.

Use PowerShell to remove allow or block entries for spoofed senders from the Tenant
Allow/Block List

In Exchange Online PowerShell, use the following syntax:

PowerShell

Remove-TenantAllowBlockListSpoofItems -Identity domain.com\Default -Ids <Identity value>

This example removes the specified spoofed sender entry. You get the Ids parameter value
from the Identity property in the output of the Get-TenantAllowBlockListSpoofItems
command.

PowerShell

Remove-TenantAllowBlockListSpoofItems -Identity domain.com\Default -Ids d86b3b4b-e751-a8eb-88cc-fe1e33ce3d0c

For detailed syntax and parameter information, see Remove-TenantAllowBlockListSpoofItems.
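
The PowerShell sections above show each spoofed-sender cmdlet in isolation. The following script is an added example (it is not part of the original article) that walks one domain pair through the whole lifecycle: check for an existing entry, create an allow entry, look up its Identity, flip it to Block, and remove it. It assumes the ExchangeOnlineManagement module, an account with the Security Administrator role, and that the objects returned by Get-TenantAllowBlockListSpoofItems expose SpoofedUser, SendingInfrastructure, SpoofType, Action and Identity properties (Identity is documented above as the source of the Ids value; the other property names are assumed from the portal column names).

```powershell
# Added example, not from the original article: manage one spoofed-sender domain pair end to end.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account holds the
# Security Administrator role; property names SpoofedUser, SendingInfrastructure, SpoofType and
# Action on the returned objects are assumed (Identity is documented).

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# The domain pair to manage: who is being spoofed, and from which infrastructure.
$spoofedUser  = 'invoices@contoso.com'     # our own address, sent on our behalf by a vendor
$sendingInfra = 'mail.fabrikam.com'        # PTR domain of the vendor's mail servers (constructed)

# 1. Look before you add: only the exact pair is allowed, and a duplicate pair would be rejected.
$existing = Get-TenantAllowBlockListSpoofItems |
    Where-Object { $_.SpoofedUser -eq $spoofedUser -and $_.SendingInfrastructure -eq $sendingInfra }

if (-not $existing) {
    # Internal because contoso.com is one of the tenant's accepted domains (see Spoof type above).
    New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow `
        -SpoofedUser $spoofedUser -SendingInfrastructure $sendingInfra -SpoofType Internal
}

# 2. Read the entry back; its Identity is what Set-/Remove-TenantAllowBlockListSpoofItems need.
$entry = Get-TenantAllowBlockListSpoofItems -Action Allow -SpoofType Internal |
    Where-Object { $_.SpoofedUser -eq $spoofedUser -and $_.SendingInfrastructure -eq $sendingInfra }

"Entry {0}: {1} from {2} -> {3}" -f $entry.Identity, $entry.SpoofedUser, $entry.SendingInfrastructure, $entry.Action

# 3. When the vendor relationship ends, flip the same pair to Block instead of deleting it:
#    the pair stays out of spoof intelligence and mail from it is blocked as phishing.
Set-TenantAllowBlockListSpoofItems -Identity Default -Ids $entry.Identity -Action Block

# 4. Remove the entry only when the pair should go back to normal spoof intelligence handling.
Remove-TenantAllowBlockListSpoofItems -Identity Default -Ids $entry.Identity

Disconnect-ExchangeOnline -Confirm:$false
```

Step 3 is the important operational point: an allow entry for a spoofed sender never expires, so when a third party stops sending on your behalf, leaving the allow in place keeps a permanent spoofing exception for that pair.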

Domain pair syntax for spoofed sender entries

A domain pair for a spoofed sender in the Tenant Allow/Block List uses the following
syntax: <Spoofed user>, <Sending infrastructure> .

Spoofed user: This value is the email address of the spoofed user that's displayed in
the From box in email clients. This address is also known as the 5322.From address.
Valid values include:
An individual email address (for example, chris@contoso.com).
An email domain (for example, contoso.com).
The wildcard character (for example, *).

Sending infrastructure: This value indicates the source of messages from the
spoofed user. Valid values include:
The domain found in a reverse DNS lookup (PTR record) of the source email
server's IP address (for example, fabrikam.com).
If the source IP address has no PTR record, then the sending infrastructure is
identified as <source IP>/24 (for example, 192.168.100.100/24).
A verified DKIM domain.

Here are some examples of valid domain pairs to identify spoofed senders:

contoso.com, 192.168.100.100/24
chris@contoso.com, fabrikam.com

*, contoso.net

Adding a domain pair only allows or blocks the combination of the spoofed user and the
sending infrastructure. It does not allow email from the spoofed user from any source,
nor does it allow email from the sending infrastructure source for any spoofed user.

For example, you add an allow entry for the following domain pair:

Spoofed user: gmail.com
Sending infrastructure: tms.mx.com

Only messages from that spoofed user and sending infrastructure pair are allowed to
spoof. Other senders attempting to spoof gmail.com aren't allowed. Messages from
senders in other domains originating from tms.mx.com are checked by spoof
intelligence.

7 Note

You can specify wildcards in the sending infrastructure or in the spoofed user, but
not in both at the same time. For example, *, * is not permitted.
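
The following script is an added example (not part of the original article) that applies the domain pair syntax above, and the PowerShell create procedure earlier in this article, to a batch of pairs before anything is sent to the service: it parses each "<spoofed user>, <sending infrastructure>" line, rejects malformed values and the "*, *" case, derives the spoof type from an assumed list of the tenant's accepted domains, and builds the parameter set for New-TenantAllowBlockListSpoofItems. The pairs and the accepted domains are constructed for the example; the cmdlet call is left commented out so the script can be run offline.

```powershell
# Added example, not from the original article: validate domain pairs before bulk-adding them.
# Constructed input and an assumed accepted-domain list; ConvertTo-SpoofItemParams returns a
# hashtable that can be splatted into New-TenantAllowBlockListSpoofItems.

$acceptedDomains = @('contoso.com', 'contoso.net')   # assumed accepted domains of the tenant

# Constructed input: one domain pair per line, in the syntax the portal flyout expects.
$pairs = @'
chris@contoso.com, fabrikam.com
contoso.com, 192.168.100.100/24
*, contoso.net
*, *
invoices@adatum.com, mailer.adatum.com
'@ -split "`r?`n"

function Test-SpoofedUser([string]$Value) {
    # An individual address, a bare domain, or the wildcard.
    $Value -eq '*' -or
    $Value -match '^[^\s@]+@[^\s@]+\.[^\s@]+$' -or
    $Value -match '^[a-z0-9.-]+\.[a-z]{2,}$'
}

function Test-SendingInfrastructure([string]$Value) {
    # A PTR or verified DKIM domain, an IPv4 /24 when the source has no PTR record, or the wildcard.
    $Value -eq '*' -or
    $Value -match '^[a-z0-9.-]+\.[a-z]{2,}$' -or
    $Value -match '^(\d{1,3})(\.\d{1,3}){3}/24$'
}

function ConvertTo-SpoofItemParams([string]$Line, [string]$Action) {
    $parts = $Line -split ',' | ForEach-Object { $_.Trim().ToLowerInvariant() }
    if ($parts.Count -ne 2) { throw "Expected '<spoofed user>, <sending infrastructure>': $Line" }
    $spoofedUser, $infra = $parts

    # The page's rule: a wildcard is allowed in either position, but not in both.
    if ($spoofedUser -eq '*' -and $infra -eq '*') { throw "Wildcard in both positions is not permitted: $Line" }
    if (-not (Test-SpoofedUser $spoofedUser)) { throw "Invalid spoofed user: $spoofedUser" }
    if (-not (Test-SendingInfrastructure $infra)) { throw "Invalid sending infrastructure: $infra" }

    # Internal when the spoofed address or domain is one of our accepted domains. A wildcard
    # spoofed user cannot be classified from the pair alone, so it defaults to External.
    $domain = if ($spoofedUser -eq '*') { $null } else { ($spoofedUser -split '@')[-1] }
    $spoofType = if ($domain -and $acceptedDomains -contains $domain) { 'Internal' } else { 'External' }

    @{
        Identity              = 'Default'
        Action                = $Action
        SpoofedUser           = $spoofedUser
        SendingInfrastructure = $infra
        SpoofType             = $spoofType
    }
}

foreach ($line in $pairs | Where-Object { $_.Trim() }) {
    try {
        $params = ConvertTo-SpoofItemParams -Line $line -Action Allow
        "{0,-25} {1,-25} {2}" -f $params.SpoofedUser, $params.SendingInfrastructure, $params.SpoofType
        # After Connect-ExchangeOnline, apply the validated pair with:
        # New-TenantAllowBlockListSpoofItems @params
    }
    catch { Write-Warning $_.Exception.Message }
}
```

Running the script offline prints the four valid pairs with their derived spoof type and emits a warning for "*, *". Validating first matters because spoofed-sender allow entries never expire: a pair that is too broad (a wildcard spoofed user against a shared mail provider, for example) is a standing exception to spoof intelligence until someone removes it.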

About impersonated domains or senders

In organizations with Microsoft Defender for Office 365, you can't create allow entries in
the Tenant Allow/Block List for messages that were detected as impersonation by
domain or sender impersonation protection.

Reporting a message that was incorrectly blocked as impersonation in the Submissions
portal at https://security.microsoft.com/reportsubmission does not add the sender or
domain as an allow entry in the Tenant Allow/Block List.

Instead, the domain or sender is added to the Trusted senders and domains section in
the anti-phishing policy that detected the message.

The instructions to report the message are identical to the steps in Use the Microsoft
365 Defender portal to create allow entries for domains and email addresses in the
Submissions portal.

7 Note

Currently, graph impersonation isn't handled by this procedure.

Related articles
Use the Submissions portal to submit suspected spam, phish, URLs, legitimate
email getting blocked, and email attachments to Microsoft
Report false positives and false negatives
Manage your allows and blocks in the Tenant Allow/Block List
Allow or block files in the Tenant Allow/Block List
Allow or block URLs in the Tenant Allow/Block List
Allow or block files using the Tenant Allow/Block List
Article • 01/18/2023 • 8 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This article describes how to manage file allow and block entries that are available in the
Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see
Manage your allows and blocks in the Tenant Allow/Block List.

You manage allow and block entries for files in the Microsoft 365 Defender Portal or in
Exchange Online PowerShell.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList . To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

You specify files by using the SHA256 hash value of the file. To find the SHA256
hash value of a file in Windows, run the following command in a Command
Prompt:

DOS

certutil.exe -hashfile "<Path>\<Filename>" SHA256

An example value is
768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a . Perceptual
hash (pHash) values are not supported.

For files, the maximum number of allow entries is 500, and the maximum number
of block entries is 500 (1000 file entries total).

You can enter a maximum of 64 characters in a file entry.

An entry should be active within 30 minutes, but it might take up to 24 hours for
the entry to be active.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add and remove values from the Tenant Allow/Block List, you need to be a
member of one of the following role groups:
Organization Management or Security Administrator role group (Security
admin role)
Security Operator role group (Tenant AllowBlockList Manager).
For read-only access to the Tenant Allow/Block List, you need to be a member
of one of the following role groups:
Global Reader role group
Security Reader role group
View-Only configuration role group

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.

Create block entries for files

You have the following options to create block entries for files:

The Submissions page in the Microsoft 365 Defender portal
The Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell

Use the Microsoft 365 Defender portal to create block entries for files in the
Submissions portal
When you use the Submissions portal at
https://security.microsoft.com/reportsubmission to report files as Should have been
blocked (False negative), you can select Block this file to add a block entry on the Files
tab in the Tenant Allow/Block List.

For instructions, see Report questionable email attachments to Microsoft.

Use the Microsoft 365 Defender portal to create block entries for files in the Tenant
Allow/Block List
You can create block entries for files directly in the Tenant Allow/Block List.

Email messages that contain these blocked files are blocked as malware.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList .

2. On the Tenant Allow/Block List page, select the Files tab.

3. On the Files tab, click Block.

4. In the Block files flyout that appears, configure the following settings:

Add file hashes: Enter one SHA256 hash value per line, up to a maximum of
20.

Remove block entry after: The default value is 30 days, but you can select
from the following values:
1 day
7 days
30 days
Never expire
Specific date: The maximum value is 90 days from today.

Optional note: Enter descriptive text for the entries.

5. When you're finished, click Add.


Use PowerShell to create block entries for files in the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

PowerShell

New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]

This example adds a block entry for the specified files that never expires.

PowerShell

New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration

For detailed syntax and parameter information, see New-TenantAllowBlockListItems.
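
The following script is an added example (not part of the original article) that joins the hash step from "What do you need to know before you begin?" to the block procedure above: it hashes a folder of attachment samples with Get-FileHash (the PowerShell counterpart of the certutil command shown earlier), skips hashes that already have a block entry, adds the rest in batches of 20 with a 90-day expiry and a note, and then reads each hash back to confirm a Block entry exists. It assumes a folder C:\Samples containing the files, an account with the Security Administrator role, and that the objects returned by Get-TenantAllowBlockListItems expose Value, Action and ExpirationDate properties (Value and Action match the portal columns described later in this article; ExpirationDate is assumed).

```powershell
# Added example, not from the original article: hash attachment samples and block them.
# Assumptions: C:\Samples holds the files to block; Get-TenantAllowBlockListItems output exposes
# Value, Action and ExpirationDate properties; the note text is constructed for the example.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# Get-FileHash returns the SHA256 value in uppercase; normalise to the lowercase form used in
# this article so comparisons against existing entries are exact.
$hashes = @(Get-ChildItem -Path 'C:\Samples' -File |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { $_.Hash.ToLowerInvariant() } |
    Sort-Object -Unique)

# Skip hashes that already have a block entry; Value is the hash as shown in the portal column.
$present = @((Get-TenantAllowBlockListItems -ListType FileHash -Block).Value)
$new = @($hashes | Where-Object { $present -notcontains $_ })

# Add in batches of 20, the same ceiling the portal flyout applies, with a 90-day expiry (the
# maximum the portal offers for a specific date) and a note that ties the entry to the triage.
for ($i = 0; $i -lt $new.Count; $i += 20) {
    $batch = $new[$i..([math]::Min($i + 19, $new.Count - 1))]
    New-TenantAllowBlockListItems -ListType FileHash -Block -Entries $batch `
        -ExpirationDate (Get-Date).AddDays(90) -Notes 'Attachment hashes from phishing triage (constructed note)'
}

# Verify: every hash should now resolve to a Block entry. The list shows the entry at once, but
# the article notes that enforcement in mail flow can take up to 24 hours.
foreach ($h in $hashes) {
    $entry = Get-TenantAllowBlockListItems -ListType FileHash -Entry $h -ErrorAction SilentlyContinue
    if (-not $entry -or $entry.Action -ne 'Block') { Write-Warning "No block entry for $h" }
    else { "{0}  expires {1:yyyy-MM-dd}" -f $h, $entry.ExpirationDate }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Keeping a note on every block entry is what lets the next responder tell, months later, why a hash was blocked and whether the entry can lapse when it reaches its expiration date.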

Use the Microsoft 365 Defender portal to create allow entries for files in the
Submissions portal
You can't create allow entries for files directly in the Tenant Allow/Block List. Instead, you
use the Submissions portal at https://security.microsoft.com/reportsubmission to
report the message attachment as a false positive, which also adds an allow entry on the
Files tab in the Tenant Allow/Block List.

For instructions, see Report good email attachments to Microsoft.

) Important

Because Microsoft manages allow entries for you, unneeded allow entries for files
will be removed. This behavior protects your organization and helps prevent
misconfigured allow entries. If you disagree with the verdict, you might need to
open a support case to help determine why a file is still considered bad.

Use the Microsoft 365 Defender portal to view allow or block entries for files in the
Tenant Allow/Block List
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section.
Or, to go directly to the Tenant Allow/Block Lists page, use
https://security.microsoft.com/tenantAllowBlockList .

2. Select the Files tab. The following columns are available:

Value: The file hash.
Action: The value Allow or Block.
Modified by
Last updated
Remove on: The expiration date.
Notes

You can click on a column heading to sort in ascending or descending order.

Click Group to group the results by None or Action.

Click Search, enter all or part of a value, and then press ENTER to find a specific
value. When you're finished, click Clear search.

Click Filter to filter the results. The following values are available in the Filter
flyout that appears:

Action: Allow and Block.
Never expire
Last updated: Select From and To dates.
Remove on: Select From and To dates.

When you're finished, click Apply. To clear existing filters, click Clear filters in
the Filter flyout.

Use PowerShell to view allow or block entries for files in the Tenant Allow/Block List
In Exchange Online PowerShell, use the following syntax:

PowerShell

Get-TenantAllowBlockListItems -ListType FileHash [-Allow] [-Block] [-Entry <FileHashValue>] [<-ExpirationDate Date | -NoExpiration>]

This example returns all allowed and blocked files.

PowerShell

Get-TenantAllowBlockListItems -ListType FileHash

This example returns information for the specified file hash value.

PowerShell

Get-TenantAllowBlockListItems -ListType FileHash -Entry "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"

This example filters the results by blocked files.

PowerShell

Get-TenantAllowBlockListItems -ListType FileHash -Block

For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to modify allow or block entries for files in the
Tenant Allow/Block List
You can make the following modifications to entries for files in the Tenant Allow/Block
list:

Block entries: The expiration date and notes.
Allow entries: Notes.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList .

2. Select the Files tab.

3. On the Files tab, select the check box of the entry that you want to modify, and
then click the Edit button that appears.

4. The following settings are available in the Edit file flyout that appears:

Remove block entry after: You can extend block entries for a maximum of 90
days after the creation date or set them to Never expire.
Optional note

When you're finished, click Save.

7 Note

For allow entries only, if you select the entry by clicking anywhere in the row other
than the check box, you can select View submission in the details flyout that
appears to go to the Submissions page at
https://security.microsoft.com/reportsubmission .

Use PowerShell to modify allow or block entries for files in the Tenant Allow/Block List
In Exchange Online PowerShell, use the following syntax:

PowerShell

Set-TenantAllowBlockListItems -ListType FileHash <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]

This example changes the expiration date of the specified file block entry.

PowerShell

Set-TenantAllowBlockListItems -ListType FileHash -Entries "27c5973b2451db9deeb01114a0f39e2cbcd2f868d08cedb3e210ab3ece102214" -ExpirationDate "9/1/2022"

For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to remove allow or block entries for files from
the Tenant Allow/Block List
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList .

2. Select the Files tab.

3. On the Files tab, do one of the following steps:

Select the check box of the entry that you want to remove, and then click the
Delete icon that appears.
Select the entry that you want to remove by clicking anywhere in the row
other than the check box. In the details flyout that appears, click Delete.

4. In the warning dialog that appears, click Delete.

7 Note

You can select multiple entries by selecting each check box, or select all entries by
selecting the check box next to the Value column header.

Use PowerShell to remove allow or block entries for files from the Tenant Allow/Block
List
In Exchange Online PowerShell, use the following syntax:

PowerShell

Remove-TenantAllowBlockListItems -ListType FileHash <-Ids <Identity value> | -Entries <Value value>>

This example removes the specified file block from the Tenant Allow/Block List.

PowerShell

Remove-TenantAllowBlockListItems -ListType FileHash -Entries "27c5973b2451db9deeb01114a0f39e2cbcd2f868d08cedb3e210ab3ece102214"

For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.


Related articles
Use the Submissions portal to submit suspected spam, phish, URLs, legitimate
email getting blocked, and email attachments to Microsoft
Report false positives and false negatives
Manage your allows and blocks in the Tenant Allow/Block List
Allow or block emails in the Tenant Allow/Block List
Allow or block URLs in the Tenant Allow/Block List
Allow or block URLs using the Tenant Allow/Block List
Article • 01/18/2023 • 11 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This article describes how to create and manage URL allow and block entries that are
available in the Tenant Allow/Block List. For more information about the Tenant
Allow/Block List, see Manage your allows and blocks in the Tenant Allow/Block List.

You manage allow and block entries for URLs in the Microsoft 365 Defender Portal or in
Exchange Online PowerShell. Messages containing the blocked URLs are quarantined.

7 Note

To allow phishing URLs that are part of third-party attack simulation training, use
the advanced delivery configuration to specify the URLs. Don't use the Tenant
Allow/Block List.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList . To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

For URL entry syntax, see the URL syntax for the Tenant Allow/Block List section
later in this article.

For URLs, the maximum number of allow entries is 500, and the maximum number
of block entries is 500 (1000 URL entries total).

You can enter a maximum of 250 characters in a URL entry.

An entry should be active within 30 minutes, but it might take up to 24 hours for
the entry to be active.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add and remove values from the Tenant Allow/Block List, you need to be a
member of one of the following role groups:
Organization Management or Security Administrator role group (Security
admin role)
Security Operator role group (Tenant AllowBlockList Manager).
For read-only access to the Tenant Allow/Block List, you need to be a member
of one of the following role groups:
Global Reader role group
Security Reader role group
View-Only configuration role group

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.

Create block entries for URLs

You have the following options to create block entries for URLs:

The Submissions page in the Microsoft 365 Defender portal
The Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell

Use the Microsoft 365 Defender portal to create block entries for URLs in the
Submissions portal
When you use the Submissions portal at
https://security.microsoft.com/reportsubmission to report URLs as Should have been
blocked (False negative), you can select Block this URL to add a block entry on the
URLs tab in the Tenant Allow/Block List.

For instructions, see Report questionable URLs to Microsoft.

Use the Microsoft 365 Defender portal to create block entries for URLs in the Tenant
Allow/Block List
You can create block entries for URLs directly in the Tenant Allow/Block List.

Email messages that contain these blocked URLs are blocked as high confidence
phishing.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList .

2. On the Tenant Allow/Block List page, select the URLs tab.

3. On the URLs tab, click Block.

4. In the Block URLs flyout that appears, configure the following settings:

Add URLs with wildcards: Enter one URL per line, up to a maximum of 20. For
details about the syntax for URL entries, see the URL syntax for the Tenant
Allow/Block List section later in this article.

Remove block entry after: The default value is 30 days, but you can select
from the following values:
Never expire
1 day
7 days
30 days
Specific date: The maximum value is 90 days from today.

Optional note: Enter descriptive text for the entries.

5. When you're finished, click Add.


Use PowerShell to create block entries for URLs in the Tenant
Allow/Block List

In Exchange Online PowerShell, use the following syntax:

PowerShell

New-TenantAllowBlockListItems -ListType Url -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate <Date> | -NoExpiration> [-Notes <String>]

This example adds a block entry for the URL contoso.com and all subdomains (for
example, contoso.com and xyz.abc.contoso.com). Because we didn't use the
ExpirationDate or NoExpiration parameters, the entry expires after 30 days.

PowerShell

New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com

For detailed syntax and parameter information, see New-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to create allow entries for URLs in the
Submissions portal
You can't create URL allow entries directly in the Tenant Allow/Block List. Instead, you
use the Submissions portal at https://security.microsoft.com/reportsubmission to
report the URL as a false positive, which also adds an allow entry on the URLs tab in the
Tenant Allow/Block List.

For instructions, see Report good URLs to Microsoft.

) Important

Because Microsoft manages allow entries for you, unneeded URL allow entries will
be removed. This behavior protects your organization and helps prevent
misconfigured allow entries. If you disagree with the verdict, you might need to
open a support case to help determine why a URL is still considered bad.

Use the Microsoft 365 Defender portal to view allow or block entries for URLs in the
Tenant Allow/Block List
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section.
Or, to go directly to the Tenant Allow/Block Lists page, use
https://security.microsoft.com/tenantAllowBlockList .

2. Select the URL tab. The following columns are available:

Value: The URL.
Action: The value Allow or Block.
Modified by
Last updated
Remove on: The expiration date.
Notes

Click on a column heading to sort in ascending or descending order.

Click Group to group the results by None or Action.

Click Search, enter all or part of a value, and then press ENTER to find a specific
value. When you're finished, click to clear the search.

Click Filter to filter the results. The following values are available in the Filter
flyout that appears:

Action: Allow and Block.
Never expire
Last updated: Select From and To dates.
Remove on: Select From and To dates.

When you're finished, click Apply. To clear existing filters, click Clear filters in
the Filter flyout.

Use PowerShell to view allow or block entries for URLs in the Tenant Allow/Block List
In Exchange Online PowerShell, use the following syntax:

PowerShell

Get-TenantAllowBlockListItems -ListType Url [-Allow] [-Block] [-Entry <URLValue>] [<-ExpirationDate <Date> | -NoExpiration>]

This example returns all allowed and blocked URLs.

PowerShell

Get-TenantAllowBlockListItems -ListType Url

This example filters the results by blocked URLs.

PowerShell

Get-TenantAllowBlockListItems -ListType Url -Block

For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to modify allow or block entries for URLs in the
Tenant Allow/Block List
You can make the following modifications to entries for URLs in the Tenant Allow/Block
list:

Block entries: The expiration date and notes.
Allow entries: Notes.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList .

2. Select the URLs tab

3. On the URLs tab, select the check box of the entry that you want to modify, and
then click the Edit button that appears.

4. The following values are available in the Edit URL flyout that appears:

Remove block entry after: You can extend block entries for a maximum of 90
days after the creation date or set them to Never expire.
Optional note

When you're finished, click Save.

Note

For allow entries only, if you select the entry by clicking anywhere in the row other
than the check box, you can select View submission in the details flyout that
appears to go to the Submissions page at
https://security.microsoft.com/reportsubmission.

Use PowerShell to modify allow or block entries for URLs in the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

PowerShell

Set-TenantAllowBlockListItems -ListType Url <-Ids <Identity value> | -Entries <Value value>> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]

This example changes the expiration date of the block entry for the specified URL.

PowerShell

Set-TenantAllowBlockListItems -ListType Url -Entries "~contoso.com" -ExpirationDate "9/1/2022"

For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.

Use the Microsoft 365 Defender portal to remove allow or block entries for URLs from the Tenant Allow/Block List

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or,
to go directly to the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList.

2. Select the URLs tab.

3. On the URLs tab, do one of the following steps:

Select the check box of the entry that you want to remove, and then click the
Delete icon that appears.
Select the entry that you want to remove by clicking anywhere in the row
other than the check box. In the details flyout that appears, click Delete.

4. In the warning dialog that appears, click Delete.

Note

You can select multiple entries by selecting each check box, or select all entries by
selecting the check box next to the Value column header.

Use PowerShell to remove allow or block entries for URLs from the Tenant Allow/Block List

In Exchange Online PowerShell, use the following syntax:

PowerShell

Remove-TenantAllowBlockListItems -ListType Url <-Ids <Identity value> | -Entries <Value value>>

This example removes the block entry for the specified URL from the Tenant Allow/Block
List.

PowerShell

Remove-TenantAllowBlockListItems -ListType Url -Entries "~cohovineyard.com"

For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.

URL syntax for the Tenant Allow/Block List

IPv4 and IPv6 addresses are allowed, but TCP/UDP ports are not.

Filename extensions are not allowed (for example, test.pdf).

Unicode is not supported, but Punycode is.

Hostnames are allowed if all of the following statements are true:

The hostname contains a period.
There is at least one character to the left of the period.
There are at least two characters to the right of the period.

For example, t.co is allowed; .com or contoso. are not allowed.

Subpaths are not implied for allows.

For example, contoso.com does not include contoso.com/a.

Wildcards (*) are allowed in the following scenarios:

A left wildcard must be followed by a period to specify a subdomain (only
applicable for blocks).

For example, *.contoso.com is allowed; *contoso.com is not allowed.

A right wildcard must follow a forward slash (/) to specify a path.

For example, contoso.com/* is allowed; contoso.com* or contoso.com/ab* are
not allowed.

*.com* is invalid (not a resolvable domain and the right wildcard does not
follow a forward slash).

Wildcards are not allowed in IP addresses.

The tilde (~) character is available in the following scenarios:

A left tilde implies a domain and all subdomains.

For example, ~contoso.com includes contoso.com and *.contoso.com.

A username or password isn't supported or required.

Quotes (' or ") are invalid characters.

A URL should include all redirects where possible.

URL entry scenarios

Valid URL entries and their results are described in the following sections.

Scenario: No wildcards

Entry: contoso.com

Allow match: contoso.com

Allow not matched:
abc-contoso.com
contoso.com/a
payroll.contoso.com
test.com/contoso.com
test.com/q=contoso.com
www.contoso.com
www.contoso.com/q=a@contoso.com

Block match:
contoso.com
contoso.com/a
payroll.contoso.com
test.com/contoso.com
test.com/q=contoso.com
www.contoso.com
www.contoso.com/q=a@contoso.com

Block not matched: abc-contoso.com

Scenario: Left wildcard (subdomain)

Note

This scenario applies only to blocks.

Entry: *.contoso.com

Block match:
www.contoso.com
xyz.abc.contoso.com

Block not matched:
123contoso.com
contoso.com
test.com/contoso.com
www.contoso.com/abc

Scenario: Right wildcard at top of path

Entry: contoso.com/a/*

Allow match and Block match:
contoso.com/a/b
contoso.com/a/b/c
contoso.com/a/?q=joe@t.com

Allow not matched and Block not matched:
contoso.com
contoso.com/a
www.contoso.com
www.contoso.com/q=a@contoso.com

Scenario: Left tilde

Entry: ~contoso.com

Allow match and Block match:
contoso.com
www.contoso.com
xyz.abc.contoso.com

Allow not matched and Block not matched:
123contoso.com
contoso.com/abc
www.contoso.com/abc

Scenario: Right wildcard suffix

Entry: contoso.com/*

Allow match and Block match:
contoso.com/?q=whatever@fabrikam.com
contoso.com/a
contoso.com/a/b/c
contoso.com/ab
contoso.com/b
contoso.com/b/a/c
contoso.com/ba

Allow not matched and Block not matched: contoso.com


Scenario: Left wildcard subdomain and right wildcard suffix

Note

This scenario applies only to blocks.

Entry: *.contoso.com/*

Block match:
abc.contoso.com/ab
abc.xyz.contoso.com/a/b/c
www.contoso.com/a
www.contoso.com/b/a/c
xyz.contoso.com/ba

Block not matched: contoso.com/b

Scenario: Left and right tilde

Entry: ~contoso.com~

Allow match and Block match:
contoso.com
contoso.com/a
www.contoso.com
www.contoso.com/b
xyz.abc.contoso.com
abc.xyz.contoso.com/a/b/c
contoso.com/b/a/c
test.com/contoso.com

Allow not matched and Block not matched:
123contoso.com
contoso.org
test.com/q=contoso.com

Scenario: IP address

Entry: 1.2.3.4

Allow match and Block match: 1.2.3.4

Allow not matched and Block not matched:
1.2.3.4/a
11.2.3.4/a

Scenario: IP address with right wildcard

Entry: 1.2.3.4/*

Allow match and Block match:
1.2.3.4/b
1.2.3.4/baaaa

Examples of invalid entries

The following entries are invalid:

Missing or invalid domain values:
contoso
*.contoso.*
*.com
*.pdf

Wildcard on text or without spacing characters:
*contoso.com
contoso.com*
*1.2.3.4
1.2.3.4*
contoso.com/a*
contoso.com/ab*

IP addresses with ports:
contoso.com:443
abc.contoso.com:25

Non-descriptive wildcards:
*
*.*

Middle wildcards:
conto*so.com
conto~so.com

Double wildcards:
contoso.com/**
contoso.com/*/*
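
The syntax rules and scenario tables above, modelled as an added example that is not part of this article or of Microsoft's service: validate_entry applies the documented syntax rules, and matches reproduces the allow/block results of the scenarios. The token-boundary matching used for a bare domain in a block entry, and the handling of cases the tables don't list (a right tilde on its own, a tilde combined with a wildcard or a path), are assumptions drawn from those tables.

```python
"""Reference model of Tenant Allow/Block List URL entries: the syntax rules and
the allow/block match semantics documented in this article. Added illustration
reconstructed from the documented scenarios, not Microsoft's implementation;
behaviour for cases the article does not show is an assumption."""
import ipaddress
import re

# Hostname rule from the article: a period, >= 1 char left of it, >= 2 right.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z0-9-]{2,}$")
# A bare domain in a block entry hits wherever it appears on a token boundary
# (www.contoso.com, test.com/q=contoso.com) but not inside abc-contoso.com.
BOUNDARY_BEFORE, BOUNDARY_AFTER = r"(?<![A-Za-z0-9-])", r"(?![A-Za-z0-9.-])"


def _split(value):
    """Split 'host/path' into (host, path); path is None when there is no slash."""
    host, slash, path = value.partition("/")
    return host, (path if slash else None)


def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))  # "[...]" wraps IPv6 literals
        return True
    except ValueError:
        return False


def validate_entry(entry, action):
    """Return None if entry is valid for action ('allow'|'block'), else a reason."""
    if any(c in "'\"" or c.isspace() for c in entry):
        return "quotes and spacing characters are invalid"
    left_tilde, right_tilde = entry.startswith("~"), entry.endswith("~")
    host, path = _split(entry.strip("~"))
    if "~" in host or (path is not None and "~" in path):
        return "a tilde is only valid at the start (and end) of a domain"
    if right_tilde and not left_tilde:
        return "a right tilde is only documented together with a left tilde (assumption)"
    if (left_tilde or right_tilde) and path is not None:
        return "tildes apply to a domain without a path (assumption)"
    left_wild = host.startswith("*.")
    if left_wild:
        if action == "allow":
            return "a left wildcard is only applicable for blocks"
        if left_tilde:
            return "a left wildcard cannot be combined with a tilde (assumption)"
        host = host[2:]
    if "*" in host:
        return "a wildcard in a host must be '*.' in front of a whole domain"
    if "@" in host:
        return "a username or password isn't supported"
    if host.startswith("[") and host.endswith("]"):
        if not _is_ip(host):
            return "invalid IPv6 literal"
    elif ":" in host:
        return "TCP/UDP ports are not allowed"
    if _is_ip(host):
        if left_wild:
            return "wildcards are not allowed in IP addresses"
    elif not HOSTNAME_RE.match(host):
        return "missing or invalid domain value"
    if path is not None and "*" in path:
        if path.count("*") > 1 or not (path == "*" or path.endswith("/*")):
            return "a right wildcard must follow a forward slash and end the entry"
    return None


def matches(entry, url, action):
    """True if url (scheme-less, as in the article's tables) hits entry under action."""
    if validate_entry(entry, action) is not None:
        return False
    left_tilde, right_tilde = entry.startswith("~"), entry.endswith("~")
    ehost, epath = _split(entry.strip("~"))
    left_wild = ehost.startswith("*.")
    domain = ehost[2:] if left_wild else ehost
    uhost, upath = _split(url)
    is_sub = uhost.endswith("." + domain)          # proper subdomain of domain
    if epath is not None and epath.endswith("*"):  # right wildcard: path prefix
        prefix = epath[:-1]
        host_hit = is_sub if left_wild else uhost == domain
        return host_hit and upath is not None and upath.startswith(prefix) and len(upath) > len(prefix)
    if left_tilde and right_tilde:                 # ~domain~: any '/'-separated segment
        return any(s == domain or s.endswith("." + domain) for s in url.split("/"))
    if left_tilde:                                 # ~domain: domain and subdomains, no path
        return upath is None and (uhost == domain or is_sub)
    if left_wild:                                  # *.domain (blocks only): subdomains, no path
        return upath is None and is_sub
    if action == "allow" or epath is not None or _is_ip(domain):
        return url == entry                        # allows, paths and IPs match exactly
    return re.search(BOUNDARY_BEFORE + re.escape(domain) + BOUNDARY_AFTER, url) is not None


if __name__ == "__main__":
    # A few of the article's scenarios, evaluated for inspection.
    for entry, url, action in [("contoso.com", "test.com/q=contoso.com", "block"),
                               ("contoso.com", "abc-contoso.com", "block"),
                               ("*.contoso.com", "www.contoso.com/abc", "block"),
                               ("~contoso.com~", "test.com/contoso.com", "allow")]:
        print(f"{entry:15} {action:5} {url:24} -> {matches(entry, url, action)}")
    print(validate_entry("contoso.com:443", "block"))
```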

Related articles

Use the Submissions portal to submit suspected spam, phish, URLs, legitimate
email getting blocked, and email attachments to Microsoft
Report false positives and false negatives
Manage your allows and blocks in the Tenant Allow/Block List
Allow or block files in the Tenant Allow/Block List
Allow or block emails in the Tenant Allow/Block List

Create blocked sender lists in EOP

Article • 12/10/2022 • 5 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
EOP offers multiple ways of blocking email from unwanted senders. Collectively, you can
think of these options as blocked sender lists.

The available blocked sender lists are described in the following list in order from most
recommended to least recommended:

1. Block entries for domains and email addresses (including spoofed senders) in the
Tenant Allow/Block List.
2. Outlook Blocked Senders (the Blocked Senders list that's stored in each mailbox).
3. Blocked sender lists or blocked domain lists (anti-spam policies).
4. Mail flow rules (also known as transport rules).
5. The IP Block List (connection filtering).

The rest of this article contains specifics about each method.

Note

Always submit messages in your blocked sender lists to Microsoft for analysis. For
instructions, see Report questionable email to Microsoft. If the messages or
message sources are determined to be harmful, Microsoft can automatically block
the messages, and you won't need to manually maintain the entry in blocked
sender lists.

Instead of blocking email, you also have several options to allow email from specific
sources using safe sender lists. For more information, see Create safe sender lists.

Email message basics

A standard SMTP email message consists of a message envelope and message content.
The message envelope contains information that's required for transmitting and
delivering the message between SMTP servers. The message content contains message
header fields (collectively called the message header) and the message body. The
message envelope is described in RFC 5321, and the message header is described in
RFC 5322. Recipients never see the actual message envelope because it's generated by
the message transmission process, and it isn't actually part of the message.

The 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or
envelope sender) is the email address that's used in the SMTP transmission of the
message. This email address is typically recorded in the Return-Path header field in
the message header (although it's possible for the sender to designate a different
Return-Path email address). If the message can't be delivered, it's the recipient for
the non-delivery report (also known as an NDR or bounce message).

The 5322.From (also known as the From address or P2 sender) is the email address
in the From header field, and is the sender's email address that's displayed in email
clients.

Frequently, the 5321.MailFrom and 5322.From addresses are the same (person-to-person
communication). However, when email is sent on behalf of someone else, the addresses
can be different.

Blocked sender lists and blocked domain lists in anti-spam policies in EOP inspect only
the 5322.From addresses. This behavior is similar to Outlook Blocked Senders that use
the 5322.From address.

Use block entries in the Tenant Allow/Block List

Our number one recommended option for blocking mail from specific senders or
domains is the Tenant Allow/Block List. For instructions, see Allow or block email using
the Tenant Allow/Block List.

Email messages from these senders are marked as high confidence spam (SCL = 9). What
happens to the messages is determined by the anti-spam policy that detected the
message for the recipient. In the default anti-spam policy and new custom policies,
messages that are marked as high confidence spam are delivered to the Junk Email
folder by default. In Standard and Strict preset security policies, high confidence spam
messages are quarantined.

As an added benefit, users in the organization can't send email to these blocked
domains and addresses. They'll receive the following non-delivery report (also known as
an NDR or bounce message): 5.7.1 Your message can't be delivered because one or
more recipients are blocked by your organization's tenant allow/block list policy.
The entire message is blocked to all recipients if email is sent to any of the entries in the
list.

Only if you can't use the Tenant Allow/Block List for some reason should you consider
using a different method to block senders.

Use Outlook Blocked Senders

When only a small number of users received unwanted email, users or admins can add
the sender email addresses to the Blocked Senders list in the mailbox. For instructions,
see Configure junk email settings on Exchange Online mailboxes.

When messages are successfully blocked due to a user's Blocked Senders list, the
X-Forefront-Antispam-Report header field will contain the value SFV:BLK.

Note

If the unwanted messages are newsletters from a reputable and recognizable
source, unsubscribing from the email is another option to stop the user from
receiving the messages.

Use blocked sender lists or blocked domain lists

When multiple users are affected, the scope is wider, so the next best option is blocked
sender lists or blocked domain lists in anti-spam policies. Messages from senders on the
lists are marked as High confidence spam, and the action that you've configured for the
High Confidence Spam filter verdict is taken on the messages. For more information,
see Configure anti-spam policies.

The maximum limit for these lists is approximately 1000 entries.

Use mail flow rules

Mail flow rules can also look for keywords or other properties in the unwanted
messages.

Regardless of the conditions or exceptions that you use to identify the messages, you
configure the action to set the spam confidence level (SCL) of the message to 9, which
marks the message as High confidence spam. For more information, see Use mail flow
rules to set the SCL in messages.

Important

It's easy to create rules that are overly aggressive, so it's important that you identify
only the messages you want to block using very specific criteria. Also, be sure to
monitor the usage of the rule to ensure everything works as expected.

Use the IP Block List

When it's not possible to use one of the other options to block a sender, only then
should you use the IP Block List in the connection filter policy. For more information, see
Configure the connection filter policy. It's important to keep the number of blocked IPs
to a minimum, so blocking entire IP address ranges is not recommended.

You should especially avoid adding IP address ranges that belong to consumer services
(for example, outlook.com) or shared infrastructures, and also ensure that you review
the list of blocked IP addresses as part of regular maintenance.

Create safe sender lists in EOP

Article • 01/05/2023 • 10 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standalone
Exchange Online Protection (EOP) customer without Exchange Online mailboxes, EOP
offers multiple ways of ensuring that users will receive email from trusted senders.
Collectively, you can think of these options as safe sender lists.

The available safe sender lists are described in the following list in order from most
recommended to least recommended:

1. Allow entries for domains and email addresses (including spoofed senders) in the
Tenant Allow/Block List.
2. Mail flow rules (also known as transport rules).
3. Outlook Safe Senders (the Safe Senders list that's stored in each mailbox that
affects only that mailbox).
4. IP Allow List (connection filtering)
5. Allowed sender lists or allowed domain lists (anti-spam policies)

The rest of this article contains specifics about each method.

Important

Messages that are identified as malware or high confidence phishing are always
quarantined, regardless of the safe sender list option that you use. For more
information, see Secure by default in Office 365.

Be careful to closely monitor any exceptions that you make to spam filtering using
safe sender lists.
Always submit messages in your safe sender lists to Microsoft for analysis. For
instructions, see Report good email to Microsoft. If the messages or message
sources are determined to be benign, Microsoft can automatically allow the
messages, and you won't need to manually maintain the entry in safe sender lists.

Instead of allowing email, you also have several options to block email from specific
sources using blocked sender lists. For more information, see Create blocked sender
lists in EOP.

Use allow entries in the Tenant Allow/Block List

Our number one recommended option for allowing mail from senders or domains is the
Tenant Allow/Block List. For instructions, see Allow or block email using the Tenant
Allow/Block List.

Only if you can't use the Tenant Allow/Block List for some reason should you consider
using a different method to allow senders.

Use mail flow rules

Note

You can't use message headers and mail flow rules to designate an internal sender
as a safe sender. The procedures in this section work for external senders only.

Mail flow rules in Exchange Online and standalone EOP use conditions and exceptions
to identify messages, and actions to specify what should be done to those messages.
For more information, see Mail flow rules (transport rules) in Exchange Online.

The following example assumes you need email from contoso.com to skip spam
filtering. To do this, configure the following settings:

1. Condition: The sender > domain is > contoso.com.

2. Configure either of the following settings:

Mail flow rule condition: The message headers > includes any of these
words:
Header name: Authentication-Results
Header value: dmarc=pass or dmarc=bestguesspass (add both values).
This condition checks the email authentication status of the sending email
domain to ensure that the sending domain is not being spoofed. For more
information about email authentication, see SPF, DKIM, and DMARC.

IP Allow List: Specify the source IP address or address range in the
connection filter policy. For instructions, see Configure connection filtering.

Use this setting if the sending domain does not use email authentication. Be
as restrictive as possible when it comes to the source IP addresses in the IP
Allow List. We recommend an IP address range of /24 or less (less is better).
Do not use IP address ranges that belong to consumer services (for example,
outlook.com) or shared infrastructures.

Important

Never configure mail flow rules with only the sender domain as the
condition to skip spam filtering. Doing so will significantly increase the
likelihood that attackers can spoof the sending domain (or impersonate
the full email address), skip all spam filtering, and skip sender
authentication checks so the message will arrive in the recipient's Inbox.

Do not use domains you own (also known as accepted domains) or
popular domains (for example, microsoft.com) as conditions in mail flow
rules. Doing so is considered high risk because it creates opportunities
for attackers to send email that would otherwise be filtered.

If you allow an IP address that's behind a network address translation
(NAT) gateway, you need to know the servers that are involved in the
NAT pool in order to know the scope of your IP Allow List. IP addresses
and NAT participants can change. You need to periodically check your IP
Allow List entries as part of your standard maintenance procedures.

3. Optional conditions:

The sender > is internal/external > Outside the organization: This condition
is implicit, but it's OK to use it to account for on-premises email servers that
might not be correctly configured.
The subject or body > subject or body includes any of these words >
<keywords>: If you can further restrict the messages by keywords or phrases
in the subject line or message body, you can use those words as a condition.

4. Action: Configure both of the following actions in the rule:

a. Modify the message properties > set the spam confidence level (SCL) >
Bypass spam filtering.

b. Modify the message properties > set a message header:

Header name: For example, X-ETR.
Header value: For example, Bypass spam filtering for authenticated
sender 'contoso.com'.

If you have more than one domain in the rule, you can customize the header
text as appropriate.

When a message skips spam filtering due to a mail flow rule, the value SFV:SKN is
stamped in the X-Forefront-Antispam-Report header. If the message is from a source
that's on the IP Allow List, the value IPV:CAL is also added. These values can help you
with troubleshooting.
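
The rule described in steps 1 to 4, modelled as an added example that is not part of this article and is not Exchange's rule engine: weak_rule is the sender-domain-only condition the Important box warns against, hardened_rule adds the Authentication-Results dmarc=pass/dmarc=bestguesspass condition, and parse_antispam_report reads the X-Forefront-Antispam-Report values these articles mention (SFV:BLK, SFV:SKN, SFV:SFE, IPV:CAL). The sample messages and report string are constructed; TRUSTED_DOMAIN, reading the sender domain from the From header, the substring match for the header condition, and SCL -1 as the encoding of "Bypass spam filtering" are assumptions.

```python
"""Model of the safe-sender mail flow rule and the header values discussed in these
articles. Added illustration, not Exchange code: the rule logic is a simplified
reconstruction (sender domain read from the 5322.From header, the 'includes any of
these words' condition treated as a substring match) and the messages are constructed."""
import re
from email import message_from_string

TRUSTED_DOMAIN = "contoso.com"   # the domain the article's example rule trusts (assumption)
DMARC_OK = re.compile(r"\bdmarc=(?:pass|bestguesspass)\b", re.IGNORECASE)
ADDRESS_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")

# Constructed sample messages (documentation IP ranges, no real mail).
AUTHENTICATED = """Return-Path: <bounces@mail.contoso.com>
From: Billing <billing@contoso.com>
Subject: Invoice 1234
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=mail.contoso.com; dkim=pass (signature was verified) header.d=contoso.com; dmarc=pass action=none header.from=contoso.com

Please find your invoice attached."""

SPOOFED = """Return-Path: <x@unrelated.example>
From: Billing <billing@contoso.com>
Subject: Urgent: update your payment details
Authentication-Results: spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=unrelated.example; dkim=none (message not signed) header.d=none; dmarc=fail action=quarantine header.from=contoso.com

Click the link to confirm your bank details."""


def sender_domains(raw):
    """5321.MailFrom (from Return-Path) and 5322.From domains, as the article defines them."""
    msg = message_from_string(raw)
    out = {}
    for label, header in (("5321.MailFrom", "Return-Path"), ("5322.From", "From")):
        m = ADDRESS_DOMAIN.search(msg.get(header, ""))
        out[label] = m.group(1).lower() if m else ""
    return out


def weak_rule(raw):
    """Condition: only 'The sender > domain is' (the article warns against this)."""
    return sender_domains(raw)["5322.From"] == TRUSTED_DOMAIN


def hardened_rule(raw):
    """Conditions: sender domain AND Authentication-Results includes dmarc=pass or
    dmarc=bestguesspass, so a spoofed From address alone no longer satisfies the rule."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    return weak_rule(raw) and DMARC_OK.search(auth) is not None


def apply_rule(raw, rule):
    """Actions from the article when the rule matches: SCL -1 (bypass spam filtering)
    and a custom header; None when the message stays in the normal filtering path."""
    if not rule(raw):
        return None
    return {"SCL": -1,
            "X-ETR": f"Bypass spam filtering for authenticated sender '{TRUSTED_DOMAIN}'"}


# The X-Forefront-Antispam-Report values these articles explain.
REPORT_MEANING = {
    "SFV:BLK": "blocked by the user's Outlook Blocked Senders list",
    "SFV:SKN": "skipped spam filtering because of a mail flow rule",
    "SFV:SFE": "skipped spam filtering because of the user's Outlook Safe Senders list",
    "IPV:CAL": "source IP is on the IP Allow List in the connection filter policy",
}


def parse_antispam_report(header):
    """Parse an X-Forefront-Antispam-Report value ('KEY:VALUE;...') into a dict."""
    fields = {}
    for part in header.split(";"):
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key] = value
    return fields


def explain_report(header):
    """Explanations (from these articles) for the report fields that have one."""
    fields = parse_antispam_report(header)
    return [REPORT_MEANING[f"{k}:{v}"] for k, v in fields.items() if f"{k}:{v}" in REPORT_MEANING]


if __name__ == "__main__":
    for name, raw in (("authenticated", AUTHENTICATED), ("spoofed", SPOOFED)):
        print(name, sender_domains(raw), "weak:", weak_rule(raw), "hardened:", hardened_rule(raw))
    # Constructed report, shaped like the stamp EOP adds after the rule and the IP Allow List applied.
    print(explain_report("CIP:203.0.113.10;CTRY:US;SCL:-1;IPV:CAL;SFV:SKN;CAT:NONE;"))
```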

Use Outlook Safe Senders

Caution

This method creates a high risk of attackers successfully delivering email to the
Inbox that would otherwise be filtered; however, if a message from an entry in the
user's Safe Senders or Safe Domains lists is determined to be malware or high
confidence phishing, the message will be filtered.

Instead of an organizational setting, users or admins can add the sender email
addresses to the Safe Senders list in the mailbox. For instructions, see Configure junk
email settings on Exchange Online mailboxes in Office 365. Safe Senders list entries in
the mailbox affect that mailbox only.

This method is not desirable in most situations since senders will bypass parts of the
filtering stack. Although you trust the sender, the sender can still be compromised and
send malicious content. You should let our filters check every message and then report
the false positive/negative to Microsoft if we got it wrong. Bypassing the filtering stack
also interferes with zero-hour auto purge (ZAP).

When messages skip spam filtering due to entries in a user's Safe Senders list, the
X-Forefront-Antispam-Report header field will contain the value SFV:SFE, which indicates
that filtering for spam, spoof, and phishing (not high confidence phishing) was
bypassed.

Notes:

In Exchange Online, whether entries in the Safe Senders list work or don't work
depends on the verdict and action in the policy that identified the message:
Move messages to Junk Email folder: Domain entries and sender email address
entries are honored. Messages from those senders are not moved to the Junk
Email folder.
Quarantine: Domain entries are not honored (messages from those senders are
quarantined). Email address entries are honored (messages from those senders
are not quarantined) if either of the following statements are true:
The message is not identified as malware or high confidence phishing
(malware and high confidence phishing messages are quarantined).
The email address is not also in a block entry in the Tenant Allow/Block List
(messages from those senders will be quarantined).
Entries for blocked senders and blocked domains are honored (messages from
those senders are moved to the Junk Email folder). Safe mailing list settings are
ignored.

Use the IP Allow List

Caution

Without additional verification like mail flow rules, email from sources in the IP
Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC)
checks. This result creates a high risk of attackers successfully delivering email to
the Inbox that would otherwise be filtered; however, if a message from an entry in
the IP Allow List is determined to be malware or high confidence phishing, the
message will be filtered.

The next best option is to add the source email server or servers to the IP Allow List in
the connection filter policy. For details, see Configure connection filtering in EOP.

Notes:

It's important that you keep the number of allowed IP addresses to a minimum, so
avoid using entire IP address ranges whenever possible.
Do not use IP address ranges that belong to consumer services (for example,
outlook.com) or shared infrastructures.
Regularly review the entries in the IP Allow List and remove the entries that you no
longer need.

Use allowed sender lists or allowed domain lists

Caution

This method creates a high risk of attackers successfully delivering email to the
Inbox that would otherwise be filtered; however, if a message from an entry in the
allowed senders or allowed domains lists is determined to be malware or high
confidence phishing, the message will be filtered.

Do not use popular domains (for example, microsoft.com) in allowed domain lists.

The least desirable option is to use the allowed sender list or allowed domain list in anti-
spam policies. You should avoid this option if at all possible because senders bypass all
spam, spoof, phishing protection (except high confidence phishing), and sender
authentication (SPF, DKIM, DMARC). This method is best used for temporary testing
only. The detailed steps can be found in the Configure anti-spam policies in EOP topic.

The maximum limit for these lists is approximately 1000 entries; although, you will only
be able to enter 30 entries into the portal. You must use PowerShell to add more than 30
entries.

Note

As of September 2022, if an allowed sender, domain, or subdomain is in an
accepted domain in your organization, that sender, domain, or subdomain must
pass email authentication checks in order to skip anti-spam filtering.

Considerations for bulk email

A standard SMTP email message consists of a message envelope and message content.
The message envelope contains information that's required for transmitting and
delivering the message between SMTP servers. The message content contains message
header fields (collectively called the message header) and the message body. The
message envelope is described in RFC 5321, and the message header is described in
RFC 5322. Recipients never see the actual message envelope because it's generated by
the message transmission process, and it isn't actually part of the message.

The 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or
envelope sender) is the email address that's used in the SMTP transmission of the
message. This email address is typically recorded in the Return-Path header field in
the message header (although it's possible for the sender to designate a different
Return-Path email address). If the message can't be delivered, it's the recipient for
the non-delivery report (also known as an NDR or bounce message).

The 5322.From (also known as the From address or P2 sender) is the email address
in the From header field, and is the sender's email address that's displayed in email
clients.

Frequently, the 5321.MailFrom and 5322.From addresses are the same (person-to-person
communication). However, when email is sent on behalf of someone else, the addresses
can be different. This happens most often for bulk email messages.

For example, suppose that Blue Yonder Airlines has hired Margie's Travel to send
advertising email messages. The message you receive in your Inbox has the following
properties:

The 5321.MailFrom address is blueyonder.airlines@margiestravel.com.
The 5322.From address is blueyonder@news.blueyonderairlines.com, which is what
you'll see in Outlook.

Safe sender lists and safe domain lists in anti-spam policies in EOP inspect only the
5322.From addresses. This behavior is similar to Outlook Safe Senders that use the
5322.From address.

To prevent this message from being filtered, you can take the following steps:

Add blueyonder@news.blueyonderairlines.com (the 5322.From address) as an
Outlook Safe Sender.
Use a mail flow rule with a condition that looks for messages from
blueyonder@news.blueyonderairlines.com (the 5322.From address),
blueyonder.airlines@margiestravel.com (the 5321.MailFrom address), or both.

Get started using Attack simulation training in Defender for Office 365

Article • 12/09/2022 • 6 minutes to read

Applies to
Microsoft Defender for Office 365 plan 2

If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2,
which includes Threat Investigation and Response capabilities, you can use Attack
simulation training in the Microsoft 365 Defender portal to run realistic attack scenarios
in your organization. These simulated attacks can help you identify and find vulnerable
users before a real attack impacts your bottom line. Read this article to learn more.

Watch this short video to learn more about Attack simulation training.
https://www.microsoft.com/en-us/videoplayer/embed/RWMhvB?postJsllMsg=true

Note

Attack simulation training replaces the old Attack Simulator v1 experience that was
available in the Security & Compliance Center at Threat management > Attack
simulator or https://protection.office.com/attacksimulator .

What do you need to know before you begin?

Attack simulation training requires a Microsoft 365 E5 or Microsoft Defender for
Office 365 Plan 2 license.

To open the Microsoft 365 Defender portal, go to https://security.microsoft.com.
Attack simulation training is available at Email and collaboration > Attack
simulation training. To go directly to Attack simulation training, use
https://security.microsoft.com/attacksimulator.

For more information about the availability of Attack simulation training across
different Microsoft 365 subscriptions, see Microsoft Defender for Office 365 service
description.

You need to be assigned permissions in Azure Active Directory before you can do
the procedures in this article. Specifically, you need to be a member of one of the
following roles:
Global Administrator
Security Administrator
Attack Simulation Administrators*: Create and manage all aspects of attack
simulation campaigns.
Attack Payload Author*: Create attack payloads that an admin can initiate later.

* Adding users to this role in the Microsoft 365 Defender portal is currently
unsupported.

For more information, see Permissions in the Microsoft 365 Defender portal or
About admin roles.

There are no corresponding PowerShell cmdlets for Attack simulation training.

Attack simulation and training related data is stored with other customer data for
Microsoft 365 services. For more information see Microsoft 365 data locations.
Attack simulation is available in the following regions: NAM, APC, EUR, IND, CAN,
AUS, FRA, GBR, JPN, KOR, BRA, LAM, CHE, NOR, ZAF, ARE and DEU.

Note

NOR, ZAF, ARE and DEU are the latest additions. All features except reported
email telemetry will be available in these regions. We are working to enable
this and will notify our customers as soon as reported email telemetry
becomes available.

As of June 15, 2021, Attack simulation training is available in GCC. If your
organization has Office 365 G5 GCC or Microsoft Defender for Office 365 (Plan 2)
for Government, you can use Attack simulation training in the Microsoft 365
Defender portal to run realistic attack scenarios in your organization as described
in this article. Attack simulation training is not yet available in GCC High or DoD
environments.

Note

Attack simulation training offers a subset of capabilities to E3 customers as a trial.
The trial offering contains the ability to use a Credential Harvest payload and the
ability to select 'ISA Phishing' or 'Mass Market Phishing' training experiences. No
other capabilities are part of the E3 trial offering.

Simulations
Phishing is a generic term for email attacks that try to steal sensitive information in
messages that appear to be from legitimate or trusted senders. Phishing is a part of a
subset of techniques we classify as social engineering.

In Attack simulation training, multiple types of social engineering techniques are
available:

Credential harvest: An attacker sends the recipient a message that contains a URL.
When the recipient clicks on the URL, they're taken to a website that typically
shows a dialog box that asks the user for their username and password. Typically,
the destination page is themed to represent a well-known website in order to build
trust in the user.

Malware attachment: An attacker sends the recipient a message that contains an
attachment. When the recipient opens the attachment, arbitrary code (for example,
a macro) is run on the user's device to help the attacker install additional code or
further entrench themselves.

Link in attachment: This is a hybrid of a credential harvest. An attacker sends the
recipient a message that contains a URL inside of an attachment. When the
recipient opens the attachment and clicks on the URL, they're taken to a website
that typically shows a dialog box that asks the user for their username and
password. Typically, the destination page is themed to represent a well-known
website in order to build trust in the user.

Link to malware: An attacker sends the recipient a message that contains a link to
an attachment on a well-known file sharing site (for example, SharePoint Online or
Dropbox). When the recipient clicks on the URL, the attachment opens and
arbitrary code (for example, a macro) is run on the user's device to help the
attacker install additional code or further entrench themselves.

Drive-by-url: An attacker sends the recipient a message that contains a URL.
When the recipient clicks on the URL, they're taken to a website that tries to run
background code. This background code attempts to gather information about the
recipient or deploy arbitrary code on their device. Typically, the destination website
is a well-known website that has been compromised or a clone of a well-known
website. Familiarity with the website helps convince the user that the link is safe to
click. This technique is also known as a watering hole attack.

OAuth Consent Grant: An attacker creates a malicious Azure Application that seeks
to gain access to data. The application sends an email request that contains a URL.
When the recipient clicks on the URL, the consent grant mechanism of the
application asks for access to the data (for example, the user's Inbox).

The URLs that are used by Attack simulation training are described in the following list:

https://www.mcsharepoint.com
https://www.attemplate.com
https://www.doctricant.com
https://www.mesharepoint.com
https://www.officence.com
https://www.officenced.com
https://www.officences.com
https://www.officentry.com
https://www.officested.com
https://www.prizegives.com
https://www.prizemons.com
https://www.prizewel.com
https://www.prizewings.com
https://www.shareholds.com
https://www.sharepointen.com
https://www.sharepointin.com
https://www.sharepointle.com
https://www.sharesbyte.com
https://www.sharession.com
https://www.sharestion.com
https://www.templateau.com
https://www.templatent.com
https://www.templatern.com
https://www.windocyte.com

Note

Check the availability of the simulated phishing URL in your supported web
browsers before you use the URL in a phishing campaign. While we work with many
URL reputation vendors to always allow these simulation URLs, we don't always
have full coverage (for example, Google Safe Browsing). Most vendors provide
guidance that allows you to always allow specific URLs (for example,
https://support.google.com/chrome/a/answer/7532419).

Create a simulation
For step by step instructions on how to create and send a new simulation, see Simulate
a phishing attack.

Create a payload
For step by step instructions on how to create a payload for use within a simulation, see
Create a custom payload for Attack simulation training.

Gaining insights
For step by step instructions on how to gain insights with reporting, see Gain insights
through Attack simulation training.

Note

Attack Simulator uses Safe Links in Defender for Office 365 to securely track click
data for the URL in the payload message that's sent to targeted recipients of a
phishing campaign, even if the Track user clicks setting in Safe Links policies is
turned off.

Simulate a phishing attack with Attack simulation training in Defender for Office 365
Article • 12/06/2022 • 22 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to
Microsoft Defender for Office 365 plan 2

Attack simulation training in Microsoft Defender for Office 365 Plan 2 or Microsoft 365
E5 lets you run benign cyberattack simulations in your organization. These simulations
test your security policies and practices, as well as train your employees to increase their
awareness and decrease their susceptibility to attacks. This article walks you through
creating a simulated phishing attack using Attack simulation training.

For getting started information about Attack simulation training, see Get started using
Attack simulation training.

To launch a simulated phishing attack, do the following steps:

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & collaboration > Attack simulation training > Simulations tab.

To go directly to the Simulations tab, use
https://security.microsoft.com/attacksimulator?viewid=simulations.

2. On the Simulations tab, select Launch a simulation.


3. The simulation creation wizard opens. The rest of this article describes the pages
and the settings they contain.

Note

At any point during the simulation creation wizard, you can click Save and close to
save your progress and continue configuring the simulation later. The incomplete
simulation has the Status value Draft on the Simulations tab. You can pick up
where you left off by selecting the simulation and clicking Edit simulation.

Select a social engineering technique

On the Select technique page, select an available social engineering technique, which
was curated from the MITRE ATT&CK® framework . Different payloads are available
for different techniques. The following social engineering techniques are available:

Credential harvest: Attempts to collect credentials by taking users to a well-known
looking website with input boxes to submit a username and password.
Malware attachment: Adds a malicious attachment to a message. When the user
opens the attachment, arbitrary code is run that will help the attacker compromise
the target's device.
Link in attachment: A type of credential harvest hybrid. An attacker inserts a URL
into an email attachment. The URL within the attachment follows the same
technique as credential harvest.
Link to malware: Runs some arbitrary code from a file hosted on a well-known file
sharing service. The message sent to the user will contain a link to this malicious
file. Opening the file will help the attacker compromise the target's device.
Drive-by URL: The malicious URL in the message takes the user to a familiar-
looking website that silently runs and/or installs code on the user's device.
OAuth Consent Grant: The malicious URL asks users to grant permissions to data
for a malicious Azure Application.

If you click the View details link in the description, a details flyout opens that describes
the technique and the simulation steps that result from the technique.

When you're finished, click Next.

Name and describe the simulation

On the Name simulation page, configure the following settings:

Name: Enter a unique, descriptive name for the simulation.

Description: Enter an optional detailed description for the simulation.

When you're finished, click Next.


Select a payload and login page
On the Select payload and login page, you need to select an existing payload from the
list, or create a new payload.

You can also view the login page that's used in the payload, select a different login page
to use, or create a new login page to use.

Payload
The following details are shown for each payload:

Payload name
Language: The language of the payload content. Microsoft's payload catalog
(global) provides payloads in 10+ languages which can also be filtered.
Click rate: How many people have clicked on this payload.
Predicted compromise rate: Historical data across Microsoft 365 that predicts the
percentage of people who will be compromised by this payload (users
compromised / total number of users who receive the payload).
Simulations launched: The number of times this payload was used in other
simulations.

In the Search box, you can type part of the payload name and press Enter to filter the
results.

If you click Filter, the following filters are available:

Complexity: Calculated based on the number of indicators in the payload that
indicate a possible attack (spelling errors, urgency, etc.). More indicators are easier
to identify as an attack and indicate lower complexity. The available values are:
High
Medium
Low

Language: The available values are: English, Spanish, German, Japanese, French,
Portuguese, Dutch, Italian, Swedish, Chinese (Simplified), Norwegian Bokmål,
Polish, Russian, Finnish, Korean, Turkish, Hungarian, Hebrew, Thai, Arabic,
Vietnamese, Slovak, Greek, Indonesian, Romanian, Slovenian, Croatian, Catalan,
or Other.

Add tag(s)
Filter by theme: The available values are: Account activation, Account verification,
Billing, Clean up mail, Document received, Expense, Fax, Finance report,
Incoming messages, Invoice, Items received, Login alert, Mail received, Password,
Payment, Payroll, Personalized offer, Quarantine, Remote work, Review message,
Security update, Service suspended, Signature required, Upgrade mailbox
storage, Verify mailbox, Voicemail, and Other.

Filter by brand: The available values are: American Express, Capital One, DHL,
DocuSign, Dropbox, Facebook, First American, Microsoft, Netflix, Scotiabank,
SendGrid, Stewart Title, Tesco, Wells Fargo, Syrinx Cloud, and Other.

Filter by industry: The available values are: Banking, Business services, Consumer
services, Education, Energy, Construction, Consulting, Financial services,
Government, Hospitality, Insurance, Legal, Courier services, IT, Healthcare,
Manufacturing, Retail, Telecom, Real estate, and Other.

Current event: The available values are Yes or No.

Controversial: The available values are Yes or No.

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

If you select a payload from the list by selecting the check box, a Send a test button
appears on the main page where you can send a copy of the payload email to yourself
(the currently logged in user) for inspection.

To create your own payload, click Create a payload. For more information, see Create
custom payloads for Attack simulation training.

If you select a payload from the list by clicking anywhere in the row other than the check
box, details about the payload are shown in a flyout:

The Payload tab contains an example and other details about the payload.
The Login page tab is available only in Credential Harvest or Link in attachment
payloads and is described in the next section.
The Simulations launched tab contains the Simulation name, Click rate,
Compromised rate, and Action.

Login page

Note

The Login page tab is available only in Credential Harvest or Link in attachment
payloads.

Select the payload from the list by clicking anywhere in the row other than the check
box to open the details flyout.

The Login page tab in the payload details flyout shows the login page that's currently
selected for the payload.

To view the complete login page, use the Page 1 and Page 2 links at the bottom of the
page for two-page login pages.

To change the login page that's used in the payload, click Change login page.

On the Select login page flyout that appears, the following information is shown for
each login page:

Name
Language
Source: For built-in login pages, the value is Global. For custom login pages, the
value is Tenant.
Status: Ready or Draft.
Created by: For built-in login pages, the value is Microsoft. For custom login
pages, the value is the UPN of the user who created the login page.
Last modified
Actions: Click Preview to preview the login page.

To find a login page in the list, use the Search box to find the name of the login
page.

Click Filter to filter the login pages by Source or Language.


To create a new login page, click Create new to start the create end user login
page wizard. The steps are the same as at Login pages at Attack simulation
training > Simulated content library tab. For instructions, see Create login pages.

Back on the Select login page, verify the new login page you created is selected, and
then click Save.

Back on the payload details flyout, click Close.

When you're finished on the Select a payload and login page, click Next.

Configure OAuth Payload

Note

This page is available only if you selected OAuth Consent Grant on the Select
technique page. Otherwise, you're taken to the Target users page.

On the Configure OAuth payload page, configure the following settings:

App name

App logo: Click Browse to select a .png, .jpeg, or .gif file to use. To remove a file
after you've selected it, click Remove.

Select app scope: Choose one of the following values:
Read user calendars
Read user contacts
Read user mail
Read all chat messages
Read all files that user can access
Read and write access to user mail
Send mail as a user

Target users
On the Target users page, select who will receive the simulation. Configure one of the
following settings:

Include all users in your organization: The affected users are shown in lists of 10.
You can use the Next and Previous buttons directly below the list of users to scroll
through the list. You can also use the Search icon on the page to find affected
users.

Include only specific users and groups: Choose one of the following options:
Add users: In the Add users flyout that appears, you can find users and
groups based on the following criteria:

Note

You can't use dynamic distribution groups to target users.

Search for users or groups: In the box, you can type part of the Name or Email
address of the user or group and then press Enter. You can select some or all of
the results. When you're finished, click Add x users.

Note

Clicking the Add filters button to return to the Filter users by categories
options will clear any users or groups that you selected in the search
results.

Filter users by categories: Select from none, some, or all of the following
options:

Suggested user groups: Select from the following values:
All suggested user groups
Users not targeted by a simulation in the last three months
Repeat offenders

User tags: User tags are identifiers for specific groups of users (for example,
Priority accounts). For more information, see User tags in Microsoft Defender
for Office 365.

Use the following options:
Search: In Search by user tags, you can type part of the user tag and
then press Enter. You can select some or all of the results.
Select All user tags
Select existing user tags.

Department: Use the following options:
Search: In Search by Department, you can type part of the Department
value and then press Enter. You can select some or all of the results.
Select All Department
Select existing Department values.

Title: Use the following options:
Search: In Search by Title, you can type part of the Title value and then
press Enter. You can select some or all of the results.
Select All Title
Select existing Title values.

After you identify your criteria, the affected users are shown in the User list
section that appears, where you can select some or all of the discovered
recipients.

When you're finished, click Apply(x), and then click Add x users.

Back on the main Target users page, you can use the Search box to find
affected users. You can also click Delete to remove specific users.
Import: In the dialog that opens, specify a CSV file that contains one email
address per line.

After you find and select the CSV file, the list of users is imported and shown on the
Targeted users page. You can use the Search box to find affected users. You can
also click Delete to remove specific users.

When you're finished, click Next.

Assign training
On the Assign training page, you can assign trainings for the simulation. We
recommend that you assign training for each simulation, as employees who go through
training are less susceptible to similar attacks. The following settings are available:

Select training content preference: Choose one of the following options:

Microsoft training experience: This is the default value that has the following
associated options to configure:
Select one of the following options:
Assign training for me: This is the default and recommended value. We
assign training based on a user's previous simulation and training results,
and you can review the selections in the next steps of the wizard.
Select training courses and modules myself: If you select this value, you'll
still be able to see the recommended content as well as all available
courses and modules in the next step of the wizard.
Due date: Choose one of the following values:
30 days after simulation ends: This is the default value.
15 days after simulation ends
7 days after simulation ends
Redirect to a custom URL: This value has the following associated options to
configure:
Custom training URL (required)
Custom training name (required)
Custom training description
Custom training duration (in minutes): The default value is 0, which means
there is no specified duration for the training.
Due date: Choose one of the following values:
30 days after simulation ends: This is the default value.
15 days after simulation ends
7 days after simulation ends
No training: If you select this value, the only option on the page is the Next
button that takes you to the Landing page page.

Training assignment

Note

The Training assignment page is available only if you selected Microsoft training
experience > Select training courses and modules myself on the previous page.

On the Training assignment page, select the trainings that you want to add to the
simulation by clicking Add trainings.

On the Add training flyout that appears, you can select the trainings to use on the
following tabs that are available:

Recommended tab: Shows the recommended built-in trainings based on the
simulation configuration. These are the same trainings that would have been
assigned if you selected Assign training for me on the previous page.

All trainings tab: Shows all built-in trainings that are available.

The following information is shown for each training:

Training name
Source: The value is Global.
Duration (mins)
Preview: Click the Preview button to see the training.

In the Search box, you can type part of the training name and press Enter to
filter the results on the current tab.

Select all trainings that you want to include from the current tab, and then click
Add.

Back on the main Training assignment page, the trainings that you selected are shown.
The following information is shown for each training:

Training name
Source
Duration (mins)

For each training in the list, you need to select who gets the training by selecting values
in the Assign to column:

All users

or one or both of the following values:

Clicked payload

Compromised

If you don't want to use a training that's shown, click Delete.


When you're finished, click Next.

Landing page
On the Landing page page, you configure the web page that users are taken to if they
open the payload in the simulation.

Microsoft-curated landing pages are available in 12 languages: Chinese (Simplified),
Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese,
Russian, Spanish, and Dutch.

Select landing page preference: The available values are:

Use Microsoft default landing page: This is the default value that has the
following associated options to configure:
Select landing page layout: Select one of the available templates.
Add logo: Click Browse to find and select a .png, .jpeg, or .gif file. The logo
size should be a maximum of 210 x 70 to avoid distortion. To remove the
logo, click Remove.
Add payload indicators to email: This setting is not available if you
previously selected Malware attachment or Link to malware on the Select
technique page.

You can preview the results by clicking the Open preview panel button at the
bottom of the page.

Use a custom URL: This setting is not available if you previously selected
Malware attachment or Link to malware on the Select technique page.
If you select Use a custom URL, you need to add the URL in the Enter the
custom landing page URL box that appears. No other options are available on
the page.

Create your own landing page: This value has the following associated options
to configure:

Add payload indicators to email: This setting is available to select only if both
of the following statements are true:
You selected Credential harvest, Link in attachment, Drive-by URL, or
OAuth Consent Grant on the Select technique page.
You've added the Dynamic tag named Insert Payload content in the
landing page content on this page.

Landing page content: Two tabs are available:

Text: A rich text editor is available to create your landing page. In addition
to the typical font and formatting settings, the following settings are
available:

Dynamic tag: Select from the following tags:

Tag name                  Tag value
Insert User name          ${userName}
Insert First name         ${firstName}
Insert Last name          ${lastName}
Insert UPN                ${upn}
Insert Email              ${emailAddress}
Insert Department         ${department}
Insert Manager            ${manager}
Insert Mobile phone       ${mobilePhone}
Insert City               ${city}
Insert sender name        ${FromName}
Insert sender email       ${FromEmail}
Insert Payload subject    ${EmailSubject}
Insert Payload content    ${EmailContent}
Insert Date               ${date|MM/dd/yyyy|offset}

Use from default: Select an available template to start with. You can
modify the text and layout in the editing area. To reset the landing
page back to the default text and layout of the template, click Reset to
default.

Code: You can view and modify the HTML code directly.

You can preview the results by clicking the Open preview panel button in the
middle of the page.
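The tag substitution behind a custom landing page, as an added example that is not taken from the page or from Microsoft's product code: a small renderer that fills the Dynamic tags listed above from a constructed user profile, refuses a template that lacks the ${EmailContent} tag when Add payload indicators to email is wanted, and HTML-escapes directory values so a display name cannot inject markup into the page. The meaning of the date tag's offset (a signed number of days from the render date) and the assumption that ${EmailContent} carries the payload's HTML body are assumptions, not documented behaviour.

```python
import html
import re
from datetime import date, timedelta

# Dynamic tags listed on the Landing page content > Text tab of the wizard.
KNOWN_TAGS = {
    "userName", "firstName", "lastName", "upn", "emailAddress", "department",
    "manager", "mobilePhone", "city", "FromName", "FromEmail",
    "EmailSubject", "EmailContent", "date",
}

# Matches ${name} or ${date|<format>|<offset>}.
TAG_PATTERN = re.compile(r"\$\{(\w+)(?:\|([^|}]*)\|([^}]*))?\}")


def format_tag_date(fmt, offset, today):
    """Render ${date|MM/dd/yyyy|offset}.

    Assumption: the page shows the tag shape but does not define 'offset';
    it is treated here as a signed number of days from the render date.
    """
    day = today + timedelta(days=int(offset or 0))
    # Map the MM/dd/yyyy tokens used on the page onto their values.
    return (
        (fmt or "MM/dd/yyyy")
        .replace("yyyy", f"{day.year:04d}")
        .replace("MM", f"{day.month:02d}")
        .replace("dd", f"{day.day:02d}")
    )


def find_unknown_tags(template):
    """Tags in the template that are not in the wizard's Dynamic tag list."""
    return sorted({m.group(1) for m in TAG_PATTERN.finditer(template)} - KNOWN_TAGS)


def template_accepts_payload_indicators(template):
    """Mirrors the wizard rule: Add payload indicators to email needs the
    Insert Payload content tag (${EmailContent}) in the landing page."""
    return "${EmailContent}" in template


def render_landing_page(template, profile, today=None, payload_indicators=False):
    """Substitute dynamic tags into a custom landing page template.

    Unknown tags are left untouched (see find_unknown_tags) so that a typo in
    a tag name is visible in the preview rather than silently blanked.
    """
    today = today or date.today()
    if payload_indicators and not template_accepts_payload_indicators(template):
        raise ValueError(
            "Add payload indicators to email requires ${EmailContent} in the landing page"
        )

    def substitute(match):
        name, fmt, offset = match.groups()
        if name == "date":
            return format_tag_date(fmt, offset, today)
        if name not in KNOWN_TAGS:
            return match.group(0)
        value = profile.get(name, "")
        # Assumption: EmailContent carries the payload's own HTML body, so it is
        # inserted as markup; every other value is directory data and is
        # HTML-escaped so a crafted display name cannot inject markup or script.
        return value if name == "EmailContent" else html.escape(str(value))

    return TAG_PATTERN.sub(substitute, template)


# Constructed sample data (not from the page): a target profile and a template.
SAMPLE_TODAY = date(2022, 12, 6)
SAMPLE_PROFILE = {
    "firstName": "Ada", "lastName": "Lovelace",
    "emailAddress": "ada@contoso.example", "department": "R&D",
    "EmailSubject": "Invoice <overdue>",
    "EmailContent": "<p>Your invoice is attached.</p>",
}
SAMPLE_TEMPLATE = (
    "<h1>Hi ${firstName} ${lastName} (${department})</h1>"
    "<p>On ${date|MM/dd/yyyy|-1} you clicked a message titled ${EmailSubject}.</p>"
    "${EmailContent}"
)

if __name__ == "__main__":
    print(render_landing_page(SAMPLE_TEMPLATE, SAMPLE_PROFILE,
                              today=SAMPLE_TODAY, payload_indicators=True))
```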

When you're finished, click Next.

Note

Certain trademarks, logos, symbols, insignias and other source identifiers receive
heightened protection under local, state and federal statutes and laws.
Unauthorized use of such indicators can subject the users to penalties, including
criminal fines. Though not an extensive list, this includes the Presidential, Vice
Presidential, and Congressional seals, the CIA, the FBI, Social Security, Medicare and
Medicaid, the United States Internal Revenue Service, and the Olympics. Beyond
these categories of trademarks, use and modification of any third-party trademark
carries an inherent amount of risk. Using your own trademarks and logos in a
payload would be less risky, particularly where your organization permits the use. If
you have any further questions about what is or is not appropriate to use when
creating or configuring a payload, you should consult with your legal advisors.

Select end user notification

On the Select end user notification page, select from the following notification options:

Do not deliver notifications: Click Proceed in the alert dialog that appears. If you
select this option, you're taken to the Launch details page when you click Next.

Microsoft default notification (recommended): The following additional settings
are available on the page:

Select default language: The available values are: English, Spanish, German,
Japanese, French, Portuguese, Dutch, Italian, Swedish, Chinese (Simplified),
Norwegian Bokmål, Polish, Russian, Finnish, Korean, Turkish, Hungarian,
Hebrew, Thai, Arabic, Vietnamese, Slovak, Greek, Indonesian, Romanian,
Slovenian, Croatian, Catalan, or Other.

By default, the following notifications are included:

Microsoft positive reinforcement notification
Microsoft default training assignment notification
Microsoft default training reminder notification

For each notification, the following information is available:

Notifications: The name of the notification.
Language: If the notification contains multiple translations, the first two
languages are shown directly. To see the remaining languages, hover over
the numeric icon (for example, +10).
Type: One of the following values:
Positive reinforcement notification
Training assignment notification
Training reminder notification
Delivery preferences: For Positive reinforcement notification and Training
reminder notification types, the following values are available:
Do not deliver
Deliver after campaign ends
Deliver during campaign
Actions: If you click on the View icon, the Review notification page
appears with the following information:

Preview tab: View the notification message as users will see it.
To view the message in different languages, use the Select language
box.
Use the Select payload to preview box to select the notification
message for simulations that contain multiple payloads.

Details tab: View details about the notification:

Notification description
Source: For built-in notifications, the value is Global. For custom
notifications, the value is Tenant.
Notification type: One of the following types based on the notification
you originally selected:
Positive reinforcement notification
Training assignment notification
Training reminder notification
Modified by
Last modified

When you're finished, click Close.

You're taken to the Launch details page when you click Next.

Customized end user notifications: When you click Next, you're taken to the
Training assignment notification page as described in the next sections.

Training assignment notification

The Training assignment notification page is available only if you selected Customized
end user notifications on the Select end user notification page.

This page shows the following notifications and their configured languages:

Microsoft default training assignment notification

Any custom training assignment notifications that you previously created.

These notifications are also available in End user notifications on the Simulation
content library tab in Attack simulation training at
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary .
Microsoft default training assignment notification is available on the Global
notifications tab. Custom training assignment notifications are available on the
Tenant notifications tab. For more information, see End-user notifications for
Attack simulation training.

You can select an existing training assignment notification or create a new notification to
use:

To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to the
notification.

To search for an existing notification, use the Search box to search for the
name.

Select the notification that you want to use, and then click Next.

To create and use a new notification, click Create new.

Create new training assignment notification wizard

If you clicked Create new on the Training assignment notification page, a
notification creation wizard opens.

The creation steps are identical to those described in Create end-user notifications.

Note

On the Define details page, be sure to select the value Training assignment
notification for Select notification type.

When you're finished, you're taken back to the Training assignment notification page
where the notification that you just created now appears in the list.

Select the notification that you want to use, and then click Next.

Training reminder notification

The Training reminder notification page is available only if you selected Customized
end user notifications on the Select end user notification page.

Set frequency for reminder notification: Select Weekly (default) or Twice a week.

Select a reminder notification: This section shows the following notifications and
their configured languages:

Microsoft default training reminder notification

Any custom training reminder notifications that you previously created.

These notifications are also available in End user notifications on the
Simulation content library tab in Attack simulation training at
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.
Microsoft default training reminder notification is available on the Global
notifications tab. Custom training reminder notifications are available on the
Tenant notifications tab. For more information, see End-user notifications for
Attack simulation training.

You can select an existing training reminder notification or create a new
notification to use:

To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to
the notification.
To search for an existing notification, use the Search box to search for the
name.

Select the notification that you want to use, and then click Next.

To create and use a new notification, click Create new.

Create new training reminder notification wizard

If you clicked Create new on the Training reminder notification page, a notification
creation wizard opens.

The creation steps are identical to those described in Create end-user notifications.

Note

On the Define details page, be sure to select the value Training reminder
notification for Select notification type.

When you're finished, you're taken back to the Training reminder notification page
where the notification that you just created now appears in the list.

Select the notification that you want to use, and then click Next.

Positive reinforcement notification

The Positive reinforcement notification page is available only if you selected
Customized end user notifications on the Select end user notification page.

Delivery preferences: Select one of the following values:

Do not deliver: If you select this option, you're taken to the Launch details page
when you click Next.

Deliver after the user reports a phish and campaign ends or Deliver
immediately after the user reports a phish: These sections show the following
notifications and their configured languages in the Select a positive
reinforcement notification section that appears:

Microsoft default positive reinforcement notification

Any custom positive reinforcement notifications that you previously created.

These notifications are also available in End user notifications on the
Simulation content library tab in Attack simulation training at
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.
Microsoft default positive reinforcement notification is available on the Global
notifications tab. Custom positive reinforcement notifications are available on
the Tenant notifications tab. For more information, see End-user notifications
for Attack simulation training.

You can select an existing positive reinforcement notification or create a new
notification to use:

To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to
the notification.

To search for an existing notification, use the Search box to search for the
name.

Select the notification that you want to use, and then click Next.

To create and use a new notification, click Create new.

Create new positive reinforcement notification wizard

If you clicked Create new on the Positive reinforcement notification page, a
notification creation wizard opens.

The creation steps are identical as described in Create end-user notifications.

Note

On the Define details page, be sure to select the value Positive reinforcement
notification for Select notification type.

When you're finished, you're taken back to the Positive reinforcement notification page
where the notification that you just created now appears in the list.

Select the notification that you want to use, and then click Next.

Launch details
On the Launch details page, you choose when to launch the simulation and when to
end the simulation. We'll stop capturing interaction with this simulation after the end
date you specify.

The following settings are available:

Choose one of the following values:
Launch this simulation as soon as I'm done
Schedule this simulation to be launched later: This value has the following
associated options to configure:
Select launch date
Select launch time

Configure number of days to end simulation after: The default value is 2.

Enable region aware time zone delivery: Deliver simulated attack messages to
your employees during their working hours based on their region.

Display the drive-by technique interstitial data gathered page: This setting is
available only if you selected Drive-by URL on the Select a technique page.
You can show the overlay that appears for drive-by URL technique attacks. To
hide the overlay and go directly to the landing page, don't select this option.

When you're finished, click Next.

Review simulation
On the Review simulation page, you can review the details of your simulation.

Click the Send a test button to send a copy of the payload email to yourself (the
currently logged in user) for inspection.

You can select Edit in each section to modify the settings within the section. Or you can
click Back or select the specific page in the wizard.

When you're finished, click Submit.



Payloads in Attack simulation training in
Defender for Office 365
Article • 12/07/2022 • 13 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to
Microsoft Defender for Office 365 plan 2

In Attack simulation training, a payload is the phishing email message and the link or
attachment content that's presented to users in simulations. Attack simulation
training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 offers a robust
built-in payload catalog for the available social engineering techniques. However, you
might want to create custom payloads that work better for your organization.

To see the available payloads, open the Microsoft 365 Defender portal at
https://security.microsoft.com, go to Email & collaboration > Attack simulation
training > Simulation content library tab, and then select Payloads. To go directly to
the Simulation content library tab where you can select Payloads, use
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.

The Payloads page on the Simulation content library tab has two tabs:

Global payloads: Contains the built-in, non-modifiable payloads.
Tenant payloads: Contains the custom payloads that you've created.

The following information is shown for each payload:

Payload name
Type: Currently, this value is always Social engineering.
Language: If the payload contains multiple translations, the first two languages are
shown directly. To see the remaining languages, hover over the numeric icon (for
example, +10).
Source: For built-in payloads, the value is Global. For custom payloads, the value is
Tenant.
Simulations launched: The number of launched simulations that use the payload.
Compromised rate (%): For built-in payloads, this value is the predicted average
compromise rate for Attack simulation training simulations that use the same type
of payload across all other Microsoft 365 organizations.
Created by: For built-in payloads, the value is Microsoft. For custom payloads, the
value is the UPN of the user who created the payload.
Last modified
Technique: One of the available social engineering techniques:
Credential harvest
Malware attachment
Link in attachment
Link to malware
Drive-by URL
OAuth consent grant
Status: The value is Ready or Draft. On the Global payloads tab, the value is always
Ready.

To find a payload in the list, use the Search box to find the name of the payload.

Click Filter to filter the payloads by one or more of the following values:

Complexity: High, Medium, and Low.
Language
Add tag(s)
Theme
Brand
Industry
Current event: Yes or No.
Controversial: Yes or No.

To remove one or more columns that are displayed, click Customize columns. By
default, the only column that's not shown is Platform, and that value is currently always
Email.

When you select a payload from the list, a details flyout appears with the following
information:

Overview tab: View the payload as users will see it. Payload properties are also
visible:
Payload description
From name
From email
Email subject
Source: For built-in payloads, the value is Global. For custom payloads, the
value is Tenant.
Theme
Brand
Industry
Controversial
Current event
Tags

Simulations launched tab:
Simulation name
Click rate
Compromised rate
Action

Create payloads

Note

Certain trademarks, logos, symbols, insignias and other source identifiers receive
heightened protection under local, state and federal statutes and laws.
Unauthorized use of such indicators can subject the users to penalties, including
criminal fines. Though not an extensive list, this includes the Presidential, Vice
Presidential, and Congressional seals, the CIA, the FBI, Social Security, Medicare and
Medicaid, the United States Internal Revenue Service, and the Olympics. Beyond
these categories of trademarks, use and modification of any third-party trademark
carries an inherent amount of risk. Using your own trademarks and logos in a
payload would be less risky, particularly where your organization permits the use. If
you have any further questions about what is or is not appropriate to use when
creating or configuring a payload, you should consult with your legal advisors.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & collaboration > Attack simulation training > Simulation content library
tab > Payloads > Tenant payloads tab. To go directly to the Simulation content
library tab where you can select Payloads and the Tenant payloads tab, use
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.

Click Create a payload on the Tenant payloads tab in Payloads to start the
create payload wizard.

Note

Create a payload is also available on the Select payload and login page
step of the simulation creation wizard. For more information, see Create a
simulation: Select a payload and login page.

At any point during the creation wizard, you can click Save and close to save
your progress and continue configuring the payload later. You can pick up
where you left off by selecting the payload on the Tenant payloads tab in
Payloads, and then clicking Edit payload. The partially-completed payload
will have the Status value Draft.

2. On the Select type page, the only value that you can currently select is Email.

Click Next.

3. On the Select technique page, the available options are the same as on the Select
technique page in the simulation creation wizard:

Credential harvest
Malware attachment
Link in attachment
Link to malware
Drive-by URL
OAuth Consent Grant

For more information, see Simulate a phishing attack with Attack simulation
training in Defender for Office 365.

When you're finished, click Next.

4. On the Payload name page, configure the following settings:

Name: Enter a unique, descriptive name for the payload.
Description: Enter an optional detailed description for the payload.

When you're finished, click Next.

5. On the Configure payload page, it's time to build your payload. Many of the
available settings are determined by the selection you made on the Select
technique page (for example, links vs. attachments).

Sender details section: Configure the following settings:
From name
Use first name as display name: By default, this setting is not selected.
From email: If you choose an internal email address for your payload's
sender, the payload will appear to come from a fellow employee. This
sender email address will increase a user's susceptibility to the payload,
and will help educate employees on the risk of internal threats.
Email subject
Add External tag to email: By default, this setting is not selected.

Attachment details section: This section is available only if you selected
Malware attachment, Link in attachment, or Link to malware on the Select
technique page. Configure the following settings:
Name your attachment
Select an attachment type: Currently, the only available value is Docx.

Link for attachment section: This section is available only if you selected Link
to malware on the Select technique page. In the Select a URL you want to
be your malware attachment link box, select one of the available URLs (the
same URLs that are described for the Phishing link section).

Later, you'll embed the URL in the body of the message.

Phishing link section: This section is available only if you selected Credential
harvest, Link in attachment, Drive-by URL, or OAuth Consent Grant on the
Select technique page.

For Credential harvest, Drive-by URL, or OAuth Consent Grant, the name of
the box is Select a URL you want to be your phishing link. Later, you'll
embed the URL in the body of the message.

For Link in attachment, the name of the box is Select a URL in this
attachment that you want to be your phishing link. Later, you'll embed the
URL in the attachment.

Select one of the available URL values:


https://www.mcsharepoint.com
https://www.attemplate.com
https://www.doctricant.com
https://www.mesharepoint.com
https://www.officence.com
https://www.officenced.com
https://www.officences.com
https://www.officentry.com
https://www.officested.com
https://www.prizegives.com
https://www.prizemons.com
https://www.prizewel.com
https://www.prizewings.com
https://www.shareholds.com
https://www.sharepointen.com
https://www.sharepointin.com
https://www.sharepointle.com
https://www.sharesbyte.com
https://www.sharession.com
https://www.sharestion.com
https://www.templateau.com
https://www.templatent.com
https://www.templatern.com
https://www.windocyte.com

Note

A URL reputation service might identify one or more of these URLs as
unsafe. Check the availability of the URL in your supported web browsers
before you use the URL in a simulation. For more information, see
Phishing simulation URLs blocked by Google Safe Browsing.

Attachment content section: This section is available only if you selected Link
in attachment on the Select technique page.

A rich text editor is available for you to create the content in your file
attachment payload.

Use the Phishing link control to add the previously selected phishing URL
into the attachment.

Common settings on the Configure payload page:

Add tag(s)
Theme: The available values are: Account Activation, Account Verification,
Billing, Clean up Mail, Document Received, Expense, Fax, Finance Report,
Incoming Messages, Invoice, Item Received, Login Alert, Mail Received,
Other, Password, Payment, Payroll, Personalized Offer, Quarantine,
Remote Work, Review Message, Security Update, Service Suspended,
Signature Required, Upgrade Mailbox Storage, Verify mailbox, or
Voicemail.

Brand: The available values are: American Express, Capital One, DHL,
DocuSign, Dropbox, Facebook, First American, Microsoft, Netflix,
Scotiabank, SendGrid, Stewart Title, Tesco, Wells Fargo, Syrinx Cloud, or
Other.

Industry: The available values are: Banking, Business services, Consumer
services, Education, Energy, Construction, Consulting, Financial services,
Government, Hospitality, Insurance, Legal, Courier services, IT,
Healthcare, Manufacturing, Retail, Telecom, Real estate, or Other.

Current event: The available values are Yes or No.

Controversial: The available values are Yes or No.

Language section: Select the language for the payload. The available values
are: English, Spanish, German, Japanese, French, Portuguese, Dutch, Italian,
Swedish, Chinese (Simplified), Norwegian Bokmål, Polish, Russian, Finnish,
Korean, Turkish, Hungarian, Hebrew, Thai, Arabic, Vietnamese, Slovak,
Greek, Indonesian, Romanian, Slovenian, Croatian, Catalan, or Other.

Email message section:

You can click Import email and then Choose file to import an existing
plain text message file.

On the Text tab, a rich text editor is available for you to create your email
message payload.

Use the Dynamic tag control to personalize the email message for each
user by inserting the available tags:
Insert user name: The value that's added in the message body is ${userName}.
Insert first name: The value that's added in the message body is ${firstName}.
Insert last name: The value that's added in the message body is ${lastName}.
Insert UPN: The value that's added in the message body is ${upn}.
Insert email: The value that's added in the message body is ${emailAddress}.
Insert Department: The value that's added in the message body is ${department}.
Insert Manager: The value that's added in the message body is ${manager}.
Insert Mobile phone: The value that's added in the message body is ${mobilePhone}.
Insert City: The value that's added in the message body is ${city}.
Insert date: The value that's added in the message body is ${date|MM/dd/yyyy|offset}.

Phishing link control: This control is available only if you selected
Credential harvest, Link in attachment, Drive-by URL, or OAuth
Consent Grant on the Select technique page. Use this control to name
and insert the URL that you previously selected in the Phishing link
section.

Malware attachment link control: This control is available only if you
selected Link to malware on the Select technique page. Use this
control to name and insert the URL that you previously selected in the
Link for attachment section.

When you click Phishing link or Malware attachment link, a dialog opens
that asks you to name the link. When you're finished, click Confirm.

The value that's added in the message body (visible on the Code tab) is
<a href="${phishingUrl}" target="_blank">Name value you specified</a>.

On the Code tab, you can view and modify the HTML code directly.
Formatting and other controls like Dynamic tag and Phishing link or
Malware attachment link aren't available.

The Replace all links in the email message with the phishing link toggle
is available only if you selected Credential harvest, Link to malware,
Drive-by URL, or OAuth Consent Grant on the Select technique page.
This toggle can save time by replacing all links in the message with the
previously selected Phishing link or Link for attachment URL. To do this,
toggle the setting to On.

When you're finished, click Next.

6. The Add indicators page is available only if you selected Credential harvest, Link
in attachment, Drive-by URL, or OAuth Consent Grant on the Select technique
page.

Indicators help employees identify the tell-tale signs of phishing messages.

On the Add indicators page, click Add indicator. In the flyout that appears,
configure the following settings:

Select an indicator you would like to use and Where do you want to place
this indicator on the payload?:

These values are interrelated. Where you can place the indicator depends on
the type of indicator. The available values are described in the following
table:

Indicator type | Indicator location
---------------|-------------------
Attachment type | Message body
Distracting detail | Message body
Domain spoofing | Message body, From email address
Generic greeting | Message body
Humanitarian appeals | Message body
Inconsistency | Message body
Lack of sender details | Message body
Legal language | Message body
Limited time offer | Message body
Logo imitation or dated branding | Message body
Mimics a work or business process | Message body
No/minimal branding | Message body
Poses as friend, colleague, supervisor, or authority figure | Message body
Request for sensitive information | Message body
Security indicators and icons | Message body, Message subject
Sender display name and email address | From name, From email address
Sense of urgency | Message body, Message subject
Spelling and grammar irregularities | Message body, Message subject
Threatening language | Message body, Message subject
Too good to be true offers | Message body
Unprofessional looking design or formatting | Message body
URL hyperlinking | Message body
You're special | Message body

This list is curated to contain the most common clues that appear in phishing
messages.

If you select the email message subject or the message body as the location
for the indicator, a Select text button appears. Click this button to select the
text in the message subject or message body where you want the indicator to
appear. When you're finished, click Select.

Indicator description: You can accept the default description for the
indicator or you can customize it.

Indicator preview: To see what the current indicator looks like, click
anywhere within the section.

When you're finished, click Add.

Repeat these steps to add multiple indicators.

Back on the Add indicators page, you can review the indicators you selected:

To edit an existing indicator, select it from the list and then click Edit
indicator.

To delete an existing indicator, select it from the list and then click Delete.

To move indicators up or down in the list, select the indicator from the list,
and then click Move up or Move down.

When you're finished, click Next.

7. On the Review payload page, you can review the details of your payload.

Click the Send a test button to send a copy of the payload email to yourself
(the currently logged in user) for inspection.

Click the Preview indicator button to open the payload in a preview flyout. The
preview includes all payload indicators that you've created.
On the main Review payload page, you can select Edit in each section to modify
the settings within the section. Or you can click Back or select the specific page in
the wizard.

When you're finished, click Submit. On the confirmation page that appears, click
Done.
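The dynamic tags described in step 5 (${userName}, ${firstName}, ${date|MM/dd/yyyy|offset}, and so on) and the ${phishingUrl} placeholder that the Phishing link control inserts are substituted per recipient when the simulation is sent. The following Python is an added example, not code from the page or from Microsoft: it models that substitution so that an administrator can preview a custom payload offline and confirm that no tag is left unresolved before submitting it (a visible ${...} in a delivered message is itself a giveaway and spoils the training value). The user record, send date and template are constructed sample data; the phishing URL is one of the simulation URLs listed on the page; and the meaning of offset as a signed number of days, together with the MM/dd/yyyy token mapping, is an assumption, since the page does not define the service's rendering rules.

```python
import re
from datetime import date, timedelta

# Constructed sample user record (not real data). Keys match the dynamic tag
# names listed on the page (${userName}, ${firstName}, ... ${city}).
SAMPLE_USER = {
    "userName": "jdoe",
    "firstName": "Jane",
    "lastName": "Doe",
    "upn": "jdoe@contoso.example",
    "emailAddress": "jdoe@contoso.example",
    "department": "Finance",
    "manager": "Sam Rivera",
    "mobilePhone": "+1 555 0100",
    "city": "Seattle",
}

# Constructed send date, fixed so that the rendered output is reproducible.
SEND_DATE = date(2022, 12, 7)

# One of the simulation URLs listed on the page, used here as the phishing link.
PHISHING_URL = "https://www.mcsharepoint.com"

# Constructed message template in the shape the Code tab shows: dynamic tags
# plus the anchor that the Phishing link control inserts.
SAMPLE_TEMPLATE = (
    "Hi ${firstName},\n"
    "A document was shared with the ${department} team. "
    'Please <a href="${phishingUrl}" target="_blank">review it</a> '
    "before ${date|MM/dd/yyyy|3}.\n"
    "Thanks, ${manager}"
)

# Matches ${name} or ${date|pattern|offset}; groups 2 and 3 exist only for the
# three-part date form.
TAG_RE = re.compile(r"\$\{(\w+)(?:\|([^|}]*)\|([^}]*))?\}")

# Assumption: the date pattern uses Java/.NET-style tokens; only the tokens that
# appear in the page's example (MM/dd/yyyy) are mapped to strftime directives.
_PATTERN_TOKENS = {"yyyy": "%Y", "MM": "%m", "dd": "%d"}


def render_date(pattern: str, offset: str, today: date) -> str:
    """Format today + offset. Assumption: offset is a signed number of days."""
    days = int(offset) if offset.strip() else 0
    fmt = pattern
    for token, directive in _PATTERN_TOKENS.items():
        fmt = fmt.replace(token, directive)
    return (today + timedelta(days=days)).strftime(fmt)


def render_payload(template: str, user: dict, phishing_url: str, today: date) -> str:
    """Substitute dynamic tags and the ${phishingUrl} placeholder.

    Unknown tags are deliberately left in place so that a reviewer sees them in
    the preview instead of a recipient seeing them in the delivered message.
    """
    def substitute(match):
        name, pattern, offset = match.group(1), match.group(2), match.group(3)
        if name == "date":
            return render_date(pattern or "MM/dd/yyyy", offset or "0", today)
        if name == "phishingUrl":
            return phishing_url
        if name in user:
            return user[name]
        return match.group(0)
    return TAG_RE.sub(substitute, template)


def find_unresolved_tags(rendered: str) -> list:
    """Names of any ${...} tags still present after rendering (should be empty)."""
    return [m.group(1) for m in TAG_RE.finditer(rendered)]


def example_render() -> str:
    """Render the constructed template for the constructed user and send date."""
    return render_payload(SAMPLE_TEMPLATE, SAMPLE_USER, PHISHING_URL, SEND_DATE)


if __name__ == "__main__":
    out = example_render()
    print(out)
    print("unresolved tags:", find_unresolved_tags(out))
```

Run the script against your own template text (the HTML from the Code tab) and a record for each attribute you rely on; an empty list from find_unresolved_tags means every tag has a value for that user. Users whose directory record lacks a manager, department or mobile phone are the usual cause of a leftover tag, so a pre-send check like this catches the gap before the message reaches the inbox.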

Modify payloads
You can't modify built-in payloads on the Global payloads tab. You can only modify
custom payloads on the Tenant payloads tab.

To modify an existing payload on the Tenant payloads tab, do one of the following
steps:
Select the payload from the list by clicking the check box. Click the Edit payload
icon that appears.
Select the payload from the list by clicking anywhere in the row except the check
box. In the details flyout that opens, click Edit payload.

The payload wizard opens with the settings and values of the selected payload. The
steps are the same as described in the Create payloads section.

Copy payloads
To copy an existing payload on the Tenant payloads or Global payloads tabs, select the
payload from the list by clicking the check box, and then click the Copy payload icon
that appears.

The create payload wizard opens with the settings and values of the selected payload.
The steps are the same as described in the Create payloads section.

Note

When you copy a built-in payload on the Global payloads tab, be sure to change
the Name value. If you don't, the payload will appear on the Tenant payloads page
with the same name as the built-in payload.

Send a test
On the Tenant payloads or Global payloads tabs, you can send a copy of the payload
email to yourself (the currently logged in user) for inspection.

Select the payload from the list by clicking the check box, and then click the Send a
test button that appears.

Related links
Get started using Attack simulation training

Create a phishing attack simulation

Gain insights through Attack simulation training


Simulation automations for Attack
simulation training
Article • 11/28/2022 • 26 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to
Microsoft Defender for Office 365 plan 2

For getting started information about Attack simulation training, see Get started using
Attack simulation training.

To create a simulation automation, do the following steps:

1. In the Microsoft 365 Defender portal at https://security.microsoft.com/, go to
Email & collaboration > Attack simulation training > Automations tab >
Simulation automations.

To go directly to the Automations tab where you can select Simulation
automations, use https://security.microsoft.com/attacksimulator?viewid=automations.

2. On Simulation automations, select Create automation.

3. The creation wizard opens. The rest of this article describes the pages and the
settings they contain.

Note

At any point during the simulation creation wizard, you can click Save and close to
save your progress and continue configuring the simulation later. The incomplete
simulation has the Status value Draft on the Simulations tab. You can pick up
where you left off by selecting the simulation and clicking Edit simulation.

Name and describe the simulation automation


On the Automation name page, configure the following settings:

Name: Enter a unique, descriptive name for the simulation.


Description: Enter an optional detailed description for the simulation.

When you're finished, click Next.

Select one or more social engineering techniques
On the Select social engineering techniques page, select one or more of the available
social engineering techniques, which were curated from the MITRE ATT&CK®
framework . Different payloads are available for different techniques. The following
social engineering techniques are available:

Credential harvest: Attempts to collect credentials by taking users to a well-known
looking website with input boxes to submit a username and password.
Malware attachment: Adds a malicious attachment to a message. When the user
opens the attachment, arbitrary code is run that will help the attacker compromise
the target's device.
Link in attachment: A type of credential harvest hybrid. An attacker inserts a URL
into an email attachment. The URL within the attachment follows the same
technique as credential harvest.
Link to malware: Runs some arbitrary code from a file hosted on a well-known file
sharing service. The message sent to the user will contain a link to this malicious
file, opening the file and helping the attacker compromise the target's device.
Drive-by URL: The malicious URL in the message takes the user to a familiar-
looking website that silently runs and/or installs code on the user's device.
OAuth Consent Grant: The malicious URL asks users to grant permissions to data
for a malicious Azure Application.

If you click the View details link in the description, a details flyout opens that describes
the technique and the simulation steps that result from the technique.

When you're finished, click Next.

Select a payload and login page


On the Select payload and login page, you need to select an existing payload from the
list, or create a new payload.

You can also view the login page that's used in the payload, select a different login page
to use, or create a new login page to use.

Payload
On the Select payloads page, select one of the following options:

Manually select
Randomize

If you select Randomize, there's nothing to configure on this page, so click Next to
continue.

If you select Manually select, you need to select one or more payloads from the list. The
following details are shown for each payload:

Payload name
Technique: You need to select at least one payload per technique that you selected
on the previous page.
Language: The available values are: English, Spanish, German, Japanese, French,
Portuguese, Dutch, Italian, Swedish, Chinese (Simplified), Norwegian Bokmål,
Polish, Russian, Finnish, Korean, Turkish, Hungarian, Hebrew, Thai, Arabic,
Vietnamese, Slovak, Greek, Indonesian, Romanian, Slovenian, Croatian, Catalan,
or Other.
Click rate: How many people have clicked on this payload.
Predicted compromise rate: Historical data across Microsoft 365 that predicts the
percentage of people who will be compromised by this payload (users
compromised / total number of users who receive the payload).
Simulations launched counts the number of times this payload was used in other
simulations.

In the Search box, you can type part of the payload name and press Enter to filter the
results.

If you click Filter, the following filters are available:

Complexity: Calculated based on the number of indicators in the payload that
indicate a possible attack (spelling errors, urgency, etc.). More indicators are easier
to identify as an attack and indicate lower complexity. The available values are:
High
Medium
Low

Language

Add tag(s)

Filter by theme: The available values are: Account activation, Account verification,
Billing, Clean up mail, Document received, Expense, Fax, Finance report,
Incoming messages, Invoice, Items received, Login alert, Mail received, Password,
Payment, Payroll, Personalized offer, Quarantine, Remote work, Review message,
Security update, Service suspended, Signature required, Upgrade mailbox
storage, Verify mailbox, Voicemail, and Other.

Filter by brand: The available values are: American Express, Capital One, DHL,
DocuSign, Dropbox, Facebook, First American, Microsoft, Netflix, Scotiabank,
SendGrid, Stewart Title, Tesco, Wells Fargo, Syrinx Cloud, and Other.

Filter by industry: The available values are: Banking, Business services, Consumer
services, Education, Energy, Construction, Consulting, Financial services,
Government, Hospitality, Insurance, Legal, Courier services, IT, Healthcare,
Manufacturing, Retail, Telecom, Real estate, and Other.

Current event: The available values are Yes or No.

Controversial: The available values are Yes or No.

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

If you select a payload from the list by clicking anywhere in the row other than the check
box, details about the payload are shown in a flyout:

The Payload tab contains an example and other details about the payload.
The Login page tab is available only in Credential Harvest or Link in attachment
payloads and is described in the next section.
The Simulations launched tab contains the Simulation name, Click rate,
Compromised rate, and Action.

Login page

Note

The Login page tab is available only in Credential Harvest or Link in attachment
payloads.

Select the payload from the list by clicking anywhere in the row other than the check
box to open the details flyout.

The Login page tab in the payload details flyout shows the login page that's currently
selected for the payload.

To view the complete login page, use the Page 1 and Page 2 links at the bottom of the
page for two-page login pages.

To change the login page that's used in the payload, click Change login page.

On the Select login page flyout that appears, the following information is shown for
each login page:

Name
Language
Source: For built-in login pages, the value is Global. For custom login pages, the
value is Tenant.
Status: Ready or Draft.
Created by: For built-in login pages, the value is Microsoft. For custom login
pages, the value is the UPN of the user who created the login page.
Last modified
Actions: Click Preview to preview the login page.

To find a login page in the list, use the Search box to find the name of the login
page.

Click Filter to filter the login pages by Source or Language.


To create a new login page, click the Create new icon to start the create end
user login page wizard. The steps are the same as at Login pages at Attack simulation
training > Simulation content library tab. For instructions, see Create login pages.

Back on the Select login page, verify the new login page you created is selected, and
then click Save.

Back on the payload details flyout, click the Close icon.

When you're finished on the Select a payload and login page, click Next.

Configure OAuth Payload

Note

This page is available only if you selected OAuth Consent Grant on the Select
social engineering techniques page. Otherwise, you're taken to the Target users
page.

On the Configure OAuth payload page, configure the following settings:

App name

App logo: Click Browse to select a .png, .jpeg, or .gif file to use. To remove a file
after you've selected it, click Remove.

Select app scope: Choose one of the following values:
Read user calendars
Read user contacts
Read user mail
Read all chat messages
Read all files that user can access
Read and write access to user mail
Send mail as a user

When you're finished on the Configure OAuth payload page, click Next.

Target users
On the Target users page, select who will receive the simulation. Configure one of the
following settings:

Include all users in your organization: The affected users are shown in lists of 10.
You can use the Next and Previous buttons directly below the list of users to scroll
through the list. You can also use the Search icon on the page to find affected
users.

Include only specific users and groups: Choose one of the following options:
Add users: In the Add users flyout that appears, you can find users and
groups based on the following criteria:

Users or groups: In the Search for users and groups box, you can type
part of the Name or Email address of the user or group, and then press
Enter. You can select some or all of the results. When you're finished, click
Add x users.

Note

Clicking the Add filters button to return to the Filter users by categories
options will clear any users or groups that you selected in the search
results.

Filter users by categories: Select from none, some, or all of the following
options:
Suggested user groups: Select from the following values:
All suggested user groups
Users not targeted by a simulation in the last three months
Repeat offenders
Department: Use the following options:
Search: In the Search by Department box, you can type part of the
Department value, and then press Enter. You can select some or all of
the results.
Select All Department
Select existing Department values.
Title: Use the following options:
Search: In the Search by Title box, you can type part of the Title
value, and then press Enter. You can select some or all of the results.
Select All Title
Select existing Title values.


After you identify your criteria, the affected users are shown in the User list
section that appears, where you can select some or all of the discovered
recipients.

When you're finished, click Apply(x), and then click Add x users.

Back on the main Target users page, you can use the Search box to find
affected users. You can also click Delete to remove specific users.

Import: In the dialog that opens, specify a CSV file that contains one email
address per line.

After you find and select the CSV file, the list of users is imported and shown on
the Targeted users page. You can use the Search box to find affected users. You
can also click Delete to remove specific users.

When you're finished, click Next.

Assign training
On the Assign training page, you can assign trainings for the simulation. We
recommend that you assign training for each simulation, as employees who go through
training are less susceptible to similar attacks. The following settings are available:

Select training content preference: Choose one of the following options:


Microsoft training experience: This is the default value that has the following
associated options to configure:
Select one of the following options:
Assign training for me: This is the default and recommended value. We
assign training based on a user's previous simulation and training results,
and you can review the selections in the next steps of the wizard.
Select training courses and modules myself: If you select this value, you'll
still be able to see the recommended content as well as all available
courses and modules in the next step of the wizard.
Due date: Choose one of the following values:
30 days after simulation ends: This is the default value.
15 days after simulation ends
7 days after simulation ends
Redirect to a custom URL: This value has the following associated options to
configure:
Custom training URL (required)
Custom training name (required)
Custom training description
Custom training duration (in minutes): The default value is 0, which means
there is no specified duration for the training.
Due date: Choose one of the following values:
30 days after simulation ends: This is the default value.
15 days after simulation ends
7 days after simulation ends
No training: If you select this value, the only option on the page is the Next
button that takes you to the Landing page page.

Training assignment
Note

The Training assignment page is available only if you selected Microsoft training
experience > Select training courses and modules myself on the previous page.

On the Training assignment page, select the trainings that you want to add to the
simulation by clicking Add trainings.

On the Add training flyout that appears, you can select the trainings to use on the
following tabs that are available:

Recommended tab: Shows the recommended built-in trainings based on the
simulation configuration. These are the same trainings that would have been
assigned if you selected Assign training for me on the previous page.

All trainings tab: Shows all built-in trainings that are available.

The following information is shown for each training:


Training name
Source: The value is Global.
Duration (mins)
Preview: Click the Preview button to see the training.

In the Search box, you can type part of the training name and press Enter to
filter the results on the current tab.

Select all trainings that you want to include from the current tab, and then click
Add.

Back on the main Training assignment page, the trainings that you selected are shown.
The following information is shown for each training:

Training name
Source
Duration (mins)

For each training in the list, select one or more of the following values in the Assign to
column to configure who gets the training:

All users
Clicked payload
Compromised

If you don't want to use a training that's shown, click Delete.


When you're finished, click Next.

Landing page
On the Landing page page, you configure the web page that users are taken to if they
open the payload in the simulation.

Select landing page preference: The available values depend on your previous
payload selections on the Select a payload and login page page as described in
the following table:

Payload selection   Available values for Select landing page preference

Manually select     Use Microsoft default landing page
                    Create your own landing page
                    Use a custom URL

                    Note: The Use a custom URL value is not available if you previously selected
                    Malware attachment or Link to malware on the Select social engineering
                    techniques page.

Randomize           Use Microsoft default landing page

The available Select landing page preference values and their associated settings
are described in the following list:
Use Microsoft default landing page. This is the default value, and results in one
Microsoft default template, logo, and payload indicator action that's applicable
to all payloads.

You need to configure the following additional settings on the Landing page
page:

Select landing page layout: Select one of the 5 available landing page
templates.

Add logo: Click Browse to find and select a .png, .jpeg, or .gif file to add to
all payloads that are selected by Microsoft. The logo size should be a
maximum of 210 x 70 to avoid distortion. To remove the logo, click Remove.

Payload indicators: This setting is not available if you previously selected
Malware attachment or Link to malware on the Select social engineering
techniques page.

Select Add payload indicators to email to help users learn how to identify
phishing messages.

You can preview the results by clicking the Open preview panel button in the
middle of the page. In the preview flyout that appears, you can use Select
payload to preview to see what each payload looks like.

Create your own landing page: This value results in a single payload indicator
action that's applied to the selected payloads.

You need to configure the following additional settings on the Landing page
page:

Add payload indicators to email: This setting is available to select only if
both of the following statements are true:
You selected Credential harvest, Link in attachment, Drive-by URL, or
OAuth Consent Grant on the Select social engineering techniques page.
You've added the Dynamic tag named Insert Payload content in the
landing page content on this page.

Landing page content: Two tabs are available:


Text: A rich text editor is available to create your landing page. In addition
to the typical font and formatting settings, the following settings are
available:

Dynamic tag: Select from the following tags:


Tag name Tag value

Insert User name ${userName}

Insert First name ${firstName}

Insert Last name ${lastName}

Insert UPN ${upn}

Insert Email ${emailAddress}

Insert Department ${department}

Insert Manager ${manager}

Insert Mobile phone ${mobilePhone}

Insert City ${city}

Insert sender name ${FromName}

Insert sender email ${FromEmail}

Insert Payload subject ${EmailSubject}

Insert Payload content ${EmailContent}

Insert Date ${date|MM/dd/yyyy|offset}

Use from default: Select one of the 5 available landing page templates
to start with. You can modify the text and layout in the editing area. To
reset the landing page back to the default text and layout of the
template, click Reset to default.

Training link: In the Name training URL dialog that appears, enter a
link title for the training link, and then click Confirm to add the link to
the landing page.
Code: You can view and modify the HTML code directly.

You can preview the results by clicking the Open preview panel button in the
middle of the page. In the preview flyout that appears, you can use Select
payload to preview to see what each payload looks like.

Use a custom URL: Add the URL in the Enter the custom landing page URL box
that appears. No other options are available on the page.

When you're finished, click Next.
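The dynamic tag table above and the two conditions for Add payload indicators to email describe how a custom landing page is filled in. The following added example (not Microsoft's code) renders such a template offline for a constructed user record, rejects tags that are not in the table, and checks the payload-indicator prerequisite. It assumes the date tokens are .NET style (MM, dd, yyyy) and that the offset is a whole number of days; neither detail is spelled out on the page.

```python
import re
from datetime import date, timedelta

# Dynamic tags from the Text tab of the landing page editor, as listed on this page.
KNOWN_TAGS = {
    "userName", "firstName", "lastName", "upn", "emailAddress", "department",
    "manager", "mobilePhone", "city", "FromName", "FromEmail", "EmailSubject",
    "EmailContent",
}

# Matches ${name} and ${date|format|offset}: group 1 is the tag name,
# group 2 is everything after the first '|' (None for plain tags).
TAG_RE = re.compile(r"\$\{([A-Za-z]+)(?:\|([^}]*))?\}")

# Assumed mapping of the .NET-style date tokens shown on the page to strftime codes.
_DATE_TOKENS = [("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d")]

# Techniques for which the page says payload indicators can be added.
_INDICATOR_TECHNIQUES = {
    "Credential harvest", "Link in attachment", "Drive-by URL", "OAuth Consent Grant",
}


def _render_date(spec: str, today: date) -> str:
    """Render the ${date|MM/dd/yyyy|offset} tag.

    Assumption (not stated on the page): offset is a number of days added to
    the simulation date; an empty offset means the date itself."""
    fmt, _, offset = spec.partition("|")
    days = int(offset) if offset.strip() else 0
    for token, code in _DATE_TOKENS:
        fmt = fmt.replace(token, code)
    return (today + timedelta(days=days)).strftime(fmt)


def find_unknown_tags(template: str) -> list[str]:
    """Tag names used in the template that are not in the page's tag table.

    A misspelled tag such as ${manger} would otherwise reach users unrendered."""
    return sorted({
        m.group(1) for m in TAG_RE.finditer(template)
        if m.group(1) != "date" and m.group(1) not in KNOWN_TAGS
    })


def payload_indicators_possible(template: str, technique: str) -> bool:
    """Add payload indicators to email requires both a qualifying technique and
    the Insert Payload content tag (${EmailContent}) in the landing page."""
    return technique in _INDICATOR_TECHNIQUES and "${EmailContent}" in template


def render_landing_page(template: str, values: dict[str, str], today: date) -> str:
    """Substitute every dynamic tag; values is the constructed user/payload record."""
    unknown = find_unknown_tags(template)
    if unknown:
        raise ValueError(f"unknown dynamic tags: {unknown}")

    def substitute(match: re.Match) -> str:
        name, rest = match.group(1), match.group(2)
        if name == "date":
            return _render_date(rest or "MM/dd/yyyy", today)
        return str(values.get(name, ""))

    return TAG_RE.sub(substitute, template)


# Constructed sample: a short landing page and the record for one simulated user.
SAMPLE_TEMPLATE = (
    "Hello ${firstName}, you opened '${EmailSubject}' on ${date|MM/dd/yyyy|0}. "
    "${EmailContent}"
)
SAMPLE_VALUES = {
    "firstName": "Ada",
    "EmailSubject": "Invoice overdue",
    "EmailContent": "[payload shown here]",
}

if __name__ == "__main__":
    print(render_landing_page(SAMPLE_TEMPLATE, SAMPLE_VALUES, date(2023, 3, 5)))
```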


Select end user notification
On the Select end user notification page, select from the following notification options:

Do not deliver notifications: Click Proceed in the alert dialog that appears. If you
select this option, you're taken to the Simulation schedule page when you click
Next.

Microsoft default notification (recommended): The following additional settings
are available on the page:

Select default language: The available values are: Chinese (Simplified), Chinese
(Traditional), English, French, German, Italian, Japanese, Korean, Portuguese,
Russian, Spanish, and Dutch.

By default, the following notifications are included:


Microsoft positive reinforcement notification
Microsoft default training assignment notification
Microsoft default training reminder notification

For each notification, the following information is available:


Notifications: The name of the notification.
Language: If the notification contains multiple translations, the first two
languages are shown directly. To see the remaining languages, hover over
the numeric icon (for example, +10).
Type: One of the following values:
Positive reinforcement notification
Training assignment notification
Training reminder notification
Delivery preferences: For Positive reinforcement notification and Training
reminder notification types, the following values are available
Do not deliver
Deliver after campaign ends
Deliver during campaign
Actions: If you click on the View icon, the Review notification page
appears with the following information:

Preview tab: View the notification message as users will see it.
To view the message in different languages, use the Select language
box.
Use the Select payload to preview box to select the notification
message for simulations that contain multiple payloads.
Details tab: View details about the notification:
Notification description
Source: For built-in notifications, the value is Global. For custom
notifications, the value is Tenant.
Notification type: One of the following types based on the notification
you originally selected:
Positive reinforcement notification
Training assignment notification
Training reminder notification
Modified by
Last modified

When you're finished, click Close.

You're taken to the Simulation schedule page when you click Next.

Customized end user notifications: When you click Next, you're taken to the
Training assignment notification page as described in the next sections.

Training assignment notification

The Training assignment notification page is available only if you selected Customized
end user notifications on the Select end user notification page.

This page shows the following notifications and their configured languages:

Microsoft default training assignment notification

Any custom training assignment notifications that you previously created.

These notifications are also available in End user notifications on the Simulation
content library tab in Attack simulation training at
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.
Microsoft default training assignment notification is available on the Global
notifications tab. Custom training assignment notifications are available on the
Tenant notifications tab. For more information, see End-user notifications for
Attack simulation training.

You can select an existing training assignment notification or create a new notification to
use:

To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to the
notification.

To search for an existing notification, use the Search box to search for the
name.

Select the notification that you want to use, and then click Next.

To create and use a new notification, click Create new.

Create new training assignment notification wizard

If you clicked Create new on the Training assignment notification page, a
notification creation wizard opens.

The creation steps are identical as described in Create end-user notifications.

Note

On the Define details page, be sure to select the value Training assignment
notification for Select notification type.

When you're finished, you're taken back to the Training assignment notification page
where the notification that you just created now appears in the list.

Select the notification that you want to use, and then click Next.

Training reminder notification

The Training reminder notification page is available only if you selected Customized
end user notifications on the Select end user notification page.

Set frequency for reminder notification: Select Weekly (default) or Twice a week.

Select a reminder notification: This section shows the following notifications and
their configured languages:

Microsoft default training reminder notification

Any custom training reminder notifications that you previously created.

These notifications are also available in End user notifications on the
Simulation content library tab in Attack simulation training at
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.
Microsoft default training reminder notification is available on the Global
notifications tab. Custom training reminder notifications are available on the
Tenant notifications tab. For more information, see End-user notifications for
Attack simulation training.

You can select an existing training reminder notification or create a new
notification to use:

To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to
the notification.

To search for an existing notification, use the Search box to search for the
name.

Select the notification that you want to use, and then click Next.

To create and use a new notification, click Create new.

Create new training reminder notification wizard

If you clicked Create new on the Training reminder notification page, a notification
creation wizard opens.

The creation steps are identical as described in Create end-user notifications.

Note

On the Define details page, be sure to select the value Training reminder
notification for Select notification type.

When you're finished, you're taken back to the Training reminder notification page
where the notification that you just created now appears in the list.

Select the notification that you want to use, and then click Next.

Positive reinforcement notification

The Positive reinforcement notification page is available only if you selected
Customized end user notifications on the Select end user notification page.

Delivery preferences: Select one of the following values:

Do not deliver: If you select this option, you're taken to the Simulation schedule
page when you click Next.

Deliver after the user reports a phish and campaign ends or Deliver
immediately after the user reports a phish: These sections show the following
notifications and their configured languages in the Select a positive
reinforcement notification section that appears:

Microsoft default positive reinforcement notification

Any custom positive reinforcement notifications that you previously created.

These notifications are also available in End user notifications on the
Simulation content library tab in Attack simulation training at
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.
Microsoft default positive reinforcement notification is available on the Global
notifications tab. Custom positive reinforcement notifications are available on
the Tenant notifications tab. For more information, see End-user notifications for
Attack simulation training.

You can select an existing positive reinforcement notification or create a new
notification to use:

To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to
the notification.

To search for an existing notification, use the Search box to search for the
name.

Select the notification that you want to use, and then click Next.

To create and use a new notification, click Create new.

Create new positive reinforcement notification wizard

If you clicked Create new on the Positive reinforcement notification page, a
notification creation wizard opens.

The creation steps are identical as described in Create end-user notifications.

Note
On the Define details page, be sure to select the value Positive reinforcement
notification for Select notification type.

When you're finished, you're taken back to the Positive reinforcement notification page
where the notification that you just created now appears in the list.

Select the notification that you want to use, and then click Next.

Simulation schedule
On the Simulation schedule page, select one of the following values:

Randomized: You still need to select the schedule on the next page, but the
simulations will launch at random times within that schedule.
Fixed

When you're finished, click Next.

Schedule details
What you see on the Schedule details page depends on whether you selected
Randomized or Fixed on the previous page.

Randomized: The following settings are available:

Simulation start section: Configure the following setting:
Select the date you want the simulations to start from
Simulation scoping section: Configure the following settings:
Select the days of the week that simulations are allowed to start on: Select
one or more days of the week.
Enter the maximum number of simulations that can be started between
the start and end dates: Enter a value from 1 to 10.
Randomize send times: Select this setting to randomize the send times.
Simulation end section: Configure the following setting:
Select the date you want the simulations to end

Fixed: The following settings are available:

Simulation start section: Configure the following setting:
Select the date you want the simulations to start from
Simulation recurrence section: Configure the following settings:
Select if you want simulations to launch weekly or monthly: Select one of
the following values:
Weekly: This is the default value.
Monthly
Enter how often in weeks you want the simulations to recur for: Enter a
value from 1 to 99 weeks.
Select the day of the week you want the simulations to start from
Simulation end section: Select one of the following values:
Select the date you want the simulations to end
Enter the number of occurrences of the simulations to run before ending:
Enter a value from 1 to 10.

When you're finished, click Next.

Launch details
On the Launch details page, configure the following additional settings for the
automation:

Use unique payloads across simulations within an automation: By default, this
setting is not selected.

Target all selected users in every simulation run: By default, this setting is not
selected.

Target repeat offenders: By default, this setting is not selected. If you select it,
configure the following setting that appears:
Enter the maximum number of times a user can be targeted within this
automation: Enter a value from 1 to 10.

Send simulation email based upon the user's current time zone setting from
Outlook web app: By default, this setting is not selected.

Display the drive-by technique interstitial data gathered page: This setting is
available only if you selected Drive-by URL on the Select social engineering
techniques page. You can show the overlay that comes up for drive-by URL
technique attacks. By default, the setting is on. To hide the overlay and go
directly to the landing page, turn this setting off.

Review simulation automation

On the Review simulation automation page, you can review the details of your
simulation automation.
You can select Edit in each section to modify the settings within the section. Or you can
click Back or select the specific page in the wizard.

When you're finished, click Submit.

Frequently asked questions (FAQ)

This section contains some of the most common questions about Simulation
automations.

Why is the Status value under Automation showing Completed, but the Status value
under Simulation showing In progress?
Completed on the Simulation automation page means the job of simulation
automation is complete, and no more simulations will be created by it. Simulation is a
separate entity that will complete after 30 days of simulation launch time.

Why is the simulation end date 30 days after creation, even though I selected an
automation end date of one week?
A one week end date for the simulation automation means no new simulations will be
created by it after one week. For simulations created by a simulation automation, the
default end date is 30 days after the creation of the simulation.

If we have multiple payload techniques (for example, Credential harvest, Link to
Malware, and Drive by URL) targeting 300 users, how are the techniques sent to
users? Do all payload techniques go to all users, or is the selection random?
If you don't select the Target All Selected Users In Every Run option, all targeted users
will be distributed over the maximum number of simulations that are created by the
simulation automation.

If you select Target All Selected Users In Every Run, all targeted users will be part of
every simulation that's created by the simulation automation.

How does the Randomize option on the Simulation schedule page work?
The Randomize launch option optimally selects a day within the start date and end
date range to launch simulations.

How does the Randomize option on the Select payloads page work?
For every run, a technique from the list of selected techniques is chosen, and then a
random payload from both Tenant and Global payloads will be chosen. This behavior
helps to ensure that the selected payload wasn't part of any previous run for this
particular automation.

With a randomized schedule, the maximum number of simulations is between 1 and 10.
How does this work?
This number is the maximum number of runs that can be created by this automation.
For example, if you select 10, the maximum number of simulations that will be created
by this automation is 10. The number of simulations can be fewer depending on the
number of targeted users and the availability of payloads.

If I select only one specific day between two days (for example, Wednesday), how
many simulations will I see on the Simulation tab?
If there's only one Wednesday between the start date and end date, the automation will
have only one valid day to send out the simulation. Even if you selected a higher value
for Max number of simulations, this value will get overwritten to one.

How does randomize send times currently work?
Randomize send time works in batches of 1000 users and is meant to be used with a
large number of targeted users. If less than 1000 users are involved in simulations
created by automations, a randomize send time will not trigger.
Payload automations for Attack simulation training
Article • 11/28/2022 • 4 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to
Microsoft Defender for Office 365 plan 2

In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365
Plan 2, payload automations (also known as payload harvesting) collect information
from real-world phishing attack messages that were reported by users in your
organization. Although the numbers of these messages are likely low in your
organization, you can specify the conditions to look for in phishing attacks (for example,
recipients, social engineering technique, sender information, etc.). Attack simulation
training will then mimic the messages and payloads used in the attack to automatically
launch harmless simulations to targeted users.

To see the available payload automations, open the Microsoft 365 Defender portal at
https://security.microsoft.com , go to Email & collaboration > Attack simulation
training > Automations tab > and then select Payload automations. To go directly to
the Automations tab where you can select Payload automations, use
https://security.microsoft.com/attacksimulator?viewid=automations .

The following information is shown for each payload automation:

Automation name
Type: The value is Payload.
Items collected
Last modified
Status: The value is Ready or Draft.

When you select a payload automation from the list, a details flyout appears with the
following information:

General tab: Displays basic information about the simulation automation.

Run history tab: This tab is available only for payload automations with the Status
value Ready.

Create payload automations

To create a payload automation, do the following steps:

1. In the Microsoft 365 Defender portal at https://security.microsoft.com/, go to
Email & collaboration > Attack simulation training > Automations tab > Payload
automations. To go directly to the Automations tab where you can select Payload
automations, use https://security.microsoft.com/attacksimulator?viewid=automations.

Click Create automation.

Note

At any point during the creation wizard, you can click Save and close to save
your progress and continue configuring the payload automation later. You can
pick up where you left off by selecting the payload automation in Payload
automations, and then clicking Edit automation. The partially-completed
payload automation will have the Status value Draft.

Currently, payload harvesting is enabled in GCC environments due to data
gathering restrictions.

2. On the Automation name page, configure the following settings:

Name: Enter a unique, descriptive name for the payload automation.

Description: Enter an optional detailed description for the payload
automation.

When you're finished, click Next.

3. On the Run conditions page, select the conditions of the real phishing attack that
determines when the automation will run.

Click Add condition and select from one of the following conditions:

No. of users targeted in the campaign: Configure the following settings:

Equal to, Less than, Greater than, Less than or equal to, or Greater than
or equal to.
Enter value: The number of users that were targeted by the phishing
campaign.
Campaigns with a specific phish technique: Select one of the available
values:
Credential harvest
Malware attachment
Link in attachment
Link to malware
Drive-by URL
Specific sender domain: Enter a sender email domain value (for example,
contoso.com).
Specific sender name: Enter a sender name value.
Specific sender email: Enter a sender email address.
Specific user and group recipients: Start typing the name or email address of
the user or group. When it appears, select it.

You can use each condition only once. Multiple conditions use AND logic
(<Condition1> and <Condition2>).

To add another condition, click Add condition.

To remove a condition after you've added it, click .

When you're finished, click Next.
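The run conditions described in this step combine with AND logic, and each condition can be used only once. The following added example (not Microsoft's code) evaluates such a condition set against a constructed record of a user-reported phishing campaign, which is useful for reasoning about which reported attacks would trigger an automation before you turn it on; the field names on the campaign record are assumptions, since the page does not define a data model.

```python
import operator
from dataclasses import dataclass, field

# Operators offered for "No. of users targeted in the campaign".
OPERATORS = {
    "Equal to": operator.eq,
    "Less than": operator.lt,
    "Greater than": operator.gt,
    "Less than or equal to": operator.le,
    "Greater than or equal to": operator.ge,
}

# Techniques offered for "Campaigns with a specific phish technique".
TECHNIQUES = {
    "Credential harvest", "Malware attachment", "Link in attachment",
    "Link to malware", "Drive-by URL",
}


@dataclass
class ReportedCampaign:
    """A real phishing campaign reported by users (field names are assumed)."""
    users_targeted: int
    technique: str
    sender_domain: str
    sender_name: str
    sender_email: str
    recipients: set = field(default_factory=set)  # UPNs or group names targeted


def _condition_matches(kind: str, value, campaign: ReportedCampaign) -> bool:
    """Evaluate a single run condition (kind, value) against the campaign."""
    if kind == "No. of users targeted in the campaign":
        operator_name, number = value
        return OPERATORS[operator_name](campaign.users_targeted, number)
    if kind == "Campaigns with a specific phish technique":
        if value not in TECHNIQUES:
            raise ValueError(f"unknown technique: {value}")
        return campaign.technique == value
    if kind == "Specific sender domain":
        return campaign.sender_domain.lower() == value.lower()
    if kind == "Specific sender name":
        return campaign.sender_name.casefold() == value.casefold()
    if kind == "Specific sender email":
        return campaign.sender_email.lower() == value.lower()
    if kind == "Specific user and group recipients":
        wanted = {r.lower() for r in value}
        return bool({r.lower() for r in campaign.recipients} & wanted)
    raise ValueError(f"unknown condition: {kind}")


def automation_should_run(conditions, campaign: ReportedCampaign) -> bool:
    """True when every condition matches (<Condition1> and <Condition2> ...).

    conditions is a list of (kind, value) pairs; a kind may appear only once,
    mirroring the wizard's rule that each condition can be used once."""
    kinds = [kind for kind, _ in conditions]
    if len(kinds) != len(set(kinds)):
        raise ValueError("each condition can be used only once")
    return all(_condition_matches(kind, value, campaign) for kind, value in conditions)


# Constructed sample campaign and condition set.
SAMPLE_CAMPAIGN = ReportedCampaign(
    users_targeted=350,
    technique="Credential harvest",
    sender_domain="contoso.com",
    sender_name="Contoso Payroll",
    sender_email="payroll@contoso.com",
    recipients={"finance@contoso.com"},
)
SAMPLE_CONDITIONS = [
    ("No. of users targeted in the campaign", ("Greater than", 300)),
    ("Campaigns with a specific phish technique", "Credential harvest"),
    ("Specific sender domain", "contoso.com"),
]

if __name__ == "__main__":
    print(automation_should_run(SAMPLE_CONDITIONS, SAMPLE_CAMPAIGN))
```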

4. On the Review automation page, you can review the details of your payload
automation.

You can select Edit in each section to modify the settings within the section. Or you
can click Back or select the specific page in the wizard.

When you're finished, click Submit.

5. On the New automation created page, you can use the links to turn on the
automation or go to the Simulations page.

When you're finished, click Done.


Back on the Payload automations tab in Automations, the payload automation that you
created is now listed.

Turn payload automations on or off

You can only turn on or turn off payload automations where the Status value is Ready.
You can't turn on or turn off incomplete payload automations where the Status value is
Draft.

To turn on a payload automation, select it from the list by clicking the check box. Click
the Turn on icon that appears, and then click Confirm in the dialog.

To turn off a payload automation, select it from the list by clicking the check box. Click
the Turn off icon that appears, and then click Confirm in the dialog.

Modify payload automations

To modify an existing payload automation in Payload automations, do one of the
following steps:

Select the payload automation from the list by clicking the check box. Click the
Edit automation icon that appears.
Select the payload automation from the list by clicking anywhere in the row except
the check box. In the details flyout that opens, on the General tab, click Edit in the
Name, Description, or Run conditions sections.

The payload automation wizard opens with the settings and values of the selected
payload automation. The steps are the same as described in the Create payload
automations section.

Remove payload automations

To remove a payload automation, select the payload automation from the list by clicking
the check box. Click the Delete icon that appears, and then click Confirm in the
dialog.

Related links
Get started using Attack simulation training

Simulation automations for Attack simulation training

Gain insights through Attack simulation training
End-user notifications for Attack simulation training
Article • 12/07/2022 • 7 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 2

In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365
Plan 2, end-user notifications are email messages that are sent to users as a result of
simulations or simulation automations. The following types of end-user notifications are
available:

Positive reinforcement notification: Sent when users report a simulated phishing
message.
Simulation notification: Sent when users are included in a simulation or simulation
automation, but no trainings are selected.
Training assignment notification: Sent when users are assigned required trainings
as a result of a simulation or simulation automations.
Training reminder notification: Sent as reminders for required trainings.

To see the available end-user notifications, open the Microsoft 365 Defender portal at
https://security.microsoft.com , go to Email & collaboration > Attack simulation
training > Simulation content library tab > and then select End user notifications. To
go directly to the Simulation content library tab where you can select End user
notifications, use https://security.microsoft.com/attacksimulator?
viewid=simulationcontentlibrary .

End user notifications has two tabs:

Global notifications: Contains the built-in, non-modifiable notifications.

Tenant notifications: Contains the custom notifications that you've created.

The following information is shown for each notification:


Notifications: The name of the notification.
Language: If the notification contains multiple translations, the first two languages
are shown directly. To see the remaining languages, hover over the numeric icon
(for example, +10).
Type: The value is Positive reinforcement notification, Simulation notification,
Training assignment notification, or Training reminder notification.
Source: For built-in notifications, the value is Global. For custom notifications, the
value is Tenant.
Status: The value is Ready or Draft. On the Global notifications tab, the value is
always Ready.
Linked simulations: The total number of simulations or simulation automations
that use the notification.
Created by: For built-in notifications, the value is Microsoft. For custom
notifications, the value is the UPN of the user who created the notification.
Created time
Modified by
Last modified time

To find a notification in the list, use the Search box to find the name of the
notification.

To group the notifications by type, click Group and then select Notification type. To
ungroup the notifications, select None.

On the Tenant notifications tab only, click to filter the notifications by one or more
languages.

To remove one or more columns that are displayed, click Customize columns.

When you select a notification from the list, a details flyout appears with the following
information:

Preview tab: View the notification message as users will see it. To view the message
in different languages, use the Select language box.
Details tab: View details about the notification:
Notification description
Source: For built-in notifications, the value is Global. For custom notifications,
the value is Tenant.
Notification type
Modified by
Last modified
Simulations
Simulation names
Simulation status
End by

On the details flyout from the Tenant notifications tab only, click Edit notification to
modify the notification.

Create end-user notifications


1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & collaboration > Attack simulation training > Simulation content library
tab > and then select End user notifications. To go directly to the Simulation
content library tab where you can select End user notifications, use
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.

2. On the Tenant notifications tab, click Create new to start the end user
notification wizard.

Note

At any point during the creation wizard, you can click Save and close to save
your progress and continue configuring the notification later. You can pick up
where you left off by selecting the notification on the Tenant notifications tab
in End user notifications, and then clicking Edit notification. The partially
completed notification will have the Status value Draft.

3. On the Define details page, configure the following settings:

Select notification type: Select one of the following values:


Positive reinforcement notification
Simulation notification
Training assignment notification
Training reminder notification
Name: Enter a unique name.
Description: Enter an optional description.

When you're finished, click Next.

4. On the Define content page, the only setting that's available is the Add content in
default language button. When you click it, an Add content in default language
flyout appears that contains the following settings:

From display name


From email address
Select the language of the email: Select a language from the list.
Mark this as the default language: Because this is the first and only language
for the notification, this value is selected and you can't change it.
Subject: The default value is Thanks for reporting phish, but you can change
it.
Import email: You can optionally click this button and then click Choose file
to import an existing plain text message file.
Email content area: Two tabs are available:
Text tab: A rich text editor is available to create your notification email. In
addition to the typical font and formatting settings, the following settings
are available:
Dynamic tag: Select from the following tags:
Insert first name
Insert last name
Insert UPN
Insert email address
Insert payload
Code tab: You can view and modify the HTML code directly.

You can preview the results by clicking the Preview email button at the top of the
page.

When you're finished, click Save.

You're taken back to the Define content page where the notification that you just
created is summarized with the following information:

Language
Subject
Category
Actions: The following icons are available:
Edit
View
Delete: If there's only one language version of the notification, you can't
delete it.

To add a version of the notification in a different language, click Add translation.
In the Add translation flyout that appears, the same settings are available as in the
Add content in default language flyout that was previously described. The only
difference is that you can select Mark this as the default language in additional
translations.

When you're finished, click Save.

You can repeat these steps as many times as necessary to create translated versions
of the notification in the 12 supported languages.

When you're finished, click Next.

5. On the Review notification page, you can review the details of your notification.

You can select Edit in each section to modify the settings within the section. Or you
can click Back or select the specific page in the wizard.

When you're finished, click Submit.

On the New simulation notification created page, you can use the links to create a
new notification, launch a simulation, or view all notifications.

When you're finished, click Done.

Back on the Tenant notifications tab in End user notifications, the notification that you
created is now listed.

Modify end-user notifications


You can't modify built-in notifications on the Global notifications tab. You can only
modify custom notifications on the Tenant notifications tab.

To modify an existing custom notification on the Tenant notifications tab, do one of the
following steps:

Select the notification from the list by clicking the check box. Click the Edit icon
that appears.
Click ⋮ (Actions) between the Notifications and Language values of the notification
in the list, and then select Edit.
Select the notification from the list by clicking anywhere in the row except the
check box. In the details flyout that opens, click Edit notification.

The end-user notification wizard opens with the settings and values of the selected
notification. The steps are the same as described in the Create end-user notifications
section.

Copy end-user notifications


To copy an existing notification on the Tenant notifications or Global notifications tabs,
do one of the following steps:

Select the notification from the list by clicking the check box, and then click the
Create a copy icon that appears.
Click ⋮ (Actions) between the Notifications and Language values of the notification
in the list, and then select Create a copy.

When you copy a custom notification on the Tenant notifications tab, a copy of the
notification named "<OriginalName> - Copy" is available in the list.

When you copy a built-in notification on the Global notifications tab, a Create copy
dialog appears. The dialog confirms that a copy of the notification has been created
and is available on the Tenant notifications tab. If you click Go to Tenant notification,
you're taken to the Tenant notifications tab, where the copied built-in notification
named "<OriginalName> - Copy" is available in the list. If you click Stay here in the
dialog, you return to the Global notifications tab.

After the copy is created, you can modify it as previously described.

Note

The Use from default control on the Add content in default language flyout in the
notification wizard allows you to copy the contents of a built-in notification.

Remove notifications
You can't remove built-in notifications from the Global notifications tab. You can only
remove custom notifications on the Tenant notifications tab.

To remove an existing custom notification from the Tenant notifications tab, do one of
the following steps:

Select the notification from the list by clicking the check box, and then click the
Delete icon that appears.
Click ⋮ (Actions) between the Notifications and Language values of the notification
in the list, and then select Delete.

Related links
Get started using Attack simulation training
Create a phishing attack simulation

Simulation automations for Attack simulation training


Login pages in Attack simulation training
Article • 12/07/2022 • 7 minutes to read

Applies to
Microsoft Defender for Office 365 plan 2

In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365
Plan 2, login pages are displayed to users in simulations that use the Credential harvest
and Link in attachment social engineering techniques.

To see the available login pages, open the Microsoft 365 Defender portal at
https://security.microsoft.com, go to Email & collaboration > Attack simulation
training > Simulation content library tab > and then select Login pages. To go directly
to the Simulation content library tab where you can select Login pages, use
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.

Login pages has two tabs:

Global login pages: Contains the built-in, non-modifiable login pages. There are
four built-in login pages localized into 12+ languages:
GitHub login page
LinkedIn login page
Microsoft login page
Non-branded login page

Tenant login pages: Contains the custom login pages that you've created.

The following information is shown for each login page:

Name
Language
Source: For built-in login pages, the value is Global. For custom login pages, the
value is Tenant.
Status: Ready or Draft.
Created by: For built-in login pages, the value is Microsoft. For custom login
pages, the value is the UPN of the user who created the login page.
Last modified

To find a login page in the list, use the Search box to find the name of the login
page.

Click Filter to filter the login pages by Language or Status.


To remove one or more columns that are displayed, click Customize columns.

When you select a login page from the list, a details flyout appears with the following
information:

Edit is available only for custom login pages on the Tenant login pages tab.
Mark as default to make this login page the default selection in Credential
harvest or Link in attachment payloads or payload automations. If the login page
is already the default, Mark as default isn't available.
Preview tab: View the login page as users will see it. Page 1 and Page 2 links are
available at the bottom of the page for two-page login pages.
Details tab: View details about the login page:
Description
Status: Ready or Draft.
Login page source: For built-in login pages, the value is Global. For custom
login pages, the value is Tenant.
Modified by
Language
Last modified

Create login pages


1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & collaboration > Attack simulation training > Simulation content library
tab > and then select Login pages. To go directly to the Simulation content library
tab where you can select Login pages, use
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.

On the Tenant login pages tab, click Create new to start the create end user login
page wizard.

Note

Create new is also available during the payload selection step of creating a
simulation or simulation automation. For more information, see Create a
simulation: Select a payload and login page and Create a simulation
automation: Select a payload and login page.

At any point during the creation wizard, you can click Save and close to save
your progress and continue configuring the login page later. You can pick up
where you left off by selecting the login page on the Tenant login pages tab
in Login pages, and then clicking Edit. The partially-completed login page
will have the Status value Draft.

2. On the Define details for login page page, configure the following settings:

Name: Enter a unique name.


Description: Enter an optional description.

When you're finished, click Next.

3. On the Configure login page page, configure the following settings:

Select a language: The available values are: Chinese (Simplified), Chinese
(Traditional), English, French, German, Italian, Japanese, Korean,
Portuguese, Russian, Spanish, and Dutch.

Make this the default login page: If you select this option, the login page will
be the default selection in Credential harvest or Link in attachment payloads
or payload automations.

Create a two-page login: If you don't select this option, the login page is one
page. If you select this option, Page 1 and Page 2 tabs appear for you to
configure separately.

On the Text tab, a rich text editor is available for you to create your login
page.

Use the Dynamic tag control to customize the login page by inserting
the available tags:
Insert user name: The value that's added in the page body is ${userName}.
Insert email: The value that's added in the page body is ${emailAddress}.
Insert date: The value that's added in the page body is
${date|MM/dd/yyyy|offset}.

Use the Use from default control to select a built-in login page to start
with as a template.

The Add Next button control is available only on Page 1 of two-page
logins. The default text on the button is Next, but you can change it.

The Add compromise button control is available on one-page logins or
on Page 2 of two-page logins. The default text on the button is Submit,
but you can change it.

On the Code tab, you can view and modify the HTML code directly.
Formatting and other controls like Dynamic tag and Use from default or
Add compromise button aren't available.

Use the Preview login page button at the top of the page to review the login
page.

When you're finished, click Next.

4. On the Review login page page, you can review the details of your login page.

You can select Edit in each section to modify the settings within the section. Or you
can click Back or select the specific page in the wizard.

When you're finished, click Submit.

5. On the New login page <Name> created page, you can use the links to create a
new login page, launch a simulation, or view all login pages.

When you're finished, click Done.

Back on the Tenant login pages tab in Login pages, the login page that you created is
now listed.

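The following PowerShell is an added example, not code from the Microsoft documentation or the product. It renders a custom login page template offline so you can see what the dynamic tags described in the Configure login page step expand to before you submit the page. ${userName} and ${emailAddress} are replaced literally; for ${date|<format>|<offset>} the middle field is treated as a .NET date format string (the syntax Get-Date -Format accepts) and the offset as a number of days added to today's date. That offset interpretation, the HTML encoding of the substituted values and the sample template are all this example's assumptions; the product's own renderer may differ.

```powershell
# Added example, not from the Microsoft documentation: render a custom login page
# template offline to preview the dynamic tag substitutions. The offset in
# ${date|<format>|<offset>} is ASSUMED to be a day offset; the documentation
# does not define it.

function Expand-LoginPageTemplate {
    param(
        [Parameter(Mandatory)] [string]   $Html,
        [Parameter(Mandatory)] [string]   $UserName,
        [Parameter(Mandatory)] [string]   $EmailAddress,
        [datetime] $Now = (Get-Date)
    )

    # HTML-encode the substituted values so a display name containing "<" or "&"
    # cannot break (or inject markup into) the page being previewed.
    $safeName  = [System.Net.WebUtility]::HtmlEncode($UserName)
    $safeEmail = [System.Net.WebUtility]::HtmlEncode($EmailAddress)

    # String.Replace is a literal replacement, so "$" in the values is not special.
    $out = $Html.Replace('${userName}', $safeName).Replace('${emailAddress}', $safeEmail)

    # ${date|MM/dd/yyyy|offset}: named groups for the .NET format and the signed offset.
    $datePattern = '\$\{date\|(?<fmt>[^|}]+)\|(?<offset>-?\d+)\}'
    $evaluator = {
        param([System.Text.RegularExpressions.Match] $m)
        $Now.AddDays([int] $m.Groups['offset'].Value).ToString($m.Groups['fmt'].Value)
    }.GetNewClosure()   # capture $Now for the delegate call

    return [regex]::Replace($out, $datePattern, $evaluator)
}

# Constructed sample: a one-page login with a compromise button, as you might
# paste into the Code tab of the wizard.
$template = @'
<html><body>
<p>Hello ${userName} (${emailAddress}),</p>
<p>Your password expires on ${date|MM/dd/yyyy|3}. Sign in before ${date|dddd, MMMM d|3} to keep access.</p>
<form><input name="pwd" type="password"><button type="submit">Submit</button></form>
</body></html>
'@

Expand-LoginPageTemplate -Html $template -UserName 'Pat <Example>' `
    -EmailAddress 'pat@contoso.example' -Now ([datetime] '2022-12-07')
```

Pass -Now to pin the date when comparing output across runs; omit it to render against the current day. Because the Code tab accepts raw HTML, encoding the substituted values is the habit to keep: a user's display name is attacker-influenceable data in some tenants, and a preview that renders it unencoded hides that.
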
Modify login pages


You can't modify built-in login pages on the Global login pages tab. You can only
modify custom login pages on the Tenant login pages tab.

To modify an existing custom login page on the Tenant login pages tab, do one of the
following steps:

Select the login page from the list by clicking the check box. Click the Edit icon
that appears.
Click ⋮ (Actions) between the Name and Language values of the login page in the
list, and then select Edit.
Select the login page from the list by clicking the name. In the details flyout that
opens, click Edit.

The login page wizard opens with the settings and values of the selected login page.
The steps are the same as described in the Create login pages section.

Copy login pages

To copy an existing login page on the Tenant login pages or Global login pages tabs,
do one of the following steps:

Select the login page from the list by clicking the check box, and then click the
Create a copy icon that appears.
Click ⋮ (Actions) between the Name and Language values of the login page in the
list, and then select Create a copy.

The login page wizard opens with the settings and values of the selected login page.
The steps are the same as described in the Create login pages section.

Note

When you copy a built-in login page on the Global login pages tab, be sure to
change the Name value. This step ensures the copy is saved as a custom login page
on the Tenant login pages tab.

The Use from default control on the Configure login page page in the login page
wizard allows you to copy the contents of a built-in login page.

Remove login pages


You can't remove built-in login pages from the Global login pages tab. You can only
remove custom login pages on the Tenant login pages tab.

To remove an existing custom login page from the Tenant login pages tab, do one of
the following steps:

Select the login page from the list by clicking the check box, and then click the
Delete icon that appears.
Click ⋮ (Actions) between the Name and Language values of the login page in the
list, and then select Delete.

Make a login page the default


The default login page is the default selection that's used in Credential harvest or Link
in attachment payloads or payload automations.

To make a login page the default on the Tenant login pages or Global login pages tabs,
do one of the following steps:

Select the login page from the list by clicking the check box. Click the Mark as
default icon that appears.
Click ⋮ (Actions) between the Name and Language values of the login page in the
list, and then select Mark as default.
Select the login page from the list by clicking the name. In the details flyout that
opens, click Mark as default.
Select Make this the default login page on the Configure login page page in the
wizard when you create or modify a login page.

Note

The previous procedures are not available if the login page is already the default.

The default login page is also marked in the list, although you might need to widen
the Name column to see it.

Related links
Get started using Attack simulation training

Create a phishing attack simulation

Simulation automations for Attack simulation training


Insights and reports for Attack simulation training in Defender for Office 365
Article • 12/07/2022 • 10 minutes to read

 Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to
Microsoft Defender for Office 365 plan 2

In Attack simulation training in Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5,
Microsoft provides insights and reports from the results of simulations and the
corresponding trainings. This information keeps you informed on the threat readiness
progress of your users, as well as recommended next steps to better prepare your users
for future attacks.

Insights and reports are available in the following locations in Attack simulation training
in the Microsoft 365 Defender portal:

The Overview tab.


Simulation details on the Simulations tab.

The rest of this article describes the available information.

For getting started information about Attack simulation training, see Get started using
Attack simulation training.

Insights and reports on the Overview tab of Attack simulation training

To go to the Overview tab, open the Microsoft 365 Defender portal at
https://security.microsoft.com, go to Email & collaboration > Attack simulation
training, and verify that the Overview tab is selected (it's the default). To go directly
to the Overview tab on the Attack simulation training page, use
https://security.microsoft.com/attacksimulator?viewid=overview.

The rest of this section describes the information that's available on the Overview tab of
Attack simulation training.

Recent simulations card


The Recent simulations card on the Overview tab shows the last three simulations that
you've created or run in your organization.

You can select a simulation to view details.

Selecting View all simulations takes you to the Simulations tab.

Selecting Launch a simulation starts the simulation creation wizard. For more
information, see Simulate a phishing attack in Defender for Office 365.

Behavior impact on compromise rate card


The Behavior impact on compromise rate card on the Overview tab shows how your
users responded to your simulations as compared to the historical data in Microsoft 365.
You can use these insights to track progress in your users' threat readiness by running
multiple simulations against the same groups of users.

The chart data itself shows the following information:

Predicted compromise rate: Historical data across Microsoft 365 that predicts the
percentage of people who will be compromised by this simulation (users
compromised / total number of users who receive the simulation).
Actual compromise rate: The actual percentage of people who were compromised
by the simulation (actual users compromised / total number of users in your
organization who received the simulation).
If you hover over a data point in the chart, the actual percentage values are shown.

The following summary information is also shown on the card:

n users less susceptible to phishing: The difference between the predicted number of
compromised users and the actual number of users compromised by the simulated attack.
This number of users is less likely to be compromised by similar attacks in the
future.
x% better than predicted rate: Indicates how users did overall in contrast with the
predicted compromise rate.

To see a more detailed report, click View simulations and training efficacy report. This
report is explained later in this article.

Simulation coverage card


The Simulation coverage card on the Overview tab shows the percentage of users in
your organization who've received a simulation (Simulated users) vs. those who haven't
received a simulation (Non-simulated users). You can hover over a section in the chart
to see the actual number of users in each category.

Selecting Launch simulation for non-simulated users starts the simulation creation
wizard where the users who didn't receive the simulation are automatically selected on
the Target user page. For more information, see Simulate a phishing attack in Defender
for Office 365.

Selecting View simulation coverage report takes you to the User coverage tab for the
Attack simulation report.

Training completion card


The Training completion card on the Overview tab organizes the percentages of users
who received trainings based on the results of simulations into the following categories:

Completed
In progress
Incomplete

You can hover over a section in the chart to see the actual number of users in each
category.

Selecting View training completion report takes you to the Training completion tab for
the Attack simulation report.

Repeat offenders card


The Repeat offenders card on the Overview tab shows the information about repeat
offenders. A repeat offender is a user who was compromised by consecutive simulations.
The default number of consecutive simulations is two, but you can change the value on
the Settings tab of Attack simulation training at
https://security.microsoft.com/attacksimulator?viewid=setting.

The chart organizes repeat offender data by simulation type:

All
Malware attachment
Link to malware
Credential harvest
Link in attachments
Drive-by URL

Selecting View repeat offender report takes you to the Repeat offenders tab for the
Attack simulation report.

Recommendations card

The Recommendations card on the Overview tab suggests different types of
simulations to run.

Selecting Launch now starts the simulation creation wizard with the specified simulation
type automatically selected on the Select technique page. For more information, see
Simulate a phishing attack in Defender for Office 365.

Attack simulation report


You can open the Attack simulation report from the Overview tab by clicking on the
View ... report buttons that are available in many of the cards that are described in this
article. To go directly to the report, use
https://security.microsoft.com/attacksimulationreport.

Training efficacy tab for the Attack simulation report


On the Attack simulation report page, the Training efficacy tab is selected by default.
This tab provides the same information that's available in the Behavior impact on
compromise rate card, with additional context from the simulation itself.

The chart shows the Predicted compromise rate and Actual compromise rate. If you
hover over a section in the chart, the actual percentage values are shown.

The details table below the chart shows the following information:

Simulation name
Simulation technique
Simulation tactics
Predicted compromised rate
Actual compromised rate
Total users targeted
Count of clicked users

You can sort the results by clicking on an available column header.

Click Customize columns to remove the columns that are shown. When you're finished,
click Apply.

Use Search box to filter the results by Simulation name or Simulation Technique.
Wildcards aren't supported.

If you click the Export report button, report generation progress is shown as a
percentage of complete. In the dialog that opens, you can choose to open the .csv file,
save the .csv file, and remember the selection.
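The following PowerShell is an added example, not code from the Microsoft documentation or the product. It recomputes the figures shown on the Behavior impact on compromise rate card from the CSV that Export report produces on the Training efficacy tab, using the column names listed above, so you can check the numbers offline or trend them across exports. The CSV text is constructed. It is an assumption that the rate columns hold percentages (with or without a trailing "%") and that "x% better than predicted rate" is the relative improvement of the actual rate over the predicted one; compare both against a real export before relying on the output.

```powershell
# Added example, not from the Microsoft documentation: recompute the Behavior impact
# figures from a Training efficacy export. Constructed sample data below; the rate
# format and the "% better" formula are ASSUMPTIONS, not documented behaviour.

$csvText = @'
Simulation name,Simulation technique,Simulation tactics,Predicted compromised rate,Actual compromised rate,Total users targeted,Count of clicked users
Q1 payroll notice,Credential harvest,Phishing,12.0%,4.0%,250,31
Q2 shared document,Link in attachment,Phishing,9.5%,11.0%,200,40
'@

function Get-CompromiseSummary {
    param([Parameter(Mandatory)] [string] $Csv)

    foreach ($r in ($Csv | ConvertFrom-Csv)) {
        $targeted = [int] $r.'Total users targeted'
        $clicked  = [int] $r.'Count of clicked users'
        $predRate = [double] ($r.'Predicted compromised rate' -replace '%', '')
        $actRate  = [double] ($r.'Actual compromised rate'    -replace '%', '')

        # The rates are percentages of the targeted population; turn them back into
        # head counts so the card's "users" figure can be reproduced.
        $predicted = [int] [math]::Round($targeted * $predRate / 100)
        $actual    = [int] [math]::Round($targeted * $actRate  / 100)

        [pscustomobject]@{
            Simulation             = $r.'Simulation name'
            Technique              = $r.'Simulation technique'
            Targeted               = $targeted
            ClickRatePct           = [math]::Round(100 * $clicked / $targeted, 1)
            PredictedCompromised   = $predicted
            ActualCompromised      = $actual
            # "n users less susceptible to phishing": predicted minus actual head count.
            UsersLessSusceptible   = $predicted - $actual
            # "x% better than predicted rate": negative when users did worse than predicted.
            PctBetterThanPredicted = $(if ($predRate -gt 0) {
                                         [math]::Round(100 * ($predRate - $actRate) / $predRate, 1)
                                       } else { 0 })
        }
    }
}

Get-CompromiseSummary -Csv $csvText | Format-Table -AutoSize
```

For a real export, call Get-CompromiseSummary -Csv (Get-Content -Raw .\report.csv) with your own file name. With the sample rows, Q1 comes out 20 users less susceptible (30 predicted, 10 actual), while Q2 shows a negative value because more users were compromised than predicted, which is the case worth watching for when you run the same technique against the same group twice.
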

User coverage tab for the Attack simulation report


On the User coverage tab, the chart shows the Simulated users and Non-simulated
users. If you hover over a data point in the chart, the actual values are shown.

The details table below the chart shows the following information:

Username
Email address
Included in simulation
Date of last simulation
Last simulation result
Count of clicked
Count of compromised

You can sort the results by clicking on an available column header.

Click Customize columns to remove the columns that are shown. When you're finished,
click Apply.

Use Search box to filter the results by Username or Email address. Wildcards aren't
supported.

If you click the Export report button, report generation progress is shown as a
percentage of complete. In the dialog that opens, you can choose to open the .csv file,
save the .csv file, and remember the selection.

Training completion tab for the Attack simulation report


On the Training completion tab, the chart shows the number of Completed, In
progress, and Incomplete trainings. If you hover over a section in the chart, the actual
values are shown.

The details table below the chart shows the following information:

Username
Email address
Included in simulation
Date of last simulation
Last simulation result
Name of most recent training completed
Date completed
All trainings

You can sort the results by clicking on an available column header.

Click Customize columns to remove the columns that are shown. When you're finished,
click Apply.

Click Filter to filter the chart and details table by one or more of the following values:

Completed
In progress
All

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

Use Search box to filter the results by Username or Email address. Wildcards aren't
supported.

If you click the Export report button, report generation progress is shown as a
percentage of complete. In the dialog that opens, you can choose to open the .csv file,
save the .csv file, and remember the selection.
Repeat offenders tab for the Attack simulation report

A repeat offender is a user who was compromised by consecutive simulations. The
default number of consecutive simulations is two, but you can change the value on the
Settings tab of Attack simulation training at
https://security.microsoft.com/attacksimulator?viewid=setting.

On the Repeat offenders tab, the chart organizes repeat offender data by simulation
type:

All
Credential harvest
Malware attachment
Link in attachment
Link to malware
Drive-by URL

If you hover over a data point in the chart, the actual values are shown.

The details table below the chart shows the following information:

User
Repeat count
Simulation types
Simulations

You can sort the results by clicking on an available column header.

Click Customize columns to remove the columns that are shown. When you're finished,
click Apply.

Click Filter to filter the chart and details table by some or all of the simulation type
values:

Credential harvest
Malware attachment
Link in attachment
Link to malware

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

Use Search box to filter the results by any of the column values. Wildcards aren't
supported.

If you click the Export report button, report generation progress is shown as a
percentage of complete. In the dialog that opens, you can choose to open the .csv file,
save the .csv file, and remember the selection.

Insights and reports in the simulation details of Attack simulation training

To go to the Simulations tab, open the Microsoft 365 Defender portal at
https://security.microsoft.com, go to Email & collaboration > Attack simulation
training, and then select the Simulations tab. To go directly to the Simulations tab on
the Attack simulation training page, use
https://security.microsoft.com/attacksimulator?viewid=simulations.

When you select a simulation from the list, a details page opens. This page contains the
configuration settings of the simulation that you would expect to see (status, launch
date, payload used, etc.).

The rest of this section describes the insights and reports that are available on the
simulation details page.

Simulation impact section


The Simulation impact section on the simulation details page shows how many users
were completely tricked by the simulation and the total number of users in the
simulation. The information that's shown varies based on the simulation type. For
example:

Links: Entered credentials and Did not enter credentials.


Attachments: Opened attachment and Did not open attachment.

If you hover over a section in the chart, the actual numbers for each category are shown.

All user activity section


The All user activity section on the simulation details page shows numbers for the
possible outcomes of the simulation. The information that's shown varies based on the
simulation type. For example:

SuccessfullyDeliveredEmail: How many users the simulation message was delivered to.

ReportedEmail: How many users reported the simulation message as suspicious.

Links:

EmailLinkClicked: How many users clicked on the link in the simulation message.

CredSupplied: After clicking on the link, how many users supplied their
credentials.

Attachments:

AttachmentOpened: How many users opened the attachment in the simulation
message.

Training completion section


The Training completion section on the simulation details page shows the trainings that
are required for the simulation, and how many users have completed the trainings.

Recommended actions section


The Recommended actions section on the simulation details page shows
recommendation actions from Microsoft Secure Score and the effect the action will have
on your Secure Score. These recommendations are based on the payload that was used
in the simulation, and will help protect your users and your environment. Selecting an
Improvement action from the list takes you to the location to implement the suggested
action.

Related Links
Get started using Attack simulation training

Create a phishing attack simulation

Create a payload for training your people


Attack simulation training deployment
considerations and FAQ
Article • 12/06/2022 • 9 minutes to read

 Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 2

Attack simulation training enables Microsoft 365 E5 or Microsoft Defender for Office 365
Plan 2 organizations to measure and manage social engineering risk by allowing the
creation and management of phishing simulations that are powered by real-world,
de-weaponized phishing payloads. Hyper-targeted training, delivered in partnership with
Terranova Security, helps improve knowledge and change employee behavior.

For more information about getting started with Attack simulation training, see Get
started using Attack simulation training.

While the whole simulation creation and scheduling experience has been designed to be
free-flowing and frictionless, running simulations at an enterprise scale often requires
planning. This article helps address specific challenges that we see as our customers run
simulations in their own environments.

Issues with end user experiences

Phishing simulation URLs blocked by Google Safe Browsing

A URL reputation service might identify one or more of the URLs that are used by Attack
simulation training as unsafe. Google Safe Browsing in Google Chrome blocks some of
the simulated phishing URLs with a Deceptive site ahead message. While we work with
many URL reputation vendors to always allow our simulation URLs, we don't always have
full coverage.

Note that this issue does not affect Microsoft Edge.

As part of the planning phase, be sure to check the availability of the URL in your
supported web browsers before you use the URL in a phishing campaign. If the URLs are
blocked by Google Safe Browsing, follow this guidance from Google to allow access
to the URLs.

Refer to Get started using Attack simulation training for the list of URLs that are
currently used by Attack simulation training.

Phishing simulation and admin URLs blocked by network proxy solutions and filter drivers

Both phishing simulation URLs and admin URLs might be blocked or dropped by your
intermediate security devices or filters. For example:

Firewalls
Web Application Firewall (WAF) solutions
Third-party filter drivers (for example, kernel mode filters)

While we have seen few customers being blocked at this layer, it does happen. If you
encounter problems, consider configuring the following URLs to bypass scanning by
your security devices or filters as required:

The simulated phishing URLs as described in Get started using Attack simulation training.
https://security.microsoft.com/attacksimulator
https://security.microsoft.com/attacksimulationreport
https://security.microsoft.com/trainingassignments

Simulation messages not delivered to all targeted users
It's possible that the number of users who actually receive the simulation email
messages is less than the number of users who were targeted by the simulation. The
following types of users will be excluded as part of target validation:

Invalid recipient email addresses.
Guest users.
Users that are no longer active in Azure Active Directory (Azure AD).

Only valid, non-guest users with a valid mailbox will be included in simulations. If you
use distribution groups or mail-enabled security groups to target users, you can use the
Get-DistributionGroupMember cmdlet in Exchange Online PowerShell to view and
validate distribution group members.
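
As an added example (not code from the Microsoft page), the following Exchange Online PowerShell script expands the groups you intend to target and applies the same exclusions listed above, so you can compare the number of valid targets with the number of delivered messages before launch. The group names and the CSV path are placeholders, and treating a disabled account (AccountDisabled from Get-User) as "no longer active in Azure AD" is an assumption.

```powershell
# Added example; not code from the Microsoft page.
# Expands distribution groups / mail-enabled security groups the way the simulation
# engine does: invalid addresses, guests and inactive accounts are dropped, nested
# groups are expanded, and each user counts once even if in several groups.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline).
# Assumption: AccountDisabled (Get-User) is what the page calls "no longer active".

function Get-SimulationTargets {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $GroupIdentity)

    $queue   = [System.Collections.Generic.Queue[string]]::new([string[]]$GroupIdentity)
    $seen    = [System.Collections.Generic.HashSet[string]]::new()
    $members = @{}   # keyed by primary SMTP address

    while ($queue.Count -gt 0) {
        $group = $queue.Dequeue()
        if (-not $seen.Add($group)) { continue }

        foreach ($m in Get-DistributionGroupMember -Identity $group -ResultSize Unlimited) {
            if ($m.RecipientTypeDetails -eq 'DynamicDistributionGroup') {
                Write-Warning "Skipping dynamic group $($m.Identity); expand it with Get-DynamicDistributionGroupMember"
                continue
            }
            if ($m.RecipientTypeDetails -like '*Group') {
                $queue.Enqueue([string]$m.Identity)   # nested group: expand it as well
                continue
            }
            $smtp = [string]$m.PrimarySmtpAddress
            $key  = if ($smtp) { $smtp.ToLowerInvariant() } else { [string]$m.Identity }
            if (-not $members.ContainsKey($key)) { $members[$key] = $m }
        }
    }

    $valid    = [System.Collections.Generic.List[string]]::new()
    $excluded = [System.Collections.Generic.List[object]]::new()
    foreach ($m in $members.Values) {
        $smtp   = [string]$m.PrimarySmtpAddress
        $reason = $null
        if     ($smtp -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$')        { $reason = 'invalid address' }
        elseif ($m.RecipientTypeDetails -eq 'GuestMailUser')         { $reason = 'guest user' }
        elseif ($m.RecipientTypeDetails -ne 'UserMailbox')           { $reason = "no user mailbox ($($m.RecipientTypeDetails))" }
        elseif ((Get-User -Identity ([string]$m.Identity)).AccountDisabled) { $reason = 'account disabled' }   # one call per member; slow on large groups

        if ($reason) { $excluded.Add([pscustomobject]@{ Address = $smtp; Name = $m.Name; Reason = $reason }) }
        else         { $valid.Add($smtp) }
    }

    [pscustomobject]@{
        Valid    = @($valid | Sort-Object)
        Excluded = @($excluded)
    }
}

# Usage: check the numbers, then feed Valid to the wizard's CSV import
# (one email address per line, no header). Group names are placeholders.
$result = Get-SimulationTargets -GroupIdentity 'Sales-Staff', 'Finance-Staff'
'{0} valid targets, {1} excluded' -f $result.Valid.Count, $result.Excluded.Count
$result.Excluded | Format-Table -AutoSize
$result.Valid | Set-Content -Path .\simulation-targets.csv -Encoding utf8
```

If the count of Valid is lower than the group membership you expected, the Excluded table tells you why before the simulation report does.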

Issues with Attack simulation training reporting

Attack simulation training reports do not contain any activity details
Attack simulation training comes with rich, actionable insights that keep you informed
of the threat readiness progress of your employees. If Attack simulation training reports
are not populated with data, verify that audit log search is turned on in your
organization (it's on by default).

Audit log search is required by Attack simulation training so events can be captured,
recorded, and read back. Turning off audit log search has the following consequences
for Attack simulation training:

Reporting data is not available across all reports. The reports will appear empty.
Training assignments are blocked, because data is not available.

To turn on audit log search, see Turn audit log search on or off.

Note

Empty activity details can also be caused by no E5 licenses being assigned to users.
Verify that at least one E5 license is assigned to an active user to ensure that reporting
events are captured and recorded.

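
An added pre-launch check (not from the Microsoft page) for the two causes of empty reports described above: audit log search, read and set with Get-AdminAuditLogConfig and Set-AdminAuditLogConfig in Exchange Online PowerShell, and licensing, read through Microsoft Graph PowerShell (Connect-MgGraph with User.Read.All and Organization.Read.All). The SKU part numbers SPE_E5, ENTERPRISEPREMIUM and THREAT_INTELLIGENCE are my assumption for Microsoft 365 E5, Office 365 E5 and Defender for Office 365 Plan 2; confirm them with Get-MgSubscribedSku in your tenant.

```powershell
# Added example; not code from the Microsoft page.
# Requires: Connect-ExchangeOnline (audit setting) and
#           Connect-MgGraph -Scopes 'User.Read.All','Organization.Read.All' (licenses).

function Test-AttackSimReportingPrereqs {
    [CmdletBinding()]
    param(
        # Assumed SKU part numbers for M365 E5, O365 E5 and Defender for Office 365 Plan 2;
        # verify against Get-MgSubscribedSku in your tenant.
        [string[]] $QualifyingSkuPartNumbers = @('SPE_E5', 'ENTERPRISEPREMIUM', 'THREAT_INTELLIGENCE')
    )

    # 1. Audit log search: without it, reports stay empty and training assignments are blocked.
    $auditOn = [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

    # 2. At least one enabled user must hold a qualifying license.
    $skuIds = @(Get-MgSubscribedSku |
        Where-Object { $_.SkuPartNumber -in $QualifyingSkuPartNumbers } |
        ForEach-Object { [string]$_.SkuId })

    $licensedActive = 0
    if ($skuIds.Count -gt 0) {
        $licensedActive = @(
            Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, AssignedLicenses |
                Where-Object {
                    @($_.AssignedLicenses | ForEach-Object { [string]$_.SkuId }) |
                        Where-Object { $_ -in $skuIds }
                }
        ).Count
    }

    [pscustomobject]@{
        AuditLogSearchEnabled = $auditOn
        QualifyingSkusFound   = $skuIds.Count
        LicensedActiveUsers   = $licensedActive
        ReportingShouldWork   = ($auditOn -and $licensedActive -gt 0)
    }
}

$check = Test-AttackSimReportingPrereqs
$check
if (-not $check.AuditLogSearchEnabled) {
    # The remediation the page points to ("Turn audit log search on or off").
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
```
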
Simulation reports are not updated immediately
Detailed simulation reports are not updated immediately after you launch a campaign.
Don't worry; this behavior is expected.

Every simulation campaign has a lifecycle. When first created, the simulation is in the
Scheduled state. When the simulation starts, it transitions to the In progress state.
When completed, the simulation transitions to the Completed state.

While a simulation is in the Scheduled state, the simulation reports will be mostly
empty. During this stage, the simulation engine is resolving the target user email
addresses, expanding distribution groups, removing guest users from the list, etc.:

Once the simulation enters the In progress stage, you will notice information starting to
trickle into the reporting:

It can take up to 30 minutes for the individual simulation reports to update after the
transition to the In progress state. The report data continues to build until the
simulation reaches the Completed state. Reporting updates occur at the following
intervals:

Every 10 minutes for the first 60 minutes.
Every 15 minutes after 60 minutes until 2 days.
Every 30 minutes after 2 days until 7 days.
Every 60 minutes after 7 days.

Widgets on the Overview page provide a quick snapshot of your organization's
simulation-based security posture over time. Because these widgets reflect your overall
security posture and journey over time, they're updated after each simulation campaign
is completed.

Note

You can use the Export option on the various reporting pages to extract data.

Messages reported as phishing by users aren't appearing in simulation reports
Simulation reports in Attack simulator training provide details on user activity. For
example:

Users who clicked on the link in the message.
Users who gave up their credentials.
Users who reported the message as phishing.

If messages that users reported as phishing aren't captured in Attack simulation training
simulation reports, there might be an Exchange mail flow rule (also known as a transport
rule) that's blocking the delivery of the reported messages to Microsoft. Verify that any
mail flow rules aren't blocking delivery to the following email addresses:

junk@office365.microsoft.com
abuse@messaging.microsoft.com
phish@office365.microsoft.com
not_junk@office365.microsoft.com
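
As an added example (not code from the Microsoft page), two Exchange Online PowerShell checks for this symptom: a scan of enabled mail flow rules with a blocking action whose scope could cover mail sent to the reporting addresses, and a message trace showing whether user reports actually reached those addresses recently. The rule heuristic (flag a rule that has no conditions, a rule scoped to all external recipients, or a recipient condition that mentions these addresses or their domains) is mine, not a documented test, so review the hits by hand.

```powershell
# Added example; not code from the Microsoft page. Requires Connect-ExchangeOnline.

$reportingAddresses = @(
    'junk@office365.microsoft.com',
    'abuse@messaging.microsoft.com',
    'phish@office365.microsoft.com',
    'not_junk@office365.microsoft.com'
)

function Find-RulesBlockingUserReports {
    param([string[]] $Addresses = $reportingAddresses)
    # Match on the full addresses and on their domains (heuristic, see lead-in).
    $needles = @($Addresses) + @($Addresses | ForEach-Object { $_.Split('@')[1] } | Sort-Object -Unique)

    foreach ($rule in Get-TransportRule -ResultSize Unlimited) {
        if ($rule.State -ne 'Enabled') { continue }

        # Only rules that stop or divert the message can hide a user report.
        $blocks = $rule.DeleteMessage -or $rule.Quarantine -or
                  $rule.RejectMessageReasonText -or $rule.RedirectMessageTo
        if (-not $blocks) { continue }

        # Recipient-side conditions that could match a report sent to Microsoft.
        $recipientScope = @($rule.SentTo) + @($rule.RecipientDomainIs) +
                          @($rule.RecipientAddressContainsWords) + @($rule.RecipientAddressMatchesPatterns) |
                          Where-Object { $_ } | ForEach-Object { [string]$_ }
        $mentions = $recipientScope | Where-Object { $v = $_; $needles | Where-Object { $v -like "*$_*" } }

        $why = if (-not $rule.Conditions)                          { 'no conditions: applies to all messages' }
               elseif ($rule.SentToScope -eq 'NotInOrganization')  { 'applies to all external recipients' }
               elseif ($mentions)                                  { "recipient condition mentions: $($mentions -join ', ')" }
        if ($why) {
            [pscustomobject]@{ Rule = $rule.Name; Priority = $rule.Priority; Reason = $why }
        }
    }
}

function Get-UserReportDeliveryStatus {
    # Message trace only covers the last 10 days, so keep $Days at or below that.
    param([int] $Days = 7, [string[]] $Addresses = $reportingAddresses)
    $end   = Get-Date
    $start = $end.AddDays(-$Days)
    foreach ($addr in $Addresses) {
        $trace = Get-MessageTrace -RecipientAddress $addr -StartDate $start -EndDate $end -PageSize 5000
        if (-not $trace) {
            [pscustomobject]@{ Recipient = $addr; Status = '(no messages traced)'; Count = 0 }
            continue
        }
        $trace | Group-Object Status | ForEach-Object {
            [pscustomobject]@{ Recipient = $addr; Status = $_.Name; Count = $_.Count }
        }
    }
}

Find-RulesBlockingUserReports | Format-Table -AutoSize
Get-UserReportDeliveryStatus  | Format-Table -AutoSize
```

A Status of Failed on the trace, or no traced messages at all while users say they have been reporting, points at the rules the first function lists.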

Users are assigned training after they report a simulated message
If users are assigned training after they report a phishing simulation message, check to
see if your organization uses a reporting mailbox to receive user reported messages at
https://security.microsoft.com/securitysettings/userSubmission . The reporting mailbox
needs to be configured to skip many security checks as described in the reporting
mailbox prerequisites.

If you don't configure the required exclusions for the custom reporting mailbox, these
messages might be detonated by Safe Links or Safe Attachments protection. The
detonation is recorded as if the user had clicked, and training is assigned.

Other frequently asked questions

Q: What is the recommended method to target users for simulation campaigns?
A: Several options are available to target users:

Include all users (currently available to organizations with fewer than 40,000 users).
Choose specific users.
Select users from a CSV file (one email address per line).
Azure AD group-based targeting.

We've found that campaigns where the targeted users are identified by Azure AD
groups are generally easier to manage.

Q: Are there any limits in targeting users while importing from a CSV or adding users?
A: The limit for importing recipients from a CSV file or adding individual recipients to a
simulation is 40,000.

A recipient can be an individual user or a group. A group might contain hundreds or
thousands of recipients, so an actual limit isn't placed on the number of individual users.

Managing a large CSV file or adding many individual recipients can be cumbersome.
Using Azure AD groups will simplify the overall management of the simulation.

Q: Does Microsoft provide payloads in other languages?
A: Currently, there are 40+ localized payloads available in 10+ languages: Chinese
(Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean,
Portuguese, Russian, Spanish and Dutch. We've noticed that any direct or machine
translations of existing payloads to other languages will lead to inaccuracies and
decreased relevance.

That being said, you can create your own payload in the language of your choice using
the custom payload authoring experience. We also strongly recommend that you
harvest existing payloads that were used to target users in a specific geography. In other
words, let the attackers localize the content for you.

Q: How can I switch to other languages for my admin portal and training experience?
A: In Microsoft 365 or Office 365, language configuration is specific and centralized for
each user account. For instructions on how to change your language setting, see
Change your display language and time zone in Microsoft 365 for Business .

Note that the configuration change might take up to 30 minutes to synchronize across
all services.

Q: Can I trigger a test simulation to understand what it looks like prior to launching a full-fledged campaign?
A: Yes you can! On the very last Review Simulation page in the wizard to create a new
simulation, there's an option to Send a test. This option will send a sample phishing
simulation message to the currently logged in user. After you validate the phishing
message in your Inbox, you can submit the simulation.

Q: Can I target users that belong to a different tenant as part of the same simulation campaign?
A: No. Currently, cross-tenant simulations are not supported. Verify that all of your
targeted users are in the same tenant. Any cross-tenant users or guest users will be
excluded from the simulation campaign.

Q: How does region aware delivery work?
A: Region aware delivery uses the TimeZone attribute of the targeted user's mailbox and
'not before' logic to determine when to deliver the message. For example, consider the
following scenario:

At 7:00 AM in the Pacific time zone (UTC-8), an admin creates and schedules a
campaign to start at 9:00 AM on the same day.
UserA is in the Eastern time zone (UTC-5).
UserB is also in the Pacific time zone.

At 9:00 AM on the same day, the simulation message is sent to UserB. With region-
aware delivery, the message is not sent to UserA on the same day, because 9:00 AM
Pacific time is 12:00 PM Eastern time. Instead, the message is sent to UserA at 9:00 AM
Eastern time on the following day.

So, on the initial run of a campaign with region aware delivery enabled, it might appear
that the simulation message was sent only to users in a specific time zone. But, as time
passes and more users come into scope, the targeted users will increase.
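
The calculation above, as an added example that is not part of the original page and generalizes it to any set of mailboxes: it reads each mailbox's TimeZone attribute with Get-MailboxRegionalConfiguration and applies the "same wall-clock time, but not before the campaign start" rule. The schedule, the Windows time zone IDs and the mailbox names are placeholders; how the service treats a mailbox with no TimeZone set isn't described on the page, so such mailboxes are skipped with a warning. The mailbox lookup needs an Exchange Online PowerShell session; the calculation itself runs offline.

```powershell
# Added example; not code from the Microsoft page. Models the "not before" logic:
# deliver at the scheduled wall-clock time on the user's clock, never before the
# instant the campaign starts. DST offsets come from the local .NET time zone data.

function Get-RegionAwareDeliveryTime {
    param(
        [Parameter(Mandatory)] [datetime] $CampaignStartLocal,   # wall-clock start in the admin's zone
        [Parameter(Mandatory)] [string]   $AdminTimeZoneId,      # Windows ID, e.g. 'Pacific Standard Time'
        [Parameter(Mandatory)] [string]   $UserTimeZoneId        # the mailbox TimeZone attribute
    )
    $adminTz = [TimeZoneInfo]::FindSystemTimeZoneById($AdminTimeZoneId)
    $userTz  = [TimeZoneInfo]::FindSystemTimeZoneById($UserTimeZoneId)
    # ConvertTimeToUtc(DateTime, TimeZoneInfo) requires Kind = Unspecified.
    $unspec  = { param($d) [datetime]::SpecifyKind($d, [DateTimeKind]::Unspecified) }

    # The absolute instant the campaign starts.
    $startUtc = [TimeZoneInfo]::ConvertTimeToUtc((& $unspec $CampaignStartLocal), $adminTz)

    # The same wall-clock time on the user's clock, on the day the campaign starts for them.
    $startUserLocal = [TimeZoneInfo]::ConvertTimeFromUtc($startUtc, $userTz)
    $candidate      = $startUserLocal.Date + $CampaignStartLocal.TimeOfDay
    $candidateUtc   = [TimeZoneInfo]::ConvertTimeToUtc((& $unspec $candidate), $userTz)

    # "Not before": if that wall-clock time is already behind the start instant,
    # the user gets the message at the same wall-clock time on the next day.
    if ($candidateUtc -lt $startUtc) {
        $candidate    = $candidate.AddDays(1)
        $candidateUtc = [TimeZoneInfo]::ConvertTimeToUtc((& $unspec $candidate), $userTz)
    }

    [pscustomobject]@{
        UserTimeZone      = $UserTimeZoneId
        DeliverAtUserTime = $candidate
        DeliverAtUtc      = $candidateUtc
        DaysAfterStart    = ($candidate.Date - $startUserLocal.Date).Days
    }
}

# The page's own scenario: scheduled for 09:00 Pacific. The Eastern user is delivered at
# 09:00 Eastern the next day (DaysAfterStart = 1), the Pacific user the same day.
$start = Get-Date '2023-01-19 09:00'
'Eastern Standard Time', 'Pacific Standard Time' | ForEach-Object {
    Get-RegionAwareDeliveryTime -CampaignStartLocal $start -AdminTimeZoneId 'Pacific Standard Time' -UserTimeZoneId $_
}

# Same calculation for real targets (placeholder mailboxes), using each mailbox's TimeZone.
foreach ($mbx in 'usera@contoso.com', 'userb@contoso.com') {
    $tz = (Get-MailboxRegionalConfiguration -Identity $mbx).TimeZone
    if (-not $tz) { Write-Warning "$mbx has no TimeZone set; delivery time can't be predicted here"; continue }
    Get-RegionAwareDeliveryTime -CampaignStartLocal $start -AdminTimeZoneId 'Pacific Standard Time' -UserTimeZoneId $tz |
        Add-Member -NotePropertyName Mailbox -NotePropertyValue $mbx -PassThru
}
```

Users whose local clock is behind the admin's (further west) receive the message later the same day; users whose clock is ahead (further east) roll over to the next day, which is why the first day's numbers look like a single time zone.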

Q: Does Microsoft collect or store any information that users enter at the Credential Harvest sign-in page, used in the Credential Harvest simulation technique?
A: No. Any information entered at the credential harvest login page is discarded silently.
Only the 'click' is recorded to capture the compromise event. Microsoft does not collect,
log or store any details that users enter at this step.

Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes
Article • 01/19/2023 • 17 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

To keep your organization secure by default, Exchange Online Protection (EOP) does not
allow safe lists or filtering bypass for messages that are identified as malware or high
confidence phishing. But, there are specific scenarios that require the delivery of
unfiltered messages. For example:

Third-party phishing simulations: Simulated attacks can help you identify
vulnerable users before a real attack impacts your organization.
Security operations (SecOps) mailboxes: Dedicated mailboxes that are used by
security teams to collect and analyze unfiltered messages (both good and bad).

You use the advanced delivery policy in Microsoft 365 to prevent inbound messages in
these specific scenarios from being filtered*. The advanced delivery policy ensures that
messages in these scenarios achieve the following results:

Filters in EOP and Microsoft Defender for Office 365 take no action on these
messages.*
Zero-hour auto purge (ZAP) for spam and phishing takes no action on these messages.**
Default system alerts aren't triggered for these scenarios.
AIR and clustering in Defender for Office 365 ignore these messages.
Specifically for third-party phishing simulations:
Admin submissions generate an automatic response saying that the message is
part of a phishing simulation campaign and isn't a real threat. Alerts and AIR are
not triggered. The admin submissions experience shows these messages
as a simulated threat.
When a user reports a phishing simulation message using the built-in Report
button in Outlook on the web or the Microsoft Report Message or Report
Phishing add-ins, the system doesn't generate an alert, investigation, or
incident. The links or files aren't detonated, but the message appears on
the User reported tab of the Submissions page.
Safe Links in Defender for Office 365 doesn't block or detonate the specifically
identified URLs in these messages at time of click. URLs are still wrapped, but
they aren't blocked.
Safe Attachments in Defender for Office 365 doesn't detonate attachments in
these messages.

* You can't bypass malware filtering.

** You can bypass ZAP for malware by creating an anti-malware policy for the SecOps
mailbox where ZAP for malware is turned off. For instructions, see Configure anti-
malware policies in EOP.

Messages that are identified by the advanced delivery policy aren't security threats, so
the messages are marked with system overrides. Admin experiences show these
messages as allowed due to either a Phishing simulation system override or a SecOps
mailbox system override. Admins can filter and analyze these system overrides in the
following experiences:

Threat Explorer/Real-time detections in Defender for Office 365 plan 2: Admins can
filter on System override source and select either Phishing simulation or SecOps
Mailbox.
The Email entity page in Threat Explorer/Real-time detections: Admins can view a
message that was allowed by organization policy by either SecOps mailbox or
Phishing simulation under Tenant override in the Override(s) section.
The Threat protection status report: Admins can filter the report by View data by
System override and select messages allowed due to a phishing simulation system
override. To see messages allowed by the SecOps mailbox override, select Chart
breakdown by delivery location in the Chart breakdown by reason drop-down list.
Advanced hunting in Microsoft 365 Defender: Phishing simulation and SecOps
mailbox system overrides appear as values of OrgLevelPolicy in the EmailEvents
table.
Campaign Views: Admins can filter on System override source and select either
Phishing simulation or SecOps Mailbox.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the Advanced delivery page, open
https://security.microsoft.com/advanceddelivery .

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

You need to be assigned permissions before you can do the procedures in this
article:
To create, modify, or remove configured settings in the advanced delivery
policy, you need to be a member of the Security Administrator role group in
the Microsoft 365 Defender portal and a member of the Organization
Management role group in Exchange Online.
For read-only access to the advanced delivery policy, you need to be a member
of the Global Reader or Security Reader role groups.

For more information, see Permissions in the Microsoft 365 Defender portal and
Permissions in Exchange Online.

Note

Adding users to the corresponding Azure Active Directory role gives users the
required permissions in the Microsoft 365 Defender portal and permissions
for other features in Microsoft 365. For more information, see About admin
roles.

Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery
in the Rules section. To go directly to the Advanced delivery page, use
https://security.microsoft.com/advanceddelivery .
2. On the Advanced delivery page, verify that the SecOps mailbox tab is selected,
and then do one of the following steps:

Click Edit.
If there are no configured SecOps mailboxes, click Add.

3. In the Edit SecOps mailboxes flyout that opens, enter an existing Exchange Online
mailbox that you want to designate as SecOps mailbox by doing one of the
following steps:

Click in the box, let the list of mailboxes resolve, and then select the mailbox.

Click in the box, start typing an identifier for the mailbox (name, display name,
alias, email address, account name, etc.), and select the mailbox (display
name) from the results.

Repeat this step as many times as necessary. Distribution groups are not
allowed.

To remove an existing value, click remove next to the value.

4. When you're finished, click Add, and then click Close.

The SecOps mailbox entries that you configured are displayed on the SecOps mailbox
tab.

Use the Microsoft 365 Defender portal to modify or remove SecOps mailboxes in the advanced delivery policy

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery
in the Rules section. To go directly to the Advanced delivery page, use
https://security.microsoft.com/advanceddelivery .

2. On the Advanced delivery page, verify that the SecOps mailbox tab is selected,
and then click Edit.

3. In the Edit SecOps mailboxes flyout that opens, you add or remove mailboxes as
described in the previous section.

To remove all mailboxes, click remove next to each value until there are no more
mailboxes selected.
4. When you're finished, click Save and then click Close.

The SecOps mailbox entries that you configured are displayed on the SecOps mailbox
tab. If you removed all SecOps mailbox entries, the list will be empty.

Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery
in the Rules section. To go directly to the Advanced delivery page, use
https://security.microsoft.com/advanceddelivery .

2. On the Advanced delivery page, select the Phishing simulation tab, and then do
one of the following steps:

Click Edit.
If there are no configured phishing simulations, click Add.

3. In the Edit third-party phishing simulation flyout that opens, configure the
following settings:

Domain: Expand this setting and enter at least one email address domain (for
example, contoso.com) by clicking in the box, entering a value, and then
pressing Enter or selecting the value that's displayed below the box. Repeat
this step as many times as necessary. You can add up to 20 entries.

Note

Use the domain from the 5321.MailFrom address (also known as the
MAIL FROM address, P1 sender, or envelope sender) that's used in the
SMTP transmission of the message or a DomainKeys Identified Mail
(DKIM) domain as specified by your phishing simulation vendor.

Sending IP: Expand this setting and enter at least one valid IPv4 address by
clicking in the box, entering a value, and then pressing Enter or selecting the
value that's displayed below the box. Repeat this step as many times as
necessary. You can add up to 10 entries. Valid values are:
Single IP: For example, 192.168.1.1.
IP range: For example, 192.168.0.1-192.168.0.254.
CIDR IP: For example, 192.168.0.1/25.

Simulation URLs to allow: Expand this setting and optionally enter specific
URLs that are part of your phishing simulation campaign that should not be
blocked or detonated by clicking in the box, entering a value, and then
pressing Enter or selecting the value that's displayed below the box. You can
add up to 30 entries. For the URL syntax format, see URL syntax for the
Tenant Allow/Block List. These URLs are wrapped at the time of click, but they
aren't blocked.

To remove an existing value, click remove next to the value.

Note

To configure a third-party phishing simulation in Advanced Delivery, you need
to provide the following information:

At least one Domain from either of the following sources:
The 5321.MailFrom address (also known as the MAIL FROM address,
P1 sender, or envelope sender).
The DKIM domain.
At least one Sending IP.

You can optionally include Simulation URLs to allow to ensure that URLs in
simulation messages are not blocked.

The maximum number of entries for each field is given in the setting descriptions above.

There must be a match on at least one Domain and one Sending IP, but no
association between values is maintained: any listed domain combined with any
listed IP address matches.

4. When you're finished, click Add, and then click Close.

The third-party phishing simulation entries that you configured are displayed on the
Phishing simulation tab.

Use the Microsoft 365 Defender portal to modify or remove third-party phishing simulations in the advanced delivery policy

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery
in the Rules section. To go directly to the Advanced delivery page, use
https://security.microsoft.com/advanceddelivery .

2. On the Advanced delivery page, select the Phishing simulation tab, and then click
Edit.

3. In the Edit third-party phishing simulation flyout that opens, you add or remove
entries for Domain, Sending IP, and Simulation URLs as described in the previous
section.

To remove all entries, click remove next to each value until there are no more
domains, IPs, or URLs selected.

4. When you're finished, click Save and then click Close.

Additional scenarios that require filtering bypass

In addition to the two scenarios that the advanced delivery policy can help you with,
there are other scenarios where you might need to bypass filtering:

Third-party filters: If your domain's MX record doesn't point to Office 365
(messages are routed somewhere else first), secure by default is not available. If
you'd like to add protection, you'll need to enable Enhanced Filtering for
Connectors (also known as skip listing). For more information, see Manage mail
flow using a third-party cloud service with Exchange Online. If you don't want
Enhanced Filtering for Connectors, use mail flow rules (also known as transport
rules) to bypass Microsoft filtering for messages that have already been evaluated
by third-party filtering. For more information, see Use mail flow rules to set the SCL
in messages.

False positives under review: You might want to temporarily allow certain
messages that are still being analyzed by Microsoft after you used admin submissions
to report known good messages that are incorrectly being marked as bad (false
positives). As with all overrides, we highly recommend that these allowances are
temporary.

PowerShell procedures for SecOps mailboxes in the advanced delivery policy

In PowerShell, the basic elements of SecOps mailboxes in the advanced delivery policy
are:

The SecOps override policy: Controlled by the *-SecOpsOverridePolicy cmdlets.
The SecOps override rule: Controlled by the *-SecOpsOverrideRule cmdlets.

This behavior has the following results:

You create the policy first, then you create the rule that identifies the policy that
the rule applies to.
When you remove a policy from PowerShell, the corresponding rule is also
removed.
When you remove a rule from PowerShell, the corresponding policy is not
removed. You need to remove the corresponding policy manually.

Use PowerShell to configure SecOps mailboxes

Configuring a SecOps mailbox in the advanced delivery policy in PowerShell is a
two-step process:

1. Create the SecOps override policy.
2. Create the SecOps override rule that specifies the policy that the rule applies to.

Step 1: Use PowerShell to create the SecOps override policy

In Exchange Online PowerShell, use the following syntax:

PowerShell

New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>

Note

Regardless of the Name value you specify, the policy name will be
SecOpsOverridePolicy, so you might as well use that value.

This example creates the SecOps mailbox policy.

PowerShell

New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo secops@contoso.com

For detailed syntax and parameter information, see New-SecOpsOverridePolicy.

Step 2: Use PowerShell to create the SecOps override rule


In Exchange Online PowerShell, run the following command:

PowerShell

New-SecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy

Note

Regardless of the Name value you specify, the rule name will be
SecOpsOverrideRule<GUID> where <GUID> is a unique GUID value (for example,
6fed4b63-3563-495d-a481-b24a311f8329).

For detailed syntax and parameter information, see New-SecOpsOverrideRule.

Use PowerShell to view the SecOps override policy


In Exchange Online PowerShell, this example returns detailed information about the one
and only SecOps mailbox policy.

PowerShell

Get-SecOpsOverridePolicy

For detailed syntax and parameter information, see Get-SecOpsOverridePolicy.

Use PowerShell to view SecOps override rules


In Exchange Online PowerShell, this example returns detailed information about SecOps
override rules.

PowerShell

Get-SecOpsOverrideRule

Although the previous command should return only one rule, any rules that are pending
deletion might also be included in the results.

This example identifies the valid rule (one) and any invalid rules.

PowerShell

Get-SecOpsOverrideRule | Format-Table Name,Mode

After you identify the invalid rules, you can remove them by using the Remove-
SecOpsOverrideRule cmdlet as described later in this article.

For detailed syntax and parameter information, see Get-SecOpsOverrideRule.

Use PowerShell to modify the SecOps override policy

In Exchange Online PowerShell, use the following syntax:

PowerShell

Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy [-AddSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>] [-RemoveSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>]

This example adds secops2@contoso.com to the SecOps override policy.

PowerShell

Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -AddSentTo secops2@contoso.com

Note

If an associated, valid SecOps override rule exists, the email addresses in the rule
will also be updated.

For detailed syntax and parameter information, see Set-SecOpsOverridePolicy.

Use PowerShell to modify a SecOps override rule


The Set-SecOpsOverrideRule cmdlet does not modify the email addresses in the
SecOps override rule. To modify the email addresses in the SecOps override rule, use the
Set-SecOpsOverridePolicy cmdlet.

For detailed syntax and parameter information, see Set-SecOpsOverrideRule.


Use PowerShell to remove the SecOps override policy
In Exchange Online PowerShell, this example removes the SecOps Mailbox policy and
the corresponding rule.

PowerShell

Remove-SecOpsOverridePolicy -Identity SecOpsOverridePolicy

For detailed syntax and parameter information, see Remove-SecOpsOverridePolicy.

Use PowerShell to remove SecOps override rules


In Exchange Online PowerShell, use the following syntax:

PowerShell

Remove-SecOpsOverrideRule -Identity <RuleIdentity>

This example removes the specified SecOps override rule.

PowerShell

Remove-SecOpsOverrideRule -Identity SecOpsOverrideRule6fed4b63-3563-495d-a481-b24a311f8329

For detailed syntax and parameter information, see Remove-SecOpsOverrideRule.

PowerShell procedures for third-party phishing simulations in the advanced delivery policy

In PowerShell, the basic elements of third-party phishing simulations in the advanced
delivery policy are:

The phishing simulation override policy: Controlled by the *-PhishSimOverridePolicy cmdlets.
The phishing simulation override rule: Controlled by the *-PhishSimOverrideRule cmdlets.
The allowed (unblocked) phishing simulation URLs: Controlled by the *-TenantAllowBlockListItems cmdlets.

This behavior has the following results:


You create the policy first, then you create the rule that identifies the policy that
the rule applies to.
You modify the settings in the policy and the rule separately.
When you remove a policy from PowerShell, the corresponding rule is also
removed.
When you remove a rule from PowerShell, the corresponding policy is not
removed. You need to remove the corresponding policy manually.

Use PowerShell to configure third-party phishing simulations

Configuring a third-party phishing simulation in PowerShell is a multi-step process:

1. Create the phishing simulation override policy.
2. Create the phishing simulation override rule that specifies:
The policy that the rule applies to.
The sender domains and the source IP addresses of the phishing simulation messages.
3. Optionally, identify the phishing simulation URLs that should be allowed (that is,
not blocked or scanned).

Step 1: Use PowerShell to create the phishing simulation override policy

In Security & Compliance PowerShell, this example creates the phishing simulation
override policy.

PowerShell

New-PhishSimOverridePolicy -Name PhishSimOverridePolicy

Note: Regardless of the Name value you specify, the policy name will be
PhishSimOverridePolicy, so you might as well use that value.

For detailed syntax and parameter information, see New-PhishSimOverridePolicy.

Step 2: Use PowerShell to create the phishing simulation override rule

In Security & Compliance PowerShell, use the following syntax:

PowerShell

New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy -Domains <Domain1>,<Domain2>,...<Domain10> -SenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntry10>

Regardless of the Name value you specify, the rule name will be
PhishSimOverrideRule<GUID> where <GUID> is a unique GUID value (for example,
a0eae53e-d755-4a42-9320-b9c6b55c5011).

A valid IP address entry is one of the following values:

Single IP: For example, 192.168.1.1.
IP range: For example, 192.168.0.1-192.168.0.254.
CIDR IP: For example, 192.168.0.1/25.

This example creates the phishing simulation override rule with the specified settings.

PowerShell

New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy -Domains fabrikam.com,wingtiptoys.com -SenderIpRanges 192.168.1.55

For detailed syntax and parameter information, see New-PhishSimOverrideRule.

Step 3: (Optional) Use PowerShell to identify the phishing simulation URLs to allow

In Exchange Online PowerShell, use the following syntax:

PowerShell

New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries "<URL1>","<URL2>",..."<URL10>" <[-NoExpiration] | [-ExpirationDate <DateTime>]>

For details about the URL syntax, see URL syntax for the Tenant Allow/Block List.

This example adds a URL allow entry for the specified third-party phishing simulation
URL with no expiration.

PowerShell

New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries *.fabrikam.com -NoExpiration

For detailed syntax and parameter information, see New-TenantAllowBlockListItems.
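
The SecOps mailbox steps and the phishing simulation steps above combined into one idempotent script, as an added example that is not code from the Microsoft page: each half is created when absent, otherwise only the missing values are added, and the effective state (including any rules pending deletion, which the page says to remove with Remove-SecOpsOverrideRule or Remove-PhishSimOverrideRule) is printed at the end. Connect the sessions the page names for each cmdlet family first (Connect-ExchangeOnline and Connect-IPPSSession can coexist in one PowerShell process). Assumptions: the mailboxes, domains, IP entries and URLs are placeholders; a valid rule shows Mode Enforce and any other Mode means pending deletion; the returned policy and rule objects expose SentTo, SenderDomainIs and SenderIpRanges properties matching the cmdlet parameters.

```powershell
# Added example; not code from the Microsoft page. See the lead-in for assumptions.

$spec = @{
    SecOpsMailboxes   = @('secops@contoso.com')                   # placeholder
    PhishSimDomains   = @('fabrikam.com', 'wingtiptoys.com')      # 5321.MailFrom or DKIM domains from the vendor
    PhishSimSenderIps = @('192.168.1.55', '192.168.0.1/25')       # single IP, range or CIDR
    PhishSimUrls      = @('*.fabrikam.com')                       # Tenant Allow/Block List URL syntax
}

function Set-SecOpsMailboxOverride {
    param([string[]] $Mailboxes)
    $policy = Get-SecOpsOverridePolicy -ErrorAction SilentlyContinue
    if (-not $policy) {
        # Policy first, then the rule that points at it (the page's two-step order).
        New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo $Mailboxes | Out-Null
        New-SecOpsOverrideRule   -Name SecOpsOverrideRule   -Policy SecOpsOverridePolicy | Out-Null
        return
    }
    $missing = @($Mailboxes | Where-Object { $_ -notin $policy.SentTo })   # SentTo property: assumption
    if ($missing) { Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -AddSentTo $missing }
    # Removing a rule leaves the policy behind, so a policy can exist without a valid rule.
    if (-not (Get-SecOpsOverrideRule | Where-Object { $_.Mode -eq 'Enforce' })) {
        New-SecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy | Out-Null
    }
}

function Set-PhishSimOverride {
    param([string[]] $Domains, [string[]] $SenderIpRanges, [string[]] $Urls)
    if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
        New-PhishSimOverridePolicy -Name PhishSimOverridePolicy | Out-Null
    }
    $rule = Get-PhishSimOverrideRule | Where-Object { $_.Mode -eq 'Enforce' } | Select-Object -First 1
    if (-not $rule) {
        New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy `
            -Domains $Domains -SenderIpRanges $SenderIpRanges | Out-Null
    } else {
        # Add only what is missing; Add* parameters leave existing entries untouched.
        $params     = @{ Identity = $rule.Identity }
        $newDomains = @($Domains        | Where-Object { $_ -notin $rule.SenderDomainIs })   # property: assumption
        $newIps     = @($SenderIpRanges | Where-Object { $_ -notin $rule.SenderIpRanges })   # property: assumption
        if ($newDomains) { $params.AddSenderDomainIs = $newDomains }
        if ($newIps)     { $params.AddSenderIpRanges = $newIps }
        if ($params.Count -gt 1) { Set-PhishSimOverrideRule @params }
    }
    # URL allow entries live in the Tenant Allow/Block List, not in the rule.
    $existing = @(Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery | ForEach-Object Value)
    $newUrls  = @($Urls | Where-Object { $_ -notin $existing })
    if ($newUrls) {
        New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries $newUrls -NoExpiration | Out-Null
    }
}

function Show-AdvancedDeliveryState {
    'SecOps override policy:';   Get-SecOpsOverridePolicy   | Format-List  Name, SentTo
    'SecOps override rules:';    Get-SecOpsOverrideRule     | Format-Table Name, Mode
    'PhishSim override policy:'; Get-PhishSimOverridePolicy | Format-List  Name, Enabled
    'PhishSim override rules:';  Get-PhishSimOverrideRule   | Format-Table Name, Mode, SenderDomainIs, SenderIpRanges
    'Allowed simulation URLs:';  Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery |
                                 Format-Table Value, ExpirationDate
    # Any Mode other than Enforce is treated as "pending deletion" (assumption): these are
    # the invalid rules to remove with Remove-SecOpsOverrideRule / Remove-PhishSimOverrideRule.
    $stale = @(Get-SecOpsOverrideRule; Get-PhishSimOverrideRule) | Where-Object { $_.Mode -ne 'Enforce' }
    if ($stale) { 'Rules pending deletion:'; $stale | Format-Table Name, Mode }
}

Set-SecOpsMailboxOverride -Mailboxes $spec.SecOpsMailboxes
Set-PhishSimOverride -Domains $spec.PhishSimDomains -SenderIpRanges $spec.PhishSimSenderIps -Urls $spec.PhishSimUrls
Show-AdvancedDeliveryState
```

Running the script a second time changes nothing, which makes it safe to keep under source control alongside the vendor's published sending domains and IP ranges and re-run whenever those change.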

Use PowerShell to view the phishing simulation override policy

In Security & Compliance PowerShell, this example returns detailed information about
the one and only phishing simulation override policy.

PowerShell

Get-PhishSimOverridePolicy

For detailed syntax and parameter information, see Get-PhishSimOverridePolicy.

Use PowerShell to view phishing simulation override rules


In Security & Compliance PowerShell, this example returns detailed information about
phishing simulation override rules.

PowerShell

Get-PhishSimOverrideRule

Although the previous command should return only one rule, any rules that are pending
deletion might also be included in the results.

This example identifies the valid rule (one) and any invalid rules.

PowerShell

Get-PhishSimOverrideRule | Format-Table Name,Mode

After you identify the invalid rules, you can remove them by using the Remove-
PhishSimOverrideRule cmdlet as described later in this article.

For detailed syntax and parameter information, see Get-PhishSimOverrideRule.

Use PowerShell to view the allowed phishing simulation URL entries

In Exchange Online PowerShell, run the following command:

PowerShell

Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery

For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.

Use PowerShell to modify the phishing simulation override policy

In Security & Compliance PowerShell, use the following syntax:

PowerShell

Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy [-Comment "<DescriptiveText>"] [-Enabled <$true | $false>]

This example disables the phishing simulation override policy.

PowerShell

Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy -Enabled $false

For detailed syntax and parameter information, see Set-PhishSimOverridePolicy.

Use PowerShell to modify phishing simulation override rules

In Security & Compliance PowerShell, use the following syntax:

PowerShell

Set-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011 [-Comment "<DescriptiveText>"] [-AddSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-RemoveSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-AddSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>] [-RemoveSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>]

This example modifies the specified phishing simulation override rule with the following settings:

Add the domain entry blueyonderairlines.com.
Remove the IP address entry 192.168.1.55.

These changes don't affect the other existing entries in the rule.

PowerShell

Set-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011 -AddSenderDomainIs blueyonderairlines.com -RemoveSenderIpRanges 192.168.1.55

For detailed syntax and parameter information, see Set-PhishSimOverrideRule.

Use PowerShell to modify the allowed phishing simulation URL entries

You can't modify the URL values directly. You can remove existing URL entries and add new URL entries as described in this article.

In Exchange Online PowerShell, to modify other properties of an allowed phishing simulation URL entry (for example, the expiration date or comments), use the following syntax:

PowerShell

Set-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity>> -ListType URL -ListSubType AdvancedDelivery <[-NoExpiration] | [-ExpirationDate <DateTime>]> [-Notes <String>]

You identify the entry to modify by its URL values (the Entries parameter) or the Identity
value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).

This example modifies the expiration date of the specified entry.

PowerShell

Set-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com" -ExpirationDate 9/11/2021

For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.
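Because a URL value can't be edited in place, replacing a simulation vendor's URL means a remove plus an add. The following added PowerShell example (not code from the article or from Microsoft) does that in the safe order: it creates the new entry first, carrying over the old entry's expiration and notes, and removes the old entry only afterwards, so the vendor's URLs are never un-allowed in between. It uses only the Get-, New- and Remove-TenantAllowBlockListItems cmdlets the article names; the function names are my own, and it assumes an Exchange Online PowerShell session, that the Get- cmdlet's output objects expose Value, ExpirationDate and Notes properties, and that an entry created with -NoExpiration has an empty ExpirationDate. The article shows none of those output details.

```powershell
# Added example, not from the original article: swap one allowed phishing simulation URL
# for another. The URL value of a Tenant Allow/Block List entry can't be edited in place,
# so the new entry is created first (copying the old entry's expiration and notes) and the
# old entry is removed afterwards. Run in Exchange Online PowerShell (Connect-ExchangeOnline).
# ASSUMPTION: objects returned by Get-TenantAllowBlockListItems expose Value, ExpirationDate
# and Notes, and ExpirationDate is empty for entries created with -NoExpiration.

function Get-PhishSimUrlAllowEntry {
    [CmdletBinding()]
    param([string]$Url)
    $entries = @(Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery)
    if ($Url) { $entries = @($entries | Where-Object { $_.Value -eq $Url }) }
    return $entries
}

function Update-PhishSimUrlAllowEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OldUrl,
        [Parameter(Mandatory)][string]$NewUrl
    )
    $existing = @(Get-PhishSimUrlAllowEntry -Url $OldUrl)
    if ($existing.Count -ne 1) {
        throw "Expected exactly one AdvancedDelivery URL entry for '$OldUrl' but found $($existing.Count)."
    }
    $old = $existing[0]

    # Build the New-TenantAllowBlockListItems call from the old entry's properties
    $addParams = @{
        Allow       = $true
        ListType    = 'Url'
        ListSubType = 'AdvancedDelivery'
        Entries     = @($NewUrl)
    }
    if ($old.ExpirationDate) { $addParams['ExpirationDate'] = $old.ExpirationDate }
    else                     { $addParams['NoExpiration']   = $true }
    if ($old.Notes)          { $addParams['Notes']          = $old.Notes }

    # Add first, remove second: no window in which the simulation URL is not allowed
    if ($PSCmdlet.ShouldProcess($NewUrl, 'Add AdvancedDelivery URL allow entry')) {
        New-TenantAllowBlockListItems @addParams | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($OldUrl, 'Remove AdvancedDelivery URL allow entry')) {
        Remove-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries @($OldUrl)
    }

    # Show the resulting list so the change can be verified at a glance
    Get-PhishSimUrlAllowEntry | Format-Table Value, ExpirationDate, Notes
}

# Preview, then apply:
# Update-PhishSimUrlAllowEntry -OldUrl '*.fabrikam.com' -NewUrl 'phish-test.fabrikam.com' -WhatIf
# Update-PhishSimUrlAllowEntry -OldUrl '*.fabrikam.com' -NewUrl 'phish-test.fabrikam.com'
```

The throw on anything other than exactly one matching entry is intentional: a wildcard like *.fabrikam.com can coexist with more specific entries, and silently replacing the wrong one would widen or narrow what the simulation vendor is allowed to send without anyone noticing.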

Use PowerShell to remove a phishing simulation override policy

In Security & Compliance PowerShell, this example removes the phishing simulation
override policy and the corresponding rule.
PowerShell

Remove-PhishSimOverridePolicy -Identity PhishSimOverridePolicy

For detailed syntax and parameter information, see Remove-PhishSimOverridePolicy.

Use PowerShell to remove phishing simulation override rules

In Security & Compliance PowerShell, use the following syntax:

PowerShell

Remove-PhishSimOverrideRule -Identity <RuleIdentity>

This example removes the specified phishing simulation override rule.

PowerShell

Remove-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011

For detailed syntax and parameter information, see Remove-PhishSimOverrideRule.

Use PowerShell to remove the allowed phishing simulation URL entries

In Exchange Online PowerShell, use the following syntax:

PowerShell

Remove-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity>> -ListType URL -ListSubType AdvancedDelivery

You identify the entry to remove by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).

This example removes the specified entry.

PowerShell

Remove-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com"

For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.


User tags in Microsoft Defender for Office 365
Article • 12/22/2022 • 5 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

User tags are identifiers for specific groups of users in Microsoft Defender for Office 365.
There are two types of user tags:

System tags: Currently, Priority accounts is the only type of system tag.
Custom tags: You create these user tags yourself.

If your organization has Defender for Office 365 Plan 2 (included in your subscription or
as an add-on), you can create custom user tags in addition to using the priority
accounts tag.

Note

Currently, you can only apply user tags to mailbox users.

After you apply system tags or custom tags to users, you can use those tags as filters in
alerts, reports, and investigations:

Alerts
Custom alert policies
Threat Explorer and real-time detections
Compromised user report
Email entity page
Threat protection status report
Top senders and recipients report
Attack simulation
Campaign Views
Admin submissions and user reported messages
Quarantine
For priority accounts, you can use the Email issues for priority accounts report in
the Exchange admin center (EAC).

This article explains how to configure user tags in the Microsoft 365 Defender portal. There are no PowerShell cmdlets to manage user tags; the portal is the only management interface.

To see how user tags are part of the strategy to help protect high-impact user accounts,
see Security recommendations for priority accounts in Microsoft 365.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the User tags page, use
https://security.microsoft.com/securitysettings/userTags .

You need to be assigned permissions in the Microsoft 365 Defender portal before
you can do the procedures in this article:
To create, modify, and delete custom user tags, you need to be a member of the
Organization Management or Security Administrator role groups.
To add and remove members from the Priority Account system tag, you need to
be a member of the Security Administrator and Exchange Admin role groups.
To add and remove members from existing custom user tags, you need to be a
member of the Organization Management or Security Administrator role
groups.
For read-only access to user tags, you need to be a member of the Global
Reader, Security Operator, or Security Reader role groups.

For more information, see Permissions in the Microsoft 365 Defender portal.

Note

Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions in the Microsoft 365 Defender portal and permissions for other features in Microsoft 365. For more information, see About admin roles.

User tag management is controlled by the Tag Reader and Tag Manager roles.
You can also manage and monitor priority accounts in the Microsoft 365 admin
center. For instructions, see Manage and monitor priority accounts.

For information about securing privileged accounts (admin accounts), see this topic.

Use the Microsoft 365 Defender portal to create user tags

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Settings > Email & collaboration > User tags. To go directly to the User tags
page, use https://security.microsoft.com/securitysettings/userTags .

2. On the User tags page, click Create tag.

3. The Create tag wizard opens in a new flyout. On the Define tag page, configure
the following settings:

Name: Enter a unique, descriptive name for the tag. This is the value that
you'll see and use. Note that you can't rename a tag after you create it.
Description: Enter an optional description for the tag.

When you're finished, click Next.

4. On the Assign members page, do either of the following steps:

Click Add members. In the fly out that appears, do any of the following
steps to add individual users or groups:
Click in the box and scroll through the list to select a user or group.
Click in the box and start typing to filter the list and select a user or group.
To add additional values, click in an empty area in the box.
To remove individual entries, click the X next to the entry in the box.
To remove all entries, click on the Selected nn users and nn groups
item below the box.

When you're finished, click Add.

Back on the Assign members page, you can also remove entries by clicking the X next to the entry.

Click Import to select a text file that contains the email addresses of the users
or groups. Be sure the text file contains one entry per line.

When you're finished, click Next.


5. On the Review tag page that appears, review your settings. You can select Edit in
each section to modify the settings within the section. Or you can click Back or
select the specific page in the wizard.

When you're finished, click Submit, and then click Done.

Use the Microsoft 365 Defender portal to view user tags

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Settings > Email & collaboration > User tags. To go directly to the User tags
page, use https://security.microsoft.com/securitysettings/userTags .

2. On the User tags page, the following properties are displayed in the list of user
tags:

Tag: The name of the user tag. Note that this includes the built-in Priority
account system tag.
Applied to: The number of members
Last modified
Created on

3. When you select a user tag by clicking on the name, the details are displayed in a
flyout.

Use the Microsoft 365 Defender portal to modify user tags

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Settings > Email & collaboration > User tags. To go directly to the User tags
page, use https://security.microsoft.com/securitysettings/userTags .

2. On the User tags page, select the user tag from the list, and then click Edit tag.

3. In the details flyout that appears, the same wizard and settings are available as
described in the Use the Microsoft 365 Defender portal to create user tags section
earlier in this article.

Notes:

The Define tag page is not available for the built-in Priority account system
tag, so you can't rename this tag or change the description.
You can't rename a custom tag, but you can change the description.

Use the Microsoft 365 Defender portal to remove user tags

Note

You can't remove the built-in Priority account system tag.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to Settings > Email & collaboration > User tags. To go directly to the User tags page, use https://security.microsoft.com/securitysettings/userTags .

2. On the User tags page, select the user tag from the list, and then click Delete
tag.

3. Read the warning in the confirmation dialog that appears, and then click Yes,
remove.

More information

Configure and review priority accounts in Microsoft Defender for Office 365

Configure and review Priority accounts in Microsoft Defender for Office 365
Article • 12/22/2022 • 3 minutes to read

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In every organization, there are people that are critical, like executives, leaders,
managers, or other users who have access to sensitive, proprietary, or high priority
information. You can tag these users within Microsoft Defender for Office 365 as priority
accounts, allowing security teams to prioritize their focus on these critical individuals.
With differentiated protection for priority accounts, users tagged as priority accounts
will receive a higher level of protection against threats.

Priority accounts are targeted by attackers more often and are generally attacked with
more sophisticated techniques. Differentiated protection for priority accounts focuses
on this specific user set and provides a higher level of protection using enhanced machine
learning models. This differentiation in learning and message handling provides the
highest level of protection for these accounts and helps maintain a low false positive
rate, as a high rate of false positives can also have a negative impact on these users.

Configure Priority account protection

Priority account protection is turned on by default for pre-identified critical users.
However, the security administrator of your organization can also turn on priority
account protection by following these steps:

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to Settings > Email & collaboration > Priority account protection. To go directly to the Priority account protection page, use https://security.microsoft.com/securitysettings/priorityAccountProtection .

2. On the Priority account protection page, turn on the Priority account protection toggle.

Note

We don't recommend disabling or turning off priority account protection.

If you want to use Exchange Online PowerShell to turn on priority account protection,
do the following steps:

1. Connect to Exchange Online PowerShell and run the following command:

PowerShell

Set-EmailTenantSettings -EnablePriorityAccountProtection $true

2. To verify that priority account protection is turned on, run the following command
to verify the EnablePriorityAccountProtection property value:

PowerShell

Get-EmailTenantSettings | Format-List
Identity,EnablePriorityAccountProtection

The value True means priority account protection is turned on. The value False
means priority account protection is turned off.

Assign the Priority account tag to users

Microsoft Defender for Office 365 supports priority accounts as tags that can be used as
filters in alerts, reports, incidents, and more.

For more information, see User tags in Microsoft Defender for Office 365.
Review differentiated protection from priority account protection

The effects of priority account protection are visible in the following features:

Alerts
Custom alert policies
Threat Explorer and real-time detections
Compromised user report
Email entity page
Threat protection status report
Top senders and recipients report
Attack simulation
Campaign Views
Admin submissions and user reported messages
Quarantine

Threat protection status report

The Threat protection status report is a single view that brings together information
about malicious content and malicious email detected and blocked by Microsoft
Defender for Office 365.

To view the report, do the following steps:

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to Reports > Email & collaboration > Email & collaboration reports > find Threat protection status and then click View details. To go directly to the report, use https://security.microsoft.com/reports/TPSAggregateReportATP .

2. The default view is View data by Overview. Click on this value to change the view by selecting one of the following values:

View data by Email > Phish
View data by Email > Malware
View data by Email > Spam

3. Click Filter.

4. On the Filters flyout that opens, in the Priority accounts section, select Yes, No or
both values.
Threat Explorer
Context filter within Threat Explorer helps search for emails where priority account
protection was involved in the detection of the message. This allows security operations
teams to be able to see the value provided by this protection. You can still filter
messages by priority account tag to find all messages for the specific set of users.

To view the extra protection in Threat Explorer, do the following steps:

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to Email & collaboration > Explorer. To go directly to the Threat Explorer page, use https://security.microsoft.com/threatexplorer .

2. Select Context from the dropdown, and then select the checkbox next to Priority
account protection.
Email entity page
The email entity page is available in Threat Explorer. Select the subject of an email you're investigating. A gold bar is displayed at the top of the email flyout for that message. Select it to open the email entity page.

The tabs along the top of the entity page will allow you to investigate email efficiently.
Click the Analysis tab. Priority account protection is now listed under Threat detection
details.

More information

User tags in Microsoft Defender for Office 365
Manage and monitor priority accounts

The Email entity page
Article • 12/09/2022 • 14 minutes to read

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In this article:

Reach the email entity page
Read the email entity page
Use email entity page tabs
New to the email entity page

Admins in organizations with Microsoft Defender for Office 365 Plan 1 or Plan 2 (including Microsoft 365 E5) have a 360-degree view of email using the Email entity page. This go-to email page was created to enhance information delivered throughout Microsoft Defender for Office 365 and Microsoft 365 Defender.

See email details in the experiences below, including previewing and downloading the
email, the email headers with the option to copy, Detection details, Threats detected,
Latest and Original delivery locations, Delivery actions, and IDs like Alert ID, Network
Message ID and more.

How to get to the email entity page

Anywhere you find email details throughout the Microsoft Defender for Office 365, the
email entity details are available. This includes:

Threat Explorer
Advanced Hunting
Alerts
Quarantine
Submissions
Reporting
Action Center

One way to get to the email entity page is Threat Explorer, but the steps remain the
same from wherever you find email details. Navigate to the Microsoft 365 Defender
portal at https://security.microsoft.com , Email & collaboration > Explorer. Or, to go
directly to the Explorer page, use https://security.microsoft.com/threatexplorer .

1. In Explorer, select the subject of an email you're investigating.
2. The email fly-out for that mail will open.
3. You'll see Open email entity.
4. Select it for your email deep dive.

Note

The permissions needed to view and use this page are the same as to view
Explorer. The admin must be a member of Global admin or global reader, or
Security admin or Security Reader. For more information, see Permissions in the
Microsoft 365 Defender portal.
How to read the email entity page
The structure is designed to be easy to read and navigate through at a glance. Various
tabs along the top of the page allow you to investigate in more detail. Here's how the
layout works:

1. The most important fields are on the left side of the fly-out. These details are 'sticky',
meaning they're anchored to the left no matter the tab you navigate to in the rest
of the fly-out.

2. On the top-right corner are the actions that can be taken on an email. Any actions
that can be taken through Explorer will also be available through email entity
page.

3. Deeper analysis can be done by working through the rest of the page. Check the email detection details, email authentication status, and header. This area should be examined on a case-by-case basis, but the info in these tabs is available for any email.

How to use the email entity page tabs

The tabs along the top of the entity page will allow you to investigate email efficiently.

1. Timeline: The timeline view for an email (per Explorer timeline) shows the original
delivery to post-delivery events that happen on an email. For emails that have no
post-delivery actions, the view shows the original delivery row in timeline view.
Events like: Zero-hour auto purge (ZAP), Remediations, User and Admin
submissions, Quarantine information, URL clicks and more, from sources like:
system, admin, and user, show up here, in the order in which they occurred.
2. Analysis: Analysis shows fields that help admins analyze an email in depth. For
cases where admins need to understand more about detection, sender / recipient,
and email authentication details, they should use the Analysis tab. Links for
Attachments and URLs are also found on this page, under 'Related Entities'. Both
attachments and identified threats are numbered here, and clicking will take you
straight to the Attachments and URL pages. This tab also has a View header option
to show the email header. Admins can compare any detail from email headers, side
by side with information on the main panel, for clarity.
3. Attachments: This examines attachments found in the email with other details
found on attachments. The number of attachments shown is currently limited to
10. Notice that detonation details for attachments found to be malicious is also
shown here.
4. URLs: This tab lists URLs found in the email with other details about the URLs. The
number of URLs is limited to 10 right now, but these 10 are prioritized to show
malicious URLs first. Prioritization saves you time and guess-work. The URLs that
were found to be malicious and detonated will also be shown here.
5. Similar emails: This tab lists all emails similar to the network message id + recipient
combination specific to this email. Similarity is based on the body of the message,
only. The determinations made on mails to categorize them as 'similar' don't
include a consideration of attachments.

Available on the email entity page

Here are some helpful specifics to get started.

Email preview and download for Cloud mailboxes

Admins can preview and download emails in Cloud mailboxes, if the mails are still
accessible to Microsoft in an Exchange Online mailbox. In case of a soft delete (by an
admin, or user), or ZAP (to quarantine), the emails are no longer present in the Exchange
Online mailbox. In that case, admins won't be able to preview or download those
specific emails. Emails that were dropped, or where delivery failed, never made it into
the mailbox and as a result, admins won't be able to preview or download those emails
either.

Warning

Previewing and downloading emails requires a special role called Preview. You can
add this role in the Microsoft 365 Defender portal as described in Email &
collaboration roles in the Microsoft 365 Defender portal. You might need to
create a new Email & collaboration role group there and add the Preview role to
that new role group or add the Preview role to a role group that allows admins in
your organization to work in Explorer.

Detonation details
These details are specific to email attachments and URLs. Users can see these details by
going to Explorer and applying the detection technology filter set to file detonation or
URL detonation. Emails filtered for file detonation will contain a malicious file with
detonation details, and those filtered for URLs contain a malicious URL and its
detonation details.

Users will see enriched detonation details for known malicious attachments or URLs
found in their emails, which got detonated for their specific tenant. It will include the
Detonation chain, Detonation summary, Screenshot, and Observed behavior details to
help customers understand why the attachment or URL was deemed malicious and
detonated.

1. Detonation chain. A single file or URL detonation can trigger multiple detonations.
The Detonation chain tracks the path of detonations, including the original
malicious file or URL that caused the verdict, and all other files or URLs affected by
the detonation. These URLs or attached files may not be directly present in the
email, but including that analysis is important to determining why the file or URL
was found to be malicious.

Note

This may show just the top level item if none of the entities linked to it were
found to be problematic, or were detonated.

2. Detonation Summary gives a basic summary for detonation such as analysis time,
the time when detonation occurred, OS and application, the operating system and
application in which the detonation occurred, file size, and verdict reason.

3. Screenshots show the screenshots captured during detonation. There can be multiple screenshots during detonation. No screenshots are captured for:

Container type files like .zip or .rar.
A URL that opens into a link that directly downloads a file. However, you'll see the downloaded file in the detonation chain.

4. Behavior Details are an export that shows behavior details like exact events that
took place during detonation, and observables that contain URLs, IPs, domains,
and files that were found during detonation (and can either be problematic or
benign). Be aware, there may be no behavior details for:

Container files like .zip or .rar that are holding other files.

Other features that make the Email entity page helpful

Tags: These are tags applied to users. If the user is a recipient, admins will see a recipient
tag. Likewise, if the user is a sender, a sender tag. This will appear in the left side of the
email entities page (in the part that's described as sticky and, thus, anchored to the
page).

Latest delivery location: The latest delivery location is the location where an email landed
after system actions like ZAP, or admin actions like Move to Deleted Items, finish. Latest
delivery location isn't intended to inform admins of the message's current location. For
example, if a user deletes a message, or moves it to archive, the delivery location won't
be updated. However, if a system action has taken place and updated the location (like a
ZAP resulting in an email moving to quarantine) this would update the Latest delivery
location to quarantine.

Email details: Details required for a deeper understanding of email available in the
Analysis tab.

Exchange transport rules (also known as mail flow rules or ETRs): These rules are
applied to a message at the transport layer and take precedence over phish and
spam verdicts. Mail flow rules are created and modified in the Exchange admin
center at https://admin.exchange.microsoft.com/#/transportrules , but if any mail
flow rule applies to a message, the rule name and GUID will be shown here.
Valuable information for tracking purposes.

Primary Override: Source: Primary override and source refer to the tenant or user
setting which impacted the delivery of the email, overriding the delivery location
given by the system (as per the threat and detection technology). As an example,
this could be an email blocked due to a tenant configured transport rule or an
email allowed due to an end-user setting for Safe Senders.

All Overrides: All Overrides refer to the list of overrides (tenant or user settings)
that was applied on the email, which may or may not have impacted the delivery of
an email. As an example, if a tenant configured transport rule, as well as a tenant
configured policy setting (for example, from the Tenant Allow Block lists), is applied
to an email, then both will be listed in this field. You can check the primary override
field to determine the setting that impacted the delivery of the email.

Bulk Complaint Level (BCL): The bulk complaint level (BCL) of the message. A
higher BCL indicates a bulk mail message is more likely to generate complaints
(the natural result if the email is likely to be spam).

Spam Confidence Level (SCL): The spam confidence level (SCL) of the message. A
higher value indicates the message is more likely to be spam.

Client type: Indicates the client type from which the email was sent (for example, REST).

Forwarding: For scenarios with autoforwarding, it indicates the forwarding user as well as the forwarding type (for example, ETR or SMTP forwarding).

Distribution list: Shows the distribution list, if the recipient received the email as a
member of the list. It shows the top level distribution list if there are nested
distribution lists involved.

To, Cc: Indicates the addresses that are listed in To, Cc fields of an email. The
information in these fields is restricted to 5000 characters.

Domain Name: Is the sender domain name.

Domain Owner: Specifies the owner of the sending domain.

Domain Location: Specifies the location of the sending domain.

Domain Created Date: Specifies the date of creation of the sending domain. A
newly created domain is something you could be cautious of if other signals
indicate some suspicious behavior.

Email Authentication: Email authentication methods used by Microsoft 365 include SPF,
DKIM, and DMARC.

Sender Policy Framework (SPF): Describes results for SPF check for the message.
Possible values can be:
Pass (IP address): The SPF check for the message passed and includes the
sender's IP address. The client is authorized to send or relay email on behalf of
the sender's domain.
Fail (IP address): The SPF check for the message failed, and includes the sender's
IP address. This is sometimes called hard fail.
Softfail (reason): The SPF record designated the host as not being allowed to
send but is in transition.
Neutral: The SPF record explicitly states that it does not assert whether the IP
address is authorized to send.
None: The domain doesn't have an SPF record, or the SPF record doesn't
evaluate to a result.
Temperror: A temporary error has occurred. For example, a DNS error. The same
check later might succeed.
Permerror: A permanent error has occurred. For example, the domain has a
badly formatted SPF record.

DomainKeys Identified Mail (DKIM):

Pass: Indicates the DKIM check for the message passed.
Fail (reason): Indicates the DKIM check for the message failed and why. For
example, if the message was not signed or the signature was not verified.
None: Indicates that the message wasn't signed. This may or may not indicate
that the domain has a DKIM record or the DKIM record doesn't evaluate to a
result, only that this message was not signed.

Domain-based Message Authentication, Reporting, and Conformance (DMARC):

Pass: Indicates the DMARC check for the message passed.
Fail: Indicates the DMARC check for the message failed.
Bestguesspass: Indicates that no DMARC TXT record for the domain exists, but if
one had existed, the DMARC check for the message would have passed.
None: Indicates that no DMARC TXT record exists for the sending domain in
DNS.

Composite Authentication: This is a value used by Microsoft 365 to combine email authentication results like SPF, DKIM, and DMARC, to determine if the message is authentic. It uses the From: domain of the mail as the basis of evaluation.
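The SPF, DKIM, DMARC, composite authentication, SCL and BCL values described above are all stamped into the message headers, so they can be cross-checked outside the portal. The following added PowerShell example (not code from the article or from Microsoft) reads them out of a raw header block, as you would get from an exported message or a message-trace header dump, and applies the interpretation the article gives. The header block is a constructed sample of a spoofed message, not a real one; the Authentication-Results and X-Forefront-Antispam-Report header formats are the ones Microsoft 365 writes on inbound mail, the function names are my own, and the example runs offline with no Exchange Online session.

```powershell
# Added example, not from the original article: pull the SPF, DKIM, DMARC, compauth, SCL
# and BCL values that the Email entity page shows out of a raw message header block.
# Works offline; no Exchange Online session is needed.
# The header block below is a CONSTRUCTED sample of a spoofed message, not a real one.

$SampleHeaders = @'
Authentication-Results: spf=fail (sender IP is 203.0.113.25)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=quarantine header.from=contoso.com; compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;LANG:en;SCL:6;SRV:;IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:SPOOF;DIR:INB;BCL:0
From: "Accounts Payable" <ap@contoso.com>
Subject: Invoice overdue
'@

function Get-HeaderValue {
    # Return the value of the first header named $Name from already-unfolded header lines
    param([string[]]$Lines, [string]$Name)
    $pattern = '^' + [regex]::Escape($Name) + ':\s*(.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

function Get-MessageAuthSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold continuation lines (RFC 5322 folding: a line starting with whitespace
    # continues the previous header), then split into individual header lines.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $lines    = $unfolded -split "`r?`n"

    $auth = Get-HeaderValue -Lines $lines -Name 'Authentication-Results'
    $fast = Get-HeaderValue -Lines $lines -Name 'X-Forefront-Antispam-Report'

    $summary = [ordered]@{
        HeaderFrom = $null; SPF = 'none'; DKIM = 'none'; DMARC = 'none'
        CompAuth = 'none'; CompAuthReason = $null; SCL = $null; BCL = $null; Category = $null
    }
    if ($auth) {
        $keys = @{ spf = 'SPF'; dkim = 'DKIM'; dmarc = 'DMARC'; compauth = 'CompAuth' }
        foreach ($method in 'spf', 'dkim', 'dmarc', 'compauth') {
            if ($auth -match "(?i)\b$method=([a-z]+)") { $summary[$keys[$method]] = $Matches[1].ToLower() }
        }
        if ($auth -match '(?i)\breason=(\d+)')           { $summary.CompAuthReason = $Matches[1] }
        if ($auth -match '(?i)\bheader\.from=([^\s;]+)') { $summary.HeaderFrom = $Matches[1] }
    }
    if ($fast) {
        # X-Forefront-Antispam-Report is a ';'-separated KEY:value list
        if ($fast -match '\bSCL:(\d+)')   { $summary.SCL = [int]$Matches[1] }
        if ($fast -match '\bBCL:(\d+)')   { $summary.BCL = [int]$Matches[1] }
        if ($fast -match '\bCAT:([^;]+)') { $summary.Category = $Matches[1] }
    }
    [pscustomobject]$summary
}

function Get-AuthAssessment {
    # Apply the article's reading of the values: compauth is the combined verdict,
    # DMARC fail on the From: domain is the strongest single spoofing signal.
    param([Parameter(Mandatory)][pscustomobject]$Summary)
    if ($Summary.CompAuth -eq 'pass') {
        return "Composite authentication passed for $($Summary.HeaderFrom): the From: domain is authenticated."
    }
    if ($Summary.DMARC -eq 'fail') {
        return "DMARC failed for $($Summary.HeaderFrom) (SPF=$($Summary.SPF), DKIM=$($Summary.DKIM)); treat as a likely spoof unless an override explains the delivery."
    }
    return "From: domain $($Summary.HeaderFrom) was not positively authenticated (compauth=$($Summary.CompAuth)); check the SPF, DKIM and DMARC details before trusting the sender."
}

$summary = Get-MessageAuthSummary -RawHeaders $SampleHeaders
$summary | Format-List
Get-AuthAssessment -Summary $summary
```

For the constructed sample the summary reports SPF fail, DKIM none, DMARC fail, compauth fail with reason 000, SCL 6, BCL 0 and category SPOOF, and the assessment flags a likely spoof of contoso.com. Paste the headers of a real message into $SampleHeaders to compare the result with the Email entity page's Analysis tab; the unfolding step matters because exported headers are almost always folded across several lines.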

Actions you can take on the Email entity Page

Security teams can take email actions like soft delete and hard delete, move to junk, move to inbox, trigger an investigation, and submit to Microsoft for review, all inline from the page. Tenant-level block actions for files, URLs, or senders can also be triggered from the Email entity page.

You will be able to select Take actions from the top right corner of the entity page and
this will open the Action wizard for you to select the specific action you need.

In the Action wizard you can take email actions, email submissions, block sender and
sender domain, investigative actions and two step approval (add to remediation) in the
same side pane. This follows a consistent flow for ease of use. The Action wizard uses
the same system as is used by Explorer actions (for Delete, Submissions, and
Investigation actions), for example. You will be able to see and track these actions in the
Unified action center (for deleted emails), in the
Submission portal (for
submissions), and in Tenant Allow/Block Lists page for (TABL blocks).

We are also bringing Tenant level block URL and attachment to the respective Email
entity URL and Attachments tabs. Upon approval, all the Tenant Allow and Block Lists (or
TABL) block URL and block attachments can be tracked under TABL/URL and TABL/file
pages.

See permissions required to take these actions.


The Email summary panel
The email summary panel is a summarized view of the full email entity page. It contains
standardized details about the email (for example, detections), as well as context-
specific information (for example, for Quarantine or Submissions metadata). The email
summary panel replaces the traditional email flyouts throughout Microsoft Defender for
Office 365.

Note

To view all the components, click on the Open email entity link to open the full
email entity page.

The email summary panel is divided into the following sections:

Delivery details: Contains information about threats and corresponding confidence
level, detection technologies, and original and latest delivery location.

Email details: Contains information about email properties like sender name,
sender address, time received, authentication details, and several other details.

URLs: By default, you will see 3 URLs and their corresponding threats. You can
always select View all URLs to expand and see all URLs and export them.

Attachments: By default, you will see 3 attachments. You can always select View all
attachments to expand and see all attachments.

In addition to the above sections, you will also see sections specific to a few
experiences that are integrated with the summary panel:

Submissions:

Submission details: Contains information about the specific submissions such as:
Date submitted
Subject
Submission type
Reason for submitting
Submission ID
Submitted by

Result details: Messages that are submitted are reviewed. You can see the result
of your submission as well as any recommended next steps.

Quarantine:

Quarantine details: Contains quarantine-specific details. For more information,
see Manage quarantined messages.
Expires: The date/time when the message will be automatically and
permanently deleted from quarantine.
Released to: All email addresses (if any) to which the message has been
released.
Not yet released to: All email addresses (if any) to which the message has not
yet been released.

Quarantine actions: For more information on different quarantine actions, see
Manage quarantined messages.

Threat Trackers - New and Noteworthy
Article • 12/09/2022 • 6 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 2
Microsoft 365 Defender

Office 365 Threat Investigation and Response capabilities enable your organization's
security team to discover and take action against cybersecurity threats. Office 365 Threat
Investigation and Response capabilities include Threat Tracker features, including
Noteworthy trackers. Read this article to get an overview of these new features and next
steps.

Important

Office 365 Threat Intelligence is now Microsoft Defender for Office 365 Plan 2,
along with additional threat protection capabilities. To learn more, see Microsoft
Defender for Office 365 plans and pricing and the Microsoft Defender for
Office 365 Service Description.

What are Threat Trackers?

Threat Trackers are informative widgets and views that provide you with intelligence on
different cybersecurity issues that might impact your company. For example, you can
view information about trending malware campaigns using Threat Trackers.

Trackers are just a few of the many great features you get with Microsoft Defender for
Office 365 Plan 2. Threat Trackers include Noteworthy trackers, Trending trackers,
Tracked queries, and Saved queries.

To view and use your Threat Trackers for your organization, open the Microsoft 365
Defender portal at https://security.microsoft.com, and go to Email & collaboration >
Threat tracker. To go directly to the Threat tracker page, use
https://security.microsoft.com/threattrackerv2.

Note

To use Threat Trackers, you must be a global administrator, security administrator,
or security reader. See Permissions in the Microsoft 365 Defender portal.

Noteworthy trackers
Noteworthy trackers are where you'll find big and smaller threats and risks that we think
you should know about. Noteworthy trackers help you find whether these issues exist in
your Microsoft 365 environment, plus link to articles (like this one) that give you more
details on what is happening, and how they'll impact your organization's use of Office
365. Whether it's a big new threat (e.g. Wannacry, Petya) or an existing threat that might
create some new challenges (like our other inaugural Noteworthy item - Nemucod), this
is where you'll find important new items you and your security team should review and
examine periodically.

Typically Noteworthy trackers will be posted for just a couple of weeks when we identify
new threats and think you might need the extra visibility that this feature provides. Once
the biggest risk for a threat has passed, we'll remove that Noteworthy item. This way, we
can keep the list fresh and up to date with other relevant new items.

Trending trackers
Trending trackers (formerly called Campaigns) highlight new threats received in your
organization's email in the past week. The Trending trackers view provides dynamic
assessments of email threats impacting your organization's Office 365 environment. This
view shows tenant level malware trends, identifying malware families on the rise, flat, or
declining, giving admins greater insight into which threats require further attention.


Trending trackers give you an idea of new threats you should review to ensure your
broader corporate environment is prepared against attacks.

Tracked queries
Tracked queries leverage your saved queries to periodically assess Microsoft 365 activity
in your organization. This gives you event trending, with more to come in the coming
months. Tracked queries run automatically, giving you up-to-date information without
having to remember to re-run your queries.

Saved queries
Saved queries are also found in the Trackers section. You can use Saved queries to store
the common Explorer searches that you want to get back to quicker and repeatedly,
without having to re-create the search every time.

You can always save a Noteworthy tracker query or any of your own Explorer queries
using the Save query button at the top of the Explorer page. Anything saved there will
show up in the Saved queries list on the Tracker page.
Trackers and Explorer
Whether you're reviewing email, content, or Office activities (coming soon), Explorer and
Trackers work together to help you investigate and track security risks and threats. All
together, Trackers provide you with information to protect your users by highlighting
new, notable, and frequently searched issues - ensuring your business is better
protected as it moves to the cloud.

And remember that you can always provide us feedback on this or other Microsoft 365
security features by clicking on the Feedback button in the lower-right corner.

Trackers and Microsoft Defender for Office 365

With our inaugural Noteworthy threat, we're highlighting advanced malware threats
detected by Safe Attachments. If you're an Office 365 Enterprise E5 customer and you're
not using Microsoft Defender for Office 365, you should be - it's included in your
subscription. Defender for Office 365 provides value even if you have other security
tools filtering email flow with your Office 365 services. However, anti-spam and Safe
Links features work best when your main email security solution is through Office 365.

In today's threat-riddled world, running only traditional anti-malware scans means you
are not protected well enough against attacks. Today's more sophisticated attackers use
commonly available tools to create new, obfuscated, or delayed attacks that won't be
recognized by traditional signature-based anti-malware engines. The Safe Attachments
feature takes email attachments and detonates them in a virtual environment to
determine whether they're safe or malicious. This detonation process opens each file in
a virtual computer environment, then watches what happens after the file is opened.
Whether it's a PDF, a compressed file, or an Office document, malicious code can be
hidden in a file, activating only once the victim opens it on their computer. By
detonating and analyzing the file in the email flow, Defender for Office 365 finds these
threats based on behaviors, file reputation, and a number of heuristic rules.

The new Noteworthy threat filter highlights items that were recently detected through
Safe Attachments. These detections represent items that are new malicious files, not
previously found by Microsoft 365 in either your email flow or other customers' email.
Pay attention to the items in the Noteworthy Threat Tracker, see who was targeted by
them, and review the detonation details shown on the Advanced Analysis tab (found by
clicking on the subject of the email in Explorer). Note you'll only find this tab on emails
detected by the Safe Attachments capability - this Noteworthy tracker includes that
filter, but you can also use that filter for other searches in Explorer.

Next steps
If your organization doesn't already have these Office 365 Threat Investigation and
Response capabilities, see How do we get Office 365 Threat Investigation and
Response capabilities?.

Make sure that your security team has the correct roles and permissions assigned.
You must be a global administrator, or have the Security Administrator or Search
and Purge role assigned in the Microsoft 365 Defender portal. See Permissions in
the Microsoft 365 Defender portal.

Watch for the new Trackers to show up in your Microsoft 365 environment. When
available, you'll find your Trackers on the Threat tracker page in the Microsoft 365
Defender portal at https://security.microsoft.com/threattracker.

If you haven't already done so, learn more about and configure Microsoft
Defender for Office 365 for your organization, including Safe links and Safe
Attachments.
Alert policies in Microsoft 365
Article • 12/22/2022 • 36 minutes to read

You can use the Alert policies page and the alert dashboard in the Microsoft Purview
compliance portal or the Microsoft 365 Defender portal to create alert policies and then
view the alerts generated when users perform activities that match the conditions of an
alert policy. There are several default alert policies that help you monitor activities such
as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns,
and unusual levels of file deletions and external sharing.

Tip

Go to the Default alert policies section in this article for a list and description of
the available alert policies.

Alert policies let you categorize the alerts that are triggered by a policy, apply the policy
to all users in your organization, set a threshold level for when an alert is triggered, and
decide whether to receive email notifications when alerts are triggered. There's also an
Alerts page where you can view and filter alerts, set an alert status to help you manage
alerts, and then dismiss alerts after you've addressed or resolved the underlying
incident.

Note

Alert policies are available for organizations with a Microsoft 365 Enterprise, Office
365 Enterprise, or Office 365 US Government E1/F1/G1, E3/F3/G3, or E5/G5
subscription. Advanced functionality is only available for organizations with an
E5/G5 subscription, or for organizations that have an E1/F1/G1 or E3/F3/G3
subscription and a Microsoft Defender for Office 365 P2 or a Microsoft 365 E5
Compliance or an E5 eDiscovery and Audit add-on subscription. The functionality
that requires an E5/G5 or add-on subscription is highlighted in this topic. Also note
that alert policies are available in Office 365 GCC, GCC High, and DoD US
government environments.

Tip

If you're not an E5 customer, you can try all the premium features in Microsoft
Purview for free. Use the 90-day Purview solutions trial to explore how robust
Purview capabilities can help your organization manage data security and
compliance needs. Start now at the Microsoft Purview compliance portal trials
hub. Learn details about signing up and trial terms.

How alert policies work

Here's a quick overview of how alert policies work and the alerts that are triggered when
user or admin activity matches the conditions of an alert policy.

1. An admin in your organization creates, configures, and turns on an alert policy by
using the Alert policies page in the compliance portal or the Microsoft 365
Defender portal. You can also create alert policies by using the
New-ProtectionAlert cmdlet in Security & Compliance PowerShell.

To create alert policies, you have to be assigned the Manage Alerts role or the
Organization Configuration role in the compliance portal or the Defender portal.

Note

It takes up to 24 hours after creating or updating an alert policy before alerts
can be triggered by the policy. This is because the policy has to be synced to
the alert detection engine.

2. A user performs an activity that matches the conditions of an alert policy. In the
case of malware attacks, infected email messages sent to users in your
organization trigger an alert.

3. Microsoft 365 generates an alert that's displayed on the Alerts page in the
compliance portal or Defender portal. Also, if email notifications are enabled for the
alert policy, Microsoft sends a notification to a list of recipients. The alerts that an
admin or other users can see on the Alerts page are determined by the roles
assigned to the user. For more information, see RBAC permissions required to view
alerts.

4. An admin manages alerts in the Microsoft Purview compliance portal. Managing
alerts consists of assigning an alert status to help track and manage any
investigation.

Alert policy settings

An alert policy consists of a set of rules and conditions that define the user or admin
activity that generates an alert, a list of users who trigger the alert if they perform the
activity, and a threshold that defines how many times the activity has to occur before an
alert is triggered. You also categorize the policy and assign it a severity level. These two
settings help you manage alert policies (and the alerts that are triggered when the
policy conditions are matched) because you can filter on these settings when managing
policies and viewing alerts in the Microsoft Purview compliance portal. For example, you
can view alerts that match the conditions from the same category or view alerts with the
same severity level.

To view and create alert policies:

Microsoft Purview compliance portal:

Go to the compliance portal, and then select Policies > Alert > Alert policies.

Microsoft 365 Defender portal:

Go to the Microsoft 365 Defender portal and under Email & collaboration select
Policies & rules > Alert policy. Alternatively, you can go directly to
https://security.microsoft.com/alertpolicies.

Note

You have to be assigned the View-Only Manage Alerts role to view alert policies in
the Microsoft Purview compliance portal or the Microsoft 365 Defender portal. You
have to be assigned the Manage Alerts role to create and edit alert policies. For
more information, see Permissions in the Microsoft Purview compliance portal.

An alert policy consists of the following settings and conditions.

Activity the alert is tracking. You create a policy to track an activity or in some
cases a few related activities, such as sharing a file with an external user by sharing
it directly, assigning access permissions, or creating an anonymous link. When a user
performs the activity defined by the policy, an alert is triggered based on the alert
threshold settings.

Note

The activities that you can track depend on your organization's Office 365
Enterprise or Office 365 US Government plan. In general, activities related to
malware campaigns and phishing attacks require an E5/G5 subscription or an
E1/F1/G1 or E3/F3/G3 subscription with a Defender for Office 365 Plan 2
add-on subscription.

Activity conditions. For most activities, you can define additional conditions that
must be met to trigger an alert. Common conditions include IP addresses (so that
an alert is triggered when the user performs the activity on a computer with a
specific IP address or within an IP address range), whether an alert is triggered if a
specific user or users perform that activity, and whether the activity is performed
on a specific file name or URL. You can also configure a condition that triggers an
alert when the activity is performed by any user in your organization. The available
conditions are dependent on the selected activity.

You can also define user tags as a condition of an alert policy. This results in the alerts
triggered by the policy to include the context of the impacted user. You can use system
user tags or custom user tags. For more information, see User tags in Microsoft
Defender for Office 365.

When the alert is triggered. You can configure a setting that defines how often an
activity can occur before an alert is triggered. This allows you to set up a policy to
generate an alert every time an activity matches the policy conditions, when a
certain threshold is exceeded, or when the occurrence of the activity the alert is
tracking becomes unusual for your organization.

If you select the setting based on unusual activity, Microsoft establishes a baseline
value that defines the normal frequency for the selected activity. It takes up to
seven days to establish this baseline, during which alerts won't be generated. After
the baseline is established, an alert is triggered when the frequency of the activity
tracked by the alert policy greatly exceeds the baseline value. For auditing-related
activities (such as file and folder activities), you can establish a baseline based on a
single user or based on all users in your organization; for malware-related
activities, you can establish a baseline based on a single malware family, a single
recipient, or all messages in your organization.

Note

The ability to configure alert policies based on a threshold or based on
unusual activity requires an E5/G5 subscription, or an E1/F1/G1 or E3/F3/G3
subscription with a Microsoft Defender for Office 365 P2, Microsoft 365 E5
Compliance, or Microsoft 365 eDiscovery and Audit add-on subscription.
Organizations with an E1/F1/G1 and E3/F3/G3 subscription can only create
alert policies where an alert is triggered every time that an activity occurs.

Alert category. To help with tracking and managing the alerts generated by a
policy, you can assign one of the following categories to a policy.
Data loss prevention
Information governance
Mail flow
Permissions
Threat management
Others

When an activity occurs that matches the conditions of the alert policy, the alert
that's generated is tagged with the category defined in this setting. This allows you
to track and manage alerts that have the same category setting on the Alerts page
in the Microsoft Purview portal because you can sort and filter alerts based on
category.

Alert severity. Similar to the alert category, you assign a severity attribute (Low,
Medium, High, or Informational) to alert policies. Like the alert category, when an
activity occurs that matches the conditions of the alert policy, the alert that's
generated is tagged with the same severity level that's set for the alert policy.
Again, this allows you to track and manage alerts that have the same severity
setting on the Alerts page. For example, you can filter the list of alerts so that only
alerts with a High severity are displayed.

Tip

When setting up an alert policy, consider assigning a higher severity to
activities that can result in severely negative consequences, such as detection
of malware after delivery to users, viewing of sensitive or classified data,
sharing data with external users, or other activities that can result in data loss
or security threats. This can help you prioritize alerts and the actions you take
to investigate and resolve the underlying causes.

Automated investigations. Some alerts will trigger automated investigations to
identify potential threats and risks that need remediation or mitigation. In most
cases these alerts are triggered by detection of malicious emails or activities, but in
some cases the alerts are triggered by administrator actions in the security portal.
For more information about automated investigations, see Automated
investigation and response (AIR) in Microsoft Defender for Office 365.

Email notifications. You can set up the policy so that email notifications are sent
(or not sent) to a list of users when an alert is triggered. You can also set a daily
notification limit so that once the maximum number of notifications has been
reached, no more notifications are sent for the alert during that day. In addition to
email notifications, you or other administrators can view the alerts that are
triggered by a policy on the Alerts page. Consider enabling email notifications for
alert policies of a specific category or that have a higher severity setting.

Default alert policies

Microsoft provides built-in alert policies that help identify Exchange admin permissions
abuse, malware activity, potential external and internal threats, and information
governance risks. On the Alert policies page, the names of these built-in policies are in
bold and the policy type is defined as System. These policies are turned on by default.
You can turn off these policies (or back on again), set up a list of recipients to send email
notifications to, and set a daily notification limit. The other settings for these policies
can't be edited.

The following tables list and describe the available default alert policies and the
category each policy is assigned to. The category is used to determine which alerts a
user can view on the Alerts page. For more information, see RBAC permissions required
to view alerts.

The tables also indicate the Office 365 Enterprise and Office 365 US Government plan
required for each one. Some default alert policies are available if your organization has
the appropriate add-on subscription in addition to an E1/F1/G1 or E3/F3/G3
subscription.

Note

The unusual activity monitored by some of the built-in policies is based on the
same process as the alert threshold setting that was previously described. Microsoft
establishes a baseline value that defines the normal frequency for "usual" activity.
Alerts are then triggered when the frequency of activities tracked by the built-in
alert policy greatly exceeds the baseline value.

Information governance alert policies

Note

The alert policies in this section are in the process of being deprecated based on
customer feedback as false positives. To retain the functionality of these alert
policies, you can create custom alert policies with the same settings.
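Added example (not code from the page or from Microsoft): Security & Compliance PowerShell commands that recreate the deprecated built-in "Unusual volume of file deletion" policy as a custom alert policy, and that show the three trigger modes described under Alert policy settings (every time, threshold, unusual activity) with the New-ProtectionAlert cmdlet the article names. The UPN, recipient list, and site URL are constructed; the Operation value FileDeleted and the Filter property Activity.SiteUrl are assumptions to confirm against the New-ProtectionAlert reference for your tenant.

```powershell
# Requires the ExchangeOnlineManagement module and the Manage Alerts role.
Connect-IPPSSession -UserPrincipalName secadmin@contoso.example   # constructed UPN

$recipients = @('soc@contoso.example')   # constructed notification list

# 1. Unusual activity: Microsoft builds a baseline over up to seven days, during which
#    no alerts fire. Threshold and unusual-activity policies need E5/G5 or an add-on.
New-ProtectionAlert -Name 'Custom - Unusual volume of file deletion' `
    -Category DataGovernance `
    -ThreatType Activity -Operation FileDeleted `
    -AggregationType AnomalousAggregation `
    -Severity Medium `
    -NotifyUser $recipients -NotificationEnabled $true `
    -Description 'Custom replacement for the deprecated built-in policy'

# 2. Threshold: alert once 100 deletions occur within a 60-minute window.
New-ProtectionAlert -Name 'Custom - Mass file deletion (threshold)' `
    -Category DataGovernance `
    -ThreatType Activity -Operation FileDeleted `
    -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -Severity High `
    -NotifyUser $recipients

# 3. Every time: no aggregation, so this mode is available on E1/E3 plans too;
#    scoped with a filter so it only watches one sensitive site (constructed URL).
New-ProtectionAlert -Name 'Custom - File deleted from finance site' `
    -Category DataGovernance `
    -ThreatType Activity -Operation FileDeleted `
    -AggregationType None `
    -Filter "Activity.SiteUrl -like 'https://contoso.sharepoint.com/sites/finance*'" `
    -Severity Low `
    -NotifyUser $recipients

# Confirm the policies exist; remember that a new or changed policy can take up to
# 24 hours to sync to the alert detection engine before it triggers anything.
Get-ProtectionAlert | Where-Object { $_.Name -like 'Custom - *' } |
    Format-Table Name, Severity, Disabled
```

Once the built-in information governance policies are retired, these custom policies keep the same coverage and can be tuned, which the System policies cannot.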

Name: Unusual external user file activity
Description: Generates an alert when an unusually large number of activities are
performed on files in SharePoint or OneDrive by users outside of your organization.
This includes activities such as accessing files, downloading files, and deleting files.
Severity: High
Automated investigation: No
Enterprise subscription: E5/G5, Microsoft Defender for Office 365 P2, or Microsoft 365
E5 add-on subscription

Name: Unusual volume of external file sharing
Description: Generates an alert when an unusually large number of files in SharePoint
or OneDrive are shared with users outside of your organization.
Severity: Medium
Automated investigation: No
Enterprise subscription: E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on
subscription

Name: Unusual volume of file deletion
Description: Generates an alert when an unusually large number of files are deleted in
SharePoint or OneDrive within a short time frame.
Severity: Medium
Automated investigation: No
Enterprise subscription: E5/G5, Defender for Office 365 P2, or Microsoft 365 E5 add-on
subscription

Mail flow alert policies

Name: Messages have been delayed
Description: Generates an alert when Microsoft can't deliver email messages to your
on-premises organization or a partner server by using a connector. When this happens,
the message is queued in Office 365. This alert is triggered when there are 2,000
messages or more that have been queued for more than an hour.
Severity: High
Automated investigation: No
Enterprise subscription: E1/F1/G1, E3/F3/G3, or E5/G5

Permissions alert policies

Name: Elevation of Exchange admin privilege
Description: Generates an alert when someone is assigned administrative permissions
in your Exchange Online organization. For example, when a user is added to the
Organization Management role group in Exchange Online.
Severity: Low
Automated investigation: No
Enterprise subscription: E1/F1/G1, E3/F3/G3, or E5/G5

Threat management alert policies

Name: A potentially malicious URL click was detected
Description: Generates an alert when a user protected by Safe Links in your
organization clicks a malicious link. This alert is generated when a user clicks on a link
and this event triggers a URL verdict change identification by Microsoft Defender for
Office 365. It also checks for any clicks in the past 48 hours from the time the malicious
URL verdict is identified, and generates alerts for the clicks that happened in the
48-hour timeframe for that malicious link. This alert automatically triggers automated
investigation and response in Office 365. For more information on events that trigger
this alert, see Set up Safe Links policies.
Severity: High
Automated investigation: Yes
Enterprise subscription: E5/G5 or Defender for Office 365 P2 add-on subscription

Name: A user clicked through to a potentially malicious URL
Description: Generates an alert when a user protected by Safe Links in your
organization clicks a malicious link. This event is triggered when a user clicks on a URL
(which is identified as malicious or pending validation) and overrides the Safe Links
warning page (based on your organization's Microsoft 365 for business Safe Links
policy) to continue to the URL hosted page / content. For Defender for Office 365 P2,
E5, G5 customers, this alert automatically triggers automated investigation and
response in Office 365. For more information on events that trigger this alert, see Set
up Safe Links policies.
Severity: High
Automated investigation: Yes
Enterprise subscription: E5/G5 or Defender for Office 365 P2 add-on subscription

Name: Admin submission result completed
Description: Generates an alert when an Admin Submission completes the rescan of
the submitted entity. An alert will be triggered every time a rescan result is rendered
from an Admin Submission. These alerts are meant to remind you to review the results
of previous submissions, submit user reported messages to get the latest policy check
and rescan verdicts, and help you determine if the filtering policies in your organization
are having the intended impact.
Severity: Informational
Automated investigation: No
Enterprise subscription: E1/F1, E3/F3, or E5

Name: Admin triggered manual investigation of email
Description: Generates an alert when an admin triggers the manual investigation of an
email from Threat Explorer. For more information, see Example: A security
administrator triggers an investigation from Threat Explorer. This alert notifies your
organization that the investigation was started. The alert provides information about
who triggered it and includes a link to the investigation.
Severity: Informational
Automated investigation: Yes
Enterprise subscription: E5/G5 or Microsoft Defender for Office 365 P2 add-on
subscription

Name: Admin triggered user compromise investigation
Description: Generates an alert when an admin triggers the manual user compromise
investigation of either an email sender or recipient from Threat Explorer. For more
information, see Example: A security administrator triggers an investigation from
Threat Explorer, which shows the related manual triggering of an investigation on an
email. This alert notifies your organization that the user compromise investigation was
started. The alert provides information about who triggered it and includes a link to
the investigation.
Severity: Medium
Automated investigation: Yes
Enterprise subscription: E5/G5 or Microsoft Defender for Office 365 P2 add-on
subscription

Name: Administrative action submitted by an Administrator
Description: Admins can take manual email actions on email entities using various
surfaces. For example, Threat Explorer, advanced hunting or through custom detection.
When the remediation starts, it generates an alert. This alert shows up in the alerts
queue with the name Administrative action submitted by an Administrator to indicate
that an admin took the action of remediating an entity. The alert contains details like
the action type, supporting investigation link, time, etc. It's helpful to know whenever a
sensitive action like remediation is performed on entities.
Severity: Informational
Automated investigation: Yes
Enterprise subscription: E5/G5 or Defender for Office 365 P2 add-on subscription

Name: Creation of forwarding/redirect rule
Description: Generates an alert when someone in your organization creates an inbox
rule for their mailbox that forwards or redirects messages to another email account.
This policy only tracks inbox rules that are created using Outlook on the web (formerly
known as Outlook Web App) or Exchange Online PowerShell. For more information
about using inbox rules to forward and redirect email in Outlook on the web, see Use
rules in Outlook on the web to automatically forward messages to another account.
Severity: Informational
Automated investigation: No
Enterprise subscription: E1/F1/G1, E3/F3/G3, or E5/G5

Name: eDiscovery search started or exported
Description: Generates an alert when someone uses the Content search tool in the
Microsoft Purview portal. An alert is triggered when the following content search
activities are performed: a content search is started; the results of a content search
are exported; a content search report is exported. Alerts are also triggered when the
previous content search activities are performed in association with an eDiscovery
case. For more information about content search activities, see Search for eDiscovery
activities in the audit log.
Severity: Informational
Automated investigation: No
Enterprise subscription: E1/F1/G1, E3/F3/G3, or E5/G5

Name: Email messages containing malicious file removed after delivery
Description: Generates an alert when any messages containing a malicious file are
delivered to mailboxes in your organization. If this event occurs, Microsoft removes the
infected messages from Exchange Online mailboxes using Zero-hour auto purge. This
policy automatically triggers automated investigation and response in Office 365. For
more information on this new policy, see New alert policies in Microsoft Defender for
Office 365.
Severity: Informational
Automated investigation: Yes
Enterprise subscription: E5/G5 or Microsoft Defender for Office 365 P2 add-on
subscription

Name: Email messages containing malicious URL removed after delivery
Description: Generates an alert when any messages containing a malicious URL are
delivered to mailboxes in your organization. If this event occurs, Microsoft removes the
infected messages from Exchange Online mailboxes using Zero-hour auto purge. This
policy automatically triggers automated investigation and response in Office 365. For
more information on this new policy, see New alert policies in Microsoft Defender for
Office 365.
Severity: Informational
Automated investigation: Yes
Enterprise subscription: E5/G5 or Defender for Office 365 P2 add-on subscription

Name: Email messages containing malware removed after delivery
Description: Note: This alert policy has been replaced by Email messages containing
malicious file removed after delivery. This alert policy will eventually go away, so we
recommend disabling this alert policy and using Email messages containing malicious
file removed after delivery instead. For more information, see New alert policies in
Microsoft Defender for Office 365.
Severity: Informational
Automated investigation: Yes
Enterprise subscription: E5/G5 or Microsoft Defender for Office 365 P2 add-on
subscription

Name: Email messages containing phish URLs removed after delivery
Description: Note: This alert policy has been replaced by Email messages containing
malicious URL removed after delivery. This alert policy will eventually go away, so we
recommend disabling this alert policy and using Email messages containing malicious
URL removed after delivery instead. For more information, see New alert policies in
Microsoft Defender for Office 365.
Severity: Informational
Automated investigation: Yes
Enterprise subscription: E5/G5 or Defender for Office 365 P2 add-on subscription

Name: Email messages from a campaign removed after delivery
Description: Generates an alert when any messages associated with a Campaign are
delivered to mailboxes in your organization. If this event occurs, Microsoft removes the
infected messages from Exchange Online mailboxes using Zero-hour auto purge. This
policy automatically triggers automated investigation and response in Office 365. For
more information on this new policy, see New alert policies in Microsoft Defender for
Office 365.
Severity: Informational
Automated investigation: Yes
Enterprise subscription: E5/G5 or Defender for Office 365 P2 add-on subscription

Email messages Generates an alert when any Informational Yes E5/G5 or


removed after malicious messages that do Defender for
delivery not contain a malicious Office 365
entity (URL or File), or P2 add-on
associated with a Campaign, subscription
are delivered to mailboxes in
your organization. If this
event occurs, Microsoft
removes the infected
messages from Exchange
Online mailboxes using
Zero-hour auto purge. This
policy automatically triggers
automated investigation and
response in Office 365. For
more information on this
new policy, see New alert
policies in Microsoft
Defender for Office 365.

Email reported by Generates an alert when Low Yes E1/F1/G1,


user as malware or users in your organization E3/F3/G3, or
phish report messages as phishing E5/G5
email using the Report
Message add-in. For more
information about this add-
in, see Use the Report
Message add-in . For
Defender for Office 365 P2,
E5, G5 customers, this alert
automatically triggers
automated investigation and
response in Office 365.
Name Description Severity Automated Enterprise
investigation subscription

Email sending limit Generates an alert when Medium No E1/F1/G1,


exceeded someone in your E3/F3/G3, or
organization has sent more E5/G5
mail than is allowed by the
outbound spam policy. This
is usually an indication the
user is sending too much
email or that the account
may be compromised. If you
get an alert generated by
this alert policy, it's a good
idea to check whether the
user account is
compromised.

Form blocked due Generates an alert when High No E1, E3/F3, or


to potential someone in your E5
phishing attempt organization has been
restricted from sharing forms
and collecting responses
using Microsoft Forms due
to detected repeated
phishing attempt behavior.

Form flagged and Generates an alert when a High No E1, E3/F3, or


confirmed as form created in Microsoft E5
phishing Forms from within your
organization has been
identified as potential
phishing through Report
Abuse and confirmed as
phishing by Microsoft.

Malware campaign Generates an alert when an High No E5/G5 or


detected after unusually large number of Microsoft
delivery* messages containing Defender for
malware are delivered to Office 365
mailboxes in your P2 add-on
organization. If this event subscription
occurs, Microsoft removes
the infected messages from
Exchange Online mailboxes.
Name Description Severity Automated Enterprise
investigation subscription

Malware campaign Generates an alert when Low No E5/G5 or


detected and someone has attempted to Defender for
blocked* send an unusually large Office 365
number of email messages P2 add-on
containing a certain type of subscription
malware to users in your
organization. If this event
occurs, the infected
messages are blocked by
Microsoft and not delivered
to mailboxes.

Malware campaign Generates an alert when an High No E5/G5 or


detected in unusually high volume of Defender for
SharePoint and malware or viruses is Office 365
OneDrive* detected in files located in P2 add-on
SharePoint sites or OneDrive subscription
accounts in your
organization.

Malware not Generates an alert when Informational No E5/G5 or


zapped because Microsoft detects delivery of Defender for
ZAP is disabled a malware message to a Office 365
mailbox because Zero-Hour P2 add-on
Auto Purge for Phish subscription
messages is disabled.

Messages Generates an alert when any Medium Yes E5/G5 or


containing message containing Defender for
malicious entity not malicious content (file, URL, Office 365
removed after campaign, no entity), is P2 add-on
delivery delivered to mailboxes in subscription
your organization. If this
event occurs, Microsoft
attempted to remove the
infected messages from
Exchange Online mailboxes
using Zero-hour auto purge,
but the message was not
removed due to a failure.
Additional investigation is
recommended. This policy
automatically triggers
automated investigation and
response in Office 365.
Name Description Severity Automated Enterprise
investigation subscription

Phish delivered Note: This alert policy is in Informational No E1/F1/G1,


because a user's the process of being E3/F3/G3, or
Junk Mail folder is deprecated. Mailbox settings E5/G5
disabled no longer determine
whether detected messages
can be moved to the Junk
Email folder. For more
information, see Configure
junk email settings on
Exchange Online mailboxes.

Phish delivered due Generates an alert when Informational No E1/F1/G1,


to an ETR override** Microsoft detects an E3/F3/G3, or
Exchange transport rule (also E5/G5
known as a mail flow rule)
that allowed delivery of a
high confidence phishing
message to a mailbox. For
more information about
Exchange Transport Rules
(Mail flow rules), see Mail
flow rules (transport rules) in
Exchange Online.

Phish delivered due Generates an alert when Informational No E1/F1/G1,


to an IP allow Microsoft detects an IP allow E3/F3/G3, or
policy** policy that allowed delivery E5/G5
of a high confidence
phishing message to a
mailbox. For more
information about the IP
allow policy (connection
filtering), see Configure the
default connection filter
policy - Office 365.

Phish not zapped Generates an alert when Informational No E5/G5 or


because ZAP is Microsoft detects delivery of Defender for
disabled** a high confidence phishing Office 365
message to a mailbox P2 add-on
because Zero-Hour Auto subscription
Purge for Phish messages is
disabled.
Name Description Severity Automated Enterprise
investigation subscription

Potential nation- Microsoft Threat Intelligence High No E5/G5 or


state activity Center detected an attempt Defender for
to compromise accounts Office 365
from your tenant. P2 add-on
subscription

Remediation action Note: This alert policy has Informational Yes E5/G5 or
taken by admin on been replaced by the Defender for
emails or URL or Administrative action Office 365
sender submitted by an P2 add-on
Administrator alert policy. subscription
This alert policy will
eventually go away, so we
recommend disabling this
alert policy and using
Administrative action
submitted by an
Administrator instead.

This alert is triggered when


an admin takes remediation
action on the selected entity

Suspicious Generates an alert when a High No E1/F1/G1,


connector activity suspicious activity is E3/F3/G3, or
detected on an inbound E5/G5
connector in your
organization. Mail is blocked
from using the inbound
connector. The admin will
receive an email notification
and an alert. This alert
provides guidance on how
to investigate, revert
changes, and unblock a
restricted connector. To learn
how to respond to this alert,
see Respond to a
compromised connector.
Name Description Severity Automated Enterprise
investigation subscription

Suspicious email Generates an alert when High No E1/F1/G1,


forwarding activity someone in your E3/F3/G3, or
organization has E5/G5
autoforwarded email to a
suspicious external account.
This is an early warning for
behavior that may indicate
the account is compromised,
but not severe enough to
restrict the user. Although
it's rare, an alert generated
by this policy may be an
anomaly. It's a good idea to
check whether the user
account is compromised.

Suspicious email Generates an alert when Medium Yes E1/F1/G1,


sending patterns someone in your E3/F3/G3, or
detected organization has sent E5/G5
suspicious email and is at
risk of being restricted from
sending email. This is an
early warning for behavior
that may indicate that the
account is compromised, but
not severe enough to restrict
the user. Although it's rare,
an alert generated by this
policy may be an anomaly.
However, it's a good idea to
check whether the user
account is compromised.
Name Description Severity Automated Enterprise
investigation subscription

Tenant Allow/Block Generates an alert when a Informational No E5/G5 or


List entry is about Tenant Allow/Block List entry Defender for
to expire is about to be removed. This Office 365
event is triggered three days P2 add-on
prior to expiration date, subscription
which is based when the
entry was created or last
updated.

For blocks, you can extend


the expiration date to keep
the block in place. For
allows, you need to resubmit
the item so that our analysts
can take another look.
However, if the allow has
already been graded as a
false positive, then the entry
will only expire when the
system filters have been
updated to naturally allow
the entry. For more
information on events that
trigger this alert, see
Manage the Tenant
Allow/Block list.

Suspicious tenant Generates an alert when High No E1/F1/G1,


sending patterns Suspicious sending patterns E3/F3/G3, or
observed have been observed in your E5/G5
organization, which may lead
to your organization being
blocked from sending
emails. Investigate any
potentially compromised
user and admin accounts,
new connectors, or open
relays to avoid tenant
exceed threshold blocks. For
more information about why
organizations are blocked,
see Fix email delivery issues
for error code 5.7.7xx in
Exchange Online.
Name Description Severity Automated Enterprise
investigation subscription

Tenant restricted Generates an alert when High No E1/F1/G1,


from sending email most of the email traffic E3/F3/G3, or
from your organization has E5/G5
been detected as suspicious
and Microsoft has restricted
your organization from
sending email. Investigate
any potentially compromised
user and admin accounts,
new connectors, or open
relays, and then contact
Microsoft Support to
unblock your organization.
For more information about
why organizations are
blocked, see Fix email
delivery issues for error code
5.7.7xx in Exchange Online.

Tenant restricted Generates an alert when too High No E1/F1/G1,


from sending much email is being sent E3/F3/G3, or
unprovisioned from unregistered domains E5/G5
email (also known as unprovisioned
domains). Office 365 allows a
reasonable amount of email
from unregistered domains,
but you should configure
every domain that you use
to send email as an accepted
domain. This alert indicates
that all users in the
organization can no longer
send email. For more
information about why
organizations are blocked,
see Fix email delivery issues
for error code 5.7.7xx in
Exchange Online.
Name Description Severity Automated Enterprise
investigation subscription

Unusual increase in Generates an alert when Medium No E5/G5 or


email reported as there's a significant increase Defender for
phish* in the number of people in Office 365
your organization using the P2 add-on
Report Message add-in in subscription
Outlook to report messages
as phishing mail. For more
information about this add-
in, see Use the Report
Message add-in .

User requested to Generates an alert when a Informational No Microsoft


release a user requests release for a Business
quarantined quarantined message. To Basic,
message request the release of Microsoft
quarantined messages, the Business
Allow recipients to request Standard,
a message to be released Microsoft
from quarantine Business
(PermissionToRequestRelease) Premium,
permission is required in the E1/F1/G1,
quarantine policy (for E3/F3/G3, or
example, from the Limited E5/G5
access preset permissions
group). For more
information, see Allow
recipients to request a
message to be released from
quarantine permission.
Name Description Severity Automated Enterprise
investigation subscription

User restricted Generates an alert when High Yes Microsoft


from sending email someone in your Business
organization is restricted Basic,
from sending outbound Microsoft
mail. This typically results Business
when an account is Standard,
compromised, and the user Microsoft
is listed on the Restricted Business
Users page in the Premium,
compliance portal. (To access E1/F1/G1,
this page, go to Threat E3/F3/G3, or
management > Review > E5/G5
Restricted Users). For more
information about restricted
users, see Removing a user,
domain, or IP address from a
block list after sending spam
email.

User restricted Generates an alert when High No E1, E3/F3, or


from sharing forms someone in your E5
and collecting organization has been
responses restricted from sharing forms
and collecting responses
using Microsoft Forms due
to detected repeated
phishing attempt behavior.

* This alert policy is in the process of being deprecated based on customer feedback as a false positive. To retain the functionality of this alert policy, you can create a custom alert policy with the same settings.

** This alert policy is part of the replacement functionality for the Phish delivered due to tenant or user override and User impersonation phish delivered to inbox/folder alert policies that were removed based on user feedback. For more information about anti-phishing in Office 365, see Anti-phishing policies.

View alerts
When an activity performed by users in your organization matches the settings of an
alert policy, an alert is generated and displayed on the Alerts page in the Microsoft
Purview portal or the Defender portal. Depending on the settings of an alert policy, an
email notification is also sent to a list of specified users when an alert is triggered. For
each alert, the dashboard on the Alerts page displays the name of the corresponding
alert policy, the severity and category for the alert (defined in the alert policy), and the
number of times an activity has occurred that resulted in the alert being generated. This
value is based on the threshold setting of the alert policy. The dashboard also shows the
status for each alert. For more information about using the status property to manage
alerts, see Managing alerts.

To view alerts:

Microsoft Purview compliance portal: Go to https://compliance.microsoft.com and then select Alerts. Alternatively, you can go directly to https://compliance.microsoft.com/compliancealerts.

Microsoft 365 Defender portal: Go to the Microsoft 365 Defender portal and then select Incidents & alerts > Alerts. Alternatively, you can go directly to https://security.microsoft.com/alerts.

You can use the following filters to view a subset of all the alerts on the Alerts page:

Status: Show alerts that are assigned a particular status. The default status is
Active. You or other administrators can change the status value.
Policy: Show alerts that match the setting of one or more alert policies. Or you can
display all alerts for all alert policies.
Time range: Show alerts that were generated within a specific date and time range.
Severity: Show alerts that are assigned a specific severity.
Category: Show alerts from one or more alert categories.
Tags: Show alerts from one or more user tags. Tags are reflected based on tagged
mailboxes or users that appear in the alerts. See User tags in Defender for Office
365 to learn more.
Source: Use this filter to show alerts triggered by alert policies in the Microsoft
Purview portal or alerts triggered by Microsoft Defender for Cloud Apps policies,
or both. For more information about Defender for Cloud Apps alerts, see the View
Defender for Cloud Apps alerts section in this article.

Important

Filtering and sorting by user tags is currently in Public Preview, and might be
substantially modified before it's generally available. Microsoft makes no
warranties, express or implied, with respect to the information provided about it.

Alert aggregation
When multiple events that match the conditions of an alert policy occur within a short
period of time, they are added to an existing alert by a process called alert aggregation.
When an event triggers an alert, the alert is generated and displayed on the Alerts page
and a notification is sent. If the same event occurs within the aggregation interval, then
Microsoft 365 adds details about the new event to the existing alert instead of
triggering a new alert. The goal of alert aggregation is to help reduce alert "fatigue" and
let you focus and take action on fewer alerts for the same event.

The length of the aggregation interval depends on your Office 365 or Microsoft 365
subscription.

| Subscription | Aggregation interval |
|---|---|
| Office 365 or Microsoft 365 E5/G5 | 1 minute |
| Defender for Office 365 Plan 2 | 1 minute |
| E5 Compliance add-on or E5 Discovery and Audit add-on | 1 minute |
| Office 365 or Microsoft 365 E1/F1/G1 or E3/F3/G3 | 15 minutes |
| Defender for Office 365 Plan 1 or Exchange Online Protection | 15 minutes |

When events that match the same alert policy occur within the aggregation interval,
details about the subsequent event are added to the original alert. For all events,
information about aggregated events is displayed in the details field, and the number of
times an event occurred within the aggregation interval is displayed in the activity/hit
count field. You can view more information about all aggregated event instances by
viewing the activity list.

The following screenshot shows an alert with four aggregated events. The activity list
contains information about the four email messages relevant to the alert.
Keep the following things in mind about alert aggregation:

Alerts triggered by the A potentially malicious URL click was detected default
alert policy are not aggregated. This is because alerts triggered by this policy are
unique to each user and email message.

At this time, the Hit count alert property doesn't indicate the number of
aggregated events for all alert policies. For alerts triggered by these alert policies,
you can view the aggregated events by clicking View message list or View activity
on the alert. We're working to make the number of aggregated events listed in the
Hit count alert property available for all alert policies.
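The aggregation behavior described above, as an added example that is not part of the Microsoft documentation: a simplified PowerShell model in which events for the same policy that fall inside the aggregation interval, measured from the first event of the open alert, are folded into that alert and raise its hit count, while later events open a new alert. The interval lengths come from the subscription table above; anchoring the window at the alert's first event, the event object shape (Policy, Time, Detail), and the sample events are assumptions.

```powershell
# Added example, not Microsoft's code: a simplified model of alert aggregation.
# Assumptions: the window is anchored at the first event of the currently open
# alert; events are objects with Policy, Time and Detail properties.

function Get-AggregationInterval {
    param([Parameter(Mandatory)][string]$Subscription)
    # Interval lengths as listed in the subscription table on this page.
    switch ($Subscription) {
        { $_ -in 'E5', 'G5', 'Defender for Office 365 Plan 2' } {
            return [timespan]::FromMinutes(1)
        }
        { $_ -in 'E1', 'F1', 'G1', 'E3', 'F3', 'G3',
                 'Defender for Office 365 Plan 1', 'Exchange Online Protection' } {
            return [timespan]::FromMinutes(15)
        }
        default { throw "Unknown subscription '$Subscription'" }
    }
}

function Group-AlertEvents {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][timespan]$Interval,
        # Policies whose alerts are unique per user and message and are never aggregated.
        [string[]]$NeverAggregate = @('A potentially malicious URL click was detected')
    )
    $alerts = [System.Collections.Generic.List[object]]::new()
    $open = @{}   # policy name -> the alert currently accepting events for that policy
    foreach ($e in ($Events | Sort-Object Time)) {
        $current = $open[$e.Policy]
        if ($current -and $e.Policy -notin $NeverAggregate -and
            ($e.Time - $current.FirstSeen) -le $Interval) {
            # Same policy inside the window: add the event's details and raise the
            # hit count; no new alert and no new notification.
            $current.HitCount++
            $current.LastSeen = $e.Time
            $current.Activity.Add($e.Detail)
        } else {
            # Outside the window (or a never-aggregated policy): a new alert is generated.
            $alert = [pscustomobject]@{
                Policy    = $e.Policy
                FirstSeen = $e.Time
                LastSeen  = $e.Time
                HitCount  = 1
                Activity  = [System.Collections.Generic.List[string]]::new()
            }
            $alert.Activity.Add($e.Detail)
            $alerts.Add($alert)
            $open[$e.Policy] = $alert
        }
    }
    return $alerts
}

# Constructed sample: three ZAP events for one policy (30 s and 12 min apart)
# plus two URL-click events, which always stay separate.
$zap   = 'Email messages containing malicious URL removed after delivery'
$click = 'A potentially malicious URL click was detected'
$t0    = [datetime]'2024-01-15T09:00:00'
$sample = @(
    [pscustomobject]@{ Policy = $zap;   Time = $t0;                Detail = 'message 1 purged from user1' }
    [pscustomobject]@{ Policy = $zap;   Time = $t0.AddSeconds(30); Detail = 'message 2 purged from user2' }
    [pscustomobject]@{ Policy = $click; Time = $t0.AddSeconds(45); Detail = 'user1 clicked URL in message 1' }
    [pscustomobject]@{ Policy = $click; Time = $t0.AddSeconds(50); Detail = 'user2 clicked URL in message 2' }
    [pscustomobject]@{ Policy = $zap;   Time = $t0.AddMinutes(12); Detail = 'message 3 purged from user3' }
)

# E5 (1 minute): the third ZAP event opens a second alert, 4 alerts in total.
# E3 (15 minutes): all three ZAP events land in one alert with hit count 3, 3 alerts in total.
foreach ($plan in 'E5', 'E3') {
    $interval = Get-AggregationInterval -Subscription $plan
    Write-Output "== $plan (aggregation interval: $($interval.TotalMinutes) min) =="
    Group-AlertEvents -Events $sample -Interval $interval |
        Format-Table Policy, FirstSeen, HitCount, @{ n = 'Activity'; e = { $_.Activity -join '; ' } } -AutoSize
}
```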

RBAC permissions required to view alerts


The Role Based Access Control (RBAC) permissions assigned to users in your
organization determine which alerts a user can see on the Alerts page. How is this
accomplished? The management roles assigned to users (based on their membership in
role groups in the compliance portal or the Microsoft 365 Defender portal) determine
which alert categories a user can see on the Alerts page. Here are some examples:

Members of the Records Management role group can view only the alerts that are
generated by alert policies that are assigned the Information governance
category.
Members of the Compliance Administrator role group can't view alerts that are
generated by alert policies that are assigned the Threat management category.
Members of the eDiscovery Manager role group can't view any alerts because
none of the assigned roles provide permission to view alerts from any alert
category.

This design (based on RBAC permissions) lets you determine which alerts can be viewed
(and managed) by users in specific job roles in your organization.

The following table lists the roles that are required to view alerts from the six different
alert categories. A check mark indicates that a user who is assigned that role can view
alerts from the corresponding alert category listed in the title row.

To see which category a default alert policy is assigned to, see the tables in Default alert
policies.

| Role | Information governance | Data loss prevention | Mail flow | Permissions | Threat management | Others |
|---|---|---|---|---|---|---|
| Compliance Administrator | ✔ | ✔ | ✔ | | | ✔ |
| DLP Compliance Management | | ✔ | | | | |
| Information Protection Admin | | ✔ | | | | |
| Information Protection Analyst | | ✔ | | | | |
| Information Protection Investigator | | ✔ | | | | |
| Manage Alerts | | | | | ✔ | |
| Organization Configuration | | | | | ✔ | |
| Privacy Management | | | | | | |
| Quarantine | | | | | | |
| Record Management | ✔ | | | | | |
| Retention Management | ✔ | | | | | |
| Role Management | | | | ✔ | | |
| Security Administrator | ✔ | ✔ | ✔ | | ✔ | |
| Security Reader | ✔ | ✔ | ✔ | | ✔ | |
| Transport Hygiene | | | | | | |
| View-Only DLP Compliance Management | | ✔ | | | | |
| View-Only Configuration | | | | | | |
| View-Only Manage Alerts | | | | | ✔ | |
| View-Only Recipients | | | ✔ | | | |
| View-Only Record Management | ✔ | | | | | |
| View-Only Retention Management | ✔ | | | | | |

 Tip

To view the roles that are assigned to each of the default role groups, run the
following commands in Security & Compliance PowerShell:

PowerShell

$RoleGroups = Get-RoleGroup
$RoleGroups | foreach {Write-Output -InputObject `r`n,$_.Name,("-"*25); Get-RoleGroup $_.Identity | Select-Object -ExpandProperty Roles}

You can also view the roles assigned to a role group in the compliance portal or the
Microsoft 365 Defender portal. Go to the Permissions page, and select a role
group. The assigned roles are listed on the flyout page.

Manage alerts
After alerts have been generated and displayed on the Alerts page in the Microsoft
Purview portal, you can triage, investigate, and resolve them. The same RBAC
permissions that give users access to alerts also give them the ability to manage alerts.

Here are some tasks you can perform to manage alerts.

Assign a status to alerts: You can assign one of the following statuses to alerts:
Active (the default value), Investigating, Resolved, or Dismissed. Then, you can
filter on this setting to display alerts with the same status setting. This status
setting can help track the process of managing alerts.

View alert details: You can select an alert to display a flyout page with details
about the alert. The detailed information depends on the corresponding alert
policy, but it typically includes the following information:
The name of the actual operation that triggered the alert, such as a cmdlet or an
audit log operation.
A description of the activity that triggered the alert.
The user (or list of users) who triggered the alert. This is included only for alert
policies that are set up to track a single user or a single activity.
The number of times the activity tracked by the alert was performed. This
number may not match the actual number of related alerts listed on the Alerts
page because more alerts may have been triggered.
A link to an activity list that includes an item for each activity that was
performed that triggered the alert. Each entry in this list identifies when the
activity occurred, the name of the actual operation (such as "FileDeleted"), the
user who performed the activity, the object (such as a file, an eDiscovery case, or
a mailbox) that the activity was performed on, and the IP address of the user's
computer. For malware-related alerts, this links to a message list.
The name (and link) of the corresponding alert policy.

Suppress email notifications: You can turn off (or suppress) email notifications
from the flyout page for an alert. When you suppress email notifications, Microsoft
won't send notifications when activities or events that match the conditions of the
alert policy occur. But alerts will be triggered when activities performed by users
match the conditions of the alert policy. You can also turn off email notifications by
editing the alert policy.
Resolve alerts: You can mark an alert as resolved on the flyout page for an alert
(which sets the status of the alert to Resolved). Unless you change the filter,
resolved alerts aren't displayed on the Alerts page.

View Defender for Cloud Apps alerts


Alerts that are triggered by Defender for Cloud Apps policies are now displayed on the
Alerts page in the Microsoft Purview portal. This includes alerts that are triggered by
activity policies and alerts that are triggered by anomaly detection policies in Defender
for Cloud Apps. This means you can view all alerts in the Microsoft Purview portal.
Defender for Cloud Apps is only available for organizations with an Office 365 Enterprise
E5 or Office 365 US Government G5 subscription. For more information, see Overview of
Defender for Cloud Apps.

Organizations that have Microsoft Defender for Cloud Apps as part of an Enterprise
Mobility + Security E5 subscription or as a standalone service can also view Defender for
Cloud Apps alerts that are related to Microsoft 365 apps and services in the compliance
portal or the Microsoft 365 Defender portal.

To display only Defender for Cloud Apps alerts in the Microsoft Purview portal or the
Defender portal, use the Source filter and select Defender for Cloud Apps.
Similar to an alert triggered by an alert policy in the Microsoft Purview portal, you can
select a Defender for Cloud Apps alert to display a flyout page with details about the
alert. The alert includes a link to view the details and manage the alert in the Defender
for Cloud Apps portal and a link to the corresponding Defender for Cloud Apps policy
that triggered the alert. See Monitor alerts in Defender for Cloud Apps.
Important

Changing the status of a Defender for Cloud Apps alert in the Microsoft Purview
portal won't update the resolution status for the same alert in the Defender for
Cloud Apps portal. For example, if you mark the status of the alert as Resolved in
the Microsoft Purview portal, the status of the alert in the Defender for Cloud Apps
portal is unchanged. To resolve or dismiss a Defender for Cloud Apps alert, manage
the alert in the Defender for Cloud Apps portal.
Search for role group changes or admin
audit logs in Exchange Online
Article • 06/09/2022 • 8 minutes to read

Note

Classic Exchange admin center is in the process of being deprecated in worldwide
deployment. We recommend that you search the audit log in the Microsoft Purview
compliance portal. For more information, see Deprecation of the classic Exchange
admin center in WW service and Search the audit log in the compliance portal.

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can use the following options to
search the admin audit logs to discover who made changes to the organization and
recipient configuration:

Run an administrator role group report in the Exchange admin center (EAC).
Use PowerShell to search for admin audit log entries and send the results to a
recipient.

These options can be helpful when you're trying to track the cause of unexpected
behavior, to identify a malicious administrator, or to verify that compliance requirements
are being met. Both of these options are described in this article.

 Tip

You can also use the EAC to view entries in the admin audit log. For more
information, see View the admin audit log.

What do you need to know before you begin?


Estimated time to complete each procedure: less than 5 minutes

You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "View-only administrator
audit logging" entry in the Feature permissions in Exchange Online topic.

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.
To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone Exchange Online Protection PowerShell see
Connect to Exchange Online Protection PowerShell.

For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.

 Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .

Use the EAC to run an administrator role group report
Use the administrator role group report to see the changes in membership that have
been made to management roles.

1. In the EAC, go to Compliance management > Auditing, and then choose Run an
administrator role group report.

2. In the Search for changes to administrator role groups page that opens,
configure the following settings:

Start date and End date: Enter a date range. By default, the report searches
for changes made to administrator role groups in the past two weeks.

Select role groups: By default, all role groups are searched. To filter the
results by specific role groups, click Select role groups. In the dialog that
appears, select a role group and click add ->. Repeat this step as many times
as necessary, and then click OK when you're finished.

3. When you're finished, click Search.

If any changes are found using the specified criteria, they will appear in the results pane.
Click a role group in the search results to see the changes in the details pane.

Monitor changes to role group membership


When members are added to or removed from a role group, the search results
displayed in the details pane indicate that the role group membership was updated and
lists the current members. The results don't explicitly state which user was added or
removed.

To determine if a user was added or removed, you have to compare two separate entries
in the report. For example, let's look at the following log entries for the HelpDesk role
group:

1/27/2021 4:43 PM

Administrator

Updated members: Administrator;annb,florencef;pilarp

2/06/2018 10:09 AM

Administrator

Updated members: Administrator;annb;florencef;pilarp;tonip

2/19/2021 2:12 PM

Administrator

Updated members: Administrator;annb;florencef;tonip

In this example, the Administrator user account made the following changes:

On 2/06/2021, they added the user tonip.
On 2/19/2021, they removed the user pilarp.
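Doing that comparison automatically, as an added example that is not part of the Microsoft documentation: the functions below parse report entries of the three-line shape shown above and diff consecutive "Updated members" lists with Compare-Object, so the added and removed users are reported explicitly. The entries are constructed from the HelpDesk sample (with 2/06/2021 for the middle entry, as the explanation gives it); the function names and the entry format are assumptions, not part of the EAC report itself.

```powershell
# Added example, not Microsoft's code. Assumption: each report entry is three
# non-empty lines (timestamp, actor, "Updated members: a;b;c"), as in the
# HelpDesk sample on this page.

function ConvertFrom-RoleGroupReportEntries {
    param([Parameter(Mandatory)][string]$Text)
    $lines = @($Text -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    for ($i = 0; $i + 2 -lt $lines.Count; $i += 3) {
        # Tolerate both ';' and ',' as separators, since the sample entry mixes them.
        $members = ($lines[$i + 2] -replace '^Updated members:\s*', '') -split '[;,]' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        [pscustomobject]@{
            When    = [datetime]::Parse($lines[$i], [cultureinfo]'en-US')
            Actor   = $lines[$i + 1]
            Members = @($members)
        }
    }
}

function Get-RoleGroupMembershipChanges {
    param([Parameter(Mandatory)][object[]]$Entries)
    # Compare each entry with the one before it in chronological order.
    $ordered = @($Entries | Sort-Object When)
    for ($i = 1; $i -lt $ordered.Count; $i++) {
        $before = $ordered[$i - 1]
        $after  = $ordered[$i]
        # '=>' means the user appears only in the newer list (added);
        # '<=' means the user appears only in the older list (removed).
        foreach ($d in (Compare-Object -ReferenceObject $before.Members -DifferenceObject $after.Members)) {
            $change = if ($d.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                When   = $after.When
                Actor  = $after.Actor
                Change = $change
                User   = $d.InputObject
            }
        }
    }
}

# Constructed sample, taken from the HelpDesk example on this page.
$report = @'
1/27/2021 4:43 PM
Administrator
Updated members: Administrator;annb,florencef;pilarp

2/06/2021 10:09 AM
Administrator
Updated members: Administrator;annb;florencef;pilarp;tonip

2/19/2021 2:12 PM
Administrator
Updated members: Administrator;annb;florencef;tonip
'@

# Expected: 2/06/2021 Added tonip; 2/19/2021 Removed pilarp.
$entries = ConvertFrom-RoleGroupReportEntries -Text $report
Get-RoleGroupMembershipChanges -Entries $entries |
    Format-Table When, Actor, Change, User -AutoSize
```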

Use the EAC to export the admin audit log

Note

In standalone EOP, you can't export the admin audit log from the EAC. But you can
use PowerShell to search for audit log entries and send results to a recipient.

If you're going to use Outlook on the web (formerly known as Outlook Web App)
to view the exported entries, you need to enable .xml attachments in Outlook on
the web. For details, see Configure Outlook on the web to allow XML
attachments.

Exporting the admin audit log writes the information to an XML file and sends it to you
as an attachment in an email message. The maximum size of the XML file is 10
megabytes (MB).

1. In the EAC, select Compliance management > Auditing, and then click Export the
admin audit log.
2. Select a date range using the Start date and End date fields.
3. In the Send the auditing report to field, click Select users and then select the
recipient you want to send the report to.
4. Click Export.

If any log entries are found using the criteria you specified, an XML file will be created
and sent as an email attachment to the recipient you specified.

Use PowerShell to search for audit log entries


You can use Exchange Online PowerShell or standalone Exchange Online Protection
PowerShell to search for audit log entries that meet the criteria you specify. For a list of
search criteria, see Search-AdminAuditLog cmdlet. This procedure uses the Search-
AdminAuditLog cmdlet and displays search results in PowerShell. You can use this
cmdlet when you need to return a set of results that exceeds the limits defined on the
New-AdminAuditLogSearch cmdlet or in the EAC auditing reports.

To search the audit log for criteria you specify, use the following syntax.

PowerShell

Search-AdminAuditLog -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False>

Note

The Search-AdminAuditLog cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize parameter to specify up to 250,000 log entries. Or, use the value Unlimited to return all entries.

This example performs a search for all audit log entries with the following criteria:

Start date: 08/04/2020
End date: 10/03/2020
User IDs: davids, chrisd, kima
Cmdlets: Set-Mailbox
Parameters: ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize

PowerShell

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 08/04/2020 -EndDate 10/03/2020 -UserIds davids,chrisd,kima

This example searches for changes made to a specific mailbox. This is useful if you're
troubleshooting or you need to provide information for an investigation. The following
criteria are used:

Start date: 05/01/2020
End date: 10/03/2020
Object ID: contoso.com/Users/DavidS

PowerShell

Search-AdminAuditLog -StartDate 05/01/2020 -EndDate 10/03/2020 -ObjectIds contoso.com/Users/DavidS

If your searches return many log entries, we recommend that you use the procedure
provided in Use PowerShell to search for audit log entries and send results to a recipient
later in this article. The procedure in that section sends an XML file as an email
attachment to the recipients you specify, enabling you to more easily extract the data
you're interested in.

For detailed syntax and parameter information, see Search-AdminAuditLog.

View details of audit log entries


The Search-AdminAuditLog cmdlet returns the fields described in Audit log contents.
Of the fields returned by the cmdlet, two fields, CmdletParameters and
ModifiedProperties, contain additional information that isn't viewable by default.

To view the contents of the CmdletParameters and ModifiedProperties fields, use the
following steps. Or, you can use the procedure in Use PowerShell to search for audit log
entries and send results to a recipient later in this article to create an XML file.

This procedure uses the following concepts:

PowerShell arrays
PowerShell variables

1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet,
and store the results in a variable using the following command.

PowerShell

$Results = Search-AdminAuditLog <search criteria>

2. Each audit log entry is stored as an array element in the variable $Results . You can
select an array element by specifying its array element index. Array element
indexes start at zero (0) for the first array element. For example, to retrieve the 5th
array element, which has an index of 4, use the following command.

PowerShell

$Results[4]

3. The previous command returns the log entry stored in array element 4. To see the
contents of the CmdletParameters and ModifiedProperties fields for this log
entry, use the following commands.

PowerShell

$Results[4].CmdletParameters

$Results[4].ModifiedProperties

4. To view the contents of the CmdletParameters or ModifiedProperties fields in another log entry, change the array element index.
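Inspecting one $Results[n] at a time does not scale to a large result set. The following PowerShell is an added example that is not part of the original article: it expands the CmdletParameters and ModifiedProperties collections of every entry into flat rows that can be filtered, sorted or exported together. It assumes (hypothetical field names) that each CmdletParameters element exposes Name and Value, that each ModifiedProperties element exposes Name, OldValue and NewValue, and that entries carry RunDate, Caller, CmdletName, ObjectModified and Succeeded; the sample entries are constructed.

```powershell
# Added example (not from the original article): expand the CmdletParameters and
# ModifiedProperties collections of every entry in $Results into flat rows, so a whole
# result set can be reviewed or exported at once instead of one $Results[n] at a time.
# Assumption (hypothetical field names): each CmdletParameters element exposes Name and
# Value, and each ModifiedProperties element exposes Name, OldValue and NewValue.
function Expand-AdminAuditLogEntry {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        # Collapse the parameter list into one "Name=Value; ..." string per entry.
        $paramText = (@($Entry.CmdletParameters) |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '

        # Emit one row per modified property; entries with none (for example a failed
        # run) still produce a single row so they are not lost from the export.
        $props = @($Entry.ModifiedProperties)
        if ($props.Count -eq 0) { $props = @($null) }
        foreach ($p in $props) {
            [pscustomobject]@{
                RunDate    = $Entry.RunDate
                Caller     = $Entry.Caller
                Cmdlet     = $Entry.CmdletName
                Object     = $Entry.ObjectModified
                Succeeded  = $Entry.Succeeded
                Parameters = $paramText
                Property   = $p.Name
                OldValue   = $p.OldValue
                NewValue   = $p.NewValue
            }
        }
    }
}

# Constructed sample entries standing in for "$Results = Search-AdminAuditLog ..." so the
# function can be tried without a tenant. Field names are assumed, not taken from the page.
$Results = @(
    [pscustomobject]@{
        RunDate = [datetime]'2020-09-14T09:12:00'; Caller = 'contoso.com/Users/Administrator'
        CmdletName = 'Set-Mailbox'; ObjectModified = 'contoso.com/Users/DavidS'; Succeeded = $true
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'Identity';          Value = 'DavidS' }
            [pscustomobject]@{ Name = 'ProhibitSendQuota'; Value = '10 GB' }
        )
        ModifiedProperties = @(
            [pscustomobject]@{ Name = 'ProhibitSendQuota'; OldValue = '2 GB'; NewValue = '10 GB' }
        )
    }
    [pscustomobject]@{
        RunDate = [datetime]'2020-09-15T16:40:00'; Caller = 'contoso.com/Users/Administrator'
        CmdletName = 'Set-Mailbox'; ObjectModified = 'contoso.com/Users/DavidS'; Succeeded = $false
        CmdletParameters = @([pscustomobject]@{ Name = 'Identity';    Value = 'DavidS' },
                             [pscustomobject]@{ Name = 'MaxSendSize'; Value = '1 TB' })
        ModifiedProperties = @()
    }
)

$rows = $Results | Expand-AdminAuditLogEntry

# Quota changes on the mailbox, oldest first, with before and after values side by side.
$rows | Where-Object { $_.Property -like '*Quota*' } |
    Sort-Object RunDate |
    Format-Table RunDate, Caller, Object, Property, OldValue, NewValue -AutoSize

# Hand the whole set to an investigator as a CSV.
$rows | Export-Csv -Path .\admin-audit-changes.csv -NoTypeInformation
```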

Use PowerShell to search for audit log entries and send results to a recipient

Note

The report that the New-AdminAuditLogSearch cmdlet generates can be a maximum of 10 MB in size. If your search returns a report larger than 10 MB, change the search criteria you specified. For example, reduce the date range and run multiple reports to cover the original date range.

If you're going to use Outlook on the web (formerly known as Outlook Web App)
to view the exported entries, you need to enable .xml attachments in Outlook on
the web. For details, see Configure Outlook on the web to allow XML
attachments.

You can use Exchange Online PowerShell or standalone Exchange Online Protection
PowerShell to search for audit log entries that meet the criteria you specify, and then
send those results to a recipient you specify as an XML file attachment. The results are
sent to the recipient within 15 minutes. For a list of search criteria, see Search-
AdminAuditLog cmdlet criteria.

To search the audit log for criteria you specify, use the following syntax.

PowerShell

New-AdminAuditLogSearch -Cmdlets <cmdlet1, cmdlet2, ...> -Parameters <parameter1, parameter2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$true | $false> -StatusMailRecipients <recipient1, recipient2, ...> -Name <string to include in subject>

This example performs a search for all audit log entries with the following criteria:

Start date: 08/04/2020
End date: 10/03/2020
User IDs: davids, chrisd, kima
Cmdlets: Set-Mailbox
Parameters: ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendSize, MaxReceiveSize

The command sends the results to the davids@contoso.com SMTP address with
"Mailbox limit changes" included in the subject line of the message.

PowerShell

New-AdminAuditLogSearch -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 08/04/2020 -EndDate 10/03/2020 -UserIds davids,chrisd,kima -StatusMailRecipients davids@contoso.com -Name "Mailbox limit changes"

For more information about the format of the XML file, see admin audit log structure.

For detailed syntax and parameter information, see New-AdminAuditLogSearch.


Manage incidents and alerts from Microsoft Defender for Office 365 in Microsoft 365 Defender
Article • 12/22/2022 • 4 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 alerts, automated investigation and response (AIR), and the outcome of the investigations are natively integrated and correlated on the Incidents page in Microsoft 365 Defender at https://security.microsoft.com/incidents-queue . We'll refer to this page as the Incidents queue.

Alerts are created when malicious or suspicious activity affects an entity (for example,
email, users, or mailboxes). Alerts provide valuable insights about in-progress or
completed attacks. However, an ongoing attack can affect multiple entities, which
results in multiple alerts from different sources. Some built-in alerts will automatically
trigger AIR playbooks. These playbooks do a series of investigation steps to look for
other impacted entities or suspicious activity.

Watch this short video on how to manage Microsoft Defender for Office 365 alerts in
Microsoft 365 Defender.
https://www.microsoft.com/en-us/videoplayer/embed/RWGrL2?postJsllMsg=true

Defender for Office 365 alerts, investigations, and their data are automatically
correlated. When a relationship is determined, an incident is created by the system to
give security teams visibility for the entire attack.

We strongly recommend that SecOps teams manage incidents and alerts from Defender
for Office 365 in the Incidents queue at https://security.microsoft.com/incidents-
queue . This approach has the following benefits:

Multiple options for management:
Prioritization
Filtering
Classification
Tag management

You can take incidents directly from the queue or assign them to someone.
Comments and comment history can help track progress.

If the attack impacts other workloads that are protected by Microsoft Defender*,
the related alerts, investigations, and their data are also correlated to the same
incident.

*Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft
Defender for Cloud Apps.

Complex correlation logic isn't required, because the logic is provided by the
system.

If the correlation logic doesn't fully meet your needs, you can add alerts to existing
incidents or create new incidents.

Related Defender for Office 365 alerts, AIR investigations, and pending actions
from investigations are automatically added to incidents.

If the AIR investigation finds no threat, the related alerts are automatically resolved
by the system. If all alerts within an incident are resolved, the incident status also
changes to Resolved.

Related evidence and response actions are automatically aggregated on the Evidence and response tab of the incident.

Security team members can take response actions directly from the incidents. For
example, they can soft-delete email in mailboxes or remove suspicious Inbox rules
from mailboxes.

Recommended email actions are created only when the latest delivery location of a
malicious email is a cloud mailbox.

Pending email actions are updated based on the latest delivery location. If the
email was already remediated by a manual action, the status will reflect that.
Recommended actions are created only for email and email clusters that are
determined to be the most critical threats:
Malware
High confidence phishing
Malicious URLs
Malicious files

Note

Incidents don't just represent static events. They also represent attack stories that
happen over time. As the attack progresses, new Defender for Office 365 alerts, AIR
investigations, and their data are continuously added to the existing incident.

Manage incidents on the Incidents page in the Microsoft 365 Defender portal at https://security.microsoft.com/incidents-queue .

Manage incidents on the Incidents page in Microsoft Sentinel at https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel .

Response actions to take

Security teams can take a wide variety of response actions on email using Defender for Office 365 tools:

You can delete messages, but you can also take the following actions on email:
Move to Inbox
Move to Junk
Move to Deleted Items
Soft delete
Hard delete

You can take these actions from the following locations:

The Evidence and response tab from the details of the incident on the Incidents page at https://security.microsoft.com/incidents-queue (recommended).
Threat Explorer at https://security.microsoft.com/threatexplorer .
The unified Action center at https://security.microsoft.com/action-center/pending .

You can start an AIR playbook manually on any email message using the Trigger
investigation action in Threat Explorer.

You can report false positive or false negative detections directly to Microsoft
using Threat Explorer or admin submissions.

You can block undetected malicious files, URLs, or senders using the Tenant
Allow/Block List.

Defender for Office 365 actions are seamlessly integrated into hunting experiences, and the history of actions is visible on the History tab in the unified Action center at https://security.microsoft.com/action-center/history .

The most effective way to take action is to use the built-in integration with Incidents in Microsoft 365 Defender. You can simply approve the actions that were recommended by AIR in Defender for Office 365 on the Evidence and response tab of an Incident in Microsoft 365 Defender. This method of taking action is recommended for the following reasons:

You investigate the complete attack story.
You benefit from the built-in correlation with other workloads: Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.
You take actions on email from a single place.

You take action on email based on the result of a manual investigation or hunting
activity. Threat Explorer allows security team members to take action on any email
messages that might still exist in cloud mailboxes. They can take action on intra-org
messages that were sent between users in your organization. Threat Explorer data is
available for the last 30 days.

Watch this short video to learn how Microsoft 365 Defender combines alerts from
various detection sources, like Defender for Office 365, into incidents.
https://www.microsoft.com/en-us/videoplayer/embed/RWGpcs?postJsllMsg=true

Threat investigation and response
Article • 12/22/2022 • 5 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies To

Microsoft Defender for Office 365 plan 2

Threat investigation and response capabilities in Microsoft Defender for Office 365 help
security analysts and administrators protect their organization's Microsoft 365 for
business users by:

Making it easy to identify, monitor, and understand cyberattacks.
Helping to quickly address threats in Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams.
Providing insights and knowledge to help security operations prevent cyberattacks against their organization.
Employing automated investigation and response in Office 365 for critical email-based threats.

Threat investigation and response capabilities provide insights into threats and related
response actions that are available in the Microsoft 365 Defender portal. These insights
can help your organization's security team protect users from email- or file-based
attacks. The capabilities help monitor signals and gather data from multiple sources,
such as user activity, authentication, email, compromised PCs, and security incidents.
Business decision makers and your security operations team can use this information to
understand and respond to threats against your organization and protect your
intellectual property.

Get acquainted with threat investigation and response tools

Threat investigation and response capabilities in the Microsoft 365 Defender portal at https://security.microsoft.com are a set of tools and response workflows that include:
Explorer
Incidents
Attack simulation training
Automated investigation and response

Explorer
Use Explorer (and real-time detections) to analyze threats, see the volume of attacks
over time, and analyze data by threat families, attacker infrastructure, and more. Explorer
(also referred to as Threat Explorer) is the starting place for any security analyst's
investigation workflow.

To view and use this report in the Microsoft 365 Defender portal at
https://security.microsoft.com , go to Email & collaboration > Explorer. Or, to go
directly to the Explorer page, use https://security.microsoft.com/threatexplorer .

Office 365 Threat Intelligence connection


This feature is only available if you have an active Office 365 E5 subscription or the
Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5
product page.

When you turn on this feature, you'll be able to incorporate data from Microsoft
Defender for Office 365 into Microsoft 365 Defender to conduct a comprehensive
security investigation across Office 365 mailboxes and Windows devices.

Note

You'll need to have the appropriate license to enable this feature.

To receive contextual device integration in Office 365 Threat Intelligence, you'll need to
enable the Defender for Endpoint settings in the Security & Compliance dashboard.

Incidents
Use the Incidents list (also called Investigations) to see a list of in-flight security incidents. Incidents are used to track threats such as suspicious email messages, and to conduct further investigation and remediation.

To view the list of current incidents for your organization in the Microsoft 365 Defender
portal at https://security.microsoft.com , go to Incidents & alerts > Incidents. Or, to go
directly to the Incidents page, use https://security.microsoft.com/incidents .

Attack simulation training


Use Attack simulation training to set up and run realistic cyberattacks in your
organization, and identify vulnerable people before a real cyberattack affects your
business. To learn more, see Simulate a phishing attack.

To view and use this feature in the Microsoft 365 Defender portal at
https://security.microsoft.com , go to Email & collaboration > Attack simulation
training. Or, to go directly to the Attack simulation training page, use
https://security.microsoft.com/attacksimulator?viewid=overview .

Automated investigation and response


Use automated investigation and response (AIR) capabilities to save time and effort
correlating content, devices, and people at risk from threats in your organization. AIR
processes can begin whenever certain alerts are triggered, or when started by your
security operations team. To learn more, see automated investigation and response in
Office 365.

Threat intelligence widgets

As part of the Microsoft Defender for Office 365 Plan 2 offering, security analysts can
review details about a known threat. This is useful to determine whether there are
additional preventative measures/steps that can be taken to keep users safe.

How do we get these capabilities?


Microsoft 365 threat investigation and response capabilities are included in Microsoft
Defender for Office 365 Plan 2, which is included in Enterprise E5 or as an add-on to
certain subscriptions. To learn more, see Defender for Office 365 Plan 1 and Plan 2.

Required roles and permissions


Microsoft Defender for Office 365 uses role-based access control. Permissions are
assigned through certain roles in Azure Active Directory, the Microsoft 365 admin
center, or the Microsoft 365 Defender portal.

Tip

Although some roles, such as Security Administrator, can be assigned in the Microsoft 365 Defender portal, consider using either the Microsoft 365 admin center or Azure Active Directory instead. For information about roles, role groups, and permissions, see the following resources:

Permissions in the Microsoft 365 Defender portal
Azure AD built-in roles

Activity: Use the Microsoft Defender Vulnerability Management dashboard; view information about recent or current threats
Roles and permissions: One of the following: Global Administrator, Security Administrator, or Security Reader. These roles can be assigned in either Azure Active Directory (https://portal.azure.com ) or the Microsoft 365 admin center (https://admin.microsoft.com ).

Activity: Use Explorer (and real-time detections) to analyze threats
Roles and permissions: One of the following: Global Administrator, Security Administrator, or Security Reader. These roles can be assigned in either Azure Active Directory (https://portal.azure.com ) or the Microsoft 365 admin center (https://admin.microsoft.com ).

Activity: View Incidents (also referred to as Investigations); add email messages to an incident
Roles and permissions: One of the following: Global Administrator, Security Administrator, or Security Reader. These roles can be assigned in either Azure Active Directory (https://portal.azure.com ) or the Microsoft 365 admin center (https://admin.microsoft.com ).

Activity: Trigger email actions in an incident; find and delete suspicious email messages
Roles and permissions: One of the following: Global Administrator, or Security Administrator plus the Search and Purge role. The Global Administrator and Security Administrator roles can be assigned in either Azure Active Directory (https://portal.azure.com ) or the Microsoft 365 admin center (https://admin.microsoft.com ). The Search and Purge role must be assigned in the Email & collaboration roles in the Microsoft 365 Defender portal (https://security.microsoft.com ).

Activity: Integrate Microsoft Defender for Office 365 Plan 2 with Microsoft Defender for Endpoint; integrate Microsoft Defender for Office 365 Plan 2 with a SIEM server
Roles and permissions: Either the Global Administrator or the Security Administrator role assigned in either Azure Active Directory (https://portal.azure.com ) or the Microsoft 365 admin center (https://admin.microsoft.com ), plus an appropriate role assigned in additional applications (such as Microsoft Defender Security Center or your SIEM server).

Next steps

Learn about Threat Trackers - New and Noteworthy
Find and investigate malicious email that was delivered (Office 365 Threat Investigation and Response)
Integrate Office 365 Threat Investigation and Response with Microsoft Defender for Endpoint
Simulate a phishing attack

Investigate malicious email that was delivered in Microsoft 365
Article • 12/09/2022 • 11 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Microsoft Defender for Office 365 enables you to investigate activities that put people in
your organization at risk, and to take action to protect your organization. For example, if
you are part of your organization's security team, you can find and investigate
suspicious email messages that were delivered. You can do this by using Threat Explorer
(or real-time detections).

Note

Jump to the remediation article here.

Before you begin


Make sure that the following requirements are met:

Your organization has Microsoft Defender for Office 365 and licenses are assigned
to users.

Audit logging is turned on for your organization.

Your organization has policies defined for anti-spam, anti-malware, anti-phishing, and so on. See Protect against threats in Office 365.

You are a global administrator, or you have either the Security Administrator or the
Search and Purge role assigned in the Microsoft 365 Defender portal. For more
information, see Permissions in the Microsoft 365 Defender portal. For some
actions, you must also have the Preview role assigned.

Preview role permissions


To perform certain actions, such as viewing message headers or downloading email
message content, you must have the Preview role added to another appropriate role
group. The following table clarifies required roles and permissions.

Activity: Use Threat Explorer (and Real-time detections) to analyze threats
Role group: Global Administrator, Security Administrator, or Security Reader
Preview role needed? No

Activity: Use Threat Explorer (and Real-time detections) to view headers for email messages as well as preview and download quarantined email messages
Role group: Global Administrator, Security Administrator, or Security Reader
Preview role needed? No

Activity: Use Threat Explorer to view headers, preview email (only in the email entity page) and download email messages delivered to mailboxes
Role group: Global Administrator, Security Administrator, or Security Reader, plus Preview
Preview role needed? Yes

Note

Preview is a role, not a role group. The Preview role must be added to an existing
role group or a new role group in the Microsoft 365 Defender portal. For more
information, see Permissions in the Microsoft 365 Defender portal.

The Global Administrator role is assigned the Microsoft 365 admin center at
https://admin.microsoft.com . The Security Administrator and Security Reader
roles are assigned in Microsoft 365 Defender portal.

Because previewing and downloading email are sensitive activities, auditing is enabled for them. When an admin performs either activity on an email, an audit record is generated and can be viewed in the Microsoft 365 Defender portal at https://security.microsoft.com on the Audit > Search tab: filter on the admin name in the Users box, and the filtered results show the activity AdminMailAccess. Select a row to view details about the previewed or downloaded email in the More information section.

Find suspicious email that was delivered


Threat Explorer is a powerful report that can serve multiple purposes, such as finding and deleting messages, identifying the IP address of a malicious email sender, or starting an incident for further investigation. The following procedure focuses on using Explorer to find and delete malicious email from recipients' mailboxes.

Note

Default searches in Explorer don't currently include delivered items that were
removed from the cloud mailbox by zero-hour auto purge (ZAP). This limitation
applies to all views (for example, the Email > Malware or Email > Phish views). To
include items removed by ZAP, you need to add a Delivery action set to include
Removed by ZAP. If you include all options, you'll see all delivery action results,
including items removed by ZAP.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to Email & collaboration > Explorer. To go directly to the Explorer page, use https://security.microsoft.com/threatexplorer .

On the Explorer page, the Additional actions column shows admins the outcome
of processing an email. The Additional actions column can be accessed in the
same place as Delivery action and Delivery location. Special actions might be
updated at the end of Threat Explorer's email timeline, which is a new feature
aimed at making the hunting experience better for admins.

2. In the View menu, choose Email > All email from the drop down list.

The Malware view is currently the default, and captures emails where a malware
threat is detected. The Phish view operates in the same way, for Phish.

However, All email view lists every mail received by the organization, whether
threats were detected or not. As you can imagine, this is a lot of data, which is why
this view shows a placeholder that asks a filter be applied. (This view is only
available for Defender for Office 365 P2 customers.)

The Submissions view shows all messages that admins or users submitted and reported to Microsoft.

3. Search and filter in Threat Explorer: Filters appear at the top of the page in the
search bar to help admins in their investigations. Notice that multiple filters can be
applied at the same time, and multiple comma-separated values added to a filter
to narrow down the search. Remember:

Filters do exact matching on most filter conditions.
Subject filter uses a CONTAINS query.
URL filters work with or without protocols (ex. https).
URL domain, URL path, and URL domain and path filters don't require a protocol to filter.
You must click the Refresh icon every time you change the filter values to get relevant results.

4. Advanced filters: With these filters, you can build complex queries and filter your
data set. Clicking on Advanced Filters opens a flyout with options.

Advanced filtering is a great addition to search capabilities. A boolean NOT on the Recipient, Sender and Sender domain filters allows admins to investigate by excluding values. This option is the Equals none of selection. This option allows admins to exclude unwanted mailboxes from investigations (for example, alert mailboxes and default reply mailboxes), and is useful for cases where admins search for a specific subject (for example, Attention) where the Recipient can be set to Equals none of: defaultMail@contoso.com. This is an exact value search.

Adding a time filter to the start date and end date helps your security team to drill
down quickly. The shortest allowed time duration is 30 minutes. If you can narrow
the suspicious action by time-frame (e.g., it happened 3 hours ago), this will limit
the context and help pinpoint the problem.

5. Fields in Threat Explorer: Threat Explorer exposes a lot more security-related mail
information such as Delivery action, Delivery location, Special action, Directionality,
Overrides, and URL threat. It also allows your organization's security team to
investigate with a higher certainty.
Delivery action is the action taken on an email due to existing policies or
detections. Here are the possible actions an email can take:

Delivered – email was delivered to inbox or folder of a user and the user can
directly access it.
Junked (Delivered to junk) – email was sent to either the user's junk folder or deleted folder, and the user has access to email messages in their Junk or Deleted folder.
Blocked – any email messages that are quarantined, that failed, or were
dropped.
Replaced – any email where malicious attachments are replaced by .txt files
that state the attachment was malicious

Delivery location: The Delivery location filter is available in order to help admins
understand where suspected malicious mail ended-up and what actions were
taken on it. The resulting data can be exported to spreadsheet. Possible delivery
locations are:

Inbox or folder – The email is in the Inbox or a specific folder, according to your email rules.
On-prem or external – The mailbox doesn't exist in the Cloud but is on-premises.
Junk folder – The email is in a user's Junk mail folder.
Deleted items folder – The email is in a user's Deleted items folder.
Quarantine – The email is in quarantine, and not in a user's mailbox.
Failed – The email failed to reach the mailbox.
Dropped – The email was lost somewhere in the mail flow.

Directionality: This option allows your security operations team to filter by the
'direction' a mail comes from, or is going. Directionality values are Inbound,
Outbound, and Intra-org (corresponding to mail coming into your org from
outside, being sent out of your org, or being sent internally to your org,
respectively). This information can help security operations teams spot spoofing
and impersonation, because a mismatch between the Directionality value (ex.
Inbound), and the domain of the sender (which appears to be an internal domain)
will be evident! The Directionality value is separate, and can differ from, the
Message Trace. Results can be exported to spreadsheet.

Overrides: This filter takes information that appears on the mail's details tab and uses it to expose where organizational or user policies for allowing and blocking mail have been overridden. The most important thing about this filter is that it helps your organization's security team see how many suspicious emails were delivered due to configuration. This gives them an opportunity to modify allows and blocks as needed. The result set of this filter can be exported to spreadsheet.

Threat Explorer Overrides and what they mean:

Allowed by Org Policy – Mail was allowed into the mailbox as directed by the organization policy.
Blocked by Org policy – Mail was blocked from delivery to the mailbox as directed by the organization policy.
File extension blocked by Org Policy – File was blocked from delivery to the mailbox as directed by the organization policy.
Allowed by User Policy – Mail was allowed into the mailbox as directed by the user policy.
Blocked by User Policy – Mail was blocked from delivery to the mailbox as directed by the user policy.

URL threat: The URL threat field has been included on the details tab of an email to
indicate the threat presented by a URL. Threats presented by a URL can include
Malware, Phish, or Spam, and a URL with no threat will say None in the threats
section.

6. Email timeline view: Your security operations team might need to deep-dive into
email details to investigate further. The email timeline allows admins to view
actions taken on an email from delivery to post-delivery. To view an email timeline,
click on the subject of an email message, and then click Email timeline. (It appears
among other headings on the panel like Summary or Details.) These results can be
exported to spreadsheet.

Email timeline will open to a table that shows all delivery and post-delivery events
for the email. If there are no further actions on the email, you should see a single
event for the original delivery that states a result, such as Blocked, with a verdict
like Phish. Admins can export the entire email timeline, including all details on the
tab and email (such as Subject, Sender, Recipient, Network, and Message ID). The
email timeline cuts down on guesswork, because less time is spent checking
different locations to understand the events that happened since the email
arrived. When multiple events happen at, or close to, the same time on an email,
those events show up in a timeline view.

7. Preview / download: Threat Explorer gives your security operations team the
details they need to investigate suspicious email. Your security operations team
can either:

Check the delivery action and location.

View the timeline of your email.

Check the delivery action and location


In Threat Explorer (and real-time detections), you now have Delivery Action and
Delivery Location columns instead of the former Delivery Status column. This results in
a more complete picture of where your email messages land. Part of the goal of this
change is to make investigations easier for security operations teams, but the net result
is knowing the location of problem email messages at a glance.

Delivery Status is now broken out into two columns:

Delivery action - What is the status of this email?


Delivery location - Where was this email routed as a result?

Delivery action is the action taken on an email due to existing policies or detections.
Here are the possible actions an email can take:

Delivered – the email was delivered to the inbox or a folder of a user, and the user
can directly access it.
Junked – the email was sent to either the user's Junk folder or Deleted folder, and
the user has access to email messages in their Junk or Deleted folder.
Blocked – any email messages that are quarantined, that failed, or were dropped.
Replaced – any email where malicious attachments are replaced by .txt files that
state the attachment was malicious.

Delivery location shows the results of policies and detections that run post-delivery. It's
linked to a Delivery Action. This field was added to give insight into the action taken
when a problem mail is found. Here are the possible values of delivery location:

Inbox or folder – The email is in the inbox or a folder (according to your email
rules).
On-prem or external – The mailbox doesn't exist in the cloud but is on-premises.
Junk folder – The email is in a user's Junk folder.
Deleted items folder – The email is in a user's Deleted items folder.
Quarantine – The email is in quarantine, and not in a user's mailbox.
Failed – The email failed to reach the mailbox.
Dropped – The email was lost somewhere in the mail flow.

View the timeline of your email
Email Timeline is a field in Threat Explorer that makes hunting easier for your security
operations team. When multiple events happen at or close to the same time on an
email, those events show up in a timeline view. Some events that happen post-delivery
to email are captured in the Special actions column. Combining information from the
timeline of an email message with any special actions that were taken post-delivery
gives admins insight into policies and threat handling (such as where the mail was
routed, and, in some cases, what the final assessment was).
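The following is an added example in Python (not Microsoft's code) that triages an exported Threat Explorer result set offline: it flags the Directionality/sender-domain mismatch described for the Directionality filter, counts threats that reached a mailbox because an allow override applied, and summarizes Delivery action against Delivery location. The CSV rows are constructed, and the column names and the accepted-domain list are assumptions to be matched to your own export.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not real data). Column names are assumed to match
# the columns discussed above; adjust them to your own Threat Explorer export.
SAMPLE_EXPORT = """\
Subject,Sender,Recipient,Directionality,Overrides,Delivery action,Delivery location,Threats
Invoice overdue,ceo@contoso.com,bob@contoso.com,Inbound,Allowed by User Policy,Delivered,Inbox or folder,Phish
Team lunch,alice@contoso.com,bob@contoso.com,Intra-org,,Delivered,Inbox or folder,None
Your package,track@fabrikam.com,bob@contoso.com,Inbound,Allowed by Org Policy,Delivered,Inbox or folder,Spam
Reset password,it@contoso.com,carol@contoso.com,Inbound,,Blocked,Quarantine,Phish
Newsletter,news@fabrikam.com,carol@contoso.com,Inbound,,Junked,Junk folder,Spam
"""

# Assumption: the tenant's own (accepted) domains.
ACCEPTED_DOMAINS = {"contoso.com"}


def sender_domain(address):
    """Domain part of an SMTP address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def parse_export(text):
    """Read the CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def directionality_mismatches(rows, accepted_domains=ACCEPTED_DOMAINS):
    """Inbound mail whose sender domain is one of our own domains: the
    Directionality/sender mismatch that points at spoofing or impersonation."""
    return [r for r in rows
            if r["Directionality"] == "Inbound"
            and sender_domain(r["Sender"]) in accepted_domains]


def delivered_by_override(rows):
    """Messages with a threat verdict that still reached the mailbox because an
    organization or user allow override applied."""
    return [r for r in rows
            if r["Overrides"].startswith("Allowed by")
            and r["Delivery action"] == "Delivered"
            and r["Threats"] != "None"]


def delivery_summary(rows):
    """Count messages per (Delivery action, Delivery location) pair."""
    return Counter((r["Delivery action"], r["Delivery location"]) for r in rows)


def triage(text, accepted_domains=ACCEPTED_DOMAINS):
    """Run all three checks over an export and report message subjects."""
    rows = parse_export(text)
    return {
        "mismatches": [r["Subject"] for r in directionality_mismatches(rows, accepted_domains)],
        "override_delivered": [r["Subject"] for r in delivered_by_override(rows)],
        "summary": delivery_summary(rows),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    print("Inbound mail from internal domains:", result["mismatches"])
    print("Threats delivered via allow override:", result["override_delivered"])
    for (action, location), n in sorted(result["summary"].items()):
        print(f"{action:10} {location:20} {n}")
```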

Important

Jump to a remediation topic here.

Related topics
Remediate malicious email delivered in Office 365

Microsoft Defender for Office 365

Protect against threats in Office 365

View reports for Defender for Office 365


How do I report a suspicious email or file to Microsoft?
Article • 01/12/2023 • 3 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Wondering what to do with suspicious emails or files? In Microsoft 365 organizations
with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, users and admins have different ways
to report a suspicious email message, URL, or email attachment to Microsoft.

In addition, admins in Microsoft 365 organizations with Microsoft Defender for Endpoint
also have several methods for reporting files.

Watch this video that shows more information about the unified submissions
experience.
https://www.microsoft.com/en-us/videoplayer/embed/RE50HhM?postJsllMsg=true

Report suspicious email messages to Microsoft

Method: The built-in Report button
Submission type: User
Comments: Currently, this method is available only in Outlook on the web (formerly
known as Outlook Web App or OWA).

Method: The Microsoft Report Message and Report Phishing add-ins
Submission type: User
Comments: These free add-ins work in Outlook on all available platforms. For
installation instructions, see Enable the Report Message or the Report Phishing
add-ins.

Method: The Admin Submissions page in the Microsoft 365 Defender portal
Submission type: Admin
Comments: Admins use this method to submit good (false positive) and bad (false
negative) entities, including user-reported messages, to Microsoft for further
analysis. Tabs include Email, Email attachments, URLs, and Files. Note that Files is
only available to users with a Microsoft Defender for Endpoint P2 license, Microsoft
Defender for Office P2 license, and Microsoft 365 Defender E5 license. The
Submissions page is available to organizations who have Exchange Online mailboxes
as part of a Microsoft 365 subscription (not available in standalone EOP).

User reported message settings allow admins to configure whether user reported
messages go to a specified reporting mailbox, to Microsoft, or both. Depending on your
subscription, user reported messages are available in the following locations in the
Microsoft 365 Defender portal:

The Submissions page
Automated investigation and response (AIR) results
The User-reported messages report
Threat Explorer

Admins can use mail flow rules (also known as transport rules) to notify a specified
email address when users report messages to Microsoft for analysis. For more
information, see Use mail flow rules to see what users are reporting to Microsoft.

Admins can also submit email attachments and other suspected files to Microsoft for
analysis using the sample submission portal at
https://www.microsoft.com/wdsi/filesubmission . For more information, see Submit
files for analysis.

Tip

Information is blocked from going outside the organization when data isn't
supposed to leave the tenant boundary for compliance purposes (for example, in
U.S. Government organizations: Microsoft 365 GCC, GCC High, and DoD). Reporting
a message or file to Microsoft from one of these organizations will have the
following message in the result details:

Further investigation needed. Your tenant doesn't allow data to leave the
environment, so nothing was found during the initial scan. You'll need to contact
Microsoft support to have this item reviewed.

Note

When you report an email entity to Microsoft, everything associated with the email
is copied to include it in the continual algorithm reviews. This copy includes the
email content, email headers, and related data about email routing. Any message
attachments are also included.

Microsoft treats your feedback as your organization's permission to analyze all the
information to fine tune the message hygiene algorithms. Your message is held in
secured and audited data centers in the USA. The submission is deleted as soon as
it's no longer required. Microsoft personnel might read your submitted messages
and attachments, which is normally not permitted for email in Microsoft 365.
However, your email is still treated as confidential between you and Microsoft, and
your email or attachments aren't shared with any other party as part of the review
process.

Use the Submissions portal to submit suspected spam, phish, URLs, legitimate
email getting blocked, and email attachments to Microsoft
Article • 01/12/2023 • 21 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2

In Microsoft 365 organizations with Exchange Online mailboxes, admins can use the
Submissions portal in the Microsoft 365 Defender portal to submit email messages,
URLs, and attachments to Microsoft for scanning.

When you submit an email message for analysis, you will get:

Email authentication check: Details on whether email authentication passed or
failed when it was delivered.
Policy hits: Information about any policies that may have allowed or blocked the
incoming email into your tenant, overriding our service filter verdicts.
Payload reputation/detonation: Up-to-date examination of any URLs and
attachments in the message.
Grader analysis: Review done by human graders in order to confirm whether or
not messages are malicious.

Important

Payload reputation/detonation and grader analysis are not done in all tenants.
Information is blocked from going outside the organization when data is not
supposed to leave the tenant boundary for compliance purposes.

For other ways to submit email messages, URLs, and attachments to Microsoft, see
Report messages and files to Microsoft.

Watch this short video to learn how to use admin submissions in Microsoft Defender for
Office 365 to submit messages to Microsoft for evaluation.
https://www.microsoft.com/en-us/videoplayer/embed/RWBLPn?postJsllMsg=true

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com/.
To go directly to the Submissions page, use
https://security.microsoft.com/reportsubmission.

To submit messages and files to Microsoft, you need to have one of the following
roles:

Security Administrator or Security Reader in the Microsoft 365 Defender portal.

Note that one of these roles is required to view user reported messages as
described later in this article.

Admins can submit messages as old as 30 days if they are still available in the
mailbox and not purged by the user or another admin.

Admin submissions are throttled at the following rates:

Maximum submissions in any 15-minute period: 150 submissions
Same submission in a 24-hour period: 3 submissions
Same submission in a 15-minute period: 1 submission

For more information about how users can submit messages and files to Microsoft,
see Report messages and files to Microsoft.
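The three throttle limits above matter when submissions are scripted in bulk. The following added example in Python (not Microsoft's code) models them with sliding windows so a planned batch can be checked before anything is sent; treating the network message ID as the identity of a "same submission" is an assumption, and the batch in the demo is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Limits as documented for admin submissions.
MAX_PER_15_MIN = 150        # all submissions, in any 15-minute window
MAX_SAME_PER_24_H = 3       # the same submission, in any 24-hour window
MAX_SAME_PER_15_MIN = 1     # the same submission, in any 15-minute window
WINDOW_15_MIN = timedelta(minutes=15)
WINDOW_24_H = timedelta(hours=24)


class SubmissionThrottle:
    """Tracks accepted submissions and predicts which later ones would be throttled."""

    def __init__(self):
        self.all_times = deque()              # timestamps of every accepted submission
        self.same_times = defaultdict(deque)  # submission id -> its accepted timestamps

    @staticmethod
    def _drop_older_than(times, now, window):
        # Sliding window: forget entries that have aged out of the window.
        while times and now - times[0] >= window:
            times.popleft()

    def check(self, submission_id, now):
        """Return None if the submission may proceed, else the limit it would hit."""
        self._drop_older_than(self.all_times, now, WINDOW_15_MIN)
        same = self.same_times[submission_id]
        self._drop_older_than(same, now, WINDOW_24_H)
        if len(self.all_times) >= MAX_PER_15_MIN:
            return "150 submissions in 15 minutes"
        if len(same) >= MAX_SAME_PER_24_H:
            return "same submission 3 times in 24 hours"
        if sum(1 for t in same if now - t < WINDOW_15_MIN) >= MAX_SAME_PER_15_MIN:
            return "same submission once in 15 minutes"
        return None

    def submit(self, submission_id, now):
        """Record the submission if allowed; return the throttle reason otherwise."""
        reason = self.check(submission_id, now)
        if reason is None:
            self.all_times.append(now)
            self.same_times[submission_id].append(now)
        return reason


def plan(submissions):
    """submissions: iterable of (timestamp, submission_id). Returns a list of
    (timestamp, submission_id, reason), with reason None for those that go through."""
    throttle = SubmissionThrottle()
    return [(ts, sid, throttle.submit(sid, ts)) for ts, sid in sorted(submissions)]


def plan_offsets(entries, start=datetime(2023, 1, 12, 9, 0)):
    """Convenience wrapper: entries are (minutes_from_start, submission_id);
    returns only the reason for each entry, in chronological order."""
    return [reason for _, _, reason in
            plan([(start + timedelta(minutes=m), sid) for m, sid in entries])]


if __name__ == "__main__":
    # Constructed batch: one placeholder network message ID resubmitted repeatedly.
    placeholder_id = "00000000-0000-0000-0000-000000000000"
    for minutes, reason in zip((0, 5, 20, 40, 60),
                               plan_offsets([(m, placeholder_id) for m in (0, 5, 20, 40, 60)])):
        print(f"+{minutes:3d} min: {'OK' if reason is None else 'throttled: ' + reason}")
```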

Report questionable email to Microsoft


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, verify that the Emails tab is selected.

3. On the Emails tab, click Submit to Microsoft for analysis.

4. In the Submit to Microsoft for analysis flyout that appears, enter the following
information:

Select the submission type: Verify the value Email is selected.

Add the network message ID or upload the email file: Select one of the
following options:

Add the email network message ID: This is a GUID value that's available in
the X-MS-Exchange-Organization-Network-Message-Id header in the
message or in the X-MS-Office365-Filtering-Correlation-Id header in
quarantined messages.

Upload the email file (.msg or .eml): Click Browse files. In the dialog that
opens, find and select the .eml or .msg file, and then click Open.

Choose a recipient who had an issue: Specify the recipient that you would
like to run a policy check against. The policy check will determine if the email
bypassed scanning due to user or organization policies.

Select a reason for submitting to Microsoft: Verify Should not have been
blocked (False positive) is selected.

The email should have been categorized as: Select Phish, Malware, or
Spam. If you're not sure, use your best judgment.

Block all emails from this sender or domain: Select this option to create a
block entry for the sender in the Tenant Allow/Block List. For more
information about the Tenant Allow/Block List, see Manage your allows
and blocks in the Tenant Allow/Block List.

After you select this option, the following settings are available:

By default, Sender is selected but you can select Domain instead.

Remove block entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
90 days
Never expire
Specific date

Block entry note: Enter optional information about why you're allowing
this email.

When you're finished, click Submit, and then click Done.


Note

For messages that were incorrectly blocked by spoof intelligence, a block entry for
the domain pair is not created in the Tenant Allow/Block List.

For messages that were incorrectly blocked by domain or user impersonation
protection, a block entry for the domain or sender is not created in the Tenant
Allow/Block List. Instead, the domain or sender is added to the Trusted senders
and domains section in the anti-phishing policy that detected the message.

Report questionable email attachments to Microsoft

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, select the Email attachments tab.

3. On the Email attachments tab, click Submit to Microsoft for analysis.

4. On the Submit to Microsoft for analysis flyout that appears, enter the following
information:

Select the submission type: Verify the value Email attachment is selected.

File: Click Browse files to find and select the file to submit.

Select a reason for submitting to Microsoft: Verify Should have been
blocked (False negative) is selected.

The email should have been categorized as: Select Phish or Malware. If
you're not sure, use your best judgment.

Block this file: Select this option to create a block entry for the sender in
the Tenant Allow/Block List. For more information about the Tenant
Allow/Block List, see Manage your allows and blocks in the Tenant
Allow/Block List.

After you select this option, the following settings are available:

Remove block entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
90 days
Never expire
Specific date
Block entry note: Enter optional information about why you're allowing
this email.

When you're finished, click Submit, and then click Done.

Report questionable URLs to Microsoft


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, select the URLs tab.

3. On the URLs tab, click Submit to Microsoft for analysis.


4. In the Submit to Microsoft for analysis flyout that appears, enter the following
information:

Select the submission type: Verify the value URL is selected.

URL: Enter the full URL (for example,
https://www.fabrikam.com/marketing.html), and then select it in the box that
appears.

Select a reason for submitting to Microsoft: Verify Should have been
blocked (False negative) is selected.

The email should have been categorized as: Select Phish or Malware. If
you're not sure, use your best judgment.

Block this URL: Select this option to create a block entry for the sender in
the Tenant Allow/Block List. For more information about the Tenant
Allow/Block List, see Manage your allows and blocks in the Tenant
Allow/Block List.

After you select this option, the following settings are available:

Remove block entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
90 days
Never expire
Specific date

Block entry note: Enter optional information about why you're allowing
this email.

When you're finished, click Submit, and then click Done.


Report questionable files to Microsoft


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, select the Files tab.

3. On the Files tab, click Add new submission.

4. On the Add new submission flyout that appears, enter the following information:

Click Browse files to find and select the file to submit.

Select the submission type: You can choose the value Files or File hash.
This file should have been categorized as: Select Malware or Unwanted
Software.

Choose the priority: Select Low - bulk file or file hash submission or
Medium - standard submission or High - need immediate attention (3
allowed per org per day). If you're not sure, use your best judgment. This
option is only available if you choose the option Files in Select the
submission type.

Note for Microsoft: Enter optional information in case there is anything else
that needs to be added.

Click on Share feedback and relevant content with Microsoft.

When you're finished, click Submit, and then click Done.

Report good email to Microsoft


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, verify that the Emails tab is selected.

3. On the Emails tab, click Submit to Microsoft for analysis.

4. In the Submit to Microsoft for analysis flyout that appears, enter the following
information:

Select the submission type: Verify the value Email is selected.

Add the network message ID or upload the email file: Select one of the
following options:

Add the email network message ID: This is a GUID value that's available in
the X-MS-Exchange-Organization-Network-Message-Id header in the
message or in the X-MS-Office365-Filtering-Correlation-Id header in
quarantined messages.

Upload the email file (.msg or .eml): Click Browse files. In the dialog that
opens, find and select the .eml or .msg file, and then click Open.

Choose a recipient who had an issue: Specify the recipient that you would
like to run a policy check against. The policy check will determine if the email
was blocked due to user or organization policies.
Select a reason for submitting to Microsoft: Select Should not have been
blocked (False positive), and then configure the following settings:

Allow emails with similar attributes (URL, sender, etc.): Turn on this
setting.

Remove allow entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
Specific date: The maximum value is 30 days from today.

For spoofed senders, this value is meaningless, because entries for
spoofed senders never expire.

Allow entry note: Enter optional information about why you're allowing
this email.

For spoofed senders, any value you enter here is not shown in the allow
entry on the Spoofed senders tab on the Tenant Allow/Block List.

When you're finished, click Submit, and then click Done.


After a few moments, the allow entry will appear on the Domains & addresses or
Spoofed senders tab on the Tenant Allow/Block List page.

Note

When you override the verdict in the spoof intelligence insight, the spoofed
sender becomes a manual allow or block entry that only appears on the
Spoofed senders tab in the Tenant Allow/Block List.

If the sender has not already been blocked, submitting the email message to
Microsoft won't create an allow entry in the Tenant Allow/Block List.

Allows are added during mail flow, based on which filters determined the
message to be malicious. For example, if the sender and a URL in the message
were determined to be bad, an allow entry is created for the sender, and an
allow entry is created for the URL.

When that entity (domain or email address, URL, file) is encountered again, all
filters associated with that entity are skipped. For an email, all other entities
are still evaluated by the filtering system before making a decision.

During mail flow, if messages from the domain or email address pass other
checks in the filtering stack, the messages will be delivered. For example, if
email authentication passes, a message from a sender in the allow entry will
be delivered.
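Both the Report questionable email and Report good email procedures above accept a network message ID instead of an uploaded file. The following added example in Python (not Microsoft's code) pulls that GUID out of a saved .eml, reading X-MS-Exchange-Organization-Network-Message-Id first and falling back to X-MS-Office365-Filtering-Correlation-Id for a message exported from quarantine, and checks the Date header against the 30-day age limit for admin submissions. The sample messages and their GUIDs are constructed placeholders.

```python
import uuid
from datetime import datetime, timedelta, timezone
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

NMID_HEADER = "X-MS-Exchange-Organization-Network-Message-Id"
CORRELATION_HEADER = "X-MS-Office365-Filtering-Correlation-Id"  # carried by quarantined messages
MAX_AGE = timedelta(days=30)  # admins can submit messages up to 30 days old

# Constructed sample messages; the GUIDs are placeholders, not real IDs.
SAMPLE_EML = b"""\
From: ceo@contoso.com
To: bob@contoso.com
Subject: Invoice overdue
Date: Mon, 09 Jan 2023 10:15:00 +0000
X-MS-Exchange-Organization-Network-Message-Id: 11111111-2222-3333-4444-555555555555
Content-Type: text/plain

Please pay now.
"""

QUARANTINED_EML = b"""\
From: it@contoso.com
To: carol@contoso.com
Subject: Reset password
Date: Tue, 10 Jan 2023 08:00:00 +0000
X-MS-Office365-Filtering-Correlation-Id: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Content-Type: text/plain

Click here.
"""


def parse_eml(raw):
    """Parse raw RFC 5322 bytes (the content of a .eml file) into a message object."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def network_message_id(raw):
    """Return (guid, header_used), or (None, None) if neither header holds a GUID."""
    msg = parse_eml(raw)
    for header in (NMID_HEADER, CORRELATION_HEADER):
        value = msg.get(header)
        if not value:
            continue
        try:
            # uuid.UUID validates the value; str() normalises it to dashed lower-case.
            return str(uuid.UUID(str(value).strip())), header
        except ValueError:
            continue  # header present but not a GUID; try the next one
    return None, None


def within_submission_window(raw, now=None):
    """True if the message's Date header is within the 30-day admin submission limit.
    'now' may be a datetime or an ISO-8601 string; it defaults to the current time."""
    sent = parsedate_to_datetime(str(parse_eml(raw)["Date"]))
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now is None:
        now = datetime.now(timezone.utc)
    return timedelta(0) <= now - sent <= MAX_AGE


def submission_summary(raw, now=None):
    """What an admin needs before filling in the flyout: the ID, where it came from,
    and whether the message is still young enough to submit."""
    guid, header = network_message_id(raw)
    return {
        "network_message_id": guid,
        "source_header": header,
        "submittable": guid is not None and within_submission_window(raw, now),
    }


if __name__ == "__main__":
    for label, raw in (("delivered", SAMPLE_EML), ("quarantined", QUARANTINED_EML)):
        print(label, submission_summary(raw, "2023-01-20T00:00:00+00:00"))
```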

Report good email attachments to Microsoft


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, select the Email attachments tab.

3. On the Email attachments tab, click Submit to Microsoft for analysis.

4. On the Submit to Microsoft for analysis flyout that appears, enter the following
information:

Select the submission type: Verify the value Email attachment is selected.

File: Click Browse files to find and select the file to submit.

Select a reason for submitting to Microsoft: Select Should not have been
blocked (False positive), and then configure the following settings:

Allow this file: Turn on this setting.

Remove allow entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
Specific date: The maximum value is 30 days from today.

Allow entry note: Enter optional information about why you're allowing
this file.

When you're finished, click Submit, and then click Done.

After a few moments, an allow entry will appear on the Files tab on the Tenant
Allow/Block List page.

Note

When the file is encountered again, it's not sent for Safe Attachments detonation
or file reputation checks, and all other file-based filters are skipped. During mail
flow, if messages containing the file pass other non-file checks in the filtering stack,
the messages will be delivered.

Report good URLs to Microsoft


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, select the URLs tab.

3. On the URLs tab, click Submit to Microsoft for analysis.

4. In the Submit to Microsoft for analysis flyout that appears, enter the following
information:

Select the submission type: Verify the value URL is selected.

URL: Enter the full URL (for example,
https://www.fabrikam.com/marketing.html), and then select it in the box that
appears. You can also provide a top level domain (for example,
https://www.fabrikam.com/*), and then select it in the box that appears.

Select a reason for submitting to Microsoft: Select Should not have been
blocked (False positive), and then configure the following settings:

Allow this URL: Turn on this setting.

Remove allow entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
Specific date: The maximum value is 30 days from today.

Allow entry note: Enter optional information about why you're allowing
this URL.

When you're finished, click Submit, and then click Done.


After a few moments, an allow entry will appear on the URL tab on the Tenant
Allow/Block List page. For more information about the Tenant Allow/Block List, see
Manage your allows and blocks in the Tenant Allow/Block List.

Note

When the URL is detected again, it's not sent for Safe Links detonation or URL
reputation checks, and all other URL-based filters are skipped.

During mail flow, if messages containing the URL pass other non-URL checks
in the filtering stack, the messages will be delivered.

Report good files to Microsoft

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, select the Files tab.

3. On the Files tab, click Add new submission.

4. On the Add new submission flyout that appears, enter the following information:

Click Browse files to find and select the file to submit.

Select the submission type: You can choose the value Files or File hash.

This file should have been categorized as: Verify the value Clean is selected.

Choose the priority: Select Low - bulk file or file hash submission or
Medium - standard submission or High - need immediate attention (3
allowed per org per day). If you're not sure, use your best judgment. This
option is only available if you choose the option Files in Select the
submission type.

Note for Microsoft: Enter optional information in case there is anything else
that needs to be added.

Click on Share feedback and relevant content with Microsoft.

When you're finished, click Submit, and then click Done.

View email admin submissions to Microsoft


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, verify that the Emails tab is selected.

You can sort the entries by clicking on an available column header.

Click Customize columns to select the columns that you want to view. The
default values are marked with an asterisk (*):
Submission name*
Sender*
Recipient
Date submitted*
Reason for submitting*
Status*
Result*
Filter verdict
Delivery/Block reason
Submission ID
Network Message ID/Object ID
Direction
Sender IP
Bulk compliant level (BCL)
Destination
Policy action
Submitted by
Phish simulation
Tags*
Allow

When you're finished, click Apply.


To filter the entries, click Filter. The following values are available in the
Filter flyout that appears:
Date submitted: Start date and End date values.
Submission ID: A GUID value that's assigned to every submission.
Network Message ID
Sender
Recipient
Name
Submitted by
Reason for submitting: The values Not junk, Phish, Malware, and Spam.
Status: The values Pending and Completed.
Tags: The default value is All or select a user tag from the drop-down list.

When you're finished, click Apply. To clear existing filters, click Clear filters
in the Filter flyout.


To group the entries, click Group and select one of the following values
from the dropdown list:
None
Reason
Status
Result
Tags

To export the entries, click Export. In the dialog that appears, save the .csv
file.

View email attachment admin submissions to Microsoft

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, verify that the Email attachments tab is selected.

You can sort the entries by clicking on an available column header.

Click Customize columns to select the columns that you want to view. The
default values are marked with an asterisk (*):
Attachment filename*
Date submitted*
Reason for submitting*
Status*
Result*
Filter verdict
Delivery/Block reason
Submission ID
Object ID
Policy action
Submitted by
Tags*
Allow

When you're finished, click Apply.


To filter the entries, click Filter. The following values are available in the
Filter flyout that appears:
Date submitted: Start date and End date.
Submission ID: A GUID value that's assigned to every submission.
Attachment filename
Submitted by
Reason for submitting
Status
Tags: The default value is All or select a user tag from the drop-down list.

When you're finished, click Apply.


To group the entries, click Group and select one of the following values
from the drop-down list:
None
Reason
Status
Result
Tags

To export the entries, click Export. In the dialog that appears, save the .csv
file.

View URLs admin submissions to Microsoft


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, verify that the URLs tab is selected.

You can sort the entries by clicking on an available column header.

Click Customize columns to select the columns that you want to view. The
default values are marked with an asterisk (*):
URL*
Date submitted*
Reason for submitting*
Status*
Result*
Filter verdict
Delivery/Block reason
Submission ID
Object ID
Policy action
Submitted by
Tags*
Allow

When you're finished, click Apply.


To filter the entries, click Filter. The following values are available in the
Filter flyout that appears:
Date submitted: Start date and End date.
Submission ID: A GUID value that's assigned to every submission.
URL
Submitted by
Reason for submitting
Status
Tags: The default value is All or select a user tag from the drop-down list.

When you're finished, click Apply. To clear existing filters, click Clear filters
in the Filter flyout.

To group the entries, click Group and select one of the following values
from the dropdown list:
None
Reason
Status
Result
Tags

To export the entries, click Export. In the dialog that appears, save the .csv
file.

View files admin submissions to Microsoft


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .

2. On the Submissions page, verify that the Files tab is selected.

You can sort the entries by clicking on an available column header.

Click Customize columns to select the columns that you want to view. The
default values are marked with an asterisk (*):
Submission name*
Submission ID*
Submitted by
Date submitted*
Submission Type
Reason for submitting*
Status*
Priority*
Customer comment
Researcher comment

When you're finished, click Apply.

To filter the entries, click Filter. The following values are available in the
Filter flyout that appears:
Date submitted: Start date and End date values.
Submitted as: The values Unknown, Clean, False positive, Experimental
false positive, Malware, Spyware, Unwanted Software, Pua false positive,
and Night watch unknown.
Status: The values New, Unassigned, Assigned, Pending, Resolved,
Closed, Downloading, Sample collection, Sample collection failure,
Rejected, and Review timed out.
Submission ID: A GUID value that's assigned to every submission.
Priority: The values Low, Medium, or High.

When you're finished, click Apply. To clear existing filters, click Clear filters
in the Filter flyout.

To group the entries, click Group and select one of the following values
from the dropdown list:
None
Submission Type
Reason for submitting
Status
Priority

To export the entries, click Export. In the dialog that appears, save the .csv
file.

Admin submission result details


Messages that are submitted in admin submissions are reviewed by Microsoft, and the
results are shown in the submission details flyout:

If there was a failure in the sender's email authentication at the time of delivery.
Information about any policy hits that could have affected or overridden the
verdict of a message.
Current detonation results to see if the URLs or files contained in the message
were malicious or not.
Feedback from graders.

If an override was found, the result should be available in several minutes. If there wasn't
a problem in email authentication or delivery wasn't affected by an override, then the
feedback from graders could take up to a day.

View user reported messages to Microsoft


If you've deployed the Microsoft Report Message or Report Phishing add-ins or if
people use the built-in Report button in Outlook on the web, you can see what users are
reporting on the User reported tab on the Submissions page.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the
Submissions page at Actions & submissions > Submissions > User reported tab.
To go directly to the User reported tab, use
https://security.microsoft.com/reportsubmission?viewid=user.

2. On the User reported tab, the following settings are available:

Click Customize columns to select the columns that you want to view. The
default values are marked with an asterisk (*):
Email subject*
Reported by*
Date reported*
Sender*
Reported reason*
Original verdict*
Result*
Message reported ID
Network Message ID
Sender IP
Reported from
Phish simulation
Converted to admin submission
Tags*
Marked as*
Marked by
Date marked

When you're finished, click Apply.

To filter the entries, click Filter. The following values are available in the
Filter flyout that appears:
Date reported: Start date and End date.
Reported by
Email subject
Message reported ID
Network Message ID
Sender
Reported reason: The values Not junk, Phish, or Spam.
Reported from: The values Microsoft add-in or Third party add-in.
Phish simulation: The values Yes or No.
Converted to admin submission: The values Yes or No.
Tags: The default value is All or select a user tag from the drop-down list.

When you're finished, click Apply. To clear existing filters, click Clear filters
in the Filter flyout.

To group the entries, click Group and select one of the following values
from the dropdown list:
None
Reason
Sender
Reported by
Original verdict
Result
Reported from
Phish simulation
Converted to admin submission
Tags

To export the entries, click Export. In the dialog that appears, save the .csv
file.

To notify users, see Admin Review for Reported messages.

Note

User reported messages that are sent only to the reporting mailbox (not to
Microsoft) appear on the User reported tab on the Submissions page, but the
Result value for those entries is always blank (because the messages aren't
rescanned).

Undo user reported messages

Once a user reports a suspicious message that's delivered to the reporting mailbox,
neither the user nor admins can undo the report. The user can recover the messages
from their Deleted Items or Junk Email folders.

Convert user reported messages in the reporting mailbox into admin submissions

If you've configured the reporting mailbox to intercept user reported messages without
sending the messages to Microsoft, admins can find and manually send specific
messages to Microsoft for analysis.

On the User reported tab at https://security.microsoft.com/reportsubmission?viewid=user,
select a message from the list, click Submit to Microsoft for analysis,
and then select one of the following values from the dropdown list:

Report clean
Report phishing
Report malware
Report spam
Trigger investigation

If the message is reported to Microsoft, the Converted to admin submission value changes
from No to Yes. You can directly access the admin submission by clicking View the
converted admin submission from the More options menu on the submission flyout
of the message.
View associated alert for user and admin email submissions

Important

The information in this section applies only to Defender for Office 365 Plan 2 or
higher.

Currently, user reported messages generate alerts only for messages that are
reported as phishing.

For each user reported phishing message and admin email submission, a corresponding
alert is generated.

To view the corresponding alert for a user reported phishing message, go to the User
reported tab at https://security.microsoft.com/reportsubmission?viewid=user , and
then double-click the message to open the submission flyout. Click More options
and then select View alert.
To view the corresponding alert for admin email submissions, go to the Emails tab at
https://security.microsoft.com/reportsubmission?viewid=email , and then double-click
the message to open the submission flyout. Select View alert on the Open email entity
option.
Enable the Microsoft Report Message or the Report Phishing add-ins
Article • 12/15/2022 • 9 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Note

If you're an admin in a Microsoft 365 organization with Exchange Online mailboxes,
we recommend that you use the Submissions page in the Microsoft 365 Defender
portal. For more information, see Use Admin Submission to submit suspected
spam, phish, URLs, and files to Microsoft.

The Microsoft Report Message and Report Phishing add-ins for Outlook and Outlook on
the web (formerly known as Outlook Web App or OWA) make it easy to report false
positives (good email marked as bad) or false negatives (bad email allowed) to
Microsoft and its affiliates for analysis.

Microsoft uses these user reported messages to improve the effectiveness of email
protection technologies. For example, suppose that people are reporting many
messages using the Report Phishing add-in. This information surfaces in the Security
Dashboard and other reports. Your organization's security team can use this information
as an indication that anti-phishing policies might need to be updated.

You can install either the Report Message or the Report Phishing add-in. If you want
your users to report both spam and phishing messages, deploy the Report Message
add-in in your organization.

The Report Message add-in provides the option to report both spam and phishing
messages. Admins can enable the Report Message add-in for the organization, and
individual users can install it for themselves.

The Report Phishing add-in provides the option to report only phishing messages.
Admins can enable the Report Phishing add-in for the organization, and individual users
can install it for themselves.

If you're an individual user, you can enable both add-ins for yourself.

If you're a global administrator or an Exchange Online administrator, and Exchange is
configured to use OAuth authentication, you can enable the Report Message and Report
Phishing add-ins for your organization. Both add-ins are now available through
Centralized Deployment.

After the add-in is installed and enabled, users will see the following icons:

Outlook for Windows:

The Report Message icon in the Classic Ribbon:

The Report Message icon in the Simplified Ribbon: Click More commands >
Protection section > Report Message.

The Report Phishing icon in the Classic Ribbon:


The Report Phishing icon in the Simplified Ribbon: Click More commands >
Protection section > Report Phishing.

Outlook on the web:

The Report Message add-in:


The Report Phishing add-in:

What do you need to know before you begin?


The Report Message and Report Phishing add-ins work with most Microsoft 365
subscriptions and the following products:
Outlook on the web
Outlook 2013 SP1 or later
Outlook 2016 for Mac
Outlook included with Microsoft 365 apps for Enterprise
Outlook for iOS and Android

The add-ins are not available for shared, group, or delegated mailboxes (Report
Message is grayed out).

The add-ins are not available for on-premises Exchange mailboxes.

Your existing web browser should work with the Report Message and Report
Phishing add-ins. But, if you notice an add-in isn't available or not working as
expected, try a different browser.

For organizational installs, the organization needs to be configured to use OAuth
authentication. For more information, see Determine if Centralized Deployment of
add-ins works for your organization.

Admins need to be a member of the Global admins role group. For more
information, see Permissions in the Microsoft 365 Defender portal.

For more information on how to report a message using the Report Message
feature, see Report false positives and false negatives in Outlook.

Organizations that have a URL filtering or security solution (such as a proxy and/or
firewall) in place must allow outbound HTTPS connections to the
ipagave.azurewebsites.net and outlook.office.com endpoints.

Currently, reporting messages in shared mailboxes or other mailboxes by a
delegate using the add-ins is not supported. Messages are not sent to the
reporting mailbox or to Microsoft. Built-in reporting in Outlook on the web sends
messages reported by a delegate to the reporting mailbox and/or to Microsoft.

Important

To view messages reported to Microsoft on the User reported tab on the
Submissions page at https://security.microsoft.com/reportsubmission?viewid=user,
leave the toggle at the top of the User reported page at
https://security.microsoft.com/securitysettings/userSubmission set to On.

Admin instructions
Install and configure the Report Message or Report Phishing add-ins for the
organization.

Note

It could take up to 12 hours for the add-in to appear in your organization.

Get the Report Message or Report Phishing add-in for your organization

1. In the Microsoft 365 admin center at https://admin.microsoft.com, expand Show
all if necessary, and then go to Settings > Integrated apps. Or, to go directly to the
Integrated apps page, use
https://admin.microsoft.com/Adminportal/Home#/Settings/IntegratedApps.

2. On the Integrated apps page, click Get apps.

3. In the Microsoft 365 Apps page that opens, enter Report Message in the
Search box.

In the search results, click Get it now in the Report Message entry or the Report
Phishing entry.

Note

Although the screenshots in the remaining steps show the Report Message
add-in, the steps are identical for the Report Phishing add-in.

4. The Deploy New App wizard opens. On the Add users page, configure the
following settings:

Is this a test deployment?: Leave the toggle at No, or set the toggle to
Yes.

Assign users: Select one of the following values:
Just me
Entire organization
Specific users/groups: Find and select users and groups in the search box.
After each selection, the user or group appears in the To be added section
that appears below the search box. To remove a selection, click on the
entry.

Email notification: By default, Send email notification to assigned users
is selected. Click View email sample to open the Add-in deployment email
alerts article.

When you're finished, click Next.

5. On the Accept permissions requests page, read the app permissions and
capabilities information carefully before you click Next.

6. On the Review and finish deployment page, review your settings. Click Back to
make changes.

When you're finished, click Finish deployment.


7. A progress indicator appears on the Review and finish deployment page. If
deployment of the add-in is successful, the page title changes to Deployment
completed.

When you're finished, click Done.

If you click View this deployment, the page closes and you're taken to the details
of the add-in as described in the next section.

Get the Report Message or the Report Phishing add-ins for your Microsoft 365 GCC or GCC High organization

Admins in Microsoft 365 Government Community Cloud (GCC) or GCC High need to use
the steps in this section to get the Report Message or Report Phishing add-ins for their
organizations.

Note

It could take up to 24 hours for the add-in to appear in your organization.

1. In the Microsoft 365 admin center at https://portal.office365.us/adminportal, go
to Organization > Add-ins, and select Deploy Add-In.

2. In the Deploy a new add-in flyout that opens, click Next, and then select Upload
custom apps.

3. Select I have a URL for the manifest file. Use the following URLs:
Report Message:
https://ipagave.azurewebsites.net/ReportMessageManifest/ReportMessageAzure.xml
Report Phishing:
https://ipagave.azurewebsites.net/ReportPhishingManifest/ReportPhishingAzure.xml

4. Choose which users will have access to the add-in, select a deployment method,
and then select Deploy.

5. To fully configure the settings, see User reported message settings.

View and edit settings for the Report Message or Report Phishing add-ins

1. In the Microsoft 365 admin center at https://admin.microsoft.com, expand Show
all if necessary, and then go to Settings > Integrated apps. Or, to go directly to the
Integrated apps page, use
https://admin.microsoft.com/Adminportal/Home#/Settings/IntegratedApps.

Note

Although the screenshots in the remaining steps show the Report Message
add-in, the steps are identical for the Report Phishing add-in.

2. On the Integrated apps page, select the Report Message add-in or the Report
Phishing add-in by doing one of the following steps:

In the Name column, click the icon or text for the add-in. This selection takes
you to the Overview tab in the details flyout as described in the next steps.
In the Name column, click ⋮ Edit row, and then select Edit users. This
selection takes you to the Users tab in the details flyout as described in the
next steps.
In the Name column, click ⋮ Edit row, and then select Check usage data.
This selection takes you to the Usage tab in the details flyout as described in
the next steps.

3. The details flyout that opens contains the following tabs:

Overview tab:
Basic info section:
Status
Type: Add-in
Test deployment: Yes or No, depending on the option you selected
when you deployed the add-in or the selection you change on the
Users tab.
Description
Host product: Outlook
Actions section: Click Remove app to remove the app.
Assigned users section: Click Edit users to go to the Users tab.
Usage section: Click Check usage data to go to the Usage tab.

Users tab:

Is this a test deployment?: Leave the toggle at No, or set the toggle
to Yes.

Assign users section: Select one of the following values:
Just me
Entire organization
Specific users/groups: Find and select users and groups in the search
box. After each selection, the user or group appears in the Added users
section that appears below the search box. To remove a selection, click
on the entry.

Email notification section: Send email notification to assigned users and
View email sample are not selectable.

If you made any updates on this tab, click Update to save your changes.

Usage tab: The chart and details table show the number of active users over
time.
Filter the Date range to 7 days, 30 days (default), or 90 days.
In the Report column, click Download to download the information
filtered by Date range to the file named UsageData.csv.

When you're finished viewing the information on the tabs, click Close to close
the details flyout.

User instructions

Get the Report Message or Report Phishing add-ins for yourself

1. Do one of the following steps:

Open Microsoft AppSource at
https://appsource.microsoft.com/marketplace/apps. On the AppSource
page, enter Report message in the Search box, and then select Report
Message or Report Phishing in the results.

Use one of the following URLs to go directly to the download page for the
add-in:
Report Message:
https://appsource.microsoft.com/product/office/WA104381180
Report Phishing:
https://appsource.microsoft.com/product/office/WA200002469

Note

Although the screenshots in the remaining steps show the Report Message
add-in, the steps are identical for the Report Phishing add-in.

2. On the details page of the add-in, click Get it now.


3. If prompted, sign in with your Microsoft account credentials.

4. When the installation is finished, you'll see the following Launch page:

Get the Report Message or the Report Phishing add-ins for yourself in Microsoft 365 GCC or GCC High

Individual users in Microsoft 365 GCC or GCC High can't get the Report Message or
Report Phishing add-ins using Microsoft AppSource.

Use the Report Message or the Report Phishing add-ins

You can use the Report Message or the Report Phishing add-ins to submit false positives
(good email that was blocked or sent to the Junk Email folder) and false negatives
(unwanted email or phishing that was delivered to the Inbox) in Outlook. For more
information, see Report false positives and false negatives in Outlook.

Report false positives and false negatives in Outlook
Article • 12/22/2022 • 5 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or in on-premises
mailboxes that use hybrid modern authentication, users can report false positives (good
email that was blocked or sent to their Junk Email folder) and false negatives (unwanted
email or phishing that was delivered to their Inbox) from Outlook on all platforms using
free tools from Microsoft.

Admins configure user reported messages to go to a designated reporting mailbox, to
Microsoft, or both. For more information, see User reported message settings.

Microsoft provides the following tools for users to report good and bad messages:

Built-in reporting in Outlook on the web (formerly known as Outlook Web App or
OWA).
The Microsoft Report Message or Report Phishing add-ins. The add-ins work on
virtually all Outlook platforms, including Outlook on the web. For more
information, see Enable the Microsoft Report Message or Report Phishing add-ins.

For more information about reporting messages to Microsoft, see Report messages and
files to Microsoft.

Note

Admins in Microsoft 365 organizations with Exchange Online mailboxes use the
Submissions page in the Microsoft 365 Defender portal to submit messages to
Microsoft. For instructions, see Use the Submissions portal to submit suspected
spam, phish, URLs, and files to Microsoft.

Admins can view reported messages on the Submissions page at
https://security.microsoft.com/reportsubmission only if both of the following
settings are configured on the User reported page at
https://security.microsoft.com/securitysettings/userSubmission:

The toggle on the User reported page is On.
Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk"
options is selected.

Use the built-in Report button in Outlook on the web

Note

The built-in Report button is available in Outlook on the web only if both of
the following settings are configured on the User reported page at
https://security.microsoft.com/securitysettings/userSubmission:
The toggle on the User reported page is On.
Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk"
options is selected.

If the toggle is Off or if Use a non-Microsoft add-in button is selected,
then the Report button is not available in Outlook on the web.

Currently, the Report button in Outlook on the web does not honor the
Before a message is reported and After a message is reported settings
(notification pop-ups) in the user reported message settings.

Use the built-in Report button in Outlook on the web to report junk and phishing messages

You can report junk messages from the Inbox or any email folder other than Junk
Email.
You can report phishing messages from any email folder.

In Outlook on the web, select one or more messages, click Report, and then select
Report phishing or Report junk in the dropdown list.

Based on the user reported message settings in your organization, the messages are
sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken
on the reported messages in the mailbox:

Reported as junk: The messages are moved to the Junk Email folder.
Reported as phishing: The messages are deleted.

Use the built-in Report button in Outlook on the web to report messages that aren't junk

In Outlook on the web, select one or more messages in the Junk Email folder, click
Report, and then select Not junk in the dropdown list.

Based on the user reported message settings in your organization, the messages are
sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out
of Junk Email to the Inbox or another specified folder.

Use the Report Message and Report Phishing add-ins in Outlook

Note

The procedures in this section require the Microsoft Report Message or
Report Phishing add-ins to be installed. For more information, see Enable the
Microsoft Report Message or the Report Phishing add-ins.
The versions of Outlook that are supported by the Report Message and
Report Phishing add-ins are described here.

Use the Report Message add-in to report junk and phishing messages in Outlook

You can report junk messages from the Inbox or any email folder other than Junk
Email.
You can report phishing messages from any email folder.

1. In Outlook, do one of the following steps:

Select an email message from the list.
Open a message.

2. Do one of the following steps based on your Ribbon Layout configuration in
Outlook:

Classic Ribbon: Click Report Message, and then select Junk or Phishing in
the dropdown list.

Simplified Ribbon: Click More commands > Protection section > Report
Message > select Junk or Phishing.

Based on the user reported message settings in your organization, the messages are
sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken
on the reported messages in the mailbox:

Reported as junk: The messages are moved to the Junk Email folder.
Reported as phishing: The messages are deleted.

Use the Report Message add-in to report messages that aren't junk in Outlook

1. In Outlook, open a message in the Junk Email folder.

2. Do one of the following steps based on your Ribbon Layout configuration in
Outlook:

Classic Ribbon: Click Report Message, and then select Not Junk in the
dropdown list.

Simplified Ribbon: Click More commands > Protection section > Report
Message > select Not Junk.

Based on the user reported message settings in your organization, the messages are
sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out
of Junk Email to the Inbox or another specified folder.

Use the Report Phishing add-in to report phishing messages in Outlook

You can report phishing messages from any email folder.

1. In Outlook, do one of the following steps:

Select an email message from the list.
Open a message.

2. Do one of the following steps based on your Ribbon Layout configuration in
Outlook:

Classic Ribbon: Click Report Phishing.

Simplified Ribbon: Click More commands > Protection section > Report
Phishing.

Review reported messages


To review messages that users have reported to Microsoft, admins have these options:

Use the User reported tab on the Submissions page in the Microsoft 365 Defender
portal at https://security.microsoft.com/reportsubmission . For more information,
see View user reported messages to Microsoft.
Create a mail flow rule (also known as a transport rule) to send copies of reported
messages to a recipient for review. For instructions, see Use mail flow rules to see
what users are reporting to Microsoft.

More information
Admins can watch this short video to learn how to use Microsoft Defender for Office
365 to easily investigate user reported messages. Admins can determine the contents of
a message and how to respond by applying the appropriate remediation action.
https://www.microsoft.com/en-us/videoplayer/embed/RWBHof?postJsllMsg=true
User reported message settings
Article • 01/10/2023 • 23 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with Exchange Online mailboxes, you can identify a
reporting mailbox (formerly known as a custom mailbox or submissions mailbox) to hold
messages that users report as malicious or not malicious using supported reporting
tools in Outlook. For Microsoft reporting tools, you can decide whether to send user
reported messages to the reporting mailbox, to Microsoft, or to the reporting mailbox
and Microsoft. These selections were formerly part of the User submissions policy or User
submissions.

User reported message settings and the reporting mailbox work with the following
message reporting tools:

The built-in Report button in Outlook on the web
The Microsoft Report Message or Report Phishing add-ins
Third-party reporting tools

Delivering user reported messages to a reporting mailbox instead of directly to
Microsoft allows admins to selectively and manually report messages to Microsoft from
the Emails tab on the Submissions page at
https://security.microsoft.com/reportsubmission?viewid=email. For more information,
see Admin submission.

Note

The ReportJunkEmailEnabled parameter on the Set-OwaMailboxPolicy cmdlet no
longer controls whether user message reporting is enabled or disabled. User
reporting of messages is now controlled on the User reported page at
https://security.microsoft.com/securitysettings/userSubmission as described in
this article.

Configuration requirements for the reporting mailbox

Before you get started, you need to configure Exchange Online Protection and Defender
for Office 365 so user reported messages are delivered to the reporting mailbox without
being filtered, as described in the following steps:

Identify the reporting mailbox as a SecOps mailbox. For instructions, see Use the
Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced
delivery policy.

Create a custom anti-malware policy for the reporting mailbox with the following
settings:

Turn off Zero-hour auto purge (ZAP) for malware (Protection settings section >
Enable zero-hour auto purge for malware is not selected or -ZapEnabled
$false in PowerShell).

Turn off common attachments filtering (Protection settings section > Enable
the common attachments filter is not selected or -EnableFileFilter $false in
PowerShell).

For instructions, see Create an anti-malware policy.

Verify that the reporting mailbox is not included in the Standard or Strict preset
security policies. For instructions, see Preset security policies.

Defender for Office 365: Configure the following additional settings:

Exclude the reporting mailbox from the Built-in protection preset security
policy. For instructions, see Preset security policies.

Create a Safe Attachments policy for the mailbox where Safe Attachments
scanning, including Dynamic Delivery, is turned off (Settings > Safe
Attachments unknown malware response section > Off or -Enable $false in
PowerShell). For instructions, see Set up Safe Attachments policies in Microsoft
Defender for Office 365.
Create a Safe Links policy for the reporting mailbox where Safe Links scanning
in email is turned off (URL & click protection settings > On: Safe Links checks a
list of known, malicious links when users click links in email is not selected or
-EnableSafeLinksForEmail $false in PowerShell). For instructions, see Set up Safe
Links policies in Microsoft Defender for Office 365.

If you have data loss prevention (DLP), exclude the reporting mailbox from DLP.
For instructions, see Creating exceptions in DLP.

After you've verified that the reporting mailbox meets all of these requirements, use the
rest of the instructions in this article to identify the reporting mailbox and configure the
related settings for user reported messages.
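The configuration steps above as one Exchange Online PowerShell pass, added here as an example rather than code from the Microsoft documentation. The mailbox address secops-reports@contoso.com and the ReportingMailbox-* policy and rule names are placeholders; the cmdlets and parameters are the Exchange Online and Defender for Office 365 ones the steps name, and the Defender-only policies are created only when those cmdlets are available in the session.

```powershell
# Added example, not Microsoft's code: applies the reporting-mailbox exemptions listed
# above from Exchange Online PowerShell. Run after Connect-ExchangeOnline as an admin.
# Placeholders: the mailbox address and the 'ReportingMailbox-*' policy and rule names.
$ReportingMailbox = 'secops-reports@contoso.com'   # placeholder address

# The reporting mailbox must be an existing mailbox; distribution groups are not allowed.
$mbx = Get-Mailbox -Identity $ReportingMailbox -ErrorAction Stop
if ($mbx.RecipientTypeDetails -notin 'UserMailbox', 'SharedMailbox') {
    throw "$ReportingMailbox is a $($mbx.RecipientTypeDetails); use a user or shared mailbox."
}
# Safe Attachments / Safe Links cmdlets exist only with a Defender for Office 365 license.
$hasMdo = [bool](Get-Command New-SafeAttachmentPolicy -ErrorAction SilentlyContinue)

# 1. SecOps mailbox in the advanced delivery policy. The policy is a tenant singleton:
#    create it (and its rule) the first time, otherwise add the address to it.
$secOps = Get-SecOpsOverridePolicy -ErrorAction SilentlyContinue
if (-not $secOps) {
    New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo $ReportingMailbox | Out-Null
    New-ExoSecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy | Out-Null
} elseif ($secOps.SentTo -notcontains $ReportingMailbox) {
    Set-SecOpsOverridePolicy -Identity $secOps.Identity -AddSentTo $ReportingMailbox
}

# 2. Custom anti-malware policy with ZAP for malware and the common attachments filter
#    turned off, scoped to the reporting mailbox by a rule at priority 0 so it applies first.
New-MalwareFilterPolicy -Name 'ReportingMailbox-Malware' `
    -ZapEnabled $false -EnableFileFilter $false | Out-Null
New-MalwareFilterRule -Name 'ReportingMailbox-Malware' -Priority 0 `
    -MalwareFilterPolicy 'ReportingMailbox-Malware' -SentTo $ReportingMailbox | Out-Null

# 3. Exclude the mailbox from the Standard and Strict preset security policies and, with
#    Defender for Office 365, from Built-in protection. -ExceptIfSentTo replaces the list,
#    so the helper re-submits the existing exceptions plus the reporting mailbox.
function Add-ReportingMailboxException {
    param([Parameter(Mandatory)]$Rule, [Parameter(Mandatory)][string]$SetCmdlet)
    if ($Rule.ExceptIfSentTo -contains $ReportingMailbox) { return }   # already excluded
    $list = @($Rule.ExceptIfSentTo | Where-Object { $_ }) + $ReportingMailbox
    & $SetCmdlet -Identity $Rule.Identity -ExceptIfSentTo $list
}
foreach ($preset in 'Standard', 'Strict') {
    $name = "$preset Preset Security Policy"
    $eop = Get-EOPProtectionPolicyRule -Identity $name -ErrorAction SilentlyContinue
    if ($eop) { Add-ReportingMailboxException -Rule $eop -SetCmdlet Set-EOPProtectionPolicyRule }
    if ($hasMdo) {
        $atp = Get-ATPProtectionPolicyRule -Identity $name -ErrorAction SilentlyContinue
        if ($atp) { Add-ReportingMailboxException -Rule $atp -SetCmdlet Set-ATPProtectionPolicyRule }
    }
}

# 4. Defender for Office 365 only: Built-in protection exception, plus Safe Attachments and
#    Safe Links policies for the mailbox with scanning turned off, scoped by priority-0 rules.
if ($hasMdo) {
    Add-ReportingMailboxException -Rule (Get-ATPBuiltInProtectionRule) -SetCmdlet Set-ATPBuiltInProtectionRule
    New-SafeAttachmentPolicy -Name 'ReportingMailbox-SafeAttachments' -Enable $false | Out-Null
    New-SafeAttachmentRule -Name 'ReportingMailbox-SafeAttachments' -Priority 0 `
        -SafeAttachmentPolicy 'ReportingMailbox-SafeAttachments' -SentTo $ReportingMailbox | Out-Null
    New-SafeLinksPolicy -Name 'ReportingMailbox-SafeLinks' -EnableSafeLinksForEmail $false | Out-Null
    New-SafeLinksRule -Name 'ReportingMailbox-SafeLinks' -Priority 0 `
        -SafeLinksPolicy 'ReportingMailbox-SafeLinks' -SentTo $ReportingMailbox | Out-Null
}
# DLP exceptions are configured separately in the Microsoft Purview compliance portal.

# Verification: these exemptions switch protections off, so list every filtering rule that
# now names the reporting mailbox and confirm nothing broader than this one recipient is
# in scope before closing the change.
$rules = @(Get-MalwareFilterRule)
if ($hasMdo) { $rules += @(Get-SafeAttachmentRule) + @(Get-SafeLinksRule) }
$rules | Where-Object { $_.SentTo -contains $ReportingMailbox } |
    Format-Table Name, Priority, State, SentTo -AutoSize
```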

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the User reported page, use
https://security.microsoft.com/securitysettings/userSubmission.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

To modify the settings for user reported messages, you need to be a member of
one of the following role groups:
Organization Management or Security Administrator in the Permissions in the
Microsoft 365 Defender portal.

You need access to Exchange Online PowerShell. If the account that you're trying
to use doesn't have access to Exchange Online PowerShell, you'll receive an error
that looks like this when specifying the submissions mailbox:

Specify an email address in your domain

For more information about enabling or disabling access to Exchange Online
PowerShell, see the following topics:
Enable or disable access to Exchange Online PowerShell
Client Access Rules in Exchange Online

Use the Microsoft 365 Defender portal to configure user reported message settings

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Settings > Email & collaboration > User reported tab. To go directly to the User
reported page, use
https://security.microsoft.com/securitysettings/userSubmission.

2. On the User reported page, what you see and can configure is determined entirely
by the toggle at the top of the page:

On: The following configurations are supported:

Microsoft reporting tools:
Users in your organization can see and use the built-in Report button
in Outlook on the web or the Microsoft Report Message or Report
Phishing add-ins in virtually all Outlook platforms to report messages.
You can configure user reported messages to go to the reporting
mailbox, to Microsoft, or both.
You decide whether users receive Before a message is reported and
After a message is reported pop-ups in Outlook.
You decide how to customize the feedback email that's sent to users
from Mark and notify on the Submissions page at
https://security.microsoft.com/reportsubmission.
You decide whether users can report messages from quarantine.

You choose this configuration by selecting Use the built-in "Report"
button with "Phishing", "Junk", and "Not Junk" options in the Outlook
report button configuration section. The available configuration options
from this selection are explained in the Options for Microsoft reporting
tools section in this article.

Third-party reporting tools:
Users in your organization use a third-party, non-Microsoft add-in to
report messages.
You decide whether Microsoft can read end user reports from the
third-party reporting mailbox.
You decide whether users can report messages from quarantine to the
third-party reporting mailbox.

You choose this configuration by selecting Use a non-Microsoft add-in
button in the Outlook report button configuration section. The available
configuration options from this selection are explained in the Options for
third-party reporting tools section in this article.

Off: The Microsoft-integrated reporting experience is turned off, and all
other settings on the User reported page are unavailable, including the
ability for users to report messages from quarantine.
Options for Microsoft reporting tools

When the toggle is On and you've selected Use the built-in "Report" button with
"Phishing", "Junk", and "Not Junk" options, the following options are available on the
User reported page:

Send the reported messages to in the Reported message destinations section:
Select one of the following options:

Microsoft only: User reported messages go directly to Microsoft for analysis.
Only metadata from the user reported messages (for example, senders,
recipients, reported by, and message details) is available on the User reported
tab on the Submissions page at
https://security.microsoft.com/reportsubmission?viewid=user.

My reporting mailbox only: User reported messages go only to the specified
reporting mailbox for an admin or the security operations team to analyze.

In the Add a mailbox to send reported messages to box that appears, enter the
email address of an existing Exchange Online mailbox to use as the reporting
mailbox that holds user reported messages from Microsoft reporting tools.
Distribution groups are not allowed.

Messages don't go to Microsoft for analysis unless an admin manually submits
the message from the Emails tab on the Submissions page at
https://security.microsoft.com/reportsubmission?viewid=email.

Microsoft and my reporting mailbox: User reported messages go to Microsoft
for analysis and to the reporting mailbox for an admin or security operations
team to analyze.

In the Add a mailbox to send reported messages to box that appears, enter the
email address of an existing Exchange Online mailbox to use as the reporting
mailbox. Distribution groups are not allowed.

Important

In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD),
the only available selection in the Send the reported messages to section is
My reporting mailbox only. The other two options are grayed out.

If you select My reporting mailbox only, the Result value of message entries
on the User reported tab on the Submissions page at
https://security.microsoft.com/reportsubmission?viewid=user will always
be empty, because the messages were not rescanned.

If you use Attack simulation training or a third-party product to do phishing
simulations, you must configure the reporting mailbox as a SecOps mailbox as
described in the Configuration requirements for the reporting mailbox section
earlier in this article. If you don't, a user reporting a message might trigger a
training assignment in the phishing simulation product.

The following settings are also available on the page:

Note

Currently, users who report messages from Outlook on the web using the built-in
Report button don't get these before or after pop-up messages. The pop-ups work
for users who report messages using the Microsoft Report Message and Report
Phishing add-ins.

Show a pop-up message in Outlook to confirm if the user wants to report the
message in the Before a message is reported section: This setting controls
whether users see a pop-up before they report a message.

If this setting is selected, click Customize before message to enter the Title
and Message text in the Customize text before message is reported flyout that
opens. Use the variable %type% to include the submission type (junk, not junk,
phishing, etc.).

When you're finished, click Confirm to return to the User reported page.

Show a success pop-up message in Outlook after the user reports in the After a
message is reported section: This setting controls whether users see a pop-up
after they report a message.

If this setting is selected, click Customize after message to enter the Title and
Message text in the Customize text after message is reported flyout that opens.
Use the variable %type% to include the submission type (junk, not junk, phishing,
etc.).

When you're finished, click Confirm to return to the User reported page.

Email sent to user after admin review section: The following settings are available:

Specify an Office 365 mailbox to send email notifications from: Select this
option and enter the sender's email address in the box that appears.

Replace the Microsoft logo with my company logo: Select this option to
replace the default Microsoft logo that's used in notifications. Before you do
this step, you need to follow the instructions in Customize the Microsoft 365
theme for your organization to upload your custom logo. This option is not
supported if your organization has a custom logo pointing to a URL instead of
an uploaded image file.

Customize email notification messages: Click this link to customize the email
notification that's sent after an admin reviews and marks a reported message. In
the Customize admin review email notifications flyout that appears, configure
the following settings on the Phishing, Junk and No threats found tabs:

Email body results text: Enter the custom text to use. You can use different
text for Phishing, Junk and No threats found.
Email footer text: Enter the custom message footer text to use. The same
text is used for Phishing, Junk and No threats found.

When you're finished, click Confirm to return to the User reported page.

When you're finished on the User reported page, click Save. To restore all settings on
the page to their immediately previous values, click Restore.

Options for third-party reporting tools

When the toggle is On and you've selected Use a non-Microsoft add-in button,
the following options are available on the User reported page:

Add a mailbox to send reported messages to in the Reported message
destinations section: Enter the email address of an existing Exchange Online
mailbox to use as the reporting mailbox that holds user reported messages from
third-party reporting tools. These messages are not submitted to Microsoft.

These user reported messages appear on the User reported tab of the
Submissions page at https://security.microsoft.com/reportsubmission?viewid=user.
The Result value for these entries is Not Submitted to Microsoft.

Messages sent to the reporting mailbox must include the original user reported
message as an uncompressed .EML or .MSG attachment. Don't forward the original
user reported message to the reporting mailbox.

Note

Messages that contain multiple attached messages will be discarded. We
support only one attached original message in a user reported message.

The message formatting requirements are described in the next section. This
formatting is optional, but if user reported messages don't follow the prescribed
format, they're always identified as phishing.

Let your organization report messages from quarantine in the Report from
quarantine section: Verify that this setting is selected to let users report messages
from quarantine. Otherwise, uncheck this setting.

When you're finished on the User reported page, click Save. To restore all settings on
the page to their immediately previous values, click Restore.

Message submission format

To correctly identify the original attached messages, messages sent to the custom
mailbox require specific formatting. If the messages don't use this format, the original
attached messages are always identified as phishing.

To specify the reason why the original, attached messages were reported, messages sent
to the reporting mailbox must meet the following criteria:

The user reported message is unmodified and is included as an attachment.

The user reported message should contain the following required headers:

1. X-Microsoft-Antispam-Message-Info
2. Message-Id
3. X-Ms-Exchange-Organization-Network-Message-Id
4. X-Ms-Exchange-Crosstenant-Id

Note

TenantId in X-Ms-Exchange-Crosstenant-Id should be the same as the tenant.

X-Microsoft-Antispam-Message-Info should be a valid xmi.

The Subject line (Envelope Title) of messages sent to the reporting mailbox must
start with one of the following prefix values:

1| or Junk:
2| or Not junk:
3| or Phishing:

For example:

3|This text in the Subject line is ignored by the system

Not Junk:This text in the Subject line is also ignored by the system

Messages that don't follow this format will not display properly on the
Submissions page at https://security.microsoft.com/reportsubmission.
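The format rules above, as an added example that is not part of the Microsoft article: a PowerShell check that a message bound for a third-party reporting mailbox carries a recognized Subject prefix, exactly one attached original message, and the four required headers for the right tenant. It assumes the caller has already extracted the outer Subject, the raw header block of the attached message, and the attachment count (no MIME parsing is done), and all header values are constructed placeholders.

```powershell
# Added example, not part of the Microsoft article. Checks a message destined for a
# third-party reporting mailbox against the submission format above, so a malformed
# report is caught before it's sent (and silently classified as phishing or discarded).
# Assumptions: the caller has already extracted the outer Subject, the raw header block
# of the attached original message, and the number of attached messages; no MIME
# parsing is done here.

$RequiredHeaders = @(
    'X-Microsoft-Antispam-Message-Info',
    'Message-Id',
    'X-Ms-Exchange-Organization-Network-Message-Id',
    'X-Ms-Exchange-Crosstenant-Id'
)

function Get-ReportVerdictFromSubject {
    # Maps the Subject prefix to the reported reason. switch -Regex is case-insensitive,
    # so "Not Junk:" and "Not junk:" both qualify. Text after the prefix is ignored by
    # the service, so it's ignored here too.
    param([Parameter(Mandatory)][string]$Subject)
    switch -Regex ($Subject) {
        '^\s*(1\||Junk:)'     { return 'Junk' }
        '^\s*(2\||Not junk:)' { return 'Not junk' }
        '^\s*(3\||Phishing:)' { return 'Phishing' }
        default               { return $null }
    }
}

function ConvertFrom-RawHeaderBlock {
    # Parses "Name: value" header lines, unfolding continuation lines that start
    # with whitespace. PowerShell hashtable keys are case-insensitive.
    param([Parameter(Mandatory)][string]$HeaderBlock)
    $headers = @{}
    $current = $null
    foreach ($line in ($HeaderBlock -split "`r?`n")) {
        if ($line -match '^\s+\S' -and $current) {
            $headers[$current] += ' ' + $line.Trim()
        } elseif ($line -match '^([^:\s]+):\s*(.*)$') {
            $current = $Matches[1]
            $headers[$current] = $Matches[2]
        }
    }
    return $headers
}

function Test-ThirdPartyReportMessage {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$AttachedMessageHeaders,
        [Parameter(Mandatory)][int]$AttachedMessageCount,
        [Parameter(Mandatory)][string]$ExpectedTenantId
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    $verdict = Get-ReportVerdictFromSubject -Subject $Subject
    if (-not $verdict) {
        $problems.Add('Subject has no recognized prefix; the attached message will be identified as phishing.')
    }
    if ($AttachedMessageCount -ne 1) {
        $problems.Add("Exactly one attached original message is required, found $AttachedMessageCount; messages with multiple attached messages are discarded.")
    }

    $headers = ConvertFrom-RawHeaderBlock -HeaderBlock $AttachedMessageHeaders
    foreach ($name in $RequiredHeaders) {
        if (-not $headers.ContainsKey($name) -or [string]::IsNullOrWhiteSpace($headers[$name])) {
            $problems.Add("Required header missing or empty: $name")
        }
    }
    if ($headers.ContainsKey('X-Ms-Exchange-Crosstenant-Id') -and
        $headers['X-Ms-Exchange-Crosstenant-Id'] -ne $ExpectedTenantId) {
        $problems.Add('X-Ms-Exchange-Crosstenant-Id does not match this tenant.')
    }

    [pscustomobject]@{
        Verdict  = $verdict
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample header block of an attached original message; every value is a
# placeholder, not a real identifier. The X-Microsoft-Antispam-Message-Info value is
# folded across two lines to exercise the unfolding logic.
$tenantId = '11111111-1111-1111-1111-111111111111'
$sampleHeaders = @"
Message-Id: <placeholder-message-id@contoso.com>
X-Ms-Exchange-Organization-Network-Message-Id: 00000000-0000-0000-0000-000000000000
X-Ms-Exchange-Crosstenant-Id: $tenantId
X-Microsoft-Antispam-Message-Info: PLACEHOLDER-XMI-PART-1
 PLACEHOLDER-XMI-PART-2
Subject: Original message as received by the user
"@

# A well-formed phishing report.
Test-ThirdPartyReportMessage -Subject '3|Reported by user' -AttachedMessageHeaders $sampleHeaders -AttachedMessageCount 1 -ExpectedTenantId $tenantId

# A forwarded report with no prefix and two attached messages: both problems are listed.
Test-ThirdPartyReportMessage -Subject 'FW: suspicious message' -AttachedMessageHeaders $sampleHeaders -AttachedMessageCount 2 -ExpectedTenantId $tenantId
```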

Use Exchange Online PowerShell to configure the user reported message settings

After you connect to Exchange Online PowerShell, you use the *-ReportSubmissionPolicy
and *-ReportSubmissionRule cmdlets to manage and configure the user reported message
settings.

In Exchange Online PowerShell, the basic elements of the user reported message
settings are:

The report submission policy: Turns the Microsoft integrated reporting experience
on or off, turns sending reported messages to Microsoft on or off, turns sending
reported messages to the reporting mailbox on or off, and most other settings.

The report submission rule: Specifies the email address of the reporting mailbox
or a blank value when the reporting mailbox isn't used (report messages to
Microsoft only).

The difference between these two elements isn't obvious when you manage the user
reported message settings in the Microsoft 365 Defender portal:

There's only one report submission policy named DefaultReportSubmissionPolicy
and one report submission rule named DefaultReportSubmissionRule by default.

If you've never gone to https://security.microsoft.com/securitysettings/userSubmission,
there's no report submission policy or report submission rule (the
Get-ReportSubmissionPolicy and Get-ReportSubmissionRule cmdlets return nothing).

As soon as you visit https://security.microsoft.com/securitysettings/userSubmission,
and even before you configure any settings, the report submission policy is created
with the default values and is visible in PowerShell.

Only after you specify a reporting mailbox (used by Microsoft or third-party
reporting tools) and save the changes is the report submission rule named
DefaultReportSubmissionRule automatically created. It takes several seconds
before the rule is visible in PowerShell.

You can delete the report submission rule and recreate it with a different name, but
the rule is always associated with the report submission policy whose name you
can't change. So, we recommend that you name the rule
DefaultReportSubmissionRule whenever you create or recreate the rule.

When you specify the email address of the reporting mailbox in the Microsoft 365
Defender portal, that value is primarily set in the report submission rule, but the
value is also copied into the related properties in the report submission policy. In
PowerShell, when you set the email address in the rule, the value isn't copied into
the related properties in the policy. For consistency with the Microsoft 365
Defender portal and for clarity, we recommend that you add or update the email
address in the policy and the rule.

Use PowerShell to view the report submission policy and the report submission rule

To view the report submission policy, run the following command in Exchange Online
PowerShell:

PowerShell

Get-ReportSubmissionPolicy

To view the report submission rule, run the following command:

PowerShell

Get-ReportSubmissionRule

To view both the policy and the rule at the same time, run the following commands:

PowerShell

Write-Output -InputObject `r`n,"Report Submission Policy",("-"*79); Get-ReportSubmissionPolicy; Write-Output -InputObject `r`n,"Report Submission Rule",("-"*79); Get-ReportSubmissionRule

Remember, if you've never gone to
https://security.microsoft.com/securitysettings/userSubmission or manually created
the report submission policy or the report submission rule in PowerShell, there is no
report submission policy or report submission rule, so the Get-ReportSubmissionPolicy
and Get-ReportSubmissionRule cmdlets return nothing.

For detailed syntax and parameter information, see Get-ReportSubmissionPolicy and
Get-ReportSubmissionRule.

Use PowerShell to create the report submission policy and the report submission rule

If the Get-ReportSubmissionPolicy and Get-ReportSubmissionRule cmdlets return no
output, you can create the report submission policy and the report submission rule. If
you try to create them after they already exist, you'll get an error.

Always create the report submission policy first, because you specify the report
submission policy in the report submission rule.

For detailed syntax and parameter information, see New-ReportSubmissionPolicy and
New-ReportSubmissionRule.

Use PowerShell to configure the Microsoft integrated reporting experience with report
messages to Microsoft only

This example creates the report submission policy with the default settings (the same
settings as when you first visit
https://security.microsoft.com/securitysettings/userSubmission, but before you save
any setting changes):

The Microsoft integrated reporting experience is turned on: toggle On and
Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk" options
is selected (-EnableReportToMicrosoft $true -EnableThirdPartyAddress $false are
the default values).

Reported message destinations section: Send messages to > Microsoft only is
selected (-ReportJunkToCustomizedAddress $false -ReportNotJunkToCustomizedAddress
$false -ReportPhishToCustomizedAddress $false are the default values).

Other settings:

Before a message is reported section:
Show a pop-up message in Outlook to confirm if the user wants to report the
message is selected (-PreSubmitMessageEnabled $true | $false is available only
on Set-ReportSubmissionPolicy; the unconfigurable value on
New-ReportSubmissionPolicy is $true).
Customize before message link: Nothing is entered in the Title or Message
boxes in the flyout (-EnableCustomizedMsg $false is the default value).

After a message is reported section:
Show a success pop-up message in Outlook after the user reports message is
selected (-PostSubmitMessageEnabled $true | $false is available only on
Set-ReportSubmissionPolicy; the unconfigurable value on
New-ReportSubmissionPolicy is $true).
Customize after message link: Nothing is entered in the Title or Message boxes
in the flyout (-EnableCustomizedMsg $false is the default value).

Note

Currently, pop-up messages before or after a user reports a message are
supported only by the Microsoft Report Message and Report Phishing add-ins.
Users who report messages with the built-in Report button in Outlook on
the web don't see these pop-ups.

Email sent to user after admin review section:
Specify an Office 365 mailbox to send email notifications from is not selected
(-EnableCustomNotificationSender $false is the default value).
Replace the Microsoft logo with my company logo is not selected
(-EnableOrganizationBranding $false is the default value).
Customize email notification messages link: Nothing is entered in the Email
body results text or Email footer text boxes on the Phishing, Junk, or No
threats found tabs in the flyout (-EnableCustomizedMsg $false is the default
value).

Report from quarantine section: Let your organization report messages from
quarantine is selected (-DisableQuarantineReportingOption $false is the default
value).

PowerShell

New-ReportSubmissionPolicy

Because a reporting mailbox isn't used, the report submission rule is not needed or
created.

Use PowerShell to configure the Microsoft integrated reporting experience with report
messages to Microsoft and the reporting mailbox

This example creates the report submission policy and the report submission rule with
the following settings:

The Microsoft integrated reporting experience is On and Use the built-in
"Report" button with "Phishing", "Junk", and "Not Junk" options is selected
(-EnableReportToMicrosoft $true -EnableThirdPartyAddress $false are the default
values).

Reported message destinations section:

Send messages to > Microsoft and my reporting mailbox is selected.

Add a mailbox to send reported messages to specifies the email address of the
reporting mailbox.
New-ReportSubmissionPolicy: -ReportJunkToCustomizedAddress $true
-ReportJunkAddresses <emailaddress> -ReportNotJunkToCustomizedAddress $true
-ReportNotJunkAddresses <emailaddress> -ReportPhishToCustomizedAddress $true
-ReportPhishAddresses <emailaddress>.
New-ReportSubmissionRule: -SentTo <emailaddress>.

In this example, the email address of the reporting mailbox is
reportedmessages@contoso.com in Exchange Online (you can't specify an
external email address).

Note

You must use the same email address value in all parameters that identify
the reporting mailbox.

The remaining settings are the default values in "Other settings" as described in Use
PowerShell to configure the Microsoft integrated reporting experience with report
messages to Microsoft only.

PowerShell

$usersub = "reportedmessages@contoso.com"

New-ReportSubmissionPolicy -ReportJunkToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $usersub -ReportPhishToCustomizedAddress $true -ReportPhishAddresses $usersub

New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub

Use PowerShell to configure the Microsoft integrated reporting experience with report
messages to the reporting mailbox only

This example creates the report submission policy and the report submission rule with
the following settings:

The Microsoft integrated reporting experience is On and Use the built-in
"Report" button with "Phishing", "Junk", and "Not Junk" options is selected (you
need to set -EnableReportToMicrosoft $false; -EnableThirdPartyAddress $false is
the default value).

Reported message destinations section:

Send messages to > Microsoft and my reporting mailbox is selected.

Add a mailbox to send reported messages to specifies the email address of the
reporting mailbox.
New-ReportSubmissionPolicy: -ReportJunkToCustomizedAddress $true
-ReportJunkAddresses <emailaddress> -ReportNotJunkToCustomizedAddress $true
-ReportNotJunkAddresses <emailaddress> -ReportPhishToCustomizedAddress $true
-ReportPhishAddresses <emailaddress>.
New-ReportSubmissionRule: -SentTo <emailaddress>.

In this example, the email address of the reporting mailbox is
userreportedmessages@fabrikam.com in Exchange Online (you can't specify an
external email address).

Note

You must use the same email address value in all parameters that identify
the reporting mailbox.

The remaining settings are the default values in "Other settings" as described in Use
PowerShell to configure the Microsoft integrated reporting experience with report
messages to Microsoft only.

PowerShell

$usersub = "userreportedmessages@fabrikam.com"

New-ReportSubmissionPolicy -EnableReportToMicrosoft $false -ReportJunkToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $usersub -ReportPhishToCustomizedAddress $true -ReportPhishAddresses $usersub

New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub

Use PowerShell to configure the Microsoft integrated reporting experience to use
third-party reporting tools

This example creates the report submission policy and the report submission rule with
the following settings:

The Microsoft integrated reporting experience is On and Use a non-Microsoft
add-in button is selected (-EnableReportToMicrosoft $false
-EnableThirdPartyAddress $true).

Reported message destinations section: Add a mailbox to send reported
messages to specifies the email address of the reporting mailbox.

New-ReportSubmissionPolicy: -ThirdPartyReportAddresses <emailaddress>.

New-ReportSubmissionRule: -SentTo <emailaddress>.

In this example, the email address of the reporting mailbox is
thirdpartyreporting@wingtiptoys.com in Exchange Online (you can't specify an
external email address).

Note

You must use the same email address value in all parameters that identify
the reporting mailbox.

Other settings:
Report from quarantine section: Let your organization report messages from
quarantine is selected (-DisableQuarantineReportingOption $false is the default
value).

PowerShell

$usersub = "thirdpartyreporting@wingtiptoys.com"

New-ReportSubmissionPolicy -EnableReportToMicrosoft $false -EnableThirdPartyAddress $true -ThirdPartyReportAddresses $usersub

New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub

Use PowerShell to turn off the Microsoft integrated reporting experience

Turning off the Microsoft integrated reporting experience has the following
consequences:

The Report button in Outlook on the web and the Microsoft Report Message and
Report Phishing add-ins are unavailable in all Outlook platforms.
Third-party reporting tools still work, but reported messages do not appear on the
Submissions page in the Microsoft 365 Defender portal.

This example creates the report submission policy with the Microsoft integrated
reporting experience turned Off (-EnableReportToMicrosoft $false;
-EnableThirdPartyAddress $false -ReportJunkToCustomizedAddress $false
-ReportNotJunkToCustomizedAddress $false -ReportPhishToCustomizedAddress $false are
the default values).

PowerShell

New-ReportSubmissionPolicy -EnableReportToMicrosoft $false

Use PowerShell to modify the report submission policy and the report submission rule

Virtually all of the same settings are available when you modify the report submission
policy in PowerShell as when you created the policy as described in the previous section.
The exception is:

You can turn off Show a pop-up message in Outlook to confirm if the user wants
to report the message and Show a success pop-up message in Outlook after the
user reports using the PreSubmitMessageEnabled and PostSubmitMessageEnabled
parameters on Set-ReportSubmissionPolicy.

Note

Currently, users who report messages from Outlook on the web using the
built-in Report button don't get these pop-up messages. The pop-ups work
for users who report messages using the Microsoft Report Message and
Report Phishing add-ins.

When you modify the existing settings in the report submission policy, you might need
to undo or nullify some important settings that you previously configured or didn't
configure. And, you might need to create or delete the report submission rule to allow
or prevent message reporting to a reporting mailbox.

For detailed syntax and parameter information, see Set-ReportSubmissionPolicy.

The following examples show how to change the user reporting experience without
concern for the existing settings or values:

Change to Use built-in "Report" button with "Phishing", "Junk" and "Not Junk"
options and Send messages to > Microsoft only:

PowerShell

Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $true -EnableThirdPartyAddress $false -ThirdPartyReportAddresses $null -ReportJunkToCustomizedAddress $false -ReportJunkAddresses $null -ReportNotJunkToCustomizedAddress $false -ReportNotJunkAddresses $null -ReportPhishToCustomizedAddress $false -ReportPhishAddresses $null

Get-ReportSubmissionRule | Remove-ReportSubmissionRule

Change to Use built-in "Report" button with "Phishing", "Junk" and "Not Junk"
options and Send messages to > Microsoft and my reporting mailbox (for
example, reportedmessages@contoso.com):

PowerShell

$usersub = "reportedmessages@contoso.com"

Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $true -EnableThirdPartyAddress $false -ThirdPartyReportAddresses $null -ReportJunkToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $usersub -ReportPhishToCustomizedAddress $true -ReportPhishAddresses $usersub

The following command is required only if you don't already have the report
submission rule:

PowerShell

New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub

Change to Use built-in "Report" button with "Phishing", "Junk" and "Not Junk"
options and Send messages to > Microsoft and my reporting mailbox (for
example, userreportedmessages@fabrikam.com):

PowerShell

$usersub = "userreportedmessages@fabrikam.com"

Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $false -EnableThirdPartyAddress $false -ThirdPartyReportAddresses $null -ReportJunkToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $usersub -ReportPhishToCustomizedAddress $true -ReportPhishAddresses $usersub

The following command is required only if you don't already have the report
submission rule:

PowerShell

New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub

Change to Use a non-Microsoft add-in button (for example,
thirdpartyreporting@wingtiptoys.com):

PowerShell

$usersub = "thirdpartyreporting@wingtiptoys.com"

Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $false -EnableThirdPartyAddress $true -ThirdPartyReportAddresses $usersub -ReportJunkToCustomizedAddress $false -ReportJunkAddresses $null -ReportNotJunkToCustomizedAddress $false -ReportNotJunkAddresses $null -ReportPhishToCustomizedAddress $false -ReportPhishAddresses $null

The following command is required only if you don't already have the report
submission rule:

PowerShell

New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub

Turn the Microsoft integrated reporting experience Off:

PowerShell

Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $false -EnableThirdPartyAddress $false -ThirdPartyReportAddresses $null -ReportJunkToCustomizedAddress $false -ReportJunkAddresses $null -ReportNotJunkToCustomizedAddress $false -ReportNotJunkAddresses $null -ReportPhishToCustomizedAddress $false -ReportPhishAddresses $null

The following command is required only if you don't already have the report
submission rule:

PowerShell

Get-ReportSubmissionRule | Remove-ReportSubmissionRule

The only meaningful setting that you can modify in the report submission rule is the
email address of the reporting mailbox (the SentTo parameter value). For example:

PowerShell

Get-ReportSubmissionRule | Set-ReportSubmissionRule -SentTo newemailaddress@contoso.com

Note

If you change the email address of the reporting mailbox in the report submission
rule, be sure to change the corresponding values in the report submission policy.
For example:

ThirdPartyReportAddresses
ReportJunkAddresses, ReportNotJunkAddresses, and ReportPhishAddresses

For detailed syntax and parameter information, see Set-ReportSubmissionRule.
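The note above, and the earlier recommendation to keep the reporting mailbox address identical in the policy and the rule, as an added example that is not the article's own code: a drift check between Get-ReportSubmissionPolicy and Get-ReportSubmissionRule output, plus a helper that writes one address into both the way the portal does. It assumes the Get- cmdlets return objects whose property names match the parameter names used in this article (EnableThirdPartyAddress, ReportJunkAddresses, SentTo, and so on) and uses constructed sample objects so the check runs without a session.

```powershell
# Added example, not part of the Microsoft article. Detects drift between the
# reporting-mailbox address stored in the report submission policy and the SentTo
# value of the report submission rule, then (with a live session) writes one address
# into both the way the portal does. Assumption: the objects returned by
# Get-ReportSubmissionPolicy and Get-ReportSubmissionRule expose properties named like
# the parameters used in this article (EnableThirdPartyAddress, ReportJunkAddresses,
# SentTo, and so on).

function Get-ReportingMailboxDrift {
    param(
        [Parameter(Mandatory)]$Policy,   # output of Get-ReportSubmissionPolicy
        $Rule                            # output of Get-ReportSubmissionRule, or $null
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Collect every policy property that currently names the reporting mailbox.
    $policyAddresses = @{}
    if ($Policy.EnableThirdPartyAddress) {
        $policyAddresses['ThirdPartyReportAddresses'] = $Policy.ThirdPartyReportAddresses
    } else {
        foreach ($kind in 'Junk', 'NotJunk', 'Phish') {
            if ($Policy."Report${kind}ToCustomizedAddress") {
                $policyAddresses["Report${kind}Addresses"] = $Policy."Report${kind}Addresses"
            }
        }
    }
    $usesMailbox = $policyAddresses.Count -gt 0

    if ($usesMailbox -and -not $Rule) {
        $findings.Add('Policy routes reports to a mailbox, but no report submission rule exists; create one with New-ReportSubmissionRule.')
    } elseif (-not $usesMailbox -and $Rule) {
        $findings.Add('A report submission rule exists, but the policy routes no reports to a mailbox; remove the rule or enable a mailbox destination in the policy.')
    } elseif ($usesMailbox) {
        # Compare as normalized, sorted sets so ordering and letter case don't count as drift.
        $ruleSentTo = (@($Rule.SentTo) | ForEach-Object { "$_".ToLowerInvariant() } | Sort-Object) -join ';'
        foreach ($prop in $policyAddresses.Keys) {
            $policyValue = (@($policyAddresses[$prop]) | ForEach-Object { "$_".ToLowerInvariant() } | Sort-Object) -join ';'
            if ($policyValue -ne $ruleSentTo) {
                $findings.Add("Policy.$prop is '$policyValue' but Rule.SentTo is '$ruleSentTo'.")
            }
        }
    }
    return ,$findings.ToArray()
}

function Set-ReportingMailboxEverywhere {
    # Mirrors the portal: writes the address into the rule AND the matching policy
    # properties. Requires a connected Exchange Online PowerShell session, so it is
    # defined but not invoked in this offline sample.
    param([Parameter(Mandatory)][string]$Address)
    $policy = Get-ReportSubmissionPolicy
    $params = @{ Identity = 'DefaultReportSubmissionPolicy' }
    if ($policy.EnableThirdPartyAddress) {
        $params['ThirdPartyReportAddresses'] = $Address
    } else {
        foreach ($kind in 'Junk', 'NotJunk', 'Phish') {
            $params["Report${kind}ToCustomizedAddress"] = $true
            $params["Report${kind}Addresses"] = $Address
        }
    }
    Set-ReportSubmissionPolicy @params
    $rule = Get-ReportSubmissionRule
    if ($rule) {
        $rule | Set-ReportSubmissionRule -SentTo $Address
    } else {
        New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $Address
    }
}

# Constructed stand-ins for the Get- cmdlet output (this sample runs offline): the rule
# was repointed with Set-ReportSubmissionRule -SentTo, but the policy still holds the
# old address, exactly the situation the note above warns about.
$samplePolicy = [pscustomobject]@{
    EnableReportToMicrosoft          = $true
    EnableThirdPartyAddress          = $false
    ThirdPartyReportAddresses        = @()
    ReportJunkToCustomizedAddress    = $true
    ReportJunkAddresses              = @('reportedmessages@contoso.com')
    ReportNotJunkToCustomizedAddress = $true
    ReportNotJunkAddresses           = @('reportedmessages@contoso.com')
    ReportPhishToCustomizedAddress   = $true
    ReportPhishAddresses             = @('reportedmessages@contoso.com')
}
$sampleRule = [pscustomobject]@{
    Name   = 'DefaultReportSubmissionRule'
    SentTo = @('newemailaddress@contoso.com')
}

Get-ReportingMailboxDrift -Policy $samplePolicy -Rule $sampleRule
# With a live session, resolve the drift with:
# Set-ReportingMailboxEverywhere -Address 'newemailaddress@contoso.com'
```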

To temporarily disable sending email messages to the reporting mailbox without deleting
the report submission rule, use Disable-ReportSubmissionRule. For example:

PowerShell

Get-ReportSubmissionRule | Disable-ReportSubmissionRule -Confirm:$false

To enable the report submission rule again, use Enable-ReportSubmissionRule. For
example:

PowerShell

Get-ReportSubmissionRule | Enable-ReportSubmissionRule -Confirm:$false

Use PowerShell to remove the report submission policy and the report submission rule

To start over with the default settings of the report submission policy, you can delete it
and recreate it. Removing the report submission policy does not remove the report
submission rule, and vice-versa.

To remove the report submission policy, run the following command in Exchange Online
PowerShell:

PowerShell

Remove-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy

To remove the report submission rule, run the following command:

PowerShell

Get-ReportSubmissionRule | Remove-ReportSubmissionRule

To remove both the report submission policy and report submission rule in the same
command without prompts, run the following command:

PowerShell

Remove-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy; Get-ReportSubmissionRule | Remove-ReportSubmissionRule -Confirm:$false

For detailed syntax and parameter information, see Remove-ReportSubmissionPolicy
and Remove-ReportSubmissionRule.
Submit malware, non-malware, and other suspicious files to Microsoft for analysis

Article • 12/22/2022 • 3 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Note

If you're an admin in an organization with Exchange Online mailboxes, we
recommend that you use the Submissions page in the Microsoft 365 Defender
portal. For more information, see Use the Submissions portal to submit suspected
spam, phish, URLs, legitimate email getting blocked, and email attachments to
Microsoft.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
EOP includes anti-malware protection that's automatically enabled. For more
information, see Anti-malware protection in EOP.

You've probably heard the following best practices for years:

Avoid opening messages that look suspicious.
Never open an attachment from someone you don't know.
Avoid opening attachments in messages that urge you to open or click them.
Avoid opening files downloaded from the internet unless they're from a verified
source.
Don't use anonymous USB drives.

But what can you do if you receive a message with a suspicious attachment or have a
suspicious file on your system? Or what if you suspect that your computer or device was
infected by an email attachment that made it past our filters or a file you downloaded
from the internet? In these cases, you should submit the suspicious attachment or file to
Microsoft. Conversely, if an attachment in an email message or file was incorrectly
identified as malware or some other threat, you can submit that, too.

What do you need to know before you begin?

Messages with attachments that contain scripts or other malicious executables are
considered malware, and you can use the procedures in this article to report them.

Messages with links to malicious sites are considered spam. For more information
about reporting spam and non-spam, see Report messages and files to Microsoft.

Files that block you from accessing your system and demand money to open
them are considered ransomware.

Submit malware files to Microsoft

Organizations that have a Microsoft 365 Defender subscription, Microsoft 365 Defender
for Endpoint Plan 2, or Microsoft 365 Defender for Office Plan 2 can submit files using
the Submissions page in the Microsoft 365 Defender portal. For more information, see
Use admin submission for submitting files in Microsoft Defender for Endpoint.

Or, you can go to the Microsoft Security Intelligence page at
https://www.microsoft.com/wdsi/filesubmission to submit the file. To receive analysis
updates, sign in or enter a valid email address. We recommend using your Microsoft
work or school account.

After you've uploaded the file or files, note the Submission ID that's created for your
sample submission (for example, 7c6c214b-17d4-4703-860b-7f1e9da03f7f).

After we receive the sample, we'll investigate. If we determine that the sample file is
malicious, we'll take corrective action to prevent the malware from going undetected.

If you continue receiving infected messages or attachments, then you should copy the
message headers from the email message, and contact Microsoft Customer Service and
Support for further assistance. Be sure to have your Submission ID ready as well.

Submit non-malware files to Microsoft

Organizations that have a Microsoft 365 Defender subscription, Microsoft 365 Defender
for Endpoint Plan 2, or Microsoft 365 Defender for Office Plan 2 can submit files using
the Submissions page in the Microsoft 365 Defender portal. For more information, see
Use admin submission for submitting files in Microsoft Defender for Endpoint.

Or, you can go to the Microsoft Security Intelligence page at
https://www.microsoft.com/wdsi/filesubmission to submit the file. To receive analysis
updates, sign in or enter a valid email address. We recommend using your Microsoft
work or school account.

You can also submit a file that you believe was incorrectly identified as malware to the
website. (Just select No for the question Do you believe this file contains malware?)
After we receive the sample, we'll investigate. If we determine that the sample file is
clean, we'll take corrective action to prevent the file from being detected as malware.
Admin review for reported messages
Article • 12/09/2022 • 3 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender
for Office 365, admins can send templated messages back to end users after they review
reported messages. The templates can be customized for your organization and based
on your admin's verdict as well.

The feature is designed to give feedback to your users but doesn't change the verdicts
of messages in the system. To help Microsoft update and improve its filters, you need to
submit messages for analysis using Admin submission.

You will only be able to mark and notify users of review results if the message was
reported as a false positive or false negative.

What do you need to know before you begin?


You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the Submissions page, use
https://security.microsoft.com/reportsubmission . To go directly to the User
reported page, use https://security.microsoft.com/reportsubmission?
viewid=user .

To modify the configuration for User reported messages, you need to be a
member of one of the following role groups:
Organization Management or Security Administrator in the Microsoft 365
Defender portal.
Organization Management in Exchange Online.
You'll also need access to Exchange Online PowerShell. If the account that you're
trying to use doesn't have access to Exchange Online PowerShell, you'll receive an
error that says Specify an email address in your domain. For more information
about enabling or disabling access to Exchange Online PowerShell, see the
following topics:
Enable or disable access to Exchange Online PowerShell
Client Access Rules in Exchange Online

Notify users from within the portal


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Email & collaboration > Submissions > User reported tab.
To go directly to the User reported tab, use
https://security.microsoft.com/reportsubmission?viewid=user .

2. On the User reported tab, find and select the message, select Mark as and notify,
and then select one of the following values from the dropdown list:

No threats found
Phishing
Junk

The reported message will be marked as either false positive or false negative, and an
email will be automatically sent from within the portal notifying the user who reported
the message.

Customize the messages used to notify users


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
User reported page at Settings > Email & collaboration > User reported tab. To
go directly to the User reported page, use
https://security.microsoft.com/securitysettings/userSubmission .

2. On the User reported page, verify that the toggle at the top of the page is
On.

3. Find the Email sent to user after admin review section and configure one or more
of the following settings:

Specify an Office 365 mailbox to send email notifications from: Select this
option and enter the sender's email address in the box that appears.

Replace the Microsoft logo with my company logo: Select this option to
replace the default Microsoft logo that's used in notifications. Before you do
this step, you need to follow the instructions in Customize the Microsoft 365
theme for your organization to upload your custom logo. This option is not
supported if your organization has a custom logo pointing to a URL instead
of an uploaded image file.

Customize email notification messages: Click this link to customize the email
notification that's sent after an admin reviews and marks a reported message.
In the Customize admin review email notifications flyout that appears,
configure the following settings on the Phishing, Junk and No threats found
tabs:
Email box results text: Enter the custom text to use.
Footer tab: The following options are available:
Email footer text: Enter the custom message footer text to use.

When you're finished on the Customize admin review email notifications
flyout, click Confirm.

4. When you're finished, click Save. To clear these values, click Restore on the User
reported page.
Errors during admin submissions
Article • 01/17/2023 • 2 minutes to read

Applies to

Exchange Online Protection


Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This article explains the common error messages that you might receive as you try to
report emails, URLs, and email attachments to Microsoft.

This message didn't pass through our mail flow system, or the message metadata
isn't available yet error
If you encounter this error message, then either of the following conditions might have
occurred:

You tried to submit an email message that wasn't filtered by Exchange Online
Protection (EOP) or Microsoft Defender for Office 365 at the time of delivery.

It's hard for us to determine why the message was missed or delivered when it
wasn't filtered by Microsoft's protection stack.

You tried to submit an email message that was filtered by EOP or Defender for
Office 365, but we're still in the process of collecting the required metadata
(descriptive data) about the message.

If you wait "a while" and submit the message again, the submission will be
successful.
Campaigns in Microsoft Defender for
Office 365
Article • 12/20/2022 • 13 minutes to read

Applies to

Microsoft Defender for Office 365 plan 2

Campaigns in the Microsoft 365 Defender portal identifies and categorizes coordinated
email attacks, including phishing and malware. Campaigns can help you to:

Efficiently investigate and respond to phishing and malware attacks delivered via
email.
Better understand the scope of the email attack targeting your organization.
Show the value of Microsoft Defender for Office 365 to decision makers in preventing
email threats.

Campaigns lets you see the big picture of an email attack faster and more completely
than any human could.

Watch this short video on how campaigns in Microsoft Defender for Office 365 help you
understand coordinated email attacks targeting your organization.
https://www.microsoft.com/en-us/videoplayer/embed/RWGBL8?postJsllMsg=true

What is a campaign?
A campaign is a coordinated email attack against one or many organizations. Email
attacks that steal credentials and company data are a large and lucrative industry. As
technologies increase in an effort to stop attacks, attackers modify their methods in an
effort to ensure continued success.

Microsoft leverages the vast amounts of anti-phishing, anti-spam, and anti-malware
data across the entire service to help identify campaigns. We analyze and classify the
attack information according to several factors. For example:
Attack source: The source IP addresses and sender email domains.
Message properties: The content, style, and tone of the messages.
Message recipients: How recipients are related. For example, recipient domains,
recipient job functions (admins, executives, etc.), company types (large, small,
public, private, etc.), and industries.
Attack payload: Malicious links, attachments, or other payloads in the messages.

A campaign might be short-lived, or could span several days, weeks, or months with
active and inactive periods. A campaign might be launched against your specific
organization, or your organization might be part of a larger campaign across multiple
companies.

Campaigns in the Microsoft 365 Defender portal
Campaigns is available in the Microsoft 365 Defender portal at
https://security.microsoft.com at Email & collaboration > Campaigns, or directly at
https://security.microsoft.com/campaigns .

You can also view Campaigns from:

Email & collaboration > Explorer > View > Campaigns
Email & collaboration > Explorer > View > All email > Campaign tab
Email & collaboration > Explorer > View > Phish > Campaign tab
Email & collaboration > Explorer > View > Malware > Campaign tab

Required licenses and permissions
Campaigns is available in Defender for Office 365 Plan 2 (add-on licenses or
included in subscriptions like Microsoft 365 E5).
To access Campaigns, you need to be a member of the Organization
Management, Security Administrator, or Security Reader role groups in the
Microsoft 365 Defender portal. For more information, see Permissions in the
Microsoft 365 Defender portal.

Campaigns overview
The main Campaigns page is a threat report with all campaigns targeting your
organizations.

On the default Campaign tab, the Campaign type area shows a bar graph that shows
the number of recipients per day. By default, the graph shows both Phish and Malware
data.

 Tip

If you don't see any campaign data, or very limited data, try changing the date
range or filters.

The table below the graph on the overview page shows the following information on
the Campaign tab:

Name

Sample subject: The subject line of one of the messages in the campaign. Note
that all messages in the campaign will not necessarily have the same subject.

Targeted: The percentage as calculated by: (the number of campaign recipients in
your organization) / (the total number of recipients in the campaign across all
organizations in the service). This value indicates the degree to which the
campaign is directed only at your organization (a higher value) vs. also directed at
other organizations in the service (a lower value).

Type: This value is either Phish or Malware.

Subtype: This value contains more details about the campaign. For example:
Phish: Where available, the brand that is being phished by this campaign. For
example, Microsoft, 365, Unknown, Outlook, or DocuSign.
Malware: For example, HTML/PHISH or HTML/<MalwareFamilyName>.

When the detection is driven by Defender for Office 365 technology, the prefix ATP- is
added to the subtype value.

Recipients: The number of users that were targeted by this campaign.

Inboxed: The number of users that received messages from this campaign in their
Inbox (not delivered to their Junk Email folder).

Clicked: The number of users that clicked on the URL or opened the attachment in
the phishing message.

Click rate: The percentage as calculated by "Clicked / Inboxed". This value is an
indicator of the effectiveness of the campaign. In other words, it shows whether the
recipients were able to identify the message as phishing and avoided clicking on the
payload URL.

Note that Click rate isn't used in malware campaigns.

Visited: How many users actually made it through to the payload website. If there
are Clicked values, but Safe Links blocked access to the website, this value will be
zero.

The Campaign origin tab shows the message sources on a map of the world.

Filters and settings


At the top of the Campaign page, there are several filter and query settings to help you
find and isolate specific campaigns.

The most basic filtering that you can do is the start date/time and the end date/time.

To further filter the view, you can filter on a single property with multiple values by
clicking the Campaign type button, making your selection, and then clicking Refresh.

The filterable campaign properties that are available in the Campaign type button are
described in the following list:

Basic:
Campaign type: Select Malware or Phish. Clearing the selections has the same
result as selecting both.
Campaign name
Campaign subtype
Sender
Recipients
Sender domain
Subject
Attachment filename
Malware family
Tags: Users or groups that have had the specified user tag applied (including
priority accounts). For more information about user tags, see User tags.
Delivery action
Additional action
Directionality
Detection technology
Original delivery location
Latest delivery location
System overrides

Advanced:
Internet message ID: Available in the Message-ID header field in the message
header. An example value is <08f1e0f6806a47b4ac103961109ae6ef@server.domain>
(note the angle brackets).
Network message ID: A GUID value that's available in the
X-MS-Exchange-Organization-Network-Message-Id header field in the message header.
Sender IP
Attachment SHA256: To find the SHA256 hash value of a file in Windows, run
the following command in a Command Prompt:
certutil.exe -hashfile "<Path>\<Filename>" SHA256
Cluster ID
Alert ID
Alert Policy ID
Campaign ID
ZAP URL signal

URLs:
URL domain
URL domain and path
URL
URL path
Click verdict

For more advanced filtering, including filtering by multiple properties, you can click the
Advanced filter button to build a query. The same campaign properties are available,
but with the following enhancements:

You can click Add a condition to select multiple conditions.
You can choose the And or Or operator between conditions.
You can select the Condition group item at the bottom of the conditions list to
form complex compound conditions.

When you're finished, click the Query button.

After you create a basic or advanced filter, you can save it by using Save query or Save
query as. Later, when you return to the Campaigns page, you can load a saved filter by
clicking Saved query settings.

To export the graph or the list of campaigns, click Export and select Export chart data
or Export campaign list.

If you have a Microsoft Defender for Endpoint subscription, you can click MDE Settings
to connect or disconnect the campaigns information with Microsoft Defender for
Endpoint. For more information, see Integrate Microsoft Defender for Office 365 with
Microsoft Defender for Endpoint.

Campaign details
When you click on the name of a campaign, the campaign details appear in a flyout.

Campaign information
At the top of the campaign details view, the following campaign information is available:

Campaign ID: The unique campaign identifier.
Activity: The duration and activity of the campaign.
The following data for the date range filter you selected (or that you select in the
timeline):
Impact
Messages: The total number of recipients.
Inboxed: The number of messages that were delivered to the Inbox, not to the
Junk Email folder.
Clicked link: How many users clicked on the URL payload in the phishing message.
Visited link: How many users visited the URL.
Targeted(%): The percentage as calculated by: (the number of campaign recipients
in your organization) / (the total number of recipients in the campaign across all
organizations in the service). Note that this value is calculated over the entire
lifetime of the campaign, and doesn't change based on date filters.
Start date/time and end date/time filters for the campaign flow as described in the
next section.
An interactive timeline of campaign activity: The timeline shows activity over the
entire lifetime of the campaign. You can hover over the data points in the graph to
see the amount of detected messages.

Campaign flow
In the middle of the campaign details view, important details about the campaign are
presented in a horizontal flow diagram (known as a Sankey diagram). These details will
help you to understand the elements of the campaign and the potential impact in your
organization.
 Tip

The information that's displayed in the flow diagram is controlled by the date range
filter in the timeline as described in the previous section.

If you hover over a horizontal band in the diagram, you'll see the number of related
messages (for example, messages from a particular source IP, messages from the source
IP using the specified sender domain, etc.).

The diagram contains the following information:

Sender IPs

Sender domains

Filter verdicts: Verdict values are related to the available phishing and spam
filtering verdicts as described in Anti-spam message headers. The available values
are described in the following list (Value: Spam filter verdict: Description):

Allowed: SFV:SKN: The message was marked as not spam and/or skipped filtering
before being evaluated by spam filtering. For example, the message was marked as
not spam by a mail flow rule (also known as a transport rule).
SFV:SKI: The message skipped spam filtering for other reasons. For example,
the sender and recipient appear to be in the same organization.

Blocked: SFV:SKS: The message was marked as spam before being evaluated by spam
filtering. For example, by a mail flow rule.

Detected: SFV:SPM: The message was marked as spam by spam filtering.

Not Detected: SFV:NSPM: The message was marked as not spam by spam filtering.

Released: SFV:SKQ: The message skipped spam filtering because it was released from
quarantine.

Tenant Allow*: SFV:SKA: The message skipped spam filtering because of the settings
in an anti-spam policy. For example, the sender was in the allowed sender list or
allowed domain list.

Tenant Block**: SFV:SKA: The message was blocked by spam filtering because of the
settings in an anti-spam policy. For example, the sender was in the allowed sender
list or allowed domain list.

User Allow*: SFV:SFE: The message skipped spam filtering because the sender was in a
user's Safe Senders list.

User Block**: SFV:BLK: The message was blocked by spam filtering because the sender
was in a user's Blocked Senders list.

ZAP: n/a: Zero-hour auto purge (ZAP) moved the delivered message to the Junk Email
folder or quarantine. You configure the action in anti-spam policies.

* Review your anti-spam policies, because the allowed message would have likely
been blocked by the service.

** Review your anti-spam policies, because these messages should be quarantined,
not delivered.

Message destinations: You'll likely want to investigate messages that were
delivered to recipients (either to the Inbox or the Junk Email folder), even if users
didn't click on the payload URL in the message. You can also remove the
quarantined messages from quarantine. For more information, see Quarantined
email messages in EOP.
Deleted folder
Dropped
External: The recipient is located in your on-premises email organization in
hybrid environments.
Failed
Forwarded
Inbox
Junk folder
Quarantine
Unknown

URL clicks: These values are described in the next section.

Note

In all layers that contain more than 10 items, the top 10 items are shown, while the
rest are bundled together in Others.
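
The Advanced filter values listed under Filters and settings (Internet message ID,
Network message ID, Sender IP, Attachment SHA256) and the Filter verdicts shown in the
campaign flow all come from headers and parts of the delivered message. The following
Python script is an added example, not code from this article or from Microsoft: it
reads a raw .eml, extracts those filter values, hashes each attachment the same way
certutil -hashfile ... SHA256 does, and maps the SFV value in the
X-Forefront-Antispam-Report header to the verdict label from the list above. The sample
message and all of its header values are constructed; the SFV-to-label dictionary is a
hand-copied version of that list, not a Microsoft API.

```python
"""Extract Campaign filter values (message IDs, sender IP, SFV verdict,
attachment SHA256) from a raw message. Added example; the sample message
below is constructed and the verdict mapping is copied from the article's
Filter verdicts list, not from any Microsoft API."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# SFV value in X-Forefront-Antispam-Report -> Filter verdict label (from the list above).
# SFV:SKA is listed for both Tenant Allow and Tenant Block, so it is labelled jointly.
SFV_VERDICTS = {
    "SKN": "Allowed",
    "SKI": "Allowed",
    "SKS": "Blocked",
    "SPM": "Detected",
    "NSPM": "Not Detected",
    "SKQ": "Released",
    "SKA": "Tenant Allow/Block (check anti-spam policy)",
    "SFE": "User Allow",
    "BLK": "User Block",
}

# Constructed sample message. The Message-ID is the article's example value; the
# Network Message ID GUID, IP and attachment are placeholders, not real data.
SAMPLE_EML = """\
Message-ID: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>
X-MS-Exchange-Organization-Network-Message-Id: 11111111-2222-3333-4444-555555555555
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:XX;SFV:SPM;SCL:6;
From: sender@example.net
To: user@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--b1--
"""


def parse_antispam_report(header_value: str) -> dict:
    """Split the semicolon-delimited KEY:VALUE pairs of X-Forefront-Antispam-Report."""
    fields = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part or ":" not in part:
            continue
        key, value = part.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def sha256_of_attachments(msg: EmailMessage) -> dict:
    """SHA256 hex digest of each attachment, keyed by filename (the Attachment
    SHA256 filter value; identical to what certutil -hashfile prints)."""
    hashes = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        hashes[name] = hashlib.sha256(payload).hexdigest()
    return hashes


def campaign_filter_values(raw: str) -> dict:
    """Return the Advanced filter values and the Filter verdict for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = parse_antispam_report(str(msg.get("X-Forefront-Antispam-Report", "")))
    sfv = report.get("SFV", "")
    return {
        "internet_message_id": str(msg.get("Message-ID", "")).strip(),
        "network_message_id": str(msg.get("X-MS-Exchange-Organization-Network-Message-Id", "")).strip(),
        "sender_ip": report.get("CIP", ""),
        "sfv": sfv,
        "filter_verdict": SFV_VERDICTS.get(sfv, "Unknown"),
        "attachment_sha256": sha256_of_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in campaign_filter_values(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Each returned value can be pasted straight into the matching Advanced filter or used to
cross-check what the campaign flow shows for that message; a message whose SFV value
is SKA, SFE or BLK is the case the footnotes above ask you to review in your anti-spam
policies or the user's safe/blocked sender lists.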

URL clicks
When a phishing message is delivered to a recipient's Inbox or Junk Email folder, there's
always a chance that the user will click on the payload URL. Not clicking on the URL is a
small measure of success, but you need to determine why the phishing message was
even delivered to the mailbox.

If a user clicked on the payload URL in the phishing message, the actions are displayed
in the URL clicks area of the diagram in the campaign details view.

Allowed
BlockPage: The recipient clicked on the payload URL, but their access to the
malicious website was blocked by a Safe Links policy in your organization.
BlockPageOverride: The recipient clicked on the payload URL in the message, Safe
Links tried to stop them, but they were allowed to override the block. Inspect your
Safe Links policies to see why users are allowed to override the Safe Links verdict
and continue to the malicious website.
PendingDetonationPage: Safe Attachments in Microsoft Defender for Office 365 is
in the process of opening and investigating the payload URL in a virtual computer
environment.
PendingDetonationPageOverride: The recipient was allowed to override the
payload detonation process and open the URL without waiting for the results.

Tabs
The tabs in the campaign details view allow you to further investigate the campaign.

 Tip

The information that's displayed on the tabs is controlled by the date range filter in
the timeline as described in the Campaign information section.

URL clicks: If users didn't click on the payload URL in the message, this section will
be blank. If a user was able to click on the URL, the following values will be
populated:
User*
URL*
Click time
Click verdict

Sender IPs
Sender IP*
Total count
Inboxed
Not Inboxed
SPF passed: The sender was authenticated by the Sender Policy Framework
(SPF). A sender that doesn't pass SPF validation indicates an unauthenticated
sender, or the message is spoofing a legitimate sender.

Senders
Sender: This is the actual sender address in the SMTP MAIL FROM command,
which is not necessarily the From: email address that users see in their email
clients.
Total count
Inboxed
Not Inboxed
DKIM passed: The sender was authenticated by Domain Keys Identified Mail
(DKIM). A sender that doesn't pass DKIM validation indicates an
unauthenticated sender, or the message is spoofing a legitimate sender.
DMARC passed: The sender was authenticated by Domain-based Message
Authentication, Reporting, and Conformance (DMARC). A sender that doesn't
pass DMARC validation indicates an unauthenticated sender, or the message is
spoofing a legitimate sender.

Attachments
Filename
SHA256
Malware family
Total count

URL
URL*
Total Count

*
Clicking on this value opens a new flyout that contains more details about the
specified item (user, URL, etc.) on top of the campaign details view. To return to the
campaign details view, click Done in the new flyout.
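
The Sender IPs and Senders tabs above summarize, per sender IP and per MAIL FROM
address, how many messages arrived, how many reached the Inbox, and how many passed
SPF, DKIM and DMARC. The following Python script is an added example, not code from
this article or from Microsoft: it rebuilds those counts from a handful of constructed
message records and lists the messages that reached the Inbox without a DMARC pass, the
unauthenticated or spoofed senders the tab descriptions tell you to look for. The
Authentication-Results values are constructed in the spf=/dkim=/dmarc= clause layout
that Microsoft 365 stamps on inbound mail; the assumption that every delivery location
other than Inbox counts as Not Inboxed is mine.

```python
"""Rebuild the Sender IPs / Senders tab counts from Authentication-Results.
Added example with constructed records; not the article's or Microsoft's code."""
import re
from collections import defaultdict

# Matches the spf=, dkim= and dmarc= clauses of an Authentication-Results value.
AUTH_CLAUSE = re.compile(r"\b(spf|dkim|dmarc)=([A-Za-z]+)")

# Constructed sample records, one per delivered message. sender_ip and mail_from
# correspond to the Sender IP and Sender (SMTP MAIL FROM) columns of the tabs.
MESSAGES = [
    {"sender_ip": "203.0.113.10", "mail_from": "bounce@example.net", "delivery_location": "Inbox",
     "auth_results": "spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.net; "
                     "dkim=pass (signature was verified) header.d=example.net; "
                     "dmarc=pass action=none header.from=example.net; compauth=pass reason=100"},
    {"sender_ip": "203.0.113.10", "mail_from": "bounce@example.net", "delivery_location": "Junk folder",
     "auth_results": "spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.net; "
                     "dkim=fail (body hash did not verify) header.d=example.net; "
                     "dmarc=fail action=quarantine header.from=example.net; compauth=fail reason=000"},
    {"sender_ip": "198.51.100.7", "mail_from": "noreply@example.org", "delivery_location": "Inbox",
     "auth_results": "spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example.org; "
                     "dkim=none (message not signed) header.d=none; "
                     "dmarc=fail action=oreject header.from=example.org; compauth=fail reason=000"},
]


def parse_auth_results(value: str) -> dict:
    """Return e.g. {'spf': 'pass', 'dkim': 'fail', 'dmarc': 'fail'} from an
    Authentication-Results header value."""
    return {m.group(1): m.group(2).lower() for m in AUTH_CLAUSE.finditer(value)}


def _summarize(messages, key, checks):
    """Group by `key` and count Total, Inboxed, Not Inboxed and '<check> passed'.
    Assumption: any delivery location other than Inbox is Not Inboxed."""
    rows = defaultdict(lambda: {"total": 0, "inboxed": 0, "not_inboxed": 0,
                                **{f"{c}_passed": 0 for c in checks}})
    for m in messages:
        row = rows[m[key]]
        auth = parse_auth_results(m["auth_results"])
        row["total"] += 1
        if m["delivery_location"] == "Inbox":
            row["inboxed"] += 1
        else:
            row["not_inboxed"] += 1
        for c in checks:
            if auth.get(c) == "pass":
                row[f"{c}_passed"] += 1
    return dict(rows)


def sender_ip_tab(messages=MESSAGES):
    """Sender IPs tab: one row per sender IP, with SPF passed."""
    return _summarize(messages, "sender_ip", ("spf",))


def senders_tab(messages=MESSAGES):
    """Senders tab: one row per MAIL FROM address, with DKIM passed and DMARC passed."""
    return _summarize(messages, "mail_from", ("dkim", "dmarc"))


def unauthenticated_inboxed(messages=MESSAGES):
    """Messages that reached the Inbox without a DMARC pass: the unauthenticated
    or spoofed senders worth triaging first."""
    return [m for m in messages
            if m["delivery_location"] == "Inbox"
            and parse_auth_results(m["auth_results"]).get("dmarc") != "pass"]


if __name__ == "__main__":
    print("Sender IPs:", sender_ip_tab())
    print("Senders:", senders_tab())
    for m in unauthenticated_inboxed():
        print("review:", m["mail_from"], "from", m["sender_ip"])
```

A sender IP with a high Inboxed count and a low SPF passed count, or a MAIL FROM address
with DMARC failures that still landed in the Inbox, points at an override or policy gap
to investigate with the Explore messages buttons described next, rather than at a
filtering success.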

Additional actions
The buttons at the bottom of the campaign details view allow you to investigate and
record details about the campaign:

Explore messages: Use the power of Threat Explorer to further investigate the
campaign:
All messages: Opens a new Threat Explorer search tab using the Campaign ID
value as the search filter.
Inboxed messages: Opens a new Threat Explorer search tab using the
Campaign ID and Delivery location: Inbox as the search filter.
Internal messages: Opens a new Threat Explorer search tab using the Campaign
ID and Directionality: Intra-org as the search filter.

Download threat report: Download the campaign details to a Word document (by
default, named CampaignReport.docx). Note that the download contains details
over the entire lifetime of the campaign (not just the filter dates you selected).
Threat Explorer and Real-time detections
Article • 12/22/2022 • 26 minutes to read

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

If your organization has Microsoft Defender for Office 365, and you have the necessary
permissions, you have either Explorer or Real-time detections (formerly Real-time
reports; see what's new!). Go to Threat management, and then choose Explorer or
Real-time detections.

With Microsoft Defender for Office 365 Plan 2, you see Explorer. With Microsoft
Defender for Office 365 Plan 1, you see Real-time detections.

Explorer or Real-time detections helps your security operations team investigate and
respond to threats efficiently. With this report, you can:

See malware detected by Microsoft 365 security features
View phishing URL and click verdict data
Start an automated investigation and response process from a view in Explorer
(Defender for Office 365 Plan 2 only)
Investigate malicious email, and more
Improvements to Threat Hunting Experience

Introduction of Alert ID for Defender for Office 365 alerts within Explorer/Real-time
detections
Today, if you navigate from an alert to Threat Explorer, it opens a filtered view within the
Explorer, with the view filtered by Alert policy ID (policy ID being a unique identifier for
an Alert policy). We are making this integration more relevant by introducing the alert ID
(see an example of alert ID below) in Threat Explorer and Real-time detections so that
you see messages which are relevant to the specific alert, as well as a count of emails.
You will also be able to see if a message was part of an alert, as well as navigate from
that message to the specific alert.

Extending the Explorer (and Real-time detections) data retention and search limit for
trial tenants from 7 to 30 days
As part of this change, you will be able to search for, and filter email data across 30 days
(an increase from the previous 7 days) in Threat Explorer/Real-time detections for both
Defender for Office P1 and P2 trial tenants. This does not impact any production tenants
for both P1 and P2/E5 customers, which already have the 30 day data retention and
search capabilities.

Updated limits for Export of records for Threat Explorer


As part of this update, the number of rows for Email records that can be exported from
Threat Explorer is increased from 9990 to 200,000 records. The set of columns that can
be exported currently will remain the same, but the number of rows will increase from
the current limit.
Tags in Threat Explorer

Note

The user tags feature is in Preview, isn't available to everyone, and is subject to
change. For information about the release schedule, check out the Microsoft 365
roadmap.

User tags identify specific groups of users in Microsoft Defender for Office 365. For
more information about tags, including licensing and configuration, see User tags.

In Threat Explorer, you can see information about user tags in the following experiences.

Email grid view


The Tags column in the email grid contains all the tags that have been applied to the
sender or recipient mailboxes. By default, system tags like priority accounts are shown
first.

Filtering
You can use tags as a filter. Hunt just across priority accounts or specific user tags
scenarios. You can also exclude results that have certain tags. Combine this functionality
with other filters to narrow your scope of investigation.

Email detail flyout


To view the individual tags for sender and recipient, select the subject to open the
message details flyout. On the Summary tab, the sender and recipient tags are shown
separately, if they're present for an email. The information about individual tags for
sender and recipient also extends to exported CSV data, where you can see these details
in two separate columns.

Tags information is also shown in the URL clicks flyout. To view it, go to Phish or All
Email view and then to the URLs or URL Clicks tab. Select an individual URL flyout to
view additional details about clicks for that URL, including tags associated with that click.

Updated Timeline View

Learn more by watching this video .

Improvements to the threat hunting experience (upcoming)

Updated threat information for emails


We've focused on platform and data-quality improvements to increase data accuracy
and consistency for email records. Improvements include consolidation of pre-delivery
and post-delivery information, such as actions executed on an email as part of the ZAP
process, into a single record. Additional details like spam verdict, entity-level threats (for
example, which URL was malicious), and latest delivery locations are also included.

After these updates, you'll see a single entry for each message, regardless of the
different post-delivery events that affect the message. Actions can include ZAP, manual
remediation (which means admin action), Dynamic Delivery, and so on.

In addition to showing malware and phishing threats, you see the spam verdict
associated with an email. Within the email, see all the threats associated with the email
along with the corresponding detection technologies. An email can have zero, one, or
multiple threats. You'll see the current threats in the Details section of the email flyout.
For multiple threats (such as malware and phishing), the Detection tech field shows the
threat-detection mapping, which is the detection technology that identified the threat.

The set of detection technologies now includes new detection methods, as well as
spam-detection technologies. You can use the same set of detection technologies to
filter the results across the different email views (Malware, Phish, All Email).

Note

Verdict analysis might not necessarily be tied to entities. As an example, an email
might be classified as phish or spam, but there are no URLs that are stamped with a
phish/spam verdict. This is because the filters also evaluate content and other
details for an email before assigning a verdict.

Threats in URLs
You can now see the specific threat for a URL on the email flyout Details tab. The threat
can be malware, phish, spam, or none.


Updated timeline view (upcoming)

Timeline view identifies all delivery and post-delivery events. It includes information
about the threat identified at that point of time for a subset of these events. Timeline
view also provides information about any additional action taken (such as ZAP or
manual remediation), along with the result of that action. Timeline view information
includes:

Source: Source of the event. It can be admin/system/user.
Event: Includes top-level events like original delivery, manual remediation, ZAP,
submissions, and Dynamic Delivery.
Action: The specific action that was taken either as part of ZAP or admin action (for
example, soft delete).
Threats: Covers the threats (malware, phish, spam) identified at that point of time.
Result/Details: More information about the result of the action, such as whether it
was performed as part of ZAP/admin action.

Original and latest delivery location


Currently, we surface delivery location in the email grid and email flyout. The Delivery
location field is getting renamed Original delivery location. And we're introducing
another field, Latest delivery location.

Original delivery location will give more information about where an email was
delivered initially. Latest delivery location will state where an email landed after system
actions like ZAP or admin actions like Move to deleted items. Latest delivery location is
intended to tell admins the message's last-known location post-delivery or any
system/admin actions. It doesn't include any end-user actions on the email. For
example, if a user deleted a message or moved the message to archive/pst, the message
"delivery" location won't be updated. But if a system action updated the location (for
example, ZAP resulting in an email moving to quarantine), Latest delivery location
would show as "quarantine."

Note

There are a few cases where Delivery location and Delivery action may show as
"unknown":

You might see Delivery action as "delivered" and Delivery location as "unknown" if the
message was delivered, but an Inbox rule moved the message to a default folder (such
as Draft or Archive) instead of to the Inbox or Junk Email folder.

Latest delivery location can be unknown if an admin/system action (such as ZAP) was
attempted, but the message wasn't found. Typically, the action happens after the user
moved or deleted the message. In such cases, verify the Result/Details column in
timeline view. Look for the statement "Message moved or deleted by the user."
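
To make the precedence rules above concrete, here is an added Python model (not Microsoft's code; the TimelineEvent fields and the sample timelines are constructed for illustration) that derives Original delivery location and Latest delivery location from a chronological timeline, ignoring end-user actions and reporting "unknown" when a system or admin action could not find the message:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Result/Details text the page tells you to look for when ZAP could not find the message
USER_MOVED_OR_DELETED = "Message moved or deleted by the user"


@dataclass
class TimelineEvent:
    """One row of the timeline view (hypothetical field layout, modelled on the page)."""
    source: str               # "admin", "system" or "user"
    event: str                # "Original delivery", "ZAP", "Manual remediation", ...
    action: str               # "Delivered", "Move to quarantine", "Soft delete", ...
    location: Optional[str]   # where the message ended up; None if it was not found
    result: str = ""          # Result/Details column text


def delivery_locations(events: List[TimelineEvent]) -> Tuple[str, str, str]:
    """Return (original_location, latest_location, detail) for a chronological timeline.

    Rules as described on the page:
    - Original delivery location comes from the original delivery event.
    - Latest delivery location is updated only by system or admin actions
      (ZAP, manual remediation); end-user moves and deletes never change it.
    - If a system/admin action ran but the message was not found, the latest
      location becomes "unknown" and Result/Details explains why.
    """
    original = latest = "unknown"
    detail = ""
    for ev in events:
        if ev.event == "Original delivery":
            original = latest = ev.location or "unknown"
        elif ev.source == "user":
            continue            # user actions are not reflected in delivery location
        elif ev.location is None:
            latest = "unknown"  # action attempted, but the message was already gone
            detail = ev.result
        else:
            latest = ev.location
            detail = ev.result
    return original, latest, detail


# Constructed sample timelines (not real data)
ZAP_SUCCEEDED = [
    TimelineEvent("system", "Original delivery", "Delivered", "Inbox"),
    TimelineEvent("system", "ZAP", "Move to quarantine", "Quarantine", "Removed by ZAP"),
]
USER_DELETED_BEFORE_ZAP = [
    TimelineEvent("system", "Original delivery", "Delivered", "Inbox"),
    TimelineEvent("user", "User action", "Delete", "Deleted Items"),
    TimelineEvent("system", "ZAP", "Soft delete", None, USER_MOVED_OR_DELETED),
]
USER_ARCHIVED_ONLY = [
    TimelineEvent("system", "Original delivery", "Delivered", "Inbox"),
    TimelineEvent("user", "User action", "Move", "Archive"),
]
ADMIN_REMEDIATED = [
    TimelineEvent("system", "Original delivery", "Delivered", "Junk Email"),
    TimelineEvent("admin", "Manual remediation", "Move to deleted items",
                  "Deleted Items", "Admin action"),
]

if __name__ == "__main__":
    samples = [("ZAP succeeded", ZAP_SUCCEEDED),
               ("user deleted before ZAP", USER_DELETED_BEFORE_ZAP),
               ("user archived only", USER_ARCHIVED_ONLY),
               ("admin remediated", ADMIN_REMEDIATED)]
    for name, timeline in samples:
        original, latest, detail = delivery_locations(timeline)
        print(f"{name}: original={original} latest={latest} detail={detail!r}")
```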

Additional actions
Additional actions were applied after delivery of the email. They can include ZAP, manual
remediation (action taken by an Admin such as soft delete), Dynamic Delivery, and
reprocessed (for an email that was retroactively detected as good).

Note

As part of the pending changes, the "Removed by ZAP" value currently surfaced in
the Delivery Action filter is going away. You'll have a way to search for all email with
the ZAP attempt through Additional actions.

System overrides
System overrides enable you to make exceptions to the intended delivery location of a
message. You override the delivery location provided by the system, based on the
threats and other detections identified by the filtering stack. System overrides can be set
through tenant or user policy to deliver the message as suggested by the policy.
Overrides can identify unintentional delivery of malicious messages due to
configuration gaps, such as an overly broad Safe Sender policy set by a user. These
override values can be:

Allowed by user policy: A user creates policies at the mailbox level to allow
domains or senders.

Blocked by user policy: A user creates policies at the mailbox level to block
domains or senders.

Allowed by org policy: The organization's security teams set policies or Exchange
mail flow rules (also known as transport rules) to allow senders and domains for
users in their organization. This can be for a set of users or the entire organization.

Blocked by org policy: The organization's security teams set policies or mail flow
rules to block senders, domains, message languages, or source IPs for users in their
organization. This can be applied to a set of users or the entire organization.

File extension blocked by org policy: An organization's security team blocks a file
name extension through the anti-malware policy settings. These values will now be
displayed in email details to help with investigations. Secops teams can also use
the rich-filtering capability to filter on blocked file extensions.


Improvements for the URL and clicks experience

The improvements include:

Show the full clicked URL (including any query parameters that are part of the URL)
in the Clicks section of the URL flyout. Currently, the URL domain and path appear
in the title bar. We're extending that information to show the full URL.

Fixes across URL filters (URL versus URL domain versus URL domain and path): The
updates affect searching for messages that contain a URL/click verdict. We enabled
support for protocol-agnostic searches, so you can search for a URL without using
http. By default, the URL search maps to http, unless another value is explicitly
specified. For example:
Search with and without the http:// prefix in the URL, URL Domain, and URL
Domain and Path filter fields. The searches should show the same results.
Search for the https:// prefix in URL. When no value is specified, the http://
prefix is assumed.
/ is ignored at the beginning and end of the URL path, URL Domain, and URL
domain and path fields. / at the end of the URL field is ignored.
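
As an added illustration of the protocol-agnostic matching described above (this is not Microsoft's code; the field names, the rule that a scheme-less search maps to http://, and the sample message URLs are constructed here), the following Python reduces a filter value and a message URL to the same comparison key for each of the three filter fields:

```python
from typing import Iterable, List
from urllib.parse import urlsplit

# The three URL filter fields named on the page
URL_FIELD = "URL"
URL_DOMAIN_FIELD = "URL Domain"
URL_DOMAIN_AND_PATH_FIELD = "URL Domain and Path"


def _split(value: str):
    """Parse a search value or message URL; a missing scheme is taken as http://."""
    value = value.strip().strip("/")   # leading/trailing / are ignored
    if "://" not in value:
        value = "http://" + value      # assumption from the page: default is http
    return urlsplit(value)


def normalize(field: str, value: str) -> str:
    """Reduce a value to the comparison key used for the given filter field."""
    parts = _split(value)
    host = parts.netloc.lower()
    path = parts.path.strip("/")       # / at the start or end of the path is ignored
    if field == URL_DOMAIN_FIELD:
        return host
    if field == URL_DOMAIN_AND_PATH_FIELD:
        return f"{host}/{path}" if path else host
    if field == URL_FIELD:
        key = f"{parts.scheme.lower()}://{host}"
        if path:
            key += "/" + path
        if parts.query:                # the full URL keeps its query string
            key += "?" + parts.query
        return key
    raise ValueError(f"unknown filter field: {field}")


def filter_matches(field: str, search_value: str, message_url: str) -> bool:
    """True if the filter value selects this message URL under the field's rules."""
    return normalize(field, search_value) == normalize(field, message_url)


def search(field: str, search_value: str, message_urls: Iterable[str]) -> List[str]:
    """Return the message URLs that the filter would select, in input order."""
    return [u for u in message_urls if filter_matches(field, search_value, u)]


# Constructed sample of URLs seen in messages (not real data)
SAMPLE_URLS = [
    "http://contoso.com/login/",
    "http://contoso.com/login?session=abc",
    "https://contoso.com/login",
    "http://www.contoso.com/",
    "http://fabrikam.example/reset",
]

if __name__ == "__main__":
    # With or without http:// the URL Domain search selects the same messages
    print(search(URL_DOMAIN_FIELD, "contoso.com", SAMPLE_URLS))
    # An explicit https:// search is distinct from the default http://
    print(search(URL_FIELD, "https://contoso.com/login", SAMPLE_URLS))
```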

Phish confidence level

Phish confidence level helps identify the degree of confidence with which an email was
categorized as "phish." The two possible values are High and Normal. In the initial
stages, this filter will be available only in the Phish view of Threat Explorer.

ZAP URL signal

The ZAP URL signal is typically used for ZAP Phish alert scenarios where an email was
identified as Phish and removed after delivery. This signal connects the alert with the
corresponding results in Explorer. It's one of the IOCs for the alert.

To improve the hunting process, we've updated Threat Explorer and Real-time
detections to make the hunting experience more consistent. The changes are outlined
here:

Timezone improvements
Update in the refresh process
Chart drilldown to add to filters
In product information updates

Filter by user tags

You can now sort and filter on system or custom user tags to quickly grasp the scope of
threats. To learn more, see User tags.

Important

Filtering and sorting by user tags is currently in public preview. This functionality
may be substantially modified before it's commercially released. Microsoft makes
no warranties, express or implied, with respect to the information provided about it.

Timezone improvements
You'll see the time zone for the email records in the Portal as well as for Exported data. It
will be visible across experiences like Email Grid, Details flyout, Email Timeline, and
Similar Emails, so the time zone for the result set is clear.

Update in the refresh process

Some users have commented about confusion with automatic refresh (for example, as
soon as you change the date, the page refreshes) and manual refresh (for other filters).
Similarly, removing filters leads to automatic refresh. Changing filters while modifying
the query can cause inconsistent search experiences. To resolve these issues, we're
moving to a manual-filtering mechanism.

From an experience standpoint, the user can apply and remove the different range of
filters (from the filter set and date) and select the refresh button to filter the results after
they've defined the query. The refresh button is also now emphasized on the screen.
We've also updated the related tooltips and in-product documentation.

Chart drilldown to add to filters

You can now select chart legend values to add them as filters. Select the Refresh button
to filter the results.

In-product information updates

Additional details are now available within the product, such as the total number of
search results within the grid (see below). We've improved labels, error messages, and
tooltips to provide more information about the filters, search experience, and result set.


Extended capabilities in Threat Explorer

Top targeted users

Today we expose the list of the top targeted users in the Malware view for emails, in the
Top Malware Families section. We'll be extending this view in the Phish and All Email
views as well. You'll be able to see the top-five targeted users, along with the number of
attempts for each user for the corresponding view. For example, for Phish view, you'll
see the number of Phish attempts.

You'll be able to export the list of targeted users, up to a limit of 3,000, along with the
number of attempts for offline analysis for each email view. In addition, selecting the
number of attempts (for example, 13 attempts in the image below) will open a filtered
view in Threat Explorer, so you can see more details across emails and threats for that
user.

Exchange transport rules

As part of data enrichment, you'll be able to see all the different Exchange transport
rules (ETR) that were applied to a message. This information will be available in the
Email grid view. To view it, select Column options in the grid and then Add Exchange
Transport Rule from the column options. It will also be visible on the Details flyout in
the email.

You'll be able to see both the GUID and the name of the transport rules that were
applied to the message. You'll be able to search for the messages by using the name of
the transport rule. This is a "Contains" search, which means you can do partial searches
as well.

Important

ETR search and name availability depend on the specific role that's assigned to you.
You need to have one of the following roles/permissions to view the ETR names
and search. If you don't have any of these roles assigned to you, you can't see the
names of the transport rules or search for messages by using ETR names. However,
you could see the ETR label and GUID information in the Email Details. Other
record-viewing experiences in Email Grids, Email flyouts, Filters, and Export are not
affected.

EXO Only - data loss prevention: All
EXO Only - O365SupportViewConfig: All
Microsoft Azure Active Directory or EXO - Security Admin: All
AAD or EXO - Security Reader: All
EXO Only - Transport Rules: All
EXO Only - View-Only Configuration: All

Within the email grid, Details flyout, and Exported CSV, the ETRs are presented with
a Name/GUID as shown below.


Inbound connectors
Connectors are a collection of instructions that customize how your email flows to and
from your Microsoft 365 or Office 365 organization. They enable you to apply any
security restrictions or controls. Within Threat Explorer, you can now view the
connectors that are related to an email and search for emails by using connector names.

The search for connectors is "contains" in nature, which means partial keyword searches
should work as well. Within the Main grid view, the Details flyout, and the Exported CSV,
the connectors are shown in the Name/GUID format as shown here:

New features in Threat Explorer and Real-time detections
View phishing emails sent to impersonated users and domains
Preview email header and download email body
Email timeline
Export URL click data

View phishing emails sent to impersonated users and domains
To identify phishing attempts against users and domains that are impersonated, users
must be added to the list of Users to protect. For domains, admins must either enable
Organization domains, or add a domain name to Domains to protect. The domains to
protect are found on the Anti-Phishing policy page in the Impersonation section.

To review phish messages and search for impersonated users or domains, use the Email
> Phish view of Explorer.

This example uses Threat Explorer.

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), choose
Threat management > Explorer (or Real-time detections).

2. In the View menu, choose Email > Phish.

Here you can choose impersonated domain or impersonated user.

3. EITHER select Impersonated domain, and then type a protected domain in the
textbox.

For example, search for protected domain names like contoso, contoso.com, or
contoso.com.au.

4. Select the Subject of any message under the Email tab > Details tab to see
additional impersonation information like Impersonated Domain / Detected
location.

OR

Select Impersonated user and type a protected user's email address in the textbox.

 Tip

For best results, use full email addresses to search protected users. You will
find your protected user quicker and more successfully if you search for
firstname.lastname@contoso.com, for example, when investigating user
impersonation. When searching for a protected domain the search will take
the root domain (contoso.com, for example), and the domain name (contoso).
Searching for the root domain contoso.com will return both impersonations of
contoso.com and the domain name contoso.

5. Select the Subject of any message under Email tab > Details tab to see additional
impersonation information about the user or domain, and the Detected location.

Note

In step 3 or 5, if you choose Detection Technology and select Impersonation
domain or Impersonation user respectively, the information in the Email tab >
Details tab about the user or domain, and the Detected location will be shown only
on the messages that are related to the user or domain listed on the Anti-Phishing
policy page.

Preview email header and download email body

You can now preview an email header and download the email body in Threat Explorer.
Admins can analyze downloaded headers/email messages for threats. Because
downloading email messages can risk exposure of information, this process is controlled
by role-based access control (RBAC). A new role, Preview, is required to grant the ability
to download mails in all-email messages view. However, viewing the email header does
not require any additional role (other than what is required to view messages in Threat
Explorer). To create a new role group with the Preview role:

1. Select a built-in role group that only has the Preview role, such as Data Investigator
or eDiscovery Manager.
2. Select Copy role group.
3. Choose a name and description for your new role group and select Next.
4. Modify the roles by adding and removing roles as necessary but leaving the
Preview role.
5. Add members and then select Create role group.

Explorer and Real-time detections will also get new fields that provide a more complete
picture of where your email messages land. These changes make hunting easier for
Security Ops. But the main result is you can know the location of problem email
messages at a glance.

How is this done? Delivery status is now broken out into two columns:

Delivery action - Status of the email.
Delivery location - Where the email was routed.

Delivery action is the action taken on an email due to existing policies or detections.
Here are the possible actions for an email:

Delivered: Email was delivered to the inbox or folder of a user, and the user can access
it.
Junked: Email was sent to the user's Junk or Deleted folder, and the user can access it.
Blocked: Emails that are quarantined, that failed, or were dropped. These mails are
inaccessible to the user.
Replaced: Email had malicious attachments replaced by .txt files that state the
attachment was malicious.

Here is what the user can and can't see:

Accessible to end users: Delivered, Junked
Inaccessible to end users: Blocked, Replaced

Delivery location shows the results of policies and detections that run post-delivery. It's
linked to Delivery action. These are the possible values:

Inbox or folder: The email is in the inbox or a folder (according to your email rules).
On-prem or external: The mailbox doesn't exist in the cloud but is on-premises.
Junk folder: The email is in a user's Junk folder.
Deleted items folder: The email is in a user's Deleted items folder.
Quarantine: The email is in quarantine and not in a user's mailbox.
Failed: The email failed to reach the mailbox.
Dropped: The email got lost somewhere in the mail flow.

Email timeline
The Email timeline is a new Explorer feature that improves the hunting experience for
admins. It cuts the time spent checking different locations to try to understand the
event. When multiple events happen at or close to the same time an email arrives, those
events are displayed in a timeline view. Some events that happen to your email post-
delivery are captured in the Special action column. Admins can combine information
from the timeline with the special action taken on the mail post-delivery to get insight
into how their policies work, where the mail was finally routed, and, in some cases, what
the final assessment was.

For more information, see Investigate and remediate malicious email that was delivered
in Office 365.

Export URL click data

You can now export reports for URL clicks to Microsoft Excel to view their network
message ID and click verdict, which helps explain where your URL click traffic
originated. Here's how it works: In Threat Management on the Office 365 quick-launch
bar, follow this chain:

Explorer > View Phish > Clicks > Top URLs or URL Top Clicks > select any record to
open the URL flyout.

When you select a URL in the list, you'll see a new Export button on the flyout panel.
Use this button to move data to an Excel spreadsheet for easier reporting.

Follow this path to get to the same location in the Real-time detections report:

Explorer > Real-time detections > View Phish > URLs > Top URLs or Top Clicks >
Select any record to open the URL flyout > navigate to the Clicks tab.

 Tip

The Network Message ID maps the click back to specific mails when you search on
the ID through Explorer or associated third-party tools. Such searches identify the
email associated with a click result. Having the correlated Network Message ID
makes for quicker and more powerful analysis.

See malware detected in email by technology

Suppose you want to see malware detected in email sorted by Microsoft 365
technology. To do this, use the Email > Malware view of Explorer (or Real-time
detections).

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), choose
Threat management > Explorer (or Real-time detections). (This example uses
Explorer.)

2. In the View menu, choose Email > Malware.

3. Click Sender, and then choose Basic > Detection technology.

Your detection technologies are now available as filters for the report.

4. Choose an option. Then select the Refresh button to apply that filter.

The report refreshes to show the malware detected in email, using the technology option
you selected. From here, you can conduct further analysis.

View phishing URL and click verdict data

Suppose that you want to see phishing attempts through URLs in email, including a list
of URLs that were allowed, blocked, and overridden. To identify URLs that were clicked,
Safe Links must be configured. Make sure that you set up Safe Links policies for
time-of-click protection and logging of click verdicts by Safe Links.

To review phish URLs in messages and clicks on URLs in phish messages, use the Email >
Phish view of Explorer or Real-time detections.

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), choose
Threat management > Explorer (or Real-time detections). (This example uses
Explorer.)

2. In the View menu, choose Email > Phish.

3. Click Sender, and then choose URLs > Click verdict.

4. Select one or more options, such as Blocked and Block overridden, and then
select the Refresh button on the same line as the options to apply that filter. (Don't
refresh your browser window.)

The report refreshes to show two different URL tables on the URL tab under the
report:

Top URLs are the URLs in the messages that you filtered down to and the
email delivery action counts for each URL. In the Phish email view, this list
typically contains legitimate URLs. Attackers include a mix of good and bad
URLs in their messages to try to get them delivered, but they make the
malicious links look more interesting. The table of URLs is sorted by total
email count, but this column is hidden to simplify the view.

Top clicks are the Safe Links-wrapped URLs that were clicked, sorted by total
click count. This column also isn't displayed, to simplify the view. Total counts
by column indicate the Safe Links click verdict count for each clicked URL. In
the Phish email view, these are usually suspicious or malicious URLs. But the
view could include URLs that aren't threats but are in phish messages. URL
clicks on unwrapped links don't show up here.
The two URL tables show top URLs in phishing email messages by delivery action
and location. The tables show URL clicks that were blocked or visited despite a
warning, so you can see what potential bad links were presented to users and that
users clicked. From here, you can conduct further analysis. For example, below
the chart you can see the top URLs in email messages that were blocked in your
organization's environment.

Select a URL to view more detailed information.

Note

In the URL flyout dialog box, the filtering on email messages is removed to
show the full view of the URL's exposure in your environment. This lets you
filter for email messages you're concerned about in Explorer, find specific
URLs that are potential threats, and then expand your understanding of the
URL exposure in your environment (via the URL details dialog box) without
having to add URL filters to the Explorer view itself.

Interpretation of click verdicts

Within the Email and URL flyouts, in Top Clicks, and within the filtering experiences,
you'll see the following click verdict values:

None: Unable to capture the verdict for the URL. The user might have clicked
through the URL.
Allowed: The user was allowed to navigate to the URL.
Blocked: The user was blocked from navigating to the URL.
Pending verdict: The user was presented with the detonation-pending page.
Blocked overridden: The user was blocked from navigating directly to the URL. But
the user overrode the block to navigate to the URL.
Pending verdict bypassed: The user was presented with the detonation page. But
the user overrode the message to access the URL.
Error: The user was presented with the error page, or an error occurred in
capturing the verdict.
Failure: An unknown exception occurred while capturing the verdict. The user
might have clicked through the URL.

Review email messages reported by users

To see email messages that users in your organization reported as Junk, Not Junk, or
Phishing through the Microsoft Report Message or Report Phishing add-ins, use the
Email > Submissions view of Explorer (or Real-time detections).

1. In the Microsoft 365 Defender portal (https://security.microsoft.com), choose
Threat management > Explorer (or Real-time detections). (This example uses
Explorer.)

2. In the View menu, choose Email > Submissions.

3. Click Sender, and then choose Basic > Report type.

4. Select an option, such as Phish, and then select the Refresh button.

The report refreshes to show data about email messages that people in your
organization reported as a phishing attempt. You can use this information to conduct
further analysis, and, if necessary, adjust your anti-phishing policies in Microsoft
Defender for Office 365.

Start automated investigation and response

Note

Automated investigation and response capabilities are available in Microsoft
Defender for Office 365 Plan 2 and Office 365 E5.

Automated investigation and response can save your security operations team time and
effort spent investigating and mitigating cyberattacks. In addition to configuring alerts
that can trigger a security playbook, you can start an automated investigation and
response process from a view in Explorer. For details, see Example: A security
administrator triggers an investigation from Explorer.

More ways to use Explorer and Real-time detections
In addition to the scenarios outlined in this article, you have many more reporting
options available with Explorer (or Real-time detections). See the following articles:

Find and investigate malicious email that was delivered
View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams
Get an overview of the views in Threat Explorer (and Real-time detections)
Threat protection status report
Automated investigation and response in Microsoft 365 Defender

Required licenses and permissions

You must have Microsoft Defender for Office 365 to use Explorer or Real-time
detections.
Explorer is included in Defender for Office 365 Plan 2.
The Real-time detections report is included in Defender for Office 365 Plan 1.
Plan to assign licenses for all users who should be protected by Defender for Office
365. Explorer and Real-time detections show detection data for licensed users.

To view and use Explorer or Real-time detections, you must have appropriate
permissions, such as those granted to a security administrator or security reader.

For the Microsoft 365 Defender portal, you must have one of the following roles
assigned:
Organization Management
Security Administrator (this can be assigned in the Azure Active Directory admin
center (https://aad.portal.azure.com))
Security Reader

For Exchange Online, you must have one of the following roles assigned in either
the Exchange admin center (EAC) or Exchange Online PowerShell:
Organization Management
View-Only Organization Management
View-Only Recipients
Compliance Management

To learn more about roles and permissions, see the following resources:

Permissions in the Microsoft 365 Defender portal
Feature permissions in Exchange Online

Differences between Threat Explorer and Real-time detections
The Real-time detections report is available in Defender for Office 365 Plan 1.
Threat Explorer is available in Defender for Office 365 Plan 2.
The Real-time detections report allows you to view detections in real time. Threat
Explorer does this as well, but it also provides additional details for a given attack.
An All email view is available in Threat Explorer but not in the Real-time detections
report.
More filtering capabilities and available actions are included in Threat Explorer. For
more information, see Microsoft Defender for Office 365 Service Description:
Feature availability across Defender for Office 365 plans.

Other articles
Investigate emails with the Email Entity Page
Threat hunting in Threat Explorer for Microsoft Defender for Office 365
Article • 12/22/2022 • 10 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In this article:

Threat Explorer walk-through
Email investigation
Email remediation
Improvements to threat hunting experience

Note

This is part of a 3-article series on Threat Explorer (Explorer), email security, and
Explorer and Real-time detections (such as differences between the tools, and
permissions needed to operate them). The other two articles in this series are Email
security with Threat Explorer and Threat Explorer and Real-time detections.

If your organization has Microsoft Defender for Office 365, and you have the
permissions, you can use Explorer or Real-time detections to detect and remediate
threats.

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email &
collaboration, and then choose Explorer or Real-time detections. To go directly to the
page, use https://security.microsoft.com/threatexplorer or
https://security.microsoft.com/realtimereports.

With these tools, you can:

See malware detected by Microsoft 365 security features
View phishing URL and click verdict data
Start an automated investigation and response process from a view in Explorer
Investigate malicious email, and more

For more information, see Email security with Threat Explorer.

Watch this short video to learn how to hunt and investigate email and collaboration-
based threats using Microsoft Defender for Office 365.
https://www.microsoft.com/en-us/videoplayer/embed/RWyPRU?postJsllMsg=true

Threat Explorer walk-through

In Microsoft Defender for Office 365, there are two subscription plans—Plan 1 and Plan
2. Manually operated Threat hunting tools exist in both plans, under different names
and with different capabilities.

Defender for Office 365 Plan 1 uses Real-time detections, which is a subset of the Threat
Explorer (also called Explorer) hunting tool in Plan 2. In this series of articles, most of the
examples were created using the full Threat Explorer. Admins should test any steps in
Real-time detections to see where they apply.

After you go to Explorer, by default, you'll arrive on the All email page, but use the tabs
to navigate to the available views. If you're hunting phish or digging into a threat
campaign, choose those views.

Once a security operations (Sec Ops) person selects the data they want to see, they can
further narrow down the data by applying filters such as Sender, Recipient, and Subject,
or select an appropriate date range to get the desired results. Remember to select
Refresh to complete your filtering actions.

Refining focus in Explorer or Real-time detection can be thought of in layers. The first is
View. The second can be thought of as a filtered focus. For example, you can retrace the
steps you took in finding a threat by recording your decisions like this: To find the issue
in Explorer, I chose the Malware View with a Recipient filter focus. This makes retracing
your steps easier.

 Tip

If Sec Ops uses Tags to mark accounts they consider high valued targets, they can
make selections like Phish View with a Tags filter focus (include a date range if used).
This will show them any phishing attempts directed at their high value user targets
during a time-range (like dates when certain phishing attacks are happening a lot
for their industry).

With the new version of Threat Explorer, users can use the following new dropdown
options with four new operators on the filters:

Equals any of – returns values matching the exact user input.
Equals none of – returns values not matching the exact user input.
Contains any of – returns values partially matching user input.
Contains none of – returns values not partially matching user input.

Note that these filter conditions are available based on filter types and input types.

Use the Column options button to get the kind of information on the table that would
be most helpful:

In the same vein, make sure to test your display options. Different audiences will react
well to different presentations of the same data. For some viewers, the Email Origins
map can show that a threat is widespread or discreet more quickly than the Campaign
display option right next to it. Sec Ops can make use of these displays to best make
points that underscore the need for security and protection, or for later comparison, to
demonstrate the effectiveness of their actions.

Email investigation
When you see a suspicious email, click the name to expand the flyout on the right. Here,
the banner that lets Sec Ops see the email entity page is available.

The email entity page pulls together contents that can be found under Details,
Attachments, Devices, but includes more organized data. This includes things like
DMARC results, plain text display of the email header with a copy option, verdict
information on attachments that were securely detonated, and files those detonations
dropped (can include IP addresses that were contacted and screenshots of pages or
files). URLs and their verdicts are also listed with similar details reported.

When you reach this stage, the email entity page will be critical to the final step—
remediation.

 Tip

To learn more about the rich email entity page (seen below on the Analysis tab),
including the results of detonated Attachments, findings for included URLs, and
safe Email preview, click here.

Email remediation
Once a Sec Ops person determines that an email is a threat, the next Explorer or Real-
time detection step is dealing with the threat and remediating it. This can be done by
returning to Threat Explorer, selecting the checkbox for the problem email, and using
the Actions button.

Here, the analyst can take actions like reporting the mail as Spam, Phishing, or Malware,
contacting recipients, or further investigations that can include triggering Automated
Investigation and Response (or AIR) playbooks (if you have Plan 2). Or, the mail can also
be reported as clean.

Improvements to threat hunting experience

Alert ID
When navigating from an alert into Threat Explorer, the View will be filtered by Alert ID.
This also applies in Real-time detection. Messages relevant to the specific alert, and an
email total (a count) are shown. You will be able to see if a message was part of an alert,
as well as navigate from that message to the related alert.
Finally, alert ID is included in the URL, for example:
https://security.microsoft.com/viewalerts

Extending Explorer (and Real-time detections) data retention and search limit for trial tenants
As part of this change, analysts will be able to search for, and filter email data across 30
days (increased from seven days) in Threat Explorer and Real-time detections for both
Defender for Office P1 and P2 trial tenants. This doesn't impact production tenants
for P1 and P2 E5 customers, where the retention default is already 30 days.

Updated Export limit

The number of email records that can be exported from Threat Explorer is now 200,000
(was 9990). The set of columns that can be exported is unchanged.

Tags in Threat Explorer

Note

The user tags feature is in Preview and may not be available to everyone. Also,
Previews are subject to change. For information about the release schedule, check
out the Microsoft 365 roadmap.

User tags identify specific groups of users in Microsoft Defender for Office 365. For
more information about tags, including licensing and configuration, see User tags.

In Threat Explorer, you can see information about user tags in the following experiences.

Email grid view

When analysts look at the Tags column in the email grid, they are seeing all tags that
have been applied to sender or recipient mailboxes. By default, system tags like priority
accounts are shown first.

Filtering
Tags can be used as filters. Hunt among priority accounts only, or use specific user tag
scenarios this way. You can also exclude results that have certain tags. Combine Tags
with other filters and date ranges to narrow the scope of your investigation.


Email detail flyout

To view the individual tags for sender and recipient, select an email to open the
message details flyout. On the Summary tab, the sender and recipient tags are shown
separately. The information about individual tags for sender and recipient can be
exported as CSV data.

Tags information is also shown in the URL clicks flyout. To see it, go to Phish or All Email
view > URLs or URL Clicks tab. Select an individual URL flyout to see additional details
about clicks for that URL, including any Tags associated with that click.

Updated Timeline View

Learn more by watching this video.

Extended capabilities

Top targeted users

Top Malware Families shows the top targeted users in the Malware section. Top
targeted users will be extended through Phish and All Email views too. Analysts will be
able to see the top-five targeted users, along with the number of attempts for each user
in each view.

Security operations people will be able to export the list of targeted users, up to a limit
of 3,000, along with the number of attempts made, for offline analysis for each email
view. Also, selecting the number of attempts (for example, 13 attempts in the image
below) will open a filtered view in Threat Explorer, so you can see more details across
emails and threats for that user.

Exchange transport rules

The security operations team will be able to see all the Exchange transport rules (or Mail
flow rules) applied to a message, in the Email grid view. Select Column options in the
grid and then Add Exchange Transport Rule from the column options. The Exchange
transport rules option is also visible on the Details flyout in the email.

Names and GUIDs of the transport rules applied to the message appear. Analysts will be
able to search for messages by using the name of the transport rule. This is a CONTAINS
search, which means you can do partial searches as well.

Important

Exchange transport rule search and name availability depend on the specific role
assigned to you. You need to have one of the following roles or permissions to view
the transport rule names and search. However, even without the roles or
permissions below, an analyst may see the transport rule label and GUID
information in the Email Details. Other record-viewing experiences in Email Grids,
Email flyouts, Filters, and Export are not affected.

Exchange Online Only - data loss prevention: All
Exchange Online Only - O365SupportViewConfig: All
Microsoft Azure Active Directory or Exchange Online - Security Admin: All
Azure Active Directory or Exchange Online - Security Reader: All
Exchange Online Only - Transport Rules: All
Exchange Online Only - View-Only Configuration: All

Within the email grid, Details flyout, and Exported CSV, the ETRs are presented with
a Name/GUID as shown below.

Inbound connectors
Connectors are a collection of instructions that customize how your email flows to and
from your Microsoft 365 or Office 365 organization. They enable you to apply any
security restrictions or controls. In Threat Explorer, you can view the connectors that are
related to an email and search for emails using connector names.

The search for connectors is a CONTAINS query, which means partial keyword searches
can work:

Required licenses and permissions

You must have Microsoft Defender for Office 365 to use Explorer or Real-time
detections.

Explorer is included in Defender for Office 365 Plan 2.
The Real-time detections report is included in Defender for Office 365 Plan 1.
Plan to assign licenses for all users who should be protected by Defender for Office
365. Explorer and Real-time detections show detection data for licensed users.

To view and use Explorer or Real-time detections, you must have the following
permissions:

In the Microsoft 365 Defender portal:

Organization Management
Security Administrator (this can be assigned in the Azure Active Directory admin
center at https://aad.portal.azure.com)
Security Reader
In Exchange Online:
Organization Management
View-Only Organization Management
View-Only Recipients
Compliance Management
To learn more about roles and permissions, see the following resources:

Permissions in the Microsoft 365 Defender portal
Permissions in Exchange Online
Exchange Online PowerShell

More information
Find and investigate malicious email that was delivered
View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams
Get an overview of the views in Threat Explorer (and Real-time detections)
Threat protection status report
Automated investigation and response in Microsoft Threat Protection
Investigate emails with the Email Entity Page
Email security with Threat Explorer in Microsoft Defender for Office 365
Article • 12/22/2022 • 5 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In this article:

View malware detected in email
View phishing URL and click verdict data
Start automated investigation and response

Note

This is part of a 3-article series on Threat Explorer (Explorer), email security, and
Explorer and Real-time detections (such as differences between the tools, and
permissions needed to operate them). The other two articles in this series are
Threat hunting in Threat Explorer and Threat Explorer and Real-time detections.

This article explains how to view and investigate malware and phishing attempts that are
detected in email by Microsoft 365 security features.

View malware detected in email

To see malware detected in email sorted by Microsoft 365 technology, use the Email >
Malware view of Explorer (or Real-time detections). Malware is the default view, so it
might be selected as soon as you open Explorer.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & collaboration, and then choose Explorer or Real-time detections. To go
directly to the page, use https://security.microsoft.com/threatexplorer or
https://security.microsoft.com/realtimereports.

This example uses Explorer.

From here, start at the View, choose a particular time frame to investigate (if
needed), and focus your filters, as per the Explorer walkthrough.

2. In the View drop down list, verify that Email > Malware is selected.

3. Click Sender, and then choose Basic > Detection technology in the drop down list.

Your detection technologies are now available as filters for the report.

4. Choose an option, and then click Refresh to apply that filter (don't refresh your
browser window).

The report refreshes to show the malware detected in email by the detection
technology you selected. From here, you can conduct further analysis.

Report a message as clean in Explorer

You can use the Report clean option in Explorer to report a message as a false positive.

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Explorer, and
then, in the View drop down list, verify that Phish is selected.

2. Verify that you're on the Email tab, and then from the list of reported messages,
select the one you'd like to report as clean.

3. Click Actions to expand the list of options.

4. Scroll down the list of options to go to the Start new submission section, and then
select Report clean. A flyout appears.

5. Toggle the slider to On. From the drop down list, specify the number of days you
want the message to be removed, add a note if needed, and then select Submit.

View phishing URL and click verdict data

You can view phishing attempts through URLs in email, including a list of URLs that were
allowed, blocked, and overridden. To identify URLs that were clicked, Safe Links must be
configured. Make sure that you set up Safe Links policies for time-of-click protection
and logging of click verdicts by Safe Links.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & collaboration, and then choose Explorer or Real-time detections. To go
directly to the page, use https://security.microsoft.com/threatexplorer or
https://security.microsoft.com/realtimereports.

This example uses Explorer.


2. In the View drop down list, choose Email > Phish.

3. Click Sender, and then choose URLs > Click verdict in the drop down list.

4. In options that appear, select one or more options, such as Blocked and Block
overridden, and then click Refresh (don't refresh your browser window).

The report refreshes to show two different URL tables on the URLs tab under the
report:

Top URLs are the URLs in the messages that you filtered down to and the
email delivery action counts for each URL. In the Phish email view, this list
typically contains legitimate URLs. Attackers include a mix of good and bad
URLs in their messages to try to get them delivered, but they make the
malicious links look more interesting. The table of URLs is sorted by total
email count, but this column is hidden to simplify the view.

Top clicks are the Safe Links-wrapped URLs that were clicked, sorted by total
click count. This column also isn't displayed, to simplify the view. Total counts
by column indicate the Safe Links click verdict count for each clicked URL. In
the Phish email view, these are usually suspicious or malicious URLs. But the
view could include URLs that aren't threats but are in phish messages. URL
clicks on unwrapped links don't show up here.

The two URL tables show top URLs in phishing email messages by delivery action
and location. The tables show URL clicks that were blocked or visited despite a
warning, so you can see what potential bad links were presented to users and that
the users clicked. From here, you can conduct further analysis. For example, below
the chart you can see the top URLs in email messages that were blocked in your
organization's environment.

Select a URL to view more detailed information.

Note

In the URL flyout dialog box, the filtering on email messages is removed to
show the full view of the URL's exposure in your environment. This lets you
filter for email messages you're concerned about in Explorer, find specific
URLs that are potential threats, and then expand your understanding of the
URL exposure in your environment (via the URL details dialog box) without
having to add URL filters to the Explorer view itself.

Interpretation of click verdicts


In the Email or URL flyouts, Top Clicks, and in our filtering experiences, you'll see
different click verdict values:

None: Unable to capture the verdict for the URL. The user might have clicked
through the URL.
Allowed: The user was allowed to navigate to the URL.
Blocked: The user was blocked from navigating to the URL.
Pending verdict: The user was presented with the detonation-pending page.
Blocked overridden: The user was blocked from navigating directly to the URL. But
the user overrode the block to navigate to the URL.
Pending verdict bypassed: The user was presented with the detonation page. But
the user overrode the message to access the URL.
Error: The user was presented with the error page, or an error occurred in
capturing the verdict.
Failure: An unknown exception occurred while capturing the verdict. The user
might have clicked through the URL.

Start automated investigation and response

Note

Automated investigation and response capabilities are available in Microsoft
Defender for Office 365 Plan 2 and Office 365 E5.

Automated investigation and response can save your security operations team time and
effort spent investigating and mitigating cyberattacks. In addition to configuring alerts
that can trigger a security playbook, you can start an automated investigation and
response process from a view in Explorer. For details, see Example: A security
administrator triggers an investigation from Explorer.

Other articles
Investigate emails with the Email Entity Page
Explorer and Real-time detections
Article • 12/22/2022 • 6 minutes to read


Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In this article:

Differences between Explorer and Real-time detections
Updated experience for Explorer and Real-time detections
Required licenses and permissions

Note

This is part of a 3-article series on Explorer (also known as Threat Explorer), email
security, and Explorer and Real-time detections basics (such as differences
between the tools, and permissions needed to operate them). The other two
articles in this series are Threat hunting in Explorer and Email security with
Explorer.

This article explains the differences between Explorer and Real-time detections reporting,
the updated Explorer and Real-time detections experience (where you can toggle
between the old and new experiences), and the licenses and permissions that are required.

If your organization has Microsoft Defender for Office 365, and you have the
permissions, you can use Explorer (also known as Threat Explorer) or Real-time
detections to detect and remediate threats.

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email &
collaboration, and then choose Explorer or Real-time detections. To go directly to the
page, use https://security.microsoft.com/threatexplorer or
https://security.microsoft.com/realtimereports.
With these tools, you can:

See malware detected by Microsoft 365 security features.
View phishing URL and click verdict data.
Start an automated investigation and response process from a view in Explorer.
Investigate malicious email, and more.

For more information, see Email security with Explorer.

Differences between Explorer and Real-time detections
Real-time detections is a reporting tool available in Defender for Office 365 Plan 1.
Threat Explorer is a threat hunting and remediation tool available in Defender for
Office 365 Plan 2.
The Real-time detections report allows you to view detections in real time. Threat
Explorer does this as well, but it provides additional details for a given attack, such
as highlighting attack campaigns, and gives security operations teams the ability to
remediate threats (including triggering an Automated Investigation and Response
investigation).
An All email view is available in Threat Explorer, but not included in the Real-time
detections report.
Rich filtering capabilities and remediation actions are included in Threat Explorer.
For more information, see Microsoft Defender for Office 365 Service Description:
Feature availability across Defender for Office 365 plans.

Updated experience for Explorer and Real-time detections
The experience for Threat Explorer and Real-time detections is updated to align with
modern accessibility standards, and to optimize the workflow. For a short while, you will
be able to toggle between the old experience and the new one.

Note

Toggling impacts only your account and does not impact anyone else within your
tenant.

Threat Explorer and Real-time detections are divided into the following views:
All email: Shows all email analyzed by Defender for Office 365 and contains both
good and malicious emails. This feature is only present in Threat Explorer and is
not available for Real-time detections. By default, it is set to show data for two
days, which can be expanded up to 30 days. This is also the default view for Threat
Explorer.

Malware view: Shows emails on which a malware threat was identified. This is the
default view for Real-time detections, and shows data for two days (can be
expanded to 30 days).

Phish view: Shows emails on which a phish threat was identified.

Content malware view: Shows malicious detections identified in files shared
through OneDrive, SharePoint, or Teams.

Here are the common components within these experiences:

Filters

You can use the various filters to view the data based on email or file attributes.

By default, the time filter is applied to the records, and is applied for two days.

If you are applying multiple filters, they are applied in 'AND' mode and you can
use the advanced filter to change it to 'OR' mode.

You can use commas to add multiple values for the same filter.

Charts
Charts provide a visual, aggregate view of data based on filters. You can use
different filters to view the data by different dimensions.

Note

You may see no results in chart view even if you are seeing an entry in the list
view. This happens if the filter does not produce any data. For example, if you
have applied the filter malware family, but the underlying data does not have
any malicious emails, then you may see the message no data available for this
scenario.

Results grid

Results grid shows the email results based on the filters you have applied.

Based on the configuration set in your tenant, data will be shown in UTC or local
timezone, with the timezone information available in the first column.

You can navigate to the individual email entity page from the list view by
clicking the Open in new window icon.

You can also customize your columns to add or remove columns to optimize
your view.

Note

You can toggle between the Chart View and the List View to maximize your
result set.

Detailed flyout
You can click on hyperlinks to get to the email summary panel (entries in
Subject column), recipient, or IP flyout.

The email summary panel replaces the legacy email flyout, and also provides a
path to access the email entity panel.

The individual entity flyouts like IP, recipient, and URL reflect the same
information, but presented in a single tab-based view, with the ability to expand
and collapse the different sections as required.

For flyouts like URLs, you can click View all Email or View all Clicks to view the
full set of emails/clicks containing that URL, as well as export the result set.

Actions
From Threat Explorer, you can trigger remediation actions like Delete an email.
For more information on remediation, remediation limits, and tracking
remediation see Remediate malicious email.

Export

You can click Export chart data to export the chart details. Similarly, click Export
email list to export email details.

You can export up to 200K records for email list. However, for better system
performance and reduced download time, you should use various email filters.

In addition to these features, you will also get updated experiences like Top URLs, Top
clicks, Top targeted users, and Email origin. Top URLs, Top clicks, and Top targeted users
can be further filtered based on the filter that you apply within Explorer.

Required licenses and permissions

You must have Microsoft Defender for Office 365 to use either Explorer or Real-time
detections:

Explorer is only included in Defender for Office 365 Plan 2.
The Real-time detections report is included in Defender for Office 365 Plan 1.

Security Operations teams need to assign licenses for all users who should be protected
by Defender for Office 365 and be aware that Explorer and Real-time detections show
detection data for licensed users.

To view and use Explorer or Real-time detections, you need the following permissions:

In Defender for Office 365:

Organization Management
Security Administrator (this can be assigned in the Azure Active Directory admin
center at https://aad.portal.azure.com)
Security Reader
In Exchange Online:
Organization Management
View-Only Organization Management
View-Only Recipients
Compliance Management

To learn more about roles and permissions, see the following articles:

Permissions in the Microsoft 365 Defender portal
Permissions in Exchange Online

More information
Threat Explorer: collect email details on the email entity page
Find and investigate malicious email that was delivered
View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams
Threat protection status report
Automated investigation and response in Microsoft Threat Protection
Views in Threat Explorer and real-time detections
Article • 12/09/2022 • 6 minutes to read


Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Threat Explorer (and the real-time detections report) is a powerful, near real-time tool to
help Security Operations teams investigate and respond to threats in the Microsoft 365
Defender portal. Explorer (and the real-time detections report) displays information
about suspected malware and phish in email and files in Office 365, as well as other
security threats and risks to your organization.

If you have Microsoft Defender for Office 365 Plan 2, then you have Explorer.
If you have Microsoft Defender for Office 365 Plan 1, then you have real-time
detections.

When you first open Explorer (or the real-time detections report), the default view
shows email malware detections for the past 7 days. This report can also show Microsoft
Defender for Office 365 detections, such as malicious URLs detected by Safe Links, and
malicious files detected by Safe Attachments. This report can be modified to show data
for the past 30 days (with a Microsoft Defender for Office 365 P2 paid subscription). Trial
subscriptions will include data for the past seven days only.

Subscription | Utility | Days of data
Microsoft Defender for Office 365 P1 trial | Real-time detections | 7
Microsoft Defender for Office 365 P1 paid | Real-time detections | 30
Microsoft Defender for Office 365 P1 paid testing Defender for Office 365 P2 trial | Threat Explorer | 7
Microsoft Defender for Office 365 P2 trial | Threat Explorer | 7
Microsoft Defender for Office 365 P2 paid | Threat Explorer | 30

Note

We will soon be extending the Explorer (and Real-time detections) data retention
and search limit for trial tenants from 7 to 30 days. This change is being tracked as
part of roadmap item no. 70544, and is currently in a roll-out phase.

Use the View menu to change what information is displayed. Tooltips help you
determine which view to use.

Once you have selected a view, you can apply filters and set up queries to conduct
further analysis. The following sections provide a brief overview of the various views
available in Explorer (or real-time detections).

Email > Malware

To view this report, in Explorer (or real-time detections), choose View > Email >
Malware. This view shows information about email messages that were identified as
containing malware.

Click Sender to open your list of viewing options. Use this list to view data by sender,
recipients, sender domain, subject, detection technology, protection status, and more.

For example, to see what actions were taken on detected email messages, choose
Protection status in the list. Select an option, and then click the Refresh button to apply
that filter to your report.

Below the chart, view more details about specific messages. When you select an item in
the list, a fly-out pane opens, where you can learn more about the item you selected.

Email > Phish

To view this report, in Explorer (or real-time detections), choose View > Email > Phish.
This view shows email messages identified as phishing attempts.

Click Sender to open your list of viewing options. Use this list to view data by sender,
recipients, sender domain, sender IP, URL domain, click verdict, and more.

For example, to see what actions were taken when people clicked on URLs that were
identified as phishing attempts, choose Click verdict in the list, select one or more
options, and then click the Refresh button.

Below the chart, view more details about specific messages, URL clicks, URLs, and email
origin.

When you select an item in the list, such as a URL that was detected, a fly-out pane
opens, where you can learn more about the item you selected.

Email > Submissions

To view this report, in Explorer (or real-time detections), choose View > Email >
Submissions. This view shows email that users have reported as junk, not junk, or
phishing email.

Click Sender to open your list of viewing options. Use this list to view information by
sender, recipients, report type (the user's determination that the email was junk, not
junk, or phish), and more.

For example, to view information about email messages that were reported as phishing
attempts, click Sender > Report type, select Phish, and then click the Refresh button.
Below the chart, view more details about specific email messages, such as subject line,
the sender's IP address, the user that reported the message as junk, not junk, or phish,
and more.

Select an item in the list to view additional details.

Email > All email

To view this report, in Explorer, choose View > Email > All mail. This view shows an all-
up view of email activity, including email identified as malicious due to phishing or
malware, as well as all non-malicious mail (normal email, spam, and bulk mail).

Note

If you get an error that reads Too much data to display, add a filter and, if
necessary, narrow the date range you're viewing.

To apply a filter, choose Sender, select an item in the list, and then click the Refresh
button. In our example, we used Detection technology as a filter (there are several
options available). View information by sender, sender's domain, recipients, subject,
attachment filename, malware family, protection status (actions taken by your threat
protection features and policies in Office 365), detection technology (how the malware
was detected), and more.

Below the chart, view more details about specific email messages, such as subject line,
recipient, sender, status, and so on.

Content > Malware

To view this report, in Explorer (or real-time detections), choose View > Content >
Malware. This view shows files that were identified as malicious by Microsoft Defender
for Office 365 in SharePoint Online, OneDrive for Business, and Microsoft Teams.

View information by malware family, detection technology (how the malware was
detected), and workload (OneDrive, SharePoint, or Teams).

Below the chart, view more details about specific files, such as attachment filename,
workload, file size, who last modified the file, and more.

Click-to-filter capabilities
With Explorer (and real-time detections), you can apply a filter in a click. Click an item in
the legend, and that item becomes a filter for the report. For example, clicking ATP
Detonation in this chart results in a view like this:

In this view, we are now looking at data for files that were detonated by Safe
Attachments. Below the chart, we can see details about specific email messages that had
attachments that were detected by Safe Attachments.

Selecting one or more items activates the Actions menu, which offers several choices
from which to choose for the selected item(s).

The ability to filter in a click and navigate to specific details can save you a lot of time in
investigating threats.

Queries and filters

Explorer (as well as the real-time detections report) has several powerful filters and
querying capabilities that enable you to drill into details, such as top targeted users, top
malware families, detection technology and more. Each kind of report offers a variety of
ways to view and explore data.

Important

Do not use wildcard characters, such as an asterisk or a question mark, in the query
bar for Explorer (or real-time detections). When you search on the Subject field for
email messages, Explorer (or real-time detections) will perform partial matching
and yield results similar to a wildcard search.
Impersonation insight in Defender for Office 365
Article • 12/22/2022 • 7 minutes to read


Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Impersonation is where the sender of an email message looks very similar to a real or
expected sender email address. Attackers often use impersonated sender email
addresses in phishing or other types of attacks in an effort to gain the trust of the
recipient. There are basically two types of impersonation:

Domain impersonation: Instead of lila@contoso.com, the impersonated sender's
email address is lila@ćóntoso.com.
User impersonation: Instead of michelle@contoso.com, the impersonated sender's
email address is rnichell@contoso.com.

Domain impersonation is different from domain spoofing, because the impersonated
domain is typically a real, registered domain. Messages from senders in the
impersonated domain can and often do pass regular email authentication checks that
would otherwise identify spoofing attempts (SPF, DKIM, and DMARC).
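As an added example (not Microsoft's code, and not the product's own detection logic), the following Python script shows how the two impersonation types above can be recognised on the receiving side: each sender's domain and local part is reduced to a "skeleton" that collapses accented characters, digit substitutions and the rn/m glyph pair, and the result is compared with a protected list. The protected domains and users, the fold tables and the sample senders are constructed for illustration.

```python
"""Lookalike-sender detector for domain and user impersonation.

Added example, not Microsoft's code. Protected lists, fold tables and sample
senders are constructed for illustration.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass

# Entries an admin would place under impersonation protection (constructed).
PROTECTED_DOMAINS = ["contoso.com"]
PROTECTED_USERS = ["michelle@contoso.com", "lila@contoso.com"]

# Digits and symbols commonly swapped for the letters they resemble.
CHAR_FOLDS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "$": "s"})
# Character pairs that render like a single letter ('rn' for 'm', 'vv' for 'w').
PAIR_FOLDS = [("rn", "m"), ("vv", "w")]


def skeleton(text: str) -> str:
    """Collapse a local part or domain so that look-alikes compare equal.

    NFKD decomposition turns 'ć' into 'c' plus a combining accent; dropping
    the combining marks leaves plain ASCII, after which digit/symbol and
    glyph-pair substitutions are folded back to the letters they imitate.
    """
    decomposed = unicodedata.normalize("NFKD", text.casefold())
    ascii_like = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = ascii_like.translate(CHAR_FOLDS)
    for pair, letter in PAIR_FOLDS:
        folded = folded.replace(pair, letter)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one dropped, added or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    kind: str    # "domain impersonation", "user impersonation" or "none"
    target: str  # protected entry being imitated, empty when kind is "none"
    reason: str


def lookalike_domain(domain: str) -> str | None:
    """Protected domain that this (non-protected) domain resembles, or None."""
    if domain in PROTECTED_DOMAINS:
        return None
    for target in PROTECTED_DOMAINS:
        if levenshtein(skeleton(domain), skeleton(target)) <= 1:
            return target
    return None


def classify(sender: str) -> Verdict:
    s = sender.casefold()
    if s in PROTECTED_USERS:
        # The genuine address; SPF/DKIM/DMARC, not this check, vouch for it.
        return Verdict(sender, "none", "", "exact protected address")
    local, _, domain = s.partition("@")
    target = lookalike_domain(domain)
    if target is not None:
        return Verdict(sender, "domain impersonation", target,
                       f"domain skeleton {skeleton(domain)!r} resembles {target}")
    for user in PROTECTED_USERS:
        user_local = user.partition("@")[0]
        distance = levenshtein(skeleton(local), skeleton(user_local))
        # An identical skeleton is flagged from any domain; a one-edit variant
        # is flagged only when it claims a protected domain, which keeps an
        # unrelated 'lisa@fabrikam.com' from matching the protected 'lila'.
        if distance == 0 or (distance == 1 and domain in PROTECTED_DOMAINS):
            return Verdict(sender, "user impersonation", user,
                           f"local part {skeleton(local)!r} is {distance} edit(s) from {user_local!r}")
    return Verdict(sender, "none", "", "no resemblance to protected senders")


# Constructed sample senders, including the two examples from the text.
SAMPLE_SENDERS = [
    "michelle@contoso.com",   # genuine protected user
    "lila@ćóntoso.com",       # domain impersonation (accented look-alike)
    "rnichell@contoso.com",   # user impersonation ('rn' for 'm', dropped 'e')
    "payroll@c0ntos0.corn",   # domain impersonation (digits, 'rn' for 'm')
    "bob@fabrikam.com",       # unrelated external sender
    "lisa@fabrikam.com",      # one edit from 'lila' but external: not flagged
]


def summarize(senders: list[str]) -> dict[str, int]:
    """Counts per verdict kind, the figures an insight tile would report."""
    counts = {"domain impersonation": 0, "user impersonation": 0, "none": 0}
    for sender in senders:
        counts[classify(sender).kind] += 1
    return counts


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        v = classify(sender)
        print(f"{sender:28} {v.kind:22} {v.reason}")
    print(summarize(SAMPLE_SENDERS))
```

The fold tables are deliberately short; a production detector would use the full Unicode confusables data and mailbox intelligence rather than a fixed list.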

Impersonation protection is part of the anti-phishing policy settings that are exclusive to
Microsoft Defender for Office 365. For more information about these settings, see
Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365.

You can use the impersonation insight in the Microsoft 365 Defender portal to quickly
identify messages from impersonated senders or sender domains that you've
configured for impersonation protection.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the Anti-phishing page, use
https://security.microsoft.com/antiphishing. To go directly to the Impersonation
insight page, use https://security.microsoft.com/impersonationinsight.

You need to be assigned permissions in the Microsoft 365 Defender portal before
you can do the procedures in this article:
Organization Management
Security Administrator
Security Reader
Global Reader

For more information, see Permissions in the Microsoft 365 Defender portal.

Note: Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions in the Microsoft
365 Defender portal and permissions for other features in Microsoft 365. For more
information, see About admin roles.

You enable and configure impersonation protection in anti-phishing policies in
Microsoft Defender for Office 365. Impersonation protection is not enabled by
default. For more information, see Configure anti-phishing policies in Microsoft
Defender for Office 365.

Open the impersonation insight in the Microsoft 365 Defender portal

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the
Policies section. To go directly to the Anti-phishing page, use
https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, the impersonation insight looks like this:

The insight has two modes:

Insight mode: If impersonation protection is enabled and configured in any
anti-phishing policies, the insight shows the number of detected messages
from impersonated domains and impersonated users (senders) over the past
seven days. This is the total of all detected impersonated senders from all
anti-phishing policies.
What if mode: If impersonation protection is not enabled and configured in
any active anti-phishing policies, the insight shows you how many messages
would have been detected by our impersonation protection capabilities over
the past seven days.

To view information about the impersonation detections, click View impersonations in
the impersonation insight.

View information about messages from senders in impersonated domains

On the Impersonation insight page that appears after you click View impersonations in
the impersonation insight, verify that the Domains tab is selected. The Domains tab
contains the following information:

Sender Domain: The impersonating domain, which is the domain that was used to
send the email message.
Message count: The number of messages from the impersonating sender domain over
the last 7 days.
Impersonation type: This value shows the detected location of the impersonation
(for example, Domain in address).
Impersonated domain(s): The impersonated domain, which should closely
resemble the domain that's configured for impersonation protection in the anti-
phishing policy.
Domain type: This value is Company domain for internal domains or Custom
domain for custom domains.
Policy: The anti-phishing policy that detected the impersonated domain.
Allowed to impersonate: One of the following values:
Yes: The domain was configured as trusted domain (an exception for
impersonation protection) in the anti-phishing policy. Messages from senders in
the impersonated domain were detected, but allowed.
No: The domain was configured for impersonation protection in the anti-
phishing policy. Messages from senders in the impersonated domain were
detected and acted upon based on the action for impersonated domains in the
anti-phishing policy.

You can click selected column headings to sort the results.


To filter the results, enter a comma-separated list of values in the Search box.

View details about messages from senders in impersonated domains

On the Domains tab on the Impersonation insight page, select one of the available
impersonation detections. The details flyout that appears contains the following
information and features:

Select impersonation policy to modify: Select the affected anti-phishing policy
that you want to modify. Only policies where the impersonated domain is defined
in the policy are available. Refer to the previous page to see which policy was
actually responsible for detecting the impersonated domain (likely based on the
recipient and the priority of the policy).
Add to the allowed to impersonation list: Use this toggle to add or remove the
sender from the Trusted senders and domains (impersonation exceptions) for the
anti-phishing policy that you selected:
If the Allowed to impersonate value for this entry was No, the toggle is off. To
exempt all senders in this domain from evaluation by impersonation protection,
slide the toggle to on. The domain is added to the Trusted domains list in
the impersonation protection settings of the anti-phishing policy.
If the Allowed to impersonate value for this entry was Yes, the toggle is on. To
return all senders in this domain to evaluation by impersonation protection,
slide the toggle to off. The domain is removed from the Trusted domains
list in the impersonation protection settings of the anti-phishing policy.
Why we caught this.
What you need to do.
A domain summary that lists the impersonated domain.
WhoIs data about the sender.
A link to open Threat Explorer to see additional details about the sender.
Similar messages from the same sender that were delivered to your organization.

View information about messages from impersonated senders

On the Impersonation insight page that appears after you click View impersonations in
the impersonation insight, click the Users tab. The Users tab contains the following
information:

Sender: The email address of the impersonating sender that sent the email
message.
Message count: The number of messages from the impersonating sender over the
last 7 days.
Impersonation type: This value is User in display name.
Impersonated user(s): The email address of the impersonated sender, which
should closely resemble the user that's configured for impersonation protection in
the anti-phishing policy.
User type: This value shows the type of protection applied (for example, Protected
user or Mailbox Intelligence).
Policy: The anti-phishing policy that detected the impersonated sender.
Allowed to impersonate: One of the following values:
Yes: The sender was configured as trusted user (an exception for impersonation
protection) in the anti-phishing policy. Messages from the impersonated sender
were detected, but allowed.
No: The sender was configured for impersonation protection in the anti-
phishing policy. Messages from the impersonated sender were detected and
acted upon based on the action for impersonated users in the anti-phishing
policy.

You can click selected column headings to sort the results.

To filter the results, enter a comma-separated list of values in the Filter sender box.

View details about messages from impersonated senders

On the Users tab on the Impersonation insight page, select one of the available
impersonation detections. The details flyout that appears contains the following
information and features:

Select impersonation policy to modify: Select the affected anti-phishing policy
that you want to modify. Only policies where the impersonated sender is defined in
the policy are available. Refer to the previous page to see which policy was actually
responsible for detecting the impersonated sender (likely based on the recipient
and the priority of the policy).
Add to the allowed to impersonation list: Use this toggle to add or remove the
sender from the Trusted senders and domains (impersonation exceptions) for the
anti-phishing policy that you selected:
If the Allowed to impersonate value for this entry was No, the toggle is off. To
exempt the sender from evaluation by impersonation protection, slide the
toggle to on. The sender is added to the Trusted users list in the
impersonation protection settings of the anti-phishing policy.
If the Allowed to impersonate value for this entry was Yes, the toggle is on. To
return the sender to evaluation by impersonation protection, slide the toggle to
off. The sender is removed from the Trusted users list in the
impersonation protection settings of the anti-phishing policy.
Why we caught this.
What you need to do.
A sender summary that lists the impersonated sender.
WhoIs data about the sender.
A link to open Threat Explorer to see additional details about the sender.
Similar messages from the same sender that were delivered to your organization.

Spoof intelligence insight in EOP
Article • 12/22/2022 • 9 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
inbound email messages are automatically protected against spoofing. EOP uses spoof
intelligence as part of your organization's overall defense against phishing. For more
information, see Anti-spoofing protection in EOP.

When a sender spoofs an email address, they appear to be a user in one of your
organization's domains, or a user in an external domain that sends email to your
organization. Attackers who spoof senders to send spam or phishing email need to be
blocked. But there are scenarios where legitimate senders are spoofing. For example:

Legitimate scenarios for spoofing internal domains:
Third-party senders use your domain to send bulk mail to your own employees
for company polls.
An external company generates and sends advertising or product updates on
your behalf.
An assistant regularly needs to send email for another person within your
organization.
An internal application sends email notifications.

Legitimate scenarios for spoofing external domains:
The sender is on a mailing list (also known as a discussion list), and the mailing
list relays email from the original sender to all the participants on the mailing
list.
An external company sends email on behalf of another company (for example,
an automated report or a software-as-a-service company).

You can use the spoof intelligence insight in the Microsoft 365 Defender portal to
quickly identify spoofed senders who are legitimately sending you unauthenticated
email (messages from domains that don't pass SPF, DKIM, or DMARC checks), and
manually allow those senders.

By allowing known senders to send spoofed messages from known locations, you can
reduce false positives (good email marked as bad). By monitoring the allowed spoofed
senders, you provide an additional layer of security to prevent unsafe messages from
arriving in your organization.

Likewise, you can review spoofed senders that were allowed by spoof intelligence and
manually block those senders from the spoof intelligence insight.

The rest of this article explains how to use the spoof intelligence insight in the Microsoft
365 Defender portal and in PowerShell (Exchange Online PowerShell for Microsoft 365
organizations with mailboxes in Exchange Online; standalone EOP PowerShell for
organizations without Exchange Online mailboxes).

Note

Only spoofed senders that were detected by spoof intelligence appear in the
spoof intelligence insight. When you override the allow or block verdict in the
insight, the spoofed sender becomes a manual allow or block entry that
appears only on the Spoofed senders tab in the Tenant Allow/Block List. You
can also manually create allow or block entries for spoofed senders before
they're detected by spoof intelligence. For more information, see Manage the
Tenant Allow/Block List in EOP.

The spoof intelligence insight and the Spoofed senders tab in the Tenant
Allow/Block list replace the functionality of the spoof intelligence policy that
was available on the anti-spam policy page in the Security & Compliance
Center.

The spoof intelligence insight shows 7 days worth of data. The
Get-SpoofIntelligenceInsight cmdlet shows 30 days worth of data.

The latest available data is 3 to 4 days old.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the Spoofed senders tab on the Tenant Allow/Block List page, use
https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem. To go
directly to the Spoof intelligence insight page, use
https://security.microsoft.com/spoofintelligence.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To modify the spoof intelligence policy or enable or disable spoof intelligence,
you need to be a member of one of the following role groups:
Organization Management
Security Administrator and View-Only Configuration or View-Only
Organization Management.
For read-only access to the spoof intelligence policy, you need to be a member
of the Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Note

Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions and
permissions for other features in Microsoft 365. For more information, see
About admin roles.
The View-Only Organization Management role group in Exchange Online
also gives read-only access to the feature.

You enable and disable spoof intelligence in anti-phishing policies in EOP and
Microsoft Defender for Office 365. Spoof intelligence is enabled by default. For
more information, see Configure anti-phishing policies in EOP or Configure anti-
phishing policies in Microsoft Defender for Office 365.

For our recommended settings for spoof intelligence, see EOP anti-phishing policy
settings.

Open the spoof intelligence insight in the Microsoft 365 Defender portal

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & Collaboration > Policies & Rules > Threat policies > Tenant Allow/Block
Lists in the Rules section. To go directly to the Spoofed senders tab on the Tenant
Allow/Block List page, use https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem.

2. On the Tenant Allow/Block Lists page, the spoof intelligence insight looks like this:

The insight has two modes:

Insight mode: If spoof intelligence is enabled, the insight shows you how
many messages were detected by spoof intelligence during the past seven
days.
What if mode: If spoof intelligence is disabled, then the insight shows you
how many messages would have been detected by spoof intelligence during
the past seven days.

To view information about the spoof intelligence detections, click View spoofing activity
in the spoof intelligence insight.

View information about spoofed messages

Note

Remember, only spoofed senders that were detected by spoof intelligence appear
on this page. When you override the allow or block verdict in the insight, the
spoofed sender becomes a manual allow or block entry that appears only on the
Spoofed senders tab in the Tenant Allow/Block List.

On the Spoof intelligence insight page that appears after you click View spoofing
activity in the spoof intelligence insight, the page contains the following information:

Spoofed user: The domain of the spoofed user that's displayed in the From box in
email clients. The From address is also known as the 5322.From address.
Sending infrastructure: Also known as the infrastructure. The sending
infrastructure will be one of the following values:
The domain found in a reverse DNS lookup (PTR record) of the source email
server's IP address.
If the source IP address has no PTR record, then the sending infrastructure is
identified as <source IP>/24 (for example, 192.168.100.100/24).
A verified DKIM domain.
Message count: The number of messages from the combination of the spoofed
domain and the sending infrastructure to your organization within the last 7 days.
Last seen: The last date when a message was received from the sending
infrastructure that contains the spoofed domain.
Spoof type: One of the following values:
Internal: The spoofed sender is in a domain that belongs to your organization
(an accepted domain).
External: The spoofed sender is in an external domain.
Action: This value is Allowed or Blocked:
Allowed: The domain failed the explicit email authentication checks (SPF, DKIM, and
DMARC). However, the domain passed our implicit email authentication checks
(composite authentication). As a result, no anti-spoofing action was taken on
the message.
Blocked: Messages from the combination of the spoofed domain and sending
infrastructure are marked as bad by spoof intelligence. The action that's taken
on the spoofed messages is controlled by the default anti-phishing policy or
custom anti-phishing policies (the default value is Move message to Junk Email
folder). For more information, see Configure anti-phishing policies in Microsoft
Defender for Office 365.

You can click selected column headings to sort the results.

To filter the results, you have the following options:

Click the Filter button. In the Filter flyout that appears, you can filter the results by:
Spoof type
Action
Use the Search box to enter a comma-separated list of spoofed domain values or
sending infrastructure values to filter the results.

View details about spoofed messages

When you select an entry from the list, a details flyout appears that contains the
following information and features:

Allow to spoof or Block from spoofing: Select one of these values to override the
original spoof intelligence verdict and move the entry from the spoof intelligence
insight to the Tenant Allow/Block List as an allow or block entry for spoof.
Why we caught this.
What you need to do.
A domain summary that includes most of the same information from the main
spoof intelligence page.
WhoIs data about the sender.
A link to open Threat Explorer to see additional details about the sender under
View > Phish in Microsoft Defender for Office 365.
Similar messages we have seen in your tenant from the same sender.

About allowed spoofed senders

An allowed spoofed sender in the spoof intelligence insight or a blocked spoofed
sender that you manually changed to Allow to spoof only allows messages from the
combination of the spoofed domain and the sending infrastructure. It does not allow
email from the spoofed domain from any source, nor does it allow email from the
sending infrastructure for any domain.

For example, the following spoofed sender is allowed to spoof:

Domain: gmail.com
Infrastructure: tms.mx.com

Only email from that domain/sending infrastructure pair will be allowed to spoof. Other
senders attempting to spoof gmail.com aren't automatically allowed. Messages from
senders in other domains that originate from tms.mx.com are still checked by spoof
intelligence, and might be blocked.
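As an added example that is not Microsoft's code, the following PowerShell derives the spoofed-domain/sending-infrastructure pair that the insight displays for a message (PTR domain, or <source IP>/24 when there is no PTR record, or a verified DKIM domain) and checks it against pair-based allow entries like the gmail.com/tms.mx.com one above. The messages and their lookup results are constructed, and the order in which the three infrastructure sources are tried is an assumption of the example.

```powershell
# Added example, not Microsoft code: builds the spoofed-domain/sending-infrastructure
# pair the insight shows for a message and checks it against pair-based allow entries.
# The messages are constructed, and their Ptr/Dkim fields stand in for real lookups.

function Get-SendingInfrastructure {
    param([string]$SourceIp, [string]$PtrDomain, [string]$VerifiedDkimDomain)
    # The order of preference below is an assumption of this example.
    if ($VerifiedDkimDomain) { return $VerifiedDkimDomain.ToLowerInvariant() }
    if ($PtrDomain)          { return $PtrDomain.ToLowerInvariant() }
    # No PTR record: the infrastructure is shown as <source IP>/24.
    [void][System.Net.IPAddress]::Parse($SourceIp)   # throws on a malformed address
    return "$SourceIp/24"
}

function Test-SpoofAllowed {
    param([string]$SpoofedDomain, [string]$Infrastructure, [object[]]$AllowEntries)
    # An allow entry covers only its exact domain/infrastructure pair.
    foreach ($entry in $AllowEntries) {
        if ($entry.Domain -eq $SpoofedDomain -and $entry.Infrastructure -eq $Infrastructure) {
            return $true
        }
    }
    return $false
}

# The page's example allow entry: gmail.com may be spoofed from tms.mx.com only.
$allowEntries = @([pscustomobject]@{ Domain = 'gmail.com'; Infrastructure = 'tms.mx.com' })

# Constructed messages (documentation IP range); none of these are real observations.
$messages = @(
    [pscustomobject]@{ From = 'alice@gmail.com'; SourceIp = '203.0.113.10'; Ptr = 'tms.mx.com'; Dkim = '' },
    [pscustomobject]@{ From = 'alice@gmail.com'; SourceIp = '203.0.113.77'; Ptr = '';           Dkim = '' },
    [pscustomobject]@{ From = 'ceo@contoso.com'; SourceIp = '203.0.113.10'; Ptr = 'tms.mx.com'; Dkim = '' }
)

foreach ($m in $messages) {
    $domain = ($m.From -split '@')[-1].ToLowerInvariant()
    $infra  = Get-SendingInfrastructure -SourceIp $m.SourceIp -PtrDomain $m.Ptr -VerifiedDkimDomain $m.Dkim
    [pscustomobject]@{
        SpoofedUser           = $domain
        SendingInfrastructure = $infra
        AllowedToSpoof        = (Test-SpoofAllowed -SpoofedDomain $domain -Infrastructure $infra -AllowEntries $allowEntries)
    }
}
```

Only the first message (gmail.com via tms.mx.com) is allowed; gmail.com from 203.0.113.77/24 and contoso.com via tms.mx.com are not, which is the pair semantics described above.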

Use the spoof intelligence insight in Exchange Online PowerShell or standalone EOP PowerShell

In PowerShell, you use the Get-SpoofIntelligenceInsight cmdlet to view allowed and
blocked spoofed senders that were detected by spoof intelligence. To manually allow or
block the spoofed senders, you need to use the New-TenantAllowBlockListSpoofItems
cmdlet. For more information, see Use PowerShell to manage spoofed sender entries to
the Tenant Allow/Block List.

To view the information in the spoof intelligence insight, run the following command:

PowerShell

Get-SpoofIntelligenceInsight

For detailed syntax and parameter information, see Get-SpoofIntelligenceInsight.

Other ways to manage spoofing and phishing

Be diligent about spoofing and phishing protection. Here are related ways to check on
senders who are spoofing your domain and help prevent them from damaging your
organization:

Check the Spoof Mail Report. You can use this report often to view and help
manage spoofed senders. For information, see Spoof Detections report.

Review your Sender Policy Framework (SPF) configuration. For a quick introduction
to SPF and to get it configured quickly, see Set up SPF in Microsoft 365 to help
prevent spoofing. For a more in-depth understanding of how Office 365 uses SPF,
or for troubleshooting or non-standard deployments such as hybrid deployments,
start with How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing.

Review your DomainKeys Identified Mail (DKIM) configuration. You should use
DKIM in addition to SPF and DMARC to help prevent attackers from sending
messages that look like they are coming from your domain. DKIM lets you add a
digital signature to email messages in the message header. For information, see
Use DKIM to validate outbound email sent from your custom domain in Office 365.

Review your Domain-based Message Authentication, Reporting, and Conformance
(DMARC) configuration. Implementing DMARC with SPF and DKIM provides
additional protection against spoofing and phishing email. DMARC helps receiving
mail systems determine what to do with messages sent from your domain that fail
SPF or DKIM checks. For information, see Use DMARC to validate email in Office
365.

Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight in EOP
Article • 12/07/2022 • 3 minutes to read

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Important

Spoofed sender management in the Microsoft 365 Defender portal is now available
only on the Spoofed senders tab in the Tenant Allow/Block List. For current
procedures in the Microsoft 365 Defender portal, see Spoof intelligence insight in
EOP.

Spoofed sender management in Exchange Online PowerShell or standalone EOP
PowerShell is in the process of being migrated exclusively to the related
*-TenantAllowBlockListSpoofItems, Get-SpoofIntelligenceInsight, and
Get-SpoofMailReport cmdlets. For procedures using these cmdlets, see the following
articles:

Use PowerShell to view allow or block entries for spoofed senders in the
Tenant Allow/Block List
Use PowerShell to create allow entries for spoofed senders
Use PowerShell to create block entries for spoofed senders
Use PowerShell to modify allow or block entries for spoofed senders in the
Tenant Allow/Block List
Use PowerShell to remove allow or block entries for spoofed senders from
the Tenant Allow/Block List

The older spoofed sender management experience using the Get-PhishFilterPolicy
and Set-PhishFilterPolicy cmdlets is in the process of being deprecated, but is still
presented in this article for completeness until the cmdlets are removed
everywhere.

What do you need to know before you begin?

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To modify the spoof intelligence policy or enable or disable spoof intelligence,
you need to be a member of:
Organization Management
Security Administrator and View-Only Configuration or View-Only
Organization Management.
For read-only access to the spoof intelligence policy, you need to be a member
of the Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.

The options for spoof intelligence are described in Spoof settings in anti-phishing
policies.

You can enable, disable, and configure the spoof intelligence settings in anti-
phishing policies. For instructions based on your subscription, see one of the
following topics:
Configure anti-phishing policies in EOP.
Configure anti-phishing policies in Microsoft Defender for Office 365.

For our recommended settings for spoof intelligence, see EOP anti-phishing policy
settings.

Use PowerShell to manage spoofed senders

To view allowed and blocked senders in spoof intelligence, use the following syntax:

PowerShell

Get-PhishFilterPolicy [-AllowedToSpoof <Yes | No | Partial>] [-ConfidenceLevel <Low | High>] [-DecisionBy <Admin | SpoofProtection>] [-Detailed] [-SpoofType <Internal | External>]

This example returns detailed information about all senders that are allowed to spoof
users in your domains.

PowerShell

Get-PhishFilterPolicy -AllowedToSpoof Yes -Detailed -SpoofType Internal

For detailed syntax and parameter information, see Get-PhishFilterPolicy.

To configure allowed and blocked senders in spoof intelligence, follow these steps:

1. Capture the current list of detected spoofed senders by writing the output of the
Get-PhishFilterPolicy cmdlet to a CSV file by running the following command:

PowerShell

Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"

2. Edit the CSV file to add or modify the following values:

Sender (domain in source server's PTR record, IP/24 address, or verified DKIM
domain)
SpoofedUser: One of the following values:
The internal user's email address.
The external user's email domain.
A blank value that indicates you want to block or allow any and all spoofed
messages from the specified Sender, regardless of the spoofed email
address.
AllowedToSpoof (Yes or No)
SpoofType (Internal or External)

Save the file, read the file, and store the contents as a variable named
$UpdateSpoofedSenders by running the following command:

PowerShell

$UpdateSpoofedSenders = Get-Content -Raw "C:\My Documents\Spoofed Senders.csv"

3. Use the $UpdateSpoofedSenders variable to configure the spoof intelligence policy
by running the following command:

PowerShell

Set-PhishFilterPolicy -Identity Default -SpoofAllowBlockList $UpdateSpoofedSenders

For detailed syntax and parameter information, see Set-PhishFilterPolicy.
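The three steps above as one script, an added example that is not Microsoft's code: it edits the exported CSV with Import-Csv and Export-Csv instead of by hand. It assumes a connected Exchange Online PowerShell session, writes to a temp-folder path rather than the page's "C:\My Documents" path, assumes Set-PhishFilterPolicy accepts the CSV body without Export-Csv's #TYPE header line, and the Sender and SpoofedUser values it edits are constructed.

```powershell
# Added example, not Microsoft code: the export/edit/import procedure as a script.
# Requires an Exchange Online PowerShell session; pair values are constructed.
$csvPath = Join-Path $env:TEMP 'SpoofedSenders.csv'   # assumed path, not the page's

# Step 1: capture the current detected spoofed senders (same columns as -Detailed).
Get-PhishFilterPolicy -Detailed | Export-Csv -Path $csvPath -NoTypeInformation

# Step 2: edit the rows in PowerShell. Allow one known relay pair, and add a row with a
# blank SpoofedUser, which blocks every spoofed address from that sending infrastructure.
$rows = @(Import-Csv -Path $csvPath)
foreach ($row in $rows) {
    if ($row.Sender -eq 'tms.mx.com' -and $row.SpoofedUser -eq 'gmail.com') {
        $row.AllowedToSpoof = 'Yes'
    }
}
$rows += [pscustomobject]@{
    Sender         = 'bulk.fabrikam.example'   # constructed: PTR domain, IP/24, or verified DKIM domain
    SpoofedUser    = ''                        # blank = any spoofed address from this Sender
    AllowedToSpoof = 'No'
    SpoofType      = 'External'
}
# Export-Csv writes the column set of the first row; the added row's other columns stay empty.
$rows | Export-Csv -Path $csvPath -NoTypeInformation
$UpdateSpoofedSenders = Get-Content -Raw -Path $csvPath

# Step 3: apply the edited list to the spoof intelligence policy.
Set-PhishFilterPolicy -Identity Default -SpoofAllowBlockList $UpdateSpoofedSenders

# Verify, as in "How do you know these procedures worked?" below.
Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType External |
    Format-Table Sender, SpoofedUser, AllowedToSpoof, SpoofType -AutoSize
```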

How do you know these procedures worked?

To verify that you've configured spoof intelligence with senders who are allowed and
not allowed to spoof, run the following commands in PowerShell to view the senders
who are allowed and not allowed to spoof:

PowerShell

Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType Internal

Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType Internal

Get-PhishFilterPolicy -AllowedToSpoof Yes -SpoofType External

Get-PhishFilterPolicy -AllowedToSpoof No -SpoofType External

In PowerShell, run the following command to export the list of all spoofed senders
to a CSV file:

PowerShell

Get-PhishFilterPolicy -Detailed | Export-CSV "C:\My Documents\Spoofed Senders.csv"

View the admin audit log in Exchange Online
Article • 06/09/2022 • 6 minutes to read

Note

Classic Exchange admin center is in the process of being deprecated in worldwide
deployment. We recommend that you search the audit log in the Microsoft Purview
compliance portal. For more information, see Deprecation of the classic Exchange
admin center in WW service and Search the audit log in the compliance portal.

In Exchange Online organizations or standalone Exchange Online Protection (EOP)
organizations without Exchange Online mailboxes, you can use the Exchange admin
center (EAC) or PowerShell to search for and view entries in the admin audit log.

The admin audit log records specific actions, based on Exchange Online PowerShell or
standalone Exchange Online Protection PowerShell cmdlets, done by admins and users
who have been assigned administrative privileges. Entries in the admin audit log provide
you with information about what cmdlet was run, which parameters were used, who ran
the cmdlet, and what objects were affected.

Notes:

Admin audit logging is enabled by default, and you can't disable it.
The admin audit log doesn't record actions based on cmdlets that begin with the
verbs Get, Search, or Test.
When a change is made in your organization, it may take up to 15 minutes to
appear in audit log search results. If a change doesn't appear in the admin audit
log, wait a few minutes and run the search again.
Audit log entries are kept for 90 days. When an entry is older than 90 days, it's
deleted.

What do you need to know before you begin?

To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone Exchange Online Protection PowerShell, see
Connect to Exchange Online Protection PowerShell.

You need to be assigned permissions before you can perform these procedures. To
see what permissions you need, see the "View-only administrator audit logging"
entry in the Feature permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center in Exchange Online.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.

Use the EAC to view the admin audit log

1. In the EAC, go to Compliance management > Auditing, and then choose Run the
admin audit log report.

2. In the Search for changes to administrator role groups page that opens, choose a
Start date and End date (the default range is the past two weeks), and then choose
Search. All configuration changes made during the specified time period are
displayed, and can be sorted, using the following information:

Date: The date and time that the configuration change was made. The date
and time are stored in Coordinated Universal Time (UTC) format.

Cmdlet: The name of the cmdlet that was used to make the configuration
change.

User: The name of the user account of the user who made the configuration
change.

Up to 5000 entries will be displayed on multiple pages. Specify a smaller date
range if you need to narrow your results. If you select an individual search
result, the following additional information is displayed in the details pane:

Object modified: The object that was modified by the cmdlet.

Parameters (Parameter:Value): The cmdlet parameters that were used, and
any value specified with the parameter.

3. If you want to print a specific audit log entry, choose the Print button in the details
pane.

Use PowerShell to view the admin audit log

You can use Exchange Online PowerShell or standalone Exchange Online Protection
PowerShell to search for audit log entries that meet the criteria you specify. Use the
following syntax:

PowerShell

Search-AdminAuditLog [-Cmdlets <Cmdlet1,Cmdlet2,...CmdletN>] [-Parameters <Parameter1,Parameter2,...ParameterN>] [-StartDate <UTCDateTime>] [-EndDate <UTCDateTime>] [-UserIds <"User1","User2",..."UserN">] [-ObjectIds <"Object1","Object2",..."ObjectN">] [-IsSuccess <$true | $false>]

Notes:

You can only use the Parameters parameter together with the Cmdlets parameter.

The ObjectIds parameter filters the results by the object that was modified by the
cmdlet. A valid value depends on how the object is represented in the audit log.
For example:
Name
Canonical distinguished name (for example, contoso.com/Users/Akia Al-Zuhairi)

You'll likely need to use other filtering parameters on this cmdlet to narrow down
the results and identify the types of objects that you're interested in.

The UserIds parameter filters the results by the user who made the change (who
ran the cmdlet).

For the StartDate and EndDate parameters, if you specify a date/time value without
a time zone, the value is in Coordinated Universal Time (UTC). To specify a
date/time value for this parameter, use either of the following options:
Specify the date/time value in UTC: For example, "2016-05-06 14:30:00z".
Specify the date/time value as a formula that converts the date/time in your
local time zone to UTC: For example, (Get-Date "5/6/2016 9:30 AM").ToUniversalTime().
For more information, see Get-Date.

The cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize parameter to specify up to 250,000 log entries. Or, use the value Unlimited to return all entries.

This example performs a search for all audit log entries with the following criteria:

Start date: August 4, 2019
End date: October 3, 2019
Cmdlets: Update-RoleGroupMember

PowerShell

Search-AdminAuditLog -Cmdlets Update-RoleGroupMember -StartDate (Get-Date "08/04/2019").ToUniversalTime() -EndDate (Get-Date "10/03/2019").ToUniversalTime()

For detailed syntax and parameter information, see Search-AdminAuditLog.

View details of audit log entries

The Search-AdminAuditLog cmdlet returns the fields described in the Audit log
contents section later in this article. Of the fields returned by the cmdlet, two fields,
CmdletParameters and ModifiedProperties, contain additional information that isn't
returned by default.

To view the contents of the CmdletParameters and ModifiedProperties fields, use the
following steps.

1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet,
and store the results in a variable using the following command.

PowerShell

$Results = Search-AdminAuditLog <search criteria>

2. Each audit log entry is stored as an array element in the variable $Results. You can select an array element by specifying its array element index. Array element indexes start at zero (0) for the first array element. For example, to retrieve the 5th array element, which has an index of 4, use the following command.

PowerShell

$Results[4]

3. The previous command returns the log entry stored in array element 4. To see the contents of the CmdletParameters and ModifiedProperties fields for this log entry, use the following commands.

PowerShell

$Results[4].CmdletParameters

$Results[4].ModifiedProperties

4. To view the contents of the CmdletParameters or ModifiedProperties fields in another log entry, change the array element index.
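The following script is an added example, not code from the Microsoft documentation: it combines the two procedures above by running Search-AdminAuditLog for a set of cmdlets over a UTC date range and then flattening the CmdletParameters and ModifiedProperties collections that the default output hides, so a reviewer can see who changed which object and what the old and new values were. The cmdlet names other than Update-RoleGroupMember, the output file name, and an already established Exchange Online PowerShell session are assumptions.

```powershell
# Added example, not from the Microsoft documentation page.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

# Cmdlets whose use should be reviewed. Update-RoleGroupMember is the page's
# example; the other two are assumed choices for this illustration.
$WatchedCmdlets = 'Update-RoleGroupMember', 'Add-RoleGroupMember', 'Set-TransportRule'

# A date without a time zone is read as UTC, so convert local time explicitly.
$StartDate = (Get-Date '08/04/2019').ToUniversalTime()
$EndDate   = (Get-Date '10/03/2019').ToUniversalTime()

# The default ResultSize is 1,000 entries; raise it so results from a busy
# tenant are not silently truncated (up to 250,000, or Unlimited).
$Results = Search-AdminAuditLog -Cmdlets $WatchedCmdlets `
    -StartDate $StartDate -EndDate $EndDate -ResultSize 250000

$Report = foreach ($Entry in $Results) {
    # CmdletParameters is a collection of Name/Value pairs; the Value is
    # stored in the entry but not shown in the default output.
    $ParameterText = ($Entry.CmdletParameters |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '

    # ModifiedProperties carries the old and new value of each changed property.
    $ChangeText = ($Entry.ModifiedProperties |
        ForEach-Object { '{0}: {1} -> {2}' -f $_.Name, $_.OldValue, $_.NewValue }) -join '; '

    [pscustomobject]@{
        RunDate        = $Entry.RunDate          # stored in UTC
        Caller         = $Entry.Caller           # who ran the cmdlet
        CmdletName     = $Entry.CmdletName
        ObjectModified = $Entry.ObjectModified
        Succeeded      = $Entry.Succeeded        # failed attempts are kept as well
        Error          = $Entry.Error
        Parameters     = $ParameterText
        Changes        = $ChangeText
    }
}

# Newest change first, then a CSV for review or ticketing (assumed file name).
$Report | Sort-Object RunDate -Descending |
    Export-Csv -Path '.\AdminAuditLog-Review.csv' -NoTypeInformation

# Quick on-screen summary of who changed what.
$Report | Format-Table RunDate, Caller, CmdletName, ObjectModified, Succeeded -AutoSize
```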

Audit log contents

Each audit log entry contains the fields described in the following list. The audit log contains one or more audit log entries.

RunspaceId: This field is used internally.

ObjectModified: This field contains the object that was modified by the cmdlet specified in the CmdletName field.

CmdletName: This field contains the name of the cmdlet that was run by the user in the Caller field.

CmdletParameters: This field contains the parameters that were specified when the cmdlet in the CmdletName field was run. Also stored in this field, but not visible in the default output, is the value specified with the parameter, if any.

ModifiedProperties: This field contains the properties that were modified on the object in the ObjectModified field. Also stored in this field, but not visible in the default output, are the old value of the property and the new value that was stored.

Caller: This field contains the user account of the user who ran the cmdlet in the CmdletName field.

ExternalAccess: This field is used internally.

Succeeded: This field specifies whether the cmdlet in the CmdletName field ran successfully. The value is either True or False.

Error: This field contains the error message generated if the cmdlet in the CmdletName field failed to complete successfully.

RunDate: This field contains the date and time when the cmdlet in the CmdletName field was run. The date and time are stored in Coordinated Universal Time (UTC) format.

OriginatingServer: This field indicates the server on which the cmdlet specified in the CmdletName field was run.

ClientIP: This field is used internally.

SessionId: This field is used internally.

AppId: This field is used internally.

ClientAppId: This field is used internally.

Identity: This field is used internally.

IsValid: This field is used internally.

ObjectState: This field is used internally.


View email security reports in the
Microsoft 365 Defender portal
Article • 01/13/2023 • 35 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

A variety of reports are available in the Microsoft 365 Defender portal at https://security.microsoft.com to help you see how email security features, such as anti-spam and anti-malware features in Microsoft 365, are protecting your organization. If you have the necessary permissions, you can view and download these reports as described in this article.

Note

Some of the reports on the Email & collaboration reports page require Microsoft Defender for Office 365. For information about these reports, see View Defender for Office 365 reports in the Microsoft 365 Defender portal.

Reports that are related to mail flow are now in the Exchange admin center. For more
information about these reports, see Mail flow reports in the new Exchange admin
center.

Watch this short video to learn how you can use reports to understand the effectiveness of
Defender for Office 365 in your organization.
https://www.microsoft.com/en-us/videoplayer/embed/RWBkxB?postJsllMsg=true

Email security report changes in the Microsoft 365 Defender portal

The Exchange Online Protection (EOP) and Microsoft Defender for Office 365 reports in the Microsoft 365 Defender portal that have been replaced, moved, or deprecated are described in the following table.

Deprecated report and cmdlets: URL trace (Get-URLTrace)
New report and cmdlets: URL protection report (Get-SafeLinksAggregateReport, Get-SafeLinksDetailReport)
Message Center ID: MC239999
Date: June 2021

Deprecated report and cmdlets: Sent and received email report (Get-MailTrafficReport, Get-MailDetailReport)
New report and cmdlets: Threat protection status report and Mailflow status report (Get-MailTrafficATPReport, Get-MailDetailATPReport, Get-MailFlowStatusReport)
Message Center ID: MC236025
Date: June 2021

Deprecated report and cmdlets: Forwarding report (no cmdlets)
New report and cmdlets: Auto-forwarded messages report in the EAC (no cmdlets)
Message Center ID: MC250533
Date: June 2021

Deprecated report and cmdlets: Safe Attachments file types report (Get-AdvancedThreatProtectionTrafficReport, Get-MailDetailMalwareReport)
New report and cmdlets: Threat protection status report: View data by Email > Malware (Get-MailTrafficATPReport, Get-MailDetailATPReport)
Message Center ID: MC250532
Date: June 2021

Deprecated report and cmdlets: Safe Attachments message disposition report (Get-AdvancedThreatProtectionTrafficReport, Get-MailDetailMalwareReport)
New report and cmdlets: Threat protection status report: View data by Email > Malware (Get-MailTrafficATPReport, Get-MailDetailATPReport)
Message Center ID: MC250531
Date: June 2021

Deprecated report and cmdlets: Malware detected in email report (Get-MailTrafficReport, Get-MailDetailMalwareReport)
New report and cmdlets: Threat protection status report: View data by Email > Malware (Get-MailTrafficATPReport, Get-MailDetailATPReport)
Message Center ID: MC250530
Date: June 2021

Deprecated report and cmdlets: Spam detection report (Get-MailTrafficReport, Get-MailDetailSpamReport)
New report and cmdlets: Threat protection status report: View data by Email > Spam (Get-MailTrafficATPReport, Get-MailDetailATPReport)
Message Center ID: MC250529
Date: October 2021

Deprecated report and cmdlets: Get-AdvancedThreatProtectionDocumentReport, Get-AdvancedThreatProtectionDocumentDetail
New report and cmdlets: Get-ContentMalwareMdoAggregateReport, Get-ContentMalwareMdoDetailReport
Message Center ID: MC343433
Date: May 2022

Deprecated report and cmdlets: Exchange transport rule report (Get-MailTrafficPolicyReport, Get-MailDetailTransportRuleReport)
New report and cmdlets: Exchange transport rule report in the EAC (Get-MailTrafficPolicyReport, Get-MailDetailTransportRuleReport)
Message Center ID: MC316157
Date: April 2022

Deprecated report and cmdlets: Get-MailTrafficTopReport
New report and cmdlets: Top senders and recipient report (Get-MailTrafficSummaryReport). Note: There is no replacement for the encryption reporting capabilities in Get-MailTrafficTopReport.
Message Center ID: MC315742
Date: April 2022

Compromised users report

Note

This report is available in Microsoft 365 organizations with Exchange Online mailboxes. It's not available in standalone Exchange Online Protection (EOP) organizations.

The Compromised users report shows the number of user accounts that were marked as
Suspicious or Restricted within the last 7 days. Accounts in either of these states are
problematic or even compromised. With frequent use, you can use the report to spot
spikes, and even trends, in suspicious or restricted accounts. For more information about
compromised users, see Responding to a compromised email account.

The aggregate view shows data for the last 90 days and the detail view shows data for the
last 30 days.

To view the report in the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Compromised users and then click View details. To go directly to the report, open https://security.microsoft.com/reports/CompromisedUsers.

On the Compromised users page, the chart shows the following information for the
specified date range:

Restricted: The user account has been restricted from sending email due to highly
suspicious patterns.
Suspicious: The user account has sent suspicious email and is at risk of being
restricted from sending email.

The details table below the graph shows the following information:

Creation time
User ID
Action
Tags: For more information about user tags, see User tags.

You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:

Date (UTC): Start date and End date.
Activity: Restricted or Suspicious
Tag: All or the specified user tag (including priority accounts).

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Compromised users page, the Create schedule, Request report, and Export buttons are available.

Exchange transport rule report

The Exchange transport rule report shows the effect of mail flow rules (also known as transport rules) on incoming and outgoing messages in your organization.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Exchange transport rule and then click View details. To go directly to the report, open https://security.microsoft.com/reports/ETRRuleReport.

On the Exchange transport rule report page, the available charts and data are described in the following sections.

Note

The Exchange transport rule report is now available in the EAC. For more information, see Exchange transport rule report in the new EAC.

Chart breakdown by Direction

If you select Chart breakdown by Direction, the following charts are available:

View data by Exchange transport rules: The number of Inbound and Outbound
messages that were affected by mail flow rules.
View data by DLP Exchange transport rules: The number of Inbound and Outbound
messages that were affected by data loss prevention (DLP) mail flow rules.

The following information is shown in the details table below the graph:

Date
DLP policy (View data by DLP Exchange transport rules only)
Transport rule
Subject
Sender address
Recipient address
Severity
Direction

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

Date (UTC): Start date and End date.
Direction: Outbound and Inbound.
Severity: High severity, Medium severity, and Low severity

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Exchange transport rule report page, the Create schedule, Request report,
and Export buttons are available.

Chart breakdown by Severity

If you select Chart breakdown by Severity, the following charts are available:

View data by Exchange transport rules: The number of High severity, Medium
severity, and Low severity messages. You set the severity level as an action in the rule
(Audit this rule with severity level or SetAuditSeverity). For more information, see
Mail flow rule actions in Exchange Online.

View data by DLP Exchange transport rules: The number of High severity, Medium
severity, and Low severity messages that were affected by DLP mail flow rules.

The following information is shown in the details table below the graph:

Date
DLP policy (View data by DLP Exchange transport rules only)
Transport rule
Subject
Sender address
Recipient address
Severity
Direction

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

Date (UTC): Start date and End date
Direction: Outbound and Inbound
Severity: High severity, Medium severity, and Low severity

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Exchange transport rule report page, the Create schedule, Request report,
and Export buttons are available.

Forwarding report

Note

This report is now available in the EAC. For more information, see Auto forwarded messages report in the new EAC.

Mailflow status report

The Mailflow status report is a smart report that shows information about incoming and
outgoing email, spam detections, malware, email identified as "good", and information
about email allowed or blocked on the edge. This is the only report that contains edge
protection information, and shows just how much email is blocked before being allowed
into the service for evaluation by Exchange Online Protection (EOP). It's important to
understand that if a message is sent to five recipients we count it as five different messages
and not one message.

To view the report in the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Mailflow status summary and then click View details. To go directly to the report, open https://security.microsoft.com/reports/mailflowStatusReport.

Type view for the Mailflow status report

On the Mailflow status report page, the Type tab is selected by default. The chart shows
the following information for the specified date range:

Good mail: Email that's determined not to be spam, or that's allowed by user or organizational policies.
Total
Malware: Email that's blocked as malware by various filters.
Phishing email: Email that's blocked as phishing by various filters.
Spam: Email that's blocked as spam by various filters.
Edge protection: Email that's rejected at the edge/perimeter before being evaluated
by EOP or Defender for Office 365.
Rule messages: Email messages that were acted upon by mail flow rules (also known
as transport rules).

The details table below the graph shows the following information:

Direction
Type
24 hours
3 days
7 days
15 days
30 days

You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:

Date (UTC): Start date and End date.
Mail direction: Inbound and Outbound.
Type:
Good mail
Malware
Spam
Edge protection
Rule messages
Phishing email

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

Back on the Mailflow status report page, if you click Choose a category for more details,
you can select from the following values:

Phishing email: This selection takes you to the Threat protection status report.
Malware in email: This selection takes you to the Threat protection status report.
Spam detections: This selection takes you to the Spam Detections report.
Edge blocked spam: This selection takes you to the Spam Detections report.

On the Mailflow status report page, the Create schedule and Export buttons are
available.

Direction view for the Mailflow status report

If you click the Direction tab, the chart shows the following information for the specified
date range:

Inbound
Outbound

You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:

Date (UTC): Start date and End date.
Mail direction: Inbound and Outbound.
Type:
Good mail
Malware
Spam
Edge protection
Rule messages
Phishing email

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

Back on the Mailflow status report page, if you click Choose a category for more details,
you can select from the following values:

Phishing email: This selection takes you to the Threat protection status report.
Malware in email: This selection takes you to the Threat protection status report.
Spam detections: This selection takes you to the Spam Detections report.
Edge blocked spam: This selection takes you to the Spam Detections report.

On the Mailflow status report page, the Create schedule and Export buttons are available.

Mailflow view for the Mailflow status report

The Mailflow view shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. This view uses a horizontal flow diagram (known as a Sankey diagram) to provide details on the total email count, and how the configured threat protection features, including edge protection, anti-malware, anti-phishing, anti-spam, and anti-spoofing affect this count.

The aggregate view and details table view allow for 90 days of filtering.

The information in the diagram is color-coded by EOP or Defender for Office 365
technologies.

The diagram is organized into the following horizontal bands:

Total email band: This value is always shown first.
Edge block and Processed band:
Edge block: Messages that are filtered at the edge and identified as Edge Protection.
Processed: Messages that are handled by the filtering stack.
Outcomes band:
Rule Block: Messages that are processed by Exchange mail flow rules (transport
rules).
Malware block: Messages that are identified as malware by various filters.*
Phish block: Messages identified as phish during processing by various filters.*
Spam block: Messages identified as spam during processing by various filters.*
Impersonation block: Messages detected as user impersonation or domain
impersonation in Defender for Office 365.*
Detonation block: Messages detected during file or URL detonation by Safe
Attachments policies or Safe Links policies in Defender for Office 365.*
ZAP removed: Messages that are removed by zero-hour auto purge (ZAP).*
Delivered: Messages delivered to users due to an allow.*

If you hover over a horizontal band in the diagram, you'll see the number of related
messages.

* If you click on this element, the diagram is expanded to show further details. For a description of each element in the expanded nodes, see Detection technologies.

The details table below the diagram shows the following information:

Date
Total email
Edge filtered
Rule messages
Anti-malware engine, Safe Attachments, rule filtered
DMARC impersonation, spoof, phish filtered
Detonation detection
Anti-spam filtered
ZAP removed
Messages where no threats were detected

If you select a row in the details table, a further breakdown of the email counts is shown in
the details flyout that appears.

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

Date (UTC): Start date and End date.
Direction: Outbound and Inbound.

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

Back on the Mailflow status report page, you can click Show trends to see trend graphs in
the Mailflow trends flyout that appears.

On the Mailflow status report page, the Export button is available.

Malware detections report

Note

This report has been deprecated. The same information is available in the Threat protection status report.

Mail latency report

The Mail latency report in Defender for Office 365 contains information on the mail delivery and detonation latency experienced within your organization. For more information, see Mail latency report.

Spam detections report

Note

This report has been deprecated. The same information is available in the Threat protection status report.

Spoof detections report

The Spoof detections report shows information about messages that were blocked or allowed due to spoofing. For more information about spoofing, see Anti-spoofing protection in EOP.

The aggregate and detail views of the report allow for 90 days of filtering.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Spoof detections and then click View details. To go directly to the report, open https://security.microsoft.com/reports/SpoofMailReport.

The chart shows the following information:

Pass
Fail
SoftPass
None
Other

When you hover over a day (data point) in the chart, you can see how many spoofed
messages were detected and why.

You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:

Date (UTC): Start date and End date
Result:
Pass
Fail
SoftPass
None
Other
Spoof type: Internal and External

The details table below the graph shows the following information:

Date
Spoofed user
Sending infrastructure
Spoof type
Result
Result code
SPF
DKIM
DMARC
Message count

For more information about composite authentication result codes, see Anti-spam
message headers in Microsoft 365.

On the Spoof detections page, the Create schedule, Request report, and Export
buttons are available.

Submissions report

The Submissions report shows information about items that admins have reported to Microsoft for analysis. For more information, see Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft.

To view the report in the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Submissions and then click View details. To go directly to the report, open https://security.microsoft.com/adminSubmissionReport. To go to admin submissions in the Microsoft 365 Defender portal, click Go to Submissions. Admins can view the report for the last 30 days.

The chart shows the following information:

Pending
Completed

You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:

Date reported: Start time and End time
Submission type:
Email
URL
File
Submission ID
Network Message ID
Sender
Name
Submitted by
Reason for submitting:
Not junk
Phish
Malware
Spam
Rescan status:
Pending
Completed

The details table below the graph shows the same information and has the same Group or
Customize columns options as on the Submitted for analysis tab at Email & collaboration
> Submissions. For more information, see View email admin submissions to Microsoft.

On the Submissions page, the Export button is available.

Threat protection status report

The Threat protection status report is available in both EOP and Defender for Office 365;
however, the reports contain different data. For example, EOP customers can view
information about malware detected in email, but not information about malicious files
detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

The report provides the count of email messages with malicious content, such as files or
website addresses (URLs) that were blocked by the anti-malware engine, zero-hour auto
purge (ZAP), and Defender for Office 365 features like Safe Links, Safe Attachments, and
impersonation protection features in anti-phishing policies. You can use this information to
identify trends or determine whether organization policies need adjustment.

Note: It's important to understand that if a message is sent to five recipients we count it as
five different messages and not one message.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Threat protection status and then click View details. To go directly to the report, open one of the following URLs:

Defender for Office 365: https://security.microsoft.com/reports/TPSAggregateReportATP
EOP: https://security.microsoft.com/reports/TPSAggregateReport

By default, the chart shows data for the past 7 days. If you click Filter on the Threat
protection status report page, you can select a 90 day date range (trial subscriptions
might be limited to 30 days). The details table allows filtering for 30 days.

The available views are described in the following sections.

View data by Overview

In the View data by Overview view, the following detection information is shown in the
chart:

Email malware
Email phish
Email spam
Content malware

No details table is available below the chart.

If you click Filter, the following filters are available:

Date (UTC): Start date and End date.
Detection: The same values as in the chart.
Protected by: MDO (Defender for Office 365) and EOP.
Tag: All or the specified user tag (including priority accounts). For more information
about user tags, see User tags.
Direction:
All
Inbound
Outbound
Domain: All or an accepted domain.
Policy type:
All
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

View data by Email > Phish and Chart breakdown by Detection Technology

Note

Starting in May 2021, phishing detections in email were updated to include message attachments that contain phishing URLs. This change might shift some of the detection volume out of the View data by Email > Malware view and into the View data by Email > Phish view. In other words, message attachments with phishing URLs that were traditionally identified as malware now might be identified as phishing instead.

In the View data by Email > Phish and Chart breakdown by Detection Technology view,
the following information is shown in the chart:

Advanced filter: Phishing signals based on machine learning.
Campaign*: Messages identified as part of a campaign.
File detonation*: Safe Attachments detected a malicious attachment during
detonation analysis.
File detonation reputation*: File attachments previously detected by Safe
Attachments detonations in other Microsoft 365 organizations.
File reputation: The message contains a file that was previously identified as
malicious in other Microsoft 365 organizations.
Fingerprint matching: The message closely resembles a previously detected malicious message.
General filter: Phishing signals based on analyst rules.
Impersonation brand: Sender impersonation of well-known brands.
Impersonation domain*: Impersonation of sender domains that you own or specified
for protection in anti-phishing policies.
Impersonation user*: Impersonation of protected senders that you specified in anti-phishing policies or learned through mailbox intelligence.
Mailbox intelligence impersonation*: Impersonation detections from mailbox
intelligence in anti-phishing policies.
Mixed analysis detection: Multiple filters contributed to the message verdict.
Spoof DMARC: The message failed DMARC authentication.
Spoof external domain: Sender email address spoofing using a domain that's
external to your organization.
Spoof intra-org: Sender email address spoofing using a domain that's internal to
your organization.
URL detonation*: Safe Links detected a malicious URL in the message during
detonation analysis.
URL detonation reputation*: URLs previously detected by Safe Links detonations in
other Microsoft 365 organizations.
URL malicious reputation: The message contains a URL that was previously identified
as malicious in other Microsoft 365 organizations.

* Defender for Office 365 only

In the details table below the chart, the following information is available:

Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

Date (UTC): Start date and End date
Detection: The same values as in the chart.
Protected by: MDO (Defender for Office 365) or EOP
Direction:
All
Inbound
Outbound
Tag: All or the specified user tag (including priority accounts).
Domain: All or an accepted domain.
Policy type:
All
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): All or the specified policy.
Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and Export buttons are available.

View data by Email > Spam and Chart breakdown by Detection Technology

In the View data by Email > Spam and Chart breakdown by Detection Technology view,
the following information is shown in the chart:

Advanced filter: Phishing signals based on machine learning.
Bulk: The bulk complaint level (BCL) of the message exceeds the defined threshold for
spam.
Domain reputation: The message was from a domain that was previously identified
as sending spam in other Microsoft 365 organizations.
Fingerprint matching: The message closely resembles a previously detected malicious message.
IP reputation: The message was from a source that was previously identified as
sending spam in other Microsoft 365 organizations.
Mixed analysis detection: Multiple filters contributed to the verdict for the message.
URL malicious reputation: The message contains a URL that was previously identified
as malicious in other Microsoft 365 organizations.

In the details table below the chart, the following information is available:

Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

Date (UTC): Start date and End date
Detection: The same values as in the chart.
Direction:
All
Inbound
Outbound
Tag: All or the specified user tag (including priority accounts).
Domain: All or an accepted domain.
Policy type:
All
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): All or the specified policy.
Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.

View data by Email > Malware and Chart breakdown by Detection Technology

Note

Starting in May 2021, malware detections in email were updated to include harmful URLs in message attachments. This change might shift some of the detection volume out of the View data by Email > Phish view and into the View data by Email > Malware view. In other words, harmful URLs in message attachments that were traditionally identified as phishing now might be identified as malware instead.

In the View data by Email > Malware and Chart breakdown by Detection Technology
view, the following information is shown in the chart:

File detonation*: Safe Attachments detected a malicious attachment during detonation analysis.
File detonation reputation*: File attachments previously detected by Safe
Attachments detonations in other Microsoft 365 organizations.
File reputation: The message contains a file that was previously identified as
malicious in other Microsoft 365 organizations.
Anti-malware engine*: Detection from anti-malware engines.
Anti-malware policy file type block: The message was blocked due to the file type of
the attachment (common attachment filtering in anti-malware policies).
URL detonation*: Safe Links detected a malicious URL in the message during
detonation analysis.
URL detonation reputation*: URLs previously detected by Safe Links detonations in
other Microsoft 365 organizations.
Campaign*: Messages identified as part of a campaign.

* Defender for Office 365 only

In the details table below the chart, the following information is available:

Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery Status
Sender IP
Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

Date (UTC) Start date and End date
Detection: The same values as in the chart.
Protected by: MDO (Defender for Office 365) or EOP
Direction:
All
Inbound
Outbound
Tag: All or the specified user tag (including priority accounts).
Domain: All or an accepted domain.
Policy type:
All
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): All or the specified policy.
Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.

Chart breakdown by Policy type

In the View data by Email > Phish, View data by Email > Spam, or View data by Email >
Malware views, selecting Chart breakdown by Policy type shows the following information
in the chart:

Anti-malware
Safe Attachments*
Anti-phish
Anti-spam
Mail flow rule (also known as a transport rule)
Others

In the details table below the chart, the following information is available:

Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

Date (UTC) Start date and End date
Detection: Detection technology values as previously described in this article and at
Detection technologies.
Protected by: MDO (Defender for Office 365) or EOP
Direction:
All
Inbound
Outbound
Tag: All or the specified user tag (including priority accounts).
Domain: All or an accepted domain.
Policy type:
All
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): All or the specified policy.
Recipients

* Defender for Office 365 only

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.

Chart breakdown by Delivery status

In the View data by Email > Phish, View data by Email > Spam, or View data by Email >
Malware views, selecting Chart breakdown by Delivery status shows the following
information in the chart:

Hosted mailbox: Inbox
Hosted mailbox: Junk
Hosted mailbox: Custom folder
Hosted mailbox: Deleted Items
Forwarded
On-premises server: Delivered
Quarantine
Delivery failed
Dropped

In the details table below the chart, the following information is available:

Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

Date (UTC) Start date and End date
Detection: Detection technology values as previously described in this article and at
Detection technologies.
Protected by: MDO (Defender for Office 365) or EOP
Direction:
All
Inbound
Outbound
Tag: All or the specified user tag (including priority accounts).
Domain: All or an accepted domain.
Policy type:
All
Anti-malware
Safe Attachments
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): All or the specified policy.
Recipients

* Defender for Office 365 only

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.

View data by Content > Malware

In the View data by Content > Malware view, the following information is shown in the
chart for Microsoft Defender for Office 365 organizations:

Anti-malware engine: Malicious files detected in SharePoint, OneDrive, and Microsoft
Teams by the built-in virus detection in Microsoft 365.
MDO detonation: Malicious files detected by Safe Attachments for SharePoint,
OneDrive, and Microsoft Teams.
File reputation: The message contains a file that was previously identified as
malicious in other Microsoft 365 organizations.

In the details table below the chart, the following information is available:

Date (UTC)
Attachment filename
Workload
Detection technology: The same detection technology values from the chart.
File size
Last modifying user

If you click Filter, the following filters are available:

Date (UTC) Start date and End date
Detection: The same values as in the chart.
Workload: Teams, SharePoint, and OneDrive

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.

View data by System override and Chart breakdown by Reason

In the View data by System override and Chart breakdown by Reason view, the following
override reason information is shown in the chart:

On-premises skip
IP allow
Exchange transport rule (mail flow rule)
Organization allowed senders
Organization allowed domains
ZAP not enabled
User Safe Sender
User Safe Domain
Phishing simulation: For more information, see Configure the delivery of third-party
phishing simulations to users and unfiltered messages to SecOps mailboxes.
Third party filter

In the details table below the chart, the following information is available:

Date
Subject
Sender
Recipients
System override
Sender IP
Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

Date (UTC) Start date and End date
Reason: The same values as the chart.
Delivery Location: Junk Mail folder not enabled or SecOps mailbox.
Direction:
All
Inbound
Outbound
Tag: All or the specified user tag (including priority accounts).
Domain: All or an accepted domain.
Policy type: All
Policy name (details table view only): All
Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Export button is available.


View data by System override and Chart breakdown by Delivery location

In the View data by System override and Chart breakdown by Delivery location view, the
following override reason information is shown in the chart:

Junk Mail folder not enabled
SecOps mailbox: For more information, see Configure the delivery of third-party
phishing simulations to users and unfiltered messages to SecOps mailboxes.

In the details table below the chart, the following information is available:

Date
Subject
Sender
Recipients
System override
Sender IP
Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

Date (UTC) Start date and End date
Reason:
On-premises skip
IP allow
Exchange transport rule (mail flow rule)
Organization allowed senders
Organization allowed domains
ZAP not enabled
User Safe Sender
User Safe Domain
Phishing simulation: For more information, see Configure the delivery of third-party
phishing simulations to users and unfiltered messages to SecOps mailboxes.
Third party filter
Delivery Location: Junk Mail folder not enabled or SecOps mailbox.
Direction:
All
Inbound
Outbound
Tag: All or the specified user tag (including priority accounts). For more information
about user tags, see User tags.
Domain: All or an accepted domain.
Policy type:
All
Anti-malware
Safe Attachments*
Anti-phish
Anti-spam
Mail flow rule (transport rule)
Others
Policy name (details table view only): All
Recipients

* Defender for Office 365 only

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Export button is available.

Top malware report

The Top malware report shows the various kinds of malware that were detected by
anti-malware protection in EOP.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email &
collaboration > Email & collaboration reports. On the Email & collaboration reports
page, find Top malware and then click View details. To go directly to the report, open
https://security.microsoft.com/reports/TopMalware.

When you hover over a wedge in the pie chart, you can see the name of a kind of malware
and how many messages were detected as having that malware.

On the Top malware report page, a larger version of the pie chart is displayed. The details
table below the chart shows the following information:

Top malware
Count

If you click Filter, you can specify a date range with Start date and End date.

On the Top malware page, the Create schedule and Export buttons are available.

Top senders and recipients report

The Top senders and recipients report is available in both EOP and Defender for Office
365; however, the reports contain different data. For example, EOP customers can view
information about top malware, spam, and phishing (spoofing) recipients, but not
information about malware detected by Safe Attachments or phishing detected by
impersonation protection.

The Top senders and recipients report shows the top message senders in your organization,
as well as the top recipients for messages that were detected by EOP and Defender for
Office 365 protection features. By default, the report shows data for the last week, but
data is available for the last 90 days.

To view the report in the Microsoft 365 Defender portal at https://security.microsoft.com,
go to Reports > Email & collaboration > Email & collaboration reports. On the Email &
collaboration reports page, find Top senders and recipients report and then click View
details. To go directly to the report, open one of the following URLs:

Defender for Office 365: https://security.microsoft.com/reports/TopSenderRecipientsATP
EOP: https://security.microsoft.com/reports/TopSenderRecipient

When you hover over a wedge in the pie chart, you can see the number of messages for
the sender or recipient.

On the Top senders and recipients page, a larger version of the pie chart is displayed. The
following charts are available:

Show data for Top mail senders (this is the default view)
Show data for Top mail recipients
Show data for Top spam recipients
Show data for Top malware recipients (EOP)
Show data for Top phishing recipients
Show data for Top malware recipients (MDO)
Show data for Top phish recipients (MDO)

The data changes based on your selection.

When you hover over a wedge in the pie chart, you can see the message count for that
specific sender or recipient.

The details table below the graph shows the senders or recipients and message counts
based on the view you selected.

You can filter both the chart and the details table by clicking Filter and selecting Start date
and End date. Users can also filter by user tags.

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Top senders and recipients page, the Export button is available.

URL protection report

The URL protection report is available only in Microsoft Defender for Office 365. For more
information, see URL protection report.

User reported messages report

Important

In order for the User reported messages report to work correctly, audit logging must
be turned on for your Microsoft 365 environment. This is typically done by someone
who has the Audit Logs role assigned in Exchange Online. For more information, see
Turn Microsoft 365 audit log search on or off.

The User reported messages report shows information about email messages that users
have reported as junk, phishing attempts, or good mail by using the built-in Report button
in Outlook on the web or the Microsoft Report Message or Report Phishing add-ins.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email &
collaboration > Email & collaboration reports. On the Email & collaboration reports
page, find User reported messages and then click View details. To go directly to the
report, open https://security.microsoft.com/reports/userSubmissionReport. To go to
admin submissions in the Microsoft 365 Defender portal, click Go to Submissions.

You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:

Date reported: Start time and End time
Reported by
Email subject
Message reported ID
Network Message ID
Sender
Reported reason
Not junk
Phish
Spam
Phish simulation: Yes or No

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
To group the entries, click Group and select one of the following values from the drop-
down list:

None
Reason
Sender
Reported by
Rescan result
Phish simulation

The details table below the graph shows the following information:

Email subject
Reported by
Date reported
Sender
Reported reason
Rescan result
Tags: For more information about user tags, see User tags.

To submit a message to Microsoft for analysis, select the message entry from the table,
click Submit to Microsoft for analysis and then select one of the following values from the
drop-down list:

Report clean
Report phishing
Report malware
Report spam
Trigger investigation (Defender for Office 365)

On the User reported messages page, the Export button is available.

What permissions are needed to view these reports?

In order to view and use the reports described in this article, you need to be a member of
one of the following role groups in the Microsoft 365 Defender portal:

Organization Management
Security Administrator
Security Reader
Global Reader

For more information, see Permissions in the Microsoft 365 Defender portal.

Note: Adding users to the corresponding Azure Active Directory role in the Microsoft 365
admin center gives users the required permissions in the Microsoft 365 Defender portal
and permissions for other features in Microsoft 365. For more information, see About
admin roles.

What if the reports aren't showing data?

If you are not seeing data in your reports, check the filters that you're using and double-
check that your policies are set up correctly. To learn more, see Protect against threats.

Schedule report

Note

To create or manage report schedules, you need to be a member of the Organization
management role.

1. On the main page for the specific report, select Create schedule.

2. The Create scheduled report wizard opens. On the Name scheduled report page,
review or customize the Name value, and then click Next.

3. On the Set preferences page, configure the following settings:

Frequency: Select one of the following values:
Weekly (default)
Monthly
Start date: When generation of the report begins. The default value is today.
Expiry date: When generation of the report ends. The default value is one year
from today.

When you're finished, click Next.

4. On the Recipients page, choose recipients for the report. The default value is your
email address, but you can add others.

When you're finished, click Next.

5. On the Review page, review your selections. You can click the Back button or the Edit
link in the respective sections to make changes.

When you're finished, click Submit.

Manage existing scheduled reports

To manage scheduled reports that you've already created, do the following steps:

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Reports > expand Email & collaboration > select Manage schedules.

To go directly to the Manage schedules page, use
https://security.microsoft.com/ManageSubscription.

2. On the Manage schedules page, the following information is shown for each
scheduled report:

Schedule start date
Schedule name
Report type
Frequency
Last sent

Find the existing scheduled report that you want to modify.

3. After you select the scheduled report, do any of the following actions in the details
flyout that opens:

Edit name: Click this button, change the name of the report in the flyout that
appears, and then click Save.

Delete schedule: Click this button, read the warning that appears (previous
reports will no longer be available for download), and then click Save.
Schedule details section: Click Edit preferences to change the following
settings:
Frequency: Weekly or Monthly
Start date
Expiry date

When you're finished, click Save.

Recipients section: Click Edit recipients to add or remove recipients for the
scheduled report. When you're finished, click Save.

When you're finished, click Close.

Request report

1. On the main page for the specific report, click Request report.

2. The Create on-demand report wizard opens. On the Name on-demand report page,
review or customize the Name value, and then click Next.

3. On the Set preferences page, review or configure the following settings:

Start date: When generation of the report begins. The default value is one
month ago.
Expiry date: When generation of the report ends. The default value is today.

When you're finished, click Next.

4. On the Recipients page, choose recipients for the report. The default value is your
email address, but you can add others.

When you're finished, click Next.

5. On the Review page, review your selections. You can click the Back button or the Edit
link in the respective sections to make changes.

When you're finished, click Submit.

6. After the report has been successfully created, you're taken to the New on-demand
report created page, where you can click Create another report or Done.

The report is also available on the Reports for download page as described in the
next section.

Download reports

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Reports > expand Email & collaboration > select Reports for download.

To go directly to the Reports for download page, use
https://security.microsoft.com/ReportsForDownload.

2. On the Reports for download page, the following information is shown for each
available report:

Start date
Name
Report type
Last sent
Direction

Find and select the report you want to download.

Export report

On the main page for the specific report, click Export (if that link is available). An Export
conditions flyout appears where you can configure the following settings:

Select a view to export: Select one of the following values:
Summary: Data is available for the last 90 days.
Details: Data is available for the last 30 days.
Date (UTC): Start date and End date.

When you're finished configuring the filters, click Export. In the dialog that opens, you can
choose to open the file, save the file, or remember the selection.

Each exported .csv file is limited to 150,000 rows. If the data contains more than 150,000
rows, multiple .csv files are created.

Related topics

Anti-spam protection in EOP

Anti-malware protection in EOP

View mail flow reports in the EAC

View reports for Defender for Office 365


View Defender for Office 365 reports in the Microsoft 365 Defender portal
Article • 12/22/2022 • 8 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Microsoft Defender for Office 365 organizations (for example, Microsoft 365 E5
subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for
Office 365 Plan 2 add-ons) contain a variety of security-related reports. If you have the
necessary permissions, you can view and download these reports in the Microsoft 365
Defender portal.

View and download reports

View reports
1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Reports > Email & collaboration > Email & collaboration reports. To go directly
to the Email & collaboration reports page, use
https://security.microsoft.com/emailandcollabreport.

2. Choose the report you want to view, and then select View details.

Download reports

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports
> Email & collaboration > Reports for download. To go directly to the Reports for
download page, use https://security.microsoft.com/ReportsForDownload?viewid=custom.

Note

Email security reports that don't require Defender for Office 365 are described in
View email security reports in the Microsoft 365 Defender portal.

Reports that are related to mail flow are now in the Exchange admin center (EAC).
For more information about these reports, see Mail flow reports in the new
Exchange admin center.

Safe Attachments file types report

Note

This report has been deprecated. The same information is available in the Threat
protection status report.

Safe Attachments message disposition report

Note

This report has been deprecated. The same information is available in the Threat
protection status report.

Mail latency report

The Mail latency report shows you an aggregate view of the mail delivery and
detonation latency experienced within your organization. Mail delivery times in the
service are affected by a number of factors, and the absolute delivery time in seconds is
often not a good indicator of success or a problem. A slow delivery time on one day
might be considered an average delivery time on another day, or vice versa. The report
therefore qualifies message delivery based on statistical data about the observed delivery
times of other messages.

Client side and network latency are not included.

To view the report, open the Microsoft 365 Defender portal at
https://security.microsoft.com, go to Reports > Email & collaboration > Email &
collaboration reports. To go directly to the Email & collaboration reports page, use
https://security.microsoft.com/emailandcollabreport .

On the Email & collaboration reports page, find Mail latency report and then click View
details. To go directly to the report, use
https://security.microsoft.com/mailLatencyReport.

On the Mail latency report page, the following tabs are available:

50th percentile: This is the median of message delivery times. You can consider
this value as an average delivery time. This tab is selected by default.
90th percentile: This indicates a high latency for message delivery. Only 10% of
messages took longer than this value to deliver.
99th percentile: This indicates the highest latency for message delivery.

Regardless of the tab you select, the chart shows messages organized into the following
categories:

Overall
Detonation

When you hover over a category in the chart, you can see a breakdown of the latency in
each category.

If you click Filter, you can filter both the chart and the details table by the following
values:

Date (UTC): Start date and End date
Message view: One of the following values:
All messages
Detonated messages: One of the following values:
Inline detonation: Includes messages that are fully tested before delivery.
Asynchronous detonation

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

In the details table below the chart, the following information is available:

Date (UTC)
Latency
Message count
50th percentile
90th percentile
99th percentile

On the main report page, the Export button is available.

Threat protection status report

The Threat protection status report is a single view that brings together information
about malicious content and malicious email detected and blocked by Exchange Online
Protection (EOP) and Microsoft Defender for Office 365. For more information, see
Threat protection status report.

Top senders and recipients report

The Top senders and recipients report shows the top recipients for EOP and Defender for
Office 365 protection features. For more information, see Top senders and recipients
report.

URL protection report

The URL protection report provides summary and trend views for threats detected and
actions taken on URL clicks as part of Safe Links. This report will not have click data from
users where the Safe Links policy was applied when the Track user clicks option is not
selected.

To view the report, open the Microsoft 365 Defender portal, go to Reports > Email &
collaboration > Email & collaboration reports. On the Email & collaboration reports
page, find URL protection page and then click View details. To go directly to the report,
open https://security.microsoft.com/reports/URLProtectionActionReport .

The available views on the URL protection report page are described in the following
sections.

Note

This is a protection trend report, meaning data represents trends in a larger dataset.
As a result, the data in the charts is not available in real time here, but the data in
the details table is, so you may see a slight discrepancy between the two. The
charts are refreshed once every four hours and contain data for the last 90 days.

View data by URL click protection action

The View data by URL click protection action view shows the number of URL clicks by
users in the organization and the results of the click:

Allowed: Clicks allowed.
Allowed by tenant admin: Clicks allowed in Safe Links policies.
Blocked: Click blocked.
Blocked by tenant admin: Clicks blocked in Safe Links policies.
Blocked and clicked through: Blocked clicks where users click through to the
blocked URL.
Blocked by tenant admin and clicked through: Admin has blocked the link, but
the user clicked through.
Clicked through during scan: Clicks where users click through the pending scan
page to the URL.
Pending scan: Clicks on URLs that are pending a scan verdict.

A click indicates that the user has clicked through the block page to the malicious
website (admins can disable click through in Safe Links policies).

If you click Filters, you can modify the report and the details table by selecting one or
more of the following values in the flyout that appears:

Date (UTC): Start date and End date
Action:
Allowed
Blocked
Allowed by tenant admin
Blocked and clicked through
Blocked by tenant admin and clicked through
Clicked through during scan
Pending scan
Domains: The URL domains listed in the report results.
Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

The details table below the chart provides the following near-real-time view of all clicks
that happened within the organization for the last 7 days:

Click time
User
URL
Action
App

On the main report page, the Create schedule, Request report, and Export
buttons are available.

View data by URL click by application

The View data by URL click by application view shows the number of URL clicks by
apps that support Safe Links:

Email client
Office document
Teams

If you click Filters, you can modify the report and the details table by selecting one or
more of the following values in the flyout that appears:

Date (UTC): Start date and End date
Detection: Available apps from the chart.
Domains: The URL domains listed in the report results.
Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

The details table below the chart provides the following near-real-time view of all clicks
that happened within the organization for the last 7 days:

Click time
User
URL
Action
App

On the main report page, the Create schedule, Request report, and Export
buttons are available.

Additional reports to view

In addition to the reports described in this article, several other reports are available, as
described in the following table:

Report: Explorer (Microsoft Defender for Office 365 Plan 2) or real-time detections
(Microsoft Defender for Office 365 Plan 1). Topic: Threat Explorer (and real-time
detections)

Report: Email security reports that don't require Defender for Office 365. Topic: View
email security reports in the Microsoft 365 Defender portal

Report: Mail flow reports in the Exchange admin center (EAC). Topic: Mail flow reports in
the new Exchange admin center

PowerShell reporting cmdlets:

Top senders and recipients: Get-MailTrafficSummaryReport
Top malware: Get-MailTrafficSummaryReport
Mail traffic: Get-MailTrafficATPReport and Get-MailDetailATPReport
Safe Links: Get-SafeLinksAggregateReport and Get-SafeLinksDetailReport
Compromised users: Get-CompromisedUserAggregateReport and Get-CompromisedUserDetailReport
Mail flow status: Get-MailflowStatusReport
Spoofed users: Get-SpoofMailReport

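The reporting cmdlets listed above return the same data that the Threat protection status and URL protection report pages show, without the portal's row limits. The following script is an added example, not Microsoft's own code: it pages through Get-MailTrafficATPReport for the last 7 days, totals inbound messages per detection technology, and then lists Safe Links clicks that went through a block or pending-scan page. It assumes the ExchangeOnlineManagement module, a 5000-row page size cap on the cmdlets, placeholder account names, and that the cmdlet's Action strings contain the word "Clicked" for clicked-through results.

```powershell
# Added example (not from the Microsoft documentation). Requires the
# ExchangeOnlineManagement module; account names below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$end   = Get-Date
$start = $end.AddDays(-7)

# The report cmdlets are paged. Keep requesting pages until a short page
# comes back, so nothing is silently truncated. The 5000-row page size
# cap is an assumption; lower it if the cmdlet rejects it.
function Get-AllPages {
    param([scriptblock]$Query, [int]$PageSize = 5000)
    $page = 1
    do {
        $batch = @(& $Query $page $PageSize)
        $batch              # emit this page's rows to the pipeline
        $page++
    } while ($batch.Count -eq $PageSize)
}

# Detail rows behind the "View data by Email" charts, one row per day,
# detection technology and direction.
$detections = Get-AllPages -Query {
    param($p, $s)
    Get-MailTrafficATPReport -StartDate $start -EndDate $end `
        -Direction Inbound -AggregateBy Day -Page $p -PageSize $s
}

# Equivalent of "Chart breakdown by Detection Technology": total message
# count per EventType (File detonation, URL detonation, Campaign, ...).
$byTechnology = $detections |
    Group-Object -Property EventType |
    ForEach-Object {
        [pscustomobject]@{
            DetectionTechnology = $_.Name
            Messages = ($_.Group | Measure-Object -Property MessageCount -Sum).Sum
        }
    } |
    Sort-Object -Property Messages -Descending
$byTechnology | Format-Table -AutoSize

# Safe Links click detail (the URL protection report's details table).
# Clicks that went through a block page or a pending scan are the ones a
# SecOps reviewer wants to see first; the string match on Action is an
# assumption about the cmdlet's wording.
$clicks = Get-AllPages -Query {
    param($p, $s)
    Get-SafeLinksDetailReport -StartDate $start -EndDate $end -Page $p -PageSize $s
}
$clickedThrough = $clicks | Where-Object { $_.Action -match 'Clicked' }
$clickedThrough |
    Select-Object -Property ClickTime, Recipient, Url, Action, AppName |
    Sort-Object -Property ClickTime -Descending |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```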
What permissions are needed to view the Defender for Office 365 reports?

In order to view and use the reports described in this article, you need to be a member
of one of the following role groups in the Microsoft 365 Defender portal:

Organization Management
Security Administrator
Security Reader
Global Reader

For more information, see Permissions in the Microsoft 365 Defender portal.

Note: Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions in the Microsoft 365 Defender
portal and permissions for other features in Microsoft 365. For more information, see
About admin roles.

What if the reports aren't showing data?

If you are not seeing data in your Defender for Office 365 reports, double-check that
your policies are set up correctly. Your organization must have Safe Links policies and
Safe Attachments policies defined in order for Defender for Office 365 protection to be
in place. Also see anti-spam and anti-malware protection.

Message trace in the Microsoft 365 Defender portal
Article • 12/10/2022 • 2 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Message trace follows email messages as they travel through your Exchange Online
organization. You can determine if a message was received, rejected, deferred, or
delivered by the service. It also shows what actions were taken on the message before it
reached its final status.

You can use the information from message trace to efficiently answer user questions
about what happened to messages, troubleshoot mail flow issues, and validate policy
changes.

Note

Message trace in the Microsoft 365 Defender portal is just a pass through to
Message trace in the Exchange admin center. For more information, see Message
trace in the modern Exchange admin center.

What do you need to know before you begin?

You need to be a member of the Organization Management, Compliance
Management, or Help Desk role groups in Exchange Online to use message trace.
For more information, see Permissions in Exchange Online.

Notes: Membership in the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions and permissions
for other features in Microsoft 365. For more information, see About admin roles.

The maximum number of messages that are displayed in the results of a message
trace depends on the report type you selected (see the Choose report type section
for details). The Get-HistoricalSearch cmdlet in Exchange Online PowerShell or
standalone EOP PowerShell returns all messages in the results.
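The same trace from Exchange Online PowerShell, as an added example that is not part of the article: Get-MessageTrace serves the last 10 days and pages at 5,000 rows, so the function below pages until a short page comes back; anything older is handed to Start-HistoricalSearch, whose output is a CSV that Get-HistoricalSearch links to once the job is done. It assumes the ExchangeOnlineManagement module and a prior Connect-ExchangeOnline; the sender address and 30-day window are placeholders.

```powershell
# Added example, not from the article: trace mail from a suspected sender.
# Assumes Connect-ExchangeOnline has already run. $Sender and $DaysBack are
# placeholders to replace with the address and window under investigation.

$Sender   = 'billing@example.com'   # assumed sender to trace
$DaysBack = 30
$End      = Get-Date
$Start    = $End.AddDays(-$DaysBack)

function Get-RecentTrace {
    param([string]$SenderAddress, [datetime]$StartDate, [datetime]$EndDate)
    # Clamp to the 10-day window Get-MessageTrace can serve.
    $oldest = (Get-Date).AddDays(-10)
    if ($StartDate -lt $oldest) { $StartDate = $oldest }
    $page = 1
    do {
        $batch = @(Get-MessageTrace -SenderAddress $SenderAddress -StartDate $StartDate `
                   -EndDate $EndDate -PageSize 5000 -Page $page)
        $batch
        $page++
    } while ($batch.Count -eq 5000)   # a full page means there may be more
}

$recent = @(Get-RecentTrace -SenderAddress $Sender -StartDate $Start -EndDate $End)

# Delivered / FilteredAsSpam / Quarantined / Failed / Pending counts at a glance.
$recent | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# For everything that reached a mailbox, list the per-message events (spam
# verdict, transport rules, ZAP) that acted on it before its final status.
foreach ($m in $recent | Where-Object Status -eq 'Delivered') {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Select-Object @{ n = 'Recipient'; e = { $m.RecipientAddress } }, Date, Event, Action, Detail
}

# Older than 10 days: submit a historical search and poll it until it finishes.
# Get-HistoricalSearch returns all matching rows; FileUrl points at the CSV.
if ($Start -lt (Get-Date).AddDays(-10)) {
    $job = Start-HistoricalSearch -ReportTitle "Trace $Sender" -ReportType MessageTrace `
               -StartDate $Start -EndDate $End -SenderAddress $Sender
    do {
        Start-Sleep -Seconds 60
        $status = (Get-HistoricalSearch -JobId $job.JobId).Status
    } until ($status -in 'Done', 'Failed')
    Get-HistoricalSearch -JobId $job.JobId | Select-Object ReportTitle, Status, Rows, FileUrl
}
```

Historical searches run asynchronously and can take a long time on large tenants, so in practice pass -NotifyAddress to Start-HistoricalSearch rather than keeping a console session open to poll.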

Open message trace


In the Microsoft 365 Defender portal at https://security.microsoft.com , go to Email &
collaboration > Exchange message trace. To go directly to the message trace page, use
https://admin.exchange.microsoft.com/#/messagetrace .

At this point, message trace in the EAC opens. For more information, see Message trace
in the modern Exchange admin center.
Responding to a Compromised Email
Account
Article • 01/17/2023 • 8 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Summary: Learn how to recognize and respond to a compromised email account in
Microsoft 365.

What is a Compromised Email Account in Microsoft 365?
Access to Microsoft 365 mailboxes, data and other services, is controlled by using
credentials, for example a user name and password or PIN. When someone other than
the intended user steals those credentials, the stolen credentials are considered to be
compromised. With them the attacker can sign in as the original user and perform illicit
actions.

Using the stolen credentials, the attacker can access the user's Microsoft 365 mailbox,
SharePoint folders, or files in the user's OneDrive. One action commonly seen is the
attacker sending emails as the original user to recipients both inside and outside of the
organization. When the attacker emails data to external recipients, this is called data
exfiltration.

Symptoms of a Compromised Microsoft Email Account
Users might notice and report unusual activity in their Microsoft 365 mailboxes. Here are
some common symptoms:

Suspicious activity, such as missing or deleted emails.
Other users might receive emails from the compromised account without the
corresponding email existing in the Sent Items folder of the sender.
The presence of inbox rules that weren't created by the intended user or the
administrator. These rules may automatically forward emails to unknown addresses
or move them to the Notes, Junk Email, or RSS Subscriptions folders.
The user's display name might be changed in the Global Address List.
The user's mailbox is blocked from sending email.
The Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web
(formerly known as Outlook Web App) contain common hacked-account
messages, such as "I'm stuck in London, send money."
Unusual profile changes, such as the name, the telephone number, or the postal
code were updated.
Unusual credential changes, such as multiple password changes are required.
Mail forwarding was recently added.
An unusual signature was recently added, such as a fake banking signature or a
prescription drug signature.

If a user reports any of the above symptoms, you should perform further investigation.
The Microsoft 365 Defender portal and the Azure portal offer tools to help you
investigate the activity of a user account that you suspect may be compromised.

Unified audit logs in the Microsoft 365 Defender portal: Review all the activities
for the suspected account by filtering the results for the date range spanning from
immediately before the suspicious activity occurred to the current date. Do not
filter on the activities during the search. For more information, see Search the audit
log in the compliance center.

Azure AD Sign-in logs and other risk reports in the Azure AD portal: Examine the
values in these columns:
IP address
Sign-in locations
Sign-in times
Sign-in success or failure
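The audit-log review described above, as an added example that is not part of the article: it pulls the unified audit log for the suspected account over the whole window without filtering on operation (as the text advises), then surfaces the operations that correspond to the symptoms listed earlier (rule creation, forwarding, delegate access, bulk mail reads) and summarizes sign-ins per source IP, which is the view the Azure AD sign-in logs give. It assumes Connect-ExchangeOnline has run (Search-UnifiedAuditLog is an Exchange Online cmdlet); the UPN and 30-day window are placeholders.

```powershell
# Added example, not from the article: review the unified audit log for a
# suspected account. Assumes Connect-ExchangeOnline has run. $User and the
# window are placeholders.

$User  = 'alex@contoso.com'          # assumed UPN of the suspected account
$Start = (Get-Date).AddDays(-30)
$End   = Get-Date

# Pull the full window without filtering on operation; ReturnLargeSet pages
# past the 5,000-row default until an empty page signals the end.
function Get-UserAuditEvents {
    param([string]$UserId, [datetime]$StartDate, [datetime]$EndDate)
    $sessionId = "ir-$UserId-$((Get-Date).Ticks)"
    $all = @()
    do {
        $page = @(Search-UnifiedAuditLog -UserIds $UserId -StartDate $StartDate -EndDate $EndDate `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        $all += $page
    } while ($page.Count -gt 0)
    $all
}

$events = Get-UserAuditEvents -UserId $User -StartDate $Start -EndDate $End

# Operations that map to the symptoms above. Exchange mailbox-audit records carry
# ClientIPAddress; Azure AD sign-in records carry ClientIP, so read either.
$persistenceOps = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',
                  'Set-Mailbox', 'Add-MailboxPermission', 'Add-RecipientPermission',
                  'Set-MailboxFolderPermission', 'MailItemsAccessed'

$events |
    Where-Object { $_.Operations -in $persistenceOps } |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $_.CreationDate
            Operation = $_.Operations
            ClientIP  = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
            # Parameters is present on Exchange admin cmdlet records (New-InboxRule etc.)
            # and shows e.g. ForwardTo / RedirectTo / MoveToFolder targets.
            Detail    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    } | Sort-Object Time | Format-Table -AutoSize -Wrap

# Sign-ins per source IP: first/last seen and success/failure counts. A new IP
# with a burst of failures followed by a success is the classic compromise shape.
$events |
    Where-Object { $_.Operations -in 'UserLoggedIn', 'UserLoginFailed' } |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ Time = $_.CreationDate; IP = $d.ClientIP; Result = $_.Operations }
    } |
    Group-Object IP |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            IP        = $_.Name
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
            Logins    = @($_.Group | Where-Object Result -eq 'UserLoggedIn').Count
            Failures  = @($_.Group | Where-Object Result -eq 'UserLoginFailed').Count
        }
    } | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

MailItemsAccessed records are only produced for mailboxes with the corresponding audit licensing, so their absence is not evidence that mail was not read.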

How to secure and restore email function to a suspected compromised Microsoft
365 account and mailbox
Even after you've regained access to your account, the attacker may have added back-
door entries that enable the attacker to resume control of the account.

Do all of the following steps, and do them as soon as possible, so that the attacker
doesn't resume control of the account. These steps help you remove any back-door
entries that the attacker may have added to the account. After you complete these
steps, we recommend that you run a virus scan to make sure that the user's computer
isn't compromised.

Step 1 Reset the user's password


Follow the procedures in Reset a business password for someone.

) Important

Do not send the new password to the intended user through email, because the
attacker still has access to the mailbox at this point.

Make sure that the password is strong and that it contains upper and
lowercase letters, at least one number, and at least one special character.

Don't reuse any of your last five passwords. Even though the password history
requirement lets you reuse a more recent password, you should select
something that the attacker can't guess.

If your on-premises identity is federated with Microsoft 365, you must change
your password on-premises, and then you must notify your administrator of
the compromise.

Be sure to update app passwords. App passwords aren't automatically
revoked when a user account password is reset. The user should delete existing
app passwords and create new ones. For instructions, see Create and delete
app passwords from the Additional security verification page.

A password reset by itself doesn't end sessions that are already signed in:
access tokens that were already issued stay valid until they expire, and for
federated identities an on-premises password change doesn't revoke the cloud
refresh tokens. Revoke the user's sign-in sessions explicitly (for example,
with Revoke-MgUserSignInSession in Microsoft Graph PowerShell) as part of the
reset.

We highly recommend that you enable Multi-Factor Authentication (MFA)
in order to prevent compromise, especially for accounts with administrative
privileges. To learn more about MFA, go to Set up multi-factor
authentication.
Step 2 Remove suspicious email forwarding addresses
1. In the Microsoft 365 admin center at https://admin.microsoft.com , go to Users >
Active users. To go directly to the Active users page, use
https://admin.microsoft.com/Adminportal/Home#/users .

2. On the Active users page, find the user account in question, and select the user
(row) without selecting the checkbox.

3. In the details flyout that appears, select the Mail tab.

4. If the value in the Email forwarding section is Applied, click Manage email
forwarding. In the Manage email forwarding flyout that appears, clear Forward all
email sent to this mailbox, and then click Save changes.

Step 3 Disable any suspicious inbox rules


1. Sign in to the user's mailbox using Outlook on the web.

2. Click on the gear icon and click Mail.

3. Click Inbox and sweep rules and review the rules.

4. Disable or delete suspicious rules.

Step 4 Unblock the user from sending mail


If the suspected compromised mailbox was used illicitly to send spam email, it is likely
that the mailbox has been blocked from sending mail.

To unblock a mailbox from sending mail, follow the procedures in Removing a user from
the Restricted Users portal after sending spam email.

Step 5 Optional: Block the user account from signing-in

) Important

You can block the suspected compromised account from signing-in until you
believe it is safe to re-enable access.

1. In the Microsoft 365 admin center at https://admin.microsoft.com , go to Users >
Active users. To go directly to the Active users page, use
https://admin.microsoft.com/Adminportal/Home#/users .

2. On the Active users page, find and select the user account, click , and then select
Edit sign-in status.

3. On the Block sign-in pane that appears, select Block this user from signing in, and
then click Save changes.

4. In the Exchange admin center (EAC) at https://admin.exchange.microsoft.com ,
go to Recipients > Mailboxes. To go directly to the Mailboxes page, use
https://admin.exchange.microsoft.com/#/mailboxes .

5. On the Mailboxes page, find and select the user. In the mailbox details flyout that
opens, do the following steps:

In the Email apps section, select Manage email apps settings. In the Manage
settings for email apps flyout that appears, block all of the available settings
by moving the toggle to the right :
Outlook on the web
Outlook desktop (MAPI)
Exchange Web Services
Mobile (Exchange ActiveSync)
IMAP
POP3

When you're finished, click Save and then click Close.

Step 6 Optional: Remove the suspected compromised account from all
administrative role groups

7 Note

Administrative role group membership can be restored after the account has been
secured.

1. In the Microsoft 365 admin center at https://admin.microsoft.com , do the
following steps:
a. Go to Users > Active users. To go directly to the Active users page, use
https://admin.microsoft.com/Adminportal/Home#/users .
b. On the Active users page, find and select the user account, click , and then
select Manage roles.
c. Remove any administrative roles that are assigned to the account. When you're
finished, click Save changes.

2. In the Microsoft 365 Defender portal at https://security.microsoft.com , do the
following steps:
a. Go to Permissions & roles > Email & collaboration roles > Roles. To go directly
to the Permissions page, use
https://security.microsoft.com/emailandcollabpermissions .
b. On the Permissions page, select each role group in the list and look for the user
account in the Members section of the details flyout that appears. If the role
group contains the user account, do the following steps:

i. In the Members section, click Edit.

ii. On the Editing Choose members flyout that appears, click Edit.

iii. On the Choose members flyout that appears, click Remove.

iv. In the flyout that appears, select the user account, and then click Remove.

When you're finished, click Done, Save, and then Close.

3. In the Exchange admin center at https://admin.exchange.microsoft.com/ , do the
following steps:
a. Select Roles > Admin roles. To go directly to the Admin roles page, use
https://admin.exchange.microsoft.com/#/adminRoles .
b. On the Admin roles page, manually select each role group, and in the details
pane, select the Assigned tab to verify the user accounts. If the role group
contains the user account, do the following steps:

i. Select the user account.

ii. Click the .

When you're finished, click Save.

Step 7 Optional: Additional precautionary steps


1. Make sure that you verify your sent items. You may have to inform people on your
contacts list that your account was compromised. The attacker may have asked
them for money (pretending, for example, that you were stranded in a different
country), or may have sent them malware so that their computers are hijacked
as well.
2. Any other service that used this Exchange account as its alternative email account
may have been compromised. First, do these steps for your Microsoft 365
subscription, and then do these steps for your other accounts.

3. Make sure that your contact information, such as telephone numbers and
addresses, is correct.
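Steps 1 through 6 as a single containment script, added here as an example and not part of the article: it uses Exchange Online PowerShell for the mailbox work and Microsoft Graph PowerShell for the account, and it blocks sign-in and revokes sessions before the mailbox cleanup so the attacker's existing tokens cannot undo the later steps. It assumes Connect-ExchangeOnline and Connect-MgGraph (with User.ReadWrite.All and RoleManagement.ReadWrite.Directory) have already run; the UPN is a placeholder. The role-group loop covers the Exchange admin center role groups; run the same loop in a Connect-IPPSSession session to cover the Defender portal's Email & collaboration role groups.

```powershell
# Added example, not from the article: contain a suspected compromised account.
# Assumes Connect-ExchangeOnline and Connect-MgGraph have run. $User is a placeholder.

$User = 'alex@contoso.com'   # assumed UPN of the compromised account

# Block sign-in and revoke refresh tokens before touching the mailbox (Step 5,
# done first so the attacker cannot re-add what the later steps remove).
Update-MgUser -UserId $User -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $User | Out-Null

# Step 1: reset the password to a random value and force a change at next sign-in.
# Hand the new password to the user out of band, never by email.
$alphabet    = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
$newPassword = -join (1..24 | ForEach-Object { $alphabet | Get-Random })
Update-MgUser -UserId $User -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }

# Step 2: clear every form of mailbox-level forwarding, not only the SMTP one.
Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# Step 3: disable inbox rules that forward, redirect, delete, or bury mail in
# the folders the symptoms list calls out. -IncludeHidden catches rules created
# through MAPI/EWS that Outlook on the web does not display.
$hideFolders = 'RSS Subscriptions', 'Notes', 'Junk Email', 'Conversation History', 'Deleted Items'
Get-InboxRule -Mailbox $User -IncludeHidden | ForEach-Object {
    $r = $_
    $buries = $r.MoveToFolder -and ($hideFolders | Where-Object { $r.MoveToFolder -like "*$_*" })
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo -or $r.DeleteMessage -or $buries) {
        Write-Host "Disabling rule '$($r.Name)': $($r.Description)"
        $r | Disable-InboxRule -Confirm:$false
    }
}

# Step 5 (mailbox side): block all client protocols, including SMTP AUTH, which
# the portal's email apps list does not show.
Set-CASMailbox -Identity $User -OWAEnabled $false -ActiveSyncEnabled $false -EwsEnabled $false `
    -MAPIEnabled $false -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true

# Not in the numbered steps but the same kind of back door: delegates added to the mailbox.
Get-MailboxPermission -Identity $User |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights

# Step 6: remove the account from Exchange role groups ...
foreach ($rg in Get-RoleGroup) {
    $members = @(Get-RoleGroupMember -Identity $rg.Identity)
    if ($members.PrimarySmtpAddress -contains $User -or $members.Name -contains $User) {
        Write-Host "Removing from role group '$($rg.Name)'"
        Remove-RoleGroupMember -Identity $rg.Identity -Member $User -Confirm:$false
    }
}
# ... and from Azure AD directory roles (Global Administrator, Security Administrator, etc.).
$userId = (Get-MgUser -UserId $User).Id
Get-MgUserMemberOf -UserId $User |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object {
        Write-Host "Removing directory role '$($_.AdditionalProperties['displayName'])'"
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $_.Id -DirectoryObjectId $userId
    }
```

Re-enable sign-in and the client protocols (Update-MgUser -AccountEnabled:$true, Set-CASMailbox with the flags back to $true) only after the audit-log review is complete and the user has MFA registered; the rule and forwarding removal does not need to be reverted.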

See also
Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in
Microsoft 365
Detect and Remediate Illicit Consent Grants
Internet Crime Complaint Center
Securities and Exchange Commission - "Phishing" Fraud
To report spam email directly to Microsoft and your admin Use the Report
Message add-in
Remediate malicious email delivered in
Office 365
Article • 12/09/2022 • 9 minutes to read

Applies to

Microsoft Defender for Office 365 plan 2

Remediation means taking a prescribed action against a threat. Malicious email sent to
your organization can be cleaned up either by the system, through zero-hour auto
purge (ZAP), or by security teams through remediation actions like move to inbox, move
to junk, move to deleted items, soft delete, or hard delete. Microsoft Defender for Office
365 Plan 2/E5 enables security teams to remediate threats in email and collaboration
functionality through manual and automated investigation.

7 Note

To remediate malicious email, security teams need the Search and Purge role
assigned to them. Role assignment is done through permissions in the Microsoft
365 Defender portal.

What you need to know before you begin


Admins can take the required action on emails, but to get those actions approved, they
must have the Search and Purge role assigned to them in the Email & collaboration
permissions in the Microsoft 365 Defender portal. Without the Search and Purge role
added to one of their role groups, they won't be able to execute the action.

Because email actions create automated investigations in the backend, you need to
enable Automated Investigation. Go to Settings > Endpoints > Advanced features and
turn on Automated Investigation.
Manual and automated remediation
Manual hunting occurs when security teams identify threats manually by using the
search and filtering capabilities in Explorer. Manual email remediation can be triggered
through any email view (Malware, Phish, or All email) after you identify a set of emails
that need to be remediated.

Security teams can use Explorer to select emails in several ways:

Choose emails by hand: Use filters in various views. Select up to 100 emails to
remediate.

Query selection: Select an entire query by using the top select all button. The same
query is also shown in action center mail submission details. Customers can submit
maximum 200,000 emails from threat explorer.

Query selection with exclusion: Sometimes security operations teams may want to
remediate emails by selecting an entire query and excluding certain emails from
the query manually. To do so, an admin can use the Select all check box and scroll
down to exclude emails manually. The query can hold a maximum of 200,000
emails.

Once emails are selected through Explorer, you can start remediation by taking direct
action or by queuing up emails for an action:

Direct approval: When actions like move to inbox, move to junk, move to deleted
items, soft delete, or hard delete are selected by security personnel who have
appropriate permissions, and the next steps in remediation are followed, the
remediation process begins to execute the selected action.

7 Note
When the remediation is kicked off, it generates an alert and an investigation in
parallel. The alert appears in the alerts queue with the name "Administrative action
submitted by an Administrator", indicating that security personnel took the action
of remediating an entity. It presents details such as the name of the person who
performed the action, a link to the supporting investigation, and the time. This gives
you a record every time a destructive action like remediation is performed on
entities. All these actions can be tracked under Actions & Submissions > Action
center > History tab (public preview).

Two-step approval: An "add to remediation" action can be taken by admins who
don't have appropriate permissions or who need to wait to execute the action. In
this case, the targeted emails are added to a remediation container. Approval is
needed before the remediation is executed.

Automated investigation and response actions are triggered by alerts or by security
operations teams from Explorer. These may include recommended remediation actions
that must be approved by a security operations team. These actions are included on the
Action tab in the automated investigation.

All remediation (direct approvals) created in Explorer, Advanced hunting, or through
Automated investigation are displayed in the Action center at Actions & Submissions >
Action center > History tab (https://security.microsoft.com/action-center/history ).

Manual actions pending approval using the two-step approval process (1. Add to
remediation by one security operation team member, 2. Reviewed and approved by
another security operation team member) are visible at Actions & Submissions > Action
center > Pending tab (https://security.microsoft.com/action-center/pending ). After
approval, they're visible at Actions & Submissions > Action center > History tab
(https://security.microsoft.com/action-center/history ).

Unified Action Center shows remediation actions for the past 30 days. Actions taken
through Explorer are listed by the name that the security operations team provided
when the remediation was created as well as approval Id, Investigation Id. Actions taken
through automated investigations have titles that begin with the related alert that
triggered the investigation, such as Zap email cluster.

Open any remediation item to view details about it, including its remediation name,
approval Id, Investigation Id, creation date, description, status, action source, action
type, decided by, status. It also opens a side pane with action details, email cluster
details, alert and Incident details.

Open Investigation page: Opens an admin investigation that contains fewer
details and tabs. It shows details like the related alert, the entity selected for
remediation, the action taken, the remediation status, the entity count, logs, and
the approver of the action. This investigation keeps track of the investigation the
admin did manually and records the selections the admin made, hence it is called
an admin action investigation. There is no need to act on the investigation or the
alert; it is already in the approved state.
Email count: Displays the number of emails submitted through Threat Explorer.
These emails can be actionable or not actionable.
Action logs: Show the details of remediation statuses like successful, failed, and
already in destination.
Actionable: Emails in the following cloud mailbox locations can be acted on and
moved:

Inbox

Junk

Deleted folder

Soft-deleted folder

7 Note

Currently, only a user with access to the mailbox can recover items from a
soft-deleted folder.

Not actionable: Emails in the following locations can't be acted on or moved in
remediation actions:
Quarantine
Hard-deleted folder
On-premises/external
Failed/dropped

Suspicious messages are categorized as either remediable or nonremediable. In most
cases, the remediable and nonremediable counts together equal the total number of
messages submitted. But in rare cases this may not be true. This can happen because
of system delays, timeouts, or expired messages. Messages expire based on the Explorer
retention period for your organization.

Unless you're remediating old messages after your organization's Explorer retention
period, it's advisable to retry remediating items if you see number inconsistencies. For
system delays, remediation updates are typically refreshed within a few hours.

If your organization's retention period for email in Explorer is 30 days and you're
remediating emails going back 29-30 days, mail submission counts may not always add
up. The emails might have started moving out of the retention period already.

If remediations are stuck in the "In progress" state for a while, it's likely due to system
delays. It could take up to a few hours to remediate. You might see variations in mail
submission counts, as some of the emails may not have been included the query at the
start of remediation due to system delays. It is a good idea to retry remediating in such
cases.

7 Note

For best results, remediation should be done in batches of 50,000 or fewer.

Only remediable emails are acted on during remediation. Nonremediable emails can't
be remediated by the Office 365 email system, as they aren't stored in cloud mailboxes.

Admins can take actions on emails in quarantine if necessary, but those emails will
expire out of quarantine if they're not manually purged. By default, emails quarantined
because of malicious content aren't accessible by users, so security personnel don't have
to take any action to get rid of threats in quarantine. If the emails are on-premises or
external, the user can be contacted to address the suspicious email. Or the admins can
use separate email server/security tools for removal. These emails can be identified by
applying the delivery location = on-prem external filter in Explorer. For failed or dropped
email, or email not accessible by users, there won't be any email to mitigate, since these
mails don't reach the mailbox.

Action logs: This shows the messages remediated, successful, failed, already in
destination.

Status can be:


Started: Remediation is triggered.
Queued: Remediation is queued up for mitigation of emails.
In progress: Mitigation is in progress.
Completed: Mitigation on all remediable emails either completed
successfully or with some failures.
Failed: No remediations were successful.

As only remediable emails can be acted on, each email's cleanup is shown as
successful or failed. From the total remediable emails, successful and failed
mitigations are reported.
Success: The desired action on remediable emails was accomplished. For
example: An admin wants to remove emails from mailboxes, so the admin takes
the action of soft-deleting emails. If a remediable email isn't found in the
original folder after the action is taken, the status will show as successful.

Failure: The desired action on remediable emails failed. For example: An admin
wants to remove emails from mailboxes, so the admin takes the action of soft-
deleting emails. If a remediable email is still found in the mailbox after the
action is taken, status will show as failed.

Already in destination: The desired action was already taken on the email OR
the email already existed in the destination location. For example: An email was
soft deleted by the admin through Explorer on day one. Then similar emails
show up on day 2, which are again soft deleted by the admin. While selecting
these emails, admin ends up picking some emails from day one that are already
soft deleted. Now these emails will not be acted upon again, they will just show
as "already in destination", since no action was taken on them as they existed in
the destination location.

New: An Already in destination column has been added in the Action Log. This
feature uses the latest delivery location in Threat Explorer to signal if the mail
has already been remediated. Already in destination will help security teams
understand the total number of messages that still need to be addressed.

Actions can only be taken on messages in Inbox, Junk, Deleted, and Soft Deleted folders
of Threat Explorer. Here's an example of how the new column works. A soft delete action
takes place on the message present in the Inbox, then the message will be handled
according to policies. The next time a soft delete is performed, this message will show
under the column 'Already in destination' signaling it doesn't need to be addressed
again.

Select any item in the action log to display remediation details. If the details say
"successful" or "not found in mailbox", that item was already removed from the mailbox.
Sometimes there's a system error during remediation. In those cases, it's a good idea to
retry the remediation action.

In case of remediating large batches of email, export the messages sent for remediation
via Mail Submission, and messages that were remediated via Action Logs. The export
limit is increased to 100,000 records.
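One way to use those two exports, added here as an example and not part of the article: reconcile the Mail Submission export against the Action Log export, so that the rows still needing attention (failed, or never logged because the message was nonremediable, expired, or delayed) fall out as a retry list instead of being read off mismatched counts. The column names NetworkMessageId, Recipient and Status are assumptions about the export format; adjust them to the headers in your CSVs. The two CSV fragments are constructed sample data so the script runs offline; replace them with Import-Csv on the real exports.

```powershell
# Added example, not from the article. Column names are assumed; sample rows are constructed.

$submitted = @'
NetworkMessageId,Recipient,Subject
11111111-aaaa-4aaa-8aaa-000000000001,alice@contoso.com,Invoice overdue
11111111-aaaa-4aaa-8aaa-000000000002,bob@contoso.com,Invoice overdue
11111111-aaaa-4aaa-8aaa-000000000003,carol@contoso.com,Invoice overdue
11111111-aaaa-4aaa-8aaa-000000000004,dave@contoso.com,Invoice overdue
'@ | ConvertFrom-Csv

$actionLog = @'
NetworkMessageId,Recipient,Status
11111111-aaaa-4aaa-8aaa-000000000001,alice@contoso.com,Successful
11111111-aaaa-4aaa-8aaa-000000000002,bob@contoso.com,Already in destination
11111111-aaaa-4aaa-8aaa-000000000003,carol@contoso.com,Failed
'@ | ConvertFrom-Csv

function Get-RemediationGap {
    param($Submitted, $ActionLog)
    # A message is settled if the log says it was moved, or was already where it should be.
    $settled = @{}
    foreach ($row in $ActionLog) {
        if ($row.Status -in 'Successful', 'Already in destination') {
            $settled["$($row.NetworkMessageId)|$($row.Recipient)"] = $true
        }
    }
    foreach ($s in $Submitted) {
        $key = "$($s.NetworkMessageId)|$($s.Recipient)"
        if ($settled[$key]) { continue }
        $logged = $ActionLog | Where-Object { "$($_.NetworkMessageId)|$($_.Recipient)" -eq $key }
        [pscustomobject]@{
            NetworkMessageId = $s.NetworkMessageId
            Recipient        = $s.Recipient
            Reason           = if ($logged) { $logged.Status } else { 'Not in action log (nonremediable, expired, or delayed)' }
        }
    }
}

$gap = @(Get-RemediationGap -Submitted $submitted -ActionLog $actionLog)
"Submitted: $($submitted.Count)  Logged: $($actionLog.Count)  Still to address: $($gap.Count)"
$gap | Format-Table -AutoSize
```

With the sample data the gap is two rows: carol's copy (Failed, so retry it) and dave's (never logged, so check its delivery location in Explorer before deciding whether a retry can help).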

Admins can take remediation actions like moving email messages to Junk, Inbox, or
Deleted items folder and delete actions like soft deleted or hard delete from Advanced
Hunting pages.
Remediation mitigates threats, addresses suspicious emails, and helps keep an
organization secure.
Automated investigation and response
(AIR) in Microsoft Defender for Office
365
Article • 12/22/2022 • 6 minutes to read

Applies to

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Microsoft Defender for Office 365 includes powerful automated investigation and
response (AIR) capabilities that can save your security operations team time and effort.
As alerts are triggered, it's up to your security operations team to review, prioritize, and
respond to those alerts. Keeping up with the volume of incoming alerts can be
overwhelming. Automating some of those tasks can help.

AIR enables your security operations team to operate more efficiently and effectively.
AIR capabilities include automated investigation processes in response to well-known
threats that exist today. Appropriate remediation actions await approval, enabling your
security operations team to respond effectively to detected threats. With AIR, your
security operations team can focus on higher-priority tasks without losing sight of
important alerts that are triggered.

This article describes:

The overall flow of AIR;
How to get AIR; and
The required permissions to configure or use AIR capabilities.

This article also includes next steps, and resources to learn more.

The overall flow of AIR
An alert is triggered, and a security playbook starts an automated investigation, which
results in findings and recommended actions. Here's the overall flow of AIR, step by
step:

1. An automated investigation is initiated in one of the following ways:

Either an alert is triggered by something suspicious in email (such as a
message, attachment, URL, or compromised user account). An incident is
created, and an automated investigation begins; or
A security analyst starts an automated investigation while using Explorer.

2. While an automated investigation runs, it gathers data about the email in question
and entities related to that email. Such entities can include files, URLs, and
recipients. The investigation's scope can increase as new and related alerts are
triggered.

3. During and after an automated investigation, details and results are available to
view. Results might include recommended actions that can be taken to respond to
and remediate any existing threats that were found.

4. Your security operations team reviews the investigation results and
recommendations, and approves or rejects remediation actions.

5. As pending remediation actions are approved (or rejected), the automated
investigation completes.

Note: If the investigation does not result in recommended actions, the automated
investigation closes, and the details of what was reviewed as part of the automated
investigation are still available on the investigation page.

In Microsoft Defender for Office 365, no remediation actions are taken automatically.
Remediation actions are taken only upon approval by your organization's security team.
AIR capabilities save your security operations team time by identifying remediation
actions and providing the details needed to make an informed decision.

During and after each automated investigation, your security operations team can:

View details about an alert related to an investigation
View the results details of an investigation
Review and approve actions as a result of an investigation

 Tip

For a more detailed overview, see How AIR works.


How to get AIR
AIR capabilities are included in Microsoft Defender for Office 365, provided your policies
and alerts are configured. Need some help? Follow the guidance in Protect against
threats to set up or configure the following protection settings:

Audit logging (should be turned on)
Anti-malware protection
Anti-phishing protection
Anti-spam protection
Safe Links and Safe Attachments

In addition, make sure to review your organization's alert policies, especially the default
policies in the Threat management category.
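A read-only check of those prerequisites from PowerShell, added here as an example and not part of the article: it reports whether unified audit log ingestion is on, whether the anti-phishing, anti-malware and anti-spam policies exist and are enabled, how many Safe Links and Safe Attachments rules (and preset-policy rules) are enabled, and which Threat management alert policies are disabled. It assumes Connect-ExchangeOnline for the policy cmdlets and Connect-IPPSSession for Get-ProtectionAlert, which lives in the Security & Compliance endpoint; it changes nothing.

```powershell
# Added example, not from the article: report on the AIR prerequisites.
# Assumes Connect-ExchangeOnline (policy cmdlets) and Connect-IPPSSession
# (Get-ProtectionAlert) have both run. Read-only.

function Test-AirPrerequisites {
    $findings = New-Object System.Collections.Generic.List[string]

    # Audit logging: investigations are built on audit records, so this comes first.
    $auditOn = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    if (-not $auditOn) {
        $findings.Add('Unified audit log ingestion is off (Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true)')
    }

    # EOP policies: the defaults always exist; what matters is that one is enabled.
    if (-not (Get-AntiPhishPolicy | Where-Object Enabled))  { $findings.Add('No enabled anti-phishing policy') }
    if (-not (Get-MalwareFilterPolicy))                      { $findings.Add('No anti-malware policy') }
    if (-not (Get-HostedContentFilterPolicy))                { $findings.Add('No anti-spam policy') }

    # Safe Links / Safe Attachments: a policy only applies through an enabled rule.
    # Standard/Strict preset policies use their own rule cmdlet, counted separately.
    $slRules     = @(Get-SafeLinksRule            | Where-Object State -eq 'Enabled')
    $saRules     = @(Get-SafeAttachmentRule       | Where-Object State -eq 'Enabled')
    $presetRules = @(Get-ATPProtectionPolicyRule  | Where-Object State -eq 'Enabled')
    if ($slRules.Count -eq 0 -and $presetRules.Count -eq 0) { $findings.Add('No enabled Safe Links rule or preset policy') }
    if ($saRules.Count -eq 0 -and $presetRules.Count -eq 0) { $findings.Add('No enabled Safe Attachments rule or preset policy') }

    # Threat management alert policies that are switched off never start an investigation.
    Get-ProtectionAlert |
        Where-Object { $_.Category -eq 'ThreatManagement' -and $_.Disabled } |
        ForEach-Object { $findings.Add("Alert policy disabled: $($_.Name)") }

    [pscustomobject]@{
        AuditLogOn                  = $auditOn
        SafeLinksRulesEnabled       = $slRules.Count
        SafeAttachmentsRulesEnabled = $saRules.Count
        PresetPolicyRulesEnabled    = $presetRules.Count
        Findings                    = $findings
    }
}

Test-AirPrerequisites | Format-List
```

An empty Findings list means the inputs AIR depends on are in place; it says nothing about whether the policies' scopes actually cover every user, which is what the Configuration analyzer is for.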

Which alert policies trigger automated investigations?
Microsoft 365 provides many built-in alert policies that help identify Exchange admin
permissions abuse, malware activity, potential external and internal threats, and
information governance risks. Several of the default alert policies can trigger automated
investigations. The following table describes the alerts that trigger automated
investigations, their severity in the Microsoft 365 Defender portal, and how they're
generated:

Alert: A potentially malicious URL click was detected
Severity: High
How the alert is generated: This alert is generated when any of the following occurs:
A user protected by Safe Links in your organization clicks a malicious link
Verdict changes for URLs are identified by Microsoft Defender for Office 365
Users override Safe Links warning pages (based on your organization's Safe Links policy)
For more information on events that trigger this alert, see Set up Safe Links policies.

Alert: An email message is reported by a user as malware or phish
Severity: Informational
How the alert is generated: This alert is generated when users in your organization
report messages as phishing email using the Microsoft Report Message or Report
Phishing add-ins.

Alert: Email messages containing malicious file removed after delivery
Severity: Informational
How the alert is generated: This alert is generated when any messages containing a
malicious file are delivered to mailboxes in your organization. If this event occurs,
Microsoft removes the infected messages from Exchange Online mailboxes using
zero-hour auto purge (ZAP).

Alert: Email messages containing malware are removed after delivery
Severity: Informational
How the alert is generated: This alert is generated when any email messages containing
malware are delivered to mailboxes in your organization. If this event occurs,
Microsoft removes the infected messages from Exchange Online mailboxes using
zero-hour auto purge (ZAP).

Alert: Email messages containing malicious URL removed after delivery
Severity: Informational
How the alert is generated: This alert is generated when any messages containing a
malicious URL are delivered to mailboxes in your organization. If this event occurs,
Microsoft removes the infected messages from Exchange Online mailboxes using
zero-hour auto purge (ZAP).

Alert: Email messages containing phish URLs are removed after delivery
Severity: Informational
How the alert is generated: This alert is generated when any messages containing phish
are delivered to mailboxes in your organization. If this event occurs, Microsoft
removes the infected messages from Exchange Online mailboxes using ZAP.

Alert: Suspicious email sending patterns are detected
Severity: Medium
How the alert is generated: This alert is generated when someone in your organization
has sent suspicious email and is at risk of being restricted from sending email. The
alert is an early warning for behavior that might indicate that the account is
compromised, but not severe enough to restrict the user. Although it's rare, an alert
generated by this policy may be an anomaly. However, it's a good idea to check whether
the user account is compromised.

Alert: A user is restricted from sending email
Severity: High
How the alert is generated: This alert is generated when someone in your organization
is restricted from sending outbound mail. This alert typically results when an email
account is compromised. For more information about restricted users, see Remove
blocked users from the Restricted Users portal in Microsoft 365.

Alert: Admin triggered manual investigation of email
Severity: Informational
How the alert is generated: This alert is generated when an admin triggers the manual
investigation of an email from Threat Explorer. This alert notifies your organization
that the investigation was started.

Alert: Admin triggered user compromise investigation
Severity: Medium
How the alert is generated: This alert is generated when an admin triggers the manual
user compromise investigation of either an email sender or recipient from Threat
Explorer. This alert notifies your organization that the user compromise investigation
was started.

 Tip

To learn more about alert policies or edit the default settings, see Alert policies in
the Microsoft Purview compliance portal.

Required permissions to use AIR capabilities

Permissions are granted through certain roles, such as those that are described in the
following table:

Task: Set up AIR features
Role(s) required: One of the following roles:
Global Administrator
Security Administrator
These roles can be assigned in Azure Active Directory or in the Microsoft 365
Defender portal.

Task: Start an automated investigation, or approve or reject recommended actions
Role(s) required: One of the following roles, assigned in Azure Active Directory or in
the Microsoft 365 Defender portal:
Global Administrator
Security Administrator
Security Operator
Security Reader
and, in addition, Search and Purge (this role is assigned only in the Microsoft 365
Defender portal; you might need to create a new Email & collaboration role group
there and add the Search and Purge role to that new role group).

Required licenses

Microsoft Defender for Office 365 Plan 2 licenses should be assigned to:

Security administrators (including global administrators)
Your organization's security operations team (including security readers and those with the Search and Purge role)
End users

Next steps
Get started using AIR
See details and results of an automated investigation
Review and approve pending actions
View pending or completed remediation actions

How automated investigation and response works in Microsoft Defender for Office 365
Article • 01/18/2023 • 4 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 2
Microsoft 365 Defender

As security alerts are triggered, it's up to your security operations team to look into
those alerts and take steps to protect your organization. Sometimes, security operations
teams can feel overwhelmed by the volume of alerts that are triggered. Automated
investigation and response (AIR) capabilities in Microsoft Defender for Office 365 can
help.

AIR enables your security operations team to operate more efficiently and effectively.
AIR capabilities include automated investigation processes in response to well-known
threats that exist today. Appropriate remediation actions await approval, enabling your
security operations team to respond to detected threats.

This article describes how AIR works through several examples. When you're ready to
get started using AIR, see Automatically investigate and respond to threats.

Example 1: A user-reported phish message launches an investigation playbook
Example 2: A security administrator triggers an investigation from Threat Explorer
Example 3: A security operations team integrates AIR with their SIEM using the Office 365 Management Activity API

Example: A user-reported phish message launches an investigation playbook

Suppose that a user in your organization receives an email that they think is a phishing
attempt. The user, trained to report such messages, uses the Microsoft Report Message
or Report Phishing add-ins to send it to Microsoft for analysis. The submission is also
sent to your system and is visible in Explorer in the Submissions view (formerly referred
to as the User-reported view). In addition, the user-reported message now triggers a
system-based informational alert, which automatically launches the investigation
playbook.

During the root investigation phase, various aspects of the email are assessed. These
aspects include:

A determination about what type of threat it might be;
Who sent it;
Where the email was sent from (sending infrastructure);
Whether other instances of the email were delivered or blocked;
An assessment from our analysts;
Whether the email is associated with any known campaigns;
and more.

After the root investigation is complete, the playbook provides a list of recommended
actions to take on the original email and entities associated with it.

Next, several threat investigation and hunting steps are executed:

Similar email messages are identified via email cluster searches.
The signal is shared with other platforms, such as Microsoft Defender for Endpoint.
A determination is made on whether any users have clicked through any malicious links in suspicious email messages.
A check is done across Exchange Online Protection (EOP) and Microsoft Defender for Office 365 to see if there are any other similar messages reported by users.
A check is done to see if a user has been compromised. This check leverages signals across Office 365, Microsoft Defender for Cloud Apps, and Azure Active Directory, correlating any related user activity anomalies.

During the hunting phase, risks and threats are assigned to various hunting steps.

Remediation is the final phase of the playbook. During this phase, remediation steps are
taken, based on the investigation and hunting phases.

Example: A security administrator triggers an investigation from Threat Explorer

In addition to automated investigations that are triggered by an alert, your
organization's security operations team can trigger an automated investigation from a
view in Threat Explorer. This investigation also creates an alert, so Microsoft 365
Defender incidents and external SIEM tools can see that this investigation was triggered.

For example, suppose that you are using the Malware view in Explorer. Using the tabs
below the chart, you select the Email tab. If you select one or more items in the list, the
+ Actions button activates.

Using the Actions menu, you can select Trigger investigation.

Similar to playbooks triggered by an alert, automatic investigations that are triggered from a view in Explorer include a root investigation, steps to identify and correlate threats, and recommended actions to mitigate those threats.

Example: A security operations team integrates AIR with their SIEM using the Office 365 Management Activity API

AIR capabilities in Microsoft Defender for Office 365 include reports & details that
security operations teams can use to monitor and address threats. But you can also
integrate AIR capabilities with other solutions. Examples include a security information
and event management (SIEM) system, a case management system, or a custom
reporting solution. These kinds of integrations can be done by using the Office 365
Management Activity API.

For example, recently, an organization set up a way for their security operations team to
view user-reported phish alerts that were already processed by AIR. Their solution
integrates relevant alerts with the organization's SIEM server and their case-
management system. The solution greatly reduces the number of false positives so that
their security operations team can focus their time and effort on real threats. To learn
more about this custom solution, see Tech Community blog: Improve the Effectiveness
of your SOC with Microsoft Defender for Office 365 and the O365 Management API .
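As an added, worked illustration of the Management Activity API integration described above (this is not Microsoft's code and not the solution from the Tech Community post), the following Python module lists the Audit.General content blobs for a time window, fetches each blob, keeps only AIR investigation records and flattens them into SIEM events, dropping investigations whose outcome was No Threats Found or Remediated so that only items needing an analyst are forwarded. The AIR record types (63, 64, 91), the record field names (InvestigationId, InvestigationType, Status, Operation, CreationTime), the Operation value and the sample blob are assumptions of this example; check them against the current API schema. The HTTP call is an injectable function so the module runs offline against the constructed sample.

```python
"""Pull AIR investigation records from the Office 365 Management Activity API
and flatten them into events for a SIEM or case-management system.
Added example for this page (not Microsoft's code); see the lead-in for the
assumptions about record types and field names."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

API_ROOT = "https://manage.office.com/api/v1.0"
# AIR record types as this example assumes them from the Management Activity
# API schema (63 AirManualInvestigation, 64 AirInvestigation,
# 91 AirAdminActionInvestigation); verify against the current schema.
AIR_RECORD_TYPES = {63: "AirManualInvestigation", 64: "AirInvestigation",
                    91: "AirAdminActionInvestigation"}
# Outcomes that need no analyst follow-up; dropping them is the
# false-positive reduction the page describes.
NOISE_STATUSES = {"No Threats Found", "Remediated"}
FetchJson = Callable[[str], list]


def content_list_url(tenant_id: str, content_type: str,
                     start: datetime, end: datetime) -> str:
    """List-content endpoint for one content type and time window."""
    fmt = "%Y-%m-%dT%H:%M"
    return (f"{API_ROOT}/{tenant_id}/activity/feed/subscriptions/content"
            f"?contentType={content_type}"
            f"&startTime={start.strftime(fmt)}&endTime={end.strftime(fmt)}")


def make_http_fetcher(bearer_token: str) -> FetchJson:
    """Production fetcher: GET with an OAuth token issued for
    https://manage.office.com (token acquisition is outside this example)."""
    def fetch_json(url: str) -> list:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_json


def to_siem_event(record: dict) -> Optional[dict]:
    """Flatten one audit record; None for records that are not AIR."""
    record_type = record.get("RecordType")
    if record_type not in AIR_RECORD_TYPES:
        return None
    status = record.get("Status")  # assumed AirInvestigation field name
    return {
        "event_time": record.get("CreationTime"),
        "source": "MDO-AIR",
        "record_type": AIR_RECORD_TYPES[record_type],
        "operation": record.get("Operation"),
        "investigation_id": record.get("InvestigationId"),
        "investigation_type": record.get("InvestigationType"),
        "status": status,
        "needs_analyst": status not in NOISE_STATUSES,
    }


def collect_air_events(tenant_id: str, fetch_json: FetchJson, start: datetime,
                       end: datetime, suppress_noise: bool = True) -> List[dict]:
    """List the Audit.General blobs for the window, fetch each, keep AIR events."""
    events = []
    for blob in fetch_json(content_list_url(tenant_id, "Audit.General", start, end)):
        for record in fetch_json(blob["contentUri"]):
            event = to_siem_event(record)
            if event is None or (suppress_noise and not event["needs_analyst"]):
                continue
            events.append(event)
    return events


# Constructed sample data so the module runs offline (placeholder tenant id).
DEMO_TENANT = "00000000-0000-0000-0000-000000000000"
DEMO_END = datetime(2023, 1, 18, 12, 0, tzinfo=timezone.utc)
DEMO_START = DEMO_END - timedelta(hours=24)
SAMPLE_CONTENT_LIST = [{"contentType": "Audit.General",
                        "contentUri": "sample://blob-1"}]
SAMPLE_BLOBS = {"sample://blob-1": [
    {"RecordType": 64, "CreationTime": "2023-01-18T10:02:11",
     "Operation": "Investigation", "InvestigationId": "inv-0001",
     "InvestigationType": "User-reported phish", "Status": "Pending Action"},
    {"RecordType": 64, "CreationTime": "2023-01-18T10:40:05",
     "Operation": "Investigation", "InvestigationId": "inv-0002",
     "InvestigationType": "User-reported phish", "Status": "No Threats Found"},
    {"RecordType": 28, "CreationTime": "2023-01-18T10:41:00",
     "Operation": "TIMailData"},  # a record from another workload, not AIR
]}


def offline_fetch_json(url: str) -> list:
    """Stand-in for make_http_fetcher() that serves the constructed sample."""
    return SAMPLE_CONTENT_LIST if url.startswith(API_ROOT) else SAMPLE_BLOBS[url]


def demo(suppress_noise: bool = True) -> List[dict]:
    return collect_air_events(DEMO_TENANT, offline_fetch_json,
                              DEMO_START, DEMO_END, suppress_noise)


if __name__ == "__main__":
    for event in demo():
        print(json.dumps(event))
```

To run this against a tenant, start a subscription once with a POST to `.../activity/feed/subscriptions/start?contentType=Audit.General`, then call `collect_air_events` with `make_http_fetcher(token)` in place of `offline_fetch_json`; the `contentUri` values returned by the list call are fetched with the same bearer token. Keep the `suppress_noise` filter adjustable: a SIEM that also tracks closed investigations for metrics will want the unfiltered stream.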

Next steps
Get started using AIR
View pending or completed remediation actions

Review and manage remediation actions in Office 365
Article • 12/09/2022 • 3 minutes to read


Applies to

Microsoft Defender for Office 365 plan 2

As automated investigations on email & collaboration content result in verdicts, such as Malicious or Suspicious, certain remediation actions are created. In Microsoft Defender for Office 365, remediation actions can include:

Soft deleting email messages or clusters
Turning off external mail forwarding

These remediation actions are not taken unless and until your security operations team
approves them. We recommend reviewing and approving any pending actions as soon
as possible so that your automated investigations complete in a timely manner. You
need to be a member of the Search & purge role before taking any actions.

We've added additional checks for duplicate or overlapping investigations with the same
clusters approved multiple times. If the same investigation cluster is already approved in
the previous hour, new duplicate remediation will not be processed again. This behavior
doesn't remove duplicate investigations or investigation evidence - it simply de-
duplicates approved actions to improve remediation processing speed. For the duplicate
approved cluster investigations, you won't see action details in the action center side
panel.

Approve (or reject) pending actions

There are four different ways to find and take auto investigation actions:

Incident queue
Investigation itself (accessed via Incident or from an alert)
Action center
Investigation and remediation investigations queue

Incident queue
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Incidents page at Incidents & alerts > Incidents. To go directly to the Incidents
page, use https://security.microsoft.com/incidents .
2. Filter on Pending action for the Automated investigation state (optional).
3. On the Incidents page, select an incident name to open its summary page.
4. Select the Evidence and Response tab.
5. Select an item in the list to open its flyout pane.
6. Review the information, and then take one of the following steps:

Select the Approve pending action option to initiate a pending action.
Select the Reject pending action option to prevent a pending action from being taken.

Action center
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Action center page by selecting Action center. To go directly to the Action center
page, use https://security.microsoft.com/action-center/pending .
2. On the Action center page, verify that the Pending tab is selected, and then review
the list of actions that are awaiting approval.

Select Open investigation page to view more details about the investigation.
Select Approve to initiate a pending action.
Select Reject to prevent a pending action from being taken.

Investigation and remediation investigations queue
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Threat investigation page at Email & collaboration > Investigations. To go
directly to the Threat investigation page, use
https://security.microsoft.com/airinvestigation .
2. On the Threat investigation page, find and select an item from the list whose status is
Pending action.
3. Click Open in new window on the list item (between ID and Status).
4. In the page that opens, take approve or reject actions.

Change or undo one remediation action

There are two different ways to reconsider submitted actions:

Through the unified action center.
Through the Office action center.

Change or undo through the unified action center
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
unified action center by selecting Action center. To go directly to the unified action
center, use https://security.microsoft.com/action-center/ .
2. On the Action center page, select the History tab, and then select the action that
you want to change or undo.
3. In the pane on the right side of the screen, select the appropriate action (move to
inbox, move to junk, move to deleted items, soft delete, or hard delete).

Change or undo through the Office action center
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Office action center at Email & collaboration > Review > Action center. To go
directly to the Office action center, use
https://security.microsoft.com/threatincidents .
2. On the Action center page, select the appropriate remediation.
3. In the side panel, click on the mail submissions entry and wait for the list to load.
4. Wait for the Action button at the top to enable and select the Action button to
change the action type.
5. This will create the appropriate actions.

Next steps
Use Threat Explorer
Admin/Manual Actions
How to report false positives/negatives in automated investigation and response
capabilities

See also
View details and results of an automated investigation in Office 365

How to report false positives/negatives in automated investigation and response capabilities
Article • 12/22/2022 • 2 minutes to read


Applies to

Microsoft Defender for Office 365 plan 2
Microsoft 365 Defender

If automated investigation and response (AIR) capabilities in Office 365 missed or wrongly detected something, there are steps your security operations team can take to fix it. Such actions include:

Reporting a false positive/negative to Microsoft;
Adjusting alerts (if needed); and
Undoing remediation actions that were taken.

Use this article as a guide.

Report a false positive/negative to Microsoft for analysis

If AIR in Microsoft Defender for Office 365 missed an email message, an email
attachment, a URL in an email message, or a URL in an Office file, you can submit
suspected spam, phish, URLs, and files to Microsoft for Office 365 scanning.

You can also Submit a file to Microsoft for malware analysis .

Adjust an alert to prevent false positives from recurring

If an alert is triggered by legitimate use, or the alert is inaccurate, you can Manage alerts
in the Defender for Cloud Apps portal.

If your organization is using Microsoft Defender for Endpoint in addition to Office 365,
and a file, IP address, URL, or domain is treated as malware on a device, even though it's
safe, you can create a custom indicator with an "Allow" action for your device.

Undo a remediation action

In most cases, if a remediation action was taken on an email message, email attachment,
or URL, and the item is actually not a threat, your security operations team can undo the
remediation action and take steps to prevent the false positive from recurring. You can
either use Threat Explorer or the Actions tab for an investigation to undo an action.

Important

Make sure you have the necessary permissions before attempting to perform the
following tasks.

Undo an action using Threat Explorer

With Threat Explorer, your security operations team can find an email affected by an
action and potentially undo the action.

Scenario: An email message was routed to a user's Junk Email folder
Undo options: Move the message to the user's Deleted Items folder; move the message to the user's Inbox; delete the message
Learn more: Find and investigate malicious email that was delivered in Office 365

Scenario: An email message or a file was quarantined
Undo options: Release the email or file; delete the email or file
Learn more: Manage quarantined messages as an admin

Undo an action in the Action center

In the Action center, you can see remediation actions that were taken and potentially
undo the action.
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Action center by selecting Action center. To go directly to the Action center, use
https://security.microsoft.com/action-center/ .
2. In the Action center, select the History tab to view the list of completed actions.
3. Select an item. Its flyout pane opens.
4. In the flyout pane, select Undo. (Only actions that can be undone will have an
Undo button.)

See also
Microsoft Defender for Office 365
Automated investigations in Microsoft Defender for Office 365

Details and results of an automated investigation in Microsoft 365
Article • 12/22/2022 • 6 minutes to read


Applies to

Microsoft Defender for Office 365 plan 2

When an automated investigation occurs in Microsoft Defender for Office 365, details
about that investigation are available during and after the automated investigation
process. If you have the necessary permissions, you can view those details in the
Microsoft 365 Defender portal. Investigation details provide you with up-to-date status,
and the ability to approve any pending actions.

Tip

Check out the new, unified investigation page in the Microsoft 365 Defender portal.
To learn more, see (NEW!) Unified investigation page.

Investigation status
The investigation status indicates the progress of the analysis and actions. As the
investigation runs, status changes to indicate whether threats were found, and whether
actions have been approved.

Status: Starting
Description: The investigation has been triggered and is waiting to start running.

Status: Running
Description: The investigation process has started and is underway. This state also occurs when pending actions are approved.

Status: No Threats Found
Description: The investigation has finished and no threats (user account, email message, URL, or file) were identified.
TIP: If you suspect something was missed (such as a false negative), you can take action using Threat Explorer.

Status: Partially Investigated
Description: The automated investigation found issues, but there are no specific remediation actions to resolve those issues.
The Partially Investigated status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities:
A data loss prevention event
An email sending anomaly
Sent malware
Sent phish
Note: This Partially Investigated status used to be labeled as Threats Found.
The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation.
TIP: If you suspect something was missed (such as a false negative), you can investigate and take action using Threat Explorer.

Status: Terminated By System
Description: The investigation stopped. An investigation can stop for several reasons:
The investigation's pending actions expired. Pending actions time out after awaiting approval for one week.
There are too many actions. For example, if there are too many users clicking on malicious URLs, it can exceed the investigation's ability to run all the analyzers, so the investigation halts.
TIP: If an investigation halts before actions were taken, try using Threat Explorer to find and address threats.

Status: Pending Action
Description: The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox setting, and an action to remediate that threat is awaiting approval.
The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. View investigation details to see if other items are still pending completion.

Status: Remediated
Description: The investigation finished and all remediation actions were approved (noted as fully remediated).
NOTE: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status doesn't change. View investigation details.

Status: Partially Remediated
Description: The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending.

Status: Failed
Description: At least one investigation analyzer ran into a problem where it couldn't complete properly.
NOTE: If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. View the investigation details.

Status: Queued By Throttling
Description: An investigation is being held in a queue. When other investigations complete, queued investigations begin. Throttling helps avoid poor service performance.
TIP: Pending actions can limit how many new investigations can run. Make sure to approve (or reject) pending actions.

Status: Terminated By Throttling
Description: If an investigation is held in the queue too long, it stops.
TIP: You can start an investigation from Threat Explorer.
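The following Python example, added here and not part of Microsoft's documentation, turns the status semantics in the table above into a triage worklist: Pending Action and Partially Remediated investigations are ranked by how close their pending actions are to the one-week approval timeout, terminated, failed and partially investigated outcomes are routed to a manual hunt in Threat Explorer, and the count of open approvals is reported because a backlog of pending actions can throttle new investigations. The record fields (id, status, pending_since) and the sample investigations are this example's own constructions; the page exposes no API for listing investigations, so feed it whatever your reporting pipeline produces.

```python
"""Build a triage worklist from AIR investigation statuses.
Added example for this page (not Microsoft's code); the input records and
their field names (id, status, pending_since) are this example's own."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

PENDING_TIMEOUT = timedelta(days=7)  # approval window stated in the status table

# status -> (urgency, analyst action); a lower urgency number sorts first
STATUS_RULES: Dict[str, Tuple[int, str]] = {
    "Pending Action": (0, "approve or reject the pending actions"),
    "Partially Remediated": (0, "approve or reject the remaining actions"),
    "Terminated By System": (1, "hunt manually in Threat Explorer"),
    "Terminated By Throttling": (1, "restart the investigation from Threat Explorer"),
    "Failed": (1, "check the details; approved actions may still have succeeded"),
    "Partially Investigated": (2, "review the user activity; no cleanup action is offered"),
    "Queued By Throttling": (3, "clear pending actions to free investigation capacity"),
    "Starting": (4, "wait"),
    "Running": (4, "wait"),
    "Remediated": (5, "closed"),
    "No Threats Found": (5, "closed; check Threat Explorer if a miss is suspected"),
}


def triage(investigations: List[dict], now: datetime) -> List[dict]:
    """Return one worklist item per investigation, most urgent first."""
    worklist = []
    for inv in investigations:
        status = inv["status"]
        if status not in STATUS_RULES:
            raise ValueError(f"unknown AIR status: {status!r}")
        urgency, action = STATUS_RULES[status]
        item = {"id": inv["id"], "status": status, "urgency": urgency,
                "action": action, "hours_until_expiry": None}
        pending_since: Optional[datetime] = inv.get("pending_since")
        if urgency == 0 and pending_since is not None:
            remaining = pending_since + PENDING_TIMEOUT - now
            item["hours_until_expiry"] = remaining / timedelta(hours=1)
            if remaining <= timedelta(0):
                # Expired approvals end the investigation (Terminated By
                # System), so the remaining work is a manual hunt.
                item["urgency"] = 1
                item["action"] = ("pending actions expired; hunt manually "
                                  "in Threat Explorer")
        worklist.append(item)
    worklist.sort(key=lambda i: (i["urgency"], float("inf")
                                 if i["hours_until_expiry"] is None
                                 else i["hours_until_expiry"]))
    return worklist


def open_pending_count(worklist: List[dict]) -> int:
    """Investigations still holding approvals; a backlog throttles new runs."""
    return sum(1 for item in worklist if item["urgency"] == 0)


# Constructed sample: statuses and pending-since times are made up.
DEMO_NOW = datetime(2023, 1, 18, 12, 0, tzinfo=timezone.utc)
DEMO_INVESTIGATIONS = [
    {"id": "inv-a", "status": "Pending Action",
     "pending_since": DEMO_NOW - timedelta(days=6, hours=20)},   # 4 h left
    {"id": "inv-b", "status": "Pending Action",
     "pending_since": DEMO_NOW - timedelta(days=1)},             # 6 days left
    {"id": "inv-c", "status": "Remediated"},
    {"id": "inv-d", "status": "Terminated By System"},
    {"id": "inv-e", "status": "Partially Remediated",
     "pending_since": DEMO_NOW - timedelta(days=8)},             # expired
]


def demo() -> List[dict]:
    return triage(DEMO_INVESTIGATIONS, DEMO_NOW)


if __name__ == "__main__":
    for item in demo():
        print(f'{item["urgency"]} {item["id"]:6} {item["status"]:24} {item["action"]}')
    print("open pending:", open_pending_count(demo()))
```

The worklist puts the approval closest to its one-week expiry first; an investigation whose approvals have already lapsed is re-ranked with the terminated ones, since the table says its pending actions will not be taken and the remaining work is a hunt in Threat Explorer.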

View details of an investigation

1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com ) and
sign in.
2. In the navigation pane, select Actions & submissions > Action center.
3. On either the Pending or History tabs, select an action. Its flyout pane opens.
4. In the flyout pane, select Open investigation page.
5. Use the various tabs to learn more about the investigation.

View details about an alert related to an investigation

Certain kinds of alerts trigger automated investigation in Microsoft 365. To learn more,
see alert policies that trigger automated investigations.

1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com ) and
sign in.
2. In the navigation pane, select Action center.
3. On either the Pending or History tabs, select an action. Its flyout pane opens.
4. In the flyout pane, select Open investigation page.
5. Select the Alerts tab to view a list of all of the alerts associated with that
investigation.
6. Select an item in the list to open its flyout pane. There, you can view more
information about the alert.

Keep the following points in mind

Email counts are calculated at the time of the investigation, and some counts are
recalculated when you open investigation flyouts (based on an underlying query).

The email counts shown for the email clusters on the Email tab and the email
quantity value shown on cluster flyout are calculated at the time of investigation,
and don't change.

The email count shown at the bottom of the Email tab of the email cluster flyout
and the count of email messages shown in Explorer reflect email messages
received after the investigation's initial analysis.

Thus, an email cluster that shows an original quantity of 10 email messages would
show an email list total of 15 when five more email messages arrive between the
investigation analysis phase and when the admin reviews the investigation.
Likewise, old investigations might start showing higher counts than Explorer
queries show, because data in Microsoft Defender for Office 365 Plan 2 expires
after seven days for trials and after 30 days for paid licenses.

Showing both historical and current counts in different views is done to
indicate the email impact at the time of investigation and the current impact up
until the time that remediation is run.

In the context of email, you might see a volume anomaly threat surface as part of
the investigation. A volume anomaly indicates a spike in similar email messages
around the investigation event time compared to earlier timeframes. A spike in
email traffic together with certain characteristics (for example, subject and sender
domain, body similarity, and sender IP) is typical of the start of email campaigns or
attacks. However, bulk, spam, and legitimate email campaigns commonly share
these characteristics.

Volume anomalies represent a potential threat, and accordingly could be less severe compared to malware or phish threats that are identified using anti-virus engines, detonation, or malicious reputation.

You don't have to approve every action. If you don't agree with the recommended
action or your organization doesn't choose certain types of actions, then you can
choose to Reject the actions or simply ignore them and take no action.

Approving and/or rejecting all actions lets the investigation fully close (status
becomes remediated), while leaving some actions incomplete results in the
investigation status changing to a partially remediated state.

Next steps
Review and approve pending actions

Remediation actions in Microsoft Defender for Office 365
Article • 12/22/2022 • 3 minutes to read


Applies to

Microsoft Defender for Office 365 plan 2
Microsoft 365 Defender

Remediation actions

Threat protection features in Microsoft Defender for Office 365 include certain remediation actions. Such remediation actions can include:

Soft delete email messages or clusters
Block URL (time-of-click)
Turn off external mail forwarding
Turn off delegation

In Microsoft Defender for Office 365, remediation actions are not taken automatically.
Instead, remediation actions are taken only upon approval by your organization's
security operations team.

Threats and remediation actions

Microsoft Defender for Office 365 includes remediation actions to address various
threats. Automated investigations often result in one or more remediation actions to
review and approve. In some cases, an automated investigation does not result in a
specific remediation action. To further investigate and take appropriate actions, use the
guidance in the following table.

Category: Email
Threat/risk: Malware
Remediation action(s): Soft delete email/cluster. If more than a handful of email messages in a cluster contain malware, the cluster is considered to be malicious.

Category: Email
Threat/risk: Malicious URL (A malicious URL was detected by Safe Links.)
Remediation action(s): Soft delete email/cluster; Block URL (time-of-click verification). Email that contains a malicious URL is considered to be malicious.

Category: Email
Threat/risk: Phish
Remediation action(s): Soft delete email/cluster. If more than a handful of email messages in a cluster contain phishing attempts, the whole cluster is considered a phishing attempt.

Category: Email
Threat/risk: Zapped phish (Email messages were delivered and then zapped.)
Remediation action(s): Soft delete email/cluster. Reports are available to view zapped messages. See if ZAP moved a message and FAQs.

Category: Email
Threat/risk: Missed phish email reported by a user
Remediation action(s): Automated investigation triggered by the user's report.

Category: Email
Threat/risk: Volume anomaly (Recent email quantities exceed the previous 7-10 days for matching criteria.)
Remediation action(s): Automated investigation does not result in a specific pending action. Volume anomaly is not a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days. Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. See Find suspicious email that was delivered.

Category: Email
Threat/risk: No threats found (The system did not find any threats based on files, URLs, or analysis of email cluster verdicts.)
Remediation action(s): Automated investigation does not result in a specific pending action. Threats found and zapped after an investigation is complete are not reflected in an investigation's numerical findings, but such threats are viewable in Threat Explorer.

Category: User
Threat/risk: A user clicked a malicious URL (A user navigated to a page that was later found to be malicious, or a user bypassed a Safe Links warning page to get to a malicious page.)
Remediation action(s): Automated investigation does not result in a specific pending action. Block URL (time-of-click). Use Threat Explorer to view data about URLs and click verdicts. If your organization is using Microsoft Defender for Endpoint, consider investigating the user to determine if their account is compromised.

Category: User
Threat/risk: A user is sending malware/phish
Remediation action(s): Automated investigation does not result in a specific pending action. The user might be reporting malware/phish, or someone could be spoofing the user as part of an attack. Use Threat Explorer to view and handle email containing malware or phish.

Category: User
Threat/risk: Email forwarding (Mailbox forwarding rules are configured, which could be used for data exfiltration.)
Remediation action(s): Remove forwarding rule. Use the Autoforwarded messages report to view specific details about forwarded email.

Category: User
Threat/risk: Email delegation rules (A user's account has delegations set up.)
Remediation action(s): Remove delegation rule. If your organization is using Microsoft Defender for Endpoint, consider investigating the user who's getting the delegation permission.

Category: User
Threat/risk: Data exfiltration (A user violated email or file-sharing DLP policies.)
Remediation action(s): Automated investigation does not result in a specific pending action. View DLP reports and take action.

Category: User
Threat/risk: Anomalous email sending (A user recently sent more email than during the previous 7-10 days.)
Remediation action(s): Automated investigation does not result in a specific pending action. Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use the New users forwarding email insight in the EAC and the Outbound message report in the EAC to determine what's going on and take action.

Next steps
View details and results of an automated investigation in Microsoft Defender for
Office 365
View pending or completed remediation actions following an automated
investigation in Microsoft Defender for Office 365

Related articles
Learn about automated investigation in Microsoft Defender for Endpoint
Learn about capabilities in Microsoft 365 Defender
Review and manage remediation actions
in Office 365
Article • 12/09/2022 • 3 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to

Microsoft Defender for Office 365 plan 2

As automated investigations on email & collaboration content result in verdicts, such as


Malicious or Suspicious, certain remediation actions are created. In Microsoft Defender
for Office 365, remediation actions can include:

Soft deleting email messages or clusters


Turning off external mail forwarding

These remediation actions are not taken unless and until your security operations team
approves them. We recommend reviewing and approving any pending actions as soon
as possible so that your automated investigations complete in a timely manner. You
need to be part of Search & purge role before taking any actions.

We've added additional checks for duplicate or overlapping investigations with the same
clusters approved multiple times. If the same investigation cluster is already approved in
the previous hour, new duplicate remediation will not be processed again. This behavior
doesn't remove duplicate investigations or investigation evidence - it simply de-
duplicates approved actions to improve remediation processing speed. For the duplicate
approved cluster investigations, you won't see action details in the action center side
panel.

Approve (or reject) pending actions


There are four different ways to find and take auto investigation actions:

Incident queue
Investigation itself (accessed via Incident or from an alert)
Action center
Investigation and remediation investigations queue

Incident queue
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Incidents page at Incidents & alerts > Incidents. To go directly to the Incidents
page, use https://security.microsoft.com/incidents .
2. Filter on Pending action for the Automated investigation state (optional).
3. On the Incidents page, select an incident name to open its summary page.
4. Select the Evidence and Response tab.
5. Select an item in the list to open its flyout pane.
6. Review the information, and then take one of the following steps:

Select the Approve pending action option to initiate a pending action.


Select the Reject pending action option to prevent a pending action from
being taken.

Action center
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Action center page by selecting Action center. To go directly to the Action center
page, use https://security.microsoft.com/action-center/pending .
2. On the Action center page, verify that the Pending tab is selected, and then review
the list of actions that are awaiting approval.

Select Open investigation page to view more details about the investigation.
Select Approve to initiate a pending action.
Select Reject to prevent a pending action from being taken.

Investigation and remediation investigations queue
1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the
Threat investigation page at Email & collaboration > Investigations. To go
directly to the Threat investigation page, use
https://security.microsoft.com/airinvestigation.
2. On the Threat investigation page, find an item in the list whose status is
Pending action.
3. Click Open in new window on the list item (between ID and Status).
4. In the page that opens, approve or reject the pending actions.

Change or undo one remediation action


There are two different ways to reconsider submitted actions:

Through the unified action center.

Through the Office action center.

Change or undo through the unified action center
1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the
unified action center by selecting Action center. To go directly to the unified action
center, use https://security.microsoft.com/action-center/.
2. On the Action center page, select the History tab, and then select the action that
you want to change or undo.
3. In the pane on the right side of the screen, select the appropriate action (move to
inbox, move to junk, move to deleted items, soft delete, or hard delete).

Change or undo through the Office action center
1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the
Office action center at Email & collaboration > Review > Action center. To go
directly to the Office action center, use
https://security.microsoft.com/threatincidents.
2. On the Action center page, select the appropriate remediation.
3. In the side panel, click on the mail submissions entry and wait for the list to load.
4. Wait for the Action button at the top to enable and select the Action button to
change the action type.
5. This will create the appropriate actions.

Next steps
Use Threat Explorer
Admin/Manual Actions
How to report false positives/negatives in automated investigation and response
capabilities
See also
View details and results of an automated investigation in Office 365
Address compromised user accounts with automated investigation and response
Article • 12/22/2022 • 3 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection


Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Microsoft Defender for Office 365 Plan 2 includes powerful automated investigation and
response (AIR) capabilities. Such capabilities can save your security operations team a
lot of time and effort dealing with threats. This article describes one of the facets of the
AIR capabilities, the compromised user security playbook.

The compromised user security playbook enables your organization's security team to:

Speed up detection of compromised user accounts;


Limit the scope of a breach when an account is compromised; and
Respond to compromised users more effectively and efficiently.

Compromised user alerts


When a user account is compromised, atypical or anomalous behaviors occur. For
example, phishing and spam messages might be sent internally from a trusted user
account. Defender for Office 365 can detect such anomalies in email patterns and
collaboration activity within Office 365. When this happens, alerts are triggered, and the
threat mitigation process begins.
Investigate and respond to a compromised user
When a user account is compromised, alerts are triggered. And in some cases, that user
account is blocked and prevented from sending any further email messages until the
issue is resolved by your organization's security operations team. In other cases, an
automated investigation begins which can result in recommended actions that your
security team should take.

View and investigate restricted users

View details about automated investigations

Important

You must have appropriate permissions to perform the following tasks. See
Required permissions to use AIR capabilities.

Watch this short video to learn how you can detect and respond to user compromise in
Microsoft Defender for Office 365 using Automated Investigation and Response (AIR)
and compromised user alerts.

View and investigate restricted users


You have a few options for navigating to a list of restricted users. For example, in the
Microsoft 365 Defender portal, you can go to Email & collaboration > Review >
Restricted Users. The following procedure describes navigation using the Alerts
dashboard, which is a good way to see various kinds of alerts that might have been
triggered.

1. Open the Microsoft 365 Defender portal at https://security.microsoft.com and
go to Incidents & alerts > Alerts. Or, to go directly to the Alerts page, use
https://security.microsoft.com/alerts.

2. On the Alerts page, filter the results by time period and the policy named User
restricted from sending email.


3. If you select the entry by clicking on the name, a User restricted from sending
email page opens with additional details for you to review. Next to the Manage
alert button, you can click More options and then select View restricted user
details to go to the Restricted users page, where you can release the restricted
user.

View details about automated investigations


When an automated investigation has begun, you can see its details and results in the
Action center in the Microsoft 365 Defender portal.

To learn more, see View details of an investigation.

Keep the following points in mind


Stay on top of your alerts. As you know, the longer a compromise goes
undetected, the larger the potential for widespread impact and cost to your
organization, customers, and partners. Early detection and timely response are
critical to mitigate threats, and especially when a user's account is compromised.

Automation assists your security operations team. Automated investigation and
response capabilities can detect a compromised user early on and enable your
security operations team to take action to remediate the threat. Need some help
with this? See Review and approve actions.

Next steps
Review the required permissions to use AIR capabilities

Find and investigate malicious email in Office 365

Learn about AIR in Microsoft Defender for Endpoint

Visit the Microsoft 365 Roadmap to see what's coming soon and rolling out
Custom or third-party reporting solutions for Microsoft Defender for Office 365
Article • 12/22/2022 • 2 minutes to read


Applies to

Microsoft Defender for Office 365 plan 2


Microsoft 365 Defender

With Microsoft Defender for Office 365, you get detailed information about automated
investigations. However, some organizations also use a custom or third-party reporting
solution. If your organization wants to integrate information about automated
investigations with such a solution, you can use the Office 365 Management Activity API.

Resource: Office 365 Management APIs overview
The Office 365 Management Activity API provides information about various user, admin,
system, and policy actions and events from Microsoft 365 and Azure Active Directory
activity logs.

Resource: Get started with Office 365 Management APIs
The Office 365 Management API uses Azure AD to provide authentication services for your
application to access Microsoft 365 data. Follow the steps in this article to set this up.

Resource: Office 365 Management Activity API reference
You can use the Office 365 Management Activity API to retrieve information about user,
admin, system, and policy actions and events from Microsoft 365 and Azure AD activity
logs. Read this article to learn more about how this works.

Resource: Office 365 Management Activity API schema
Get an overview of the Common schema and the Defender for Office 365 and threat
investigation and response schema to learn about specific kinds of data available
through the Office 365 Management Activity API.
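The following added example (not Microsoft's code) shows the shape of a reporting integration through the Office 365 Management Activity API: acquire a token, start the Audit.General subscription, list content blobs for a window, and keep only the automated-investigation records. It assumes an Azure AD app registration with the ActivityFeed.Read application permission and placeholder tenant ID, client ID and secret; the sample records are constructed.

```python
"""Pull AIR investigation records from the Office 365 Management Activity API.

Added example, not Microsoft's code. Assumes an Azure AD app registration that
holds the ActivityFeed.Read application permission, and a tenant ID, client ID
and client secret that you supply.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
FEED_URL = "https://manage.office.com/api/v1.0/{tenant}/activity/feed/"
CONTENT_TYPE = "Audit.General"   # AIR records are delivered in this content type
AIR_RECORD_TYPE = 64             # AirInvestigation in the Management Activity API schema


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token scoped to https://manage.office.com."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://manage.office.com/.default",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant_id), body) as resp:
        return json.load(resp)["access_token"]


def _call(url, token, method="GET"):
    req = urllib.request.Request(
        url, data=b"" if method == "POST" else None,
        headers={"Authorization": "Bearer " + token}, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def start_subscription(tenant_id, token):
    """A subscription per content type must be started before content is listed."""
    url = (FEED_URL.format(tenant=tenant_id) + "subscriptions/start?"
           + urllib.parse.urlencode({"contentType": CONTENT_TYPE}))
    try:
        return _call(url, token, method="POST")
    except urllib.error.HTTPError as err:
        if err.code != 400:      # assumed: an already-enabled subscription answers 400
            raise
        return None


def list_content(tenant_id, token, start, end):
    """Content blobs (contentUri, contentCreated, ...) available in [start, end]."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    query = urllib.parse.urlencode({"contentType": CONTENT_TYPE,
                                    "startTime": start.strftime(fmt),
                                    "endTime": end.strftime(fmt)})
    return _call(FEED_URL.format(tenant=tenant_id) + "subscriptions/content?" + query, token)


def air_investigations(records):
    """Keep only AIR records and flatten the fields a reporting tool needs."""
    rows = []
    for rec in records:
        if rec.get("RecordType") != AIR_RECORD_TYPE:
            continue
        rows.append({"id": rec.get("InvestigationId"),
                     "name": rec.get("InvestigationName"),
                     "status": rec.get("Status"),
                     "created": rec.get("CreationTime")})
    return rows


def status_counts(records):
    """Investigations per status, e.g. how many are still awaiting approval."""
    counts = {}
    for row in air_investigations(records):
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


# Constructed sample of what one content blob returns (all values made up).
SAMPLE_RECORDS = [
    {"CreationTime": "2022-12-01T10:15:00", "Id": "rec-1", "RecordType": 64,
     "Workload": "SecurityComplianceCenter", "InvestigationId": "inv-0001",
     "InvestigationName": "Zapped phish email", "Status": "Pending Action"},
    {"CreationTime": "2022-12-01T10:16:00", "Id": "rec-2", "RecordType": 15,
     "Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn"},
    {"CreationTime": "2022-12-01T10:20:00", "Id": "rec-3", "RecordType": 64,
     "Workload": "SecurityComplianceCenter", "InvestigationId": "inv-0002",
     "InvestigationName": "User restricted from sending email", "Status": "Remediated"},
]


def pull_last_24h(tenant_id, client_id, client_secret):
    """End-to-end fetch: token, subscription, blob listing, records filtered to AIR."""
    token = get_token(tenant_id, client_id, client_secret)
    start_subscription(tenant_id, token)
    end = datetime.now(timezone.utc)
    rows = []
    for blob in list_content(tenant_id, token, end - timedelta(hours=24), end):
        rows.extend(air_investigations(_call(blob["contentUri"], token)))
    return rows


if __name__ == "__main__":
    print(json.dumps(air_investigations(SAMPLE_RECORDS), indent=2))
    print(status_counts(SAMPLE_RECORDS))
```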

See also
Microsoft Defender for Office 365
Automated investigation and response in Microsoft 365 Defender
Email analysis in investigations for Microsoft Defender for Office 365
Article • 11/22/2022 • 6 minutes to read


Applies to

Microsoft Defender for Office 365 plan 2


Microsoft 365 Defender

During the automated investigation of alerts, Microsoft Defender for Office 365 analyzes
the original email for threats and identifies other emails that are related to the original
email and potentially part of an attack. This analysis is important because email attacks
rarely consist of a single email.

The automated investigation's email analysis identifies email clusters using attributes
from the original email to query for emails sent and received by your organization. This
is similar to how a security operations analyst would hunt for the related emails in
Explorer or Advanced Hunting. Several queries are used to identify matching emails
because attackers typically morph the email parameters to avoid security detection. The
clustering analysis performs these checks to determine how to handle emails involved in
the investigation:

The email analysis creates queries (clusters) of emails using attributes from the
original email – sender values (IP address, sender domain) and contents (subject,
cluster ID) in order to find emails that might be related.
If analysis of the original email's URLs and files identifies that some are malicious
(that is, malware or phish), then it will also create queries or clusters of emails
containing the malicious URL or file.
Email clustering analysis counts the threats associated with the similar emails in the
cluster to determine whether the emails are malicious, suspicious, or have no clear
threats. If the cluster of emails matching the query has a sufficient amount of
spam, normal phish, high confidence phish or malware threats, the email cluster
gets that threat type applied to it.
The email clustering analysis also checks the latest delivery location of the original
email and emails in the email clusters to help identify if the emails potentially still
need removal or have already been remediated or prevented. This analysis is
important because attackers morph malicious content plus security policies and
protection may vary between mailboxes. This capability leads to situations where
malicious content may still sit in mailboxes, even though one or more malicious
emails have been prevented or detected and removed by zero-hour auto purge
(ZAP).
Email clusters that are considered malicious due to malware, high confidence
phish, malicious files, or malicious URL threats will get a pending action to soft
delete the emails when the emails are still in the cloud mailbox (inbox or junk
folder). If malicious emails or email clusters are only "Not In Mailbox" (blocked,
quarantined, failed, soft deleted, etc.) or "On-premises/External" with none in the
cloud mailbox, then no pending action will be set up to remove them.
If any of the email clusters are determined to be malicious, then the threat
identified by the cluster will get applied back to the original email involved in the
investigation. This behavior is similar to a security operations analyst using email
hunting results to determine the verdict of an original email based on similar
emails. This result ensures that regardless of whether an original email's URLs, files,
or source email indicators are detected or not, the system can identify malicious
emails that are potentially evading detection through personalization, morphing,
evasion, or other attacker techniques.
In the user compromise investigation, additional email clusters are created to
identify potential email issues created by the mailbox. This process includes a clean
email cluster (good emails from user, potential data exfiltration, and potential
command/control emails), suspicious email clusters (emails containing spam or
normal phish) and malicious email clusters (emails containing malware or high
confidence phish). These email clusters provide security operations analysts data to
determine what other problems may need to be addressed from a compromise,
and visibility on which emails may have triggered the original alerts (for example,
phish/spam that triggered user sending restrictions)

Email clustering analysis via similarity and malicious entity queries ensures that email
problems are fully identified and cleaned up, even if only one email from an attack gets
identified. You can use links from the email cluster details side panel views to open the
queries in Explorer or Advanced Hunting to perform deeper analysis and change the
queries if needed. This capability enables manual refinement and remediation if you find
the email cluster's queries too narrow or too broad (including unrelated emails).

Here are additional enhancements to email analysis in investigations.


AIR investigation ignores advanced delivery items (SecOps mailbox and PhishEDU messages)
During the email clustering analysis, all clustering queries will ignore security mailboxes
set up as Security Operations mailboxes in the Advanced Delivery policy. Similarly, the
email clustering queries will ignore phish simulation (education) messages that are
configured in the Advanced Delivery policy. Neither the SecOps nor the PhishEdu
exclusion values are shown in the query to keep the clustering attributes simple and
easy to read. This exclusion ensures that threat intelligence and operational mailboxes
(SecOps mailboxes) and the phish simulations (PhishEdu) are ignored during threat
analysis and do not get removed during any remediation.

Note

When opening an email cluster to view it in Explorer from the email cluster details,
the PhishEdu and SecOps mailbox filters will be applied in Explorer but will not be
shown. If you change the Explorer filters, dates, or refresh the query within the page
– then the PhishEdu/SecOps filter exclusions will get removed and emails that
match these will be shown once again. If you refresh the Explorer page using the
browser refresh function, the original query filters will get re-loaded, including the
PhishEdu/SecOps filters – but removing any subsequent changes you had made.

AIR updates pending email action status


The investigation email analysis calculates email threats and locations at the time of the
investigation to create the investigation evidence and actions. This data can get stale
and outdated when actions outside of the investigation affect the emails involved in the
investigation. For example, security operations manual hunting and remediation may
clean up emails included in an investigation. Likewise, deletion actions approved in
parallel investigations or Zero-hour auto purge (ZAP) automatic quarantine actions may
have removed emails. In addition, delayed detections of threats after email delivery may
change the number of threats included in the investigation's email queries/clusters.

To ensure investigation actions are up to date, any investigation that has pending
actions will periodically re-run the email analysis queries to update the email locations
and threats.
When the email cluster data changes, it will update the threat and latest delivery
location counts.
If emails or email cluster with pending actions no longer are in the mailbox, then
the pending action will be canceled, and the malicious email/cluster considered
remediated.
Once all the investigation's threats have been remediated or canceled as noted
above, then the investigation will transition to a remediated state and the original
alert resolved.
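The clustering checks listed earlier and the periodic re-run described above, as one added example (not Defender for Office 365 code): build a cluster from the original email's attributes, derive the verdict, decide whether a soft-delete action is pending, and re-check the action once delivery locations change. The attribute matching, the threshold standing in for "a sufficient amount" of threats, and the sample mail flow are assumptions constructed here.

```python
"""Model of the AIR email-cluster decisions: cluster, verdict, pending action,
and the re-check that cancels the action once nothing is left in the mailbox.

Added example, not Defender for Office 365 code. Matching rules and the
threshold are assumptions; the sample mail flow is constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

MALICIOUS = {"malware", "high confidence phish", "malicious url", "malicious file"}
SUSPICIOUS = {"spam", "phish"}
IN_MAILBOX = {"inbox", "junk"}           # cloud mailbox: AIR can still act on these
ON_PREM = {"on-premises/external"}       # everything else counts as "not in mailbox"


@dataclass
class Email:
    msg_id: str
    sender_ip: str
    sender_domain: str
    subject: str
    threats: set = field(default_factory=set)   # verdicts already attached to the email
    location: str = "inbox"                     # latest delivery location


def find_cluster(original, mailflow):
    """One query per attribute of the original email (sender IP, sender domain,
    subject); an email matching any of them joins the cluster (assumed OR)."""
    keys = ("sender_ip", "sender_domain", "subject")
    return [e for e in mailflow
            if any(getattr(e, k) == getattr(original, k) for k in keys)]


def cluster_verdict(cluster, threshold=1):
    """Malicious outranks Suspicious; threshold is the assumed minimum threat count."""
    counts = Counter(t for e in cluster for t in e.threats)
    if sum(counts[t] for t in MALICIOUS) >= threshold:
        return "Malicious"
    if sum(counts[t] for t in SUSPICIOUS) >= threshold:
        return "Suspicious"
    return "No threats found"


def location_counts(cluster):
    """The three counters shown on the incident evidence tab."""
    counts = {"in mailbox": 0, "not in mailbox": 0, "on-premises": 0}
    for e in cluster:
        if e.location in IN_MAILBOX:
            counts["in mailbox"] += 1
        elif e.location in ON_PREM:
            counts["on-premises"] += 1
        else:                                # blocked, quarantined, failed, soft deleted
            counts["not in mailbox"] += 1
    return counts


def pending_action(cluster, verdict):
    """Only Malicious clusters get an action, and only while mail is still in a cloud mailbox."""
    if verdict != "Malicious" or location_counts(cluster)["in mailbox"] == 0:
        return None
    return "soft delete"


def apply_verdict_to_original(original, cluster, verdict):
    """A Malicious cluster's threats are applied back to the original email, even
    when its own URLs, files and sender indicators were never detected."""
    if verdict == "Malicious":
        original.threats |= {t for e in cluster for t in e.threats if t in MALICIOUS}
    return original.threats


def refresh(cluster, action):
    """Periodic re-run while an action is pending: if nothing is left in the mailbox
    (manual cleanup, ZAP, a parallel investigation) the action is canceled and the
    cluster is considered remediated."""
    if action and location_counts(cluster)["in mailbox"] == 0:
        return None, "remediated"
    return action, ("pending action" if action else "remediated")


# Constructed sample: a phish whose own indicators were not detected, plus mail flow.
ORIGINAL = Email("m1", "203.0.113.9", "invoices-example.test", "Invoice 4471 overdue")
MAILFLOW = [
    ORIGINAL,
    Email("m2", "203.0.113.9", "invoices-example.test", "Invoice 4472 overdue",
          {"high confidence phish"}, "quarantined"),
    Email("m3", "198.51.100.7", "invoices-example.test", "Invoice 4471 overdue",
          {"high confidence phish"}, "junk"),
    Email("m4", "192.0.2.55", "partner.example", "Lunch on Friday?", set(), "inbox"),
]


def run_investigation(original=ORIGINAL, mailflow=MAILFLOW):
    """Cluster, verdict and pending action for one original email."""
    cluster = find_cluster(original, mailflow)
    verdict = cluster_verdict(cluster)
    action = pending_action(cluster, verdict)
    apply_verdict_to_original(original, cluster, verdict)
    return cluster, verdict, action


if __name__ == "__main__":
    cluster, verdict, action = run_investigation()
    print(verdict, action, location_counts(cluster), ORIGINAL.threats)
```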

The display of incident evidence for email and email clusters
Email-based evidence in the Evidence and Response tab for an incident now displays
the following information.

From the numbered callouts in the figure:

1. You can perform remediation actions, in addition to the Action Center.

2. You can take remediation action for email clusters with a Malicious verdict (but not
Suspicious).

3. For the email spam verdict, phishing is split into high confidence and normal phish.

For a Malicious verdict, the threat categories are malware, high confidence phish,
malicious URL, and malicious file.

For a Suspicious verdict, the threat categories are spam and normal phish.
4. The email count is based on the latest delivery location and includes counters for
email in mailboxes, not in mailboxes, and on-premises.

5. Includes the date and time of the query, which might get updated for latest data.

For email or email clusters in the Entities tab of an investigation, Prevented means that
there were no malicious emails in the mailbox for this item (mail or cluster). Here is an
example.

In this example, the email is malicious but not in a mailbox.

Next steps
View pending or completed remediation actions
Recover from a ransomware attack in Microsoft 365
Article • 12/10/2022 • 5 minutes to read

Applies to

Exchange Online Protection


Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Even if you take every precaution to protect your organization, you can still fall victim to
a ransomware attack. Ransomware is big business, and in today's threat landscape
Microsoft 365 is an ever-increasing target for sophisticated attacks.

The steps in this article will give you the best chance to recover data and stop the
internal spread of infection. Before you get started, consider the following items:

There's no guarantee that paying the ransom will return access to your files. In fact,
paying the ransom can make you a target for more ransomware.

If you already paid, but you recovered without using the attacker's solution,
contact your bank to see if they can block the transaction.

We also recommend that you report the ransomware attack to law enforcement,
scam reporting websites, and Microsoft as described later in this article.

It's important for you to respond quickly to the attack and its consequences. The
longer you wait, the less likely it is that you can recover the affected data.

Step 1: Verify your backups


If you have offline backups, you can probably restore the encrypted data after you've
removed the ransomware payload (malware) from your environment and after you've
verified that there's no unauthorized access in your Microsoft 365 environments.

If you don't have backups, or if your backups were also affected by the ransomware, you
can skip this step.

Step 2: Disable Exchange ActiveSync and OneDrive sync
The key point here is to stop the spread of data encryption by the ransomware.

If you suspect email as a target of the ransomware encryption, temporarily disable user
access to mailboxes. Exchange ActiveSync synchronizes data between devices and
Exchange Online mailboxes.

To disable Exchange ActiveSync for a mailbox, see How to disable Exchange ActiveSync
for users in Exchange Online.

To disable other types of access to a mailbox, see:

Enable or disable MAPI for a mailbox.

Enable or Disable POP3 or IMAP4 access for a user

Pausing OneDrive sync will help protect your cloud data from being updated by
potentially infected devices. For more information, see How to Pause and Resume sync
in OneDrive.

Step 3: Remove the malware from the affected devices
Run a full, current antivirus scan on all suspected computers and devices to detect and
remove the payload that's associated with the ransomware.

Don't forget to scan devices that are synchronizing data, or the targets of mapped
network drives.

You can use Windows Defender or (for older clients) Microsoft Security Essentials.

An alternative that will also help you remove ransomware or malware is the Malicious
Software Removal Tool (MSRT).

If these options don't work, you can try Windows Defender Offline or Troubleshoot
problems with detecting and removing malware.

Step 4: Recover files on a cleaned computer or device
After you've completed the previous step to remove the ransomware payload from your
environment (which will prevent the ransomware from encrypting or removing your
files), you can use File History in Windows 11, Windows 10, and Windows 8.1, or System
Protection in Windows 7, to attempt to recover your local files and folders.
Notes:

Some ransomware will also encrypt or delete the backup versions, so you can't use
File History or System Protection to restore files. If that happens, you need to use
backups on external drives or devices that were not affected by the ransomware, or
OneDrive as described in the next section.

If a folder is synchronized to OneDrive and you aren't using the latest version of
Windows, there might be some limitations using File History.

Step 5: Recover your files in your OneDrive for Business
Files Restore in OneDrive for Business allows you to restore your entire OneDrive to a
previous point in time within the last 30 days. For more information, see Restore your
OneDrive.

Step 6: Recover deleted email


In the rare case that the ransomware deleted all your email, you can probably recover
the deleted items. For more information, see:

Recover deleted messages in a user's mailbox

Recover deleted items in Outlook for Windows

Step 7: Re-enable Exchange ActiveSync and OneDrive sync
After you've cleaned your computers and devices and recovered your data, you can re-
enable Exchange ActiveSync and OneDrive sync that you previously disabled in Step 2.

Step 8 (Optional): Block OneDrive sync for specific file extensions
After you've recovered, you can prevent OneDrive for Business clients from
synchronizing the file types that were affected by this ransomware. For more
information, see Set-SPOTenantSyncClientRestriction.

Report the attack

Contact law enforcement


You should contact your local or federal law enforcement agencies. For example, if you
are in the United States you can contact the FBI local field office, IC3, or the Secret
Service.

Submit a report to your country's scam reporting website


Scam reporting websites provide information about how to prevent and avoid scams.
They also provide mechanisms to report if you were victim of scam.

Australia: SCAMwatch

Canada: Canadian Anti-Fraud Centre

France: Agence nationale de la sécurité des systèmes d'information

Germany: Bundesamt für Sicherheit in der Informationstechnik

Ireland: An Garda Síochána

New Zealand: Consumer Affairs Scams

Switzerland: Nationales Zentrum für Cybersicherheit NCSC

United Kingdom: Action Fraud

United States: On Guard Online

If your country isn't listed, ask your local or federal law enforcement agencies.

Submit email messages to Microsoft


You can report phishing messages that contain ransomware by using one of several
methods. For more information, see Report messages and files to Microsoft.

Additional ransomware resources


Key information from Microsoft:

The growing threat of ransomware, Microsoft On the Issues blog post on July 20,
2021
Human-operated ransomware
Rapidly protect against ransomware and extortion
2021 Microsoft Digital Defense Report (see pages 10-19)
Ransomware: A pervasive and ongoing threat threat analytics report in the
Microsoft 365 Defender portal

Microsoft 365:

Deploy ransomware protection for your Microsoft 365 tenant


Maximize Ransomware Resiliency with Azure and Microsoft 365
Malware and ransomware protection
Protect your Windows PC from ransomware
Handling ransomware in SharePoint Online
Threat analytics reports for ransomware in the Microsoft 365 Defender portal

Microsoft 365 Defender:

Find ransomware with advanced hunting

Microsoft Azure:

Azure Defenses for Ransomware Attack


Maximize Ransomware Resiliency with Azure and Microsoft 365
Backup and restore plan to protect against ransomware
Help protect from ransomware with Microsoft Azure Backup (26 minute video)
Recovering from systemic identity compromise
Advanced multistage attack detection in Microsoft Sentinel
Fusion Detection for Ransomware in Microsoft Sentinel

Microsoft Defender for Cloud Apps:

Create anomaly detection policies in Defender for Cloud Apps

Microsoft Security team blog posts:

3 steps to prevent and recover from ransomware (September 2021)

A guide to combatting human-operated ransomware: Part 1 (September 2021)

Key steps on how Microsoft's Detection and Response Team (DART) conducts
ransomware incident investigations.

A guide to combatting human-operated ransomware: Part 2 (September 2021)

Recommendations and best practices.


Becoming resilient by understanding cybersecurity risks: Part 4—navigating current
threats (May 2021)

See the Ransomware section.

Human-operated ransomware attacks: A preventable disaster (March 2020)

Includes attack chain analyses of actual attacks.

Ransomware response—to pay or not to pay? (December 2019)

Norsk Hydro responds to ransomware attack with transparency (December 2019)
Detect and Remediate Illicit Consent Grants
Article • 10/19/2022 • 7 minutes to read


Applies to

Microsoft Defender for Office 365 plan 1 and plan 2


Microsoft 365 Defender

Summary Learn how to recognize and remediate the illicit consent grants attack in
Microsoft 365.

What is the illicit consent grant attack in Microsoft 365?
In an illicit consent grant attack, the attacker creates an Azure-registered application
that requests access to data such as contact information, email, or documents. The
attacker then tricks an end user into granting that application consent to access their
data either through a phishing attack, or by injecting illicit code into a trusted website.
After the illicit application has been granted consent, it has account-level access to data
without the need for an organizational account. Normal remediation steps, like resetting
passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on
accounts, are not effective against this type of attack, since these are third-party
applications and are external to the organization.

These attacks leverage an interaction model which presumes the entity that is calling the
information is automation and not a human.

Important

Do you suspect you're experiencing problems with illicit consent grants from an
app right now? Microsoft Defender for Cloud Apps has tools to detect, investigate,
and remediate your OAuth apps. This Defender for Cloud Apps article has a tutorial
that outlines how to go about investigating risky OAuth apps. You can also set
OAuth app policies to investigate app-requested permissions, which users are
authorizing these apps, and widely approve or ban these permissions requests.

What does an illicit consent grant attack look like in Microsoft 365?
You need to search the audit log to find signs, also called Indicators of Compromise
(IOC), of this attack. For organizations with many Azure-registered applications and a
large user base, the best practice is to review your organization's consent grants on a
weekly basis.

Steps for finding signs of this attack


1. Open the Microsoft 365 Defender portal at https://security.microsoft.com and
then select Audit. Or, to go directly to the Audit page, use
https://security.microsoft.com/auditlogsearch.

2. On the Audit page, verify that the Search tab is selected, and then configure the
following settings:

Date and time range


Activities: Verify that Show results for all activities is selected.

When you're finished, click Search.

3. Click the Activity column to sort the results and look for Consent to application.

4. Select an entry from the list to see the details of the activity. Check to see if
IsAdminConsent is set to True.

Note

It can take from 30 minutes up to 24 hours for the corresponding audit log entry to
be displayed in the search results after an event occurs.

The length of time that an audit record is retained and searchable in the audit log
depends on your Microsoft 365 subscription, and specifically the type of the license
that is assigned to a specific user. For more information, see Audit log.

If this value is true, it indicates that someone with Global Administrator access may
have granted broad access to data. If this is unexpected, take steps to confirm an
attack.

How to confirm an attack


If you have one or more instances of the IOCs listed above, you need to do further
investigation to positively confirm that the attack occurred. You can use any of these
three methods to confirm the attack:

Inventory applications and their permissions using the Azure Active Directory
portal. This method is thorough, but you can only check one user at a time which
can be very time consuming if you have many users to check.
Inventory applications and their permissions using PowerShell. This is the fastest
and most thorough method, with the least amount of overhead.
Have your users individually check their apps and permissions and report the
results back to the administrators for remediation.

Inventory apps with access in your organization


You can do this for your users with either the Azure Active Directory Portal or
PowerShell, or have your users individually enumerate their application access.

Steps for using the Azure Active Directory Portal


You can look up the applications to which any individual user has granted permissions
by using the Azure Active Directory Portal at https://portal.azure.com.

1. Sign in to the Azure portal with administrative rights.


2. Select the Azure Active Directory blade.
3. Select Users.
4. Select the user that you want to review.
5. Select Applications.

This will show you the apps that are assigned to the user and what permissions the
applications have.

Steps for having your users enumerate their application access
Have your users go to https://myapps.microsoft.com and review their own application
access there. They should be able to see all the apps with access, view details about
them (including the scope of access), and be able to revoke privileges to suspicious or
illicit apps.

Steps for doing this with PowerShell


The simplest way to verify the Illicit Consent Grant attack is to run
Get-AzureADPSPermissions.ps1, which will dump all the OAuth consent grants and OAuth
apps for all users in your tenancy into one .csv file.

Pre-requisites
The Azure AD PowerShell library installed.
Global administrator rights on the tenant that the script will be run against.
Local Administrator on the computer from which you will run the scripts.

Important

We highly recommend that you require multi-factor authentication on your
administrative account. This script supports MFA authentication.

1. Sign in to the computer that you will run the script from with local administrator
rights.

2. Download or copy the Get-AzureADPSPermissions.ps1 script from GitHub to a
folder from which you will run the script. This will be the same folder to which the
output "permissions.csv" file will be written.

3. Open a PowerShell session as an administrator and open to the folder where you
saved the script to.

4. Connect to your directory using the Connect-AzureAD cmdlet.

5. Run this PowerShell command:

PowerShell

.\Get-AzureADPSPermissions.ps1 | Export-csv -Path "Permissions.csv" -


NoTypeInformation

The script produces one file named Permissions.csv. Follow these steps to look for illicit
application permission grants:

1. In the ConsentType column (column G) search for the value "AllPrincipals". The
AllPrincipals consent type means the client application can access everyone's content
in the tenancy. Native Microsoft 365 applications need this permission to work
correctly. Every non-Microsoft application with this permission should be reviewed
carefully.

2. In the Permission column (column F) review the permissions that each delegated
application has to content. Look for "Read" and "Write" permissions or "All"
permissions, and review these carefully because they may not be appropriate.

3. Review the specific users that have consents granted. If high-profile or high-impact
users have inappropriate consents granted, you should investigate further.

4. In the ClientDisplayName column (column C) look for apps that seem suspicious.
Apps with misspelled names, very bland names, or hacker-sounding names
should be reviewed carefully.

Determine the scope of the attack

After you have finished inventorying application access, review the audit log to
determine the full scope of the breach. Search on the affected users, the time frames
that the illicit application had access to your organization, and the permissions the app
had. You can search the audit log in the Microsoft 365 Defender portal.

) Important

Mailbox auditing and Activity auditing for admins and users must have been
enabled prior to the attack for you to get this information.

How to stop and remediate an illicit consent grant attack

After you have identified an application with illicit permissions, you have several ways to
remove that access.

You can revoke the application's permission in the Azure Active Directory Portal by:

1. Navigating to the affected user in the Azure Active Directory Users blade.
2. Selecting Applications.
3. Selecting the illicit application.
4. Clicking Remove in the drill down.

You can revoke the OAuth consent grant with PowerShell by following the steps in
Remove-AzureADOAuth2PermissionGrant.

You can revoke the Service App Role Assignment with PowerShell by following the
steps in Remove-AzureADServiceAppRoleAssignment.

You can also disable sign-in for the affected account altogether, which stops new
tokens from being issued and so cuts off app access to data in that account. Access
tokens already issued stay valid until they expire, and the consent grant itself remains
until you revoke it, so treat this as a stopgap. It isn't ideal for the end user's
productivity, of course, but if you are working to limit impact quickly, it can be a
viable short-term remediation.

You can turn integrated applications off for your tenancy. This is a drastic step that
disables the ability for end users to grant consent on a tenant-wide basis. This
prevents your users from inadvertently granting access to a malicious application.
This isn't strongly recommended as it severely impairs your users' ability to be
productive with third party applications. You can do this by following the steps in
Turning Integrated Apps on or off.
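The following script is an added example for this article; it is not Microsoft's Get-AzureADPSPermissions.ps1 or any other Microsoft code. It applies the four review steps above to the Permissions.csv the script writes, then revokes every grant held by one client app using the two Azure AD cmdlets named in the remediation steps. It assumes the column names the export produces (PermissionType, ClientObjectId, ClientDisplayName, ResourceDisplayName, Permission, ConsentType, PrincipalDisplayName), an open Connect-AzureAD session for the revocation step, and that Get-AzureADServiceAppRoleAssignedTo lists the assignments a service principal holds on other resources; the name heuristics are the author's, not the article's.

```powershell
# Added example, not part of the Microsoft article or its script.
# Triage Permissions.csv from Get-AzureADPSPermissions.ps1, then revoke one client's grants.

# Scopes that expose mailbox, file or directory content (heuristic; tune for your tenant).
$BroadScopes = '^(Mail|MailboxSettings|Files|Sites|Contacts|Calendars|Directory|User|Group)\.(Read|ReadWrite)(\.All)?$|^full_access_as_user$|^EWS\.AccessAsUser\.All$'

function Get-SuspiciousConsentGrant {
    param([Parameter(Mandatory)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $reasons = @()

        # Article step 1: tenant-wide consent. Microsoft first-party apps also carry this,
        # so filter those out by name when you review the result.
        if ($row.ConsentType -eq 'AllPrincipals') { $reasons += 'tenant-wide consent' }

        # Article step 2: Read/Write/All scopes on mailbox, file or directory data.
        if ($row.Permission -match $BroadScopes) { $reasons += "broad scope $($row.Permission)" }

        # Article step 4: bland, generic or "helper"-style display names (heuristic).
        if ($row.ClientDisplayName -match '^(app|test|helper|update|upgrade|mailbox|secure)\w*$|\d{3,}$|^\s*$') {
            $reasons += 'suspicious display name'
        }

        if ($reasons) {
            [pscustomobject]@{
                Client     = $row.ClientDisplayName
                ClientId   = $row.ClientObjectId          # service principal object id
                Type       = $row.PermissionType          # Delegated or Application
                Resource   = $row.ResourceDisplayName
                Permission = $row.Permission
                Principal  = $row.PrincipalDisplayName    # article step 3: who consented
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

function Revoke-ClientConsent {
    <#
      Removes every delegated grant (OAuth2PermissionGrant) and every application
      permission (app role assignment) held by the service principal $ClientObjectId.
      Without -Revoke it only reports what would be removed.
    #>
    param(
        [Parameter(Mandatory)][string]$ClientObjectId,
        [switch]$Revoke
    )

    # Delegated permissions: one grant per (client, resource, principal or AllPrincipals).
    $grants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $ClientObjectId }
    foreach ($g in $grants) {
        Write-Host "Delegated grant $($g.ObjectId): scope '$($g.Scope)' consent=$($g.ConsentType) principal=$($g.PrincipalId)"
        if ($Revoke) { Remove-AzureADOAuth2PermissionGrant -ObjectId $g.ObjectId }
    }

    # Application permissions: assignments this client holds on other resources.
    # Assumption: Remove-AzureADServiceAppRoleAssignment takes the resource service
    # principal (the assignment's ResourceId) as -ObjectId.
    $roles = Get-AzureADServiceAppRoleAssignedTo -ObjectId $ClientObjectId -All $true
    foreach ($a in $roles) {
        Write-Host "App role $($a.Id) on $($a.ResourceDisplayName) (assignment $($a.ObjectId))"
        if ($Revoke) { Remove-AzureADServiceAppRoleAssignment -ObjectId $a.ResourceId -AppRoleAssignmentId $a.ObjectId }
    }
}

# Usage: triage first, then revoke a client you have confirmed as illicit.
# Get-SuspiciousConsentGrant -CsvPath .\Permissions.csv | Format-Table -AutoSize
# Revoke-ClientConsent -ClientObjectId '<client service principal object id>'          # dry run
# Revoke-ClientConsent -ClientObjectId '<client service principal object id>' -Revoke
```

Revoking the grant removes the app's authorization but does not invalidate access tokens the app already holds; those expire on their own, which is why the article also suggests disabling sign-in when you need to cut access immediately.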

See also
Unexpected application in my applications list walks administrators through
various actions they may want to take after realizing there are unexpected
applications with access to data.
Integrating applications with Azure Active Directory is a high-level overview of
consent and permissions.
Problems developing my application provides links to various consent related
articles.
Application and service principal objects in Azure Active Directory (Azure AD)
provides an overview of the Application and Service principal objects that are core
to the application model.
Manage access to apps is an overview of the capabilities that administrators have
to manage user access to apps.
Detect and Remediate Outlook Rules
and Custom Forms Injections Attacks
Article • 10/19/2022 • 11 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Summary: Learn how to recognize and remediate the Outlook rules and custom Forms
injections attacks in Office 365.

What is the Outlook Rules and Custom Forms injection attack?

After an attacker gains access to your organization, they'll try to establish a foothold to
stay in or get back in after they've been discovered. This activity is called establishing a
persistence mechanism. There are two ways that an attacker can use Outlook to establish
a persistence mechanism:

By exploiting Outlook rules.
By injecting custom forms into Outlook.

Reinstalling Outlook, or even giving the affected person a new computer won't help.
When the fresh installation of Outlook connects to the mailbox, all rules and forms are
synchronized from the cloud. The rules or forms are typically designed to run remote
code and install malware on the local machine. The malware steals credentials or
performs other illicit activity.

The good news is: if you keep your Outlook clients patched to the latest version, you
aren't vulnerable to the threat as current Outlook client defaults block both
mechanisms.

The attacks typically follow these patterns:

The Rules Exploit:

1. The attacker steals a user's credentials.

2. The attacker signs in to that user's Exchange mailbox (Exchange Online or on-premises
Exchange).

3. The attacker creates an Inbox rule in the mailbox. The rule is triggered when the
mailbox receives a specific message from the attacker that matches the conditions
of the rule. The rule conditions and message format are tailor-made for each other.

4. The attacker sends the trigger email to the compromised mailbox, which is still
being used as normal by the unsuspecting user.

5. When the mailbox receives a message that matches the conditions of the rule, the
action of the rule is applied. Typically, the rule action is to launch an application on
a remote (WebDAV) server.

6. Typically, the application installs malware on the user's machine (for example,
PowerShell Empire).

7. The malware allows the attacker to steal (or steal again) the user's username and
password or other credentials from the local machine and perform other malicious
activities.

The Forms Exploit:

1. The attacker steals a user's credentials.

2. The attacker signs in to that user's Exchange mailbox (Exchange Online or on-premises
Exchange).

3. The attacker inserts a custom mail form template into the user's mailbox. The
custom form is triggered when the mailbox receives a specific message from the
attacker that requires the mailbox to load the custom form. The custom form and
the message format are tailor-made for each other.

4. The attacker sends the trigger email to the compromised mailbox, which is still
being used as normal by the unsuspecting user.

5. When the mailbox receives the message, the mailbox loads the required form. The
form launches an application on a remote (WebDAV) server.

6. Typically, the application installs malware on the user's machine (for example,
PowerShell Empire).

7. The malware allows the attacker to steal (or steal again) the user's username and
password or other credentials from the local machine and perform other malicious
activities.

What a Rules and Custom Forms Injection attack might look like in Office 365

These persistence mechanisms are unlikely to be noticed by your users and may in some
cases even be invisible to them. This article tells you how to look for any of the seven
signs (Indicators of Compromise) listed below. If you find any of these, you need to take
remediation steps.

Indicators of the Rules compromise:

Rule action is to start an application.
Rule references an EXE, ZIP, or URL.
On the local machine, look for new process starts that originate from the
Outlook PID.

Indicators of the Custom forms compromise:

Custom forms are present, saved as their own message class.
The message class contains executable code.
Typically, malicious forms are stored in the Personal Forms Library or Inbox folders.
The form is named IPM.Note.[custom name].

Steps for finding signs of this attack and confirming it

You can use either of the following methods to confirm the attack:

Manually examine the rules and forms for each mailbox using the Outlook client.
This method is thorough, but you can only check one mailbox at a time. This
method can be very time consuming if you have many users to check, and might
also infect the computer that you're using.

Use the Get-AllTenantRulesAndForms.ps1 PowerShell script to automatically
dump all the mail forwarding rules and custom forms for all the users in your
tenancy. This is the fastest and safest method with the least amount of overhead.

Confirm the Rules Attack Using the Outlook client

1. Open the user's Outlook client as the user. The user may need your help in
examining the rules on their mailbox.

2. Refer to the Manage email messages by using rules article for the procedures on
how to open the rules interface in Outlook.

3. Look for rules that the user did not create, or any unexpected rules or rules with
suspicious names.

4. Look in the rule description for rule actions that start an application or refer to an
.EXE or .ZIP file, or to launching a URL.

5. Look for any new processes that start using the Outlook process ID. Refer to Find
the Process ID.

Steps to confirm the Forms attack using the Outlook client

1. Open the user's Outlook client as the user.

2. Follow the steps in Show the Developer tab for the user's version of Outlook.

3. Open the now visible Developer tab in Outlook and click Design a Form.

4. Select the Inbox from the Look In list. Look for any custom forms. Custom forms
are rare enough that if you have any custom forms at all, it is worth a deeper look.

5. Investigate any custom forms, especially those marked as hidden.

6. Open any custom forms and in the Form group click View Code to see what runs
when the form is loaded.

Steps to confirm the Rules and Forms attack using PowerShell

The simplest way to verify a rules or custom forms attack is to run the
Get-AllTenantRulesAndForms.ps1 PowerShell script. This script connects to every mailbox
in your tenant and dumps all the rules and forms into two .csv files.

Pre-requisites
You will need to have global administrator rights to run the script because the script
connects to every mailbox in the tenancy to read the rules and forms.

1. Sign in to the machine that you will run the script from with local administrator
rights.

2. Download or copy the Get-AllTenantRulesAndForms.ps1 script from GitHub to a
folder from which you will run it. The script will create two date stamped files in
this folder, MailboxFormsExport-yyyy-mm-dd.csv and MailboxRulesExport-yyyy-mm-dd.csv.

3. Open a PowerShell instance as an administrator and change to the folder you saved the
script to.

4. Run this PowerShell command:

PowerShell

.\Get-AllTenantRulesAndForms.ps1

Interpreting the output

MailboxRulesExport-yyyy-mm-dd.csv: Examine the rules (one per row) for action
conditions that include applications or executables:

ActionType (column A): If you see the value "ID_ACTION_CUSTOM", the rule is
likely malicious.

IsPotentiallyMalicious (column D): If this value is "TRUE", the rule is likely
malicious.

ActionCommand (column G): If this column lists an application or any file with
.exe or .zip extensions, or an unknown entry that refers to a URL, the rule is
likely malicious.

MailboxFormsExport-yyyy-mm-dd.csv: In general, the use of custom forms is rare.
If you find any in this workbook, open that user's mailbox and examine the
form itself. If your organization did not put it there intentionally, it is likely
malicious.

How to stop and remediate the Outlook Rules and Forms attack

If you find any evidence of either of these attacks, remediation is simple: just delete the
rule or form from the mailbox. You can do this with the Outlook client or using Exchange
PowerShell to remove rules.

Using Outlook
1. Identify all the devices that the user has used with Outlook. They will all need to be
cleaned of potential malware. Do not allow the user to sign on and use email until
all the devices are cleaned.

2. Follow the steps in Delete a rule for each device.

3. If you are unsure about the presence of other malware, you can format and
reinstall all the software on the device. For mobile devices, you can follow the
manufacturer's steps to reset the device to the factory image.

4. Install the most up-to-date versions of Outlook. Remember that the current
version of Outlook blocks both types of this attack by default.

5. Once all offline copies of the mailbox have been removed, reset the user's
password (use a high quality one) and follow the steps in Set up multi-factor
authentication for users if MFA has not already been enabled. This ensures that the
user's credentials are not exposed via other means (such as phishing or password
re-use).

Using PowerShell
There are two Exchange PowerShell cmdlets you can use to remove or disable
dangerous rules. Just follow the steps.

Steps for mailboxes that are on an Exchange server

1. Connect to the Exchange server using remote PowerShell or the Exchange
Management Shell. Follow the steps in Connect to Exchange servers using remote
PowerShell or Open the Exchange Management Shell.

2. If you want to completely remove a single rule, multiple rules, or all rules from a
mailbox, use the Remove-InboxRule cmdlet.

3. If you want to retain the rule and its contents for further investigation, use the
Disable-InboxRule cmdlet.

Steps for mailboxes in Exchange Online

1. Follow the steps in Connect to Exchange Online PowerShell.

2. If you want to completely remove a single rule, multiple rules, or all rules from a
mailbox, use the Remove-InboxRule cmdlet.

3. If you want to retain the rule and its contents for further investigation, use the
Disable-InboxRule cmdlet.
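The script below is an added example for this article, not part of Get-AllTenantRulesAndForms.ps1 or any Microsoft code. It applies the three checks from "Interpreting the output" to the MailboxRulesExport-yyyy-mm-dd.csv file and then, following the "retain the rule for investigation" option above, disables each flagged rule with Disable-InboxRule. The column names ActionType, IsPotentiallyMalicious and ActionCommand are the ones the article names; the Mailbox and RuleName columns that identify the owning mailbox and rule are assumptions, so adjust $MailboxColumn and $RuleNameColumn to match your export. The file-extension and URL patterns are the author's.

```powershell
# Added example, not from the Microsoft article or its script.
# Triage MailboxRulesExport-yyyy-mm-dd.csv and disable (not delete) flagged rules.

$MailboxColumn  = 'Mailbox'    # assumed column: mailbox the rule belongs to
$RuleNameColumn = 'RuleName'   # assumed column: rule name as Exchange knows it

# Things a legitimate Inbox rule action never references: executables, archives,
# script files, UNC paths, URLs or WebDAV shares.
$DangerousAction = '\.(exe|zip|bat|cmd|ps1|vbs|js|hta|scr)\b|\\\\[\w.-]+\\|https?://|\bwebdav\b'

function Get-SuspiciousInboxRuleExport {
    param([Parameter(Mandatory)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $reasons = @()
        if ($row.ActionType -eq 'ID_ACTION_CUSTOM')     { $reasons += 'custom (client-side) action' }
        if ($row.IsPotentiallyMalicious -eq 'TRUE')      { $reasons += 'flagged by export script' }
        if ($row.ActionCommand -match $DangerousAction)  { $reasons += "action references $($Matches[0])" }

        if ($reasons) {
            [pscustomobject]@{
                Mailbox       = $row.$MailboxColumn
                RuleName      = $row.$RuleNameColumn
                ActionType    = $row.ActionType
                ActionCommand = $row.ActionCommand
                Reasons       = ($reasons -join '; ')
            }
        }
    }
}

function Disable-SuspiciousInboxRule {
    <#
      Disables each flagged rule in place. Disable-InboxRule keeps the rule and its
      definition for forensics; Remove-InboxRule would delete it. Requires an Exchange
      Online or Exchange Server PowerShell session. -WhatIf previews without changing.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Finding)

    process {
        $target = "$($Finding.Mailbox) / $($Finding.RuleName)"
        if ($PSCmdlet.ShouldProcess($target, 'Disable-InboxRule')) {
            Disable-InboxRule -Mailbox $Finding.Mailbox -Identity $Finding.RuleName -Confirm:$false
        }
    }
}

# Usage:
# $findings = Get-SuspiciousInboxRuleExport -CsvPath .\MailboxRulesExport-2022-10-19.csv
# $findings | Format-Table -AutoSize
# $findings | Disable-SuspiciousInboxRule -WhatIf   # preview
# $findings | Disable-SuspiciousInboxRule           # disable for investigation
```

Keep the CSV export before you touch anything: changing rules from PowerShell can discard client-side-only rules (which is what a "start application" rule is), so the export may be your only complete record of the rule as the attacker created it.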
How to minimize future attacks

First: protect your accounts

The Rules and Forms exploits are only used by an attacker after they have stolen or
breached one of your user's accounts. So, your first step to preventing the use of these
exploits against your organization is to aggressively protect your user accounts. Some of
the most common ways that accounts are breached are through phishing or password
spray attacks.

The best way to protect your user accounts, and especially your administrator accounts,
is to set up multi-factor authentication for users. You should also:

Monitor how your user accounts are accessed and used. You may not prevent the
initial breach, but you will shorten the duration and the impact of the breach by
detecting it sooner. You can use these Office 365 Cloud App Security policies to
monitor your accounts and alert on unusual activity:

Multiple failed login attempts: This policy profiles your environment and
triggers alerts when users perform multiple failed login activities in a single
session with respect to the learned baseline, which could indicate an attempted
breach.

Impossible travel: This policy profiles your environment and triggers alerts
when activities are detected from the same user in different locations within a
time period that is shorter than the expected travel time between the two
locations. This could indicate that a different user is using the same credentials.
Detecting this anomalous behavior necessitates an initial learning period of
seven days during which it learns a new user's activity pattern.

Unusual impersonated activity (by user): This policy profiles your environment
and triggers alerts when users perform multiple impersonated activities in a
single session with respect to the baseline learned, which could indicate an
attempted breach.

Use a tool like Office 365 Secure Score to manage account security configurations
and behaviors.

Second: Keep your Outlook clients current

Fully updated and patched versions of Outlook 2013 and 2016 disable the "Start
Application" rule/form action by default. This will ensure that even if an attacker
breaches the account, the rule and form actions will be blocked. You can install the latest
updates and security patches by following the steps in Install Office updates.

Here are the patch versions for your Outlook 2013 and 2016 clients:

Outlook 2016: 16.0.4534.1001 or greater.

Outlook 2013: 15.0.4937.1000 or greater.

For more information on the individual security patches, see:

Outlook 2016 Security Patch

Outlook 2013 Security Patch

Third: Monitor your Outlook clients

Note that even with the patches and updates installed, it is possible for an attacker to
change the local machine configuration to re-enable the "Start Application" behavior.
You can use Advanced Group Policy Management to monitor and enforce local machine
policies on your clients.

You can see if "Start Application" has been re-enabled through an override in the
registry by using the information in How to view the system registry by using 64-bit
versions of Windows. Check these subkeys:

Outlook 2016:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\

Outlook 2013:
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security\

Look for the value EnableUnsafeClientMailRules. If it is there and is set to 1, the Outlook
security patch has been overridden and the computer is vulnerable to the Form/Rules
attack. If the value is 0, the "Start Application" action is disabled. If the updated and
patched version of Outlook is installed and this registry value is not present, then the
system is not vulnerable to these attacks.
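As an added example (the author's, not Microsoft's), the script below turns the registry check above and the minimum build numbers from the previous section into a single report you can run on a client. It reads EnableUnsafeClientMailRules for both Outlook versions and compares the installed Outlook build against the patched versions the article lists. It assumes the App Paths registry entry points at the installed OUTLOOK.EXE, and because the override lives under HKEY_CURRENT_USER it must run in the context of the user being checked.

```powershell
# Added example, not from the Microsoft article.
# Report the "Start Application" override and the Outlook build on this machine.

$OutlookSecurityKeys = @{
    'Outlook 2016' = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Security'
    'Outlook 2013' = 'HKCU:\Software\Microsoft\Office\15.0\Outlook\Security'
}

# Patched builds from the article: at or above these the unsafe action is off by default.
$MinimumPatchedBuild = @{
    16 = [version]'16.0.4534.1001'
    15 = [version]'15.0.4937.1000'
}

function Get-UnsafeClientMailRulesState {
    foreach ($entry in $OutlookSecurityKeys.GetEnumerator()) {
        $value = $null
        if (Test-Path $entry.Value) {
            # Get-ItemProperty returns nothing (no error) when the value is absent.
            $value = (Get-ItemProperty -Path $entry.Value -Name EnableUnsafeClientMailRules `
                      -ErrorAction SilentlyContinue).EnableUnsafeClientMailRules
        }

        if ($null -eq $value)  { $state = 'Protected (value absent; patched default applies)' }
        elseif ($value -eq 0)  { $state = 'Protected (explicitly disabled)' }
        elseif ($value -eq 1)  { $state = 'VULNERABLE: Start Application re-enabled by override' }
        else                   { $state = "Unexpected value $value; investigate" }

        [pscustomobject]@{
            Version                     = $entry.Key
            Key                         = $entry.Value
            EnableUnsafeClientMailRules = $value
            State                       = $state
        }
    }
}

function Get-OutlookBuildStatus {
    # Assumption: the App Paths entry exists and points at the installed OUTLOOK.EXE.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    if (-not (Test-Path $appPath)) {
        return [pscustomobject]@{ Executable = $null; Build = $null; Patched = $null; Note = 'Outlook not found' }
    }
    $exe   = (Get-ItemProperty -Path $appPath).'(default)'
    $build = [version](Get-Item -Path $exe).VersionInfo.FileVersion
    $min   = $MinimumPatchedBuild[$build.Major]

    [pscustomobject]@{
        Executable = $exe
        Build      = $build
        Patched    = if ($min) { $build -ge $min } else { $null }
        Note       = if ($min) { "minimum patched build $min" } else { 'version not covered by the article' }
    }
}

Get-OutlookBuildStatus | Format-List
Get-UnsafeClientMailRulesState | Format-Table Version, EnableUnsafeClientMailRules, State -AutoSize
```

A client is only safe when both halves agree: a patched build with the override set to 1 is vulnerable, and an unpatched build is vulnerable regardless of the registry value. Deploy the check through your management tooling so it runs as each user rather than as an administrator, or the HKCU lookup will inspect the wrong hive.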

Customers with on-premises Exchange installations should consider blocking older
versions of Outlook that do not have patches available. Details on this process can be
found in the article Configure Outlook client blocking.

See also:
Malicious Outlook Rules by SilentBreak Security Post about Rules Vector
provides a detailed review of how the Outlook Rules.

MAPI over HTTP and Mailrule Pwnage on the Sensepost blog about Mailrule
Pwnage discusses a tool called Ruler that lets you exploit mailboxes through
Outlook rules.

Outlook forms and shells on the Sensepost blog about Forms Threat Vector.

Ruler Codebase

Ruler Indicators of Compromise


Respond to a compromised connector
Article • 12/10/2022 • 3 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Connectors are used for enabling mail flow between Microsoft 365 or Office 365 and
email servers that you have in your on-premises environment. For more information, see
Configure mail flow using connectors in Exchange Online.

A compromised inbound connector is defined as when an unauthorized individual either
applies change(s) to an existing inbound connector or creates a new inbound connector
in a Microsoft 365 tenant, with the intention of sending spam or phish emails. Note that
this is applicable only to inbound connectors of type OnPremises.

Detect a compromised connector

Here are some of the characteristics of a compromised connector:

Sudden spike in outbound mail volume.

Mismatch between P1 and P2 senders in outbound mails. For more information on
P1 and P2 senders, see How EOP validates the From address to prevent phishing.

Outbound mails sent from a domain that is not provisioned or registered.

The connector is blocked from relaying mail.

An inbound connector that wasn't created by the intended user or the
administrator.

Unauthorized change(s) in existing connector configuration, such as name, domain
name, and IP address.

A recently compromised administrator account. Note that you can edit connector
configuration only if you have administrative access.

Secure and restore email function to a suspected compromised connector

You must complete all the following steps to regain access to your connector. These
steps help you remove any back-door entries that may have been added to your
connector.

Step 1: Identify if an inbound connector has been compromised

Review recent suspicious connector traffic or related messages

If you have Microsoft Defender for Office 365 plan 2, go directly to
https://security.microsoft.com/threatexplorer.

1. Select Connector, insert Connector Name, select date range, and then click
Refresh.

2. Identify if there's any abnormal spike or dip in email traffic.

3. Identify:

If Sender IP matches your organization's on-prem IP address.

If a significant number of emails were recently sent to the Junk folder. This is
a good indicator of a compromised connector being used to send spam.

If the recipients are the ones that your organization usually stays in contact
with.

If you have Microsoft Defender for Office 365 Plan 1 or Exchange Online Protection, go
to https://admin.exchange.microsoft.com/#/messagetrace.

1. Open the Suspicious connector activity alert in https://security.microsoft.com/alerts.

2. Select an activity under Activity list, and copy the suspicious connector domain and IP
address detected in the alert.

3. Search by using the connector domain and IP address in Message trace.

4. In the Message trace search results, identify:

If a significant number of emails were recently marked as FilteredAsSpam.
This is a good indicator of a compromised connector being used to send
spam.

If the recipients are the ones that your organization usually stays in contact
with.

Investigate and validate connector-related activity

Use the following command in PowerShell to investigate and validate connector-related
activity by a user in the audit log. For more information, see Use a PowerShell
script to search the audit log.

PowerShell

Search-UnifiedAuditLog -StartDate "<ExDateTime>" -EndDate "<ExDateTime>" -Operations "New-InboundConnector","Set-InboundConnector","Remove-InboundConnector"
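Search-UnifiedAuditLog returns each event as a record whose AuditData property is a JSON string, so the raw output does not show at a glance who changed which connector. The following added example (the author's, not Microsoft's) expands those records into a review table and highlights the connector parameters an attacker changes to turn a connector into an open relay. The two records at the bottom are constructed for offline testing; their field shape (CreationTime, UserId, Operation, ClientIP, ObjectId and a Parameters array of Name/Value pairs) is the one Exchange admin audit records use, while the contoso.com names, IP addresses and connector name are invented.

```powershell
# Added example, not from the Microsoft article.
# Expand connector audit records from Search-UnifiedAuditLog into a review table.

# Connector settings whose change widens who may relay through the tenant or
# repoints the connector at attacker infrastructure.
$WatchedParameters = 'SenderIPAddresses', 'SenderDomains', 'TlsSenderCertificateName',
                     'RestrictDomainsToIPAddresses', 'RestrictDomainsToCertificate',
                     'ConnectorType', 'Enabled'

function ConvertFrom-ConnectorAuditRecord {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)

    process {
        $data   = $Record.AuditData | ConvertFrom-Json
        $params = @{}
        foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

        $changes = foreach ($name in $WatchedParameters) {
            if ($params.ContainsKey($name)) { "$name=$($params[$name])" }
        }

        [pscustomobject]@{
            Time      = [datetime]$data.CreationTime
            Operation = $data.Operation
            Admin     = $data.UserId
            ClientIP  = $data.ClientIP
            Connector = $data.ObjectId
            Changes   = ($changes -join '; ')
            AllParams = $params
        }
    }
}

# Constructed sample records in the shape Search-UnifiedAuditLog returns (not real data).
$SampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2022-12-01T02:14:09","Operation":"New-InboundConnector","UserId":"admin@contoso.com","ClientIP":"203.0.113.77","ObjectId":"contoso.onmicrosoft.com/Configuration/Relay01","Parameters":[{"Name":"Name","Value":"Relay01"},{"Name":"ConnectorType","Value":"OnPremises"},{"Name":"SenderIPAddresses","Value":"198.51.100.0/24"},{"Name":"RestrictDomainsToIPAddresses","Value":"False"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2022-12-01T02:20:41","Operation":"Set-InboundConnector","UserId":"admin@contoso.com","ClientIP":"203.0.113.77","ObjectId":"contoso.onmicrosoft.com/Configuration/Relay01","Parameters":[{"Name":"Identity","Value":"Relay01"},{"Name":"SenderDomains","Value":"*"}]}' }
)

$SampleRecords | ConvertFrom-ConnectorAuditRecord |
    Format-Table Time, Operation, Admin, ClientIP, Connector, Changes -AutoSize

# Against the tenant (Exchange Online PowerShell session required):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations New-InboundConnector, Set-InboundConnector, Remove-InboundConnector -ResultSize 5000 |
#     ConvertFrom-ConnectorAuditRecord | Sort-Object Time | Format-Table -AutoSize
```

In the sample, the second record is the one to act on: setting SenderDomains to "*" on an OnPremises connector accepts relay for any sender domain, which is exactly the change a spammer needs. The ClientIP column tells you where the admin session came from, which feeds Step 4 when that admin account turns out to be compromised.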

Step 2: Review and revert unauthorized change(s) in a connector

1. Sign into https://admin.exchange.microsoft.com/.

2. Review and revert unauthorized connector change(s).

Step 3: Unblock the connector to re-enable mail flow

1. Sign into https://security.microsoft.com/restrictedentities.

2. Select the restricted connector to unblock the connector.

Step 4: Investigate and remediate potentially compromised administrative user account

If a user with unauthorized connector activity is identified, you can investigate this
user for potential compromise. For more information, see Responding to a
Compromised Email Account.

More information
Remove blocked connectors
Remove blocked users
Remove blocked users from the
Restricted users portal in Microsoft 365
Article • 12/20/2022 • 5 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

If a user exceeds one of the outbound sending limits as specified in the service limits or
in outbound spam policies, the user is restricted from sending email, but they can still
receive email.

The user is added to the Restricted users page in the Microsoft 365 Defender portal.
When they try to send email, the message is returned in a non-delivery report (also
known as an NDR or bounce message) with the error code 5.1.8 and the following text:

"Your message couldn't be delivered because you weren't recognized as a valid
sender. The most common reason for this is that your email address is suspected of
sending spam and it's no longer allowed to send email. Contact your email admin for
assistance. Remote Server returned '550 5.1.8 Access denied, bad outbound sender.'"

Admins can remove users from the Restricted users page in the Microsoft 365 Defender
portal or in Exchange Online PowerShell.

Learn more on Restricted entities

A restricted entity is an entity that has been blocked from sending email because either
it has been potentially compromised, or it has exceeded a sending limit.

There are 2 types of restricted entities:

Restricted user: Learn about why a user can be restricted and how to handle
restricted users (this article).

Restricted connector: For more information about why a connector can be
restricted and how to handle restricted connectors, see Remove blocked
connectors from the Restricted entities portal.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com. To
go directly to the Restricted users page, use
https://security.microsoft.com/restrictedusers.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To remove users from the Restricted users portal, you need to be a member of
the Organization Management or Security Administrator role groups.
For read-only access to the Restricted users portal, you need to be a member of
the Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

7 Note

Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions and
permissions for other features in Microsoft 365. For more information, see
About admin roles.

The View-Only Organization Management role group in Exchange Online
also gives read-only access to the feature.

A sender exceeding the outbound email limits is an indicator of a compromised
account. Before you remove the user from the Restricted users portal, be sure to
follow the required steps to regain control of their account. For more information,
see Responding to a compromised email account in Office 365.
Use the Microsoft 365 Defender portal to
remove a user from the Restricted users list
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & collaboration > Review > Restricted users. To go directly to the
Restricted users page, use https://security.microsoft.com/restrictedusers .

2. On the Restricted users page, find and select the user that you want to unblock by
clicking on the user.

3. Click the Unblock action that appears.

4. In the Unblock user flyout that appears, read the details about the restricted
account. You should go through the recommendations to ensure you're taking the
proper actions in case the account is compromised.

When you're finished, click Next.

5. The next screen has recommendations to help prevent future compromise.
Enabling multi-factor authentication (MFA) and resetting the password are a good
defense.

When you're finished, click Submit.

6. Click Yes to confirm the change.

7 Note

Under most circumstances, all restrictions should be removed from the user
within one hour. Transient technical issues might cause a longer wait time, but
the total wait should be no longer than 24 hours.

Verify the alert settings for restricted users

The default alert policy named User restricted from sending email will automatically
notify admins when users are blocked from sending outbound mail. You can verify these
settings and add additional users to notify. For more information about alert policies,
see Alert policies in Microsoft 365.

) Important
For alerts to work, audit log search must be turned on. For more information, see
Turn the audit log search on or off.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & collaboration > Policies & rules > Alert policy. To go directly to the Alert
policy page, use https://security.microsoft.com/alertpolicies.

2. On the Alert policy page, find and select the alert named User restricted from
sending email. You can sort the policies by name, or use the Search box to find the
policy.

3. In the User restricted from sending email flyout that appears, verify or configure
the following settings:

Status: Verify the alert is turned on.

Email recipients: Click Edit and verify or configure the following settings in
the Edit recipients flyout that appears:
Send email notifications: Verify this is selected (On).
Email recipients: The default value is TenantAdmins (meaning, Global
admin members). To add more recipients, click in a blank area of the box.
A list of recipients will appear, and you can start typing a name to filter
and select a recipient. You can remove an existing recipient from the box
by clicking next to their name.
Daily notification limit: The default value is No limit but you can select a
limit for the maximum number of notifications per day.

When you're finished, click Save.

4. Back on the User restricted from sending email flyout, click Close.

Use Exchange Online PowerShell to view and remove users from the Restricted users list

To view the list of users that are restricted from sending email, run the following
command:

PowerShell

Get-BlockedSenderAddress

To view details about a specific user, replace <emailaddress> with their email address
and run the following command:

PowerShell

Get-BlockedSenderAddress -SenderAddress <emailaddress>

For detailed syntax and parameter information, see Get-BlockedSenderAddress.

To remove a user from the Restricted users list, replace <emailaddress> with their email
address and run the following command:

PowerShell

Remove-BlockedSenderAddress -SenderAddress <emailaddress>

For detailed syntax and parameter information, see Remove-BlockedSenderAddress.
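The Important note earlier in this article says to regain control of the account before removing the restriction. The following added example (the author's, not Microsoft's) wires that into the two cmdlets above: it walks every restricted sender, checks the mailbox for the persistence a compromise typically leaves behind (mailbox-level forwarding, and Inbox rules that forward, redirect, delete or hide mail), and calls Remove-BlockedSenderAddress only for mailboxes that come back clean or when you pass -Force. It requires an Exchange Online PowerShell session. SenderAddress on Get-BlockedSenderAddress output is documented; the Reason property and the rule-name patterns are assumptions.

```powershell
# Added example, not from the Microsoft article.
# Check a restricted mailbox for attacker persistence before unblocking it.

function Test-MailboxPersistence {
    param([Parameter(Mandatory)][string]$Mailbox)

    $issues = @()
    $mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

    # Mailbox-level forwarding set outside of Inbox rules.
    if ($mbx.ForwardingSmtpAddress) { $issues += "mailbox forwards to $($mbx.ForwardingSmtpAddress)" }
    if ($mbx.ForwardingAddress)     { $issues += "mailbox forwards to $($mbx.ForwardingAddress)" }

    foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        if ($targets) { $issues += "rule '$($rule.Name)' forwards or redirects mail" }

        # Rules that delete mail or bury it in rarely-read folders hide the attacker's traffic.
        if ($rule.DeleteMessage -or $rule.MoveToFolder -match 'RSS|Archive|Junk|Deleted|Conversation History') {
            $issues += "rule '$($rule.Name)' deletes or hides messages"
        }

        # Assumed heuristic: attackers name rules with punctuation or nothing at all.
        if ($rule.Name -match '^[\s\.\-,;]*$') { $issues += "rule '$($rule.Name)' has a hidden-style name" }
    }
    return $issues
}

function Restore-RestrictedSender {
    <#
      Unblocks each restricted sender whose mailbox shows no persistence, or all of
      them with -Force. -WhatIf reports without removing any restriction.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Force)

    foreach ($blocked in Get-BlockedSenderAddress) {
        $addr   = $blocked.SenderAddress
        $issues = Test-MailboxPersistence -Mailbox $addr

        if ($issues -and -not $Force) {
            Write-Warning "$addr still shows signs of compromise; not unblocking:`n  $($issues -join "`n  ")"
            continue
        }
        if ($PSCmdlet.ShouldProcess($addr, 'Remove-BlockedSenderAddress')) {
            Remove-BlockedSenderAddress -SenderAddress $addr
            Write-Host "Unblocked $addr (restriction reason: $($blocked.Reason))"   # Reason is assumed
        }
    }
}

# Usage:
# Restore-RestrictedSender -WhatIf    # report only
# Restore-RestrictedSender            # unblock the clean mailboxes
# Restore-RestrictedSender -Force     # unblock everything (after manual review)
```

The persistence check is deliberately narrow: it catches the rule and forwarding tricks that keep an attacker reading mail after a password reset, but it does not replace the full compromised-account procedure (password reset, MFA, session revocation) the note above points to.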


Remove blocked connectors from the
Restricted entities portal
Article • 12/10/2022 • 4 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

If an inbound connector is detected as potentially compromised, it is restricted from
sending any relaying email. The connector is then added to the Restricted entities page
in the Microsoft 365 Defender portal. When the connector is used to send email, the
message is returned in a non-delivery report (also known as an NDR or bounce
message) with the error code 550;5.7.711 and the following text:

Your message couldn't be delivered. The most common reason for this is that your
organization's email connector is suspected of sending spam or phish and it's no
longer allowed to send email. Contact your email admin for assistance. Remote
Server returned '550;5.7.711 Access denied, bad inbound connector. AS(2204).'

Admins can remove connectors from the Restricted entities page in the Microsoft 365
Defender portal or in Exchange Online PowerShell.

Learn more about restricted entities

A restricted entity is an entity that has been blocked from sending email because either
it has been potentially compromised, or it has exceeded a sending limit.

There are two types of restricted entities:

Restricted user: For more information about why a user can be restricted and how
to handle restricted users, see Remove blocked users from the Restricted entities
portal.

Restricted connector: Learn about why a connector can be restricted and how to
handle restricted connectors (this article).

What do you need to know before you begin?

Open the Microsoft 365 Defender portal at https://security.microsoft.com. To go
directly to the Restricted entities page, use
https://security.microsoft.com/restrictedentities.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell.

You must have permissions in Exchange Online before you can follow the
procedures mentioned in this article:
To remove connectors from the Restricted entities portal, you need to be a
member of the Organization Management or Security Administrator role
groups.
For read-only access to the Restricted entities portal, you need to be a member
of the Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Note

Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions and
permissions for other features in Microsoft 365. For more information, see
About admin roles.

The View-Only Organization Management role group in Exchange Online
also gives read-only access to the feature.

Before you remove the connector from the Restricted entities portal, be sure to
follow the required steps to regain control of the connector. For more information,
see Respond to a compromised connector.

Use the Microsoft 365 Defender portal to remove a connector from the Restricted
entities list

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Review >
Restricted entities. To go directly to the Restricted entities page, use
https://security.microsoft.com/restrictedentities.

2. On the Restricted entities page, find and select the connector that you want to
unblock by clicking on the connector.

3. Click the Unblock action that appears.

4. In the Unblock entity flyout that appears, read the details about the restricted
connector. You should go through the recommendations to ensure you're taking
the proper actions in case the connector is compromised.

5. When you're finished, click Unblock.

Note

It might take up to 1 hour for all restrictions to be removed from the
connector.

Verify the alert settings for restricted connectors

The default alert policy named Suspicious connector activity will automatically notify
admins when connectors are blocked from relaying email. For more information about
alert policies, see Alert policies in Microsoft 365.

Important

For alerts to work, audit log search must be turned on. For more information, see
Turn the audit log search on or off.

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Alert policy.

2. On the Alert policy page, find and select the alert named Suspicious connector
activity. You can sort the policies by name, or use the Search box to find the
policy.
3. In the Suspicious connector activity flyout that appears, verify or configure the
following settings:

Status: Verify the alert is turned on.

Email recipients: Click Edit and verify or configure the following settings in
the Edit recipients flyout that appears:
Send email notifications: Verify this is selected (On).
Email recipients: The default value is TenantAdmins (meaning, Global
admin members). To add more recipients, click on a blank area of the box.
A list of recipients will appear, and you can start typing a name to filter
and select a recipient. You can remove an existing recipient from the box
by clicking next to their name.
Daily notification limit: The limit is no more than 3 notifications per
connector per day.

When you're finished, click Save.

4. Back on the Suspicious connector activity flyout, click Close.

Use Exchange Online PowerShell to view and remove connectors from the Restricted
entities list

To view the list of connectors that are restricted from sending email, run the following
command:

PowerShell

Get-BlockedConnector

To view details about a specific connector, replace <connectorId> and run the following
command:

PowerShell

Get-BlockedConnector -ConnectorId <connectorId>

To remove a connector from the Restricted entities list, replace <connectorId> and run
the following command:

PowerShell

Remove-BlockedConnector -ConnectorId <connectorId>
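As an added example (not code from the Microsoft documentation), the following script ties the connector cmdlets above together with the restricted-user cmdlets from the previous article: inventory both lists, inspect the entity, dry-run the removal, and verify afterwards. It assumes the ExchangeOnlineManagement module is installed, that the Get-BlockedConnector output exposes a ConnectorId property (check with Get-Member), and that the Remove-* cmdlets honour the standard -WhatIf parameter; <connectorId> and <emailaddress> are placeholders.

```powershell
# Added example (not from the Microsoft documentation): review restricted
# connectors and restricted users in Exchange Online PowerShell before
# unblocking anything. Assumes the ExchangeOnlineManagement module and an
# account in the Organization Management or Security Administrator role group.
Connect-ExchangeOnline

# 1. Inventory both kinds of restricted entity. Format-List * shows every
#    property, so no property names need to be known in advance.
Write-Host '== Restricted connectors =='
Get-BlockedConnector | Format-List *

Write-Host '== Restricted users =='
Get-BlockedSenderAddress | Format-List *

# 2. Pick the entities to unblock. Placeholders: replace with a ConnectorId
#    shown by Get-BlockedConnector and an address shown by
#    Get-BlockedSenderAddress, and only after the remediation steps in
#    "Respond to a compromised connector" / "Respond to a compromised email
#    account" are complete.
$connectorId = '<connectorId>'
$userAddress = '<emailaddress>'

# Inspect the specific connector first.
Get-BlockedConnector -ConnectorId $connectorId | Format-List *

# 3. Dry run. -WhatIf is the standard PowerShell common parameter; that these
#    cmdlets honour it is an assumption. Remove -WhatIf to perform the removal.
Remove-BlockedConnector -ConnectorId $connectorId -WhatIf
Remove-BlockedSenderAddress -SenderAddress $userAddress -WhatIf

# 4. Verify afterwards. The ConnectorId property name is assumed from the
#    cmdlet's output; confirm it with Get-BlockedConnector | Get-Member.
$stillBlocked = Get-BlockedConnector | Where-Object { $_.ConnectorId -eq $connectorId }
if ($stillBlocked) {
    Write-Warning "Connector $connectorId is still restricted (allow up to 1 hour for restrictions to clear)."
} else {
    Write-Host "Connector $connectorId is no longer in the restricted list."
}
```

The dry run matters because unblocking a connector that is still under an attacker's control simply resumes the outbound spam; the inventory step is also a cheap way to spot a connector that keeps reappearing on the list.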

More information

Respond to a compromised connector
Remove blocked users

Tune anti-phishing protection
Article • 12/22/2022 • 5 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Although Microsoft 365 comes with a variety of anti-phishing features that are enabled
by default, it's possible that some phishing messages could still get through to your
mailboxes. This topic describes what you can do to discover why a phishing message
got through, and what you can do to adjust the anti-phishing settings in your Microsoft
365 organization without accidentally making things worse.

First things first: deal with any compromised accounts and make sure you block any
more phishing messages from getting through

If a recipient's account was compromised as a result of the phishing message, follow the
steps in Responding to a compromised email account in Microsoft 365.

If your subscription includes Microsoft Defender for Office 365, you can use Office 365
Threat Intelligence to identify other users who also received the phishing message. You
have additional options to block phishing messages:

Safe Links in Microsoft Defender for Office 365

Safe Attachments in Microsoft Defender for Office 365

Anti-phishing policies in Microsoft Defender for Office 365. Note that you can
temporarily increase the Advanced phishing thresholds in the policy from
Standard to Aggressive, More aggressive, or Most aggressive.

Verify these Defender for Office 365 features are turned on.

Report the phishing message to Microsoft


Reporting phishing messages is helpful in tuning the filters that are used to protect all
customers in Microsoft 365. For instructions, see Report messages and files to Microsoft.
Inspect the message headers

You can examine the headers of the phishing message to see if there's anything that you
can do yourself to prevent more phishing messages from coming through. In other
words, examining the message headers can help you identify any settings in your
organization that were responsible for allowing the phishing messages in.

Specifically, you should check the X-Forefront-Antispam-Report header field in the
message headers for indications of skipped filtering for spam or phishing in the Spam
Filtering Verdict (SFV) value. Messages that skip filtering will have an entry of SCL:-1,
which means one of your settings allowed this message through by overriding the spam
or phishing verdicts that were determined by the service. For more information on how
to get message headers and the complete list of all available anti-spam and
anti-phishing message headers, see Anti-spam message headers in Microsoft 365.
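As an added example written for this page (not Microsoft's code), here is a PowerShell function that parses the X-Forefront-Antispam-Report header value into its fields and reports whether the message skipped filtering and, from the SFV value, which kind of override was responsible. The SFV and IPV meanings listed in the code are the ones documented in the Anti-spam message headers article referenced above; the two header values at the bottom are constructed samples, not real messages.

```powershell
# Added example (not Microsoft's code): parse an X-Forefront-Antispam-Report
# header value and explain why a message skipped filtering. The header is a
# semicolon-separated list of KEY:VALUE fields; SFS holds a parenthesised
# rule list and is kept as raw text.
function ConvertFrom-ForefrontAntispamReport {
    param([Parameter(Mandatory)][string]$HeaderValue)
    $fields = @{}
    foreach ($pair in ($HeaderValue -split ';')) {
        if ($pair -notmatch ':') { continue }
        # Split on the first colon only; values such as PTR: may be empty.
        $name, $value = $pair -split ':', 2
        $fields[$name.Trim()] = $value.Trim()
    }
    return $fields
}

function Test-SkippedFiltering {
    param([Parameter(Mandatory)][string]$HeaderValue)
    $f = ConvertFrom-ForefrontAntispamReport -HeaderValue $HeaderValue

    # SFV values that indicate an override in your own configuration
    # (meanings per "Anti-spam message headers in Microsoft 365").
    $overrideReasons = @{
        SKN = 'a mail flow rule marked the message as not spam'
        SKA = 'the sender or domain is on an allow list in the anti-spam policy'
        SKI = 'intra-organizational message, filtering skipped'
        SKQ = 'the message was released from quarantine'
        SFE = 'the sender is on the recipient''s Safe Senders list'
    }

    $sfv = $f['SFV']
    $reason = $null
    if ($f['SCL'] -eq '-1') {
        $reason = if ($sfv -and $overrideReasons.ContainsKey($sfv)) {
            $overrideReasons[$sfv]
        } else {
            'filtering skipped (override type not recognized)'
        }
        # IPV:CAL means the connecting IP is on the IP Allow List.
        if ($f['IPV'] -eq 'CAL') { $reason += '; the connecting IP is on the IP Allow List' }
    }

    [pscustomobject]@{
        SkippedFiltering = ($f['SCL'] -eq '-1')
        SCL              = $f['SCL']
        SFV              = $sfv
        Reason           = $reason
    }
}

# Constructed sample header values (placeholder hosts and documentation IPs).
$allowed  = 'CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKA;H:mail.example.com;PTR:;SFS:(13230022)(396003);DIR:INB'
$filtered = 'CIP:203.0.113.11;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail.example.net;PTR:;SFS:(13230022);DIR:INB'

Test-SkippedFiltering -HeaderValue $allowed
Test-SkippedFiltering -HeaderValue $filtered
```

Run it against the header copied from the phishing message (from the quarantine details flyout or the message header in Outlook); a SkippedFiltering value of True with SFV:SKA points you at the allowed senders or domains list in the anti-spam policy, which is exactly the configuration the best practices below warn against.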

Best practices to stay protected

On a monthly basis, run Secure Score to assess your organization's security
settings.

For messages that end up in quarantine by mistake, or for messages that are
allowed through, we recommend that you search for those messages in Threat
Explorer and real-time detections. You can search by sender, recipient, or message
ID. After you locate the message, go to details by clicking on the subject. For a
quarantined message, look to see what the "detection technology" was so that you
can use the appropriate method to override. For an allowed message, look to see
which policy allowed the message.

Email from spoofed senders (the From address of the message doesn't match the
source of the message) is classified as phishing in Defender for Office 365.
Sometimes spoofing is benign, and sometimes users don't want messages from
specific spoofed senders to be quarantined. To minimize the impact to users,
periodically review the spoof intelligence insight, the Spoofed senders tab in the
Tenant Allow/Block List, and the Spoof detections report. Once you have reviewed
allowed and blocked spoofed senders and made any necessary overrides, you can
confidently configure spoof intelligence in anti-phishing policies to
Quarantine suspicious messages instead of delivering them to the user's Junk
Email folder.

You can repeat the above step for Impersonation (domain or user) in Microsoft
Defender for Office 365. The Impersonation report is found under Threat
Management > Dashboard > Insights.

Periodically review the Threat Protection Status report.

Some customers inadvertently allow phishing messages through by putting their
own domains in the Allow sender or Allow domain list in anti-spam policies.
Although this configuration will allow some legitimate messages through, it will
also allow malicious messages that would normally be blocked by the spam and/or
phishing filters. Instead of allowing the domain, you should correct the underlying
problem.

The best way to deal with legitimate messages that are blocked by Microsoft 365
(false positives) that involve senders in your domain is to fully and completely
configure the SPF, DKIM, and DMARC records in DNS for all of your email
domains:

Verify that your SPF record identifies all sources of email for senders in your
domain (don't forget third-party services!).

Use hard fail (-all) to ensure that unauthorized senders are rejected by email
systems that are configured to do so. You can use the spoof intelligence insight
to help identify senders that are using your domain so that you can include
authorized third-party senders in your SPF record.

For configuration instructions, see:

Set up SPF to help prevent spoofing

Use DKIM to validate outbound email sent from your custom domain

Use DMARC to validate email

Whenever possible, we recommend that you deliver email for your domain directly
to Microsoft 365. In other words, point your Microsoft 365 domain's MX record to
Microsoft 365. Exchange Online Protection (EOP) is able to provide the best
protection for your cloud users when their mail is delivered directly to Microsoft
365. If you must use a third-party email hygiene system in front of EOP, use
Enhanced Filtering for Connectors. For instructions, see Enhanced Filtering for
Connectors in Exchange Online.

Using the built-in Report button in Outlook on the web or the Microsoft Report
Message or Report Phishing add-ins to report messages to Microsoft helps with
the training of our detection systems. Admins should also take advantage of admin
submission capabilities to report messages to Microsoft.

Multi-factor authentication (MFA) is a good way to prevent compromised accounts.
You should strongly consider enabling MFA for all of your users. For a phased
approach, start by enabling MFA for your most sensitive users (admins, executives,
etc.) before you enable MFA for everyone. For instructions, see Set up multi-factor
authentication.

Forwarding rules to external recipients are often used by attackers to extract data.
Use the Review mailbox forwarding rules information in Microsoft Secure Score to
find and even prevent forwarding rules to external recipients. For more
information, see Mitigating Client External Forwarding Rules with Secure Score.
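As an added example for the SPF advice above (written for this page, not Microsoft's code), the function below checks an SPF TXT record string for the points the best practices call out: whether it ends with hard fail (-all), which third-party senders are included, and how many DNS-lookup mechanisms it uses (RFC 7208 allows at most 10, and an over-limit record evaluates as a permanent error). Resolving the TXT record is left to the caller (for example Resolve-DnsName on Windows); the record below is constructed for a placeholder domain, and spf.protection.outlook.com is the include that the Set up SPF article documents for Microsoft 365.

```powershell
# Added example (not Microsoft's code): sanity-check an SPF record string.
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $terms = @($Record.Trim() -split '\s+')
    if ($terms[0] -ne 'v=spf1') { throw "Not an SPF record: $Record" }

    $lookupTerms  = @()
    $allQualifier = $null
    foreach ($rawTerm in ($terms | Select-Object -Skip 1)) {
        $term = $rawTerm
        # Mechanisms may carry a qualifier: + (pass, default), - (fail),
        # ~ (softfail), ? (neutral).
        $qualifier = '+'
        if ($term -match '^[+\-~?]') {
            $qualifier = $term.Substring(0, 1)
            $term      = $term.Substring(1)
        }
        $name = ($term -split '[:=/]', 2)[0].ToLower()
        if ($name -eq 'all') {
            $allQualifier = $qualifier
        } elseif ($name -in @('include', 'a', 'mx', 'ptr', 'exists', 'redirect')) {
            # Each of these costs a DNS lookup toward the limit of 10.
            $lookupTerms += $term
        }
    }

    [pscustomobject]@{
        AllQualifier    = $allQualifier
        HardFail        = ($allQualifier -eq '-')
        LookupCount     = $lookupTerms.Count
        OverLookupLimit = ($lookupTerms.Count -gt 10)
        Includes        = @($lookupTerms |
                            Where-Object { $_ -like 'include:*' } |
                            ForEach-Object { $_.Substring(8) })
    }
}

# Constructed record for a placeholder domain: Microsoft 365 plus a
# third-party CRM sender, ending in softfail rather than hard fail.
$record = 'v=spf1 include:spf.protection.outlook.com include:_spf.crm.example.invalid ip4:203.0.113.0/24 ~all'
$check  = Test-SpfRecord -Record $record
$check

if (-not $check.HardFail) {
    Write-Warning "Record ends in '$($check.AllQualifier)all'; use '-all' so that unauthorized senders are rejected."
}
if ($check.OverLookupLimit) {
    Write-Warning "Record needs $($check.LookupCount) DNS lookups; receivers treat more than 10 as a permanent error."
}
```

Compare the Includes list with the senders that the spoof intelligence insight shows using your domain: a legitimate third-party service that appears in the insight but not in the record is the usual cause of false positives, and the fix is to add it to the record rather than to allow the domain in the anti-spam policy.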

Quarantined email messages in EOP and Defender for Office 365
Article • 01/11/2023 • 3 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
quarantine is available to hold potentially dangerous or unwanted messages.

Anti-malware policies automatically quarantine a message if any attachment is found to
contain malware. For more information, see Configure anti-malware policies in EOP.

By default, anti-spam policies quarantine phishing and high confidence phishing
messages, and deliver spam, high confidence spam, and bulk email messages to the
user's Junk Email folder. But, you can also create and customize anti-spam policies to
quarantine spam, high confidence spam, and bulk-email messages. For more
information, see Configure anti-spam policies in EOP.

Both users and admins can work with quarantined messages:

Quarantine policies define what users are allowed to do or not do to quarantined
messages based on why the message was quarantined (for supported features).
Default quarantine policies enforce the historical capabilities as described below.
Admins can create and apply custom quarantine policies that define less restrictive
or more restrictive capabilities for users, and also turn on quarantine notifications.
For more information, see Quarantine policies.

Admins can work with all types of quarantined messages for all users. By default,
only admins can work with messages that were quarantined as malware, high
confidence phishing, or as a result of mail flow rules (also known as transport
rules). For more information, see Manage quarantined messages and files as an
admin in EOP.

By default, users can work with quarantined messages where they are a recipient
and the message was quarantined as spam, bulk email, or phishing (not high
confidence phishing). For more information, see Find and release quarantined
messages as a user in EOP.

To prevent users from managing their own quarantined phishing messages,
admins can assign a quarantine policy that denies access to quarantined messages
from the Phishing email filtering verdict in anti-spam policies. For more
information, see Assign quarantine policies in anti-spam policies and Quarantine
policies.

Admins can report false positives to Microsoft from quarantine. For more
information, see Take action on quarantined email and Take action on quarantined
files.

Depending on the user reported message settings in the organization (specifically,
the Let your organization report messages from quarantine setting), users can
report false positives to Microsoft from quarantine.

How long quarantined messages are held in quarantine before they expire varies
based on why the message was quarantined. The features that quarantine
messages and their corresponding retention periods are described in the following
table:

Columns: Quarantine reason / Default retention period / Customizable? / Comments

Messages quarantined by anti-spam policies: spam, high confidence spam, phishing,
high confidence phishing, or bulk.
Default retention period: 15 days in the default anti-spam policy and in anti-spam
policies that you create in PowerShell; 30 days in anti-spam policies that you
create in the Microsoft 365 Defender portal.
Customizable? Yes. You can configure (lower) this value in anti-spam policies. For
more information, see the Retain spam in quarantine for this many days
(QuarantineRetentionPeriod) setting in Configure anti-spam policies.

Messages quarantined by anti-phishing policies: spoof intelligence in EOP; user
impersonation, domain impersonation, or mailbox intelligence in Defender for
Office 365.
Default retention period: 30 days.
Customizable? Yes. This retention period is also controlled by the Retain spam in
quarantine for this many days (QuarantineRetentionPeriod) setting in anti-spam
policies. The retention period that's used is the value from the first matching
anti-spam policy that the recipient is defined in.

Messages quarantined by anti-malware policies (malware messages).
Default retention period: 30 days.
Customizable? No. If you turn on common attachments filtering in anti-malware
policies (in the default policy or in custom policies), file attachments in email
messages to the affected recipients are treated as malware based solely on the
file extension. A predefined list of mostly executable file types is used by
default, but you can customize the list. For more information, see Anti-malware
policies.

Messages quarantined by Safe Attachments policies in Defender for Office 365
(malware messages).
Default retention period: 30 days.
Customizable? No.

Messages quarantined by mail flow rules: the action is Deliver the message to the
hosted quarantine (Quarantine).
Default retention period: 30 days.
Customizable? No.

Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft
Teams (malware files).
Default retention period: 30 days.
Customizable? No. Files quarantined in SharePoint or OneDrive are removed from
quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive
in the blocked state.

When a message expires from quarantine, you can't recover it.

For more information about quarantine, see Quarantine FAQ.


Manage quarantined messages and files as an admin in EOP
Article • 12/10/2022 • 15 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
quarantine holds potentially dangerous or unwanted messages. For more information,
see Quarantined email messages in EOP.

Admins can view, release, and delete all types of quarantined messages for all users.
Admins can also report false positives to Microsoft.

By default, only admins can manage messages that were quarantined as malware, high
confidence phishing, or as a result of mail flow rules (also known as transport rules). But
admins can use quarantine policies to define what users are allowed to do to
quarantined messages based on why the message was quarantined (for supported
features). For more information, see Quarantine policies.

Admins in organizations with Microsoft Defender for Office 365 can also manage files
that were quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft
Teams.

You view and manage quarantined messages in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes
in Exchange Online; standalone EOP PowerShell for organizations without Exchange
Online mailboxes).
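As an added example of the PowerShell route mentioned above (written for this page, not Microsoft's code), the script below triages the quarantine from Exchange Online PowerShell: it pages through the last seven days of quarantined messages, summarizes them by quarantine reason, and lists the unreleased messages that expire within two days, since a message that expires from quarantine cannot be recovered. It assumes the ExchangeOnlineManagement module and the Get-QuarantineMessage cmdlet with its -StartReceivedDate, -PageSize and -Page parameters, and the output property names (ReceivedTime, Expires, Released, Type, SenderAddress, Subject, Identity) are my reading of that cmdlet's output; verify them with Get-QuarantineMessage | Get-Member before relying on the filter.

```powershell
# Added example (not Microsoft's code): quarantine triage from Exchange
# Online PowerShell. Requires Organization Management, Security Administrator
# or Quarantine Administrator (plus Hygiene Management for PowerShell use).
Connect-ExchangeOnline

$since = (Get-Date).AddDays(-7)

# Page through the results; the cmdlet returns one page per call. The page
# parameters and the stop condition are assumptions about the cmdlet.
$all  = @()
$page = 1
do {
    $batch = @(Get-QuarantineMessage -StartReceivedDate $since -PageSize 100 -Page $page)
    $all  += $batch
    $page++
} while ($batch.Count -eq 100 -and $page -le 50)

# Summary by quarantine reason, which maps onto the retention table in
# "Quarantined email messages in EOP and Defender for Office 365".
$all | Group-Object Type | Select-Object Name, Count | Sort-Object Count -Descending

# Unreleased messages that expire within two days: once they expire they are
# gone, so these are the ones to review first. Property names are assumed.
$cutoff = (Get-Date).AddDays(2)
$all |
    Where-Object { -not $_.Released -and $_.Expires -le $cutoff } |
    Sort-Object Expires |
    Select-Object ReceivedTime, Expires, Type, SenderAddress, Subject, Identity |
    Format-Table -AutoSize
```

The Identity value in the last column is what the release and delete cmdlets take, so this listing doubles as the input for whatever action the review decides on; the portal's Expires filter (Today, Next 2 days, Next 7 days) is the equivalent view in the Microsoft 365 Defender portal.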

Watch this short video to learn how to manage quarantined messages as an
administrator: https://www.microsoft.com/en-us/videoplayer/embed/RWGGPF?postJsllMsg=true

What do you need to know before you begin?

To open the Microsoft 365 Defender portal, go to https://security.microsoft.com.
To go directly to the Quarantine page, use
https://security.microsoft.com/quarantine.

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To take action on quarantined messages for all users, you need to be a member
of the Organization Management, Security Administrator, or Quarantine
Administrator* role groups. To submit messages to Microsoft, you need to be a
member of the Security Administrator role group.
For read-only access to quarantined messages for all users, you need to be a
member of the Global Reader or Security Reader role groups.

For more information, see Permissions in Exchange Online.

Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
* Members of the Quarantine Administrator role group in Email &
collaboration roles in the Microsoft 365 Defender portal also need to be
members of the Hygiene Management role group in Exchange Online to do
quarantine procedures in Exchange Online PowerShell.

Quarantined messages are retained for a default period of time based on why they
were quarantined. After the retention period expires, the messages are
automatically deleted and are not recoverable. For more information, see
Quarantined email messages in EOP and Defender for Office 365.

Use the Microsoft 365 Defender portal to manage quarantined email messages

View quarantined email

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to
Email & collaboration > Review > Quarantine. To go directly to the Quarantine
page, use https://security.microsoft.com/quarantine.

2. On the Quarantine page, verify that the Email tab is selected.

3. You can sort the results by clicking on an available column header. Click Customize
columns to change the columns that are shown. The default values are marked
with an asterisk (*):

Time received*
Subject*
Sender*
Quarantine reason*
Release status*
Policy type*
Expires*
Recipient
Message ID
Policy name
Message size
Mail direction
Recipient tag

When you're finished, click Apply.

4. To filter the results, click Filter. The following filters are available in the Filters flyout
that appears:

Message ID: The globally unique identifier of the message.

For example, you used message trace to look for a message that was sent to
a user in your organization, and you determine that the message was
quarantined instead of delivered. Be sure to include the full message ID value,
which might include angle brackets (<>). For example:
<79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>.

Sender address

Recipient address

Subject

Time received: Enter a Start time and End time (date).

Expires: Filter messages by when they will expire from quarantine:
Today
Next 2 days
Next 7 days
Custom: Enter a Start time and End time (date).

Recipient tag

Quarantine reason:
Transport rule (mail flow rule)
Bulk
Spam
Malware: Anti-malware policies in EOP or Safe Attachments policies in
Defender for Office 365. The Policy Type value indicates which feature was
used.
Phishing: The spam filter verdict was Phishing or anti-phishing protection
quarantined the message (spoof settings or impersonation protection).
High confidence phishing

Recipient: All users or Only me. End users can only manage quarantined
messages sent to them.

Release status: Any of the following values:
Needs review
Approved
Denied
Release requested
Released

Policy Type: Filter messages by policy type:
Anti-malware policy
Safe Attachments policy
Anti-phishing policy
Anti-spam policy
Transport rule (mail flow rule)

When you're finished, click Apply. To clear the filters, click Clear filters.

5. Use the Search box and a corresponding value to find specific messages. Wildcards
aren't supported. You can search by the following values:

Sender email address

Subject. Use the entire subject of the message. The search is not case-
sensitive.

After you've entered the search criteria, press ENTER to filter the results.

Note

The Search box on the main Quarantine page will search only quarantined
items in the current view, not the entire quarantine. To search all quarantined
items, use Filter and the resulting Filters flyout.

After you find a specific quarantined message, select the message to view details about
it, and to take action on it (for example, view, release, download, or delete the message).

View quarantined message details

When you select a quarantined message from the list, the following information is
available in the details flyout that appears.

Message ID: The globally unique identifier for the message. Available in the
Message-ID header field in the message header.
Sender address
Received: The date/time when the message was received.
Subject
Quarantine reason: Shows if a message has been identified as Spam, Bulk, Phish,
matched a mail flow rule (Transport rule), or was identified as containing Malware.
Policy type
Policy name
Recipient count
Recipients: If the message contains multiple recipients, you need to click Preview
message or View message header to see the complete list of recipients.
Recipient tag: For more information, see User tags in Microsoft Defender for Office
365.
Expires: The date/time when the message will be automatically and permanently
deleted from quarantine.
Released to: All email addresses (if any) to which the message has been released.
Not yet released to: All email addresses (if any) to which the message has not yet
been released.

To take action on the message, see the next section.

Note

To remain in the details flyout, but change the quarantined message that you're
looking at, use the up and down arrows at the top of the flyout.

Take action on quarantined email

After you select a quarantined message from the list, the following actions are available
in the details flyout:

Release email*: In the flyout pane that appears, configure the following options:

Add sender to your organization's allow list: Select this option to prevent
messages from the sender from being quarantined.

Choose one of the following options:
Release to all recipients
Release to specific recipients: Select the recipients in the Recipients box that
appears.

Send a copy of this message to other recipients: Select this option and enter
the recipient email addresses in the Recipients box that appears.

Note

To send a copy of the message to other recipients, you must also release
the message to at least one of the original recipients (select Release to all
recipients or Release to specific recipients).

Submit the message to Microsoft to improve detection (false positive): This
option is selected by default, and reports the erroneously quarantined message
to Microsoft as a false positive. If the message was quarantined as spam, bulk,
phishing, or containing malware, the message is also reported to the Microsoft
Spam Analysis Team. Depending on the results of their analysis, the service-wide
spam filter rules might be adjusted to allow the message through.

Allow messages like this: This option is turned off by default. Turn it on to
temporarily prevent messages with similar URLs, attachments, and other
properties from being quarantined. When you turn this option on, the following
options are available:
Remove after: Select how long you want to allow messages like this. Select 1
day to 30 days. The default is 30.
Optional note: Enter a useful description for the allow.

When you're finished, click Release message.

Notes about releasing messages:

You can't release a message to the same recipient more than once.
Only recipients who haven't received the message will appear in the list of
potential recipients.
Only members of the Security Administrators role group can see and use the
Submit the message to Microsoft to improve detection (false positive) and
Allow messages like this options.

Share email: In the flyout that appears, add one or more recipients to receive a
copy of the message. When you're finished, click Share.

The following actions are available after you click More actions:
View message headers: Choose this link to see the message header text. The
Message header flyout appears with the following links:
Copy message header: Click this link to copy the message header (all header
fields) to your clipboard.
Microsoft Message Header Analyzer: To analyze the header fields and values in
depth, click this link to go to the Message Header Analyzer. Paste the message
header into the Insert the message header you would like to analyze section
(CTRL+V or right-click and choose Paste), and then click Analyze headers.

Preview message: In the flyout that appears, choose one of the following tabs:
Source: Shows the HTML version of the message body with all links disabled.
Plain text: Shows the message body in plain text.

Delete from quarantine: After you click Yes in the warning that appears, the
message is immediately deleted without being sent to the original recipients.

Download email: In the flyout that appears, configure the following settings:
Reason for downloading file: Enter descriptive text.
Create password and Confirm password: Enter a password that's required to
open the downloaded message file.

When you're finished, click Download, and then Done to save a local copy of the
message. The .eml message file is saved in a compressed file named Quarantined
Messages.zip in your Downloads folder. If the .zip file already exists, a number is
appended to the filename (for example, Quarantined Messages(1).zip).

Block sender: Add the sender to the Blocked Senders list in your mailbox. For
more information, see Block a mail sender .

Submit only: Reports the message to Microsoft for analysis. In the flyout that
appears, choose the following options:
Select the submission type: Email (default), URL, or File.
Add the network message ID or upload the email file: Select one of the
following options:
Add the email network message ID (default, with the corresponding value in
the box)
Upload the email file (.msg or .eml): Click Browse files to find and select the
.msg or .eml message file to submit.
Choose a recipient who had an issue: Select one (preferred) or more original
recipients of the message to analyze the policies that were applied to them.
Select a reason for submitting to Microsoft: Choose one of the following
options:
Should not have been blocked (false positive) (default): The following
options are available:
Allow messages like this: This option is turned off by default. Turn it on to
temporarily prevent messages with similar URLs, attachments, and other
properties from being quarantined. When you turn this option on, the following
options are available:
Remove after: Select how long you want to allow messages like this.
Select 1 day to 30 days. The default is 30.
Optional note: Enter a useful description for the allow.
Should have been blocked (false negative).

When you're finished, click Submit.

* This option is not available for messages that have already been released (the
Released status value is Released).

If you don't release or remove the message, it will be deleted after the default
quarantine retention period expires (as shown in the Expires column).

Note

On a mobile device, the description text isn't available on the action icons.

The icons, in order, correspond to the following actions:

Release email
Share email
View message headers
Preview message
Delete from quarantine
Download email
Block sender
Submit only

Take action on multiple quarantined email messages


When you select multiple quarantined messages in the list (up to 100) by clicking in the
blank area to the left of the first column, the Bulk actions drop down list appears where
you can take the following actions:

Release messages: Releases messages to all recipients. In the flyout that
appears, you can choose the following options, which are the same as when you
release a single message:
Add sender to your organization's allow list
Send a copy of this message to other recipients
Submit the message to Microsoft to improve detection (false positive)
Allow messages like this:
Remove after: 1 day to 30 days
Optional note

When you're finished, click Release message.

Note

Consider the following scenario: john@gmail.com sends a message to
faith@contoso.com and john@subsidiary.contoso.com. Gmail bifurcates this
message into two copies that are both routed to quarantine as phishing in
Microsoft. An admin releases both of these messages to
admin@contoso.com. The first released message that reaches the admin
mailbox is delivered. The second released message is identified as duplicate
delivery and is skipped. Messages are identified as duplicates if they have the
same message ID and received time.

Delete messages: After you click Yes in the warning that appears, the messages
are immediately removed from quarantine without being sent to the original
recipients.

Download messages

Submit only

Use the Microsoft 365 Defender portal to manage quarantined files in Defender for
Office 365

Note

The procedures for quarantined files in this section are available only to Microsoft
Defender for Office 365 Plan 1 or Plan 2 subscribers.

In organizations with Defender for Office 365, admins can manage files that were
quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. To
enable protection for these files, see Turn on Safe Attachments for SharePoint,
OneDrive, and Microsoft Teams.

Note

Files quarantined in SharePoint or OneDrive are removed from quarantine after 30
days, but the blocked files remain in SharePoint or OneDrive in the blocked state.

View quarantined files


1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & collaboration > Review > Quarantine. To go directly to the Quarantine
page, use https://security.microsoft.com/quarantine .

2. On the Quarantine page, select the Files tab (Email is the default tab).

3. You can sort the results by clicking on an available column header. Click Customize
columns to change the columns that are shown. The default columns are marked
with an asterisk (*):

User*
Location*
Attachment filename*
File URL*
File Size
Release status*
Expires*
Detected by
Modified by time

When you're finished, click Apply or Cancel.

4. To filter the results, click Filter. The following filters are available in the Filters flyout
that appears:

Time received: Start time and End time (date).
Expires: Start time and End time (date).
Quarantine reason: The only available value is Malware.
Policy type

When you're finished, click Apply or Cancel.

After you find a specific quarantined file, select the file to view details about it, and to
take action on it (for example, view, release, download, or delete the file).

View quarantined file details

When you select a quarantined file from the list, the following information is available in
the details flyout that opens:

File Name
File URL: URL that defines the location of the file (for example, in SharePoint
Online).
Malicious content detected on: The date/time the file was quarantined.
Expires: The date when the file will be deleted from quarantine.
Detected by
Released?
Malware Name
Document ID: A unique identifier for the document.
File Size: In kilobytes (KB).
Organization: Your organization's unique ID.
Last modified
Modified By: The user who last modified the file.
Secure Hash Algorithm 256-bit (SHA-256) value: You can use this hash value to
identify the file in other reputation stores or in other locations in your
environment.

To take action on the file, see the next section.

Note

To remain in the details flyout, but change the quarantined file that you're looking
at, use the up and down arrows at the top of the flyout.

Take action on quarantined files


After you select a quarantined file from the list, the following actions are available in the
details flyout:

Release file*: In the flyout pane that appears, turn on or turn off Report files to
Microsoft for analysis, and then click Release.

Download file: In the flyout that appears, select I understand the risks from
downloading this file, and then click Download to save a local copy of the file.
Delete from quarantine: After you click Yes in the warning that appears, the file
is immediately deleted.
Block sender: Add the sender to the Blocked Senders list in your mailbox. For
more information, see Block a mail sender.

* This option is not available for files that have already been released (the Released
status value is Released).

If you don't release or remove the file, it will be deleted after the default quarantine
retention period expires (as shown in the Expires column).

Take action on multiple quarantined files

When you select multiple quarantined files in the list (up to 100) by clicking in the blank
area to the left of the Subject column, the Bulk actions drop down list appears where
you can take the following actions:

Release file: In the flyout pane that appears, turn on or turn off Report files to
Microsoft for analysis, and then click Release.
Delete from quarantine: After you click Yes in the warning that appears, the file
is immediately deleted.
Download file: In the flyout that appears, select I understand the risks from
downloading this file, and then click Download to save a local copy of the file.

Use Exchange Online PowerShell or standalone EOP PowerShell to view and manage
quarantined messages and files

The cmdlets that you use to view and manage messages and files in quarantine are
described in the following list:

Delete-QuarantineMessage
Export-QuarantineMessage
Get-QuarantineMessage
Preview-QuarantineMessage: Note that this cmdlet is only for messages, not
quarantined files from Safe Attachments for SharePoint, OneDrive, and Microsoft
Teams.
Release-QuarantineMessage

For more information


Quarantined messages FAQ

Find and release quarantined messages as a user in EOP
Article • 12/10/2022 • 7 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
quarantine holds potentially dangerous or unwanted messages. For more information,
see Quarantine in EOP.

As an ordinary user (not an admin), the default capabilities that are available to you as a
recipient of a quarantined message are described in the following table:

Quarantine reason                                                        View  Release  Delete

Anti-spam policies
    Bulk                                                                 Yes   Yes      Yes
    Spam                                                                 Yes   Yes      Yes
    High confidence spam                                                 Yes   Yes      Yes
    Phishing                                                             Yes   Yes      Yes
    High confidence phishing                                             No    No       No

Anti-phishing policies
    Spoof intelligence protection in EOP                                 Yes   Yes      Yes
    Impersonated user protection in Defender for Office 365              Yes   Yes      Yes
    Impersonated domain protection in Defender for Office 365            Yes   Yes      Yes
    Mailbox intelligence protection in Defender for Office 365           Yes   Yes      Yes

Anti-malware policies
    Email messages with attachments that are quarantined as malware.     No    No       No

Safe Attachments in Defender for Office 365
    Safe Attachments policies that quarantine email messages with
    malicious attachments as malware.                                    No    No       No
    Safe Attachments for SharePoint, OneDrive, and Microsoft Teams that
    quarantines malicious files as malware.                              No    No       No

Mail flow rules (transport rules)
    Mail flow rules that quarantine email messages.                      No    No       No

Quarantine policies define what users are allowed to do to quarantined messages based
on why the message was quarantined in supported features. Default quarantine policies
enforce the historical capabilities as described in the previous table. Admins can create
and apply custom quarantine policies that define less restrictive or more restrictive
capabilities for users in supported features. For more information, see Quarantine
policies.

You view and manage your quarantined messages in the Microsoft 365 Defender portal
or (if an admin has set this up) quarantine notifications from quarantine policies.

What do you need to know before you begin?

To open the Microsoft 365 Defender portal, go to https://security.microsoft.com .
To go directly to the Quarantine page, use
https://security.microsoft.com/quarantine .

Admins can configure how long messages are kept in quarantine before they're
permanently deleted in anti-spam policies. Messages that have expired from
quarantine are unrecoverable. For more information, see Configure anti-spam
policies in EOP.

By default, messages that were quarantined for high confidence phishing, malware,
or by mail flow rules are only available to admins, and aren't visible to users. For
more information, see Manage quarantined messages and files as an admin in
EOP.

View your quarantined messages

Note

Your ability to view quarantined messages is controlled by the quarantine policy
that applies to the quarantined message type (which might be the default
quarantine policy for the quarantine reason).

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & collaboration > Review > Quarantine. To go directly to the Quarantine
page, use https://security.microsoft.com/quarantine .

2. On the Quarantine page, you can sort the results by clicking on an available
column header. Click Customize columns to change the columns that are shown.
The default values are marked with an asterisk (*):

Time received*
Subject*
Sender*
Quarantine reason*
Release status*
Policy type*
Expires*
Recipient
Message ID
Policy name
Message size
Mail direction

When you're finished, click Apply.

3. To filter the results, click Filter. The following filters are available in the Filters flyout
that appears:

Message ID: The globally unique identifier of the message.
Sender address
Recipient address
Subject
Time received: Enter a Start time and End time (date).
Expires: Filter messages by when they will expire from quarantine:
Today
Next 2 days
Next 7 days
Custom: Enter a Start time and End time (date).
Quarantine reason:
Bulk
Spam
Phishing: The spam filter verdict was Phishing or anti-phishing protection
quarantined the message (spoof settings or impersonation protection).
High confidence phishing
Release status: Any of the following values:
Needs review
Approved
Denied
Release requested
Released
Policy Type: Filter messages by policy type:
Anti-malware policy
Safe Attachments policy
Anti-phishing policy
Anti-spam policy

When you're finished, click Apply. To clear the filters, click Clear filters.

4. Use the Search box and a corresponding value to find specific messages. Wildcards
aren't supported. You can search by the following values:

Message ID
Sender email address
Recipient email address
Subject. Use the entire subject of the message. The search is not case-sensitive.
Policy name. Use the entire policy name. The search is not case-sensitive.

After you've entered the search criteria, press ENTER to filter the results.

Note

The Search box on the main Quarantine page will search only quarantined
items in the current view, not the entire quarantine. To search all quarantined
items, use Filter and the resulting Filters flyout.

After you find a specific quarantined message, select the message to view details about
it, and to take action on it (for example, view, release, download, or delete the message).

View quarantined message details

When you select a quarantined message from the list, the following message details
appear in the Details flyout pane:

Message ID: The globally unique identifier for the message.
Sender address
Received: The date/time when the message was received.
Subject
Quarantine reason
Policy type: The type of policy. For example, Anti-spam policy.
Recipient count
Recipients: If the message contains multiple recipients, you need to click Preview
message or View message header to see the complete list of recipients.
Expires: The date/time when the message will be automatically and permanently
deleted from quarantine.

To take action on the message, see the next section.

Note

To remain in the details flyout, but change the quarantined message that you're
looking at, use the up and down arrows at the top of the flyout.

Take action on quarantined email

Note

Your ability to take action on quarantined messages is controlled by the quarantine
policy that applies to the quarantined message type (which might be the default
quarantine policy for the quarantine reason). This section describes all available
actions.

After you select a quarantined message from the list, the following actions are available
in the details flyout:

Release email*: Delivers the message to your Inbox.

View message headers: Choose this link to see the message header text. The
Message header flyout appears with the following links:

Copy message header: Click this link to copy the message header (all header
fields) to your clipboard.

Microsoft Message Header Analyzer: To analyze the header fields and values in
depth, click this link to go to the Message Header Analyzer. Paste the message
header into the Insert the message header you would like to analyze section
(CTRL+V or right-click and choose Paste), and then click Analyze headers.

The following actions are available after you click More actions:

Preview message: In the flyout that appears, choose one of the following tabs:
Source: Shows the HTML version of the message body with all links disabled.
Plain text: Shows the message body in plain text.

Remove from quarantine: After you click Yes in the warning that appears, the
message is immediately deleted without being sent to the original recipients.

Download email: In the flyout that appears, configure the following settings:
Reason for downloading file: Enter descriptive text.
Create password and Confirm password: Enter a password that's required to
open the downloaded message file.

When you're finished, click Download, and then Done to save a local copy of the
message. The .eml message file is saved in a compressed file named Quarantined
Messages.zip in your Downloads folder. If the .zip file already exists, a number is
appended to the filename (for example, Quarantined Messages(1).zip).

Block sender: Add the sender to the Blocked Senders list in your mailbox. For
more information, see Block a mail sender .

* This option is not available for messages that have already been released (the Released
status value is Released).

If you don't release or remove the message, it will be deleted after the default
quarantine retention period expires (as shown in the Expires column).

Note

On a mobile device, the description text isn't available on the action icons.

The icons in order and their corresponding descriptions are summarized in the
following table:

Icon (in order) / Description

Release email
View message headers
Preview message
Remove from quarantine
Block sender

Take action on multiple quarantined email messages

When you select multiple quarantined messages in the list (up to 100) by clicking in the
blank area to the left of the first column, the Bulk actions drop down list appears where
you can take the following actions:

Release messages: Delivers the messages to your Inbox.
Delete messages: After you click Yes in the warning that appears, the messages
are immediately removed from quarantine without being sent to the original
recipients.

Quarantine policies
Article • 12/22/2022 • 31 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to:

Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Quarantine policies (formerly known as quarantine tags) in Exchange Online Protection
(EOP) and Microsoft Defender for Office 365 allow admins to control what users are able
to do to quarantined messages based on why the message was quarantined. This
feature is available in all Microsoft 365 organizations with Exchange Online mailboxes.

Traditionally, users have been allowed or denied levels of interactivity for quarantine
messages based on why the message was quarantined. For example, users can view and
release messages that were quarantined by anti-spam filtering as spam or bulk, but they
can't view or release messages that were quarantined as high confidence phishing or
malware.

For supported protection features, quarantine policies specify what users are allowed to
do to their own messages (messages where they're a recipient) in quarantine and in
quarantine notifications. Quarantine notifications are the replacement for end-user spam
notifications. These notifications are now controlled by quarantine policies, and contain
information about quarantined messages for all supported protection features (not just
anti-spam policy and anti-phishing policy verdicts).

Default quarantine policies that enforce the historical user capabilities are automatically
assigned to actions in the supported protection features that quarantine messages. Or,
you can create custom quarantine policies and assign them to the supported protection
features to allow or prevent users from performing specific actions on those types of
quarantined messages.

The individual quarantine policy permissions are combined into the following preset
permission groups:

No access
Limited access
Full access

The individual quarantine policy permissions that are contained in the preset permission
groups are described in the following table:

Permission                                                     No access  Limited access  Full access

Block sender (PermissionToBlockSender)                         No         Yes             Yes
Delete (PermissionToDelete)                                    No         Yes             Yes
Preview (PermissionToPreview)                                  No         Yes             Yes
Allow recipients to release a message from quarantine
(PermissionToRelease)*                                         No         No              Yes
Allow recipients to request a message to be released from
quarantine (PermissionToRequestRelease)                        No         Yes             No

* The Allow recipients to release a message from quarantine permission is not honored
in anti-malware policies or for the high confidence phishing verdict in anti-spam
policies. Users cannot release their own malware or high confidence phishing messages
from quarantine. At best, you can use the Allow recipients to request a message to be
released from quarantine permission.

The default quarantine policies, their associated permission groups, and whether
quarantine notifications are enabled are described in the following table:

Default quarantine policy Permission group used Quarantine notifications enabled?

AdminOnlyAccessPolicy No access No

DefaultFullAccessPolicy Full access No

NotificationEnabledPolicy* Full access Yes

If you don't like the default permissions in the preset permission groups, or if you want
to enable quarantine notifications, create and use custom quarantine policies. For more
information about what each permission does, see the Quarantine policy permission
details section later in this article.

You create and assign quarantine policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with Exchange
Online mailboxes; standalone EOP PowerShell in EOP organizations without Exchange
Online mailboxes).

Note

How long quarantined messages are held in quarantine before they expire is
controlled by the Retain spam in quarantine for this many days
(QuarantineRetentionPeriod) in anti-spam policies. For more information, see
Configure anti-spam policies in EOP.

If you change the quarantine policy that's assigned to a supported protection
feature, the change affects messages that are quarantined after you make the
change. Messages that were previously quarantined by that protection feature are
not affected by the settings of the new quarantine policy assignment.

Full access permissions and quarantine notifications

* The quarantine policy named NotificationEnabledPolicy is not present in all
environments. You'll have the NotificationEnabledPolicy quarantine policy if your
organization meets both of the following requirements:

Your organization existed before the quarantine policy feature was turned on (late
July/early August 2021).
You had one or more anti-spam policies (the default anti-spam policy or custom
anti-spam policies) where the Enable end-user spam notifications setting was
turned on.

As described earlier, quarantine notifications in quarantine policies replace end-user
spam notifications that you used to turn on or turn off in anti-spam policies. The built-in
quarantine policy named DefaultFullAccessPolicy duplicates the historical permissions for
quarantined messages, but quarantine notifications are not turned on in the quarantine
policy. And, because you can't modify the built-in policy, you can't turn on quarantine
notifications in DefaultFullAccessPolicy.

To provide the permissions of DefaultFullAccessPolicy but with quarantine notifications
turned on, we created the policy named NotificationEnabledPolicy to use in place of
DefaultFullAccessPolicy for those organizations that needed it (organizations where end-
user spam notifications were turned on).

For new organizations or older organizations that never had end-user spam notifications
enabled in anti-spam policies, you won't have the quarantine policy named
NotificationEnabledPolicy. The way for you to turn on quarantine notifications is to
create and use custom quarantine policies where quarantine notifications are turned on.

What do you need to know before you begin?

You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the Quarantine policies page, use
https://security.microsoft.com/quarantinePolicies .

To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange
Online Protection PowerShell.

To view, create, modify, or remove quarantine policies, you need to be a member
of the Organization Management, Security Administrator, or Quarantine
Administrator roles in the Microsoft 365 Defender portal. For more information,
see Permissions in the Microsoft 365 Defender portal.

Step 1: Create quarantine policies in the Microsoft 365 Defender portal

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
Rules > Threat policies > Quarantine policies in the Rules section. Or, to go
directly to the Quarantine policies page, use
https://security.microsoft.com/quarantinePolicies .

2. On the Quarantine policies page, click Add custom policy.

3. The New policy wizard opens. On the Policy name page, enter a brief but unique
name in the Policy name box. You'll need to identify and select the quarantine
policy by name in upcoming steps. When you're finished, click Next.
4. On the Recipient message access page, select one of the following values:

Limited access: The individual permissions that are included in this
permission group are described earlier in this article.
Set specific access (Advanced): Use this value to specify custom permissions.
Configure the following settings that appear:
Select release action preference: Select one of the following values:
Blank: This is the default value.
Allow recipients to release a message from quarantine
Allow recipients to request a message to be released from quarantine
Select additional actions recipients can take on quarantined messages:
Select some, all, or none of the following values:
Delete
Preview
Block sender

These permissions and their effect on quarantined messages and in quarantine
notifications are described in the Quarantine policy permission details section later
in this article.

When you're finished, click Next.

5. On the End-user spam notification page, select Enable to enable quarantine
notifications (formerly known as end-user spam notifications). When you're
finished, click Next.

Note

As explained earlier, the built-in policies (AdminOnlyAccessPolicy or
DefaultFullAccessPolicy) do not have quarantine notifications turned on, and
you can't modify the policies.

6. On the Review policy page, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.

When you're finished, click Submit.

7. On the confirmation page that appears, click Done.

Now you're ready to assign the quarantine policy to a quarantine feature as described in
the Step 2 section.

Create quarantine policies in PowerShell

If you'd rather use PowerShell to create quarantine policies, connect to Exchange Online
PowerShell or Exchange Online Protection PowerShell and use the
New-QuarantinePolicy cmdlet.

Note

If you don't use the ESNEnabled parameter and the value $true , then quarantine
notifications are turned off.

Use the EndUserQuarantinePermissionsValue parameter

To create a quarantine policy using the EndUserQuarantinePermissionsValue parameter,
use the following syntax:

PowerShell

New-QuarantinePolicy -Name "<UniqueName>" -EndUserQuarantinePermissionsValue <0 to 236> [-EsnEnabled $true]

The EndUserQuarantinePermissionsValue parameter uses a decimal value that's
converted from a binary value. The binary value corresponds to the available end-user
quarantine permissions in a specific order. For each permission, the value 1 equals True
and the value 0 equals False.

The required order and values for each individual permission are described in the
following table:

Permission                      Decimal value   Binary value

PermissionToViewHeader*         128             10000000
PermissionToDownload**          64              01000000
PermissionToAllowSender**       32              00100000
PermissionToBlockSender         16              00010000
PermissionToRequestRelease***   8               00001000
PermissionToRelease***          4               00000100
PermissionToPreview             2               00000010
PermissionToDelete              1               00000001

* The value 0 doesn't hide the View message header button in the details of the
quarantined message (the button is always available).

** This setting is not used (the value 0 or 1 does nothing).

*** Don't set both of these values to 1. Set one to 1 and the other to 0, or set both to 0.

For Limited access permissions, the required values are:

Permission Limited access

PermissionToViewHeader 0

PermissionToDownload 0

PermissionToAllowSender 0

PermissionToBlockSender 1

PermissionToRequestRelease 1

PermissionToRelease 0

PermissionToPreview 1

PermissionToDelete 1

Binary value 00011011

Decimal value to use 27

This example creates a new quarantine policy named LimitedAccess with quarantine
notifications turned on that assigns the Limited access permissions as described in the
previous table.

PowerShell

New-QuarantinePolicy -Name LimitedAccess -EndUserQuarantinePermissionsValue 27 -EsnEnabled $true

For custom permissions, use the previous table to get the binary value that corresponds
to the permissions you want. Convert the binary value to a decimal value and use the
decimal value for the EndUserQuarantinePermissionsValue parameter. Don't use the
binary value for the parameter value.

For detailed syntax and parameter information, see New-QuarantinePolicy.
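The following PowerShell is an added example, not part of the original article, that turns the permission table above into a pair of helper functions: one builds the decimal EndUserQuarantinePermissionsValue from permission names (rejecting the forbidden Release plus RequestRelease combination), the other decodes an existing value so you can review what a policy grants before reusing it. The helper names are hypothetical; only the commented-out New-QuarantinePolicy call at the end needs a connected Exchange Online PowerShell session.

```powershell
# Added example (not Microsoft's code): encode/decode EndUserQuarantinePermissionsValue.
# Bit weights in the order the parameter expects (most significant bit first).
$QuarantinePermissionBits = [ordered]@{
    PermissionToViewHeader     = 128   # value ignored: the header button is always shown
    PermissionToDownload       = 64    # not used
    PermissionToAllowSender    = 32    # not used
    PermissionToBlockSender    = 16
    PermissionToRequestRelease = 8     # never together with PermissionToRelease
    PermissionToRelease        = 4
    PermissionToPreview        = 2
    PermissionToDelete         = 1
}

function ConvertTo-QuarantinePermissionsValue {
    # Returns the decimal value to pass to -EndUserQuarantinePermissionsValue
    # for the named permissions, enforcing the table's footnoted constraint.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PermissionToViewHeader', 'PermissionToDownload',
                     'PermissionToAllowSender', 'PermissionToBlockSender',
                     'PermissionToRequestRelease', 'PermissionToRelease',
                     'PermissionToPreview', 'PermissionToDelete')]
        [string[]]$Permission
    )
    if (('PermissionToRelease' -in $Permission) -and
        ('PermissionToRequestRelease' -in $Permission)) {
        throw 'Set PermissionToRelease or PermissionToRequestRelease to 1, not both.'
    }
    $value = 0
    foreach ($name in ($Permission | Select-Object -Unique)) {
        $value += $QuarantinePermissionBits[$name]
    }
    return $value
}

function ConvertFrom-QuarantinePermissionsValue {
    # Decodes a decimal value (for example, one read from an existing policy)
    # into its 8-bit binary string and the list of permissions set to 1.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 255)]
        [int]$Value
    )
    $granted = foreach ($entry in $QuarantinePermissionBits.GetEnumerator()) {
        if ($Value -band $entry.Value) { $entry.Key }
    }
    [pscustomobject]@{
        Decimal = $Value
        Binary  = [Convert]::ToString($Value, 2).PadLeft(8, '0')
        Granted = @($granted)
    }
}

# Limited access, as in the table above: BlockSender + RequestRelease + Preview + Delete.
$limited = ConvertTo-QuarantinePermissionsValue -Permission @(
    'PermissionToBlockSender', 'PermissionToRequestRelease',
    'PermissionToPreview', 'PermissionToDelete'
)
"Limited access value: $limited"
ConvertFrom-QuarantinePermissionsValue -Value $limited | Format-List

# Full access (the permissions of DefaultFullAccessPolicy): Release instead of RequestRelease.
$full = ConvertTo-QuarantinePermissionsValue -Permission @(
    'PermissionToBlockSender', 'PermissionToRelease',
    'PermissionToPreview', 'PermissionToDelete'
)
"Full access value: $full"

# This combination violates the *** footnote and throws before anything is created.
try {
    ConvertTo-QuarantinePermissionsValue -Permission 'PermissionToRelease', 'PermissionToRequestRelease'
} catch {
    "Rejected: $($_.Exception.Message)"
}

# After Connect-ExchangeOnline, create the policy with the computed value:
# New-QuarantinePolicy -Name 'LimitedAccess' -EndUserQuarantinePermissionsValue $limited -EsnEnabled $true
```

Running the Limited access set reproduces the decimal 27 and binary 00011011 from the table above.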

Step 2: Assign a quarantine policy to supported features

In supported protection features that quarantine email messages, you can assign a
quarantine policy to the available quarantine actions. Features that quarantine messages
and the availability of quarantine policies are described in the following table (Feature /
Quarantine policies supported? / Default quarantine policies used):

Anti-spam policies (quarantine policies supported: Yes)
    Spam (SpamAction): DefaultFullAccessPolicy* (Full access)
    High confidence spam (HighConfidenceSpamAction): DefaultFullAccessPolicy* (Full access)
    Phishing (PhishSpamAction): DefaultFullAccessPolicy* (Full access)
    High confidence phishing (HighConfidencePhishAction): AdminOnlyAccessPolicy (No access)
    Bulk (BulkSpamAction): DefaultFullAccessPolicy* (Full access)

Anti-phishing policies (quarantine policies supported: Yes)
    Spoof intelligence protection (AuthenticationFailAction): DefaultFullAccessPolicy* (Full access)
    Impersonation protection in Defender for Office 365:
        If message is detected as an impersonated user (TargetedUserProtectionAction):
        DefaultFullAccessPolicy* (Full access)
        If message is detected as an impersonated domain (TargetedDomainProtectionAction):
        DefaultFullAccessPolicy* (Full access)
        If mailbox intelligence detects an impersonated user (MailboxIntelligenceProtectionAction):
        DefaultFullAccessPolicy* (Full access)

Anti-malware policies: All detected messages are always quarantined. (quarantine policies
supported: Yes)
    AdminOnlyAccessPolicy (No access)

Safe Attachments protection:
    Email messages with attachments that are quarantined as malware by Safe Attachments
    policies (Enable and Action) (quarantine policies supported: Yes): AdminOnlyAccessPolicy
    (No access)
    Files quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft
    Teams (quarantine policies supported: No): n/a

Mail flow rules (also known as transport rules) with the action: Deliver the message to the
hosted quarantine (Quarantine) (quarantine policies supported: No): n/a

* As previously described in this article, your organization might use
NotificationEnabledPolicy instead of DefaultFullAccessPolicy. The only difference
between these two quarantine policies is quarantine notifications are turned on in
NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.

The default quarantine policies, preset permission groups, and permissions are
described at the beginning of this article and later in this article.

Note

If you're happy with the default end-user permissions and quarantine notifications
that are provided (or not provided) by the default quarantine policies, you don't
need to do anything. If you want to add or remove end-user capabilities (the
available buttons) for user quarantined messages, or enable quarantine
notifications and add or remove the same capabilities in quarantine notifications,
you can assign a different quarantine policy to the quarantine action.

Assign quarantine policies in supported policies in the Microsoft 365 Defender portal

Note

Users can't release their own messages that were quarantined as malware (anti-
malware policies) or high confidence phishing (anti-spam policies), regardless of
how the quarantine policy is configured. At best, admins can configure the
quarantine policy so users can request the release of their quarantined malware or
high confidence phishing messages.

Anti-spam policies

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Threat policies > Anti-spam in the Policies section.

Or, to go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam .

2. On the Anti-spam policies page, do one of the following steps:

Find and select an existing inbound anti-spam policy.
Create a new inbound anti-spam policy.

3. Do one of the following steps:

Edit existing: Select the policy by clicking on the name of the policy. In the
policy details flyout, go to the Actions section and then click Edit actions.
Create new: In the new policy wizard, get to the Actions page.

4. On the Actions page, every verdict that has the Quarantine message action will
also have the Select quarantine policy box for you to select a corresponding
quarantine policy.

Note: When you create a new policy, a blank Select quarantine policy value
indicates the default quarantine policy for that verdict is used. When you later edit
the policy, the blank values are replaced by the actual default quarantine policy
names as described in the previous table.

Full instructions for creating and modifying anti-spam policies are described in
Configure anti-spam policies in EOP.

Anti-spam policies in PowerShell


If you'd rather use PowerShell to assign quarantine policies in anti-spam policies,
connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and
use the following syntax:

PowerShell

<New-HostedContentFilterPolicy -Name "<Unique name>" | Set-HostedContentFilterPolicy -Identity "<Policy name>"> [-SpamAction Quarantine] [-SpamQuarantineTag <QuarantineTagName>] [-HighConfidenceSpamAction Quarantine] [-HighConfidenceSpamQuarantineTag <QuarantineTagName>] [-PhishSpamAction Quarantine] [-PhishQuarantineTag <QuarantineTagName>] [-HighConfidencePhishQuarantineTag <QuarantineTagName>] [-BulkSpamAction Quarantine] [-BulkQuarantineTag <QuarantineTagName>] ...

Notes:

The default value for the PhishSpamAction and HighConfidencePhishAction
parameters is Quarantine, so you don't need to use those parameters when you
create new spam filter policies in PowerShell. For the SpamAction,
HighConfidenceSpamAction, and BulkSpamAction parameters in new or existing
anti-spam policies, the quarantine policy is effective only if the value is Quarantine.

To see the important parameter values in existing anti-spam policies, run the
following command:

PowerShell

Get-HostedContentFilterPolicy | Format-List Name,*SpamAction,HighConfidencePhishAction,*QuarantineTag

For information about the default action values and the recommended action
values for Standard and Strict, see EOP anti-spam policy settings.

When you create new anti-spam policies, a spam filtering verdict without a
corresponding quarantine policy parameter means the default quarantine policy
for that verdict is used.

You need to replace a default quarantine policy with a custom quarantine policy
only if you want to change the default end-user capabilities on quarantined
messages for that particular spam filtering verdict.

A new anti-spam policy in PowerShell requires a spam filter policy (settings) using
the New-HostedContentFilterPolicy cmdlet and an exclusive spam filter rule
(recipient filters) using the New-HostedContentFilterRule cmdlet. For instructions,
see Use PowerShell to create anti-spam policies.

This example creates a new spam filter policy named Research Department with the
following settings:

The action for all spam filtering verdicts is set to Quarantine.
The custom quarantine policy named NoAccess that assigns No access
permissions replaces any default quarantine policies that don't already assign No
access permissions by default.

PowerShell

New-HostedContentFilterPolicy -Name "Research Department" -SpamAction Quarantine -SpamQuarantineTag NoAccess -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag NoAccess -PhishSpamAction Quarantine -PhishQuarantineTag NoAccess -BulkSpamAction Quarantine -BulkQuarantineTag NoAccess

For detailed syntax and parameter information, see New-HostedContentFilterPolicy.

This example modifies the existing spam filter policy named Human Resources. The
action for the spam quarantine verdict is set to Quarantine, and the custom quarantine
policy named NoAccess is assigned.

PowerShell

Set-HostedContentFilterPolicy -Identity "Human Resources" -SpamAction Quarantine -SpamQuarantineTag NoAccess

For detailed syntax and parameter information, see Set-HostedContentFilterPolicy.
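The notes above make a point that is easy to miss in practice: a *QuarantineTag value only matters when the matching *Action is Quarantine. The following added example (not from the article) reports, per anti-spam policy and per verdict, which quarantine policy is in effect and whether it is actually honored. It assumes an existing Exchange Online PowerShell session; the property names are the ones the article lists for Get-HostedContentFilterPolicy, and the sample policy object is constructed so the function can be tried offline.

```powershell
# Verdict -> (action property, quarantine tag property) as exposed by
# Get-HostedContentFilterPolicy.
$verdicts = [ordered]@{
    'Spam'                     = @('SpamAction',                'SpamQuarantineTag')
    'High confidence spam'     = @('HighConfidenceSpamAction',  'HighConfidenceSpamQuarantineTag')
    'Phishing'                 = @('PhishSpamAction',           'PhishQuarantineTag')
    'High confidence phishing' = @('HighConfidencePhishAction', 'HighConfidencePhishQuarantineTag')
    'Bulk'                     = @('BulkSpamAction',            'BulkQuarantineTag')
}

function Get-SpamVerdictQuarantineReport {
    [CmdletBinding()]
    param(
        # Policy objects as returned by Get-HostedContentFilterPolicy. Taking them
        # as input lets the report run on captured or constructed objects too.
        [Parameter(ValueFromPipeline = $true)]
        [psobject[]]$Policy
    )
    process {
        foreach ($p in $Policy) {
            foreach ($verdict in $verdicts.Keys) {
                $actionName, $tagName = $verdicts[$verdict]
                $action = $p.$actionName
                $tag    = $p.$tagName
                # A blank tag means the built-in default quarantine policy for this verdict applies.
                $effectiveTag = if ([string]::IsNullOrEmpty($tag)) { '(default for verdict)' } else { $tag }
                [pscustomobject]@{
                    Policy           = $p.Name
                    Verdict          = $verdict
                    Action           = $action
                    QuarantinePolicy = $effectiveTag
                    # The quarantine policy is only honored when the action is Quarantine.
                    TagIsEffective   = ("$action" -eq 'Quarantine')
                }
            }
        }
    }
}

# Constructed sample (not a real tenant object) so the report can be tried offline.
# The high confidence spam verdict carries a custom tag that will never be used,
# because its action moves the message to Junk Email instead of quarantining it.
$sample = [pscustomobject]@{
    Name                             = 'Research Department'
    SpamAction                       = 'Quarantine'; SpamQuarantineTag               = 'NoAccess'
    HighConfidenceSpamAction         = 'MoveToJmf';  HighConfidenceSpamQuarantineTag = 'NoAccess'
    PhishSpamAction                  = 'Quarantine'; PhishQuarantineTag              = ''
    HighConfidencePhishAction        = 'Quarantine'; HighConfidencePhishQuarantineTag = ''
    BulkSpamAction                   = 'Quarantine'; BulkQuarantineTag               = 'NoAccess'
}
$sample | Get-SpamVerdictQuarantineReport | Format-Table -AutoSize

# Live usage, showing only custom tags that are silently ignored:
# Get-HostedContentFilterPolicy | Get-SpamVerdictQuarantineReport |
#     Where-Object { -not $_.TagIsEffective -and $_.QuarantinePolicy -ne '(default for verdict)' }
```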

Anti-phishing policies
Spoof intelligence is available in EOP and Defender for Office 365. User impersonation
protection, domain impersonation protection, and mailbox intelligence are available
only in Defender for Office 365. For more information, see Anti-phishing policies in
Microsoft 365.

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Threat policies > Anti-phishing in the Policies section.

Or, to go directly to the Anti-phishing page, use
https://security.microsoft.com/antiphishing.

2. On the Anti-phishing page, do one of the following steps:

Find and select an existing anti-phishing policy.
Create a new anti-phishing policy.

3. Do one of the following steps:

Edit existing: Select the policy by clicking on the name of the policy. In the
policy details flyout, go to the Protection settings section and then click Edit
protection settings.
Create new: In the new policy wizard, get to the Actions page.

4. On the Protection settings page, verify that the following settings are turned on
and configured as required:

Enabled users to protect: Specify users.
Enabled domains to protect: Select Include domains I own and/or Include
custom domains and specify the domains.
Enable mailbox intelligence
Enable intelligence for impersonation protection
Enable spoof intelligence

5. Do one of the following steps:

Edit existing: In the policy details flyout, go to the Actions section and then
click Edit actions.
Create new: In the new policy wizard, get to the Actions page.

6. On the Actions page, every verdict that has the Quarantine the message action
will also have the Apply quarantine policy box for you to select a corresponding
quarantine policy.

Note: When you create a new policy, a blank Apply quarantine policy value
indicates the default quarantine policy for that action is used. When you later edit
the policy, the blank values are replaced by the actual default quarantine policy
names as described in the previous table.

Full instructions for creating and modifying anti-phishing policies are available in the
following topics:

Configure anti-phishing policies in EOP
Configure anti-phishing policies in Microsoft Defender for Office 365

Anti-phishing policies in PowerShell


If you'd rather use PowerShell to assign quarantine policies in anti-phishing policies,
connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and
use the following syntax:

PowerShell

<New-AntiPhishPolicy -Name "<Unique name>" | Set-AntiPhishPolicy -Identity "<Policy name>"> [-EnableSpoofIntelligence $true] [-AuthenticationFailAction Quarantine] [-SpoofQuarantineTag <QuarantineTagName>] [-EnableMailboxIntelligence $true] [-EnableMailboxIntelligenceProtection $true] [-MailboxIntelligenceProtectionAction Quarantine] [-MailboxIntelligenceQuarantineTag <QuarantineTagName>] [-EnableOrganizationDomainsProtection $true] [-EnableTargetedDomainsProtection $true] [-TargetedDomainProtectionAction Quarantine] [-TargetedDomainQuarantineTag <QuarantineTagName>] [-EnableTargetedUserProtection $true] [-TargetedUserProtectionAction Quarantine] [-TargetedUserQuarantineTag <QuarantineTagName>] ...

Notes:

The Enable* parameters are required to turn on the specific protection features.
The default value for the EnableMailboxIntelligence and EnableSpoofIntelligence
parameters is $true, so you don't need to use these parameters when you create
new anti-phish policies in PowerShell. All other Enable* parameters need to have
the value $true so you can set the value Quarantine in the corresponding *Action
parameters and then assign a quarantine policy. None of the *Action parameters
have the default value Quarantine.

To see the important parameter values in existing anti-phish policies, run the
following command:

PowerShell

Get-AntiPhishPolicy | Format-List Name,Enable*Intelligence,Enable*Protection,*Action,*QuarantineTag

For information about the default action values and the recommended action
values for Standard and Strict, see EOP anti-phishing policy settings and
Impersonation settings in anti-phishing policies in Microsoft Defender for Office
365.

When you create anti-phishing policies, an anti-phishing action without a
corresponding quarantine policy parameter means the default quarantine policy
for that verdict is used.

You need to replace a default quarantine policy with a custom quarantine policy
only if you want to change the default end-user capabilities on quarantined
messages for that particular verdict.

A new anti-phishing policy in PowerShell requires an anti-phish policy (settings)
using the New-AntiPhishPolicy cmdlet and an exclusive anti-phish rule (recipient
filters) using the New-AntiPhishRule cmdlet. For instructions, see the following
topics:

Use PowerShell to configure anti-phishing policies in EOP
Use Exchange Online PowerShell to configure anti-phishing policies

This example creates a new anti-phish policy named Research Department with the
following settings:

The action for all anti-phishing verdicts is set to Quarantine.
The custom quarantine policy named NoAccess that assigns No access
permissions replaces any default quarantine policies that don't already assign No
access permissions by default.

PowerShell

New-AntiPhishPolicy -Name "Research Department" -AuthenticationFailAction Quarantine -SpoofQuarantineTag NoAccess -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine -MailboxIntelligenceQuarantineTag NoAccess -EnableOrganizationDomainsProtection $true -EnableTargetedDomainsProtection $true -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag NoAccess -EnableTargetedUserProtection $true -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag NoAccess

For detailed syntax and parameter information, see New-AntiPhishPolicy.

This example modifies the existing anti-phish policy named Human Resources. The
action for messages detected by user impersonation and domain impersonation is set to
Quarantine, and the custom quarantine policy named NoAccess is assigned.

PowerShell

Set-AntiPhishPolicy -Identity "Human Resources" -EnableTargetedDomainsProtection $true -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag NoAccess -EnableTargetedUserProtection $true -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag NoAccess

For detailed syntax and parameter information, see Set-AntiPhishPolicy.

Anti-malware policies
1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Threat policies > Anti-malware in the Policies section.

Or, to go directly to the Anti-malware page, use
https://security.microsoft.com/antimalwarev2.

2. On the Anti-malware page, do one of the following steps:

Find and select an existing anti-malware policy.
Create a new anti-malware policy.

3. Do one of the following steps:

Edit existing: Select the policy by clicking on the name of the policy. In the
policy details flyout, go to the Protection settings section and then click Edit
protection settings.
Create new: In the new policy wizard, get to the Actions page.

4. On the Protection settings page, select a quarantine policy in the Quarantine
policy box.

Note: When you create a new policy, a blank Quarantine policy value indicates the
default quarantine policy for malware detections is used. When you later edit the
policy, the blank value is replaced by the actual default quarantine policy name as
described in the previous table.

Anti-malware policies in PowerShell

If you'd rather use PowerShell to assign quarantine policies in anti-malware policies,
connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and
use the following syntax:

PowerShell

<New-AntiMalwarePolicy -Name "<Unique name>" | Set-AntiMalwarePolicy -Identity "<Policy name>"> [-QuarantineTag <QuarantineTagName>]

Notes:

When you create a new anti-malware policy without using the QuarantineTag
parameter, the default quarantine policy for malware detections is used
(AdminOnlyAccessPolicy).

You need to replace the default quarantine policy with a custom quarantine policy
only if you want to change the default end-user capabilities on messages that are
quarantined as malware.

To see the important parameter values in existing anti-malware policies, run the
following command:

PowerShell

Get-MalwareFilterPolicy | Format-Table Name,QuarantineTag

A new anti-malware policy in PowerShell requires a malware filter policy (settings)
using the New-MalwareFilterPolicy cmdlet and an exclusive malware filter rule
(recipient filters) using the New-MalwareFilterRule cmdlet. For instructions, see
Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-
malware policies.

This example creates a malware filter policy named Research Department that uses the
custom quarantine policy named NoAccess that assigns No access permissions to the
quarantined messages.

PowerShell

New-MalwareFilterPolicy -Name "Research Department" -QuarantineTag NoAccess

For detailed syntax and parameter information, see New-MalwareFilterPolicy.

This example modifies the existing malware filter policy named Human Resources by
assigning the custom quarantine policy named NoAccess that assigns No access
permissions to the quarantined messages.

PowerShell

Set-MalwareFilterPolicy -Identity "Human Resources" -QuarantineTag NoAccess

For detailed syntax and parameter information, see Set-MalwareFilterPolicy.

Safe Attachments policies in Defender for Office 365

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Threat policies > Safe Attachments in the Policies section.

Or, to go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2.

2. On the Safe Attachments page, do one of the following steps:

Find and select an existing Safe Attachments policy.
Create a new Safe Attachments policy.

3. Do one of the following steps:

Edit existing: Select the policy by clicking on the name of the policy. In the
policy details flyout, go to the Settings section and then click Edit settings.
Create new: In the new policy wizard, get to the Settings page.

4. On the Settings page, do the following steps:

a. Safe Attachments unknown malware response: Select Block, Replace, or
Dynamic Delivery.
b. Select a quarantine policy in the Quarantine policy box.

Note: When you create a new policy, a blank Quarantine policy value indicates the
default quarantine policy is used. When you later edit the policy, the blank value is
replaced by the actual default quarantine policy name as described in the previous
table.

Full instructions for creating and modifying Safe Attachments policies are described in
Set up Safe Attachments policies in Microsoft Defender for Office 365.

Safe Attachments policies in PowerShell

If you'd rather use PowerShell to assign quarantine policies in Safe Attachments policies,
connect to Exchange Online PowerShell or Exchange Online Protection PowerShell and
use the following syntax:

PowerShell

<New-SafeAttachmentPolicy -Name "<Unique name>" | Set-SafeAttachmentPolicy -Identity "<Policy name>"> -Enable $true -Action <Block | Replace | DynamicDelivery> [-QuarantineTag <QuarantineTagName>]

Notes:

The Action parameter values Block, Replace, or DynamicDelivery can result in
quarantined messages (the value Allow does not quarantine messages). The value
of the Action parameter is meaningful only when the value of the Enable
parameter is $true.

When you create new Safe Attachments policies without using the QuarantineTag
parameter, the default quarantine policy for Safe Attachments detections in email
is used (AdminOnlyAccessPolicy).

You need to replace the default quarantine policy with a custom quarantine policy
only if you want to change the default end-user capabilities on email messages
that are quarantined by Safe Attachments policies.

To see the important parameter values, run the following command:

PowerShell

Get-SafeAttachmentPolicy | Format-List Name,Enable,Action,QuarantineTag

A new Safe Attachments policy in PowerShell requires a safe attachment policy
(settings) using the New-SafeAttachmentPolicy cmdlet and an exclusive safe
attachment rule (recipient filters) using the New-SafeAttachmentRule cmdlet. For
instructions, see Use Exchange Online PowerShell or standalone EOP PowerShell to
configure Safe Attachments policies.

This example creates a safe attachment policy named Research Department that blocks
detected messages and uses the custom quarantine policy named NoAccess that
assigns No access permissions to the quarantined messages.

PowerShell

New-SafeAttachmentPolicy -Name "Research Department" -Enable $true -Action Block -QuarantineTag NoAccess

For detailed syntax and parameter information, see New-SafeAttachmentPolicy.

This example modifies the existing safe attachment policy named Human Resources by
assigning the custom quarantine policy named NoAccess that assigns No access
permissions.

PowerShell

Set-SafeAttachmentPolicy -Identity "Human Resources" -QuarantineTag NoAccess

For detailed syntax and parameter information, see Set-SafeAttachmentPolicy.

Configure global quarantine notification settings in the Microsoft 365 Defender portal
The global settings for quarantine policies allow you to customize the quarantine
notifications that are sent to recipients of quarantined messages if quarantine
notifications are turned on in the quarantine policy. For more information about these
notifications, see Quarantine notifications.

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Threat policies > Quarantine policies in the Rules section. Or, to go
directly to the Quarantine policies page, use
https://security.microsoft.com/quarantinePolicies.

2. On the Quarantine policies page, select Global settings.

3. In the Quarantine notification settings flyout that opens, configure the following
settings:

Note

We don't allow the same display name, subject, or disclaimer text for different
languages. You need to provide a different display name, subject, and
disclaimer text for each language that you select.

The same sender address is used for all languages. Although you can select a
different sender email address for each language, the last sender you specify
is used for all languages.

Customize quarantine notifications based on the recipient's language:

The Display name of the sender that's used in quarantine notifications, as
shown in the following screenshot.

The Subject field of the quarantine notification messages.

The Disclaimer text that's added to the bottom of quarantine notifications.
The localized text, A disclaimer from your organization: is always included
first, followed by the text you specify, as shown in the following screenshot:

The language identifier for the Display name, Subject, and Disclaimer
values. Quarantine notifications are already localized based on the
recipient's language settings. The Display name, Subject, and Disclaimer
values are used in quarantine notifications that apply to the recipient's
language.
Select the language in the Choose language box before you enter values
in the Display name, Subject, and Disclaimer boxes. When you change the
value in the Choose language box, the values in the Display name,
Subject, and Disclaimer boxes are emptied.

Follow these steps to customize quarantine notifications based on the
recipient's language:

a. Select the language from the Choose language box. The default value is
Default, which means the default language for the Microsoft 365
organization. For more information, see How to set language and region
settings for Microsoft 365.

b. Enter values for Display name, Subject, and Disclaimer. The values must
be unique for each language. If you try to reuse a Display name, Subject,
or Disclaimer value for multiple languages, you'll get an error when you
click Save.

c. Use Specify sender address to select an existing recipient to use as the
sender of quarantine notifications. If you've already specified a sender for
a different language, the sender you specify will overwrite your previous
selection (the same sender email address is used for all languages).

d. Click the Add button.

e. Repeat the previous steps to create a maximum of three customized
quarantine notifications based on the recipient's language. An unlabeled
box shows the languages that you've configured:

Use my company logo: Select this option to replace the default Microsoft
logo that's used at the top of quarantine notifications. Before you do this
step, you need to follow the instructions in Customize the Microsoft 365
theme for your organization to upload your custom logo. This option is not
supported if your organization has a custom logo pointing to a URL instead
of an uploaded image file.

The following screenshot shows a custom logo in a quarantine notification:


Send end-user spam notification every (days): Select the frequency for
quarantine notifications. The default value is 3 days, but you can select 1 to
15 days.

4. When you're finished, click Save.


View quarantine policies in the Microsoft 365 Defender portal

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Threat policies > Quarantine policies in the Rules section. Or, to go
directly to the Quarantine policies page, use
https://security.microsoft.com/quarantinePolicies.

2. The Quarantine policies page shows the list of policies by Name and Last updated
date.

3. To view the settings of built-in or custom quarantine policies, select the quarantine
policy from the list by clicking on the name.

4. To view the global settings, click Global settings.

View quarantine policies in PowerShell

If you'd rather use PowerShell to view quarantine policies, do any of the following steps:

To view a summary list of all built-in or custom policies, run the following
command:

PowerShell

Get-QuarantinePolicy | Format-Table Name

To view the settings of built-in or custom quarantine policies, replace
<QuarantinePolicyName> with the name of the quarantine policy, and run the
following command:

PowerShell

Get-QuarantinePolicy -Identity "<QuarantinePolicyName>"

To view the global settings for quarantine notifications, run the following
command:

PowerShell

Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy

For detailed syntax and parameter information, see Get-QuarantinePolicy.

Modify quarantine policies in the Microsoft 365 Defender portal

You can't modify the built-in quarantine policies named AdminOnlyAccessPolicy or
DefaultFullAccessPolicy. You can modify the built-in policy named
NotificationEnabledPolicy (if you have it) and custom quarantine policies.

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Threat policies > Quarantine policies in the Rules section. Or, to go
directly to the Quarantine policies page, use
https://security.microsoft.com/quarantinePolicies.

2. On the Quarantine policies page, select the policy by clicking on the name.

3. After you select the policy, click the Edit policy icon that appears.

4. The Edit policy wizard that opens is virtually identical to the New policy wizard as
described in the Create quarantine policies in the Microsoft 365 Defender portal
section earlier in this article.

The main difference is: you can't rename an existing policy.

5. When you're finished modifying the policy, go to the Summary page and click
Submit.

Modify quarantine policies in PowerShell

If you'd rather use PowerShell to modify a custom quarantine policy, replace
<QuarantinePolicyName> with the name of the quarantine policy, and use the following
syntax:

PowerShell

Set-QuarantinePolicy -Identity "<QuarantinePolicyName>" [Settings]

The available settings are the same as described for creating quarantine policies earlier
in this article.

For detailed syntax and parameter information, see Set-QuarantinePolicy.

Remove quarantine policies in the Microsoft 365 Defender portal

Notes:

You can't remove the built-in quarantine policies named AdminOnlyAccessPolicy or
DefaultFullAccessPolicy. You can remove the built-in policy named
NotificationEnabledPolicy (if you have it) and custom quarantine policies.

Before you remove a quarantine policy, verify that it's not being used. For example,
run the following command in PowerShell:

PowerShell

Write-Output -InputObject "Anti-spam policies","----------------------"; Get-HostedContentFilterPolicy | Format-List Name,*QuarantineTag
Write-Output -InputObject "Anti-phishing policies","----------------------"; Get-AntiPhishPolicy | Format-List Name,*QuarantineTag
Write-Output -InputObject "Anti-malware policies","----------------------"; Get-MalwareFilterPolicy | Format-List Name,QuarantineTag
Write-Output -InputObject "Safe Attachments policies","----------------------"; Get-SafeAttachmentPolicy | Format-List Name,QuarantineTag

If the quarantine policy is being used, replace the assigned quarantine policy
before you remove it.
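The listing above still leaves the admin to read through every policy by eye. The following added example (not from the article) turns that check into a function that returns only the threat policies still referencing a given quarantine policy, so removal can be gated on an empty result. It assumes an existing Exchange Online PowerShell session and relies on the four Get-* cmdlets and the *QuarantineTag property names the article uses; Find-QuarantinePolicyReferences is a name chosen here.

```powershell
function Find-QuarantinePolicyReferences {
    [CmdletBinding()]
    param(
        # Name of the quarantine policy you intend to remove, for example NoAccess.
        [Parameter(Mandatory = $true)]
        [string]$QuarantinePolicyName
    )
    # Each policy type is queried through its own script block so that a failure in
    # one (for example, Safe Attachments cmdlets in a tenant without Defender for
    # Office 365) does not abort the check for the remaining types.
    $sources = [ordered]@{
        'Anti-spam'        = { Get-HostedContentFilterPolicy }
        'Anti-phishing'    = { Get-AntiPhishPolicy }
        'Anti-malware'     = { Get-MalwareFilterPolicy }
        'Safe Attachments' = { Get-SafeAttachmentPolicy }
    }
    foreach ($type in $sources.Keys) {
        try {
            $policies = & $sources[$type]
        }
        catch {
            Write-Warning "Could not enumerate $type policies: $($_.Exception.Message)"
            continue
        }
        foreach ($policy in $policies) {
            # Every property whose name ends in QuarantineTag holds a quarantine policy
            # name (SpamQuarantineTag, SpoofQuarantineTag, QuarantineTag, and so on).
            $tagProps = $policy.PSObject.Properties | Where-Object { $_.Name -like '*QuarantineTag' }
            foreach ($prop in $tagProps) {
                if ("$($prop.Value)" -eq $QuarantinePolicyName) {
                    [pscustomobject]@{
                        PolicyType    = $type
                        PolicyName    = $policy.Name
                        Setting       = $prop.Name
                        QuarantineTag = $prop.Value
                    }
                }
            }
        }
    }
}

# Usage: only proceed to Remove-QuarantinePolicy when nothing references the policy.
$refs = Find-QuarantinePolicyReferences -QuarantinePolicyName 'NoAccess'
if ($refs) {
    $refs | Format-Table -AutoSize
}
else {
    Write-Output "No anti-spam, anti-phishing, anti-malware, or Safe Attachments policy references NoAccess."
}
```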

1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Threat policies > Quarantine policies in the Rules section. Or, to go
directly to the Quarantine policies page, use
https://security.microsoft.com/quarantinePolicies.

2. On the Quarantine policies page, select the custom quarantine policy that you
want to remove by clicking on the name.

3. After you select the policy, click the Delete policy icon that appears.

4. Click Remove policy in the confirmation dialog that appears.

Remove quarantine policies in PowerShell

If you'd rather use PowerShell to remove a custom quarantine policy, replace
<QuarantinePolicyName> with the name of the quarantine policy, and run the following
command:

PowerShell

Remove-QuarantinePolicy -Identity "<QuarantinePolicyName>"

For detailed syntax and parameter information, see Remove-QuarantinePolicy.

System alerts for quarantine release requests

By default, the default alert policy named User requested to release a quarantined
message automatically generates an informational alert and sends notification to
Organization Management (global administrator) whenever a user requests the release
of a quarantined message.

Admins can customize the email notification recipients or create a custom alert policy
for more options.

For more information about alert policies, see Alert policies in Microsoft 365.

Quarantine policy permission details

The following sections describe the effects of preset permission groups and individual
permissions in the details of quarantined messages and in quarantine notifications.

Preset permissions groups

The individual permissions that are included in preset permission groups are listed in
the table at the beginning of this article.

No access
If the quarantine policy assigns the No access permissions (admin only access), users will
not be able to see those messages that are quarantined:

Quarantined message details: No messages will show in the end-user view.
Quarantine notifications: No notifications will be sent for those messages.

Limited access
If the quarantine policy assigns the Limited access permissions, users get the following
capabilities:

Quarantined message details: The following buttons are available:
Request release
View message headers
Preview message
Remove from quarantine
Block sender

Quarantine notifications: The following buttons are available:
Block sender
Request release
Review

Full access
If the quarantine policy assigns the Full access permissions (all available permissions),
users get the following capabilities:

Quarantined message details: The following buttons are available:
Release message
View message headers
Preview message
Remove from quarantine
Block sender

Quarantine notifications: The following buttons are available:
Block sender
Release
Review

Note

As explained earlier, quarantine notifications are disabled in the default quarantine
policy named DefaultFullAccessPolicy, even though that quarantine policy has the
Full access permission group assigned. Quarantine notifications are available only
in custom quarantine policies that you create or in the default quarantine access
policy named NotificationEnabledPolicy (if that policy is available in your
organization).

Individual permissions

Block sender permission
The Block sender permission (PermissionToBlockSender) controls access to the button
that allows users to conveniently add the quarantined message sender to their Blocked
Senders list.

Quarantined message details:
Block sender permission enabled: The Block sender button is available.
Block sender permission disabled: The Block sender button is not available.

Quarantine notifications:
Block sender permission enabled: The Block sender button is available.
Block sender permission disabled: The Block sender button is not available.

For more information about the Blocked Senders list, see Block messages from
someone and Use Exchange Online PowerShell to configure the safelist collection on
a mailbox.

Delete permission
The Delete permission (PermissionToDelete) controls the ability of users to delete
their messages (messages where the user is a recipient) from quarantine.

Quarantined message details:
Delete permission enabled: The Remove from quarantine button is available.
Delete permission disabled: The Remove from quarantine button is not
available.

Quarantine notifications: No effect.

Preview permission
The Preview permission (PermissionToPreview) controls the ability of users to preview
their messages in quarantine.

Quarantined message details:
Preview permission enabled: The Preview message button is available.
Preview permission disabled: The Preview message button is not available.

Quarantine notifications: No effect.

Allow recipients to release a message from quarantine permission

Note

This permission is not honored in anti-malware policies or for the high confidence
phishing verdict in anti-spam policies. Users cannot release their own malware or
high confidence phishing messages from quarantine. At best, you can use the
Allow recipients to request a message to be released from quarantine
permission.

The Allow recipients to release a message from quarantine permission
(PermissionToRelease) controls the ability of users to release their quarantined messages
directly and without the approval of an admin.

Quarantined message details:
Permission enabled: The Release message button is available.
Permission disabled: The Release message button is not available.

Quarantine notifications:
Permission enabled: The Release button is available.
Permission disabled: The Release button is not available.

Allow recipients to request a message to be released from quarantine permission
The Allow recipients to request a message to be released from quarantine permission
(PermissionToRequestRelease) controls the ability of users to request the release of their
quarantined messages. The message is only released after an admin approves the
request.

Quarantined message details:
Permission enabled: The Request release button is available.
Permission disabled: The Request release button is not available.

Quarantine notifications:
Permission enabled: The Request release button is available.
Permission disabled: The Request release button is not available.

View and release quarantined messages from shared mailboxes
Article • 12/10/2022 • 3 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.

Applies to:

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Users can manage quarantined messages where they are one of the recipients as
described in Find and release quarantined messages as a user in EOP. But what about
shared mailboxes where the user has Full Access and Send As or Send on Behalf
permissions to the mailbox as described in Shared mailboxes in Exchange Online?

Previously, the ability for users to manage quarantined messages sent to a shared
mailbox required admins to leave automapping enabled for the shared mailbox (it's
enabled by default when an admin gives a user access to another mailbox). However,
depending on the size and number of mailboxes that the user has access to,
performance can suffer as Outlook tries to open all mailboxes that the user has access
to. For this reason, many admins choose to remove automapping for shared mailboxes.

Now, automapping is no longer required for users to manage quarantined messages
that were sent to shared mailboxes. It just works. There are two different methods to
access quarantined messages that were sent to a shared mailbox:

If the following statements are all true:


An admin has configured quarantine policies to allow quarantine notifications
(formerly known as end-user spam notifications).
The user has access to quarantine notifications of the shared mailbox.
The user has Full Access permissions to the shared mailbox (directly or via a
security group).
The user can click the Review button in the notification to go to quarantine in the
Microsoft 365 Defender portal. This method only allows access to quarantined
messages that were sent to the shared mailbox. Users can't manage their own
quarantine messages in this context.

The user can go to quarantine in the Microsoft 365 Defender portal and click Filter
to filter the results by Recipient address (the email address of the shared mailbox).
On the main Quarantine page, you can click on the Recipient column to sort by
messages that were sent to the shared mailbox.

Things to keep in mind

Quarantine policies define what users are allowed to do or not do to quarantined
messages based on why the message was quarantined (for supported features).
Default quarantine policies enforce the historical capabilities that allow recipients
to view and act on messages. Admins can create and apply custom quarantine
policies that define less restrictive or more restrictive capabilities for users. For
more information, see Quarantine policies.

The first user to act on the quarantined message decides the fate of the message
for everyone who uses the shared mailbox. For example, if a shared mailbox is
accessed by 10 users, and a user decides to delete the quarantine message, the
message is deleted for all 10 users. Likewise, if a user decides to release the
message, it's released to the shared mailbox and is accessible by all other users of
the shared mailbox.

Currently, the Block sender button is not available in the Details flyout for
quarantined messages that were sent to the shared mailbox.

Regarding quarantine operations for shared mailboxes, if you use nested security
groups to grant access to a shared mailbox, we recommend no more than two
levels of nested groups. For example, Group A is a member of Group B, which is a
member of Group C. To assign permissions to a shared mailbox, don't add the user
to Group A and then assign Group C to the shared mailbox.

As of July 2022, users with primary SMTP addresses that are different from their
user principal names (UPNs) should be able to access quarantined messages for
the shared mailbox.

To manage quarantined messages for the shared mailbox in Exchange Online
PowerShell, the end-user will need to use the Get-QuarantineMessage cmdlet with the
shared mailbox email address for the value of the RecipientAddress parameter to
identify the messages. For example:

PowerShell

Get-QuarantineMessage -RecipientAddress officeparty@contoso.com

Then, the end-user can select a quarantined message from the list to view or take
action on.

This example shows all of the quarantined messages that were sent to the shared
mailbox, and then releases the first message in the list from quarantine (the first
message in the list is 0, the second is 1, and so on).

PowerShell

# Collect the identities of all quarantined messages sent to the shared mailbox
$SharedMessages = Get-QuarantineMessage -RecipientAddress officeparty@contoso.com | select -ExpandProperty Identity

# Show the list (index 0 is the first message, 1 the second, and so on)
$SharedMessages

# Release the first message in the list
Release-QuarantineMessage -Identity $SharedMessages[0]

For detailed syntax and parameter information, see the following topics:
Get-QuarantineMessage
Get-QuarantineMessageHeader
Preview-QuarantineMessage
Release-QuarantineMessage
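As an added example (not code from the article), the listing-then-release step above with an inspection pass in between: it uses the four cmdlets the article links to, assumes an existing Exchange Online PowerShell session and Full Access to the shared mailbox, and reuses the article's officeparty@contoso.com address.

```powershell
# Added example, not from the original article. Assumes you are connected to
# Exchange Online PowerShell and have Full Access to the shared mailbox.
$SharedMailbox = 'officeparty@contoso.com'   # address reused from the article

# Step 1: list what is waiting in quarantine for the shared mailbox, newest first.
$Quarantined = Get-QuarantineMessage -RecipientAddress $SharedMailbox |
    Sort-Object ReceivedTime -Descending

$Quarantined |
    Select-Object ReceivedTime, SenderAddress, Subject, Type, Released, Identity |
    Format-Table -AutoSize

# Step 2: inspect each unreleased message before acting. The first user to act
# decides the outcome for everyone who uses the shared mailbox, so look first.
foreach ($Msg in ($Quarantined | Where-Object { -not $_.Released })) {
    Write-Host "`n=== [$($Msg.Type)] $($Msg.Subject) from $($Msg.SenderAddress) ==="

    # Headers (authentication results, routing) without rendering the body.
    Get-QuarantineMessageHeader -Identity $Msg.Identity

    # Text preview of the body; safer than releasing it just to read it in Outlook.
    Preview-QuarantineMessage -Identity $Msg.Identity

    $Answer = Read-Host 'Release this message to the shared mailbox? (y/N)'
    if ($Answer -eq 'y') {
        Release-QuarantineMessage -Identity $Msg.Identity
        Write-Host "Released $($Msg.Identity)"
    }
    else {
        Write-Host 'Left in quarantine; it expires on' $Msg.Expires
    }
}
```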
Use quarantine notifications to release and report quarantined messages
Article • 12/10/2022 • 3 minutes to read


Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
quarantine holds potentially dangerous or unwanted messages. For more information,
see Quarantined messages in EOP.

Quarantine policies define what users are allowed to do to quarantined messages based
on why the message was quarantined (for supported features). For more information,
see Quarantine policies. Quarantine policies also control whether the affected recipients
(including shared mailboxes) get periodic quarantine notifications about their
quarantined messages. Quarantine notifications are the replacement for end-user spam
notifications for all supported protection features (not just anti-spam policy verdicts).

Quarantine notifications are not turned on in the built-in quarantine policies named
AdminOnlyAccessPolicy or DefaultFullAccessPolicy. Quarantine notifications are turned
on in the built-in quarantine policy named NotificationEnabledPolicy if your
organization has it. Otherwise, to turn on quarantine notifications in quarantine policies,
you need to create and configure a new quarantine policy.

In addition, to allow the 'Block sender' option in quarantine notifications to work
correctly, users need to be enabled for remote PowerShell. For instructions, see Enable
or disable access to Exchange Online PowerShell.

Admins can also use the global settings in quarantine policies to customize the sender's
display name, disclaimer text in different languages, and the company logo that's used
in quarantine notifications. For instructions, see Configure global quarantine notification
settings.

For shared mailboxes, quarantine notifications are supported only for users who are
granted FullAccess permission to the shared mailbox. For more information, see Use the
EAC to edit shared mailbox delegation.

Note

By default, messages that are quarantined as high confidence phishing, malware, by
mail flow rules (also known as transport rules), or Safe Attachments policies in
Defender for Office 365 are only available to admins (by default, the
AdminOnlyAccessPolicy quarantine policy is used). For more information, see
Manage quarantined messages and files as an admin in EOP.

Quarantine notifications for messages sent to distribution groups or mail-enabled
security groups are sent to all group members.

Quarantine notifications for messages sent to Microsoft 365 Groups are sent to all
group members only if the Send copies of group conversations and events to
group members setting is turned on.

When you receive a quarantine notification, the following information is always available
for each quarantined message:

Sender: The sender name and email address of the quarantined message.
Subject: The subject line text of the quarantined message.
Date: The date and time (in UTC) that the message was quarantined.

The actions that are available in the quarantine notification depend on why the message
was quarantined, and the permissions that are assigned by the associated quarantine
policy. For more information, see Quarantine policy permission details.

By default, the following actions are available in the quarantine notification for
messages that were quarantined as spam, high confidence spam, or bulk:

Block Sender: Click this link to add the sender to the Blocked Senders list on your
mailbox. For more information, see Block a mail sender.
Release: You can release the message here without going to Quarantine in the
Microsoft 365 Defender portal.
Review: Click this link to go to Quarantine in the Microsoft 365 Defender portal,
where you can (depending on why the message was quarantined) view, release,
delete or report your quarantined messages. For more information, see Find and
release quarantined messages as a user in EOP.

Note

A blocked sender can still send you mail. Any messages from this sender that make
it to your mailbox will be immediately moved to the Junk Email folder. Future
messages from this sender will go to your Junk Email folder or to quarantine. If you
would like to delete these messages on arrival instead of quarantining them, use
mail flow rules (also known as transport rules) to delete the messages on arrival.

Quarantined messages FAQ
FAQ


Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This topic provides frequently asked questions and answers about quarantined email
messages for Microsoft 365 organizations with mailboxes in Exchange Online, or
standalone Exchange Online Protection (EOP) organizations without Exchange Online
mailboxes.

For questions and answers about anti-spam protection, see Anti-spam protection FAQ.

For questions and answers about anti-malware protection, see Anti-malware protection
FAQ.

For questions and answers about anti-spoofing protection, see Anti-spoofing protection
FAQ.

How do I manage messages that were quarantined for malware?

By default, only admins can manage messages that were quarantined for malware. For
more information, see Manage quarantined messages and files as an admin.

But, admins can create and apply quarantine policies to anti-malware policies that define
more capabilities for users. For more information, see Quarantine policies.

How do I quarantine spam?

By default, messages that are classified as spam or bulk email by spam filtering are
delivered to the user's mailbox, and are moved to the Junk Email folder. But you can
configure anti-spam policies to quarantine spam or bulk email messages instead. For
more information, see Configure anti-spam policies in EOP.

How do I give users access to the quarantine?

A user must have a valid account to access their own messages in quarantine.
Standalone EOP requires that users are represented as mail users in EOP (manually
created or created via directory synchronization). For more information about managing
users in standalone EOP environments, see Manage mail users in standalone EOP.

What messages can end users access in quarantine?

Quarantine policies define whether users can access quarantined messages based on
why the message was quarantined (for supported features). For more information, see
Quarantine policies.

By default, users can access the following types of quarantined messages where they're
a recipient:

Anti-spam policies: Spam, bulk email, and phishing messages (not high confidence
phishing messages).
Anti-phishing policies: Spoofed senders, user impersonation protection (Defender
for Office 365), domain impersonation protection (Defender for Office 365), and
mailbox intelligence protection (Defender for Office 365).

For more information, see Find and release quarantined messages as a user.

By default, end users can't access the following types of quarantined messages where
they are a recipient:

Anti-spam policies: High confidence phishing.
Anti-malware policies
Safe Attachments (Defender for Office 365): Email messages from Safe
Attachments policies and files from Safe Attachments for SharePoint, OneDrive,
and Microsoft Teams.
Mail flow rules (transport rules): Messages that were quarantined because of the
Deliver the message to the hosted quarantine action in mail flow rules.

For more information, see Manage quarantined messages and files as an admin.

How long are messages kept in the quarantine?

It depends why the message was quarantined. For more information, see Quarantined
messages in EOP and Defender for Office 365.

Can I release or report more than one quarantined message at a time?

In the Microsoft 365 Defender portal, you can select and release up to 100 messages at
a time.

Admins can use the Get-QuarantineMessage and Release-QuarantineMessage cmdlets
in Exchange Online PowerShell or standalone EOP PowerShell to find and release
quarantined messages in bulk, and to report false positives in bulk.

Are wildcards supported when searching for quarantined messages? Can I search for
quarantined messages for a specific domain?

Wildcards aren't supported in the Microsoft 365 Defender portal. For example, when
searching for a sender, you need to specify the full email address. But, you can use
wildcards in Exchange Online PowerShell or standalone EOP PowerShell.

For example, copy the following PowerShell code into NotePad and save the file as .ps1
in a location that's easy for you to find (for example, C:\Data\QuarantineRelease.ps1).

Then, after you connect to Exchange Online PowerShell or Exchange Online Protection
PowerShell, run the following command to run the script:

PowerShell
& C:\Data\QuarantineRelease.ps1

The script does the following actions:

Find unreleased messages that were quarantined as spam from all senders in the
fabrikam domain. The maximum number of results is 50,000 (50 pages of 1000
results).
Save the results to a CSV file.
Release the matching quarantined messages to all original recipients.

PowerShell

$Page = 1
$List = $null

Do
{
    Write-Host "Getting Page " $Page

    # Keep only unreleased spam verdicts whose sender address ends in fabrikam.com.
    # Note that "*fabrikam.com" also matches subdomains and any other domain that
    # happens to end in "fabrikam.com"; tighten the pattern if that is not wanted.
    $List = (Get-QuarantineMessage -Type Spam -PageSize 1000 -Page $Page | where {$_.Released -eq $false -and $_.SenderAddress -like "*fabrikam.com"})

    Write-Host " " $List.count " rows in this page match"

    Write-Host "  Exporting list to appended CSV for logging"
    $List | Export-Csv -Path "C:\Data\Quarantined Message Matches.csv" -Append -NoTypeInformation

    Write-Host "Releasing page " $Page
    $List | foreach {Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll}

    $Page = $Page + 1
} Until ($Page -gt 50)   # pages 1 through 50: up to 50,000 messages, as described above

After you release a message, you can't release it again.

Use the delist portal to remove yourself from the blocked senders list and
address 5.7.511 Access denied errors
Article • 12/10/2022 • 3 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Are you getting an error message when you try to send an email to a recipient whose
email address is in Microsoft 365 (for example, 5.7.511 Access denied)? If
you think you should not be receiving the error message, you can use the delist portal
to remove yourself from the blocked senders list.

What is the blocked senders list?

Microsoft uses the blocked senders list to protect its customers from spam, spoofing,
and phishing attacks. Your mail server's IP address, that is, the address your mail server
uses to identify itself on the Internet, was tagged as a potential threat to Microsoft 365
for one of a variety of reasons. When Microsoft 365 adds the IP address to the list, it
prevents all further communication between the IP address and any of our customers
through our datacenters.

You will know you have been added to the list when you receive a response to a mail
message that includes an error that looks something like this:

550 5.7.606-649 Access denied, banned sending IP [IP address] (ex. 5.7.511 Access
denied): To request removal from this list please visit https://sender.office.com/
and follow the directions. For more information see Email non-delivery reports in
Exchange Online.

where IP address is the IP address of the computer on which the mail server runs.

Verify senders before removing them from the blocked senders list
There are good reasons for senders to wind up on the blocked senders list, but mistakes
can happen. Take a look at this video for a balanced explanation of blocked senders and
delisting.


To use the delist portal to remove yourself from the blocked senders list (after errors
like 5.7.511 Access denied)
1. In a web browser, go to https://sender.office.com .

2. Follow the instructions on the page. Ensure that you use the email address to
which the error message was sent, and the IP address that is specified in the error
message. You can only enter one email address and one IP address per visit.

3. Click Submit.

The portal sends an email to the email address that you supply. The email will look
something like the following:

4. Click the confirmation link in the email sent to you by the delisting portal.

This brings you back to the delist portal.

5. In the delist portal, click Delist IP.

After the IP address is removed from the blocked senders list, email messages from
that IP address will be delivered to recipients who use Microsoft 365. So, make sure
you're confident that email sent from that IP address won't be abusive or
malicious; otherwise, the IP address might be blocked again.

Note

It may take up to 24 hours before restrictions are removed, and results can vary
widely.

See Create safe sender lists in EOP and Outbound spam protection in EOP to prevent an
IP from being blocked.

How to fix error code 5.7.511

When there's a problem delivering an email message that you sent, Microsoft 365 or
Office 365 sends an email to let you know. The email you receive is a delivery status
notification, also known as a DSN or bounce message. The most common type is called
a non-delivery report (NDR), and it tells you that a message wasn't delivered. In certain
situations, Microsoft must conduct additional investigations against traffic from your IP,
and if you're receiving the NDR code 5.7.511, you will not be able to use the delist
portal.

550 5.7.511 Access denied, banned sender[xxx.xxx.xxx.xxx]. To request removal from
this list, forward this message to delist@messaging.microsoft.com. For more
information, go to https://go.microsoft.com/fwlink/?LinkId=526653 .

In the email to request removal from this list, provide the full NDR code and IP address.
Microsoft will contact you within 48 hours with the next steps.

More information
The delisting form for Outlook.com, the consumer service, can be found here. Be sure
to read the FAQ first for submission direction.

Welcome to the Microsoft Defender for Office 365 step-by-step guides
Article • 09/29/2022 • 2 minutes to read

Microsoft Defender for Office 365 is a powerful product with a lot of capabilities. Along
with that comes a lot of documentation and detail. But sometimes you have to get a
task completed quickly. That's when you need a step-by-step guide.

These step-by-step guides help administrators configure and use Microsoft Defender for
Office 365 by leaving out distracting information, such as how a feature works internally
and other details not directly linked to completing a process. The guides focus on the
specific steps and clicks needed to do a thing, and reduce the time admins need to test a
feature and secure an organization.

If you learn Microsoft products best by doing, the step-by-step guides will jumpstart
configuration and testing. They are as useful for set up in a trial subscription as they are
in production.

Why use Microsoft Defender for Office 365 step-by-step guides

Important

Admins need to be on top of prevention, detection, investigation and hunting,
response and remediation, and user training to position their organization securely.
The step-by-step guides touch on all of these areas so that admins can set up trials,
launch quickly into production, and configure in minutes.

Beyond links to the documentation, the step-by-step guides don't concern themselves
with product details (the docs around Microsoft Defender for Office 365 are thorough
for when you need them).
Instead, these guides are streamlined for learning by doing, testing, and running
experiments. They're ideal for trial subscriptions, and will allow admins and security
operators to deploy the same logic in production.

Examples
If you've just got Microsoft Defender for Office 365 and you want to get protected
as quickly as possible, use Preset security policies.

Take advantage of additional protections designed for members of your C-suite.

How do you set up or automate a new simulation quickly and easily?

Connect Microsoft Defender for Office 365 to Sentinel.

Documentation in this format can be found under the step-by-step section in Office 365
Security. Visit the docs by using aka.ms/step-by-step.

If there's a topic, task or config you'd like to see in this format, please let us know by
leaving feedback. Thank you!
Getting the best security value from Microsoft Defender for Office 365 when
you have third party email filtering
Article • 12/21/2022 • 5 minutes to read

This guide is for you if:

You're licensed for Microsoft Defender for Office 365 and host your mailboxes in
Office 365
You're also using a third party for your email security

The information below details how to get the most out of your investment, broken
down into easy-to-follow steps.

What you will need

Mailboxes hosted in Office 365
One or more of:
Microsoft Defender for Office 365 Plan 1 for protection features
Microsoft Defender for Office 365 Plan 2 for most other features (included in E5
plans)
Microsoft Defender for Office 365 Trial (available to all customers at
aka.ms/tryMDO)
Sufficient permissions to configure the features discussed below

Step 1 – Understand the value you already have

Protection features
Built-in protection offers a base level of unobtrusive protection, and includes
malware, zero day (Safe Attachments), and URL protection (Safe Links) in email
(including internal email), SharePoint Online, OneDrive, and Teams. Note that URL
protection provided in this state is via API call only. It doesn't wrap or rewrite URLs
but does require a supported Outlook client. You can create your own custom
policies to expand your protection.

Read more and watch an overview video of Safe Links here: Complete Safe Links
overview
Read more about Safe Attachments here: Safe Attachments

Detection, investigation, response and hunting features

When alerts fire in Microsoft Defender for Office 365, they're automatically
correlated and combined into Incidents to help reduce the alert fatigue on security
staff. Automated Investigation and Response (AIR) will trigger investigations to
help remediate and contain threats.

Read more, watch an overview video and get started here: Incident response with
Microsoft 365 Defender

Threat Analytics is our in-product detailed threat intelligence solution from expert
Microsoft security researchers: detailed reports designed to get you up to speed
on the latest threat groups, attack techniques, how to protect your organization
with Indicators of Compromise (IOC) and much more.

Read more, watch an overview video and get started here: Threat analytics in
Microsoft 365 Defender

Explorer can be used to hunt threats, visualize mail flow patterns, spot trends, and
identify the impact of changes you make during tuning Defender for Office 365.
You can also quickly delete messages from your organization with a few simple
clicks.

Read more, and get started here: Threat Explorer and Real-time detections

Step 2 – Enhance the value further with these simple steps

Protection features
Consider enabling policies beyond the built-in protection: enabling time-of-click
protection or impersonation protection, for example, adds extra layers or fills
gaps missing from your third party protection. Be aware that if you have a
transport rule or connection filter that is overriding verdicts (also known as
SCL-1), you'll need to address this before turning on other protection features.

Read more here: Anti-phishing policies

If your current security provider is configured to modify messages in any way, it's
important to note that authentication signals can impact the ability of Defender
for Office 365 to protect you against attacks such as spoofing. If your third party
supports Authenticated Received Chain (ARC), then enabling this is a highly
recommended step in your journey to advanced dual filtering. Moving any
message modification configuration to Defender for Office 365 is also an
alternative.

Read more here: Use Trusted ARC senders for legitimate devices and services between
the sender and receiver

Enhanced Filtering for connectors allows IP address and sender information to be
preserved through the third party. This improves the accuracy of the filtering
(protection) stack, post-breach capabilities, and authentication.

Read more here: Enhanced filtering for connectors in Exchange Online

Priority account protection offers enhanced visibility for those accounts in tooling,
along with additional protection when in an advanced defense-in-depth
configuration state.

Read more here: Priority account protection

Advanced Delivery should be configured to deliver any third party phish
simulations correctly, and if you have a Security Operations mailbox, consider
defining it as a SecOps mailbox to ensure emails do not get removed from the
mailbox due to threats.

Read more here: Advanced delivery

You can configure user reported message settings to allow users to report good or
bad messages to Microsoft, to a designated reporting mailbox (to integrate with
current security workflows) or both. Admins can use the User reported tab on the
Submissions page to triage false positives and false negative user reported
messages.

Read more here: Deploy and configure the report message add-in to users

Detection, investigation, response, and hunting features

Advanced hunting can be used to proactively hunt for threats in your organization,
using shared queries from the community to help you get started. You can also use
custom detections to set up alerts when personalized criteria are met.

Read more, watch an overview video and get started here: Overview - Advanced
hunting

Education features
Attack simulation training allows you to run realistic but benign cyber-attack
scenarios in your organization. If you don't already have phishing simulation
capabilities from your primary email security provider, Microsoft's simulated
attacks can help you identify and find vulnerable users, policies, and practices. This
is important knowledge to have and correct before a real attack impacts your
organization. Post simulation we assign in-product or custom training to educate
users about the threats they missed, ultimately reducing your organization's risk
profile. With Attack simulation training we deliver messages directly into the inbox,
so the user experience is rich. This also means no security changes such as
overrides are needed to get simulations delivered correctly.

Get started here: Get started using Attack simulation

Jump right into delivering a simulation here: How to setup automated attacks and
training within Attack simulation training

Step 3 and beyond, becoming a dual use hero

Many of the detection, investigation, response, and hunting activities described
above should be repeated by your security teams. This guidance offers a detailed
description of tasks, cadence, and team assignments we would recommend.

Read More: Security Operations Guide for Defender for Office 365

Consider user experiences such as accessing multiple quarantines, or the
submission / reporting of false positives and false negatives. You can mark
messages which are detected by the third party service with a custom X-header, for
example, to allow Defender for Office 365 to detect and quarantine them via
transport rules, which would also give users a single place to access quarantined
mail.

Read More: How to configure quarantine permissions and policies
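As an added example (not part of the guide), here is the X-header approach just described, expressed as a mail flow rule created in Exchange Online PowerShell. The header name X-ThirdPartyFilter-Verdict and the value Spam are constructed placeholders; substitute whatever your provider actually stamps.

```powershell
# Added example, not from the original guide. Assumes an Exchange Online
# PowerShell session with permission to manage mail flow rules.
# The header name and value below are constructed placeholders: use the header
# your third-party filter really inserts on messages it has judged as spam.
$HeaderName  = 'X-ThirdPartyFilter-Verdict'
$HeaderValue = 'Spam'
$RuleName    = 'Quarantine third-party spam verdicts'

# Header match -> "Deliver the message to the hosted quarantine" action.
# Messages quarantined by a mail flow rule use the AdminOnlyAccessPolicy by
# default (see the quarantine FAQ), so admins decide their fate unless you
# apply a different quarantine policy.
New-TransportRule -Name $RuleName `
    -HeaderContainsMessageHeader $HeaderName `
    -HeaderContainsWords $HeaderValue `
    -Quarantine $true `
    -Comments 'Honour the upstream filter verdict in the Microsoft 365 quarantine' `
    -Mode Enforce

# Verify that the rule exists, is enabled, and carries the expected condition/action.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, HeaderContainsMessageHeader, HeaderContainsWords, Quarantine
```

Running the rule in `-Mode Audit` first lets you watch the message trace for matches before any mail is actually quarantined.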

The Migration guide contains lots of useful guidance on preparing and tuning your
environment to ready it for a migration. But many of the steps are also applicable
to a dual-use scenario. Simply ignore the MX switch guidance in the final steps.
Read it here: Migrate from a third-party protection service to Microsoft Defender for
Office 365 - Office 365 | Microsoft Docs

More information
Migrate from a third-party protection service to Microsoft Defender for Office 365

Security Operations Guide for Defender for Office 365

Get more out of Microsoft Defender for Office 365 with Microsoft 365 Defender
How to configure quarantine permissions and policies
Article • 12/22/2022 • 2 minutes to read

Providing security admins and users with a very simple way to manage false positive
folders is vital, given the increased demand for a more aggressive security posture with
the evolution of hybrid work. Taking a prescriptive approach, admins and users can
achieve this with the guidance below.

Tip

For a short video aimed at admins trying to set quarantine permissions and
policies, see this link. If you are an end user, opt for this 1-minute overview of
the process.

What you will need

Sufficient permissions (Security Administrator role)
5 minutes to perform the steps below.

Creating custom quarantine policies with Request release flow
Our custom policies give admins the ability to decide what items their users can triage in
the false positive folder, with the extended ability of allowing the user to request the
release of those items from the folder.

1. Decide which verdict categories (bulk, spam, phish, high confidence phish, or
malware) of items you want your users to triage and not triage.
2. For the categories that you don't want users to triage, assign the items to
the AdminOnlyPolicy. For the categories you want users to triage with limited
access, create a custom policy with request release access and assign it to
that category.
3. It's strongly recommended that malware and high confidence phish items be
assigned to AdminOnlyPolicy, regular confidence phish items be assigned limited
access with request release, while bulk and spam can be left as full access for users.

Important

For more information on how granular custom policies can be created, see
Quarantine policies - Office 365 | Microsoft Docs.

Assigning quarantine policies and enabling notification with organization branding
Once the categories of items users can and can't triage have been decided and the
corresponding quarantine policies created, admins should assign these policies to
the respective users and enable notifications.

1. Identify the users, groups, or domains that you would like to include in the full
access category vs. the limited access category, versus the Admin-Only category.
2. Sign in to the Microsoft Security portal .
3. Select Email & collaboration > Policies & rules.
4. Select Threat policies.
5. Select each of the following: Anti-spam policies, Anti-phishing policy, Anti-
Malware policy.
6. Select Create policy and choose Inbound.
7. Add policy Name, users, groups, or domains to apply the policy to, and Next.
8. In the Actions tab, select Quarantine message for the categories. An additional
Select quarantine policy panel appears; use that dropdown to select the
quarantine policy you created earlier.
9. Move on to the Review section and click the Confirm button to create the new
policy.
10. Repeat these same steps for the other policies: Anti-phishing policy, Anti-Malware
policy, and Safe Attachment policy.
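The same outcome as the two procedures above, done in Exchange Online PowerShell, as an added example that is not part of the guide. It assumes a connected session with the Security Administrator role; the policy name LimitedAccessRequestRelease, the filter policy name Executives Inbound and the recipient addresses are constructed placeholders, while AdminOnlyAccessPolicy and DefaultFullAccessPolicy are the built-in policies the documentation names.

```powershell
# Added example, not from the original guide. Assumes an Exchange Online
# PowerShell session with the Security Administrator role.
# Constructed placeholders: 'LimitedAccessRequestRelease', 'Executives Inbound',
# and the two recipient addresses.
$Targets = 'ceo@contoso.com', 'cfo@contoso.com'   # constructed recipients

# 1. Limited-access permission set: users may block, delete and preview, and may
#    request release (PermissionToRequestRelease) but not release themselves.
$Limited = New-QuarantinePermissions `
    -PermissionToBlockSender $true `
    -PermissionToDelete $true `
    -PermissionToPreview $true `
    -PermissionToRelease $false `
    -PermissionToRequestRelease $true

# The custom quarantine policy carries those permissions and turns on quarantine
# notifications (ESN) so users learn that something is waiting for their request.
New-QuarantinePolicy -Name 'LimitedAccessRequestRelease' `
    -EndUserQuarantinePermissions $Limited `
    -ESNEnabled $true

# 2. Anti-spam policy: bulk and spam stay full access, regular phish gets the
#    limited policy, high confidence phish stays admin only, per the guide's advice.
New-HostedContentFilterPolicy -Name 'Executives Inbound' `
    -SpamAction Quarantine                -SpamQuarantineTag 'DefaultFullAccessPolicy' `
    -HighConfidenceSpamAction Quarantine  -HighConfidenceSpamQuarantineTag 'DefaultFullAccessPolicy' `
    -BulkSpamAction Quarantine            -BulkQuarantineTag 'DefaultFullAccessPolicy' `
    -PhishSpamAction Quarantine           -PhishQuarantineTag 'LimitedAccessRequestRelease' `
    -HighConfidencePhishAction Quarantine -HighConfidencePhishQuarantineTag 'AdminOnlyAccessPolicy'

New-HostedContentFilterRule -Name 'Executives Inbound' `
    -HostedContentFilterPolicy 'Executives Inbound' -SentTo $Targets

# 3. Anti-phishing policy: spoof verdicts go to the limited-access quarantine.
New-AntiPhishPolicy -Name 'Executives Inbound' `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -SpoofQuarantineTag 'LimitedAccessRequestRelease'

New-AntiPhishRule -Name 'Executives Inbound' `
    -AntiPhishPolicy 'Executives Inbound' -SentTo $Targets

# 4. Malware and Safe Attachments: admin only, as recommended.
New-MalwareFilterPolicy -Name 'Executives Inbound' -QuarantineTag 'AdminOnlyAccessPolicy'
New-MalwareFilterRule -Name 'Executives Inbound' `
    -MalwareFilterPolicy 'Executives Inbound' -SentTo $Targets

New-SafeAttachmentPolicy -Name 'Executives Inbound' -Enable $true -Action Block `
    -QuarantineTag 'AdminOnlyAccessPolicy'
New-SafeAttachmentRule -Name 'Executives Inbound' `
    -SafeAttachmentPolicy 'Executives Inbound' -SentTo $Targets

# 5. Confirm which quarantine policy each anti-spam verdict now uses.
Get-HostedContentFilterPolicy -Identity 'Executives Inbound' | Format-List *QuarantineTag
```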

Tip

For more detailed information on what you've learned so far, see Configure spam
filter policies - Office 365 | Microsoft Docs | Configure anti-phishing policies in
EOP - Office 365 | Microsoft Docs | Configure anti-malware policies - Office 365 |
Microsoft Docs | Set up Safe Attachments policies in Microsoft Defender for
Office 365 - Office 365 | Microsoft Docs

Next Steps
Use the Global settings available in quarantine policies to enable your organization's
branding logo, display name, and disclaimer.
Also set the user notification frequency to 1 day for quarantine notifications.

More information
Learn more about organization branding and notification settings here: Quarantine
policies - Office 365 | Microsoft Docs
Set up steps for the Standard or Strict preset security policies in Microsoft Defender for Office 365
Article • 09/29/2022 • 3 minutes to read

Does Microsoft Defender for Office 365 give you a way to apply security policies that it would then maintain?

Did you know that when a best practice for a security control changes due to the
evolving threat landscape, or as new controls are added, Microsoft automatically
updates security control settings for users assigned to a Standard or Strict preset
security policy?

By using preset security policies (Standard or Strict), you will always have Microsoft's recommended best-practice configuration for your users.

Use the steps below to apply preset security policies and have Microsoft Defender for
Office 365 manage and maintain security controls for you.

What you will need

Microsoft Defender for Office 365 Plan 1 or higher (included in E5)
Sufficient permissions (Security Administrator role)
5 minutes to perform the steps below.

Choose between Standard and Strict policies

Our Strict preset security policy has more aggressive limits and settings for security controls. This results in more aggressive detections and involves the admin in deciding which blocked emails are released to end users.

Collect the list of your users that require more aggressive detections even if it means more good mail will get flagged as suspicious. These are typically your executive staff, executive support staff, and historically highly targeted users.

Ensure that the selected users have admin coverage to review and release emails if the end user thinks that the mail might be good and requests that the message be released to them.

If the criteria above are met, the user should be placed in the Strict preset security policy. Otherwise the user should be placed in the Standard preset security policy.

Tip

For information on what the Standard and Strict security policies are, see this article.

Enable Security Presets in Microsoft Defender for Office 365

Once you've chosen between the Standard and Strict security preset policies for your users, it takes a few further steps to assign users to each preset.

1. Identify the users, groups, or domains you would like to include in the Standard and Strict security presets.
2. Log in to the Microsoft Security portal at https://security.microsoft.com.
3. On the left nav, under Email & collaboration, select Policies & rules.
4. Select Threat policies.
5. Select Preset Security Policies underneath the Templated policies heading.
6. Select Manage underneath the Standard protection preset.
7. Select All Recipients to apply Exchange Online Protection tenant wide, or select Specific recipients to manually add the users, groups, or domains you want to apply the protection policy to. Click the Next button.
8. Select All Recipients to apply Defender for Office 365 protection tenant wide, or select Specific recipients to manually add the users, groups, or domains you want to apply the protection policy to. Click the Next button.
9. In the Impersonation Protection section, add the email addresses and domains to protect from impersonation attacks, then add any trusted senders and domains you do not want the impersonation protection to apply to, then press Next.
10. Click on the Confirm button.
11. Select the Manage link in the Strict protection preset.
12. Repeat steps 7-10, but for the users strict protection should be applied to (if applicable).
13. Click on the Confirm button.

Tip

To learn more about preset policies, click here.


Your next step is Configuration analyzer

Use Configuration analyzer to determine whether your users are configured per Microsoft's best practices.

Tip

Configuration analyzer allows admins to find and fix security policies where the settings are below the Standard or Strict protection profile settings in preset security policies. Find out more about Configuration analyzer here.

Preset security policies are always recommended because they ensure admins are applying Microsoft best practices. However, in some cases customized configurations are required. Learn about custom policies here.
Reduce the attack surface for Microsoft Teams
Article • 01/19/2023 • 5 minutes to read

Microsoft Teams is a widely used collaboration tool, where many users are now
spending their time. Attackers know this and are pivoting. Below are a set of steps you
can perform to reduce the attack surface in Teams and help keep your organization
more secure.

Important

There is a balance to strike between security and productivity, and not all these
steps may be relevant for your organizational risk profile.

What you'll need

Microsoft Teams
Microsoft Defender for Office 365 Plan 1 (for some features)
Sufficient permissions (Teams administrator / security administrator)
5-10 minutes to perform the steps below.

Note

Not all these options will be available for government specific clouds such as
Microsoft 365 GCC.

Turn on Microsoft Defender for Office 365 in Teams

If licensed for Microsoft Defender for Office 365 (a free 90-day evaluation is available at aka.ms/trymdo), you can ensure seamless protection from zero-day malware and time-of-click protection within Microsoft Teams.

Learn More (Safe Links) & Learn More (Safe Attachments) (Detailed Documentation)

1. Log in to the security center's Safe Attachments configuration page at https://security.microsoft.com/safeattachmentv2.
2. Press Global settings.
3. Ensure Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams is set to on.
4. Navigate to the security center's Safe Links configuration page at https://security.microsoft.com/safelinksv2.
5. If you have multiple policies, you will need to complete this step for each policy (excluding the built-in, Standard, and Strict preset policies).
6. Select a policy; a flyout will appear on the left-hand side.
7. Press Edit protection settings.
8. Ensure Safe Links checks a list of known, malicious links when users click links in Microsoft Teams is checked.
9. Press Save.

Restricting channel email messages to approved domains

An attacker could email channels directly if they discover the channel email address. The best practice is to have this set up only for known trusted domains rather than open to all (the default).

1. Log in to the Teams admin center at https://admin.teams.microsoft.com/.
2. On the left-hand navigation, expand Teams and then choose Teams settings.
3. Under the Email integration heading, choose to allow or disallow users to send emails to a channel email address by toggling Users can send emails to a channel email address.
4. If you have allowed users to send emails to a channel email address in the previous step, enter the specific domains you wish to accept mail from in the Accept channel email from these SMTP domains box (for example, an alert provider or a trusted supplier).
5. Press Save at the bottom of the page.

Managing third-party storage options

Users can store their files in potentially unsupported third-party storage providers. If you do not use these providers, you can disable this setting to reduce data leakage risk.

1. Log in to the Teams admin center at https://admin.teams.microsoft.com/.
2. On the left-hand navigation, expand Teams and then choose Teams settings.
3. Under the Files heading, choose which storage providers you want to be available for use within the Files tab.
4. Press Save at the bottom of the page.

Disabling third-party & custom apps

Applications are a very useful part of Microsoft Teams, but it is recommended to maintain a list of allowed apps rather than allowing all apps by default.

1. Log in to the Teams admin center at https://admin.teams.microsoft.com/.
2. On the left-hand navigation, expand Teams apps and then choose Permission Policies.
3. If you have custom permission policies, you will need to do these steps for each of them if appropriate; otherwise select Global (Org-wide default).
4. Select the appropriate settings for your organization. A recommended starting point is:

Microsoft apps – set to Allow all apps (default).
Third-party apps – set to Allow specific apps and block all others (if you already have third-party apps to select for allowing); otherwise select Block all apps.
Custom apps – set to Allow specific apps and block all others (if you already have custom apps to select for allowing); otherwise select Block all apps.

5. Press Save.
6. You'll need to change this setting for each policy (if you have multiple).

Configure meeting settings

You can reduce the attack surface by ensuring that people outside your organization cannot request control of presenters' screens, and by requiring dial-in users and all external participants to be authenticated and admitted from a meeting lobby.
Learn more (detailed documentation).

1. Log in to the Teams admin center at https://admin.teams.microsoft.com/.
2. On the left-hand navigation, expand Meetings and then choose Meeting Policies.
3. If you have assigned any custom or built-in policies to users, you will need to do these steps for each of them if appropriate; otherwise select Global (Org-wide default).
4. Under the Content sharing heading, ensure External participants can give or request control is set to off.
5. Under the Participants & guests heading, ensure Automatically admit people is set to Invited users only.
6. Ensure Dial-in users can bypass the lobby is set to off.
7. Ensure Let anonymous people join a meeting is set to off.
8. Set Chat in meetings to "Turn it on for everyone but anonymous users".
9. Press Save.
10. You'll need to change this setting for each policy.

Configure meeting settings (Restrict presenters)

You can reduce the risk of unwanted or inappropriate content being shared during meetings by restricting who can present to Organizers (by default, everyone is allowed to present).

1. Log in to the Teams admin center at https://admin.teams.microsoft.com/.
2. On the left-hand navigation, expand Meetings and then choose Meeting Policies.
3. If you have assigned any custom or built-in policies to users, you will need to do these steps for each of them if appropriate; otherwise select Global (Org-wide default).
4. Under the Participants & guests heading, set Who can present in meetings to Organizers, but users can override.
5. Press Save.
6. You'll need to change this setting for each policy.
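Both meeting-settings procedures above have to be repeated for every meeting policy, which is easy to get wrong by hand. The script below is an added example, not code from the article or from Microsoft: it audits every Teams meeting policy against the values the two procedures describe and, with -Apply, sets the ones that drift. It assumes the MicrosoftTeams PowerShell module, and the parameter names and values are assumed to correspond to the portal settings as exposed by Set-CsTeamsMeetingPolicy; verify them with Get-Help before applying, and expect read-only built-in policies to be reported rather than changed.

```powershell
# Added example (not from the article): audit every Teams meeting policy against the
# hardened values from the two procedures above and, with -Apply, fix the ones that drift.
# Requires the MicrosoftTeams module; run Connect-MicrosoftTeams first.
# Parameter names and values are assumed to match Set-CsTeamsMeetingPolicy; confirm
# them with: Get-Help Set-CsTeamsMeetingPolicy -Full

$Desired = @{
    AllowExternalParticipantGiveRequestControl = $false                      # external people cannot take control
    AutoAdmittedUsers                          = 'InvitedUsers'              # everyone else waits in the lobby
    AllowPSTNUsersToBypassLobby                = $false                      # dial-in users wait too
    AllowAnonymousUsersToJoinMeeting           = $false                      # no anonymous join
    MeetingChatEnabledType                     = 'EnabledExceptAnonymous'    # chat on for everyone but anonymous
    DesignatedPresenterRoleMode                = 'OrganizerOnlyUserOverride' # organizers present, users can override
}

function Test-TeamsMeetingPolicyHardening {
    [CmdletBinding()]
    param([switch]$Apply)

    foreach ($policy in Get-CsTeamsMeetingPolicy) {
        # Collect every setting whose current value differs from the hardened value.
        $drift = @{}
        foreach ($setting in $Desired.Keys) {
            if ("$($policy.$setting)" -ne "$($Desired[$setting])") {
                $drift[$setting] = $policy.$setting
            }
        }

        $applied = $false
        if ($Apply -and $drift.Count -gt 0) {
            $params = @{ Identity = $policy.Identity }
            foreach ($k in $Desired.Keys) { $params[$k] = $Desired[$k] }
            try {
                Set-CsTeamsMeetingPolicy @params -ErrorAction Stop
                $applied = $true
            } catch {
                # Built-in policies are read-only; report them instead of failing the run.
                Write-Warning "Could not update '$($policy.Identity)': $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Policy    = $policy.Identity
            Compliant = ($drift.Count -eq 0)
            Drift     = ($drift.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
            Applied   = $applied
        }
    }
}

# Report only:
Test-TeamsMeetingPolicyHardening | Format-Table -AutoSize
# Enforce on Global and custom policies:
# Test-TeamsMeetingPolicyHardening -Apply | Format-Table -AutoSize
```

Run the report form first and keep its output: a policy that is compliant today can drift when someone edits it in the admin center, and the same script run on a schedule turns the one-off procedure into a check.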

Disable open federation

Open federation allows your users to communicate externally in Microsoft Teams, letting external organizations start a conversation with your users and vice versa. This is useful for collaboration, but it also lets attackers communicate directly with your organization if they know a victim's email address.
Learn more (detailed documentation)

1. Log in to the Teams admin center at https://admin.teams.microsoft.com/.
2. On the left-hand navigation, expand Users and then choose External access.
3. Under the Teams and Skype for Business users in external organizations heading, select the Choose which external domains your users have access to dropdown and set it to Allow only specific external domains.
4. Enter any external domains users should be able to communicate with by pressing Allow domains, using the flyout, and pressing Done when finished.
5. Press Save.
Learn More
Consider configuring access policies to implement Zero Trust identity and device access
policies to protect Microsoft Teams chats, groups, and content such as files and
calendars.

Learn more about teams access policies: Recommended Teams policies - Microsoft 365
for enterprise - Office 365 | Microsoft Docs

Security in Microsoft Teams: Overview of security and compliance - Microsoft Teams | Microsoft Docs
Connect Microsoft Defender for Office 365 to Microsoft Sentinel
Article • 09/29/2022 • 2 minutes to read

You can ingest your Microsoft Defender for Office 365 data (and data from the rest of
the Microsoft 365 Defender suite), including incidents, into Microsoft Sentinel.

Take advantage of rich security information and event management (SIEM) combined with data from other Microsoft 365 sources, synchronization of incidents and alerts, and advanced hunting.

Important

The Microsoft 365 Defender connector is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

What you will need


Microsoft Defender for Office 365 Plan 2 or higher. (Included in E5 plans)
Microsoft Sentinel Quickstart guide.
Sufficient permissions (Security Administrator in M365 & Read / Write permissions
in Sentinel).

Add the Microsoft 365 Defender Connector

1. Log in to the Azure Portal and navigate to Microsoft Sentinel, then pick the relevant workspace to integrate with Microsoft 365 Defender.
a. On the left-hand navigation menu, underneath the Configuration heading, choose Data connectors.
2. When the page loads, search for Microsoft 365 Defender and select the Microsoft 365 Defender (preview) connector.
3. On the right-hand flyout, select Open Connector Page.
4. Under the Configuration section of the page that loads, select Connect incidents & alerts, leaving Turn off all Microsoft incident creation rules for these products ticked.
5. Scroll to Microsoft Defender for Office 365 in the Connect events section of the page. Select EmailEvents, EmailUrlInfo, EmailAttachmentInfo, and EmailPostDeliveryEvents, then Apply Changes at the bottom of the page. (Choose tables from other Defender products during this step if helpful and applicable.)

Next Steps
Admins will now be able to see incidents, alerts, and raw data in Microsoft Sentinel and
use this data for advanced hunting, pivoting on existing and new data from Microsoft
Defender.

More Information
Connect Microsoft 365 Defender data to Microsoft Sentinel | Microsoft Docs

Connect Microsoft Teams to Microsoft Sentinel


How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains
Article • 12/22/2022 • 2 minutes to read

Best practice for domain email security protection is to protect yourself from spoofing
using Domain-based Message Authentication, Reporting, and Conformance (DMARC). If
you haven't already enabled DMARC for your domains, that should be the first step,
detailed here: Domain-based Message Authentication, Reporting, and Conformance
(DMARC)

This guide is designed to help you configure DMARC for domains not covered by the
main DMARC article. These domains include domains that you're not using for email,
but could be leveraged by attackers if they remain unprotected:

Your onmicrosoft.com domain, also known as the Microsoft Online Email Routing
Address (MOERA) domain.
Parked custom domains that you're currently not using for email yet.

What you'll need


Microsoft 365 admin center and access to your DNS provider hosting your
domains.
Sufficient permissions as Global Admin to make the appropriate changes in the
Microsoft 365 admin center.
10 minutes to complete the steps in this article.

Activate DMARC for MOERA Domain


1. Open the Microsoft 365 admin center at https://admin.microsoft.com .
2. On the left-hand navigation, select Show All.
3. Expand Settings and press Domains.
4. Select your tenant domain (for example, contoso.onmicrosoft.com).
5. On the page that loads, select DNS records.
6. Select + Add record.
7. A flyout will appear on the right. Ensure that the selected Type is TXT (Text).
8. Add _dmarc as TXT name.
9. Add your specific DMARC value.
10. Press Save.

Activate DMARC for parked domains

1. Check if SPF is already configured for your parked domain. For instructions, see Set up SPF to help prevent spoofing - Office 365 | Microsoft Docs.
2. Contact your DNS domain provider.
3. Ask them to add this DMARC TXT record with your appropriate email addresses:
v=DMARC1; p=reject; rua=mailto:d@rua.contoso.com;ruf=mailto:d@ruf.contoso.com

Next Steps
Wait until the DNS changes have propagated and try to spoof the configured domains. Check that the attempt is blocked based on the DMARC record and that you receive a DMARC report.
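To confirm the records from the two procedures above after DNS propagation, the following added example (not part of the article) parses a DMARC TXT value and looks up the DMARC and SPF records of each domain. It assumes Windows PowerShell with the DnsClient module for Resolve-DnsName; the domain names in the usage line are hypothetical, and the rua/ruf addresses are the article's own placeholders. The SPF check expects the standard deny-all record for a domain that never sends mail, which is general guidance rather than something the article states.

```powershell
# Added example (not from the article): verify that the MOERA and parked domains
# publish an enforcing DMARC record with reporting and a deny-all SPF record.
# Resolve-DnsName comes with the DnsClient module on Windows; Test-DmarcRecordValue
# is pure parsing and runs anywhere.

function Test-DmarcRecordValue {
    # Parse a DMARC TXT value into tags and report whether it enforces p=reject with reporting.
    param([Parameter(Mandatory)][string]$Record)

    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    [pscustomobject]@{
        IsDmarc          = ($tags['v'] -eq 'DMARC1')
        Policy           = $tags['p']
        Enforcing        = ($tags['p'] -eq 'reject')
        AggregateReports = [bool]$tags['rua']   # rua=mailto:... receives the aggregate (XML) reports
        ForensicReports  = [bool]$tags['ruf']
    }
}

function Get-DomainAuthStatus {
    # Look up the _dmarc and SPF TXT records for each domain and summarise the result.
    param([Parameter(Mandatory)][string[]]$Domain)

    foreach ($d in $Domain) {
        # Resolve-DnsName throws on NXDOMAIN; treat that as "no record".
        $dmarcTxt = $null; $spfTxt = $null
        try {
            $dmarcTxt = @(Resolve-DnsName -Name "_dmarc.$d" -Type TXT -ErrorAction Stop |
                Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }) -match '^v=DMARC1' |
                Select-Object -First 1
        } catch { }
        try {
            $spfTxt = @(Resolve-DnsName -Name $d -Type TXT -ErrorAction Stop |
                Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }) -match '^v=spf1' |
                Select-Object -First 1
        } catch { }

        $dmarc = if ($dmarcTxt) { Test-DmarcRecordValue $dmarcTxt } else { $null }
        [pscustomobject]@{
            Domain       = $d
            DmarcPresent = [bool]$dmarcTxt
            DmarcReject  = [bool]($dmarc -and $dmarc.Enforcing)
            DmarcReports = [bool]($dmarc -and $dmarc.AggregateReports)
            # A parked domain that never sends mail should publish "v=spf1 -all" so that
            # every sender fails SPF (standard guidance, not specific to this article).
            SpfDenyAll   = (($spfTxt -replace '\s+', ' ') -eq 'v=spf1 -all')
        }
    }
}

# Offline check of the record value suggested above (the addresses are the article's placeholders).
Test-DmarcRecordValue 'v=DMARC1; p=reject; rua=mailto:d@rua.contoso.com;ruf=mailto:d@ruf.contoso.com'

# Live check against hypothetical domain names; run once DNS has propagated.
# Get-DomainAuthStatus -Domain 'contoso.onmicrosoft.com', 'parked.contoso.com' | Format-Table -AutoSize
```

A domain that shows DmarcPresent but not DmarcReject is still only monitoring (p=none or p=quarantine), so spoofed mail from it will not be rejected by receivers; DmarcReports false means you would never learn that it was being abused.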

More Information
Set up SPF to help prevent spoofing - Office 365 | Microsoft Docs

Use DMARC to validate email, setup steps - Office 365 | Microsoft Docs
Deploy and configure the Report Message add-in to users
Article • 12/06/2022 • 2 minutes to read

The Report Message and Report Phishing add-ins for Outlook make it easy to report phishing to Microsoft and its affiliates for analysis, along with easy triage for admins in the submissions portal.

Depending on whether you are licensed for Defender for Office 365, you'll also get
added functionality such as alerting & automated investigation and response (AIR),
which will remove the burden from your security operations staff. This guide will walk
you through configuring the add-in deployment as recommended by the Microsoft
Defender for Office 365 team.

Choose which add-in to deploy

The Report Phishing add-in provides the option to report only phishing messages.
The Report Message add-in provides the option to report junk, not junk (false positive), and phishing messages.

What you'll need


Exchange Online Protection (some features require Defender for Office 365 Plan 2)
Sufficient permissions (Global admin for add-in deployment, security admin for
customization)
5-10 minutes to perform the steps below

Deploy the add-in for users

1. Log in to the Microsoft 365 admin center at https://admin.microsoft.com.
2. On the left nav, press Show All, then expand Settings and select Integrated Apps.
3. On the page that loads, press Get Apps.
4. In the page that appears, in the top right Search box, enter Report Message or Report Phishing, and then select Search.
5. Press Get it now on your chosen app within the search results (the publisher is Microsoft Corporation).
6. On the flyout that appears, select who to deploy the add-in to. If testing, you may wish to use a specific group; otherwise configure it for the entire organization. When you've made a selection, press Next.
7. Review the permissions, information, and capabilities, then press Next.
8. Press Finish deployment (it can take 12-24 hours for the add-in to appear automatically in Outlook clients).

Configure the add-in for users

1. Log in to the Microsoft Security portal at https://security.microsoft.com.
2. On the left nav, under Email & collaboration, select Policies & rules.
3. Select Threat policies.
4. Select User reported message settings underneath the Others heading.
5. Ensure Microsoft Outlook Report Message button is toggled to On.
6. Under Send the reported messages to, choose Microsoft (Recommended).
7. Ensure Let users choose if they want to report is unchecked and Always report the message is selected.
8. Press Save.

Optional steps – configure notifications

1. On the configuration page from the earlier steps, underneath User reporting experience, configure the title and body of the before and after reporting pop-ups if desired. End users will see the before reporting pop-up only if Ask me before reporting is also enabled.
2. If you wish for notifications to come from an internal organizational mailbox, select Specify Office 365 email address to use as sender and search for a valid mailbox in your organization to send the notifications from.
3. Press Customize notifications to set up the text sent to reporting users after an admin reviews a reported message using Mark & Notify; configure the Phishing, Junk, and No threats found options.
4. On the Footer tab, select the global footer to be sent with notifications, along with your organization's logo if appropriate.

Further reading
Learn more about user reported message settings: User reported message settings - Office 365 | Microsoft Docs

Enable the Report Message or Report Phishing add-in: Enable the Microsoft Report Message or Report Phishing add-ins - Office 365 | Microsoft Docs
Use Microsoft Defender for Office 365 with SharePoint Online
Article • 12/06/2022 • 2 minutes to read

Microsoft SharePoint Online is a widely used user collaboration and file storage tool. The following steps help reduce the attack surface area in SharePoint Online and help keep this collaboration tool in your organization secure. However, it's important to note that there is a balance to strike between security and productivity, and not all these steps may be relevant for your organizational risk profile. Take a look, test, and maintain that balance.

What you'll need


Microsoft Defender for Office 365 Plan 1
Sufficient permissions (SharePoint administrator/security administrator).
Microsoft SharePoint Online (part of Microsoft 365).
Five to ten minutes to perform these steps.

Turn on Microsoft Defender for Office 365 in SharePoint Online

If licensed for Microsoft Defender for Office 365 (a free 90-day evaluation is available at aka.ms/trymdo), you can ensure seamless protection from zero-day malware and time-of-click protection within Microsoft Teams.

To learn more, read Step 1: Use the Microsoft 365 Defender portal to turn on Safe
Attachments for SharePoint, OneDrive, and Microsoft Teams.

1. Sign in to the security center's Safe Attachments configuration page.
2. Select Global settings.
3. Ensure that Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams is set to on.
4. Select Save.

Stop infected file downloads from SharePoint Online

By default, users can't open, move, copy, or share malicious files that are detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. However, the Download option is still available and should be disabled.

To learn more, read Step 2: (Recommended) Use SharePoint Online PowerShell to prevent users from downloading malicious files.

1. Open and connect to SharePoint Online PowerShell.
2. Run the following command: Set-SPOTenant -DisallowInfectedFileDownload $true
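The Teams and SharePoint Online procedures above (Safe Attachments for SharePoint, OneDrive and Teams, Safe Links for Teams, and blocking infected file downloads) can be applied and verified from PowerShell in one pass. This is an added example, not code from the article; the tenant admin URL is a placeholder, the preset policy name filter is an assumption about the default policy names, and the cmdlets are those of the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules as the editor knows them.

```powershell
# Added example (not from the article): apply and verify the collaboration protections
# described in the Teams and SharePoint Online sections.
# Connect first:
#   Connect-ExchangeOnline
#   Connect-SPOService -Url https://contoso-admin.sharepoint.com   # placeholder tenant admin URL

# Names Microsoft gives the managed Safe Links policies; assumed, adjust if yours differ.
$ManagedPolicyFilter = {
    $_.Name -notlike '*Preset Security Policy*' -and $_.Name -ne 'Built-In Protection Policy'
}

# 1. Safe Attachments for SharePoint, OneDrive and Microsoft Teams (a single global setting).
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 2. Safe Links for Teams on every custom policy. Preset and built-in policies are
#    managed by Microsoft and are skipped, as the article's step 5 says.
Get-SafeLinksPolicy |
    Where-Object $ManagedPolicyFilter |
    Where-Object { -not $_.EnableSafeLinksForTeams } |
    ForEach-Object {
        Write-Host "Enabling Safe Links for Teams on policy '$($_.Name)'"
        Set-SafeLinksPolicy -Identity $_.Identity -EnableSafeLinksForTeams $true
    }

# 3. Block downloads of files Safe Attachments has flagged as malicious (the command the article gives).
Set-SPOTenant -DisallowInfectedFileDownload $true

function Get-CollaborationProtectionStatus {
    # Read the resulting state back rather than assuming the commands took effect.
    [pscustomobject]@{
        SafeAttachmentsForSpoOdbTeams = (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
        SafeLinksPoliciesMissingTeams = @(Get-SafeLinksPolicy |
            Where-Object $ManagedPolicyFilter |
            Where-Object { -not $_.EnableSafeLinksForTeams } |
            Select-Object -ExpandProperty Name)
        InfectedDownloadsBlocked      = (Get-SPOTenant).DisallowInfectedFileDownload
    }
}

Get-CollaborationProtectionStatus
```

The expected end state is SafeAttachmentsForSpoOdbTeams and InfectedDownloadsBlocked both True and SafeLinksPoliciesMissingTeams empty; any name left in that list is a custom Safe Links policy whose Teams users still get no time-of-click protection.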

Further reading
Policy recommendations for securing SharePoint sites and files
Track and respond to emerging threats with campaigns in Microsoft Defender for Office 365
Article • 11/10/2022 • 3 minutes to read

Campaigns can be used to track and respond to emerging threats because campaigns
allow you to investigate a coordinated email attack against your organization. As new
threats target your organization, Microsoft Defender for Office 365 will automatically
detect and correlate malicious messages.

What you will need


Microsoft Defender for Office 365 Plan 2 (included in E5 plans).
Sufficient permissions (Security Reader role).
Five to ten minutes to perform these steps.

What is a campaign in Microsoft Defender for Office 365
A campaign is a coordinated email attack against one or many organizations. Email
attacks that steal credentials and company data are a large and lucrative industry. As
technologies to stop attacks grow and multiply, attackers modify their methods to
continue their success.

Microsoft leverages vast amounts of anti-phishing, anti-spam, and anti-malware data across the entire service to help identify campaigns. We analyze and classify the attack information according to several factors, for example:

Attack source: The source IP addresses and sender email domains.
Message properties: The content, style, and tone of the messages.
Message recipients: How recipients are related, for example, recipient domains, recipient job functions (such as admins and executives), company types (such as large, small, public, and private), and industries.
Attack payload: Malicious links, attachments, or other payloads in the messages.

A campaign might be short-lived, or could span several days, weeks, or months with
active and inactive periods. A campaign might be launched against your specific
organization, or your organization might be part of a larger campaign across multiple
companies.

Tip

To learn more about the data available within a campaign, read Campaign Views in Microsoft Defender for Office 365.

Watch the Exploring campaign views video: https://www.microsoft.com/en-us/videoplayer/embed/RWGBL8?postJsllMsg=true

Investigating a suspicious email campaign using threat reports
In the event that a campaign has targeted your organization and you'd like to learn
more about the impact:

1. Navigate to the campaign page.
2. Select the campaign name that you would like to investigate.
3. When the flyout opens, select Download threat report.
4. Open the threat report; it provides more information about the campaign. The information in the report includes:

Executive summary: High-level summary of the type of campaign and the number of users targeted in your organization.
Analysis: Timeline chart of when the campaign started, the count of messages targeting your organization, and the destination and verdicts of the messages.
Attack origin: Top sending IP addresses and domains with a count of messages that were delivered to inboxes in your organization. This allows you to investigate who is targeting your organization.
Email template and payload: The subject line of the emails that were part of the campaign and the URLs (and their frequency) present as part of the campaign.
Recommendations: Recommendations for next steps to remediate messages.

Investigate inboxed messages that are part of an email threat campaign
1. Navigate to the campaign page .
2. Scroll through the list of campaigns in the Details view, below the graph.
3. Select the campaign name you want to investigate. If the campaign has a click
count of more than zero, that indicates that a user in your organization clicked on
a URL or downloaded a file from the email.
4. The campaign flyout displays more information about the campaign, the graph
displays a timeline of the campaign from campaign start to end date, and the
horizontal flow diagram displays the stages of the campaign from its origin, the
verdict, and the current location of the messages.
5. Below the flow diagram, select the URL clicks tab to display information regarding
the click. Here you can see the user that clicked on a URL, if the user is tagged as a
priority account user, the URL itself, and the time of click.
6. If you want to learn more about the inboxed and clicked messages, select Explore
messages > Inboxed messages. A new tab will open and navigate to Threat
Explorer.
7. In the details view of Explorer you can reference Latest delivery to determine if a
message is still in the inbox or was moved into quarantine by system ZAP. To get
more details about the specific message, select the message. The flyout provides
extra information. Upon selecting the Open email entity page on the top left of the
flyout, a new tab will open and give you further information about the message.
8. If you would like to take an action and move the messages out of the inbox, you
can select the message and then select Message actions > Move to junk folder.
This will ensure your user doesn't continue to interact with the malicious message
that could result in a potential breach.

Next steps
To learn more, read Campaign Views in Microsoft Defender for Office 365.
Set up a digest notification of changes to Microsoft Defender for Office 365 using the message center
Article • 09/29/2022 • 2 minutes to read

Would it be convenient if, every week, a digest email of Microsoft Defender for Office
365 changes from the Microsoft message center landed in your inbox?

The message center is where admins learn about official service announcements and
feature changes, via visiting the site (desktop or mobile app), consulting Microsoft
Planner, or by email.

Follow the steps below to make that helpful digest email happen.

What you'll need


Microsoft Defender for Office 365 Plan 1 or 2
Sufficient permissions (Message center reader as a minimum)
5 minutes to perform the steps below.

Steps to set up a weekly digest mail of message center changes and notifications

1. Log in to the Admin Center at https://admin.microsoft.com.
2. On the left-hand navigation, select Show All.
3. Expand Health and press Message Center.
4. On the page that loads, select Preferences.
5. A flyout will appear on the right; select the Email tab.
6. Ensure the email notification settings are as expected. You can select Other e-mail addresses if required to set up the digest to be sent to different users or a shared mailbox, for example.
7. Select the Send me a weekly digest about services I select box, and select the services you wish to receive information about. As a minimum, you should select Exchange Online & Microsoft 365 Defender.
8. Press Save.

You're done.

Watch: Track your message center tasks in Planner (video)

Learn More
Track new and changed features in the Microsoft 365 Message center

Track your message center tasks in Planner


Prioritize, Manage, Investigate & Respond to Incidents in Microsoft 365 Defender
Article • 12/22/2022 • 2 minutes to read

When alerts are triggered in Microsoft 365 Defender, automated investigation and
response (AIR) will trigger to hunt across an organization's subscription, determine the
impact and scope of the threat, and collate the information into a single Incident so that
admins don't have to manage multiple incidents.

What you'll need


Microsoft Defender for Office 365 Plan 2 or higher
Sufficient permissions (Security reader, security operations, or security
administrator, plus Search and purge role)

Prioritize & manage Incidents

Navigate to the security portal Incidents page at https://security.microsoft.com/incidents.

When the Incidents page loads, you can filter and prioritize by clicking columns to sort, or press Filters to apply a filter such as data source, tags, or state.

Now you have a prioritized list of incidents, from which you can select an incident to rename, assign, classify, tag, change the status, or add comments via the Manage incidents button.

Use the filters to make sure Microsoft Defender for Office 365 items are included.

If you are looking for specific alerts, either use the incident search capability (Search for name or ID) or consider filtering the alert queue on a specific alert.

Investigate & Respond to Incidents


After you have prioritized your incident queue, click on the incident you'd like to investigate to load the incident's Overview page. There you will find useful information such as the MITRE ATT&CK techniques observed and a timeline of the attack.
The tabs at the top of the incident page allow you to explore more details such as the affected users, mailboxes, endpoints, and so on.

The Evidence and Response tab shows items identified as related to the original alert via
the investigation.

Any items showing as Pending Action within Evidence and Response are awaiting
approval from an administrator. Sorting by the remediation status column in the All
Evidence view is recommended, followed by clicking the entity or cluster to load the
flyout menu where you can then approve the actions if appropriate.

If you need to understand the items involved further, you can use the incident graph to
see the visual linkage of the evidence and entities involved. Alternatively, you can review
the underlying investigations, which will show more of the entities and items involved in
the security event.

Next Steps
You can start using Action Center to act on pending action items from all incidents in
your organization if you want to focus on the action items AIR needs approval for.

More Information
Manage incidents in Microsoft 365 Defender | Microsoft Docs

How automated investigation and response works in Microsoft Defender for Office 365

Remediation actions in Microsoft Defender for Office 365


How to run attack simulations for your team
Article • 12/15/2022 • 2 minutes to read

Attack simulation training allows you to run realistic but benign cyber attack scenarios in
your organization. Simulated attacks help you identify vulnerable users, policies, and
practices before a real attack impacts your organization, and use built-in or custom
training to reduce risk and better educate end users about threats.

What you'll need


Microsoft Defender for Office 365 Plan 2 (included as part of E5)
Sufficient permissions (Security Administrator role)
5-10 minutes to perform the steps below.

Send a payload to target users


1. Navigate to Attack Simulation Training in your subscription.
2. Choose Simulations from the top navigation bar.
3. Select Launch a simulation.
4. Pick the technique you'd like to use from the flyout, and press Next.
5. Name the simulation with something relevant and memorable, and press Next.
6. Pick a relevant payload from the wizard, review the details and customize it if
appropriate, and press Next when you are happy with the choice.
7. Choose who to target with the payload. If you are targeting the entire organization,
select that radio button and press Next.
8. Otherwise, select Add Users and then search or filter the users with the wizard.
Select Add User(s) and then Next.
9. Under Select training content preference, leave the default Microsoft training
experience (Recommended) or select Redirect to a custom URL if you want to use
your own custom URL. If you don't want to assign any training, select No training.
a. You can either let Microsoft assign training courses by selecting Assign
training for me, or choose specific modules with Select training courses and
modules myself.
b. Select a Due Date (30, 15, or 7 days) from the drop-down menu.
c. Click Next to continue.
10. Customize the landing page displayed when a user is phished if appropriate, or
otherwise leave the Microsoft Default.
a. Under Payload indicators, check the box to add payload indicators to the email.
Adding payload indicators helps users learn how to identify the phishing email.
Select Open preview panel to view the message.
b. Click Next to continue.
11. Choose if you'd like end user notifications, and if so, select the delivery preferences
and customize where needed.
a. Notice that you can also select default language for the notification under the
Select default language drop-down menu.
12. Select when to launch the simulation, and how long it should be valid for. You can
also enable region aware time zone delivery. This option will deliver simulated
attack messages to your employees during their working hours based on their
region. Select Next.
13. Send a test if you're ready. Review the summary of choices. Click Submit.

Further reading
To learn how Attack Simulation works, see Simulate a phishing attack with Attack
simulation training - Office 365 | Microsoft Docs.


How to set up automated attacks and training within Attack simulation training
Article • 09/29/2022 • 2 minutes to read

Attack simulation training lets you run benign attack simulations on your organization
to assess your phishing risk and teach your users how to better avoid phishing attacks. By
following this guide, you will configure automated flows with specific techniques and
payloads that run when the specified conditions are met, launching simulations against
your organization.

What you'll need


Microsoft Defender for Office 365 Plan 2 (included as part of E5).
Sufficient permissions (Security Administrator role).
5-10 minutes to perform the steps below.

Send a payload to target users


1. Navigate to Attack simulation training.
2. Choose Simulation automations from the top navigation bar.
3. Press Create automation.
4. Name the Simulation automation with something relevant and memorable. Next.
5. Pick the techniques you'd like to use from the flyout. Next.
6. Manually select up to 20 payloads you'd like to use for this automation, or
alternatively select Randomize. Next.
7. If you picked OAuth as a Payload, you'll need to enter the name, logo and scope
(permissions) you'd like the app to have when it's used in a simulation. Next.
8. Choose who to target with the payload, if choosing the entire organization
highlight the radio button. Next.
9. Otherwise, select Add Users and then search or filter the users with the wizard,
press Add User(s). Next.
10. Customize the training if appropriate, otherwise leave Assign training for me
(recommended) selected. Next.
11. Customize the landing page displayed when a user is phished if appropriate,
otherwise leave as the Microsoft Default. Next.
12. Choose if you'd like end user notifications, if so select the delivery preferences and
customize where appropriate. Next.
13. For Simulation schedule, select either Randomized or Fixed (Randomized is the
recommended option), then select Next.
14. Depending on your choice of Randomized or Fixed, the schedule details differ;
set your preferences, including the start and end dates of the automation. Next.
15. For Launch Details, select any final options you want, such as using unique
payloads or targeting repeat offenders, and then select Next.
16. Submit, and the Simulation automation is set up.

Learn More
Full guidance can be found at Simulation automations for Attack simulation training -
Office 365 | Microsoft Docs.


Optimize and correct security policies with configuration analyzer
Article • 09/29/2022 • 2 minutes to read

Configuration analyzer is a central location (a single pane of glass) for administering
and viewing the email security policies configured in your tenant. You can perform a
side-by-side comparison of your settings against our Standard and Strict recommended
settings, apply recommendations, and view historical changes that affected your
posture.

What you'll need


Exchange Online Protection
Sufficient permissions (Security Administrator role)
5 minutes to perform the steps below.

Compare settings and apply recommendations


1. Navigate to https://security.microsoft.com/configurationAnalyzer.
2. Pick either Standard recommendations or Strict recommendations from the top
menu, based on the side-by-side comparison you'd like to make.
3. Recommendations for policy changes (if applicable) will be displayed.
4. Select a recommendation to see the recommended action, the policy the
recommendation applies to, the setting name, the current configuration, and so on.
5. With a recommendation selected, press Apply recommendation and then OK on
the confirmation message that appears.
6. If you wish to manually edit a policy, or confirm settings directly within the policy,
press View policy instead of Apply recommendation; this opens a new tab and takes
you directly to the affected policy.

View historical configuration changes


While in Configuration analyzer you can select Configuration drift analysis and history
from the top menu bar.

The page which loads will show you the modifications to your security policies in the
timeframe selected by the filters, along with data about the change and if it increased or
decreased your overall posture.

To learn more details about Configuration Analyzer, see Configuration analyzer for
security policies - Office 365 | Microsoft Docs.


Protect your c-suite with priority account protection
Article • 12/02/2022 • 2 minutes to read

Priority account protection helps IT and security teams ensure a high quality of service
and protection for the critical people within your organization. Tagging an account as a
priority account will enable the additional protection tuned for the mail flow patterns
targeting company executives, along with extra visibility in reports, alerts, and
investigations.

What you'll need


Microsoft Defender for Office 365 Plan 2 (included as part of E5 plans)
Sufficient permissions (Security Administrator role)
5 minutes to perform the steps below.

Tag Priority users


1. Identify the users, groups, or domains you would like to tag as priority accounts.
2. Log in to the Microsoft Security Portal and navigate to Settings on the left
navigation bar.
3. Select Email & collaboration on the page that loads and then click User tags.
4. On the User tags page, select the Priority account tag and press Edit tag.
5. On the flyout that appears, select Add members.
6. Search for the users you wish to tag, select one or more users and press Add.
7. Review the members you have selected and press Next.
8. Press Submit to confirm the changes.

To learn what priority account tags are see Manage and monitor priority accounts -
Microsoft 365 admin | Microsoft Docs.

Next Steps
Review the differentiated protection for users tagged as priority accounts.

PowerShell configuration
If you want to achieve these steps via PowerShell, you can do so using the following
cmdlets:

1. View a list of priority accounts: Get-User -IsVIP | select Identity
2. Add a user to the list of priority accounts: Set-User -VIP:$true -Identity <Identity>
3. Remove a user from the list of priority accounts: Set-User -VIP:$false -Identity <Identity>


Steps to use manual email remediation in Threat Explorer
Article • 09/29/2022 • 3 minutes to read

Email remediation is an existing feature that helps admins act on emails that are
threats.

What you'll need


Microsoft Defender for Office 365 Plan 2 (Included in E5 plans)
Sufficient permissions (be sure to grant the account the Search and Purge role)

Create and track the remediation


1. Select a threat to remediate in Threat Explorer and select the Message Actions
button, which will offer you options such as Soft Delete or Hard Delete.

2. The side pane will open and ask for details like a name for the remediation,
severity, and description. Once the information is reviewed, press Submit.

3. As soon as the admin approves this action, they will see the Approval ID and a link
to the Microsoft 365 Defender Action Center here. This page is where actions
can be tracked.
a. Admin action alert - A system alert shows up in the alert queue with the name
'Administrative action submitted by an Administrator'. This indicates that an
admin took the action of remediating an entity. It gives details such as the name
of the admin who took the action, and the investigation link and time. This
makes admins aware of each important action, like remediation, taken on
entities.
b. Admin action investigation - Since the analysis on entities was already done by
the admin and that's what led to the action taken, no additional analysis is done
by the system. It shows details such as related alert, entity selected for
remediation, action taken, remediation status, entity count, and approver of the
action. This allows admins to keep track of the investigation and actions carried
out manually--an admin action investigation.

4. Action logs in unified action center - History and action logs for email actions like
soft delete and move to deleted items folder, are all available in a centralized view
under the unified Action Center > History tab.
5. Filters in unified action center - There are multiple filters such as remediation
name, approval ID, Investigation ID, status, action source, and action type. These
are useful for finding and tracking email actions in unified Action center.

Important

Performance: For better performance, remediation should be done in batches of
50,000 or fewer. Narrow down the search result by using the latest delivery location,
and trigger email remediation only if the email is in a remediable folder such as Inbox,
Junk, or Deleted.

Scenarios that call for email remediation


Here are scenarios of email remediation:

1. As part of an investigation, SecOps identifies a threat in an end-user's mailbox and
wants to clear out the problem email(s).
2. When suggested email actions in Automated Investigation and Response (AIR) are
approved by SecOps, remediation action triggers automatically for the given email
or email cluster.

Two manual email remediation scenarios:

1. The main scenario:
a. Manual actions taken on emails (for example, using Threat Explorer or
Advanced Hunting) are only visible in the legacy Defender for Office 365 Action
Center (Email and Collaboration > Review > Action Center in Action center -
Microsoft 365 security).
2. Two-step approval scenario:
a. Manual actions pending approval using the two-step approval process (1. The
email was added to remediation by one analyst, 2. The email was reviewed and
approved by another analyst).

Given the common scenarios, email remediation can be triggered in three different
ways.

1. Query based remediation: By selecting all the search results with a query (200,000
emails can be submitted at a maximum).
2. Handpicked remediation: Selecting emails one-by-one by clicking on the check
box (100 emails can be submitted at one time).
3. Query based remediation with exclusions: Selecting all emails, and then manually
removing a few messages (the query can hold a maximum of 1,000 emails and the
maximum number of exclusions is 100).

Next Steps
1. Go to the Microsoft 365 Defender portal and sign in.
2. In the navigation pane, select Action center.
3. Go to the History tab, click on any waiting approval list. It opens up a side pane.
4. Track the action status in the unified action center.

More information
Learn more about email remediation


Prioritize and manage Automated Investigations and Response (AIR)
Article • 12/09/2022 • 2 minutes to read

Automated Investigation and Response (AIR) saves your security operations team time
and effort.

When alerts are triggered, automated investigation will determine the scope of
impact of a threat in your organization and provide recommended remediation
actions.
Security teams can save time by leveraging AIR automation to reduce the need for
manual hunting.
These investigations can identify emails that haven't been cleaned up by Zero-hour
Auto Purge (ZAP) or other remediation.
AIR investigations also identify mailbox configurations that may be risky or indicate
a compromised mailbox.

Investigation actions (and investigations) are accessible from several points in the
Microsoft Security portal: via Incidents, via Alerts, or via Action Center. Which admins use
is based on the workflow an admin is pursuing.

Why use the Action Center workflow


As automated investigations on Email & collaboration content result in verdicts, such as
Malicious or Suspicious, certain remediation actions are created. The suggested
remediation actions aren't carried out automatically; SecOps must navigate to each
investigation to approve them. In the Action Center, all the pending actions are
aggregated for quick approval.

What you'll need


Microsoft Defender for Office 365 Plan 2 or higher (Included with E5)
Sufficient permissions (Security reader, security operations, or security
administrator, plus Search and purge role)

Steps to analyze and approve AIR actions directly from the Action Center

1. Navigate to the Microsoft 365 Defender portal and sign in.
2. When the Action center loads, filter and prioritize by clicking columns to sort the
actions, or press Filters to apply a filter such as entity type (for a particular URL) or
action type (such as soft delete email).
3. A flyout will open once an action is clicked. It appears on the right-hand side of the
screen for review.
4. For more information about why an action is requested, select Open investigation
page in the flyout to learn more about the investigation or alerts linked to this
action. (Admins can also approve actions seen on the investigation page by
selecting the Pending Actions tab.)
5. Otherwise, select Approve to take the recommended action directly from the
Action Center.
6. Reject the action, if you determine it's unnecessary.

Check AIR history


1. Navigate to the Microsoft 365 Defender portal and sign in.
2. In the left-hand navigation pane, expand Action & submissions then click Action
Center.
3. When the Action Center loads press the History tab.
4. View the history of AIR, including decisions made, source of action, and admin who
made the decision, if appropriate.

More Information
View the results of an automated investigation in Microsoft 365 - Office 365 | Microsoft
Docs

Learn about approving and rejecting pending actions from the Investigation page


How to handle malicious emails that are delivered to recipients (False Negatives),
using Microsoft Defender for Office 365
Article • 12/22/2022 • 2 minutes to read

Microsoft Defender for Office 365 helps deal with malicious emails (False Negatives) that
are delivered to recipients and that put your organizational productivity at risk.
Defender for Office 365 can help you understand why emails are getting delivered, how
to resolve the situation quickly, and how to prevent similar situations from happening in
the future.

What you'll need


Microsoft Defender for Office 365 Plan 1 and 2 (included as part of E5). Exchange
Online customers can also leverage this.
Sufficient permissions (Security Administrator role).
5-10 minutes to perform the steps below.

Handling malicious emails in the Inbox folder of end users
1. Ask end users to report the email as phishing or junk using Microsoft Message
Add-in or Microsoft Phish add-in or the Outlook buttons.
2. End users can also add the sender to the block senders list in Outlook to prevent
emails from this sender from being delivered to their inbox.
3. Admins can triage the user reported messages from User reported tab on the
Submissions page.
4. From those reported messages, admins can submit to Microsoft for analysis to
learn why that email was allowed in the first place.
5. If needed, while submitting to Microsoft for analysis, admins can create a block for
the sender to mitigate the problem.
6. Once the results for submissions are available, read the verdict to understand why
emails were allowed, and how your tenant setup could be improved to prevent
similar situations from happening in the future.

Handling malicious emails in the Junk folder of end users
1. Ask end users to report the email as phishing using Microsoft Message Add-in, or
Microsoft Phish Add-in, or the Outlook buttons.
2. Admins can triage the user reported messages from the User reported tab on the
Submissions page.
3. From those reported messages admins can submit to Microsoft for analysis and
learn why that email was allowed in the first place.
4. If needed, while submitting to Microsoft for analysis, admins can create a block for
the sender to mitigate the problem.
5. Once the results for submissions are available, read the verdict to understand why
emails were allowed, and how your tenant setup could be improved to prevent
similar situations from happening in the future.

Handling malicious emails landing in the quarantine folder of end users
1. End users receive an email digest about quarantined messages as per the settings
enabled by admins.
2. End users can preview the messages in quarantine, block the sender, and submit
those messages to Microsoft for analysis.

Handling malicious emails landing in the quarantine folder of admins
1. Admins can view the quarantined emails (including the ones asking permission to
request release) from the review page.
2. Admins can submit any malicious, or suspicious messages to Microsoft for analysis,
and create a block to mitigate the situation while waiting for verdict.
3. Once the results for submissions are available, read the verdict to learn why the
emails were allowed, and how your tenant setup could be improved to prevent
similar situations from happening in the future.


How to handle Legitimate emails getting blocked (False Positive), using
Microsoft Defender for Office 365
Article • 12/22/2022 • 2 minutes to read

Microsoft Defender for Office 365 helps deal with important legitimate business emails
that are mistakenly blocked as threats (False Positives). Defender for Office 365 can help
admins understand why legitimate emails are being blocked, how to resolve the
situation quickly, and prevent similar situations from happening in the future.

What you'll need


Microsoft Defender for Office 365 Plan 1 or 2 (included as part of E5). Exchange
Online customers can also leverage this feature.
Sufficient permissions (Security Administrator role).
5-10 minutes to perform the steps below.

Handling legitimate emails landing in the Junk folder of end users
1. Ask end users to report the email as not junk using Microsoft Message Add-in or
the Outlook buttons.
2. End users can also add the sender to the safe sender list in Outlook to prevent
email from these senders landing in the Junk folder.
3. Admins can triage the user-reported messages from the User reported tab on the
Submission page.
4. From those reported messages, admins can submit to Microsoft for analysis and
understand why that email was blocked in the first place.
5. If needed, while submitting to Microsoft for analysis, admins can judiciously create
an allow for a sender to mitigate the problem.
6. Once the results from the admin submission are available, read them to understand
why emails were blocked and how your tenant setup could be improved to prevent
similar situations from happening in the future.

Handling legitimate emails that are in the quarantine folder of end users
1. An end user receives an email digest about quarantined messages as per the
settings enabled by security admins.
2. End users can preview the messages in quarantine, block the sender, release the
messages, submit those messages to Microsoft for analysis, and request release of
those emails from admins.

Handling legitimate emails in the quarantine folder of an admin
1. Admins can view the quarantined emails (including the ones asking permission to
request release) from the review page.
2. Admins can release the message from quarantine while submitting it to Microsoft
for analysis, and create an allow to mitigate the situation.
3. Once the results for submissions are available, admins should read the verdict to
understand why emails were blocked, and how the tenant setup could be
improved to prevent similar situations from happening in the future.


Assess the impact of security configuration changes with Explorer
Article • 12/22/2022 • 3 minutes to read

Before you make change(s) to your security configuration, such as policies or transport
rules, it's important to understand the impact of the change(s) so that you can plan and
ensure minimal disruption to your organization.

This step-by-step guide will take you through assessing a change, and exporting the
impacted emails for assessment. The procedure can be applied to many different
changes, by altering the criteria (filters) you use in explorer.

What you'll need


Microsoft Defender for Office 365 Plan 2 (included as part of E5).
Sufficient permissions (Security reader minimum required to assess via Threat
Explorer).
5-10 minutes to perform the steps below.

Assess changing normal confidence phish delivery location to quarantine (from the
Junk email folder)
1. Log in to the security portal and navigate to Explorer (underneath Email &
Collaboration on the left nav): https://security.microsoft.com/threatexplorer.
2. Select Phish from the top tab selection (All email is the default view).
3. Press the filter button (defaulted to Sender) and select Phish confidence level.
4. Select the Phish confidence level of Normal.
5. Add an additional filter of Original delivery location set as Junk folder.
6. Press Refresh. Explorer is now filtered to show all the mail that is detected as
normal confidence phish and gets delivered to the Junk folder due to the settings
in the anti-spam policy.
7. If you wish to pivot the data displayed in the chart, you can do so by using the data
slicer at the top left of the chart (defaulted to Delivery action), selecting useful data
such as Sender IP or Sender domain to spot trends and top affected senders.
8. Below the chart section, where the affected emails are displayed, select Export
email list, which will generate a CSV for offline analysis. This is a list of the emails
which would be quarantined if the phish action was changed to Quarantine
(recommended change for both standard and strict presets).

Assess the impact of removing a sender / domain override
1. Log in to the security portal and navigate to Explorer (underneath Email &
Collaboration on the left nav): https://security.microsoft.com/threatexplorer.
2. Select All email if not already selected.
3. Press the filter button (defaulted to Sender) and add either a sender or sender
domain filter, then add the entry where you wish to assess the impact of removal.
4. Expand the date range to the maximum and press Refresh. You should now see mail
listed if the sender / sending domain is still actively messaging your organization.
If not, you may need to tweak the filter; alternatively, you no longer receive mail
from that domain / sender and can remove the entry safely.
5. If mail is listed, this means the entry is still an active sender. Pivot the data in the
chart using the data slicer (defaulted to Delivery action) to Detection technology.
6. The chart should refresh, and if it now displays no data, this means we have not
detected any threats on any of the mail previously shown, which indicates an
override is not needed, as there is no detection to override.
7. If there is data displayed when the data is sliced by Detection technology, this
means removing the override would have impact on this sender / domain due to
the protection stack taking action.
8. You should investigate the mail further to assess if it is truly malicious and the
entry can be removed, or if it is a false positive and should be remediated so it is
no longer incorrectly detected as a threat (authentication is the biggest cause of
false positives).

Further reading
Consider using secure presets: Ensuring you always have the optimal security controls
with preset security policies

You can also manage email authentication issues with spoof intelligence: Spoof
intelligence insight

Learn more about email authentication: Email Authentication in Exchange Online
Protection


Introduction
Article • 01/13/2023 • 2 minutes to read

Historically, allow lists have told Exchange Online Protection to ignore the signals
indicating an email is malicious. It is commonplace for vendors to request IPs, domains,
and sender addresses be overridden unnecessarily. Attackers have been known to take
advantage of this mistake and it is a pressing security loophole to have unnecessary
allow list entries. This step-by-step guide will walk you through using advanced hunting
to identify these misconfigured overrides and remove them, so you can increase your
organization's security posture.

What you will need


Microsoft Defender for Office 365 Plan 2 (Included in E5 plans, or trial available at
aka.ms/trymdo)
Sufficient permissions (Security reader role)
5-10 minutes to do the steps below.

Common steps for all the below queries


1. Log in to the security portal and navigate to advanced hunting.
2. Enter the KQL query into the query box, and press Run Query.
3. Pressing the NetworkMessageId hyperlink for individual emails when shown in the
results will load a flyout, allowing easy access to the email entity page, where the
analysis tab will provide further details, such as the transport rule(s) which that
email matched.
4. The results can also be exported by pressing Export for manipulation / analysis
offline.

Tip

Changing OrgLevelAction to UserLevelAction will allow you to search for emails
getting overridden by users rather than administrators, and can also be a useful
insight.

Queries

Top override source
Use this query to find where the most unnecessary overrides are located. This query
looks for emails that have been overridden without any detection that needed an
override.

EmailEvents
| where OrgLevelAction == "Allow"
| summarize count() by OrgLevelPolicy, ThreatTypes

Top overridden threat type
Use this query to find the most overridden types of threat detected. This query looks for
emails that had the detected threat overridden; a DetectionMethods value of DMARC or
Spoof indicates email authentication issues that can be fixed to remove the need for
the override.

EmailEvents
| where OrgLevelAction == "Allow" and ThreatTypes != ""
| summarize count() by DetectionMethods

Top overridden IPs
This query looks for emails that have been overridden by IP, without any detection that
called for an override.

EmailEvents
| where OrgLevelAction == "Allow" and ThreatTypes != ""
| summarize count() by SenderIPv4
| top 10 by count_

Top overridden domains
This query looks for emails that have been overridden by sending domain without any
detection that called for an override. (Change SenderFromDomain to
SenderMailFromDomain to check the 5321.MailFrom domain instead.)

EmailEvents
| where OrgLevelAction == "Allow" and ThreatTypes != ""
| summarize count() by SenderFromDomain
| top 10 by count_

Top overridden senders
This query looks for emails that have been overridden by sending address without any
detection that requires an override. (Change SenderFromAddress to
SenderMailFromAddress to check the 5321.MailFrom address instead.)

EmailEvents
| where OrgLevelAction == "Allow" and ThreatTypes != ""
| summarize count() by SenderFromAddress
| top 10 by count_
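As an added example (not one of the article's queries), the following KQL combines the checks above into a single view per sending domain: it separates allows that suppressed a detection from allows where nothing was detected (the override did no work), and shows how often the suppressed detections coincided with a DMARC or composite authentication failure. It assumes the EmailEvents columns used above plus AuthenticationDetails; the JSON key names DMARC and CompAuth inside that column are an assumption.

```kql
// Added example, not part of the article. Per sending domain, classify org-level
// allow overrides as "unnecessary" (no threat was detected, so the override did no
// work) or "suppressed a detection" (a threat verdict was overridden), and show
// whether the suppressed detections came with authentication failures.
// Assumption: AuthenticationDetails is a JSON string with keys such as DMARC and
// CompAuth, each holding a verdict string like "pass", "fail" or "none".
let lookback = 30d;
EmailEvents
| where Timestamp > ago(lookback)
| where OrgLevelAction == "Allow"   // use UserLevelAction instead to review user overrides
| extend Auth = parse_json(AuthenticationDetails)
| extend HadDetection = isnotempty(ThreatTypes),
         DmarcResult = tostring(Auth.DMARC),
         CompAuthResult = tostring(Auth.CompAuth)
| summarize
    TotalAllowed = count(),
    UnnecessaryAllows = countif(not(HadDetection)),
    SuppressedDetections = countif(HadDetection),
    SuppressedWithDmarcFail = countif(HadDetection and DmarcResult =~ "fail"),
    SuppressedWithCompAuthFail = countif(HadDetection and CompAuthResult =~ "fail"),
    ThreatsSuppressed = make_set_if(ThreatTypes, HadDetection, 10),
    DetectionMethodsSeen = make_set_if(DetectionMethods, HadDetection, 10),
    Policies = make_set(OrgLevelPolicy, 10)
  by SenderFromDomain
| extend PctUnnecessary = round(100.0 * UnnecessaryAllows / TotalAllowed, 1)
| order by SuppressedDetections desc, UnnecessaryAllows desc
| take 25
```

Rows with SuppressedDetections of 0 are overrides that currently do nothing and are candidates for removal; rows where the suppressed detections coincide with DMARC or CompAuth failures point at sender authentication to fix rather than an override to keep.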

Learn More
Hopefully you found this useful. These basic queries should get you started with
advanced hunting; to learn more, check out the articles below.

Learn more about advanced hunting: Overview - Advanced hunting

Learn more about authentication: Email Authentication in Exchange Online Protection


Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview
compliance
Article • 12/22/2022 • 25 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

The Microsoft 365 Defender portal and Microsoft Purview compliance portal have
replaced the Security & Compliance Center as the place to manage Microsoft Defender
for Office 365 and Microsoft Purview compliance roles and role groups for your
organization. For more information about permissions within these portals, see the
following articles:

Email & collaboration permissions in the Microsoft 365 Defender portal


Microsoft Purview solutions permissions in the Microsoft Purview compliance
portal

These portals let you grant permissions to people who perform tasks like device
management, data loss prevention, eDiscovery, retention, and so on. These people can
perform only the tasks that you explicitly grant them access to. To access these portals,
users need to be a global admin or a member of one or more Defender for Office 365
(Email & collaboration) or Purview compliance groups.

Permissions in these portals are based on the role-based access control (RBAC)
permissions model. RBAC is the same permissions model that's used by Exchange, so if
you're familiar with Exchange Online, granting permissions in these portals will be very
similar. But it's important to remember that role groups in Exchange Online and role
groups for Defender for Office 365 or Purview compliance don't share membership or
permissions. For example, while an Organization Management role group exists in
Exchange Online, the permissions granted and role group members are different than
the Organization Management role group in Defender for Office 365 and Purview
compliance.

This article contains the inventory of Defender for Office 365 and Purview compliance
roles and role groups.
Note

In the Microsoft 365 Defender preview program, a different Microsoft Defender 365
RBAC model is also available. The permissions in this RBAC model are different
from the Defender for Office 365 permissions as described in this article. For more
information, see Microsoft 365 Defender role-based access control (RBAC).

Role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance
The table in this section lists the default role groups that are available in the Microsoft
365 Defender and Microsoft Purview compliance portals, and the roles that are assigned
to the role groups by default. To grant permissions to a user to perform tasks in Defender
for Office 365 or Purview compliance, add them to the appropriate role group.

Managing permissions in Defender for Office 365 or Purview compliance gives users
access to security and compliance features that are available within their respective
portals. To grant permissions to other features, such as Exchange mail flow rules (also
known as transport rules), you need to grant permissions in Exchange Online. For more
information, see Permissions in Exchange Online.

Note

To view the Permissions tab as described in this article, you need to be an admin.
Specifically, you need to be assigned the Role Management role, and that role is
assigned only to the Organization Management role group by default.
Furthermore, the Role Management role allows users to view, create, and modify
role groups.

Role group: Attack Simulation Administrators
Description: Don't use this role group in these portals. Use the corresponding role in Azure AD.
Default roles assigned: Attack Simulator Admin

Role group: Attack Simulator Payload Authors
Description: Don't use this role group in these portals. Use the corresponding role in Azure AD.
Default roles assigned: Attack Simulator Payload Author

Role group: Communication Compliance
Description: Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer.
Default roles assigned: Case Management, Communication Compliance Admin, Communication Compliance Analysis, Communication Compliance Case Management, Communication Compliance Investigation, Communication Compliance Viewer, Data Classification Feedback Provider, Data Connector Admin, View-Only Case

Role group: Communication Compliance Administrators
Description: Administrators of communication compliance that can create/edit policies and define global settings.
Default roles assigned: Communication Compliance Admin, Communication Compliance Case Management, Data Connector Admin

Role group: Communication Compliance Analysts
Description: Analysts of communication compliance that can investigate policy matches, view message meta data, and take remediation actions.
Default roles assigned: Communication Compliance Analysis, Communication Compliance Case Management

Role group: Communication Compliance Investigators
Description: Analysts of communication compliance that can investigate policy matches, view message content, and take remediation actions.
Default roles assigned: Case Management, Communication Compliance Analysis, Communication Compliance Case Management, Communication Compliance Investigation, Data Classification Feedback Provider, View-Only Case

Role group: Communication Compliance Viewers
Description: Viewer of communication compliance that can access the available reports and widgets.
Default roles assigned: Communication Compliance Case Management, Communication Compliance Viewer

Role group: Compliance Administrator¹
Description: Members can manage settings for device management, data loss prevention, reports, and preservation.
Default roles assigned: Case Management, Communication Compliance Admin, Communication Compliance Case Management, Compliance Administrator, Compliance Search, Data Classification Feedback Provider, Data Classification Feedback Reviewer, Data Connector Admin, Data Investigation Management, Device Management, Disposition Management, DLP Compliance Management, Hold, IB Compliance Management, Information Protection Admin, Information Protection Analyst, Information Protection Investigator, Information Protection Reader, Insider Risk Management Admin, Manage Alerts, Organization Configuration, RecordManagement, Retention Management, View-Only Audit Logs, View-Only Case, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts, View-Only Recipients, View-Only Record Management, View-Only Retention Management

Role group: Compliance Data Administrator
Description: Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.
Default roles assigned: Compliance Administrator, Compliance Search, Data Connector Admin, Device Management, Disposition Management, DLP Compliance Management, IB Compliance Management, Information Protection Admin, Information Protection Analyst, Information Protection Investigator, Information Protection Reader, Manage Alerts, Organization Configuration, RecordManagement, Retention Management, Sensitivity Label Administrator, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts, View-Only Recipients, View-Only Record Management, View-Only Retention Management

Role group: Compliance Manager Administrators
Description: Manage template creation and modification.
Default roles assigned: Compliance Manager Administration, Compliance Manager Assessment, Compliance Manager Contribution, Compliance Manager Reader, Data Connector Admin

Role group: Compliance Manager Assessors
Description: Create assessments, implement improvement actions, and update test status for improvement actions.
Default roles assigned: Compliance Manager Assessment, Compliance Manager Contribution, Compliance Manager Reader, Data Connector Admin

Role group: Compliance Manager Contributors
Description: Create assessments and perform work to implement improvement actions.
Default roles assigned: Compliance Manager Contribution, Compliance Manager Reader, Data Connector Admin

Role group: Compliance Manager Readers
Description: View all Compliance Manager content except for administrator functions.
Default roles assigned: Compliance Manager Reader

Role group: Content Explorer Content Viewer
Description: View the contents of files in Content explorer.
Default roles assigned: Data Classification Content Viewer

Role group: Content Explorer List Viewer
Description: View all items in Content explorer in list format only.
Default roles assigned: Data Classification List Viewer

Role group: Data Investigator
Description: Perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations.
Default roles assigned: Communication, Compliance Search, Custodian, Data Investigation Management, Export, Preview, Review, RMS Decrypt, Search And Purge

Role group: eDiscovery Manager
Description: Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in eDiscovery (Premium).
An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:
- View all eDiscovery cases in the organization.
- Manage any eDiscovery case after they add themselves as a member of the case.
The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the eDiscovery cases page in the compliance portal. An eDiscovery Manager can only access the cases they created or cases they are a member of. For more information about making a user an eDiscovery Administrator, see Assign eDiscovery permissions in the compliance portal.
Default roles assigned: Case Management, Communication, Compliance Search, Custodian, Export, Hold, Preview, Review, RMS Decrypt

Role group: Global Reader
Description: Members have read-only access to reports, alerts, and can see all the configuration and settings.
The primary difference between Global Reader and Security Reader is that a Global Reader can access configuration and settings.
Default roles assigned: Security Reader, Sensitivity Label Reader, Service Assurance View, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts, View-Only Recipients, View-Only Record Management, View-Only Retention Management

Role group: Information Protection
Description: Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports.
Default roles assigned: Data Classification Content Viewer, Information Protection Admin, Information Protection Analyst, Information Protection Investigator, Information Protection Reader

Role group: Information Protection Admins
Description: Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.
Default roles assigned: Information Protection Admin

Role group: Information Protection Analysts
Description: Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.
Default roles assigned: Data Classification List Viewer, Information Protection Analyst

Role group: Information Protection Investigators
Description: Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.
Default roles assigned: Data Classification Content Viewer, Information Protection Analyst, Information Protection Investigator

Role group: Information Protection Readers
Description: View-only access to reports for DLP policies and sensitivity labels and their policies.
Default roles assigned: Information Protection Reader

Role group: Insider Risk Management
Description: Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.
Default roles assigned: Case Management, Data Connector Admin, Insider Risk Management Admin, Insider Risk Management Analysis, Insider Risk Management Audit, Insider Risk Management Investigation, View-Only Case

Role group: Insider Risk Management Admins
Description: Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.
Default roles assigned: Case Management, Data Connector Admin, Insider Risk Management Admin, View-Only Case

Role group: Insider Risk Management Analysts
Description: Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer.
Default roles assigned: Case Management, Insider Risk Management Analysis, View-Only Case

Role group: Insider Risk Management Auditors
Description: Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log.
Default roles assigned: Insider Risk Management Audit

Role group: Insider Risk Management Investigators
Description: Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.
Default roles assigned: Case Management, Insider Risk Management Investigation, View-Only Case

Role group: IRM Contributors
Description: This role group is visible, but is used by background services only.
Default roles assigned: Insider Risk Management Permanent contribution, Insider Risk Management Temporary contribution

Role group: Knowledge Administrators
Description: Configure knowledge, learning, assign trainings and other intelligent features.
Default roles assigned: Knowledge Admin

Role group: MailFlow Administrator
Description: Members can monitor and view mail flow insights and reports in the Defender portal. Global admins can add ordinary users to this group, but, if the user isn't a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks.
Default roles assigned: View-Only Recipients

Role group: Organization Management¹
Description: Members can control permissions for accessing features in these portals, and also manage settings for device management, data loss prevention, reports, and preservation.
Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM).
Global admins are automatically added as members of this role group, but you won't see them in the output of the Get-RoleGroupMember cmdlet in Security & Compliance PowerShell.
Default roles assigned: Audit Logs, Case Management, Communication Compliance Admin, Communication Compliance Case Management, Compliance Administrator, Compliance Search, Data Connector Admin, Device Management, DLP Compliance Management, Hold, IB Compliance Management, Insider Risk Management Admin, Manage Alerts, Organization Configuration, Quarantine, RecordManagement, Retention Management, Role Management, Search And Purge, Security Administrator, Security Reader, Sensitivity Label Administrator, Sensitivity Label Reader, Service Assurance View, Tag Contributor, Tag Manager, Tag Reader, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Case, View-Only Manage Alerts, View-Only Recipients, View-Only Record Management, View-Only Retention Management

Role group: Privacy Management
Description: Manage access control for Priva in the Microsoft Purview compliance portal.
Default roles assigned: Case Management, Data Classification Content Viewer, Data Classification List Viewer, Privacy Management Admin, Privacy Management Analysis, Privacy Management Investigation, Privacy Management Permanent contribution, Privacy Management Temporary contribution, Privacy Management Viewer, Subject Rights Request Admin, View-Only Case

Role group: Privacy Management Administrators
Description: Administrators of privacy management solution that can create/edit policies and define global settings.
Default roles assigned: Case Management, Privacy Management Admin, View-Only Case

Role group: Privacy Management Analysts
Description: Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.
Default roles assigned: Case Management, Data Classification List Viewer, Privacy Management Analysis, View-Only Case

Role group: Privacy Management Contributors
Description: Manage contributor access for privacy management cases.
Default roles assigned: Privacy Management Permanent contribution, Privacy Management Temporary contribution

Role group: Privacy Management Investigators
Description: Investigators of privacy management solution that can investigate policy matches, view message content, and take remediation actions.
Default roles assigned: Case Management, Data Classification Content Viewer, Data Classification List Viewer, Privacy Management Investigation, View-Only Case

Role group: Privacy Management Viewers
Description: Viewer of privacy management solution that can access the available dashboards and widgets.
Default roles assigned: Data Classification List Viewer, Privacy Management Viewer

Role group: Quarantine Administrator
Description: Members can access all Quarantine actions. For more information, see Manage quarantined messages and files as an admin in EOP.
Default roles assigned: Quarantine

Role group: Records Management
Description: Members can configure all aspects of records management, including retention labels and disposition reviews.
Default roles assigned: Disposition Management, RecordManagement, Retention Management

Role group: Reviewer
Description: Members can access review sets in eDiscovery (Premium) cases. Members of this role group can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set.
Default roles assigned: Review

Role group: Security Administrator
Description: Members have access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals.
By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory.
To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see Azure AD built-in roles. If you edit this role group in these portals (membership or roles), those changes apply only to the security and compliance areas and not to any other services.
This role group includes all of the read-only permissions of the Security reader role, plus a number of additional administrative permissions for the same services: Azure Information Protection, Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals.
Default roles assigned: Audit Logs, Device Management, DLP Compliance Management, IB Compliance Management, Manage Alerts, Quarantine, Security Administrator, Sensitivity Label Administrator, Tag Contributor, Tag Manager, Tag Reader, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts

Role group: Security Operator
Description: Members can manage security alerts, and also view reports and settings of security features.
Default roles assigned: Compliance Search, Manage Alerts, Security Reader, Tag Contributor, Tag Reader, Tenant AllowBlockList Manager, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts

Role group: Security Reader
Description: Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals.
By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory.
To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see Azure AD built-in roles. If you edit this role group in the portals (membership or roles), those changes apply only to security and compliance areas and not to any other services.
Default roles assigned: Security Reader, Sensitivity Label Reader, Tag Reader, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts

Role group: Service Assurance User
Description: Members can access the Service assurance section in the compliance portal. Service assurance provides reports and documents that describe Microsoft's security practices for customer data that's stored in Microsoft 365. It also provides independent third-party audit reports on Microsoft 365. For more information, see Service assurance in the compliance portal.
Default roles assigned: Service Assurance View

Role group: Subject Rights Request Administrators
Description: Create subject rights requests.
Default roles assigned: Case Management, Subject Rights Request Admin, View-Only Case

Role group: Supervisory Review
Description: Members can create and manage the policies that define which communications are subject to review in an organization. For more information, see Configure communication compliance policies for your organization.
Default roles assigned: Supervisory Review Administrator

Note

¹ This role group doesn't assign members the permissions necessary to search the
audit log or to use any reports that might include Exchange data, such as the DLP
or Defender for Office 365 reports. To search the audit log or to view all reports, a
user has to be assigned permissions in Exchange Online. This is because the
underlying cmdlet used to search the audit log is an Exchange Online cmdlet.
Global admins can search the audit log and view all reports because they're
automatically added as members of the Organization Management role group in
Exchange Online. For more information, see Search the audit log in the
compliance portal.
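The role group inventory above is only useful if it matches what is actually configured in your tenant. The following Security & Compliance PowerShell script is an added example, not part of this Microsoft documentation: it enumerates the role groups, flags those that grant the highest-impact roles from the table (Role Management, Search And Purge, RMS Decrypt, Export, Preview), and lists their current members. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds the Role Management role.

```powershell
# Added example (not Microsoft's code): inventory role groups in Security & Compliance
# PowerShell and flag the ones that grant high-impact roles, with their current members.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# holds the Role Management role (assigned to Organization Management by default).
Connect-IPPSSession

# Roles from this article's inventory worth re-checking whenever membership changes:
# Role Management can rewrite any role group; the rest search, read, export or purge content.
$sensitiveRoles = @('Role Management', 'Search And Purge', 'RMS Decrypt', 'Export', 'Preview')

$report = foreach ($rg in Get-RoleGroup) {
    # Roles holds the role names assigned to the role group; force strings so the
    # comparison works whether the session returns plain strings or identity objects.
    $granted = @($rg.Roles | ForEach-Object { "$_" })
    $hits = @($granted | Where-Object { $sensitiveRoles -contains $_ })
    if ($hits.Count -eq 0) { continue }

    # Global admins are implicit members of Organization Management and are not
    # returned by Get-RoleGroupMember (see the Organization Management row above),
    # so review the Global Administrator role in Azure AD separately.
    $members = @(Get-RoleGroupMember -Identity $rg.Name | ForEach-Object { $_.Name })

    [pscustomobject]@{
        RoleGroup      = $rg.Name
        SensitiveRoles = ($hits -join ', ')
        MemberCount    = $members.Count
        Members        = ($members -join '; ')
    }
}

# Largest blast radius first; pipe $report to Export-Csv to keep a baseline for change detection.
$report | Sort-Object MemberCount -Descending | Format-Table -AutoSize -Wrap
```

Custom role groups created in the portal appear in the output alongside the default ones, so a role group that was granted Role Management outside the default Organization Management group shows up here without any extra filtering.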

Roles in Microsoft Defender for Office 365 and Microsoft Purview compliance

The table in this section lists the available roles and the role groups that they're
assigned to by default.

The following roles aren't assigned to the Organization Management role group by
default:

Attack Simulator Admin
Attack Simulator Payload Author
Communication
Communication Compliance Analysis
Communication Compliance Investigation
Communication Compliance Viewer
Compliance Manager Administration
Compliance Manager Assessment
Compliance Manager Contribution
Compliance Manager Reader
Custodian
Data Classification Content Viewer
Data Classification Feedback Provider
Data Classification Feedback Reviewer
Data Classification List Viewer
Data Investigation Management
Disposition Management
Export
Information Protection Admin
Information Protection Analyst
Information Protection Investigator
Information Protection Reader
Insider Risk Management Analysis
Insider Risk Management Audit
Insider Risk Management Investigation
Insider Risk Management Permanent contribution
Insider Risk Management Temporary contribution
Knowledge Admin
Preview
Privacy Management Admin
Privacy Management Analysis
Privacy Management Investigation
Privacy Management Permanent contribution
Privacy Management Temporary contribution
Privacy Management Viewer
Review
RMS Decrypt
Subject Rights Request Admin
Supervisory Review Administrator
Tenant AllowBlockList Manager

Role Description Default role


group
assignments

Attack Simulator Don't use this role in the portals. Use the Attack Simulator
Admin corresponding role in Azure AD. Administrators

Attack Simulator Don't use this role in the portals. Use the Attack Simulator
Payload Author corresponding role in Azure AD. Payload Authors

Audit Logs Turn on and configure auditing for the organization, Organization
view the organization's audit reports, and then export Management

these reports to a file.


Security
Administrator

Case Management Create, edit, delete, and control access to eDiscovery Communication
cases. Compliance

Communication
Compliance
Investigators

Compliance
Administrator

eDiscovery
Manager

Insider Risk
Role Description Default role
group
assignments

Management

Insider Risk
Management
Admins

Insider Risk
Management
Analysts

Insider Risk
Management
Investigators

Organization
Management

Privacy
Management

Privacy
Management
Administrators

Privacy
Management
Analysts

Privacy
Management
Investigators

Subject Rights
Request
Administrators

Communication Manage all communications with the custodians Data Investigator


identified in an eDiscovery (Premium) case. Create
hold notifications, hold reminders, and escalations to eDiscovery
management. Track custodian acknowledgment of Manager
hold notifications and manage access to the custodian
portal that is used by each custodian in a case to track
communications for the cases where they were
identified as a custodian.
Role Description Default role
group
assignments

Communication Used to manage policies in the Communication Communication


Compliance Admin Compliance feature. Compliance

Communication
Compliance
Administrators

Compliance
Administrator

Organization
Management

Communication Used to perform investigation, remediation of the Communication


Compliance message violations in the Communication Compliance Compliance

Analysis feature. Can only view message meta data.


Communication
Compliance
Analysts

Communication
Compliance
Investigators
Role Description Default role
group
assignments

Communication Used to access Communication Compliance cases. Communication


Compliance Case Compliance

Management
Communication
Compliance
Administrators

Communication
Compliance
Analysts

Communication
Compliance
Investigators

Communication
Compliance
Viewers

Compliance
Administrator

Organization
Management

Communication Used to perform investigation, remediation, and Communication


Compliance review message violations in the Communication Compliance

Investigation Compliance feature. Can view message meta data and


message. Communication
Compliance
Investigators

Communication Used to access reports and widgets in the Communication


Compliance Viewer Communication Compliance feature. Compliance

Communication
Compliance
Viewers
Role Description Default role
group
assignments

Compliance View and edit settings and reports for compliance Compliance
Administrator features. Administrator

Compliance Data
Administrator

Organization
Management

Compliance Manage template creation and modification. Compliance


Manager Manager
Administration Administrators

Compliance Create assessments, implement improvement actions, Compliance


Manager and update test status for improvement actions. Manager
Assessment Administrators

Compliance
Manager
Assessors

Compliance Create assessments and perform work to implement Compliance


Manager improvement actions. Manager
Contribution Administrators

Compliance
Manager
Assessors

Compliance
Manager
Contributors
Role Description Default role
group
assignments

Compliance View all Compliance Manager content except for Compliance


Manager Reader administrator functions. Manager
Administrators

Compliance
Manager
Assessors

Compliance
Manager
Contributors

Compliance
Manager Readers

Compliance Search Perform searches across mailboxes and get an Compliance


estimate of the results. Administrator

Compliance Data
Administrator

Data Investigator

eDiscovery
Manager

Organization
Management

Security
Operator

Custodian Identify and manage custodians for eDiscovery Data Investigator


(Premium) cases and use the information from Azure
Active Directory and other sources to find data eDiscovery
sources associated with custodians. Associate other Manager
data sources such as mailboxes, SharePoint sites, and
Teams with custodians in a case. Place a legal hold on
the data sources associated with custodians to
preserve content in the context of a case.
Role Description Default role
group
assignments

Data Classification View in-place rendering of files in Content explorer. Content Explorer
Content Viewer Content Viewer

Information
Protection

Information
Protection
Investigators

Privacy
Management

Privacy
Management
Investigators

Data Classification Allows providing feedback to classifiers in content Communication


Feedback Provider explorer. Compliance

Communication
Compliance
Investigators

Compliance
Administrator

Data Classification Allows reviewing feedback from classifiers in feedback Compliance


Feedback Reviewer explorer. Administrator
Role Description Default role
group
assignments

Data Classification View the list of files in content explorer. Content Explorer
List Viewer List Viewer

Information
Protection
Analysts

Privacy
Management

Privacy
Management
Analysts

Privacy
Management
Investigators

Privacy
Management
Viewers
Role Description Default role
group
assignments

Data Connector Create and manage connectors to import and archive Communication
Admin non-Microsoft data in Microsoft 365. Compliance

Communication
Compliance
Administrators

Compliance
Administrator

Compliance Data
Administrator

Compliance
Manager
Administrators

Compliance
Manager
Assessors

Compliance
Manager
Contributors

Insider Risk
Management

Insider Risk
Management
Admins

Organization
Management

Data Investigation Create, edit, delete, and control access to data Compliance
Management investigation. Administrator

Data Investigator
Role Description Default role
group
assignments

Device View and edit settings and reports for device Compliance
Management management features. Administrator

Compliance Data
Administrator

Organization
Management

Security
Administrator

Disposition Control permissions for accessing Manual Disposition Compliance


Management in the the Defender and compliance portals. Administrator

Compliance Data
Administrator

Records
Management

DLP Compliance View and edit settings and reports for data loss Compliance
Management prevention (DLP) policies. Administrator

Compliance Data
Administrator

Organization
Management

Security
Administrator

Export Export mailbox and site content that's returned from Data Investigator
searches.
eDiscovery
Manager

Hold Place content in mailboxes, sites, and public folders on Compliance


hold. When on hold, a copy of the content is stored in Administrator

a secure location. Content owners will still be able to


modify or delete the original content. eDiscovery
Manager

Organization
Management
Role Description Default role
group
assignments

IB Compliance View, create, remove, modify, and test Information Compliance


Management Barrier policies. Administrator

Compliance Data
Administrator

Organization
Management

Security
Administrator

Information Create, edit, and delete DLP policies, sensitivity labels Compliance
Protection Admin and their policies, and all classifier types. Manage Administrator

endpoint DLP settings and simulation mode for auto-


labeling policies. Compliance Data
Administrator

Information
Protection

Information
Protection
Admins

Information Access and manage DLP alerts and activity explorer. Compliance
Protection Analyst View-only access to DLP policies, sensitivity labels and Administrator

their policies, and all classifier types.


Compliance Data
Administrator

Information
Protection

Information
Protection
Analysts

Information
Protection
Investigators
Role Description Default role
group
assignments

Information Access and manage DLP alerts, activity explorer, and Compliance
Protection content explorer. View-only access to DLP policies, Administrator

Investigator sensitivity labels and their policies, and all classifier


types. Compliance Data
Administrator

Information
Protection

Information
Protection
Investigators

Information View-only access to reports for DLP policies and Compliance


Protection Reader sensitivity labels and their policies. Administrator

Compliance Data
Administrator

Information
Protection

Information
Protection
Readers

Insider Risk Create, edit, delete, and control access to Insider Risk Compliance
Management Management feature. Administrator

Admin
Insider Risk
Management

Insider Risk
Management
Admins

Organization
Management

Insider Risk Access all insider risk management alerts, cases, and Insider Risk
Management notices templates. Management

Analysis
Insider Risk
Management
Analysts
Role Description Default role
group
assignments

Insider Risk Allow viewing Insider Risk audit trails. Insider Risk
Management Audit Management

Insider Risk
Management
Auditors

Insider Risk Access all insider risk management alerts, cases, Insider Risk
Management notices templates, and the Content Explorer for all Management

Investigation cases.
Insider Risk
Management
Investigators

Insider Risk This role group is visible, but is used by background IRM Contributors
Management services only.
Permanent
contribution

Insider Risk This role group is visible, but is used by background IRM Contributors
Management services only.
Temporary
contribution

Knowledge Admin Configure knowledge, learning, assign trainings and Knowledge


other intelligent features. Administrators

Manage Alerts View and edit settings and reports for alerts. Compliance
Administrator

Compliance Data
Administrator

Organization
Management

Security
Administrator

Security
Operator
Organization Configuration | Run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation. | Compliance Administrator; Compliance Data Administrator; Organization Management
Preview | View a list of items that are returned from content searches, and open each item from the list to view its contents. | Data Investigator; eDiscovery Manager
Privacy Management Admin | Manage policies in Privacy Management and has access to all functionality of the solution. | Privacy Management; Privacy Management Administrators
Privacy Management Analysis | Perform investigation and remediation of the message violations in Privacy Management. Can only view message metadata. | Privacy Management; Privacy Management Analysts
Privacy Management Investigation | Perform investigation, remediation, and review of message violations in Privacy Management. Can view message metadata and the full message. | Privacy Management; Privacy Management Investigators
Privacy Management Permanent contribution | Access Privacy Management cases as a permanent contributor. | Privacy Management; Privacy Management Contributors
Privacy Management Temporary contribution | Access Privacy Management cases as a temporary contributor. | Privacy Management; Privacy Management Contributors
Privacy Management Viewer | Access dashboards and widgets in Privacy Management. | Privacy Management; Privacy Management Viewers
Quarantine | Allows viewing and releasing quarantined email. | Quarantine Administrator; Security Administrator; Organization Management
RecordManagement | View and edit the configuration of the records management feature. | Compliance Administrator; Compliance Data Administrator; Organization Management; Records Management
Retention Management | Manage retention policies, retention labels, and retention label policies. | Compliance Administrator; Compliance Data Administrator; Organization Management; Records Management
Review | This role lets users access review sets in eDiscovery (Premium) cases. Users who are assigned this role can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set. | Data Investigator; eDiscovery Manager; Reviewer
RMS Decrypt | Decrypt RMS-protected content when exporting search results. | Data Investigator; eDiscovery Manager
Role Management | Manage role group membership and create or delete custom role groups. | Organization Management
Search And Purge | Lets people bulk-remove data that matches the criteria of a content search. | Data Investigator; Organization Management
Security Administrator | View and edit the configuration and reports for Security features. | Organization Management; Security Administrator
Security Reader | View the configuration and reports for Security features. | Global Reader; Organization Management; Security Operator; Security Reader
Sensitivity Label Administrator | View, create, modify, and remove sensitivity labels. | Compliance Data Administrator; Organization Management; Security Administrator
Sensitivity Label Reader | View the configuration and usage of sensitivity labels. | Global Reader; Organization Management; Security Reader
Service Assurance View | Download the available documents from the Service Assurance section. Content includes independent auditing, compliance documentation, and trust-related guidance for using Microsoft 365 features to manage regulatory compliance and security risks. | Global Reader; Organization Management; Service Assurance User
Supervisory Review Administrator | Manage supervisory review policies, including which communications to review and who should do the review. | Supervisory Review
Tag Contributor | View and update membership of existing user tags. | Organization Management; Security Administrator; Security Operator
Tag Manager | View, update, create, and delete user tags. | Organization Management; Security Administrator
Tag Reader | Read-only access to existing user tags. | Security Reader
Tenant AllowBlockList Manager | Manage tenant allow block list settings. | Security Operator
View-Only Audit Logs | View and export audit reports. Because these reports might contain sensitive information, you should only assign this role to people with an explicit need to view this information. | Compliance Administrator; Compliance Data Administrator; Global Reader; Organization Management; Security Administrator; Security Operator
View-Only Case | | Communication Compliance; Communication Compliance Investigators; Compliance Administrator; Insider Risk Management; Insider Risk Management Admins; Insider Risk Management Analysts; Insider Risk Management Investigators; Organization Management; Privacy Management; Privacy Management Administrators; Privacy Management Analysts; Privacy Management Investigators; Subject Rights Request Administrators
View-Only Device Management | View the configuration and reports for the Device Management feature. | Compliance Administrator; Compliance Data Administrator; Global Reader; Organization Management; Security Administrator; Security Operator; Security Reader
View-Only DLP Compliance Management | View the settings and reports for data loss prevention (DLP) policies. | Compliance Administrator; Compliance Data Administrator; Global Reader; Organization Management; Security Administrator; Security Operator; Security Reader
View-Only IB Compliance Management | View the configuration and reports for the Information Barriers feature. | Compliance Administrator; Compliance Data Administrator; Global Reader; Organization Management; Security Administrator; Security Operator; Security Reader
View-Only Manage Alerts | View the configuration and reports for the Manage Alerts feature. | Compliance Administrator; Compliance Data Administrator; Global Reader; Organization Management; Security Administrator; Security Operator; Security Reader
View-Only Recipients | View information about users and groups. | Compliance Administrator; Compliance Data Administrator; Global Reader; MailFlow Administrator; Organization Management
View-Only Record Management | View the configuration of the records management feature. | Compliance Administrator; Compliance Data Administrator; Global Reader; Organization Management
View-Only Retention Management | View the configuration of retention policies, retention labels, and retention label policies. | Compliance Administrator; Compliance Data Administrator; Global Administrator; Organization Management

Data retention information for Microsoft Defender for Office 365
Article • 10/19/2022 • 2 minutes to read

By default, data across different features is retained for a maximum of 30 days. However,
for some of the features, you can specify the retention period based on policy. See the
following table for the different retention periods for each feature.

Note

Microsoft Defender for Office 365 comes in two different Plan types. You can tell if
you have Plan 1 if you have 'Real-time Detections', and Plan 2, if you have Threat
Explorer. The Plan you have influences the tools you will see, so be certain that
you're aware of your Plan as you learn.

Defender for Office 365 Plan 1

Feature | Retention period
Alert metadata details (Microsoft Defender for Office alerts) | 90 days
Entity metadata details (Emails) | 30 days
Activity alert details (audit logs) | 7 days
Email entity page | 30 days
Quarantine | 30 days (configurable up to 30 days maximum)
Reports | 90 days (for all aggregated data); 30 days (for all detailed information except as noted next); 10 days (for Threat protection status report details and spoof mail report details); 7 days (for URL protection report details)
Submissions | 30 days
Threat Explorer/Real-Time detections | 30 days

Defender for Office 365 Plan 2

Defender for Office 365 Plan 1 capabilities, plus:

Feature | Retention period
Action Center | 180 days, 30 days (Office Action center)
Advanced Hunting | 30 days
AIR (Automated Investigation and Response) | 60 days (for investigations metadata); 30 days (for email metadata)
Attack Simulation Data | 18 months
Campaigns | 30 days
Incidents | 30 days
Remediation | 30 days
Threat Analytics | 30 days
Threat Trackers | 30 days


Order and precedence of email protection
Article • 12/22/2022 • 3 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
inbound email may be flagged by multiple forms of protection. For example, both the
built-in anti-phishing policies in EOP that are available to all Microsoft 365 customers
and the more robust anti-phishing policies that are available to Microsoft Defender for
Office 365 customers can apply to the same message. Messages also pass through multiple
detection scans for malware, spam, phishing, etc. Given all this activity, there may be
some confusion as to which policy is applied.

In general, a policy that's applied to a message is identified in the X-Forefront-Antispam-Report
header in the CAT (Category) property. For more information, see Anti-spam message headers.

There are two major factors that determine which policy is applied to a message:

The order of processing for the email protection type: This order is not
configurable, and is described in the following table:

Order | Email protection | Category | Where to manage
1 | Malware | CAT:MALW | Configure anti-malware policies in EOP
2 | Phishing | CAT:PHSH | Configure anti-spam policies in EOP
3 | High confidence spam | CAT:HSPM | Configure anti-spam policies in EOP
4 | Spoofing | CAT:SPOOF | Spoof intelligence insight in EOP
5* | User impersonation (protected users) | UIMP | Configure anti-phishing policies in Microsoft Defender for Office 365
6* | Domain impersonation (protected domains) | DIMP | Configure anti-phishing policies in Microsoft Defender for Office 365
7 | Spam | CAT:SPM | Configure anti-spam policies in EOP
8 | Bulk | CAT:BULK | Configure anti-spam policies in EOP

* These features are only available in anti-phishing policies in Microsoft Defender
for Office 365.

The priority of the policy: For each type of policy (anti-spam, anti-malware, anti-
phishing, etc.), there's a default policy that applies to everyone, but you can create
custom policies that apply to specific users (recipients). Each custom policy has a
priority value that determines the order that the policies are applied in. The default
policy is always applied last.

Important

If a recipient is defined in multiple policies of the same type (anti-spam, anti-
phishing, etc.), only the policy with the highest priority is applied to the
recipient. Any remaining policies of that type are not evaluated for the
recipient (including the default policy).

For example, consider the following anti-phishing policies in Microsoft Defender for
Office 365 that apply to the same users, and a message that's identified as both user
impersonation and spoofing:

Policy name | Priority | User impersonation | Anti-spoofing
Policy A | 1 | On | Off
Policy B | 2 | Off | On

1. The message is identified as spoofing, because spoofing (4) is evaluated before
user impersonation (5).
2. Policy A is applied first because it has a higher priority than Policy B.
3. Based on the settings in Policy A, no action is taken on the message because anti-
spoofing is turned off.
4. The processing of anti-phishing policies stops for all included recipients, so Policy
B is never applied to recipients who are also in Policy A.

Because the same users might be intentionally or unintentionally included in multiple
policies of the same type, use the following design guidelines for custom policies:

Assign a higher priority to policies that apply to a small number of users, and a
lower priority to policies that apply to a large number of users. Remember, the
default policy is always applied last.
Configure your higher priority policies to have stricter or more specialized settings
than lower priority policies.
Consider using fewer custom policies (only use custom policies for users who
require stricter or more specialized settings).
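The two rules above (fixed processing order, then the highest-priority policy of that type for the recipient) as a small simulation. This is an added example, not Microsoft code or tooling: the data model, policy names, group names and recipients are constructed, and the article's Policy A / Policy B walk-through is reproduced as a function alongside the design guideline about small, stricter groups.

```python
"""Which policy acts on a message, under the order-and-precedence rules described above.
Added example, not Microsoft code; policy, group and recipient names are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Fixed processing order from the article: (protection type, CAT value, policy type).
# Spoofing and impersonation are settings of anti-phishing policies, as in the
# article's Policy A / Policy B example.
PROCESSING_ORDER = [
    ("malware", "MALW", "anti-malware"),
    ("phishing", "PHSH", "anti-spam"),
    ("high confidence spam", "HSPM", "anti-spam"),
    ("spoofing", "SPOOF", "anti-phishing"),
    ("user impersonation", "UIMP", "anti-phishing"),
    ("domain impersonation", "DIMP", "anti-phishing"),
    ("spam", "SPM", "anti-spam"),
    ("bulk", "BULK", "anti-spam"),
]

EVERYONE: FrozenSet[str] = frozenset()  # an empty recipient set marks the default policy


@dataclass(frozen=True)
class Policy:
    name: str
    policy_type: str                 # "anti-malware", "anti-spam" or "anti-phishing"
    priority: int                    # lower number = higher priority (1 beats 2)
    recipients: FrozenSet[str]       # EVERYONE for the default policy
    acts_on: FrozenSet[str]          # protection types this policy is turned on for


def select_policy(policies: List[Policy], policy_type: str,
                  recipient: str) -> Optional[Policy]:
    """Pick the one policy of `policy_type` that is applied to `recipient`.

    The highest-priority custom policy containing the recipient wins outright;
    lower-priority custom policies and the default are not evaluated for them.
    The default policy is used only when no custom policy includes the recipient.
    """
    same_type = [p for p in policies if p.policy_type == policy_type]
    custom = sorted((p for p in same_type if recipient in p.recipients),
                    key=lambda p: p.priority)
    if custom:
        return custom[0]
    default = [p for p in same_type if p.recipients == EVERYONE]
    return default[0] if default else None


def evaluate_message(policies: List[Policy], recipient: str,
                     detections: Set[str]) -> Dict[str, object]:
    """Classify the message, pick the policy for that class, and say whether it acts.

    The category is the first detected protection type in PROCESSING_ORDER, so a
    message flagged as both spoofing (4) and user impersonation (5) is SPOOF.
    """
    for protection, cat, policy_type in PROCESSING_ORDER:
        if protection not in detections:
            continue
        policy = select_policy(policies, policy_type, recipient)
        acts = policy is not None and protection in policy.acts_on
        return {"category": cat,
                "policy": policy.name if policy else None,
                "action_taken": acts}
    return {"category": "NONE", "policy": None, "action_taken": False}


def article_example() -> Dict[str, object]:
    """The article's walk-through: Policy A (priority 1, user impersonation on,
    anti-spoofing off) and Policy B (priority 2, the reverse) include the same users;
    the message is flagged as both user impersonation and spoofing."""
    users = frozenset({"alice@contoso.example"})  # constructed recipient
    policies = [
        Policy("Policy A", "anti-phishing", 1, users, frozenset({"user impersonation"})),
        Policy("Policy B", "anti-phishing", 2, users, frozenset({"spoofing"})),
        Policy("Default anti-phishing", "anti-phishing", 10**9, EVERYONE,
               frozenset({"spoofing", "user impersonation", "domain impersonation"})),
    ]
    # Expected: category SPOOF, Policy A applied, no action taken; Policy B and the
    # default policy are never consulted for these recipients.
    return evaluate_message(policies, "alice@contoso.example",
                            {"user impersonation", "spoofing"})


def guideline_example() -> Dict[str, object]:
    """The design guideline applied: the small, stricter 'Executives' policy gets the
    higher priority, so it wins over the broad 'All staff' policy for the CEO."""
    execs = frozenset({"ceo@contoso.example"})
    staff = frozenset({"ceo@contoso.example", "bob@contoso.example"})
    policies = [
        Policy("Executives", "anti-phishing", 1, execs, frozenset({"spoofing"})),
        Policy("All staff", "anti-phishing", 2, staff, frozenset()),
    ]
    return evaluate_message(policies, "ceo@contoso.example", {"spoofing"})
```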
Troubleshooting mail sent to Microsoft 365
Article • 12/10/2022 • 7 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2

This article provides troubleshooting information for senders who are experiencing
issues when trying to send email to inboxes in Microsoft 365 and best practices for bulk
mailing to customers.

Are you managing your IP and domain's sending reputation?

EOP filtering technologies are designed to provide anti-spam protection for Microsoft
365 and other Microsoft products like Exchange Server. We also use SPF, DKIM, and
DMARC; email authentication technologies that help address the problem of spoofing
and phishing by verifying that the domain sending the email is authorized to do so. EOP
filtering is influenced by many factors related to the sending IP, domain, authentication,
list accuracy, complaint rates, content and more. Of these, one of the principal factors in
driving down a sender's reputation and their ability to deliver email is their junk email
complaint rate.

Are you sending email from new IP addresses?

IP addresses not previously used to send email typically don't have any reputation built
up in our systems. As a result, emails from new IPs are more likely to experience delivery
issues. Once the IP has built a reputation for not sending spam, EOP will typically allow
for a better email delivery experience.

New IPs that are added for domains that are authenticated under existing SPF records
typically experience the added benefit of inheriting some of the domain's sending
reputation. If your domain has a good sending reputation, new IPs may experience a
faster ramp-up time. A new IP can expect to be fully ramped within a couple of weeks or
sooner depending on volume, list accuracy, and junk email complaint rates.

Confirm that your DNS is set up correctly

For instructions about how to create and maintain DNS records, including the MX record
required for mail routing, you will need to contact your DNS hosting provider.

Ensure that you do not advertise yourself as a non-routable IP

We may not accept email from senders who fail a reverse-DNS lookup. In some cases,
legitimate senders advertise themselves incorrectly as a non-internet routable IP when
attempting to open a connection to EOP. IP addresses that are reserved for private
(non-routable) networking include:

192.168.0.0/16 (or 192.168.0.0 - 192.168.255.255)
10.0.0.0/8 (or 10.0.0.0 - 10.255.255.255)
172.16.0.0/11 (or 172.16.0.0 - 172.31.255.255)

You received a non-delivery report (NDR) when sending email to a user in Office 365

Some delivery issues are the result of the sender's IP address being blocked by
Microsoft or because the user account is identified as banned sender due to previous
spam activity. If you believe that you have received the NDR in error, first follow any
instructions in the NDR message to resolve the issue.

For more information about the error you received, see the list of error codes in Email
non-delivery reports in Exchange Online.

For example, if you receive the following NDR, it indicates that the sending IP address
was blocked by Microsoft:

550 5.7.606-649 Access denied, banned sending IP [x.x.x.x]; To request removal from this list please visit https://sender.office.com/ and follow the directions.

To request removal from this list, you can use the delist portal to remove yourself from
the blocked senders list.

My email landed in the recipient's Junk Email folder

If a message was incorrectly identified as spam by EOP, you can work with the recipient
to submit this false positive message to the Microsoft Spam Analysis Team, who will
evaluate and analyze the message. For more information, see Report messages and files
to Microsoft.

Traffic from my IP address is throttled by EOP

If you receive an NDR from EOP that indicates that your IP address is being throttled by
EOP, for example:

host xxxx.outlook.com [x.x.x.x]: 451 4.7.550 Access denied, please try again later

You received the NDR because suspicious activity has been detected from the IP address
and it has been temporarily restricted while it is being further evaluated. If the suspicion
is cleared through evaluation, this restriction will be lifted shortly.

I can't receive email from senders in Microsoft 365

In order to receive messages from our users, make sure your network allows
connections from the IP addresses that EOP uses in our datacenters. For more
information, see Exchange Online Protection IP addresses.

Best practices for bulk emailing to Microsoft 365 users

If you often conduct bulk email campaigns to Microsoft 365 users and want to ensure
that your emails arrive in a safe and timely manner, follow the tips in this section.

Ensure that the From name reflects who is sending the message

The Subject should be a brief summary of what the message is about, and the message
body should clearly and succinctly indicate what the offering, service, or product is
about. For example:

Correct:

From: marketing@shoppershandbag.com

Subject: Updated catalog for the Christmas season!

Incorrect:

From: someone@outlook.com

Subject: Catalogs

The easier you make it for people to know who you are and what you are doing, the less
difficulty you will have delivering through most spam filters.

Always include an unsubscribe option in campaign emails

Marketing emails, especially newsletters, should always include a way of unsubscribing
from future emails. For example:

This email was sent to example@contoso.com by sender@fabrikam.com.

Update Profile/Email Address | Instant removal with SafeUnsubscribe™ | Privacy Policy

Some senders include this option by requiring recipients to send an email to a certain
alias with "Unsubscribe" in the subject. This is not preferable to the one-click example
above. If you do choose to require recipients to send a mail, ensure that when they click
the link, all the required fields are pre-populated.

Use the double opt-in option for marketing email or newsletter registration

This industry best practice is recommended if your company requires or encourages
users to register their contact information in order to access your product or services.
Some companies make it a practice to automatically sign up their users for marketing
emails or e-newsletters during the registration process, but this is considered a
questionable marketing practice in the world of email filtering.
During the registration process, if the "Yes, please send me your newsletter" or "Yes,
please send me special offers" checkbox is selected by default, users who do not pay
close attention may unintentionally sign up for marketing email or newsletters that they
do not want to receive.

Microsoft recommends the double opt-in option instead, which means that the
checkbox for marketing emails or newsletters is unchecked by default. Additionally,
once the registration form has been submitted, a verification email is sent to the user
with a URL that allows them to confirm their decision to receive marketing emails.

This helps ensure that only those users who want to receive marketing email are signed
up for the emails, subsequently clearing the sending company of any questionable email
marketing practices.

Ensure that email message content is transparent and traceable

Just as important as the way the emails are sent is the content they contain. When
creating email content, use the following best practices to ensure that your emails will
not be flagged by email filtering services:

When the email message requests that recipients add the sender to the address
book, it should clearly state that such action is not a guarantee of delivery.

Redirects included in the body of the message should be similar and consistent,
and not multiple and varied. A redirect in this context is anything that points away
from the message, such as links and documents. If you have a lot of advertising or
Unsubscribe links or Update the Profile links, they should all point to the same
domain. For example:

Correct (all domains are the same):

unsubscribe.bulkmailer.com

profile.bulkmailer.com

options.bulkmailer.com

Incorrect (all domains are different):

unsubscribe.bulkmailer.com

profile.excite.com

options.yahoo.com

Avoid content with large images and attachments, or messages that are solely
composed of an image.

Your public privacy or P3P settings should clearly state the presence of tracking
pixels (web bugs or beacons).

Remove incorrect email aliases from your databases

Any email alias in your database that creates a bounce-back is unnecessary and puts
your outbound emails at risk for further scrutiny by email filtering services. Ensure that
your email database is up-to-date.
Anti-spam message headers in Microsoft 365
Article • 12/10/2022 • 11 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

In all Microsoft 365 organizations, Exchange Online Protection (EOP) scans all incoming
messages for spam, malware, and other threats. The results of these scans are added to
the following header fields in messages:

X-Forefront-Antispam-Report: Contains information about the message and about how it was processed.

X-Microsoft-Antispam: Contains additional information about bulk mail and phishing.

Authentication-results: Contains information about SPF, DKIM, and DMARC (email authentication) results.

This article describes what's available in these header fields.

For information about how to view an email message header in various email clients, see
View internet message headers in Outlook.

Tip

You can copy and paste the contents of a message header into the Message
Header Analyzer tool. This tool helps parse headers and put them into a more
readable format.

X-Forefront-Antispam-Report message header fields

After you have the message header information, find the X-Forefront-Antispam-Report
header. There will be multiple field and value pairs in this header separated by
semicolons (;). For example:

...CTRY:;LANG:hr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;PTR:;CAT:NONE;SFTY:;...

The individual fields and values are described in the following table.

Note

The X-Forefront-Antispam-Report header contains many different fields and
values. Fields that aren't described in the table are used exclusively by the Microsoft
anti-spam team for diagnostic purposes.

Field | Description
ARC | The ARC protocol has the following fields:
  AAR: Records the content of the Authentication-results header from DMARC.
  AMS: Includes cryptographic signatures of the message.
  AS: Includes cryptographic signatures of the message headers. This field contains a tag of a chain validation called "cv=", which includes the outcome of the chain validation as none, pass, or fail.
CAT: | The category of protection policy applied to the message:
  BULK: Bulk
  DIMP: Domain Impersonation
  GIMP: Mailbox intelligence based impersonation
  HPHSH or HPHISH: High confidence phishing
  HSPM: High confidence spam
  MALW: Malware
  PHSH: Phishing
  SPM: Spam
  SPOOF: Spoofing
  UIMP: User Impersonation
  AMP: Anti-malware
  SAP: Safe attachments
  FTBP: Anti-malware filetype policy
  OSPM: Outbound spam
  An inbound message may be flagged by multiple forms of protection and multiple detection scans. Policies have different priorities, and the policy with the highest priority is applied first. For more information, see What policy applies when multiple protection methods and detection scans run on your email.
CIP:[IP address] | The connecting IP address. You can use this IP address in the IP Allow List or the IP Block List. For more information, see Configure connection filtering.
CTRY | The source country as determined by the connecting IP address, which may not be the same as the originating sending IP address.
H:[helostring] | The HELO or EHLO string of the connecting email server.
IPV:CAL | The message skipped spam filtering because the source IP address was in the IP Allow List. For more information, see Configure connection filtering.
IPV:NLI | The IP address was not found on any IP reputation list.
LANG | The language in which the message was written, as specified by the country code (for example, ru_RU for Russian).
PTR:[ReverseDNS] | The PTR record (also known as the reverse DNS lookup) of the source IP address.
SCL | The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam. For more information, see Spam confidence level (SCL).
SFTY | The message was identified as phishing and will also be marked with one of the following values:
  9.19: Domain impersonation. The sending domain is attempting to impersonate a protected domain. The safety tip for domain impersonation is added to the message (if it's enabled).
  9.20: User impersonation. The sending user is attempting to impersonate a user in the recipient's organization, or a protected user that's specified in an anti-phishing policy in Microsoft Defender for Office 365. The safety tip for user impersonation is added to the message (if it's enabled).
  9.25: First contact safety tip. This value might be an indication of a suspicious or phishing message. For more information, see First contact safety tip.
SFV:BLK | Filtering was skipped and the message was blocked because it was sent from an address in a user's Blocked Senders list. For more information about how admins can manage a user's Blocked Senders list, see Configure junk email settings on Exchange Online mailboxes.
SFV:NSPM | Spam filtering marked the message as non-spam and the message was sent to the intended recipients.
SFV:SFE | Filtering was skipped and the message was allowed because it was sent from an address in a user's Safe Senders list. For more information about how admins can manage a user's Safe Senders list, see Configure junk email settings on Exchange Online mailboxes.
SFV:SKA | The message skipped spam filtering and was delivered to the Inbox because the sender was in the allowed senders list or allowed domains list in an anti-spam policy. For more information, see Configure anti-spam policies.
SFV:SKB | The message was marked as spam because it matched a sender in the blocked senders list or blocked domains list in an anti-spam policy. For more information, see Configure anti-spam policies.
SFV:SKI | Similar to SFV:SKN, the message skipped spam filtering for another reason (for example, an intra-organizational email within a tenant).
SFV:SKN | The message was marked as non-spam prior to being processed by spam filtering. For example, the message was marked as SCL -1 or Bypass spam filtering by a mail flow rule.
SFV:SKQ | The message was released from the quarantine and was sent to the intended recipients.
SFV:SKS | The message was marked as spam prior to being processed by spam filtering. For example, the message was marked as SCL 5 to 9 by a mail flow rule.
SFV:SPM | The message was marked as spam by spam filtering.
SRV:BULK | The message was identified as bulk email by spam filtering and the bulk complaint level (BCL) threshold. When the MarkAsSpamBulkMail parameter is On (it's on by default), a bulk email message is marked as spam (SCL 6). For more information, see Configure anti-spam policies.
X-CustomSpam:[ASFOption] | The message matched an Advanced Spam Filter (ASF) setting. To see the X-header value for each ASF setting, see Advanced Spam Filter (ASF) settings.

X-Microsoft-Antispam message header fields

The following table describes useful fields in the X-Microsoft-Antispam message
header. Other fields in this header are used exclusively by the Microsoft anti-spam team
for diagnostic purposes.

Field | Description
BCL | The bulk complaint level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (and is therefore more likely to be spam). For more information, see Bulk complaint level (BCL).

Authentication-results message header

The results of email authentication checks for SPF, DKIM, and DMARC are recorded
(stamped) in the Authentication-results message header in inbound messages.

The following list describes the text that's added to the Authentication-Results header
for each type of email authentication check:

SPF uses the following syntax:

spf=<pass (IP address)|fail (IP address)|softfail (reason)|neutral|none|temperror|permerror> smtp.mailfrom=<domain>

For example:

spf=pass (sender IP is 192.168.0.1) smtp.mailfrom=contoso.com
spf=fail (sender IP is 127.0.0.1) smtp.mailfrom=contoso.com

DKIM uses the following syntax:

dkim=<pass|fail (reason)|none> header.d=<domain>

For example:

dkim=pass (signature was verified) header.d=contoso.com
dkim=fail (body hash did not verify) header.d=contoso.com

DMARC uses the following syntax:

dmarc=<pass|fail|bestguesspass|none> action=<permerror|temperror|oreject|pct.quarantine|pct.reject> header.from=<domain>

For example:

dmarc=pass action=none header.from=contoso.com
dmarc=bestguesspass action=none header.from=contoso.com
dmarc=fail action=none header.from=contoso.com
dmarc=fail action=oreject header.from=contoso.com
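Added example, not Microsoft code: a parser for the three headers this article describes (the field:value pairs of X-Forefront-Antispam-Report and X-Microsoft-Antispam, and the spf/dkim/dmarc/compauth clauses of Authentication-Results), which folds the CAT, SCL, SFV and BCL fields from the tables above and the DMARC action into one triage summary. The sample headers embedded at the bottom are constructed for the example, not captured from a real message.

```python
"""Parser for the EOP anti-spam and authentication headers described above.
Added example, not Microsoft code; the sample headers at the bottom are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# SFV values the article describes as "filtering was skipped" (plus IPV:CAL below).
SFV_SKIPPED = {"BLK", "SFE", "SKA", "SKI", "SKN"}

_METHOD_RE = re.compile(r"^(?P<method>[A-Za-z][\w-]*)=(?P<result>[\w.]+)")
_REASON_RE = re.compile(r"^\s*\(([^)]*)\)")


def parse_field_report(value: str) -> Dict[str, str]:
    """Split 'CTRY:;LANG:hr;SCL:1;...' into {field: value}; empty values stay ''.
    Only the first ':' separates field and value, so IPv6 CIP and H: values survive."""
    fields: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition(":")
        fields[name.strip()] = val.strip()
    return fields


@dataclass
class AuthResult:
    method: str                      # spf, dkim, dmarc, compauth
    result: str                      # pass, fail, none, bestguesspass, ...
    reason: Optional[str] = None     # text inside the parentheses, if any
    props: Dict[str, str] = field(default_factory=dict)  # e.g. {"action": "oreject"}


def parse_authentication_results(value: str) -> Dict[str, AuthResult]:
    """Parse 'spf=pass (sender IP is ...) smtp.mailfrom=x; dkim=...; dmarc=... action=...'."""
    results: Dict[str, AuthResult] = {}
    for clause in value.split(";"):
        m = _METHOD_RE.match(clause.strip())
        if not m:
            continue                 # empty clause or an authserv-id, not a check result
        rest = clause.strip()[m.end():]
        reason = None
        rm = _REASON_RE.match(rest)
        if rm:
            reason = rm.group(1).strip()
            rest = rest[rm.end():]
        props: Dict[str, str] = {}
        for token in rest.split():
            key, sep, val = token.partition("=")
            if sep:
                props[key] = val
        results[m["method"]] = AuthResult(m["method"], m["result"], reason, props)
    return results


def _to_int(text: Optional[str]) -> Optional[int]:
    """SCL may be -1 (filtering bypassed) and BCL is 0-9; anything else is unknown."""
    return int(text) if text is not None and text.lstrip("-").isdigit() else None


def summarize(headers: Dict[str, str]) -> Dict[str, object]:
    """Pull out the fields an analyst reads first when triaging a delivered message."""
    report = parse_field_report(headers.get("X-Forefront-Antispam-Report", ""))
    ms = parse_field_report(headers.get("X-Microsoft-Antispam", ""))
    auth = parse_authentication_results(headers.get("Authentication-Results", ""))

    def result_of(method: str) -> Optional[str]:
        return auth[method].result if method in auth else None

    return {
        "category": report.get("CAT") or "NONE",
        "scl": _to_int(report.get("SCL")),
        "bcl": _to_int(ms.get("BCL")),
        "connecting_ip": report.get("CIP"),
        "filtering_skipped": report.get("SFV") in SFV_SKIPPED or report.get("IPV") == "CAL",
        "spf": result_of("spf"),
        "dkim": result_of("dkim"),
        "dmarc": result_of("dmarc"),
        "dmarc_action": auth["dmarc"].props.get("action") if "dmarc" in auth else None,
        "compauth": result_of("compauth"),
    }


# Constructed sample: a spoofed message that failed SPF and DMARC (sender policy
# p=reject) and was marked as spam under the override-reject (oreject) handling.
SAMPLE_HEADERS = {
    "X-Forefront-Antispam-Report": (
        "CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;"
        "H:mail.example.invalid;PTR:mail.example.invalid;CAT:SPOOF;SFTY:;"
    ),
    "X-Microsoft-Antispam": "BCL:0;",
    "Authentication-Results": (
        "spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com; "
        "dkim=none (message not signed) header.d=none;"
        "dmarc=fail action=oreject header.from=contoso.com;"
        "compauth=fail reason=000"
    ),
}
```

Run `summarize(SAMPLE_HEADERS)` to see the triage view; feed it the header dictionary of any message exported from Outlook to apply the same parsing to real mail.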

Authentication-results message header fields


The following table describes the fields and possible values for each email
authentication check.

Field Description
Field Description

action Indicates the action taken by the spam filter based on the results of the DMARC
check. For example:
oreject or o.reject: Stands for override reject. In this case Microsoft 365
uses this action when it receives a message that fails the DMARC check
from a domain whose DMARC TXT record has a policy of p=reject. Instead
of deleting or rejecting the message, Microsoft 365 marks the message as
spam. For more information on why Microsoft 365 is configured this way,
see How Microsoft 365 handles inbound email that fails DMARC.
pct.quarantine: Indicates that a percentage less than 100% of messages
that do not pass DMARC will be delivered anyway. This means that the
message failed DMARC and the policy was set to quarantine, but the pct
field was not set to 100% and the system randomly determined not to
apply the DMARC action, as per the specified domain's policy.
pct.reject: Indicates that a percentage less than 100% of messages that do
not pass DMARC will be delivered anyway. This means that the message
failed DMARC and the policy was set to reject, but the pct field was not set
to 100% and the system randomly determined not to apply the DMARC
action, as per the specified domain's policy.
permerror: A permanent error occurred during DMARC evaluation, such as
encountering an incorrectly formed DMARC TXT record in DNS.
Attempting to resend this message isn't likely to end with a different
result. Instead, you may need to contact the domain's owner in order to
resolve the issue.
temperror: A temporary error occurred during DMARC evaluation. You
may be able to request that the sender resend the message later in order
to process the email properly.

compauth Composite authentication result. Used by Microsoft 365 to combine multiple
types of authentication such as SPF, DKIM, DMARC, or any other part of the
message to determine whether or not the message is authenticated. Uses the
From: domain as the basis of evaluation.

dkim Describes the results of the DKIM check for the message. Possible values include:
pass: Indicates the DKIM check for the message passed.
fail (reason): Indicates the DKIM check for the message failed and why. For
example, if the message was not signed or the signature was not verified.
none: Indicates that the message was not signed. This may or may not
indicate that the domain has a DKIM record or the DKIM record does not
evaluate to a result, only that this message was not signed.

dmarc Describes the results of the DMARC check for the message. Possible values
include:
pass: Indicates the DMARC check for the message passed.
fail: Indicates the DMARC check for the message failed.
bestguesspass: Indicates that no DMARC TXT record for the domain exists,
but if one had existed, the DMARC check for the message would have
passed.
none: Indicates that no DMARC TXT record exists for the sending domain
in DNS.

header.d Domain identified in the DKIM signature if any. This is the domain that's queried
for the public key.

header.from The domain of the 5322.From address in the email message header (also known
as the From address or P2 sender). Recipients see the From address in their email
clients.

reason The reason the composite authentication passed or failed. The value is a 3-digit
code. For example:
000: The message failed explicit authentication ( compauth=fail ). For
example, the message received a DMARC fail with an action of quarantine
or reject.
001: The message failed implicit authentication ( compauth=fail ). This
means that the sending domain did not have email authentication records
published, or if they did, they had a weaker failure policy (SPF soft fail or
neutral, DMARC policy of p=none ).
002: The organization has a policy for the sender/domain pair that is
explicitly prohibited from sending spoofed email. This setting is manually
set by an admin.
010: The message failed DMARC with an action of reject or quarantine, and
the sending domain is one of your organization's accepted-domains (this
is part of self-to-self, or intra-org, spoofing).
1xx or 7xx: The message passed authentication ( compauth=pass ). The last
two digits are internal codes used by Microsoft 365.
2xx: The message soft-passed implicit authentication ( compauth=softpass ).
The last two digits are internal codes used by Microsoft 365.
3xx: The message was not checked for composite authentication
( compauth=none ).
4xx or 9xx: The message bypassed composite authentication
( compauth=none ). The last two digits are internal codes used by Microsoft
365.
6xx: The message failed implicit email authentication, and the sending
domain is one of your organization's accepted domains (this is part of self-
to-self or intra-org spoofing).

smtp.mailfrom The domain of the 5321.MailFrom address (also known as the MAIL FROM
address, P1 sender, or envelope sender). This is the email address that's used for
non-delivery reports (also known as NDRs or bounce messages).

spf Describes the results of the SPF check for the message. Possible values include:
pass (IP address) : The SPF check for the message passed and includes
the sender's IP address. The client is authorized to send or relay email on
behalf of the sender's domain.
fail (IP address) : The SPF check for the message failed and includes the
sender's IP address. This is sometimes called hard fail.
softfail (reason) : The SPF record designated the host as not being
allowed to send, but is in transition.
neutral : The SPF record explicitly states that it does not assert whether
the IP address is authorized to send.
none : The domain doesn't have an SPF record or the SPF record doesn't
evaluate to a result.
temperror : A temporary error has occurred. For example, a DNS error. The
same check later might succeed.
permerror : A permanent error has occurred. For example, the domain has
a badly formatted SPF record.
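As an added example that is not part of the Microsoft documentation, the following Python parses an Authentication-Results header into the fields described above and applies the action and reason-code meanings from the table to produce analyst findings. The sample headers are constructed from the documented syntax, and the last two digits of each reason code are arbitrary, since only the leading digit is documented.

```python
"""Parse and triage Microsoft 365 Authentication-Results headers.

Added example, not Microsoft's code. The sample headers are constructed from
the syntax documented above; the last two digits of each reason code are
arbitrary, since only the leading digit's meaning is documented.
"""
import re

# Constructed samples, folded across lines as they appear in a raw message.
SAMPLE_PASS = (
    "Authentication-Results: spf=pass (sender IP is 192.168.0.1)\n"
    " smtp.mailfrom=contoso.com; dkim=pass (signature was verified)\n"
    " header.d=contoso.com; dmarc=pass action=none header.from=contoso.com;\n"
    " compauth=pass reason=100"
)
SAMPLE_OREJECT = (
    "Authentication-Results: spf=fail (sender IP is 127.0.0.1)\n"
    " smtp.mailfrom=contoso.com; dkim=none (message not signed)\n"
    " header.d=none; dmarc=fail action=oreject header.from=contoso.com;\n"
    " compauth=fail reason=000"
)
SAMPLE_INTRAORG = (
    "Authentication-Results: spf=softfail (sender IP is 192.168.0.1)\n"
    " smtp.mailfrom=contoso.com; dkim=none (message not signed)\n"
    " header.d=none; dmarc=none action=none header.from=contoso.com;\n"
    " compauth=fail reason=601"
)

# method=result, an optional "(comment)", then property=value pairs.
CLAUSE = re.compile(r"^\s*(?P<method>[\w.]+)=(?P<result>[\w.]+)\s*"
                    r"(?:\((?P<comment>[^)]*)\))?\s*(?P<rest>.*)$", re.S)
PROPERTY = re.compile(r"([\w.]+)=(\S+)")


def parse_authentication_results(header):
    """Return {method: {"result": ..., "comment": ..., <property>: value}}."""
    body = re.sub(r"\r?\n[ \t]+", " ", header)  # unfold continuation lines
    body = re.sub(r"^\s*Authentication-Results:\s*", "", body, flags=re.I)
    parsed = {}
    for clause in body.split(";"):
        m = CLAUSE.match(clause)
        if not m:  # empty trailing clause, or an authserv-id without "="
            continue
        entry = {"result": m.group("result").lower(), "comment": m.group("comment")}
        entry.update((k.lower(), v) for k, v in PROPERTY.findall(m.group("rest")))
        parsed[m.group("method").lower()] = entry
    return parsed


def classify_reason(code):
    """Map a compauth reason code to (expected compauth result, meaning)."""
    exact = {
        "000": ("fail", "explicit authentication failed (DMARC fail, quarantine/reject)"),
        "001": ("fail", "implicit authentication failed (no records or weak policy)"),
        "002": ("fail", "admin policy prohibits this sender/domain pair from spoofing"),
        "010": ("fail", "DMARC fail from one of your accepted domains (intra-org spoofing)"),
    }
    if code in exact:
        return exact[code]
    by_first_digit = {"1": "pass", "7": "pass", "2": "softpass", "3": "none",
                      "4": "none", "9": "none", "6": "fail"}
    meaning = {"pass": "passed authentication",
               "softpass": "soft-passed implicit authentication",
               "none": "not checked for, or bypassed, composite authentication",
               "fail": "implicit auth failed from an accepted domain (intra-org spoofing)"}
    result = by_first_digit.get(code[:1], "unknown")
    return result, meaning.get(result, "undocumented reason code")


def triage(parsed):
    """Findings worth surfacing to an analyst, as short tags."""
    findings = []
    dmarc, compauth = parsed.get("dmarc", {}), parsed.get("compauth", {})
    action = dmarc.get("action", "")
    if action in ("oreject", "o.reject"):
        findings.append("dmarc_override_reject")  # p=reject downgraded to a spam verdict
    elif action.startswith("pct."):
        findings.append("dmarc_pct_sampled_out")  # failed DMARC but fell outside pct
    reason = compauth.get("reason")
    if reason:
        expected, _ = classify_reason(reason)
        if compauth.get("result") != expected:
            findings.append("compauth_reason_mismatch")
        if reason == "010" or reason.startswith("6"):
            findings.append("intra_org_spoof")
    if compauth.get("result") == "fail":
        findings.append("compauth_fail")
    return findings
```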
Reference: Policies, practices, and guidelines
Article • 12/10/2022 • 3 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection


Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Microsoft is dedicated to helping provide the most trusted user experience on the web.
Therefore, Microsoft has developed various policies, procedures, and adopted several
industry best practices to help protect our users from abusive, unwanted, or malicious
email. Senders attempting to send email to users should ensure they fully understand
and are following the guidance in this article to help in this effort and to help avoid
potential delivery issues.

If you are not in compliance with these policies and guidelines, it may not be possible
for our support team to assist you. If you are adhering to the guidelines, practices, and
policies presented in this article and are still experiencing delivery issues based on your
sending IP address, please follow the steps to submit a delisting request. For
instructions, see Use the delist portal to remove yourself from the blocked senders list.

General Microsoft policies


Email sent to Microsoft 365 users must comply with all Microsoft policies governing
email transmission and use of Microsoft 365.

Terms of Service applicable to Microsoft 365; in particular, the prohibition against
using the service to spam or distribute malware.

Microsoft Services Agreement


Governmental regulations
Email sent to Microsoft 365 users must adhere to all applicable laws and regulations
governing email communications in the applicable jurisdiction.

CAN-SPAM Act: A Compliance Guide for Business

"Remove Me" Responses and Responsibilities: Email Marketers Must Honor "Unsubscribe" Claims

Technical guidelines
Email sent to Microsoft 365 should comply with the applicable recommendations listed
in the documents below (some links are only available in English).

RFC 2505: Anti-Spam Recommendations for SMTP MTAs

RFC 2920: SMTP Service Extension for Command Pipelining

In addition, email servers connecting to Microsoft 365 must adhere to the following
requirements:

Sender is expected to comply with all technical standards for the transmission of
Internet email, as published by The Internet Society's Internet Engineering Task
Force (IETF), including RFC 5321, RFC 5322, and others.

After given a numeric SMTP error response code between 500 and 599 (also
known as a permanent non-delivery response or NDR), the sender must not
attempt to retransmit that message to that recipient.

After multiple non-delivery responses, the sender must cease further attempts to
send email to that recipient.

Messages must not be transmitted through insecure email relay or proxy servers.

The mechanism for unsubscribing, either from individual lists or all lists hosted by
the sender, must be clearly documented and easy for recipients to find and use.

Connections from dynamic IP space may not be accepted.

Email servers must have valid reverse DNS records.

Reputation management
Senders, ISPs, and other service providers should actively manage the reputation of
their outbound IP addresses.

Microsoft 365 limits


Senders must adhere to Microsoft 365 limits listed in Exchange Online Protection Limits.

Email delivery resources and organizations


Microsoft actively works with industry bodies and service providers in order to improve
the internet and email ecosystem. These organizations have published best practice
documents that we support and recommend senders adhere to. This improves your
ability to deliver email among several email service providers around the world.

Messaging Malware Mobile Anti-Abuse Working Group

Online Trust Alliance

Email Sender & Provider Coalition

Abuse and spam reporting


To report unlawful, abusive, unwanted or malicious email, see Report messages and files
to Microsoft. Sending these types of communications is a violation of Microsoft policy,
and appropriate action will be taken on confirmed reports.

Law enforcement
If you are a member of law enforcement and wish to serve Microsoft Corporation with
legal documentation regarding Office 365, or if you have questions regarding legal
documentation you have submitted to Microsoft, please call (1) (425) 722-1299.
Sending mail to Microsoft 365
Article • 12/22/2022 • 2 minutes to read

These articles help external senders improve their reputation and increase their ability to
deliver email to users at Microsoft 365. They also provide some information about how
you can report junk email and phishing attempts even if you aren't a Microsoft 365 user
yourself.

If you're not a customer, but are trying to send mail to someone who is, you're in the
right place. If you're an admin and you need help with fighting spam, this isn't the right
section for you. Instead, go to anti-spam and anti-malware.

For information about... | See...

Services provided to email system admins that are sending individual and bulk email to customers. | Services for non-customers sending mail to Office 365

How to fix problems reaching customers at Microsoft 365 through email. Best practices for sending bulk mail to Microsoft 365 recipients. | Troubleshooting mail sent to Office 365

How Microsoft 365 prevents junk email, including phishing and spoofing email, from being sent to our customers. | Anti-spam protection in Microsoft 365

How you, an admin sending email to Microsoft 365 customers, can avoid having email blocked by adhering to our anti-spam policies. This is the legal stuff you need to know. | Reference: Policies, practices, and guidelines
How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing
Article • 12/10/2022 • 12 minutes to read

 Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection


Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Summary: This article describes how Microsoft 365 uses the Sender Policy Framework
(SPF) TXT record in DNS to ensure that destination email systems trust messages sent
from your custom domain. This applies to outbound mail sent from Microsoft 365.
Messages sent from Microsoft 365 to a recipient within Microsoft 365 will always pass
SPF.

An SPF TXT record is a DNS record that helps prevent spoofing and phishing by
verifying the domain name from which email messages are sent. SPF validates the origin
of email messages by verifying the IP address of the sender against the alleged owner of
the sending domain.

Note

SPF record types were deprecated by the Internet Engineering Task Force (IETF) in
2014. Instead, ensure that you use TXT records in DNS to publish your SPF
information. The rest of this article uses the term SPF TXT record for clarity.

Domain administrators publish SPF information in TXT records in DNS. The SPF
information identifies authorized outbound email servers. Destination email systems
verify that messages originate from authorized outbound email servers. If you're already
familiar with SPF, or you have a simple deployment, and just need to know what to
include in your SPF TXT record in DNS for Microsoft 365, you can go to Set up SPF in
Microsoft 365 to help prevent spoofing. If you don't have a deployment that is fully
hosted in Microsoft 365, or you want more information about how SPF works or how to
troubleshoot SPF for Microsoft 365, keep reading.

Note

Previously, you had to add a different SPF TXT record to your custom domain if you
also used SharePoint Online. This is no longer required. This change should reduce
the risk of SharePoint Online notification messages ending up in the Junk Email
folder. You do not need to make any changes immediately, but if you receive the
"too many lookups" error, modify your SPF TXT record as described in Set up SPF
in Microsoft 365 to help prevent spoofing.

How SPF works to prevent spoofing and phishing in Microsoft 365
SPF determines whether or not a sender is permitted to send on behalf of a domain. If
the sender isn't permitted to do so, that is, if the email fails the SPF check on the
receiving server, the spam policy configured on that server determines what to do with
the message.

Each SPF TXT record contains three parts: the declaration that it's an SPF TXT record, the
IP addresses that are allowed to send mail from your domain and the external domains
that can send on your domain's behalf, and an enforcement rule. You need all three in a
valid SPF TXT record. This article describes how you form your SPF TXT record and
provides best practices for working with the services in Microsoft 365. Links to
instructions on working with your domain registrar to publish your record to DNS are
also provided.

SPF basics: IP addresses allowed to send from your custom domain
Take a look at the basic syntax for an SPF rule:

v=spf1 <IP> <enforcement rule>

For example, let's say the following SPF rule exists for contoso.com:

v=spf1 <IP address #1> <IP address #2> <IP address #3> <enforcement rule>

In this example, the SPF rule instructs the receiving email server to only accept mail from
these IP addresses for the domain contoso.com:
IP address #1

IP address #2

IP address #3

This SPF rule tells the receiving email server that if a message comes from contoso.com,
but not from one of these three IP addresses, the receiving server should apply the
enforcement rule to the message. The enforcement rule is usually one of these options:

Hard fail. Mark the message with 'hard fail' in the message envelope and then
follow the receiving server's configured spam policy for this type of message.

Soft fail. Mark the message with 'soft fail' in the message envelope. Typically, email
servers are configured to deliver these messages anyway. Most end users don't see
this mark.

Neutral. Do nothing, that is, don't mark the message envelope. This is reserved for
testing purposes and is rarely used.

The following examples show how SPF works in different situations. In these examples,
contoso.com is the sender and woodgrovebank.com is the receiver.

Example 1: Email authentication of a message sent directly from sender to receiver
SPF works best when the path from sender to receiver is direct, for example:

When woodgrovebank.com receives the message, if IP address #1 is in the SPF TXT
record for contoso.com, the message passes the SPF check and is authenticated.

Example 2: Spoofed sender address fails the SPF check


Suppose a phisher finds a way to spoof contoso.com:

Since IP address #12 isn't in contoso.com's SPF TXT record, the message fails the SPF
check and the receiver may choose to mark it as spam.

Example 3: SPF and forwarded messages


One drawback of SPF is that it doesn't work when an email has been forwarded. For
example, suppose the user at woodgrovebank.com has set up a forwarding rule to send
all email to an outlook.com account:

The message originally passes the SPF check at woodgrovebank.com but it fails the SPF
check at outlook.com because IP #25 isn't in contoso.com's SPF TXT record.
Outlook.com might then mark the message as spam. To work around this problem, use
SPF with other email authentication methods such as DKIM and DMARC.

SPF basics: Including third-party domains that can send mail on behalf of your domain
In addition to IP addresses, you can also configure your SPF TXT record to include
domains as senders. These are added to the SPF TXT record as "include" statements. For
example, contoso.com might want to include all of the IP addresses of the mail servers
from contoso.net and contoso.org, which it also owns. To do this, contoso.com publishes
an SPF TXT record that looks like this:
text

v=spf1 include:contoso.net include:contoso.org -all

When the receiving server sees this record in DNS, it also performs a DNS lookup on the
SPF TXT record for contoso.net and then for contoso.org. If it finds another include
statement within the records for contoso.net or contoso.org, it will follow those too. In
order to help prevent denial of service attacks, the maximum number of DNS lookups
for a single email message is 10. Each include statement represents an additional DNS
lookup. If a message exceeds the 10 limit, the message fails SPF. Once a message
reaches this limit, depending on the way the receiving server is configured, the sender
may get a message that says the message generated "too many lookups" or that the
"maximum hop count for the message has been exceeded" (which can happen when the
lookups loop and surpass the DNS timeout). For tips on how to avoid this, see
Troubleshooting: Best practices for SPF in Microsoft 365.

Requirements for your SPF TXT record and Microsoft 365
If you set up mail when you set up Microsoft 365, you already created an SPF TXT record
that identifies the Microsoft messaging servers as a legitimate source of mail for your
domain. This record probably looks like this:

text

v=spf1 include:spf.protection.outlook.com -all

If you're a fully hosted customer, that is, you have no on-premises mail servers that send
outbound mail, this is the only SPF TXT record that you need to publish for Office 365.

If you have a hybrid deployment (that is, you have some mailboxes on-premises and
some hosted in Microsoft 365), or if you're an Exchange Online Protection (EOP)
standalone customer (that is, your organization uses EOP to protect your on-premises
mailboxes), you should add the outbound IP address for each of your on-premises edge
mail servers to the SPF TXT record in DNS.

Form your SPF TXT record for Microsoft 365


Use the syntax information in this article to form the SPF TXT record for your custom
domain. Although there are other syntax options that are not mentioned here, these are
the most commonly used options. Once you've formed your record, you need to update
the record at your domain registrar.

For information about the domains you'll need to include for Microsoft 365, see External
DNS records required for SPF. Use the step-by-step instructions for updating SPF (TXT)
records for your domain registrar.

SPF TXT record syntax for Microsoft 365


A typical SPF TXT record for Microsoft 365 has the following syntax:

text

v=spf1 [<ip4>|<ip6>:<IP address>] [include:<domain name>] <enforcement rule>

For example:

text

v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 include:spf.protection.outlook.com -all

where:

v=spf1 is required. This defines the TXT record as an SPF TXT record.

ip4 indicates that you're using IP version 4 addresses. ip6 indicates that you're
using IP version 6 addresses. If you're using IPv6 IP addresses, replace ip4 with ip6
in the examples in this article. You can also specify IP address ranges using CIDR
notation, for example ip4:192.168.0.1/26.

IP address is the IP address that you want to add to the SPF TXT record. Usually,
this is the IP address of the outbound mail server for your organization. You can list
multiple outbound mail servers. For more information, see Example: SPF TXT
record for multiple outbound on-premises mail servers and Microsoft 365.

domain name is the domain you want to add as a legitimate sender. For a list of
domain names you should include for Microsoft 365, see External DNS records
required for SPF.

Enforcement rule is usually one of the following:

-all
Indicates hard fail. If you know all of the authorized IP addresses for your
domain, list them in the SPF TXT record, and use the -all (hard fail) qualifier.
Also, if you're only using SPF, that is, you aren't using DMARC or DKIM, you
should use the -all qualifier. We recommend that you always use this qualifier.

~all

Indicates soft fail. If you're not sure that you have the complete list of IP
addresses, then you should use the ~all (soft fail) qualifier. Also, if you're using
DMARC with p=quarantine or p=reject, then you can use ~all. Otherwise, use -all.

?all

Indicates neutral. This is used when testing SPF. We don't recommend that you
use this qualifier in your live deployment.

Example: SPF TXT record to use when all of your mail is sent by Microsoft 365
If all of your mail is sent by Microsoft 365, use this in your SPF TXT record:

text

v=spf1 include:spf.protection.outlook.com -all

Example: SPF TXT record for a hybrid scenario with one on-premises Exchange Server and Microsoft 365
In a hybrid environment, if the IP address of your on-premises Exchange Server is
192.168.0.1, in order to set the SPF enforcement rule to hard fail, form the SPF TXT
record as follows:

text

v=spf1 ip4:192.168.0.1 include:spf.protection.outlook.com -all

Example: SPF TXT record for multiple outbound on-premises mail servers and Microsoft 365
If you have multiple outbound mail servers, include the IP address for each mail server in
the SPF TXT record and separate each IP address with a space followed by an "ip4:"
statement. For example:

text

v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 ip4:192.168.0.3 include:spf.protection.outlook.com -all

Next steps: Set up SPF for Microsoft 365


Once you've formulated your SPF TXT record, follow the steps in Set up SPF in Microsoft
365 to help prevent spoofing to add it to your domain.

Although SPF is designed to help prevent spoofing, there are spoofing techniques
that SPF can't protect against. In order to protect against these, once you have set up
SPF, you should also configure DKIM and DMARC for Microsoft 365. To get started, see
Use DKIM to validate outbound email sent from your custom domain in Microsoft 365.
Next, see Use DMARC to validate email in Microsoft 365.

Troubleshooting: Best practices for SPF in Microsoft 365
You can only create one SPF TXT record for your custom domain. Creating multiple
records causes a round robin situation and SPF will fail. To avoid this, you can create
separate records for each subdomain. For example, create one record for contoso.com
and another record for bulkmail.contoso.com.

If an email message causes more than 10 DNS lookups before it's delivered, the
receiving mail server will respond with a permanent error, also called a permerror, and
cause the message to fail the SPF check. The receiving server may also respond with a
non-delivery report (NDR) that contains an error similar to these:

The message exceeded the hop count.

The message required too many lookups.

Avoiding the "too many lookups" error when you use third-party domains with Microsoft 365
Some SPF TXT records for third-party domains direct the receiving server to perform a
large number of DNS lookups. For example, at the time of this writing, Salesforce.com
contains 5 include statements in its record:

text

v=spf1 include:_spf.google.com include:_spfblock.salesforce.com include:_qa.salesforce.com include:_spfblock1.salesforce.com include:spf.mandrillapp.com mx ~all

To avoid the error, you can implement a policy where anyone sending bulk email, for
example, has to use a subdomain specifically for this purpose. You then define a
different SPF TXT record for the subdomain that includes the bulk email.

In some cases, like the salesforce.com example, you have to use the domain in your SPF
TXT record, but in other cases, the third-party may have already created a subdomain
for you to use for this purpose. For example, exacttarget.com has created a subdomain
that you need to use for your SPF TXT record:

text

cust-spf.exacttarget.com

When you include third-party domains in your SPF TXT record, you need to confirm with
the third-party which domain or subdomain to use in order to avoid running into the 10
lookup limit.

How to view your current SPF TXT record and determine the number of lookups that it requires
You can use nslookup to view your DNS records, including your SPF TXT record. There
are many free, online tools available that you can use to view the contents of your SPF
TXT record. By looking at your SPF TXT record and following the chain of include
statements and redirects, you can determine how many DNS lookups the record
requires. Some online tools will even count and display these lookups for you. Keeping
track of this number will help prevent messages sent from your organization from
triggering a permanent error (permerror) from the receiving server.
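As an added example that is not part of the Microsoft article, the following Python evaluates a sender IP against SPF TXT records from a constructed offline zone, following include and redirect chains the way a receiving server does and returning permerror once the 10-lookup limit described above is exceeded; it also counts a record's lookups statically, the way the online tools mentioned above do. Every domain other than contoso.com and spf.protection.outlook.com is constructed, and the spf.protection.outlook.com record is a stand-in using a documentation prefix, not Microsoft's real ranges.

```python
"""Offline SPF evaluator with the 10-DNS-lookup limit (added example, not
Microsoft's code). Evaluates a sender IP against SPF TXT records as a receiving
server does, follows include: and redirect= chains, and returns permerror once
more than 10 DNS-querying terms are used. All zone data here is constructed."""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 limit on include/redirect/a/mx/ptr/exists terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

SPF_RECORDS = {  # constructed zone data; 203.0.113.0/24 is a documentation prefix
    "contoso.com": "v=spf1 ip4:192.168.0.1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",  # stand-in
    "woodgrove.example": "v=spf1 include:contoso.com mx ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # include points at itself
}
# chain0 -> chain1 -> ... -> chain11: eleven includes, one over the limit.
SPF_RECORDS.update({f"chain{i}.example": f"v=spf1 include:chain{i + 1}.example -all"
                    if i < 11 else "v=spf1 -all" for i in range(12)})
A_RECORDS = {"mail.woodgrove.example": ["10.0.0.5"]}
MX_RECORDS = {"woodgrove.example": ["mail.woodgrove.example"]}


class PermError(Exception):
    """Malformed record, unknown mechanism or too many lookups."""


class SpfEvaluator:
    def __init__(self, spf=SPF_RECORDS, a=A_RECORDS, mx=MX_RECORDS):
        self.spf, self.a, self.mx, self.lookups = spf, a, mx, 0

    def _dns_query(self):
        self.lookups += 1
        if self.lookups > MAX_LOOKUPS:
            raise PermError("too many lookups")

    def evaluate(self, ip, domain):
        """Return (result, lookups_used) for a sender IP and MAIL FROM domain."""
        self.lookups = 0
        try:
            return self._check(ipaddress.ip_address(ip), domain), self.lookups
        except (PermError, ValueError):  # ValueError: malformed address in a term
            return "permerror", self.lookups

    def _check(self, ip, domain):
        terms = self.spf.get(domain, "").split()
        if terms[:1] != ["v=spf1"]:
            return "none"
        redirect = None
        for term in terms[1:]:
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
                continue
            qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
            mech, _, arg = term.lower().partition(":")
            verdict = QUALIFIERS[qualifier]
            if mech == "all":
                return verdict
            if mech in ("ip4", "ip6"):
                if ip in ipaddress.ip_network(arg, strict=False):
                    return verdict
            elif mech == "include":
                self._dns_query()
                sub = self._check(ip, arg)
                if sub == "none":  # RFC 7208: included domain has no record
                    raise PermError(f"include:{arg} has no SPF record")
                if sub == "pass":
                    return verdict
            elif mech in ("a", "mx"):
                self._dns_query()
                hosts = [arg or domain] if mech == "a" else self.mx.get(arg or domain, [])
                if any(str(ip) in self.a.get(h, []) for h in hosts):
                    return verdict
            elif mech in ("ptr", "exists"):
                self._dns_query()  # counted, not resolved in this offline example
            else:
                raise PermError(f"unknown mechanism {mech}")
        if redirect:
            self._dns_query()
            return self._check(ip, redirect)
        return "neutral"

    def count_lookups(self, domain, seen=None):
        """Static lookup count, as online SPF checkers report it (each target once)."""
        seen = {domain} if seen is None else seen
        total = 0
        for term in self.spf.get(domain, "").split()[1:]:
            t = term.lstrip("+-~?").lower()
            mech, arg = (("redirect", t[9:]) if t.startswith("redirect=")
                         else t.partition(":")[::2])
            if mech in ("include", "redirect"):
                total += 1
                if arg not in seen:
                    seen.add(arg)
                    total += self.count_lookups(arg, seen)
            elif mech in ("a", "mx", "ptr", "exists"):
                total += 1
        return total
```

The evaluation count depends on the sender IP (terms after a match are never queried), whereas count_lookups walks the whole record, which is the number the "too many lookups" error refers to.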
For more information
Need help with adding the SPF TXT record? Read the article Create DNS records at any
DNS hosting provider for Microsoft 365 for detailed information about usage of Sender
Policy Framework with your custom domain in Microsoft 365. Anti-spam message
headers includes the syntax and header fields used by Microsoft 365 for SPF checks.
Services for non-customers sending mail to Microsoft 365
Article • 12/08/2022 • 2 minutes to read

Email abuse, junk email, and fraudulent emails (phishing) continue to burden the entire
email ecosystem. To help maintain user trust in the use of email, Microsoft has put
various policies and technologies in place to help protect our users. However, Microsoft
understands that legitimate email should not be negatively affected. Therefore, we have
established a suite of services to help senders improve their ability to deliver email to
Microsoft 365 users by proactively managing their sending reputation.

This overview provides information about benefits we provide to your organization even
if you aren't a customer.

Sender solutions

Service | Benefits

This online help content | Provides a starting point for any questions related to delivering communications to EOP users; a simple online guide with our policies and requirements; and an overview of the junk email filters and authentication technologies employed by Microsoft.

Microsoft support | Provides self-help and escalation support for delivery issues.

Anti-Spam IP Delist Portal | A tool to submit an IP delist request. Before submitting this request it is the sender's responsibility to ensure that any further mail originating from the IP in question is not abusive or malicious.

Abuse and spam reporting for junk email originating from Exchange Online | Keeps spam and other unwanted mail from being sent from Exchange Online and cluttering up the internet and your mail system.

Microsoft support
Microsoft offers several support options for people having trouble sending mail to
Microsoft 365 recipients. We recommend that you:
Follow the instructions in any non-delivery report you receive.

Check out the most common problems that non-customers encounter in
Troubleshooting mail sent to Office 365.

Use the Microsoft 365 delist portal to submit a request to have your IP removed
from the blocked sender's list.

Read the Microsoft community forums.

Contact the customer you're trying to email using another method and ask them
to contact Microsoft Support and open a support ticket on your behalf. In some
cases, for legal reasons, Microsoft Support must communicate directly with the
sender who owns the IP space that is being blocked. However, non-customers
typically can't open support tickets.

For more information about Microsoft Technical support for Office 365, see
Support.

Anti-Spam IP Delist Portal


This is a self-service portal you can use to remove yourself from the Microsoft 365
blocked senders list. Use this portal if you are getting an error message when you
try to send an email to a recipient whose email address is in Microsoft 365 and you
don't think you should be. For more information, see Use the delist portal to remove
yourself from the blocked senders list.

Abuse and spam reporting for junk email originating from Exchange Online
Sometimes Microsoft 365 is used by third parties to send junk email, in violation of our
terms of use and policy. If you receive any junk email from Office 365, you can report
these messages to Microsoft. For instructions, see Report messages and files to
Microsoft.
Configure EOP to deliver spam to Junk Email folders in hybrid environments
Article • 12/15/2022 • 5 minutes to read

Important

This article is only for EOP customers in hybrid environments with mailboxes in on-
premises Exchange environments. This article does not apply to Microsoft 365
customers with Exchange Online mailboxes.

If you're an Exchange Online Protection (EOP) customer in a hybrid environment, you
need to configure your on-premises Exchange organization to recognize and translate
the spam filtering verdicts of EOP. Doing so allows the junk email rule in on-premises
mailboxes to correctly move messages from the Inbox to the Junk Email folder.

Specifically, you need to create mail flow rules (also known as transport rules) in your
on-premises Exchange organization with the following settings:

Conditions: Find messages with the following EOP anti-spam headers and values:
X-Forefront-Antispam-Report: SFV:SPM (message marked as spam by spam filtering)
X-Forefront-Antispam-Report: SFV:SKS (message marked as spam by mail flow
rules in EOP before spam filtering)
X-Forefront-Antispam-Report: SFV:SKB (message marked as spam by spam
filtering due to the sender's email address or email domain being in the blocked
sender list or the blocked domain list in EOP)

For more information about these header values, see Anti-spam message headers.

Action: Set the spam confidence level (SCL) of these messages to 6 (spam).

This article describes how to create the required mail flow rules in the Exchange admin
center (EAC) and in the Exchange Management Shell (Exchange PowerShell) in the on-
premises Exchange organization.

 Tip

Instead of delivering the messages to the on-premises user's Junk Email folder, you
can configure anti-spam policies in EOP to quarantine spam messages in EOP. For
more information, see Configure anti-spam policies in EOP.
What do you need to know before you begin?
You need to be assigned permissions in the on-premises Exchange environment
before you can do these procedures. Specifically, you need to be assigned the
Transport Rules role, which is assigned to the Organization Management,
Compliance Management, and Records Management roles by default. For more
information, see Add members to a role group.

Whether and when a message is delivered to the Junk Email folder in an on-premises
Exchange mailbox is controlled by a combination of the following settings:
The SCLJunkThreshold parameter value on the Set-OrganizationConfig cmdlet in
the Exchange Management Shell. The default value is 4, which means an SCL of
5 or higher should deliver the message to the user's Junk Email folder.
The SCLJunkThreshold parameter value on the Set-Mailbox cmdlet in the
Exchange Management Shell. The default value is blank ($null), which means the
organization setting is used. For details, see Exchange spam confidence level
(SCL) thresholds.
Whether the junk email rule is enabled on the mailbox (the Enabled parameter
value is $true on the Set-MailboxJunkEmailConfiguration cmdlet in the
Exchange Management Shell). It's the junk email rule that actually moves the
message to the Junk Email folder after delivery. By default, the junk email rule is
enabled on mailboxes. For more information, see Configure Exchange antispam
settings on mailboxes.

To open the EAC on an Exchange Server, see Exchange admin center in Exchange
Server. To open the Exchange Management Shell, see Open the Exchange
Management Shell or Connect to Exchange servers using remote PowerShell.

For more information about mail flow rules in on-premises Exchange, see the
following articles:
Mail flow rules in Exchange Server
Mail flow rule conditions and exceptions (predicates) in Exchange Server
Mail flow rule actions in Exchange Server

Use the EAC to create mail flow rules that set the SCL of EOP spam messages
1. In the EAC, go to Mail flow > Rules.

2. Click Add and select Create a new rule in the drop-down that appears.
3. In the New rule page that opens, configure the following settings:

Name: Enter a unique, descriptive name for the rule. For example:
EOP SFV:SPM to SCL 6
EOP SFV:SKS to SCL 6
EOP SFV:SKB to SCL 6

Click More Options.

Apply this rule if: Select A message header > includes any of these words.

In the Enter text header includes Enter words sentence that appears, do the following steps:
Click Enter text. In the Specify header name dialog that appears, enter X-Forefront-Antispam-Report and then click OK.
Click Enter words. In the Specify words or phrases dialog that appears, enter one of the EOP spam header values (SFV:SPM, SFV:SKS, or SFV:SKB), click Add, and then click OK.

Do the following: Select Modify the message properties > Set the spam
confidence level (SCL).

In the Specify SCL dialog that appears, select 6 (the default value is 5).

When you're finished, click Save.

Repeat these steps for the remaining EOP spam verdict values (SFV:SPM, SFV:SKS, or
SFV:SKB).

Use the Exchange Management Shell to create mail flow rules that set the SCL of EOP spam messages
Use the following syntax to create the three mail flow rules:

PowerShell

New-TransportRule -Name "<RuleName>" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "<EOPSpamFilteringVerdict>" -SetSCL 6

For example:
PowerShell

New-TransportRule -Name "EOP SFV:SPM to SCL 6" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SPM" -SetSCL 6

PowerShell

New-TransportRule -Name "EOP SFV:SKS to SCL 6" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKS" -SetSCL 6

PowerShell

New-TransportRule -Name "EOP SFV:SKB to SCL 6" -HeaderContainsMessageHeader "X-Forefront-Antispam-Report" -HeaderContainsWords "SFV:SKB" -SetSCL 6

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?


To verify that you've successfully configured standalone EOP to deliver spam to the Junk Email folder in a hybrid environment, do any of the following steps:

In the EAC, go to Mail flow > Rules, select the rule, and then click Edit to verify the settings.

In the Exchange Management Shell, replace <RuleName> with the name of the mail flow rule, and run the following command to verify the settings:

PowerShell

Get-TransportRule -Identity "<RuleName>" | Format-List

In an external email system that doesn't scan outbound messages for spam, send
a Generic Test for Unsolicited Bulk Email (GTUBE) message to an affected recipient,
and confirm that it's delivered to their Junk Email folder. A GTUBE message is
similar to the European Institute for Computer Antivirus Research (EICAR) text file
for testing malware settings.

To send a GTUBE message, include the following text in the body of an email
message on a single line, without any spaces or line breaks:

text

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
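As an added check (example code, not from this article), the following Exchange Management Shell function ties the verification steps above together for one mailbox: it confirms that the three rules exist, are enabled, inspect X-Forefront-Antispam-Report and set SCL 6; that SCL 6 actually exceeds the effective SCLJunkThreshold (mailbox value, or the organization value when the mailbox value is $null); and that the junk email rule is enabled on the mailbox. It assumes the rule names used in the examples above; pass other names in -RuleNames.

```powershell
# Added example, not from the Microsoft article. Run in the on-premises
# Exchange Management Shell. Checks every link in the chain that has to hold
# for an EOP-detected spam message to land in the Junk Email folder.
function Test-EopSpamJunkDelivery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        # Rule names as used in the article's examples; adjust if you chose others.
        [string[]] $RuleNames = @('EOP SFV:SPM to SCL 6', 'EOP SFV:SKS to SCL 6', 'EOP SFV:SKB to SCL 6'),
        [int] $ExpectedScl = 6
    )

    $problems = @()

    # 1. Each mail flow rule must exist, be enabled, look at the EOP verdict header,
    #    and set the SCL the article specifies.
    foreach ($name in $RuleNames) {
        $rule = Get-TransportRule -Identity $name -ErrorAction SilentlyContinue
        if (-not $rule) { $problems += "Rule '$name' not found"; continue }
        if ($rule.State -ne 'Enabled') { $problems += "Rule '$name' is disabled" }
        if ($rule.HeaderContainsMessageHeader -ne 'X-Forefront-Antispam-Report') {
            $problems += "Rule '$name' does not inspect X-Forefront-Antispam-Report"
        }
        if ([int]$rule.SetSCL -ne $ExpectedScl) {
            $problems += "Rule '$name' sets SCL '$($rule.SetSCL)', expected $ExpectedScl"
        }
    }

    # 2. Effective SCLJunkThreshold: the mailbox value wins when set, otherwise the
    #    organization value (default 4). The rule's SCL must be strictly greater.
    $orgThreshold = (Get-OrganizationConfig).SCLJunkThreshold
    $mbx = Get-Mailbox -Identity $Mailbox
    $threshold = if ($null -ne $mbx.SCLJunkThreshold) { $mbx.SCLJunkThreshold } else { $orgThreshold }
    if ($ExpectedScl -le $threshold) {
        $problems += "SCL $ExpectedScl does not exceed the effective SCLJunkThreshold ($threshold); messages stay in the Inbox"
    }

    # 3. The junk email rule is what moves the message after delivery; if it is
    #    disabled, the SCL stamp alone does nothing.
    $junk = Get-MailboxJunkEmailConfiguration -Identity $Mailbox
    if (-not $junk.Enabled) { $problems += "Junk email rule is disabled on $Mailbox" }

    [pscustomobject]@{
        Mailbox            = $Mailbox
        EffectiveThreshold = $threshold
        Passed             = ($problems.Count -eq 0)
        Problems           = $problems
    }
}

# Usage (hypothetical mailbox):
# Test-EopSpamJunkDelivery -Mailbox 'alex@contoso.com'
```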

Monitor for leaks of personal data


Article • 12/06/2022 • 7 minutes to read

There are many tools that can be used to monitor the use and transport of personal
data. This topic describes three tools that work well.

In the illustration:

Start with Microsoft Purview data loss prevention reports for monitoring personal
data in SharePoint Online, OneDrive for Business, and email in transit. These
reports provide the greatest level of detail for monitoring personal data. However,
these reports don't include all services in Office 365.

Next, use alert policies and the audit log to monitor activity across services. Set up
ongoing monitoring or search the audit log to investigate an incident. The audit
log works across services—Sway, Power BI, eDiscovery, Dynamics 365, Power
Automate, Microsoft Teams, Admin activity, OneDrive for Business, SharePoint
Online, mail in transit, and mailboxes at rest. Skype conversations are included in
mailboxes at rest.

Finally, use Microsoft Defender for Cloud Apps to monitor files with sensitive data
in other SaaS providers. Coming soon is the ability to use sensitive information
types and unified labels across Azure Information Protection and Office with
Defender for Cloud Apps. You can set up policies that apply to all of your SaaS
apps or specific apps (like Box). Defender for Cloud Apps doesn't discover files in
Exchange Online, including files attached to email.

Data loss prevention reports


After you create your data loss prevention (DLP) policies, you'll want to verify that
they're working as you intended and helping you to stay compliant. With the DLP
reports in Office 365, you can quickly view the number of DLP policy matches, overrides,
or false positives; see whether they're trending up or down over time; filter the report in
different ways; and view more details by selecting a point on a line on the graph.

You can use the DLP reports to:

Focus on specific time periods and understand the reasons for spikes and trends.
Discover business processes that violate your organization's DLP policies.
Understand any business impact of the DLP policies.
View the justifications submitted by users when they resolve a policy tip by
overriding the policy or reporting a false positive.
Verify compliance with a specific DLP policy by showing any matches for that
policy.
View a list of files with sensitive data that matches your DLP policies in the details
pane.

In addition, you can use the DLP reports to fine-tune your DLP policies as you run them
in test mode.

DLP reports are in the Microsoft Purview compliance portal. Go to Reports >
Organizational data section to find the DLP policy matches, DLP incidents, and DLP
false positives and overrides reports.

For more information, see View the reports for data loss prevention.

Audit log and alert policies


The audit log contains events from Exchange Online, SharePoint Online, OneDrive for
Business, Azure Active Directory, Microsoft Teams, Power BI, Sway, and other services.
The Microsoft 365 Defender portal and the Microsoft Purview compliance portal provide
two ways to monitor and report against the audit log:

Set up alert policies, view alerts, and monitor trends—Use the alert policy and alert
dashboard tools in either the Microsoft 365 Defender portal or the Microsoft
Purview compliance portal.
Search the audit log directly: Search for all events in a specified date range. Or you can filter the results based on specific criteria, such as the user who performed the action, the action, or the target object.

Information compliance and security teams can use these tools to proactively review
activities performed by both end users and administrators across services. Automatic
alerts can be configured to send email notifications when certain activities occur on
specific site collections - for example when content is shared from sites known to
contain GDPR-related information. This allows those teams to follow up with users to
ensure that corporate security policies are followed, or to provide additional training.

Information security teams can also search the audit log to investigate suspected data breaches and determine both root cause and the extent of the breach. This built-in capability facilitates compliance with articles 33 and 34 of the GDPR, which require that notifications of a data breach be provided to the GDPR supervisory authority and to the data subjects themselves within a specific time period. Audit log entries are only retained for 90 days within the service; it is often recommended, and many organizations require, that these logs be retained for longer periods of time.

Solutions are available that subscribe to the Unified Audit Logs through the Microsoft
Management Activity API and can both store log entries as needed, and provide
advanced dashboards and alerts. One example is Microsoft Operations Management
Suite (OMS).

More information about alert policies and searching the audit log:

Alert policies in Microsoft 365
Search the audit log for user and admin activity in Office 365 (introduction)
Turn audit log search on or off
Search the audit log
Search-UnifiedAuditLog (cmdlet)
Detailed properties in the audit log

Microsoft Defender for Cloud Apps


Microsoft Defender for Cloud Apps helps you discover other SaaS apps in use across
your networks and sensitive data sent to and from these apps.

Microsoft Defender for Cloud Apps is a comprehensive service providing deep visibility, granular controls, and enhanced threat protection for your cloud apps. It identifies more than 15,000 cloud applications in your network, from all devices, and provides risk scoring and ongoing risk assessment and analytics. No agents are required: information is collected from your firewalls and proxies to give you complete visibility and context for cloud usage and shadow IT.

To better understand your cloud environment, the Defender for Cloud Apps investigate
feature provides deep visibility into all activities, files, and accounts for sanctioned and
managed apps. You can gain detailed information on a file level and discover where
data travels in the cloud apps.

For example, the following illustration demonstrates two Defender for Cloud Apps policies that can help with GDPR.

The first policy alerts when files with a predefined PII attribute or custom expression that you choose are shared outside the organization from the SaaS apps that you choose.

The second policy blocks downloads of files to any unmanaged device. You choose the
attributes within the files to look for and the SaaS apps you want the policy to apply to.

These attribute types are coming soon to Defender for Cloud Apps:

Sensitive information types
Unified labels across Microsoft 365 and Azure Information Protection

Defender for Cloud Apps dashboard


If you haven't yet started to use Defender for Cloud Apps, begin by starting it up. To
access Defender for Cloud Apps: https://portal.cloudappsecurity.com .

Note

Be sure to enable 'Automatically scan files for Azure Information Protection classification labels' (in General settings) when getting started with Defender for Cloud Apps or before you assign labels. After setup, Defender for Cloud Apps does not scan existing files again until they are modified.

More information:

Deploy Defender for Cloud Apps
More information about Microsoft Defender for Cloud Apps
Block downloads of sensitive information using the Microsoft Defender for Cloud Apps proxy

Example file and activity policies to detect sharing of personal data

Detect sharing of files containing PII — Credit card number
Alert when a file containing a credit card number is shared from an approved cloud app.
Control | Settings
Policy type | File policy
Policy template | No template
Policy severity | High
Category | DLP
Filter settings | Access level = Public (Internet), Public, External
  | App = <select apps> (use this setting if you want to limit monitoring to specific SaaS apps)
Apply to | All files, all owners
Content inspection | Includes files that match a preset expression: All countries: Finance: Credit card number
  | Don't require relevant context: unchecked (this setting will match keywords as well as regex)
  | Includes files with at least 1 match
  | Unmask the last 4 characters of the violation: checked
Alerts | Create an alert for each matching file: checked
  | Daily alert limit: 1000
  | Send alert as email: checked
  | To: infosec@contoso.com
Governance | Microsoft OneDrive for Business
  | Make private: check Remove External Users
  | All other settings: unchecked
  | Microsoft SharePoint Online
  | Make private: check Remove External Users
  | All other settings: unchecked

Similar policies:

Detect sharing of Files containing PII - Email Address
Detect sharing of Files containing PII - Passport Number

Detect Customer or HR Data in Box or OneDrive for Business
Alert when a file labeled as Customer Data or HR Data is uploaded to OneDrive for Business or Box.

Notes:

Box monitoring requires a connector be configured using the API Connector SDK.
This policy requires capabilities that are currently in private preview.

Control | Settings
Policy type | Activity policy
Policy template | No template
Policy severity | High
Category | Sharing Control
Act on | Single activity
Filter settings | Activity type = Upload File
  | App = Microsoft OneDrive for Business and Box
  | Classification Label (currently in private preview): Azure Information Protection = Customer Data, Human Resources—Salary Data, Human Resources—Employee Data
Alerts | Create an alert: checked
  | Daily alert limit: 1000
  | Send alert as email: checked
  | To: infosec@contoso.com
Governance | All apps
  | Put user in quarantine: check
  | All other settings: unchecked
  | Office 365
  | Put user in quarantine: check
  | All other settings: unchecked

Similar policies:

Detect large downloads of Customer data or HR Data—Alert when a large number of files containing customer data or HR data have been detected being downloaded by a single user within a short period of time.
Detect Sharing of Customer and HR Data—Alert when files containing Customer or HR Data are shared.

Security Information and Event Management (SIEM) server integration with Microsoft 365 services and applications
Article • 12/10/2022 • 3 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Summary

Is your organization using or planning to get a Security Information and Event Management (SIEM) server? You might be wondering how it integrates with Microsoft 365 or Office 365. This article provides a list of resources you can use to integrate your SIEM server with Microsoft 365 services and applications.

Tip

If you don't have a SIEM server yet and are exploring your options, consider Microsoft Sentinel.

Do I need a SIEM server?


Whether you need a SIEM server depends on many factors, such as your organization's
security requirements and where your data resides. Microsoft 365 includes a wide
variety of security features that meet many organizations' security needs without
additional servers, such as a SIEM server. Some organizations have special circumstances
that require the use of a SIEM server. Here are some examples:

Fabrikam has some content and applications on premises, and some in the cloud
(they have a hybrid cloud deployment). To get security reports across all their
content and applications, Fabrikam has implemented a SIEM server.
Contoso is a financial services organization that has particularly stringent security
requirements. They have added a SIEM server to their environment to take
advantage of the extra security protection they require.

SIEM server integration with Microsoft 365


A SIEM server can receive data from a wide variety of Microsoft 365 services and
applications. The following table lists several Microsoft 365 services and applications,
along with SIEM server inputs and resources to learn more.

Microsoft 365 Service or Application | SIEM server inputs/methods | Resources to learn more
Microsoft Defender for Office 365 | Audit logs | SIEM integration with Microsoft Defender for Office 365
Microsoft Defender for Endpoint | HTTPS endpoint hosted in Azure; REST API | Pull alerts to your SIEM tools
Microsoft Defender for Cloud Apps | Log integration | SIEM integration with Microsoft Defender for Cloud Apps

Tip

Take a look at Microsoft Sentinel. Microsoft Sentinel comes with connectors for Microsoft solutions. These connectors are available "out of the box" and provide for real-time integration. You can use Microsoft Sentinel with your Microsoft 365 Defender solutions and Microsoft 365 services, including Office 365, Azure AD, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and more.

Audit logging must be turned on


Make sure that audit logging is turned on before you configure SIEM server integration.
For SharePoint Online, OneDrive for Business, and Azure Active Directory, see Turn
auditing on or off.
For Exchange Online, see Manage mailbox auditing.

Integration steps if your SIEM is Microsoft Sentinel
Be sure that your current plan allows for Microsoft Sentinel integration (for example, you
have Microsoft Defender for Office 365 Plan 2 or higher), and that your account in
Microsoft Defender for Office 365 or Microsoft 365 Defender is a Security Administrator.
Finally, be sure that you have Write permissions in Microsoft Sentinel.

1. Navigate to Microsoft Sentinel.
2. In the navigation on the left of the screen, select Configuration > Data connectors.
3. Search for Microsoft 365 Defender and select the Microsoft 365 Defender (preview) connector.
4. On the right of your screen, select Open Connector Page.
5. Under Configuration, select Connect incidents & alerts.
a. Turn off all Microsoft incident creation rules for the products currently selected.
6. Scroll to Microsoft Defender for Office 365 in the Connect events section of the page.

Note that you can choose tables from any other Microsoft Defender product you find helpful and applicable while completing the final step (below).

7. Select EmailEvents, EmailUrlInfo, EmailAttachmentInfo, and EmailPostDeliveryEvents, and then select Apply Changes.

More resources

Integrate security solutions in Microsoft Defender for Cloud
Integrate Microsoft Graph Security API alerts with a SIEM

SIEM integration with Microsoft Defender for Office 365
Article • 12/22/2022 • 2 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

If your organization is using a security information and event management (SIEM) server, you can integrate Microsoft Defender for Office 365 with your SIEM server. You can set up this integration by using the Office 365 Activity Management API.

SIEM integration enables you to view information, such as malware or phish detected by
Microsoft Defender for Office 365, in your SIEM server reports.

To see an example of SIEM integration with Microsoft Defender for Office 365, see
Tech Community blog: Improve the Effectiveness of your SOC with Defender for
Office 365 and the O365 Management API .
To learn more about the Office 365 Management APIs, see Office 365 Management
APIs overview.

How SIEM integration works


The Office 365 Activity Management API retrieves information about user, admin,
system, and policy actions and events from your organization's Microsoft 365 and Azure
Active Directory activity logs. If your organization has Microsoft Defender for Office 365
Plan 1 or 2, or Office 365 E5, you can use the Microsoft Defender for Office 365 schema.

Recently, events from automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2 were added to the Office 365 Management Activity API. In addition to including data about core investigation details such as ID, name and status, the API also contains high-level information about investigation actions and entities.

The SIEM server or other similar system polls the audit.general workload to access
detection events. To learn more, see Get started with Office 365 Management APIs.

Enum: AuditLogRecordType - Type: Edm.Int32

AuditLogRecordType

The following table summarizes the values of AuditLogRecordType that are relevant for Microsoft Defender for Office 365 events:

Value | Member name | Description
28 | ThreatIntelligence | Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365.
41 | ThreatIntelligenceUrl | Safe Links time-of-block and block override events from Microsoft Defender for Office 365.
47 | ThreatIntelligenceAtpContent | Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams, from Microsoft Defender for Office 365.
64 | AirInvestigation | Automated investigation and response events, such as investigation details and relevant artifacts, from Microsoft Defender for Office 365 Plan 2.

Important

You must have either the global administrator or Security Administrator role
assigned in the Microsoft 365 Defender portal to set up SIEM integration with
Microsoft Defender for Office 365. For more information, see Permissions in the
Microsoft 365 Defender portal.

Audit logging must be turned on for your Microsoft 365 environment. To get help
with this, see Turn audit log search on or off.
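As an added example (not from this article), the following function uses the Search-UnifiedAuditLog cmdlet listed earlier under Audit log and alert policies, rather than the Management Activity API, to pull the four record types in the AuditLogRecordType table above and write them as newline-delimited JSON, either for SIEM ingestion or to keep them beyond the service's 90-day retention noted in that section. It assumes an Exchange Online PowerShell session is already connected under an account permitted to search the audit log; the output path is a placeholder.

```powershell
# Added example, not from the Microsoft article. Exports Defender for Office 365
# audit records (record types 28, 41, 47 and 64 from the table) as one JSON
# object per line, the form most SIEM file collectors accept.
function Export-DefenderForOffice365AuditRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $OutFile,
        # The service keeps entries for 90 days, so this is the widest useful window.
        [datetime] $StartDate = (Get-Date).AddDays(-90),
        [datetime] $EndDate = (Get-Date),
        # Member names from the AuditLogRecordType table.
        [string[]] $RecordTypes = @('ThreatIntelligence', 'ThreatIntelligenceUrl',
                                    'ThreatIntelligenceAtpContent', 'AirInvestigation')
    )

    $total = 0
    foreach ($recordType in $RecordTypes) {
        # -RecordType takes a single value, so query each type in its own paging
        # session. ReturnLargeSet pages through results (unsorted) until the
        # cmdlet returns nothing more for that session id.
        $sessionId = "dfo365-$recordType-$([guid]::NewGuid())"
        do {
            $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                          -RecordType $recordType -ResultSize 5000 `
                          -SessionId $sessionId -SessionCommand ReturnLargeSet)
            foreach ($entry in $page) {
                # AuditData is a JSON string; parse it so the SIEM indexes structured
                # fields (Operation, Verdict, Recipients, ...) instead of an opaque blob.
                $data = $entry.AuditData | ConvertFrom-Json
                [pscustomobject]@{
                    CreationDate = $entry.CreationDate.ToUniversalTime().ToString('o')
                    RecordType   = $recordType
                    Operation    = $entry.Operations
                    UserIds      = $entry.UserIds
                    AuditData    = $data
                } | ConvertTo-Json -Compress -Depth 10 | Add-Content -Path $OutFile
                $total++
            }
        } while ($page.Count -gt 0)
    }
    return $total
}

# Usage (placeholder path): returns the number of records written.
# Export-DefenderForOffice365AuditRecords -OutFile 'C:\siem\dfo365-audit.jsonl'
```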

See also
Office 365 threat investigation and response
Automated investigation and response (AIR) in Office 365
Privileged Identity Management (PIM)
and why to use it with Microsoft
Defender for Office 365
Article • 12/06/2022 • 4 minutes to read

Privileged Identity Management (PIM) is an Azure feature that, once set up, gives users access to data for a limited period of time (sometimes called a time-boxed period) so that a specific task can be done. This access is given 'just-in-time' to do the action that's required, and then revoked. PIM limits the access and time that a user has to sensitive data, reducing exposure risk when compared to privileged administration accounts that have long-term access to data and other settings. So how can we use this feature (PIM) in conjunction with Microsoft Defender for Office 365?

Tip

PIM access is scoped to the role and identity level and allows completion of multiple tasks. It's not to be confused with Privileged Access Management (PAM), which is scoped at a task level.

Steps to use PIM to grant just-in-time access to Defender for Office 365 related tasks

By setting up PIM to work with Defender for Office 365, admins create a process for a user to request access to take the actions they need. The user must justify the need for the elevation of their privileges.

In this example we will configure "Alex", a member of our security team who will have zero standing access within Office 365, but can elevate to a role required for normal day-to-day operations, such as threat hunting, and also to a higher level of privilege when less frequent but sensitive operations, such as remediating malicious delivered email, are required.

Note

This will walk you through the steps required to set up PIM for a Security Analyst who requires the ability to purge emails using Threat Explorer in Microsoft Defender for Office 365, but the same steps can be used for other RBAC roles within the Security and Compliance portal. For example, this process could be used for an information worker who requires day-to-day access in eDiscovery to perform searches and case work, but only occasionally needs the elevated right to export data from the tenant.

Step 1. In the Azure PIM console for your subscription, add the user (Alex) to the Azure
Security Reader role and configure the security settings related to activation.

1. Sign into the Azure AD Admin Center and select Azure Active Directory > Roles and administrators.
2. Select Security Reader in the list of roles and then Settings > Edit.
3. Set the 'Activation maximum duration (hours)' to a normal working day and 'On activation' to require Azure MFA.
4. As this is Alex's normal privilege level for day-to-day operations, we will uncheck 'Require justification on activation' > Update.
5. Select Add Assignments > No member selected > select or type the name to search for the correct member.
6. Click the Select button to choose the member you need to add for PIM privileges > click Next > make no changes on the Add Assignment page (both assignment type Eligible and duration Permanently Eligible will be defaults) and Assign.

The name of your user (here 'Alex') will appear under Eligible assignments on the next page; this means they are able to PIM into the role with the settings configured earlier.

Note

For a quick review of Privileged Identity Management see this video .


Step 2. Create the required second (elevated) permission group for additional tasks and
assign eligibility.

Using Privileged Access groups we can now create our own custom groups and
combine permissions or increase granularity where required to meet your organizational
practices and needs.

Create a role group requiring the permissions we need

In the Microsoft 365 Defender portal, create a custom role group that contains the permissions that we want.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to Permissions & Roles, and then select Roles under Email and Collaboration. To go directly to the Permissions page, use https://security.microsoft.com/emailandcollabpermissions .
2. On the Permissions page, click Create.
3. Name your group to reflect its purpose such as 'Search and Purge PIM'.
4. Don't add members, simply save the group and move on to the next part!

Create the security group in Azure AD for elevated permissions
1. Browse back to the Azure AD Admin Center and navigate to Azure AD > Groups
> New Group.
2. Name your Azure AD group to reflect its purpose, no owners or members are
required right now.
3. Turn Azure AD roles can be assigned to the group to Yes.
4. Don't add any roles, members or owners, create the group.
5. Go back into the group you've just created, and select Privileged Access > Enable
Privileged Access.
6. Within the group, select Eligible assignments > Add assignments > Add the user
who needs Search & Purge as a role of Member.
7. Configure the Settings within the group's Privileged Access pane. Choose to Edit
the settings for the role of Member.
8. Change the activation time to suit your organization. In this example require Azure
MFA, justification, and ticket information before selecting Update.

Nest the newly created security group into the role group
1. Connect to Security & Compliance PowerShell and run the following command:

PowerShell

Add-RoleGroupMember "<<Role Group Name>>" -Member "<<Azure Security Group>>"

Test your configuration of PIM with Defender for Office 365

1. Log in with the test user (Alex), who should have no administrative access within the Microsoft 365 Defender portal at this point.

2. Navigate to PIM, where the user can activate their day-to-day Security Reader role.

3. If you try to purge an email using Threat Explorer, you get an error stating you need additional permissions.

4. PIM a second time into the more elevated role; after a short delay, you should now be able to purge emails without issue.

Permanent assignment of administrative roles and permissions such as the Search and Purge role doesn't align with the Zero Trust security initiative, but as you can see, PIM can be used to grant just-in-time access to the toolset required.

Our thanks to Customer Engineer Ben Harris for access to the blog post and resources
used for this content.
Add support for anonymous inbound
email over IPv6 in Microsoft 365
Article • 12/10/2022 • 2 minutes to read

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Microsoft 365 organizations with Exchange Online mailboxes and standalone Exchange
Online Protection (EOP) organizations without Exchange Online mailboxes support
anonymous inbound email over IPv6. The source IPv6 email server must meet both of
the following requirements:

The source IPv6 address must have a valid reverse DNS lookup (PTR) record that
allows the destination to find the domain name from the IPv6 address.

The sender must pass either SPF verification (defined in RFC 7208) or DKIM verification (defined in RFC 6376).

Before your organization can receive anonymous inbound email over IPv6, an admin
needs to contact Microsoft support and ask for it. For instructions about how to open a
support request, see Contact support for business products - Admin Help.

After anonymous inbound IPv6 message support is enabled in your organization, the
message will go through the normal message filtering that's provided by the service.

Troubleshooting
If the source email server doesn't have an IPv6 reverse DNS lookup record, the messages will be rejected with the following error:

450 4.7.25 Service unavailable, sending IPv6 address [2a01:111:f200:2004::240] must have reverse DNS record.

If the sender doesn't pass SPF or DKIM validation, the messages will be rejected with the following error:

450 4.7.26 Service unavailable, message sent over IPv6 [2a01:111:f200:2004::240] must pass either SPF or DKIM validation.

If you try to receive anonymous IPv6 messages before you've opted in, the message will be rejected with the following error:

550 5.2.1 Service unavailable, [contoso.com] does not accept email over IPv6.
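As an added preflight check (example code, not from this article), the following function tests a sending server against the two requirements above from a Windows host using Resolve-DnsName: a PTR record for its IPv6 address (the 450 4.7.25 case) and an SPF record at the sending domain that can match an IPv6 sender (one half of the 450 4.7.26 case; DKIM is the alternative the article allows, so a missing or IPv4-only SPF record is reported rather than treated as fatal). The address and domain in the usage line are hypothetical placeholders.

```powershell
# Added example, not from the Microsoft article. Requires the DnsClient module
# (Resolve-DnsName), present on supported Windows versions.
function Test-Ipv6SenderPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceIPv6,
        [Parameter(Mandatory)] [string] $SenderDomain
    )

    # 1. Reverse DNS. Resolve-DnsName builds the ip6.arpa name from the address.
    $ptr = Resolve-DnsName -Name $SourceIPv6 -Type PTR -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
    $hasPtr = $null -ne $ptr

    # 2. SPF. The TXT record at the domain apex that starts with "v=spf1".
    $spfTxt = Resolve-DnsName -Name $SenderDomain -Type TXT -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'TXT' -and (($_.Strings -join '') -like 'v=spf1*') } |
              Select-Object -First 1
    $spfRecord = if ($spfTxt) { $spfTxt.Strings -join '' } else { $null }

    # Rough check: a v=spf1 record with no ip6: mechanism and nothing that could
    # resolve to an IPv6 address (include:, redirect=, a, mx) can never pass for
    # an IPv6 sender, so the message would have to rely on DKIM instead.
    $spfCoversIpv6 = [bool]($spfRecord -and ($spfRecord -match 'ip6:|include:|redirect=|\ba\b|\bmx\b'))

    $notes = @()
    if (-not $hasPtr)        { $notes += 'Add a PTR record for the IPv6 address (otherwise 450 4.7.25).' }
    if (-not $spfRecord)     { $notes += 'No SPF record found; messages must pass DKIM instead (otherwise 450 4.7.26).' }
    elseif (-not $spfCoversIpv6) { $notes += 'SPF record has no mechanism that can match an IPv6 sender; add ip6: or sign with DKIM.' }

    [pscustomobject]@{
        SourceIPv6     = $SourceIPv6
        PtrRecord      = if ($hasPtr) { $ptr.NameHost } else { $null }
        SpfRecord      = $spfRecord
        SpfCoversIpv6  = $spfCoversIpv6
        Notes          = $notes
    }
}

# Usage (hypothetical placeholders; the address is from the article's sample error text):
# Test-Ipv6SenderPrerequisites -SourceIPv6 '2a01:111:f200:2004::240' -SenderDomain 'contoso.com'
```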

Related topics
Support for validation of DKIM signed messages
Support for validation of DKIM signed messages
Article • 12/10/2022 • 2 minutes to read

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

Exchange Online Protection (EOP) and Exchange Online both support inbound validation of Domain Keys Identified Mail (DKIM) messages.

DKIM validates that an email message wasn't spoofed by someone else, and was sent
from the domain it says it came from. It ties an email message to the organization that
sent it. DKIM verification is used automatically for all messages sent with IPv6. Microsoft
365 also supports DKIM when mail is sent over IPv4. (For more information about IPv6
support, see Support for anonymous inbound email messages over IPv6.)

DKIM validates a digitally signed message that appears in the DKIM-Signature header of
the message headers. The results of a DKIM-Signature validation are stamped in the
Authentication-Results header. The message header text appears similar to the following
(where contoso.com is the sender):

Authentication-Results: <contoso.com>; dkim=pass (signature was verified)

header.d=example.com;

7 Note

For more information about the Authentication-Results header, see RFC 7001
(Message Header Field for Indicating Message Authentication Status .
Microsoft's DKIM implementation conforms with this RFC.
Admins can create Exchange mail flow rules (also known as transport rules) on the
results of DKIM validation. These mail flow rules will allow admins to filter or route
messages as needed.
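The following PowerShell is an added example and not code from the article. It parses an Authentication-Results header in the format shown above, extracts the DKIM verdict and the signing domain, and tests whether that domain aligns with the From address the way DMARC does, which is the check that turns "dkim=pass" into something you can act on. The sample headers are constructed for the demonstration and the function names are my own. The mail flow rule at the end uses the real Exchange Online PowerShell cmdlet New-TransportRule with its documented HeaderMatches and FromAddressMatches parameters, but nothing is created unless you pass -Apply inside a Connect-ExchangeOnline session.

```powershell
# Added example (not from the article): parse the Authentication-Results header, extract the
# DKIM verdict and signing domain, and test DMARC-style alignment with the From domain.
# Function and variable names are my own; the sample headers are constructed, not real mail.

function Test-DkimAlignment {
    param(
        [Parameter(Mandatory)][string]$AuthenticationResults,
        [Parameter(Mandatory)][string]$From
    )

    # dkim=<result> (optional comment) header.d=<signing domain>
    $m = [regex]::Match($AuthenticationResults,
        'dkim=(?<result>\w+)(?:\s*\([^)]*\))?\s+header\.d=(?<d>[^;\s]+)',
        'IgnoreCase')

    $result = if ($m.Success) { $m.Groups['result'].Value.ToLowerInvariant() } else { 'none' }
    $signer = if ($m.Success) { $m.Groups['d'].Value.ToLowerInvariant() } else { $null }

    # Domain of the visible (RFC 5322) From address: what the user sees and what DMARC aligns on.
    $fromDomain = (($From -replace '^.*<([^>]+)>.*$', '$1').Split('@')[-1]).ToLowerInvariant()

    # Relaxed alignment: same domain, or the signer is an organizational parent of the From domain.
    $aligned = [bool]$signer -and ($signer -eq $fromDomain -or $fromDomain.EndsWith(".$signer"))

    $verdict = if ($result -eq 'pass' -and $aligned) { 'pass-aligned' }
               elseif ($result -eq 'pass') { 'pass-unaligned' }
               else { "dkim-$result" }

    [pscustomobject]@{
        DkimResult    = $result
        SigningDomain = $signer
        FromDomain    = $fromDomain
        Aligned       = [bool]$aligned
        Verdict       = $verdict
    }
}

# Constructed samples modelled on the header format shown in the article.
$samples = @(
    [pscustomobject]@{ AR = 'spf=pass smtp.mailfrom=example.com; dkim=pass (signature was verified) header.d=example.com;'
                       From = 'Alice <alice@example.com>' }
    [pscustomobject]@{ AR = 'dkim=pass (signature was verified) header.d=mailer.example.net;'
                       From = 'Billing <billing@example.com>' }   # signed by a third party: pass, not aligned
    [pscustomobject]@{ AR = 'dkim=fail (body hash did not verify) header.d=example.com;'
                       From = 'Alice <alice@example.com>' }       # altered in transit or forged signature
    [pscustomobject]@{ AR = 'spf=softfail smtp.mailfrom=example.com;'
                       From = 'noreply@example.com' }              # unsigned: no dkim= clause at all
)
$samples | ForEach-Object { Test-DkimAlignment -AuthenticationResults $_.AR -From $_.From } | Format-Table -AutoSize

# Mail flow rule that quarantines messages claiming to be from your own domain when DKIM fails.
# Created in audit mode so you can review hits before enforcing; nothing is created without -Apply.
function New-DkimFailQuarantineRule {
    param([Parameter(Mandatory)][string]$Domain, [switch]$Apply)
    $rule = @{
        Name                       = "Quarantine DKIM failures for $Domain"
        FromAddressMatchesPatterns = '@' + [regex]::Escape($Domain) + '$'
        HeaderMatchesMessageHeader = 'Authentication-Results'
        HeaderMatchesPatterns      = 'dkim=fail'
        Quarantine                 = $true
        Mode                       = 'Audit'   # switch to Enforce after reviewing the rule report
        Comments                   = 'Scoped to our own domain: unsigned third-party mail (dkim=none) and forwards stay unaffected.'
    }
    if ($Apply) { New-TransportRule @rule } else { [pscustomobject]$rule }
}
New-DkimFailQuarantineRule -Domain 'contoso.com'   # add -Apply to create it in the tenant
```

Two caveats a practitioner should keep in mind: a "pass" from a third-party signer (the second sample) is cryptographically valid but says nothing about the From domain, and a "fail" can come from a mailing list or forwarder that rewrote the body rather than from an attacker, which is why the rule is scoped to your own domain and starts in audit mode rather than quarantining everything with dkim=fail.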
Application Guard for Office for admins
Article • 12/22/2022 • 10 minutes to read

Applies to: Word, Excel, and PowerPoint for Microsoft 365 Apps, Windows 10 Enterprise,
Windows 11 Enterprise

Microsoft Defender Application Guard for Office (Application Guard for Office) helps
prevent untrusted files from accessing trusted resources, keeping your enterprise safe
from new and emerging attacks. This article walks admins through setting up supported
devices for Application Guard for Office.

Prerequisites

Licensing requirements

Microsoft 365 E5 or Microsoft 365 E5 Security
Safe Documents in Microsoft 365

Minimum hardware requirements

CPU: 64-bit, 4 cores (physical or virtual), virtualization extensions (Intel VT-x or AMD-V); Core i5 equivalent or higher recommended
Physical memory: 8 GB RAM
Hard disk: 10 GB of free space on the system drive (SSD recommended)

Minimum software requirements

Windows: Windows 10 Enterprise edition, client build version 2004 (20H1) build 19041 or later. All versions of Windows 11 are supported.
Office: Microsoft 365 Apps with build 16.0.13530.10000 or later. For Current Channel and Monthly Enterprise Channel installations, this corresponds to version 2011. For Semi-Annual Enterprise Channel and Semi-Annual Enterprise Channel (Preview), the minimum version is 2108 or later. Both 32-bit and 64-bit versions are supported.
Update package: Windows 10 cumulative monthly security update KB4571756

For detailed system requirements, refer to System requirements for Microsoft Defender Application Guard. Also refer to your computer manufacturer's guides on how to enable virtualization technology. To learn more about Microsoft 365 Apps update channels, see Overview of update channels for Microsoft 365 Apps.

Deploy Application Guard for Office

Enable Application Guard for Office

1. (Windows 10 only) Download and install Windows 10 cumulative monthly security update KB4571756.

2. Select Microsoft Defender Application Guard under Windows Features and select OK. Enabling the Application Guard feature prompts a system reboot. You can choose to reboot now or after step 3.

The feature can also be enabled by running the following PowerShell command as administrator:

PowerShell

Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

3. From the Group Policy Editor window, expand Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Application Guard. Enable the Turn on Microsoft Defender Application Guard in Managed Mode setting. Set the value under Options to 2 (isolated Windows environments such as Office only) or 3 (Microsoft Edge and isolated Windows environments).

Alternatively, you can set the corresponding CSP policy:

OMA-URI: ./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowWindowsDefenderApplicationGuard

Data type: Integer

Value: 2

4. Restart the system.
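The four steps above, as one script you can run in an elevated PowerShell session. This is an added example, not code from the article: it checks the hardware and software prerequisites listed earlier, enables the Windows feature without an immediate reboot, writes the managed-mode policy, and reads the feature state back so you know whether a restart is still pending. The function names are mine. The registry location used for the "Turn on Microsoft Defender Application Guard in Managed Mode" setting is an assumption taken from the AppHVSI ADMX template that backs that Group Policy; confirm it against your own ADMX files before relying on it, or keep using Group Policy or the CSP for that step.

```powershell
# Added example: preflight the Application Guard requirements, enable the Windows feature, set the
# managed-mode policy, and report whether a reboot is still pending. Run elevated.
# Function names are my own. The policy registry path is an ASSUMPTION from the AppHVSI ADMX
# template; verify it before use.

function Test-AppGuardPrerequisites {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    $checks = [ordered]@{
        '64-bit OS'                    = $os.OSArchitecture -like '64*'
        'Enterprise edition'           = $os.Caption -match 'Enterprise'
        'Build 19041 or later'         = [int]$os.BuildNumber -ge 19041
        '4+ logical processors'        = $cs.NumberOfLogicalProcessors -ge 4
        'VT-x/AMD-V enabled in firmware' = [bool]$cpu.VirtualizationFirmwareEnabled
        '8 GB RAM'                     = $cs.TotalPhysicalMemory -ge 8GB
        '10 GB free on system drive'   = $sys.FreeSpace -ge 10GB
    }
    foreach ($k in $checks.Keys) {
        [pscustomobject]@{ Check = $k; Pass = [bool]$checks[$k] }
    }
}

function Enable-AppGuardForOffice {
    param(
        # 2 = isolated Windows environments (Office) only; 3 = Microsoft Edge and Office.
        [ValidateSet(2, 3)][int]$Mode = 2
    )

    # Step 2: enable the optional feature. -NoRestart lets us reboot once, after the policy is written.
    $feature = Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart

    # Step 3: the Group Policy setting written as its policy registry value (assumed path, see above).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'AllowAppHVSI_ProviderSet' -PropertyType DWord -Value $Mode -Force | Out-Null

    [pscustomobject]@{
        FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).State
        PolicyValue   = (Get-ItemProperty -Path $policyKey -Name 'AllowAppHVSI_ProviderSet').AllowAppHVSI_ProviderSet
        RestartNeeded = [bool]$feature.RestartNeeded
    }
}

$pre = Test-AppGuardPrerequisites
$pre | Format-Table -AutoSize
if ($pre | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites failed; fix them before enabling Application Guard.'
} else {
    Enable-AppGuardForOffice -Mode 2    # Step 4: restart the system when RestartNeeded is True
}
```

The feature state reported here only confirms the Windows side. Whether Office actually routes untrusted files into the container still needs the end-to-end check in the next sections: open a downloaded file and look for the ribbon callout and the shield on the taskbar icon.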

Set Diagnostics & feedback to send full data

Note

This isn't required; however, configuring optional diagnostic data helps diagnose reported issues.

This step ensures that the data necessary to identify and fix problems is reaching Microsoft. Follow these steps to enable diagnostics on your Windows device:

1. Open Settings from the Start menu.

2. On Windows Settings, select Privacy.

3. Under Privacy, select Diagnostics & feedback and select Optional diagnostic data.

For more on configuring Windows diagnostic settings, refer to Configuring Windows diagnostic data in your organization.

Confirm that Application Guard for Office is enabled and working

Before confirming that Application Guard for Office is enabled:

1. Launch Word, Excel, or PowerPoint on a device where the policies have been deployed.

2. From the app you launched, go to File -> Account. On the Account page, verify that the expected license is shown.

To confirm that Application Guard for Office is enabled, open an untrusted document. For example, you can open a document that was downloaded from the internet or an email attachment from someone outside your organization.

When you first open an untrusted file, you see an Office splash screen like the following example. Application Guard for Office is being activated and the file is being opened. Subsequent openings of untrusted files are typically faster.

After the file opens, there are a few visual indicators that signal that the file is open inside Application Guard for Office:

A callout in the ribbon
The application icon with a shield in the taskbar

Configure Application Guard for Office

Office supports the following policies to configure Application Guard for Office. These policies can be configured through group policies or through the Office cloud policy service.

Note

Configuring these policies can disable some functionality for files opened in Application Guard for Office.

Policy: Don't use Application Guard for Office
Description: Enabling this policy forces Word, Excel, and PowerPoint to use the Protected View isolation container instead of Application Guard for Office.

Policy: Configure Application Guard for Office container pre-creation
Description: This policy determines if the Application Guard for Office container is pre-created for improved run-time performance. When you enable this policy, you can specify the number of days to continue pre-creating a container or let the Office built-in heuristic pre-create the container.

Policy: Don't allow copy/paste for Office documents opened in Application Guard for Office
Description: Enabling this policy prevents a user from copying and pasting content from a document opened in Application Guard for Office to a document opened outside of the container.

Policy: Disable hardware acceleration in Application Guard for Office
Description: This policy controls whether Application Guard for Office uses hardware acceleration to render graphics. If you enable this setting, Application Guard for Office uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.

Policy: Disable unsupported file types protection in Application Guard for Office
Description: This policy controls whether Application Guard for Office blocks unsupported file types from being opened or enables redirection to Protected View.

Policy: Turn off camera and microphone access for documents opened in Application Guard for Office
Description: Enabling this policy removes Office access to the camera and microphone inside Application Guard for Office.

Policy: Restrict printing from documents opened in Application Guard for Office
Description: Enabling this policy limits the printers that a user can print to from a file opened in Application Guard for Office. For example, you can use this policy to restrict users to only print to PDF.

Policy: Prevent users from removing Application Guard for Office protection on files
Description: Enabling this policy removes the option (within the Office application experience) to disable Application Guard for Office protection or to open a file outside Application Guard for Office.
Note: Users can still bypass this policy by manually removing the mark-of-the-web property from the file or by moving a document to a trusted location.

Note

For the following policies to take effect, users are required to sign out and sign in again to Windows:

Disable copy/paste for documents opened in Application Guard for Office
Restrict printing for documents opened in Application Guard for Office
Turn off camera and microphone access to documents opened in Application Guard for Office
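The bypass mentioned in the policy table, removing the mark of the web, is worth being able to see. The mark of the web is the Zone.Identifier alternate data stream on an NTFS file; a ZoneId of 3 (Internet) or 4 (Restricted sites) is what tells Office the file came from an untrusted zone and belongs in Application Guard. The script below is an added example and not from the article: it stamps a constructed Zone.Identifier onto a scratch file, reads it back, strips it the way a user would with Unblock-File, and reads it again, then lists which files in the Downloads folder still carry a mark and where they came from. Get-MarkOfTheWeb is my own function name; the stream name, the ZoneId values and the Unblock-File cmdlet are the standard Windows ones. It needs an NTFS volume, since alternate data streams don't exist on FAT or exFAT.

```powershell
# Added example: inspect and audit the mark of the web (Zone.Identifier stream) that decides whether
# Office opens a file in Application Guard. Function name is my own; the stream format (ZoneId,
# ReferrerUrl, HostUrl) is the standard Windows one. NTFS only.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path = $Path; HasMotw = $false; ZoneId = $null; ZoneName = $null
        ReferrerUrl = $null; HostUrl = $null; Untrusted = $false
    }
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

    # Get-Item -Stream addresses the alternate data stream; the catch covers missing files and non-NTFS volumes.
    $stream = try { Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop } catch { $null }
    if ($stream) {
        $result.HasMotw = $true
        foreach ($line in (Get-Content -LiteralPath $Path -Stream 'Zone.Identifier')) {
            if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
                $result[$matches[1]] = $matches[2]
            }
        }
        if ($null -ne $result.ZoneId) {
            $result.ZoneId   = [int]$result.ZoneId
            $result.ZoneName = $zoneNames[$result.ZoneId]
        }
        # Internet (3) and Restricted (4) are the zones Office treats as untrusted.
        $result.Untrusted = [bool]($result.ZoneId -in @(3, 4))
    }
    [pscustomobject]$result
}

# Demonstration on a scratch file with a CONSTRUCTED mark of the web (not a real download; the
# file body is a placeholder, only the stream matters here).
$file = Join-Path $env:TEMP 'appguard-motw-demo.docx'
Set-Content -LiteralPath $file -Value 'placeholder'
Set-Content -LiteralPath $file -Stream 'Zone.Identifier' -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'ReferrerUrl=https://downloads.example.test/',
    'HostUrl=https://downloads.example.test/report.docx'
)

Get-MarkOfTheWeb -Path $file      # HasMotw True, ZoneName Internet, Untrusted True
Unblock-File -LiteralPath $file   # what a user does to sidestep "Prevent users from removing protection"
Get-MarkOfTheWeb -Path $file      # HasMotw False, Untrusted False: Office will now open it unprotected
Remove-Item -LiteralPath $file

# Audit: which files in Downloads still carry a mark of the web, and from which host.
Get-ChildItem -LiteralPath (Join-Path $env:USERPROFILE 'Downloads') -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
    Where-Object HasMotw |
    Format-Table Path, ZoneName, HostUrl -AutoSize
```

Once the stream is gone there is no trace in the file itself that it was ever downloaded, so if you need to know that users are stripping the mark, look for it at the time it happens (for example, file-system or Unblock-File telemetry from Defender for Endpoint) rather than by inspecting files afterwards.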
Submit feedback

Submit feedback via Feedback Hub


If you encounter any issues when launching Application Guard for Office, you're
encouraged to submit your feedback via Feedback Hub:

1. Open the Feedback Hub app and sign in.

2. If you get an error dialog while launching Application Guard, select Report to
Microsoft in the error dialog to start a new feedback submission. Otherwise,
navigate to https://aka.ms/mdagoffice-fb to select the correct category for
Application Guard, then select + Add new feedback near the top right.

3. Enter a summary in the Summarize your feedback box.

4. Enter a detailed description of the issue and what steps you completed to debug
in the Explain in more detail box, then select Next.

5. Select the bubble next to Problem. Make sure the category selected is Security
and Privacy > Microsoft Defender Application Guard – Office, then select Next.

6. Select New feedback, then Next.

7. Collect traces about the issue:

a. Expand the Recreate my problem tile.

b. If the issue you're experiencing occurs while Application Guard is running, open
an Application Guard instance. Opening an instance allows additional traces to
be collected from within the Application Guard container.

c. Select Start recording, and wait for the tile to stop spinning and say Stop
recording.

d. Fully reproduce the issue with Application Guard. Reproduction might include
attempting to launch an Application Guard instance and waiting until it fails, or
reproducing an issue in a running Application Guard instance.

e. Select the Stop recording tile.

f. Keep any running Application Guard instance(s) open, even for a few minutes
after submission, so that container diagnostics can also be collected.

8. Attach any relevant screenshots or files related to the problem.


9. Select Submit.

Submit feedback via One Customer Voice


You may also submit feedback from within Word, Excel, and PowerPoint if the issue
happens when files are opened in Application Guard. Refer to Provide feedback for
detailed guidance.

Integration with Microsoft Defender for Endpoint and Microsoft Defender for Office 365

Application Guard for Office is integrated with Microsoft Defender for Endpoint to provide monitoring and alerting on malicious activity that happens in the isolated environment.

Safe Documents in Microsoft 365 E5 is a feature that uses Microsoft Defender for Endpoint to scan documents opened in Application Guard for Office. For an additional layer of protection, users can't leave Application Guard for Office until the results of the scan have been determined.

Limitations and considerations

Application Guard for Office is a protected mode that isolates untrusted documents so that they can't access trusted corporate resources, an intranet, the user's identity, and arbitrary files on the computer. As a result, if a user tries to access a feature that has a dependency on such access, for example inserting a picture from a local file on disk, the access fails and displays a prompt like the following example. To enable an untrusted document to access trusted resources, users must remove Application Guard protection from the document.

Note

Advise users to only remove protection if they trust the file and the source of the file.

Active content like macros and ActiveX controls is disabled in Application Guard for Office. To enable active content, the Application Guard protection must be removed.

Untrusted files from network shares or files shared from OneDrive, OneDrive for Business, or SharePoint Online open as read-only in Application Guard. Users can save a local copy of such files to continue working in the container or remove protection to work directly with the original file.

Files that are protected by Information Rights Management (IRM) are blocked by default. If users want to open such files in Protected View, an administrator must configure policy settings for unsupported file types for the organization.

Any customizations to Office applications in Application Guard for Office don't persist after a user signs out and signs in again or after the device restarts.

Only accessibility tools that use the UI Automation (UIA) framework can provide an accessible experience for files opened in Application Guard for Office.

Network connectivity is required for the first launch of Application Guard after installation.

In the document's info section, the Last Modified By property may display WDAGUtilityAccount as the user. WDAGUtilityAccount is the anonymous account used by Application Guard. The desktop user's identity isn't available inside the Application Guard container.

Performance optimizations for Application Guard for Office

Application Guard uses a virtualized container, similar to a virtual machine, to isolate untrusted documents from the system. The process of creating a container and setting up the Application Guard container to open Office documents has a performance overhead that might negatively affect user experience when users open an untrusted document.

To provide users with the expected file-opening experience, Application Guard uses logic to pre-create a container when the following heuristic is met on a system: a user has opened a file in either Protected View or Application Guard in the past 28 days.

When this heuristic is met, Office pre-creates an Application Guard container for the user after they sign in to Windows. While this pre-create operation is in progress, the system may experience slow performance, but the effect resolves as soon as the operation completes.

Note

The hints needed for the heuristic to pre-create the container are generated by Office applications as a user uses them. If a user installs Office on a new system where Application Guard is enabled, Office won't pre-create the container until after the first time a user opens an untrusted document on the system. The user will observe that this first file takes longer to open in Application Guard.

Known issues

Selecting web links (http or https) doesn't open the browser.
The default setting for the copy-paste protection policy is to enable clipboard access to text only.
The default setting for the unsupported file types protection policy is to block opening untrusted unsupported file types that are encrypted or have Information Rights Management (IRM) set. This includes files that are encrypted by using sensitivity labels from Microsoft Purview Information Protection.
CSV and HTML files aren't supported at this time.
Application Guard for Office currently doesn't work with NTFS compressed volumes. If you see the error ERROR_VIRTUAL_DISK_LIMITATION, try uncompressing the volume.
Updates to .NET might cause files to fail to open in Application Guard. As a workaround, users can restart their device when they come across this failure. Learn more about the issue at Receiving an error message when attempting to open Windows Defender Application Guard or Windows Sandbox.

See Frequently asked questions - Microsoft Defender Application Guard for additional information.
Delegated administration FAQ

This article provides frequently asked questions and answers about delegated
administration tasks in Microsoft 365 for Microsoft partners and resellers. Delegated
administration includes the ability to manage Exchange Online Protection (EOP) settings
for other tenants (companies).

I'm a reseller and I need to manage my customer tenants. How does this work?

If you're a Microsoft partner or reseller, and you've signed up to be a Microsoft Cloud Solution Provider (CSP), you can request delegated administration capabilities in your customer's Microsoft 365 organization. For more information, see the following articles:

Cloud Solution Provider program
Obtain permissions to manage a customer's service or subscription

I'm a customer, not a reseller. How can I set up delegated administration for my subtenants?

Delegated administration is only available for resellers and partners. However, there's a sample PowerShell script that helps you apply policies to your subtenants (companies). For more information, see Sample script for applying EOP settings to multiple tenants.

Can I prevent my subtenant admin from modifying my policy?

No. Microsoft 365 doesn't currently have this capability.

Can I get consolidated reporting across all of my subtenants?

Consolidated reporting across the companies you manage isn't available in Microsoft 365 admin center reports. However, you can get reports by using Microsoft Graph.
EOP general FAQ

Applies to

Exchange Online Protection standalone

Here we answer the most common general questions about the Exchange Online Protection (EOP) cloud-hosted email filtering service. For additional frequently asked questions (FAQ) topics, go to the following links:

EOP queued, deferred, and bounced messages FAQ

Delegated administration FAQ

Anti-spam protection FAQ

Quarantine FAQ

Anti-malware protection FAQ

Message Trace FAQ

What is EOP?
EOP is a cloud-hosted email filtering service built to protect customers from spam and
malware, and to implement custom policy rules. EOP is included in any Microsoft 365
subscription that contains Exchange Online mailboxes. EOP is also available as a
standalone offering to help protect on-premises email environments.

How do I sign up for an EOP trial or purchase EOP?

Sign up for an EOP trial or purchase EOP via the web at the Exchange Online Protection home page. Note that the functionality for a trial purchase is the same as for a paid subscription, but also includes the additional features provided with the Exchange Enterprise CAL with Services subscription plan.

How is EOP priced?

EOP is licensed by user. For the latest pricing information, see the Exchange Online Protection home page.

How long does it take to put EOP into production?

When you change your MX record, as per the steps outlined in Set up your EOP service, and your mail flows through EOP, filtering begins immediately. The MX record may take as long as 24-48 hours to propagate via DNS. You can fine-tune your protection settings at any time during this process.

Do I have to use all features of Microsoft 365 to use EOP? What if I just want EOP protection and that's all?

You can use EOP to protect your on-premises mailboxes without using any other features of Microsoft 365. This is known as a standalone subscription. A list of EOP features can be found in the Exchange Online Protection Service Description.

Why do I need a Microsoft 365 tenant when signing up for email filtering through EOP?

Microsoft 365 is the name given to a collection of products and services that may be accessed through a Microsoft 365 tenant. Think of the Microsoft 365 tenant as the starting point to which you may add licenses for email filtering.

Does EOP have a communication portal where I can find out about known issues and expected resolutions? What about new features?

The Microsoft 365 admin center has some of this information. If you're impacted by a Service Level Event, you should see a communication alert (typically accompanied by a bell icon) after signing in to the Microsoft 365 admin center. We recommend that you read and act on any items as appropriate.

Regarding new EOP features, the Microsoft 365 for business roadmap is a good resource for finding out about upcoming new features. We also post blog articles about new features to the Microsoft 365 Blogs website.

Does the service work with legacy Exchange versions (such as Exchange Server 2010) and non-Exchange environments?

Yes, the service is server agnostic and can be used with any SMTP mail transfer agent.

What size organization can use the service?

Any size. The EOP network has sufficient capacity to accommodate your growth, no matter how fast your organization grows.

What permissions do I need to set up EOP?

To configure EOP, you must be a global admin or an Exchange Company Administrator (a member of the Organization Management role group).

How do I know my data and private information are safe?

To learn more about the steps we've taken to ensure the safety of your data and private information, including information about Service Level Agreements (SLAs), go to the Office 365 Trust Center.

Are there any limits I should be aware of, such as message size limitations?

Yes. For more information about limits in EOP, see Exchange Online Protection Limits.

Does EOP support PowerShell?

Yes, full EOP functionality is available via PowerShell: Exchange Online PowerShell for organizations with Exchange Online mailboxes, and standalone EOP PowerShell for standalone EOP organizations. For more information, see Exchange Online PowerShell and Exchange Online Protection PowerShell.
EOP queued, deferred, and
bounced messages FAQ

Applies to

Exchange Online Protection
Microsoft Defender for Office 365 plan 1 and plan 2
Microsoft 365 Defender

This topic provides answers to frequently asked questions about messages that have been queued, deferred, or bounced during the Exchange Online Protection (EOP) filtering process.

Why is mail queuing?

Messages are queued or deferred if the service is unable to make a connection to the recipient server for delivery. The service doesn't defer messages if a 500-series error is returned from the recipient network.

How does a message become deferred?

Messages are held when a connection to the recipient server can't be made and the recipient's server is returning a "temporary failure" such as a connection time-out, connection refused, or a 400-series error. If there's a permanent failure, such as a 500-series error, the message is returned to the sender.

How long does a message remain in deferral and what is the retry interval?

Messages in deferral remain in our queues for 1 day. Message retry attempts are based on the error we get back from the recipient's mail system. The first few deferrals are 15 minutes or less, with subsequent retries (over the next half dozen or so) increasing the interval over multiple retries to a maximum of 60 minutes. The interval expansion is dynamic, taking into consideration multiple variables like queue sizes and internal message priority. In short, it's 15 minutes (or less) to start, then expanding from there over the next few hours to 60 minutes maximum.

After your email server is restored, how are queued messages distributed?

After your email server is restored, all queued messages are automatically processed in the order in which they were received and queued when the server became unavailable.
Microsoft 365 Defender

Learn about the robust security solutions in Microsoft 365 Defender so that you can better protect your enterprise across attack surfaces.

Microsoft 365 Defender

OVERVIEW
What is Microsoft 365 Defender?

WHAT'S NEW
What's new in Microsoft 365 Defender

VIDEO
Overview video

Evaluate capabilities

GET STARTED
Create a trial lab
Run pilot project in production

Get started

GET STARTED
Get started with Microsoft 365 Defender

DEPLOY
Turn on Microsoft 365 Defender

Deploy supported services

Microsoft Defender for Identity

OVERVIEW
What is Microsoft Defender for Identity?
Microsoft Defender for Identity architecture

Microsoft Defender for Office 365

OVERVIEW
What is Microsoft Defender for Office 365?
Microsoft Defender for Office 365 service description
Microsoft Defender for Office 365 in Microsoft 365 Defender
Redirecting Microsoft Defender for Office 365 in Microsoft 365 Defender

Microsoft Defender for Endpoint

OVERVIEW
What is Microsoft Defender for Endpoint?
Defender for Endpoint in Microsoft 365 Defender
Redirecting Defender for Endpoint in Microsoft 365 Defender

Microsoft Defender for Cloud Apps

OVERVIEW
What is Microsoft Defender for Cloud Apps?
Get started with Microsoft Defender for Cloud Apps

Manage incidents and alerts

OVERVIEW
Investigate incidents
Track and respond to emerging threats
Automated investigation and response
Hunt for threats

Reference

REFERENCE
Microsoft 365 Defender APIs
Microsoft Defender for Endpoint documentation

Microsoft Defender for Endpoint delivers preventative protection, post-breach detection, automated investigation, and response.

Microsoft Defender for Endpoint

OVERVIEW
What is Microsoft Defender for Endpoint?
What is Defender for Endpoint plan 1?
Compare Defender for Endpoint plans

WHAT'S NEW
What's new in Microsoft Defender for Endpoint
Announcing Microsoft Defender for Endpoint Plan 1

VIDEO
Overview video

Evaluate & deploy the service

GET STARTED
Evaluate Microsoft Defender for Endpoint
Plan your deployment

DEPLOY
Deployment guide
Onboard supported devices
Set up and configure Defender for Endpoint Plan 1

HOW-TO GUIDE
Migration guide

VIDEO
Onboarding video

Security operations

OVERVIEW
Endpoint detection and response
Behavioral blocking and containment
Automated investigation and response (AIR)
Advanced hunting
Microsoft Threat Experts
Threat analytics

Use Microsoft Defender for Endpoint on other platforms

OVERVIEW
Microsoft Defender for Endpoint on Mac
Microsoft Defender for Endpoint on iOS
Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Android

Reference

REFERENCE
Management and APIs
Partner integration

Security administration

OVERVIEW
Microsoft Defender Vulnerability Management
Attack surface reduction
Next-generation protection
Microsoft Defender for Identity documentation

The Microsoft Defender for Identity cloud service helps protect your enterprise hybrid environments from multiple types of advanced targeted cyber attacks and insider threats.

About Microsoft Defender for Identity

OVERVIEW
What is Microsoft Defender for Identity?

ARCHITECTURE
Defender for Identity architecture

WHAT'S NEW
Releases

Check out Defender for Identity alerts

GET STARTED
Security alerts
Manage security alerts
Health alerts

Explore different ways to use Defender for Identity

HOW-TO GUIDE
Security posture assessments
Configure detection exclusions
Search and filter monitored activities
Set entity tags
Advanced Threat Analytics (ATA) to Defender for Identity migration

Investigate threats

TUTORIAL
Investigate assets
Investigate lateral movement paths
Remediation actions

Resources and support

REFERENCE
Frequently asked questions
Support
Defender for Identity data security and privacy
Microsoft Defender for Cloud Apps documentation

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.

About Defender for Cloud Apps

OVERVIEW
What is Defender for Cloud Apps?
Top 20 CASB use cases

WHAT'S NEW
Releases

VIDEO
Deployment videos

Get started

QUICKSTART
Get started with Defender for Cloud Apps

REFERENCE
Using the Defender for Cloud Apps REST API
Investigate anomaly detection alerts

Explore our top use cases

TUTORIAL
Detect and manage suspicious activities
Investigate risky users
Investigate risky OAuth apps
Protect any app in your organization in real time
Block download of sensitive information
Manage cloud platform security
Protect files with admin quarantine
Apply sensitivity labels from Microsoft Purview Information Protection
Extend governance to endpoint remediation

Concepts

CONCEPT
Protect apps with Conditional Access App Control
Working with the dashboard
Working with App risk scores
Working with discovered apps
Protect connected apps
Manage app governance

Best practices

GET STARTED
Discover and assess cloud apps
Apply cloud governance policies
Limit exposure of shared data and enforce collaboration policies
Discover, classify, label, and protect regulated and sensitive data stored in the cloud
Enforce DLP and compliance policies for data stored in the cloud
Block and protect download of sensitive data to unmanaged or risky devices
Secure collaboration with external users by enforcing real-time session controls
Detect cloud threats, compromised accounts, malicious insiders, and ransomware
Use the audit trail of activities for forensic investigations
Secure IaaS services and custom apps

Discover and control Shadow IT

TUTORIAL
Discover and identify Shadow IT
Evaluate and analyze
Manage your apps

CONCEPT
Working with the dashboard
Working with the discovered apps
Working with App risk scores

DEPLOY
Deploy Cloud Discovery

HOW-TO GUIDE
Integrate with Microsoft Defender for Endpoint
Cloud Discovery enrichment

REFERENCE
Discover and assess cloud apps

VIDEO
Shadow IT discovery beyond the corporate network

Additional resources

TRAINING
Read our e-books
Explore Microsoft 365, a complete solution that includes Defender for Cloud Apps

VIDEO
Watch our webinars
Microsoft Defender for Business

Simple, comprehensive endpoint security to help you protect your business, so you can focus on what matters. Defender for Business is available as a standalone subscription and is included in Microsoft 365 Business Premium. Microsoft Defender for Business servers is now generally available; learn more at https://aka.ms/mdb-servers.

Overview

OVERVIEW
What is Defender for Business?
The simplified configuration process
Compare plans for small and medium-sized businesses
Resources for Microsoft partners
Integration with Microsoft 365 Lighthouse

HOW-TO GUIDE
Get the most from your Defender for Business trial

Get started

GET STARTED
Interactive guide - Get started with Defender for Business
Get Defender for Business
Get Microsoft Defender for Business servers
See the trial user guide
Use the setup wizard
Turn on preview features

Help and more resources

HOW-TO GUIDE
How to get help or contact support
Frequently asked questions
Glossary of security terms
Microsoft Defender Vulnerability Management

Reduce cyber risk with continuous vulnerability discovery and assessment, risk-based prioritization, and remediation.

Overview

OVERVIEW
What is Microsoft Defender Vulnerability Management?
Compare Microsoft Defender Vulnerability Management offerings

Get started

GET STARTED
Get Defender Vulnerability Management

Discover and explore inventories

HOW-TO GUIDE
Device inventory
Software inventory
Browser extensions
Certificate inventory

Detect and assess threats

HOW-TO GUIDE
Dashboard insights
Exposure score
Microsoft Secure Score for Devices
Security baselines
Hunt for exposed devices

Identify risk and prioritize remediation

HOW-TO GUIDE
Address security recommendations
Network share configuration assessment
Exceptions for security recommendations
Plan for end-of-support software
Mitigate zero-day vulnerabilities
Vulnerabilities in my organization
Event timeline

Track and mitigate remediation activities

HOW-TO GUIDE
Remediate vulnerabilities
Block vulnerable applications
Vulnerable devices report