Anti-Spam
Configure Exchange Online Protection (EOP) anti-spam policies to filter unwanted bulk email, phishing attempts, and spam. Multi-layered filtering analyzes sender reputation, content, and behavior to protect your organization.
Spam Verdicts
High Confidence Spam
Clear spam indicators. Recommended action: Quarantine or delete.
Spam
Likely spam based on content and sender analysis. Default action: Move to Junk.
High Confidence Phishing
Definite phishing attempt. Always quarantine. Users cannot release.
Phishing
Suspected phishing based on URL or content analysis. Recommended: Quarantine.
Bulk
Legitimate but unwanted marketing email. Configurable threshold and action.
Anti-Spam Policy Settings
Spam Threshold and Actions
| Verdict | Available Actions | Recommended |
|---|---|---|
| Spam | Move to Junk, Quarantine, Delete | Move to Junk |
| High Confidence Spam | Quarantine, Delete | Quarantine |
| Phishing | Move to Junk, Quarantine | Quarantine |
| High Confidence Phishing | Quarantine (fixed) | Quarantine |
| Bulk | Move to Junk, Quarantine, Delete | Move to Junk |
Bulk Email Threshold
Bulk Complaint Level (BCL) ranges from 1 to 9. A lower threshold value means stricter filtering.
- BCL 1-3: Legitimate marketing (low complaint rate)
- BCL 4-6: Mixed reputation
- BCL 7-9: High complaint rate, likely unwanted
Default threshold: 7. Standard preset: 6. Strict preset: 5.
Spam Properties
Mark messages as spam based on specific characteristics:
- Empty messages
- JavaScript or VBScript in HTML
- Frame or IFrame tags in HTML
- Object tags in HTML
- Embed tags in HTML
- Form tags in HTML
Allow and Block Lists
Allowed Senders/Domains
Mail from these sources bypasses spam filtering. Use sparingly as it creates security risk.
Warning: Allow lists don’t bypass malware or phishing protection.
Blocked Senders/Domains
Mail from these sources is always marked as spam. Useful for persistent spam sources not caught by filters.
Tenant Allow/Block List
Centrally manage allowed and blocked entries for URLs, files, and senders. Entries expire after 30 days unless renewed.
Inbound vs Outbound
Inbound Anti-Spam
Filters spam coming into your organization. Protects users from unwanted email and phishing.
- Connection filtering (IP reputation)
- Content filtering (body analysis)
- Sender filtering (domain reputation)
Outbound Anti-Spam
Prevents your organization from sending spam. Protects your domain reputation and prevents compromise.
- Rate limiting per user
- External forwarding control
- Compromise detection
Outbound Spam Policy
Sending Limits
Configure maximum recipients per hour and per day. Exceeding limits blocks the user from sending.
External Forwarding
- Automatic — System controls forwarding based on risk
- On — Allow all external forwarding
- Off — Block all automatic forwarding to external recipients
Notifications
Notify specified admins when users are blocked for sending spam or exceeding limits.
Quarantine Management
Quarantined spam can be reviewed and released:
Admin Quarantine
Administrators can review all quarantined messages and release them, delete them, or report false positives.
User Quarantine
Users can view their own quarantined spam (not phishing) and release it to their inbox if the policy allows.
Note: Quarantine policies control what actions users can take. High confidence phishing never allows user release.
Best Practices
- Use preset security policies — Standard or Strict presets provide Microsoft-recommended settings.
- Enable Zero-Hour Auto Purge — ZAP removes spam discovered after delivery to user mailboxes.
- Minimize allow lists — Allow lists bypass spam filtering and can be exploited by attackers.
- Block external forwarding — Prevent auto-forwarding to external domains to limit data exfiltration.
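The recommendations above (the verdict action table, the BCL presets, and the allow-list, ZAP and forwarding guidance) expressed as a configuration audit. This is an added example, not code from the original page or the product's API; every dictionary field name and action string is an assumption, because the page does not document a response schema.

```python
# Added example: audits a policy against this page's recommendations.
# Every field name is hypothetical; the page gives no response schema.
STRICTNESS = ["MoveToJunk", "Quarantine", "Delete"]  # weakest to strongest
RECOMMENDED = {  # verdict -> (available actions, recommended), from the table
    "spam": ({"MoveToJunk", "Quarantine", "Delete"}, "MoveToJunk"),
    "high_confidence_spam": ({"Quarantine", "Delete"}, "Quarantine"),
    "phishing": ({"MoveToJunk", "Quarantine"}, "Quarantine"),
    "high_confidence_phishing": ({"Quarantine"}, "Quarantine"),
    "bulk": ({"MoveToJunk", "Quarantine", "Delete"}, "MoveToJunk"),
}
BCL_PRESETS = {"default": 7, "standard": 6, "strict": 5}

def audit_policy(inbound, outbound, preset="standard"):
    """Return findings in check order; an empty list means no deviation."""
    findings = []
    for verdict, (available, recommended) in RECOMMENDED.items():
        action = inbound.get("actions", {}).get(verdict)
        if action not in available:
            findings.append(f"{verdict}: action {action!r} is not available")
        elif STRICTNESS.index(action) < STRICTNESS.index(recommended):
            findings.append(f"{verdict}: {action} is weaker than {recommended}")
    bcl = inbound.get("bulk_threshold", BCL_PRESETS["default"])
    if not 1 <= bcl <= 9:
        findings.append(f"bulk_threshold {bcl} is outside 1-9")
    elif bcl > BCL_PRESETS[preset]:
        findings.append(f"bulk_threshold {bcl} exceeds {preset} preset {BCL_PRESETS[preset]}")
    allowed = inbound.get("allowed_senders", []) + inbound.get("allowed_domains", [])
    if allowed:
        findings.append(f"{len(allowed)} allow-list entries bypass spam filtering")
    if not inbound.get("zap_enabled", False):
        findings.append("Zero-Hour Auto Purge is disabled")
    if outbound.get("external_forwarding") != "Off":
        findings.append("external auto-forwarding is not blocked")
    return findings

# Constructed sample policies, not output from a real tenant.
SAMPLE_INBOUND = {
    "actions": {"spam": "MoveToJunk", "high_confidence_spam": "Quarantine",
                "phishing": "MoveToJunk", "high_confidence_phishing": "Quarantine",
                "bulk": "MoveToJunk"},
    "bulk_threshold": 7,
    "allowed_domains": ["partner.example"],
    "zap_enabled": True,
}
SAMPLE_OUTBOUND = {"external_forwarding": "On"}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_INBOUND, SAMPLE_OUTBOUND):
        print(finding)
```

A stricter-than-recommended action (for example Delete for High Confidence Spam) is not reported; only weaker or unavailable actions are.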
API Reference
GET /api/exchange/anti-spam-policies
List anti-spam policies
PUT /api/exchange/anti-spam-policies/:id
Update policy settings
GET /api/exchange/outbound-spam-policies
List outbound spam policies
GET /api/exchange/quarantine?type=spam
List quarantined spam
GET /api/exchange/spam-report
Get spam detection statistics