Why you Need to Configure Your Spam Filter in Office 365


It feels like tech companies have been waging war against spam virtually since the Internet became mainstream in the late 1990s. Would you believe that’s incorrect? Technically, the first spam was sent over ARPANET (the predecessor to what we now know as the “Internet”) all the way back in 1978. It was sent by a marketing manager promoting a new computer. He sent it to only 400 people and it resulted in $13 million in sales. Fast forward to 2022 and we see all kinds of depressing statistics for how spam dominates the Internet. Common figures put the total number of emails sent daily at around 22 billion. Roughly 122 billion (85%) of those are spam (https://dataprot.net/statistics/spam-statistics/). That’s the bad news. The good news is that the figure dropped from about 316 billion in 2020. Let’s find out how Microsoft’s Office 365 spam filters are going to help with this problem!

Does Office 365 Have a Spam Filter?

The answer to this first question is yes! They are configured using policies under Exchange Online Protection (EOP), Microsoft’s powerful cloud-based filtering service. This service was first launched in 2009 by Microsoft as “Forefront Online Security for Exchange”. Later that same year, it rebranded to “Forefront Online Protection for Exchange,” and finally to EOP in 2014.

How Do I Access My Spam Filter for Office 365?

The Office 365 spam filters/policies are accessed via the Microsoft Office Admin center Security Portal, under Policies and rules:

You can also reach them directly using this link: https://security.microsoft.com/antispam

How Do I Set up Spam Filters in Office 365?

So, there are 2 important concepts to cover before we get started:

  1. spam filter policies
  2. spam filter rules

Spam filter policies are used to specify what happens if a condition is true, and the associated notification options in that policy. On the other hand, spam filter rules are used to specify the priority and who the policy is applied to. The spam filter rule is created and defined when you create the policy.

Once you hop into the portal, you’ll see that Microsoft starts you off with 3 default built-in policies:

  • Anti-spam inbound policy (Default);
  • Connection filter policy (Default);
  • Anti-spam outbound policy (Default).

Some things to note about these built-in policies:

  • They are applied to all recipients in the organization (despite an absence of a spam filter rule associated with each policy);
  • The “priority” for each is a fixed value called “Lowest” that cannot be modified, so they are always applied last, i.e., so long as you have a single custom policy, that custom policy will always take precedence;
  • They cannot be deleted.

Policies can be created via the web Security Center or via PowerShell. I’ll go through the web interface for this exercise, but the link to configuring via PowerShell is here.

To create your own policy, click the “Create Policy” button and select the type of policy you want to add:

We’ll go through Inbound first, so choose “Inbound” from those 2 options.

Something meaningful to describe what the policy does.

Users, Groups, Domains:

  • Users: mailboxes, mail users, or mail contacts;
  • Groups: distribution groups, mail-enabled security groups, or Microsoft 365 Groups;
  • Domains: all recipients in the specified domain.

Anti Spam Policies

Bulk email threshold & spam properties

Here you can specify the bulk complaint level (BCL). In Exchange Online Protection parlance, the BCL is a value, added in an X-header to the message, effectively indicating if the message is spam. The higher the value, the stronger the likelihood it is spam. If the level assessed for a message reaches this threshold value, the specified action (defined later) kicks in.

  BCL        Description
  0          The message isn’t from a bulk sender.
  1,2,3      The message is from a bulk sender that generates few complaints.
  4,5,6,7    The message is from a bulk sender that generates a mixed number of complaints.
  8,9        The message is from a bulk sender that generates a high number of complaints.

Microsoft assigns 7 as the default value. More information here on Bulk complaint level values.

In the next section, you can adjust settings to assess the message for different types of links or URLs and specify whether to increase the spam score based on those.

SPF record setting

The last section has 13 different properties you can adjust to explicitly mark the message as spam. For example, you might have a requirement to block any email that fails an SPF check. You can adjust as many or as few as you need to suit your spam “appetite” (yes, that metaphor was intentional).

Clicking Next is where you can set the action to be taken for bulk, spam, and phishing messages. For each of these, you can take actions like moving messages to the Junk folder in Outlook, deleting the message, quarantining, and a few others. Here too you can enable safety tips for the policy, which adds a message like this as a banner in Outlook:

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

In the last section you can add senders, or in fact entire domains, to an allowed or blocked list. Finally, you get an opportunity to review all the settings and create your policy.
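The same inbound wizard steps expressed in Exchange Online PowerShell, as an added example (not from the original article or from Microsoft's documentation). The policy name, the domains contoso.com and spam.example, and the chosen threshold and actions are assumptions to replace with your own.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# the signed-in account is allowed to manage anti-spam policies.
Connect-ExchangeOnline

# Placeholder values (assumptions): policy name and domains.
$policyName = 'Contoso Strict Inbound'

# The policy holds the "what happens" settings from the wizard pages.
$policy = @{
    Name                                 = $policyName
    AdminDisplayName                     = 'Stricter inbound filtering for contoso.com'
    # Bulk email threshold: lower than the default of 7 means stricter.
    BulkThreshold                        = 6
    MarkAsSpamBulkMail                   = 'On'
    # Link/URL checks that raise the spam score.
    IncreaseScoreWithNumericIps          = 'On'
    IncreaseScoreWithRedirectToOtherPort = 'On'
    # One of the "mark as spam" properties: hard-failed SPF check.
    MarkAsSpamSpfRecordHardFail          = 'On'
    # Actions for bulk, spam and phishing verdicts.
    BulkSpamAction                       = 'MoveToJmf'    # Junk Email folder
    SpamAction                           = 'MoveToJmf'
    HighConfidenceSpamAction             = 'Quarantine'
    PhishSpamAction                      = 'Quarantine'
    InlineSafetyTipsEnabled              = $true
    # Block list entry (constructed sample domain).
    BlockedSenderDomains                 = 'spam.example'
}
New-HostedContentFilterPolicy @policy

# The rule holds the "who and in what order" settings: recipients and priority.
# Priority 0 is evaluated first; the built-in default policy is always last.
New-HostedContentFilterRule -Name $policyName `
    -HostedContentFilterPolicy $policyName `
    -RecipientDomainIs 'contoso.com' `
    -Priority 0

# Review what was created, as on the wizard's final page.
Get-HostedContentFilterPolicy -Identity $policyName |
    Format-List Name, BulkThreshold, MarkAsSpamSpfRecordHardFail, *Action
Get-HostedContentFilterRule |
    Sort-Object Priority |
    Format-Table Name, Priority, State, HostedContentFilterPolicy
```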

We’ve covered inbound spam, but what about outbound spam? You might wonder what is meant by this and what EOP offers in this space. Without an outbound Office 365 spam filter, what’s there to stop users in your organization, knowingly or if compromised, from themselves becoming a spammer? Answer…Outbound spam policies!

Let’s check it out.

Click the “Create Policy” button, but this time choose Outbound.

As with Inbound, choose a name and who the policy applies to.

In the “Outbound Protection Settings” you can set a variety of message limits, like restricting how many emails the affected person or persons can send daily, and then what action to take when that threshold is met.

Outbound Protection setting

This is also where you can add a policy to disable forwarding rules entirely if desired. Forwarding rules are a common attack vector for data exfiltration, so this is well worth considering. More on this in the next section.

A final screen gives you the opportunity to review the settings before adding the policy.
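The outbound policy described above, as an added example in Exchange Online PowerShell (not from the original article). The policy name, the sender domain contoso.com and the numeric limits are assumptions chosen for illustration.

```powershell
# Added example. Assumes an existing Connect-ExchangeOnline session.
# Placeholder values (assumptions): policy name, sender domain, limits.
$policyName = 'Contoso Outbound Limits'

$policy = @{
    Name                          = $policyName
    AdminDisplayName              = 'Send limits and no automatic external forwarding'
    # Message limits from the "Outbound Protection Settings" page.
    RecipientLimitExternalPerHour = 400
    RecipientLimitInternalPerHour = 800
    RecipientLimitPerDay          = 800
    # What happens when a sender hits a limit:
    # Alert, BlockUserForToday or BlockUser.
    ActionWhenThresholdReached    = 'BlockUser'
    # Off disables automatic forwarding to external recipients
    # for the senders covered by this policy.
    AutoForwardingMode            = 'Off'
}
New-HostedOutboundSpamFilterPolicy @policy

# The rule ties the policy to senders and sets its priority.
New-HostedOutboundSpamFilterRule -Name $policyName `
    -HostedOutboundSpamFilterPolicy $policyName `
    -SenderDomainIs 'contoso.com' `
    -Priority 0

# Review the result before relying on it.
Get-HostedOutboundSpamFilterPolicy -Identity $policyName |
    Format-List Name, RecipientLimit*, ActionWhenThresholdReached, AutoForwardingMode
```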

How Crucial Is Spam Filtering for Your Email Address?

This is a great segue to follow up on the disabling of forwarding rules I touched on in the previous section. If the account of one or more of your users is compromised, the attacker can simply create a rule to forward all emails to their own email address, or any email address for that matter, without the user being aware of this. Take a moment to think about the consequences if that happens.
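To check whether such forwarding already exists in a tenant, the following added example (not from the original article) lists mailbox-level forwarding and inbox rules that send mail outside the organization. The domain list and the helper name Test-ExternalAddress are assumptions introduced here.

```powershell
# Added example. Assumes an existing Connect-ExchangeOnline session.
# Assumption: contoso.com stands in for your own accepted domain(s).
$internalDomains = @('contoso.com')

# Hypothetical helper: true when the address carries a domain outside the list.
function Test-ExternalAddress {
    param([string]$Address, [string[]]$InternalDomains)
    # Handles forms such as 'smtp:user@example.org' or '"Name" [SMTP:user@example.org]'
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        return ($InternalDomains -notcontains $Matches[1].ToLower())
    }
    return $false   # no SMTP domain visible, e.g. an internal directory object
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Forwarding configured on the mailbox object itself.
    $fwd = [string]$mbx.ForwardingSmtpAddress
    if ($fwd -and (Test-ExternalAddress -Address $fwd -InternalDomains $internalDomains)) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Source = 'Mailbox forwarding'
            Rule    = ''; Enabled = $true; Target = $fwd
        }
    }
    # 2. Inbox rules that forward or redirect messages.
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) +
                   @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($target in $targets) {
            if (Test-ExternalAddress -Address ([string]$target) -InternalDomains $internalDomains) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName; Source = 'Inbox rule'
                    Rule    = $rule.Name; Enabled = $rule.Enabled; Target = [string]$target
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Any row whose target the mailbox owner does not recognize is worth investigating as a possible sign of account compromise.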

What else is the impact if you don’t have outbound policies for your organization? Well, at the “bad” end of the scale, the IP address and/or domain name could be marked as spam by another organization or a threat intelligence network, and put on a blocklist. Getting your organization off one of these lists is no easy task, so the impact is significant.

Important Office 365 Spam Filtering Options

Like in any war, and indeed the fight against spam is more of a war than a battle, you need allies. EOP gives you the option to “conscript” your users into this war by empowering them to report suspected spam and phishing emails. This is implemented using the “Report Message” and “Report Phishing” add-ins for Outlook and Outlook on the web. Once in place, users get a nifty button in their Outlook client which looks like this:

Outlook Client

How to report phishing - Outlook Client

Outlook on the Web

How to report phishing - Outlook on the Web

(Enable the Report Message or the Report Phishing add-ins – Office 365 | Microsoft Docs)

Isn’t that handy? With this in place, you are effectively crowd-sourcing your entire organization as foot-soldiers for battle!

Setting it up is an article/guide all of itself, but the links to get this set up are below:
Report spam, non-spam, and phishing messages to Microsoft – Office 365 | Microsoft Docs
Enable the Report Message or the Report Phishing add-ins – Office 365 | Microsoft Docs

The Dangers of Spam Email

The dangers of spam are many, but chief amongst those are financial and reputational damage. Barely a day goes by without hearing about a company or individual who lost a significant amount of money from even just a single phishing or spam email.

The reputational damage as a result of spam is also significant and it unfortunately comes in a few flavors. In its simplest form, the organization’s brand is associated with or thought of in a negative context.

There can also be a loss of customer trust, where customers lose confidence in a business to be able to perform its core function, which ultimately means loss of revenue.

To properly protect your Microsoft Office 365 environment, use Hornetsecurity 365 Total Protection, 365 Total Backup, 365 Permission Manager, and 365 Total Protection Enterprise Backup.
We work hard perpetually to give our customers confidence in their Spam & Malware Protection and Advanced Threat Protection strategies.
To keep up to date with the latest Microsoft 365 articles and practices, pay a visit to our Hornetsecurity blog now.



Email security is difficult, and this recent survey on that topic from Hornetsecurity gives some interesting insights into how the Microsoft platform is found to be performing – https://www.hornetsecurity.com/en/security-information/microsoft365-email-security-survey/

Microsoft is investing heavily in cybersecurity and last year committed to spending 20 billion dollars over the next five years in this space (Microsoft expands on cybersecurity commitments for U.S. government agencies – Microsoft in Business Blogs).

The range of tools and features Microsoft provides via Exchange Online Protection and the Office 365 spam filters is quite vast. Like any complex tool, it needs time and expertise to get it humming.