Why you Need to Configure Your Spam Filter in Office 365
Does Office 365 Have a Spam Filter?
The answer to this first question is yes! Spam filters are configured using policies under Exchange Online Protection (EOP), Microsoft’s powerful cloud-based filtering service. Microsoft first launched this service in 2009 as “Forefront Online Security for Exchange”. Later that same year, it was rebranded to “Forefront Online Protection for Exchange,” and finally to EOP in 2014.
How Do I Access My Spam Filter for Office 365?
The Office 365 spam filters/policies are accessed via the Microsoft Office Admin center Security Portal, under Policies and rules.
You can also reach them directly using this link: https://security.microsoft.com/antispam
How Do I Set up Spam Filters in Office 365?
So, there are 2 important concepts to cover before we get started:
- spam filter policies
- spam filter rules
Spam filter policies are used to specify what happens if a condition is true, and the associated notification options in that policy. On the other hand, spam filter rules are used to specify the priority and who the policy is applied to. The spam filter rule is created and defined when you create the policy.
Once you hop into the portal, you’ll see that Microsoft starts you off with 3 default built-in policies:
- Anti-spam inbound policy (Default);
- Connection filter policy (Default);
- Anti-spam outbound policy (Default).
Some things to note about these built-in policies:
- They are applied to all recipients in the organization (despite an absence of a spam filter rule associated with each policy);
- The “priority” for each is a value called “Lowest”, which cannot be modified. These policies are always applied last, i.e., so long as you have a single custom policy, that custom policy will always take precedence;
- They cannot be deleted.
Policies can be created via the web Security Center or via PowerShell. I’ll go through the web interface for this exercise, but the link to configuring via PowerShell is here.
We’ll go through Inbound first, so choose “Inbound” from those 2 options.
Something meaningful to describe what the policy does.
Users, Groups, Domains:
- Users: mailboxes, mail users, or mail contacts
- Groups: distribution groups, mail-enabled security groups, or Microsoft 365 Groups
- Domains: all recipients in the specified domain
|Bulk complaint level|Description|
|---|---|
|0|The message isn’t from a bulk sender.|
|1,2,3|The message is from a bulk sender that generates few complaints.|
|4,5,6,7|The message is from a bulk sender that generates a mixed number of complaints.|
|8,9|The message is from a bulk sender that generates a high number of complaints.|
In the next section, you can adjust settings to assess the message for different types of links or URLs and specify whether to increase the spam score based on those.
The last section has 13 different properties you can adjust to explicitly mark the message as spam. For example, you might have a requirement to block any email that fails an SPF check. You can adjust as many or as few as you need to suit your spam “appetite” (yes, that metaphor was intentional).
Clicking Next is where you can set the action to be taken for bulk, spam, and phishing messages. For each of these, you can take actions like moving messages to the Junk folder in Outlook, deleting the message, quarantining, and a few others. Here too you can enable safety tips for the policy, which adds a message like this as a banner in Outlook:
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
In the last section you can add senders, or entire domains, to an allowed or blocked list. Finally, you get an opportunity to review all the settings and create your policy.
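The inbound steps above can also be scripted. The following is an added example, not taken from the original article: it assumes the ExchangeOnlineManagement module is installed, and the policy name, admin account, domain and threshold are placeholders.

```powershell
# Added example. Placeholder values: admin account, policy name, domain, threshold.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$policyName = 'Strict inbound - example'

# The policy: what happens once a message gets a bulk, spam or phishing verdict.
New-HostedContentFilterPolicy -Name $policyName `
    -AdminDisplayName 'Quarantine phishing and high confidence spam' `
    -BulkThreshold 6 `
    -MarkAsSpamBulkMail On `
    -BulkSpamAction MoveToJmf `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -MarkAsSpamSpfRecordHardFail On `
    -InlineSafetyTipsEnabled $true

# The rule: who the policy applies to, and its priority (0 is evaluated first).
# -SentTo and -SentToMemberOf scope by user or group instead of by domain.
New-HostedContentFilterRule -Name $policyName `
    -HostedContentFilterPolicy $policyName `
    -RecipientDomainIs 'contoso.example' `
    -Priority 0

# Review: custom rules in priority order, then the settings that were applied.
Get-HostedContentFilterRule |
    Sort-Object Priority |
    Format-Table Name, State, Priority, HostedContentFilterPolicy

Get-HostedContentFilterPolicy -Identity $policyName |
    Format-List Name, BulkThreshold, BulkSpamAction, SpamAction,
        HighConfidenceSpamAction, PhishSpamAction, MarkAsSpamSpfRecordHardFail
```

The built-in default policy has no rule attached, so it does not appear in the `Get-HostedContentFilterRule` output.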
We’ve covered inbound spam, but what about outbound spam? You might wonder what is meant by this and what EOP offers in this space. Without an outbound Office 365 spam filter, what’s there to stop users in your organization, knowingly or because their account is compromised, from becoming spammers themselves? The answer: outbound spam policies!
Let’s check it out.
Click the “Create Policy” button, but this time choose Outbound.
As with Inbound, choose a name and who the policy applies to.
In the “Outbound Protection Settings” you can set a variety of message limits, like restricting how many emails the affected person or persons can send daily, and then what action to take when that threshold is met.
This is also where you can add a policy to disable forwarding rules entirely if desired. Forwarding rules are a common attack vector for data exfiltration, so this is well worth considering. More on this in the next section.
A final screen gives you the opportunity to review the settings before adding the policy.
How Crucial Is Spam Filtering for Your Email Address?
This is a great segue to follow up on the disabling of forwarding rules I touched on in the previous section. If the account of one or more of your users is compromised, the attacker can simply create a rule to forward all emails to their own email address, or any email address for that matter, without the user being aware of this. Take a moment to think about the consequences if that happens.
What else is the impact if you don’t have outbound policies for your organization? Well, at the “bad” end of the scale, the IP address and/or domain name could be marked as spam by another organization or a threat intelligence network, and put on a blocklist. Getting your organization off one of these lists is no easy task, so the impact is significant.
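The outbound limits and the forwarding control described above, followed by a check for forwarding that already exists in the tenant. This is an added example, not taken from the original article: it assumes the ExchangeOnlineManagement module, and the policy name, admin account, domain and limit values are placeholders.

```powershell
# Added example. Placeholder values: admin account, policy name, domain, limits.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$policyName = 'Outbound limits - example'

# Policy: sending limits, the action when a limit is hit, and forwarding control.
# AutoForwardingMode Off blocks automatic forwarding to external recipients.
New-HostedOutboundSpamFilterPolicy -Name $policyName `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 800 `
    -ActionWhenThresholdReached BlockUser `
    -AutoForwardingMode Off

# Rule: which senders the policy applies to, and its priority.
New-HostedOutboundSpamFilterRule -Name $policyName `
    -HostedOutboundSpamFilterPolicy $policyName `
    -SenderDomainIs 'contoso.example' `
    -Priority 0

# Audit 1: forwarding configured on the mailbox itself.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
        ForwardingAddress, DeliverToMailboxAndForward

# Audit 2: inbox rules that forward or redirect mail, the kind of rule a
# compromised account is typically given without the user noticing.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.UserPrincipalName } },
            Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Blocking external forwarding in the policy does not remove rules that already exist, so the audit output is worth reviewing with the mailbox owners.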
Important Office 365 Spam Filtering Options
Like in any war, and indeed the fight against spam is more of a war than a battle, you need allies. EOP gives you the option to “conscript” your users into this war by empowering them to report suspected spam and phishing emails. This is implemented using the “Report Message” and “Report Phishing” add-ins for Outlook and Outlook on the web. Once in place, users get a nifty button in their Outlook client which looks like this:
Outlook on the Web
Isn’t that handy? With this in place, you are effectively crowd-sourcing your entire organization as foot-soldiers for battle!
Setting it up is an article/guide in itself, but the links to get this set up are below:
Report spam, non-spam, and phishing messages to Microsoft – Office 365 | Microsoft Docs
Enable the Report Message or the Report Phishing add-ins – Office 365 | Microsoft Docs
The Dangers of Spam Email
The dangers of spam are many, but chief amongst those are financial and reputational damage. Barely a day goes by without hearing about a company or individual who lost a significant amount of money from even just a single phishing or spam email.
The reputational damage as a result of spam is also significant and it unfortunately comes in a few flavors. In its simplest form, the organization’s brand is associated with or thought of in a negative context.
There can also be a loss of customer trust, where customers lose confidence in a business to be able to perform its core function, which ultimately means loss of revenue.
Email security is difficult, and this recent survey on that topic from Hornetsecurity gives some interesting insights into how the Microsoft platform is found to be performing – https://www.hornetsecurity.com/en/security-information/microsoft365-email-security-survey/
Microsoft is investing heavily in cybersecurity and last year committed to spending 20 billion dollars over the next five years in this space (Microsoft expands on cybersecurity commitments for U.S. government agencies – Microsoft in Business Blogs).
The range of tools and features Microsoft provides via Exchange Online Protection and the Office 365 spam filters is quite vast. Like any complex tool, it needs time and expertise to get it humming.