- Duplicating default rules
- Editing the connection filter
- Editing spam filter (content filter)
- Increasing spam scoring
- Marking emails as spam
- Quarantine settings
- Outgoing spam messages (outbound spam)
- Malware filter
- Notifications for deleted messages and attachments
- Blocking attachments using the malware filter
- Checking the protection features
- Conclusion
Microsoft sets up all Office 365 tenants with several default settings. This increases the efficiency of the cloud platform. If, on the other hand, you want to configure your own settings, you must first create the prerequisites for them.
Duplicating default rules
As a first step, copy the default rules and policies for all Office 365 customers to the respective tenant so they are editable. This lets you adapt them to your own needs.
Start this process with the Enable-OrganizationCustomization command.
You only need to execute it once, and you cannot undo it. Afterwards, you can check the tenant's hydration status with Get-OrganizationConfig: an IsDehydrated value of False indicates that the tenant can now create its own policies.
Editing the connection filter
The default connection filter has zero effect because it is not configured. While the spam filter can release or block mail addresses and domains, the connection filter concentrates purely on IP addresses and networks.
If you want to reject messages coming from certain IP addresses or exclude them from spam filtering, you have to configure mail flow rules.
You can retrieve the relevant settings with Get-HostedConnectionFilterPolicy:
Get-HostedConnectionFilterPolicy -Identity Default | Format-Table Name, IP*, EnableSafeList
To edit the filter, use the Set-HostedConnectionFilterPolicy cmdlet. This lets you define multiple IP addresses (up to 256) and subnets, using a comma as a separator. In addition, you can subscribe to the SafeList, where Microsoft collects IP addresses from trusted senders:
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList 192.168.1.10,172.16.1.20 `
    -IPBlockList 10.0.0.0/32,192.168.2.0/24 `
    -EnableSafeList $true
If you later want to change the IP lists, be careful not to overwrite the existing entries: passing a plain list replaces the whole list. Therefore, pass a hash table with Add and Remove keys instead. Such a command looks like this:
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add="192.168.1.11", "192.168.1.12", "172.16.1.0/24"; Remove="192.168.2.0/24"}
Find further information about the connection filtering function at Microsoft Docs.
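The following added script (not from the article) reconciles the Default connection filter's IPAllowList against a desired list using the Add/Remove hash table described above, so entries already present are kept and only the delta is applied. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline); the addresses in $desiredAllow are constructed sample values.

```powershell
# Added example: bring the Default connection filter's IPAllowList to a desired
# state without clobbering existing entries. $desiredAllow is a constructed sample.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) already exists.

$desiredAllow = @('192.168.1.10', '172.16.1.0/24')   # constructed sample values

# Basic shape check: only IPv4 addresses or CIDR networks are accepted, so a typo
# cannot silently land in the policy.
$ipv4Cidr = '^(\d{1,3})(\.\d{1,3}){3}(/\d{1,2})?$'
$bad = $desiredAllow | Where-Object { $_ -notmatch $ipv4Cidr }
if ($bad) { throw "Invalid entries: $($bad -join ', ')" }

$policy  = Get-HostedConnectionFilterPolicy -Identity Default
$current = @($policy.IPAllowList)   # entries are compared as strings

# Compute the delta instead of assigning the whole list: entries missing from the
# policy are added, entries the policy has but the desired list lacks are removed.
$toAdd    = @($desiredAllow | Where-Object { $_ -notin $current })
$toRemove = @($current      | Where-Object { $_ -notin $desiredAllow })

if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) {
    Write-Host 'IPAllowList already matches the desired state.'
} else {
    $change = @{}
    if ($toAdd.Count)    { $change.Add    = $toAdd }
    if ($toRemove.Count) { $change.Remove = $toRemove }
    Write-Host "Adding: $($toAdd -join ', ')  Removing: $($toRemove -join ', ')"
    Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList $change
}

# Read the policy back so the change is verified rather than assumed.
(Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList
```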
Editing spam filter (content filter)
There is also a predefined spam filter here with the name Default. This moves suspicious spam emails into the junk mail folder of the respective mailboxes. But the default filter setting omits many of the possible options, which I will discuss in more detail below.
In its default output, Get-HostedContentFilterPolicy shows only a rudimentary subset of the supported settings.
Microsoft distinguishes between spam and messages with a high spam probability. If you want to quarantine the latter instead of moving them to the junk mail folder, you can use the following command:
Set-HostedContentFilterPolicy -Identity Default -HighConfidenceSpamAction Quarantine
Increasing spam scoring
There are four options to control the rating of messages. Matching a criterion increases the message rating and makes filtering it out as spam more likely.
| Parameter | Notes |
| --- | --- |
| IncreaseScoreWithBizOrInfoUrls | If the message contains links to domains ending in .biz or .info |
| IncreaseScoreWithImageLinks | If the message contains images loaded from an external source |
| IncreaseScoreWithNumericIps | If the message contains links with IP addresses instead of domains |
| IncreaseScoreWithRedirectToOtherPort | If the message contains links that redirect to certain ports |
The following command activates these four options:
Set-HostedContentFilterPolicy -Identity Default `
    -IncreaseScoreWithBizOrInfoUrls On `
    -IncreaseScoreWithImageLinks On `
    -IncreaseScoreWithNumericIps On `
    -IncreaseScoreWithRedirectToOtherPort On
Marking emails as spam
There are several criteria for marking emails as spam. Meeting one of these criteria directly classifies the message as spam. The following table lists the options with short descriptions.
| Parameter | Notes |
| --- | --- |
| MarkAsSpamBulkMail | Messages recognized as bulk or graymail |
| MarkAsSpamEmbedTagsInHtml | Embed tags contained in HTML |
| MarkAsSpamEmptyMessages | Messages without any content |
| MarkAsSpamFormTagsInHtml | Forms contained in HTML |
| MarkAsSpamFramesInHtml | frame or iframe tags in HTML |
| MarkAsSpamFromAddressAuthFail | If the sender ID check returns an error (hard fail) |
| MarkAsSpamJavaScriptInHtml | JavaScript or VBScript included in HTML |
| MarkAsSpamNdrBackscatter | Message recognized as a nondelivery report (NDR) |
| MarkAsSpamObjectTagsInHtml | Object tags included in HTML |
| MarkAsSpamSensitiveWordList | Checks the message for specific words |
| MarkAsSpamSpfRecordHardFail | If the Sender Policy Framework (SPF) check returns an error (hard fail) |
| MarkAsSpamWebBugsInHtml | Web bugs (tiny external tracking images) included in HTML |
You activate these options via Set-HostedContentFilterPolicy as well. The following example turns on the SPF check; in general, you can pass several of these parameters at once.
Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail On
Find further descriptions on how to adjust the spam filter here on Microsoft Docs.
Quarantine settings
To inform users by email about spam under quarantine, you have to activate the notification. In addition, you can specify the interval in days and the language of the email:
Set-HostedContentFilterPolicy -Identity Default `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationLanguage German `
    -EndUserSpamNotificationFrequency 5
Outgoing spam messages (outbound spam)
To prevent the system from sending spam and being blacklisted, it scans outgoing messages for spam. Upon confirming the suspicion, it blocks the user in question. The following command shows that the default setting does not enable notifications about such actions:
Get-HostedOutboundSpamFilterPolicy
The following command returns detailed output, including the notification addresses:
Get-HostedOutboundSpamFilterPolicy | Format-List Name, NotifyOutboundSpam, NotifyOutboundSpamRecipients, BccSuspiciousOutboundMail, BccSuspiciousOutboundAdditionalRecipients
If you want to set up the notification, Set-HostedOutboundSpamFilterPolicy will do this task:
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients suspicious-sender@buerkit.de `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients outboundspam-alert@buerkit.de
A check confirms the successful execution of the command:
Microsoft explains how outgoing message scanning works with Office 365 in this article.
You can configure additional notifications for different actions in the Security and Compliance Center under the notification policies.
Malware filter
You can retrieve the responsible standard filter via Get-MalwareFilterPolicy.
Unfortunately, the default setting for the filter will only isolate malware messages, and it does not generate alerts. Thus, the sender and recipient of a mistakenly intercepted mail remain unaware of the message's deletion.
Only the administrator can release the message from quarantine via the Security and Compliance Center. However, the Exchange Admin Center does not display the messages deleted by the malware filter in quarantine. For more information about quarantine, click here.

Administrators can release intercepted messages from quarantine in the Security and Compliance Center
Notifications for deleted messages and attachments
If you want EOP to notify you about intercepted mail, it offers several possibilities. It distinguishes between internal and external senders of malware mails. In addition, it can also inform an administrator.
To notify the sender of a deleted message, you must configure the following settings:
Set-MalwareFilterPolicy -Identity "Default" `
    -Action DeleteAttachmentAndUseDefaultAlertText `
    -EnableInternalSenderNotifications $true `
    -EnableExternalSenderNotifications $true
To notify an administrator, use the following command:
Set-MalwareFilterPolicy -Identity "Default" `
    -EnableInternalSenderAdminNotifications $true `
    -EnableExternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress mailadmin@buerkit.de `
    -ExternalSenderAdminAddress mailadmin@buerkit.de
The administrator and the sender will then receive a notification of the undeliverability of a message.
Blocking attachments using the malware filter
If you want to block attachments with executable files in general, the malware filter can do this too. The following command enables the common attachment filter, which removes attachments whose extensions appear in the policy's FileTypes list:
Set-MalwareFilterPolicy -Identity "Default" -EnableFileFilter $true
For more information about malware filtering, visit Microsoft Docs.
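Because each of the Set-* commands in the spam-scoring, outbound-spam and malware-filter sections above only changes one policy, it is easy to lose track of which settings are still at their defaults. The following added script (not from the article) is a read-only audit: it compares every policy of each type against a baseline built from the settings discussed above and lists the deviations. The baseline values are a constructed example to adapt; it assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

```powershell
# Added example: report which protective settings from the sections above are
# still off in any policy of the tenant. Read-only; it changes nothing.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) already exists.

# Expected values (constructed baseline; adjust to your own standard).
$baseline = @{
    'Get-HostedContentFilterPolicy' = @{
        HighConfidenceSpamAction             = 'Quarantine'
        IncreaseScoreWithBizOrInfoUrls       = 'On'
        IncreaseScoreWithImageLinks          = 'On'
        IncreaseScoreWithNumericIps          = 'On'
        IncreaseScoreWithRedirectToOtherPort = 'On'
        MarkAsSpamSpfRecordHardFail          = 'On'
        EnableEndUserSpamNotifications       = $true
    }
    'Get-HostedOutboundSpamFilterPolicy' = @{
        NotifyOutboundSpam        = $true
        BccSuspiciousOutboundMail = $true
    }
    'Get-MalwareFilterPolicy' = @{
        EnableFileFilter                       = $true
        EnableInternalSenderAdminNotifications = $true
        EnableExternalSenderAdminNotifications = $true
    }
}

$findings = foreach ($cmdlet in $baseline.Keys) {
    # & on the cmdlet name runs it; every policy of that type is checked, not only Default.
    foreach ($policy in & $cmdlet) {
        foreach ($setting in $baseline[$cmdlet].Keys) {
            $expected = $baseline[$cmdlet][$setting]
            $actual   = $policy.$setting
            # Enum-valued settings (On/Off, Quarantine, ...) and booleans are both
            # compared through their string form so the comparison is type-agnostic.
            if ("$actual" -ne "$expected") {
                [pscustomobject]@{
                    Policy   = $policy.Name
                    Setting  = $setting
                    Expected = $expected
                    Actual   = $actual
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { Write-Host 'All policies match the baseline.' }
```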
Checking the protection features
You can test antispam systems from different vendors with a special test message (GTUBE). To check their operation, actions, and notifications, the message body must contain the following string:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
To test the malware filter, the corresponding test string (EICAR) looks like this:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
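The following added script (not from the article) sends both test messages to a mailbox in your own tenant and then reads back how EOP handled them via Get-MessageTrace. It assumes that SMTP AUTH submission on smtp.office365.com:587 is permitted for the sending account and that an Exchange Online PowerShell session exists for the trace; the addresses are placeholders.

```powershell
# Added example: send the GTUBE and EICAR test messages to your own tenant and
# look up the resulting EOP verdicts via message trace.
# Assumptions: SMTP AUTH on smtp.office365.com:587 is allowed for $from, and an
# Exchange Online PowerShell session exists for Get-MessageTrace. Addresses are placeholders.

$from = 'sender@example.com'    # placeholder
$to   = 'testbox@example.com'   # placeholder
$cred = Get-Credential -Message 'SMTP AUTH credentials for the sending mailbox'

$gtube = 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# EICAR goes in as an attachment, written as plain ASCII so the file is exactly the
# test string. The antivirus on the admin workstation may delete it immediately,
# which is itself the expected behaviour; run from a host where that is acceptable.
$eicarFile = Join-Path $env:TEMP 'eicar.com'
[IO.File]::WriteAllText($eicarFile, $eicar, [Text.Encoding]::ASCII)

$started = (Get-Date).ToUniversalTime()
$smtp = @{
    SmtpServer = 'smtp.office365.com'; Port = 587; UseSsl = $true
    Credential = $cred; From = $from; To = $to
}
Send-MailMessage @smtp -Subject 'EOP spam test (GTUBE)' -Body $gtube
Send-MailMessage @smtp -Subject 'EOP malware test (EICAR)' -Body 'EICAR test attachment' -Attachments $eicarFile

# Message trace lags a few minutes behind delivery; wait before querying.
Start-Sleep -Seconds 120
Get-MessageTrace -RecipientAddress $to -StartDate $started -EndDate (Get-Date).ToUniversalTime() |
    Where-Object Subject -like 'EOP * test*' |
    Select-Object Received, Subject, Status |
    Format-Table -AutoSize
# With the policies above, Status should read FilteredAsSpam or Quarantined rather than
# Delivered; if the trace shows Pending, rerun the query a few minutes later.
```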
Conclusion
Overall, the basic version of Office 365 already includes adequate protection against spam and viruses. In addition, it's a good idea to implement Advanced Threat Protection, for example, against phishing attacks, exploits, and zero-day attacks.