What triggers Microsoft's Defender filtering layer to assign a Spam Confidence Level (SCL) score?

Question

Calling all Exchange and Microsoft 365 experts!

 

I am investigating why two messages (received by the same recipient) sent from the same sender, domain, IP, and infrastructure received different Spam Confidence Level (SCL) scores from Microsoft’s cloud filtering layer (Exchange Online Protection).

Message 1 (SCL 1): Delivered to Inbox

Message 2 (SCL 5): Routed to Junk

Both messages:

• Passed SPF, DKIM, DMARC, and CompAuth
• Had identical spam rule triggers and phishing scores
• Used the same HELO/EHLO and PTR records

The only differences were:

• Slightly different routing paths and engine codes
• Subtle differences in message body content

Question: What specific factors or heuristics in Microsoft’s cloud filtering layer could cause a change in SCL scoring for messages that appear nearly identical in infrastructure and authentication?

Any insights into how SCL scoring is dynamically influenced would be greatly appreciated!

 

Thank you in advance to whoever can shed some insight into this!!!

 

 

Answer 1

Hi Maxim,

Microsoft’s scoring is probabilistic and context-aware, not deterministic. Even minor content or routing differences can tip the balance when combined with adaptive heuristics. SCL values (0–9) reflect cumulative signals, not just authentication status.

Refer to https://learn.microsoft.com/en-us/defender-office-365/anti-spam-spam-confidence-level-scl-about for additional.