What's the difference between junk email and bulk email in EOP?

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, customers sometimes ask: "What's the difference between junk email and bulk email?" This article explains the difference and describes the controls that are available in EOP.

  • Junk email is spam, which is an unsolicited and universally unwanted message (when identified correctly). EOP rejects spam based on the reputation of the source email server. If a message passes source IP inspection, it continues through spam filtering. If the message is classified as Spam or High confidence spam by spam filtering, what happens to the message depends on the verdict and the anti-spam policy that detected the message.

    For the default actions that are taken on spam and high confidence spam messages in the default anti-spam policy and in the Standard and Strict preset security policies, see the Spam and High confidence spam entries in EOP anti-spam policy settings.

    In the default anti-spam policy and in custom anti-spam policies, you can configure the action to take on spam filtering verdicts. For instructions, see Configure anti-spam policies in EOP.

    If you disagree with the spam filtering verdict, you can report messages as spam or good to Microsoft in several ways, as described in Report messages and files to Microsoft.

  • Bulk email (also known as gray mail) is more difficult to classify. Whereas spam is a constant threat, bulk email is often one-time advertisements or marketing messages. Some users want bulk email messages (and in fact, they have deliberately signed up to receive them), while other users consider bulk email to be spam. For example, some users want to receive advertising messages from the Contoso Corporation or invitations to an upcoming conference on cybersecurity, while other users consider these same messages to be spam.

    For more information about how bulk email is identified, see Bulk complaint level (BCL) in EOP.

How to manage bulk email

Because of the mixed reaction to bulk email, there isn't universal guidance that applies to every organization.

Anti-spam policies have a default BCL threshold that's used to identify bulk email as spam, and a specific action to take on those bulk messages. For more information, see the following articles:

Another option that's easy to overlook: if a user complains about receiving bulk email, but the messages are from reputable senders that pass spam filtering in EOP, have the user check for an unsubscribe option in the bulk email message.

How to tune bulk email

As of September 2022, Microsoft Defender for Office 365 Plan 2 customers can access BCL from advanced hunting. This feature allows admins to look at all bulk senders who sent mail to their organization, their corresponding BCL values, and the amount of email that was received. You can drill down into the bulk senders by using other columns in the EmailEvents table in the Email & collaboration schema. For more information, see EmailEvents.

For example, if Contoso has set their current bulk threshold to 7 in anti-spam policies, Contoso recipients receive email from all senders in their Inbox if the BCL value is 6 or less. Admins can run the following query to get a list of all bulk senders in the organization:

EmailEvents
| where BulkComplaintLevel >= 1 and Timestamp > datetime(2022-09-XXT00:00:00Z)
| summarize count() by SenderMailFromAddress, BulkComplaintLevel

This query allows admins to identify wanted and unwanted senders. If a bulk sender has a BCL score that's more than the bulk threshold, admins can report the sender's messages to Microsoft for analysis. This action also adds the sender as an allow entry in the Tenant Allow/Block List.
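To see how a different bulk threshold would change the outcome before you edit a policy, the query above can be extended into a what-if sweep. This is an added example, not part of the original article. The 30-day window, the inbound-only filter and the 1 to 9 threshold range are assumptions. It follows the rule stated above that a message counts as bulk when its BCL is at or above the threshold.

```kusto
// Added example: what-if sweep of the bulk threshold over recent mail.
// Assumptions: 30-day lookback, inbound mail only, candidate thresholds 1 through 9.
let BulkBySender =
    EmailEvents
    | where Timestamp > ago(30d)
    | where EmailDirection == "Inbound" and BulkComplaintLevel >= 1
    // One row per sender and BCL value, with the message volume for that pair.
    | summarize Messages = count() by SenderMailFromAddress, BulkComplaintLevel
    | extend JoinKey = 1;
range Threshold from 1 to 9 step 1
| extend JoinKey = 1
// Cross join: pair every candidate threshold with every sender/BCL row.
| join kind=inner (BulkBySender) on JoinKey
| summarize
    // Messages that would be identified as bulk at this threshold.
    MarkedAsBulk = sumif(Messages, BulkComplaintLevel >= Threshold),
    // Messages with a BCL below the threshold, which are not treated as bulk.
    NotMarked = sumif(Messages, BulkComplaintLevel < Threshold),
    // Distinct bulk senders affected at this threshold.
    SendersMarked = dcountif(SenderMailFromAddress, BulkComplaintLevel >= Threshold)
    by Threshold
| order by Threshold asc
```

Compare the row for your current threshold (7 in the Contoso example) with its neighbors: a large jump in MarkedAsBulk between two adjacent thresholds points to a small number of high-volume senders worth reviewing individually with the per-sender query above.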

Organizations without Defender for Office 365 Plan 2 can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free. Use the 90-day Defender for Office 365 evaluation at https://security.microsoft.com/atpEvaluation. Learn about who can sign up and trial terms here.

If you have Defender for Office 365 Plan 1 or Plan 2, you can use the Threat protection status report to identify wanted and unwanted bulk senders:

  1. Open the Threat protection status report at one of the following URLs:

  2. Select View data by Email > Spam and Chart breakdown by Detection Technology.

  3. Select Filter. In the Filters flyout that opens, select only Bulk in the Detection section.

    Use the Bulk complaint level slider to filter the bulk detections by BCL value.

    When you're finished in the Filters flyout, select Apply.

  4. Back on the Threat protection status page, select one of the bulk messages from the details table below the chart by clicking anywhere in the row other than the check box next to the first column.

    In the message details flyout that opens, select Open email entity at the top of the flyout to see details about the message in the Email entity page in Microsoft Defender for Office 365.

  5. After you identify wanted and unwanted bulk senders, adjust the bulk threshold in the default anti-spam policy and in custom anti-spam policies. If some bulk senders don't fit within your bulk threshold, report the messages to Microsoft for analysis.

Admins can follow the recommended bulk threshold values or choose a bulk threshold value that suits the needs of their organization.