Exchange Mail Flow rules vs Microsoft 365 Defender Anti-Spam/Anti-Phishing rules order of precedence

FotS 81 Reputation points
2022-08-18T01:15:41.167+00:00

(I hope I'm posting this in the right place. This is concerning Office 365 for email (Exchange Online/Microsoft 365/whatever-it's-being-called-these-days... primary admin portal is accessed here: https://admin.microsoft.com/) and the Mail Flow rules found in the EAC (https://admin.exchange.microsoft.com/#/transportrules) in relation to the Microsoft 365 Defender Anti-Spam/Anti-Phishing rules/filters (https://security.microsoft.com/threatpolicy).)

I've recently started working as IT for a new company using Office 365 for email that is using basic Microsoft 365 Defender in addition to some Exchange Mail Flow rules to filter out unwanted spam/phishing emails. Specifically, they have an Exchange Mail Flow rule in place to submit any emails with plain html attachments for admin approval, first, before releasing to the intended recipient.

There are 3 of us that are approval admins for this, but even still, I feel like there is a high volume of these that are coming through on a regular basis, not to mention that one of the admins (who's actually my "boss-in-training") keeps approving emails for delivery that he shouldn't be.

At one point, I tried setting up a rule in the Anti-Spam/Anti-Phishing filters of Microsoft 365 Defender to pre-filter certain emails (we had a period of high volume of emails from a specific email address), but it didn't seem to take affect. IE, the Exchange Mail Flow rule was still forwarding the emails this other filter was supposed to catch to us for approval.

So my question is 2 fold:

  1. Are the Exchange Mail Flow rules processed before the Microsoft 365 Defender Anti-Spam/Anti-Phishing/etc rules, and
  2. Can I somehow change this?

The desired behavior I am after is to have the Exchange Mail Flow rule (in this case, at least) only process those things that have already passed the Anti-Spam/Anti-Phishing filters. What I don't want to happen, here, is setting up a rule in Anti-Spam/Anti-Phishing that just says all html attachments bad. I just want the default Defender algorithms to get first crack at them, leaving us with only the stuff it failed to detect. Unless, of course, it is considered best practice to just prevent all emails with these types of attachments, anyway....

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,166 questions
{count} votes

Accepted answer
  1. Vasil Michev 94,911 Reputation points MVP
    2022-08-18T07:13:06.49+00:00

    Mail flow rules are evaluated after anti-malware/anti-phishing scan, but before the generic spam filters. You cannot override the order, the only way of doing this is by changing the SCL of the message.
    That said, I cannot think of many legitimate reasons why you'd be sending a .html attachment, so you might as well block them. You can always add exceptions for specific senders if needed. Or use the safe attachments feature, if you're already paying for Defender for O365.


0 additional answers

Sort by: Most helpful