Exchange Mail Flow rules vs Microsoft 365 Defender Anti-Spam/Anti-Phishing rules order of precedence

FotS 81 Reputation points
2022-08-18T01:15:41.167+00:00

(I hope I'm posting this in the right place. This is concerning Office 365 for email (Exchange Online/Microsoft 365/whatever-it's-being-called-these-days... primary admin portal is accessed here: https://admin.microsoft.com/) and the Mail Flow rules found in the EAC (https://admin.exchange.microsoft.com/#/transportrules) in relation to the Microsoft 365 Defender Anti-Spam/Anti-Phishing rules/filters (https://security.microsoft.com/threatpolicy).)

I've recently started working as IT for a new company using Office 365 for email that is using basic Microsoft 365 Defender in addition to some Exchange Mail Flow rules to filter out unwanted spam/phishing emails. Specifically, they have an Exchange Mail Flow rule in place to submit any emails with plain html attachments for admin approval, first, before releasing to the intended recipient.

There are 3 of us that are approval admins for this, but even still, I feel like there is a high volume of these that are coming through on a regular basis, not to mention that one of the admins (who's actually my "boss-in-training") keeps approving emails for delivery that he shouldn't be.

At one point, I tried setting up a rule in the Anti-Spam/Anti-Phishing filters of Microsoft 365 Defender to pre-filter certain emails (we had a period of high volume of emails from a specific email address), but it didn't seem to take effect. I.e., the Exchange Mail Flow rule was still forwarding the emails this other filter was supposed to catch to us for approval.

So my question is two-fold:

  1. Are the Exchange Mail Flow rules processed before the Microsoft 365 Defender Anti-Spam/Anti-Phishing/etc rules, and
  2. Can I somehow change this?

The desired behavior I am after is to have the Exchange Mail Flow rule (in this case, at least) only process those things that have already passed the Anti-Spam/Anti-Phishing filters. What I don't want to happen, here, is setting up a rule in Anti-Spam/Anti-Phishing that just says all html attachments bad. I just want the default Defender algorithms to get first crack at them, leaving us with only the stuff it failed to detect. Unless, of course, it is considered best practice to just prevent all emails with these types of attachments, anyway....


Accepted answer
Vasil Michev 95,836 Reputation points MVP
2022-08-18T07:13:06.49+00:00

Mail flow rules are evaluated after anti-malware/anti-phishing scan, but before the generic spam filters. You cannot override the order; the only way of doing this is by changing the SCL of the message.
That said, I cannot think of many legitimate reasons why you'd be sending a .html attachment, so you might as well block them. You can always add exceptions for specific senders if needed. Or use the Safe Attachments feature, if you're already paying for Defender for O365.
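The two options discussed above (keep the moderation rule, or block .html attachments outright with sender exceptions) plus the SCL trick the accepted answer mentions, expressed as Exchange Online PowerShell. This is an added example, not code from the question or the answer; the rule names, moderator addresses, the known-spam sender and the exception senders/domains are placeholders, and it assumes the ExchangeOnlineManagement module is installed and the signed-in account can manage transport rules.

```powershell
# Added example (not from the original post or the accepted answer).
# Assumptions: ExchangeOnlineManagement module installed; the account below
# can manage transport rules; every address, domain and rule name is a
# placeholder to be replaced with the organisation's own values.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Pre-empt a known bad sender with the SCL trick from the accepted answer.
#    Mail flow rules run before the spam filter, so stamping SCL 9 here makes
#    the spam filter treat the message as high-confidence spam. Lowest
#    priority number wins, and StopRuleProcessing keeps the moderation rule
#    below from ever seeing (and holding) this message.
New-TransportRule -Name "Stamp SCL 9 on known spam sender" `
    -From @("bulk-sender@spam.example") `
    -SetSCL 9 `
    -StopRuleProcessing $true `
    -Priority 0

# 2. The rule the question describes: hold any message carrying an .htm/.html
#    attachment for moderator approval. Because this runs before spam
#    filtering, the approval queue will also contain spam the filter would
#    otherwise have caught, which is the behaviour the question complains about.
New-TransportRule -Name "Moderate HTML attachments" `
    -AttachmentExtensionMatchesWords @("htm", "html") `
    -ModerateMessageByUser @("admin1@contoso.example", "admin2@contoso.example") `
    -Priority 1

# 3. The alternative from the accepted answer: reject HTML attachments at the
#    edge, with exceptions for senders that genuinely need to send them.
#    Start in Audit mode so you can review what would have been rejected
#    (Get-MessageTrace / the Defender Explorer), then switch to Enforce.
#    Disable rule 2 once this one is enforced, or both will fire.
New-TransportRule -Name "Block HTML attachments" `
    -AttachmentExtensionMatchesWords @("htm", "html") `
    -ExceptIfFrom @("billing@trusted-vendor.example") `
    -ExceptIfSenderDomainIs @("trusted-partner.example") `
    -RejectMessageReasonText "HTML attachments are not accepted by this organisation." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Audit `
    -Priority 2

# Verify evaluation order and state: rules are applied in ascending Priority.
Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, Mode, State

# Flip the block rule to Enforce and retire the moderation rule when ready.
# Set-TransportRule -Identity "Block HTML attachments" -Mode Enforce
# Disable-TransportRule -Identity "Moderate HTML attachments" -Confirm:$false

Disconnect-ExchangeOnline -Confirm:$false
```

The SCL-stamping rule only helps for senders you already know about; it does not reorder the pipeline, it just feeds the spam filter a verdict before the moderation rule can hold the message. For unknown senders the practical choice is still the one in the answer: block the attachment type and maintain an explicit exception list.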

