Tune Bulk mail (grey mail) filtering in Defender for Office 365
This guide describes how to tune your bulk email filtering settings in Exchange Online or Microsoft Defender for Office 365. This process includes configuring the delivery location of detected bulk mail and, if necessary, optional transport rules you can use to achieve a more aggressive filtering stance should this suit your organization's needs.
What you'll need
- Exchange Online as a minimum. (Microsoft Defender for Office 365 offers extra functionality)
- Sufficient permissions. (Security Administrator)
- Basic understanding of checking message headers (for more information, see View internet message headers in Outlook)
- 30 minutes to complete the following steps
Understanding the bulk (BCL) value
Bulk mail is typically advertising emails or marketing messages. These emails can be more challenging to filter as some customers want these emails. Other customers consider these emails spam and don't want to receive them. We add a "BCL" value stamp on emails based on the number of complaints we get about that sender and allow you to select the threshold to accept so you can tune the number of bulk messages you receive.
Check the BCL value of an email and the threshold in your policies
- Take the headers of a message you're concerned with and search for the "X-Microsoft-Antispam:" header, which contains a BCL value. Make a note of this number.
- Repeat this process until you have an average BCL value. We'll use this value as the threshold. Any mail with a BCL value above this number will be impacted by the changes we make.
- Login to the Microsoft Security portal at https://security.microsoft.com.
- On the left nav, under Email & collaboration, select Policies & rules.
- Select Threat policies and then Anti-Spam.
- When the page loads, the next action you'll take depends on the type of policy you're using:
- Preset Policies can't be edited. The threshold is 6 in standard, 5 in strict.
- The default (inbuilt) policy is 7.
- Custom policies are set to 7 by default unless another value is provided.
- Edit (or create a custom policy) to set the BCL threshold that meets your needs. For example, if most of the messages you collected (which were all unwanted) have a BCL value of 4 or higher, setting the BCL value to 4 in the policy would filter out these messages for your end users.
- Within that policy, under the "Edit actions" section, select the "bulk message action" and select what to do when the threshold is exceeded. For example, you could select Quarantine if you would like to keep all bulk out of the mailbox or use the Junk email folder for a less aggressive stance.
- If you receive complaints from users about too many bulk emails being blocked, you can adjust this threshold, or alternatively, submit the message to us, which will also add the sender to the Tenant Allow/Block List.
Review this step-by-step guide for more details on allowing senders using the Tenant Allow/Block List: How to handle legitimate emails getting blocked from delivery using Microsoft Defender for Office 365.
More aggressive strategies for managing bulk senders
In some cases, the sender of bulk mail doesn't generate enough complaints for its messages to be assigned a BCL value high enough to be caught by your tuned threshold value. In this situation, it's possible to use transport rules to take an aggressive approach; however, use caution, as false positives (unwanted blocking) will occur. Tune the rules with exceptions and management to stay relevant for your organization's mail patterns.
To better protect certain groups of users, such as your c-suite and priority accounts, you can create a specialized policy specifically scoped to them and set a higher BCL threshold, alongside a separate transport rule (if applicable). These groups of users might be more vulnerable to unsolicited emails due to their email addresses being readily accessible in the public domain.
See Use mail flow rules to filter bulk email in Exchange Online | Microsoft Learn for more information.
For customers with Microsoft Defender for Office 365
Customers with Microsoft Defender for Office 365 Plan 1 or higher can use the email entity page to discover the BCL value of messages instead of interrogating headers.
Customers with Microsoft Defender for Office 365 Plan 2 can interrogate bulk values at scale using advanced hunting.
Email Protection Basics in Microsoft 365: Bulk Email - Microsoft Community Hub
What's the difference between junk email and bulk email? - Office 365 | Microsoft Learn
Submit and view feedback for