Configure outbound spam filtering policies

EOP automatically checks outbound email messages for spam and unusual sending activity in the following organizations:

  • Microsoft 365 organizations with mailboxes in Exchange Online
  • Standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes

Outbound spam from a user typically indicates a compromised account. EOP marks suspicious outbound messages as spam (regardless of the spam confidence level or SCL). The system then routes these messages through the high-risk delivery pool to help protect the reputation of the service. Protecting the reputation of the service means keeping Microsoft 365 source email servers off of IP blocklists. Alert policies automatically notify administrators of suspicious outbound email activity and blocked users.

Outbound spam policies

EOP uses outbound spam policies as part of your organization's overall defense against spam. Admins can view, edit, and configure (but not delete) the default outbound spam policy.

For greater granularity, you can also create custom outbound spam policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.

You can configure outbound spam policies in the Microsoft Defender portal or in PowerShell. When using PowerShell, you must use either:

  • Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online.
  • Standalone EOP PowerShell for organizations without Exchange Online mailboxes.

The basic elements of an outbound spam policy in EOP are:

  • The outbound spam filter policy. Specifies the actions for outbound spam filtering verdicts and the notification options.
  • The outbound spam filter rule. Specifies the priority and sender filters (who the policy applies to) for an outbound spam filter policy.

The difference between these two elements isn't obvious when you manage outbound spam policies in the Microsoft Defender portal:

  • Creating a policy. You're actually creating an outbound spam filter rule and the associated outbound spam filter policy at the same time using the same name for both.
  • Modifying a policy. Settings related to the name, priority, enabled or disabled, and sender filters modify the outbound spam filter rule. All other settings modify the associated outbound spam filter policy.
  • Removing a policy. The system removes the outbound spam filter rule and the associated outbound spam filter policy.

Every organization has a built-in outbound spam policy named Default. This default policy has the following properties:

  • The system applies the policy to all senders in the organization. This process occurs even though there's no outbound spam filter rule (sender filters) associated with the policy.
  • The policy has the custom priority value Lowest that you can't modify. As such, the system always applies the policy last. Any custom policies that you create always have a higher priority than the policy named Default.
  • You can't delete the default policy.

To increase the effectiveness of outbound spam filtering, you can create custom outbound spam policies with stricter settings for specific users or groups of users.

Create outbound spam policies in the Microsoft Defender portal

Creating a custom outbound spam policy in the Microsoft Defender portal creates the spam filter rule AND the associated spam filter policy at the same time using the same name for both.

  1. In the Microsoft Defender portal at https://security.microsoft.com, select Email & Collaboration, then Policies & Rules, then Threat policies, and then Anti-spam in the Policies section.

  2. On the Anti-spam policies page, select Create policy and then select Outbound from the drop-down list that appears.

  3. The policy wizard opens. On the Name your policy page, configure these settings and then select Next:

    • Name: Enter a unique, descriptive name for the policy.
    • Description: Enter an optional description for the policy.
  4. On the Users, groups, and domains page that appears, identify the internal senders that the policy applies to (recipient conditions) and then select Next:

    • Users. The specified mailboxes, mail users, or mail contacts.
    • Groups:
      • Members of the specified distribution groups or mail-enabled security groups.
      • The specified Microsoft 365 Groups.
    • Domains. All senders in the specified accepted domains in your organization.

    Select inside the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, select the X next to the value.

    For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.). However, the system displays the corresponding display name in the results. For users, enter an asterisk (*) by itself to see all available values.

    Multiple values in the same condition use OR logic (for example, [sender1] or [sender2]). Different conditions use AND logic (for example, [sender1] and [member of group 1]).

    • Exclude these users, groups, and domains. To add exceptions for the internal senders that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.

  5. On the Protection settings page that opens, configure the following settings and then select Next:

    • Message limits. The settings in this section configure the limits for outbound email messages from Exchange Online mailboxes:

      • Set an external message limit. The maximum number of external recipients per hour.
      • Set an internal message limit. The maximum number of internal recipients per hour.
      • Set a daily message limit. The maximum total number of recipients per day.

      A valid value is 0 to 10000. The default value is 0, which means the system uses the service defaults. For more information, see Sending limits.

      Enter a value in the box, or use the increase/decrease arrows on the box.

    • Restriction placed on users who reach the message limit. Select an action from the drop-down list when the message count exceeds any of the limits in the Protection settings section.

      For all actions, the senders specified in the User restricted from sending email alert policy receive email notifications.

      • Restrict the user from sending mail until the following day. This option is the default value. The system sends email notifications and blocks the user:
        • The alert policy named User restricted from sending email notifies admins (through email and on the View alerts page).
        • The system also notifies any recipients specified in the Notify specific people if a sender is blocked due to sending outbound spam setting in the policy.
        • The user can't send any more messages until the following day, based on UTC time. An administrator can't override this block.
      • Restrict the user from sending mail. The system sends email notifications and adds the user to Restricted users in the Microsoft Defender portal. The user can't send email until an administrator removes them from the Restricted users list. After an administrator removes the user from the list, the user can once again send email for that day.
      • No action, alert only. The system sends email notifications.
    • Forwarding rules. Use the settings in this section to control automatic email forwarding by Exchange Online mailboxes to external senders.

      Select one of the following actions from the Automatic forwarding rules drop-down list:

      • Automatic - System-controlled. Allows outbound spam filtering to control automatic external email forwarding. This option is the default value.
      • On. The policy doesn't disable automatic external email forwarding.
      • Off. The policy disables all automatic external email forwarding.

      When you disable automatic forwarding, the recipient receives a nondelivery report (also known as an NDR or bounce message) if external senders send email to a mailbox that has forwarding in place. If an internal sender sends the message and mailbox forwarding (also known as SMTP forwarding) is the forwarding method, the internal sender receives the NDR. The internal sender doesn't receive an NDR if the forwarding occurred due to an Inbox rule.

    • Notifications. Use the settings in this section to configure other recipients who should receive copies and notifications of suspicious outbound email messages:

      • Send a copy of suspicious outbound messages that exceed these limits to these users and groups. This setting adds the specified recipients to the Bcc field of suspicious outbound messages. This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.

        Select the check box to enable this setting. In the field that appears, select inside the box, enter a valid email address, and then press Enter or select the complete value displayed below the box.

        Repeat this step as many times as necessary. To remove an existing value, select the X next to the value.

  6. On the Review page that appears, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or select the specific page in the wizard.

    When everything appears correct, select Create.

  7. On the confirmation page that appears, select Done.
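The same Protection settings can be applied to the built-in policy named Default from Exchange Online PowerShell. The following is an added example, not code from the original page or from Microsoft's documentation; the recipient address and the limit values are constructed placeholders, and it assumes the ExchangeOnlineManagement module is installed and the account has the rights to manage anti-spam policies.

```powershell
# Added example: configure the Default outbound spam policy's message limits,
# threshold action, automatic forwarding mode, and Bcc copies from PowerShell.
# "secops-mailbox@contoso.com" is a constructed placeholder address.

# Assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

$policyName = "Default"

# Limits are recipients per hour/day; 0 means "use the service defaults".
# BlockUserForToday matches the portal's "Restrict the user from sending mail
# until the following day"; BlockUser and Alert are the other two choices.
# Bcc of suspicious outbound mail only takes effect in the Default policy.
Set-HostedOutboundSpamFilterPolicy -Identity $policyName `
    -RecipientLimitExternalPerHour 500 `
    -RecipientLimitInternalPerHour 1000 `
    -RecipientLimitPerDay 1000 `
    -ActionWhenThresholdReached BlockUserForToday `
    -AutoForwardingMode Off `
    -BccSuspiciousOutboundMail $true `
    -BccSuspiciousOutboundAdditionalRecipients "secops-mailbox@contoso.com"

# Verify what was written, so a typo in a limit is caught immediately.
Get-HostedOutboundSpamFilterPolicy -Identity $policyName |
    Format-List Name, RecipientLimit*, ActionWhenThresholdReached,
                AutoForwardingMode, BccSuspiciousOutbound*

# Senders currently on the Restricted users list (the "Restrict the user from
# sending mail" action). An admin releases one with
# Remove-BlockedSenderAddress -SenderAddress <address> after investigating
# the account for compromise.
Get-BlockedSenderAddress
```

Setting AutoForwardingMode to Off is the policy-level equivalent of the portal's Off choice: external senders whose messages hit a forwarding mailbox get an NDR, as described above, so coordinate the change with anyone relying on mailbox forwarding.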

Configure outbound spam policies in Exchange PowerShell

As previously described, an outbound spam policy consists of an outbound spam filter policy and an outbound spam filter rule. In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy and the rule separately.

In Exchange Online PowerShell or standalone EOP PowerShell, the cmdlets used to configure outbound spam filter policies and outbound spam filter rules are different:

  • Outbound spam filter policies. Use the *-HostedOutboundSpamFilterPolicy cmdlets.
  • Outbound spam filter rules. Use the *-HostedOutboundSpamFilterRule cmdlets.

In PowerShell, you create the outbound spam filter policy first. You then create the outbound spam filter rule that identifies the policy the rule applies to.

When you remove an outbound spam filter policy from PowerShell, the system doesn't automatically remove the corresponding outbound spam filter rule. Similarly, if you remove an outbound spam filter rule from PowerShell, the system doesn't remove the outbound spam filter policy.

Creating an outbound spam policy in Exchange PowerShell is a two-step process:

  1. Create the outbound spam filter policy.
  2. Create the outbound spam filter rule that specifies the outbound spam filter policy the rule applies to. You can't associate an outbound spam filter rule with more than one outbound spam filter policy.

You can configure the following settings on new outbound spam filter policies in PowerShell. These settings aren't available in the Microsoft Defender portal until after you create the policy:

  • Create the new policy as disabled (Enabled $false on the New-HostedOutboundSpamFilterRule cmdlet).
  • Set the priority of the policy during creation (Priority [Number] on the New-HostedOutboundSpamFilterRule cmdlet).

Note

A new outbound spam filter policy that you create in PowerShell isn't visible in the Microsoft Defender portal until you assign the policy to an outbound spam filter rule.

Step 1: Use Exchange PowerShell to create an outbound spam filter policy

Use the following Exchange PowerShell command to create an outbound spam filter policy:

New-HostedOutboundSpamFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] <Additional Settings>

The following example creates a new outbound spam filter policy named Contoso Executives. The policy contains the following settings:

  • Restrict the recipient rate limits to smaller values than the defaults.
  • Prevent the user from sending messages after reaching any of the limits.

New-HostedOutboundSpamFilterPolicy -Name "Contoso Executives" -RecipientLimitExternalPerHour 400 -RecipientLimitInternalPerHour 800 -RecipientLimitPerDay 800 -ActionWhenThresholdReached BlockUser

Step 2: Use Exchange PowerShell to create an outbound spam filter rule

Use the following PowerShell command to create an outbound spam filter rule:

New-HostedOutboundSpamFilterRule -Name "<RuleName>" -HostedOutboundSpamFilterPolicy "<PolicyName>" <Sender filters> [<Sender filter exceptions>] [-Comments "<OptionalComments>"]

The following example creates a new outbound spam filter rule named Contoso Executives. The rule contains the following settings:

  • The outbound spam filter policy (Contoso Executives) is associated with the rule.
  • The rule applies to members of the group named Contoso Executives Group.

New-HostedOutboundSpamFilterRule -Name "Contoso Executives" -HostedOutboundSpamFilterPolicy "Contoso Executives" -FromMemberOf "Contoso Executives Group"
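Putting Step 1 and Step 2 together, the following added example (not code from the original page) runs the full two-step creation, uses the PowerShell-only options described earlier (creating the rule disabled and at a chosen priority), verifies the result, and finally removes both elements, since removing one does not remove the other. The group name, exception address, and comment are constructed placeholders.

```powershell
# Added example: end-to-end creation of a custom outbound spam policy.
# "Contoso Executives Group" and "exec-assistant@contoso.com" are constructed
# placeholders; substitute your own group and sender.

Connect-ExchangeOnline

$name = "Contoso Executives"

# Step 1: the policy holds the verdict action and the recipient limits.
New-HostedOutboundSpamFilterPolicy -Name $name `
    -AdminDisplayName "Stricter limits for executive mailboxes" `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 800 `
    -ActionWhenThresholdReached BlockUser

# Step 2: the rule holds the sender filters, priority, and enabled state.
# Priority 0 is the highest; the Default policy always runs last.
# Creating the rule disabled lets you review it before it takes effect.
New-HostedOutboundSpamFilterRule -Name $name `
    -HostedOutboundSpamFilterPolicy $name `
    -FromMemberOf "Contoso Executives Group" `
    -ExceptIfFrom "exec-assistant@contoso.com" `
    -Priority 0 `
    -Enabled $false `
    -Comments "Created disabled; enable after review"

# The policy becomes visible in the Defender portal only once a rule
# references it. Confirm the association and the filters before enabling.
Get-HostedOutboundSpamFilterRule -Identity $name |
    Format-List Name, HostedOutboundSpamFilterPolicy, FromMemberOf,
                ExceptIfFrom, Priority, State

# Turn the rule on once the settings have been reviewed.
Enable-HostedOutboundSpamFilterRule -Identity $name

# Cleanup: PowerShell removes the rule and the policy independently, so
# delete the rule first and then the policy it referenced.
Remove-HostedOutboundSpamFilterRule -Identity $name -Confirm:$false
Remove-HostedOutboundSpamFilterPolicy -Identity $name -Confirm:$false
```

The rule filters follow the portal's logic: multiple values within one filter (for example, several groups in FromMemberOf) use OR, different filters use AND, and the ExceptIf* parameters carve out senders the rule would otherwise match.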