Manage anti-malware and anti-spam policies


Anti-malware and anti-spam defenses are a critical part of any modern messaging system. Microsoft 365 provides highly effective tools for minimizing the number of unwanted messages that reach user mailboxes while providing strong defenses against malicious software.

Exchange Online uses several anti-spam technologies to minimize incoming spam messages. It scans incoming messages and stores the results in the Anti-spam Message Headers that are part of every SMTP message. Additionally, it saves the spam confidence level (SCL) as part of this header; the SCL includes the likeliness that the message is spam.

When Microsoft Exchange Online Protection (EOP) scans an incoming message, it inserts an X-Forefront-Antispam-Report header (X-header) into the SMTP header of the message. The fields in this header enable an organization to gather information about the message and how it was processed. Organizations can then use tool such as the Remote Connectivity Analyzer (RCA) to translate the email header information. By doing so, organizations can troubleshoot mail flow issues and understand how Exchange Online Protection is processing emails.

Microsoft Exchange Online Protection provides the following filters that can be configured to protect your organization’s messaging system:

  • Malware filtering
  • Connection filtering
  • Spam filtering

The RCA tool is available here.

Additional reading. See the following site for an in-depth explanation of the Exchange Online plans and the anti-spam features available in each.

Configuring malware filtering

Exchange Online uses the malware protection in EOP to protect user mailboxes against infected messages. EOP uses multiple industry-leading malware detection engines to scan incoming and outgoing mail, with these engines being updated as new virus definitions appear.

In the Exchange Admin Center (EAC) and the Security and Compliance Center, anti-malware policies can be configured to protect against malware in Microsoft 365. An anti-malware policy is a combination of two elements:

  • A malware policy that defines what happens when malware is detected.
  • A malware rule that defines who the policy applies to.

Exchange Online comes with a preconfigured malware filter that simply deletes the message without providing any notifications. This policy, which applies to everyone, can be edited but not deleted. You also can't change who the policy applies to.

Some organizations determine they need different protection arrangements for different internal groups. In this situation, they can add one or more anti-malware policies and then fine-tune the settings to meet their requirements.

Malware filters are configured through the protection settings that can be maintained in the EAC and Windows PowerShell. Rules and policies must be configured separately when Windows PowerShell is used to maintain these settings.

A policy's priority controls the order in which the policy is applied. Policies are applied in sequential order from the highest priority down to the lowest. The default policy is always the lowest priority. It provides a final barrier that simply deletes the offending messages. A policy's priority can be changed at any time.

To configure a malware policy with PowerShell, use the New-MalwareFilterPolicy command. To configure a malware rule that applies a policy to users, groups, or domains, use the New-MalwareFilterRule command.

Configuring connection filtering

Both Exchange Online and the Security and Compliance Center provide a connection filter that enables organizations to configure filtering based on IP addresses, with separate “IP allow” and “IP block” lists. Unlike malware filters, there's only one default connection filter, but its settings can be customized.

An IP allowlist contains individual addresses or ranges of addresses that an organization trusts. An IP blocklist contains addresses or even subnets of known spammers from which an organization doesn't want to receive messages. A safe list can also be enabled. This option enables acceptance of messages that are from known senders. Microsoft uses third-party sources to supply the list of safe senders.

Settings that an organization can change include:

  • Allowed IP addresses
  • Blocked IP addresses
  • Enable safe list

In an IP allowlist and an IP blocklist, an organization can specify individual addresses or network ranges using Classless Inter-Domain Routing (CIDR). CIDR is a method of allocating IP addresses. It's more flexible than the original system of Internet Protocol (IP) address classes because it removes the class A, B, and C subnet masks.

The Allow setting typically overrides the Block setting. As a result, if an organization adds an address to both lists, mail is allowed from that IP address. The SCL is automatically set to -1 for IP addresses on the IP allowlist. This setting means the message skips all further processing. Connection filters can be added or changed in both the EAC and Windows PowerShell.

To configure connection filters using Windows PowerShell, the Set-HostedConnectionFilterPolicy cmdlet must be used. For example, let's say that an organization wants to make the following changes to its allowlist:

  • add IP address
  • add IP address range through
  • remove IP address

To update its allowlist with these changes, an organization must run the following PowerShell command:

Set-HostedConnectionFilterPolicy "Default" -IPAllowList @{Add="","";Remove=""}


Connection filtering is effective for catching all traffic from the IP addresses in the blocklist. However, it may not be the most effective way for an organization to protect its environment given its business requirements. For more information, see the following article on Configuring EOP best practices.

Configuring spam filtering

Spam filters are the main component against malware or other harmful email attachments that want to grab personal information from a user's computer. Spam filters:

  • provide a range of basic and advanced filtering options.
  • automatically add spam processing headers.
  • assign a spam confidence level to the messages before delivery to user mailboxes.

Configuration settings for spam filters fall into the following categories:

  • General (name, description)
  • Spam and bulk actions
  • IP allowlist
  • IP blocklist
  • International spam
  • Advanced options
  • Applied to

The default spam filter policy applies to all messages and all mailboxes. Other spam filter policies can then be added that apply different settings to separate groups. They can also set the application order of those policies.

Exercise – Interactive demonstrations

Select the following links to complete these interactive demonstrations:

The first simulation guides you through the steps to create a mail flow rule in the Microsoft 365 tenant for the fictitious Adatum Corporation. In the second simulation, you'll learn how to configure Microsoft 365's default malware policy.