
AD2.8 Anti-Spam Tuning

5-6 hours · Module 2 · Free
Operational Objective
EOP's default anti-spam policy is functional but generic. It uses Microsoft's global spam filters, which are tuned for the average M365 tenant — not for your specific organization. The result: some spam gets through that a stricter policy would catch, and some legitimate email gets flagged that a properly tuned policy would allow. Anti-spam tuning is about adjusting the sensitivity and the actions to match your environment. This subsection covers the settings worth changing, the settings to leave alone, and the specific tuning that reduces spam reaching inboxes without causing false positives that frustrate users.
Deliverable: A tuned anti-spam policy with appropriate bulk email threshold, action settings, and allow/block lists — reducing spam in inboxes while minimising false positives.
Estimated completion: 20 minutes
[Figure AD2.8: Anti-spam settings worth tuning]
TUNE THESE (low risk, measurable improvement): Bulk complaint level (default 7 → try 6); High-confidence spam → quarantine (not junk); High-confidence phishing → quarantine; Retain spam in quarantine 30 days.
CONSIDER CAREFULLY (test before enforcing): Bulk complaint level below 5; Allowed/blocked sender lists; International spam filtering (language/country); ZAP (zero-hour auto purge) settings.
LEAVE ALONE (diminishing returns, high FP risk): Advanced spam filtering (ASF) options (most are deprecated or cause FPs); Outbound spam policy (default is fine); Connection filtering (IP allow/block).

Figure AD2.8 — Anti-spam tuning priority. Focus on the bulk complaint level threshold and action settings (left). Consider language/country filters and sender lists if you have specific needs (middle). Leave the advanced spam filtering options at default — most are deprecated and cause more problems than they solve (right).

The settings worth changing

Navigate to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Anti-spam. Edit the default anti-spam policy (or create a custom one for more control).

Bulk email threshold: The default is 7 (on a scale of 1-9, where 1 is most aggressive). Lowering it to 6 catches more bulk email (newsletters, marketing, and legitimate-but-unwanted messages) without a significant increase in false positives. Don't go below 5 without monitoring — aggressive bulk filtering catches marketing emails your users subscribed to. Test at 6 for two weeks, then adjust if needed.

Spam action: The default delivers spam to the Junk folder. For high-confidence spam, change the action to "Quarantine message." Quarantine keeps the spam out of the user's mailbox entirely — they only see it if they check the quarantine, which most users never do. This reduces the chance of a user fishing through their Junk folder and opening something malicious.

Phishing action: Set high-confidence phishing to "Quarantine message" (if it's not already). Standard phishing can remain at "Move message to Junk Email folder" — quarantining all phishing is more aggressive and may catch legitimate emails that have phishing-like characteristics.

Quarantine retention: Set to 30 days (the maximum). This gives you time to investigate quarantined messages and release false positives. The default is 15 days — increasing it provides a wider investigation window.

Zero-hour auto purge (ZAP): Ensure ZAP is enabled for both spam and phishing. ZAP retroactively removes emails from user mailboxes when Microsoft reclassifies a previously delivered email as spam or phishing. If an email was clean at delivery but Microsoft later identifies it as malicious, ZAP removes it automatically — even from the user's inbox. This is a powerful retroactive protection that operates without admin intervention.

Allowed and blocked sender lists

The Tenant Allow/Block List (security.microsoft.com → Policies & rules → Threat policies → Tenant Allow/Block Lists) lets you override Microsoft's spam verdicts for specific senders, domains, or URLs.

Blocked senders/domains: Add domains that consistently send spam or phishing to your organization. Block the domain, not just the sender address — attackers use different addresses on the same domain. Be cautious about blocking entire TLDs (.xyz, .top) — while many spam campaigns use these, some legitimate businesses do too.

Allowed senders/domains: Use sparingly. Allowing a sender bypasses spam filtering for that address — which means if the allowed sender's account is compromised, the attacker's emails also bypass filtering. Only allow specific addresses that consistently trigger false positives, and review the list quarterly. Never allow entire domains like gmail.com or outlook.com — that creates an enormous bypass.

Submissions: When users report false positives (legitimate email caught as spam) or false negatives (spam that reached the inbox), submit the messages to Microsoft through the Submissions page (security.microsoft.com → Email & collaboration → Submissions). Microsoft reviews submissions and updates their global filters — your submission helps everyone, not just your tenant.
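The quarterly review of allowed senders described above is easier to keep honest when it is scripted. The following is an added example, not part of the course material: it flags allow-list entries that break the rules in this subsection (a whole domain allowed, or a freemail address allowed) and shows how a block entry is added with an expiry so it gets revisited. The policy name "Default", the domains, the 90-day expiry and the ticket reference are placeholders; the freemail list is constructed.

```powershell
# Added example (not from the course): quarterly hygiene check of the anti-spam allowed-sender
# lists plus a Tenant Allow/Block List block entry. Requires an active Connect-ExchangeOnline session.

# Freemail domains that must never appear as an allowed domain (constructed list, extend as needed).
$freemailDomains = @('gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com')

function Test-AllowListHygiene {
    param(
        [string[]] $AllowedSenders,        # value of the policy's AllowedSenders
        [string[]] $AllowedSenderDomains,  # value of the policy's AllowedSenderDomains
        [string[]] $FreemailDomains = $freemailDomains
    )
    $findings = @()
    foreach ($d in $AllowedSenderDomains) {
        # Any entry here bypasses filtering for every mailbox at that domain, compromised ones included.
        $findings += [pscustomobject]@{ Severity = 'High'; Entry = $d; Issue = 'Whole domain allowed' }
    }
    foreach ($s in $AllowedSenders) {
        $domain = ($s -split '@')[-1].ToLower()
        if ($FreemailDomains -contains $domain) {
            $findings += [pscustomobject]@{ Severity = 'Medium'; Entry = $s; Issue = 'Freemail address allowed' }
        }
    }
    return $findings
}

# Live run against the tenant's default policy.
$policy = Get-HostedContentFilterPolicy -Identity "Default"
Test-AllowListHygiene -AllowedSenders $policy.AllowedSenders -AllowedSenderDomains $policy.AllowedSenderDomains |
    Format-Table Severity, Entry, Issue -AutoSize

# Block the sending domain (not a single address), with an expiry so the entry is revisited.
New-TenantAllowBlockListItems -ListType Sender -Block `
    -Entries "spam-sender.example" `
    -ExpirationDate (Get-Date).AddDays(90) `
    -Notes "Repeat quarantine hits; ticket reference placeholder"

# Block entries lapsing within 14 days, so each is renewed or consciously dropped.
Get-TenantAllowBlockListItems -ListType Sender -Block |
    Where-Object { $_.ExpirationDate -and $_.ExpirationDate -lt (Get-Date).AddDays(14) } |
    Select-Object Value, ExpirationDate, Notes
```

Run the hygiene function first and clear any "High" findings before adding new allow entries; an allowed domain undoes most of the tuning in this subsection.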

Managing anti-spam policies with PowerShell

For repeatable configuration and documentation, manage anti-spam settings through PowerShell:

Connect-ExchangeOnline

# View current anti-spam policy settings
Get-HostedContentFilterPolicy -Identity "Default" |
    Select-Object BulkThreshold, SpamAction, HighConfidenceSpamAction,
        PhishSpamAction, HighConfidencePhishAction,
        QuarantineRetentionPeriod, ZapEnabled,
        EnableEndUserSpamNotifications | Format-List

# Update the key settings
Set-HostedContentFilterPolicy -Identity "Default" `
    -BulkThreshold 6 `
    -HighConfidenceSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -QuarantineRetentionPeriod 30 `
    -ZapEnabled $true

After changing settings, verify they took effect:

Get-HostedContentFilterPolicy -Identity "Default" | Select-Object BulkThreshold, HighConfidenceSpamAction
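The text above recommends testing a bulk threshold of 6 for two weeks before committing. Rather than changing the default policy for everyone, the stricter settings can be scoped to a pilot group with a custom policy and rule. This is an added example, not the course's own configuration; the policy name and the pilot group address are placeholders, and it assumes the group is a mail-enabled group that New-HostedContentFilterRule can target.

```powershell
# Added example (not from the course): scope the tuned settings to a pilot group before
# touching the tenant-wide Default policy. Policy name and group address are placeholders.
Connect-ExchangeOnline

$policyName = "Anti-Spam Pilot (BCL 6)"
$pilotGroup = "antispam-pilot@example.com"   # mail-enabled security or distribution group

# 1. Create the policy with the values recommended in this subsection.
New-HostedContentFilterPolicy -Name $policyName `
    -BulkThreshold 6 `
    -BulkSpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -QuarantineRetentionPeriod 30 `
    -SpamZapEnabled $true `
    -PhishZapEnabled $true

# 2. Bind it to the pilot group. Priority 0 evaluates ahead of other custom rules;
#    the Default policy still applies to everyone the rule does not match.
New-HostedContentFilterRule -Name "$policyName rule" `
    -HostedContentFilterPolicy $policyName `
    -SentToMemberOf $pilotGroup `
    -Priority 0

# 3. Confirm the evaluation order so it is clear which recipients get which policy.
Get-HostedContentFilterRule | Sort-Object Priority |
    Select-Object Name, Priority, HostedContentFilterPolicy, SentToMemberOf, State

# After the two-week test: apply the same values to the Default policy with
# Set-HostedContentFilterPolicy, then retire the pilot:
# Remove-HostedContentFilterRule -Identity "$policyName rule"
# Remove-HostedContentFilterPolicy -Identity $policyName
```

Keeping the pilot as a separate policy also gives a clean before/after comparison in the quarantine: messages quarantined for pilot-group recipients came from the tuned policy, everything else from the default.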

Quarantine analysis — finding patterns in blocked email

The quarantine is a data source, not just a holding pen. Analysing what gets quarantined tells you what threats target your organization and whether your filtering is calibrated correctly.

Navigate to security.microsoft.com → Email & collaboration → Review → Quarantine. Export the last 30 days of quarantine data. Look for three patterns:

Repeated senders. If the same sender domain appears 20+ times in quarantine, add it to your block list — the spam filter is catching it but spending processing cycles on each email. Blocking at the tenant level stops the emails before filtering.

Legitimate senders. If you see emails from known vendors, partners, or internal systems in quarantine, the filter is too aggressive for those senders. Add them to the allowed senders list (specific address, not domain) and submit as false positive to Microsoft.

Campaign patterns. If you see clusters of quarantined emails with similar subjects ("Your account has been compromised," "Invoice #[random]," "Delivery notification") arriving on the same day, that's an active phishing campaign targeting your organization. Even though the emails were quarantined, the campaign indicates your domain is on an attacker's target list — which means more sophisticated variants may follow that bypass the current filters.
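The three patterns above can be pulled out of the quarantine with PowerShell instead of a manual export. The following is an added example and not part of the course: it pages through 30 days of Get-QuarantineMessage output and surfaces repeat sender domains, known partner domains that should not be there, and same-day clusters of near-identical subjects. The partner domain list and the sample rows at the end are constructed placeholders; the functions work on the live objects because they use the same property names (ReceivedTime, SenderAddress, Subject, Type).

```powershell
# Added example (not from the course): quarantine pattern analysis over the last 30 days.
# Partner domains and the sample rows are constructed placeholders.

function Get-QuarantineLast30Days {
    # Get-QuarantineMessage returns at most 1000 rows per call, so page until a short page comes back.
    $since = (Get-Date).AddDays(-30)
    $all = @(); $page = 1
    do {
        $batch = @(Get-QuarantineMessage -StartReceivedDate $since -PageSize 1000 -Page $page)
        $all += $batch
        $page++
    } while ($batch.Count -eq 1000)
    return $all
}

function Get-SenderDomain([string] $Address) { ($Address -split '@')[-1].ToLower() }

# Pattern 1: sender domains with 20+ hits are block-list candidates.
function Find-RepeatSenders($Items, [int] $MinHits = 20) {
    $Items | Group-Object { Get-SenderDomain $_.SenderAddress } |
        Where-Object Count -ge $MinHits | Sort-Object Count -Descending |
        Select-Object @{n = 'Domain'; e = { $_.Name } }, Count
}

# Pattern 2: anything from a known partner/vendor domain in quarantine is a likely false positive.
function Find-KnownSenders($Items, [string[]] $KnownDomains) {
    $Items | Where-Object { $KnownDomains -contains (Get-SenderDomain $_.SenderAddress) } |
        Select-Object ReceivedTime, SenderAddress, Subject, Type
}

# Pattern 3: clusters of near-identical subjects on one day. Digit runs are collapsed so
# "Invoice #48213" and "Invoice #90112" fall into the same bucket.
function Find-CampaignClusters($Items, [int] $MinSize = 5) {
    $Items | Select-Object @{n = 'Day'; e = { $_.ReceivedTime.ToString('yyyy-MM-dd') } },
                           @{n = 'SubjectKey'; e = { (($_.Subject -replace '\d+', '#') -replace '\s+', ' ').Trim().ToLower() } } |
        Group-Object Day, SubjectKey |
        Where-Object Count -ge $MinSize | Sort-Object Count -Descending |
        Select-Object @{n = 'Cluster'; e = { $_.Name } }, Count
}

# Offline check on constructed rows: six "Invoice #<random>" messages on one morning
# plus one newsletter from a known partner.
$sample = 1..6 | ForEach-Object {
    [pscustomobject]@{ ReceivedTime = [datetime]'2024-05-06 09:10'; SenderAddress = "billing$_@spam-sender.example"; Subject = "Invoice #$(10000 + $_)"; Type = 'Phish' }
}
$sample += [pscustomobject]@{ ReceivedTime = [datetime]'2024-05-06 11:00'; SenderAddress = 'news@partner.example'; Subject = 'May newsletter'; Type = 'Bulk' }
Find-CampaignClusters $sample
Find-KnownSenders $sample -KnownDomains @('partner.example')

# Live run (requires Connect-ExchangeOnline):
# $items = Get-QuarantineLast30Days
# Find-RepeatSenders $items; Find-KnownSenders $items @('partner.example'); Find-CampaignClusters $items
```

The subject normalisation is deliberately crude; if a campaign varies more than the digits (random words, tracking tokens), lower the cluster size or group on the first few words of the subject instead.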

Outbound spam protection

One setting most administrators overlook: outbound spam protection. If a user account in your tenant is compromised and starts sending spam or phishing from your domain, outbound spam filtering catches it. Navigate to security.microsoft.com → Policies & rules → Threat policies → Anti-spam → Outbound policies.

The default outbound policy limits the number of emails a user can send per hour and per day. If a compromised account tries to send 10,000 phishing emails, the outbound filter blocks the send after the first few hundred and generates an alert. This protects your domain's email reputation — mass spam from your domain would get your IPs blocklisted, affecting email delivery for every user.

The default outbound settings are appropriate for most environments. The one change worth making: enable the notification for outbound spam detection. Set an email address to receive alerts when outbound spam is detected — this is an early indicator of account compromise, separate from the sign-in log alerts you configured in Module AD1.

Configure the outbound spam alert in PowerShell:

Set-HostedOutboundSpamFilterPolicy -Identity "Default" `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients "security-alerts@northgateeng.com"

This sends an alert to your admin mailbox whenever M365 detects that a user account in your tenant is sending spam. The alert includes the user account that's sending — which is almost certainly compromised. When you receive this alert, execute the compromised account procedure from Module AD1.9 immediately. An account sending outbound spam has been compromised and the attacker is using it for email-based attacks against external targets — your domain reputation degrades with every spam email sent.
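The outbound alert fires once the policy's recipient limit is reached. A compromised account can be spotted earlier by watching for any internal sender whose recipient count in the last hour is unusually high but still under the limit. The following is an added example, not part of the course: it reads the limits the outbound policy enforces, then checks message-trace rows for burst senders. It assumes Get-MessageTrace (which Microsoft is superseding with Get-MessageTraceV2), an active Connect-ExchangeOnline session, and a constructed set of trace rows for the offline check; the 200-recipient threshold is a placeholder to be set below your policy's hourly limit.

```powershell
# Added example (not from the course): hourly burst-sender check as an early compromise indicator.
# Threshold, sample rows and domain names are placeholders.

# The limits the default outbound policy enforces; pick an alert threshold below them.
Get-HostedOutboundSpamFilterPolicy -Identity "Default" |
    Select-Object RecipientLimitExternalPerHour, RecipientLimitInternalPerHour,
                  RecipientLimitPerDay, ActionWhenThresholdReached, NotifyOutboundSpamRecipients

function Find-BurstSenders {
    param(
        $TraceRows,                   # objects with SenderAddress, RecipientAddress, Received
        [string[]] $InternalDomains,  # the tenant's accepted domains
        [int] $Threshold = 200        # recipients in the window that warrant a look
    )
    $TraceRows |
        Where-Object { $_.SenderAddress -and ($InternalDomains -contains (($_.SenderAddress -split '@')[-1].ToLower())) } |
        Group-Object SenderAddress |   # message trace emits one row per recipient
        Where-Object Count -ge $Threshold | Sort-Object Count -Descending |
        Select-Object @{n = 'Sender'; e = { $_.Name } },
                      @{n = 'Recipients'; e = { $_.Count } },
                      @{n = 'DistinctRecipientDomains'; e = { ($_.Group.RecipientAddress | ForEach-Object { ($_ -split '@')[-1] } | Sort-Object -Unique).Count } }
}

# Offline check on constructed rows: one mailbox sent to 250 external recipients across 40 domains.
$rows = 1..250 | ForEach-Object {
    [pscustomobject]@{ Received = (Get-Date); SenderAddress = 'jsmith@example.com'; RecipientAddress = "user$_@external$($_ % 40).example" }
}
Find-BurstSenders -TraceRows $rows -InternalDomains @('example.com')

# Live run over the last hour (requires Connect-ExchangeOnline):
# $end = Get-Date; $start = $end.AddHours(-1)
# $internal = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }
# $trace = Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000
# Find-BurstSenders -TraceRows $trace -InternalDomains $internal
```

A high recipient count spread across many distinct recipient domains is the pattern to act on; a mail-merge to one partner domain by a known role account is usually benign, which is why the function reports both numbers rather than a single verdict.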

Setting up quarantine notification for users

By default, users don't know when legitimate email is quarantined — the email silently disappears. Enable quarantine notifications so users receive a daily digest of quarantined messages. Navigate to security.microsoft.com → Policies & rules → Threat policies → Quarantine policies → Global settings.

Enable "Send end-user spam notifications" and set the frequency to daily. Users receive an email listing their quarantined messages with the option to release false positives themselves (for spam quarantine) or request release (for phishing quarantine, which requires admin approval).

This reduces your admin workload because users can self-service legitimate email that was incorrectly quarantined as spam. For phishing quarantine, the release request comes to you for review — users can flag it but can't release it themselves, which prevents an attacker from social-engineering a user into releasing a malicious email from quarantine.

Configure the notification via PowerShell:

# EndUserSpamNotificationFrequency is a TimeSpan: "1.00:00:00" is once per day
# (the other accepted values are "04:00:00" and "7.00:00:00").
Set-QuarantinePolicy -Identity "DefaultGlobalTag" `
    -EndUserSpamNotificationFrequency "1.00:00:00" `
    -ESNEnabled $true

The combination of quarantine notifications for users and outbound spam alerts for admins gives you visibility on both sides: inbound threats quarantined before reaching users, and outbound threats detected from compromised accounts.

External email tagging — a simple but effective control

One anti-phishing control that's independent of Defender for Office 365 and works on every M365 tier: tag external emails with a visible banner. Create a mail flow rule that prepends a warning to every email from outside your organization.

Navigate to the Exchange admin center → Mail flow → Rules → New rule. Configure:

Name: "External Email Warning Banner"
Apply this rule if: The sender is located → Outside the organization
Do the following (one of the two): Prepend the subject with "[EXTERNAL] ", or prepend the disclaimer with a message like: "⚠ This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender."

The disclaimer option adds an HTML banner at the top of every external email. This is a visual cue that costs nothing to deploy, requires no additional licensing, and immediately reduces the effectiveness of impersonation attacks — because an email "from" your CEO with an "[EXTERNAL]" tag is obviously suspicious.

In PowerShell:

New-TransportRule -Name "External Email Warning Banner" `
    -FromScope NotInOrganization `
    -PrependSubject "[EXTERNAL] " `
    -Priority 0

Or for an HTML disclaimer banner:

$disclaimer = '<div style="background:#fff3cd;border:1px solid #ffc107;padding:8px 12px;margin-bottom:12px;font-size:13px;color:#856404;border-radius:4px;">⚠ <strong>External email</strong> — This message originated from outside the organization. Exercise caution with links and attachments.</div>'

New-TransportRule -Name "External Email Disclaimer" `
    -FromScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $disclaimer `
    -Priority 0

This rule takes 2 minutes to create and immediately makes every external email visually distinguishable from internal communication. Users learn to look for the tag — and its absence on an email that claims to be from a colleague is an instant red flag.
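Two refinements worth making once the rule above is in place: stop the subject tag from stacking up on reply chains ("[EXTERNAL] RE: [EXTERNAL] ..."), and exempt an expected external sender such as your own marketing platform. Outlook also has a native external-sender tag that complements the mail flow rule. This is an added example, not the course's configuration: the rule name, the marketing platform domain and the choice of exceptions are the author's assumptions, and it assumes an active Connect-ExchangeOnline session.

```powershell
# Added example (not from the course): a non-stacking variant of the subject-tag rule, plus
# Outlook's native external tag. Rule name, exception values and the domain are placeholders.

# 1. Subject tag that is skipped when the subject already carries it, and for the
#    newsletter platform your own team sends from (external, but expected).
New-TransportRule -Name "External Email Warning Banner (no restack)" `
    -FromScope NotInOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ExceptIfSubjectContainsWords "[EXTERNAL]" `
    -ExceptIfFromAddressContainsWords "@marketing-platform.example" `
    -Priority 0

# 2. Outlook's native "External" sender tag (message list and reading pane), which does not
#    alter the subject or body and so survives replies and forwards unchanged.
Set-ExternalInOutlook -Enabled $true -AllowList @{Add = "marketing-platform.example"}
Get-ExternalInOutlook | Select-Object Enabled, AllowList

# Check the rule order and exceptions without sending test mail.
Get-TransportRule | Sort-Object Priority |
    Select-Object Priority, Name, State, FromScope, PrependSubject, ExceptIfSubjectContainsWords
```

If both a subject rule and the Outlook tag are enabled, keep the allow lists identical; an address exempted in one place but tagged in the other trains users to ignore the inconsistency.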

Compliance Myth: "Anti-spam filtering is a solved problem — the defaults are fine"
The defaults are a reasonable starting point, but they're tuned for the average tenant. Your organization receives email from different senders, in different volumes, with different patterns. A pharmaceutical company receives legitimate email about medication that a generic spam filter might flag. A manufacturing company receives emails with attachment types that a strict policy might quarantine. A law firm receives emails from individual senders (opposing counsel) that bulk filtering might catch. Tuning isn't about making the filter "better" — it's about making it match YOUR email patterns. Review the quarantine weekly for the first month to identify false positives, and adjust accordingly.
Decision point

Users report that legitimate emails from a specific partner company are consistently landing in their Junk folder. You check and confirm the emails have valid SPF and DKIM but are flagged as "Bulk" by the spam filter because the partner sends from a marketing automation platform. What do you do?

Option A: Add the partner's domain to the allowed senders list.

Option B: Add the partner's specific sending address to the allowed senders list, document the exception, and set a quarterly review date.

Option C: Increase the bulk email threshold from 6 to 8, reducing sensitivity for all bulk email.

The correct answer is Option B. Adding the specific address is more targeted than the entire domain (which would bypass filtering for every sender at that domain, including potentially compromised accounts). Increasing the bulk threshold reduces protection for all bulk email — a disproportionate response to one false positive. Document the exception and review quarterly because partner sending addresses change and allowed entries should be revalidated.

Try it: Review your spam quarantine

Navigate to security.microsoft.com → Email & collaboration → Review → Quarantine. Set the filter to the last 7 days and "Quarantine reason: Spam" and "Quarantine reason: Bulk."

Review the quarantined messages. Are any legitimate emails caught? If so, note the sender, the reason for quarantine, and whether the issue is bulk threshold sensitivity or sender reputation. Release any false positives and consider adding the specific sender to the allowed list.

Check the Junk folder of 2-3 users (with their permission). Are they receiving spam in their inbox that should have been caught? If so, submit those messages to Microsoft through the Submissions page and consider lowering the bulk threshold.

This review takes 10 minutes and should become part of your monthly monitoring cadence.

ZAP (zero-hour auto purge) is enabled in your anti-spam policy. A phishing email passes EOP filtering at 09:00 and is delivered to 5 users' inboxes. At 09:45, Microsoft reclassifies the email as phishing based on new threat intelligence. What happens?
Option: Nothing — the email was already delivered and can only be manually removed.
Feedback: No. ZAP specifically addresses this scenario — retroactive removal of emails that were delivered before reclassification.
Option: The email is moved to Junk for all 5 users.
Feedback: Depends on your ZAP configuration. If ZAP is configured for phishing with "quarantine" action, it goes to quarantine, not junk.
Option: Only users who haven't opened the email yet have it removed.
Feedback: No. ZAP removes the email regardless of read status. Even if the user has already opened and read the email, ZAP moves it out of the inbox.
Option: ZAP automatically removes the email from all 5 inboxes and moves it to quarantine — even if some users have already read it.
Feedback: Correct. ZAP acts retroactively on reclassified emails. It removes the email from the inbox (or junk folder) and moves it to quarantine for all affected users, regardless of whether they've read it. The user sees the email disappear. This is powerful protection against delayed-classification phishing — the 45-minute gap between delivery and ZAP action is significantly better than waiting for manual admin intervention.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.
