by Scott Jack
Content Contributor, E-N Computers
Over a decade of experience in technical support including end user support, mobile device management, application deployment, training, and documentation.
Updated March 11, 2025
Microsoft 365 spam filtering provides powerful protection against spam, phishing, and malware and can be accessed through Microsoft Defender for Office 365 (formerly Exchange Online Protection). While basic protection is enabled by default, you can significantly enhance your organization’s security by properly configuring these settings. This guide provides comprehensive instructions for configuring modern spam filtering in Microsoft 365.
QUICK ANSWER:
How can you use Microsoft 365 spam filtering?
In the Microsoft Defender admin portal, go to Email & Collaboration > Policies & Rules > Threat policies. Under the Policies section, select Anti-spam. Configure actions for spam and high-confidence spam based on your security needs. An experienced managed services provider like E-N Computers can be an effective partner for Microsoft 365 administration when you have limited IT resources.
Access spam filter settings
As of 2024, spam filtering is configured through the Microsoft 365 Defender portal rather than the classic Exchange Admin Center:
- Sign in to Microsoft 365 Defender portal
- Navigate to Email & Collaboration > Policies & Rules > Threat policies
- Under the Policies section, select Anti-spam
Know the four components of anti-spam policies in MS365
Modern anti-spam policies in Microsoft 365 consist of several components: spam threshold and actions, quarantine management, allow and block lists, and international spam settings.
Spam threshold and actions
The anti-spam engine assigns a Spam Confidence Level (SCL) to each message based on its characteristics.
| SCL rating | Category | Description |
|---|---|---|
| -1–1 | Non-spam | Messages from trusted senders (e.g., in your allow list) and other messages likely to be legitimate |
| 2–4 | Borderline | Some suspicious characteristics, but not enough to be classified as spam |
| 5–6 | Spam | Likely to be spam |
| 7–9 | High confidence spam | Very likely to be spam |
Non-spam and borderline messages are delivered to the inbox. For spam and high-confidence spam, you can specify different actions:
- Move to Junk Email folder: Delivers to the recipient’s Junk folder (recommended for medium-confidence spam)
- Quarantine: Routes message to the admin quarantine (good for high-confidence spam)
- Delete: Permanently removes the message with no recovery option
- Add X-header: Adds a custom header for downstream processing
- Prepend subject line: Adds warning text to the subject line
- Redirect: Sends to a specified mailbox for review
Quarantine management
Quarantined messages are held in a secure area for up to 30 days rather than being delivered to the recipient’s inbox. Administrators can review them by going to Threat Management > Review > Quarantine. You can configure whether users are notified of quarantined messages and grant access to self-service quarantine management so they can release their own messages. In high-security environments, it’s recommended to restrict this ability to administrators only.
Allow and block lists
Allow and block lists override normal filtering rules and should be used carefully. Messages from allowed senders or domains bypass spam filtering entirely, which can create security vulnerabilities if not managed properly. Conversely, messages from blocked senders or domains are automatically treated as spam regardless of their content.
When configuring these lists, it’s best to add your organization’s external IP addresses to the allow list to prevent legitimate outbound mail from being blocked. However, you should never add your own domain to the allow list, as this could allow spoofed emails through. Consider using time-limited entries for temporary exceptions rather than permanent entries, and regularly audit your lists to remove unnecessary exceptions.
International spam settings
You can block messages based on language and region. These messages are treated as high-confidence spam according to your settings.
Advanced protection features in MS365
Microsoft 365 provides additional protections beyond basic spam filtering for comprehensive security against email-based threats.
Anti-Phishing policies
Configure anti-phishing policies under Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing.
- Impersonation protection detects attempts to impersonate your executives or partners.
- Mailbox intelligence uses AI to analyze users’ email patterns and detect anomalies.
- Spoof intelligence detects emails with forged sender addresses.
- First contact safety tips warn users when they receive emails from new senders.
Safe Attachments and Safe Links
These Defender for Office 365 features provide protection against malware and phishing. Safe Attachments scans email attachments in a virtual environment before delivery, detonating any potentially malicious code in a sandbox to detect threats that might bypass traditional signature-based scanning. Safe Links provides time-of-click protection by scanning links when users click them rather than only at delivery time, protecting against delayed attacks where malicious content is added to websites after emails have been scanned and delivered.
Zero-Hour Auto Purge (ZAP)
ZAP retroactively removes malicious messages that were delivered before they were identified as threats. It’s enabled by default in Microsoft 365, acts on spam and malware in email and Teams messages, and is configured in anti-spam policies.
Monitoring and Reporting
Spam filters are not just set-and-forget. To be effective, you should regularly monitor and review reports so that you can adjust your policies to new tactics.
- Access Reports > Email & Collaboration > Email Security for comprehensive views of:
- Spam detections
- Phishing attempts
- Malware blocks
- Top targeted users
- Review the Threat Explorer (Hunting > Email & Collaboration > Explorer) to investigate specific incidents or campaigns
- Use Alert policies to receive notifications about unusual activity, such as spikes in spam or phishing attempts targeting specific departments or executives.
Implementation Examples
Different organizations have different security needs and risk tolerances. Here are three example configurations that might serve as starting points for your own implementation.
Example 1: Basic Protection for Small Business
- Set Spam action: Move to Junk Email folder
- Set High-confidence spam action: Quarantine
- Enable user quarantine notifications
- Block common spam languages not used by your organization
- Enable basic Safe Links protection
Example 2: High-Security Configuration
- Set Spam action: Quarantine
- Set High-confidence spam action: Delete
- Enable anti-phishing with impersonation protection for executives
- Configure Safe Attachments with Dynamic Delivery
- Implement strict international spam filtering
- Create regular review process for quarantined messages
Example 3: Regulated Industry Setup
- Set all suspicious messages to Quarantine
- Enable admin-only release for quarantined messages
- Implement strict SPF, DKIM, and DMARC enforcement
- Configure detailed message logging and retention
- Implement mail flow rules for regulatory requirements
- Deploy enhanced protection for priority accounts
Troubleshooting Common Issues
Spam filtering may occasionally catch legitimate messages (false positives) or let spam through (false negatives). Here’s how you can troubleshoot these issues.
False Positives
If legitimate messages are being marked as spam:
- Check message headers for SCL rating and filtering decisions
- Consider adding trusted senders to Allow lists (cautiously)
- Review international spam settings if blocking messages from specific regions
- Submit false positives to Microsoft through the Security portal
False Negatives
If spam is getting through your filters:
- Examine headers to understand why messages bypassed filtering
- Consider increasing the aggressiveness of your spam threshold
- Implement additional mail flow rules for specific patterns
- Enable advanced features like anti-phishing if available in your subscription
Get help from a MS365 expert
Properly configured spam filtering in Microsoft 365 can dramatically reduce unwanted and malicious emails reaching your users, but it requires regular attention and adjustment as threats evolve. While the tools are powerful, many small and medium businesses lack the time and expertise to optimize these settings and maintain them over time.
E-N Computers specializes in providing managed IT services for small and medium businesses throughout Virginia, Maryland, and Washington, D.C., with expertise in Microsoft 365 deployments and security optimization. Our team of certified professionals can implement, monitor, and maintain robust spam filtering configurations tailored to your specific business needs.
Beyond spam filtering, E-N Computers provides comprehensive IT support and management services including:
- Microsoft 365 administration
- U.S.-based help desk and onsite support
- Patch management
- Backup and recovery
- Strategic planning
- Compliance support
- Cybersecurity and network monitoring
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.
Not sure if you need managed IT services?
Take the IT Maturity Self-Assessment
In a few minutes, get actionable insights on your IT strategy, plus a free strategic consultation.
