Every Exchange-enabled Office 365 license includes the Exchange Online Protection (EOP) service to protect users from spam, viruses, and other malware.  This protection covers both inbound and outbound mail traffic for each mailbox.


By default, all content detected as likely spam is automatically moved to each user's Junk Email folder.  Users can review the content of that folder and blacklist senders directly from their Outlook or OWA clients.


Some organizations may prefer that junk email be quarantined rather than simply be moved to a Junk Email folder within a user's mailbox.  An organization may also want to customize the severity of the spam filter, blacklist or whitelist senders globally for the organization, or send notifications to their users when items are quarantined.  This article provides instructions on customizing the EOP policies for an organization.


Accessing the Exchange Online Protection portal


To access the Exchange Online Protection portal, open the following URL in any web browser and log in with a user's Office 365 credentials:


https://protection.office.com/


Users will require either the Global Administrative role or Exchange Administrative role to customize any EOP policies.  Users without these roles will only be able to access the Quarantine for their own mailbox.


Customizing the Organization's Spam Filter policy


Once logged in to the EOP portal as an administrator, use the following steps to customize the spam filter policies for the organization:


  1. Click on Threat management in the left-hand menu.


  2. Click on Policy.


  3. Click the Anti-spam panel.


  4. Click the Custom tab.


  5. Click the Custom settings switch to turn it On.


  6. There are four portions of the spam filter policy that can be customized:
    • Default spam filter policy - This policy affects inbound email traffic for all users.
    • Connection filter policy - This policy affects specific sending hosts relaying inbound email.
    • Outbound spam filter policy - This policy affects outbound email from users in the organization.
    • Spoof intelligence policy - This policy affects email from domains matching those of the organization.

  7. To customize the settings for any specific policy, click on the wedge corresponding to that policy to expand it, and then click the Edit Policy button.

    • The configurable policy options for the Default spam filter policy are as follows:
      • Spam and bulk actions
        • The following options can be selected for Spam, High-Confidence Spam, Phishing email, and Bulk email: 
          • Move message to Junk Email folder (the default setting)
          • Add X-header (adds an entry to the email's header designating it as spam)
          • Prepend subject line with text
          • Redirect message to email address
          • Delete message (spam deleted in this manner will not be recoverable)
          • Quarantine message
        • The Select the threshold setting determines how aggressively the filter will treat content as spam.  A lower number means a more aggressive filter.
        • The Quarantine Retention setting will determine how long an email will remain in quarantine before it is purged.  Items that have been purged from the quarantine are not recoverable.
        • When the Safety Tips option is enabled, a header will be added to each email processed by EOP indicating if it is suspicious, spam, trusted, or safe.
      • Allow lists will designate sender email addresses and domains that are considered trusted across the entire organization and will not be checked by the spam filter.
      • Block lists will designate sender email addresses and domains that will always be treated as spam for the entire organization.  Any email received from these senders will be processed according to the Spam and bulk actions settings.
      • International spam designates email sent in specified languages or from specified countries/regions as spam.  Any email received in a specified language or from a specified country/region will be processed according to the Spam and bulk actions settings.
      • Spam properties allows certain mail content or formatting to be designated for increased spam scoring or to be marked as spam outright.

    • The configurable policy options for the Connection filter policy are as follows:
      • IP Allow List designates the sending host IP addresses that are considered trusted for the organization.  Any email received from these IPs will not be checked by the spam filter.
      • IP Block List designates the sending host IP addresses that will always be treated as spam for the entire organization.  Any email received from these senders will be processed according to the Spam and bulk actions settings.

    • The configurable policy options for the Outbound spam filter policy are as follows:

      Please note that Outbound spam filtering is required for all organizations in Office 365 and cannot be disabled.  For information on how Office 365 handles outbound spam, we recommend reviewing the following Microsoft post: Understanding outbound spam controls in Office 365
      • Send a copy of suspicious outbound email messages to specific people - This setting will designate a contact that will be notified if an outbound email is marked as spam.
      • Notify specific people if a sender is blocked due to sending outbound spam - This setting will designate a contact that will be notified if a user in the organization has been blocked due to outbound spam.

    • The Spoof Intelligence policy contains the following two options:
      • Show me senders I already reviewed - This option allows an admin to view users that have been listed in the policy and change settings for those domains.
      • Review new senders - This option allows an admin to review users that have been detected by the spam filter as having been spoofed and set whether the spoofing is to be allowed or blocked.

  8. In addition to the organization-wide policies, custom policies can be created for individual domains, users, or groups.  To create a new custom policy, click the Create a policy button.
    1. Add a Title and optional Description for the new custom policy.
    2. Configure each of the policy sections as needed.  The available options for the custom policy are the same as those of each default policy.
    3. Click the wedge corresponding to the Applied to section to expand it.

    4. Click the Add a condition button.
    5. Select the recipient condition from the drop-down menu, and enter the corresponding domain, recipient, or group.
    6. Optionally, additional conditions may be added by clicking the Add a condition button again.
    7. Optionally, exceptions may be added by clicking the Add an exception button.
    8. Click the Save button.

Customizing the Organization's Malware Filter Policy


Once logged in to the EOP portal as an administrator, use the following steps to customize the malware filter policies for the organization:


  1. Click on Threat management in the left-hand menu.


  2. Click on Policy.


  3. Click on the Anti-malware panel.


  4. Double-click on the Default policy.


  5. Click on Settings in the left-hand menu.

  6. The following options are available to configure:
    • Malware Detection Response - This option sets whether the intended recipient of an email with detected malware will be notified that the message has been quarantined.  Please note that while the recipient can be notified that an email has been quarantined as malware, only an admin will be able to release the email.
    • Common Attachment Types Filter - This option allows specific attachment file types to be blocked as possible malware.  The file types most commonly used for spreading malware have been listed, but the File Types list can be customized per the needs of the organization.
    • Notifications - This option determines whether a notification will be sent to the sender of the quarantined malware email.
    • Administrator Notifications - This option determines whether a notification will be sent to a designated administrator when an email is quarantined for malware.
  7. Click the Save button to update the Default policy with any changes that have been made.
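
The spam filter, connection filter, and malware filter settings described above can also be read back from Exchange Online PowerShell. The following read-only audit is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run, and the Add-Finding helper is a name chosen for illustration.

```powershell
# Added example: read-only audit of the EOP settings described in this article.
# Assumes the ExchangeOnlineManagement module is installed and that
# Connect-ExchangeOnline has already been run by a Global or Exchange administrator.

$findings = New-Object 'System.Collections.Generic.List[object]'

# Illustrative helper (not a built-in cmdlet): records one row of the report.
function Add-Finding {
    param([string]$Policy, [string]$Setting, [string]$Note)
    $findings.Add([pscustomobject]@{ Policy = $Policy; Setting = $Setting; Note = $Note })
}

# Spam filter policies (the default policy and any custom policies).
foreach ($p in Get-HostedContentFilterPolicy) {
    foreach ($name in 'SpamAction', 'HighConfidenceSpamAction', 'PhishSpamAction', 'BulkSpamAction') {
        if ("$($p.$name)" -eq 'Delete') {
            Add-Finding $p.Name $name 'Delete: affected mail is not recoverable'
        }
    }
    # Allow-listed senders and domains are not checked by the spam filter.
    $allow = @($p.AllowedSenders | Where-Object { $_ }).Count +
             @($p.AllowedSenderDomains | Where-Object { $_ }).Count
    if ($allow -gt 0) {
        Add-Finding $p.Name 'Allow lists' "$allow entries are not checked by the spam filter"
    }
    Add-Finding $p.Name 'Threshold / retention' `
        "bulk threshold $($p.BulkThreshold), quarantine retention $($p.QuarantineRetentionPeriod) days"
}

# Connection filter policy: allow-listed sending IPs are not spam filtered.
foreach ($c in Get-HostedConnectionFilterPolicy) {
    $ips = @($c.IPAllowList | Where-Object { $_ })
    if ($ips.Count -gt 0) {
        Add-Finding $c.Name 'IP Allow List' "$($ips.Count) trusted IPs: $($ips -join ', ')"
    }
}

# Malware filter policies: report the state of the Common Attachment Types Filter.
foreach ($m in Get-MalwareFilterPolicy) {
    if (-not $m.EnableFileFilter) {
        Add-Finding $m.Name 'Common Attachment Types Filter' 'Off: the File Types list is not enforced'
    } else {
        Add-Finding $m.Name 'Common Attachment Types Filter' "$(@($m.FileTypes).Count) file types blocked"
    }
}

$findings | Sort-Object Policy, Setting | Format-Table -AutoSize -Wrap
```

The script only calls Get- cmdlets, so it changes nothing in the tenant and can be re-run after each policy edit to confirm the saved state.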

Accessing the Exchange Online Protection Quarantine


Once logged on to the EOP portal, use the following steps to access the Quarantine and manage quarantined items:


  1. Click on Threat management in the left-hand menu.


  2. Click on Review.


  3. Click the Quarantine panel.


  4. If an administrator is logged in to the Quarantine, they will see options to view quarantined content for the entire organization, or for just their own mailbox.

     The following types of quarantined content can be viewed and managed by an admin:
    • Transport Rule - This listing shows items quarantined due to a Transport Rule.
    • Bulk - This listing shows items quarantined from bulk senders (typically mailing lists or known mass-mailers).
    • Phish - This listing shows items quarantined due to phishing links or attachments.
    • Malware - This listing shows items quarantined due to malware detected in the email or attachment.
    • Spam

  5. If a non-administrator user is logged in to the Quarantine, they will only be able to view content quarantined for their own mailbox, and only Bulk or Spam content.

  6. Click on a quarantined item to review and manage that item.


  7. The following actions can be taken on a quarantined item:
    • Release message - This will release the email from quarantine and deliver it to its original intended recipient.
    • View message header - This will display the item's message header.  Headers can be useful to determine an email's source and route.
    • Preview message - This will display the item's message body in a plain text format.
    • Download message - This will download the item in a .eml format.
    • Remove from quarantine - This will purge the item from the quarantine. Items that have been purged from the quarantine are not recoverable.

  8. Multiple items can be selected from the quarantine list.  When multiple items are selected, the available actions are Release messages and Remove from quarantine.
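
The same quarantine review can be done from Exchange Online PowerShell, which helps when many items need triage before the retention period purges them. The following is an added example, not part of the original article; it assumes an existing Connect-ExchangeOnline session with an administrative role, and the 7-day and 3-day windows are arbitrary values chosen for illustration.

```powershell
# Added example: summarize the quarantine and show one message's route.
# Assumes Connect-ExchangeOnline has already been run by an administrator.

$since = (Get-Date).AddDays(-7)          # illustrative review window
$items = @(Get-QuarantineMessage -StartReceivedDate $since `
                                 -EndReceivedDate (Get-Date) -PageSize 500)

# How many items of each type (Spam, Bulk, Phish, Malware, TransportRule).
$items | Group-Object Type | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Items that will be purged soon; purged items are not recoverable.
$cutoff = (Get-Date).AddDays(3)          # illustrative warning window
$items | Where-Object { $_.Expires -lt $cutoff } | Sort-Object Expires |
    Select-Object ReceivedTime, Expires, Type, SenderAddress, Subject |
    Format-Table -AutoSize -Wrap

# Message header of the first item in the list, reduced to the fields
# that show source and route.
$msg = $items | Select-Object -First 1
if ($msg) {
    $raw = (Get-QuarantineMessageHeader -Identity $msg.Identity).Header

    # Header fields can be folded across lines; join continuation lines first.
    $lines = ($raw -replace '\r?\n[ \t]+', ' ') -split '\r?\n'

    # Each relay prepends its own Received line, so reverse the list
    # to read the hops from the original sender to the mailbox.
    $hops = @($lines | Where-Object { $_ -match '^Received:' })
    [array]::Reverse($hops)

    "Route for: $($msg.Subject)"
    $i = 0
    foreach ($hop in $hops) { $i++; "  hop $i  $($hop -replace '^Received:\s*', '')" }

    # SPF, DKIM and DMARC results recorded by the receiving service.
    $lines | Where-Object { $_ -match '^Authentication-Results:' }
}
```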