Microsoft 365

Microsoft 365 Spam Filter: How to Manage Email Filtering

Microsoft 365 includes multi-layer spam and malware filtering through Exchange Online Protection (EOP). While the default configuration catches most obvious spam, businesses frequently need to adjust filtering policies to reduce false positives, tighten phishing protection, or whitelist legitimate senders. This guide explains how to configure and manage Microsoft 365 email filtering.

AT

AMVIA Team

Editorial

7 min read·Mar 2026

Most businesses run the default policy and assume they are covered. They usually are not. The defaults are a sensible baseline, but a baseline is not a tuned filter — and email is still the route most attackers take into a UK business. This guide walks through how EOP works, where to change the settings that matter, and how to stop legitimate email getting trapped. It pairs with our Microsoft 365 security pillar and our wider email security guidance.

How does the Office 365 spam filter actually work?

Every email delivered to a Microsoft 365 mailbox passes through Exchange Online Protection before it reaches the inbox. EOP runs four filtering layers in sequence, each one designed to catch a different class of unwanted or malicious mail. It is on by default for every Microsoft 365 plan.

  • Connection filtering — checks the sending IP address against Microsoft's threat intelligence and known bad-actor lists
  • Anti-malware scanning — scans attachments for known malware signatures
  • Anti-spam filtering — analyses content, structure and metadata against spam patterns
  • Anti-phishing — detects spoofed senders, lookalike domains, and other phishing indicators

On Business Premium and above, Defender for Office 365 adds Safe Attachments (sandboxing unknown files) and Safe Links (URL detonation at click time), a materially higher level of protection. Microsoft documents the full EOP pipeline in its anti-spam protection overview.

Where do you manage Office 365 spam filter policies?

Office 365 spam filter settings live in the Microsoft Defender portal (security.microsoft.com), under Email & Collaboration > Policies & Rules > Threat Policies. This is the single place to control how detected mail is handled across the whole tenant, rather than per mailbox.

The policy categories you will use most:

PolicyWhat it controlsPlan
Anti-spam policiesJunk, quarantine or delete detected spamAll plans
Anti-malware policiesMalware handling and notificationsAll plans
Anti-phishing policiesImpersonation and spoof protectionAll plans
Safe AttachmentsSandbox scanning of attachmentsBusiness Premium+
Safe LinksURL checking at click timeBusiness Premium+

If you are not sure which plan you hold or what it includes, an M365 security audit maps your current policies against what Microsoft recommends.

Which anti-spam settings should you change first?

The default anti-spam policy is a reasonable starting point, but three settings reward attention. Tuning them is the difference between a filter that catches real threats and one that either floods the junk folder or lets bulk mail straight through.

Spam Confidence Level (SCL)

Microsoft assigns each inbound email a Spam Confidence Level from 0 (not spam) to 9 (definitely spam). The default policy moves SCL 5 and above to junk or quarantine. Lowering the threshold catches more borderline spam but raises the risk of quarantining legitimate mail, so change it deliberately and review the results.

Bulk Complaint Level (BCL)

Bulk commercial email — newsletters, marketing blasts — is scored separately from spam on a Bulk Complaint Level scale. Many businesses benefit from tightening this threshold to filter unwanted marketing that technically is not spam, without touching the spam rules themselves.

Quarantine versus the Junk Email folder

You can route detected mail to the user's Junk Email folder (where they self-recover) or to administrator-controlled quarantine. High-confidence spam is better sent to quarantine, where users request release rather than getting potentially dangerous mail one click away in their inbox.

How do you stop legitimate email being flagged as spam?

False positives — real email caught by the filter — are disruptive and erode trust in the system. The usual causes are predictable, and most are fixable without weakening protection across the tenant.

Common triggers:

  • Newsletters and marketing email from legitimate suppliers
  • Senders on domains with a poor sending reputation
  • Automated mail from business software with missing or misconfigured SPF, DKIM or DMARC records

Allow lists let you add specific sender addresses or domains in the anti-spam policy. Use sender-level allows, not domain-level — whitelisting an entire domain bypasses filtering for every message claiming to come from it, including spoofs. Microsoft specifically recommends against allow-listing domains you or your partners own, because it creates a phishing hole; use mail flow rules or Outlook safe-sender lists for those cases.

Mail flow rules (transport rules) give fine-grained control: they can override spam decisions, stamp headers, redirect mail, or add warning banners to messages matching set conditions — useful for scenarios the standard policies cannot handle alone.

Why is native filtering not always enough?

EOP is strong, but it is also the most-targeted filter in the world, which means attackers test against it constantly. Independent benchmarking has reported a 47% rise in attacks evading Microsoft's native defences (KnowBe4 2025 Phishing Benchmark Report), which is why layered controls matter for higher-risk inboxes.

The practical answer is not to rip out EOP — it is to harden it and add the Defender for Office 365 layers on top. Impersonation protection, Safe Links and Safe Attachments close the gaps that pure content filtering leaves open. For organisations under real pressure, AMVIA pairs this with Microsoft Defender for Business and dedicated phishing protection monitored by our in-house SOC. The National Cyber Security Centre reaches the same conclusion: technical filtering must sit alongside reporting and response.

How do you configure anti-phishing protection?

The default anti-phishing policy gives basic cover; the high-value settings are off or generic until you set them. Phishing — especially impersonation of named executives — is where the costly attacks land, so this policy deserves a deliberate pass rather than the defaults.

  • Impersonation protection — name your key people (CEO, CFO, finance staff) and protected domains so Microsoft flags mail attempting to impersonate them
  • Spoofed sender intelligence — on by default, but confirm it is active in the policy
  • DMARC honouring — lets Microsoft enforce your published DMARC policy on inbound mail that fails verification

How do you review what the filter is catching?

The Microsoft Defender portal reports on filtering activity — what is being quarantined, false-positive rates, and threat trends. On Business Premium and above, Threat Explorer gives a live view of recent email threats so you can investigate suspicious messages, trace flow, and understand exactly what the filter caught.

End users review and release held mail at security.microsoft.com/quarantine, which cuts the administrative load on IT. Set quarantine policies so users can self-release low-risk mail while high-confidence threats still require an administrator. This is part of how AMVIA delivers a single, accountable, security-first service across your whole Microsoft 365 security estate — see our wider cybersecurity approach for how email fits the bigger picture.

Too Much Spam Getting Through? Or Too Much Legitimate Email Being Blocked?

AMVIA tunes Microsoft 365 anti-spam and anti-phishing policies for UK businesses to find the right balance between protection and deliverability.

Frequently Asked Questions