Microsoft 365 Spam Filter: How to Manage Email Filtering
Microsoft 365 includes multi-layer spam and malware filtering through Exchange Online Protection (EOP). While the default configuration catches most obvious spam, businesses frequently need to adjust filtering policies to reduce false positives, tighten phishing protection, or whitelist legitimate senders. This guide explains how to configure and manage Microsoft 365 email filtering.
AMVIA Team
Editorial
Most businesses run the default policy and assume they are covered. They usually are not. The defaults are a sensible baseline, but a baseline is not a tuned filter — and email is still the route most attackers take into a UK business. This guide walks through how EOP works, where to change the settings that matter, and how to stop legitimate email getting trapped. It pairs with our Microsoft 365 security pillar and our wider email security guidance.
How does the Office 365 spam filter actually work?
Every email delivered to a Microsoft 365 mailbox passes through Exchange Online Protection before it reaches the inbox. EOP runs four filtering layers in sequence, each one designed to catch a different class of unwanted or malicious mail. It is on by default for every Microsoft 365 plan.
- Connection filtering — checks the sending IP address against Microsoft's threat intelligence and known bad-actor lists
- Anti-malware scanning — scans attachments for known malware signatures
- Anti-spam filtering — analyses content, structure and metadata against spam patterns
- Anti-phishing — detects spoofed senders, lookalike domains, and other phishing indicators
On Business Premium and above, Defender for Office 365 adds Safe Attachments (sandboxing unknown files) and Safe Links (URL detonation at click time), a materially higher level of protection. Microsoft documents the full EOP pipeline in its anti-spam protection overview.
Where do you manage Office 365 spam filter policies?
Office 365 spam filter settings live in the Microsoft Defender portal (security.microsoft.com), under Email & Collaboration > Policies & Rules > Threat Policies. This is the single place to control how detected mail is handled across the whole tenant, rather than per mailbox.
The policy categories you will use most:
| Policy | What it controls | Plan |
|---|---|---|
| Anti-spam policies | Junk, quarantine or delete detected spam | All plans |
| Anti-malware policies | Malware handling and notifications | All plans |
| Anti-phishing policies | Impersonation and spoof protection | All plans |
| Safe Attachments | Sandbox scanning of attachments | Business Premium+ |
| Safe Links | URL checking at click time | Business Premium+ |
If you are not sure which plan you hold or what it includes, an M365 security audit maps your current policies against what Microsoft recommends.
Which anti-spam settings should you change first?
The default anti-spam policy is a reasonable starting point, but three settings reward attention. Tuning them is the difference between a filter that catches real threats and one that either floods the junk folder or lets bulk mail straight through.
Spam Confidence Level (SCL)
Microsoft assigns each inbound email a Spam Confidence Level from 0 (not spam) to 9 (definitely spam). The default policy moves SCL 5 and above to junk or quarantine. Lowering the threshold catches more borderline spam but raises the risk of quarantining legitimate mail, so change it deliberately and review the results.
Bulk Complaint Level (BCL)
Bulk commercial email — newsletters, marketing blasts — is scored separately from spam on a Bulk Complaint Level scale. Many businesses benefit from tightening this threshold to filter unwanted marketing that technically is not spam, without touching the spam rules themselves.
Quarantine versus the Junk Email folder
You can route detected mail to the user's Junk Email folder (where they self-recover) or to administrator-controlled quarantine. High-confidence spam is better sent to quarantine, where users request release rather than getting potentially dangerous mail one click away in their inbox.
How do you stop legitimate email being flagged as spam?
False positives — real email caught by the filter — are disruptive and erode trust in the system. The usual causes are predictable, and most are fixable without weakening protection across the tenant.
Common triggers:
- Newsletters and marketing email from legitimate suppliers
- Senders on domains with a poor sending reputation
- Automated mail from business software with missing or misconfigured SPF, DKIM or DMARC records
Allow lists let you add specific sender addresses or domains in the anti-spam policy. Use sender-level allows, not domain-level — whitelisting an entire domain bypasses filtering for every message claiming to come from it, including spoofs. Microsoft specifically recommends against allow-listing domains you or your partners own, because it creates a phishing hole; use mail flow rules or Outlook safe-sender lists for those cases.
Mail flow rules (transport rules) give fine-grained control: they can override spam decisions, stamp headers, redirect mail, or add warning banners to messages matching set conditions — useful for scenarios the standard policies cannot handle alone.
Why is native filtering not always enough?
EOP is strong, but it is also the most-targeted filter in the world, which means attackers test against it constantly. Independent benchmarking has reported a 47% rise in attacks evading Microsoft's native defences (KnowBe4 2025 Phishing Benchmark Report), which is why layered controls matter for higher-risk inboxes.
The practical answer is not to rip out EOP — it is to harden it and add the Defender for Office 365 layers on top. Impersonation protection, Safe Links and Safe Attachments close the gaps that pure content filtering leaves open. For organisations under real pressure, AMVIA pairs this with Microsoft Defender for Business and dedicated phishing protection monitored by our in-house SOC. The National Cyber Security Centre reaches the same conclusion: technical filtering must sit alongside reporting and response.
How do you configure anti-phishing protection?
The default anti-phishing policy gives basic cover; the high-value settings are off or generic until you set them. Phishing — especially impersonation of named executives — is where the costly attacks land, so this policy deserves a deliberate pass rather than the defaults.
- Impersonation protection — name your key people (CEO, CFO, finance staff) and protected domains so Microsoft flags mail attempting to impersonate them
- Spoofed sender intelligence — on by default, but confirm it is active in the policy
- DMARC honouring — lets Microsoft enforce your published DMARC policy on inbound mail that fails verification
How do you review what the filter is catching?
The Microsoft Defender portal reports on filtering activity — what is being quarantined, false-positive rates, and threat trends. On Business Premium and above, Threat Explorer gives a live view of recent email threats so you can investigate suspicious messages, trace flow, and understand exactly what the filter caught.
End users review and release held mail at security.microsoft.com/quarantine, which cuts the administrative load on IT. Set quarantine policies so users can self-release low-risk mail while high-confidence threats still require an administrator. This is part of how AMVIA delivers a single, accountable, security-first service across your whole Microsoft 365 security estate — see our wider cybersecurity approach for how email fits the bigger picture.
Too Much Spam Getting Through? Or Too Much Legitimate Email Being Blocked?
AMVIA tunes Microsoft 365 anti-spam and anti-phishing policies for UK businesses to find the right balance between protection and deliverability.
Frequently Asked Questions
Yes. Every Microsoft 365 plan includes Exchange Online Protection (EOP), which provides multi-layer spam, malware and phishing filtering on by default. On Business Premium and above, Defender for Office 365 adds Safe Attachments (sandbox scanning) and Safe Links (URL checking at click time) for stronger protection against modern threats.
Sender allow lists are managed in the Microsoft Defender portal under Threat Policies > Anti-spam policies. Add the specific sender address or domain to the allowed senders list. For individual users, the Outlook Safe Senders list also works. Avoid whitelisting entire domains you communicate with regularly — use per-address allows instead to avoid opening a spoofing gap.
Email is usually quarantined for one of three reasons: aggressive spam thresholds, a low sending reputation for the sender's domain, or missing or failed SPF, DKIM or DMARC records. Check the message headers for the SCL score and review the sender's DNS records. The fix is normally adjusting the quarantine threshold or adding the sender to an allow list.
Safe Attachments, available on Business Premium and above via Defender for Office 365 Plan 1, sends email attachments to a detonation sandbox before delivery. The sandbox opens the file in an isolated environment and checks for malicious behaviour. Safe attachments are delivered normally, typically adding a few minutes to delivery time.
Yes. End users access their quarantine at security.microsoft.com/quarantine to review held messages. Administrators see every quarantined message for the organisation. Depending on your quarantine policy settings, users may be able to release messages themselves or must request release from an administrator first.
For low-risk inboxes the defaults are a fair baseline, but they are rarely tuned to a specific business. Reviewing SCL and bulk thresholds, enabling impersonation protection, and adding the Defender for Office 365 layers on Business Premium materially reduces what gets through. Higher-risk teams benefit from active monitoring on top.
Related Reading
Microsoft 365 Spam Filter: The Complete Guide
In-depth guide to spam filtering in Microsoft 365: setup, allow/blocklists and best practices.
BarracudaOne | How AMVIA Keeps Your Business Compliant
How AMVIA's email security platform provides protection beyond the built-in Microsoft 365 filters.
Microsoft 365 Security | Hardening Your Business Tenant
Comprehensive Microsoft 365 security configuration including email protection best practices.