Microsoft 365 Spam Filter: The Complete Guide
This complete guide to Microsoft 365 spam filtering covers Exchange Online Protection architecture, anti-spam and anti-phishing policy setup, allow and blocklists, quarantine management, Safe Attachments, Safe Links, and how to test your configuration. Written for IT administrators and business owners managing their own Microsoft 365 tenant.
Nathan Hill-Haimes
Technical Director
Exchange Online Protection: The Foundation
Every email that arrives at a Microsoft 365 mailbox passes through Exchange Online Protection (EOP) — Microsoft's cloud-based email filtering service. EOP is included at no additional cost in all Microsoft 365 paid plans and provides the baseline spam, malware and phishing protection for the platform.
EOP processes inbound email through a pipeline of checks. Understanding the order helps when troubleshooting why a specific email was (or wasn't) filtered:
- Connection filtering — checks the sending IP against Microsoft's Safe List, block lists and reputation databases
- Anti-malware scanning — scans attachments and message content for known malware signatures
- Mail flow rules (transport rules) — any custom rules you've created that can override or modify filtering behaviour
- Anti-spam filtering — applies content analysis and assigns a Spam Confidence Level (SCL) and Bulk Complaint Level (BCL)
- Anti-phishing — checks for spoofed senders, lookalike domains, and impersonation attempts
On Business Premium and above, two additional layers are available: Safe Attachments and Safe Links (part of Defender for Office 365 Plan 1).
The Spam Confidence Level (SCL)
The SCL is Microsoft's assessment of how likely an email is to be spam, scored from -1 to 9:
- SCL -1 — email allowed through connection filtering (from an IP on your safe sender list)
- SCL 0-1 — not spam
- SCL 2-4 — low probability spam
- SCL 5-6 — spam (junk folder by default)
- SCL 7-9 — high confidence spam (quarantine by default)
The default anti-spam policy action thresholds can be adjusted. Moving messages with SCL 5-6 to quarantine rather than junk provides better control — administrators and users can review the quarantine, whereas users often miss junk email.
Configuring Anti-Spam Policies
Access anti-spam settings at security.microsoft.com > Email & Collaboration > Policies & Rules > Threat Policies > Anti-spam.
Inbound Anti-Spam Policy
The default inbound policy applies to all users. You can create custom policies that apply to specific groups, domains or users with higher or lower thresholds than the default.
Key settings to review:
- Spam action — where to send email at each SCL threshold (junk, quarantine, delete)
- Bulk email threshold (BCL) — 1-9; lower values filter more bulk email. The default is 7. Reducing to 5 significantly reduces bulk commercial email.
- Quarantine policy — which quarantine policy applies to quarantined messages (affects what users can do when they access quarantine)
- Safety tips — enable first contact safety tips (warning when receiving email from a sender for the first time) and suspicious sender warnings
Configuring Anti-Phishing Policies
Anti-phishing policies are in the same Threat Policies section. The default policy provides basic protection; a custom policy should be created with the following settings reviewed:
Impersonation Protection
Add up to 60 key users (CEO, CFO, Head of Finance, etc.) whose identity should be protected. Microsoft will flag email that appears to impersonate them using a similar display name or lookalike domain. This is one of the most effective controls against CEO fraud (Business Email Compromise) attacks.
Also add your own domain(s) and key partner domains to protected domains — Microsoft will flag email purporting to come from these domains that doesn't match the expected sending infrastructure.
Spoofed Sender Intelligence
Enable spoofed sender intelligence, which uses Microsoft's threat data to identify email that's spoofing sender addresses. This is on by default but verify it's active. Check the Spoof Intelligence report in the Defender portal periodically — it shows which senders are being flagged as spoofed and allows you to explicitly allow legitimate senders that are being incorrectly flagged.
Allow and Block Lists
Tenant Allow/Block List
The Tenant Allow/Block List (security.microsoft.com > Email & Collaboration > Policies & Rules > Threat Policies > Tenant Allow/Block Lists) is the correct place to add organisation-wide allows and blocks for specific senders, domains, URLs and file hashes.
When adding a domain allow, be specific about the scope. Adding a domain to the allow list bypasses spam filtering for all email purportedly from that domain — including spoofed email. For partners and suppliers, use spoofed sender allows rather than domain allows where possible.
User-Level Safe Senders
Individual users can add senders to their Outlook Safe Senders list. This is appropriate for personal newsletters or suppliers they receive from regularly. Administrators can manage user-level lists via PowerShell if bulk updates are needed.
Safe Attachments
Safe Attachments (available on Business Premium and Defender for Office 365 Plan 1) processes email attachments in a detonation sandbox before delivery. The attachment is opened in an isolated virtual environment, behaviour is analysed, and delivery proceeds only if the attachment is safe.
Set up Safe Attachments policy under Threat Policies > Safe Attachments. The Dynamic Delivery option delivers the email body immediately while the attachment is being scanned, then replaces the placeholder once scanning is complete. This minimises delivery delay for the recipient.
Safe Links
Safe Links rewrites URLs in emails and Teams messages and checks them against Microsoft's threat intelligence at click time. If a URL leads to a known malicious site — even if it was safe when the email was received — the click is blocked.
Enable Safe Links in Threat Policies > Safe Links. For the most comprehensive protection, ensure Safe Links applies to both email and Teams messages. Track URL click data in the Defender portal to identify users who are clicking on suspicious links even if they were blocked.
Testing Your Spam Filter
GTUBE (Generic Test for Unsolicited Bulk Email) is a standard test string for anti-spam systems. Sending a test email containing the GTUBE string (available at spamassassin.apache.org) should trigger the spam filter. If it doesn't, your filtering is not working correctly.
The Microsoft Remote Connectivity Analyzer (testconnectivity.microsoft.com) includes email-related tests that can help diagnose filtering and delivery issues.
Reporting and Ongoing Management
Regular review of the filtering reports in the Microsoft Defender portal is good practice. The Email & Collaboration reports section provides charts of spam, malware and phishing detections over time. Spikes in phishing attempts targeting your domain are worth investigating further.
AMVIA manages Microsoft 365 email filtering and security for UK businesses, including policy configuration, ongoing monitoring and response to phishing incidents. We also provide BarracudaOne email security as an additional filtering layer for businesses that need protection beyond what EOP provides.
Is Your Microsoft 365 Email Filtering Properly Configured?
AMVIA audits and configures Microsoft 365 anti-spam, anti-phishing and Defender for Office 365 settings for UK businesses.
Frequently Asked Questions
By default, mail with an SCL of 5–6 goes to the user's Junk Email folder and SCL 7–9 (high-confidence spam) is quarantined. Both thresholds can be changed in the anti-spam policy. Many businesses benefit from sending SCL 5–6 to quarantine instead of junk for better visibility and control over what staff actually see.
Add the sender address or domain to the Tenant Allow/Block List in the Microsoft Defender portal under Threat Policies. This blocks it across the whole organisation. Individual users can also add senders to their Outlook Blocked Senders list, but that only applies to their own mailbox, so use the tenant list for anything organisation-wide.
Exchange Online Protection (EOP) ships with every paid Microsoft 365 plan and provides baseline spam, malware and anti-phishing filtering. Defender for Office 365, included in Business Premium, adds Safe Attachments sandbox scanning and Safe Links click-time URL checks. Defender gives materially stronger protection against sophisticated phishing and malware that EOP alone can miss.
Microsoft 365 retains quarantined email for up to 30 days by default, after which messages are permanently deleted (learn.microsoft.com). Administrators can set the quarantine retention period anywhere up to that 30-day maximum. Users and admins can release or delete quarantined messages at any point before the retention period expires.
Yes. Microsoft 365 sends quarantine digest notifications on a configurable schedule, daily or weekly. The digest lists quarantined messages so users can review and release legitimate mail without an admin. You set the frequency and contents in the quarantine policy, which also controls exactly what each user is allowed to do from the notification.
For basic spam, the EOP defaults are a reasonable start, but they are deliberately permissive and leave gaps against targeted phishing and business email compromise. Tightening anti-spam thresholds, enabling impersonation protection, and turning on Safe Attachments and Safe Links on Business Premium close most of those gaps. Many SMEs add a second filtering layer for extra cover.
Related Reading
Microsoft 365 Spam Filter | How to Manage Email Filtering
Overview of managing spam filtering in Microsoft 365 for business administrators.
BarracudaOne | How AMVIA Keeps Your Business Compliant
How AMVIA's advanced email security platform adds protection beyond EOP.
Microsoft 365 Email | Exchange Online Setup Guide
Setting up and managing Exchange Online email for your business.