Microsoft 365 Spam Filter: How to Manage Email Filtering

Microsoft 365 includes multi-layer spam and malware filtering through Exchange Online Protection (EOP). While the default configuration catches most obvious spam, businesses frequently need to adjust filtering policies to reduce false positives, tighten phishing protection, or whitelist legitimate senders. This guide explains how to configure and manage Microsoft 365 email filtering.

Matt Cannon

Managing Director

7 min read·Mar 2026

How Microsoft 365 Email Filtering Works

Every email delivered to a Microsoft 365 mailbox passes through Exchange Online Protection (EOP) — Microsoft's multi-layer filtering service. EOP runs before email reaches a user's inbox and provides:

  • Connection filtering — checks the sending IP address against Microsoft's threat intelligence and known bad actor lists
  • Anti-malware scanning — scans attachments for malware signatures
  • Anti-spam filtering — analyses email content, structure and metadata against spam patterns
  • Anti-phishing — detects spoofed sender addresses, lookalike domains, and other phishing indicators

On Business Premium and above, Defender for Office 365 adds Safe Attachments (sandboxing unknown attachments) and Safe Links (URL detonation at click time), providing a materially higher level of protection.

Where to Manage Filtering Policies

Microsoft 365 spam filter settings are managed in the Microsoft Defender portal (security.microsoft.com) under Email & Collaboration > Policies & Rules > Threat Policies. Key policy categories:

  • Anti-spam policies — control what happens to detected spam (move to junk, quarantine, or delete)
  • Anti-malware policies — configure malware handling and notification settings
  • Anti-phishing policies — configure impersonation protection and spoofed sender settings
  • Safe Attachments — available on Business Premium and above
  • Safe Links — available on Business Premium and above

Anti-Spam Policy Settings

The default Microsoft 365 anti-spam policy is a reasonable baseline, but there are several settings worth reviewing:

Spam Confidence Level (SCL)

Microsoft assigns each inbound email a Spam Confidence Level from 0 (not spam) to 9 (definitely spam). The default policy quarantines email at SCL 5 and above, and puts a junk folder label on SCL 5+. You can adjust these thresholds — lowering the quarantine threshold catches more borderline spam, but increases the risk of legitimate email being quarantined.

Bulk Email Threshold (BCL)

Bulk commercial email (newsletters, marketing emails) is handled separately from spam. The Bulk Complaint Level threshold determines what happens to bulk email. Many businesses benefit from reducing this threshold to filter out unwanted marketing email that technically isn't spam.

Quarantine vs Junk Folder

Spam can be sent to the user's Junk Email folder (where the user can recover it) or to the administrator-controlled quarantine. High-confidence spam is typically better sent to quarantine, where users can request release without automatically getting potentially dangerous email in their inbox.

Managing False Positives: Legitimate Email Flagged as Spam

Overly aggressive filtering that catches legitimate email is disruptive. Common causes of false positives include:

  • Newsletters and marketing emails from legitimate suppliers
  • Email from domains with poor sending reputation but legitimate purpose
  • Automated email from business software with misconfigured SPF records

Allow Lists

You can add specific sender email addresses or domains to an allow list in the anti-spam policy. Use sender-level allows rather than domain-level allows where possible — whitelisting an entire domain bypasses filtering for all email from that domain, including spoofed email purporting to come from it.

Note: Microsoft recommends against using allow lists for domains you own or that your partners own, as this creates a phishing risk. Use mail flow rules or safe sender lists in Outlook instead for these cases.
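
As an added example (not from the original article or from Microsoft), the Python below reads the verdict headers EOP stamps on delivered mail, `X-Forefront-Antispam-Report` (SCL, SFV) and `X-Microsoft-Antispam` (BCL), and flags the allow-list risk described above: a message that skipped filtering while failing SPF, DKIM or DMARC. The sample messages, the `.example` addresses and the `triage` helper are constructed for illustration.

```python
import re
from email import message_from_string

# SFV values meaning spam filtering was skipped by an allow entry:
# SKA = anti-spam policy allow list, SFE = user's Safe Senders list,
# SKN = marked non-spam before filtering (e.g. by a mail flow rule).
BYPASS_SFV = {"SKA", "SFE", "SKN"}
# Constructed sample messages (not real mail); .example domains are placeholders.
SPOOFED_ALLOWED = """\
From: accounts@supplier.example
To: finance@customer.example
Subject: Updated bank details
Authentication-Results: spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=supplier.example; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=supplier.example
X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKA;CAT:NONE;
X-Microsoft-Antispam: BCL:0;

(body omitted)
"""
NEWSLETTER = """\
From: news@vendor.example
To: staff@customer.example
Subject: March offers
Authentication-Results: spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass action=none header.from=vendor.example
X-Forefront-Antispam-Report: CIP:198.51.100.20;CTRY:GB;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;CAT:NONE;
X-Microsoft-Antispam: BCL:5;

(body omitted)
"""

def _fields(value):
    """Turn 'KEY:value;KEY:value;' header content into a dict."""
    pairs = (p.strip().partition(":") for p in (value or "").split(";"))
    return {k.upper(): v.strip() for k, sep, v in pairs if sep}

def _to_int(text):
    """SCL can be -1 (filtering bypassed), so accept a leading minus sign."""
    return int(text) if re.fullmatch(r"-?\d+", text or "") else None

def triage(raw_message):
    """Summarise the filter verdict and flag allow-list bypasses that failed auth."""
    msg = message_from_string(raw_message)
    report = _fields(msg.get("X-Forefront-Antispam-Report"))
    bulk = _fields(msg.get("X-Microsoft-Antispam"))
    auth = (msg.get("Authentication-Results") or "").lower()
    failed = sorted(m for m in ("spf", "dkim", "dmarc")
                    if re.search(rf"\b{m}=fail\b", auth))
    sfv = report.get("SFV", "")
    return {"scl": _to_int(report.get("SCL")), "bcl": _to_int(bulk.get("BCL")),
            "sfv": sfv, "auth_failed": failed,
            "risky_bypass": sfv in BYPASS_SFV and bool(failed)}
```

A `risky_bypass` hit is the cue to narrow or remove the allow entry that let the message through.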

Mail Flow Rules (Transport Rules)

Mail flow rules provide fine-grained control over email routing and processing. They can override spam decisions, apply headers, redirect email, or add warnings to messages that match specific conditions. They're useful for advanced scenarios that can't be handled by the standard anti-spam policies alone.

Anti-Phishing Policy Configuration

The default anti-phishing policy provides basic protection. Key settings to review:

  • Enable impersonation protection — specify key individuals (CEO, CFO, etc.) and domains whose identity should be protected. Microsoft will flag email that attempts to impersonate these identities.
  • Enable spoofed sender intelligence — on by default, but verify it's active in the policy
  • Enable DMARC protection — allows Microsoft to honour your DMARC policy for inbound email that fails DMARC verification

Spam Filter Reporting and Review

The Microsoft Defender portal provides reports on filtering activity — what's being quarantined, false positive rates, and threat trends. The Threat Explorer tool (available on Business Premium and above) provides a live view of recent email threats, allowing you to investigate suspicious emails, trace message flow, and understand what the filter is catching.

End users can access quarantine at security.microsoft.com/quarantine to review and release quarantined messages, reducing the administrative burden on IT teams.

AMVIA configures and manages Microsoft 365 email filtering for UK businesses as part of our managed IT support service. We also provide enhanced email security through our BarracudaOne platform for businesses requiring additional protection beyond EOP.
