Microsoft 365 Spam Filter: The Complete Guide

This complete guide to Microsoft 365 spam filtering covers Exchange Online Protection architecture, anti-spam and anti-phishing policy setup, allow and blocklists, quarantine management, Safe Attachments, Safe Links, and how to test your configuration. Written for IT administrators and business owners managing their own Microsoft 365 tenant.

Nathan Hill-Haimes

Technical Director

12 min read·Mar 2026

Exchange Online Protection: The Foundation

Every email that arrives at a Microsoft 365 mailbox passes through Exchange Online Protection (EOP) — Microsoft's cloud-based email filtering service. EOP is included at no additional cost in all Microsoft 365 paid plans and provides the baseline spam, malware and phishing protection for the platform.

EOP processes inbound email through a pipeline of checks. Understanding the order helps when troubleshooting why a specific email was (or wasn't) filtered:

  1. Connection filtering — checks the sending IP against Microsoft's Safe List, block lists and reputation databases
  2. Anti-malware scanning — scans attachments and message content for known malware signatures
  3. Mail flow rules (transport rules) — any custom rules you've created that can override or modify filtering behaviour
  4. Anti-spam filtering — applies content analysis and assigns a Spam Confidence Level (SCL) and Bulk Complaint Level (BCL)
  5. Anti-phishing — checks for spoofed senders, lookalike domains, and impersonation attempts

On Business Premium and above, two additional layers are available: Safe Attachments and Safe Links (part of Defender for Office 365 Plan 1).

The Spam Confidence Level (SCL)

The SCL is Microsoft's assessment of how likely an email is to be spam, scored from -1 to 9:

  • SCL -1 — email allowed through connection filtering (from an IP on your safe sender list)
  • SCL 0-1 — not spam
  • SCL 2-4 — low probability spam
  • SCL 5-6 — spam (junk folder by default)
  • SCL 7-9 — high confidence spam (quarantine by default)

The default anti-spam policy action thresholds can be adjusted. Moving messages with SCL 5-6 to quarantine rather than junk provides better control — administrators and users can review the quarantine, whereas users often miss junk email.

Configuring Anti-Spam Policies

Access anti-spam settings at security.microsoft.com > Email & Collaboration > Policies & Rules > Threat Policies > Anti-spam.

Inbound Anti-Spam Policy

The default inbound policy applies to all users. You can create custom policies that apply to specific groups, domains or users with higher or lower thresholds than the default.

Key settings to review:

  • Spam action — where to send email at each SCL threshold (junk, quarantine, delete)
  • Bulk email threshold (BCL) — 1-9; lower values filter more bulk email. The default is 7. Reducing to 5 significantly reduces bulk commercial email.
  • Quarantine policy — which quarantine policy applies to quarantined messages (affects what users can do when they access quarantine)
  • Safety tips — enable first contact safety tips (warning when receiving email from a sender for the first time) and suspicious sender warnings
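
When checking why a message was or wasn't filtered, the SCL and BCL described above can be read from the delivered message's headers. The following is an added example, not part of the original guide or Microsoft's tooling: it assumes the `X-Forefront-Antispam-Report` and `X-Microsoft-Antispam` headers that EOP stamps on messages, uses a constructed sample message, and shows the same message changing bulk verdict when the threshold moves from 7 to 5.

```python
import re
from email import message_from_string

# Constructed sample message; addresses, IP and header values are made up.
SAMPLE = (
    "From: news@shop.example\n"
    "To: user@contoso.example\n"
    "Subject: Spring offers\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:GB;LANG:en;SCL:1;\n"
    " SRV:;IPV:NLI;SFV:NSPM;PTR:mail.shop.example;CAT:NONE;\n"
    "X-Microsoft-Antispam: BCL:6;\n"
    "\n"
    "Body text\n"
)

# SCL bands as listed in this guide: (upper bound, verdict).
SCL_BANDS = [(-1, "filtering skipped"), (1, "not spam"),
             (4, "low probability spam"), (6, "spam"),
             (9, "high confidence spam")]


def parse_fields(value):
    """Turn 'KEY:val;KEY:val;' (possibly folded over lines) into a dict."""
    fields = {}
    for part in re.sub(r"\s+", "", value or "").split(";"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.upper()] = val
    return fields


def classify(raw_message, bulk_threshold=7):
    """Return the EOP verdict for one message, or None if it has no EOP stamp."""
    msg = message_from_string(raw_message)
    report = parse_fields(msg.get("X-Forefront-Antispam-Report"))
    if "SCL" not in report:
        return None
    scl = int(report["SCL"])
    bcl = int(parse_fields(msg.get("X-Microsoft-Antispam")).get("BCL", 0))
    verdict = next((name for upper, name in SCL_BANDS if scl <= upper), "unknown")
    return {
        "scl": scl, "bcl": bcl, "verdict": verdict,
        "sfv": report.get("SFV", ""),
        # Assumption: a message counts as bulk at or above the threshold.
        "bulk": bcl >= bulk_threshold,
    }


if __name__ == "__main__":
    print(classify(SAMPLE))                    # default threshold of 7
    print(classify(SAMPLE, bulk_threshold=5))  # tightened threshold
```
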

Configuring Anti-Phishing Policies

Anti-phishing policies are in the same Threat Policies section. The default policy provides basic protection; a custom policy should be created with the following settings reviewed:

Impersonation Protection

Add up to 60 key users (CEO, CFO, Head of Finance, etc.) whose identity should be protected. Microsoft will flag email that appears to impersonate them using a similar display name or lookalike domain. This is one of the most effective controls against CEO fraud (Business Email Compromise) attacks.

Also add your own domain(s) and key partner domains to protected domains — Microsoft will flag email purporting to come from these domains that doesn't match the expected sending infrastructure.

Spoofed Sender Intelligence

Enable spoofed sender intelligence, which uses Microsoft's threat data to identify email that spoofs sender addresses. This is on by default, but verify that it is active. Check the Spoof Intelligence report in the Defender portal periodically: it shows which senders are being flagged as spoofed and lets you explicitly allow legitimate senders that are being incorrectly flagged.

Allow and Block Lists

Tenant Allow/Block List

The Tenant Allow/Block List (security.microsoft.com > Email & Collaboration > Policies & Rules > Threat Policies > Tenant Allow/Block Lists) is the correct place to add organisation-wide allows and blocks for specific senders, domains, URLs and file hashes.

When adding a domain allow, be specific about the scope. Adding a domain to the allow list bypasses spam filtering for all email purportedly from that domain — including spoofed email. For partners and suppliers, use spoofed sender allows rather than domain allows where possible.
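
One way to audit the risk described above is to look for delivered messages that skipped spam filtering while failing sender authentication. This is an added example, not part of the original guide: it assumes a skipped message is stamped `SCL:-1` in `X-Forefront-Antispam-Report` and that `Authentication-Results` carries the `dmarc=` and `compauth=` results; all sample headers are constructed.

```python
import re
from email import message_from_string

# Constructed header sets; domains, IPs and results are made up for the example.
SAMPLES = [
    # 1. Allow-listed partner, authentication passes: expected, not flagged.
    "From: billing@partner.example\n"
    "Authentication-Results: spf=pass smtp.mailfrom=partner.example;"
    " dmarc=pass header.from=partner.example; compauth=pass reason=100\n"
    "X-Forefront-Antispam-Report: CIP:198.51.100.7;SCL:-1;SFV:SKA;\n\n",
    # 2. Same allowed domain, but authentication fails: spoof rode the allow.
    "From: ceo@partner.example\n"
    "Authentication-Results: spf=fail smtp.mailfrom=partner.example;"
    " dmarc=fail action=oreject header.from=partner.example;"
    " compauth=fail reason=000\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.99;SCL:-1;SFV:SKA;\n\n",
    # 3. Authentication fails but filtering ran and caught it: not flagged.
    "From: promo@bulk.example\n"
    "Authentication-Results: dmarc=fail header.from=bulk.example;"
    " compauth=fail reason=000\n"
    "X-Forefront-Antispam-Report: CIP:192.0.2.44;SCL:9;SFV:SPM;\n\n",
]


def auth_results(msg):
    """Collect spf/dkim/dmarc/compauth results from Authentication-Results."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    found = re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", text)
    return {key: result.lower() for key, result in found}


def risky_bypasses(raw_messages):
    """List (sender, skip reason, failed checks) for unfiltered spoof suspects."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        report = re.sub(r"\s+", "", msg.get("X-Forefront-Antispam-Report", ""))
        scl = re.search(r"(?:^|;)SCL:(-?\d+)", report)
        if not scl or int(scl.group(1)) != -1:
            continue  # spam filtering ran normally on this message
        auth = auth_results(msg)
        failed = sorted(k for k in ("dmarc", "compauth") if auth.get(k) == "fail")
        if failed:
            sfv = re.search(r"(?:^|;)SFV:(\w+)", report)
            findings.append((msg.get("From"), sfv.group(1) if sfv else "?", failed))
    return findings


if __name__ == "__main__":
    for finding in risky_bypasses(SAMPLES):
        print(finding)
```

A hit here is a prompt to replace the domain allow with a narrower spoofed sender allow, as the paragraph above recommends.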

User-Level Safe Senders

Individual users can add senders to their Outlook Safe Senders list. This is appropriate for personal newsletters or suppliers they regularly receive email from. Administrators can manage user-level lists via PowerShell if bulk updates are needed.

Safe Attachments

Safe Attachments (available on Business Premium and Defender for Office 365 Plan 1) processes email attachments in a detonation sandbox before delivery. The attachment is opened in an isolated virtual environment, behaviour is analysed, and delivery proceeds only if the attachment is safe.

Set up Safe Attachments policy under Threat Policies > Safe Attachments. The Dynamic Delivery option delivers the email body immediately while the attachment is being scanned, then replaces the placeholder once scanning is complete. This minimises delivery delay for the recipient.

Safe Links

Safe Links rewrites URLs in emails and Teams messages and checks them against Microsoft's threat intelligence at click time. If a URL leads to a known malicious site — even if it was safe when the email was received — the click is blocked.

Enable Safe Links in Threat Policies > Safe Links. For the most comprehensive protection, ensure Safe Links applies to both email and Teams messages. Track URL click data in the Defender portal to identify users who are clicking on suspicious links, even when those clicks were blocked.

Testing Your Spam Filter

GTUBE (Generic Test for Unsolicited Bulk Email) is a standard test string for anti-spam systems. Sending a test email containing the GTUBE string (available at spamassassin.apache.org) should trigger the spam filter. If it doesn't, your filtering is not working correctly.

The Microsoft Remote Connectivity Analyzer (testconnectivity.microsoft.com) includes email-related tests that can help diagnose filtering and delivery issues.

Reporting and Ongoing Management

Regular review of the filtering reports in the Microsoft Defender portal is good practice. The Email & Collaboration reports section provides charts of spam, malware and phishing detections over time. Spikes in phishing attempts targeting your domain are worth investigating further.

AMVIA manages Microsoft 365 email filtering and security for UK businesses, including policy configuration, ongoing monitoring and response to phishing incidents. We also provide BarracudaOne email security as an additional filtering layer for businesses that need protection beyond what EOP provides.
