Updates from: 12/02/2022 03:23:01
Category Microsoft Docs article Related commit history on GitHub Change details
admin Adoption Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/adoption/adoption-score.md
We provide metrics, insights, and recommendations in two areas:
For each of the mentioned categories, we look at public research to identify some best practices and associated benefits in the form of organizational effectiveness. For example, Forrester research has shown that when people collaborate and share content in the cloud (instead of emailing attachments), they can save up to 100 minutes a week. Furthermore, we quantify the use of these best practices in your organization to help you see where you are on your digital transformation journey. -- **Technology experiences:** Your organization depends on reliable and well-performing technology, as well as the efficient use of Microsoft 365. [Endpoint analytics](https://aka.ms/endpointanalytics) helps you understand how your organization can be impacted by performance and health issues with your hardware and software. [Network connectivity](../../enterprise/microsoft-365-networking-overview.md) helps you understand Exchange, SharePoint, and Microsoft Teams performance on your network architecture. You can review and update network settings to improve connectivity. Microsoft 365 apps health helps you understand whether the devices in your organization are running Microsoft 365 apps on recommended channels.
+- **Technology experiences:** Your organization depends on reliable and well-performing technology, and the efficient use of Microsoft 365. [Endpoint analytics](https://aka.ms/endpointanalytics) helps you understand how your organization can be impacted by performance and health issues with your hardware and software. [Network connectivity](../../enterprise/microsoft-365-networking-overview.md) helps you understand Exchange, SharePoint, and Microsoft Teams performance on your network architecture. You can review and update network settings to improve connectivity. Microsoft 365 apps health helps you understand whether the devices in your organization are running Microsoft 365 apps on recommended channels.
> [!NOTE] > All insights are calculated using data at the organizational level, not the individual level.
We provide metrics, insights, and recommendations in two areas:
To enable Adoption Score:
-1. Login to the Microsoft 365 admin center as a Global Administrator and go to **Reports** > **Adoption Score**
+1. Sign in to the Microsoft 365 admin center as a Global Administrator and go to **Reports** > **Adoption Score**
2. Select **enable Adoption Score**. It can take up to 24 hours for insights to become available. > [!NOTE]
For people experiences data, you need a Microsoft 365 for business or Office 365
Adoption Score is only available in the Microsoft 365 admin center and can only be accessed by IT professionals who have one of the following roles: -- Global admin-- Exchange admins-- SharePoint admin-- Skype for Business admin-- Teams admin
+- Global Administrator
+- Exchange Administrator
+- SharePoint Administrator
+- Skype for Business Administrator
+- Teams Service Administrator
+- Teams Communications Administrator
- Global Reader - Reports Reader - Usage Summary Reports Reader - User Experience Success Manager
+- Organizational Messages Writer Role
The role-based access control model for Adoption Score helps organizations further digital transformation efforts with Microsoft 365 by providing the flexibility to assign roles to IT professionals within an organization.
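Review bot: The added entry `+- Organizational Messages Writer Role` does not match the name used for the same role elsewhere in this update ("Organizational message writer" in organizational-messages.md, "Organizational Message Writer Role" in privacy.md). Use the exact built-in role name in all three files and drop the trailing "Role", which no other entry in this list carries. The list also replaces "Teams admin" with two Teams roles and adds a message-writing role to the set that can open Adoption Score, so the sentence introducing the list should say whether every listed role sees the full score or whether the writer role is limited to the messaging pages.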
Your Adoption Score is based on the combined scores of your people and technolog
- Microsoft 365 Apps Health (100 points) - **Total possible = 800 points**
-In each score category, we quantify the key indicators for how your organization is using Microsoft 365 in its journey towards digital transformation. We provide 28-day and 180-day views of the key activities. We also provide supporting metrics that are not part of the score calculation, but are important for helping you identify underlying usage statistics and configurations that you can address.
+In each score category, we quantify the key indicators for how your organization is using Microsoft 365 in its journey towards digital transformation. We provide 28-day and 180-day views of the key activities. We also provide supporting metrics that aren't part of the score calculation, but are important for helping you identify underlying usage statistics and configurations that you can address.
-### Products included in Adoption Score
+### Products included in Adoption Score
Adoption Score includes data from Exchange, SharePoint, OneDrive, Teams, Word, Excel, PowerPoint, OneNote, Outlook, Yammer, and Skype. Your organization's score is updated daily and reflects user actions completed in the last 28 (including the current day).
-## Interpreting your organization's Adoption Score
+## Interpreting your organization's Adoption Score
The Adoption Score home page shows your organization's total score and score history and the primary insight for each category.
This report helps organizations understand:
> [!NOTE] > Users also have the option to get productivity insights from the [MyAnalytics dashboard](/workplace-analytics/myanalytics/use/dashboard-2).
+## Group Level Aggregates
+
+The group-level filters functionality helps admins and adoption strategists understand how different groups, based on data from Azure Active Directory, are performing on the people experiencing insights. It's used to provide higher granularity of insights and actions.
+
+[Learn more about Group Level Aggregates](group-level-aggregates.md).
+
+## Adoption Score Organizational Messages
+
+Organizational Messages is a new feature added to Adoption Score that will increase the actionability of admins to reach employees and drive adoption awareness. For example, to improve the content collaboration score, admins can send notifications to encourage employees who werenΓÇÖt actively using cloud attachments before to use the feature when they're about to attach a physical attachment in Outlook. Currently, we enable admins to send messages to drive the adoption scenarios for OneDrive SharePoint, Teams Chat, using @mention in Outlook, and cloud attachments in Outlook.
+
+[Learn more about Adoption Score Organizational Messages](organizational-messages.md).
## We want to hear from you
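Review bot: In the new "Group Level Aggregates" paragraph, "people experiencing insights" should read "people experiences insights", the term the rest of the article uses. In the "Organizational Messages" paragraph, "OneDrive SharePoint" is missing a separator, "increase the actionability of admins" is unclear about what changes for the admin, and "werenΓÇÖt" shows a typographic apostrophe that did not survive encoding while "they're" in the same sentence uses a straight one. The same paragraph is added verbatim to privacy.md, so one copy with a link from the other would avoid the two drifting apart.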
admin Group Level Aggregates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/adoption/group-level-aggregates.md
+
+ Title: "Group Level Aggregates in Adoption Score"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+ms.localizationpriority: high
+monikerRange: 'o365-worldwide'
+
+- Tier2
+- scotvorg
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+- AdminSurgePortfolio
+- AdminTemplateSet
+search.appverid:
+- MET150
+- MOE150
+description: "Use Group Level Aggregates in Microsoft Adoption score to get group-level insights for your organization in Microsoft 365."
+
+# Group Level Aggregates in Adoption Score
+
+Group Level Aggregates help admins and adoption strategists understand how different groups are performing on the people experiencing insights. Group Level Aggregates provide a higher level of insights and actions for your organization based on data from Azure Active Directory (Azure AD). You can get group-level insights for your organization in Microsoft 365 and use them to:
+
+- **Compare** different groups of your organization to understand the overall distribution of adoption scores and insights, groups that are doing well, and groups that need growth.
+
+- **Focus** on a specific group of your organization to understand more about it in isolation.
+
+## How to enable Group Level Aggregates
+
+Group Level Aggregates isn't enabled by default.
+
+> [!NOTE]
+> Group Level Aggregates can only be enabled by the Global Administrator role.
+
+To enable Group Level Aggregates:
+
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/) as a Global Administrator.
+
+2. Go to **Settings** \> **Org settings** \> **Adoption Score**.
+
+3. Under **Insights Calculation and Display**, select **Turn on group-level insights**.
+
+Once enabled, it can be accessed by all roles on the people experiences pages.
++
+## Data accuracy evaluation
+
+Before group-level insights can be enabled, you need to run a data accuracy evaluation to determine if group data is accurate. The evaluation helps you make an informed decision about which segments to use that will best reflect your organizationΓÇÖs composition.
++
+The data accuracy evaluation check is a report that reflects the organizationΓÇÖs composition based on key attributes in Azure AD.
+
+Currently, we provide capabilities for five attributes in Azure AD:
+
+- Company
+
+- Department
+
+- Country
+
+- State and Country
+
+- City, State, and Country
++
+The report displays the number of people who are included for all the different organizational attributes out of the total number of employees in Azure AD. This is included based on an entry in the Azure AD fields for those five selected attributes. You can download the report for these five attributes and check for data accuracy. This report is only run and approved once while setting up Group Level Aggregates.
+
+Example: In the screenshot, the organization has the ΓÇÿDepartmentΓÇÖ attribute filled for XX out of the total YY employees with ZZ unique departments mentioned. You would see ZZ unique departments in the Group Level Aggregates filters on people experience insights pages.
+
+To have all people included in the group-level insights reporting, make sure the above five fields are accurately updated for all employees in Azure AD. For subsequent updates to the Azure AD attributes, you don't need to run the evaluation again. The updates are available immediately. [Learn more about how to update user data in Azure AD here](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal).
+
+## Filtering people experiences scores
+
+Group-level insights on people experience insights help filter the overall score and each insight for the selected group. When certain filters are applied, you'll see an informative message when some insights aren't available.
+
+In some cases, you may not see an entire group in the filters despite all data being accurate in Azure AD. This happens when the group has fewer than 10 individuals for that unique group. We do this to protect user privacy so that no insights can be directly correlated to individual users.
+
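Review bot: The numbered steps under "How to enable Group Level Aggregates" go straight to **Turn on group-level insights**, but the "Data accuracy evaluation" section below states the evaluation must run before group-level insights can be enabled; add the evaluation as an explicit step or move that section ahead of the steps. "This report is only run and approved once" also conflicts with the note added to privacy.md in this same update, which recommends running the evaluation a few times a year. "Once enabled, it can be accessed by all roles" should name the roles that can view Adoption Score, since the note just above restricts enabling to Global Administrator and a reader cannot tell whether "all roles" means all admin roles or only those. The front matter lists (`- Tier2`, `- AdminSurgePortfolio`) appear without a key line above them, and the "Example" paragraph refers to a screenshot and XX/YY/ZZ values that are not in the file.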
admin Organizational Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/adoption/organizational-messages.md
+
+ Title: "Microsoft Adoption Score Organizational Messages"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+ms.localizationpriority: high
+monikerRange: 'o365-worldwide'
+
+- Tier2
+- scotvorg
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+- AdminSurgePortfolio
+- AdminTemplateSet
+search.appverid:
+- MET150
+- MOE150
+description: "Learn how to send messages to your organization in Microsoft 365 using organizational messages in Adoption Score."
++
+# Adoption Score Organizational Messages
+
+Organizational messages enable IT admins to deliver clear, actionable messages in-product and in a targeted way, while maintaining user-level privacy. Organizational messages in Adoption Score use targeted in-product notifications to advise on Microsoft 365 recommended practices based on Adoption Score insights. Users can be reminded to use products that have recently been deployed, encouraged to try a product on a different surface, or to recommend new ways of working, such as using @mentions to improve response rates in communications. Templated messages are delivered to users in their flow of work through surfaces including Outlook, Excel, PowerPoint, and Word. Authorized professionals can use the organizational messages wizard in Adoption Score to choose from up to three templated message types, define when and how often a message can be displayed, and exclude groups or priority accounts from receiving the message.
+
+Organizational messages for Adoption Score will initially roll out to Communication, Content Collaboration, Mobility, and more to follow to support all People Experience categories. Check out the [2022 Ignite session](https://ignite.microsoft.com/en-US/sessions/ff17a80f-2fa6-4e52-b92c-745f0ca8d574?source=sessions) for a detailed demonstration and feature description.
+
+> [!NOTE]
+> The feature is currently in preview. If you encounter any bugs or have any suggestions, please give us feedback in the Microsoft 365 admin center. We appreciate your feedback and will reach out to you as fast as we can.
+
+## Who can use the feature?
+
+For a successful preview experience, you need to be one of the following admin roles:
+
+- Global administrator
+
+- Organizational message writer
+
+The organizational message writer role is the new built-in role that allows assigned admins to view and configure messages. The global administrator can assign the organizational message writer role to admin:
+
+1) Go to **Roles** > **Role assignments**
+
+2) Search for and select **Organizational message writer**
+
+3) Under **Assigned**, select **Add users** or **Add groups**
+
+4) Choose a group of admins youΓÇÖd like to assign the role to, and select **Add**
+
+## Where will the messages appear?
+
+In this preview, we support the teaching call-out and business bars in Word, Excel, PowerPoint, and Outlook Desktop Apps.
+
+Business bars are supported by Microsoft 365 Consumer subscribers, Office 2019, Office 2016, Office 2013, and Office 2010.
++
+*The user sees an in-product notification recommending they use Teams messages more.*
+
+The desktop teaching call-out is supported by Microsoft 365 Consumer and Commercial Office 2019, and Office 2016 Consumer.
++
+*The user sees an in-product notification recommending they save to OneDrive more.*
+
+## How to enable Adoption Score Organizational Messages
+
+To enable Adoption Score Organizational Message, the global administrator needs to enable Adoption Score first:
+
+1. Sign in to the [admin center](https://admin.microsoft.com/) as a global administrator and go to **Reports** > **Adoption Score**
+
+1. Select **Enable Adoption Score**. It can take up to 24 hours for insights to become available.
+
+1. Under the **Organizational Messages** tab, select **Allow approved admins to send in-product recommendations to specified users**
+
+> [!NOTE]
+> Only a global administrator can enable Adoption Score. The organizational message writer role can only opt in for Adoption Score Organizational Messages.
+
+After Adoption Score is enabled, the global administrator and organizational message writer role can opt in for Adoption Score Organizational Message.
+
+Visit [privacy controls for Adoption Score](privacy.md) to understand how to enable Adoption Score.
++
+## Getting Started
+
+In the Microsoft 365 admin center, go to **Reports** > **Adoption Score.**
+
+We currently have organizational messages for three people experience categories: Communication, Content collaboration, and Mobility. In each category, youΓÇÖll find available actions to take under the **How can I impact my score** section. Select **See what action you can take** > **Create message** to start the process.
+
+To see all available organizational messages, go to the **Action (Preview)** tab next to **Overview**. There are currently five available messages for you to create. Choose one and select **Create message** to start.
+
+## Capabilities
+
+As global administrator or organizational message writer role, you can do any of the following actions:
+
+- Choose a message from a set of templated content for business bars or teaching call-outs
+
+- Select the recipients based on user activities, Azure AD user groups, and group level aggregates
+
+- Schedule a time frame and frequency for delivery of the messages
+
+- Save drafts anytime during the message creation process
+
+- Track the status of organizational messages and user engagement
+
+- Manage scheduled or active organizational messages
+
+## Take action on insights
+
+### Step 1: Choose a message to take action
+
+1. Under the **Messages** tab, view where the messages will appear.
+
+2. Choose a message from a set of templated content.
+
+3. Select **Preview this message** to see an example of what recipients will see during the date range you choose.
+
+4. The messages will show up in the same language as the userΓÇÖs surface. Currently, there are 41 languages supported. [Check the appendix to see which languages are supported](#appendix).
+
+5. Select **Next** to proceed to the **Recipients** tab.
+
+6. If you want to exit the message creation process for now and save a draft, select **Save and close**. The drafts are stored in the **Your orgΓÇÖs messages** tab under **Actions**.
+
+### Step 2: Select the recipients
+
+1) Under the **Recipients** tab, the recipients are by default selected based on their activities. For example, targeted users who aren't actively using OneDrive or SharePoint with the apps enabled for the past 28 days.
+
+2) Select **Apply filter** > **Choose organizational attribute**
+
+ - **Groups**: In addition to the default recipients, you can send messages to specific Azure AD user groups
+
+ - **Companies, Country (State) ΓÇô City, Departments**: Using group-level aggregates, you can apply attributes filter such as attributes like location, departments, and companies to target specific groups of audiences. [Learn more about how to open Group Level Aggregates and validate data accuracy](group-level-aggregates.md).
+
+3) You can also omit users with priority accounts or in certain Microsoft 365 groups.
+
+4) Select **Next** to proceed to the **Schedule** tab.
+
+> [!NOTE]
+> The recipient list is refreshed daily. The users who adopted the recommended practices will be removed from the recipient lists.
++
+### Step 3: Schedule a time window and frequency for delivery of the messages
+
+1) Under the **Schedule** tab, select **Start date**.
+
+2) Selecting an **End date** is optional. The default duration is 365 days.
+
+3) Choose **Frequency**.
+
+4) Select **Next** to proceed to the **Finish** tab.
+
+> [!NOTE]
+> If the frequency of the message is set as once a week, the message will only show on one of the surfaces per week. After the user selects or dismisses the message, it wonΓÇÖt show up again. Teaching call-out messages only appear twice in their lifetime even if the user doesnΓÇÖt select it.
++
+### Step 4: Finish or Save Draft
+
+1) Under the **Finish** tab, confirm the message details and then select **Schedule**.
+
+2) If you want to exit the message creation process for now and save a draft, select **Save and close.** The drafts are stored in the **Your orgΓÇÖs messages** tab under **Actions**.
+
+### Step 5: Track the status of the messages and user engagement
+
+Once messages have been created, you'll see the reporting in the table under the **Your orgΓÇÖs messages** tab under **Actions**. The following information is available:
+
+- Message name
+
+- Status: Draft/Scheduled/Active/Scheduled/Canceled/Completed/Error
+
+- Last edited date
+
+- Start date
+
+- End date  
+
+- Related category
+
+- Related metric
+
+- Creator
+
+- (Available after messages are active) Total messages seen: total number of times the message was shown to users
+
+- (Available after messages are active) Total clicks: total number of times the message was clicked by users
+
+> [!NOTE]
+> This capability is only available to Product admins, report reader roles, and user success specialists who have reader permissions.
++
+### Step 6: Cancel or clone messages
+
+Once messages have been created, you'll see the reporting in the table under the **Your orgΓÇÖs messages** tab under **Actions**.
+
+- Select three dots to the right of **Message name** to see a dropdown of actions.
+
+- Select **cancel** or **clone**.
+
+> [!NOTE]
+> Each tenant can have one active message for each insight. If you want to schedule a new message, you can go to the **Your orgΓÇÖs message** page to cancel active ones.
+
+## FAQ
+
+### Q: Why does the total number of messages seen differ from the expected number?
+
+A: For any given message, not every user **in its selected audience** (selected as message recipients) will receive the message. This is expected behavior because the message delivery depends on other factors that affect a messageΓÇÖs reach, including:
+
+- **User behavior**: some delivery channels require the user to go to a specific location/app to have a chance to see the message (for example, an Office desktop app call-out message can only be delivered to a user who opens the Office desktop app).
+
+- **System protections to prevent over-messaging and user dissatisfaction**: some communication channels have message frequency limits if too many messages are live at a given time (for example, a Teaching call-out won't appear more than twice to each user).
+
+### Q: How can I test the messages before sending them to users of my entire company?
+
+A: You can send messages to specific Azure AD groups, such as your IT department. See [Select the recipients](#step-2-select-the-recipients) for details.
+
+### Q: What is the recommended time frame window for the messages?
+
+A: As the frequency of the messages is at most once a week, the recommended minimum duration is one month. The recommended length of the time window is 12 months. The recipientΓÇÖs list is refreshed daily. Your messages will always be sent to users who havenΓÇÖt adopted the recommended practices in the last 28 days. Messages wonΓÇÖt repeatedly send to users who have already adopted.
+
+### Q: Will I be able to customize the text in the messages?
+
+A: Not currently, but additional customization options will be enabled in future releases.
+
+## Organizational Messages in Microsoft Intune (Windows Endpoint Manager)
+
+Organizational messages in Windows Endpoint Manager enable organizations to deliver branded personalized messages to their employees via native Windows 11 surfaces, such as Notification Center and the Get started app. These messages are intended to help people ramp up in new roles quicker, learn more about their organization, and stay informed of new updates and trainings. [Learn more about Organizational messages in Windows Endpoint Manager](/mem/intune/remote-actions/organizational-messages-prerequisites).
+
+## Appendix
+
+### Messages Localization supported
+
+| Languages | Locale |
+|-||
+| Arabic | ar |
+| Bulgarian | bg |
+| Chinese (Simplified) | zh-cn |
+| Chinese (Traditional) | zh-tw |
+| Croatian | hr |
+| Czech | cs |
+| Danish | da |
+| Dutch | nl |
+| English (United States) | en |
+| Estonian | et |
+| Finnish | fi |
+| French (France) | fr |
+| German | de |
+| Greek | el |
+| Hebrew | he |
+| Hungarian | hu |
+| Indonesian | id |
+| Italian | it |
+| Japanese | ja |
+| Korean | ko |
+| Latvian | lv |
+| Lithuanian | lt |
+| Norwegian (Bokmål) | no |
+| Polish | pl |
+| Portuguese (Brazil) | pt-br |
+| Portuguese (Portugal) | pt-pt |
+| Romanian | ro |
+| Russian | ru |
+| Serbian (Latin) | sr |
+| Slovak | sk |
+| Slovenian | sl |
+| Spanish (Spain) | es |
+| Swedish | sv |
+| Thai | th |
+| Turkish | tr |
+| Ukrainian | uk |
+| Vietnamese | vi |
+| Catalan | ca |
+| Basque | eu |
+| Galician | gl |
+| Serbian (Cyrillic) RS | sr-Cyrl |
+
+## Related content
+
+[Microsoft 365 apps health ΓÇô Technology experiences](apps-health.md) (article)\
+[Content collaboration ΓÇô People experiences](content-collaboration.md) (article)\
+[Meetings ΓÇô People experiences](meetings.md) (article)\
+[Mobility ΓÇô People experiences](mobility.md) (article)\
+[Privacy controls for Adoption Score](privacy.md) (article)\
+[Teamwork ΓÇô People experiences](teamwork.md) (article)
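Review bot: The note under "Step 5" says tracking is "only available to Product admins, report reader roles, and user success specialists who have reader permissions", which contradicts both "Who can use the feature?" (Global administrator, Organizational message writer) and the "Capabilities" list, where those two roles can "Track the status of organizational messages and user engagement". State one set of roles for viewing engagement data, using the role names from the Adoption Score role list. Also in Step 5, the status values list "Scheduled" twice (`Draft/Scheduled/Active/Scheduled/Canceled/Completed/Error`). The appendix table separator `|-||` does not match the two-column header, and the role-assignment steps under "Who can use the feature?" never say which portal **Roles** > **Role assignments** is in.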
admin Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/adoption/privacy.md
The controls give you:
- Flexible admin roles to control who can see the information in Adoption Score - The capability to remove users and groups from people experience calculations - The capability to opt out of the people experiences area
+- The capability to display insights at the group level, such as department or region
+- The capabilities to allow general admins to send in-product recommendations to specific users
## Flexible admin roles to control who can see the information in Adoption Score To view the entire Adoption Score, you need be one of the following admin roles: -- Global admin-- Exchange admins-- SharePoint admin-- Skype for Business admin-- Teams admin
+- Global Administrator
+- Exchange Administrator
+- SharePoint Administrator
+- Skype for Business Administrator
+- Teams Service Administrator
+- Teams Communications Administrator
- Global Reader - Reports Reader - Usage Summary Reports Reader - User Experience Success Manager
+- Organizational Messages Writer Role
Global admin can assign the Reports Reader role, Usage Summary Reports Reader role, or User Experience Success Manager role to anyone who's responsible for change management and adoption, but not necessarily an IT administrator.
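Review bot: The added bullet "The capabilities to allow general admins to send in-product recommendations" introduces "general admins", a term defined nowhere in the article; the setting it describes is labelled for "approved admins" and the section added further down limits it to Global Administrator and the message writer role, so name those instead. The role list is renamed to the full form (`+- Global Administrator`), but the unchanged sentences around it still say "you need be one of" and "Global admin can assign"; update them in the same change so the article uses one name per role.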
-Users with the Reports Reader role can view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Power BI. Users with Usage Summary Reports Reader role can see only tenant level aggregates and group level aggregates in Microsoft 365 Usage Analytics and Adoption Score. The User Experience Success Manager role includes the permissions of the Usage Summary Reports Reader role, and can get access to more Adoption-related information such as Message Center, Product Feedback, and Service Health. See [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) to learn more about different roles.
+Users with the Reports Reader role can view usage reporting data and the reports dashboard in Microsoft 365 admin center and the adoption context pack in Power BI. Users with Usage Summary Reports Reader role can see only tenant level aggregates and group-level aggregates in Microsoft 365 Usage Analytics and Adoption Score. The User Experience Success Manager role includes the permissions of the Usage Summary Reports Reader role, and can get access to more Adoption-related information such as Message Center, Product Feedback, and Service Health. See [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) to learn more about different roles.
## Capability to choose specific users or certain groups
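Review bot: The changed sentence hyphenates "group-level aggregates" but leaves "tenant level aggregates" unhyphenated a few words earlier in the same sentence; change both so the pair reads consistently.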
To omit certain groups:
1. In the admin center, go to **Settings** > **Org Settings** > **Adoption Score**. 2. Select **Exclude specific users via group**.
-3. Choose one or multiple Admin Center AAD groups to omit.
+3. Choose one or multiple Admin Center Azure AD groups to omit.
4. Select **Save changes**. :::image type="content" source="../../media/adoption-score-exclude-users.png" alt-text="Screenshot: Option to exclude specific users via group when calculating insights.":::
To opt out:
4. Select **Save**. :::image type="content" source="../../media/adoption-score-calculate-insights.png" alt-text="Screenshot: Org settings option to opt out of people experiences insights":::+
+## Capability to display insights at the group level
+
+By default, insights are shown in aggregate in at the organizational level. You can also display insights at the group level, such as department or region. If you opt out people experience, you can't turn on this control. [Learn more about Group Level Aggregates](group-level-aggregates.md).
+
+To turn on group-level insights:
+
+1. In the admin center, go toΓÇ»**Settings**ΓÇ»>ΓÇ»**Org Settings**ΓÇ»>ΓÇ»**Adoption Score**.
+1. Select **All users** or **Specific users**.
+1. Select **Turn on group-level insights**.
++
+> [!NOTE]
+> You are recommended to run the Azure Active Directory data accuracy evaluation and review your organization's Azure Active Directory profile data a few times a year to ensure the available profiles accurately reflect your org's composition.
++
+## Capabilities to allow admins to send in-product recommendations to specific users
+
+Organizational Messages is a new feature added to Adoption Score that will increase the actionability of admins to reach employees and drive adoption awareness. For example, to improve the content collaboration score, admins can send notifications to encourage employees who werenΓÇÖt actively using cloud attachments before to use the feature when they're about to attach a physical attachment in Outlook. Currently, we enable admins to send messages to drive the adoption scenarios for OneDrive SharePoint, Teams Chat, using @mention in Outlook, and cloud attachments in Outlook. [Learn more about Adoption Score Organizational Messages](organizational-messages.md).
+
+To schedule, send, and manage an organizational message on Adoption Score, you need be one of the following admin roles:
+
+- Global Administrator
+- Organizational Message Writer Role
+
+The Organizational Message Writer Role is a new built-in role that allows assigned admins to view and configure messages. Reach out to the Global admins to get assigned.
+
+To turn on organizational messages:
+
+- In the admin center, go toΓÇ»**Settings**ΓÇ»>ΓÇ»**Org Settings**ΓÇ»>ΓÇ»**Adoption Score**.
+- Under the Organizational Messages tab, select **All approved admins to send in-product recommendations to specific users**.
++
+>[!NOTE]
+> Both roles can sign up or opt for a tenant for organizational messages. Other roles can read and see the results of the messages. If you opt out of people experience, you cannot turn on this control.
+
+## Related content
+
+[Microsoft Adoption Score](adoption-score.md) (article)\
+[Enable Microsoft 365 usage analytics](../../admin/usage-analytics/enable-usage-analytics.md) (article)\
+[Overview of the Microsoft 365 admin center](../admin-overview/admin-center-overview.md) (video)
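Review bot: The setting name in "To turn on organizational messages" reads **All approved admins to send in-product recommendations to specific users**, while organizational-messages.md in this same update gives it as **Allow approved admins to send in-product recommendations to specified users**; quote the control exactly as it appears in the admin center in both places. In "Capability to display insights at the group level", "in aggregate in at the organizational level" has a stray "in" and "If you opt out people experience" is missing "of". "You need be one of the following admin roles" is missing "to", and "Both roles can sign up or opt for a tenant" should say "opt in" and name the two roles, because the note is separated from the list it refers to. The navigation paths in both procedures contain `ΓÇ»` where a non-breaking space was intended; use plain spaces.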
admin M365 Feature Descriptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/m365-feature-descriptions.md
Office 365 for enterprise follows a role-based access control (RBAC) model: perm
**Partners:** You can select a Microsoft partner and delegate administrative functions, including creating service request tickets. For more information, see the [Partners](/office365/servicedescriptions/office-365-platform-service-description/partners) service description and [Add, change, or delete a subscription advisor partner](/office365/admin/misc/add-partner).
+**Technical support for partners:** If you're a partner and need information about specific partner support plans to support your customers, you have [Advanced Support for Partners](https://partner.microsoft.com/support/advanced-cloud-support) or [Premier Support for Partners](https://partner.microsoft.com/support/microsoft-services-premier-support). For more information, see [Compare partner support plans](https://partner.microsoft.com/support/partnersupport).
+ **Developers:** Developers can learn more about developing Office and SharePoint applications at the [MSDN Microsoft Developer Network](https://developer.microsoft.com/office/docs). Developer Support is available through online blogs and forums in the developer community, through Premier or Partner support resources, or directly through Microsoft. For links to Developer Support options, see [Support Resources](https://developer.microsoft.com/office/docs). **Volume licensing**: If you have already purchased licenses from Microsoft under a volume licensing program, here's where to go for support: For support related to licenses and locating keys, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx); for technical support, see [Technical support](/office365/servicedescriptions/office-365-platform-service-description/support#technical-support); for billing questions, see [Billing and subscription management support](/office365/servicedescriptions/office-365-platform-service-description/support#billing-and-subscription-management-support); for general information about volume licensing, go to [Volume Licensing](https://www.microsoft.com/licensing/default).
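Review bot: In the added "Technical support for partners" paragraph, "If you're a partner and need information about specific partner support plans to support your customers, you have [Advanced Support for Partners] or [Premier Support for Partners]" reads as a statement that the partner already holds those plans. Reword to "see" or "you can choose between" so it matches the "For more information, see" sentence that follows.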
business-premium M365bp Trial Playbook Microsoft Business Premium https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-trial-playbook-microsoft-business-premium.md
When you [start a trial or purchase Microsoft 365 Business Premium](get-microsof
2. Use your [preset security policies](/security/office-365-security/preset-security-policies.md). These policies represent a baseline protection profile that's suitable for most users. Standard protection includes:
- - [Safe Links](../security/office-365-security/safe-links.md), [Safe Attachments](../security/office-365-security/safe-attachments.md) and [Anti-Phishing](../security/office-365-security/anti-phishing-protection.md) policies that are scoped to the entire tenant or the subset of users you may have chosen during the trial setup process. (Your trial subscription is for up to 25 users.)
+ - [Safe Links](../security/office-365-security/safe-links.md), [Safe Attachments](../security/office-365-security/safe-attachments.md) and [Anti-Phishing](../security/office-365-security/anti-phishing-protection-about.md) policies that are scoped to the entire tenant or the subset of users you may have chosen during the trial setup process. (Your trial subscription is for up to 25 users.)
- Protection for productivity apps, such as [SharePoint](/sharepoint/introduction), [OneDrive](/onedrive/one-drive-quickstart-small-business), [Microsoft 365 apps](/deployoffice/about-microsoft-365-apps), and [Microsoft Teams](/microsoftteams/teams-overview).
compliance Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
The tables also indicate the Office 365 Enterprise and Office 365 US Government
|**Messages containing malicious entity not removed after delivery**|Generates an alert when any message containing malicious content (file, URL, campaign, no entity), is delivered to mailboxes in your organization. If this event occurs, Microsoft attempted to remove the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](../security/office-365-security/zero-hour-auto-purge.md), but the message was not removed due to a failure. Additional investigation is recommended. This policy automatically triggers [automated investigation and response in Office 365](../security/office-365-security/office-365-air.md).|Medium|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription| |**Phish delivered because a user's Junk Mail folder is disabled**|**Note**: This alert policy is in the process of being deprecated. Mailbox settings no longer determine whether detected messages can be moved to the Junk Email folder. For more information, see [Configure junk email settings on Exchange Online mailboxes](/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5| |**Phish delivered due to an ETR override**<sup>\*\*</sup>|Generates an alert when Microsoft detects an Exchange transport rule (also known as a mail flow rule) that allowed delivery of a high confidence phishing message to a mailbox. For more information about Exchange Transport Rules (Mail flow rules), see [Mail flow rules (transport rules) in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|
-|**Phish delivered due to an IP allow policy**<sup>\*\*</sup>|Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox. For more information about the IP allow policy (connection filtering), see [Configure the default connection filter policy - Office 365](../security/office-365-security/configure-the-connection-filter-policy.md).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Phish delivered due to an IP allow policy**<sup>\*\*</sup>|Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox. For more information about the IP allow policy (connection filtering), see [Configure the default connection filter policy - Office 365](../security/office-365-security/connection-filter-policies-configure.md).|Informational|No|E1/F1/G1, E3/F3/G3, or E5/G5|
|**Phish not zapped because ZAP is disabled**<sup>\*\*</sup>|Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled.|Informational|No|E5/G5 or Defender for Office 365 P2 add-on subscription| |**Potential nation-state activity**|Microsoft Threat Intelligence Center detected an attempt to compromise accounts from your tenant.|High|No|E5/G5 or Defender for Office 365 P2 add-on subscription| |**Remediation action taken by admin on emails or URL or sender**|**Note**: This alert policy has been replaced by the **Administrative action submitted by an Administrator** alert policy. This alert policy will eventually go away, so we recommend disabling this alert policy and using **Administrative action submitted by an Administrator** instead. <br/><br/> This alert is triggered when an admin takes remediation action on the selected entity|Informational|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|
-|**Suspicious connector activity**|Generates an alert when a suspicious activity is detected on an inbound connector in your organization. Mail is blocked from using the inbound connector. The admin will receive an email notification and an alert. This alert provides guidance on how to investigate, revert changes, and unblock a restricted connector. To learn how to respond to this alert, see [Respond to a compromised connector](/microsoft-365/security/office-365-security/respond-compromised-connector).|High|No|E1/F1/G1, E3/F3/G3, or E5/G5|
+|**Suspicious connector activity**|Generates an alert when a suspicious activity is detected on an inbound connector in your organization. Mail is blocked from using the inbound connector. The admin will receive an email notification and an alert. This alert provides guidance on how to investigate, revert changes, and unblock a restricted connector. To learn how to respond to this alert, see [Respond to a compromised connector](/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise).|High|No|E1/F1/G1, E3/F3/G3, or E5/G5|
|**Suspicious email forwarding activity**|Generates an alert when someone in your organization has autoforwarded email to a suspicious external account. This is an early warning for behavior that may indicate the account is compromised, but not severe enough to restrict the user. Although it's rare, an alert generated by this policy may be an anomaly. It's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|High|No|E1/F1/G1, E3/F3/G3, or E5/G5| |**Suspicious email sending patterns detected**|Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. This is an early warning for behavior that may indicate that the account is compromised, but not severe enough to restrict the user. Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Medium|Yes|E1/F1/G1, E3/F3/G3, or E5/G5| |**Tenant Allow/Block List entry is about to expire**|Generates an alert when a Tenant Allow/Block List entry is about to be removed. This event is triggered three days prior to expiration date, which is based when the entry was created or last updated. <br/><br/> For blocks, you can extend the expiration date to keep the block in place. For allows, you need to resubmit the item so that our analysts can take another look. However, if the allow has already been graded as a false positive, then the entry will only expire when the system filters have been updated to naturally allow the entry. For more information on events that trigger this alert, see [Manage the Tenant Allow/Block list](../security/office-365-security/tenant-allow-block-list.md).|Informational|No|E5/G5 or Defender for Office 365 P2 add-on subscription|
compliance Compliance Manager Assessments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-assessments.md
Compliance Manager helps you create assessments that evaluate your compliance wi
All of your assessments are listed on the assessments tab of Compliance Manager. Learn more about [how to filter your view of your assessments and interpret status states](compliance-manager-setup.md#assessments-page). > [!IMPORTANT]
-> The templates available to your organization for building assessments depend on your licensing agreement. [Review licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
+> The assessment templates that are included by default for your organization depend on your licensing agreement. [Review licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
## Data Protection Baseline default assessment
You can create a group while creating a new assessment. Groups can't be created
## Understand templates before creating assessments
-Assessment templates contain the controls and action recommendations for assessments, based on certifications for different privacy regulations and standards. Your organization starts out with at least one and possibly more **included** templates available to use, depending on your licensing agreement. Your organization may also purchase additional **premium** templates.
-
-Each template exists in two versions: one for use with Microsoft 365 (or other Microsoft products as available), and a universal version that can be tailored to assess other products that you use. You can choose the appropriate template type for the product you want to assess.
+Assessment templates contain the controls and action recommendations for assessments, based on certifications for different privacy regulations and standards. Each template exists in two versions: one for use with Microsoft 365 (or other Microsoft products as available), and a universal version that can be tailored to assess other products that you use. You can choose the appropriate template type for the product you want to assess.
Get more details more about templates at [Learn about assessment templates in Compliance Manager](compliance-manager-templates.md).
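Review bot: The unchanged sentence that follows the merged paragraph, "Get more details more about templates at ...", has a duplicated "more"; since the paragraph above it is being reworked, fix it in the same change. The merged paragraph also drops the explanation of **included** versus **premium** templates, so confirm the linked article introduces both terms, because this section no longer does.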
Follow the steps to grant user access to an assessment.
1. Select the **+ Add** command for the role tab you're on: **Add reader**, or **Add assessor** or **Add contributor**.
-1. Another flyout pane appears which lists all the users in your organization. You can select the checkbox next to the username you want to add, or you can enter their name in the search bar adn select the user from there. You can select multiple users at once.
+1. Another flyout pane appears which lists all the users in your organization. You can select the checkbox next to the username you want to add, or you can enter their name in the search bar and select the user from there. You can select multiple users at once.
1. After making all your selections, select **Add**. > [!NOTE]
compliance Compliance Manager Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-setup.md
Compliance Manager settings can only be accessed by users who hold a global admi
Compliance Manager detects signals from other Microsoft Purview solutions that your organization may subscribe to, including data lifecycle management, information protection, Microsoft Purview Data Loss Prevention, communication compliance, and insider risk management. Compliance Manager also detects signals from complementary improvement actions that are monitored by [Microsoft Secure Score](../security/defender/microsoft-secure-score.md).
-Using these signals, Compliance Manager can automatically test certain improvement actions for you, which helps maximize efficiency in your compliance activities. When an improvement action is successfully tested and implemented, you receive the full amount of points, which gets [credited to your overall compliance score](compliance-score-calculation.md#how-compliance-manager-continuously-assesses-controls).
+Using these signals, Compliance Manager can automatically test certain improvement actions for you, which helps maximize efficiency in your compliance activities. When an improvement action is successfully tested and implemented, you receive the full number of points, which gets [credited to your overall compliance score](compliance-score-calculation.md#how-compliance-manager-continuously-assesses-controls).
**Automatic testing is turned on by default for organizations new to Compliance Manager.** When you first deploy Microsoft 365 or Office 365, it takes approximately seven days to fully collect data and factor it into your compliance score. When automated testing is turned on, the action’s test date won’t be updated, but its test status will update. When new assessments are created, scores automatically include Microsoft control scores and Secure Score integration. See [Manage automated testing settings](#manage-automated-testing-settings) below to edit or turn off this setting.
You can reassign improvement actions from one user to another. When you reassign
5. From the **Select** drop-down menu, choose **Reassign improvement actions**. The **Reassign improvement actions** flyout pane will appear.
-6. In the **Search users** field, enter the name or email address of the user you want assign the improvement actions *to*.
+6. In the **Search users** field, enter the name or email address of the user to whom you're assigning the improvement actions.
7. When you see the name of your intended user under **Improvement actions will be assigned to**, select the user, then select **Assign actions**.
The assessments page summarizes key information about each assessment:
- **Status**: - **Complete** - all controls have a status of “passed,” or at least one is passed and the rest are “out of scope” - **Incomplete** – at least one control has a status of “failed"
- - **None** - all controls have have not been tested
+ - **None** - all controls haven't been tested
- **In progress** - improvement actions have any other status, including “in progress,” “partial credit,” or “undetected - **Assessment progress**: the percentage of the work done toward completion, as measured by the number of controls successfully tested - **Your improvement actions**: the number of completed actions to satisfy implementation of your controls
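Review bot: The replacement text for the **None** status, "all controls haven't been tested", removes the doubled "have" but is still ambiguous: it can be read as "not every control has been tested", which overlaps with the other states in this list. If **None** means that testing has not started on any control, "no controls have been tested" says so directly.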
By default, you'll see the [Data Protection Baseline](compliance-manager-assessm
## Assessment templates page
-A template is a framework for creating an assessment in Compliance Manager. The assessment templates page displays a list of templates and key details. The list includes templates provided by Compliance Manager as well as any templates your organization has modified or created. You can apply filters to find a template based on certification, product scope, country, industry, and who created it.
+A template is a framework for creating an assessment in Compliance Manager. The assessment templates page displays a list of templates and key details. The list includes templates provided by Compliance Manager as well as any templates your organization has modified or created.
-The **activated templates** counter near the top of the page shows the number of active assessment templates currently in use out of the total number of templates available for your organization to use. See [Template availability and licensing](compliance-manager-templates.md#template-availability-and-licensing) for more information.
+The **Activated/Licensed templates** counter near the top of the page shows the number of active assessment templates currently in use out of the total number of templates available for your organization to use. See [Template availability and licensing](compliance-manager-templates.md#template-availability-and-licensing) for more information.
Select a template from its row to bring up its details page, which contains a description of the template and further information about certification, scope, and controls details. From this page you can select the appropriate buttons to create an assessment, export the template data to Excel, or modify the template.
compliance Compliance Manager Templates List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-list.md
description: "Microsoft Purview Compliance Manager provides templates for buildi
**In this article:** View the comprehensive list of **templates** available for creating assessments in Compliance Manager. > [!IMPORTANT]
-> The assessment templates that are available to your organization depend on your licensing agreement. [Review the details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
->
-> Starting in mid-December 2022, licensing updates will affect which templates are included as part of licensing agreements. [Learn more about these changes below](#included-templates).
+> The assessment templates that are included by default for your organization depend on your licensing agreement. [Review licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
Templates are added to Compliance Manager as new laws and regulations are enacte
## List of templates and where to find them
-Below is the complete list of templates in Compliance Manager. Template names match the associated regulation or certification. Where available, links in the template names below take you to related documentation about that standard, regulation, or law.
+Below is the complete list of templates in Compliance Manager. Template names match the associated regulation or certification. Find all templates in Compliance Manager on the **Assessment templates** tab. Select a template name to view the template's description, properties, controls, and associated improvement actions.
-Each template (except for the [Microsoft Data Protection Baseline](compliance-manager-assessments.md#data-protection-baseline-default-assessment) default template) is available in at least one version designed for use with a specific product, such as Microsoft 365, along with a universal version that you can use to assess other products of your choice. To learn more about template options, see [Learn about assessment templates](compliance-manager-templates.md).
-
-You can also select individual templates in Compliance Manager to view more information about them, including a description of the regulation and properties of the template. Read the **About** section for a summary.
+Each template (except for the [Microsoft Data Protection Baseline](compliance-manager-assessments.md#data-protection-baseline-default-assessment) default template) is available in at least one version designed for use with a specific product, such as Microsoft 365, along with a universal version that you can use to assess other products of your choice. Templates that correspond to a regulation which has multiple levels or versions are treated as a single template.
Jump to a section below to view templates by area or industry: - [Global](#global)
Jump to a section below to view templates by area or industry:
- [North America](#north-america) - [South America](#south-america)
-### Where to find your templates in Compliance Manager
-
-To review the templates available to your organization, go to your **Assessment templates** page. Learn more about [how to view and manage your templates](compliance-manager-templates.md#view-and-manage-templates).
- ## Included templates
-> [!NOTE]
-> Starting mid-December 2022, we're rolling out changes to included and premium templates. Listed below is a summary of changes, which will be fully documented when the rollout begins:
->
-> - Customers at all subscription levels will have the Microsoft Data Protection Baseline template included as part of their subscription.
-> - Customers at the A5/E5/G5 subscription levels will be able to choose any three premium templates to use for free. The use of any premium templates beyond those three will require purchase.
-> - The included templates for US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers are the Cybersecurity Maturity Model Certification (CMMC) template (levels 1 through 5) in addition to the Microsoft Data Protection Baseline template.
-> - Templates that correspond to a regulation will now all be grouped together and treated as a single template. For example, CMMC - Level 1, and CMMC - Level 2 will now be counted as one template; you won't need to purchase multiple templates for the same regulation when that regulation has multiple levels or versions.
->
-> Get additional details on our [frequently asked questions](compliance-manager-faq.yml) page.
-
-One or more of the templates listed below are included as part of your licensing agreement. The Microsoft Data Protection Baseline template is included for all organizations.
--- [Microsoft Data Protection Baseline](compliance-manager-assessments.md#data-protection-baseline-default-assessment)-- [European Union GDPR](/compliance/regulatory/gdpr)-- [ISO/IEC 27001:2013](/compliance/regulatory/offering-iso-27001)-- NIST 800-53 Revs. 4 and 5
+Some assessment templates are included in Compliance Manager by default, depending on subscription level:
-> [!NOTE]
-> For US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers: the Cybersecurity Maturity Model Certification (CMMC) Levels 1 through 5 templates are included, in addition to the templates listed above.
+- **Customers at all subscription levels**: The [Microsoft Data Protection Baseline](compliance-manager-assessments.md#data-protection-baseline-default-assessment) template is included for all organizations as part of their subscription.
+- **Customers at the A5/E5/G5 subscription levels**: In addition to the Microsoft Data Protection baseline, you can choose any three premium templates to use for free.
+- **US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers**: The Cybersecurity Maturity Model Certification (CMMC) template, levels 1 through 5, is included in addition to the Microsoft Data Protection Baseline template.
#### Preview templates
The templates listed below are available in preview. Creating assessments from t
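Review bot: In the new **Included templates** list, the A5/E5/G5 bullet writes "Microsoft Data Protection baseline" with a lowercase "baseline", while the bullets above and below it use "Microsoft Data Protection Baseline"; make the template name consistent. The same bullet also drops the sentence from the removed note that premium templates beyond the three free ones require purchase, which is worth keeping here so that the limit is stated where the entitlement is described.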
## Premium templates
-The templates listed below may be purchased by your organization. See the [note above](#included-templates) about upcoming changes in December 2022.
+The templates listed below may be purchased by your organization. Certain licensing agreements allow for the use of three premium templates for free. Review [licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
### Global
compliance Compliance Manager Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates.md
description: "Understand how to use and manage templates for building assessment
**In this article:** Understand **how templates work** and **how to manage them** from your assessment templates page. Get instructions for **creating** new templates, **extending** and **modifying** existing templates, **formatting your template data with Excel**, and exporting template **reports**. > [!IMPORTANT]
-> The assessment templates that are available to your organization depend on your licensing agreement. [Review licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
->
-> Starting in mid-December 2022, licensing updates will affect which templates are included as part of licensing agreements. [Learn more about these changes below](#template-availability-and-licensing).
+> The assessment templates that are included by default for your organization depend on your licensing agreement. [Review licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
Note that US Government Community (GCC) Moderate, GCC High, and Department of De
## Template availability and licensing
-> [!NOTE]
-> Starting mid-December 2022, we're rolling out changes to included and premium templates. Listed below is a summary of changes, which will be fully documented when the rollout begins:
->
-> - Customers at all subscription levels will have the Microsoft Data Protection Baseline template included as part of their subscription.
-> - Customers at the A5/E5/G5 subscription levels will be able to choose any three premium templates to use for free. The use of any premium templates beyond those three will require purchase.
-> - The included templates for US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers are the Cybersecurity Maturity Model Certification (CMMC) template (levels 1 through 5) in addition to the Microsoft Data Protection Baseline template.
-> - Templates that correspond to a regulation will now all be grouped together and treated as a single template. For example, CMMC - Level 1, and CMMC - Level 2 will now be counted as one template; you won't need to purchase multiple templates for the same regulation when that regulation has multiple levels or versions.
->
-> Get additional details on our [frequently asked questions](compliance-manager-faq.yml) page.
- There are two categories of templates in Compliance
-1. **Included templates** are granted by your Compliance Manager license and cover key regulations and requirements. To learn more about what templates are available under your licensing agreement, see [licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#compliance-manager).
+1. **Included templates** are granted by your Compliance Manager license and cover key regulations and requirements. To learn more about what templates are available under your licensing agreement, see [licensing details](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
2. **Premium templates** to cover additional needs and scenarios can be obtained by purchasing template licenses. When you begin creating assessments, Compliance Manager will track how many templates are active so you can monitor your usage. To learn more, see [Active and inactive templates](compliance-manager-templates.md#active-and-inactive-templates).
If you link any assessments to a purchased premium template, that template will
#### Activated templates counter
-Your assessment page and assessment templates page have an **activated templates** counter near the top. The counter displays the number of templates in use out of the number you're eligible to use according to your licensing agreement. Template use is counted at the certification level.
+Your **Assessment templates** page has an **Activated/Licensed templates** counter near the top. The counter displays the number of templates in use out of the number you're eligible to use according to your licensing agreement.
-For example, if your counter shows 2/5, this means your organization has activated 2 templates out of the 5 that are available to use.
+For example, if your counter shows 2/5, this means your organization has activated 2 templates out of the 5 that are available to use. If your counter shows 5/2, this indicates that your organization exceeds its limits and needs to purchase 3 of the premium templates in use.
-If your counter shows 5/2, this indicates that your organization exceeds its limits and needs to purchase 3 of the premium templates in use.
+Templates for a pre-defined product, such as Microsoft 365, have joint licensing with the universal versions of the same template. This enables you to use the same underlying regulation across more than one product. Using either or both versions of the same template will only count as one activated template.
-Templates for a pre-defined product, such as Microsoft 365, have joint licensing with the universal versions of the same template. This enables you to use the same underlying certification across more than one product. Using either or both versions of the same template will only count as one activated template.
+Similarly, templates that belong to the same regulation family are also counted as one template. The regulation family is shown in the **Overarching regulation** column on the **Assessment templates** page. When you purchase a template license for a regulation and activate the template, it counts as one activated template even if you create assessments for different levels or versions of that regulation. For example, if you use a template for CMMC Level 1 and a template for CMMC Level 2, your activated templates counter increases by only one.
-For further details, see [Compliance Manager licensing guidance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#compliance-manager).
+For further details, see [Compliance Manager licensing guidance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-compliance-manager).
## View and manage templates
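Review bot: The body of this section now calls the counter **Activated/Licensed templates**, but the unchanged heading above it still reads "#### Activated templates counter", and the new CMMC example refers to "your activated templates counter". Either rename the heading to match the new UI label (keeping the existing anchor reachable for inbound links) or use one name throughout. The removed sentence "Template use is counted at the certification level" is replaced by the regulation-family paragraph, so it would help to say explicitly that counting is now done per regulation family.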
compliance Compliance Manager Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-whats-new.md
description: "Find out what’s new in Compliance Manger and what’s to come. R
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
+## December 2022
+
+Assessment templates that belong to the same regulation family now count as one template. This change means that when you purchase a premium template license for a regulation, the license will apply for all levels and versions of that regulation. Review the [list of templates](compliance-manager-templates-list.md) and a summary of [template licensing changes starting December 2022](compliance-manager-faq.yml#what-changed-with-template-licensing-in-december-2022-).
+ ## November 2022 Compliance Manager now allows you to assign user roles that are specific to individual assessments. This feature allows you to provide assessors with scoped access to Compliance Manager. Learn more about [granting user access to individual assessments](compliance-manager-assessments.md#grant-user-access-to-individual-assessments).
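Review bot: In the added **December 2022** entry, the FAQ link anchor `#what-changed-with-template-licensing-in-december-2022-` ends with a trailing hyphen; confirm that it matches the generated heading ID in compliance-manager-faq.yml, because a mismatch drops the reader at the top of the page. On wording, "the license will apply for all levels and versions" reads more naturally as "the license applies to all levels and versions", which also matches the present tense of the first sentence.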
View our [full list of assessment templates](compliance-manager-templates-list.m
### Continuous compliance assessment of improvement actions
-We're adding automated testing and evidence generation for over 35 improvement actions in Compliance Manager that were not previously covered by Secure Score. With continuous compliance assessment, you can receive updates about which of these improvement actions you've completed if they're relevant for your compliance assessments and you're licensed to access the relevant solutions. Continuous compliance assessment also gives users visibility into the scoring logic of your improvement actions and provides insight and evidence about why you received a certain score. This feature works alongside existing integrations with Microsoft 365 Secure Score, and any automated actions you've previously configured will continue to work as-is. Learn more about [automated testing settings](compliance-manager-setup.md#testing-source-for-automated-testing).
+We're adding automated testing and evidence generation for over 35 improvement actions in Compliance Manager that weren't previously covered by Secure Score. With continuous compliance assessment, you can receive updates about which of these improvement actions you've completed if they're relevant for your compliance assessments and you're licensed to access the relevant solutions. Continuous compliance assessment also gives users visibility into the scoring logic of your improvement actions and provides insight and evidence about why you received a certain score. This feature works alongside existing integrations with Microsoft 365 Secure Score, and any automated actions you've previously configured will continue to work as-is. Learn more about [automated testing settings](compliance-manager-setup.md#testing-source-for-automated-testing).
## February 2022
contentunderstanding Set Up Content Understanding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/set-up-content-understanding.md
To use structured document processing or freeform document processing models, yo
For details about Syntex licensing, see [Microsoft Syntex licensing](syntex-licensing.md)
+### Pay-as-you-go preview
+
+Microsoft Syntex is offering a limited-time free preview for pay-as-you-go document processing charged through an Azure subscription. The preview allows you to track Microsoft Syntex processing events at no cost to assess usage and estimate costs for a future pay-as-you-go license. For details about the preview, see [Microsoft Syntex pay-as-you-go preview](/legal/microsoft-365/microsoft-syntex-azure-billing-trial). To set up the preview, see [Configure Microsoft Syntex for Azure pay-as-you-go billing](syntex-azure-billing.md).
+ ## To set up Syntex 1. In the Microsoft 365 admin center, select <a href="https://go.microsoft.com/fwlink/p/?linkid=2171997" target="_blank">**Setup**</a>, and then view the **Files and content** section.
-1. In the **Files and content** section, select **Automate content understanding**. Note that your current AI Builder credit availability is shown in the **At a glance** section.<br/>
-
-1. On the **Automate content understanding** page, click **Get started** to walk through the setup process. <br/>
+1. In the **Files and content** section, select **Use content AI with Microsoft Syntex**.
- > [!div class="mx-imgBorder"]
- > ![Begin setup.](../media/content-understanding/admin-content-understanding-get-started.png)</br>
+1. On the **Use content AI with Microsoft Syntex** page, select **Set up Microsoft Syntex** to walk through the setup process. <br/>
1. On the **Configure AI Builder model creation** page, you can choose if you want to let end users create and train models that use AI Builder and apply them to document libraries. A menu option will be available in the document library ribbon in SharePoint document libraries in which it is enabled.
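Review bot: the added step "On the **Use content AI with Microsoft Syntex** page, select **Set up Microsoft Syntex** to walk through the setup process." still ends in `<br/>`, which only served the screenshot that this change removes; the added step before it dropped the tag, so drop it here too. The removed step also told admins that their AI Builder credit availability is shown in the **At a glance** section; if that is still true on the renamed page, keep the sentence.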
For details about Syntex licensing, see [Microsoft Syntex licensing](syntex-lice
1. On the confirmation page, select **Done**.
-1. You'll be returned to your **Automate content understanding** page. From this page, you can select **Manage** to make any changes to your configuration settings.
+1. You'll be returned to your **Use content AI with Microsoft Syntex** page. From this page, you can select **Manage Microsoft Syntex** to make any changes to your configuration settings.
+
+If you plan to use the pay-as-you-go preview, see [Configure Microsoft Syntex for Azure pay-as-you-go billing](syntex-azure-billing.md).
## Assign licenses
To assign licenses:
1. In the Microsoft 365 admin center, under **Users**, select <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">**Active users**</a>.
-2. Select the users that you want to license, and choose **Manage product licenses**.
-
-3. Choose **Apps** from the drop-down menu.
+1. Select the users that you want to license, and choose **Manage product licenses**.
-4. Select **Show apps for Syntex**. Under **Apps**, make sure **Common Data Service for Syntex**, **Syntex**, and **Syntex - SPO type** are all selected.
+1. Choose **Apps** from the drop-down menu.
- > [!div class="mx-imgBorder"]
- > ![Syntex licenses in the Microsoft 365 admin center.](../media/content-understanding/sharepoint-syntex-licenses.png)
+1. Select **Show apps for Syntex**. Under **Apps**, make sure **Common Data Service for Syntex**, **Syntex**, and **Syntex - SPO type** are all selected.
-5. Click **Save changes**.
+1. Select **Save changes**.
## See also
contentunderstanding Syntex Azure Billing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/syntex-azure-billing.md
+
+ Title: Configure Microsoft Syntex for pay-as-you-go billing in Azure (Preview)
++++
+audience: admin
+++
+ - enabler-strategic
+ - m365initiative-syntex
+search.appverid: MET150
+ms.localizationpriority: medium
+description: Learn about how to set up pay-as-you-go Azure billing for Microsoft Syntex and how to monitor your usage.
++
+# Configure Microsoft Syntex for pay-as-you-go billing in Azure (Preview)
+
+Some Microsoft Syntex features are billed through an Azure subscription. In this limited-time preview, you can use prebuilt and unstructured document processing (formerly document understanding) at no cost and see activity reports in Azure.
+
+After the preview ends, document processing will be charged on a pay-as-you-go basis. You will have the option to opt in at that time. For details about the preview, see [Microsoft Syntex pay-as-you-go preview](/legal/microsoft-365/microsoft-syntex-azure-billing-trial).
+
+This preview does not include structured or freeform document processing which use AI Builder credits.
+
+## Prerequisites
+
+To use Microsoft Syntex pay-as-you go, you need:
+
+- An Azure subscription
+- An Azure resource group in that subscription
+- An Azure storage account in that subscription if you want to create usage reports. (See [Azure Blob Storage pricing](https://azure.microsoft.com/pricing/details/storage) for pricing.)
+
+If you already have these resources for other purposes, you can also use them with Microsoft Syntex.
+
+For information about how to create an Azure subscription, see [Create your initial Azure subscriptions](/azure/cloud-adoption-framework/ready/azure-best-practices/initial-subscriptions)
+
+For information about how to create an Azure resource group, see [Manage Azure resource groups by using the Azure portal](/azure/azure-resource-manager/management/manage-resource-groups-portal).
+
+For information about how to create an Azure storage account, see [Create a storage account](/azure/storage/common/storage-account-create). The storage account does not need to be public or connected to the internet.
+
+## Set up Microsoft Syntex billing in Azure
+
+When you set up Microsoft Syntex billing in Azure, events will be sent to the Azure meter in your account and you will be able to view the pages processed for unstructured and prebuilt document processing models.
+
+The following permissions are required to set up Microsoft Syntex billing:
+
+- You must have Global Administrator or SharePoint Administrator permissions to be able to access the Microsoft 365 admin center and set up Syntex.
+- You must have owner or contributor rights to the Azure subscription that you want to use for Microsoft Syntex billing.
+
+To configure Microsoft Syntex billing
+
+1. In the Microsoft 365 admin center, select <a href="https://go.microsoft.com/fwlink/p/?linkid=2171997" target="_blank">**Setup**</a>, and then view the **Files and content** section.
+
+1. In the **Files and content** section, select **Use content AI with Microsoft Syntex**.
+
+1. On the **Microsoft Syntex** page, select **Configure billing** to walk through the setup process.
+1. On the **Enter your Azure subscription** panel, choose an Azure subscription from the **Azure subscription** dropdown.
+1. Choose a resource group and region. (The region determines where your tenant ID and usage information such as site names will be stored.)
+1. Select **Save**.
+
+If you need to change or disconnect your Azure subscription, you can select **Manage billing** on the **Use content AI with Microsoft Syntex**.
+
+If you have not previously configured Microsoft Syntex, read [Set up Microsoft Syntex](set-up-content-understanding.md) to learn how.
+
+## Monitor your Microsoft Syntex pay-as-you-go usage
+
+You can monitor your Microsoft Syntex pay-as-you-go usage in Azure Cost Management. (There's no charge for this usage during the preview and the cost analysis dashboard won't show any information.)
+
+To run the report, the customer must have at least *read* access to the resource group and *contributor* access to the storage container.
+
+Pages processed are counted for every time the model runs against the document for all pages processed in the document regardless of whether there was a positive classification. This includes when a document is processed after being updated.
+
+Model training does not count toward pages processed.
+
+To create a report
+1. Sign in to [Azure Cost Management](https://portal.azure.com/#view/Microsoft_Azure_CostManagement/Menu/~/overview).
+1. Under **Settings**, select **Exports**.
+1. Select **Add**.
+1. Type a name for the export.
+1. Select the **Metric** that you want to report on.
+1. Choose an **Export type** and the dates for the export.
+1. In the **Storage** section, choose the subscription that you're using for Microsoft Syntex billing.
+1. In the **Storage account** dropdown, choose a storage account to which you have contributor access.
+1. Type a name for the container where the report will be stored.
+1. Type the path within the container where you want to export the report.
+1. Select **Create**.
+
+Once the report has been created, it will run on the date you specified. You can also run it manually.
+
+To run a report
+1. In the Azure Cost Management Exports list, select the report that you want to run.
+1. Select **Run now**.
+
+The report may take up to an hour to run.
+
+To access the report
+1. In the Azure Cost Management Exports list, select the report.
+1. Select the storage account.
+1. Under **Data storage**, select **Containers**.
+1. Select the container where you stored the report.
+1. Navigate to the csv file for the report that you want to view.
+1. Select the csv, and then select **Download**.
+
+Filter the csv on **consumedService** = *Microsoft.Syntex*. The following columns include Microsoft Syntex transaction information:
+
+- meterName
+- meterCategory
+- meterSubCategory
+- ProductName
+- quantity
+- tags (site and library information)
+
+## Related topics
+
+[Overview of Microsoft Syntex](syntex-overview.md)
+
+[Licensing for Microsoft Syntex](syntex-licensing.md)
+
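Review bot: the permissions for the usage report are stated two ways in "Monitor your Microsoft Syntex pay-as-you-go usage": the paragraph requires *contributor* access to the storage container, while the **Storage account** dropdown step in "To create a report" asks for a storage account to which you have contributor access. State one scope, and address the reader as "you" rather than "the customer", as the rest of the article does. Because the exported csv carries site and library information in `tags`, it would help to say who should be able to read that container, next to the existing sentence that the storage account does not need to be public. In "Set up Microsoft Syntex billing in Azure", the third step refers to the **Microsoft Syntex** page while the second step and the "Manage billing" sentence call it **Use content AI with Microsoft Syntex** (that sentence is also missing the word "page"). Smaller items: "pay-as-you go" in Prerequisites needs its last hyphen, the "Create your initial Azure subscriptions" sentence lacks a period, and `ProductName` is the only capitalized column name in the list, so confirm that it matches the csv header.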
enterprise M365 Dr Workload Other https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-dr-workload-other.md
Please refer to [Data Residency - Yammer | Microsoft Learn](/yammer/manage-secur
1. Canada 1. Japan
-| Country Code | Country Name | Viva Insights Advanced | Viva Learning | Planner |
+| Country Code | Countries/Regions | Viva Insights Advanced | Viva Learning | Planner |
| | | | | | | AF | Afghanistan | APC<sup>2</sup>| APC<sup>2</sup>| APC<sup>2</sup>| | AX | Aland Islands | APC<sup>2</sup>| AMER<sup>3</sup>| EUR<sup>1</sup>|
Please refer to [Data Residency - Yammer | Microsoft Learn](/yammer/manage-secur
| SZ | Swaziland | EUR<sup>1</sup>| EUR<sup>1</sup>| EUR<sup>1</sup>| | SE | Sweden | EUR<sup>1</sup>| EUR<sup>1</sup>| EUR<sup>1</sup>| | CH | Switzerland | EUR<sup>1</sup>| EUR<sup>1</sup>| EUR<sup>1</sup>|
-| TW | Taiwan, Republic of China | APC<sup>2</sup>| APC<sup>2</sup>| APC<sup>2</sup>|
+| TW | Taiwan | APC<sup>2</sup>| APC<sup>2</sup>| APC<sup>2</sup>|
| TJ | Tajikistan | EUR<sup>1</sup>| APC<sup>2</sup>| EUR<sup>1</sup>| | TH | Thailand | APC<sup>2</sup>| APC<sup>2</sup>| APC<sup>2</sup>| | TL | Timor-Leste | APC<sup>2</sup>| EUR<sup>1</sup>| APC<sup>2</sup>|
enterprise Microsoft 365 External Recipient Service Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-external-recipient-service-alerts.md
Title: "External recipients service alerts"
+ Title: "Service advisories for messages pending delivery to external recipients"
Previously updated : 05/31/2022 Last updated : audience: Admin
- admindeeplinkEXCHANGE f1.keywords: - NOCSH
-description: "Use external recipients service alerts to monitor mailboxes on hold that are reaching their mailbox quota."
+description: "Use external recipients service advisories to monitor mailboxes on hold that are reaching their mailbox quota."
-# Service alerts for messages pending delivery to external recipients in Exchange Online monitoring
+# Messages Pending Delivery to External Recipients Outside of Exchange Online
-The service alerts inform admins of mail queuing to external recipients outside of Exchange Online. These alerts may require remediation actions that are outside of Microsoft, but they can provide you with information needed to remediate.
+This advisory informs you of mail queuing to external recipients outside of Exchange Online. Many of these advisories require actions outside of Microsoft and provide administrators with the information needed to remediate.
-These service alerts are displayed in the Microsoft 365 admin center. To view these service alerts, go to **Health** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">**Service health**</a> > **Exchange Online** and then click the **Active issues** tab. The name for these service alerts is "Message Queueing to External Recipients Above Thresholds".
+These advisories are displayed in the Microsoft 365 admin center. To view these advisories, go to **Health** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842900" target="_blank">**Service health**</a> > **Exchange Online** and then click the **Active issues** tab. The name for these service alerts is "Message Queueing to External Recipients Above Thresholds".
![Service alert for messages pending delivery to external recipients displayed in the Exchange Online monitoring dashboard.](../media/microsoft-365-exchange-monitoring/ExternalRecipientsServiceAlerts1.png)
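Review bot: the updated `description` still says the advisories "monitor mailboxes on hold that are reaching their mailbox quota", which does not match the new title or H1 about messages pending delivery to external recipients; rewrite it to describe mail queuing to external recipients. The rename is also incomplete in the intro: the paragraph that begins "These advisories are displayed" ends with "The name for these service alerts is", so pick one term (the quoted display name can stay as the product shows it). The new H1 uses title case while the other headings in the article use sentence case.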
When you double-click the service alert, a flyout page similar to the following
![Content in the service alert for messages pending delivery to external recipients.](../media/microsoft-365-exchange-monitoring/ExternalRecipientsServiceAlerts2.png)
-## What do these service alerts indicate?
+## What do these service advisories indicate?
-The service alerts for messages pending delivery to external recipients informs you that messages destined to recipients outside of Exchange Online may be delayed. The queueing of messages may be caused by your on-premises environment or a third-party messaging or journaling solution.
-
-Here are some common reasons for queueing messages to external recipients. However, the issues causing these service alerts may not be limited to these reasons.
+This service advisory informs you of messages destined to recipients outside Exchange Online may be delayed. Queueing may be caused by your on-premises environment or third-party messaging\journaling solution. Reasons for queueing may be caused by, but are not limited to:
- DNS changes - Excessive sending rates -- On-premises Message Transfer Agents (MTA) or journaling solutions with low to no free disk space--- MTAs in backpressure--- Network issues, including load balancers
+- MTA\journaling solutions with low to no free disk space
- Certificate issues
-Each service alert contains high-level recommendations for remediating the issue. The service alert also indicates the number of messages queued at the time of alert, the domain where the messages are queued to, and the SMTP error code associated with most of the queued messages.
+Each service advisory contains high level recommendations for administrators in remediating the issue. We also provide the number of messages queued at the time of alert, the domain where the messages are queued to, and the SMTP error code associated with most messages.
-For more information for determining the root cause for these service alerts, see [Mail flow intelligence in Exchange Online](../security/office-365-security/mail-flow-intelligence-in-office-365.md). This article also includes suggested actions to fix the root cause.
+For more information for determining the root cause for these service alerts, see [Mail flow intelligence in Exchange Online](../security/office-365-security/connectors-mail-flow-intelligence.md). This article also includes suggested actions to fix the root cause.
> [!NOTE]
-> Microsoft can't account for every SMTP error code provided by third-party vendors. Therefore, admins may be required to investigate errors codes that are specific to their MTA or journaling solutions used by their organization.
+> As Microsoft cannot account for every SMTP error code provided by third-party vendors, administrators may be required to investigate these errors codes specific to their Message Transfer Agent (MTA) or journaling solutions.
## More information If your organization has recently created or changed mail flow connectors in your on-premises or Exchange Online organization, see the following articles for more information.
+- [Queued messages report in the new EAC in Exchange Online](/exchange/monitoring/mail-flow-reports/mfr-queued-messages-report#queues)
+
+- [Mail flow insights in the EAC](/exchange/monitoring/mail-flow-insights/mail-flow-insights)
+
+- [Trace an email message in Exchange Online](/exchange/monitoring/trace-an-email-message/trace-an-email-message)
+ - [Configure mail flow using connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow) - [Set up connectors to route mail](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail)
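Review bot: the rewritten cause list drops "MTAs in backpressure" and "Network issues, including load balancers" without a replacement; if those are still valid causes of queueing, keep them, since admins triage from this list. `messaging\journaling` and `MTA\journaling` use a backslash as a separator; write "or", as the removed text did. "MTA" now appears in the list before it is expanded in the NOTE at the end of the section, so expand it at first use. Wording: "informs you of messages destined to recipients outside Exchange Online may be delayed" needs "that" in place of "of", "Reasons for queueing may be caused by" is circular, "high level recommendations" should be hyphenated, and "these errors codes" should be "these error codes".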
If your organization has recently created or changed mail flow connectors in you
- [Mail flow reports in the EAC](/exchange/monitoring/mail-flow-reports/mail-flow-reports) -- [Mail flow insights in the EAC](/exchange/monitoring/mail-flow-insights/mail-flow-insights)- - [Queued messages report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-queued-messages-report)--- [Trace an email message in Exchange Online](/exchange/monitoring/trace-an-email-message/trace-an-email-message)
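Review bot: after this change the list keeps "Queued messages report in the EAC" here, while the hunk above adds "Queued messages report in the new EAC in Exchange Online" pointing at the same article with `#queues`; keep one of the two entries.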
enterprise Microsoft 365 Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-monitoring.md
audience: Admin
+ms.localizationpriority: medium
search.appverid: - MET150
frontline Switch From Enterprise To Frontline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/switch-from-enterprise-to-frontline.md
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers Previously updated : 10/28/2022 Last updated : 11/30/2022 # Changing from a Microsoft 365 E plan to a Microsoft 365 F plan
scheduler Scheduler Faqs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-faqs.md
description: "Scheduler for Microsoft 365 FAQ"
# Scheduler for Microsoft 365 FAQ
+> [!IMPORTANT]
+> Scheduler for Microsoft 365 will stop working in August 2023. After that date, Scheduler won't be able to create or modify any meeting requests.
+ **Question:** How does Scheduler integrate with other Cortana features, such as *Cortana for Windows*, *Daily Briefing Email*, and *Play My Emails*?</br> Scheduler is an independent service from other Cortana features. Other Cortana features can be disabled at the tenant level, and Scheduler can still be enabled by using the cortana@yourdomain.com email address. Currently, users can only interact with Scheduler via email.
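Review bot: the added IMPORTANT note gives only "August 2023" with no day, and it does not tell admins what to do before then, for example what happens to the Scheduler assistant mailbox and the Scheduler licenses that the setup article asks them to provision; add the exact date if it is known and a pointer to next steps. The identical note is pasted into each Scheduler article in this update; a shared include, like the `[!INCLUDE [purview-preview](../includes/purview-preview.md)]` used in the Compliance Manager article, would keep the wording in one place.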
scheduler Scheduler Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-overview.md
description: "Overview of Scheduler for Microsoft 365."
# Welcome to Scheduler for Microsoft 365
+> [!IMPORTANT]
+> Scheduler for Microsoft 365 will stop working in August 2023. After that date, Scheduler won't be able to create or modify any meeting requests.
+ Scheduler for Microsoft 365 is a service that lets you delegate meeting and appointment scheduling to Cortana, your digital personal assistant. Scheduler uses natural language processing to interpret emails sent to Cortana (cortana@yourdomain.com) to find a time to meet and send calendar invitations for the meeting organizer.
scheduler Scheduler Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-preferences.md
description: Learn how to adjust scheduling preferences for Scheduler for Micros
# Scheduling preferences used by Scheduler
+> [!IMPORTANT]
+> Scheduler for Microsoft 365 will stop working in August 2023. After that date, Scheduler won't be able to create or modify any meeting requests.
+ Scheduler uses several Outlook preferences to schedule a meeting for an organizer. Any changes to the preference settings in Outlook clients will affect how Scheduler handles requests sent to Cortana. For instance, if an organizer changes the time zone preference on the settings page in Outlook Web, all requests by the organizer that follow will default to the new time zone. ## Supported settings
scheduler Scheduler Recurring Meetings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-recurring-meetings.md
Title: Scheduling Dynamic Recurring Meetings-+ audience: Admin
description: "Users can learn more about scheduling dynamic recurring meetings."
# Scheduling Dynamic Recurring Meetings
+> [!IMPORTANT]
+> Scheduler for Microsoft 365 will stop working in August 2023. After that date, Scheduler won't be able to create or modify any meeting requests.
+ Scheduler's dynamic meetings work around the user's busy schedule. Recurring meetings managed by Scheduler behave differently than traditional recurring meetings in Outlook. To keep your future calendar open and minimize conflicts with attendees, Scheduler will schedule one instance of a recurring meeting at a time.
-As an example, asking Cortana to "Schedule 30 minutes of focus time every day" will initially create one 30 minute appointment for the next available date on your calendar. Once that appointment time has passed, Scheduler will proceed to book another instance on the following date. If the original time slot is not currently available, then Scheduler will adjust the time based on your availability.
+As an example, asking Cortana to "Schedule 30 minutes of focus time every day" will initially create one 30-minute appointment for the next available date on your calendar. Once that appointment time has passed, Scheduler will proceed to book another instance on the following date. If the original time slot isn't currently available, then Scheduler will adjust the time based on your availability.
The same heuristic can be applied to meetings with invitees. You can include attendees in your request and ask Cortana to "Schedule a meeting every two weeks". The first and each successive meeting will get scheduled dynamically based on the current availability of all attendees within your organization. If you or an attendee is unavailable or out of the office on the next date, the meeting time will automatically adjust to when everyone is available, and the desired cadence is preserved for follow-on meeting instances based on the newly scheduled date.
Scheduler supports daily, weekly, and monthly intervals.
Here are some examples of how you can email Cortana to schedule recurring meetings: -- "Cortana, schedule a meeting every 2 weeks."
+- "Cortana, schedule a meeting every two weeks."
- "Book 30 minutes monthly for a review." - "Cortana will find 30 minutes for us to meet every Tuesday." - "Cortana, schedule 30 minutes every Friday at 3:30pm"
You can change the frequency of any recurring meeting or a non-recurring meeting
## Cancelling Recurring Meetings
-You can reply to Cortana's latest confirmation message and ask to "cancel this meeting" to cancel the scheduled instance. However, Scheduler will continue to schedule future meetings at the same frequency. Alternatively, you can just ask Scheduler to reschedule the next instance to the desired date or time. If you wish to cancel the entire recurring series, respond with "cancel this series" and no future instances will be scheduled.
+You can reply to Cortana's latest confirmation message and ask to "cancel this meeting" to cancel the scheduled instance. However, Scheduler will continue to schedule future meetings at the same frequency. Alternatively, you can just ask Scheduler to reschedule the next instance to the desired date or time. If you wish to cancel the entire recurring series, respond with "cancel this series", and no future instances will be scheduled.
## Recurring Meeting Limitations
-Please note that there are some technical limitations on the types of recurrences Scheduler can understand and support:
+Note that there are some technical limitations on the types of recurrences Scheduler can understand and support:
-- Multiple occurrences within the same interval are not supported (for example: "twice a week").-- End dates for recurrence are not supported (for example: "every day until December 20th"). Since each meeting is scheduled upon completion of the previous meeting, simply reply to the latest message from Cortana with "cancel this meeting series".-- Scheduler currently does not support recurrence frequencies greater than 90 days.
+- Multiple occurrences within the same interval aren't supported (for example: "twice a week").
+- End dates for recurrence aren't supported (for example: "every day until December 20"). Since each meeting is scheduled upon completion of the previous meeting, just reply to the latest message from Cortana with "cancel this meeting series".
+- Scheduler currently doesn't support recurrence frequencies greater than 90 days.
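Review bot: the end-dates bullet tells users to reply with "cancel this meeting series", but the "Cancelling Recurring Meetings" paragraph in this same change gives the phrase as "cancel this series"; use one phrase in both places, or say that both are accepted. The bullet's second sentence also does not follow from its first; wording such as "To end a series, reply to the latest message from Cortana with" states the workaround directly.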
scheduler Scheduler Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-setup.md
description: "Setting up Scheduler for Microsoft 365."
# Setting up Scheduler for Microsoft 365
+> [!IMPORTANT]
+> Scheduler for Microsoft 365 will stop working in August 2023. After that date, Scheduler won't be able to create or modify any meeting requests.
+ Tenant admins need to set up a Scheduler assistant mailbox and obtain Scheduler licenses for meeting organizers to enable the Scheduler for Microsoft 365 service. ## Licensing
scheduler Scheduler Trust Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-trust-privacy.md
description: "Understanding Trust and Privacy in Scheduler for Microsoft 365 are
# Trust and Privacy in Scheduler for Microsoft 365
+> [!IMPORTANT]
+> Scheduler for Microsoft 365 will stop working in August 2023. After that date, Scheduler won't be able to create or modify any meeting requests.
+ Scheduler is a unique offering whose artificial intelligence is augmented with human assistance when the AI models are not confident in the userΓÇÖs intent, often due to ambiguity or contextual references. ## Policies
scheduler Scheduler Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-using.md
description: "Using Scheduler for Microsoft 365."
# How to use Scheduler for Microsoft 365
+> [!IMPORTANT]
+> Scheduler for Microsoft 365 will stop working in August 2023. After that date, Scheduler won't be able to create or modify any meeting requests.
+ Cortana understands natural language. Include cortana@yourdomain.com in an email with other attendees, and Cortana will take over from there. Cortana will send email notifications confirming meeting times and keep you up to date on progress. To use Scheduler, add CortanaΓÇÖs email address to your email in addition to the people you want to meeting with. In your email to Cortana and the other attendees, tell Cortana to schedule a meeting using natural language.
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
ms.mktglfcycl: manage
ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium Last updated : 11/28/2022
Because Microsoft Defender Antivirus is built in, it does not require exclusions
Operating system exclusions and server role exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md). > [!NOTE]
-> Automatic exclusions for server roles and operating system files do not apply to Windows Server 2012. Automatic exclusions can apply if your servers running Windows Server 2012 R2 are onboarded to Defender for Endpoint. (See [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md).)
+> Automatic exclusions apply only to Windows Server 2016 and later. These exclusions are not visible in the Windows Security app and in PowerShell.
+> Automatic exclusions can apply if your servers running Windows Server 2012 R2 are onboarded to Defender for Endpoint. For more information, see [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md).
+> Automatic exclusions for server roles and operating system files do not apply to Windows Server 2012.
### The list of automatic exclusions
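Review bot: the three added NOTE lines contradict each other as written: the first says automatic exclusions apply only to Windows Server 2016 and later, and the second says they can apply on Windows Server 2012 R2 when it is onboarded to Defender for Endpoint. State the rule once, for example: Windows Server 2016 and later by default, Windows Server 2012 R2 only when onboarded, not Windows Server 2012. "not visible in the Windows Security app and in PowerShell" should use "or", and the three `>` lines have no blank `>` line between them, so they will render as one run-on paragraph.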
security Switch To Mde Phase 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2.md
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 08/10/2022 Last updated : 12/01/2022 audience: ITPro
The specific exclusions to configure will depend on which version of Windows you
| OS |Exclusions | |:--|:--|
-|[Windows 11](/windows/whats-new/windows-11-overview) <br/><br/>Windows 10, [version 1803](/lifecycle/announcements/windows-server-1803-end-of-servicing) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/><br/>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/><br/> [Windows Server 2022](/windows/release-health/status-windows-server-2022)<br/><br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/><br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/><br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) | `C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`<br/><br/> In addition, on Windows Server 2012 R2 and 2016 running the modern, unified solution the following exclusions are required after updating the Sense EDR component using [KB5005292](https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac):<br/> <br/> `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat 
Protection\Platform\*\SenseIR.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe`|
+|[Windows 11](/windows/whats-new/windows-11-overview) <br/><br/>Windows 10, [version 1803](/lifecycle/announcements/windows-server-1803-end-of-servicing) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/><br/>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`|
+[Windows Server 2022](/windows/release-health/status-windows-server-2022)<br/><br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/><br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/><br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) | On Windows Server 2012 R2 and Windows Server 2016 running the [modern, unified solution](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016), the following exclusions are required after updating the Sense EDR component using [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac):<br/> <br/> `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection`|
|[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/><br/>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/><br/>**NOTE**: Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | ## Add your existing solution to the exclusion list for Microsoft Defender Antivirus
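Review bot: The added server row leaves Windows Server 2022, Windows Server 2019 and Windows Server, version 1803 without a clear exclusion list. The removed combined row gave those versions the `C:\Program Files\Windows Defender Advanced Threat Protection\` executables (`MsSense.exe`, `SenseCncProxy.exe`, `SenseSampleUploader.exe`, `SenseIR.exe`, `SenseCM.exe`), but the only text in the new server cell opens with "On Windows Server 2012 R2 and Windows Server 2016 running the modern, unified solution", so the `Platform\*\` paths read as applying to those two versions alone. Suggest splitting the server row in two, or restoring the `Program Files` paths for the versions that still use them. Two smaller points: the added server row starts without the leading `|` that the Windows 11 row has, and the proxy binary is spelled `SenseCncProxy.exe` in one row and `SenseCnCProxy.exe` in the other.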
security Eval Defender Office 365 Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-architecture.md
The following table identified key concepts that are important to understand whe
|Exchange Online Protection|Exchange Online Protection (EOP) is the cloud-based filtering service that helps protect your organization against spam and malware in email. EOP is included in all Microsoft 365 licenses that include Exchange Online.|[Exchange Online Protection overview](../office-365-security/exchange-online-protection-overview.md)| |Anti-malware protection|Organizations with mailboxes in Exchange Online are automatically protected against malware.|[Anti-malware protection in EOP](../office-365-security/anti-malware-protection.md)| |Anti-spam protection|Organizations with mailboxes in Exchange Online are automatically protected against junk mail and spam.|[Anti-spam protection in EOP](../office-365-security/anti-spam-protection.md)|
-|Anti-phishing protection|Defender for Office 365 offers more advanced anti-phishing protection related to spear phishing, whaling, ransomware, and other malicious activities.|[Extra anti-phishing protection in Microsoft Defender for Office 365](../office-365-security/anti-phishing-protection.md)|
+|Anti-phishing protection|Defender for Office 365 offers more advanced anti-phishing protection related to spear phishing, whaling, ransomware, and other malicious activities.|[Extra anti-phishing protection in Microsoft Defender for Office 365](../office-365-security/anti-phishing-protection-about.md)|
|Anti-spoofing protection|EOP includes features to help protect your organization from spoofed (forged) senders.|[Anti-spoofing protection in EOP](../office-365-security/anti-spoofing-protection.md)| |Safe Attachments|Safe Attachments provides an extra layer of protection by using a virtual environment to check and "detonate" attachments in email messages before they're delivered.|[Safe Attachments in Microsoft Defender for Office 365](../office-365-security/safe-attachments.md)| |Safe Attachments for SharePoint, OneDrive, and Microsoft Teams|In addition, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams offers an extra layer of protection for files that have been uploaded to cloud storage repositories.|[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/mdo-for-spo-odb-and-teams.md)|
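Review bot: The neighbouring Anti-spoofing protection row still links to `../office-365-security/anti-spoofing-protection.md`, while this same batch of updates adds `anti-phishing-protection-spoofing-about.md` with the title "Anti-spoofing protection in EOP". If that file is the renamed target, this link needs the same update as the anti-phishing row. The link text on the changed row ("Extra anti-phishing protection in Microsoft Defender for Office 365") also no longer matches the title of the new target, "Anti-phishing protection in Microsoft 365".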
security Eval Defender Office 365 Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-pilot.md
The table below provides references and more guidance for configuring and assign
|Policy|Description|Included in preset<br>security policies?|Default policy<br>available?|Reference| |||::|::||
-|Connection filter policies|Identify good or bad source email servers by IP address.|No|Yes|[Configure the default connection filter policy in EOP](../office-365-security/configure-the-connection-filter-policy.md)|
+|Connection filter policies|Identify good or bad source email servers by IP address.|No|Yes|[Configure the default connection filter policy in EOP](../office-365-security/connection-filter-policies-configure.md)|
|Outbound spam filter policies|Specify outbound message rate limits and control external email forwarding.|No|Yes|[Configure outbound spam filtering in EOP](../office-365-security/configure-the-outbound-spam-policy.md)| |Anti-malware policies|Protect users from email malware including what actions to take and who to notify if malware is detected.|Yes|Yes|[Configure anti-malware policies in EOP](../office-365-security/configure-anti-malware-policies.md)|
-|Anti-spam policies|Protect users from email spam including what actions to take if spam is detected.|Yes|Yes|[Configure anti-spam policies in Defender for Office 365](../office-365-security/configure-your-spam-filter-policies.md)|
+|Anti-spam policies|Protect users from email spam including what actions to take if spam is detected.|Yes|Yes|[Configure anti-spam policies in Defender for Office 365](../office-365-security/anti-spam-policies-configure.md)|
|Anti-spoofing protection|Protect users from spoofing attempts using spoof intelligence and spoof intelligence insights.|Yes|Yes|[Configure spoof intelligence in Defender for Office 365](../office-365-security/learn-about-spoof-intelligence.md) <br><br> [Configure anti-phishing policies in EOP](../office-365-security/configure-anti-phishing-policies-eop.md)| |Impersonation protection|Protect users from phishing attacks and configure safety tips on suspicious messages|Yes, but some configuration required.|Yes, but some configuration required.|[Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](../office-365-security/set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) <br><br> [Impersonation insight in Defender for Office 365](../office-365-security/anti-phishing-mdo-impersonation-insight.md) <br><br> [Configure anti-phishing policies in Microsoft Defender for Office 365](../office-365-security/configure-mdo-anti-phishing-policies.md)| |Safe Attachments policies|Protect users from malicious content in email attachments and files in SharePoint, OneDrive, and Teams.|Yes|Effectively, via Built-in protection|[Set up Safe Attachment policies in Defender for Office 365](../office-365-security/set-up-safe-attachments-policies.md)|
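Review bot: The Impersonation protection row in the unchanged context still links to `../office-365-security/configure-mdo-anti-phishing-policies.md`, while this batch of updates touches a file named `anti-phishing-policies-mdo-configure.md`. If the article was renamed in the same pass as the connection filter and anti-spam articles, that link and the other old-pattern links in this table (`configure-anti-phishing-policies-eop.md`, `configure-the-outbound-spam-policy.md`, `configure-anti-malware-policies.md`) should be checked against the current file names or covered by redirects, so the table does not mix live and stale targets.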
security Supported Event Types https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/supported-event-types.md
The following table only includes the list of the tables supported in the stream
| **[EmailEvents](advanced-hunting-emailevents-table.md)** | GA |GA |GA |GA | | **[EmailPostDeliveryEvents](advanced-hunting-emailpostdeliveryevents-table.md)** | GA |GA |GA |GA | | **[EmailUrlInfo](advanced-hunting-emailurlinfo-table.md)** | GA |GA |GA |GA |
-| **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)**|GA|Public preview |Public preview |Public preview |
-| **[IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md)**|GA|Public preview |Public preview |Public preview |
-| **[IdentityDirectoryEvents](advanced-hunting-identitydirectoryevents-table.md)**|GA|Public preview |Public preview |Public preview |
-| **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)**|GA|Public preview |Public preview |Public preview |
+| **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)**|GA |GA |GA |GA |
+| **[IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md)**|GA |GA |GA |GA |
+| **[IdentityDirectoryEvents](advanced-hunting-identitydirectoryevents-table.md)**|GA |GA |GA |GA |
+| **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)**|GA |GA |GA |GA |
| **[UrlClickEvents](advanced-hunting-urlclickevents-table.md)**|GA |GA |GA |GA |
security Address Compromised Users Quickly https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/address-compromised-users-quickly.md
[Microsoft Defender for Office 365 Plan 2](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2) includes powerful [automated investigation and response](office-365-air.md) (AIR) capabilities. Such capabilities can save your security operations team a lot of time and effort dealing with threats. Microsoft continues to improve security capabilities. Recently, AIR capabilities were enhanced to include a compromised user security playbook (currently in preview). Read this article to learn more about the compromised user security playbook. And see the blog post [Speed up time to detect and respond to user compromise and limit breach scope with Microsoft Defender for Office 365](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Speed-up-time-to-detect-and-respond-to-user-compromise-and-limit/ba-p/977053) for additional details.
-![Automated investigation for a compromised user.](/microsoft-365/media/office365atp-compduserinvestigation.jpg)
- The compromised user security playbook enables your organization's security team to: - Speed up detection of compromised user accounts;
The compromised user security playbook enables your organization's security team
When a user account is compromised, atypical or anomalous behaviors occur. For example, phishing and spam messages might be sent internally from a trusted user account. Defender for Office 365 can detect such anomalies in email patterns and collaboration activity within Office 365. When this happens, alerts are triggered, and the threat mitigation process begins.
-For example, here's an alert that was triggered because of suspicious email sending:
-
-![Alert triggered because of suspicious email sending.](/microsoft-365/media/office365atp-suspiciousemailsendalert.jpg)
-
-And here's an example of an alert that was triggered when a sending limit was reached for a user:
-
-![Alert triggered by sending limit reached.](/microsoft-365/media/office365atp-sendinglimitreached.jpg)
- ## Investigate and respond to a compromised user When a user account is compromised, alerts are triggered. And in some cases, that user account is blocked and prevented from sending any further email messages until the issue is resolved by your organization's security operations team. In other cases, an automated investigation begins which can result in recommended actions that your security team should take.
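Review bot: Removing the two example sentences together with their screenshots drops the only place in this section that names the alerts involved (suspicious email sending, and sending limit reached for a user). The remaining paragraph says only that "alerts are triggered", which gives a security operations reader nothing to search for in the alert queue. Suggest keeping the alert names as a short text list and removing just the images.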
security Allow Block Email Spoof https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/allow-block-email-spoof.md
For instructions, see [Report questionable email to Microsoft](admin-submission.
You can create block entries for domains and email addresses directly in the Tenant Allow/Block List.
-Email messages from these senders are marked as *high confidence spam* (SCL = 9). What happens to the messages is determined by the [anti-spam policy](configure-your-spam-filter-policies.md) that detected the message for the recipient. In the default anti-spam policy and new custom policies, messages that are marked as high confidence spam are delivered to the Junk Email folder by default. In Standard and Strict [preset security policies](preset-security-policies.md), high confidence spam messages are quarantined.
+Email messages from these senders are marked as *high confidence spam* (SCL = 9). What happens to the messages is determined by the [anti-spam policy](anti-spam-policies-configure.md) that detected the message for the recipient. In the default anti-spam policy and new custom policies, messages that are marked as high confidence spam are delivered to the Junk Email folder by default. In Standard and Strict [preset security policies](preset-security-policies.md), high confidence spam messages are quarantined.
> [!NOTE] > Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): `550 5.7.703 Your message can't be delivered because one or more recipients are blocked by your organization's tenant recipient block policy.` The entire message is blocked for all recipients of the message, even if only one recipient email address or domain is defined in a block entry.
security Anti Phishing Policies Mdo Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure.md
search.appverid: met150
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Anti-phishing policies in [Microsoft Defender for Office 365](defender-for-office-365.md) can help protect your organization from malicious impersonation-based phishing attacks and other types of phishing attacks. For more information about the differences between anti-phishing policies in Exchange Online Protection (EOP) and anti-phishing policies in Microsoft Defender for Office 365, see [Anti-phishing protection](anti-phishing-protection.md).
+Anti-phishing policies in [Microsoft Defender for Office 365](defender-for-office-365.md) can help protect your organization from malicious impersonation-based phishing attacks and other types of phishing attacks. For more information about the differences between anti-phishing policies in Exchange Online Protection (EOP) and anti-phishing policies in Microsoft Defender for Office 365, see [Anti-phishing protection](anti-phishing-protection-about.md).
Admins can view, edit, and configure (but not delete) the default anti-phishing policy. For greater granularity, you can also create custom anti-phishing policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
security Anti Phishing Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-about.md
+
+ Title: Anti-phishing protection
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+ms.assetid: 75af74b2-c7ea-4556-a912-8c48e07271d3
+
+ - m365-security
+ - m365initiative-defender-office365
+
+ - TopSMBIssues
+ - seo-marvel-apr2020
+description: Admins can learn about the anti-phishing protection features in Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
++++
+# Anti-phishing protection in Microsoft 365
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+*Phishing* is an email attack that tries to steal sensitive information in messages that appear to be from legitimate or trusted senders. There are specific categories of phishing. For example:
+
+- **Spear phishing** uses focused, customized content that's specifically tailored to the targeted recipients (typically, after reconnaissance on the recipients by the attacker).
+
+- **Whaling** is directed at executives or other high value targets within an organization for maximum effect.
+
+- **Business email compromise (BEC)** uses forged trusted senders (financial officers, customers, trusted partners, etc.) to trick recipients into approving payments, transferring funds, or revealing customer data. Learn more by watching [this video](https://www.youtube.com/watch?v=8Kn31h9HwIQ&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=2).
+
+- **Ransomware** that encrypts your data and demands payment to decrypt it almost always starts out in phishing messages. Anti-phishing protection can't help you decrypt encrypted files, but it can help detect the initial phishing messages that are associated with the ransomware campaign. For more information about recovering from a ransomware attack, see [Recover from a ransomware attack in Microsoft 365](recover-from-ransomware.md).
+
+With the growing complexity of attacks, it's even difficult for trained users to identify sophisticated phishing messages. Fortunately, Exchange Online Protection (EOP) and the additional features in Microsoft Defender for Office 365 can help.
+
+## Anti-phishing protection in EOP
+
+EOP (that is, Microsoft 365 organizations without Microsoft Defender for Office 365) contains features that can help protect your organization from phishing threats:
+
+- **Spoof intelligence**: Use the spoof intelligence insight to review detected spoofed senders in messages from external and internal domains, and manually allow or block those detected senders. For more information, see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).
+
+- **Anti-phishing policies in EOP**: Turn spoof intelligence on or off, turn unauthenticated sender indicators in Outlook on or off, and specify the action for blocked spoofed senders. For more information, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
+
+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](manage-tenant-allow-block-list.md).
+
+- **Implicit email authentication**: EOP enhances standard email authentication checks for inbound email ([SPF](set-up-spf-in-office-365-to-help-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md) with sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques to help identify forged senders. For more information, see [Email authentication in Microsoft 365](email-validation-and-authentication.md).
+
+## Additional anti-phishing protection in Microsoft Defender for Office 365
+
+Microsoft Defender for Office 365 contains additional and more advanced anti-phishing features:
+
+- **Anti-phishing policies in Microsoft Defender for Office 365**: Configure impersonation protection settings for specific message senders and sender domains, mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md). For more information about the differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365, see [Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md).
+- **Campaign Views**: Machine learning and other heuristics identify and analyze messages that are involved in coordinated phishing attacks against the entire service and your organization. For more information, see [Campaign Views in Microsoft Defender for Office 365](campaigns.md).
+- **Attack simulation training**: Admins can create fake phishing messages and send them to internal users as an education tool. For more information, see [Simulate a phishing attack](attack-simulation-training.md).
+
+## Other anti-phishing resources
+
+- For end users: [Protect yourself from phishing schemes and other forms of online fraud](https://support.microsoft.com/office/be0de46a-29cd-4c59-aaaf-136cf177d593).
+
+- [How Microsoft 365 validates the From address to prevent phishing](anti-phishing-from-email-address-validation.md).
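Review bot: The **Implicit email authentication** bullet opens a parenthesis at "([SPF](set-up-spf-in-office-365-to-help-prevent-spoofing.md)" and never closes it. The closing parenthesis belongs after the DMARC link, so that "with sender reputation, sender history, ..." reads as what EOP adds to the standard checks. In the Defender for Office 365 list, the first bullet links to `configure-mdo-anti-phishing-policies.md`, while this batch of updates touches `anti-phishing-policies-mdo-configure.md`. If that is the renamed article, a new file should not ship with the old name. Wording: "it's even difficult for trained users" should read "it's difficult even for trained users".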
security Anti Phishing Protection Spoofing About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about.md
+
+ Title: Anti-spoofing protection
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+search.appverid:
+ - MET150
+ms.assetid: d24bb387-c65d-486e-93e7-06a4f1a436c0
+
+ - m365-security
+ - Strat_O365_IP
+ - m365initiative-defender-office365
+ - EngageScoreSep2022
+ - ContentEngagementFY23
+
+ - TopSMBIssues
+ - seo-marvel-apr2020
+ms.localizationpriority: high
+description: Admins can learn about the anti-spoofing features that are available in Exchange Online Protection (EOP), which can help mitigate against phishing attacks from spoofed senders and domains.
++++
+# Anti-spoofing protection in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP includes features to help protect your organization from spoofed (forged) senders.
+
+When it comes to protecting its users, Microsoft takes the threat of phishing seriously. Spoofing is a common technique that's used by attackers. **Spoofed messages appear to originate from someone or somewhere other than the actual source**. This technique is often used in phishing campaigns that are designed to obtain user credentials. The anti-spoofing technology in EOP specifically examines forgery of the From header in the message body (used to display the message sender in email clients). When EOP has high confidence that the From header is forged, the message is identified as spoofed.
+
+The following anti-spoofing technologies are available in EOP:
+
+- **Email authentication**: An integral part of any anti-spoofing effort is the use of email authentication (also known as email validation) by SPF, DKIM, and DMARC records in DNS. You can configure these records for your domains so destination email systems can check the validity of messages that claim to be from senders in your domains. For inbound messages, Microsoft 365 requires email authentication for sender domains. For more information, see [Email authentication in Microsoft 365](email-validation-and-authentication.md).
+
+ EOP analyzes and blocks messages that can't be authenticated by the combination of standard email authentication methods and sender reputation techniques.
+
+ :::image type="content" source="../../media/eop-anti-spoofing-protection.png" alt-text="The EOP anti-spoofing checks" lightbox="../../media/eop-anti-spoofing-protection.png":::
+
+- **Spoof intelligence insight**: Review spoofed messages from senders in internal and external domains during the last 7 days, and allow or block those senders. For more information, see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).
+
+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](manage-tenant-allow-block-list.md).
+
+- **Anti-phishing policies**: In EOP and Microsoft Defender for Office 365, anti-phishing policies contain the following anti-spoofing settings:
+ - Turn spoof intelligence on or off.
+ - Turn unauthenticated sender indicators in Outlook on or off.
+ - Specify the action for blocked spoofed senders.
+
+ For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings).
+
+ **Note**: Anti-phishing policies in Defender for Office 365 contain addition protections, including **impersonation** protection. For more information, see [Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
+
+- **Spoof detections report**: For more information, see [Spoof Detections report](view-email-security-reports.md#spoof-detections-report).
+
+ **Note**: Defender for Office 365 organizations can also use Real-time detections (Plan 1) or Threat Explorer (Plan 2) to view information about phishing attempts. For more information, see [Microsoft 365 threat investigation and response](office-365-ti.md).
+
+## How spoofing is used in phishing attacks
+
+Spoofing messages have the following negative implications for users:
+
+- **Spoofed messages deceive users**: A spoofed message might trick the recipient into clicking a link and giving up their credentials, downloading malware, or replying to a message with sensitive content (known as a business email compromise or BEC).
+
+ The following message is an example of phishing that uses the spoofed sender msoutlook94@service.outlook.com:
+
+ ![Phishing message impersonating service.outlook.com.](../../media/1a441f21-8ef7-41c7-90c0-847272dc5350.jpg)
+
+ This message didn't come from service.outlook.com, but the attacker spoofed the **From** header field to make it look like it did. This was an attempt to trick the recipient into clicking the **change your password** link and giving up their credentials.
+
+ The following message is an example of BEC that uses the spoofed email domain contoso.com:
+
+ ![Phishing message - business email compromise.](../../media/da15adaa-708b-4e73-8165-482fc9182090.jpg)
+
+ The message looks legitimate, but the sender is spoofed.
+
+- **Users confuse real messages for fake ones**: Even users who know about phishing might have difficulty seeing the differences between real messages and spoofed messages.
+
+ The following message is an example of a real password reset message from the Microsoft Security account:
+
+ ![Microsoft legitimate password reset.](../../media/58a3154f-e83d-4f86-bcfe-ae9e8c87bd37.jpg)
+
+ The message really did come from Microsoft, but users have been conditioned to be suspicious. Because it's difficult to the difference between a real password reset message and a fake one, users might ignore the message, report it as spam, or unnecessarily report the message to Microsoft as phishing.
+
+## Different types of spoofing
+
+Microsoft differentiates between two different types of spoofed messages:
+
+- **Intra-org spoofing**: Also known as _self-to-self_ spoofing. For example:
+
+ - The sender and recipient are in the same domain:
+ > From: chris@contoso.com <br> To: michelle@contoso.com
+
+ - The sender and the recipient are in subdomains of the same domain:
+ > From: laura@marketing.fabrikam.com <br> To: julia@engineering.fabrikam.com
+
+ - The sender and recipient are in different domains that belong to the same organization (that is, both domains are configured as [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in the same organization):
+ > From: sender @ microsoft.com <br> To: recipient @ bing.com
+
+ Spaces are used in the email addresses to prevent spambot harvesting.
+
+ Messages that fail [composite authentication](email-validation-and-authentication.md#composite-authentication) due to intra-org spoofing contain the following header values:
+
+ `Authentication-Results: ... compauth=fail reason=6xx`
+
+ `X-Forefront-Antispam-Report: ...CAT:SPOOF;...SFTY:9.11`
+
+ - `reason=6xx` indicates intra-org spoofing.
+
+ - SFTY is the safety level of the message. 9 indicates phishing, .11 indicates intra-org spoofing.
+
+- **Cross-domain spoofing**: The sender and recipient domains are different, and have no relationship to each other (also known as external domains). For example:
+ > From: chris@contoso.com <br> To: michelle@tailspintoys.com
+
+ Messages that fail [composite authentication](email-validation-and-authentication.md#composite-authentication) due to cross-domain spoofing contain the following headers values:
+
+ `Authentication-Results: ... compauth=fail reason=000/001`
+
+ `X-Forefront-Antispam-Report: ...CAT:SPOOF;...SFTY:9.22`
+
+ - `reason=000` indicates the message failed explicit email authentication. `reason=001` indicates the message failed implicit email authentication.
+
+ - `SFTY` is the safety level of the message. 9 indicates phishing, .22 indicates cross-domain spoofing.
+
+> [!NOTE]
+> If you've gotten a message like ***compauth=fail reason=###*** and need to know about composite authentication (compauth), and the values related to spoofing, see [*Anti-spam message headers in Microsoft 365*](anti-spam-message-headers.md). Or go directly to the [*reason*](anti-spam-message-headers.md) codes.
+
+For more information about DMARC, see [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).
+
+## Problems with anti-spoofing protection
+
+Mailing lists (also known as discussion lists) are known to have problems with anti-spoofing due to the way they forward and modify messages.
+
+For example, Gabriela Laureano (glaureano@contoso.com) is interested in bird watching, joins the mailing list birdwatchers@fabrikam.com, and sends the following message to the list:
+
+> **From:** "Gabriela Laureano" \<glaureano@contoso.com\> <br> **To:** Birdwatcher's Discussion List \<birdwatchers@fabrikam.com\> <br> **Subject:** Great viewing of blue jays at the top of Mt. Rainier this week <p> Anyone want to check out the viewing this week from Mt. Rainier?
+
+The mailing list server receives the message, modifies its content, and replays it to the members of list. The replayed message has the same From address (glaureano@contoso.com), but a tag is added to the subject line, and a footer is added to the bottom of the message. This type of modification is common in mailing lists, and may result in false positives for spoofing.
+
+> **From:** "Gabriela Laureano" \<glaureano@contoso.com\> <br> **To:** Birdwatcher's Discussion List \<birdwatchers@fabrikam.com\> <br> **Subject:** [BIRDWATCHERS] Great viewing of blue jays at the top of Mt. Rainier this week <p> Anyone want to check out the viewing this week from Mt. Rainier? <p> This message was sent to the Birdwatchers Discussion List. You can unsubscribe at any time.
+
+To help mailing list messages pass anti-spoofing checks, do following steps based on whether you control the mailing list:
+
+- Your organization owns the mailing list:
+
+ - Check the FAQ at DMARC.org: [I operate a mailing list and I want to interoperate with DMARC, what should I do?](https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F).
+
+ - Read the instructions at this blog post: [A tip for mailing list operators to interoperate with DMARC to avoid failures](/archive/blogs/tzink/a-tip-for-mailing-list-operators-to-interoperate-with-dmarc-to-avoid-failures).
+
+ - Consider installing updates on your mailing list server to support ARC, see <http://arc-spec.org>.
+
+- Your organization doesn't own the mailing list:
+
+ - Ask the maintainer of the mailing list to configure email authentication for the domain that the mailing list is relaying from.
+
+ When enough senders reply back to domain owners that they should set up email authentication records, it spurs them into taking action. While Microsoft also works with domain owners to publish the required records, it helps even more when individual users request it.
+
+ - Create inbox rules in your email client to move messages to the Inbox. You can also ask your admins to configure overrides as described in [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md) and [Manage the Tenant Allow/Block List](manage-tenant-allow-block-list.md).
+
+ - Use the Tenant Allow/Block List to create an override for the mailing list to treat it as legitimate. For more information, see [Create allow entries for spoofed senders](allow-block-email-spoof.md#create-allow-entries-for-spoofed-senders).
+
+If all else fails, you can report the message as a false positive to Microsoft. For more information, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+## Considerations for anti-spoofing protection
+
+If you're an admin who currently sends messages to Microsoft 365, you need to ensure that your email is properly authenticated. Otherwise, it might be marked as spam or phishing. For more information, see [Solutions for legitimate senders who are sending unauthenticated email](email-validation-and-authentication.md#solutions-for-legitimate-senders-who-are-sending-unauthenticated-email).
+
+Senders in an individual user's (or admin's) Safe Senders list will bypass parts of the filtering stack, including spoof protection. For more information, see [Outlook Safe Senders](create-safe-sender-lists-in-office-365.md#use-outlook-safe-senders).
+
+Admins should avoid (when possible) using allowed sender lists or allowed domain lists. These senders bypass all spam, spoofing, and phishing protection, and also sender authentication (SPF, DKIM, DMARC). For more information, see [Use allowed sender lists or allowed domain lists](create-safe-sender-lists-in-office-365.md#use-allowed-sender-lists-or-allowed-domain-lists).
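Review bot: In the cross-domain spoofing bullet, `Authentication-Results: ... compauth=fail reason=000/001` reads as a single literal header value, but the explanation under it treats `000` and `001` as two separate codes. Show them as alternatives ("reason=000 or reason=001") so nobody searches headers for the string `000/001`. In the NOTE, "Or go directly to the *reason* codes" links to anti-spam-message-headers.md with no anchor, which is the same target as the link just before it, so it needs a section anchor or should be dropped. Smaller points: "the following headers values" should match "header values" in the intra-org bullet, SFTY is code-formatted in one bullet and plain in the other, "members of list" and "do following steps" are each missing "the", and the ARC link is plain http.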
security Anti Phishing Protection Tuning https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-tuning.md
+
+ Title: Tune anti-phishing protection
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
++
+ms.localizationpriority: medium
+search.appverid:
+
+ - m365-security
+ - m365initiative-defender-office365
+ - MET150
+description: Admins can learn to identify the reasons why and how a phishing message got through in Microsoft 365, and what to do to prevent more phishing messages in the future.
++++
+# Tune anti-phishing protection
+
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+Although Microsoft 365 comes with a variety of anti-phishing features that are enabled by default, it's possible that some phishing messages could still get through to your mailboxes. This topic describes what you can do to discover why a phishing message got through, and what you can do to adjust the anti-phishing settings in your Microsoft 365 organization _without accidentally making things worse_.
+
+## First things first: deal with any compromised accounts and make sure you block any more phishing messages from getting through
+
+If a recipient's account was compromised as a result of the phishing message, follow the steps in [Responding to a compromised email account in Microsoft 365](responding-to-a-compromised-email-account.md).
+
+If your subscription includes Microsoft Defender for Office 365, you can use [Office 365 Threat Intelligence](office-365-ti.md) to identify other users who also received the phishing message. You have additional options to block phishing messages:
+
+- [Safe Links in Microsoft Defender for Office 365](set-up-safe-links-policies.md)
+
+- [Safe Attachments in Microsoft Defender for Office 365](set-up-safe-attachments-policies.md)
+
+- [Anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md). Note that you can temporarily increase the **Advanced phishing thresholds** in the policy from **Standard** to **Aggressive**, **More aggressive**, or **Most aggressive**.
+
+Verify these Defender for Office 365 features are turned on.
+
+## Report the phishing message to Microsoft
+
+Reporting phishing messages is helpful in tuning the filters that are used to protect all customers in Microsoft 365. For instructions, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+## Inspect the message headers
+
+You can examine the headers of the phishing message to see if there's anything that you can do yourself to prevent more phishing messages from coming through. In other words, examining the messages headers can help you identify any settings in your organization that were responsible for allowing the phishing messages in.
+
+Specifically, you should check the **X-Forefront-Antispam-Report** header field in the message headers for indications of skipped filtering for spam or phishing in the Spam Filtering Verdict (SFV) value. Messages that skip filtering will have an entry of `SCL:-1`, which means one of your settings allowed this message through by overriding the spam or phishing verdicts that were determined by the service. For more information on how to get message headers and the complete list of all available anti-spam and anti-phishing message headers, see [Anti-spam message headers in Microsoft 365](anti-spam-message-headers.md).
+
+## Best practices to stay protected
+
+- On a monthly basis, run [Secure Score](../defender/microsoft-secure-score.md) to assess your organization's security settings.
+
+- For messages that end up in quarantine by mistake, or for messages that are allowed through, we recommend that you search for those messages in [Threat Explorer and real-time detections](threat-explorer.md). You can search by sender, recipient, or message ID. After you locate the message, go to details by clicking on the subject. For a quarantined message, look to see what the "detection technology" was so that you can use the appropriate method to override. For an allowed message, look to see which policy allowed the message.
+
+- Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as phishing in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. To minimize the impact to users, periodically review the [spoof intelligence insight](learn-about-spoof-intelligence.md), the **Spoofed senders** tab in the [Tenant Allow/Block List](manage-tenant-allow-block-list.md), and the [Spoof detections report](view-email-security-reports.md#spoof-detections-report). Once you have reviewed allowed and blocked spoofed senders and made any necessary overrides, you can be confident to [configure spoof intelligence in anti-phishing policies](set-up-anti-phishing-policies.md#spoof-settings) to **Quarantine** suspicious messages instead of delivering them to the user's Junk Email folder.
+
+- You can repeat the above step for Impersonation (domain or user) in Microsoft Defender for Office 365. The Impersonation report is found under **Threat Management** \> **Dashboard** \> **Insights**.
+
+- Periodically review the [Threat Protection Status report](view-reports-for-mdo.md#threat-protection-status-report).
+
+- Some customers inadvertently allow phishing messages through by putting their own domains in the Allow sender or Allow domain list in anti-spam policies. Although this configuration will allow some legitimate messages through, it will also allow malicious messages that would normally be blocked by the spam and/or phishing filters. Instead of allowing the domain, you should correct the underlying problem.
+
+ The best way to deal with legitimate messages that are blocked by Microsoft 365 (false positives) that involve senders in your domain is to fully and completely configure the SPF, DKIM, and DMARC records in DNS for _all_ of your email domains:
+
+ - Verify that your SPF record identifies _all_ sources of email for senders in your domain (don't forget third-party services!).
+
+ - Use hard fail (\-all) to ensure that unauthorized senders are rejected by email systems that are configured to do so. You can use the [spoof intelligence insight](learn-about-spoof-intelligence.md) to help identify senders that are using your domain so that you can include authorized third-party senders in your SPF record.
+
+ For configuration instructions, see:
+
+ - [Set up SPF to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md)
+
+ - [Use DKIM to validate outbound email sent from your custom domain](use-dkim-to-validate-outbound-email.md)
+
+ - [Use DMARC to validate email](use-dmarc-to-validate-email.md)
+
+- Whenever possible, we recommend that you deliver email for your domain directly to Microsoft 365. In other words, point your Microsoft 365 domain's MX record to Microsoft 365. Exchange Online Protection (EOP) is able to provide the best protection for your cloud users when their mail is delivered directly to Microsoft 365. If you must use a third-party email hygiene system in front of EOP, use Enhanced Filtering for Connectors. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
+
+- Users should use the [Report Message add-in](enable-the-report-message-add-in.md) or the [Report Phishing add-in](enable-the-report-phish-add-in.md) to report messages to Microsoft, which can train our system. Admins should also take advantage of [Admin Submission](admin-submission.md) capabilities.
+
+- Multi factor authentication (MFA) is a good way to prevent compromised accounts. You should strongly consider enabling MFA for all of your users. For a phased approach, start by enabling MFA for your most sensitive users (admins, executives, etc.) before you enable MFA for everyone. For instructions, see [Set up multi-factor authentication](../../admin/security-and-compliance/set-up-multi-factor-authentication.md).
+
+- Forwarding rules to external recipients are often used by attackers to extract data. Use the **Review mailbox forwarding rules** information in [Microsoft Secure Score](../defender/microsoft-secure-score.md) to find and even prevent forwarding rules to external recipients. For more information, see [Mitigating Client External Forwarding Rules with Secure Score](/archive/blogs/office365security/mitigating-client-external-forwarding-rules-with-secure-score).
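Review bot: In "Inspect the message headers", the text tells the reader to check the Spam Filtering Verdict (SFV) value, but the only indicator it gives is `SCL:-1`, which is a spam confidence level entry and not an SFV value. Either name the SFV values that mean filtering was skipped, or reword the sentence so that SCL is the field to check. An admin triaging a delivered phish then knows which part of X-Forefront-Antispam-Report to read. Also, "Use hard fail (\-all)" would be clearer with `-all` in code formatting, and "Multi factor authentication" is unhyphenated while the link text in the same bullet says "multi-factor".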
security Anti Spam Backscatter About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-backscatter-about.md
+
+ Title: Backscatter in EOP
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+ms.assetid: 6f64f2de-d626-48ed-8084-03cc72301aa4
+
+ - m365-security
+
+ - seo-marvel-apr2020
+description: In this article, you'll learn about Backscatter and Microsoft Exchange Online Protection (EOP)
++++
+# Backscatter in EOP
+
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+*Backscatter* is non-delivery reports (also known as NDRs or bounce messages) that you receive for messages that you didn't send. Backscatter is caused by spammers forging (spoofing) the From address (also known as the `5322.From` or P2 address) in their messages. Spammers will often use real email addresses as the From address to lend credibility to their messages. When spam is sent to a non-existent recipient, the destination email server is essentially tricked into returning the undeliverable message in an NDR to the forged sender in the From address.
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP makes every effort to identify and silently drop messages from dubious sources without generating an NDR. But, based on the sheer volume email flowing through the service, there's always the possibility that EOP will unintentionally send backscatter.
+
+Backscatterer.org maintains a blocklist (also known as a DNS blocklist or DNSBL) of email servers that were responsible for sending backscatter, and EOP servers might appear on this list. But, we don't try to remove ourselves from the Backscatterer.org blocklist because (by their own admission) their list isn't a list of spammers.
+
+> [!TIP]
+> The Backscatterer.org website (<http://www.backscatterer.org/?target=usage>) recommends using their service in Safe mode instead of Reject mode, because large email services almost always send some backscatter.
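Review bot: The article explains why backscatter happens and why EOP servers may appear on the Backscatterer.org list, but it never tells an admin who is receiving backscatter what to do about it. The ASF article added in this same update lists an **NDR backscatter** (*MarkAsSpamNdrBackscatter*) setting, so a cross-link from here would close that gap. Wording: "the sheer volume email" is missing "of", "Backscatter is non-delivery reports" would read better as "consists of", the description field lacks a final period, and the Backscatterer.org link in the TIP is plain http.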
security Anti Spam Bulk Complaint Level Bcl About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-bulk-complaint-level-bcl-about.md
+
+ Title: Bulk complaint level values
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+ms.assetid: a5b03b3c-37dd-429e-8e9b-2c1b25031794
+
+ - m365-security
+description: Admins can learn about bulk complaint level (BCL) values that are used in Exchange Online Protection (EOP).
++++
+# Bulk complaint level (BCL) in EOP
+
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP assigns a bulk complaint level (BCL) to inbound messages from bulk mailers. The BCL is added to the message in an X-header and is similar to the [spam confidence level (SCL)](anti-spam-spam-confidence-level-scl-about.md) that's used to identify messages as spam. A higher BCL indicates a bulk message is more likely to generate complaints (and is therefore more likely to be spam). Microsoft uses both internal and third party sources to identify bulk mail and determine the appropriate BCL.
+
+Bulk mailers vary in their sending patterns, content creation, and recipient acquisition practices. Good bulk mailers send desired messages with relevant content to their subscribers. These messages generate few complaints from recipients. Other bulk mailers send unsolicited messages that closely resemble spam and generate many complaints from recipients. Messages from a bulk mailer are known as bulk mail or gray mail.
+
+ Spam filtering marks messages as **Bulk email** based on the BCL threshold (the default value or a value you specify) and takes the specified action on the message (the default action is deliver the message to the recipient's Junk Email folder). For more information, see [Configure anti-spam policies](anti-spam-policies-configure.md) and [What's the difference between junk email and bulk email?](anti-spam-spam-vs-bulk-about.md)
+
+The BCL thresholds are described in the following table.
+
+|BCL|Description|
+|::||
+|0|The message isn't from a bulk sender.|
+|1, 2, 3|The message is from a bulk sender that generates few complaints.|
+|4, 5, 6, 7<sup>\*</sup>|The message is from a bulk sender that generates a mixed number of complaints.|
+|8, 9|The message is from a bulk sender that generates a high number of complaints.|
+
+<sup>\*</sup> This is the default threshold value that's used in anti-spam policies.
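Review bot: The table row `4, 5, 6, 7*` with the footnote "This is the default threshold value" leaves it unclear whether the asterisk marks 7 alone or the whole row. The paragraph above the table also never says whether a message whose BCL equals the threshold is marked as **Bulk email** or only one that exceeds it. State the default as a number in the prose and spell out the comparison, since that is the detail an admin needs when changing the threshold. Minor: "third party sources" needs a hyphen.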
security Anti Spam Message Headers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-message-headers.md
The individual fields and values are described in the following table.
||| |`ARC`|The `ARC` protocol has the following fields: <ul><li>`AAR`: Records the content of the **Authentication-results** header from DMARC.</li><li>`AMS`: Includes cryptographic signatures of the message.</li><li>`AS`: Includes cryptographic signatures of the message headers. This field contains a tag of a chain validation called `"cv="`, which includes the outcome of the chain validation as **none**, **pass**, or **fail**.</li></ul>| |`CAT:`|The category of protection policy, applied to the message: <ul><li>`BULK`: Bulk</li><li>`DIMP`: Domain Impersonation</li><li>`GIMP`: [Mailbox intelligence based impersonation](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>`HPHSH` or `HPHISH`: High confidence phishing</li><li>`HSPM`: High confidence spam</li><li>`MALW`: Malware</li><li>`PHSH`: Phishing</li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User Impersonation</li><li>`AMP`: Anti-malware</li><li>`SAP`: Safe attachments</li><li>`FTBP`: Anti-malware filetype policy</li><li>`OSPM`: Outbound spam</li></ul> <p> An inbound message may be flagged by multiple forms of protection and multiple detection scans. Policies have different priorities, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).|
-|`CIP:[IP address]`|The connecting IP address. You can use this IP address in the IP Allow List or the IP Block List. For more information, see [Configure connection filtering](configure-the-connection-filter-policy.md).|
+|`CIP:[IP address]`|The connecting IP address. You can use this IP address in the IP Allow List or the IP Block List. For more information, see [Configure connection filtering](connection-filter-policies-configure.md).|
|`CTRY`|The source country as determined by the connecting IP address, which may not be the same as the originating sending IP address.| |`H:[helostring]`|The HELO or EHLO string of the connecting email server.|
-|`IPV:CAL`|The message skipped spam filtering because the source IP address was in the IP Allow List. For more information, see [Configure connection filtering](configure-the-connection-filter-policy.md).|
+|`IPV:CAL`|The message skipped spam filtering because the source IP address was in the IP Allow List. For more information, see [Configure connection filtering](connection-filter-policies-configure.md).|
|`IPV:NLI`|The IP address was not found on any IP reputation list.| |`LANG`|The language in which the message was written, as specified by the country code (for example, ru_RU for Russian).| |`PTR:[ReverseDNS]`|The PTR record (also known as the reverse DNS lookup) of the source IP address.|
-|`SCL`|The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam. For more information, see [Spam confidence level (SCL)](spam-confidence-levels.md).|
+|`SCL`|The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam. For more information, see [Spam confidence level (SCL)](anti-spam-spam-confidence-level-scl-about.md).|
|`SFTY`|The message was identified as phishing and will also be marked with one of the following values: <ul><li>9.19: Domain impersonation. The sending domain is attempting to [impersonate a protected domain](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). The safety tip for domain impersonation is added to the message (if it's enabled).</li><li>9.20: User impersonation. The sending user is attempting to impersonate a user in the recipient's organization, or [a protected user that's specified in an anti-phishing policy](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) in Microsoft Defender for Office 365. The safety tip for user impersonation is added to the message (if it's enabled).</li><li>9.25: First contact safety tip. This value _might_ be an indication of a suspicious or phishing message. For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).</li></ul>| |`SFV:BLK`|Filtering was skipped and the message was blocked because it was sent from an address in a user's Blocked Senders list. <p> For more information about how admins can manage a user's Blocked Senders list, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).| |`SFV:NSPM`|Spam filtering marked the message as non-spam and the message was sent to the intended recipients.|
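Review bot: The `SFTY` row next to these link fixes lists only 9.19, 9.20 and 9.25, while the spoofing article in this same update documents `SFTY:9.11` (intra-org spoofing) and `SFTY:9.22` (cross-domain spoofing) and points readers to this article for the header values. Add those two values to the row, or the cross-reference dead-ends. In the `CIP` row, consider stating that an IP Allow List entry causes spam filtering to be skipped, which the `IPV:CAL` row already says, so the consequence is visible where the suggestion is made.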
The individual fields and values are described in the following table.
|`SFV:SKS`|The message was marked as spam prior to being processed by spam filtering. For example, the message was marked as SCL 5 to 9 by a mail flow rule.| |`SFV:SPM`|The message was marked as spam by spam filtering.| |`SRV:BULK`|The message was identified as bulk email by spam filtering and the bulk complaint level (BCL) threshold. When the _MarkAsSpamBulkMail_ parameter is `On` (it's on by default), a bulk email message is marked as spam (SCL 6). For more information, see [Configure anti-spam policies](configure-your-spam-filter-policies.md).|
-|`X-CustomSpam: [ASFOption]`|The message matched an Advanced Spam Filter (ASF) setting. To see the X-header value for each ASF setting, see [Advanced Spam Filter (ASF) settings](advanced-spam-filtering-asf-options.md).|
+|`X-CustomSpam: [ASFOption]`|The message matched an Advanced Spam Filter (ASF) setting. To see the X-header value for each ASF setting, see [Advanced Spam Filter (ASF) settings](anti-spam-policies-asf-settings-about.md).|
## X-Microsoft-Antispam message header fields
The following table describes useful fields in the **X-Microsoft-Antispam** mess
|Field|Description| |||
-|`BCL`|The bulk complaint level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (and is therefore more likely to be spam). For more information, see [Bulk complaint level (BCL)](bulk-complaint-level-values.md).|
+|`BCL`|The bulk complaint level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (and is therefore more likely to be spam). For more information, see [Bulk complaint level (BCL)](anti-spam-bulk-complaint-level-bcl-about.md).|
## Authentication-results message header
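Review bot: The `SRV:BULK` context row above still links "Configure anti-spam policies" to configure-your-spam-filter-policies.md, while the new BCL article in this update links the same title to anti-spam-policies-configure.md. These hunks retarget other renamed files (anti-spam-policies-asf-settings-about.md, anti-spam-bulk-complaint-level-bcl-about.md), so check whether that link needs the same treatment. The new ASF article uses the older file name as well, so whichever name is current should be applied in all three places.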
security Anti Spam Policies Asf Settings About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-asf-settings-about.md
+
+ Title: ASF settings in EOP
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
+
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+ms.assetid: b286f853-b484-4af0-b01f-281fffd85e7a
+
+ - m365-security
+
+ - seo-marvel-apr2020
+description: Admins can learn about the Advanced Spam Filter (ASF) settings that are available in anti-spam policies in Exchange Online Protection (EOP).
++++
+# Advanced Spam Filter (ASF) settings in EOP
+
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In all Microsoft 365 organizations, the Advanced Spam Filter (ASF) settings in anti-spam policies in EOP allow admins to mark messages as spam based on specific message properties. ASF specifically targets these properties because they're commonly found in spam. Depending on the property, ASF detections will either mark the message as **Spam** or **High confidence spam**.
+
+> [!NOTE]
+> Enabling one or more of the ASF settings is an aggressive approach to spam filtering. You can't report messages that are filtered by ASF as false positives. You can identify messages that were filtered by ASF by:
+>
+> - Periodic quarantine notifications from spam and high confidence spam filter verdicts.
+> - The presence of filtered messages in quarantine.
+> - The specific `X-CustomSpam:` X-header fields that are added to messages as described in this article.
+
+The following sections describe the ASF settings and options that are available in anti-spam policies in the Microsoft 365 Defender portal, and in Exchange Online PowerShell or standalone EOP PowerShell ([New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy) and [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy)). For more information, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
+
+## Enable, disable, or test ASF settings
+
+For each ASF setting, the following options are available in anti-spam policies:
+
+- **On**: ASF adds the corresponding X-header field to the message, and either marks the message as **Spam** (SCL 5 or 6 for [Increase spam score settings](#increase-spam-score-settings)) or **High confidence spam** (SCL 9 for [Mark as spam settings](#mark-as-spam-settings)).
+- **Off**: The ASF setting is disabled. This is the default value, and we recommend that you don't change it.
+- **Test**: ASF adds the corresponding X-header field to the message. What happens to the message is determined by the **Test mode** (*TestModeAction*) value:
+ - **None**: Message delivery is unaffected by the ASF detection. The message is still subject to other types of filtering and rules in EOP.
+ - **Add default X-header text (*AddXHeader*)**: The X-header value `X-CustomSpam: This message was filtered by the custom spam filter option` is added to the message. You can use this value in Inbox rules or mail flow rules (also known as transport rules) to affect the delivery of the message.
+ - **Send Bcc message (*BccMessage*)**: The specified email addresses (the *TestModeBccToRecipients* parameter value in PowerShell) are added to the Bcc field of the message, and the message is delivered to the additional Bcc recipients. In the Microsoft 365 Defender portal, you separate multiple email addresses by semicolons (;). In PowerShell, you separate multiple email addresses by commas.
+
+ **Notes**:
+
+ - Test mode is not available for the following ASF settings:
+ - **Conditional Sender ID filtering: hard fail** (*MarkAsSpamFromAddressAuthFail*)
+ - **NDR backscatter**(*MarkAsSpamNdrBackscatter*)
+ - **SPF record: hard fail** (*MarkAsSpamSpfRecordHardFail*)
+ - The same test mode action is applied to *all* ASF settings that are set to **Test**. You can't configure different test mode actions for different ASF settings.
+
+## Increase spam score settings
+
+The following **Increase spam score** ASF settings set the spam confidence level (SCL) of detected messages to 5 or 6, which corresponds to a **Spam** filter verdict and the corresponding action in anti-spam policies.
+
+|Anti-spam policy setting|Description|X-header added|
+||||
+|**Image links to remote websites** <p> *IncreaseScoreWithImageLinks*|Messages that contain `<Img>` HTML tag links to remote sites (for example, using http) are marked as spam.|`X-CustomSpam: Image links to remote sites`|
+|**Numeric IP address in URL** <p> *IncreaseScoreWithNumericIps*|Messages that contain numeric-based URLs (typically, IP addresses) are marked as spam.|`X-CustomSpam: Numeric IP in URL`|
+|**URL redirect to other port** <p> *IncreaseScoreWithRedirectToOtherPort*|Message that contain hyperlinks that redirect to TCP ports other than 80 (HTTP), 8080 (alternate HTTP), or 443 (HTTPS) are marked as spam.|`X-CustomSpam: URL redirect to other port`|
+|**Links to .biz or .info websites** <p> *IncreaseScoreWithBizOrInfoUrls*|Messages that contain `.biz` or `.info` links in the body of the message are marked as spam.|`X-CustomSpam: URL to .biz or .info websites`|
+
+## Mark as spam settings
+
+The following **Mark as spam** ASF settings set the SCL of detected messages to 9, which corresponds to a **High confidence spam** filter verdict and the corresponding action in anti-spam policies.
+
+|Anti-spam policy setting|Description|X-header added|
+||||
+|**Empty messages** <p> *MarkAsSpamEmptyMessages*|Messages with no subject, no content in the message body, and no attachments are marked as high confidence spam.|`X-CustomSpam: Empty Message`|
+|**Embedded tags in HTML** <p> *MarkAsSpamEmbedTagsInHtml*|Message that contain `<embed>` HTML tags are marked as high confidence spam. <p> This tag allows the embedding of different kinds of documents in an HTML document (for example, sounds, videos, or pictures).|`X-CustomSpam: Embed tag in html`|
+|**JavaScript or VBScript in HTML** <p> *MarkAsSpamJavaScriptInHtml*|Messages that use JavaScript or Visual Basic Script Edition in HTML are marked as high confidence spam. <p> These scripting languages are used in email messages to cause specific actions to automatically occur.|`X-CustomSpam: Javascript or VBscript tags in HTML`|
+|**Form tags in HTML** <p> *MarkAsSpamFormTagsInHtml*|Messages that contain `<form>` HTML tags are marked as high confidence spam. <p> This tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.|`X-CustomSpam: Form tag in html`|
+|**Frame or iframe tags in HTML** <p> *MarkAsSpamFramesInHtml*|Messages that contain `<frame>` or `<iframe>` HTML tags are marked as high confidence spam. <p> These tags are used in email messages to format the page for displaying text or graphics.|`X-CustomSpam: IFRAME or FRAME in HTML`|
+|**Web bugs in HTML** <p> *MarkAsSpamWebBugsInHtml*|A *web bug* (also known as a *web beacon*) is a graphic element (often as small as one pixel by one pixel) that's used in email messages to determine whether the message was read by the recipient. <p> Messages that contain web bugs are marked as high confidence spam. <p> Legitimate newsletters might use web bugs, although many consider this an invasion of privacy. |`X-CustomSpam: Web bug`|
+|**Object tags in HTML** <p> *MarkAsSpamObjectTagsInHtml*|Messages that contain `<object>` HTML tags are marked as high confidence spam. <p> This tag allows plug-ins or applications to run in an HTML window.|`X-CustomSpam: Object tag in html`|
+|**Sensitive words** <p> *MarkAsSpamSensitiveWordList*|Microsoft maintains a dynamic but non-editable list of words that are associated with potentially offensive messages. <p> Messages that contain words from the sensitive word list in the subject or message body are marked as high confidence spam.|`X-CustomSpam: Sensitive word in subject/body`|
+|**SPF record: hard fail** <p> *MarkAsSpamSpfRecordHardFail*|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <p> Test mode is not available for this setting.|`X-CustomSpam: SPF Record Fail`|
+
+The following **Mark as spam** ASF settings set the SCL of detected messages to 6, which corresponds to a **Spam** filter verdict and the corresponding action in anti-spam policies.
+
+|Anti-spam policy setting|Description|X-header added|
+||||
+|**Sender ID filtering hard fail** <p> *MarkAsSpamFromAddressAuthFail*|Messages that hard fail a conditional Sender ID check are marked as spam. <p> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <p> Test mode is not available for this setting.|`X-CustomSpam: SPF From Record Fail`|
+|**Backscatter** <p> *MarkAsSpamNdrBackscatter*|*Backscatter* is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](anti-spam-backscatter-about.md). <p> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered, and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route *outbound* email through EOP.</li></ul> <p> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs will be delivered to the original message sender. Some, but not all, backscatter is marked as spam. By definition, backscatter can only be delivered to the spoofed sender, not to the original sender.</li></ul> <p> Test mode is not available for this setting.|`X-CustomSpam: Backscatter NDR`|
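Review bot: In the description cells for **URL redirect to other port** and **Embedded tags in HTML**, "Message that contain" should read "Messages that contain", as the other rows do. In the **SPF record: hard fail** row, "the SPF Sender Policy Framework (SPF) record" repeats the acronym; suggest "the Sender Policy Framework (SPF) record". The **Frame or iframe tags in HTML** description only says the tags "format the page for displaying text or graphics", which gives an admin no reason for the high confidence spam verdict, unlike the form and object rows; one sentence on why these tags are treated as a spam signal would help when deciding whether to turn the setting on.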
security Anti Spam Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-policies-configure.md
+
+ Title: Configure spam filter policies
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: high
+search.appverid:
+ - MET150
+ms.assetid: 316544cb-db1d-4c25-a5b9-c73bbcf53047
+
+ - m365-security
+
+description: Admins can learn how to view, create, modify, and delete anti-spam policies in Exchange Online Protection (EOP).
++++
+# Configure anti-spam policies in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spam by EOP. EOP uses anti-spam policies (also known as spam filter policies or content filter policies) as part of your organization's overall defense against spam. For more information, see [Anti-spam protection](anti-spam-protection.md).
+
+Admins can view, edit, and configure (but not delete) the default anti-spam policy. For greater granularity, you can also create custom anti-spam policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
+
+You can configure anti-spam policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+
+The basic elements of an anti-spam policy are:
+
+- **The spam filter policy**: Specifies the actions for spam filtering verdicts and the notification options.
+- **The spam filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a spam filter policy.
+
+The difference between these two elements isn't obvious when you manage anti-spam polices in the Microsoft 365 Defender portal:
+
+- When you create an anti-spam policy, you're actually creating a spam filter rule and the associated spam filter policy at the same time using the same name for both.
+- When you modify an anti-spam policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the spam filter rule. All other settings modify the associated spam filter policy.
+- When you remove an anti-spam policy, the spam filter rule and the associated spam filter policy are removed.
+
+In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy and the rule separately. For more information, see the [Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-spam policies](#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-anti-spam-policies) section later in this article.
+
+Every organization has a built-in anti-spam policy named Default that has these properties:
+
+- The policy is applied to all recipients in the organization, even though there's no spam filter rule (recipient filters) associated with the policy.
+- The policy has the custom priority value **Lowest** that you can't modify (the policy is always applied last). Any custom policies that you create always have a higher priority.
+- The policy is the default policy (the **IsDefault** property has the value `True`), and you can't delete the default policy.
+
+To increase the effectiveness of spam filtering, you can create custom anti-spam policies with stricter settings that are applied to specific users or groups of users.
+
+## What do you need to know before you begin?
+
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
+
+- You need to be assigned permissions in **Exchange Online** before you can do the procedures in this article:
+ - To add, modify, and delete anti-spam policies, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
+ - For read-only access to anti-spam policies, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+
+ For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+
+ **Notes**:
+
+ - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
+
+- For our recommended settings for anti-spam policies, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
+
+- You can't completely turn off spam filtering, but you can use a mail flow rule (also known as a transport rule) to bypass most spam filtering on incoming message (for example, if you route email through a third-party protection service or device before delivery to Microsoft 365). For more information, see [Use mail flow rules to set the spam confidence level (SCL) in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
+ - High confidence phishing messages are still filtered. Other features in EOP are not affected (for example, messages are always scanned for malware).
+ - If you need to bypass spam filtering for SecOps mailboxes or phishing simulations, don't use mail flow rules. For more information, see [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](configure-advanced-delivery.md).
+
+## Use the Microsoft 365 Defender portal to create anti-spam policies
+
+Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates the spam filter rule and the associated spam filter policy at the same time using the same name for both.
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+2. On the **Anti-spam policies** page, click ![Create icon.](../../media/m365-cc-sc-create-icon.png) **Create policy** and then select **Inbound** from the drop down list.
+
+3. The policy wizard opens. On the **Name your policy page**, configure these settings:
+ - **Name**: Enter a unique, descriptive name for the policy.
+ - **Description**: Enter an optional description for the policy.
+
+ When you're finished, click **Next**.
+
+4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
+
+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
+
+ Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
+
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
+
+ > [!IMPORTANT]
+ > Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:
+ >
+ > - Users: romain@contoso.com
+ > - Groups: Executives
+ >
+ > The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.
+ >
+ > Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.
+
+ When you're finished, click **Next**.
+
+5. On the **Bulk email threshold & spam properties** page that appears, configure the following settings:
+
+ - **Bulk email threshold**: Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the **Bulk** spam filtering verdict that you configure on the next page. A higher value indicates the message is less desirable (more likely to resemble spam). The default value is 7. For more information, see [Bulk complaint level (BCL) in EOP](anti-spam-bulk-complaint-level-bcl-about.md) and [What's the difference between junk email and bulk email?](anti-spam-spam-vs-bulk-about.md).
+
+ By default, the PowerShell only setting _MarkAsSpamBulkMail_ is `On` in anti-spam policies. This setting dramatically affects the results of a **Bulk** filtering verdict:
+
+ - **_MarkAsSpamBulkMail_ is On**: A BCL that's greater than or equal to the threshold is converted to an SCL 6 that corresponds to a filtering verdict of **Spam**, and the action for the **Bulk** filtering verdict is taken on the message.
+ - **_MarkAsSpamBulkMail_ is Off**: The message is stamped with the BCL, but _no action_ is taken for a **Bulk** filtering verdict. In effect, the BCL threshold and **Bulk** filtering verdict action are irrelevant.
+
+ - **Increase spam score**, **Mark as spam**<sup>\*</sup> and **Test mode**: Advanced Spam Filter (ASF) settings that are turned off by default.
+
+ For details about these settings, see [Advanced Spam Filter settings in EOP](anti-spam-policies-asf-settings-about.md).
+
+ <sup>\*</sup> The **Contains specific languages** and **from these countries** settings are not part of ASF.
+
+ - **Contains specific languages**: Click the box and select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a language in the box. A filtered list of supported languages will appear. When you find the language that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ - **From these countries***: Click the box and select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a country in the box. A filtered list of supported countries will appear. When you find the country that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ When you're finished, click **Next**.
+
+6. On the **Actions** page that appears, configure the following settings:
+
+ - **Message actions**: Select or review the action to take on messages based on the following spam filtering verdicts:
+ - **Spam**
+ - **High confidence spam**
+ - **Phishing**
+ - **High confidence phishing**
+ - **Bulk**
+
+ The available actions for spam filtering verdicts are described in the following table.
+
+ - A check mark ( Γ£ö ) indicates the action is available (not all actions are available for all verdicts).
+ - An asterisk ( <sup>\*</sup> ) after the check mark indicates the default action for the spam filtering verdict.
+
+ |Action|Spam|High<br>confidence<br>spam|Phishing|High<br>confidence<br>phishing|Bulk|
+ ||::|::|::|::|::|
+ |**Move message to Junk Email folder**: The message is delivered to the mailbox and moved to the Junk Email folder.<sup>1,4</sup>|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö||Γ£ö<sup>\*</sup>|
+ |**Add X-header**: Adds an X-header to the message header and delivers the message to the mailbox. <p> You enter the X-header field name (not the value) later in the **Add this X-header text** box. <p> For **Spam** and **High confidence spam** verdicts, the message is moved to the Junk Email folder.<sup>1,2</sup>|Γ£ö|Γ£ö|Γ£ö||Γ£ö|
+ |**Prepend subject line with text**: Adds text to the beginning of the message's subject line. The message is delivered to the mailbox and moved to the Junk email folder.<sup>1,2</sup> <p> You enter the text later in the **Prefix subject line with this text** box.|Γ£ö|Γ£ö|Γ£ö||Γ£ö|
+ |**Redirect message to email address**: Sends the message to other recipients instead of the intended recipients. <p> You specify the recipients later in the **Redirect to this email address** box.|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Delete message**: Silently deletes the entire message, including all attachments.|Γ£ö|Γ£ö|Γ£ö||Γ£ö|
+ |**Quarantine message**: Sends the message to quarantine instead of the intended recipients. <p> You specify how long the message should be held in quarantine later in the **Quarantine** box. <p> You specify the [quarantine policy](quarantine-policies.md) that applies to quarantined messages for the spam filter verdict in the **Select a policy** box that appears. For more information, see [Quarantine policies](quarantine-policies.md).<sup>3</sup>|Γ£ö|Γ£ö|Γ£ö<sup>\*</sup>|Γ£ö<sup>\*</sup>|Γ£ö|
+ |**No action**|||||Γ£ö|
+
+ > <sup>1</sup> EOP now uses its own mail flow delivery agent to route messages to the Junk Email folder instead of using the junk email rule in the mailbox. The _Enabled_ parameter on the **Set-MailboxJunkEmailConfiguration** cmdlet no longer has any effect on mail flow. For more information, see [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md).
+ >
+ > In hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure mail flow rules (also known as transport rules) in on-premises Exchange. These mail flow rules translate the EOP spam filtering verdict so the junk email rule in the mailbox can move the message to the Junk Email folder. For details, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
+ >
+ > <sup>2</sup> You can this use value as a condition in mail flow rules to filter or route the message.
+ >
+ > <sup>3</sup> A blank **Select a policy** value means the default quarantine policy for that particular verdict is used. When you later edit the anti-spam policy or view the settings, the default quarantine policy name is shown. For more information about default quarantine policies that are used for the spam filter verdicts, see [this table](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features).
+ >
+ > <sup>4</sup> For **High confidence phishing**, the action **Move message to Junk Email folder** has effectively been deprecated. Although you might be able to select **Move message to Junk Email folder**, high confidence phishing messages are always quarantined (equivalent to selecting **Quarantine message**).
+ >
+ > Users can't release their own messages that were quarantined as high confidence phishing. At best, admins can configure the quarantine policy so users can request the release of their quarantined high confidence phishing messages.
+
+ - **Retain spam in quarantine for this many days**: Specifies how long to keep the message in quarantine if you selected **Quarantine message** as the action for a spam filtering verdict. After the time period expires, the message is deleted, and is not recoverable. A valid value is from 1 to 30 days.
+
+ > [!NOTE]
+ > The default value is 15 days in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is 30 days in new anti-spam policies that you create in the Microsoft 365 Defender portal.
+ >
+ > This setting also controls how long messages that were quarantined by **anti-phishing** policies are retained. For more information, see [Quarantined messages in EOP and Defender for Office 365](quarantine-email-messages.md).
+
+ - **Add this X-header text**: This box is required and available only if you selected **Add X-header** as the action for a spam filtering verdict. The value you specify is the header field *name* that's added to the message header. The header field *value* is always `This message appears to be spam`.
+
+ The maximum length is 255 characters, and the value can't contain spaces or colons (:).
+
+ For example, if you enter the value `X-This-is-my-custom-header`, the X-header that's added to the message is `X-This-is-my-custom-header: This message appears to be spam.`
+
+ If you enter a value that contains spaces or colons (:), the value you enter is ignored, and the default X-header is added to the message (`X-This-Is-Spam: This message appears to be spam.`).
+
+ - **Prepend subject line with this text**: This box is required and available only if you selected **Prepend subject line with text** as the action for a spam filtering verdict. Enter the text to add to the beginning of the message's subject line.
+
+ - **Redirect to this email address**: This box is required and available only if you selected the **Redirect message to email address** as the action for a spam filtering verdict. Enter the email address where you want to deliver the message. You can enter multiple values separated by semicolons (;).
+
+ - **Enable safety Tips**: By default, Safety Tips are enabled, but you can disable them by clearing the checkbox.
+
+ - **Enable zero-hour auto purge (ZAP)**: ZAP detects and takes action on messages that have already been delivered to Exchange Online mailboxes. For more information, see [Zero-hour auto purge - protection against spam and malware](zero-hour-auto-purge.md).
+
+ ZAP is turned on by default. When ZAP is turned on, the following settings are available:
+
+ - **Enable ZAP for phishing messages**: By default, ZAP is enabled for phishing detections, but you can disable it by clearing the checkbox.
+ - **Enable ZAP for spam messages**: By default, ZAP is enabled for spam detections, but you can disable it by clearing the checkbox.
+
+ > [!NOTE]
+ > End-user spam notifications have been replaced by _quarantine notifications_ in quarantine policies. Quarantine notifications contain information about quarantined messages for all supported protection features (not just anti-spam policy and anti-phishing policy verdicts). For more information, see [Quarantine policies](quarantine-policies.md).
+
+ When you're finished, click **Next**.
+
+7. On the **Allow & block list** flyout that appears, you are able to configure message senders by email address or email domain that are allowed to skip spam filtering.
+
+ In the **Allowed** section, you can configure allowed senders and allowed domains. In the **Blocked** section, you can add blocked senders and blocked domains.
+
+ > [!IMPORTANT]
+ >
+ > Think very carefully before you add domains to the allowed domains list. For more information, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md)
+ >
+ > As of September 2022, if an allowed sender, domain, or subdomain is in an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization, that sender, domain, or subdomain must pass [email authentication](email-validation-and-authentication.md) checks in order to skip anti-spam filtering.
+ >
+ > Never add common domains (for example, microsoft.com or office.com) to the allowed domains list. If these domains are allowed to bypass spam filtering, attackers can easily send messages that spoof these trusted domains into your organization.
+ >
+ > Manually blocking domains by adding the domains to the blocked domains list isn't dangerous, but it can increase your administrative workload. For more information, see [Create block sender lists in EOP](create-block-sender-lists-in-office-365.md).
+ >
+ > There will be times when our filters will miss a message, you don't agree with the filtering verdict, or it takes time for our systems to catch up to it. In these cases, the allow list and block list are available to override the current filtering verdicts. But, you should use these lists sparingly and temporarily: longs lists can become unmanageable, and our filtering stack should be doing what it's supposed to be doing. If you're going to keep an allowed domain for an extended period of time, you should tell the sender to verify that their domain is authenticated and set to DMARC reject appropriately.
+
+ The steps to add entries to any of the lists are the same:
+
+ 1. Click the link for the list that you want to configure:
+ - **Allowed** \> **Senders**: Click **Manage (nn) sender(s)**.
+ - **Allowed** \> **Domains**: Click **Allow domains**.
+ - **Blocked** \> **Senders**: Click **Manage (nn) sender(s)**.
+ - **Blocked** \> **Domains**: Click **Block domains**.
+
+ 2. In the flyout that appears, do the following steps:
+ 1. Click ![Create icon.](../../media/m365-cc-sc-create-icon.png) **Add senders** or **Add domains**.
+ 2. In the **Add senders** or **Add domains** flyout that appears, enter the sender's email address in the **Sender** box or the domain in the **Domain** box. As you're typing, the value appears below the box. When you're finished typing the email address or domain, select the value below the box.
+ 3. Repeat the previous step as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ When you're finished, click **Add senders** or **Add domains**.
+
+ Back on the main flyout, the senders or domains that you added are listed on the page. To remove an entry from this page, do the following steps:
+
+ 1. Select one or more entries from the list. You can also use the **Search** box to find values in the list.
+ 2. After you select at least one entry, the delete icon ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) appears.
+ 3. Click the delete icon ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) to remove the selected entries.
+
+ When you're finished, click **Done**.
+
+ Back on the **Allow & block list** page, click **Next** when you're read to continue.
+
+8. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+
+ When you're finished, click **Create**.
+
+9. On the confirmation page that appears, click **Done**.
+
+## Use the Microsoft 365 Defender portal to view anti-spam policies
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+2. On the **Anti-spam policies** page, look for one of the following values:
+ - The **Type** value is **Custom anti-spam policy**
+ - The **Name** value is **Anti-spam inbound policy (Default)**
+
+ The following properties are displayed in the list of anti-spam policies:
+
+ - **Name**
+ - **Status**
+ - **Priority**
+ - **Type**
+
+3. When you select an anti-spam policy by clicking on the name, the policy settings are displayed in a flyout.
+
+## Use the Microsoft 365 Defender portal to modify anti-spam policies
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+2. On the **Anti-spam policies** page, select an anti-spam policy from the list by clicking on the name:
+ - A custom policy that you created where the value in the **Type** column is **Custom anti-spam policy**.
+ - The default policy named **Anti-spam inbound policy (Default)**.
+
+3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section in this article.
+
+ For the default anti-spam policy, the **Applied to** section isn't available (the policy applies to everyone), and you can't rename the policy.
+
+To enable or disable a policy or set the policy priority order, see the following sections.
+
+### Enable or disable anti-spam policies
+
+You can't disable the default anti-spam policy.
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
+
+3. At the top of the policy details flyout that appears, you'll see one of the following values:
+ - **Policy off**: To turn on the policy, click ![Turn on icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn on** .
+ - **Policy on**: To turn off the policy, click ![Turn off icon.](../../media/m365-cc-sc-turn-on-off-icon.png) **Turn off**.
+
+4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.
+
+5. Click **Close** in the policy details flyout.
+
+Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.
+
+### Set the priority of custom anti-spam policies
+
+By default, anti-spam policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.
+
+To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.
+
+ **Notes**:
+
+- In the Microsoft 365 Defender portal, you can only change the priority of the anti-spam policy after you create it. In PowerShell, you can override the default priority when you create the spam filter rule (which can affect the priority of existing rules).
+- Anti-spam policies are processed in the order that they're displayed (the first policy has the **Priority** value 0). The default anti-spam policy has the priority value **Lowest**, and you can't change it.
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+2. On the **Anti-spam policies** page, select a select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name.
+
+3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:
+ - The anti-spam policy with the **Priority** value **0** has only the **Decrease priority** option available.
+ - The anti-spam policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.
+ - If you have three or more anti-spam policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.
+
+ Click ![Increase priority icon.](../../media/m365-cc-sc-increase-icon.png) **Increase priority** or ![Decrease priority icon](../../media/m365-cc-sc-decrease-icon.png) **Decrease priority** to change the **Priority** value.
+
+4. When you're finished, click **Close** in the policy details flyout.
+
+## Use the Microsoft 365 Defender portal to remove custom anti-spam policies
+
+When you use the Microsoft 365 Defender portal to remove a custom anti-spam policy, the spam filter rule and the corresponding spam filter policy are both deleted. You can't remove the default anti-spam policy.
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+2. On the **Anti-spam policies** page, select a policy with the **Type value** of **Custom anti-spam policy** from the list by clicking on the name. At the top of the policy details flyout that appears, click ![More actions icon.](../../media/m365-cc-sc-more-actions-icon.png) **More actions** \> ![Delete policy icon](../../media/m365-cc-sc-delete-icon.png) **Delete policy**.
+
+3. In the confirmation dialog that appears, click **Yes**.
+
+## Use Exchange Online PowerShell or standalone EOP PowerShell to configure anti-spam policies
+
+As previously described, an anti-spam policy consists of a spam filter policy and a spam filter rule.
+
+In Exchange Online PowerShell or standalone EOP PowerShell, the difference between spam filter policies and spam filter rules is apparent. You manage spam filter policies by using the **\*-HostedContentFilterPolicy** cmdlets, and you manage spam filter rules by using the **\*-HostedContentFilterRule** cmdlets.
+
+- In PowerShell, you create the spam filter policy first, then you create the spam filter rule that identifies the policy that the rule applies to.
+- In PowerShell, you modify the settings in the spam filter policy and the spam filter rule separately.
+- When you remove a spam filter policy from PowerShell, the corresponding spam filter rule isn't automatically removed, and vice versa.
+
+The following anti-spam policy settings are only available in PowerShell:
+
+- The _MarkAsSpamBulkMail_ parameter that's `On` by default. The effects of this setting were explained in the [Use the Microsoft 365 Defender portal to create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section earlier in this article.
+- The following settings for end-user spam quarantine notifications:
+ - The _DownloadLink_ parameter that shows or hides the link to the Junk Email Reporting Tool for Outlook.
+ - The _EndUserSpamNotificationCustomSubject_ parameter that you can use to customize the subject line of the notification.
+
+### Use PowerShell to create anti-spam policies
+
+Creating an anti-spam policy in PowerShell is a two-step process:
+
+1. Create the spam filter policy.
+2. Create the spam filter rule that specifies the spam filter policy that the rule applies to.
+
+ **Notes**:
+
+- You can create a new spam filter rule and assign an existing, unassociated spam filter policy to it. A spam filter rule can't be associated with more than one spam filter policy.
+- You can configure the following settings on new spam filter policies in PowerShell that aren't available in the Microsoft 365 Defender portal until after you create the policy:
+ - Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedContentFilterRule** cmdlet).
+ - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedContentFilterRule** cmdlet).
+
+- A new spam filter policy that you create in PowerShell isn't visible in the Microsoft 365 Defender portal until you assign the policy to a spam filter rule.
+
+#### Step 1: Use PowerShell to create a spam filter policy
+
+To create a spam filter policy, use this syntax:
+
+```PowerShell
+New-HostedContentFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] <Additional Settings>
+```
+
+This example creates a spam filter policy named Contoso Executives with the following settings:
+
+- Quarantine messages when the spam filtering verdict is spam or high confidence spam, and use the default [quarantine policy](quarantine-policies.md) for the quarantined messages (we aren't using the _SpamQuarantineTag_ or _HighConfidenceSpamQuarantineTag_ parameters).
+- BCL 7, 8, or 9 triggers the action for a bulk email spam filtering verdict.
+
+```PowerShell
+New-HostedContentFilterPolicy -Name "Contoso Executives" -HighConfidenceSpamAction Quarantine -SpamAction Quarantine -BulkThreshold 6
+```
+
+For detailed syntax and parameter information, see [New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy).
+
+> [!NOTE]
+> For detailed instructions to specify the [quarantine policy](quarantine-policies.md) to use in a spam filter policy, see [Use PowerShell to specify the quarantine policy in anti-spam policies](quarantine-policies.md#anti-spam-policies-in-powershell).
+
+#### Step 2: Use PowerShell to create a spam filter rule
+
+To create a spam filter rule, use this syntax:
+
+```PowerShell
+New-HostedContentFilterRule -Name "<RuleName>" -HostedContentFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]
+```
+
+This example creates a new spam filter rule named Contoso Executives with these settings:
+
+- The spam filter policy named Contoso Executives is associated with the rule.
+- The rule applies to members of the group named Contoso Executives Group.
+
+```PowerShell
+New-HostedContentFilterRule -Name "Contoso Executives" -HostedContentFilterPolicy "Contoso Executives" -SentToMemberOf "Contoso Executives Group"
+```
+
+For detailed syntax and parameter information, see [New-HostedContentFilterRule](/powershell/module/exchange/new-hostedcontentfilterrule).
+
+### Use PowerShell to view spam filter policies
+
+To return a summary list of all spam filter policies, run this command:
+
+```PowerShell
+Get-HostedContentFilterPolicy
+```
+
+To return detailed information about a specific spam filter policy, use the this syntax:
+
+```PowerShell
+Get-HostedContentFilterPolicy -Identity "<PolicyName>" | Format-List [<Specific properties to view>]
+```
+
+This example returns all the property values for the spam filter policy named Executives.
+
+```PowerShell
+Get-HostedContentFilterPolicy -Identity "Executives" | Format-List
+```
+
+For detailed syntax and parameter information, see [Get-HostedContentFilterPolicy](/powershell/module/exchange/get-hostedcontentfilterpolicy).
+
+### Use PowerShell to view spam filter rules
+
+To view existing spam filter rules, use the following syntax:
+
+```PowerShell
+Get-HostedContentFilterRule [-Identity "<RuleIdentity>] [-State <Enabled | Disabled]
+```
+
+To return a summary list of all spam filter rules, run this command:
+
+```PowerShell
+Get-HostedContentFilterRule
+```
+
+To filter the list by enabled or disabled rules, run the following commands:
+
+```PowerShell
+Get-HostedContentFilterRule -State Disabled
+```
+
+```PowerShell
+Get-HostedContentFilterRule -State Enabled
+```
+
+To return detailed information about a specific spam filter rule, use this syntax:
+
+```PowerShell
+Get-HostedContentFilterRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]
+```
+
+This example returns all the property values for the spam filter rule named Contoso Executives.
+
+```PowerShell
+Get-HostedContentFilterRule -Identity "Contoso Executives" | Format-List
+```
+
+For detailed syntax and parameter information, see [Get-HostedContentFilterRule](/powershell/module/exchange/get-hostedcontentfilterrule).
+
+### Use PowerShell to modify spam filter policies
+
+Other than the following items, the same settings are available when you modify a spam filter policy in PowerShell as when you create the policy as described in the [Step 1: Use PowerShell to create a spam filter policy](#step-1-use-powershell-to-create-a-spam-filter-policy) section earlier in this article.
+
+- The _MakeDefault_ switch that turns the specified policy into the default policy (applied to everyone, always **Lowest** priority, and you can't delete it) is only available when you modify a spam filter policy in PowerShell.
+- You can't rename a spam filter policy (the **Set-HostedContentFilterPolicy** cmdlet has no _Name_ parameter). When you rename an anti-spam policy in the Microsoft 365 Defender portal, you're only renaming the spam filter _rule_.
+
+To modify a spam filter policy, use this syntax:
+
+```PowerShell
+Set-HostedContentFilterPolicy -Identity "<PolicyName>" <Settings>
+```
+
+For detailed syntax and parameter information, see [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy).
+
+> [!NOTE]
+> For detailed instructions to specify the [quarantine policy](quarantine-policies.md) to use in a spam filter policy, see [Use PowerShell to specify the quarantine policy in anti-spam policies](quarantine-policies.md#anti-spam-policies-in-powershell).
+
+### Use PowerShell to modify spam filter rules
+
+The only setting that isn't available when you modify a spam filter rule in PowerShell is the _Enabled_ parameter that allows you to create a disabled rule. To enable or disable existing spam filter rules, see the next section.
+
+Otherwise, no additional settings are available when you modify a spam filter rule in PowerShell. The same settings are available when you create a rule as described in the [Step 2: Use PowerShell to create a spam filter rule](#step-2-use-powershell-to-create-a-spam-filter-rule) section earlier in this article.
+
+To modify a spam filter rule, use this syntax:
+
+```PowerShell
+Set-HostedContentFilterRule -Identity "<RuleName>" <Settings>
+```
+
+This example renames the existing spam filter rule named `{Fabrikam Spam Filter}`.
+
+```powershell
+Set-HostedContentFilterRule -Identity "{Fabrikam Spam Filter}" -Name "Fabrikam Spam Filter"
+```
+
+For detailed syntax and parameter information, see [Set-HostedContentFilterRule](/powershell/module/exchange/set-hostedcontentfilterrule).
+
+### Use PowerShell to enable or disable spam filter rules
+
+Enabling or disabling a spam filter rule in PowerShell enables or disables the whole anti-spam policy (the spam filter rule and the assigned spam filter policy). You can't enable or disable the default anti-spam policy (it's always applied to all recipients).
+
+To enable or disable a spam filter rule in PowerShell, use this syntax:
+
+```PowerShell
+<Enable-HostedContentFilterRule | Disable-HostedContentFilterRule> -Identity "<RuleName>"
+```
+
+This example disables the spam filter rule named Marketing Department.
+
+```PowerShell
+Disable-HostedContentFilterRule -Identity "Marketing Department"
+```
+
+This example enables same rule.
+
+```PowerShell
+Enable-HostedContentFilterRule -Identity "Marketing Department"
+```
+
+For detailed syntax and parameter information, see [Enable-HostedContentFilterRule](/powershell/module/exchange/enable-hostedcontentfilterrule) and [Disable-HostedContentFilterRule](/powershell/module/exchange/disable-hostedcontentfilterrule).
+
+### Use PowerShell to set the priority of spam filter rules
+
+The highest priority value you can set on a rule is 0. The lowest value you can set depends on the number of rules. For example, if you have five rules, you can use the priority values 0 through 4. Changing the priority of an existing rule can have a cascading effect on other rules. For example, if you have five custom rules (priorities 0 through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is changed to priority 3, and the rule with priority 3 is changed to priority 4.
+
+To set the priority of a spam filter rule in PowerShell, use the following syntax:
+
+```PowerShell
+Set-HostedContentFilterRule -Identity "<RuleName>" -Priority <Number>
+```
+
+This example sets the priority of the rule named Marketing Department to 2. All existing rules that have a priority less than or equal to 2 are decreased by 1 (their priority numbers are increased by 1).
+
+```PowerShell
+Set-HostedContentFilterRule -Identity "Marketing Department" -Priority 2
+```
+
+**Notes**:
+
+- To set the priority of a new rule when you create it, use the _Priority_ parameter on the **New-HostedContentFilterRule** cmdlet instead.
+- The default spam filter policy doesn't have a corresponding spam filter rule, and it always has the unmodifiable priority value **Lowest**.
+
+### Use PowerShell to remove spam filter policies
+
+When you use PowerShell to remove a spam filter policy, the corresponding spam filter rule isn't removed.
+
+To remove a spam filter policy in PowerShell, use this syntax:
+
+```PowerShell
+Remove-HostedContentFilterPolicy -Identity "<PolicyName>"
+```
+
+This example removes the spam filter policy named Marketing Department.
+
+```PowerShell
+Remove-HostedContentFilterPolicy -Identity "Marketing Department"
+```
+
+For detailed syntax and parameter information, see [Remove-HostedContentFilterPolicy](/powershell/module/exchange/remove-hostedcontentfilterpolicy).
+
+### Use PowerShell to remove spam filter rules
+
+When you use PowerShell to remove a spam filter rule, the corresponding spam filter policy isn't removed.
+
+To remove a spam filter rule in PowerShell, use this syntax:
+
+```PowerShell
+Remove-HostedContentFilterRule -Identity "<PolicyName>"
+```
+
+This example removes the spam filter rule named Marketing Department.
+
+```PowerShell
+Remove-HostedContentFilterRule -Identity "Marketing Department"
+```
+
+For detailed syntax and parameter information, see [Remove-HostedContentFilterRule](/powershell/module/exchange/remove-hostedcontentfilterrule).
+
+## How do you know these procedures worked?
+
+### Send a GTUBE message to test your spam policy settings
+
+> [!NOTE]
+> These steps will only work if the email organization that you're sending the GTUBE message from doesn't scan for outbound spam. If it does, you can't send the test message.
+
+Generic Test for Unsolicited Bulk Email (GTUBE) is a text string that you include in a test message to verify your organization's anti-spam settings. A GTUBE message is similar to the European Institute for Computer Antivirus Research (EICAR) text file for testing malware settings.
+
+Include the following GTUBE text in an email message on a single line, without any spaces or line breaks:
+
+```text
+XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
+```
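Review bot: In the "Step 1" example, the bullet says "BCL 7, 8, or 9 triggers the action" but the command passes `-BulkThreshold 6`; state explicitly that the action applies to BCL values above the threshold, or change one of the two so they agree. In "Use PowerShell to view spam filter rules", the syntax line `[-Identity "<RuleIdentity>] [-State <Enabled | Disabled]` is missing the closing quote and the closing `>`. In "Use PowerShell to remove spam filter rules", the syntax uses `-Identity "<PolicyName>"` where the other rule cmdlets use `"<RuleName>"`; the article itself notes that a portal rename changes only the rule name, so the two names can differ and the placeholder should be `<RuleName>`. In the priority example, "rules that have a priority less than or equal to 2 are decreased by 1" is hard to reconcile with the earlier paragraph, which says the rules at 2 and 3 move to 3 and 4; phrase it in terms of the priority numbers. Smaller fixes: "select a select a policy" in the priority steps, "use the this syntax", "This example enables same rule", and the unbalanced parenthesis in "(_Priority_ _\<Number\>_) on the **New-HostedContentFilterRule** cmdlet)".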
security Anti Spam Protection About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-protection-about.md
+
+ Title: Anti-spam protection
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: Admin
++
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+ - MOE150
+ms.assetid: 6a601501-a6a8-4559-b2e7-56b59c96a586
+
+ - m365-security
+ - m365initiative-defender-office365
+
+ - seo-marvel-apr2020
+description: Admins can learn about the anti-spam settings and filters that will help prevent spam in Exchange Online Protection (EOP).
++++
+# Anti-spam protection in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
+
+> [!NOTE]
+> This topic is intended for admins. For end-user topics, see [Overview of the Junk Email Filter](https://support.microsoft.com/office/5ae3ea8e-cf41-4fa0-b02a-3b96e21de089) and [Learn about junk email and phishing](https://support.microsoft.com/office/86c1d76f-4d5a-4967-9647-35665dc17c31).
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.
+
+Microsoft's email safety roadmap involves an unmatched cross-product approach. EOP anti-spam and anti-phishing technology is applied across our email platforms to provide users with the latest anti-spam and anti-phishing tools and innovations throughout the network. The goal for EOP is to offer a comprehensive and usable email service that helps detect and protect users from junk email, fraudulent email threats (phishing), and malware.
+
+As email use has grown, so has email abuse. Unmonitored junk email can clog inboxes and networks, impact user satisfaction, and hamper the effectiveness of legitimate email communications. That's why Microsoft continues to invest in anti-spam technologies. Simply put, it starts by containing and filtering junk email.
+
+> [!TIP]
+> The following anti-spam technologies are useful when you want to allow or block messages based on the message envelope (for example, the sender's domain or the source IP address of the message). To allow or block messages based on payload (for example, URLs in the message or attached files), then you should use the [Tenant Allow/Block List portal](manage-tenant-allow-block-list.md).
+
+## Anti-spam technologies in EOP
+
+To help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform, Outlook.com. Ongoing feedback from EOP users in the junk email classification program helps ensure that the EOP technologies are continually trained and improved.
+
+The anti-spam settings in EOP are made of the following technologies:
+
+- **Connection filtering**: Identifies good and bad email source servers early in the inbound email connection via the IP Allow List, IP Block List, and the *safe list* (a dynamic but non-editable list of trusted senders maintained by Microsoft). You configure these settings in the connection filter policy. Learn more at [Configure connection filtering](connection-filter-policies-configure.md).
+
+- **Spam filtering (content filtering)**: EOP uses the spam filtering verdicts **Spam**, **High confidence spam**, **Bulk email**, **Phishing email** and **High confidence phishing email** to classify messages. You can configure the actions to take based on these verdicts, and you can configure what users are allowed to do to quarantined messages and whether user receive quarantine notifications by using [quarantine policies](quarantine-policies.md). For more information, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md).
+
+ > [!NOTE]
+ > By default, spam filtering is configured to send messages that were marked as spam to the recipient's Junk Email folder. However, in hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure two mail flow rules (also known as transport rules) in your on-premises Exchange organization to recognize the EOP spam headers that are added to messages. For details, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
+
+- **Outbound spam filtering**: EOP also checks to make sure that your users don't send spam, either in outbound message content or by exceeding outbound message limits. For more information, see [Configure outbound spam filtering in Microsoft 365](configure-the-outbound-spam-policy.md).
+
+- **Spoof intelligence**: For more information, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md).
+
+## Manage errors in spam filtering
+
+It's possible that good messages can be identified as spam (also known as false positives), or that spam can be delivered to the Inbox (also known as false negatives). You can use the suggestions in the following sections to find out what happened and help prevent it from happening in the future.
+
+Here are some best practices that apply to either scenario:
+
+- Always report misclassified messages to Microsoft. For more information, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+- **Examine the anti-spam message headers**: These values will tell you why a message was marked as spam, or why it skipped spam filtering. For more information, see [Anti-spam message headers](anti-spam-message-headers.md).
+
+- **Point your MX record to Microsoft 365**: In order for EOP to provide the best protection, we always recommend that you have email delivered to Microsoft 365 first. For instructions, see [Create DNS records at any DNS hosting provider for Microsoft 365](../../admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider.md).
+
+ If the MX record points to some other location (for example, a third-party anti-spam solution or appliance), it's difficult for EOP to provide accurate spam filtering. In this scenario, you need to configure Enhanced Filtering for connectors (also known as _skip listing_). For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).
+
+- **Use email authentication**: If you own an email domain, you can use DNS to help insure that messages from senders in that domain are legitimate. To help prevent spam and unwanted spoofing in EOP, use all of the following email authentication methods:
+
+ - **SPF**: Sender Policy Framework verifies the source IP address of the message against the owner of the sending domain. For a quick introduction to SPF and to get it configured quickly, see [Set up SPF to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md). For a more in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](how-office-365-uses-spf-to-prevent-spoofing.md).
+
+ - **DKIM**: DomainKeys Identified Mail adds a digital signature to the message header of messages sent from your domain. For information, see [Use DKIM to validate outbound email sent from your custom domain in Microsoft 365](use-dkim-to-validate-outbound-email.md).
+
+ - **DMARC**: Domain-based Message Authentication, Reporting, and Conformance helps destination email systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners. For more information, see [Use DMARC to validate email in Microsoft 365](use-dmarc-to-validate-email.md).
+
+- **Verify your bulk email settings**: The bulk complaint level (BCL) threshold that you configure in anti-spam policies determines whether bulk email (also known as _gray mail_) is marked as spam. The PowerShell-only setting _MarkAsSpamBulkMail_ that's on by default also contributes to the results. For more information, see [Configure anti-spam policies in Microsoft 365](configure-your-spam-filter-policies.md).
+
+### Prevent the delivery of spam to the Inbox
+
+- **Verify your organization settings**: Watch out for settings that allow messages to skip spam filtering (for example, if you add your own domain to the allowed domains list in anti-spam policies). For our recommended settings, see [Recommended settings for EOP and Microsoft Defender for Office 365 security](recommended-settings-for-eop-and-office365.md) and [Create safe sender lists](create-safe-sender-lists-in-office-365.md).
+
+- **Use the available blocked sender lists**: For information, see [Create blocked sender lists](create-block-sender-lists-in-office-365.md).
+
+- **Unsubscribe from bulk email** If the message was something that the user signed up for (newsletters, product announcements, etc.) and contains an unsubscribe link from a reputable source, consider asking them to simply unsubscribe.
+
+- **Standalone EOP: create mail flow rules in on-premises Exchange for EOP spam filtering verdicts**: In hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure mail flow rules (also known as transport rules) in on-premises Exchange. These mail flow rules translate the EOP spam filtering verdict so the junk email rule in the mailbox can move the message to the Junk Email folder. For details, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).
+
+### Prevent good email from being identified as spam
+
+Here are some steps that you can take to help prevent false positives:
+
+- **Verify the user's Outlook Junk Email Filter settings**:
+
+ - **Verify the Outlook Junk Email Filter is disabled**: When the Outlook Junk Email Filter is set to the default value **No automatic filtering**, Outlook doesn't attempt to classify messages as spam. When it's set to **Low** or **High**, the Outlook Junk Email Filter uses its own SmartScreen filter technology to identify and move spam to the Junk Email folder, so you could get false positives. Note that Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook in November, 2016. The existing SmartScreen spam definitions were left in place, but their effectiveness will likely degrade over time.
+
+ - **Verify the Outlook 'Safe Lists Only' setting is disabled**: When this setting is enabled, only messages from senders in the user's Safe Senders list or Safe Recipients list are delivered to the Inbox; email from everyone else is automatically moved to the Junk Email folder.
+
+ For more information about these settings, see [Configure junk email settings on Exchange Online mailboxes in Microsoft 365](configure-junk-email-settings-on-exo-mailboxes.md).
+
+- **Use the available safe sender lists**: For information, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md).
+
+- **Verify users are within the sending and receiving limits** as described in [Receiving and sending limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#receiving-and-sending-limits) in the Exchange Online service description.
+
+- **Standalone EOP: use directory synchronization**: If you use standalone EOP to help protect your on-premises Exchange organization, you should sync user settings with the service by using directory synchronization. Doing this ensures that your users' Safe Senders lists are respected by EOP. For more information, see [Use directory synchronization to manage mail users](/exchange/standalone-eop/manage-mail-users-in-eop#synchronize-directories-with-azure-active-directory-connect-aad-connect).
+
+## Anti-spam legislation
+
+At Microsoft, we believe that the development of new technologies and self-regulation requires the support of effective government policy and legal frameworks. The worldwide spam proliferation has spurred numerous legislative bodies to regulate commercial email. Many countries now have spam-fighting laws in place. The United States has both federal and state laws governing spam, and this complementary approach is helping to curtail spam while enabling legitimate e-commerce to prosper. The CAN-SPAM Act expands the tools available for curbing fraudulent and deceptive email messages.
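Review bot: Under "Anti-spam technologies in EOP", the **Spoof intelligence** bullet is only a link ("For more information, see ..."), while the other three bullets each say what the technology does; add a one-sentence description so the list is consistent. The last bullet under "Prevent the delivery of spam to the Inbox" is labelled "Standalone EOP" but its text describes hybrid environments where EOP protects on-premises Exchange mailboxes, so use one term or explain how the two relate. Wording: "whether user receive quarantine notifications" should be "whether users receive", "help insure" should be "help ensure", "Unsubscribe from bulk email" is missing the colon that the other bold lead-ins have, and the first best-practice bullet ("Always report misclassified messages to Microsoft") lacks the bold lead-in used by the rest of that list.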
security Anti Spam Spam Confidence Level Scl About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-spam-confidence-level-scl-about.md
+
+ Title: Spam confidence level
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+ms.assetid: 34681000-0022-4b92-b38a-e32b3ed96bf6
+
+ - m365-security
+
+ - seo-marvel-apr2020
+description: Admins can learn about the spam confidence level (SCL) that applied to messages in Exchange Online Protection (EOP).
++++
+# Spam confidence level (SCL) in EOP
+
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound messages go through spam filtering in EOP and are assigned a spam score. That score is mapped to an individual spam confidence level (SCL) that's added to the message in an X-header. A higher SCL indicates a message is more likely to be spam. EOP takes action on the message based on the SCL.
+
+What the SCL means and the default actions that are taken on messages are described in the following table. For more information about actions you can take on messages based on the spam filtering verdict, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
+
+|SCL|Definition|Default action|
+|::|||
+|-1|The message skipped spam filtering. For example, the message is from a safe sender, was sent to a safe recipient, or is from an email source server on the IP Allow List. For more information, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md).|Deliver the message to the recipients' inbox.|
+|0, 1|Spam filtering determined the message was not spam.|Deliver the message to the recipients' inbox.|
+|5, 6|Spam filtering marked the message as **Spam**|Deliver the message to the recipients' Junk Email folder.|
+|8, 9|Spam filtering marked the message as **High confidence spam**|Deliver the message to the recipients' Junk Email folder.|
+
+You'll notice that SCL 2, 3, 4, and 7 aren't used by spam filtering.
+
+You can use mail flow rules (also known as transport rules) to stamp the SCL on messages. If you use a mail flow rule to set the SCL, the values 5 or 6 trigger the spam filtering action for **Spam**, and the values 7, 8, or 9 trigger the spam filtering action for **High confidence spam**. For more information, see [Use mail flow rules to set the spam confidence level (SCL) in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).
+
+Similar to the SCL, the bulk complaint level (BCL) identifies bad bulk email (also known as _gray mail_). A higher BCL indicates a bulk mail message is more likely to generate complaints (and is therefore more likely to be spam). You configure the BCL threshold in anti-spam policies. For more information, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md), [Bulk complaint level (BCL) in EOP)](anti-spam-bulk-complaint-level-bcl-about.md), and [What's the difference between junk email and bulk email?](anti-spam-spam-vs-bulk-about.md).
+
+****
+
+![The short icon for LinkedIn Learning.](../../media/eac8a413-9498-4220-8544-1e37d1aaea13.png) **New to Microsoft 365?** Discover free video courses for **Microsoft 365 admins and IT pros**, brought to you by LinkedIn Learning.
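Review bot: the delimiter row `|::|||` under the `|SCL|Definition|Default action|` header contains no hyphens, so it is not a valid Markdown table delimiter and the SCL table will render as literal pipe text; use something like `|:---:|---|---|`. In the BCL paragraph, the link text `[Bulk complaint level (BCL) in EOP)]` carries a stray closing parenthesis. The mail flow rule paragraph states what SCL 5 or 6 and 7, 8, or 9 trigger, but not what happens when a rule stamps 2, 3, or 4, which the sentence before it calls unused by spam filtering; one sentence on how those values are treated would close that gap.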
security Anti Spam Spam Vs Bulk About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spam-spam-vs-bulk-about.md
+
+ Title: What's the difference between junk email and bulk email?
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+ms.assetid: 8079f193-1b40-4081-9e5d-d0e50dfbcc59
+
+ - m365-security
+
+ - seo-marvel-apr2020
+description: Admins can learn about the differences between junk email (spam) and bulk email (gray mail) in Exchange Online Protection (EOP).
++++
+# What's the difference between junk email and bulk email in EOP?
+
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, customers sometimes ask: "what's the difference between junk email and bulk email?" This topic explains the difference and describes the controls that are available in EOP.
+
+- **Junk email** is spam, which are unsolicited and universally unwanted messages (when identified correctly). By default, the EOP rejects spam based on the reputation of the source email server. If a message passes source IP inspection, it's sent to spam filtering. If the message is classified as spam by spam filtering, the message is (by default) delivered to the intended recipients and moved to their Junk Email folder.
+
+ - You can configure the actions to take on spam filtering verdicts. For instructions, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
+
+ - If you disagree with the spam filtering verdict, you can report messages that you consider to be spam or non-spam to Microsoft in several ways, as described in [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
+
+- **Bulk email** (also known as _gray mail_), is more difficult to classify. Whereas spam is a constant threat, bulk email is often one-time advertisements or marketing messages. Some users want bulk email messages (and in fact, they have deliberately signed up to receive them), while other users consider bulk email to be spam. For example, some users want to receive advertising messages from the Contoso Corporation or invitations to an upcoming conference on cyber security, while other users consider these same messages to be spam.
+
+ For more information about how bulk email is identified, see [Bulk complaint level (BCL) in EOP](anti-spam-bulk-complaint-level-bcl-about.md).
+
+## How to manage bulk email
+
+Because of the mixed reaction to bulk email, there isn't universal guidance that applies to every organization.
+
+Anti-spam polices have a default BCL threshold that's used to identify bulk email as spam. Admins can increase or decrease the threshold. For more information, see the following topics:
+
+- [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
+- [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings)
+
+Another option that's easy to overlook: if a user complains about receiving bulk email, but the messages are from reputable senders that pass spam filtering in EOP, have the user check for a unsubscribe option in the bulk email message.
+
+## How to tune bulk email
+
+In September 2022, Microsoft Defender for Office 365 Plan 2 customers can access BCL from [advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview). This feature allows admins to look at all bulk senders who sent mail to their organization, along with the corresponding BCL values and the email volume received. You can drill down into the bulk senders by using other columns in **EmailEvents** table in the **Email & collaboration** schema. For more information, see [EmailEvents](/microsoft-365/security/defender/advanced-hunting-emailevents-table).
+
+For example, if Contoso has set their current bulk threshold to 7 in anti-spam policies, Contoso recipients will receive email from all senders with BCL \< 7 in their Inbox. Admins can run the following query to get a list of all bulk senders in the organization:
+
+```console
+EmailEvents
+| where BulkComplaintLevel >= 1 and Timestamp > datetime(2022-09-XXT00:00:00Z)
+| summarize count() by SenderMailFromAddress, BulkComplaintLevel
+```
+
+This query allows admins to identify wanted and unwanted senders. If a bulk sender has a BCL score that doesn't meet the bulk threshold, admins can [submit the sender's messages to Microsoft for analysis](allow-block-email-spoof.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal), which adds the sender as an allow entry to the Tenant Allow/Block List.
+
+Organizations without Defender for Office 365 Plan 2 can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free. Use the 90-day Defender for Office 365 evaluation at <https://security.microsoft.com/atpEvaluation>. Learn about who can sign up and trial terms [here](try-microsoft-defender-for-office-365.md) or you can use the [Threat protection status report](view-email-security-reports.md#threat-protection-status-report) to identify wanted and unwanted bulk senders:
+
+1. In the Threat protection status report, select **View data by Email \> Spam**. To go directly to the report, open one of the following URLs:
+
+ - EOP: <https://security.microsoft.com/reports/TPSAggregateReport>
+ - Defender for Office 365: <https://security.microsoft.com/reports/TPSAggregateReportATP>
+
+2. Filter for Bulk email, select an email to investigate and click on email entity to learn more about the sender. Email entity is available only for Defender for Office 365 Plan 2 customers.
+
+3. Once you have identified wanted and unwanted senders, adjust the bulk threshold to your desired level. If there are bulk senders with BCL score that doesn't fit within your bulk threshold, [submit the messages to Microsoft for analysis](allow-block-email-spoof.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal), which adds the sender as an allow entry to the Tenant Allow/Block List.
+
+Admins can follow the [recommended bulk threshold values](recommended-settings-for-eop-and-office365.md#anti-spam-anti-malware-and-anti-phishing-protection-in-eop) or choose a bulk threshold value that suits the needs of their organization.
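Review bot: the sample query's `datetime(2022-09-XXT00:00:00Z)` is a placeholder rather than a valid datetime literal, so the query fails when pasted into advanced hunting as written; either use a relative window such as `Timestamp > ago(30d)` or state that `XX` must be replaced, and tag the fence `kusto` instead of `console`. In the paragraph after the query and again in step 3, "a BCL score that doesn't meet" (or "fit within") the bulk threshold does not say which side of the threshold is meant, and because the suggested submission adds an allow entry to the Tenant Allow/Block List, the wording should limit it to senders the admin has confirmed as wanted. Smaller points: "polices" for "policies", "a unsubscribe option", the product name "Microsoft 365 Defender for Office 365 Plan 2", and the sentence that joins the trial link to the Threat protection status report with "[here] or you can use", which reads as one option when it is two.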
security Anti Spoofing Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence.md
+
+ Title: Spoof intelligence insight
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: Admin
++
+ms.localizationpriority: medium
+search.appverid:
+ - MOE150
+ - MET150
+ms.assetid: 978c3173-3578-4286-aaf4-8a10951978bf
+
+ - m365-security
+
+ - seo-marvel-apr2020
+description: Admins can learn about the spoof intelligence insight in Exchange Online Protection (EOP).
++++
+# Spoof intelligence insight in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spoofing. EOP uses **spoof intelligence** as part of your organization's overall defense against phishing. For more information, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md).
+
+When a sender spoofs an email address, they appear to be a user in one of your organization's domains, or a user in an external domain that sends email to your organization. Attackers who spoof senders to send spam or phishing email need to be blocked. But there are scenarios where legitimate senders are spoofing. For example:
+
+- Legitimate scenarios for spoofing internal domains:
+ - Third-party senders use your domain to send bulk mail to your own employees for company polls.
+ - An external company generates and sends advertising or product updates on your behalf.
+ - An assistant regularly needs to send email for another person within your organization.
+ - An internal application sends email notifications.
+
+- Legitimate scenarios for spoofing external domains:
+ - The sender is on a mailing list (also known as a discussion list), and the mailing list relays email from the original sender to all the participants on the mailing list.
+ - An external company sends email on behalf of another company (for example, an automated report or a software-as-a-service company).
+
+You can use the **spoof intelligence insight** in the Microsoft 365 Defender portal to quickly identify spoofed senders who are legitimately sending you unauthenticated email (messages from domains that don't pass SPF, DKIM, or DMARC checks), and manually allow those senders.
+
+By allowing known senders to send spoofed messages from known locations, you can reduce false positives (good email marked as bad). By monitoring the allowed spoofed senders, you provide an additional layer of security to prevent unsafe messages from arriving in your organization.
+
+Likewise, you can review spoofed senders that were allowed by spoof intelligence and manually block those senders from the spoof intelligence insight.
+
+The rest of this article explains how to use the spoof intelligence insight in the Microsoft 365 Defender portal and in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
+
+> [!NOTE]
+>
+> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Manage the Tenant Allow/Block List in EOP](manage-tenant-allow-block-list.md).
+>
+> - The spoof intelligence insight and the **Spoofed senders** tab in the Tenant Allow/Block list replace the functionality of the spoof intelligence policy that was available on the anti-spam policy page in the Security & Compliance Center.
+>
+> - The spoof intelligence insight shows 7 days worth of data. The **Get-SpoofIntelligenceInsight** cmdlet shows 30 days worth of data.
+>
+> - The latest available data is 3 to 4 days old.
+
+## What do you need to know before you begin?
+
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Spoofed senders** tab on the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. To go directly to the **Spoof intelligence insight** page, use <https://security.microsoft.com/spoofintelligence>.
+
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
+
+- You need to be assigned permissions in **Exchange Online** before you can do the procedures in this article:
+ - To modify the spoof intelligence policy or enable or disable spoof intelligence, you need to be a member of one of the following role groups:
+ - **Organization Management**
+ - **Security Administrator** <u>and</u> **View-Only Configuration** or **View-Only Organization Management**.
+ - For read-only access to the spoof intelligence policy, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+
+ For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+
+ > [!NOTE]
+ >
+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
+
+- You enable and disable spoof intelligence in anti-phishing policies in EOP and Microsoft Defender for Office 365. Spoof intelligence is enabled by default. For more information, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md) or [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
+
+- For our recommended settings for spoof intelligence, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365-atp.md#eop-anti-phishing-policy-settings).
+
+## Open the spoof intelligence insight in the Microsoft 365 Defender portal
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section. To go directly to the **Spoofed senders** tab on the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>.
+
+2. On the **Tenant Allow/Block Lists** page, the spoof intelligence insight looks like this:
+
+ :::image type="content" source="../../media/m365-sc-spoof-intelligence-insight.png" alt-text="The Spoof intelligence insight on the Anti-phishing policy page" lightbox="../../media/m365-sc-spoof-intelligence-insight.png":::
+
+ The insight has two modes:
+
+ - **Insight mode**: If spoof intelligence is enabled, the insight shows you how many messages were detected by spoof intelligence during the past seven days.
+ - **What if mode**: If spoof intelligence is disabled, then the insight shows you how many messages *would* have been detected by spoof intelligence during the past seven days.
+
+To view information about the spoof intelligence detections, click **View spoofing activity** in the spoof intelligence insight.
+
+### View information about spoofed messages
+
+> [!NOTE]
+> Remember, only spoofed senders that were detected by spoof intelligence appear on this page. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab in the Tenant Allow/Block List.
+
+On the **Spoof intelligence insight** page that appears after you click **View spoofing activity** in the spoof intelligence insight, the page contains the following information:
+
+- **Spoofed user**: The **domain** of the spoofed user that's displayed in the **From** box in email clients. The From address is also known as the `5322.From` address.
+- **Sending infrastructure**: Also known as the _infrastructure_. The sending infrastructure will be one of the following values:
+ - The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address.
+ - If the source IP address has no PTR record, then the sending infrastructure is identified as \<source IP\>/24 (for example, 192.168.100.100/24).
+ - A verified DKIM domain.
+- **Message count**: The number of messages from the combination of the spoofed domain _and_ the sending infrastructure to your organization within the last 7 days.
+- **Last seen**: The last date when a message was received from the sending infrastructure that contains the spoofed domain.
+- **Spoof type**: One of the following values:
+ - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
+ - **External**: The spoofed sender is in an external domain.
+- **Action**: This value is **Allowed** or **Blocked**:
+ - **Allowed**: The domain failed explicit email authentication checks [SPF](how-office-365-uses-spf-to-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md). However, the domain passed our implicit email authentication checks ([composite authentication](email-validation-and-authentication.md#composite-authentication)). As a result, no anti-spoofing action was taken on the message.
+ - **Blocked**: Messages from the combination of the spoofed domain _and_ sending infrastructure are marked as bad by spoof intelligence. The action that's taken on the spoofed messages is controlled by the default anti-phishing policy or custom anti-phishing policies (the default value is **Move message to Junk Email folder**). For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](configure-mdo-anti-phishing-policies.md).
+
+You can click selected column headings to sort the results.
+
+To filter the results, you have the following options:
+
+- Click the **Filter** button. In the **Filter** flyout that appears, you can filter the results by:
+ - **Spoof type**
+ - **Action**
+- Use the **Search** box to enter a comma-separated list of spoofed domain values or sending infrastructure values to filter the results.
+
+### View details about spoofed messages
+
+When you select an entry from the list, a details flyout appears that contains the following information and features:
+
+- **Allow to spoof** or **Block from spoofing**: Select one of these values to override the original spoof intelligence verdict and move the entry from the spoof intelligence insight to the Tenant Allow/Block List as an allow or block entry for spoof.
+- Why we caught this.
+- What you need to do.
+- A domain summary that includes most of the same information from the main spoof intelligence page.
+- WhoIs data about the sender.
+- A link to open [Threat Explorer](threat-explorer.md) to see additional details about the sender under **View** \> **Phish** in Microsoft Defender for Office 365.
+- Similar messages we have seen in your tenant from the same sender.
+
+### About allowed spoofed senders
+
+An allowed spoofed sender in the spoof intelligence insight or a blocked spoofed sender that you manually changed to **Allow to spoof** only allows messages from the combination of the spoofed domain _and_ the sending infrastructure. It does not allow email from the spoofed domain from any source, nor does it allow email from the sending infrastructure for any domain.
+
+For example, the following spoofed sender is allowed to spoof:
+
+- **Domain**: gmail.com
+- **Infrastructure**: tms.mx.com
+
+Only email from that domain/sending infrastructure pair will be allowed to spoof. Other senders attempting to spoof gmail.com aren't automatically allowed. Messages from senders in other domains that originate from tms.mx.com are still checked by spoof intelligence, and might be blocked.
+
+## Use the spoof intelligence insight in Exchange Online PowerShell or standalone EOP PowerShell
+
+In PowerShell, you use the **Get-SpoofIntelligenceInsight** cmdlet to **view** allowed and blocked spoofed senders that were detected by spoof intelligence. To manually allow or block the spoofed senders, you need to use the **New-TenantAllowBlockListSpoofItems** cmdlet. For more information, see [Use PowerShell to manage spoofed sender entries to the Tenant Allow/Block List](manage-tenant-allow-block-list.md).
+
+To view the information in the spoof intelligence insight, run the following command:
+
+```powershell
+Get-SpoofIntelligenceInsight
+```
+
+For detailed syntax and parameter information, see [Get-SpoofIntelligenceInsight](/powershell/module/exchange/get-spoofintelligenceinsight).
+
+## Other ways to manage spoofing and phishing
+
+Be diligent about spoofing and phishing protection. Here are related ways to check on senders who are spoofing your domain and help prevent them from damaging your organization:
+
+- Check the **Spoof Mail Report**. You can use this report often to view and help manage spoofed senders. For information, see [Spoof Detections report](view-email-security-reports.md#spoof-detections-report).
+
+- Review your Sender Policy Framework (SPF) configuration. For a quick introduction to SPF and to get it configured quickly, see [Set up SPF in Microsoft 365 to help prevent spoofing](set-up-spf-in-office-365-to-help-prevent-spoofing.md). For a more in-depth understanding of how Office 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with [How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing](how-office-365-uses-spf-to-prevent-spoofing.md).
+
+- Review your DomainKeys Identified Mail (DKIM) configuration. You should use DKIM in addition to SPF and DMARC to help prevent attackers from sending messages that look like they are coming from your domain. DKIM lets you add a digital signature to email messages in the message header. For information, see [Use DKIM to validate outbound email sent from your custom domain in Office 365](use-dkim-to-validate-outbound-email.md).
+
+- Review your Domain-based Message Authentication, Reporting, and Conformance (DMARC) configuration. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks. For information, see [Use DMARC to validate email in Office 365](use-dmarc-to-validate-email.md).
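Review bot: the permissions bullets under "What do you need to know before you begin?" still describe access in terms of "the spoof intelligence policy" ("To modify the spoof intelligence policy or enable or disable spoof intelligence", "read-only access to the spoof intelligence policy"), while the note near the top of the article says that policy was replaced by the spoof intelligence insight and the **Spoofed senders** tab; reword the bullets to name the insight and the Tenant Allow/Block List so readers know which actions each role group covers. In "Open the spoof intelligence insight", step 2 places the insight on the **Tenant Allow/Block Lists** page but the image alt text says "on the Anti-phishing policy page", and the "To view information about the spoof intelligence detections" paragraph is not indented under step 2. The sending infrastructure example `192.168.100.100/24` uses a private address with host bits set; a documentation range written as a network, such as `192.0.2.0/24`, would be clearer for a source mail server. The recommended-settings link here points to `recommended-settings-for-eop-and-office365-atp.md`, while the junk versus bulk article links `recommended-settings-for-eop-and-office365.md`; one of the two targets is likely stale. The last section tells readers to check the "Spoof Mail Report" but links to the "Spoof Detections report"; use one name.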
security Attack Simulation Training Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulations.md
+
+ Title: Simulate a phishing attack with Attack simulation training
+++
+audience: ITPro
++
+ms.localizationpriority: medium
+
+ - m365-security
+ - m365initiative-defender-office365
+
+description: Admins can learn how to simulate phishing attacks and train their users on phishing prevention using Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+
+search.appverid: met150
++
+# Simulate a phishing attack with Attack simulation training in Defender for Office 365
++
+**Applies to**
+ [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+
+Attack simulation training in Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 lets you run benign cyberattack simulations in your organization. These simulations test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks. This article walks you through creating a simulated phishing attack using Attack simulation training.
+
+For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
+
+To launch a simulated phishing attack, do the following steps:
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulations** tab.
+
+ To go directly to the **Simulations** tab, use <https://security.microsoft.com/attacksimulator?viewid=simulations>.
+
+2. On the **Simulations** tab, select ![Launch a simulation icon.](../../media/m365-cc-sc-create-icon.png) **Launch a simulation**.
+
+ :::image type="content" source="../../media/attack-sim-training-simulations-launch.png" alt-text="The Launch a simulation button on the Simulations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-launch.png":::
+
+3. The simulation creation wizard opens. The rest of this article describes the pages and the settings they contain.
+
+> [!NOTE]
+> At any point during the simulation creation wizard, you can click **Save and close** to save your progress and continue configuring the simulation later. The incomplete simulation has the **Status** value **Draft** on the **Simulations** tab. You can pick up where you left off by selecting the simulation and clicking ![Edit simulation icon.](../../media/m365-cc-sc-edit-icon.png) **Edit** simulation.
+
+## Select a social engineering technique
+
+On the **Select technique** page, select an available social engineering technique, which was curated from the [MITRE ATT&CK® framework](https://attack.mitre.org/techniques/enterprise/). Different payloads are available for different techniques. The following social engineering techniques are available:
+
+- **Credential harvest**: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.
+- **Malware attachment**: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that will help the attacker compromise the target's device.
+- **Link in attachment**: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
+- **Link to malware**: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user will contain a link to this malicious file. Opening the file will help the attacker compromise the target's device.
+- **Drive-by URL**: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.
+- **OAuth Consent Grant**: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
+
+If you click the **View details** link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique.
++
+When you're finished, click **Next**.
+
+## Name and describe the simulation
+
+On the **Name simulation** page, configure the following settings:
+
+- **Name**: Enter a unique, descriptive name for the simulation.
+- **Description**: Enter an optional detailed description for the simulation.
+
+When you're finished, click **Next**.
+
+## Select a payload and login page
+
+On the **Select payload and login** page, you need to select an existing payload from the list, or create a new payload.
+
+You can also view the login page that's used in the payload, select a different login page to use, or create a new login page to use.
+
+### Payload
+
+The following details are shown for each payload:
+
+- **Payload name**
+- **Language**: The language of the payload content. Microsoft's payload catalog (global) provides payloads in 10+ languages which can also be filtered.
+- **Click rate**: How many people have clicked on this payload.
+- **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this payload (users compromised / total number of users who receive the payload).
+- **Simulations launched** counts the number of times this payload was used in other simulations.
+
+In the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box, you can type part of the payload name and press Enter to filter the results.
+
+If you click **Filter**, the following filters are available:
+
+- **Complexity**: Calculated based on the number of indicators in the payload that indicate a possible attack (spelling errors, urgency, etc.). More indicators are easier to identify as an attack and indicate lower complexity. The available values are:
+ - **High**
+ - **Medium**
+ - **Low**
+
+- **Language**: The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.
+
+- **Add tag(s)**
+
+- **Filter by theme**: The available values are: **Account activation**, **Account verification**, **Billing**, **Clean up mail**, **Document received**, **Expense**, **Fax**, **Finance report**, **Incoming messages**, **Invoice**, **Items received**, **Login alert**, **Mail received**, **Password**, **Payment**, **Payroll**, **Personalized offer**, **Quarantine**, **Remote work**, **Review message**, **Security update**, **Service suspended**, **Signature required**, **Upgrade mailbox storage Verify mailbox**, **Voicemail**, and **Other**.
+
+- **Filter by brand**: The available values are: **American Express**, **Capital One**, **DHL**, **DocuSign**, **Dropbox**, **Facebook**, **First American**, **Microsoft**, **Netflix**, **Scotiabank**, **SendGrid**, **Stewart Title**, **Tesco**, **Wells Fargo**, **Syrinx Cloud**, and **Other**.
+
+- **Filter by industry**: The available values are: **Banking**, **Business services**, **Consumer services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier services**, **IT**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real estate**, and **Other**.
+
+- **Current event**: The available values are **Yes** or **No**.
+
+- **Controversial**: The available values are **Yes** or **No**.
+
+When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+
+If you select a payload from the list by selecting the check box, a ![Send a test payload icon.](../../media/m365-cc-sc-create-icon.png) **Send a test** button appears on the main page where you can send a copy of the payload email to yourself (the currently logged in user) for inspection.
+
+To create your own payload, click ![Create a payload icon.](../../medi#create-payloads).
++
+If you select a payload from the list by clicking anywhere in the row other than the check box, details about the payload are shown in a flyout:
+
+- The **Payload** tab contains an example and other details about the payload.
+- The **Login page** tab is available only in **Credential Harvest** or **Link in attachment** payloads and is described in the next section.
+- The **Simulations launched** tab contains the **Simulation name**, **Click rate**, **Compromised rate**, and **Action**.
++
+### Login page
+
+> [!NOTE]
+> The **Login page** tab is available only in **Credential Harvest** or **Link in attachment** payloads.
+
+Select the payload from the list by clicking anywhere in the row other than the check box to open the details flyout.
+
+The **Login page** tab in the payload details flyout shows the login page that's currently selected for the payload.
+
+To view the complete login page, use the **Page 1** and **Page 2** links at the bottom of the page for two-page login pages.
++
+To change the login page that's used in the payload, click ![Change login page icon.](../../media/m365-cc-sc-edit-icon.png) **Change login page**.
+
+On the **Select login page** flyout that appears, The following information is shown for each login page:
+
+- **Name**
+- **Language**
+- **Source**: For built-in login pages, the value is **Global**. For custom login pages, the value is **Tenant**.
+- **Status**: **Ready** or **Draft**.
+- **Created by**: For built-in login pages, the value is **Microsoft**. For custom login pages, the value is the UPN of the user who created the login page.
+- **Last modified**
+- **Actions**: Click ![Preview icon.](../../media/m365-cc-sc-eye-icon.png) **Preview** to preview the login page.
+
+To find a login page in the list, use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find the name of the login page.
+
+Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the login pages by **Source** or **Language**.
++
+To create a new login page, click [Create new icon.](../../medi#create-login-pages).
+
+Back on the **Select login page**, verify the new login page you created is selected, and then click **Save**.
+
+Back on the payload details flyout, click [Close icon.](../../media/m365-cc-sc-close-icon.png) **Close**.
+
+When you're finished on the **Select a payload and login page**, click **Next**.
+
+## Configure OAuth Payload
+
+> [!NOTE]
+> This page is available only if you selected **OAuth Consent Grant** on the [Select technique](#select-a-social-engineering-technique) page. Otherwise, you're taken to the **Target users** page.
+
+On the **Configure OAuth payload** page, configure the following settings:
+
+- **App name**
+
+- **App logo**: Click **Browse** to select a .png, .jpeg, or .gif file to use. To remove a file after you've selected it, click **Remove**.
+
+- **Select app scope**: Choose one of the following values:
+ - **Read user calendars**
+ - **Read user contacts**
+ - **Read user mail**
+ - **Read all chat messages**
+ - **Read all files that user can access**
+ - **Read and write access to user mail**
+ - **Send mail as a user**
+
+## Target users
+
+On the **Target users** page, select who will receive the simulation. Configure one of the following settings:
+
+- **Include all users in your organization**: The affected users are show in lists of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** icon on the page to find affected users.
+
+- **Include only specific users and groups**: Choose one of the following options:
+ - ![Add users icon.](../../media/m365-cc-sc-create-icon.png) **Add users**: In the **Add users** flyout that appears, you can find users and groups based on the following criteria:
+
+ > [!NOTE]
+ > You can't use dynamic distribution groups to target users.
+
+ - **Search for users or groups**: In box, you can type part of the **Name** or **Email address** of the user or group and then press Enter. You can select some or all of the results. When you're finished, click **Add x users**.
+
+ > [!NOTE]
+ > Clicking the **Add filters** button to return to the **Filter users by categories** options will clear any users or groups that you selected in the search results.
+
+ - **Filter users by categories**: Select from none, some, or all of the following options:
+
+ - **Suggested user groups**: Select from the following values:
+ - **All suggested user groups**
+ - **Users not targeted by a simulation in the last three months**
+ - **Repeat offenders**
+
+ - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags.md).
+
+ Use the following options:
+
+ - **Search**: In ![Search by user tags icon.](../../media/m365-cc-sc-search-icon.png) **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
+ - Select **All user tags**
+ - Select existing user tags.
+
+ - **Department**: Use the following options:
+ - **Search**: In ![Search by Department icon.](../../media/m365-cc-sc-search-icon.png) **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
+ - Select **All Department**
+ - Select existing Department values.
+
+ - **Title**: Use the following options:
+ - **Search**: In ![Search by Title icon.](../../media/m365-cc-sc-search-icon.png) **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.
+ - Select **All Title**
+ - Select existing Title values.
+
+ :::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png":::
+
+ After you identify your criteria, the affected users are shown in the **User list** section that appears, where you can select some or all of the discovered recipients.
+
+ When you're finished, click **Apply(x)**, and then click **Add x users**.
+
+ Back on the main **Target users** page, you can use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find affected users. You can also click ![Delete users icon.](../../media/m365-cc-sc-search-icon.png) **Delete** to remove specific users.
+
+- ![Import icon.](../../media/m365-cc-sc-create-icon.png) **Import**: In the dialog that opens, specify a CSV file that contains one email address per line.
+
+ After you find a select the CSV file, the list of users are imported and shown on the **Targeted users** page. You can use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find affected users. You can also click ![Delete targeted users icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** to remove specific users.
+
+When you're finished, click **Next**.
+
+## Assign training
+
+On the **Assign training** page, you can assign trainings for the simulation. We recommend that you assign training for each simulation, as employees who go through training are less susceptible to similar attacks. The following settings are available:
+
+- **Select training content preference**: Choose one of the following options:
+ - **Microsoft training experience**: This is the default value that has the following associated options to configure:
+ - Select one of the following options:
+ - **Assign training for me**: This is the default and recommended value. We assign training based on a user's previous simulation and training results, and you can review the selections in the next steps of the wizard.
+ - **Select training courses and modules myself**: If you select this value, you'll still be able to see the recommended content as well as all available courses and modules in the next step of the wizard.
+ - **Due date**: Choose one of the following values:
+ - **30 days after simulation ends**: This is the default value.
+ - **15 days after simulation ends**
+ - **7 days after simulation ends**
+ - **Redirect to a custom URL**: This value has the following associated options to configure:
+ - **Custom training URL** (required)
+ - **Custom training name** (required)
+ - **Custom training description**
+ - **Custom training duration (in minutes)**: The default value is 0, which means there is no specified duration for the training.
+ - **Due date**: Choose one of the following values:
+ - **30 days after simulation ends**: This is the default value.
+ - **15 days after simulation ends**
+ - **7 days after simulation ends**
+ - **No training**: If you select this value, the only option on the page is the **Next** button that takes you to the [**Landing page**](#landing-page) page.
++
+### Training assignment
+
+> [!NOTE]
+> The **Training assignment** page is available only if you selected **Microsoft training experience** \> **Select training courses and modules myself** on the previous page.
+
+On the **Training assignment** page, select the trainings that you want to add to the simulation by clicking ![Add trainings icon.](../../media/m365-cc-sc-create-icon.png) **Add trainings**.
+
+On the **Add training** flyout that appears, you can select the trainings to use on the following tabs that are available:
+
+- **Recommended** tab: Shows the recommended built-in trainings based on the simulation configuration. These are the same trainings that would have been assigned if you selected **Assign training for me** on the previous page.
+- **All trainings** tab: Shows all built-in trainings that are available.
+
+ The following information is shown for each training:
+
+ - **Training name**
+ - **Source**: The value is **Global**.
+ - **Duration (mins)**
+ - **Preview**: Click the **Preview** button to see the training.
+
+ In the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box, you can type part of the training name and press Enter to filter the results on the current tab.
+
+ Select all trainings that you want to include from the current tab, and then click **Add**.
+
+Back on the main **Training assignment** page, the trainings that you selected are shown. The following information is shown for each training:
+
+- **Training name**
+- **Source**
+- **Duration (mins)**
+
+For each training in the list, you need to select who gets the training by selecting values in the **Assign to** column:
+
+- **All users**
+
+ or one or both of the following values:
+
+- **Clicked payload**
+- **Compromised**
+
+If you don't want to use a training that's shown, click ![Delete training icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**.
++
+When you're finished, click **Next**.
+
+### Landing page
+
+On the **Landing page** page, you configure the web page that users are taken to if they open the payload in the simulation.
+
+Microsoft-curated landing pages are available in 12 languages: Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese, Russian, Spanish, and Dutch.
+
+- **Select landing page preference**: The available values are:
+ - **Use Microsoft default landing page**: This is the default value that has the following associated options to configure:
+ - **Select landing page layout**: Select one of the available templates.
+ - **Add logo**: Click **Browse** to find and select a .png, .jpeg, or .gif file. The logo size should be a maximum of 210 x 70 to avoid distortion. To remove the logo, click **Remove**.
+ - **Add payload indicators to email**: This setting is not available if you previously selected **Malware attachment** or **Link to malware** on the [Select technique](#select-a-social-engineering-technique) page.
+
+ You can preview the results by clicking the **Open preview panel** button at the bottom of the page.
+
+ - **Use a custom URL**: This setting is not available if you previously selected **Malware attachment** or **Link to malware** on the [Select technique](#select-a-social-engineering-technique) page.
+
+ If you select **Use a custom URL**, you need to add the URL in the **Enter the custom landing page URL** box that appears. No other options are available on the page.
+
+ - **Create your own landing page**: This value has the following associated options to configure:
+ - **Add payload indicators to email**:This setting is available to select only if both of the following statements are true:
+ - You selected **Credential harvest**, **Link in attachment**, **Drive-by URL**, or **OAuth Consent Grant** on the [Select technique](#select-a-social-engineering-technique) page.
+ - You've added the **Dynamic tag** named **Insert Payload content** in the landing page content on this page.
+
+ - Landing page content: Two tabs are available:
+ - **Text**: A rich text editor is available to create your landing page. In addition to the typical font and formatting settings, the following settings are available:
+ - **Dynamic tag**: Select from the following tags:
+
+ |Tag name|Tag value|
+ |||
+ |**Insert User name**|`${userName}`|
+ |**Insert First name**|`${firstName}`|
+ |**Insert Last name**|`${lastName}`|
+ |**Insert UPN**|`${upn}`|
+ |**Insert Email**|`${emailAddress}`|
+ |**Insert Department**|`${department}`|
+ |**Insert Manager**|`${manager}`|
+ |**Insert Mobile phone**|`${mobilePhone}`|
+ |**Insert City**|`${city}`|
+ |**Insert sender name**|`${FromName}`|
+ |**Insert sender email**|`${FromEmail}`|
+ |**Insert Payload subject**|`${EmailSubject}`|
+ |**Insert Payload content**|`${EmailContent}`|
+ |**Insert Date**|`${date|MM/dd/yyyy|offset}`|
+
+ - **Use from default**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the landing page back to the default text and layout of the template, click **Reset to default**.
+ - **Code**: You can view and modify the HTML code directly.
+
+ You can preview the results by clicking the **Open preview panel** button in the middle of the page.
+
+When you're finished, click **Next**.
+
+> [!NOTE]
+> Certain trademarks, logos, symbols, insignias and other source identifiers receive heightened protection under local, state and federal statutes and laws. Unauthorized use of such indicators can subject the users to penalties, including criminal fines. Though not an extensive list, this includes the Presidential, Vice Presidential, and Congressional seals, the CIA, the FBI, Social Security, Medicare and Medicaid, the United States Internal Revenue Service, and the Olympics. Beyond these categories of trademarks, use and modification of any third-party trademark carries an inherent amount of risk. Using your own trademarks and logos in a payload would be less risky, particularly where your organization permits the use. If you have any further questions about what is or is not appropriate to use when creating or configuring a payload, you should consult with your legal advisors.
+
+## Select end user notification
+
+On the **Select end user notification** page, select from the following notification options:
+
+- **Do not deliver notifications**: Click **Proceed** in the alert dialog that appears. If you select this option, you're taken to the [Launch details](#launch-details) page when you click **Next**.
+
+- **Microsoft default notification (recommended)**: The following additional settings are available on the page:
+
+ - **Select default language**: The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.
+
+ - By default, the following notifications are included:
+ - **Microsoft positive reinforcement notification**
+ - **Microsoft default training assignment notification**
+ - **Microsoft default training reminder notification**
+
+ For each notification, the following information is available:
+ - **Notifications**: The name of the notification.
+ - **Language**: If the notification contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).
+ - **Type**: One of the following values:
+ - **Positive reinforcement notification**
+ - **Training assignment notification**
+ - **Training reminder notification**
+ - **Delivery preferences**: For **Positive reinforcement notification** and **Training reminder notification** types, the following values are available
+ - **Do not deliver**
+ - **Deliver after campaign ends**
+ - **Deliver during campaign**
+ - **Actions**: If you click on the ![View icon.](../../media/m365-cc-sc-view-icon.png) **View** icon, the **Review notification** page appears with the following information:
+ - **Preview** tab: View the notification message as users will see it.
+ - To view the message in different languages, use the **Select language** box.
+ - Use the **Select payload to preview** box to select the notification message for simulations that contain multiple payloads.
+ - **Details** tab: View details about the notification:
+ - **Notification description**
+ - **Source**: For built-in notifications, the value is **Global**. For custom notifications, the value is **Tenant**.
+ - **Notification type**: One of the following types base on the notification you originally selected:
+ - **Positive reinforcement notification**
+ - **Training assignment notification**
+ - **Training reminder notification**
+ - **Modified by**
+ - **Last modified**
+
+ When you're finished, click **Close**.
+
+ You're taken to the [Launch details](#launch-details) page when you click **Next**.
+
+- **Customized end user notifications**: When you click **Next**, you're taken to the **Training assignment notification** page as described in the next sections.
+
+### Training assignment notification
+
+The **Training assignment notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.
+
+This page shows the following notifications and their configured languages:
+
+- **Microsoft default training assignment notification**
+- Any custom training assignment notifications that you previously created.
+
+ These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. **Microsoft default training assignment notification** is available on the **Global notifications** tab. Custom training assignment notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
+
+You can select an existing training assignment notification or create a new notification to use:
+
+- To select an existing notification, click in the blank area next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.
+- To search for an existing notification, use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to search for the name.
+
+ Select the notification that you want to use, and then click **Next**.
+
+- To create and use a new notification, click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new**.
+
+#### Create new training assignment notification wizard
+
+If you clicked ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new** on the **Training assignment notification** page, a notification creation wizard opens.
+
+The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).
+
+> [!NOTE]
+> On the **Define details** page, be sure to select the value **Training assignment notification** for **Select notification type**.
+
+When you're finished, you're taken back to the **Training assignment notification** page where the notification that you just created now appears in the list.
+
+Select the notification that you want to use, and then click **Next**.
+
+### Training reminder notification
+
+The **Training reminder notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.
+
+- **Set frequency for reminder notification**: Select **Weekly** (default) or **Twice a week**.
+
+- **Select a reminder notification**: This section shows the following notifications and their configured languages:
+
+ - **Microsoft default training reminder notification**
+ - Any custom training reminder notifications that you previously created.
+
+ These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. **Microsoft default training reminder notification** is available on the **Global notifications** tab. Custom training reminder notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
+
+ You can select an existing training reminder notification or create a new notification to use:
+
+ - To select an existing notification, click in the blank area next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.
+ - To search for an existing notification, use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to search for the name.
+
+ Select the notification that you want to use, and then click **Next**.
+
+ - To create and use a new notification, click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new**.
+
+#### Create new training reminder notification wizard
+
+If you clicked ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new** on the **Training reminder notification** page, a notification creation wizard opens.
+
+The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).
+
+> [!NOTE]
+> On the **Define details** page, be sure to select the value **Training reminder notification** for **Select notification type**.
+
+When you're finished, you're taken back to the **Training reminder notification** page where the notification that you just created now appears in the list.
+
+Select the notification that you want to use, and then click **Next**.
+
+### Positive reinforcement notification
+
+The **Positive reinforcement notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.
+
+- **Delivery preferences**: Select one of the following values:
+
+ - **Do not deliver**: If you select this option, you're taken to the [Launch details](#launch-details) page when you click **Next**.
+
+ - **Deliver after the user reports a phish and campaign ends** or **Deliver immediately after the user reports a phish**: These sections show the following notifications and their configured languages in the **Select a positive reinforcement notification** section that appears:
+
+ - **Microsoft default positive reinforcement notification**
+ - Any custom positive reinforcement notifications that you previously created.
+
+ These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. **Microsoft default positive reinforcement notification** is available on the **Global notifications** tab. Custom positive reinforcement notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
+
+ You can select an existing positive reinforcement notification or create a new notification to use:
+
+ - To select an existing notification, click in the blank area next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.
+ - To search for an existing notification, use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to search for the name.
+
+ Select the notification that you want to use, and then click **Next**.
+
+ - To create and use a new notification, click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new**.
+
+#### Create new positive reinforcement notification wizard
+
+If you clicked ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new** on the **Positive reinforcement notification** page, a notification creation wizard opens.
+
+The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).
+
+> [!NOTE]
+> On the **Define details** page, be sure to select the value **Positive reinforcement notification** for **Select notification type**.
+
+When you're finished, you're taken back to the **Positive reinforcement notification** page where the notification that you just created now appears in the list.
+
+Select the notification that you want to use, and then click **Next**.
+
+## Launch details
+
+On the **Launch details** page, you choose when to launch the simulation and when to end the simulation. We'll stop capturing interaction with this simulation after the end date you specify.
+
+The following settings are available:
+
+- Choose one of the following values:
+ - **Launch this simulation as soon as I'm done**
+ - **Schedule this simulation to be launched later**: This value has the following associated options to configure:
+ - **Select launch date**
+ - **Select launch time**
+- **Configure number of days to end simulation after**: The default value is 2.
+- **Enable region aware time zone delivery**: Deliver simulated attack messages to your employees during their working hours based on their region.
+- **Display the drive-by technique interstitial data gathered page**: You can show the overlay that appears for the drive-by URL technique attacks. To hide this overlay and directly go to the landing page, de-select this option.
+
+- **Display the drive-by technique interstitial data gathered page**: This setting is available only if you selected **Drive-by URL** on the [select a technique page](#select-a-social-engineering-technique) page. You can show the overlay that comes up for drive-by URL technique attacks. To hide the overlay and go directly to the landing page, don't select this option.
+
+When you're finished, click **Next**.
+
+## Review simulation
+
+On the **Review simulation** page, you can review the details of your simulation.
+
+Click the ![Send a test icon.](../../media/m365-cc-sc-send-icon.png) **Send a test** button to send a copy of the payload email to yourself (the currently logged in user) for inspection.
+
+You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+
+When you're finished, click **Submit**.
+
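Review bot: the **Launch details** list documents **Display the drive-by technique interstitial data gathered page** twice, first with no condition and then again with the "available only if you selected **Drive-by URL**" condition. Keep only the second bullet, and fix its link, which renders as "select a technique page page" because the word "page" is both inside and after the link text. Two smaller points in the same file: under **Target users**, the **Delete** action that follows **Add users** references `m365-cc-sc-search-icon.png`, while the same action in the **Import** paragraph references `m365-cc-sc-delete-icon.png`, so the first looks like a copy-paste slip. Under **Login page**, `[Close icon.](../../media/m365-cc-sc-close-icon.png)` lacks the leading `!` that the other icon references carry, so it renders as a link instead of an image.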
security Connection Filter Policies Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connection-filter-policies-configure.md
+
+ Title: Configure the default connection filter policy
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+ms.assetid: 6ae78c12-7bbe-44fa-ab13-c3768387d0e3
+
+ - m365-security
+
+ - seo-marvel-apr2020
+description: Admins can learn how to configure connection filtering in Exchange Online Protection (EOP) to allow or block emails from email servers.
++++
+# Configure connection filtering
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, you use connection filtering in EOP (specifically, the default connection filter policy) to identify good or bad source email servers by their IP addresses. The key components of the default connection filter policy are:
+
+- **IP Allow List**: Skip spam filtering for all incoming messages from the source email servers that you specify by IP address or IP address range. For scenarios where spam filtering might still occur on messages from these sources, see the [Scenarios where messages from sources in the IP Allow List are still filtered](#scenarios-where-messages-from-sources-in-the-ip-allow-list-are-still-filtered) section later in this article. For more information about how the IP Allow List should fit into your overall safe senders strategy, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md).
+
+- **IP Block List**: Block all incoming messages from the source email servers that you specify by IP address or IP address range. The incoming messages are rejected, are not marked as spam, and no additional filtering occurs. For more information about how the IP Block List should fit into your overall blocked senders strategy, see [Create block sender lists in EOP](create-block-sender-lists-in-office-365.md).
+
+- **Safe list**: The *safe list* is a dynamic allow list in the Microsoft datacenter that requires no customer configuration. Microsoft identifies these trusted email sources from subscriptions to various third-party lists. You enable or disable the use of the safe list; you can't configure the source email servers on the safe list. Spam filtering is skipped on incoming messages from the email servers on the safe list.
+
+This article describes how to configure the default connection filter policy in the Microsoft 365 Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes). For more information about how EOP uses connection filtering is part of your organization's overall anti-spam settings, see [Anti-spam protection](anti-spam-protection.md).
+
+> [!NOTE]
+> The IP Allow List, safe list, and the IP Block List are one part of your overall strategy to allow or block email in your organization. For more information, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md) and [Create blocked sender lists](create-block-sender-lists-in-office-365.md).
+
+## What do you need to know before you begin?
+
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
+
+- You need to be assigned permissions in **Exchange Online** before you can do the procedures in this article:
+ - To modify the default connection filter policy, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
+ - For read-only access to the default connection filter policy, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+
+ For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+
+ **Notes**:
+
+ - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
+
+- To find the source IP addresses of the email servers (senders) that you want to allow or block, you can check the connecting IP (**CIP**) header field in the message header. To view a message header in various email clients, see [View internet message headers in Outlook](https://support.microsoft.com/office/cd039382-dc6e-4264-ac74-c048563d212c).
+
+- The IP Allow List takes precedence over the IP Block List (an address on both lists is not blocked).
+
+- The IP Allow List and the IP Block List each support a maximum of 1273 entries, where an entry is a single IP address, an IP address range, or a Classless InterDomain Routing (CIDR) IP.
+
+## Use the Microsoft 365 Defender portal to modify the default connection filter policy
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+2. On the **Anti-spam policies** page, select **Connection filter policy (Default)** from the list by clicking on the name of the policy.
+
+3. In the policy details flyout that appears, configure any of the following settings:
+
+ - **Description** section: Click **Edit name and description**. In the **Edit name and description** flyout that appears, enter optional descriptive text in the **Description** box.
+
+ When you're finished, click **Save**.
+
+ - **Connection filtering section**: Click **Edit connection filter policy**. In the flyout that appears, configure the following settings:
+
+ - **Always allow messages from the following IP addresses or address range**: This is the IP Allow list. Click in the box, enter a value, and then press Enter or select the complete value that's displayed below the box. Valid values are
+ - Single IP: For example, 192.168.1.1.
+ - IP range: For example, 192.168.0.1-192.168.0.254.
+ - CIDR IP: For example, 192.168.0.1/25. Valid subnet mask values are /24 through /32. To skip spam filtering for /1 to /23, see the [Skip spam filtering for a CIDR IP outside of the available range](#skip-spam-filtering-for-a-cidr-ip-outside-of-the-available-range) section later in this article.
+
+ Repeat this step as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
+
+ To add the IP address or address range, click in the box and type itclick **Add** ![Add Icon.](../../media/ITPro-EAC-AddIcon.png). To remove an entry, select the entry in **Allowed IP Address** and then click **Remove** ![Remove](../../media/scc-remove-icon.png). When you're finished, click **Save**.
+
+ - **Always block messages from the following IP addresses or address range**: This is the IP Block List. Enter a single IP, IP range, or CIDR IP in the box as previously described in the **Always allow messages from the following IP addresses or address range** setting.
+
+ - **Turn on safe list**: Enable or disable the use of the safe list to identify known, good senders that will skip spam filtering. To use the safe list, select the check box.
+
+ When you're finished, click **Save**.
+
+4. Back on the policy details flyout, click **Close**.
+
+## Use the Microsoft 365 Defender portal to view the default connection filter policy
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.
+
+2. On the **Anti-spam policies** page, the following properties are displayed in the list of policies:
+
+ - **Name**: This value is **Connection filter policy (Default)** for the default connection filter policy.
+ - **Status**: This value is **Always on** for the default connection filter policy.
+ - **Priority**: This value is **Lowest** for the default connection filter policy.
+ - **Type**: This value is blank for the default connection filter policy.
+
+3. When you select the default connection filter policy, the policy settings are displayed in a flyout.
+
+## Use Exchange Online PowerShell or standalone EOP PowerShell to modify the default connection filter policy
+
+Use the following syntax:
+
+```powershell
+Set-HostedConnectionFilterPolicy -Identity Default [-AdminDisplayName <"Optional Comment">] [-EnableSafeList <$true | $false>] [-IPAllowList <IPAddressOrRange1,IPAddressOrRange2...>] [-IPBlockList <IPAddressOrRange1,IPAddressOrRange2...>]
+```
+
+**Notes**:
+
+- Valid IP address or address range values are:
+ - Single IP: For example, 192.168.1.1.
+ - IP range: For example, 192.168.0.1-192.168.0.254.
+ - CIDR IP: For example, 192.168.0.1/25. Valid network mask values are /24 through /32.
+- To *overwrite* any existing entries with the values you specify, use the following syntax: `IPAddressOrRange1,IPAddressOrRange2,...,IPAddressOrRangeN`.
+- To *add or remove* IP addresses or address ranges without affecting other existing entries, use the following syntax: `@{Add="IPAddressOrRange1","IPAddressOrRange2",...,"IPAddressOrRangeN";Remove="IPAddressOrRange3","IPAddressOrRange4",...,"IPAddressOrRangeN"}`.
+- To empty the IP Allow List or IP Block List, use the value `$null`.
+
+This example configures the IP Allow List and the IP Block List with the specified IP addresses and address ranges.
+
+```powershell
+Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList 192.168.1.10,192.168.1.23 -IPBlockList 10.10.10.0/25,172.17.17.0/24
+```
+
+This example adds and removes the specified IP addresses and address ranges from the IP Allow List.
+
+```powershell
+Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add="192.168.2.10","192.169.3.0/24","192.168.4.1-192.168.4.5";Remove="192.168.1.10"}
+```
+
+For detailed syntax and parameter information, see [Set-HostedConnectionFilterPolicy](/powershell/module/exchange/set-hostedconnectionfilterpolicy).
+
+## How do you know this worked?
+
+To verify that you've successfully modified the default connection filter policy, do any of the following steps:
+
+- On the **Anti-spam** page in the Microsoft 365 Defender portal at <https://security.microsoft.com/antispam>, select **Connection filter policy (Default)** from the list by clicking on the name of the policy, and verify the settings.
+
+- In Exchange Online PowerShell or standalone EOP PowerShell, run the following command and verify the settings:
+
+ ```powershell
+ Get-HostedConnectionFilterPolicy -Identity Default
+ ```
+
+- Send a test message from an entry on the IP Allow List.
+
+## Additional considerations for the IP Allow List
+
+The following sections identify additional items that you need to know about when you configure the IP Allow List.
+
+### Skip spam filtering for a CIDR IP outside of the available range
+
+As described earlier in this article, you can only use a CIDR IP with the network mask /24 to /32 in the IP Allow List. To skip spam filtering on messages from source email servers in the /1 to /23 range, you need to use Exchange mail flow rules (also known as transport rules). But, we recommend that you don't do this if at all possible, because the messages will be blocked if an IP address in the /1 to /23 CIDR IP range appears on any of Microsoft's proprietary or third-party block lists.
+
+Now that you're fully aware of the potential issues, you can create a mail flow rule with the following settings (at a minimum) to ensure that messages from these IP addresses will skip spam filtering:
+
+- Rule condition: **Apply this rule if** \> **The sender** \> **IP address is in any of these ranges or exactly matches** \> (enter your CIDR IP with a /1 to /23 network mask).
+- Rule action: **Modify the message properties** \> **Set the spam confidence level (SCL)** \> **Bypass spam filtering**.
+
+You can audit the rule, test the rule, activate the rule during a specific time period, and other selections. We recommend testing the rule for a period before you enforce it. For more information, see [Manage mail flow rules in Exchange Online](/Exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules).
+
+### Skip spam filtering on selective email domains from the same source
+
+Typically, adding an IP address or address range to the IP Allow List means you trust all incoming messages from that email source. But what if that source sends email from multiple domains, and you want to skip spam filtering for some of those domains, but not others? You can't use the IP Allow List alone to do this, but you can use the IP Allow List in combination with a mail flow rule.
+
+For example, the source email server 192.168.1.25 sends email from the domains contoso.com, fabrikam.com, and tailspintoys.com, but you only want to skip spam filtering for messages from senders in fabrikam.com. To do this, use the following steps:
+
+1. Add 192.168.1.25 to the IP Allow List.
+
+2. Configure a mail flow rule with the following settings (at a minimum):
+ - Rule condition: **Apply this rule if** \> **The sender** \> **IP address is in any of these ranges or exactly matches** \> 192.168.1.25 (the same IP address or address range that you added to the IP Allow List in the previous step).
+ - Rule action: **Modify the message properties** \> **Set the spam confidence level (SCL)** \> **0**.
+ - Rule exception: **The sender** \> **domain is** \> fabrikam.com (only the domain or domains that you want to skip spam filtering).
+
+### Scenarios where messages from sources in the IP Allow List are still filtered
+
+Messages from an email server in your IP Allow List are still subject to spam filtering in the following scenarios:
+
+- An IP address in your IP Allow List is also configured in an on-premises, IP-based inbound connector in *any* tenant in Microsoft 365 (let's call this Tenant A), **and** Tenant A and the EOP server that first encounters the message both happen to be in *the same* Active Directory forest in the Microsoft datacenters. In this scenario, **IPV:CAL** *is* added to the message's [anti-spam message headers](anti-spam-message-headers.md) (indicating the message bypassed spam filtering), but the message is still subject to spam filtering.
+
+- Your tenant that contains the IP Allow List and the EOP server that first encounters the message both happen to be in *different* Active Directory forests in the Microsoft datacenters. In this scenario, **IPV:CAL** *is not* added to the message headers, so the message is still subject to spam filtering.
+
+If you encounter either of these scenarios, you can create a mail flow rule with the following settings (at a minimum) to ensure that messages from the problematic IP addresses will skip spam filtering:
+
+- Rule condition: **Apply this rule if** \> **The sender** \> **IP address is in any of these ranges or exactly matches** \> (your IP address or addresses).
+- Rule action: **Modify the message properties** \> **Set the spam confidence level (SCL)** \> **Bypass spam filtering**.
+
+## New to Microsoft 365?
+
+****
+
+![The short icon for LinkedIn Learning.](../../media/eac8a413-9498-4220-8544-1e37d1aaea13.png) **New to Microsoft 365?** Discover free video courses for **Microsoft 365 admins and IT pros**, brought to you by LinkedIn Learning.
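Review bot: The add/remove example for `-IPAllowList` uses `192.169.3.0/24`, which falls outside the 192.168.0.0/16 private range that every other sample address in this article comes from. It reads as a typo for `192.168.3.0/24`, and because allow list examples get copied into real policies it should be corrected. In the portal procedure, the paragraph that begins "To add the IP address or address range, click in the box and type itclick **Add**" is garbled and repeats, with different icons, what the preceding "Repeat this step as many times as necessary" paragraph already covers, so it looks like leftover text to delete. The opening sentence also carries a doubled "Microsoft 365 Microsoft 365 Defender portal" and the broken clause "how EOP uses connection filtering is part of", which should be rewritten before merge.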
security Connectors Detect Respond To Compromise https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-detect-respond-to-compromise.md
+
+ Title: Respond to a compromised connector in Microsoft 365
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
+ Last updated :
+ms.localizationpriority: medium
+ms.assetid:
+
+ - m365-security
+
+description: Learn how to recognize and respond to a compromised connector in Microsoft 365.
++
+search.appverid: met150
++
+# Respond to a compromised connector
++
+**Applies to**
+
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+Connectors are used for enabling mail flow between Microsoft 365 or Office 365 and email servers that you have in your on-premises environment. For more information, see [Configure mail flow using connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow).
+
+A compromised inbound connector is defined as when an unauthorized individual either applies change(s) to an existing inbound connector or creates a new inbound connector in a Microsoft 365 tenant, with the intention of sending spam or phish emails. Note that this is applicable only to inbound connectors of type OnPremises.
+
+## Detect a compromised connector
+
+Here are some of the characteristics of a compromised connector:
+
+- Sudden spike in outbound mail volume.
+
+- Mismatch between P1 and P2 senders in outbound mails. For more information on P1 and P2 senders, see [How EOP validates the From address to prevent phishing](anti-phishing-from-email-address-validation.md#an-overview-of-email-message-standards).
+
+- Outbound mails sent from a domain that is not provisioned or registered.
+
+- The connector is blocked from sending relaying mail.
+
+- The presence of an inbound connector wasn't created by the intended user or the administrator.
+
+- Unauthorized change(s) in existing connector configuration, such as name, domain name, and IP address.
+
+- A recently compromised administrator account. Note that you can edit connector configuration only if you have administrative access.
+
+## Secure and restore email function to a suspected compromised connector
+
+You must complete all the following steps to regain access to your connector. These steps help you remove any back-door entries that may have been added to your connector.
+
+### Step 1: Identify if an inbound connector has been compromised
+
+#### Review recent suspicious connector traffic or related messages
+
+If you have [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md), go directly to https://security.microsoft.com/threatexplorer.
+
+1. Select **Connector**, insert **Connector Name**, select date range, and then click **Refresh**.
+
+ :::image type="content" source="../../media/connector-compromise-explorer.png" alt-text="Inbound connector explorer view" lightbox="../../media/connector-compromise-explorer.png":::
+
+2. Identify if there's any abnormal spike or dip in email traffic.
+
+ :::image type="content" source="../../media/connector-compromise-abnormal-spike.png" alt-text="Number of emails delivered to junk folder" lightbox="../../media/connector-compromise-abnormal-spike.png":::
+
+3. Identify:
+
+ - If **Sender IP** matches with your organization's on-prem IP address.
+
+ - If a significant number of emails were recently sent to the **Junk** folder. This is a good indicator of a compromised connector being used to send spam.
+
+ - If the recipients are the ones that your organization usually stays in contact with.
+
+ :::image type="content" source="../../media/connector-compromise-sender-ip.png" alt-text="Sender IP and your organization's on-prem IP address" lightbox="../../media/connector-compromise-sender-ip.png":::
+
+If you have [Microsoft Defender for Office 365 Plan 1](defender-for-office-365.md) or [Exchange Online Protection](exchange-online-protection-overview.md), go to https://admin.exchange.microsoft.com/#/messagetrace.
+
+1. Open **Suspicious connector activity** alert in https://security.microsoft.com/alerts.
+
+2. Select an activity under **Activity list**, and copy suspicious **connector domain** and **IP address** detected in the alert.
+
+ :::image type="content" source="../../media/connector-compromise-outbound-email-details.png" alt-text="Connector compromise outbound email details" lightbox="../../media/connector-compromise-outbound-email-details.png":::
+
+3. Search by using **connector domain** and **IP address** in [**Message trace**](https://admin.exchange.microsoft.com/#/messagetrace).
+
+ :::image type="content" source="../../media/connector-compromise-new-message-trace.png" alt-text="New message trace flyout" lightbox="../../media/connector-compromise-new-message-trace.png":::
+
+4. In the **Message trace** search results, identify:
+
+ - If a significant number of emails were recently marked as **FilteredAsSpam**. This is a good indicator of a compromised connector being used to send spam.
+
+ - If the recipients are the ones that your organization usually stays in contact with.
+
+ :::image type="content" source="../../media/connector-compromise-message-trace-results.png" alt-text="New message trace search results" lightbox="../../media/connector-compromise-message-trace-results.png":::
+
+#### Investigate and validate connector-related activity
+
+Use the following command line in PowerShell to investigate and validate connector-related activity by a user in the audit log. For more information, see [Use a PowerShell script to search the audit log](/compliance/audit-log-search-script).
+
+```powershell
+Search-UnifiedAuditLog -StartDate "<ExDateTime>" -EndDate "<ExDateTime>" -Operations "New-InboundConnector", "Set-InboundConnector", "Remove-InboundConnector
+```
+
+### Step 2: Review and revert unauthorized change(s) in a connector
+
+1. Sign into https://admin.exchange.microsoft.com/.
+
+2. Review and revert unauthorized connector change(s).
+
+### Step 3: Unblock the connector to re-enable mail flow
+
+1. Sign into https://security.microsoft.com/restrictedentities.
+
+2. Select the restricted connector to unblock the connector.
+
+### Step 4: Investigate and remediate potentially compromised administrative user account
+
+If a user with an unauthorized connector activity is identified, you can investigate this user for potential compromise. For more information, see [Responding to a Compromised Email Account](responding-to-a-compromised-email-account.md).
+
+## More information
+
+- [Remove blocked connectors](connectors-remove-blocked.md)
+- [Remove blocked users](removing-user-from-restricted-users-portal-after-spam.md)
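Review bot: The `Search-UnifiedAuditLog` command under "Investigate and validate connector-related activity" is missing the closing double quote after `Remove-InboundConnector`, so it will not parse when pasted; end the `-Operations` list with `"Remove-InboundConnector"`. Step 2 tells the reader to "Review and revert unauthorized connector change(s)" without saying how to tell which changes were unauthorized; pointing back to the audit log results from Step 1 would close that gap. In the detection list, "The presence of an inbound connector wasn't created by" is missing "that", and "blocked from sending relaying mail" needs rewording. The Plan 1/EOP paragraph links to message trace, but its first step opens the alert at https://security.microsoft.com/alerts, so the link would sit better at step 3 where message trace is actually used.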
security Connectors Mail Flow Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-mail-flow-intelligence.md
+
+ Title: Mail flow intelligence
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
++
+ms.localizationpriority: medium
+search.appverid:
+ - MET150
+ms.assetid: c29f75e5-c16e-409e-a123-430691e38276
+description: Admins can learn about the error codes that are associated with message delivery using connectors (also known as mail flow intelligence).
+++++
+# Mail flow intelligence in EOP
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you typically use a connector to route email messages from EOP to your on-premises email environment. You might also use a connector to route messages from Microsoft 365 to a partner organization. When Microsoft 365 can't deliver these messages via the connector, they're queued in Microsoft 365. Microsoft 365 will continue to retry delivery for each message for 24 hours. After 24 hours, the queued message will expire, and the message will be returned to the original sender in a non-delivery report (also known as an NDR or bounce message).
+
+Microsoft 365 generates an error when a message can't be delivered by using a connector. The most common errors and their solutions are described in this article. Collectively, queuing and notification errors for undeliverable messages sent via connectors is known as _mail flow intelligence_.
+
+## Error code: 450 4.4.312 DNS query failed
+
+Typically, this error means Microsoft 365 tried to connect to the smart host that's specified in the connector, but the DNS query to find the smart host's IP addresses failed. The possible causes for this error are:
+
+- There's an issue with your domain's DNS hosting service (the party that maintains the authoritative name servers for your domain).
+
+- Your domain has recently expired, so the MX record can't be retrieved.
+
+- Your domain's MX record has recently changed, and the DNS servers still have previously cached DNS information for your domain.
+
+### How do I fix error code 450 4.4.312?
+
+- Work with your DNS hosting service to identify and fix the problem with your domain.
+
+- If the error is from your partner organization (for example, a 3rd party cloud service provider), contact your partner to fix the issue.
+
+## Error code: 450 4.4.315 Connection timed out
+
+Typically, this means Microsoft 365 can't connect to the destination email server. The error details will explain the problem. For example:
+
+- Your on-premises email server is down.
+
+- There's an error in the connector's smart host settings, so Microsoft 365 is trying to connect to the wrong IP address.
+
+### How do I fix error code 450 4.4.315?
+
+- Find out which scenario applies to you, and make the necessary corrections. For example, if mail flow has been working correctly, and you haven't changed the connector settings, you need to check your on-premises email environment to see if the server is down, or if there have been any changes to your network infrastructure (for example, you've changed internet service providers, so you now have different IP addresses).
+
+- If the error is from your partner organization (for example, a 3rd party cloud service provider), contact your partner to fix the issue.
+
+## Error code: 450 4.4.316 Connection refused
+
+Typically, this error means Microsoft 365 encountered a connection error when it tried to connect to the destination email server. A likely cause for this error is your firewall is blocking connections from Microsoft 365 IP addresses. Or, this error might be by design if you've completely migrated your on-premises email system to Microsoft 365 and shut down your on-premises email environment.
+
+### How do I fix error code 450 4.4.316?
+
+- If you have mailboxes in your on-premises environment, you need to modify your firewall settings to allow connections from Microsoft 365 IP addresses on TCP port 25 to your on-premises email servers. For a list of the Microsoft 365 IP addresses, see [Microsoft 365 URLs and IP address ranges](../../enterprise/urls-and-ip-address-ranges.md).
+
+- If no more messages should be delivered to your on-premises environment, click **Fix now** in the alert so Microsoft 365 can immediately reject the messages with invalid recipients. This will reduce the risk of exceeding your organization's quota for invalid recipients, which could impact normal message delivery. Or, you can use the following instructions to manually fix the issue:
+
+ - In the Exchange admin center, disable or delete the connector that delivers email from Microsoft 365 to your on-premises email environment:
+
+ 1. In the EAC at <https://admin.exchange.microsoft.com>, go to **Mail flow** \> **Connectors**. To go directly to the **Connectors** page, use <https://admin.exchange.microsoft.com/#/connectors>.
+
+ 2. Select the connector with the **From** value **Office 365** and the **To** value **Your organization's email server** and do one of the following steps:
+ - Delete the connector by clicking **Delete** ![Remove icon.](../../media/adf01106-cc79-475c-8673-065371c1897b.gif)
+ - Disable the connector by clicking **Edit** ![Edit icon.](../../media/ebd260e4-3556-4fb0-b0bb-cc489773042c.gif) and clearing **Turn it on**.
+
+ - Change the accepted domain in Microsoft 365 that's associated with your on-premises email environment from **Internal Relay** to **Authoritative**. For instructions, see [Manage accepted domains in Exchange Online](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).
+
+ **Note**: Typically, these changes take between 30 minutes and one hour to take effect. After one hour, verify that you no longer receive the error.
+
+- If the error is from your partner organization (for example, a 3rd party cloud service provider), you need to contact your partner to fix the issue.
+
+## Error code: 450 4.4.317 Cannot connect to remote server
+
+Typically, this error means Microsoft 365 connected to the destination email server, but the server responded with an immediate error, or doesn't meet the connection requirements. The error details will explain the problem. For example:
+
+- The destination email server responded with a "Service not available" error, which indicates the server is unable to maintain communication with Microsoft 365.
+- The connector is configured to require TLS, but the destination email server doesn't support TLS.
+
+### How do I fix error code 450 4.4.317?
+
+- Verify the TLS settings and certificates on your on-premises email servers, and the TLS settings on the connector.
+- If the error is from your partner organization (for example, a 3rd party cloud service provider), you need to contact your partner to fix the issue.
+
+## Error code: 450 4.4.318 Connection was closed abruptly
+
+Typically, this error means Microsoft 365 is having difficulty communicating with your on-premises email environment, so the connection was dropped. The possible causes for this error are:
+
+- Your firewall uses SMTP packet examination rules, and those rules aren't working correctly.
+- Your on-premises email server isn't working correctly (for example, service hangs, crashes, or low system resources), which is causing the server to time out and close the connection to Microsoft 365.
+- There are network issues between your on-premises environment and Microsoft 365.
+
+### How do I fix error code 450 4.4.318?
+
+- Find out which scenario applies to you, and make the necessary corrections.
+- If the problem is caused by network issues between your on-premises environment and Microsoft 365, contact your network team to troubleshoot the issue.
+- If the error is from your partner organization (for example, a 3rd party cloud service provider), you need to contact your partner to fix the issue.
+
+## Error code: 450 4.7.320 Certificate validation failed
+
+Typically, this error means Microsoft 365 encountered an error while trying to validate the certificate of the destination email server. The error details will explain the error. For example:
+
+- Certificate expired
+- Certificate subject mismatch
+- Certificate is no longer valid
+
+### How do I fix error code 450 4.7.320?
+
+- Fix the certificate or the settings on the connector so that queued messages in Microsoft 365 can be delivered.
+- If the error is from your partner organization (for example, a 3rd party cloud service provider), you need to contact your partner to fix the issue.
+
+## Other error codes
+
+Microsoft 365 is having difficulty delivering messages to your on-premises or partner email server. Use the **Destination server** information in the error to examine the issue in your environment, or modify the connector if there's a configuration error.
+
+If the error is from your partner organization (for example, a 3rd party cloud service provider), you need to contact your partner to fix the issue.
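Review bot: In the fix for 450 4.7.320, "Fix the certificate or the settings on the connector" does not say which connector settings are meant; name them, and point readers at correcting the expired or mismatched certificate first, so the sentence is not read as advice to loosen certificate validation on the connector. The fix list for 450 4.4.317 covers only TLS, although the causes above it also list a "Service not available" response from the destination server. In the 450 4.4.312 section the introduction describes a failed lookup of the smart host's IP addresses while two of the listed causes refer to the MX record; state which lookup the error applies to. In the second introductory paragraph, "queuing and notification errors ... is known as" should be "are known as".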
security Connectors Remove Blocked https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/connectors-remove-blocked.md
+
+ Title: Remove blocked connectors from the Restricted entities portal in Microsoft 365
+f1.keywords:
+ - NOCSH
+++
+audience: ITPro
+ Last updated :
+ms.localizationpriority: medium
+ms.assetid:
+
+ - m365-security
+
+description: Learn how to remove blocked connectors in Microsoft 365 Defender.
++
+search.appverid: met150
++
+# Remove blocked connectors from the Restricted entities portal
++
+**Applies to**
+
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+If an inbound connector is detected as potentially compromised, it is restricted from sending any relaying email. The connector is then added to the **Restricted entities** page in the Microsoft 365 Defender portal. When the connector is used to send email, the message is returned in a non-delivery report (also known as an NDR or bounced message) with the error code 550;5.7.711 and the following text:
+
+> Your message couldn't be delivered. The most common reason for this is that your organization's email connector is suspected of sending spam or phish and it's no
+> longer allowed to send email. Contact your email admin for assistance.
+> Remote Server returned '550;5.7.711 Access denied, bad inbound connector. AS(2204).'
+
+Admins can remove connectors from the Restricted entities page in Microsoft 365 Defender or in Exchange Online PowerShell.
+
+## Learn more on restricted entities
+
+A restricted entity is an entity that has been blocked from sending email because either it has been potentially compromised, or it has exceeded sending limit.
+
+There are 2 types of restricted entities:
+
+- **Restricted user**: For more information about why a user can be restricted and how to handle restricted users, see [Remove blocked users from the Restricted entities portal](removing-user-from-restricted-users-portal-after-spam.md).
+
+- **Restricted connector**: Learn about why a connector can be restricted and how to handle restricted connectors (this article).
+
+## What do you need to know before you begin?
+
+- Open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Restricted entities** page, use <https://security.microsoft.com/restrictedentities>.
+
+- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+- You must have permissions in **Exchange Online** before you can follow the procedures mentioned in this article:
+ - To remove connectors from the Restricted entities portal, you need to be a member of the **Organization Management** or **Security Administrator** role groups.
+ - For read-only access to the Restricted entities portal, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+
+ For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+
+ > [!NOTE]
+ >
+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ >
+ > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
+
+- Before you remove the connector from the Restricted entities portal, be sure to follow the required steps to regain control of the connector. For more information, see [Respond to a compromised connector](connectors-detect-respond-to-compromise.md).
+
+## Use the Microsoft 365 Defender portal to remove a connector from the Restricted entities list
+
+1. In the [Microsoft 365 Defender portal](https://security.microsoft.com), go to **Email & collaboration** \> **Review** \> **Restricted entities**. To go directly to the **Restricted entities** page, use <https://security.microsoft.com/restrictedentities>.
+
+2. On the **Restricted entities** page, find and select the connector that you want to unblock by clicking on the connector.
+
+3. Click the **Unblock** action that appears.
+
+4. In the **Unblock entity** flyout that appears, read the details about the restricted connector. You should go through the recommendations to ensure you're taking the proper actions in case the connector is compromised.
+
+5. When you're finished, click **Unblock**.
+
+ > [!NOTE]
+ > It might take up to 1 hour for all restrictions to be removed from the connector.
+
+## Verify the alert settings for restricted connectors
+
+The default alert policy named **Suspicious connector activity** will automatically notify admins when connectors are blocked from relaying email. For more information about alert policies, see [Alert policies in Microsoft 365](../../compliance/alert-policies.md).
+
+> [!IMPORTANT]
+> For alerts to work, audit log search must to be turned on. For more information, see [Turn the audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md).
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Policies & rules** \> **Alert policy**.
+
+2. On the **Alert policy** page, find and select the alert named **Suspicious connector activity**. You can sort the policies by name, or use the **Search box** to find the policy.
+
+3. In the **Suspicious connector activity** flyout that appears, verify or configure the following settings:
+ - **Status**: Verify the alert is turned on ![Toggle on.](../../media/scc-toggle-on.png).
+ - **Email recipients**: Click **Edit** and verify or configure the following settings in the **Edit recipients** flyout that appears:
+ - **Send email notifications**: Verify this is selected (**On**).
+ - **Email recipients**: The default value is **TenantAdmins** (meaning, **Global admin** members). To add more recipients, click on a blank area of the box. A list of recipients will appear, and you can start typing a name to filter and select a recipient. You can remove an existing recipient from the box by clicking ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to their name.
+ - **Daily notification limit**: The limit is no more than 3 notifications per connector per day.
+
+ When you're finished, click **Save**.
+
+4. Back on the **Suspicious connector activity** flyout, click **Close**.
+
+## Use Exchange Online PowerShell to view and remove connectors from the Restricted entities list
+
+To view the list of connectors that are restricted from sending email, run the following command:
+
+```powershell
+Get-BlockedConnector
+```
+
+To view details about a specific connector, replace \<connectorId\> and run the following command:
+
+```powershell
+Get-BlockedConnector -ConnectorId <connectorId>
+```
+
+To remove a connector from the Restricted entities list, replace \<connectorId\> and run the following command:
+
+```powershell
+Remove-BlockedConnector -ConnectorId <connectorId>
+```
+
+## More information
+
+- [Respond to a compromised connector](connectors-detect-respond-to-compromise.md)
+- [Remove blocked users](removing-user-from-restricted-users-portal-after-spam.md)
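Review bot: The PowerShell section at the end of the new article goes straight to `Remove-BlockedConnector -ConnectorId <connectorId>` without repeating the prerequisite from "What do you need to know before you begin?" that control of the connector has to be regained first. The portal procedure has step 4 for this, so add a matching sentence and the link to connectors-detect-respond-to-compromise.md before the remove command, and state whether the "up to 1 hour" delay from the portal note applies there too. Two smaller points: the IMPORTANT callout reads "audit log search must to be turned on" (drop the "to"), and the permissions bullets say "Restricted entities portal" while the rest of the article says "Restricted entities page" or "list", so pick one term.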
security Create Block Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-block-sender-lists-in-office-365.md
Regardless of the conditions or exceptions that you use to identify the messages
## Use the IP Block List
-When it's not possible to use one of the other options to block a sender, _only then_ should you use the IP Block List in the connection filter policy. For more information, see [Configure the connection filter policy](configure-the-connection-filter-policy.md). It's important to keep the number of blocked IPs to a minimum, so blocking entire IP address ranges is _not_ recommended.
+When it's not possible to use one of the other options to block a sender, _only then_ should you use the IP Block List in the connection filter policy. For more information, see [Configure the connection filter policy](connection-filter-policies-configure.md). It's important to keep the number of blocked IPs to a minimum, so blocking entire IP address ranges is _not_ recommended.
You should _especially_ avoid adding IP address ranges that belong to consumer services (for example, outlook.com) or shared infrastructures, and also ensure that you review the list of blocked IP addresses as part of regular maintenance.
security Create Safe Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
The following example assumes you need email from contoso.com to skip spam filte
This condition checks the email authentication status of the sending email domain to ensure that the sending domain is not being spoofed. For more information about email authentication, see [SPF](set-up-spf-in-office-365-to-help-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), and [DMARC](use-dmarc-to-validate-email.md).
- - **IP Allow List**: Specify the source IP address or address range in the connection filter policy. For instructions, see [Configure connection filtering](configure-the-connection-filter-policy.md).
+ - **IP Allow List**: Specify the source IP address or address range in the connection filter policy. For instructions, see [Configure connection filtering](connection-filter-policies-configure.md).
Use this setting if the sending domain does not use email authentication. Be as restrictive as possible when it comes to the source IP addresses in the IP Allow List. We recommend an IP address range of /24 or less (less is better). Do not use IP address ranges that belong to consumer services (for example, outlook.com) or shared infrastructures.
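Review bot: In the context line after the updated **IP Allow List** link, "an IP address range of /24 or less (less is better)" is ambiguous, because a smaller prefix number such as /16 is a larger range. The same sentence asks for the list to be as restrictive as possible, so reword it while this paragraph is being touched so that it clearly means /24 or a narrower range.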
When messages skip spam filtering due to entries in a user's Safe Senders list,
> [!CAUTION] > Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This result creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered; however, if a message from an entry in the IP Allow List is determined to be malware or high confidence phishing, the message will be filtered.
-The next best option is to add the source email server or servers to the IP Allow List in the connection filter policy. For details, see [Configure connection filtering in EOP](configure-the-connection-filter-policy.md).
+The next best option is to add the source email server or servers to the IP Allow List in the connection filter policy. For details, see [Configure connection filtering in EOP](connection-filter-policies-configure.md).
**Notes**:
security Exchange Online Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/exchange-online-protection-overview.md
To understand how EOP works, it helps to see how it processes incoming email:
:::image type="content" source="../../media/tp_emailprocessingineopt3.png" alt-text="Graphic of email from the internet or Customer feedback passing into EOP and through the Connection, Anti-malware, Mailflow Rules-slash-Policy Filtering, and Content Filtering, before the verdict of either junk mail or quarantine, or end user mail delivery" lightbox="../../media/tp_emailprocessingineopt3.png":::
-1. When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. The majority of spam is stopped at this point and rejected by EOP. For more information, see [Configure connection filtering](configure-the-connection-filter-policy.md).
+1. When an incoming message enters EOP, it initially passes through connection filtering, which checks the sender's reputation. The majority of spam is stopped at this point and rejected by EOP. For more information, see [Configure connection filtering](connection-filter-policies-configure.md).
2. Then the message is inspected for malware. If malware is found in the message or the attachment(s) the message is delivered to quarantine. By default, only admins can view and interact with malware quarantined messages. But, admins can create and use [quarantine policies](quarantine-policies.md) to specify what users are allowed to do to quarantined messages. To learn more about malware protection, see [Anti-malware protection in EOP](anti-malware-protection.md).
For information about requirements, important limits, and feature availability a
|Anti-malware|[Anti-malware protection in EOP](anti-malware-protection.md) <p> [Anti-malware protection FAQ](anti-malware-protection-faq-eop.yml) <p> [Configure anti-malware policies in EOP](configure-anti-malware-policies.md)| |Inbound anti-spam|[Anti-spam protection in EOP](anti-spam-protection.md) <p> [Anti-spam protection FAQ](anti-spam-protection-faq.yml) <p> [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md)| |Outbound anti-spam|[Outbound spam protection in EOP](outbound-spam-controls.md) <p> [Configure outbound spam filtering in EOP](configure-the-outbound-spam-policy.md) <p> [Control automatic external email forwarding in Microsoft 365](external-email-forwarding.md)|
-|Connection filtering|[Configure connection filtering](configure-the-connection-filter-policy.md)|
+|Connection filtering|[Configure connection filtering](connection-filter-policies-configure.md)|
|Anti-phishing|[Anti-phishing policies in Microsoft 365](set-up-anti-phishing-policies.md) <p> [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md)| |Anti-spoofing protection|[Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md) <p> [Manage the Tenant Allow/Block List](manage-tenant-allow-block-list.md)| |Zero-hour auto purge (ZAP) for delivered malware, spam, and phishing messages|[ZAP in Exchange Online](zero-hour-auto-purge.md)|
security High Risk Delivery Pool For Outbound Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/high-risk-delivery-pool-for-outbound-messages.md
These scenarios can result in the IP address of the affected Microsoft 365 datac
To prevent our IP addresses from being blocked, all outbound messages from Microsoft 365 datacenter servers that are determined to be spam are sent through the _high-risk delivery pool_.
-The high risk delivery pool is a separate IP address pool for outbound email that's only used to send "low quality" messages (for example, spam and [backscatter](backscatter-messages-and-eop.md). Using the high risk delivery pool helps prevent the normal IP address pool for outbound email from sending spam. The normal IP address pool for outbound email maintains the reputation sending "high quality" messages, which reduces the likelihood that these IP address will appear on IP blocklists.
+The high risk delivery pool is a separate IP address pool for outbound email that's only used to send "low quality" messages (for example, spam and [backscatter](anti-spam-backscatter-about.md). Using the high risk delivery pool helps prevent the normal IP address pool for outbound email from sending spam. The normal IP address pool for outbound email maintains the reputation sending "high quality" messages, which reduces the likelihood that these IP address will appear on IP blocklists.
The very real possibility that IP addresses in the high-risk delivery pool will be placed on IP blocklists remains, but this is by design. Delivery to the intended recipients isn't guaranteed, because many email organizations won't accept messages from the high risk delivery pool.
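Review bot: The rewritten sentence still opens a parenthesis at "(for example, spam and [backscatter](anti-spam-backscatter-about.md)" and never closes it, so add the missing ")" before the period. In the same paragraph, "maintains the reputation sending" and "these IP address will appear" are carried over unchanged from the removed line and need fixing as well (for example "maintains its reputation for sending" and "these IP addresses").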
Possible causes for a surge in NDRs include:
- A spam attack. - A rogue email server.
-All of these issues can result in a sudden increase in the number of NDRs being processed by the service. Many times, these NDRs appear to be spam to other email servers and services (also known as _[backscatter](backscatter-messages-and-eop.md)_).
+All of these issues can result in a sudden increase in the number of NDRs being processed by the service. Many times, these NDRs appear to be spam to other email servers and services (also known as _[backscatter](anti-spam-backscatter-about.md)_).
### Relay pool
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
To verify that you've successfully assigned the **Standard protection** or **Str
For example, for email that's detected as spam (not high confidence spam) verify that the message is delivered to the Junk Email folder for **Standard protection** users, and quarantined for **Strict protection** users.
-Or, for [bulk mail](bulk-complaint-level-values.md), verify that the BCL value 6 or higher delivers the message to the Junk Email folder for **Standard protection** users, and the BCL value 4 or higher quarantines the message for **Strict protection** users.
+Or, for [bulk mail](anti-spam-bulk-complaint-level-bcl-about.md), verify that the BCL value 6 or higher delivers the message to the Junk Email folder for **Standard protection** users, and the BCL value 4 or higher quarantines the message for **Strict protection** users.
## Preset security policies in Exchange Online PowerShell
security Protect Against Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
For detailed instructions for configuring anti-malware policies, see [Configure
## Part 2 - Anti-phishing protection in EOP and Defender for Office 365
-[Anti-phishing protection](anti-phishing-protection.md) is available in subscriptions that include [EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description). Advanced anti-phishing protection is available in [Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description).
+[Anti-phishing protection](anti-phishing-protection-about.md) is available in subscriptions that include [EOP](/office365/servicedescriptions/exchange-online-protection-service-description/exchange-online-protection-service-description). Advanced anti-phishing protection is available in [Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description).
For more information about the recommended settings for anti-phishing policies, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings) and [Anti-phishing policy settings in Microsoft Defender for Office 365](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365).
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
To create and configure anti-spam policies, see [Configure anti-spam policies in
|Security feature name|Default|Standard|Strict|Comment| ||::|::|::|| |**Bulk email threshold & spam properties**|||||
-|**Bulk email threshold** <br><br> _BulkThreshold_|7|6|5|For details, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md).|
+|**Bulk email threshold** <br><br> _BulkThreshold_|7|6|5|For details, see [Bulk complaint level (BCL) in EOP](anti-spam-bulk-complaint-level-bcl-about.md).|
|_MarkAsSpamBulkMail_|`On`|`On`|`On`|This setting is only available in PowerShell.| |**Increase spam score** settings|Off|Off|Off|All of these settings are part of the Advanced Spam Filter (ASF). For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.| |**Mark as spam** settings|Off|Off|Off|Most of these settings are part of ASF. For more information, see the [ASF settings in anti-spam policies](#asf-settings-in-anti-spam-policies) section in this article.|
To create and configure anti-spam policies, see [Configure anti-spam policies in
#### ASF settings in anti-spam policies
-For more information about Advanced Spam Filter (ASF) settings in anti-spam policies, see [Advanced Spam Filter (ASF) settings in EOP](advanced-spam-filtering-asf-options.md).
+For more information about Advanced Spam Filter (ASF) settings in anti-spam policies, see [Advanced Spam Filter (ASF) settings in EOP](anti-spam-policies-asf-settings-about.md).
|Security feature name|Default|Recommended<br/>Standard|Recommended<br/>Strict|Comment| ||::|::|::||
For more information about Advanced Spam Filter (ASF) settings in anti-spam poli
|**SPF record: hard fail** <br><br> _MarkAsSpamSpfRecordHardFail_|Off|Off|Off|| |**Sender ID filtering hard fail** <br><br> _MarkAsSpamFromAddressAuthFail_|Off|Off|Off|| |**Backscatter** <br><br> _MarkAsSpamNdrBackscatter_|Off|Off|Off||
-|**Test mode** <br><br> _TestModeAction_)|None|None|None|For ASF settings that support **Test** as an action, you can configure the test mode action to **None**, **Add default X-Header text**, or **Send Bcc message** (`None`, `AddXHeader`, or `BccMessage`). For more information, see [Enable, disable, or test ASF settings](advanced-spam-filtering-asf-options.md#enable-disable-or-test-asf-settings).|
+|**Test mode** <br><br> _TestModeAction_)|None|None|None|For ASF settings that support **Test** as an action, you can configure the test mode action to **None**, **Add default X-Header text**, or **Send Bcc message** (`None`, `AddXHeader`, or `BccMessage`). For more information, see [Enable, disable, or test ASF settings](anti-spam-policies-asf-settings-about.md#enable-disable-or-test-asf-settings).|
#### EOP outbound spam policy settings
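Review bot: The **Test mode** row keeps a stray ")" after `_TestModeAction_` in both the removed and the added line. Drop it while the link in this row is being updated; the neighbouring rows, such as `_MarkAsSpamNdrBackscatter_`, format the parameter name with no parenthesis.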
security Removing User From Restricted Users Portal After Spam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/removing-user-from-restricted-users-portal-after-spam.md
There are 2 types of restricted entities:
- **Restricted user**: Learn about why a user can be restricted and how to handle restricted users (this article). -- **Restricted connector**: For more information about why a connector can be restricted and how to handle restricted connectors, see [Remove blocked connectors from the Restricted entities portal](remove-blocked-connectors.md).
+- **Restricted connector**: For more information about why a connector can be restricted and how to handle restricted connectors, see [Remove blocked connectors from the Restricted entities portal](connectors-remove-blocked.md).
## What do you need to know before you begin?
security View Email Security Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md
On the **Threat protection status** page, the ![Create schedule icon.](../../med
In the **View data by Email \> Spam** and **Chart breakdown by Detection Technology** view, the following information is shown in the chart: - **Advanced filter**: Phishing signals based on machine learning.-- **Bulk**: The [bulk complaint level (BCL)](bulk-complaint-level-values.md) of the message exceeds the defined threshold for spam.
+- **Bulk**: The [bulk complaint level (BCL)](anti-spam-bulk-complaint-level-bcl-about.md) of the message exceeds the defined threshold for spam.
- **Domain reputation**: The message was from a domain that was previously identified as sending spam in other Microsoft 365 organizations. - **Fingerprint matching**: The message closely resembles a previous detected malicious message. - **IP reputation**: The message was from a source that was previously identified as sending spam in other Microsoft 365 organizations.
solutions Ransomware Protection Microsoft 365 Security Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/ransomware-protection-microsoft-365-security-baselines.md
Next, use [attack surface reduction rules](/microsoft-365/security/defender-endp
Help prevent initial access to your tenant from an email-based attack with these Exchange email baseline settings: - Enable [Microsoft Defender Antivirus email scanning](/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus).-- Use Microsoft Defender for Office 365 for [enhanced phishing protection](/microsoft-365/security/office-365-security/anti-phishing-protection) and coverage against new threats and polymorphic variants.
+- Use Microsoft Defender for Office 365 for [enhanced phishing protection](/microsoft-365/security/office-365-security/anti-phishing-protection-about) and coverage against new threats and polymorphic variants.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Defender for Office 365 to [recheck links on click](/microsoft-365/security/office-365-security/atp-safe-links) and [delete delivered mails](/microsoft-365/security/office-365-security/zero-hour-auto-purge) in response to newly acquired threat intelligence. - Review and update to the latest [recommended settings for EOP and Defender for Office 365 security](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp). - Configure Defender for Office 365 to [recheck links on click](/microsoft-365/security/office-365-security/set-up-safe-links-policies) and delete delivered mails in response to newly acquired threat intelligence.
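Review bot: The bullet changed here is duplicated by the next bullet, which repeats "Use Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants", and that bullet is in turn followed by a second "recheck links on click" bullet that points at a different target (atp-safe-links versus set-up-safe-links-policies). Merge the duplicates so each recommendation appears once with one link, and confirm that the remaining link targets in this list are still current, given that this change renames anti-phishing-protection to anti-phishing-protection-about.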