+

+## Does your organization use Active Directory?

+If your organization synchronizes user accounts to Microsoft 365 from a local Active Directory environment, you must delete and restore those user accounts in your local Active Directory service. You can't delete or restore them in Microsoft 365.

+To learn how to delete and restore user account in Active Directory, see [Delete a User Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753730(v=ws.11)).

+

+If you're using Azure Active Directory, see the [Remove-MsolUser](/powershell/module/msonline/remove-msoluser) PowerShell cmdlet.

+

+## Corporate sabotage

+## Gifts & entertainment

+## Money laundering

+## Regulatory collusion

+## Stock manipulation

+## Unauthorized disclosure

+| [Corporate sabotage](classifier-tc-definitions.md#corporate-sabotage | Detects messages that may mention acts to damage or destroy corporate assets or property. This classifier can help customers manage regulatory compliance obligations such as NERC Critical Infrastructure Protection standards or state by state regulations like Chapter 9.05 RCW in Washington state. |

+| [Gifts & entertainment](classifier-tc-definitions.md#gifts-entertainment | Detects messages that may suggest exchanging gifts or entertainment in return for service, which violates regulations related to bribery. This classifier can help customers manage regulatory compliance obligations such as Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and FINRA Rule 2320. |

+| [Money laundering](classifier-tc-definitions.md#money-laundering| Detects signs that may suggest money laundering or engagement in acts to conceal or disguise the origin or destination of proceeds. This classifier can help customers manage regulatory compliance obligations such as the Bank Secrecy Act, the USA Patriot Act, FINRA Rule 3310, and the Anti-Money Laundering Act of 2020. |

+| [Regulatory collusion](classifier-tc-definitions.md#regulatory-collusion| Detects messages that may violate regulatory anti-collusion requirements such as an attempted concealment of sensitive information. This classifier can help customers manage regulatory compliance obligations such as the Sherman Antitrust Act, Securities Exchange Act 1933, Securities Exchange Act of 1934, Investment Advisers Act of 1940, Federal Commission Act, and the Robinson-Patman Act. |

+| [Stock manipulation](classifier-tc-definitions.md#stock-manipulation| Detects signs of possible stock manipulation, such as recommendations to buy, sell or hold stocks that may suggest an attempt to manipulate the stock price. This classifier can help customers manage regulatory compliance obligations such as the Securities Exchange Act of 1934, FINRA Rule 2372, and FINRA Rule 5270. |

+| [Unauthorized disclosure](classifier-tc-definitions.md#unauthorized-disclosure| Detects sharing of information containing content that is explicitly designated as confidential or internal to unauthorized individuals. This classifier can help customers manage regulatory compliance obligations such as FINRA Rule 2010 and SEC Rule 10b-5. |

+ 1. See [April 11, 2023ΓÇöKB5025221 (OS Builds 19042.2846, 19044.2846, and 19045.2846) - Microsoft Support](https://support.microsoft.com/en-us/topic/april-11-2023-kb5025221-os-builds-19042-2846-19044-2846-and-19045-2846-b00c3356-baac-4a41-8342-7f97ec83445a) for required minimum Windows Operating System builds.

+2. If necessary, add additional case members or staff to the **Cc** and **Bcc** fields. To add multiple users to these fields, separate email addresses with a semi-colon and without spaces between the addresses. For example, *user1@contoso.com;user2@contoso.com;user3@contoso.com*.

+2. If necessary, add additional case members or staff to the **Cc** and **Bcc** fields. To add multiple users to these fields, separate email addresses with a semi-colon and without spaces between the addresses. For example, *user1@contoso.com;user2@contoso.com;user3@contoso.com*.

+2. If necessary, add additional case members or staff to the **Cc** and **Bcc** fields. To add multiple users to these fields, separate email addresses with a semi-colon and without spaces between the addresses. For example, *user1@contoso.com;user2@contoso.com;user3@contoso.com*.

+After you've sent a hold notification, you can follow up with unresponsive custodians by defining a reminder workflow.

+> ³ If the search results from a user's mailbox are larger than 10 GB, the search results for the mailbox will be exported in two (or more) separate PST files. If you choose to export all search results in a single PST file, the PST file will be spilt into additional PST files if the total size of the search results is larger than 10 GB.

+ :::image type="content" source="../media/file-plan-filled-out-template.png" alt-text="File plan template example with information filled in ready to import to create retention labels.":::

+|[Microsoft Purview Communication Compliance and Insider Risk Management setup guide](https://go.microsoft.com/fwlink/?linkid=2223415) | [Microsoft Purview Communication Compliance and Insider Risk Management setup guide](https://go.microsoft.com/fwlink/?linkid=2224188) | The **Microsoft Purview Communication Compliance and Insider Risk Management setup guide** helps you protect your organization against insider risks that can be challenging to identify and difficult to mitigate. Insider risks occur in a variety of areas and can cause major problems for organizations. These problems can range from the loss of intellectual property to workplace harassment, and more. <br> <br> With the communication compliance solution, you can identify and act on communication risks for: <br> - workplace violence <br> - insider trading <br> - harassment <br> - code of conduct <br> - regulatory compliance violations. <br> <br> The insider risk management solution helps you identify, investigate, and act on risks that include: <br> - intellectual property theft <br> - sensitive data leaks <br> - security violations <br> - data spillage <br> - confidentiality violations.|

+| [Microsoft Purview Information Protection setup guide](https://go.microsoft.com/fwlink/?linkid=2222967) | [Microsoft Purview Information Protection setup guide](https://go.microsoft.com/fwlink/?linkid=2224687) | Get an overview of the capabilities you can apply to your information protection strategy so you can be confident your sensitive information is protected. Use a four-stage lifecycle approach in which you discover, classify, protect, and monitor sensitive information. The **Microsoft Purview Information Protection setup guide** provides guidance for completing each of these stages.|

+| [Microsoft Purview Data Lifecycle Management setup guide](https://go.microsoft.com/fwlink/?linkid=2223154) | [Microsoft Purview Data Lifecycle Management setup guide](https://go.microsoft.com/fwlink/?linkid=2224686) | The **Microsoft Purview Data Lifecycle Management setup guide** provides the information you need to set up and manage your organization's governance strategy to ensure that your data is classified and managed according to the specific lifecycle guidelines you set. This guide teaches you how to create, auto-apply, and publish retention labels, retention label policies, and retention policies to your organization's content and compliance records. You also get information on importing CSV files with a file plan for bulk scenarios and for applying them to individual documents manually. |

+| [Microsoft Purview Auditing solutions in Microsoft 365 guide](https://go.microsoft.com/fwlink/?linkid=2223153) | [Microsoft Purview Auditing solutions in Microsoft 365 guide](https://go.microsoft.com/fwlink/?linkid=2224816) | The **Microsoft Purview Auditing solutions in Microsoft 365 guide** provide an integrated solution to help organizations effectively respond to security events, forensic investigations, and compliance obligations. When you use the auditing solutions in Microsoft 365, you can search the audit log for activities performed in different Microsoft 365 services. |

+| [Microsoft Purview eDiscovery solutions setup guide](https://go.microsoft.com/fwlink/?linkid=2223416) | [Microsoft Purview eDiscovery solutions setup guide](https://go.microsoft.com/fwlink/?linkid=2224465) | eDiscovery is the process of identifying and delivering electronic information that can be used as evidence in legal cases. The **Microsoft Purview eDiscovery solutions setup guide** helps you use the eDiscovery tools in Microsoft Purview that allow you to search for content in: <br> - Exchange <br> - OneDrive <br> - SharePoint <br> - Microsoft Teams <br> - Microsoft 365 Groups <br> - Yammer communities. |

+|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant |

+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and [display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2303+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |

+### Viva Goals

+#### Summary

+#### Data Residency Available

+#### Migration

+## Migration with Advanced Data Residency

+When SharePoint Online is moved, data for the following services is also moved:

+

+- OneDrive for Business

+- Microsoft 365 Video services

+- Office in a browser

+- Microsoft 365 Apps for enterprise

+- Visio Pro for Microsoft 365

+After we've completed moving your SharePoint Online data, you might see some of the following effects.

+

+### Microsoft 365 Video Services

+- The data move for video takes longer than the moves for the rest of your content in SharePoint Online.

+- After the SharePoint Online content is moved, there will be a time frame when videos aren't able to be played.

+- We're removing the trans-coded copies from the previous datacenter and transcoding them again in the new datacenter.

+### Search

+In the course of moving your SharePoint Online data, we migrate your search index and search settings to a new location. Until we've **completed** the move of your SharePoint Online data, we continue to serve your users from the index in the original location. In the new location, search automatically starts crawling your content after we've completed moving your SharePoint Online data. From this point and onwards we serve your users from the migrated index. Changes to your content that occurred after the migration aren't included in the migrated index until crawling picks them up. Most customers don't notice that results are less fresh right after we've completed moving their SharePoint Online data, but some customers might experience reduced freshness in the first 24-48 hours.

+

+The following search features are affected:

+

+- Search results and Search Web Parts: Results don't include changes that occurred after the migration until crawling picks them up.

+- Delve: Delve doesn't include changes that occurred after the migration until crawling picks them up.

+- Popularity and Search Reports for the site: Counts for Excel reports in the new location only include migrated counts and counts from usage reports that have run after we completed moving your SharePoint Online data. Any counts from the interim period are lost and can't be recovered. This period is typically a couple of days. Some customers might experience shorter or longer losses.

+- Video Portal: View counts and statistics for the Video Portal depend on the statistics for Excel Reports, so view counts and statistics for the Video Portal are lost for the same time period as for the Excel reports.

+- eDiscovery: Items that changed during the migration aren't shown until crawling picks up the changes.

+- Data Loss Protection (DLP): Policies aren't enforced on items that change until crawling picks up the changes.

+As part of the migration, the _Primary Provisioned Geography_ will change and all new content will be stored at rest in the new _Primary Provisioned Geography_. Existing content will move in the background with no impact to you for up to 90 days after the first change to the SharePoint Online data location in the admin center.

+Network protection expands the scope of Microsoft Defender [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources. The blocks on outbound HTTP(s) traffic are based on the domain or hostname.

+Network protection expands the scope of Microsoft 365 Defender [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources. The blocks on outbound HTTP(s) traffic are based on the domain or hostname.

+`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

+`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCnCProxy.exe`

+`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

+`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`

+`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe`

+`C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe`

+`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSC.exe`

+`C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe`

+ When you're finished on the **Created new anti-malware policy** page, click **Done**.

+ Back on the **Anti-malware** page, the new policy is listed.

+- **Status**: Values are:

+ - **Always on** for the default anti-malware policy.

+ - **On** or **Off** for other anti-malware policies.

+- **Priority**: For more information, see the [Set the priority of custom anti-malware policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-malware-policies) section.

+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific anti-malware policies.

+> [!TIP]

+> To see details about other anti-malware policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the flyout.

+ - :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)

+### Use the Microsoft 365 Defender portal to modify anti-malware policies

+After you select the default anti-malware policy or a custom policy by clicking anywhere other than the check box next to the name, the policy settings are shown in the details flyout that opens. Click **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create anti-malware policies](#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies) section earlier in this article.

+For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy.

+### Use the Microsoft 365 Defender portal to enable or disable custom anti-malware policies

+- **On the Anti-malware** page: Click :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Disable selected policies**.

+- **On the Anti-malware** page: Click :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Enable selected policies**.

+On the **Anti-malware** page, the **Status** value of the policy is now **On** or **Off**.

+### Use the Microsoft 365 Defender portal to set the priority of custom anti-malware policies

+- The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout.

+- If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.

+### Use the Microsoft 365 Defender portal to remove custom anti-malware policies

+- **On the Anti-malware** page: Select :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More actions** \> **Delete selected policies**.

+Click **Yes** in the warning dialog that opens.

+ When you're finished on the **New anti-phishing policy created** page, click **Done**.

+ Back on the **Anti-phishing** page, the new policy is listed.

+- **Status**: Values are:

+ - **Always on** for the default anti-phishing policy.

+ - **On** or **Off** for other anti-spam policies.

+- **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section.

+Use :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the policies by **Time range** (creation date) or **Status**.

+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific anti-phishing policies.

+> [!TIP]

+> To see details about other anti-phishing policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the flyout.

+ - :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)

+After you select the default anti-phishing policy or a custom policy by clicking anywhere other than the check box next to the name, the policy settings are shown in the details flyout that opens. Click **Edit** in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.

+For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy.

+### Use the Microsoft 365 Defender portal to enable or disable custom anti-phishing policies

+On the **Anti-phishing** page, the **Status** value of the policy is now **On** or **Off**.

+### Use the Microsoft 365 Defender portal to set the priority of custom anti-phishing policies

+- The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout.

+- If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.

+### Use the Microsoft 365 Defender portal to remove custom anti-phishing policies

+Click **Yes** in the warning dialog that opens.

+ When you're finished on the **New anti-phishing policy created** page, click **Done**.

+ Back on the **Anti-phishing** page, the new policy is listed.

+- **Status**: Values are:

+ - **Always on** for the default anti-phishing policy.

+ - **On** or **Off** for other anti-spam policies.

+- **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-phishing-policies) section.

+ - :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)

+After you select the default anti-phishing policy or a custom policy by clicking anywhere other than the check box next to the name, the policy settings are shown in the details flyout that opens. Click **Edit** in each section to modify the settings within the section. For more information about the settings, see the [create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.

+For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy.

+### Use the Microsoft 365 Defender portal to enable or disable custom anti-phishing policies

+On the **Anti-phishing** page, the **Status** value of the policy is now **On** or **Off**.

+### Use the Microsoft 365 Defender portal to set the priority of custom anti-phishing policies

+- The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout.

+- If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.

+### Use the Microsoft 365 Defender portal to remove custom anti-phishing policies

+Click **Yes** in the warning dialog that opens.

+The default anti-spam policy automatically applies to all recipients. For greater granularity, you can also create custom anti-spam policies that apply to specific users, groups, or domains in your organization.

+- You can't completely turn off spam filtering, but you can use Exchange mail flow rules (also known as transport rules) to bypass most spam filtering on incoming messages (for example, if you route email through a third-party protection service or device before delivery to Microsoft 365). For more information, see [Use mail flow rules to set the spam confidence level (SCL) in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).

+ - High confidence phishing messages are still filtered. Other features in EOP aren't affected (for example, messages are always scanned for malware).

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.

+2. On the **Anti-spam policies** page, click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create** **Create policy** and then select **Inbound** from the drop down list to start the new anti-spam policy wizard.

+3. On the **Name your policy** page, configure these settings:

+ When you're finished on the **Name your policy** page, click **Next**.

+4. On the **Users, groups, and domains** page, identify the internal recipients that the policy applies to (recipient conditions):

+ - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).

+ Click in the appropriate box, start typing a value, and then select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.

+ When you're finished on the **Users, groups, and domains** page, click **Next**.

+5. On the **Bulk email threshold & spam properties** page, configure the following settings:

+ - **Spam properties** section:

+ - **Increase spam score**, **Mark as spam**^\* and **Test mode**: Advanced Spam Filter (ASF) settings that are turned off by default.

+ For details about these settings, see [Advanced Spam Filter settings in EOP](anti-spam-policies-asf-settings-about.md).

+ ^\* The **Contains specific languages** and **from these countries** settings aren't part of ASF.

+ - **Contains specific languages**: Click the box and select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a language in the box. A filtered list of supported languages appears. When you find the language that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

+ - **From these countries***: Click the box and select **On** or **Off** from the drop down list. If you turn it on, a box appears. Start typing the name of a country in the box. A filtered list of supported countries appears. When you find the country that you're looking for, select it. Repeat this step as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

+ When you're finished on the **Bulk email threshold & spam properties** page, click **Next**.

+6. On the **Actions** page, configure the following settings:

+ - **Message actions** section: Review or select the action to take on messages based on the spam filtering verdicts:

+ ⁴ For **High confidence phishing**, the **Move message to Junk Email folder** action has effectively been deprecated. Although you might be able to select that action, high confidence phishing messages are always quarantined (equivalent to selecting **Quarantine message**).

+ ⁵ Users can't release their own messages that were quarantined as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.

+ - **Retain spam in quarantine for this many days**: Specifies how long to keep the message in quarantine if you selected **Quarantine message** as the action for a spam filtering verdict. After the time period expires, the message is deleted, and isn't recoverable. A valid value is from 1 to 30 days.

+ - **Safety Tips** section: By default, **Enable Safety Tips**: is selected, but you can disable Safety Tips by clearing the check box.

+ - **Zero-hour auto purge (ZAP)** section:

+ - **Enable zero-hour auto purge (ZAP)**: ZAP detects and takes action on messages that have already been delivered to Exchange Online mailboxes. For more information, see [Zero-hour auto purge - protection against spam and malware](zero-hour-auto-purge.md).

+ ZAP is turned on by default. When ZAP is turned on, the following settings are available:

+ - **Enable ZAP for phishing messages**: By default, ZAP is enabled for phishing detections, but you can disable it by clearing the check box.

+ - **Enable ZAP for spam messages**: By default, ZAP is enabled for spam detections, but you can disable it by clearing the check box.

+ When you're finished on the **Actions** page, click **Next**.

+7. On the **Allow & block list** page, you can configure message senders by email address or email domain who are allowed to skip spam filtering.

+ > Never add common domains (for example, microsoft.com or office.com) to the allowed domains list. If these domains are allowed to bypass spam filtering, attackers can easily send spoofed messages from these common domains into your organization.

+ > There are times when our filters miss a message, you don't agree with the filtering verdict, or it takes time for our systems to catch up to it. In these cases, the allow list and block list are available to override the current filtering verdicts. But, you should use these lists sparingly and temporarily: longs lists can become unmanageable, and our filtering stack should be doing what it's supposed to be doing. If you're going to keep an allowed domain for an extended period of time, you should tell the sender to verify that their domain is authenticated and set to DMARC reject appropriately.

+ 2. In the flyout that opens, do the following steps:

+ 1. Click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add senders** or **Add domains**.

+ 3. Repeat the previous step as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

+ When you're finished in the **Add senders** or **Add domains** flyout, click **Add senders** or **Add domains**.

+ Back on the first flyout, the senders or domains that you added are listed on the flyout. To remove an entry from this flyout, select the sender or domain by selecting the round check box that appears next to the entry, and then click the :::image type="icon" source="../../media/m365-cc-sc-remove-selected-users-icon.png" border="false"::: action that appears.

+ To change the list of entries from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.

+ Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find senders or domains on the flyout.

+ When you're finished on the flyout, click **Done**.

+8. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.

+ When you're finished on the **Review** page, click **Create**.

+9. On the **New anti-spam policy created** page, you can click the links to view the policy, view anti-spam policies, and learn more about anti-spam policies.

+ When you're finished on the **New anti-spam policy created** page, click **Done**.

+ Back on the **Anti-spam policies** page, the new policy is listed.

+## Use the Microsoft 365 Defender portal to view anti-spam policy details

+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.

+On the **Anti-spam policies** page, the following properties are displayed in the list of policies:

+- **Name**

+- **Status**: Values are:

+ - **Always on** for the default anti-spam policy (for example, **Anti-spam inbound policy (Default)**).

+ - **On** or **Off** for other anti-spam policies.

+- **Priority**: For more information, see the [Set the priority of custom anti-spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-anti-spam-policies) section.

+- **Type**: One of the following values for anti-spam policies:

+ - **Protection templates** for anti-spam policies that are associated with the Standard and Strict [preset security policies](preset-security-policies.md).

+ - **Custom anti-spam policy**

+ - Blank for the default anti-spam policy (for example, **Anti-spam inbound policy (Default)**).

+To change the list of policies from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.

+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific policies.

+Select an anti-spam policy by clicking anywhere other than the check box next to the name to open the details flyout for the policy.

+> [!TIP]

+> To see details about other anti-spam policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the flyout.

+## Use the Microsoft 365 Defender portal to take action on anti-spam policies

+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.

+On the **Anti-spam policies** page, select the anti-spam policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens:

+- Modify policy settings by clicking **Edit** in each section (custom policies or the default policy)

+- :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** or :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** (custom policies only)

+- :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** or :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** (custom policies only)

+- :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)

+The actions are described in the following subsections.

+### Use the Microsoft 365 Defender portal to modify anti-spam policies

+After you select the default anti-spam policy or a custom policy by clicking anywhere other than the check box next to the name, the policy settings are shown in the details flyout that opens. Click **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section earlier in this article.

+For the default policy, you can't modify the name of the policy, and there are no recipient filters to configure (the policy applies to all recipients). But, you can modify all other settings in the policy.

+For the anti-spam policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md), you can't modify the policy settings in the details flyout. You can click :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View preset security policies** in the details flyout to go to the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies> to modify the preset security policies.

+### Use the Microsoft 365 Defender portal to enable or disable anti-spam policies

+You can't disable the default anti-spam policy (it's always enabled).

+You can't enable or disable the anti-spam policies that are associated with Standard and Strict preset security policies. You enable or disable the Standard or Strict preset security policies on the **Preset security policies** page at <https://security.microsoft.com/presetSecurityPolicies>.

+After you select an enabled custom anti-spam policy (the **Status** value is **On**) by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the policy details flyout.

+After you select a disabled custom anti-spam policy (the **Status** value is **Off**) by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the policy details flyout.

+When you're finished in the policy details flyout, click **Close**.

+On the **Anti-spam policies** page, the **Status** value of the policy is now **On** or **Off**.

+### Use the Microsoft 365 Defender portal to set the priority of custom anti-spam policies

+Anti-spam policies are processed in the order that they're displayed on the **Anti-spam policies** page:

+- The anti-spam policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).

+- The anti-spam policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).

+- Custom anti-spam policies are applied next in priority order (if they're enabled):

+ - A lower priority value indicates a higher priority (0 is the highest).

+ - By default, a new anti-spam policy is created with a priority that's lower than the lowest existing custom anti-spam policy (the first is 0, the next is 1, etc.).

+ - No two anti-spam policies can have the same priority value.

+- The default anti-spam policy always has the priority value **Lowest**, and you can't change it.

+Anti-spam protection stops for a recipient after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

+After you select the custom anti-spam policy by clicking anywhere other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:

+- The custom policy with the **Priority** value **0** on the **Anti-spam policies** page has the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** action at the top of the details flyout.

+- The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout.

+- If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.

+When you're finished in the policy details flyout, click **Close**.

+Back on the **Anti-spam policies** page, the order of the policy in the list matches the updated **Priority** value.

+### Use the Microsoft 365 Defender portal to remove custom anti-spam policies

+You can't remove the default anti-spam policy or the anti-spam policies named **Standard Preset Security Policy** and **Strict Preset Security Policy** that are associated with [preset security policies](preset-security-policies.md).

+After you select the custom anti-spam policy by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout, and then click **Yes** in the warning dialog that opens.

+On the **Anti-spam policies** page, the deleted policy is no longer listed.

+In PowerShell, the basic elements of an anti-spam policy are:

+- **The spam filter policy**: Specifies the spam protections to enable or disable, the actions to apply for those protections, and other options.

+- **The spam filter rule**: Specifies the priority and recipient filters (who the policy applies to) for the associated spam filter policy.

+The difference between these two elements isn't obvious when you manage anti-spam policies in the Microsoft 365 Defender portal:

+- When you create a policy in the Defender portal, you're actually creating a spam filter rule and the associated spam filter policy at the same time using the same name for both.

+- When you modify a policy in the Defender portal, settings related to the name, priority, enabled or disabled, and recipient filters modify the spam filter rule. All other settings modify the associated spam filter policy.

+- When you remove a policy in the Defender portal, the spam filter rule and the associated spam filter policy are removed at the same time.

+In Exchange Online PowerShell, the difference between spam filter policies and spam filter rules is apparent. You manage spam filter policies by using the **\*-HostedContentFilterPolicy** cmdlets, and you manage spam filter rules by using the **\*-HostedContentFilterRule** cmdlets.

+- In PowerShell, you create the spam filter policy first, then you create the spam filter rule, which identifies the associated policy that the rule applies to.

+A significant setting that's available only in PowerShell is the _MarkAsSpamBulkMail_ parameter that's `On` by default. The effects of this setting are explained in the [Create anti-spam policies](#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) section earlier in this article.

+To return detailed information about a specific spam filter policy, use this syntax:

+|**Starting point**|[Require MFA always for guests and external users](identity-access-policies.md#require-mfa-based-on-sign-in-risk)|Create this new policy and configure: <ul><li>For **Assignments > Users and groups > Include**, choose **Select users and groups**, and then select **All guest and external users**.</li><li>For **Assignments > Conditions > Sign-in risk** and select atleast one Sign-in risk level this policy will apply to. </li></ul>|

+ Title: Configure outbound spam policies

+# Configure outbound spam policies in EOP

+Outbound spam from a user in your organization typically indicates a compromised account. Suspicious outbound messages are marked as spam (regardless of the spam confidence level or SCL) and are routed through the [high-risk delivery pool](outbound-spam-high-risk-delivery-pool-about.md) to help protect the reputation of the service (that is, to keep Microsoft 365 source email servers off of IP block lists). Admins are automatically notified of suspicious outbound email activity and blocked users via [alert policies](../../compliance/alert-policies.md).

+The default outbound spam policy automatically applies to all senders. For greater granularity, you can also create custom outbound spam policies that apply to specific users, groups, or domains in your organization.

+You can configure outbound spam policies in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com>. To go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.

+- For our recommended settings for outbound spam policies, see [EOP outbound spam policy settings](recommended-settings-for-eop-and-office365.md#eop-outbound-spam-policy-settings).

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.

+2. On the **Anti-spam policies** page, click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create policy** and then select **Outbound** from the drop down list to start the new outbound spam policy wizard.

+3. On the **Name your policy page**, configure these settings:

+ When you're finished on the **Name your policy page**, click **Next**.

+4. On the **Users, groups, and domains** page, identify the internal senders that the policy applies to (conditions):

+ - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).

+ Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

+ For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users or groups, enter an asterisk (\*) by itself to see all available values.

+ - **Exclude these users, groups, and domains**: To add exceptions for the internal senders that the policy applies to, select this option and configure the exceptions. The settings and behavior are exactly like the conditions.

+ > Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those senders that match _all_ of the specified sender filters. For example, you configure a sender filter condition in the policy with the following values:

+ > Likewise, if you use the same sender filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+ When you're finished on the **Users, groups, and domains**, click **Next**.

+5. On the **Protection settings** page, configure the following settings:

+ - **Message limits** sections: The settings in this section configure the limits for outbound email messages from **Exchange Online** mailboxes:

+ For all actions, the senders specified in the **User restricted from sending email** alert policy (and in the now redundant **Notify these users and groups if a sender is blocked due to sending outbound spam** setting on this page) receive email notifications.

+ - **Restrict the user from sending mail until the following day**: This is the default value. Email notifications are sent, and the user is unable to send any more messages until the following day, based on UTC time. There's no way for the admin to override this block.

+ - The user is unable to send any more messages until the following day, based on UTC time. There's no way for the admin to override this block.

+ - **Forwarding rules** section: The setting in this section controls automatic email forwarding by **Exchange Online mailboxes** to external recipients. For more information, see [Control automatic external email forwarding in Microsoft 365](outbound-spam-policies-external-email-forwarding.md).

+ - **Automatic - System-controlled**: This is the default value. This value is now the same as **Off**. When this value was originally introduced, it was equivalent to **On**. Over time, thanks to the principles of [secure by default](secure-by-default.md), the effect of this value was eventually changed to **Off** for all customers. For more information, see [this blog post](https://techcommunity.microsoft.com/t5/exchange-team-blog/all-you-need-to-know-about-automatic-email-forwarding-in/ba-p/2074888).

+ - **On**: Automatic external email forwarding isn't disabled by the policy.

+ > [!NOTE]

+ >

+ > - Disabling automatic forwarding disables any Inbox rules or [mailbox forwarding](/exchange/recipients-in-exchange-online/manage-user-mailboxes/configure-email-forwarding) (also known as _SMTP forwarding_) that redirects messages to external addresses.

+ > - Outbound spam policies don't affect the forwarding of messages between internal users.

+ > - When automatic forwarding is disabled by an outbound spam policy, non-delivery reports (also known as NDRs or bounce messages) are generated in the following scenarios:

+ > - Messages from external senders for all forwarding methods.

+ > - Messages from internal senders **if** the forwarding method is mailbox forwarding. If the forwarding method is an Inbox rule, an NDR isn't generated for internal senders.

+ - **Notifications** section: Use the settings in the section to configure additional recipients who should receive copies and notifications of suspicious outbound email messages:

+ To enable this setting, select the check box. In the box that appears, click in the box, enter a valid email address, and then press the ENTER key or select the complete value that's displayed below the box.

+ Repeat this step as many times as necessary. To remove an existing value, click :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

+ When you're finished on the **Protection settings** page, click **Next**.

+6. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.

+ When you're finished on the **Review** page, click **Create**.

+7. On the **New anti-spam policy created** page, you can click the links to view the policy, view outbound spam policies, and learn more about outbound spam policies.

+ When you're finished on the **New anti-spam policy created** page, click **Done**.

+ Back on the **Anti-spam policies** page, the new policy is listed.

+## Use the Microsoft 365 Defender portal to view outbound spam policy details

+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.

+On the **Anti-spam policies** page, the following properties are displayed in the list of policies:

+- **Name**

+- **Status**: Values are:

+ - **Always on** for the default outbound spam policy (for example, **Anti-spam outbound policy (Default)**).

+ - **On** or **Off** for other outbound spam policies.

+- **Priority**: For more information, see the [Set the priority of custom outbound spam policies](#use-the-microsoft-365-defender-portal-to-set-the-priority-of-custom-outbound-spam-policies) section.

+- **Type**: One of the following values for outbound spam policies:

+ - **Custom outbound spam policy**

+ - Blank for the default outbound spam policy (for example, **Anti-spam outbound policy (Default)**).

+To change the list of policies from normal to compact spacing, click :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false":::.

+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific policies.

+Select an outbound spam policy by clicking anywhere other than the check box next to the name to open the details flyout for the policy.

+> [!TIP]

+> To see details about other outbound spam policies without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** buttons at the top of the flyout.

+## Use the Microsoft 365 Defender portal to take action on outbound spam policies

+In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. Or, to go directly to the **Anti-spam policies** page, use <https://security.microsoft.com/antispam>.

+On the **Anti-spam policies** page, select the outbound spam policy from the list by clicking anywhere in the row other than the check box next to the name. Some or all following actions are available in the details flyout that opens:

+- Modify policy settings by clicking **Edit** in each section (custom policies or the default policy)

+- :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** or :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** (custom policies only)

+- :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** or :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** (custom policies only)

+- :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** (custom policies only)

+The actions are described in the following subsections.

+### Use the Microsoft 365 Defender portal to modify outbound spam policies

+After you select the default outbound spam policy or a custom policy by clicking anywhere other than the check box next to the name, the policy settings are shown in the details flyout that opens. Click **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Create outbound spam policies](#use-the-microsoft-365-defender-portal-to-create-outbound-spam-policies) section earlier in this article.

+For the default policy, you can't modify the name of the policy, and there are no sender filters to configure (the policy applies to all senders). But, you can modify all other settings in the policy.

+### Use the Microsoft 365 Defender portal to enable or disable custom outbound spam policies

+You can't disable the default outbound spam policy (it's always enabled).

+After you select an enabled custom outbound spam policy (the **Status** value is **On**) by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn off** at the top of the policy details flyout.

+After you select a disabled custom outbound spam policy (the **Status** value is **Off**) by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-turn-on-off-icon.png" border="false"::: **Turn on** at the top of the policy details flyout.

+When you're finished in the policy details flyout, click **Close**.

+On the **Anti-spam policies** page, the **Status** value of the policy is now **On** or **Off**.

+### Use the Microsoft 365 Defender portal to set the priority of custom outbound spam policies

+Outbound spam policies are processed in the order that they're displayed on the **Anti-spam policies** page:

+- The outbound spam policy named **Strict Preset Security Policy** that's associated with the Strict preset security policy is always applied first (if the Strict preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).

+- The outbound spam policy named **Standard Preset Security Policy** that's associated with the Standard preset security policy is always applied next (if the Standard preset security policy is [enabled](preset-security-policies.md#use-the-microsoft-365-defender-portal-to-assign-standard-and-strict-preset-security-policies-to-users)).

+- Custom outbound spam policies are applied next in priority order (if they're enabled):

+ - A lower priority value indicates a higher priority (0 is the highest).

+ - By default, a new outbound spam policy is created with a priority that's lower than the lowest existing custom outbound spam policy (the first is 0, the next is 1, etc.).

+ - No two outbound spam policies can have the same priority value.

+- The default outbound spam policy always has the priority value **Lowest**, and you can't change it.

+Outbound spam protection stops for a sender after the first policy is applied. For more information, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).

+After you select the custom outbound spam policy by clicking anywhere other than the check box next to the name, you can increase or decrease the priority of the policy in the details flyout that opens:

+- The custom policy with the **Priority** value **0** on the **Anti-spam policies** page has the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** action at the top of the details flyout.

+- The custom policy with the lowest priority (highest **Priority** value; for example, **3**) has the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** action at the top of the details flyout.

+- If you have three or more policies, the policies between **Priority** 0 and the lowest priority have both the :::image type="icon" source="../../media/m365-cc-sc-increase-icon.png" border="false"::: **Increase priority** and the :::image type="icon" source="../../media/m365-cc-sc-decrease-icon.png" border="false"::: **Decrease priority** actions at the top of the details flyout.

+When you're finished in the policy details flyout, click **Close**.

+Back on the **Anti-spam policies** page, the order of the policy in the list matches the updated **Priority** value.

+### Use the Microsoft 365 Defender portal to remove custom outbound spam policies

+You can't remove the default outbound spam policy.

+After you select the custom outbound spam policy by clicking anywhere other than the check box next to the name, click :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete policy** at the top of the flyout, and then click **Yes** in the warning dialog that opens.

+On the **Anti-spam policies** page, the deleted policy is no longer listed.

+In PowerShell, the basic elements of an outbound spam policy are:

+- **The outbound spam filter policy**: Specifies the actions for outbound spam filtering verdicts and the notification options.

+- **The outbound spam filter rule**: Specifies the priority and sender filters (who the policy applies to) for an outbound spam filter policy.

+The difference between these two elements isn't obvious when you manage outbound spam policies in the Microsoft 365 Defender portal:

+- When you create a policy in the Defender portal, you're actually creating an outbound spam filter rule and the associated outbound spam filter policy at the same time using the same name for both.

+- When you modify a policy in the Defender portal, settings related to the name, priority, enabled or disabled, and sender filters modify the outbound spam filter rule. All other settings modify the associated outbound spam filter policy.

+- When you remove a policy from the Defender portal, the outbound spam filter rule and the associated outbound spam filter policy are removed at the same time.

+In PowerShell, the difference between outbound spam filter policies and outbound spam filter rules is apparent. You manage spam filter policies by using the **\*-HostedOutboundSpamFilterPolicy** cmdlets, and you manage spam filter rules by using the **\*-HostedOutboundSpamFilterRule** cmdlets.

+- In PowerShell, you create the outbound spam filter policy first, then you create the outbound spam filter rule, which identifies the associated policy that the rule applies to.

+- When you remove an outbound spam filter policy from PowerShell, the corresponding outbound spam filter rule isn't automatically removed, and vice versa.

+To return detailed information about a specific outbound spam filter policy, use this syntax:

+[Auto forwarded messages report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report)

+3. On the **Policy name** page, enter a brief but unique name in the **Policy name** box. The policy name is selectable in drop-down lists in upcoming steps.

+ During the creation of the anti-phishing policy, if you don't select a quarantine policy, the default quarantine policy is used. When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown. The default quarantine policies are listed in the [supported features table](#step-2-assign-a-quarantine-policy-to-supported-features).

+- No effect in quarantine notifications. Previewing a quarantined message from the quarantine notification isn't possible. The **Review message** action in quarantine notifications takes users to the details flyout of the message in quarantine where they can preview the message.

+- Use the URL `http://spamlink.contoso.com` to test Safe Links protection. This URL is similar to the GTUBE text string for testing anti-spam solutions. This URL is not harmful, but it will trigger Safe Links protection.

+ - If the message was blocked by [domain or user impersonation protection in Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), an allow entry isn't created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains section** in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-365-defender-portal-to-modify-anti-phishing-policies) that detected the message.