+|[Microsoft Teams user activity](microsoft-teams-user-activity-preview.md)|Yes|Yes|Yes|Yes|Yes|

+|[Microsoft Teams device usage](microsoft-teams-device-usage-preview.md)|Yes|Yes|Yes|Yes|Yes|

+|[Microsoft Teams team activity](microsoft-teams-usage-activity.md)|Yes|Yes|Yes|Yes|Yes|

+1. In the admin center, go to **Teams & groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a>.

+2. Select the shared mailbox you want to edit, and then select either **Edit name** or **Edit email addresses**.

+3. Enter a new name for the shared mailbox, or add another email alias. If you want to change the primary email address, your mailbox must have more than one email alias.

+1. In the admin center, go to **Teams & groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a>.

+1. In the admin center, go to **Teams & groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a>.

+1. In the admin center, go to **Teams & groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a>.

+1. In the admin center, go to **Teams & groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a>.

+1. In the admin center, go to **Teams & groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a>.

+1. In the admin center, go to **Teams & groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a>.

+1. In the admin center, go to **Teams & groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a>.

+> Large or complex updates may take longer than others so that no users are adversely affected. There is no guarantee on the exact timeline of a release. Targeted release is now available for customers with either the Office 365 GCC plan or the Office 365 GCC High plan and DoD plan for the following

+2. On the **Home** tab, choose **New event**.

+2. Select **+ Add resource**.

+4. Select **Save**.

+## Create a signature that applies to all messages

+1. Select **Rules**.

+1. Select **Add a rule +**, and then select **Apply disclaimers**.

+1. Select **Admin centers**, and then choose **Exchange**.

+1. Under Mail flow, select **Rules**.

+1. Select the **+** (Add) icon and choose **Apply disclaimers**.

+1. Give the rule a name.

+1. Under **Apply this rule**, select **[Apply to all messages]**.

+1. Under Do the following, leave **Append the disclaimer** selected.

+1. Select **Enter text**, type your disclaimer, and then select **Save**.

+1. Select **Select one**, choose **Wrap** as a fallback option, and then select **Save**. This means that if the disclaimer can't be added because of encryption or another mail setting, it will be wrapped in a message envelope.

+1. Under **Except if**, choose whether you want exceptions for sender, recipient, attachment and more and follow those steps.

+1. Choose **Next**.

+1. Under **Rule mode**, choose **Enforce** to turn on the disclaimer immediately, otherwise, choose **Test with Policy Tips** or **Test without Policy Tips**.

+1. Choose a Severity level.

+1. Choose **Activate this rule on** and specify a date.

+1. Choose **Deactivate this rule on** and specify a date.

+1. Choose **Stop processing more rules** if you only want this signature rule to run.

+1. Choose **Defer the message** if rule processing doesnΓÇÖt complete if you want this experience.

+Admins can export all messages, notes, files, topics, users, and groups to a .zip file. For more information, see [Export data from Yammer Enterprise](/yammer/manage-security-and-compliance/export-yammer-enterprise-data).

+ - Maximum of 100 auto-labeling policies per tenant, each targeting up to 100 locations (SharePoint sites or OneDrive individual users or groups) when you specify specific locations by using the **Included** or **Excluded** options. If you keep the default configuration of **All**, this configuration is exempt from the 100 locations maximum.

+5. For the page **Assign admin units**: This configuration is currently in preview. If your organization is using [administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units), auto-labeling policies for Exchange and OneDrive can be automatically restricted to specific users by selecting administrative units. If your account has been [assigned administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview), you must select one or more administrative units.

+ > [!NOTE]

+ > If you are editing an existing policy and change the administrative units, you must now reconfigure the locations in the next step.

+

+ > - If you selected the option to use administrative units in the previous step, the location for SharePoint sites becomes unavailable. Only auto-labeling policies for Exchange and OneDrive support administrative units.

+ > - When you use the **Included** or **Excluded** options, you will see and can select only users from the administrative units selected in the previous step.

+ - Rolling out: For the OneDrive location, you must specify users or groups. Previously, you had to specify sites by URLs. Any existing OneDrive URL sites in auto-labeling policies will continue to work but before you can specify new OneDrive locations, or for restricted admins, you must first delete any existing site URLs. Groups supported: distribution groups, Microsoft 365 groups, mail-enabled security groups, and security groups.

+However currently, restricted admins won't be able to see labeling activities for OneDrive in activity explorer.

+## Microsoft Viva Insights activities

+Viva Insights provides insight into how groups collaborate across your organization. The following table lists activities performed by users that are assigned the Administrator role or the Analyst roles in Viva Insights. Users assigned the Analyst role have full access to all service features and use the product to do analysis. Users assigned the Administrator role can configure privacy settings and system defaults, and can prepare, upload, and verify organizational data in Viva Insights. For more information, see [Introducing Microsoft Viva Insights](/viva/insights/introduction).

+> ^*An Azure Active Directory sign in and sign off activity event is created when a user signs in. This activity is logged even if you don't have Viva Insights turned on in your organization. For more information about user sign in activities, see [Sign-in logs in Azure Active Directory](/azure/active-directory/reports-monitoring/concept-sign-ins).

+## Personal insights activities

+The following table lists the activities in personal insights that are logged in the Microsoft 365 audit log. For more information about personal insights, see [Admin guide for personal insights](/viva/insights/personal/Overview/mya-for-admins).

+|Updated organization MyAnalytics settings|UpdatedOrganizationMyAnalyticsSettings|Admin updates organization-level settings for personal insights. |

+|Updated user MyAnalytics settings|UpdatedUserMyAnalyticsSettings|Admin updates user settings for personal insights.|

+|Viva Goals|VivaGoals|

+|Viva Insights|VivaInsights|

+| **Message is sent to any of these domains** <br><br> **Message is not sent to any of these domains** | Apply the policy to include or exclude specific domains in sent messages.<br><br> Make sure to use the following syntax when entering conditional text: <br><br>-Enter each domain and separate multiple domains with a comma.<br> -Do not include spaces between items separated by a comma.<br> -Remove all leading and trailing spaces.<br><br>Each domain is applied separately; only one domain must apply for the policy to apply to the message. <br><br> If you want to exclude all emails sent to two specific domains, configure the **Message is not sent to any of these domains** condition with the two domains (example 'contoso.com,wingtiptoys.com'). |

+3. On the **Define the scope for this label** page, the options selected determine the label's scope for the settings that you can configure and where they'll be visible when they're published:

+5. Repeat these steps to create more labels. However, if you want to create a sublabel, first select the parent label and select **...** for **Actions**, and then select **Create sublabel**.

+6. When you've created all the labels you need, review their order and if necessary, move them up or down. To change the order of a label, select **...** for **Actions**, and then select one of the reordering options, such as **Move up** or **Move down**. For more information, see [Label priority (order matters)](sensitivity-labels.md#label-priority-order-matters) from the overview information.

+7. If you create more than one label policy that might result in a conflict for a user, review the policy order and if necessary, move them up or down. To change the order of a label policy, select **...** for **Actions**, and then select one of the reordering options. For more information, see [Label policy priority (order matters)](sensitivity-labels.md#label-policy-priority-order-matters) from the overview information.

+In a production environment, it's unlikely that you'll need to remove sensitivity labels from a label policy, or delete sensitivity labels. It's more likely that you might need to do one or either of these actions during an initial testing phase. Make sure you understand what happens when you do either of these actions.

+Removing a label from a label policy is less risky than deleting it, and can always be added back later if needed. You can't delete a label if it's still in a label policy.

+- If the label applied encryption, the underlying protection template is archived so that previously protected content can still be opened. Because of this archived protection template, you can't create a new label with the same name. Although it's possible to delete a protection template by using [PowerShell](/powershell/module/aipservice/remove-aipservicetemplate), don't do this unless you're sure you don't need to open content that was encrypted with the archived template.

+To configure and use your sensitivity labels for specific scenarios, you might find the following articles helpful:

+ |location | include/exclude by|

+ |||

+ |Exchange email| distribution groups|

+ |SharePoint sites |sites |

+ |OneDrive accounts |accounts or distribution groups |

+ |Teams chat and channel messages |account or distribution group |

+ |Windows 10, Windows 11, and macOS (three latest released versions) devices |user or group |

+ |Microsoft Cloud App Security |instance |

+ |On-premises repositories| repository file path|

+ |Power BI (preview)| workspaces|

+ - item contains a specified kind of sensitive information that is being used in a certain context. For example, 95 social security numbers being emailed to recipient outside your org.

+ - item has a specified sensitivity label

+ - item with sensitive information is shared either internally or externally

+ - SharePoint/Exchange/OneDrive: Block people who are outside your organization from accessing the content. Show the user a tip and send them an email notification that they're taking an action that is prohibited by the DLP policy.

+ - Teams Chat and Channel: Block sensitive information from being shared in the chat or channel

+ - Windows 10, Windows 11, and macOS (three latest released versions) Devices: Audit or restrict copying a sensitive item to a removeable USB device

+ - Office Apps: Show a popup notifying the user that they're engaging in a risky behavior and block or block but allow override.

+ - On-premises file shares: move the file from where it's stored to a quarantine folder

+ > [!NOTE]

+ > The conditions and the actions to take are defined in an object called a Rule.

+### High volume of sensitive info shared or save externally

+*This feature is in preview*

+Microsoft 365 provides you with visibility into risky user activities outside of DLP policies. The **High volume of sensitive info shared or saved externally (preview)** card on the DLP homepage shows a count of sensitive items that users have:

+- uploaded to the suspicious domains

+- accessed with a suspicious application

+- copied to a removable drive

+Microsoft 365 scans the audit logs for risky activities and runs them through a correlation engine to find activities that are occurring at a high volume. No DLP policies are required.

+To get more details on the items that users are copying or moving outside of your organization (called egress activities, or exfiltration), select the **Learn more** link on the card to open a details pane. You can investigate incidents for Microsoft Purview Data Loss Prevention (DLP) from the Microsoft 365 Defender portal **Incidents & alerts** > **Incidents**. See [Investigate data loss incidents with Microsoft 365 Defender](../security/defender/investigate-dlp.md) and [Investigate alerts in Microsoft 365 Defender](../security/defender/investigate-alerts.md).

+- Content is not labeled

+These preconfigured sensitive information types (SIT) support policy tips in Outlook on the Web.

+## Sensitivity labels support for policy tips in Outlook on the Web

+## Retention labels support for policy tips in Outlook on the Web

+## Trainable classifiers support for policy tips in Outlook on the Web

+Details on support for policy tips and notifications for different apps can be found here:

+> A review set displays a maximum of 1,000 items per page and up to 10 pages (for a total of 10,000 items displayed per review set). Use default or custom filters to adjust the displayed items as needed.

+ Title: "Enable autoexpanding archiving"

+description: "For administrators: Learn how to enable autoexpanding archiving, which provides your users with additional storage for their Exchange Online mailboxes. You can enable autoexpanding archiving for your entire organization or just for specific users."

+# Enable autoexpanding archiving

+You can use the Exchange Online autoexpanding archiving feature to enable additional storage space for archive mailboxes. When autoexpanding archiving is turned on, additional storage space is automatically added to a user's archive mailbox until it reaches the storage limit of 1.5 TB. You can turn on autoexpanding archiving for everyone in your organization or just for specific users. For more information about autoexpanding archiving, see [Learn about autoexpanding archiving](autoexpanding-archiving.md).

+## Before you enable autoexpanding archiving

+ - After you turn on autoexpanding archiving for your organization or for a specific user, it can't be turned off. Administrators also can't adjust the storage quota for autoexpanding archiving.

+ - Autoexpanding archiving prevents you from recovering or restoring an [inactive mailbox](inactive-mailboxes-in-office-365.md#what-are-inactive-mailboxes). That means if you enable autoexpanding archiving for a mailbox and the mailbox is made inactive at a later date, you won't be able to [recover the inactive mailbox](recover-an-inactive-mailbox.md) (by converting it to an active mailbox) or [restore it](restore-an-inactive-mailbox.md) (by merging the contents to an existing mailbox).

+ If autoexpanding archiving is enabled on an inactive mailbox, the only way to recover data is by using the Content search tool in the Microsoft Purview compliance portal to export the data from the mailbox and import to another mailbox. For more information, see the [Inactive mailboxes and autoexpanding archives](inactive-mailboxes-in-office-365.md#inactive-mailboxes-and-auto-expanding-archives).

+- You must be a global administrator in your organization or a member of the Organization Management role group in your Exchange Online organization to enable autoexpanding archiving. Alternately, you have to be a member of a role group that's assigned the Mail Recipients role to enable autoexpanding archiving for specific users.

+- A user's mailbox must already be [enabled for archive](enable-archive-mailboxes.md) before you can enable autoexpanding archiving.

+- After you turn on autoexpanding archiving, an archive mailbox is converted to an autoexpanding archive when the archive mailbox (including the Recoverable Items folder) reaches 90 GB. It can take up to 30 days for the additional storage space to be provisioned.

+- Autoexpanding archiving also supports shared mailboxes.

+- You can't use the Exchange admin center or the Microsoft Purview compliance portal to enable autoexpanding archiving. You must use Exchange Online PowerShell.

+## Enable autoexpanding archiving for your entire organization

+You can enable autoexpanding archiving for your entire organization. After you turn it on, autoexpanding archiving will be enabled for existing user mailboxes and for new user mailboxes that are created. When you create user mailboxes, be sure to enable the user's main archive mailbox so the autoexpanding archiving feature works for the new user mailbox.

+2. Run the following command in Exchange Online PowerShell to enable autoexpanding archiving for your entire organization.

+## Enable autoexpanding archiving for specific users

+Instead of enabling autoexpanding archiving for every user in your organization, you can enable it only for specific users. You might do this because only some users might have a need for a large archive storage capacity.

+When you enable autoexpanding archiving for a specific user and the user's mailbox in on hold or assigned to a retention policy, the following two configurations changes are made:

+This additional space is added to prevent any storage issues that may occur before the autoexpanding archive is provisioned. Additional storage space *is not* added when you enable autoexpanding archiving for your entire organization, as described in the previous section.

+2. Run the following command in Exchange Online PowerShell to enable autoexpanding archiving for a specific user. As previously explained, the user's archive mailbox (main archive) must be enabled before you can turn on autoexpanding archiving for that user.

+> In an Exchange hybrid deployment, you can't use the **Enable-Mailbox -AutoExpandingArchive** command to enable autoexpanding archiving for a specific user whose primary mailbox is on-premises and whose archive mailbox is cloud-based. To enable autoexpanding archiving for cloud-based archive mailboxes in an Exchange hybrid deployment, you have to run the **Set-OrganizationConfig -AutoExpandingArchive** command in Exchange Online PowerShell to enable autoexpanding archiving for the entire organization. If a user's primary and archive mailboxes are both cloud-based, then you can use the **Enable-Mailbox -AutoExpandingArchive** command to enable autoexpanding archiving for that specific user.

+## Verify that autoexpanding archiving is enabled

+To verify that autoexpanding archiving is enabled for your organization, run the following command in Exchange Online PowerShell.

+A value of `True` indicates that autoexpanding archiving is enabled for the organization.

+To verify that autoexpanding archiving is enabled for a specific user, run the following command in Exchange Online PowerShell.

+A value of `True` indicates that autoexpanding archiving is enabled for the user.

+To determine if autoexpanding archiving is enabled for inactive mailboxes, run the following command in Exchange Online PowerShell.

+A value of `True` indicates that autoexpanding archiving is enabled for the inactive mailbox. A value of `False` indicates that autoexpanding archiving isn't enabled.

+Keep the following things in mind after you enable autoexpanding archiving:

+- If you run the **Set-OrganizationConfig -AutoExpandingArchive** command to enable autoexpanding archiving for your organization, you don't have to run the **Enable-Mailbox -AutoExpandingArchive** on individual mailboxes. Running the **Set-OrganizationConfig** cmdlet to enable autoexpanding archiving for your organization doesn't change the *AutoExpandingArchiveEnabled* property on user mailboxes to `True`.

+- Similarly, the values for the *ArchiveQuota* and *ArchiveWarningQuota* mailbox properties aren't changed when you enable autoexpanding archiving. In fact, when you enable autoexpanding archiving for a user mailbox and the *AutoExpandingArchiveEnabled* property is set to `True`, the *ArchiveQuota* and *ArchiveWarningQuota* properties are ignored. Here's an example of these mailbox properties after autoexpanding archiving is enabled for a user's mailbox.

+ 

+- Autoexpanding archiving is supported for cloud-based archive mailboxes in an Exchange hybrid deployment for users who have an on-premises primary mailbox. However, after autoexpanding archiving is enabled for a cloud-based archive mailbox, you can't off-board that archive mailbox back to the on-premises Exchange organization. Autoexpanding archiving isn't supported for on-premises mailboxes in any version of Exchange Server.

+- For a list of Outlook clients that users can use to access items in the additional storage area in their archive mailbox, see the "Outlook requirements for accessing items in an auto-expanded archive" section in [Learn about autoexpanding archiving](autoexpanding-archiving.md#outlook-requirements-for-accessing-items-in-an-auto-expanded-archive).

+- As previously explained, 10 GB is added to the storage quota of the user's primary archive mailbox (and to the Recoverable Items folder if the mailbox is on hold) when you run the **Enable-Mailbox -AutoExpandingArchive** command. This provides additional storage until the auto-expanded storage space is provisioned (which can take up to 30 days). This additional storage space isn't added when you run the **Set-OrganizationConfig -AutoExpandingArchive** to enable autoexpanding archiving for all mailboxes in your organization. If you enabled autoexpanding archiving for the entire organization, but need to add the additional 10 GB of storage space for a specific user, you can run the **Enable-Mailbox -AutoExpandingArchive** command on that mailbox. You will receive an error saying that autoexpanding archiving has already been enabled, but the additional storage space will be added to the mailbox.

+> Autoexpanding archiving is supported only for mailboxes used by individual users or for shared mailboxes with a growth rate that doesn't exceed 1 GB per day. Using journaling, transport rules, or auto-forwarding rules to copy messages to an archive mailbox for the purposes of archiving is not permitted. A user's archive mailbox is intended for just that user. Microsoft reserves the right to deny additional archiving in instances where a user's archive mailbox is used to store archive data for other users or in other cases of inappropriate use.

+ - **Remove encryption if the file or email is encrypted**: When you select this option, applying the label removes existing encryption, even if it was applied independently from a sensitivity label.

+In Outlook, when a user applies a sensitivity label that lets them assign permissions to a message, you can choose the **Do Not Forward option** or **Encrypt-Only**. The user will see the label name and description at the top of the message, which indicates the content's being protected. Unlike Word, PowerPoint, and Excel (see the [next section](#word-powerpoint-and-excel-permissions)), users aren't prompted to select specific permissions. For this configuration, the administrator controls the permissions, but not who has access.

+In Word, PowerPoint, and Excel, when a user applies a sensitivity label that lets them assign permissions to a document, the user is prompted to specify their choice of users and permissions for the encryption. For this configuration, the user and not the administrator controls both who can access the document, and what permissions they have.

+For built-in labeling in Windows, users can additionally specify a domain name when they're prompted to specify their choice of users and permissions. When a domain name is entered, the permissions will apply to all users in an organization that owns the domain and it is in Azure Active Directory. To identify the minimum versions that support this setting, use the [capabilities table](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-word-excel-and-powerpoint) and the row **Let users assign permissions:- Prompt users for custom permissions (users, groups, and organizations)**.

+Now in preview, sensitivity labels support [administrative units that have been configured in Azure Active Directory](/azure/active-directory/roles/administrative-units):

+- You can define the initial scope of sensitivity label policies and auto-labeling policies when you create or edit these policies. When you select administrative units, only the users in those administrative units will be eligible for the policy.

+> Don't select administrative units for an auto-labeling policy that you want to apply to documents in SharePoint. Because administrative units support only users and groups, if you configure an auto-labeling policy to use administrative units, you won't be able to select the SharePoint location.

+|[Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md)| Helps prevent unintentional sharing of sensitive items. | [Learn about data loss prevention](dlp-learn-about-dlp.md)|

+|[Microsoft Purview extension for Chrome](dlp-chrome-learn-about.md) | Extends DLP capabilities to the Chrome browser | [Get started with the Microsoft Purview extension for Chrome](dlp-chrome-get-started.md)|

+|[Learn about the Microsoft Purview extension for Firefox](dlp-firefox-extension-learn.md)|Extends DLP capabilities to the Firefox browser|[Get startd with the Microsoft Purview extension for Firefox](dlp-firefox-extension-get-started.md)

+|[Microsoft Purview data loss prevention on-premises repositories](dlp-on-premises-scanner-learn.md)|Extends DLP monitoring of file activities and protective actions for those files to on-premises file shares and SharePoint folders and document libraries.|[Get started with Microsoft Purview data loss prevention on-premises repositories](dlp-on-premises-scanner-get-started.md)|

+|[Protect sensitive information in Microsoft Teams chat and channel messages](dlp-microsoft-teams.md) | Extends some DLP functionality to Teams chat and channel messages | [Learn about the default data loss prevention policy in Microsoft Teams](dlp-teams-default-policy.md)|

+Use the **Search** control to search for an Alert ID or search for a specific word in the alert name. The search results display any policy alert containing the Alert ID or a word defined in the search.

+- **Case ID**: The ID of the case.

+Use the **Search** control to search for a Case ID or to search for specific text in case names. Use the case filter to sort cases by the following attributes:

+- **Case ID**: The ID of the case.

+- Alert

+- Alert ID

+Use the search control to search for an Alert ID or to search for specific text in alert names. Use the alert filter to sort cases by the following attributes:

+- ID

+- Users

+- Alert

+- Alert severity

+- Risk factors

+> [!NOTE]

+> To reduce your OCR costs, charges for scanning each unique image are incurred only once.

+>

+> Small images, such as logos and signatures that are sent in email via Microsoft Exchange are scanned and billed only once per unique image across all users of the tenant. For all subsequent instances, the results of the previous scan will be reused.

+>

+>Additionally, each scanned image can be used in any number of policies across data loss prevention, insider risk management, auto-labeling, and records management at no additional charge.

+If there are multiple auto-apply retention label policies that could apply a retention label, and the content meets the conditions of more than one of these policies, you can't control which retention label will be selected. However, in some cases, the retention label for the oldest auto-apply retention label policy (by date created) is selected. This happens only when the matching policies don't include multiple instances of the same type of condition (sensitive information types, specific keywords or searchable properties, or trainable classifiers).

+You can apply just one sensitivity label to an item such as a document, email, or container. If you set an option that requires your users to provide a justification for changing a label to a lower sensitivity, the order of this list identifies the lower sensitivity. However, this option doesn't apply to sublabels that share the priority of their parent label.

+When you select a sensitivity label, you can reorder it by using the options to move it to the top or bottom of the list if it's not a sublabel, move it up or down by one label, or directly assign a number.

+With sublabels, you can group one or more labels below a parent label that a user sees in an Office app. For example, under Confidential, your organization might use several different labels for specific types of that sensitivity. In this example, the parent label Confidential is simply a text label with no protection settings, and because it has sublabels, it can't be applied to content. Instead, users must choose Confidential to view the sublabels, and then they can choose a sublabel to apply to content.

+If you delete a sensitivity label from the admin portal, the label is't automatically removed from content, and any protection settings continue to be enforced on content that had that label applied.

+The sensitivity labels that are built into Microsoft 365 Apps on Windows, macOS, iOS, and Android look and behave very similarly across these devices to provide users with a consistent labeling experience. However, on Windows computers, you can also use the [Azure Information Protection (AIP) client](/azure/information-protection/rms-client/aip-clientv2). The AIP Office add-in component from this client is now in [maintenance mode](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-information-protection-and-the-information-protection/ba-p/3671070) and will be [retired April 2024](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/retirement-notification-for-the-azure-information-protection/ba-p/3791908). When the AIP client is installed, it's no longer the default labeling client for the latest Office apps.

+### Data loss prevention

+- **General availability (GA)**: Oversharing Popup for Outlook Win 32. [Scenario 2 Show policy tip as oversharing popup](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup) and [Business justification X-Header](dlp-policy-reference.md#business-justification-x-header).

+- **In preview**: Now rolling out, OneDrive locations for [auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) are changing from sites specified by URLs to users and groups. This change of configuration means that [administrative units](microsoft-365-compliance-center-permissions.md#administrative-units-preview) are now supported for OneDrive auto-labeling policies. Any existing OneDrive sites specified in auto-labeling policies as site URLs will continue to work but before you can add more OneDrive locations, or for restricted admins, you must first delete any existing OneDrive sites specified as URLs. Groups supported: distribution groups, Microsoft 365 groups, mail-enabled security groups, and security groups.

+- **In preview**: Prevent [oversharing of labeled emails as a DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup). This DLP policy configuration is an equivalent for the AIP add-in with PowerShell advanced settings that implement pop-up messages in Outlook that warn, justify, or block emails being sent.

+- The earliest version for the AIP add-in to be [disabled by default in Office apps](sensitivity-labels-aip.md#how-to-disable-the-aip-add-in-to-use-built-in-labeling-for-office-apps) for the Current Channel and Monthly Enterprise Channel is now version 2302. The minimum version for the Semi-Annual Channel hasn't changed.

+Refer to endpoint.microsoft.com, Tenant Administration | Tenant Status for existing tenants. If you do not have an existing tenant, create a trial tenant and provision Intune. Microsoft will not store Intune customer data at rest outside the stated geo, except if:

+- If you are using the Remote Help feature, the Helper and Sharer's information may be sent outside of the stated Geo for 48 hours.

+> [!NOTE]

+> The **Poland** local data center region launched on April 26, 2023. If your organization requires the migration of your Microsoft 365 customer data to Poland, and a data residency commitments for Poland, please refer to [Advanced Data Residency](advanced-data-residency.md) for more information.

+> [!NOTE]

+> For tenants in Australia, Brazil, Canada, France, Germany, India, Japan, Qatar, South Korea, Norway, South Africa, Sweden, Switzerland, United Arab Emirates, and the United Kingdom, additional workloads are available for data residency commitments. Refer to [Advanced Data Residency](advanced-data-residency.md) for more information.

+- Exchange Online [Data Location](m365-dr-workload-exo.md#how-can-i-determine-customer-data-location)

+## Week of June 05, 2023

+| Published On |Topic title | Change |

+|||--|

+| 6/5/2023 | [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide) | modified |

+| 6/5/2023 | Mail flow map | removed |

+| 6/6/2023 | [Understanding deployment insights in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-deployment-insights-overview?view=o365-worldwide) | modified |

+| 6/6/2023 | [Submit files in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/admin-submissions-mde?view=o365-worldwide) | modified |

+| 6/6/2023 | [Get baseline profile configurations](/microsoft-365/security/defender-endpoint/get-security-baselines-assessment-configurations?view=o365-worldwide) | modified |

+| 6/6/2023 | [Microsoft Defender Antivirus security intelligence and product updates](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates?view=o365-worldwide) | modified |

+| 6/6/2023 | [Advanced Hunting API](/microsoft-365/security/defender-endpoint/run-advanced-query-api?view=o365-worldwide) | modified |

+| 6/6/2023 | [Microsoft 365 Defender advanced hunting API](/microsoft-365/security/defender/api-advanced-hunting?view=o365-worldwide) | modified |

+| 6/6/2023 | [Manage incidents and alerts from Defender for Office 365 in Microsoft 365 Defender](/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts?view=o365-worldwide) | modified |

+| 6/6/2023 | [View email security reports](/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide) | modified |

+| 6/6/2023 | [Admin review for user reported messages](/microsoft-365/security/office-365-security/submissions-admin-review-user-reported-messages?view=o365-worldwide) | modified |

+| 6/6/2023 | [Manage submissions](/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide) | modified |

+| 6/6/2023 | [Errors during admin submissions](/microsoft-365/security/office-365-security/submissions-error-messages?view=o365-worldwide) | modified |

+| 6/6/2023 | [Report phishing and suspicious emails in Outlook for admins](/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide) | modified |

+| 6/6/2023 | [Report spam, non-spam, phishing, suspicious emails and files to Microsoft](/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft?view=o365-worldwide) | modified |

+| 6/6/2023 | [Submit malware and good files to Microsoft for analysis](/microsoft-365/security/office-365-security/submissions-submit-files-to-microsoft?view=o365-worldwide) | modified |

+| 6/6/2023 | [User reported message settings in Teams](/microsoft-365/security/office-365-security/submissions-teams?view=o365-worldwide) | modified |

+| 6/6/2023 | [User reported settings](/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox?view=o365-worldwide) | modified |

+| 6/6/2023 | [Manage allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-about?view=o365-worldwide) | modified |

+| 6/6/2023 | [Manage library settings in Microsoft Syntex](/microsoft-365/syntex/manage-library-settings) | added |

+| 6/6/2023 | [Set up Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/set-up?view=o365-worldwide) | modified |

+| 6/6/2023 | [Configure remediation for Microsoft Defender Antivirus detections](/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus?view=o365-worldwide) | modified |

+| 6/6/2023 | [Protect Dev Drive using performance mode](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-antivirus-performance-mode?view=o365-worldwide) | modified |

+| 6/6/2023 | [Protect security settings with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide) | modified |

+| 6/6/2023 | [Overview of Microsoft Syntex](/microsoft-365/syntex/syntex-overview) | modified |

+| 6/7/2023 | [Use sensitivity labels to protect calendar items, Teams meetings, and chat](/microsoft-365/compliance/sensitivity-labels-meetings?view=o365-worldwide) | modified |

+| 6/7/2023 | [How to search the audit logs for actions performed by Defender Experts](/microsoft-365/security/defender/auditing?view=o365-worldwide) | modified |

+| 6/7/2023 | [Before you begin using Defender Experts for XDR](/microsoft-365/security/defender/before-you-begin-xdr?view=o365-worldwide) | modified |

+| 6/7/2023 | [Get started with Microsoft Defender Experts for XDR](/microsoft-365/security/defender/get-started-xdr?view=o365-worldwide) | modified |

+| 6/7/2023 | [How to use the Microsoft Defender Experts for XDR service](/microsoft-365/security/defender/start-using-mdex-xdr?view=o365-worldwide) | modified |

+| 6/7/2023 | [Accessibility mode in Microsoft Syntex](/microsoft-365/syntex/accessibility-mode) | modified |

+| 6/7/2023 | [Discover other trained models in Microsoft Syntex](/microsoft-365/syntex/discover-other-trained-models) | modified |

+| 6/7/2023 | [Overview of unstructured document processing in Microsoft Syntex](/microsoft-365/syntex/document-understanding-overview) | modified |

+| 6/7/2023 | [Get started with the Microsoft Purview extension for Chrome](/microsoft-365/compliance/dlp-chrome-get-started?view=o365-worldwide) | modified |

+| 6/7/2023 | [Learn about the Microsoft Purview extension for Chrome](/microsoft-365/compliance/dlp-chrome-learn-about?view=o365-worldwide) | modified |

+| 6/7/2023 | [Get started with the Microsoft Purview extension for Firefox](/microsoft-365/compliance/dlp-firefox-extension-get-started?view=o365-worldwide) | modified |

+| 6/7/2023 | [Learn about the Microsoft Purview extension for Firefox](/microsoft-365/compliance/dlp-firefox-extension-learn?view=o365-worldwide) | modified |

+| 6/7/2023 | [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations?view=o365-worldwide) | modified |

+| 6/7/2023 | [Microsoft Defender Antivirus compatibility with other security products](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide) | modified |

+| 6/7/2023 | [Create and deploy a data loss prevention policy](/microsoft-365/compliance/dlp-create-deploy-policy?view=o365-worldwide) | modified |

+| 6/7/2023 | [What's new in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365-whats-new?view=o365-worldwide) | modified |

+| 6/7/2023 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files?view=o365-worldwide) | modified |

+| 6/7/2023 | [Manage submissions](/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide) | modified |

+| 6/7/2023 | [Allow or block email using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide) | modified |

+| 6/7/2023 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure?view=o365-worldwide) | modified |

+| 6/7/2023 | [Allow or block URLs using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-urls-configure?view=o365-worldwide) | modified |

+| 6/7/2023 | [Try and evaluate Defender for Office 365](/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365?view=o365-worldwide) | modified |

+| 6/8/2023 | [Room and equipment mailboxes](/microsoft-365/admin/manage/room-and-equipment-mailboxes?view=o365-worldwide) | modified |

+| 6/8/2023 | [Create organization-wide signatures and disclaimers](/microsoft-365/admin/setup/create-signatures-and-disclaimers?view=o365-worldwide) | modified |

+| 6/8/2023 | [Troubleshoot license issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-license?view=o365-worldwide) | modified |

+| 6/8/2023 | [Automatically apply a sensitivity label in Microsoft 365](/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide) | modified |

+| 6/8/2023 | [What's new in Microsoft Purview risk and compliance solutions](/microsoft-365/compliance/whats-new?view=o365-worldwide) | modified |

+| 6/9/2023 | [Cancel your Microsoft business subscription](/microsoft-365/commerce/subscriptions/cancel-your-subscription?view=o365-worldwide) | modified |

+| 6/9/2023 | [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide) | modified |

+| 6/9/2023 | [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations?view=o365-worldwide) | modified |

+| 6/9/2023 | [Overview of Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide) | modified |

+| 6/9/2023 | [Delete a model in Microsoft Syntex](/microsoft-365/syntex/delete-a-model) | modified |

+| 6/9/2023 | [Configure shared mailbox settings](/microsoft-365/admin/email/configure-a-shared-mailbox?view=o365-worldwide) | modified |

+| 6/9/2023 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified |

+| 6/9/2023 | [Address compromised user accounts with automated investigation and response](/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide) | modified |

+| 6/9/2023 | [Configure anti-malware policies](/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide) | modified |

+| 6/9/2023 | [Anti-malware protection](/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide) | modified |

+| 6/9/2023 | [How EOP validates the From address to prevent phishing](/microsoft-365/security/office-365-security/anti-phishing-from-email-address-validation?view=o365-worldwide) | modified |

+| 6/9/2023 | [Anti-phishing policies](/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide) | modified |

+| 6/9/2023 | [Anti-phishing protection](/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide) | modified |

+| 6/9/2023 | [Anti-spoofing protection](/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about?view=o365-worldwide) | modified |

+| 6/9/2023 | [Tune anti-phishing protection](/microsoft-365/security/office-365-security/anti-phishing-protection-tuning?view=o365-worldwide) | modified |

+| 6/9/2023 | [Backscatter in EOP](/microsoft-365/security/office-365-security/anti-spam-backscatter-about?view=o365-worldwide) | modified |

+| 6/9/2023 | [Bulk complaint level values](/microsoft-365/security/office-365-security/anti-spam-bulk-complaint-level-bcl-about?view=o365-worldwide) | modified |

+| 6/9/2023 | [ASF settings in EOP](/microsoft-365/security/office-365-security/anti-spam-policies-asf-settings-about?view=o365-worldwide) | modified |

+| 6/9/2023 | [Configure spam filter policies](/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide) | modified |

+| 6/9/2023 | [Anti-spam protection](/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide) | modified |

+| 6/9/2023 | [Spam confidence level](/microsoft-365/security/office-365-security/anti-spam-spam-confidence-level-scl-about?view=o365-worldwide) | modified |

+| 6/9/2023 | [What's the difference between junk email and bulk email?](/microsoft-365/security/office-365-security/anti-spam-spam-vs-bulk-about?view=o365-worldwide) | modified |

+| 6/9/2023 | [Spoof intelligence insight](/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence?view=o365-worldwide) | modified |

+| 6/9/2023 | [Allow or block email using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide) | modified |

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to manage your tenants' delegated access."

+Microsoft 365 Lighthouse provides delegated relationship insights across all your customer tenants in a single view. You can track your transition away from Delegated Administrative Privileges (DAP) and ensure your Granular Delegated Administrative Privileges (GDAP) relationships are set up as intended. Data is available for any customer tenant in Lighthouse, regardless of the customers' licensing, user count, or geographic region. To access these insights, select **Permissions** > **Delegated access** in the left navigation pane in Lighthouse. You must hold the Admin agent role in Partner Center.

+From this page, you can see the status of all your customers' delegated relationships at a glance, including whether GDAP is set up, if a GDAP template has been assigned, and the next upcoming GDAP relationship expiration date for a customer tenant. In this sortable view by tenant, you can filter by the following information:

+- **GDAP template:** Created by your organization through Lighthouse, GDAP templates define the service tiers, Azure Active Directory (AAD) roles used to deploy GDAP to your tenants. To learn more about GDAP templates, see [Set up GDAP for your customers](m365-lighthouse-setup-gdap.md).

+To view the Microsoft 365 Lighthouse default baseline that applies to all tenants, select **Deployment** > **Baselines** in the left navigation pane in Lighthouse.

+1. In the left navigation pane in Lighthouse, select **Users** > **Account management** > **Inactive users**.

+5. Once you've determined that a user account is no longer needed, you can delete or block the account. At the minimum, you should block the user account to reduce security risks. From the user details pane, select **Block sign-in** or **Delete user**.

+1. In the left navigation pane in Lighthouse, select **Users** > **Account management** > **Inactive users**.

+> [!NOTE]

+[Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md) (article)\

+[Overview of the Tenants page in Microsoft 365 Lighthouse](m365-lighthouse-tenants-page-overview.md) (article)\

+[Overview of the Device compliance page in Microsoft 365 Lighthouse](m365-lighthouse-device-compliance-page-overview.md) (article)\

+[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)\

+ Title: "Set up GDAP for your customers in Microsoft 365 Lighthouse"

+# Set up GDAP for your customers in Microsoft 365 Lighthouse

+ To verify that Lighthouse was successfully added to your tenant, look for Microsoft 365 Lighthouse under **Billing** > **Your products** in the Microsoft 365 admin center.

+## May 2023

+### GDAP Setup now checks for required roles

+We've updated GDAP Setup in Microsoft 365 Lighthouse to check whether you have the required roles before getting started. If you don't have the required roles, a message will alert you.

+To access GDAP Setup in Lighthouse, go to the **GDAP Setup** card on the **Home** page, and then select **Set up GDAP**.

+To learn more, see [Set up GDAP for your customers in Microsoft 365 Lighthouse](m365-lighthouse-setup-gdap.md).

+<details>

+ <summary> June-2023 (Build: 101.98.89 | Release version: 30.123042.19889.0)</summary>

+## June-2023 Build: 101.98.89 | Release version: 30.123042.19889.0

+&ensp;Released: **June 12,2023**<br/>

+&ensp;Published: **June 12, 2023**<br/>

+&ensp;Build: **101.98.89**<br/>

+&ensp;Release version: **30.123042.19889.0**<br/>

+&ensp;Engine version: **1.1.20100.7**<br/>

+&ensp;Signature version: **1.385.1648.0**<br/>

+**What's new**

+- There are multiple fixes and new changes in this release

+ - Improved Network Protection Proxy handling.

+ - In Passive mode, Defender for Endpoint no longer scans when Definition update happens.

+ - Device will continue to be protected even after Defender for Endpoint agent has expired. It is still recommended to upgrade the Defender for Endpoint Linux agent to the latest available version to receive bug fixes, features and performance improvements.

+ - Removed semanage package dependency.

+ - Engine Update to 1.1.20100.7 and Signatures Ver: 1.385.1648.0.

+ - Bug fixes.

+**Known issues**

+- While upgrading from mdatp version 101.75.43 or 101.78.13, you may encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at [System hang due to blocked tasks in fanotify code](https://access.redhat.com/solutions/2838901).

+There are two ways to mitigate this upgrade issue:

+1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

+Example:

+```bash

+sudo apt purge mdatp

+sudo apt-get install mdatp

+```

+2. As an alternative you can follow the instructions to [uninstall](/microsoft-365/security/defender-endpoint/linux-resources#uninstall), then [install](/microsoft-365/security/defender-endpoint/linux-install-manually#application-installation) the latest version of the package.

+If you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrading.

+Some customers (<1%) experience issues with this method.

+ ```bash

+sudo mdatp config real-time-protection --value=disabled

+sudo systemctl disable mdatp

+```

+</details>

+While deploying [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md), an error message with an **X** on top of the Microsoft Defender for Endpoint on macOS shield may appear.

+Click the **X** symbol and an **Action Needed** prompt should pop up. Clicking the **Action Needed** prompt will bring up the following licensing error message:

+Or if you type "mdatp health" in the terminal without the double quotes, you might see the following warning:

+### Message:

+ATTENTION: No license found. Contact your administrator for help.\

+healthy: false\

+health_issues: [ΓÇ£missing licenseΓÇ¥]\

+licensed: false

+You deployed and/or installed the Microsoft Defender for Endpoint on macOS package ("Download installation package"), but might not have run the configuration script ("Download onboarding package") that contains the license settings.

+You can also encounter this error when the Microsoft Defender for Endpoint on macOS agent isn't up to date or if you have not assigned a license to the user.

+### Solution:

+Depending on the deployment management tool used, please follow the instructions to onboard the package (register the license) as documented here:

+|Management|Onboarding instructions (License deployment instructions)|

+|-|-|

+|Intune|[Onboarding blob](/microsoft-365/security/defender-endpoint/mac-install-with-intune?view=o365-worldwide#onboarding-blob&preserve-view=true)|

+|JamF|[Onboarding package](/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=o365-worldwide#step-1-get-the-microsoft-defender-for-endpoint-onboarding-package&preserve-view=true)|

+|Other MDM|[License settings](/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm?view=o365-worldwide#license-settings&preserve-view=true)|

+|Manual installation| Go thru [Download onboarding package](/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide#download-installation-and-onboarding-packages&preserve-view=true) and go thru the registration of the license according to [client-configuration](/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide#client-configuration&preserve-view=true)|

+>[!TIP]

+> If the onboarding package runs correctly, the licensing information will be located in `/Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist`.

+For scenarios where Microsoft Defender for Endpoint on macOS isn't up to date, you'll need to [update](/microsoft-365/security/defender-endpoint/mac-updates?view=o365-worldwide&preserve-view=true) the agent.

+To assign a license to the end-user, do the following:

+1. In the Microsoft 365 Defender portal (security.microsoft.com), click on **Settings -> Endpoints -> Licenses**.

+1. Select your license.

+1. Click **Assign licenses**.

+1. Enter the name and email address of the person being assigned.

+1. Check the box for "Microsoft Defender for Endpoint" and click **Assign**.

+If the licensing issues have been resolved, when you run "mdatp health," you should see the following results:\

+healthy: true\

+health_issues: []\

+licensed: true

+### May-2023 *UPDATE* (Platform: 4.18.23050.5 | Engine: 1.1.23050.2)

+*Microsoft has released a platform update (**4.18.23050.5**) for the May 2023 release.*

+- Security intelligence update version: **1.391.860.0**

+- Released: **June 12, 2023**

+- Platform: **4.18.23050.5**

+- Engine: **1.1.23050.2**

+- Support phase: **Security and Critical Updates**

+ΓÇ»

+### What's new

+- Fixed issue that could lead to resolution of incorrect service endpoint

+

+### Known Issues

+- None

+### May-2023 (Platform: 4.18.23050.3 | Engine: 1.1.23050.2)

+- Potential issue that could lead to resolution of incorrect service endpoint

+ Title: Monthly security summary reporting in Microsoft Defender for Endpoint

+description: Use the monthly security summary to see threats detected and prevented, current status from Microsoft Secure Score, and recommended actions.

+keywords: month report, security summary, managed devices, secure score, incidents

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+localization_priority: Normal

+audience: ITPro

+- m365-security

+- tier2

+# Monthly security summary report in Microsoft Defender for Endpoint

+**Applies to:**

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Business](../defender-business/mdb-overview.md)

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+The report helps organizations get a visual summary of key findings and overall preventative actions taken to enhance the organization's overall security posture completed in the last month. It helps you identify areas of strength and improvement, track your progress over time, and prioritize your actions based on risk and impact.

+To access this report, in the navigation pane, choose **Reports > Endpoints > Monthly Security Summary**. The monthly security summary report contains the following sections:

+- [Microsoft Secure Score](#microsoft-secure-score)

+- [Secure score compared to other organizations](#secure-score-compared-to-other-organizations)

+- [Devices onboarded](#devices-onboarded)

+- [Protection against threats](#protection-against-threats)

+- [Web content monitoring and filtering](#web-content-monitoring-and-filtering)

+- [Suspicious or malicious activities](#suspicious-or-malicious-activities)

+You can generate a PDF report of the summary, by selecting **Generate PDF report**. The generated report is a summary of the last 30 days.

+## Microsoft Secure score

+Microsoft Secure Score is a measurement of an organization's security posture and how well you have implemented security best practices and recommendations across the devices in your organization. The secure score card shows how the overall cybersecurity strength of an organization has improved in the past month and how it compares to other companies with similar number of managed devices.

+## Secure score compared to other organizations

+This score is an evaluation of an organization's security score in relation to organizations of a similar size. It's a way to benchmark an organization's performance in implementing security measures compared to other organizations of an equivalent size.

+## Devices onboarded

+The devices card provides information on the number of devices that were onboarded in the last month as well as devices still not onboarded. Onboarding devices are essential for enabling protection and detection capabilities.

+## Protection against threats

+This card shows how effective your defenses are against common attack vectors such as phishing and ransomware. A higher number indicates better defense in place against phishing and ransomware. The report shows how many threats were blocked or mitigated in the last month and how your protection level has increased.

+## Web content monitoring and filtering

+Shows the number of malicious URLs that were blocked by Microsoft Defender for Endpoint in the last month. The report also shows the categories of URLs that were blocked and the number of clicks for each category.

+## Suspicious or malicious activities

+Track how many incidents and alerts were resolved in the past month using the incidents card. The card also shows all active incidents and alerts that require attention. You'll also be able to see a list of the top 10 severe incidents, their status, number of alerts, and the impacted devices and users.

+

+ > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from the above link is: 'C94E3D630730E5A2B605FD295BD81D93997888F4CB2B2694076FCFDE85876C13'

+ echo 'C94E3D630730E5A2B605FD295BD81D93997888F4CB2B2694076FCFDE85876C13 XMDEClientAnalyzerBinary.zip' | sha256sum -c

+ echo '1A8004C89E8B75FF892AAC66F1B1D07F3C7030720070A1A1E677A099A9ADC32E XMDEClientAnalyzer.zip' | sha256sum -c

+ -h, --help show this help message and exit

+ -e <executable>, --exe <executable>

+ exclude by executable name, i.e: bash

+ -p <process id>, --pid <process id>

+ exclude by process id, i.e: 911

+ -d <directory>, --dir <directory>

+ exclude by target path, i.e: /var/foo/bar

+ -x <executable> <directory>, --exe_dir <executable> <directory>

+ exclude by executable path and target path, i.e: /bin/bash /var/foo/bar

+ -q <q_size>, --queue <q_size>

+ set dispatcher q_depth size

+ -r, --remove remove exclusion file

+ -s, --stat get statistics about common executables

+ -l, --list list auditd rules

+ -o, --override Override the existing auditd exclusion rules file for mdatp

+ -c <syscall number>, --syscall <syscall number>

+ exclude all process of the given syscall

+- **Continuous (NRT)**ΓÇöruns continuously, checking data from events as they are collected and processed in near real-time (NRT), see [Continuous (NRT) frequency](custom-detection-rules.md#continuous-nrt-frequency)

+> [!TIP]

+> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.

+##### Continuous (NRT) frequency

+Setting a custom detection to run in Continuous (NRT) frequency allows you to increase your organization's ability to identify threats faster.

+> [!NOTE]

+> Using the Continuous (NRT) frequency has minimal to no impact to your resource usage and should thus be considered for any qualified custom detection rule in your organization.

+###### Queries you can run continuously

+You can run a query continuously as long as:

+- The query references one table only.

+- The query uses an operator from the list of supported KQL operators. **[Supported KQL features](/azure/azure-monitor/essentials/data-collection-transformations-structure#supported-kql-features)**

+- The query does not use joins, unions, or the `externaldata` operator.

+###### Tables that support Continuous (NRT) frequency

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+- **Real-time threat response**: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.

+In EOP, messages that are found to contain malware in _any_ attachments are quarantined. Whether the recipients can view or otherwise interact with the quarantined messages is controlled by _quarantine policies_. By default, messages that were quarantined due to malware can only be viewed and released by admins. For more information, see the following articles:

+As explained in the next section, anti-malware policies also contain a _common attachments filter_. Messages that contain the specified file types are _automatically_ identified as malware. You can choose whether to quarantine or reject the messages.

+Anti-malware policies control the settings and notification options for malware detections. The important settings in anti-malware policies are described in the following subsections.

+### Recipient filters in anti-malware policies

+In custom anti-malware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions:

+- **Users**

+- **Groups**

+- **Domains**

+You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).

+> [!IMPORTANT]

+> Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied _only_ to those recipients that match _all_ of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:

+>

+> - Users: romain@contoso.com

+> - Groups: Executives

+>

+> The policy is applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

+>

+> Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com _only_ if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

+### Common attachments filter in anti-malware policies

+There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these types of files for malware, when you should probably block them all, anyway? That's where the common attachments filter comes in. The file types that you specify are automatically treated as malware.

+- The default file types: `ace, apk, app, appx, ani, arj, bat, cab, cmd,com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z`.

+- Additional predefined file types that you can select from in the Microsoft 365 Defender portal<sup>\*</sup>: `7z, 7zip, a, accdb, accde, action, ade, adp, appxbundle, asf, asp, aspx, avi, bin, bundle, bz, bz2, bzip2, cab, caction, cer, chm, command, cpl, crt, csh, css, der, dgz, dmg, doc, docx, dot, dotm, dtox, dylib, font, gz, gzip, hlp, htm, html, imp, inf, ins, ipa, isp, its, jnlp, js, jse, ksh, lqy, mad, maf, mag, mam, maq, mar, mas, mat, mav, maw, mda, mdb, mde, mdt, mdw, mdz, mht, mhtml, mscompress, msh, msh1, msh1xml, msh2, msh2xml, mshxml, msixbundle, o, obj, odp, ods, odt, one, onenote, ops, package, pages, pbix, pdb, pdf, php, pkg, plugin, pps, ppsm, ppsx, ppt, pptm, pptx, prf, prg, ps1, ps1xml, ps2, ps2xml, psc1, psc2, pst, pub, py, rar, rpm, rtf, scpt, service, sh, shb, shtm, shx, so, tar, tarz, terminal, tgz, tool, url, vhd, vsd, vsdm, vsdx, vsmacros, vss, vssx, vst, vstm, vstx, vsw, workflow, ws, xhtml, xla, xlam, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, zi, zip, zipx`.

+<sup>\*</sup> You can enter any text value in the Defender portal or using the _FileTypes_ parameter in the [New-MalwareFilterPolicy](/powershell/module/exchange/new-malwarefilterpolicy) or [Set-MalwareFilterPolicy](/powershell/module/exchange/set-malwarefilterpolicy) cmdlets in Exchange Online PowerShell.

+The common attachments filter uses best effort true-typing to detect the file type regardless of the filename extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.

+When files are detected by the common attachments filter, you can choose to **Reject the message with a non-delivery report (NDR)** or **Quarantine the message**.

+### Zero-hour auto purge (ZAP) in anti-malware policies

+ZAP for malware quarantines messages that are found to contain malware _after_ they've been delivered to Exchange Online mailboxes. By default, ZAP for malware is turned on, and we recommend that you leave it on. For more information, see [Zero-hour auto purge (ZAP) for malware](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-for-malware).

+### Quarantine policies in anti-malware policies

+Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. By default, recipients don't receive notifications for messages that were quarantined as malware. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

+### Admin notifications in anti-malware policies

+You can specify an additional recipient (an admin) to receive notifications for malware detected in messages from internal or external senders. You can customize the **From address**, **subject**, and **message text** for internal and external notifications.

+> [!NOTE]

+> Admin notifications are sent only for _attachments_ that are classified as malware.

+>

+> The quarantine policy that's assigned to the anti-malware policy determines whether recipients receive email notifications for messages that were quarantined as malware.

+### Priority of anti-malware policies

+If you create multiple custom anti-malware policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied (the highest priority policy for that recipient).

+For more information about the order of precedence and how multiple policies are evaluated, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md) and [Order of precedence for preset security policies and other policies](preset-security-policies.md#order-of-precedence-for-preset-security-policies-and-other-policies).

+Every organization has a built-in anti-malware policy named Default that has the following properties:

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+description: Admins can learn how Exchange Online Protection (EOP) and Outlook.com enforce email address syntax to help prevent phishing.

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+Phishing attacks are a constant threat to any email organization. In addition to using [spoofed (forged) sender email addresses](anti-phishing-protection-spoofing-about.md), attackers often use values in the From address that violate internet standards. To help prevent this type of phishing, Exchange Online Protection (EOP) and Outlook.com require inbound messages to include an RFC-compliant From address as described in this article.

+ Also:

+ - One email address only.

+ - Don't include text after the email address.

+## Examples of good and bad From addresses

+The following table contains examples of valid From addresses:

+|Address|Comments|

+|||

+|`From: sender@contoso.com`|OK|

+|`From: <sender@contoso.com>`|OK|

+|`From: < sender@contoso.com >`|OK, but not recommended because there are spaces between the angle brackets and the email address.|

+|`From: "Sender, Example" <sender.example@contoso.com>`|OK|

+|`From: "Microsoft 365" <sender@contoso.com>`|OK|

+|`From: Microsoft 365 <sender@contoso.com>`|OK, but not recommended because the display name isn't enclosed in double quotation marks.|

+The following table contains examples of From addresses that aren't valid:

+|Address|Comments|

+|||

+|**No From address**|In the past, when Microsoft 365 or Outlook.com received a message without a From address, the service added `From: <>` to make the message deliverable. As of November 2017, messages with blank From addresses aren't accepted.|

+|`From: <firstname lastname@contoso.com>`|The email address contains a space.|

+|`From: Microsoft 365 sender@contoso.com`|The display name is present, but the email address isn't enclosed in angle brackets.|

+|`From: "Microsoft 365" <sender@contoso.com> (Sent by a process)`|Text after the email address.|

+|`From: Sender, Example <sender.example@contoso.com>`|The display name contains a comma, but isn't enclosed in double quotation marks.|

+|`From: "Microsoft 365 <sender@contoso.com>"`|The whole value is incorrectly enclosed in double quotation marks.|

+|`From: "Microsoft 365 <sender@contoso.com>" sender@contoso.com`|The display name is present, but the email address isn't enclosed in angle brackets.|

+|`From: Microsoft 365<sender@contoso.com>`|No space between the display name and the left angle bracket.|

+|`From: "Microsoft 365"<sender@contoso.com>`|No space between the closing double quotation mark and the left angle bracket.|

+## Suppress auto-replies to custom domains

+You can't use the value `From: <>` to suppress auto-replies. Instead, you need to set up a *null MX record* for the custom domain. After you set up the null MX record, *all* replies are naturally suppressed because there's no published address for the responding server to send messages to.

+For the null MX record, choose an email domain that can't receive email. For example, if the primary domain is contoso.com, you might choose noreply.contoso.com. The null MX record for this domain consists of a single period. For example:

+To bypass the From address requirements for inbound email, you can use the IP Allow List (connection filtering) or mail flow rules (also known as transport rules) as described in [Create safe sender lists in Microsoft 365](create-safe-sender-lists-in-office-365.md). Outlook.com doesn't allow overrides of any kind, even through support requests.

+You can't override the From address requirements for outbound email that you send from Microsoft 365 or Outlook.com.

+For more information on how to strengthen your organization against phishing, spam, data breaches, and other threats, see [Best practices for securing Microsoft 365 for business plans](../../business-premium/secure-your-business-data.md).

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+To view information about impersonation detections, select **View impersonations** in the impersonation insight to go to the **Impersonation insight** page.

+The **Impersonation insight** page at <https://security.microsoft.com/impersonationinsight> is available when you select **View impersonations** in the impersonation insight on the **Anti-phishing** page.

+On the **Impersonation insight** page, verify the **Domains** tab is selected.

+You can sort the entries by clicking on an available column header. The following columns are available:<sup>\*</sup>:

+<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:

+The **Impersonation insight** page at <https://security.microsoft.com/impersonationinsight> is available when you select **View impersonations** in the impersonation insight on the **Anti-phishing** page.

+On the **Impersonation insight** page, select the **Users** tab.

+You can sort the entries by clicking on an available column header. The following columns are available:<sup>\*</sup>:

+<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+ When spoof intelligence is enabled, the **spoof intelligence insight** shows spoofed senders that were automatically detected and allowed or blocked by spoof intelligence. You can manually override the spoof intelligence verdict to allow or block the detected spoofed senders from the insight. But when you do, the spoofed sender disappears from the spoof intelligence insight, and is visible only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. Or, you can manually create allow or block entries for spoofed senders in the Tenant Allow/Block List, even if they're not detected by the spoof intelligence insight. For more information, see the following articles:

+ - [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list)

+ > - Anti-spoofing protection is enabled in the Standard and Strict preset security policies, and is enabled by default in the default anti-phishing policy and in new custom anti-phishing policies that you create.

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+- **Ransomware** that encrypts your data and demands payment to decrypt it almost always starts in phishing messages. Anti-phishing protection can't help you decrypt encrypted files, but it can help detect the initial phishing messages that are associated with the ransomware campaign. For more information about recovering from a ransomware attack, see [Ransomware incident response playbooks](/security/ransomware/).

+Microsoft 365 organizations with mailboxes in Exchange Online or standalone EOP organizations without Exchange Online mailboxes contain the following features that help protect your organization from phishing threats:

+ **Honor the sender's DMARC policy when the message is detected as spoof**: Control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks and the DMARC policy is set to `p=quarantine` or `p=reject`. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).

+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list).

+- **Attack simulation training**: Admins can create fake phishing messages and send them to internal users as an education tool. For more information, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+When it comes to protecting its users, Microsoft takes the threat of phishing seriously. Spoofing is a common technique that's used by attackers. **Spoofed messages appear to originate from someone or somewhere other than the actual source**. This technique is often used in phishing campaigns that are designed to get user credentials. The anti-spoofing technology in EOP specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed.

+ EOP analyzes and blocks messages based on the combination of standard email authentication methods and sender reputation techniques.

+- **Spoof intelligence insight**: Review detected spoofed messages from senders in internal and external domains during the last seven days. For more information, see [Spoof intelligence insight in EOP](anti-spoofing-spoof-intelligence.md).

+- **Allow or block spoofed senders in the Tenant Allow/Block List**: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list).

+ Anti-phishing policies in Defender for Office 365 contain addition protections, including *impersonation* protection. For more information, see [Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).

+ Defender for Office 365 organizations can also use Real-time detections (Plan 1) or Threat Explorer (Plan 2) to view information about phishing attempts. For more information, see [Microsoft 365 threat investigation and response](office-365-ti.md).

+Spoofed senders in messages have the following negative implications for users:

+- **Deception**: Messages from spoofed senders might trick the recipient into selecting a link and giving up their credentials, downloading malware, or replying to a message with sensitive content (known as business email compromise or BEC).

+ This message didn't come from service.outlook.com, but the attacker spoofed the **From** header field to make it look like it did. The sender attempted to trick the recipient into selecting the **change your password** link and providing their credentials.

+- **Confusion**: Even users who know about phishing might have difficulty seeing the differences between real messages and messages from spoofed senders.

+Microsoft differentiates between two different types of spoofed senders in messages:

+ - `SFTY` is the safety level of the message. `9` indicates phishing, `.11` indicates intra-org spoofing.

+ - `SFTY` is the safety level of the message. `9` indicates phishing, `.22` indicates cross-domain spoofing.

+ For more information about **Authentication-Results** and `compauth` values, see [Authentication-results message header fields](message-headers-eop-mdo.md#authentication-results-message-header-fields).

+Mailing lists (also known as discussion lists) are known to have problems with anti-spoofing protection due to the way they forward and modify messages.

+- **Your organization owns the mailing list**:

+ - Consider installing updates on your mailing list server to support ARC. For more information, see <http://arc-spec.org>.

+- **Your organization doesn't own the mailing list**:

+ - Ask the maintainer of the mailing list to configure email authentication for the domain that the mailing list is relaying from. The owners are more likely to act if enough members ask them to set up email authentication. While Microsoft also works with domain owners to publish the required records, it helps even more when individual users request it.

+ - Create Inbox rules in your email client to move messages to the Inbox.

+ - Use the Tenant Allow/Block List to create an allow entry for the mailing list to treat it as legitimate. For more information, see [Create allow entries for spoofed senders](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders).

+Senders in individual user (or admin) Safe Senders lists bypass parts of the filtering stack, including spoof protection. For more information, see [Outlook Safe Senders](create-safe-sender-lists-in-office-365.md#use-outlook-safe-senders).

+If at all possible, admins should avoid using allowed sender lists or allowed domain lists in anti-spam policies. These senders bypass most of the filtering stack (high confidence phishing and malware messages are always quarantined). For more information, see [Use allowed sender lists or allowed domain lists](create-safe-sender-lists-in-office-365.md#use-allowed-sender-lists-or-allowed-domain-lists).

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+Although Microsoft 365 comes with a variety of anti-phishing features that are enabled by default, it's possible that some phishing messages could still get through to mailboxes in your organization. This article describes what you can do to discover why a phishing message got through, and what you can do to adjust the anti-phishing settings in your Microsoft 365 organization _without accidentally making things worse_.

+- [Anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md). You can temporarily increase the **Advanced phishing thresholds** in the policy from **Standard** to **Aggressive**, **More aggressive**, or **Most aggressive**.

+Verify these policies are working. Safe Links and Safe Attachments protection is turned on by default, thanks to Built-in protection in [preset security policies](preset-security-policies.md). Anti-phishing has a default policy that applies to all recipients where anti-spoofing protection is turned on by default. Impersonation protection isn't turned on in the policy, and therefore needs to be configured. For instructions, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md).

+Reporting phishing messages is helpful in tuning the filters that are used to protect all customers in Microsoft 365. For instructions, see [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](submissions-admin.md).

+Specifically, you should check the **X-Forefront-Antispam-Report** header field in the message headers for indications of skipped filtering for spam or phishing in the Spam Filtering Verdict (SFV) value. Messages that skip filtering have an entry of `SCL:-1`, which means one of your settings allowed this message through by overriding the spam or phishing verdicts that were determined by the service. For more information on how to get message headers and the complete list of all available anti-spam and anti-phishing message headers, see [Anti-spam message headers in Microsoft 365](message-headers-eop-mdo.md).

+> [!TIP]

+> You can copy and paste the contents of a message header into the [Message Header Analyzer](https://mha.azurewebsites.net/) tool. This tool helps parse headers and put them into a more readable format.

+You can also use the [configuration analyzer](configuration-analyzer-for-security-policies.md) to compare your EOP and Defender for Office 365 security policies to the Standard and Strict recommendations.

+- For messages that end up in quarantine by mistake (false positives), or for messages that are allowed through (false negatives), we recommend that you search for those messages in [Threat Explorer and real-time detections](threat-explorer-about.md). You can search by sender, recipient, or message ID. After you locate the message, go to details by clicking on the subject. For a quarantined message, look to see what the "detection technology" was so that you can use the appropriate method to override. For an allowed message, look to see which policy allowed the message.

+- Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as _phishing_ in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. To minimize the impact to users, periodically review the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), [entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-365-defender-portal-to-view-entries-for-spoofed-senders-in-the-tenant-allowblock-list), and the [Spoof detections report](reports-email-security.md#spoof-detections-report). After you review allowed and blocked spoofed senders and make any necessary overrides, you can confidently [configure spoof intelligence in anti-phishing policies](anti-phishing-policies-about.md#spoof-settings) to **Quarantine** suspicious messages instead of delivering them to the user's Junk Email folder.

+- In Defender for Office 365, you can also use the **Impersonation insight** page at <https://security.microsoft.com/impersonationinsight> to track user impersonation or domain impersonation detections. For more information, see [Impersonation insight in Defender for Office 365](anti-phishing-mdo-impersonation-insight.md).

+- Periodically review the [Threat Protection Status report](reports-defender-for-office-365.md#threat-protection-status-report) for phishing detections.

+- Some customers inadvertently allow phishing messages through by putting their own domains in the Allow sender or Allow domain list in anti-spam policies. Although this configuration allows some legitimate messages through, it also allows malicious messages that would normally be blocked by the spam and/or phishing filters. Instead of allowing the domain, you should correct the underlying problem.

+- Have users use the [built-in Report button in Outlook on the web](submissions-outlook-report-messages.md#use-the-built-in-report-button-in-outlook-on-the-web) or deploy the [Microsoft Report Message or Report Phishing add-ins](submissions-outlook-report-messages.md#use-the-report-message-and-report-phishing-add-ins-in-outlook) in your organization. Configure the [user reported settings](submissions-user-reported-messages-custom-mailbox.md) to send user reported messages to a reporting mailbox, to Microsoft, or both. User reported messages are then available to admins on the **User reported** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>. Admin can report user reported messages or any messages to Microsoft as described in [Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft](submissions-admin.md). User or admin reporting of false positives or false negatives to Microsoft is important, because it helps train our detection systems.

+ Use the [Autofowarded messages report](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report) to view specific details about forwarded email.

+description: In this article, admins can about backscatter and how Microsoft Exchange Online Protection (EOP) tries to prevent it.

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+*Backscatter* is non-delivery reports (also known as NDRs or bounce messages) that you receive for messages that you didn't send. Spammers often use real email addresses as the From address to lend credibility to their messages, and forge (spoof) the From address (also known as the `5322.From` or P2 address) to create backscatter. When a non-existent recipient receives spam, the destination email server is essentially tricked into returning the undeliverable message in an NDR to the forged sender in the From address.

+Exchange Online Protection (EOP) makes every effort to identify and silently drop messages from dubious sources without generating an NDR. But, based on the sheer volume email flowing through the service, there's always the possibility that EOP will unintentionally send backscatter.

+Backscatterer.org maintains a blocklist (also known as a DNS blocklist or DNSBL) of email servers that were responsible for sending backscatter, and EOP servers might appear on this list. This list isn't a list of spammers.

+> The Backscatterer.org website (<http://www.backscatterer.org/?target=usage>) recommends using their service in Safe mode as large email services almost always send some backscatter.

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, Advanced Spam Filter (ASF) settings in anti-spam policies allow admins to mark messages as spam based on specific message properties. ASF specifically targets these properties because they're commonly found in spam. Depending on the property, ASF detections mark the message as **Spam** or **High confidence spam**.

+> Enabling one or more of the ASF settings is an aggressive approach to spam filtering. You can't report messages that are filtered by ASF as false positives to Microsoft. You can identify messages that were filtered by ASF by:

+> ASF adds `X-CustomSpam:` X-header fields to messages _after_ the messages have been processed by Exchange mail flow rules (also known as transport rules), so you can't use mail flow rules to identify and act on messages that were filtered by ASF. You can use [Inbox rules](https://support.microsoft.com/office/8400435c-f14e-4272-9004-1548bb1848f2) in mailboxes to affect the delivery of the message.

+- **On**: ASF adds the corresponding X-header field to the message, and marks the message as **Spam** (SCL 5 or 6 for [Increase spam score settings](#increase-spam-score-settings)) or **High confidence spam** (SCL 9 for [Mark as spam settings](#mark-as-spam-settings)).

+- **Off**: The ASF setting is disabled. This is the default value.

+- **Test**: ASF adds the corresponding X-header field to the message. What happens to the message is determined by the **Test mode** (_TestModeAction_) value:

+ - **None**: Message delivery is unaffected by the ASF detection. The message is still subject to other types of filtering and rules in EOP and Defender for Office 365.

+ - **Add default X-header text (_AddXHeader_)**: The X-header value `X-CustomSpam: This message was filtered by the custom spam filter option` is added to the message. You can use this value in Inbox rules (not mail flow rules) to affect the delivery of the message.

+ - **Send Bcc message (_BccMessage_)**: The specified email addresses (the _TestModeBccToRecipients_ parameter value in PowerShell) are added to the Bcc field of the message, and the message is delivered to the additional Bcc recipients. In the Microsoft 365 Defender portal, you separate multiple email addresses by semicolons (;). In PowerShell, you separate multiple email addresses by commas.

+ - **Conditional Sender ID filtering: hard fail** (_MarkAsSpamFromAddressAuthFail_)

+ - **NDR backscatter**(_MarkAsSpamNdrBackscatter_)

+ - **SPF record: hard fail** (_MarkAsSpamSpfRecordHardFail_)

+ - The same test mode action is applied to _all_ ASF settings that are set to **Test**. You can't configure different test mode actions for different ASF settings.

+The following **Increase spam score** ASF settings result in an increase in spam score and therefore a higher chance of getting marked as spam with a spam confidence level (SCL) of 5 or 6, which corresponds to a **Spam** filter verdict and the corresponding action in anti-spam policies. Not every message that matches the following ASF conditions is marked as spam.

+|**Image links to remote websites** (_IncreaseScoreWithImageLinks_)|Messages that contain `<Img>` HTML tag links to remote sites (for example, using http) are marked as spam.|`X-CustomSpam: Image links to remote sites`|

+|**Numeric IP address in URL** (_IncreaseScoreWithNumericIps_)|Messages that contain numeric-based URLs (typically, IP addresses) are marked as spam.|`X-CustomSpam: Numeric IP in URL`|

+|**URL redirect to other port** (_IncreaseScoreWithRedirectToOtherPort_)|Messages that contain hyperlinks that redirect to TCP ports other than 80 (HTTP), 8080 (alternate HTTP), or 443 (HTTPS) are marked as spam.|`X-CustomSpam: URL redirect to other port`|

+|**Links to .biz or .info websites** (_IncreaseScoreWithBizOrInfoUrls_)|Messages that contain `.biz` or `.info` links in the body of the message are marked as spam.|`X-CustomSpam: URL to .biz or .info websites`|

+|**Empty messages** (_MarkAsSpamEmptyMessages_)|Messages with no subject, no content in the message body, and no attachments are marked as high confidence spam.|`X-CustomSpam: Empty Message`|

+|**Embedded tags in HTML** (_MarkAsSpamEmbedTagsInHtml_)|Messages that contain `<embed>` HTML tags are marked as high confidence spam. <br><br> This tag allows the embedding of different kinds of documents in an HTML document (for example, sounds, videos, or pictures).|`X-CustomSpam: Embed tag in html`|

+|**JavaScript or VBScript in HTML** (_MarkAsSpamJavaScriptInHtml_)|Messages that use JavaScript or Visual Basic Script Edition in HTML are marked as high confidence spam. <br><br> These scripting languages are used in email messages to cause specific actions to automatically occur.|`X-CustomSpam: Javascript or VBscript tags in HTML`|

+|**Form tags in HTML** (MarkAsSpamFormTagsInHtml_)|Messages that contain `<form>` HTML tags are marked as high confidence spam. <br><br> This tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.|`X-CustomSpam: Form tag in html`|

+|**Frame or iframe tags in HTML** (MarkAsSpamFramesInHtml_)|Messages that contain `<frame>` or `<iframe>` HTML tags are marked as high confidence spam. <br><br> These tags are used in email messages to format the page for displaying text or graphics.|`X-CustomSpam: IFRAME or FRAME in HTML`|

+|**Web bugs in HTML** (MarkAsSpamWebBugsInHtml_)|A _web bug_ (also known as a _web beacon_) is a graphic element (often as small as one pixel by one pixel) that's used in email messages to determine whether the recipient read the message. <br><br> Messages that contain web bugs are marked as high confidence spam. <br><br> Legitimate newsletters might use web bugs, although many consider this an invasion of privacy. |`X-CustomSpam: Web bug`|

+|**Object tags in HTML** (MarkAsSpamObjectTagsInHtml_)|Messages that contain `<object>` HTML tags are marked as high confidence spam. <br><br> This tag allows plug-ins or applications to run in an HTML window.|`X-CustomSpam: Object tag in html`|

+|**Sensitive words** (MarkAsSpamSensitiveWordList_)|Microsoft maintains a dynamic but non-editable list of words that are associated with potentially offensive messages. <br><br> Messages that contain words from the sensitive word list in the subject or message body are marked as high confidence spam.|`X-CustomSpam: Sensitive word in subject/body`|

+|**SPF record: hard fail** (MarkAsSpamSpfRecordHardFail_)|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <br><br> Test mode isn't available for this setting.|`X-CustomSpam: SPF Record Fail`|

+|**Sender ID filtering hard fail** (MarkAsSpamFromAddressAuthFail_)|Messages that hard fail a conditional Sender ID check are marked as spam. <br><br> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <br><br> Test mode isn't available for this setting.|`X-CustomSpam: SPF From Record Fail`|

+|**Backscatter** (MarkAsSpamNdrBackscatter_)|_Backscatter_ is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](anti-spam-backscatter-about.md). <br><br> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route _outbound_ email through EOP.</li></ul> <br><br> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs are delivered to the original message sender. Some, but not all backscatter is marked as spam. By definition, backscatter can be delivered only to the spoofed sender, not to the original sender.</li></ul> <br><br> Test mode isn't available for this setting.|`X-CustomSpam: Backscatter NDR`|

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft 365 Defender</a>

+You can use the *spoof intelligence insight* in the Microsoft 365 Defender portal to quickly identify spoofed senders who are legitimately sending you unauthenticated email (messages from domains that don't pass SPF, DKIM, or DMARC checks), and manually allow those senders.

+Likewise, you can use the spoof intelligence insight to review spoofed senders that were allowed by spoof intelligence and manually block those senders.

+> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list).

+## Find the spoof intelligence insight in the Microsoft 365 Defender portal

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Tenant Allow/Block Lists** in the **Rules** section. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+2. Select the **Spoofed senders** tab.

+3. On the **Spoofed senders** tab, the spoof intelligence insight looks like this:

+ - **What if mode**: If spoof intelligence is disabled, then the insight shows you how many messages *would have been* detected by spoof intelligence during the past seven days.

+To view information about the spoof intelligence detections, select **View spoofing activity** in the spoof intelligence insight to go to the **Spoof intelligence insight** page.

+### View information about spoof detections

+> Remember, only spoofed senders that were detected by spoof intelligence appear on this page.

+The **Spoof intelligence insight** page at <https://security.microsoft.com/spoofintelligence> is available when you select **View spoofing activity** from the spoof intelligence insight on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page.

+On the **Spoof intelligence insight** page, you can sort the entries by clicking on an available column header. The following columns are available:

+- **Sending infrastructure**: Also known as the _infrastructure_. The sending infrastructure is one of the following values:

+- **Message count**: The number of messages from the combination of the spoofed domain _and_ the sending infrastructure to your organization within the last seven days.

+To change the list of spoofed senders from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.

+To filter the entries, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filter** flyout that opens:

+- **Spoof type**: The available values are **Internal** and **External**.

+- **Action**: The available values are **Allow** and **Block**

+When you're finished in the **Filter** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.

+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and a corresponding value to find specific entries.

+Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of spoof detections to a CSV file.

+### View details about spoof detections

+When you select a spoof detection from the list by clicking anywhere in the row other than the check box next to the first column, a details flyout opens that contains the following information:

+- **Why did we catch this?** section: Why we detected this sender as spoof, and what you can do for further information.

+- **Domain summary** section: Includes the same information from the main **Spoof intelligence insight** page.

+- **WhoIs data** section: Technical information about the sender's domain.

+- **Explorer investigation** section: In Defender for Office 365 organization, this section contains a link to open [Threat Explorer](threat-explorer-about.md) to see additional details about the sender on the **Phish** tab.

+- **Similar Emails** section: Contains the following information about the spoof detection:

+ - **Date**

+ - **Subject**

+ - **Recipient**

+ - **Sender**

+ - **Sender IP**

+ Select **Customize columns** to remove the columns that are shown. When you're finished, select **Apply**.

+> [!TIP]

+> To see details about other entries without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.

+To change the spoof detection from **Allow** to **Block** or vice-versa, see the next section.

+### Override the spoof intelligence verdict

+On the **Spoof intelligence insight** page at <https://security.microsoft.com/spoofintelligence>, use either of the following methods to override the spoof intelligence verdict:

+- Select one or more entries from the list by selecting the check box next to the first column.

+ 1. Select the :::image type="icon" source="../../media/m365-cc-sc-bulk-actions-icon.png" border="false"::: **Bulk actions** action that appears.

+ 2. In the **Bulk actions** flyout that opens, select **Allow to spoof** or **Block from spoofing**, and then select **Apply**.

+- Select the entry from the list by clicking anywhere in the row other than the check box.

+ In the details flyout that opens, select **Allow to spoof** or **Block from spoofing** at the top of the flyout, and then select **Apply**.

+Back on the **Spoof intelligence insight** page, the entry is removed from the list, and is added to the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>.

+### About allowed spoofed senders

+Messages from an allowed spoofed sender (automatically detected or manually configured) are allowed only using the combination of the spoofed domain *and* the sending infrastructure. For example, the following spoofed sender is allowed to spoof:

+Only email from that domain/sending infrastructure pair is allowed to spoof. Other senders attempting to spoof gmail.com aren't automatically allowed. Messages from senders in other domains that originate from tms.mx.com are still checked by spoof intelligence, and might be blocked.

+In PowerShell, you use the **Get-SpoofIntelligenceInsight** cmdlet to *view* allowed and blocked spoofed senders that were detected by spoof intelligence. To manually allow or block the spoofed senders, you need to use the **New-TenantAllowBlockListSpoofItems** cmdlet. For more information, see [Use PowerShell to create allow entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-powershell-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) and [Use PowerShell to create block entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-powershell-to-create-block-entries-for-spoofed-senders-in-the-tenant-allowblock-list).

+- Check the **Spoof Mail Report**. Use this report often to view and help manage spoofed senders. For information, see [Spoof Detections report](reports-email-security.md#spoof-detections-report).

+- Review your Sender Policy Framework (SPF) configuration. For a quick introduction to SPF and to get it configured quickly, see [Set up SPF in Microsoft 365 to help prevent spoofing](email-authentication-spf-configure.md). For a more in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](email-authentication-anti-spoofing.md).

+ - The email address is not also in a block entry in the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses).

+In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you typically use a connector to route email messages from EOP to your on-premises email environment. You might also use a connector to route messages from Microsoft 365 to a partner organization. When Microsoft 365 can't deliver these messages via the connector, they're queued in Microsoft 365. Microsoft 365 continues to retry delivery for each message for 24 hours. After 24 hours, the queued message expires, and the message is returned to the original sender in a non-delivery report (also known as an NDR or bounce message).

+Microsoft 365 tried to connect to the smart host that's specified in the connector, but the DNS query to find the smart host's IP addresses failed. The possible causes for this error are:

+- If the error is from a partner organization (for example, a third party cloud service provider), contact the partner to fix the issue.

+Microsoft 365 can't connect to the destination email server. The error details explain the problem. For example:

+- Find out which scenario applies to you, and make the necessary corrections. For example, if mail flow is working correctly, and you haven't changed the connector settings, check your on-premises email environment to see if the server is down, or if there were changes to your network infrastructure (for example, you changed internet service providers, so you now have different IP addresses).

+- If the error is from a partner organization (for example, a third party cloud service provider), contact the partner to fix the issue.

+Microsoft 365 encountered a connection error when it tried to connect to the destination email server. A likely cause for this error is your firewall is blocking connections from Microsoft 365 IP addresses. Or, this error might be by design if you've migrated your on-premises email system to Microsoft 365 and shut down your on-premises email environment.

+- If you have mailboxes in your on-premises environment, modify your firewall settings to allow connections from Microsoft 365 IP addresses on TCP port 25 to your on-premises email servers. For a list of the Microsoft 365 IP addresses, see [Microsoft 365 URLs and IP address ranges](../../enterprise/urls-and-ip-address-ranges.md).

+- If no more messages should be delivered to your on-premises environment, select **Fix now** in the alert so Microsoft 365 can immediately reject the messages with invalid recipients. This action reduces the risk of exceeding your organization's quota for invalid recipients, which could impact normal message delivery. Or, use the following instructions to manually fix the issue:

+ - Disable or delete the connector that delivers email from Microsoft 365 to your on-premises email environment:

+ 1. In the EAC at <https://admin.exchange.microsoft.com>, go to **Mail flow** \> **Connectors**. Or, to go directly to the **Connectors** page, use <https://admin.exchange.microsoft.com/#/connectors>.

+ 2. On the **Connectors** page, delete or disable the connector with the **From** value **Office 365** and the **To** value **Your organization's email server** by doing one of the following steps:

+ - Select the connector from the list by selecting the round check box that appears next to the **Status** column.

+ 1. Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears.

+ 2. In the confirmation flyout that opens, select **Confirm**.

+ - Select the connector from the list by clicking anywhere in the row other than the round check box that appears next to the **Status** column. In the connector details flyout that opens, do either of the following actions:

+ - Delete the connector by selecting :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** at the top of the flyout, and then select **Confirm** in the confirmation flyout that opens.

+ - Disable the connector by selecting :::image type="icon" source="../../media/m365-cc-sc-disable-icon.png" border="false"::: **Disable** at the top of the flyout, and then select **Confirm** in the confirmation flyout that opens.

+ - In Microsoft 365, change the accepted domain that's associated with your on-premises email environment from **Internal Relay** to **Authoritative**. For instructions, see [Manage accepted domains in Exchange Online](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains).

+- If the error is from a partner organization (for example, a third party cloud service provider), contact the partner to fix the issue.

+> [!NOTE]

+> Typically, these changes take between 30 minutes and one hour to take effect. After one hour, verify that you no longer receive the error.

+Microsoft 365 connected to the destination email server, but the server responded with an immediate error or doesn't meet the connection requirements. The error details explain the problem. For example:

+- Verify the TLS settings and certificates on your on-premises email servers and the TLS settings on the connector.

+- If the error is from a partner organization (for example, a third party cloud service provider), contact the partner to fix the issue.

+Microsoft 365 is having difficulty communicating with your on-premises email environment, so the connection was dropped. Possible causes for this error are:

+- If the error is from a partner organization (for example, a third party cloud service provider), contact the partner to fix the issue.

+Microsoft 365 encountered an error while trying to validate the certificate of the destination email server. The error details explain the error. For example:

+- Certificate expired.

+- Certificate subject mismatch.

+- Certificate is no longer valid.

+- If the error is from a partner organization (for example, a third party cloud service provider), contact the partner to fix the issue.

+If the error is from a partner organization (for example, a third party cloud service provider), contact the partner to fix the issue.

+Our number one recommended option for blocking mail from specific senders or domains is the Tenant Allow/Block List. For instructions, see [Create block entries for domains and email addresses](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses) and [Create block entries for spoofed senders](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-spoofed-senders).

+Our number one recommended option for allowing mail from senders or domains is the Tenant Allow/Block List. For instructions, see [Create allow entries for domains and email addresses](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-domains-and-email-addresses) and [Create allow entries for spoofed senders](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders).

+ - The email address isn't also in a block entry in the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses).

+You can also use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md#override-the-spoof-intelligence-verdict) and the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders) to permit senders to transmit unauthenticated messages to your organization.

+- Admins can use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md#override-the-spoof-intelligence-verdict) or the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders) to allow messages from the spoofed sender.

+appliesto:

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

+ - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

+ Report any false positives to Microsoft as early as possible through [admin submissions](submissions-admin.md), and use the [Tenant Allow/Block List](tenant-allow-block-list-about.md) feature to configure safe overrides for those false positives.

+|Messages quarantined by anti-malware policies (malware messages).|30 days|No|If you turn on the *common attachments filter* in anti-malware policies (in the default policy or in custom policies), file attachments in email messages to the affected recipients are treated as malware based solely on the file extension. A predefined list of mostly executable file types is used by default, but you can customize the list. For more information, see [Common attachments filter in anti-malware policies](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies).|

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365:

+ - _Take action on quarantined messages for all users_: Membership in the **Global Administrator** or **Security Administrator** roles.

+ - _Submit messages from quarantine to Microsoft_: Membership in the **Security Administrator** role.

+ - _Read-only access to quarantined messages for all users_: Membership in the **Global Reader** or **Security Reader** roles.

+**Exchange Online Protection (EOP)** is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employee's inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. **Microsoft Defender for Office 365** Plan 1 or Plan 2 contain additional features that give more layers of security, control, and investigation.

+Although we empower security administrators to customize their security settings, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: **Standard** and **Strict**. Although customer environments and needs are different, these levels of filtering help prevent unwanted mail from reaching your employees' Inbox in most situations.

+> The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help admins find the current values of these settings. Specifically, the **Get-ORCAReport** cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at <https://www.powershellgallery.com/packages/ORCA/>.

+### EOP anti-malware policy settings

+To create and configure anti-malware policies, see [Configure anti-malware policies in EOP](anti-malware-policies-configure.md).

+Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

+The policy named AdminOnlyAccessPolicy enforces the historical capabilities for messages that were quarantined as malware as described in the table [here](quarantine-end-user.md).

+Users can't release their own messages that were quarantined as malware, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages.

+|Security feature name|Default|Standard|Strict|Comment|

+||::|::|::||

+|**Protection settings**|||||

+|**Enable the common attachments filter** (_EnableFileFilter_)|Selected (`$true`)<sup>\*</sup>|Selected (`$true`)|Selected (`$true`)|For the list of file types in the common attachments filter, see [Common attachments filter in anti-malware policies](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies). <br><br> <sup>\*</sup> The common attachments filter is on by default in new anti-malware policies that you create in the Defender portal. The common attachments filter is off by default in the default anti-malware policy and in new policies that you create in PowerShell.|

+|Common attachment filter notifications: **When these file types are found** (_FileTypeAction_)|**Reject the message with a non-delivery report (NDR)** (`Reject`)|**Reject the message with a non-delivery report (NDR)** (`Reject`)|**Reject the message with a non-delivery report (NDR)** (`Reject`)||

+|**Enable zero-hour auto purge for malware** (_ZapEnabled_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|**Quarantine policy** (_QuarantineTag_)|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||

+|**Admin notifications**|||||

+|**Notify an admin about undelivered messages from internal senders** (_EnableInternalSenderAdminNotifications_ and _InternalSenderAdminAddress_)|Not selected (`$false`)|Not selected (`$false`)|Not selected (`$false`)|We have no specific recommendation for this setting.|

+|**Notify an admin about undelivered messages from external senders** (_EnableExternalSenderAdminNotifications_ and _ExternalSenderAdminAddress_)|Not selected (`$false`)|Not selected (`$false`)|Not selected (`$false`)|We have no specific recommendation for this setting.|

+|**Customize notifications**||||We have no specific recommendations for these settings.|

+|**Use customized notification text** (_CustomNotifications_)|Not selected (`$false`)|Not selected (`$false`)|Not selected (`$false`)||

+|**From name** (_CustomFromName_)|Blank|Blank|Blank||

+|**From address** (_CustomFromAddress_)|Blank|Blank|Blank||

+|**Customize notifications for messages from internal senders**||||These settings are used only if **Notify an admin about undelivered messages from internal senders** is selected.|

+|**Subject** (_CustomInternalSubject_)|Blank|Blank|Blank||

+|**Message** (_CustomInternalBody_)|Blank|Blank|Blank||

+|**Customize notifications for messages from external senders**||||These settings are used only if **Notify an admin about undelivered messages from external senders** is selected.|

+|**Subject** (_CustomExternalSubject_)|Blank|Blank|Blank||

+|**Message** (_CustomExternalBody_)|Blank|Blank|Blank||

+|**Bulk email threshold** (_BulkThreshold_)|7|6|5|For details, see [Bulk complaint level (BCL) in EOP](anti-spam-bulk-complaint-level-bcl-about.md).|

+|_MarkAsSpamBulkMail_)|(`On`)|(`On`)|(`On`)|This setting is only available in PowerShell.|

+|**Contains specific languages** (_EnableLanguageBlockList_ and _LanguageBlockList_)|**Off** (`$false` and Blank)|**Off** (`$false` and Blank)|**Off** (`$false` and Blank)|We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.|

+|**From these countries** (_EnableRegionBlockList_ and _RegionBlockList_)|**Off** (`$false` and Blank)|**Off** (`$false` and Blank)|**Off** (`$false` and Blank)|We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs.|

+|**Spam** detection action (_SpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)||

+|**Quarantine policy** for **Spam** (_SpamQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if spam detections are quarantined.|

+|**High confidence spam** detection action (_HighConfidenceSpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)||

+|**Quarantine policy** for **Hight confidence spam** (_HighConfidenceSpamQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if high confidence spam detections are quarantined.|

+|**Phishing** detection action (_PhishSpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)<sup>\*</sup>|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)|<sup>\*</sup> The default value is **Move message to Junk Email folder** in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is **Quarantine message** in new anti-spam policies that you create in the Defender portal.|

+|**Quarantine policy** for **Phishing** (_PhishQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if phishing detections are quarantined.|

+|**High confidence phishing** detection action (_HighConfidencePhishAction_)|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)|**Quarantine message** (`Quarantine`)|Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.|

+|**Quarantine policy** for **High confidence phishing** (_HighConfidencePhishQuarantineTag_)|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||

+|**Bulk** detection action (_BulkSpamAction_)|**Move message to Junk Email folder** (`MoveToJmf`)|**Move message to Junk Email folder** (`MoveToJmf`)|**Quarantine message** (`Quarantine`)||

+|**Quarantine policy** for **Bulk** (_BulkQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if bulk detections are quarantined.|

+|**Retain spam in quarantine for this many days** (_QuarantineRetentionPeriod_)|15 days|30 days|30 days|This value also affects messages that are quarantined by anti-phishing policies. For more information, see [Quarantined email messages in EOP](quarantine-about.md).|

+|**Enable spam safety tips** (_InlineSafetyTipsEnabled_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|Enable zero-hour auto purge (ZAP) for phishing messages (_PhishZapEnabled_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|Enable ZAP for spam messages (_SpamZapEnabled_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|Allowed senders (_AllowedSenders_)|None|None|None||

+|Allowed sender domains (_AllowedSenderDomains_)|None|None|None|Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. <br><br> Use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) and the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list) to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.|

+|Blocked senders (_BlockedSenders_)|None|None|None||

+|Blocked sender domains (_BlockedSenderDomains_)|None|None|None||

+|**Image links to remote sites** (_IncreaseScoreWithImageLinks_)|Off|Off|Off||

+|**Numeric IP address in URL** (_IncreaseScoreWithNumericIps_)|Off|Off|Off||

+|**URL redirect to other port** (_IncreaseScoreWithRedirectToOtherPort_)|Off|Off|Off||

+|**Links to .biz or .info websites** (_IncreaseScoreWithBizOrInfoUrls_)|Off|Off|Off||

+|**Empty messages** (_MarkAsSpamEmptyMessages_)|Off|Off|Off||

+|**Embed tags in HTML** (_MarkAsSpamEmbedTagsInHtml_)|Off|Off|Off||

+|**JavaScript or VBScript in HTML** (_MarkAsSpamJavaScriptInHtml_)|Off|Off|Off||

+|**Form tags in HTML** (_MarkAsSpamFormTagsInHtml_)|Off|Off|Off||

+|**Frame or iframe tags in HTML** (_MarkAsSpamFramesInHtml_)|Off|Off|Off||

+|**Web bugs in HTML** (_MarkAsSpamWebBugsInHtml_)|Off|Off|Off||

+|**Object tags in HTML** (_MarkAsSpamObjectTagsInHtml_)|Off|Off|Off||

+|**Sensitive words** (_MarkAsSpamSensitiveWordList_)|Off|Off|Off||

+|**SPF record: hard fail** (_MarkAsSpamSpfRecordHardFail_)|Off|Off|Off||

+|**Sender ID filtering hard fail** (_MarkAsSpamFromAddressAuthFail_)|Off|Off|Off||

+|**Backscatter** (_MarkAsSpamNdrBackscatter_)|Off|Off|Off||

+|**Test mode** (_TestModeAction_)|None|None|None|For ASF settings that support **Test** as an action, you can configure the test mode action to **None**, **Add default X-Header text**, or **Send Bcc message** (`None`, `AddXHeader`, or `BccMessage`). For more information, see [Enable, disable, or test ASF settings](anti-spam-policies-asf-settings-about.md#enable-disable-or-test-asf-settings).|

+|**Set an external message limit** (_RecipientLimitExternalPerHour_)|0|500|400|The default value 0 means use the service defaults.|

+|**Set an internal message limit** (_RecipientLimitInternalPerHour_)|0|1000|800|The default value 0 means use the service defaults.|

+|**Set a daily message limit** (_RecipientLimitPerDay_)|0|1000|800|The default value 0 means use the service defaults.|

+|**Restriction placed on users who reach the message limit** (_ActionWhenThresholdReached_)|**Restrict the user from sending mail until the following day** (`BlockUserForToday`)|**Restrict the user from sending mail** (`BlockUser`)|**Restrict the user from sending mail** (`BlockUser`)||

+|**Automatic forwarding rules** (_AutoForwardingMode_)|**Automatic - System-controlled** (`Automatic`)|**Automatic - System-controlled** (`Automatic`)|**Automatic - System-controlled** (`Automatic`)|

+|**Send a copy of outbound messages that exceed these limits to these users and groups** (_BccSuspiciousOutboundMail_ and _BccSuspiciousOutboundAdditionalRecipients_)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|We have no specific recommendation for this setting. <br><br> This setting works only in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.|

+|**Notify these users and groups if a sender is blocked due to sending outbound spam** (_NotifyOutboundSpam_ and _NotifyOutboundSpamRecipients_)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|Not selected (`$false` and Blank)|The default [alert policy](../../compliance/alert-policies.md) named **User restricted from sending email** already sends email notifications to members of the **TenantAdmins** (**Global admins**) group when users are blocked due to exceeding the limits in policy. **We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users**. For instructions, see [Verify the alert settings for restricted users](removing-user-from-restricted-users-portal-after-spam.md#verify-the-alert-settings-for-restricted-users).|

+|**Enable spoof intelligence** (_EnableSpoofIntelligence_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|**Honor DMARC record policy when the message when the message is detected as spoof** (_HonorDmarcPolicy_)|Not selected (`$false`)|Not selected (`$false`)|Not selected (`$false`)|**This setting is currently in Preview.** <br><br> When this setting is turned on, you control what happens to messages where the sender fails explicit [DMARC](email-authentication-dmarc-configure.md) checks when the policy action in the DMARC TXT record is set to `p=quarantine` or `p=reject`. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).|

+|**If the message is detected as spoof and DMARC Policy is set as p=quarantine** (_DmarcQuarantineAction_)|**Quarantine the message** (_Quarantine_)|**Quarantine the message** (_Quarantine_)|**Quarantine the message** (_Quarantine_)|**This setting is currently in Preview.** <br><br> This action is meaningful only when **Honor DMARC record policy when the message when the message is detected as spoof** is turned on.|

+|**If the message is detected as spoof and DMARC Policy is set as p=reject** (_DmarcRejectAction_)|**Quarantine the message** (_Quarantine_)|**Quarantine the message** (_Quarantine_)|**Quarantine the message** (_Quarantine_)|**This setting is currently in Preview.** <br><br> This action is meaningful only when **Honor DMARC record policy when the message when the message is detected as spoof** is turned on.|

+|**If the message is detected as spoof and DMARC Policy is set as p=reject** (_DmarcRejectAction_)|**Quarantine the message** (_Quarantine_)|**Quarantine the message** (_Quarantine_)|**Quarantine the message** (_Quarantine_)|**This setting is currently in Preview.** <br><br> This action is meaningful only when **Honor DMARC record policy when the message when the message is detected as spoof** is turned on.|

+|**If the message is detected as spoof by spoof intelligence** (_AuthenticationFailAction_)|**Move the message to the recipients' Junk Email folders** (`MoveToJmf`)|**Move the message to the recipients' Junk Email folders** (`MoveToJmf`)|**Quarantine the message** (`Quarantine`)|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-spoofed-senders). <br><br> If you select **Quarantine the message** as the action for the spoof verdict, an **Apply quarantine policy** box is available.|

+|**Quarantine policy** for **Spoof** (_SpoofQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if spoof detections are quarantined.|

+|**Show first contact safety tip** (_EnableFirstContactSafetyTips_)|Not selected (`$false`)|Not selected (`$false`)|Not selected (`$false`)|For more information, see [First contact safety tip](anti-phishing-policies-about.md#first-contact-safety-tip).|

+|**Show (?) for unauthenticated senders for spoof** (_EnableUnauthenticatedSender_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).|

+|**Show "via" tag** (_EnableViaTag_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. <br><br> For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).|

+> - Although there's no default Safe Attachments policy or Safe Links policy, the **Built-in protection** preset security policy provides Safe Attachments protection and Safe Links protection to all recipients who aren't defined in the Standard preset security policy, the Strict preset security policy, or in custom Safe Attachments or Safe Links policies). For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).

+|**Phishing email threshold** (_PhishThresholdLevel_)|**1 - Standard** (`1`)|**3 - More aggressive** (`3`)|**4 - Most aggressive** (`4`)||

+|User impersonation protection: **Enable users to protect** (_EnableTargetedUserProtection_ and _TargetedUsersToProtect_)|Not selected (`$false` and none)|Selected (`$true` and \<list of users\>))|Selected (`$true` and \<list of users\>))|We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.|

+|Domain impersonation protection: **Enable domains to protect**|Not selected|Selected|Selected||

+|**Include domains I own** (_EnableOrganizationDomainsProtection_)|Off (`$false`)|Selected (`$true`)|Selected (`$true`)||

+|**Include custom domains** (_EnableTargetedDomainsProtection_ and _TargetedDomainsToProtect_)|Off (`$false` and none)|Selected (`$true` and \<list of domains\>))|Selected (`$true` and \<list of domains\>))|We recommend adding domains (sender domains) that you don't own, but you frequently interact with.|

+|**Add trusted senders and domains** (_ExcludedSenders_ and _ExcludedDomains_)|None|None|None|Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.|

+|**Enable mailbox intelligence** (_EnableMailboxIntelligence_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|**Enable intelligence for impersonation protection** (_EnableMailboxIntelligenceProtection_)|Off (`$false`)|Selected (`$true`)|Selected (`$true`)|This setting allows the specified action for impersonation detections by mailbox intelligence.|

+|**If a message is detected as user impersonation** (_TargetedUserProtectionAction_)|**Don't apply any action** (`NoAction`)|**Quarantine the message** (`Quarantine`)|**Quarantine the message** (`Quarantine`)||

+|**Quarantine policy** for **user impersonation** (_TargetedUserQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if user impersonation detections are quarantined.|

+|**If a message is detected as domain impersonation** (_TargetedDomainProtectionAction_)|**Don't apply any action** (`NoAction`)|**Quarantine the message** (`Quarantine`)|**Quarantine the message** (`Quarantine`)||

+|**Quarantine policy** for **domain impersonation** (_TargetedDomainQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessWithNotificationPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if domain impersonation detections are quarantined.|

+|**If mailbox intelligence detects an impersonated user** (_MailboxIntelligenceProtectionAction_)|**Don't apply any action** (`NoAction`)|**Move the message to the recipients' Junk Email folders** (`MoveToJmf`)|**Quarantine the message** (`Quarantine`)||

+|**Quarantine policy** for **mailbox intelligence impersonation** (_MailboxIntelligenceQuarantineTag_)|DefaultFullAccessPolicy┬╣|DefaultFullAccessPolicy|DefaultFullAccessWithNotificationPolicy|The quarantine policy is meaningful only if mailbox intelligence detections are quarantined.|

+|**Show user impersonation safety tip** (_EnableSimilarUsersSafetyTips_)|Off (`$false`)|Selected (`$true`)|Selected (`$true`)||

+|**Show domain impersonation safety tip** (_EnableSimilarDomainsSafetyTips_)|Off (`$false`)|Selected (`$true`)|Selected (`$true`)||

+|**Show user impersonation unusual characters safety tip** (_EnableUnusualCharactersSafetyTips_)|Off (`$false`)|Selected (`$true`)|Selected (`$true`)||

+Although there's no default Safe Attachments policy, the **Built-in protection** preset security policy provides Safe Attachments protection to all recipients who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies. For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).

+|**Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams** (_EnableATPForSPOTeamsODB_)|Off (`$false`)|On (`$true`)|To prevent users from downloading malicious files, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](safe-attachments-for-spo-odfb-teams-configure.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).|

+|**Turn on Safe Documents for Office clients** (_EnableSafeDocs_)|Off (`$false`)|On (`$true`)|This feature is available and meaningful only with licenses that aren't included in Defender for Office 365 (for example, Microsoft 365 A5 or Microsoft 365 E5 Security). For more information, see [Safe Documents in Microsoft 365 A5 or E5 Security](safe-documents-in-e5-plus-security-about.md).|

+|**Allow people to click through Protected View even if Safe Documents identified the file as malicious** (_AllowSafeDocsOpen_)|Off (`$false`)|Off (`$false`)|This setting is related to Safe Documents.|

+> As described earlier, although there's no default Safe Attachments policy, the **Built-in protection** preset security policy provides Safe Attachments protection to all recipients who aren't defined in the Standard preset security policy, the Strict preset security policy, or in custom Safe Attachments policies.

+|**Safe Attachments unknown malware response** (_Enable_ and _Action_)|**Off** (`-Enable $false` and `-Action Block`)|**Block** (`-Enable $true` and `-Action Block`)|**Block** (`-Enable $true` and `-Action Block`)|**Block** (`-Enable $true` and `-Action Block`)|When the _Enable_ parameter is $false, the value of the _Action_ parameter doesn't matter.|

+|**Quarantine policy** (_QuarantineTag_)|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy|AdminOnlyAccessPolicy||

+|**Redirect attachment with detected attachments** : **Enable redirect** (_Redirect_ and _RedirectAddress_)|Not selected and no email address specified. (`-Redirect $false` and _RedirectAddress_ is blank)|Not selected and no email address specified. (`-Redirect $false` and _RedirectAddress_ is blank)|Selected and specify an email address. (`$true` and \<email address\>))|Selected and specify an email address. (`$true` and \<email address\>))|Redirect messages to a security admin for review. <br><br> **Note**: This setting isn't configured in the **Standard**, **Strict**, or **Built-in protection** preset security policies. The **Standard** and **Strict** values indicate our **recommended** values in new Safe Attachments policies that you create.|

+|**Apply the Safe Attachments detection response if scanning can't complete (timeout or errors)** (_ActionOnError_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+Although there's no default Safe Links policy, the **Built-in protection** preset security policy provides Safe Links protection to all recipients who aren't defined in the Standard preset security policy, the Strict preset security policy or in custom Safe Links policies. For more information, see [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md).

+|**On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default.** (_EnableSafeLinksForEmail_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|**Apply Safe Links to email messages sent within the organization** (_EnableForInternalSenders_)|Selected (`$true`)|Not selected (`$false`)|Selected (`$true`)|Selected (`$true`)||

+|**Apply real-time URL scanning for suspicious links and links that point to files** (_ScanUrls_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|**Wait for URL scanning to complete before delivering the message** (_DeliverMessageAfterScan_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|**Do not rewrite URLs, do checks via Safe Links API only** (_DisableURLRewrite_)|Selected (`$false`)<sup>\*</sup>|Selected (`$true`)|Not selected (`$false`)|Not selected (`$false`)|<sup>\*</sup> In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the _DisableURLRewrite_ parameter is `$false`.|

+|**Do not rewrite the following URLs in email** (_DoNotRewriteUrls_)|Blank|Blank|Blank|Blank|We have no specific recommendation for this setting. <br><br> **Note**: Entries in the "Don't rewrite the following URLs" list aren't scanned or wrapped by Safe Links during mail flow. Report the URL as **Should not have been blocked (False positive)** and select **Allow this URL** to add an allow entry to the Tenant Allow/Block List so the URL isn't scanned or wrapped by Safe Links during mail flow _and_ at time of click. For instructions, see [Report good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft).|

+|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten.** (_EnableSafeLinksForTeams_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten.** (_EnableSafeLinksForOffice_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office apps](safe-links-about.md#safe-links-settings-for-office-apps).|

+|**Track user clicks** (_TrackClicks_)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)|Selected (`$true`)||

+|**Let users click through to the original URL** (_AllowClickThrough_)|Selected (`$false`)<sup>\*</sup>|Selected (`$true`)|Not selected (`$false`)|Not selected (`$false`)|<sup>\*</sup> In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the _AllowClickThrough_ parameter is `$false`.|

+|**Display the organization branding on notification and warning pages** (_EnableOrganizationBranding_)|Not selected (`$false`)|Not selected (`$false`)|Not selected (`$false`)|Not selected (`$false`)|We have no specific recommendation for this setting. <br><br> Before you turn on this setting, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your company logo.|

+|**How would you like to notify your users?** (_CustomNotificationText_ and _UseTranslatedNotificationText_)|**Use the default notification text** (Blank and `$false`)|**Use the default notification text** (Blank and `$false`)|**Use the default notification text** (Blank and `$false`)|**Use the default notification text** (Blank and `$false`)|We have no specific recommendation for this setting. <br><br> You can select **Use custom notification text** (`-CustomNotificationText "<Custom text>"`) to enter and use customized notification text. If you specify custom text, you can also select **Use Microsoft Translator for automatic localization** (`-UseTranslatedNotificationText $true`) to automatically translate the text into the user's language.|

+- Use these links for info on how to _set up_ your [EOP service](/exchange/standalone-eop/set-up-your-eop-service), and _configure_ [Microsoft Defender for Office 365](defender-for-office-365.md). Don't forget the helpful directions in [Protect Against Threats in Office 365](protect-against-threats.md).

+5. If needed, while submitting to Microsoft for analysis, admins can [create a block entry for the sender](../tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses) to mitigate the problem.

+4. If needed, while submitting to Microsoft for analysis, admins can [create a block entry for the sender](../tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses) to mitigate the problem.

+5. If needed, while submitting to Microsoft for analysis, admins can judiciously [create an allow entry for the sender](../tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-domains-and-email-addresses) to mitigate the problem.

+ - Turn off the [common attachments filter](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies) (**Protection settings** section \> **Enable the common attachments filter** isn't selected or `-EnableFileFilter $false` in PowerShell).

+To create block entries for *spoofed senders*, see [this section](#create-block-entries-for-spoofed-senders) later in this article.

+Email from these blocked senders is marked as *high confidence spam* (SCL = 9). What happens to the messages is determined by the [anti-spam policy](anti-spam-policies-configure.md) that detected the message for the recipient. For more information, see the **Spam** detection action in [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).

+#### Use the Microsoft 365 Defender portal to create block entries for domains and email addresses in the Tenant Allow/Block List

+When you override the verdict in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page.

+To create allow entries for *spoofed senders*, use any of the following methods:

+- From the **Emails** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email>. For instructions, see [Submit good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft).

+ - When you submit a message that was detected and blocked by [spoof intelligence](anti-spoofing-spoof-intelligence.md), an allow entry for the spoofed sender is added to the **Spoofed senders** tab in the Tenant Allow/Block List.

+ - If the sender wasn't detected and blocked by spoof intelligence, submitting the message to Microsoft doesn't create an allow entry for the sender in the Tenant Allow/Block List.

+- From the **Spoof intelligence insight** page at <https://security.microsoft.com/spoofintelligence> *if* the sender was detected and blocked by spoof intelligence. For instructions, see [Override the spoof intelligence verdict](anti-spoofing-spoof-intelligence.md#override-the-spoof-intelligence-verdict).

+ - When you override the verdict in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), the spoofed sender becomes a manual entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page.

+### Create block entries for spoofed senders

+To create block entries for *spoofed senders*, use any of the following methods:

+- From the **Emails** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=email>. For instructions, see [Report questionable email to Microsoft](submissions-admin.md#report-questionable-email-to-microsoft).

+- From the **Spoof intelligence insight** page at <https://security.microsoft.com/spoofintelligence> *if* the sender was detected and allowed by spoof intelligence. For instructions, see [Override the spoof intelligence verdict](anti-spoofing-spoof-intelligence.md#override-the-spoof-intelligence-verdict).

+ - When you override the verdict in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), the spoofed sender becomes a manual entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page.

+- From the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page or in PowerShell as described in this section.

+> Only the combination of the spoofed user *and* the sending infrastructure defined in the [domain pair](#domain-pair-syntax-for-spoofed-sender-entries) is blocked from spoofing.

+>

+> Email from these senders is marked as *phishing*. What happens to the messages is determined by the [anti-spam policy](anti-spam-policies-configure.md) that detected the message for the recipient. For more information, see the **Phishing** detection action in [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).

+#### Use the Microsoft 365 Defender portal to create block entries for spoofed senders in the Tenant Allow/Block List

+The steps are nearly identical to [creating allow entries for spoofed senders](#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-spoofed-senders-in-the-tenant-allowblock-list) as previously described in this article.

+The only difference is: for the **Action** value in Step 4, select **Block** instead of **Allow**.

+##### Use PowerShell to create block entries for spoofed senders in the Tenant Allow/Block List

+|**Anti-phishing**|Yes|Configure the default anti-phishing policy as described here: [Configure anti-phishing protection settings in EOP and Defender for Office 365](protect-against-threats.md#part-2anti-phishing-protection-in-eop-and-defender-for-office-365). <p> More information: <ul><li>[Anti-phishing policies in Microsoft 365](anti-phishing-policies-about.md)</li><li>[Recommended anti-phishing policy settings in Microsoft Defender for Office 365](recommended-settings-for-eop-and-office365.md#anti-phishing-policy-settings-in-microsoft-defender-for-office-365)</li><li> [Impersonation insight](anti-phishing-mdo-impersonation-insight.md)</li><li>[Spoof intelligence insight in EOP](anti-spoofing-spoof-intelligence.md)</li><li>[Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list).</li></ul>|

+|EnableSafeLinksForOffice|True|

+|EnableSafeLinksForTeams|True|

+> If you want to make your model discoverable and available for other users, you need to [create an enterprise model](create-syntex-model.md). An enterprise model is a model that is created and trained in the [content center](create-a-content-center.md). Currently, information about [model usage analytics](model-usage-analytics.md) is only available for enterprise models.

+At some point, you might want to delete a Syntex model if it's no longer being used, if it contains inaccurate or outdated information, or if it's taking up too much storage space.

+> [!NOTE]

+> Deleting a model doesn't delete the associated content type.

+## Delete a model from the model home page

+This is the easiest method to use to delete a model. It deletes the model and automatically removes it from all of the document libraries where it has been applied.

+1. On the home page of the model, select **Model settings**.

+ 

+2. On the **Model settings** panel, at the bottom of the panel, select **Delete model**.

+ 

+3. To confirm you want to delete the model, on the **Delete** screen, select **Delete**.

+ 

+ > [!NOTE]

+ > For freeform and structured models, this action doesn't delete the model in AI Builder. It only deletes it from the SharePoint document library in Syntex.

+## Delete a model from the Models library

+You can also delete a model from the **Models** library. However, before you delete the model, you must first remove the model from all of the document libraries where it has been applied.

+1. Remove the model either from the model home page or from the document library by selecting **Automate** > **View applied models** > **Remove from library**.

+ > [!NOTE]

+ > If you try to delete a model that has been applied to one or more libraries, you will receive an error message indicating that you must first remove it from all libraries to which it's been applied.

+

+2. From the **Models** library, select the model you want to delete.

+3. By using either the ribbon or the **Show actions** button (next to the model name), select **Delete**.

+4. To confirm you want to delete the model, on the **Delete** screen, select **Delete**.

+|  | **Supported languages** <br>This model supports any language that uses the Latin character set (for example, English, French, German, Italian, and Spanish). |

+|  | **Supported languages** <br>This model supports only English language contracts. |

+|  | **Supported languages** <br>This model supports invoices in English, Spanish, German, French, Italian, Portuguese, and Dutch. |

+|  | **Supported languages** <br>This model supports sales in English, Croation, Czech, Danish, Dutch, Finnish, German, Hungarian, Italian, Japanese, Latvian, Lithuanian, Norwegian, Portuguese, Spanish, Swedish, and Vietnamese. |

+ - Content assembly

+ - SharePoint lists

+ 

+An improved process is required to do more with less. A Power Platform solution is created to extract attachments from incoming emails to save them to SharePoint.

+Syntex models are then created to identify and extract information from CLIs and W-9 forms, such as name, type of coverage, amount of coverage, date. Extracted information can be used to populate other applications used during construction proposals.

+Your organization drafts and stores policies and procedures in a few large documents in SharePoint or several smaller documents, all in a document library that typically has a well-defined folder structure.

+Experienced users might know where the policy or procedure is they need to reference to do their job effectively. However, new users or users who donΓÇÖt regularly focus on a specific policy might not know where to look.

+By using Syntex and the SharePoint term store, as policies are added to the library and processed Syntex can assign the correct term. Users are then able to filter or search using these terms, or their synonyms.

+The terms can also be used to generate topics in Viva Topics. The Viva Topics curation AI will then generate topics for these terms and associate files tagged with the term.

+Instead of navigating a folder structure, users can then search for synonyms or alternate names as defined in the topic and see the appropriate policy or procedure.