DEMO: Configure Anti-Spam
Start course

This course shows how to set up Micorosft Defender for Microsoft 365 through a series of practical demonstrations from the Microsoft 365 platform. You will learn about some general cybersecurity practices before being shown how Microsoft Defender can help you implement them.

Learning Objectives

  • Understand how to protect against phishing, malware, and spam using Microsoft Defender
  • Learn about safe links and safe attachments and configure them
  • Learn how to enable zero-day malware protection

Intended Audience

This course is intended for those who wish to learn how to configure protection in Microsoft Defender for Office 365.


To get the most out of this course, you should have a basic understanding of Microsoft 365.


Hello, and welcome back in this lesson here. I'm going to walk you through the process of creating an anti-spam policy in the security and compliance center for Microsoft 365. To create an anti-spam policy. What we'll do here is browse down to threat management and then under threat management, we have the policy section here. And then from the threat policies page we could do anti-phishing, the safe attachments and links. Some of the other stuff we've already configured the anti-malware as well.

So what we'll do here is select anti-spam and we can see we already have a default policy here. We have the default spam filter policy, which is always on a default connection filter policy, an outbound policy and a spoof intelligence policy. All of these policies are turned on by default. Now what we could do here instead of creating a new policy is edit the default policies here. For example, if we click edit here for the default spam filter policy, what we can do is select the dropdown and change our settings for spam, for high confidence spam, phishing, all these different options here. But what we're gonna do do is create a new policy because I just wanna show you how to work through the process of creating a policy.

So we'll minimize this back up again. And what we'll do is we'll click the create a policy button here. Now what we'll do here is we'll call this new policy my spam filter policy. Well, as was the case with the other policies the description is optional here. I'm not gonna bother with the description here but since we're creating a policy we'll probably wanna make some changes in the spam and bulk actions, allow lists and all of these different options within the spam filter policy. So if we select the dropdown here for spam and bulk actions we can see the different actions that can be taken for incoming spam and bulk email.

Now for the spam option here, what we can do here is allow it to move the message to the junk folder. We can add an ex header. We can pre pend the subject line with text. We can redirect it. We can quarantine it. We can even delete the message but for this exercise here what we'll do is we'll select the pre pend option. And what this is gonna do is allow us to add some text to the subject line. So essentially what it allows us to do is tag a particular message with our own text to let the user know that we think it might be spam.

So if we scroll down the bottom here we can see that the pre pend subject line with this text actually becomes available to us. And what we need to do is provide a value here that will be added to the subject line of the email that is identified as spam. So what we'll do is we'll call this. We just call it spam. So now what this will do is pre pend the subject line of any email that comes in, that it thinks is spam. And it'll pre pend it with this spam text.

Now this threshold option here, this default seven what this threshold value does is allow you to set a threshold between one and nine. If you set it to one this will cause the policy to mark a bulk email as spam more frequently than it would if you set it to nine. So essentially one is really gonna be aggressive and nine is going to be least aggressive in identifying spam email, seven is the default so for this exercise, we'll accept that. And then of course we have a quarantine here where we can retain spam for how many number of days we want in this case we'll do 30 days.

Now, what we'll do, here's leave the safety tips on and what this zero hour auto purge does is it protects users automatically. And it does this by taking this policies action on spam or phishing, if it's detective after delivery. So it automatically protects your users will leave these options on. And then we have allow lists and block lists, allow lists are basically white lists that will tell the policy always deliver mail from these specific senders which are specific email addresses or specific domains. And then block list is the opposite of that. The international spam option allows us to filter emails written in specific languages or to filter messages sent from specific countries or regions. And down here with spam properties what we can do is specify whether or not we want to increase the spam score for messages that includes certain types of links or URLs in them.

So we select the dropdown here. We can tell it, hey if an email has image links to remote sites increase the score, or if there's a redirect in it increase the score. And then we can also specify these increases based by IP in the URL or whether or not there's a biz or info website which are typically associated with spam. The mark as spam dropped down here allows us to define whether or not we wanna mark messages that include all of these different properties as spam.

For example, if a message comes in that's empty do we wanna automatically mark that as spam? All these options are defaulted to off, but you can change these as you see fit in your organization. The same thing goes with SPF records, sender ID filtering and your backscatters. Basically what this means is if your email system in this case, Office 365 or Exchange Online, really detects an SPF record hard fail. If we turn this on, it'll mark that email as spam. So basically if it's looking at an email and it can't identify that it's coming from its actual domain it's gonna fail that SPF record and it's gonna send it to spam.

Now, if we scroll down further, we can see the apply to still needs to be selected. So we'll select the dropdown and then we'll add a condition here. And in the condition box here, we can specify recipient domain, a specific recipient, or if the recipient is a member of a group, we'll do recipient domain. We'll specify the recipient domain of We're not gonna do any exceptions here. And then what we'll do here, is we'll save the policy. And so now you have the new policy called my spam filter policy with a priority of zero. And with a priority of zero what'll happen is this policy will be evaluated. And then anything that doesn't fall within this policy will be evaluated by the default policies. There basically catch all policies. And so there you have it. We now have a new anti-spam policy called my spam filter policy. It's enabled and it's listed as a custom anti-spam policy.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.