MS-102 | Chapter 62 of 104 | Objective 3.2

Anti-Spam and Anti-Malware Policies

This chapter covers anti-spam and anti-malware policies in Microsoft 365, which are foundational components of Exchange Online Protection (EOP) and Microsoft Defender for Office 365. These policies are critical for securing mail flow and are heavily tested on the MS-102 exam, typically appearing in 15-20% of questions in the 'Security Threats' domain (Objective 3.2). You will learn the precise mechanisms, default values, configuration options, and common exam traps for both anti-spam and anti-malware policies.

25 min read
Intermediate
Updated May 31, 2026

Antispam as a Postal Inspection Service

Imagine a national postal inspection service that receives all incoming mail for a country. Before delivery, every envelope is scanned and opened according to strict protocols. First, the service checks if the sender is on a government blacklist—letters from known fraudsters are immediately shredded. Next, automated machines scan for suspicious patterns: bulk mailings with identical handwriting, return addresses that don't match the postmark, or envelopes containing powders or liquids. Letters that fail these checks are quarantined in a secure facility. Human inspectors then review the most suspicious items. If a letter is definitively malicious, it is destroyed and the sender's address is added to the blacklist. If it's merely suspicious, it may be held for the recipient to decide. The recipient can also request that all mail from a certain sender be blocked. This service operates 24/7, processing millions of letters per day, and publishes a daily list of blocked senders so that other postal services can update their own blacklists. Just like this inspection service, Exchange Online Protection (EOP) scans every inbound email, applies multiple layers of filtering, and provides administrators with quarantine and blocklist controls.

How It Actually Works

Overview of Anti-Spam and Anti-Malware Policies

Anti-spam and anti-malware policies are part of Exchange Online Protection (EOP), the cloud-based email filtering service that protects Microsoft 365 mailboxes. EOP provides layered protection against spam, malware, phishing, and spoofing. Anti-spam policies decide what happens to messages that receive a spam, high confidence spam, phishing, high confidence phishing, or bulk verdict, while anti-malware policies handle messages that carry malicious attachments. URL protection and impersonation detection live elsewhere: in anti-phishing policies and, with Defender for Office 365, Safe Links. Every policy is a policy/rule pair: the policy holds the settings, the rule scopes it to users, groups, or domains, and the built-in default policy catches every recipient that no custom rule matches.

How Anti-Spam Filtering Works

EOP applies its filters in sequence, and a message rejected at an early stage never reaches the later ones. The key filters are:

Connection filtering: Checks the sending IP address against the IP Allow List, the IP Block List, and Microsoft's safe list (a dynamic list of trusted senders that Microsoft maintains). Blocked IPs are rejected at the connection; allowed IPs skip spam filtering, but not malware filtering.

Sender filtering: Checks the sender address and domain against the allowed and blocked senders and domains in the anti-spam policy and against each recipient's Safe Senders and Blocked Senders lists.

Recipient filtering: Rejects mail addressed to recipients that do not exist in the directory (Directory-Based Edge Blocking) and enforces delivery restrictions such as distribution groups that do not accept external mail.

Content filtering: Analyzes the message body, subject, and attachments for spam characteristics using machine learning and heuristic rules.

Advanced Spam Filter (ASF): Optional settings that raise the spam score or mark a message as spam on specific patterns (image links to remote sites, numeric IP addresses in URLs, empty messages, SPF hard fail, and so on). They are off by default because they produce false positives; test them on a scoped policy first.

Bulk email filtering: Identifies bulk mail (newsletters, marketing) using the Bulk Complaint Level (BCL), a 0-9 score derived from the sender's complaint history. Mail at or above the policy's BCL threshold gets the bulk action.

Phishing filtering: Produces the phishing and high confidence phishing verdicts from heuristics and machine learning. Spoof intelligence (EOP) and impersonation protection (Defender for Office 365) are configured in anti-phishing policies, not anti-spam policies, but their verdicts flow into the same quarantine and the same header categories.

The output of the spam filtering stack is a single Spam Confidence Level (SCL) per message, stamped into the X-Forefront-Antispam-Report header. Only a few values are used (-1, 0, 1, 5, 6, 7, 8, 9), and the bands are fixed by the service: an anti-spam policy cannot change them, only the action taken for each verdict. A mail flow rule can set the SCL directly to force a verdict. The bands and the actions in the default anti-spam policy are:

SCL -1: Filtering skipped (allowed sender or domain, IP Allow List, or a mail flow rule that sets SCL -1); delivered to the Inbox.

SCL 0-1: Not spam; delivered to the Inbox.

SCL 5-6: Spam (default action: move to Junk Email folder).

SCL 7-9: High confidence spam. The default policy also moves it to Junk Email; the Standard and Strict preset policies quarantine it, which is what Microsoft recommends.

Phishing and high confidence phishing are separate verdicts (CAT:PHSH and CAT:HPHSH in the header), not SCL values. High confidence phishing is always quarantined. The phishing action depends on how the policy was created (Quarantine for policies created in the portal, Junk Email for the default policy and for policies created in PowerShell), so read it from the policy with Get-HostedContentFilterPolicy rather than assume it.
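The SCL, BCL, category and skip reason are stamped into every message's headers, which is the ground truth when a user asks why something landed where it did. The following PowerShell is an added example (not from this page or from Microsoft) that parses those headers. The two header blocks are constructed for the example; the "KEY:value;" layout and the CAT and SFV codes follow Microsoft's header documentation, so extend the tables if Microsoft adds codes.

```powershell
# Added example (not from this page or Microsoft): read the EOP verdict straight
# from the message headers instead of inferring it from where the mail landed.
# The two header blocks are constructed for this example; the field layout
# ("KEY:value;KEY:value;") and the CAT/SFV codes follow Microsoft's documentation.

$SpamSample = @'
Received: from mail.example.net (203.0.113.10) by mail.contoso.example with ESMTPS
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:6;SRV:;IPV:NLI;
 SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:SPM;SFS:(13230031)(376005);DIR:INB;
X-Microsoft-Antispam: BCL:0;
Subject: Your account needs verification
'@

$BypassedSample = @'
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;
 SFV:SKN;H:relay.example.org;PTR:relay.example.org;CAT:NONE;DIR:INB;
X-Microsoft-Antispam: BCL:0;
Subject: Invoice attached
'@

function Get-HeaderValue {
    param([string]$Headers, [string]$Name)
    # Unfold RFC 5322 continuation lines (line break followed by whitespace), then match the field.
    $unfolded = $Headers -replace "`r?`n[ \t]+", ''
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match ('^' + [regex]::Escape($Name) + ':\s*(.*)$')) { return $Matches[1] }
    }
    return $null
}

function ConvertFrom-AntispamHeader {
    param([string]$Value)
    # Both headers are "KEY:value;" lists and values never contain semicolons.
    $fields = @{}
    foreach ($part in ($Value -split ';')) {
        if ($part -match '^\s*([A-Z]+):(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    return $fields
}

$CategoryNames = @{
    NONE = 'clean'; SPM = 'spam'; HSPM = 'high confidence spam'; PHSH = 'phishing'
    HPHSH = 'high confidence phishing'; BULK = 'bulk'; MALW = 'malware'; SPOOF = 'spoof'
    DIMP = 'domain impersonation'; UIMP = 'user impersonation'; GIMP = 'mailbox intelligence impersonation'
}
# SFV codes that mean spam filtering did NOT run normally; these answer "how did this get through".
$SkipReasons = @{
    SKN = 'mail flow rule set SCL -1 (spam filtering bypassed)'
    SKA = 'allowed sender or domain in the anti-spam policy'
    SFE = 'recipient Safe Senders list'
    SKI = 'intra-organizational message'
    SKQ = 'released from quarantine'
}

function Get-EopVerdict {
    param([string]$Headers)
    $report = ConvertFrom-AntispamHeader (Get-HeaderValue $Headers 'X-Forefront-Antispam-Report')
    $ms     = ConvertFrom-AntispamHeader (Get-HeaderValue $Headers 'X-Microsoft-Antispam')
    $scl = if ($report.ContainsKey('SCL')) { [int]$report['SCL'] } else { $null }
    # The bands are fixed by the service; only the action per band is configurable.
    $band = if ($null -eq $scl)  { 'no SCL header (not filtered by EOP?)' }
            elseif ($scl -eq -1) { 'filtering skipped' }
            elseif ($scl -le 1)  { 'not spam' }
            elseif ($scl -le 6)  { 'spam (SCL 5-6)' }
            else                 { 'high confidence spam (SCL 7-9)' }
    $cat = $report['CAT']; $sfv = $report['SFV']
    [pscustomobject]@{
        SourceIp      = $report['CIP']
        Scl           = $scl
        SclBand       = $band
        Bcl           = if ($ms.ContainsKey('BCL')) { [int]$ms['BCL'] } else { $null }
        Category      = $cat
        CategoryName  = if ($cat) { $CategoryNames[$cat] } else { $null }
        SpamVerdict   = $sfv
        FilterSkipped = if ($sfv) { $SkipReasons[$sfv] } else { $null }   # $null when filtering ran
        Direction     = $report['DIR']
    }
}

foreach ($sample in $SpamSample, $BypassedSample) { Get-EopVerdict $sample | Format-List }
```

The second sample is the pattern to hunt for when a phish reached the Inbox: SCL -1 with SFV:SKN and CAT:NONE means a mail flow rule bypassed filtering, so the fix is in Mail flow > Rules, not in the anti-spam policy. Paste the headers of a real message (Outlook: File > Properties > Internet headers) into the same function.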

Anti-Malware Filtering Mechanism

Anti-malware policies scan inbound, outbound, and intra-organization messages for malicious attachments. EOP runs several anti-malware engines (Microsoft's own and partner engines) with signature, heuristic, and reputation checks, and the malware verdict takes precedence over every spam verdict, so a message that is both malware and spam is handled as malware. The process is:

1. Attachment scanning: Each attachment is scanned; archives are expanded and their contents scanned. An archive that cannot be opened (for example, a password-protected one) cannot be scanned for malware, which is why blocking risky file types with the common attachments filter matters. With Defender for Office 365, Safe Attachments additionally detonates unknown files in a sandbox.

2. URL checks: URLs are not part of the anti-malware policy. Malicious URL reputation is evaluated by the spam and phishing filters, and Safe Links (Defender for Office 365) checks URLs at time of click.

3. Zero-hour auto purge (ZAP): If a message is later found to contain malware (for example, after a new signature arrives), ZAP for malware quarantines it from Exchange Online mailboxes after delivery, provided the message is still in the mailbox and ZAP is enabled in the policy.

Action for malware: the whole message is quarantined. The quarantine policy attached to the anti-malware policy (AdminOnlyAccessPolicy by default) controls whether recipients are notified and whether they can request release; by default recipients see nothing and only admins can release.

Policy Components and Default Values

Anti-spam policies consist of:

Verdict actions: One action each for spam (SCL 5-6), high confidence spam (SCL 7-9), phishing, high confidence phishing, and bulk. The SCL bands themselves are fixed by the service and cannot be changed in the policy.

Actions: Move message to Junk Email folder, Quarantine message, Add X-header, Prepend subject line with text, Redirect message to email address, Delete message. High confidence phishing can only be quarantined.

Bulk email: BCL threshold (default 7; the Standard preset uses 6, Strict 5). Messages with a BCL at or above the threshold get the bulk action.

International spam: Options to block email in selected languages or from selected countries and regions.

Allowed senders and domains: Bypass spam filtering (SCL -1) for those senders. This does not bypass malware or high confidence phishing. Allowed domains in the policy are trivially spoofable, so prefer allow entries created through submissions to the Tenant Allow/Block List for anything beyond a short-lived exception.

Blocked senders and domains: Always marked as high confidence spam.

Zero-hour auto purge: ZAP for spam and ZAP for phishing, both on by default.

Quarantine policies: One per verdict, controlling what users may see, release, or be notified about.

Anti-malware policies consist of:

Malware detection response: Quarantine the message. (Older policies offered delete and replace-attachment actions; current policies only quarantine, and the quarantine policy decides recipient access.)

Notifications: Admin notifications for undelivered messages from internal senders and from external senders, both off by default, with customizable notification text.

Common attachments filter: Blocks attachments by file type (for example exe, scr, bat), identified by true-type detection of the content as well as by extension, so renaming malware.exe to malware.txt does not get past it. It is independent of the malware engines and has its own action, Reject (NDR) or Quarantine. Its default has changed over time (it used to be off in the default policy), so verify it with Get-MalwareFilterPolicy rather than assume.

ZAP for malware: Enabled by default.

Configuration Methods

You can configure anti-spam and anti-malware policies using:

Microsoft Defender portal (security.microsoft.com): Email & collaboration > Policies & rules > Threat policies > Anti-spam or Anti-malware

Exchange admin center (EAC): Only mail flow rules (Mail flow > Rules) are managed here. The classic EAC's Protection > Spam filter / Malware filter pages no longer exist; anti-spam and anti-malware policies live in the Defender portal.

PowerShell: Exchange Online PowerShell cmdlets (Connect-ExchangeOnline from the ExchangeOnlineManagement module)

Key PowerShell cmdlets:

Get-HostedContentFilterPolicy – View anti-spam policy settings

Set-HostedContentFilterPolicy – Modify anti-spam policy

New-HostedContentFilterPolicy – Create custom anti-spam policy

Get-HostedContentFilterRule – View policy rules (scoping)

Get-MalwareFilterPolicy – View anti-malware policy settings

Set-MalwareFilterPolicy – Modify anti-malware policy

New-MalwareFilterPolicy – Create custom anti-malware policy

Example: Quarantine messages that receive the spam verdict (SCL 5-6) in the default policy. Note that the cmdlet changes the action for the verdict; the SCL band itself is not configurable:

Set-HostedContentFilterPolicy -Identity Default -SpamAction Quarantine
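The same cmdlets can audit a tenant instead of changing it, which is the check to run before an exam-style "what is the effective setting" question meets a real environment. The script below is an added example (not the page's or Microsoft's code). Its baseline values are this example's choice and track the Standard preset cited in this chapter; it assumes Connect-ExchangeOnline has already run with a role that can read threat policies.

```powershell
# Added example (not from this page or Microsoft): audit every anti-spam and
# anti-malware policy in the tenant against a baseline and print the deviations.
# The baseline values are this example's choice and track the Standard preset cited
# in this chapter; adjust them to your own standard. Assumes Connect-ExchangeOnline
# has already run with a role that can read threat policies (read-only is enough).

$SpamBaseline = @{
    SpamAction                = 'MoveToJmf'    # Junk Email is acceptable for plain spam
    HighConfidenceSpamAction  = 'Quarantine'
    PhishSpamAction           = 'Quarantine'
    HighConfidencePhishAction = 'Quarantine'
    SpamZapEnabled            = $true
    PhishZapEnabled           = $true
}
$MalwareBaseline = @{
    EnableFileFilter = $true
    ZapEnabled       = $true
    QuarantineTag    = 'AdminOnlyAccessPolicy'  # users must not release malware themselves
}

function New-Finding ($Kind, $Policy, $Setting, $Actual, $Expected) {
    [pscustomobject]@{ Kind = $Kind; Policy = $Policy; Setting = $Setting
                       Actual = "$Actual"; Expected = "$Expected" }
}

function Compare-ToBaseline ($Policy, [hashtable]$Baseline, [string]$Kind) {
    # String comparison so enum, bool and string settings are handled the same way.
    foreach ($setting in $Baseline.Keys) {
        if ("$($Policy.$setting)" -ne "$($Baseline[$setting])") {
            New-Finding $Kind $Policy.Name $setting $Policy.$setting $Baseline[$setting]
        }
    }
}

$findings = @(foreach ($p in Get-HostedContentFilterPolicy) {
    Compare-ToBaseline $p $SpamBaseline 'Anti-spam'
    if ($p.BulkThreshold -gt 6) { New-Finding 'Anti-spam' $p.Name 'BulkThreshold' $p.BulkThreshold '<= 6' }
    if ("$($p.IntraOrgFilterState)" -eq 'Disabled') {
        New-Finding 'Anti-spam' $p.Name 'IntraOrgFilterState' $p.IntraOrgFilterState 'not Disabled'
    }
    $allowed = @($p.AllowedSenderDomains) | Where-Object { $_ } | ForEach-Object { "$_" }
    $blocked = @($p.BlockedSenderDomains) | Where-Object { $_ } | ForEach-Object { "$_" }
    # The same domain in both lists is the misconfiguration this chapter calls out.
    foreach ($d in @($allowed | Where-Object { $_ -in $blocked })) {
        New-Finding 'Anti-spam' $p.Name 'Allowed+Blocked domain' $d 'one list only'
    }
    # Policy-level allowed domains skip filtering for anything claiming that domain, spoofs included.
    if (@($allowed).Count -gt 0) {
        New-Finding 'Anti-spam' $p.Name 'AllowedSenderDomains' ($allowed -join ',') 'prefer Tenant Allow/Block List entries'
    }
})
$findings += @(foreach ($m in Get-MalwareFilterPolicy) {
    Compare-ToBaseline $m $MalwareBaseline 'Anti-malware'
    if ($m.EnableFileFilter -and @($m.FileTypes).Count -eq 0) {
        New-Finding 'Anti-malware' $m.Name 'FileTypes' '(empty)' 'at least the executable types'
    }
})
# A custom policy only applies through an enabled rule; a disabled rule silently falls back to the default policy.
$findings += @(foreach ($r in @(Get-HostedContentFilterRule) + @(Get-MalwareFilterRule)) {
    if ("$($r.State)" -ne 'Enabled') { New-Finding 'Rule' $r.Name 'State' $r.State 'Enabled' }
})

$findings | Sort-Object Kind, Policy, Setting | Format-Table -AutoSize
```

An empty result means every policy matches the baseline. Run it from a scheduled, read-only context and diff the output over time; a new finding usually means someone clicked through a portal wizard without reading it.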

Interaction with Related Technologies

Anti-spam and anti-malware policies work alongside:

Transport rules (mail flow rules): Can override spam filtering by setting the SCL (SCL -1 bypasses it, SCL 5-9 forces a spam verdict). They cannot override malware filtering.

Safe Attachments: With Defender for Office 365, detonates attachments in a sandbox before delivery; Dynamic Delivery can deliver the message body while the attachment is still being analyzed.

Safe Links: Rewrites and checks URLs at time of click (Defender for Office 365).

Spoof intelligence: Automatically allows or blocks spoofed senders based on authentication results (SPF, DKIM, DMARC); managed in the anti-phishing policy and the Tenant Allow/Block List's spoofed senders tab.

Tenant Allow/Block List: Admins can create block entries for senders, domains, URLs, and file hashes, and allow entries (for senders and domains, through submissions) that override filtering decisions. Block entries win over allow entries, and an allow entry never overrides a malware or high confidence phishing verdict.
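The Tenant Allow/Block List and mail flow rule interplay above, as an added PowerShell example (not from this page or from Microsoft). The phishing domain, the vendor domain and IP range, and the ticket reference are placeholders; it assumes Connect-ExchangeOnline has already run with a role that may write Tenant Allow/Block List entries and mail flow rules.

```powershell
# Added example (not from this page or Microsoft): a tenant-wide, time-boxed block
# for a phishing domain, a spam-filter bypass for one sending service that is keyed
# on the sender IP range as well as the domain, and an audit of all existing bypasses.
# Domain names, the IP range and the ticket reference are placeholders.

# 1. Block the sender domain and the specific address seen in the campaign. Set the
#    expiry explicitly (or pass -NoExpiration) so it is a decision, not an accident;
#    the note tells the next admin why the entry exists.
New-TenantAllowBlockListItems -ListType Sender -Block `
    -Entries 'phisher.example', 'invoices@phisher.example' `
    -ExpirationDate (Get-Date).AddDays(30) `
    -Notes 'INC-0000 (placeholder): credential phishing campaign, added by secops'

# Confirm the entries and their expiry. Block entries win over any allow entry.
Get-TenantAllowBlockListItems -ListType Sender -Block |
    Select-Object Value, Action, ExpirationDate, Notes

# 2. Bypass spam filtering for a known sending service. Require BOTH the sender domain
#    and the vendor's published IP range: a rule on domain alone lets anyone who spoofs
#    the domain skip filtering. SetSCL never bypasses malware filtering.
New-TransportRule -Name 'Bypass spam filtering - ticketing service' `
    -SenderDomainIs 'tickets.example' `
    -SenderIpRanges '203.0.113.0/24' `
    -SetSCL -1 `
    -Mode Enforce `
    -Comments 'Vendor IP range per their documentation; review quarterly'

# 3. Audit every existing bypass: a SetSCL -1 rule with no IP condition is a spoofing hole.
Get-TransportRule | Where-Object { "$($_.SetSCL)" -eq '-1' } |
    Select-Object Name, State, SenderDomainIs, SenderIpRanges,
        @{ n = 'Risk'; e = { if (-not $_.SenderIpRanges) { 'domain-only bypass' } else { 'ok' } } }
```

Allow entries for senders are deliberately absent from step 1: they can only be created through a submission (report as not junk and choose to allow), which keeps them tied to a specific message and gives them an expiry.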

Verification and Monitoring

To verify policy effectiveness:

Threat Explorer (Defender for Office 365 Plan 2; Plan 1 gets Real-time detections, EOP alone gets neither): View malware, phishing, and spam detections with the detection technology and delivery action for each message

Email & collaboration reports: Spam detection report, malware detection report

Message trace: Trace individual messages to see filtering verdict

Quarantine: Review quarantined messages (admin or user quarantine)

Use PowerShell to pull filtering statistics (the older Get-MailTrafficReport is being superseded by Get-MailTrafficSummaryReport and Get-MailTrafficATPReport; check Get-Command in your module version):

Get-MailTrafficReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)

Walk-Through

1. Configure Anti-Spam Policy

In the Microsoft Defender portal, navigate to Email & collaboration > Policies & rules > Threat policies > Anti-spam. Edit the default policy or create a new custom policy. You cannot change the SCL bands; you choose an action per verdict. For Spam (SCL 5-6) choose 'Move message to Junk Email folder' or 'Quarantine message'. For High confidence spam (SCL 7-9), Phishing, and High confidence phishing, quarantine is recommended. Set the Bulk email threshold (default 7; 6 is the Standard recommendation) and the bulk action. Leave ZAP for spam and phishing enabled. Optionally enable Advanced Spam Filter (ASF) options such as 'Numeric IP address in URL', testing them on a small scope first because they raise false positives. Pick a quarantine policy per verdict so users can release spam but not high confidence phishing. Save the policy and scope it to users, groups, or domains via its rule.

2. Configure Anti-Malware Policy

In the Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Anti-malware. Edit the default policy or create a new one. The only detection response is to quarantine the message; choose the quarantine policy (AdminOnlyAccessPolicy keeps malware out of users' hands). Enable the common attachments filter and select the file types to block (exe, scr, vbs, js, and so on); it uses true-type detection, so a renamed extension does not evade it. Choose whether blocked types are rejected with an NDR or quarantined. Turn on admin notifications for undelivered messages if your SOC wants them. Ensure ZAP for malware is enabled. Assign the policy to users, groups, or domains via its rule.

3. Create a Custom Anti-Spam Policy via PowerShell

Use Exchange Online PowerShell. Connect with `Connect-ExchangeOnline`. Create a new policy: `New-HostedContentFilterPolicy -Name CustomSpamPolicy -SpamAction Quarantine -HighConfidenceSpamAction Quarantine -PhishSpamAction Quarantine -BulkThreshold 6`. Then create a rule to apply the policy: `New-HostedContentFilterRule -Name CustomSpamRule -HostedContentFilterPolicy CustomSpamPolicy -Rec
ipientDomainIs contoso.com`. Verify with `Get-HostedContentFilterPolicy -Identity CustomSpamPolicy | Format-List`.

4. Test Anti-Spam Policy with Message Trace

After configuring policies, send a test email from an external account; for the malware path use the EICAR test file rather than a real sample. Open message trace (Exchange admin center > Mail flow > Message trace; the Defender portal's Email & collaboration menu links to the same page). Run a trace for the recipient's address and examine the 'Status' and 'Detailed status' columns, looking for 'Filtered as spam', 'Quarantined', or 'Filtered as malware'. In the extended (CSV) report the 'Custom data' column shows the SCL and BCL; on a delivered copy the X-Forefront-Antispam-Report header shows the same values plus the verdict category. If the message was not filtered as expected, check the policy scoping (which rule matched) and whether the sender's IP or domain is on an allow list or hit by a mail flow rule that sets SCL -1.

5. Review and Manage Quarantine

In the Defender portal, go to Email & collaboration > Review > Quarantine. Filter by quarantine reason (Spam, Malware, Phishing, High confidence phishing, Bulk, and so on). Review messages and take action: Release (deliver to the recipients), optionally submitting the message to Microsoft as a false positive, or Delete. Which messages users can see and release themselves is governed by the quarantine policy assigned to each verdict; with the defaults, users handle spam and bulk while malware and high confidence phishing are admin-only. Quarantine notifications (the successor to end-user spam notifications) send users a periodic digest with release links. Use `Get-QuarantineMessage` and `Release-QuarantineMessage` in PowerShell to manage quarantine programmatically.
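Walk-through steps 2, 4, and 5 as one repeatable Exchange Online PowerShell script, added here as an example (not code from the page or from Microsoft). The policy name, the mail-enabled security group, the mailbox addresses, and the file type list are placeholders. It assumes Connect-ExchangeOnline has already run and uses Get-MessageTraceV2, the replacement for Get-MessageTrace in current module versions; substitute the older cmdlet if yours lacks it.

```powershell
# Added example (not from this page or Microsoft): walk-through steps 2, 4 and 5 as
# one repeatable Exchange Online PowerShell script. Policy name, group, mailbox
# addresses and the file type list are placeholders; assumes Connect-ExchangeOnline
# has already run. Get-MessageTraceV2 replaces Get-MessageTrace in current module
# versions; substitute the older cmdlet if yours lacks it.

$PolicyName = 'Malware-Hardened-Finance'
$Scope      = 'finance-users@contoso.example'    # mail-enabled security group (placeholder)
$TestUser   = 'alice@contoso.example'            # member of $Scope who receives the EICAR test mail

# Step 2: anti-malware policy. Quarantine is the only malware response; the common
# attachments filter blocks risky types by true-type detection, and the admin-only
# quarantine policy keeps users from releasing malware themselves.
$BlockedTypes = 'exe', 'scr', 'vbs', 'js', 'jse', 'bat', 'cmd', 'ps1', 'hta', 'iso', 'msi'
New-MalwareFilterPolicy -Name $PolicyName `
    -EnableFileFilter $true -FileTypes $BlockedTypes -FileTypeAction Quarantine `
    -ZapEnabled $true `
    -QuarantineTag 'AdminOnlyAccessPolicy' `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress 'secops@contoso.example'

# The rule is what scopes the policy; priority 0 puts it ahead of any other custom policy.
New-MalwareFilterRule -Name "$PolicyName-rule" -MalwareFilterPolicy $PolicyName `
    -SentToMemberOf $Scope -Priority 0

# Read the settings back rather than trusting the cmdlet's silence.
Get-MalwareFilterPolicy -Identity $PolicyName |
    Format-List Name, EnableFileFilter, FileTypes, FileTypeAction, ZapEnabled, QuarantineTag

# Step 4: after sending the EICAR test file to $TestUser from outside, trace the last 24 hours.
# Status values of interest: Quarantined (malware and high confidence verdicts) and FilteredAsSpam.
$since = (Get-Date).AddDays(-1)
Get-MessageTraceV2 -RecipientAddress $TestUser -StartDate $since -EndDate (Get-Date) |
    Where-Object { $_.Status -in 'Quarantined', 'FilteredAsSpam' } |
    Select-Object Received, SenderAddress, Subject, Status, FromIP

# Step 5: list what sits in malware quarantine for that recipient. Release only after a
# human has looked at it; ReleaseToAll delivers it to every original recipient.
$quarantined = Get-QuarantineMessage -QuarantineTypes Malware -RecipientAddress $TestUser -StartReceivedDate $since
$quarantined | Select-Object ReceivedTime, SenderAddress, Subject, Type, PolicyName, Released
# Release-QuarantineMessage -Identity $quarantined[0].Identity -ReleaseToAll   # deliberate, manual step
```

Keep the release line commented out in anything that runs unattended: the whole point of AdminOnlyAccessPolicy is that delivering quarantined malware is a human decision with a name attached to it.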

What This Looks Like on the Job

In a large enterprise with 10,000 mailboxes, the default anti-spam policy often produces complaints in both directions. A common change is a custom policy that quarantines high confidence spam and phishing instead of dropping them into Junk Email, where users either never look or click anyway. You cannot raise the SCL band for spam itself, only change its action, so tune the bulk threshold and ASF settings rather than hunting for a threshold knob. The Bulk email threshold is often lowered to 4 or 5 for users who receive excessive newsletters they never read. Administrators must also maintain the Tenant Allow/Block List: allow entries (via submissions) for legitimate bulk senders such as the company's own marketing platform, and time-boxed block entries for phishing domains seen in campaigns. Performance is not an issue as EOP scales automatically, but policy application order matters: custom policies apply in priority order, and the default policy covers every recipient no custom rule matches. Misconfiguration often occurs when the same domain sits in both an allow list and a block list, or when a mail flow rule sets SCL -1 on a condition anyone can spoof (a sender domain with no IP range). Another common issue is leaving the common attachments filter off or with an empty file type list, so executables arrive as attachments. In a multi-tenant scenario (for example, an MSP), each tenant needs its own policies scoped correctly. Monitoring via Threat Explorer is essential to catch zero-day malware outbreaks, where ZAP can retroactively clean mailboxes. A frequent mistake is relying solely on default policies without tuning, leading to user complaints about missed spam or malware.

How MS-102 Actually Tests This

The MS-102 exam (Objective 3.2) tests your ability to configure and manage anti-spam and anti-malware policies. Know the SCL bands (5-6 spam, 7-9 high confidence spam; they are fixed, not configurable) and the default actions: spam and high confidence spam go to the Junk Email folder in the default policy, high confidence phishing is always quarantined, and the Standard and Strict presets quarantine high confidence spam and phishing. The default BCL threshold is 7. Common wrong answers: (1) Choosing 'Delete message' as the action for spam. Microsoft recommends quarantine, not delete, so admins and users can recover false positives. (2) Assuming anti-malware scanning is inbound-only. It covers outbound and intra-organization mail too, and an outbound message carrying malware is quarantined rather than sent. (3) Assuming the state of the common attachments filter. Its default has changed over time, so on a real tenant the only safe answer is to read it from the policy; know that it blocks by file type (true-type detection) independently of the malware engines. (4) Confusing Safe Attachments with anti-malware policies. Safe Attachments is a separate Defender for Office 365 feature that detonates attachments; EOP anti-malware scanning applies to every tenant. The exam loves edge cases: a message that is both malware and spam is handled as malware, because malware is the highest-precedence verdict. A sender on both the allow list and the block list is blocked, because block entries win. What is the maximum number of custom policies? 500. Know the difference between 'Spam' and 'Bulk email': bulk is identified by BCL and gets its own action in the anti-spam policy. Remember that policies are configured with the *-HostedContentFilterPolicy and *-MalwareFilterPolicy cmdlets and scoped with the matching *Rule cmdlets. Finally, anti-malware admin notifications for undelivered messages from internal senders and from external senders are both off by default.

Key Takeaways

SCL bands are fixed: spam = SCL 5-6, high confidence spam = SCL 7-9; phishing and high confidence phishing are separate verdicts, not SCL values.

Default policy actions: spam and high confidence spam go to the Junk Email folder; high confidence phishing is quarantined; the Standard and Strict presets quarantine high confidence spam and phishing (recommended).

Default BCL threshold for bulk email: 7 (Standard 6, Strict 5).

Anti-malware action: quarantine the message, with AdminOnlyAccessPolicy as the default quarantine policy.

Common attachments filter (blocking exe, scr, etc.) works by true-type detection; its default has changed over time, so verify it in the policy.

Anti-spam policies filter inbound mail from external senders; intra-org mail is acted on only for the verdicts selected under 'Intra-Organizational messages to take action on' (high confidence phishing by default). Anti-malware applies to inbound, outbound, and intra-org mail.

Maximum custom anti-spam policies: 500.

Tenant Allow/Block List: block entries win over allow entries, and allow entries never override malware or high confidence phishing.

Password-protected archives cannot be scanned for malware; block them by file type or with a mail flow rule if your organization does not accept them.

ZAP for malware, spam, and phishing are all enabled by default.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Anti-Spam Policy

Filters based on SCL (Spam Confidence Level) and BCL (Bulk Complaint Level).

Default actions in the default policy: Move to Junk (spam, high confidence spam, bulk), Quarantine (high confidence phishing); the Standard and Strict presets quarantine high confidence spam and phishing.

Can be scoped to users, groups, or domains via rules.

Includes Advanced Spam Filter (ASF) options for specific patterns.

Does not scan attachments for malware; only content analysis.

Anti-Malware Policy

Scans attachments for malicious software using multiple anti-malware engines (URLs are handled by the spam and phishing filters and Safe Links, not by this policy).

Default action: Quarantine entire message.

Also scoped via rules; can be applied to internal messages as well.

Includes common attachment types filter (e.g., .exe, .scr).

Integrates with Zero-Hour Auto Purge (ZAP) for retroactive removal.

Watch Out for These

Mistake

Anti-malware policies scan all attachments including password-protected archives.

Correct

An archive that EOP cannot open, such as a password-protected ZIP, cannot be scanned for malware, and the anti-malware engines do not treat 'unscannable' as 'malicious'. Such files reach the mailbox unless something else catches them: the common attachments filter (which matches the container type), a mail flow rule using the 'any attachment is password protected' or 'any attachment's content can't be inspected' condition, or Safe Attachments in Defender for Office 365 (which cannot detonate them either, but can be combined with those rules). Decide explicitly what your organization does with unscannable archives.

Mistake

The default spam action for SCL 5-6 is 'Quarantine message'.

Correct

The default action for spam (SCL 5-6) is 'Move message to Junk Email folder'. In the default anti-spam policy, high confidence spam (SCL 7-9) also goes to Junk Email; only high confidence phishing is quarantined everywhere. The Standard and Strict preset policies quarantine high confidence spam and phishing, which is what Microsoft recommends and what most custom policies should do.

Mistake

You can create an unlimited number of custom anti-spam policies.

Correct

You can create up to 500 custom anti-spam policies in Exchange Online. This is a hard limit.

Mistake

Anti-spam policies apply to internal messages (within the same organization).

Correct

Spam filtering is designed for inbound mail from external senders. Intra-organization messages are acted on only for the verdicts selected in the policy's 'Intra-Organizational messages to take action on' setting (IntraOrgFilterState), which by default covers high confidence phishing only; other mail between internal mailboxes is delivered with filtering skipped (header SFV:SKI). Anti-malware scanning applies to inbound, outbound, and intra-org mail alike.

Mistake

If a sender is on the Tenant Allow List, all filtering is bypassed.

Correct

An allow entry skips the spam, bulk, and phishing verdicts for that sender (such entries are created through submissions, not typed in directly), but it never overrides a malware or high confidence phishing verdict, mail flow rules still run, and a matching block entry wins over it.


Frequently Asked Questions

What is the difference between Spam Confidence Level (SCL) and Bulk Complaint Level (BCL)?

SCL is a rating from -1 to 9 (only -1, 0, 1 and 5 through 9 are used) that states how likely a message is to be spam, based on content and sender analysis. BCL is a rating from 0 to 9 that states how likely a message is to be bulk email (newsletters, marketing), based on complaints about the sender. Both are used by anti-spam policies: the SCL bands map to the spam and high confidence spam verdicts (fixed bands, configurable actions), and the BCL is compared with the policy's bulk threshold. Messages at or above the BCL threshold get the bulk action.

Can I apply different anti-spam policies to different users?

Yes. You can create multiple custom anti-spam policies and assign them to specific users, groups, or domains using policy rules. The default policy applies to all recipients not covered by a custom policy. Use the Microsoft 365 Defender portal or PowerShell to create rules with conditions like 'RecipientDomainIs' or 'SentToMemberOf'.

What happens if a message is both spam and malware?

Malware takes precedence. The message is quarantined as malware, and the anti-malware policy action is applied. The anti-spam policy is not evaluated for that message.

How do I allow a specific sender to bypass spam filtering?

Create an allow entry through a submission: report the message as not junk from the Submissions page (Email & collaboration > Submissions) and choose to allow the sender. Allow entries for senders and domains cannot be typed directly into the Tenant Allow/Block List page (Policies & rules > Threat policies > Tenant Allow/Block Lists); only block entries can. Alternatively, add the address or domain to the Allowed senders or Allowed domains list in the anti-spam policy, but policy-level allows bypass filtering for anything claiming that address, spoofs included, so keep them minimal and prefer addresses over domains. Neither method bypasses malware scanning or high confidence phishing.

What is the default action for malware in outbound messages?

The default action for malware detected in outbound messages is the same as for inbound: Quarantine the message. Additionally, the system may send a notification to the sender (if configured) and the message is not delivered. Outbound malware detection helps prevent infected messages from leaving your organization.

Can users release their own quarantined messages?

Yes, depending on the quarantine policy assigned to each verdict. With the default quarantine policies, users can view and release their own spam and bulk messages (DefaultFullAccessPolicy), while malware and high confidence phishing use AdminOnlyAccessPolicy and are invisible to users. Quarantine notifications (the successor to end-user spam notifications) are enabled in the quarantine policy and send users a periodic digest with release and block-sender links. Check the assignments with `Get-HostedContentFilterPolicy | Format-List Name, *QuarantineTag`.

How do I configure anti-spam policies via PowerShell?

Use the `*-HostedContentFilterPolicy` cmdlets. Example: `Set-HostedContentFilterPolicy -Identity Default -SpamAction Quarantine -BulkThreshold 6`. To create a new policy: `New-HostedContentFilterPolicy -Name CustomPolicy -SpamAction Quarantine`. Then create a rule with `New-HostedContentFilterRule` to apply it.
