
Enhanced Email Message Filtering

Microsoft 365 includes some of the most capable email filtering available anywhere. Most organisations are not using it properly.

Every Microsoft 365 mailbox is protected by Exchange Online Protection, Microsoft's baseline filtering engine, which blocks known spam, malware, and spoofed senders before messages reach your inbox. For organisations on Microsoft 365 Business Premium (or with Defender for Office 365 added to their plan), that protection extends significantly further: Safe Links checking URLs at the moment of click, Safe Attachments sandbox scanning before delivery, and AI-driven anti-phishing capable of detecting business email compromise with 99.99% accuracy.

The gap is not capability. It is configuration. The default settings that come out of the box catch the obvious threats. They leave meaningful gaps on the sophisticated ones: impersonation attacks, zero-day malware in attachments, and cleverly crafted phishing that passes surface-level inspection. Properly configuring and maintaining Microsoft Defender for Office 365 requires a clear picture of what needs protecting, an understanding of the available controls, and the expertise to tune them without creating false positives that make the system as disruptive as the threats it is designed to block.

Microsolve configures, documents, and manages Microsoft 365 email filtering as part of the email management service, keeping it integrated, properly tuned, and actively maintained as Microsoft evolves the platform.

The Filtering Capability Already in Microsoft 365

Understanding Microsoft 365 email filtering starts with knowing what is actually available at each licence level and the difference between having a capability and having it configured to protect effectively.

Exchange Online Protection

Every Microsoft 365 licence that includes a mailbox includes Exchange Online Protection (EOP). EOP is a multi-layer filtering service that runs before any email reaches a user's inbox. It checks:

  • Connection filtering: the sender's IP address and domain reputation are checked against Microsoft's threat intelligence. Known malicious senders are blocked before the message is even scanned
  • Anti-malware scanning: attachments are scanned for known malware signatures
  • Anti-spam filtering: message content, structure, and metadata are analysed and assigned a Spam Confidence Level (SCL) score from 1 to 9 to determine how likely the message is to be spam. Higher scores result in quarantine or deletion
  • Anti-phishing: spoofed sender addresses, lookalike domains, and basic phishing patterns are detected and blocked
  • Email authentication: SPF, DKIM, and DMARC records are checked to verify that messages claiming to be from a domain are actually authorised to send from it

EOP provides meaningful baseline protection. It is not enough on its own for organisations that handle sensitive information, receive high volumes of external email, or operate in sectors where targeted phishing is common.

Microsoft Defender for Office 365

Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, which is a significant step up from EOP alone. For organisations on other plans, Defender for Office 365 Plan 1 or Plan 2 can be added as a licence add-on.

Defender for Office 365 adds:

  • Safe Attachments: attachments are opened in a cloud-based sandbox environment before delivery. If the attachment behaves maliciously in the sandbox, it is removed before the message reaches the user. This protects against zero-day malware that signature-based scanning would not detect
  • Safe Links: URLs in emails (and in Office documents) are checked at the moment of click, not just at the time of delivery. If a link was safe when the message arrived but has since been weaponised, Safe Links will still block it
  • Advanced anti-phishing with impersonation protection: AI and machine learning are used to detect phishing campaigns that impersonate known senders or domains, including business email compromise (BEC) attempts that do not contain malicious attachments or links, just social engineering
  • Zero-hour auto-purge (ZAP): messages already delivered to inboxes that are subsequently identified as malicious are retroactively moved to quarantine or junk, even after delivery
  • LLM-based content analysis: Microsoft introduced large language model-based detection in late 2024, adding semantic analysis of email content to identify BEC and impersonation attacks based on language and intent, not just sender reputation

The Configuration Gap

Having these capabilities available is not the same as having them work. The default settings that come with a new Microsoft 365 tenant are a starting point, not a finished security configuration. Microsoft itself publishes Standard and Strict preset security policies as recommended baselines, acknowledging that default settings are insufficient for most organisations.

Configuration decisions that affect protection quality include:

  • Bulk email threshold settings (BCL): the sensitivity at which bulk commercial email is treated as spam
  • Anti-phishing policy scope and impersonation protection lists: which users and domains are protected, and with what sensitivity
  • Safe Attachments policy: whether attachments are scanned in Dynamic Delivery (delivered with a placeholder while scanning occurs) or held until scanning completes
  • Quarantine policies: what users can do with quarantined messages and whether they receive notifications
  • Anti-spam inbound policy actions: whether high-confidence spam is quarantined or merely moved to junk
  • Outbound spam controls: restrictions on automatic forwarding, which is a common indicator of account compromise

Getting these decisions right requires an understanding of how the organisation uses email, what the acceptable false positive rate is, and how the settings interact with each other.
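As an added example (not Microsolve's tooling or a Microsoft sample), the following read-only PowerShell audit reads the settings listed above from Exchange Online and flags those that are looser than the values Microsoft uses in its Standard preset; it assumes the ExchangeOnlineManagement module is installed and the signed-in account can read EOP and Defender for Office 365 policies.

```powershell
# Added example: read-only audit of the configuration decisions listed above.
# Assumes the ExchangeOnlineManagement module and an account that can read
# EOP / Defender for Office 365 policies. Comparison values are the Standard preset's.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Get-FilteringFindings {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Anti-spam inbound: BCL threshold (Standard: 6) and high-confidence spam action (Standard: Quarantine)
    foreach ($p in Get-HostedContentFilterPolicy) {
        if ($p.BulkThreshold -gt 6) {
            $findings.Add("Anti-spam '$($p.Name)': BCL threshold $($p.BulkThreshold) is looser than Standard (6)")
        }
        if ($p.HighConfidenceSpamAction -ne 'Quarantine') {
            $findings.Add("Anti-spam '$($p.Name)': high-confidence spam action is $($p.HighConfidenceSpamAction), not Quarantine")
        }
    }

    # Anti-phishing: impersonation scope and sensitivity (Standard: PhishThresholdLevel 3)
    foreach ($p in Get-AntiPhishPolicy | Where-Object Enabled) {
        if (-not $p.EnableTargetedUserProtection -or $p.TargetedUsersToProtect.Count -eq 0) {
            $findings.Add("Anti-phish '$($p.Name)': no users covered by impersonation protection")
        }
        if (-not $p.EnableTargetedDomainsProtection -and -not $p.EnableOrganizationDomainsProtection) {
            $findings.Add("Anti-phish '$($p.Name)': no domains covered by impersonation protection")
        }
        if ($p.PhishThresholdLevel -lt 3) {
            $findings.Add("Anti-phish '$($p.Name)': threshold level $($p.PhishThresholdLevel) is below Standard (3)")
        }
    }

    # Safe Attachments: 'Allow' delivers the file even when the sandbox flags it (tracking only)
    foreach ($p in Get-SafeAttachmentPolicy | Where-Object Enable) {
        if ($p.Action -eq 'Allow') {
            $findings.Add("Safe Attachments '$($p.Name)': action is Allow; flagged attachments are still delivered")
        }
    }

    # Outbound spam: automatic external forwarding is a common sign of a compromised account
    foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
        if ($p.AutoForwardingMode -ne 'Off') {
            $findings.Add("Outbound '$($p.Name)': AutoForwardingMode is $($p.AutoForwardingMode), not Off")
        }
    }
    return $findings
}

# Quarantine policies are reported as-is: what users may do and whether they get notifications
Get-QuarantinePolicy | Select-Object Name, EndUserQuarantinePermissions, ESNEnabled | Format-Table -AutoSize
Get-FilteringFindings | ForEach-Object { Write-Output "FINDING: $_" }
```

The script changes nothing in the tenant; each finding is a prompt for the explicit decision the text describes, not an automatic fix.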


Why Integrated Filtering Beats Third-Party Add-Ons

Many organisations, or their previous IT providers, have added a third-party spam filtering or secure email gateway (SEG) product in front of Microsoft 365. The intention is understandable: more filtering layers should mean more protection.

The reality is more nuanced. When email is routed through a third-party filtering platform before reaching Microsoft 365, the Microsoft filtering stack sees only the third-party platform's IP addresses, not the original sender. This breaks a significant portion of Microsoft's connection-based and reputation-based filtering, because EOP cannot evaluate the actual sending source. The result is often lower protection quality from the Microsoft layer, combined with the operational complexity of maintaining two separate filtering configurations and the deliverability risk of email getting stuck or delayed between platforms.

Microsoft's own enhanced filtering for connectors was designed for this exact scenario. It helps restore some of the signal, but it adds configuration complexity and is not always correctly deployed when third-party SEGs are introduced.
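As an added example (not Microsolve's or Microsoft's code), this PowerShell check lists inbound connectors that accept mail from a fixed set of sender IPs, which is how a third-party SEG is normally connected, and reports whether enhanced filtering for connectors is configured on each; it assumes an existing ExchangeOnlineManagement session, and the connector name and pilot address in the comment are hypothetical.

```powershell
# Added example: find inbound connectors that front a third-party SEG and report
# whether enhanced filtering for connectors is configured on them. Assumes an
# existing Exchange Online session; 'SEG-Inbound' and the pilot address are hypothetical.
function Get-SegConnectorStatus {
    Get-InboundConnector | Where-Object { $_.Enabled -and $_.SenderIPAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Connector      = $_.Name
                SegIPs         = ($_.SenderIPAddresses -join ', ')
                # Enhanced filtering is on when EOP is told to skip the SEG's hop(s)
                EnhancedFilter = ($_.EFSkipLastIP -or $_.EFSkipIPs.Count -gt 0)
                SkipLastIP     = $_.EFSkipLastIP
                SkipIPs        = ($_.EFSkipIPs -join ', ')
                PilotUsersOnly = ($_.EFUsers.Count -gt 0)
            }
        }
}

Get-SegConnectorStatus | Format-Table -AutoSize

# To enable it for a SEG that relays through a single hop, skip the last IP on the
# hypothetical connector; scope the change to pilot mailboxes first with -EFUsers.
# Set-InboundConnector -Identity 'SEG-Inbound' -EFSkipLastIP $true -EFUsers 'pilot@contoso.example'
```

A connector row with EnhancedFilter set to False is the case the paragraph above describes: EOP sees only the SEG's IP addresses and cannot evaluate the original sender.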

For most organisations on Microsoft 365 Business Premium, the right approach is to make full use of the Defender for Office 365 capabilities already included in the licence, ensuring they are configured correctly and maintained actively, rather than adding a third-party product that partially displaces them.

47% of attacks in 2025 were found to evade Microsoft's native defences and third-party secure email gateways when default settings were in place. The issue is not the platform, it is the configuration.

Filtering and Reputation Management Together

Email filtering addresses the inbound threat: identifying and blocking malicious messages before they reach your users.

Email reputation management addresses the outbound credibility of your domain: ensuring that legitimate email from your organisation is recognised as trustworthy and delivered reliably.

The two services are complementary, and both depend on the same email authentication foundation: correctly configured SPF, DKIM, and DMARC records that tell receiving mail servers that your domain is who it says it is. Without this foundation, filtering on the inbound side is incomplete and delivery on the outbound side is unreliable.

Microsolve's Email Reputation Management service is designed to work alongside enhanced message filtering by establishing and maintaining the authentication infrastructure that protects both what comes in and what goes out.


The Microsolve Approach

Configuring Microsoft 365 email filtering well is not a one-time task. Microsoft continues to evolve the platform by adding capabilities, changing default behaviours, and updating recommended settings. An organisation whose filtering was correctly configured in 2022 may be running on outdated settings today.

Microsolve's approach to enhanced message filtering follows four stages:

Understand the Required Outcome

Before changing any settings, Microsolve assesses the current filtering configuration against the Microsoft 365 environment in place. This includes your plan, licence assignments, existing policies, and any third-party filtering products. The assessment identifies what is configured, what is not, and what needs to change. This is not a generic audit against a checklist. It is a review that understands the organisation's email patterns, risk profile, and tolerance for false positives.

Define the Approach

Filtering configuration decisions are made explicitly, not by accepting defaults. Microsolve documents the rationale for each decision: why specific bulk email thresholds were chosen, which users are included in impersonation protection policies, what the quarantine notification and release policy is, and how outbound filtering is managed. This documentation matters when something behaves unexpectedly and when Microsoft changes the platform.

Deploy and Test

Changes are deployed in a staged approach, typically by applying Microsoft's Standard preset to the organisation first, then adjusting specific policies based on the assessment findings. Legitimate senders that may be affected by tighter filtering are identified and handled appropriately before changes are applied broadly. Post-deployment monitoring confirms that filtering is working as intended and that false positive rates are acceptable.

Monitor and Maintain

Filtering is included in the regular monitoring and review cycle for the email management service. Changes to the Microsoft platform, shifts in threat patterns, and changes to the organisation's email environment (new services, new sending domains, staff changes) are reviewed and reflected in the configuration. Microsoft Secure Score for email is tracked as an ongoing indicator of configuration health.

Frequently asked questions

Does Microsoft 365 include spam and phishing protection?

Yes. Every Microsoft 365 plan with a mailbox includes Exchange Online Protection (EOP), which provides multi-layer filtering including anti-spam, anti-malware, anti-phishing, and email authentication checks. Microsoft 365 Business Premium adds Defender for Office 365 Plan 1, which extends that protection with Safe Links, Safe Attachments, and AI-driven impersonation protection.

What is Microsoft Defender for Office 365 and do we need it?

Microsoft Defender for Office 365 extends the baseline EOP filtering with advanced capabilities including Safe Attachments (sandbox scanning of files before delivery), Safe Links (URL checking at the moment of click), and sophisticated anti-phishing that can detect business email compromise and social engineering attacks that slip past traditional filtering. For organisations on Microsoft 365 Business Premium, it is already included. For others, it can be added as a licence add-on. Microsolve can advise on the right approach for your plan.

What is Exchange Online Protection (EOP)?

Exchange Online Protection is Microsoft's baseline email filtering engine, included in every Microsoft 365 plan with a mailbox. It provides connection filtering, anti-spam scoring, anti-malware scanning, anti-phishing detection, and email authentication checks. It is the foundation on which Defender for Office 365 builds its advanced protection.

Are the default settings in Microsoft 365 sufficient?

Microsoft's default settings provide meaningful baseline protection but are not a finished security configuration. Microsoft itself publishes Standard and Strict preset security policies as recommended baselines, which differ significantly from defaults in areas such as anti-phishing sensitivity, bulk email handling, and quarantine policy. Microsolve's assessment identifies where the current configuration falls short of a well-configured standard.

Should we add a third-party spam filter on top of Microsoft 365?

For most organisations on Microsoft 365 Business Premium, the right approach is to properly configure and use the Defender for Office 365 capabilities already included in the licence. Adding a third-party product in front of Microsoft 365 often reduces the effectiveness of Microsoft's filtering (because EOP cannot see the original sender) while adding operational complexity and deliverability risk. Microsolve can review the current setup and recommend the most effective approach.

What are Safe Links and Safe Attachments?

Safe Links is a Defender for Office 365 feature that checks URLs at the moment of click, not just at delivery. If a link was clean when the email arrived but has since been weaponised, Safe Links will still block it. Safe Attachments opens email attachments in a cloud-based sandbox environment before delivery, detecting malicious behaviour that signature-based scanning cannot identify. Both are included in Microsoft 365 Business Premium and available as add-ons for other plans.

How does email filtering connect to email reputation management?

Message filtering addresses the inbound threat: blocking malicious emails before they reach users. Email reputation management addresses the outbound credibility of your domain: ensuring your organisation's email is recognised as trustworthy and delivered reliably. Both depend on correctly configured SPF, DKIM, and DMARC authentication records. Microsolve manages both services and designs them to work together.

What happens to emails that are filtered out?

Filtered messages are handled according to the quarantine policy configured for the organisation. Depending on the policy, users may receive quarantine digest notifications and be able to review and release messages themselves, or an administrator may handle quarantine release. Microsolve configures quarantine policies to balance security with usability to ensure legitimate messages are not permanently blocked without visibility.

How often does Microsoft change the email filtering platform?

Microsoft updates Defender for Office 365 regularly by adding capabilities, adjusting recommended settings, and changing default behaviours. This means a filtering configuration that was correct at a point in time may drift from best practice as the platform evolves. Microsolve monitors these changes and reflects them in the managed configuration as part of the email management service.

Make Microsoft 365 filtering work as well as it was designed to

The capability is already in your Microsoft 365 licence. The question is whether it is configured to protect properly and whether it is being maintained as the platform and the threat landscape both continue to change.

A filtering configuration review is the starting point. It gives you a clear picture of where the current setup has gaps, what a properly configured environment looks like, and what Microsolve can do to get it there.