Bypass spam filtering in Microsoft 365/Office 365

Exchange Online Protection (EOP) is a cloud-based email filtering service that is a part of Microsoft 365. Using EOP, organizations can protect against spam, malware, phishing attacks, and other email threats by scanning inbound and outbound emails. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.

Microsoft 365 email protection works by using its built-in algorithm and artificial intelligence to identify whether an email is categorized as spam, phishing, or if it contains malware.

Whitelisting an email address or domain involves adding that specific email address or domain to the Allow list, often referred to as a Safe Senders list.

There are several methods for whitelisting a sender or domain in Office 365. However, it’s important to note that none of these options are recommended by Microsoft, as they can override the judgments made by Microsoft 365 threat protection. By creating rules that bypass the threat protection filters, you may inadvertently allow potentially harmful messages to pass through.

If you find it necessary to temporarily bypass a sender or domain from threat protection checks, it’s advisable to do so on a short-term basis.

You can whitelist a sender or domain in Office 365 using any of the following methods:

  1. Using Tenant Allow/Block List
  2. Create a Transport rule in Exchange Online
  3. Outlook Safe Senders list
  4. IP Allow List in Anti-spam policy
  5. Allow or Block List of Anti-Spam or Anti-Phishing Policies

Option 1 – Using Tenant Allow/Block List

If you wish to exempt a sender or domain from threat protection checks, you can utilize the Tenant Allow/Block list from the Microsoft 365 Defender portal.

You can add any domain or email address to the Block list without the requirement of submitting a sample email message to Microsoft. However, when adding a sender to the Allow list, you’ll need to submit a copy of the email message to the Microsoft team.

Microsoft will analyze the email header information and other attributes in the email to determine whether it’s a false positive or a false negative. Depending on the options selected during sample submission, the email will be allowed for a specified number of days.

You cannot keep a sender or domain on the Tenant Allow list for an unlimited duration. When the specified deadline expires, the allowed sender will be removed from the rule.

How to Add a Sender in the Office 365 Tenant Allow List?

  • Sign in to the Microsoft 365 Defender portal as either a Security Administrator or a Global administrator.
  • Go to Email & collaboration > Policies & rules.
  • Click on Threat policies.
  • Under Rules > Tenant Allow/Block Lists.
  • Click on the Submitting the email link, which will open the Submissions page.
  • On the Submissions page, click on + Submit to Microsoft for analysis.
  • On the Submit to Microsoft for analysis page, provide the following information:
    • Select the submission type: Email
    • Click on Browse files and select the saved email .msg file
    • Choose a recipient who had an issue: Provide the email address of the recipient who reported this issue
    • Select Should not have been blocked (False positive)
    • Check the box Allow emails with similar attributes (URL, sender, etc.)
    • Remove allow entry after: From the drop-down, select the number of days after which the whitelisting should be removed
  • Wait for the verdict from Microsoft. Once the analysis has been completed you will see the sender is added to the Tenant Allow/Block list. You can check the status from Email & collaboration > Policies & rules > Threat policies > Tenant Allow/Block Lists.

Option 2 – Create a Transport rule in Exchange Online

I understand that setting up a Tenant Allow list may not be a straightforward or quick process, although it is the recommended approach by Microsoft. If you prefer not to use Option 1, you can alternatively create a Transport rule in Exchange Online to bypass SPAM filtering checks for a specific sender or domain.

To create a Transport rule in Exchange Online, follow these steps:

  • Sign in to the Microsoft Exchange admin center as either an Exchange Administrator or a Global administrator.
  • Go to Mail flow > Rules > click on + Add a rule
  • Configure the rule conditions below and click “Next”. If necessary, include additional rule conditions to make the rule stricter. For instance, if you know the source email server’s IP address, you can add an extra condition in “Apply this rule if” and specify the source email server’s IP address. This ensures that the bypass SPAM filtering rule applies only to that email server.
    • Name: Bypass <domainname> domain from SPAM filtering
    • Apply this rule if: The sender domain is <provide the domain name value>
    • AND The Sender is Outside the organization.
    • AND The message headers include any of these words: Header name: Authentication-Results and Words: ‘dmarc=pass’ or ‘dmarc=bestguesspass’
    • Do the following: Modify the message properties to Set the spam confidence level (SCL) to -1.
    • AND Modify the message properties to set a message header: X-ETR and value as ‘Bypass spam filtering for authenticated sender <domain name>’

Note: The Authentication-Results condition (‘dmarc=pass’ or ‘dmarc=bestguesspass’) checks the email authentication status of the sending email domain to ensure that the sending domain is not being spoofed.
  • Set the rule settings below and click on Next.
    • Rule mode: Enforce.
    • Keep the rest of the settings as default.
  • Review and click on Finish to create the rule.
  • When you create any Transport rule in Exchange Online, by default it’s created in a disabled state. Select the rule and switch the toggle to Enable it.
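
The same rule can also be created from Exchange Online PowerShell. This is an added example, not part of the original walkthrough; it assumes Connect-ExchangeOnline has already been run, and the domain, IP range and 30-day expiry are placeholders. It includes the optional source-IP condition mentioned above and an expiry date so that the bypass stays temporary.

```powershell
# Added example: assumes the ExchangeOnlineManagement module is installed and
# Connect-ExchangeOnline has already been run with Exchange Administrator rights.
$domain   = 'partner.example'     # placeholder: sender domain to bypass
$sourceIp = '203.0.113.0/24'      # placeholder: sender's outbound mail server range

$rule = @{
    Name                        = "Bypass $domain domain from SPAM filtering"
    # Conditions: every one of these must match before the bypass applies.
    SenderDomainIs              = $domain
    FromScope                   = 'NotInOrganization'
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = 'dmarc=pass', 'dmarc=bestguesspass'
    SenderIpRanges              = $sourceIp
    # Actions: skip spam filtering and stamp a header so the bypass is traceable.
    SetSCL                      = -1
    SetHeaderName               = 'X-ETR'
    SetHeaderValue              = "Bypass spam filtering for authenticated sender $domain"
    Mode                        = 'Enforce'
    # Created disabled so it can be reviewed first; the rule stops applying at ExpiryDate.
    Enabled                     = $false
    ExpiryDate                  = (Get-Date).AddDays(30)
    Comments                    = 'Temporary spam-filter bypass; review before renewing.'
}
New-TransportRule @rule

# Review what was created before switching it on.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, SenderDomainIs, SenderIpRanges,
                HeaderContainsWords, SetSCL, ExpiryDate

Enable-TransportRule -Identity $rule.Name
```

Messages that matched the rule carry the X-ETR header, which makes it possible to confirm from a delivered message's headers that the bypass was applied.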

Option 3 – Using Outlook Safe Senders list

Users have the option to create a safe sender list using Outlook for Desktop or Outlook on the web (Outlook Web App). When a safe sender list is created, emails or domains on that list will bypass content filtering and be delivered directly to the user’s inbox.

Administrators can also configure the Safe Sender list using PowerShell cmdlets. The cmdlet which can be used for this purpose is “Set-MailboxJunkEmailConfiguration”.

To verify the blocked or allowed senders configured for any user mailbox, you can use the following cmdlet.

Get-MailboxJunkEmailConfiguration -Identity "<MailboxIdentity>" | Format-List trusted*,contacts*,blocked*

Option 4 – Using IP Allow List

You can bypass spam filtering for all inbound emails originating from the specific email server(s) by adding their IP addresses to the Allow IP list. Additionally, you can specify a range of IP addresses in CIDR format, such as “10.2.4.1/24.”

To add an IP address to the Allow IP list using the default connection filter policy in the Microsoft 365 Defender portal under Anti-spam policies, you’ll need to have Security Administrator rights or be a member of the Organization Management group to access and edit the policy.

Here are the steps to add an IP address to the Allow list:

  • Sign in to the Microsoft 365 Defender portal as Security administrator or Global administrator.
  • Go to Email & collaboration > Policies & rules.
  • Click on Threat policies
  • Click on Anti-spam under Policies
  • Select the Connection filter policy (Default) and then click on Edit connection filter policy
  • Add the IP address or IP address range to the “Always allow messages from the following IP addresses or address range” section. Then, click “Save” to finalize the configuration.

Option 5 – Allow or Block List of Anti-Spam Policies

This is the least recommended option according to Microsoft because the sender will bypass all spam checks, spoofing checks, and phishing protection, except for sender authentication checks (SPF, DKIM, DMARC). Sender authentication checks must be successfully passed to skip anti-spam filtering.

You should use this option on a temporary basis or while testing email flow. The maximum number of entries that can be added here is 1000, and if it’s more than 30, it can only be done using PowerShell.

When adding a domain or sender to the Allow list in the Anti-Spam Inbound (default) policy, it’s important to regularly review and reassess this list every few weeks. The system may learn and adapt to the sender or domain’s behavior, potentially reducing the need to bypass them from content filtering. Periodic reviews help ensure that your email security settings remain effective and up-to-date.

Let’s explore the process of whitelisting a domain or sender in the Anti-Spam Inbound policy:

  • Sign in to the Microsoft 365 Defender portal as Security administrator or Global Administrator.
  • Go to Email & collaboration > Policies & rules.
  • Click on Threat policies
  • Click on Anti-spam under Policies
  • Select the Anti-spam inbound policy (Default), scroll down to the bottom of the policy and select “Edit Allowed and blocked senders and domains”.
  • Under the Allowed section, you will find the Manage Senders and Allow domains link.
    • Manage senders – Add the sender’s email address to the whitelist.
    • Allow Domains – Add a domain to whitelist.
  • I have clicked on the Allow domains link and then clicked on + Add domains to add a domain, for example: cloudinfra.net.

FAQs

1. Allow or Block list of Anti-Phishing Policies

If you wish to exempt a trusted sender or domain from Anti-phishing protection, you can utilize the Allow list within the Anti-phishing policy. Let’s proceed to review the steps for doing so:

  • Sign in to the Microsoft 365 Defender portal as Security administrator or Global administrator.
  • Go to Email & collaboration > Policies & rules.
  • Click on Threat policies
  • Click on Anti-phishing under Policies
  • Select the Office365 AntiPhish Default (Default) policy or, if you have created a custom policy that protects all users, select that policy.
  • Click on Edit protection settings
  • On the Edit protection settings page, click on “Manage trusted sender(s) and domain(s)” to whitelist a sender or domain.
  • Click on the Sender tab to whitelist a sender email address, or click on the Domain tab to add a domain to the whitelist.

Conclusion

In this blog post, we’ve explored various methods for whitelisting a sender or domain in Office 365 to bypass SPAM filtering. Additionally, you have the option to bypass Phishing protection alongside SPAM filtering.

If there’s no need to bypass content filtering for an entire domain, it’s advisable to only add the specific sender who reported the issue. Furthermore, it’s crucial to regularly monitor your allowed list and promptly remove any sender or domain when whitelisting is no longer necessary. This practice helps maintain a secure and up-to-date email environment.
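
For the periodic review recommended above, the script below collects the tenant-wide allow entries from the methods covered in this post into one report. It is an added example, not part of the original post; it assumes Connect-ExchangeOnline has already been run and does not cover per-mailbox Outlook Safe Senders lists (Option 3).

```powershell
# Added example: assumes Connect-ExchangeOnline has already been run.
# Collects every tenant-wide allow/bypass entry into a single report.
$report = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Source, $Name, $Entry, $Expires) {
    $report.Add([pscustomobject]@{
        Source = $Source; Name = $Name; Entry = $Entry; Expires = $Expires })
}

# Option 1: Tenant Allow/Block List sender allows (these carry an expiry date)
Get-TenantAllowBlockListItems -ListType Sender -Allow | ForEach-Object {
    Add-Finding 'Tenant Allow/Block List' 'Sender' $_.Value $_.ExpirationDate
}

# Option 2: transport rules that set SCL to -1 (spam filtering bypassed)
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } | ForEach-Object {
    $entry = "$($_.SenderDomainIs -join ', ') [$($_.State)]"
    Add-Finding 'Transport rule' $_.Name $entry $_.ExpiryDate
}

# Option 4: IP Allow List in the connection filter policy
Get-HostedConnectionFilterPolicy | ForEach-Object {
    $policy = $_
    foreach ($ip in $policy.IPAllowList) {
        Add-Finding 'Connection filter policy' $policy.Name $ip $null
    }
}

# Option 5: allowed senders and domains in anti-spam inbound policies
Get-HostedContentFilterPolicy | ForEach-Object {
    $policy = $_
    @($policy.AllowedSenders) + @($policy.AllowedSenderDomains) |
        Where-Object { $_ } |
        ForEach-Object { Add-Finding 'Anti-spam policy' $policy.Name "$_" $null }
}

# Trusted senders and domains in anti-phishing policies
Get-AntiPhishPolicy | ForEach-Object {
    $policy = $_
    @($policy.ExcludedSenders) + @($policy.ExcludedDomains) |
        Where-Object { $_ } |
        ForEach-Object { Add-Finding 'Anti-phishing policy' $policy.Name "$_" $null }
}

# Entries with an empty Expires column never lapse on their own.
$report | Sort-Object Source, Name | Format-Table -AutoSize
```

Rows with no expiry are the ones to prioritise in each review, since nothing removes them automatically.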
