Microsoft Defender for Office 365 Blog

Email Protection Basics in Microsoft 365: Bulk Email

AndrewStobart (Microsoft)
Jun 06, 2022

Microsoft Support is excited to start a blog series that will demystify how Microsoft 365 email protection works. We are a team of engineers with years of experience supporting Exchange and security, and we are often asked how the protections work, what protections are applied to a particular message, or how organizations should manage disagreements with the filtering verdicts.  

 

Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. This blog describes the different threat protections that Microsoft Defender for Office 365 offers and reviews how Exchange Online Protection works to protect your organization against all types of email threats, and then dives into part one, how bulk (grey) email filtering works.

Click here to view additional posts in this series. Would you like us to cover more topics? Let us know in the comments.

 

Exchange Online Protection

Exchange Online Protection (EOP) is a cloud-based filtering service that helps protect your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.

 

Figure 1: EOP filtering diagram


Microsoft Defender for Office 365

Microsoft Defender for Office 365 helps organizations secure their enterprise with a comprehensive slate of capabilities across prevention, detection, investigation and hunting, response and remediation, awareness and training, and secure posture.

 

Figure 2: Defender for Office 365 high-level features


While EOP offers a certain level of protection, Microsoft Defender for Office 365 complements it with an advanced set of features. This is how the entire protection stack looks:

Figure 3: Multi-layered protection stack for EOP and Microsoft Defender for Office 365


To learn more about what keeps your organization protected from email-based threats see Step-by-step threat protection in Microsoft Defender for Office 365.


Bulk (grey) email filtering

Bulk or grey email typically refers to email campaigns that are sent to many recipients. It is often used in marketing or advertising. Some recipients want it and have subscribed to it, whereas others do not, and consider it to be spam. This makes handling these types of messages tricky.

In this article, you’ll learn how bulk filtering works, the bulk controls in Microsoft 365 Defender Anti-spam policies, and the best practices for sending and receiving bulk messages in Office 365.

Message Headers

Message headers contain valuable information about what happens during email filtering. To analyze headers, see the following resources:

 

Bulk Complaint Level (BCL)

Every incoming message is evaluated for a Bulk Complaint Level (BCL). The value of the BCL will be between 0 and 9. Higher scores indicate the message is more likely to generate a higher number of complaints.  

 

Spam Confidence Level (SCL)

Every incoming message goes through spam filtering and is assigned a spam score. Like BCL, the Spam Confidence Level (SCL) values are 0-9, with higher scores indicating the message is more likely to be spam, and there’s a special spam score (“-1”) when spam filtering is bypassed due to user or company overrides.

 

If users are either receiving bulk mail that they do not want to receive, or not receiving bulk mail that they want to receive, the first step is to look at the BCL value in the X-Microsoft-Antispam message header. This value will help you determine whether Microsoft marked the email as bulk, and whether the default bulk settings need a change. The good news is, with filtering policies, you can apply a policy to a limited set of users, groups, or domains.


Microsoft 365 Defender configurations

Microsoft 365 Defender (https://security.microsoft.com) is your one-stop-shop for all things security in Microsoft 365. Here, you can evaluate your organization’s security score, look at email protection reports, and set up alerts and policies for the different protection components of EOP and Microsoft Defender for Office 365. Bulk email threshold is configured in the Anti-spam inbound policy in the Microsoft 365 Defender portal.

Tip: You may want to bookmark the direct link for quick access to this page: https://security.microsoft.com/antispam.

A recommended default setting is provided with the threshold value of “7”, which will only filter out bulk emails that generated a high number of complaints.

Figure 4: Bulk email threshold setting


To fine-tune the Bulk Email Threshold, track the BCL value in the X-Microsoft-Antispam header on messages. Also track which users are more sensitive to bulk detections. This information will give you an idea of what the bulk slider needs to be set to, and for which users. For example, a BCL value of 5 is recommended in Strict protection policies.

 

If some of your users want to receive bulk mail and others do not, you can create a custom Anti-spam policy for each group. Anti-spam policies can be scoped to include users, groups, and domains, and they can also exclude users, groups, and domains.

 

Figure 5: Users, groups, and domains settings in the anti-spam inbound policy


Tip: Multiple values in the same condition use OR logic (for example, <user1> OR <user2>). Different conditions use AND logic (for example, <user1> AND <member of group 1>).

 

September 2022 Update: Our public documentation has been updated with additional recommendations on tuning bulk email using threat protection reporting and Advanced Hunting.

 

Actions

Every filtering policy allows you to choose the action when policy conditions are met. For bulk, the options if the BCL is above the threshold are:

Figure 6: Bulk action options


For example, if a company sends marketing emails with bad opt-in or opt-out practices and does not provide an option to unsubscribe from its mailing list, those campaigns are often unsolicited and get a BCL of 8, because they are likely to generate a high number of complaints. When the message exceeds the default threshold of 7, the X-Forefront-Antispam-Report header will include the categorization CAT:BULK, and the message will be marked as spam with a Spam Confidence Level of SCL:9.
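As an added example (not code from the original post), the following Python reads the BCL, SCL and CAT values from the X-Microsoft-Antispam and X-Forefront-Antispam-Report headers of a constructed sample message, checks the BCL against a policy threshold, and counts how many observed BCL values a candidate slider setting would catch, which is the tuning exercise described above. It assumes the `KEY:VAL;` header layout shown in the sample and treats a BCL at or above the threshold as triggering the bulk action.

```python
"""Read EOP bulk/spam verdicts from message headers and preview a threshold."""
import re
from email import message_from_string

# Constructed sample message: header values are made up for illustration.
SAMPLE_RAW = (
    "X-Microsoft-Antispam: BCL:8;\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;LANG:en;SCL:9;"
    "SRV:;IPV:NLI;SFV:SPM;CAT:BULK;DIR:INB;\n"
    "From: deals@example.com\n"
    "Subject: Weekly deals\n"
    "\n"
    "body\n"
)

def parse_report(header_value: str) -> dict:
    """Split a 'KEY:VAL;KEY:VAL;' header into a dict (empty values kept as '')."""
    fields = {}
    for part in header_value.split(";"):
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields

def extract_verdicts(raw_message: str) -> dict:
    """Return BCL, SCL and CAT from the two EOP headers (None when absent)."""
    msg = message_from_string(raw_message)
    ms = parse_report(msg.get("X-Microsoft-Antispam", ""))
    ff = parse_report(msg.get("X-Forefront-Antispam-Report", ""))

    def to_int(value):
        # SCL can be -1 when filtering was bypassed, so allow a leading minus.
        return int(value) if value is not None and re.fullmatch(r"-?\d+", value) else None

    return {"bcl": to_int(ms.get("BCL")), "scl": to_int(ff.get("SCL")), "cat": ff.get("CAT")}

def triggers_bulk_action(bcl, threshold: int = 7) -> bool:
    """Mirror the slider: a BCL at or above the threshold triggers the bulk action."""
    return bcl is not None and bcl >= threshold

def preview_threshold(bcls, threshold: int) -> int:
    """Count how many observed BCL values a candidate slider setting would catch."""
    return sum(1 for b in bcls if triggers_bulk_action(b, threshold))

if __name__ == "__main__":
    # Expected: {'bcl': 8, 'scl': 9, 'cat': 'BULK'} and 2 messages caught at threshold 7.
    print(extract_verdicts(SAMPLE_RAW), preview_threshold([0, 1, 5, 6, 8, 9], 7))
```

Feed preview_threshold the BCL values collected from real messages (for example from a message trace export) to see how many wanted versus unwanted messages each slider position would affect before changing the policy.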

 

Send bulk messages to Office 365

If you often conduct bulk email campaigns to Microsoft 365 users and want to ensure that your emails arrive in a safe and timely manner, follow the best practices in bulk emailing. Make sure to clearly indicate who’s sending the message, include an unsubscribe option, use double opt-in for message registration, ensure content is transparent and traceable, and remove invalid addresses from your databases.

 

Send bulk messages from Office 365

Microsoft does not recommend sending bulk messages from Office 365, as organizations are often blocked for exceeding the allowed limit (see Exchange Online limits). Instead, send bulk email through on-premises email servers or use a third-party bulk email provider, which normally has a vested interest in working with customers to ensure good email sending practices. To learn more about outbound spam controls, see Outbound spam protection in EOP.

 

Unsubscribe from bulk messages

Many times, users who have subscribed to bulk mail no longer want to receive these messages. In these situations, users can check for an Unsubscribe option in the bulk email message. Senders usually include a link to unsubscribe at the bottom of the message.

 

Important resources

What's the difference between junk email and bulk email? - Office 365 | Microsoft Docs

Bulk complaint level values - Office 365 | Microsoft Docs

Spam confidence level - Office 365 | Microsoft Docs

Outbound spam protection - Office 365 | Microsoft Docs

Exchange Online limits - Service Descriptions | Microsoft Docs

Troubleshooting mail sent to Microsoft 365 - Office 365 | Microsoft Docs

Anti-spam message headers documentation

Message Header Analyzer website

(Free) Message Header Analyzer Outlook add-on

(Defender for Office 365) Email Entity page


Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

 

Updated Sep 01, 2022
Version 7.0
  • JonasBack (Steel Contributor)

    Looking forward to this series! I support many customers with their M365 deployment, and what I see most of them struggle with is false positives, both identifying them (they get confused about whether they should use Message Trace, Explorer (if they're licensed), Review Quarantine etc.) but also figuring out why it occurred and how to solve it except for the normal "whitelist".

     

    I hope that you will do a deep dive on that.

  • AzureGuineaPig (Copper Contributor)

    When will Microsoft publish an update on their rationale of creating the massive bulk filtering dumpster fire in recent weeks?  Messages previously marked with a BCL of 1 for years, are now suddenly getting classified with a BCL of 5 or 6, causing these messages in organizations to be marked as spam and delivered to Junk Email to scenarios where now these seemingly safe and trusted messages are getting quarantined!  Outrageous!

     

    The only recourse of pathetic solutions offered are "oh, add the senders to the Tenant Allow/Block List" and "report submissions to Microsoft" - both an utter joke.

     

    So now we have to go through hundreds of sender addresses to submit them to Microsoft repeatedly, over and over and over and over again, just to say we're doing something to appease the masses, but in reality, even when submissions verdict comes back with "oh hey, yea we messed up" or "Should not have been blocked result", messages still continue to get tagged with the same high BCLs, almost as if nothing was done to actually fix the issue!


    So we're now left with another fantastic option offered by Microsoft: just bypass all the other security protections of the Defender protection stack for these sender addresses by adding the senders to your Tenant Allow/Block List.  Ok great, one might think, email is getting delivered to the Inbox now, because all of a sudden we now trust ALL email from these senders and just don't care.  Issue fixed, onto dealing with another Microsoft introduced problem....

     

    No wait, what's that, I've spent hours sorting through these messages, adding hundreds of addresses to the TABL...501st address, new milestone...what...limit exceeded?! The maximum number of allow entries is 500! Now what....well I guess we'll just have to adjust the bulk email threshold slider to 8, yes, that will finally fix the issue. All these emails from our trusted partners are now back again getting delivered to Inboxes...hooray!

    .

    .

    .

    Oh no, what's that, you're now getting all this junk email delivered to your inbox? The vicious cycle continues....

  • @AzureGuineaPig Thank you for reaching out. We would like to mention the recent changes to the bulk filter settings.

     

    Per MC467231, we have changed our recommendation for the Strict bulk threshold setting from “4” to “5”. This change is aimed at improving the efficiency of our bulk filter and reducing false positives (FPs). However, we understand that this change may cause some wanted emails to be junked, especially for tenants on strict BCL threshold levels, i.e. <=5.

     

    We recommend fine-tuning your bulk filter settings by adjusting your bulk threshold slider to a higher value, to reduce FPs. Additionally, Microsoft Defender for Office 365 customers can use advanced hunting to identify bulk FPs and FNs to fine-tune bulk. It is important to note that different settings can be applied to different users based on the Anti-Spam policy applied to the users.

     

    We understand that TABL is not a scalable solution for issues with a high volume of senders. In such cases, you may need to change configurations. That said, we are also currently working on increasing TABL limits, and it is on our roadmap (98185) for next month.

    We appreciate this feedback and will use it to improve our service.