Hi MagicHair. Great question. In the past, many administrators had leveraged insecure configurations such as transport rules with contoso.com (their own accepted domain) or even gmail.com domain allows as "quick" ways to fix false positives. This has, of course, backfired often with spoofing or phishing emails allowed through due to overly broad overrides that otherwise Microsoft would filter. Consider a common scenario we've seen in Microsoft Support, when a new administrator takes over email management for a company suffering from frequent phishing attacks or user compromise, only to discover such an override had been created by their predecessor in the role.
The first article is really a set of best practices before you consider an override, and you're right, the second one is jumping into the technical content.
The newer, preferred, and more secure method we have today is to use Submissions to report email to Microsoft for analysis and regrading, and Tenant Allow/Block List for temporarily allowing the sender, file or URL while we learn from your submission.
For clarity, I'll copy/paste the relevant section from Create safe sender lists in EOP from most to least preferred:
- Allow entries for domains and email addresses (including spoofed senders) in the Tenant Allow/Block List.
- Mail flow rules (also known as transport rules). Look closely at this section, since it lists a method of safer transport rule overrides, which help you validate email authentication (DMARC pass or bestguesspass), instead of allowing entire sender domains.
- Outlook Safe Senders (the Safe Senders list that's stored in each mailbox that affects only that mailbox).
- IP Allow List (connection filtering).
- Allowed sender lists or allowed domain lists (anti-spam policies).
Hope this helps and if there's a particular override scenario you needed help with, let us know!
Alex
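
Added example (not part of the reply above and not Microsoft's code): a small audit for the inherited-override scenario, flagging mail flow rules that set SCL -1 for a whole sender domain without requiring a DMARC `pass` or `bestguesspass` result. It assumes the rules were exported to JSON with the property names used by `Get-TransportRule`; the sample rules, the `FREE_MAIL` set and the reason labels are constructed for illustration.

```python
import json

# Constructed sample: rules as they might look after
# `Get-TransportRule | ConvertTo-Json` (property names are assumed to match that output).
SAMPLE_RULES = json.loads("""[
  {"Name": "Allow internal", "SenderDomainIs": ["contoso.com"], "SetSCL": -1},
  {"Name": "Allow gmail", "SenderDomainIs": ["gmail.com"], "SetSCL": -1},
  {"Name": "Allow partner (authenticated)", "SenderDomainIs": ["fabrikam.com"],
   "HeaderContainsMessageHeader": "Authentication-Results",
   "HeaderContainsWords": ["dmarc=pass", "dmarc=bestguesspass"], "SetSCL": -1},
  {"Name": "Disclaimer", "SenderDomainIs": null, "SetSCL": null}
]""")

AUTH_PASS = {"dmarc=pass", "dmarc=bestguesspass"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # illustrative, not exhaustive


def checks_authentication(rule):
    """True only if the rule also requires a passing DMARC result in Authentication-Results."""
    header = (rule.get("HeaderContainsMessageHeader") or "").lower()
    words = {w.lower() for w in rule.get("HeaderContainsWords") or []}
    return header == "authentication-results" and bool(words) and words <= AUTH_PASS


def audit(rules, accepted_domains):
    """Return (rule name, domain, reason) for each domain-wide spam-filter bypass."""
    accepted = {d.lower() for d in accepted_domains}
    findings = []
    for rule in rules:
        if rule.get("SetSCL") != -1:        # not a spam-filtering bypass
            continue
        if checks_authentication(rule):     # the safer override pattern
            continue
        for domain in (d.lower() for d in rule.get("SenderDomainIs") or []):
            if domain in accepted:
                reason = "own-domain"       # anyone spoofing the tenant's domain is allowed
            elif domain in FREE_MAIL:
                reason = "free-mail"        # every account at the provider is allowed
            else:
                reason = "domain-only"      # sender domain trusted without authentication
            findings.append((rule["Name"], domain, reason))
    return findings


if __name__ == "__main__":
    for name, domain, reason in audit(SAMPLE_RULES, ["contoso.com"]):
        print(f"{name}: {domain} bypasses filtering without a DMARC check ({reason})")
```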