Forum Discussion
EOP- AntiPhish/AntiSpam rules conflict
Hi
I have already created AntiSpam, AntiPhish and AntiMalware policies. Everything works fine except when a mail is classified into both categories, for example High Phish/Spam: then the quarantine policy for antispam takes precedence, not the one for anti-phishing, and the email finally lands in the Junk Email folder (based on the antispam quarantine rules), but I would like to block this email (based on the antiphish policy). How can I force the antiphish policy setting to take precedence over antispam?
- Deleted, Mar 15, 2023
From the description, you confirmed that you have a couple of policies configured, including the Anti-Spam and Anti-Phish policies. However, you have had cases where confusion arises as to which policy is applied to the emails.
Now you seek to know how to force a policy setting to take precedence over the other.
There are two major factors that determine which policy is applied to a message:
The order of processing for the email protection type: This order is not configurable, and is described in the following table:
| Order | Email protection | Category | Where to manage |
|---|---|---|---|
| 1 | Malware | CAT:MALW | https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide |
| 2 | Phishing | CAT:PHSH | https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide |
| 3 | High confidence spam | CAT:HSPM | https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide |
| 4 | Spoofing | CAT:SPOOF | https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence?view=o365-worldwide |
| 5* | User impersonation (protected users) | UIMP | https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide |
| 6* | Domain impersonation (protected domains) | DIMP | https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide |
| 7 | Spam | CAT:SPM | https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide |
| 8 | Bulk | CAT:BULK | https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide |

* These features are only available in anti-phishing policies in Microsoft Defender for Office 365.
The priority of the policy: For each type of policy (anti-spam, anti-malware, anti-phishing, etc.), there's a default policy that applies to everyone, but you can create custom policies that apply to specific users (recipients). Each custom policy has a priority value that determines the order that the policies are applied in. The default policy is always applied last.
It is important to note that if a recipient is defined in multiple policies of the same type (anti-spam, anti-phishing, etc.), only the policy with the highest priority is applied to the recipient. Any remaining policies of that type are not evaluated for the recipient (including the default policy).
So to answer your question, you need to set the anti-phish rule to the highest priority so as to be applied to the recipient. Reference: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined?view=o365-worldwide
Do let me know if you need further assistance. I would be glad to help!
If I have answered your question, please mark your post as Solved
If you like my response, please give it a Like
Appreciate your Kudos! Proud to contribute! 🙂
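The two factors described in the answer above, modelled as an added example (not part of the original thread and not Microsoft's code): it reads the CAT value from a message's X-Forefront-Antispam-Report header, then picks the policy of the matching type by priority. The header sample, policy names and recipient are constructed, matching recipients by exact address is a simplification, and the policy type per category is taken from the links in the table.

```python
# CAT value -> (processing order, policy type per the table's "Where to manage" link)
ORDER = {
    "MALW": (1, "anti-malware"), "PHSH": (2, "anti-spam"),
    "HSPM": (3, "anti-spam"), "SPOOF": (4, "spoof-intelligence"),
    "UIMP": (5, "anti-phishing"), "DIMP": (6, "anti-phishing"),
    "SPM": (7, "anti-spam"), "BULK": (8, "anti-spam"),
}

# Constructed sample data (not from the thread). Priority 0 is the highest
# custom priority; None marks the default policy, which is applied last.
SAMPLE_REPORT = "CIP:203.0.113.7;CTRY:;LANG:en;SCL:9;SFV:SPM;CAT:PHSH;DIR:INB;"
RECIPIENT = "user@contoso.example"
POLICIES = [
    {"name": "Default anti-spam", "type": "anti-spam", "priority": None, "recipients": set()},
    {"name": "Spam-AllStaff", "type": "anti-spam", "priority": 1, "recipients": {RECIPIENT}},
    {"name": "Spam-Finance", "type": "anti-spam", "priority": 0, "recipients": {RECIPIENT}},
    {"name": "Phish-Finance", "type": "anti-phishing", "priority": 0, "recipients": {RECIPIENT}},
]

def parse_category(report):
    """Return the CAT value from an X-Forefront-Antispam-Report header, or None."""
    for field in report.split(";"):
        key, sep, value = field.partition(":")
        if sep and key.strip().upper() == "CAT":
            return value.strip().upper() or None
    return None

def winning_category(verdicts):
    """Factor 1: of several verdicts, the one earliest in the fixed order wins."""
    known = [v for v in verdicts if v in ORDER]
    return min(known, key=lambda v: ORDER[v][0]) if known else None

def effective_policy(policies, policy_type, recipient):
    """Factor 2: among policies of one type that name the recipient, only the
    highest-priority one applies; the default is used if none matches."""
    same_type = [p for p in policies if p["type"] == policy_type]
    custom = [p for p in same_type
              if p["priority"] is not None and recipient.lower() in p["recipients"]]
    if custom:
        return min(custom, key=lambda p: p["priority"])
    return next((p for p in same_type if p["priority"] is None), None)

def explain(report, policies, recipient):
    """Return (category, policy type, policy name) for a stamped message."""
    cat = parse_category(report)
    if cat not in ORDER:
        return None
    policy = effective_policy(policies, ORDER[cat][1], recipient)
    return cat, ORDER[cat][1], policy["name"] if policy else None
```

Running `explain(SAMPLE_REPORT, POLICIES, RECIPIENT)` on a real header copied from a delivered or quarantined message shows which category was stamped and which policy type to inspect for the action that was taken.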