Forum Discussion

YorkshireMidge
Copper Contributor
May 28, 2024

Tenant allow/block list and Exchange rules - order of execution

I've just been trying to reduce all the emails from a particularly large global spam bot which hit my tenant daily and aren't being picked up automatically as SPAM by the service. The bot uses many different individual email mailboxes, on many different (real) domains, registered in many countries (including European countries), and the domains only seem to make it onto the occasional blacklist. The mail server IPs seem to be Russian ISPs, but several of those too. So it has been difficult to stop, but I'm pretty much there as there is only a small variation in the content.

In the process of dealing with it, I have noticed that Exchange rules I have defined appear to take precedence over domain entries in the tenant allow/block list, where I expected it to be the other way around, i.e. I expected the TABL would be checked before anything else.

e.g. I have a particular domain listed in the TABL because I want to block anything/everything from it, as it is actually the predominant domain spamming us, and an Exchange rule that just looks for content rather than the source to catch all the other domains that are sending out the exact same junk. The other day, my rule caught an email from the domain based on content, and it is clear the TABL had not had an activation against it.

Is my understanding correct, and if so, is there something somewhere that describes how the various components of 365 act on incoming messages and in what order, kinda like a flow chart? I've had a look and can't find anything.

Thanks!

    • YorkshireMidge
      Copper Contributor
      Thanks. It's a good idea, but ours is a non-profit tenant so (extra) cost is always a significant obstacle for us. There is also the issue that the current SPAM bot network hitting our service is sending out advertising SPAM rather than scam/phishing messages, and when you look, they are even compliant with the various anti-spam protocols. We have another flavour of commercial SPAM where individuals (mainly in India) are peddling web design, SEO optimisation etc. These will appear to mail services as legitimate mail, and it's difficult to see how ATP would be any better at spotting and trapping them than we are. I will give ATP another look though.
  • KingsleyU
    Brass Contributor

    YorkshireMidge

    Inasmuch as Advanced Threat Protection offers more features, such as heuristic detection mechanisms for suspicious content in an email, it is important to consider the order of precedence that EOP applies to email. Also, when you block a domain using the TABL feature, always select the option "never expire".

    Useful articles:

    https://learn.microsoft.com/en-us/defender-office-365/how-policies-and-protections-are-combined

    https://learn.microsoft.com/en-us/defender-office-365/protection-stack-microsoft-defender-for-office365

    I hope you find this useful.

    Thanks
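One way to apply that advice from the Exchange Online PowerShell side, as an added example that is not code from this thread or from Microsoft: it creates a never-expiring TABL block entry for a sender domain, reads it back, lists the tenant's mail flow rules in priority order so you can see which rules would also act on a message from that domain, and pulls a message trace for a recent message. The domain `spam-sender.example` and the sender address are placeholders; the cmdlets are from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the thread). Requires the ExchangeOnlineManagement module
# and an account holding an Exchange or Security administrator role in the tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Placeholder domain standing in for the one you want blocked outright.
$blockedDomain = 'spam-sender.example'

# 1. Block the whole domain in the Tenant Allow/Block List with no expiry.
#    Sender entries accept addresses or bare domains; -NoExpiration avoids the
#    default expiry that would otherwise quietly re-open the door later.
New-TenantAllowBlockListItems -ListType Sender -Block `
    -Entries $blockedDomain `
    -NoExpiration `
    -Notes 'Persistent advertising spam campaign - blocked by helpdesk'

# 2. Read the entry back to confirm the value, the (empty) expiry and the note.
Get-TenantAllowBlockListItems -ListType Sender -Block |
    Where-Object { $_.Value -eq $blockedDomain } |
    Format-List Value, Action, ExpirationDate, Notes, LastModifiedDateTime

# 3. List the mail flow (transport) rules in evaluation order. A lower Priority
#    number is evaluated first; Mode shows whether a rule enforces or only audits.
#    Compare this list against the precedence article linked above when working
#    out why a content rule, rather than the TABL entry, was recorded on a message.
Get-TransportRule |
    Sort-Object Priority |
    Format-Table Priority, Name, State, Mode -AutoSize

# 4. Check how a recent message from the blocked domain was actually handled.
#    The sender address is a placeholder; message trace covers the last 10 days.
Get-MessageTrace -SenderAddress "noreply@$blockedDomain" `
    -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, RecipientAddress, Status |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Pipe a traced message's MessageTraceId into Get-MessageTraceDetail to see the individual events (spam verdict, rule actions) applied to it.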
