rijojoy7
Jul 03, 2025

Mastering Outbound Spam Protection in Microsoft Defender and Exchange Online Protection (EOP)

In today’s cloud-driven landscape, protecting your organization’s email flow is not only about stopping inbound threats—it’s also about ensuring your users aren’t the source of outbound spam. Whether caused by account compromise, misconfiguration, or shadow IT, outbound spam can damage your domain’s reputation, trigger blacklists, and even lead to service throttling from Microsoft.

What Is Outbound Spam?

Outbound spam refers to unwanted or malicious messages sent from inside your organization to external recipients. These messages can originate from:

  • Compromised accounts
  • Misused shared mailboxes
  • Automation scripts or connectors
  • Forwarding loops

Outbound spam can place your domain on blocklists, reduce deliverability, and ultimately erode trust in your brand.

Tools Used: Microsoft Defender + Exchange Online Protection

Microsoft 365 includes built-in outbound protection via:

  • Exchange Online Protection (EOP) for all tenants
  • Microsoft Defender for Office 365 for advanced protection and insights

Step-by-Step: Configuring Outbound Spam Protection in EOP

Create and Apply Outbound Spam Policies

Microsoft 365 Defender Portal → Email & Collaboration → Policies & Rules → Threat Policies → Anti-Spam Policies

Select Create Policy → Outbound Spam Filter Policy

Give the policy a clear name 

Apply granular scoping by selecting users, groups, or domains based on risk level

Configure outbound spam policies in EOP

Message limits section

  • This section configures the limits for outbound email messages from Exchange Online

Set an external message limit

  • Maximum number of external recipients a user can send messages to in a one-hour period

Set an internal message limit

  • Maximum number of internal recipients a user can send messages to in a one-hour period

Set a daily message limit

  • The maximum total number of recipients per day
    This limit encompasses both internal and external recipients
    Valid value is 0 to 10000

Restriction placed on users who reach the message limit

Restrict the user from sending mail until the following day

  • Email notifications are sent, and the user is unable to send any more messages until the following day, based on UTC time

Restrict the user from sending mail

  • User can't send email until they're removed from Restricted users by an admin
    After an admin removes the user from the list, the user won't be restricted again for that day; the limit is reset to zero

No action, alert only

  • Email notifications are sent

Forwarding rules section

This section controls automatic email forwarding by Exchange Online mailboxes to external recipients

  • Automatic - System-controlled: The system manages the automatic forwarding of email messages to external recipients
  • On - Forwarding is enabled: Automatic external email forwarding isn't disabled by the policy
  • Off - Forwarding is disabled: All automatic external email forwarding is disabled by the policy

The policy disables only automatic forwarding of messages to external addresses.
Outbound spam policies don't affect the forwarding of messages between internal users.

Notifications section

You can configure additional recipients who should receive copies and notifications of suspicious outbound email messages

Send a copy of suspicious outbound messages that exceed these limits to these users and groups

  • Specify users or groups within your organization who should receive copies of outbound email messages that exceed the defined sending limits
  • This setting adds the specified recipients to the bcc field of suspicious outbound messages
  • This setting works only in the default outbound spam policy. It doesn't work in custom outbound spam policies

Notify these users and groups if a sender is blocked due to sending outbound spam

  • Allows you to configure who should receive a notification when a sender is blocked for sending outbound spam
  • This setting is in the process of being deprecated from outbound spam policies
  • It is strongly recommended that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users

Remove blocked users from the Restricted entities page

 Email & collaboration > Review > Restricted entities

The user is restricted from sending email, but they can still receive email.

Alert settings for Restricted users

Automatically notifies admins when users are blocked from sending email

  • Email & collaboration > Policies & rules > Alert policy 
  • Search Policy Name: User restricted from sending email

Managing outbound spam is more than configuring a few switches—it's about having a layered defense posture. Microsoft Defender for Office 365 and Exchange Online Protection give you the visibility, automation, and control to protect both inbound and outbound mail traffic.

Managing outbound spam isn’t just about setting limits—it’s about shaping a layered, intelligent policy landscape that:

  • Detects malicious senders
  • Alerts admins in real time
  • Automatically blocks abuse
  • Protects domain trust and email deliverability

With Microsoft Defender for Office 365 and EOP, you have everything you need to build a resilient outbound protection framework.
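
The portal steps in this post can also be applied from Exchange Online PowerShell. The following is an added example, not part of the original post: the policy name, pilot mailbox and limit values are constructed placeholders, and it assumes the ExchangeOnlineManagement module and an account allowed to manage anti-spam policies.

```powershell
# Added example: placeholder names, addresses and limits (constructed values).
# Assumes the ExchangeOnlineManagement module and anti-spam admin permissions.
Connect-ExchangeOnline

$policyName = 'Outbound - Pilot Limits'   # hypothetical policy name
$pilotUser  = 'pilot.user@contoso.com'    # hypothetical test mailbox

# Message limits, threshold action and forwarding mode, as in the portal sections.
$policy = @{
    Name                          = $policyName
    RecipientLimitExternalPerHour = 400    # external recipients per hour
    RecipientLimitInternalPerHour = 800    # internal recipients per hour
    RecipientLimitPerDay          = 1000   # internal + external; 0 to 10000
    ActionWhenThresholdReached    = 'BlockUserForToday'   # or BlockUser / Alert
    AutoForwardingMode            = 'Off'  # Automatic | On | Off
}
New-HostedOutboundSpamFilterPolicy @policy

# The rule carries the scoping. Only a Users condition (-From) is set here,
# so the policy is limited to the single pilot sender while it is tested.
$rule = @{
    Name                           = "$policyName - rule"
    HostedOutboundSpamFilterPolicy = $policyName
    From                           = $pilotUser
    Priority                       = 0
}
New-HostedOutboundSpamFilterRule @rule

# Confirm what was actually stored before widening the scope.
Get-HostedOutboundSpamFilterPolicy -Identity $policyName |
    Format-List Name, RecipientLimit*, ActionWhenThresholdReached, AutoForwardingMode

# List senders currently on the Restricted entities page.
Get-BlockedSenderAddress

# After the account has been investigated and secured, lift the restriction:
# Remove-BlockedSenderAddress -SenderAddress $pilotUser
```

The removal line is left commented out so that a restricted account is reviewed before it is allowed to send again.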

5 Replies

  • rijojoy7​ Hello, I need help to create outbound spam policy.

    I would like to create outbound spam policy for the entire org to restrict Daily message limit.

    1. First, to test the policy if I only mention one user individual and apply restriction to Daily message limit, External and Internal message to hour. So, it will only apply to the single user but not the entire domain. I am asking because I see an AND condition in the policy, which is why I am a little bit confused.
    2. We have Automatic forwarding enabled in the separate policy but for few users but "Automatic - forwarding - On" is selected in the policy, so the same way I need to select in the new Outbound spam policy when we apply for entire org.
    3. Also, Set hourly Internal and external message will override the Microsoft limit?

    I just want to make sure it would impact the other thing, help me if you can.

    • rijojoy7
      MCT
      • Users
        These are individual mailboxes, mail users, or mail contacts.
        Example: You want to apply the policy to email address removed for privacy reasons and email address removed for privacy reasons. You enter both email addresses in the "Users" box.
        Result: The policy applies to emails sent by Alex or Jessica
      • Groups
        You can choose
        Distribution groups
        Mail-enabled security groups
        Microsoft 365 Groups (but NOT dynamic distribution groups)
        Example: You select the group email address removed for privacy reasons.
        Result: The policy applies to all members of the SalesTeam group
      • Domains
        You can apply the policy to senders whose primary email belongs to a specific domain.
        Example: You enter contoso.com.
        Result: The policy applies to everyone in your organization with an email like email address removed for privacy reasons.
        Note: If you include contoso.com, it also automatically includes subdomains like marketing.contoso.com, unless you specifically exclude them
      • How to Add Values
        Click in the appropriate box (Users, Groups, or Domains).
        Start typing an identifier—this can be a name, alias, email, etc.
        Select from the dropdown list.
        You can repeat this step to add multiple entries.
        Example: Add email address removed for privacy reasons and email address removed for privacy reasons. Both will be included
      • Logic Applied (OR vs. AND)
        Same category (Users/Groups/Domains) = OR logic.
        If any match, policy is applied.
        Example: If either email address removed for privacy reasons OR email address removed for privacy reasons sends an email, the policy applies.
        Different categories combined (User + Group) = AND logic.
        All conditions must match.
        Example
        User: email address removed for privacy reasons
        Group: Executives
        Result: The policy only applies if Romain is a member of Executives group
      • Exclude Internal Senders (Sender Exceptions)
        This lets you exclude specific senders from the policy.
        Same category exclusions = OR logic
        Different category exclusions = OR logic too
        Example:
        You exclude:
        email address removed for privacy reasons
        email address removed for privacy reasons
        Domain: hr.contoso.com
        Result: If the sender is Lisa, or in the ITTeam group, or has an email in hr.contoso.com, the policy won’t apply

       

      • Pankaj_Messaging_Specialist
        Copper Contributor

        rijojoy7​ Hello, is there any limit set by Microsoft for "Restrict sending to external recipients or Internal recipients"?

        If I add any value so that would work or conflict with Microsoft?
