4.2 Ensure Exchange Online Spam Policies are set correctly

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.



You should configure your Exchange Online outbound spam policies to send a copy of suspicious outbound messages to a designated mailbox and to notify someone when a sender in your tenant has been blocked for sending spam.


A blocked account is a good indication that the account in question has been breached and an attacker is using it to send spam emails to other people.


Sending a notification when a user has been blocked should have no impact on that user.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To set the Exchange Online Spam Policies correctly, use the Microsoft 365 Admin Center:

Go to https://protection.office.com/antispam

Click on the Anti-spam outbound policy (default).

Select Edit protection settings, then under Notifications:

Check Send a copy of outbound messages that exceed these limits to these users and groups then enter the desired email addresses.

Check Notify these users and groups if a sender is blocked due to sending outbound spam then enter the desired email addresses.

Click Save.

To set the Exchange Online Spam Policies correctly, use the Exchange Online PowerShell Module:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following PowerShell command:

# Mailbox(es) that receive a Bcc copy of outbound messages that exceed the sending limits
$BccEmailAddress = @('<INSERT-EMAIL>')

# Mailbox(es) notified when a sender is blocked for sending outbound spam
$NotifyEmailAddress = @('<INSERT-EMAIL>')

# Enable both the Bcc copy and the block notification on the Default outbound spam policy
Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress -BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $NotifyEmailAddress
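Because Nessus does not perform this check, the following is an added verification script (not part of the CIS benchmark or the Tenable audit text) that reads the outbound spam filter policies and reports whether the four settings the remediation above configures are in place. It assumes an active Connect-ExchangeOnline session. It goes slightly beyond the remediation step by evaluating every policy in the tenant, not only Default, since a custom policy with a matching rule takes precedence over Default for the users it is scoped to; the function name Test-OutboundSpamPolicy is an assumption of this example.

```powershell
# Added verification script; not part of the CIS benchmark or the Tenable audit text.
# Assumes an active Exchange Online session (Connect-ExchangeOnline) and the
# ExchangeOnlineManagement module. Checks every outbound spam filter policy, not
# only Default, because a custom policy with a matching rule overrides Default for
# the users it is scoped to.

function Test-OutboundSpamPolicy {
    [CmdletBinding()]
    param(
        # Policies to evaluate; defaults to all outbound spam policies in the tenant.
        [Parameter(ValueFromPipeline = $true)]
        $Policy = (Get-HostedOutboundSpamFilterPolicy)
    )
    process {
        foreach ($p in @($Policy)) {
            # Null-safe counts: the recipient properties are collections that may be empty.
            $bccRecipients    = @($p.BccSuspiciousOutboundAdditionalRecipients).Count
            $notifyRecipients = @($p.NotifyOutboundSpamRecipients).Count

            $result = [pscustomobject]@{
                Policy           = $p.Name
                BccEnabled       = [bool]$p.BccSuspiciousOutboundMail
                BccRecipients    = $bccRecipients
                NotifyEnabled    = [bool]$p.NotifyOutboundSpam
                NotifyRecipients = $notifyRecipients
                Compliant        = $false
            }

            # All four settings must hold for the policy to satisfy this audit:
            # Bcc enabled with at least one recipient, and notification enabled
            # with at least one recipient.
            $result.Compliant = $result.BccEnabled -and $bccRecipients -gt 0 -and
                                $result.NotifyEnabled -and $notifyRecipients -gt 0
            $result
        }
    }
}

# Usage: list every policy and flag the ones that do not meet the audit.
$results = Test-OutboundSpamPolicy
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "Outbound spam policy '$($_.Policy)' does not meet audit 4.2"
}
```

Run it after the remediation to confirm the change took effect; a policy reported as non-compliant with BccRecipients or NotifyRecipients equal to 0 usually means the placeholder addresses were never replaced.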

Default Value:


See Also