While blocking domains in Exchange Online may seem like a drastic step towards solving spam-related issues, it is a widely adopted feature used by many, if not most, organisations that utilise Exchange Online.
By blocking a domain or email address directly from the Microsoft 365 admin center you are ensuring that:
- The block impacts all end users in your tenant
- The block cannot be overridden by end users in your tenant
In this tutorial, I am going to show you how to block a top-level domain, domain or email address in Exchange Online and explain what happens to blocked emails behind the scenes.
Block a domain or email address in Exchange Online
Microsoft 365 Defender is the central location in Microsoft 365 where you can modify security policies relating to Exchange Online. As such, we are going to use this web portal to modify the default anti-spam policy for Exchange Online to include our blocked domains and addresses.
1. Expand Email & collaboration, then select Policies & rules > Threat policies.
2. Select Tenant Allow/Block List under the Rules heading.
3. Under the Domains and addresses heading, click Block.
4. From here, enter the TLD (top-level domain), domain or address you wish to block and click Add.
5. The domain is now blocked and should appear on your blocked domains list.
What happens when an email is received from a blocked address?
When an email is received from an external address that has been manually added to the block list in Microsoft Defender, the message is stamped with SCL:9. Under the spam-level thresholds of the default anti-spam policy, messages with an SCL of 8 or 9 are classified as High confidence spam and delivered to the user’s Junk mail folder.
You can confirm this is the case for blocked messages by viewing the following header of the delivered email: X-MS-Exchange-Organization-SCL: 9. For more detail on message headers in Exchange Online, view my tutorial: Review and Interpret Message Headers in Exchange Online.
As an admin, you can modify this behaviour by modifying the same Anti-spam policy as above and clicking Edit actions. From here you can change the default behaviour for the High confidence spam action.
This behaviour is changing in August 2023
Unfortunately, configuring blocked messages to be High-confidence spam is not the best solution to block a message. In most cases, a message blocked tenant-wide should not be delivered to the user’s mailbox at all. Thankfully Microsoft recognises this issue and this year the default behaviour for how blocked messages are handled will change.
Instead of the message being marked as high-confidence spam, it will instead be marked as high-confidence phish. This means that by default the message will be sent to the Admin Quarantine and not the junk mail folder.
A high-confidence phishing email cannot be released by the user from their own quarantine. This means that if a user needs to view the email, they will need to request that it be removed from the quarantine by an admin of their organisation.
From an admin perspective, instead of the message header carrying an SCL of 9, the X-Forefront-Antispam-Report header will show the HPHISH category, for example X-Forefront-Antispam-Report: CAT:HPHISH. It is also imperative that correct guidance and training is provided to end users; with poorly set expectations, admins could be lumbered with additional administrative duties.
How to release blocked messages from the admin quarantine
Messages that are marked as high-confidence phish will be delivered to the admin quarantine. This means that users will not be able to release these emails from their own quarantine portal.
As an admin, there are two ways to access the admin quarantine: you can either go directly to https://defender.microsoft.com/quarantine, or follow the steps below:
1. Under Email & collaboration select Review > Quarantine.
2. Select the desired email from the list and click Release.
Once the message has been released it will immediately arrive in the recipient’s inbox. Additional header information will be located in the X-MS-TrafficTypeDiagnostic header, which will include the text EE_ReleasedQuarantineMessage.
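To tie the three header states described above together (SCL 9 spam, CAT:HPHISH phish, and a release from quarantine), here is a small header triage script. It is an added example written for this tutorial, not Microsoft's code; the sample messages are constructed, and the only parts assumed beyond the text are the unrelated fields (CIP, CTRY, DIR) included to make the X-Forefront-Antispam-Report look realistic.

```python
from email import message_from_string

# Constructed header-only samples (not real captures) for the cases the tutorial describes.
SAMPLE_SPAM = """From: someone@blocked.example
To: user@contoso.example
Subject: Offer
X-MS-Exchange-Organization-SCL: 9
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:XX;SCL:9;DIR:INB;
"""
SAMPLE_PHISH = """From: someone@blocked.example
To: user@contoso.example
Subject: Offer
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:XX;SCL:9;CAT:HPHISH;DIR:INB;
"""
SAMPLE_RELEASED = """From: someone@blocked.example
To: user@contoso.example
Subject: Offer
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:XX;SCL:9;CAT:HPHISH;DIR:INB;
X-MS-TrafficTypeDiagnostic: EE_ReleasedQuarantineMessage
"""


def parse_antispam_report(value):
    """Split the 'KEY:VALUE;KEY:VALUE;...' report into a dict (keys upper-cased)."""
    fields = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition(":")
        if key:  # skip the empty fragment left by a trailing semicolon
            fields[key.upper()] = val.strip()
    return fields


def classify(raw_message):
    """Return where Exchange Online would have routed the message, judged from its headers."""
    msg = message_from_string(raw_message)
    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report", ""))
    # Prefer the dedicated SCL header; fall back to the SCL field inside the report.
    scl = msg.get("X-MS-Exchange-Organization-SCL", report.get("SCL", "")).strip()
    if "EE_ReleasedQuarantineMessage" in msg.get("X-MS-TrafficTypeDiagnostic", ""):
        return "released-from-quarantine"     # an admin released it; it is now in the inbox
    if report.get("CAT") == "HPHISH":
        return "high-confidence-phish"        # new default: admin quarantine, user cannot release
    if scl in ("8", "9"):
        return "high-confidence-spam"         # old default: user's Junk mail folder
    return "not-blocked"
```

Run it over exported headers from a user's "my email never arrived" ticket to see at a glance whether the sender is on the tenant block list and whether an admin release is needed.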