Let’s break down how AI enhances spam and phishing protection within Microsoft Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO), along with configuration examples.
How AI Powers Spam/Phishing Protection in Exchange Online
Instead of just relying on static rules (like blocking specific keywords or known bad IPs), AI (specifically Machine Learning models) introduces several powerful capabilities:
- Advanced Pattern Recognition: AI models analyze vast amounts of global email data (billions of messages daily) from Microsoft’s network. They identify subtle and evolving patterns associated with spam, phishing, malware, and impersonation attempts that rule-based systems would miss. This includes:
  - Linguistic Analysis: Understanding the nuances of language, tone, urgency cues, grammatical errors common in phishing, and topic shifts often used to bypass simple filters.
  - Structural Analysis: Examining message headers, sending infrastructure reputation, URL structures, attachment types, and email formatting anomalies.
  - Behavioural Analysis: Learning normal communication patterns for your organization and flagging deviations (e.g., a sudden email from the “CEO” asking for gift cards, which is out of character).
- Adaptive Learning: Spammers constantly change tactics. AI models continuously learn and adapt to these new threats in near real-time, significantly reducing the window of vulnerability compared to waiting for manual rule updates. When new spam campaigns emerge, the models retrain based on newly classified samples.
- Contextual Understanding: AI helps differentiate between legitimate and malicious use of similar content. For example, an “invoice” email from a known supplier vs. a generic “invoice” from an unknown sender with a suspicious link. AI considers sender reputation, recipient history, link destinations, etc.
- Impersonation Detection (MDO): This is heavily AI-driven.
  - User Impersonation: Mailbox Intelligence learns the frequent contacts and communication style of protected users (e.g., executives). It flags emails claiming to be from that user but originating externally or exhibiting unusual patterns.
  - Domain Impersonation: AI detects attempts to use domains that look very similar to your own (e.g., yourc0mpany.com instead of yourcompany.com) or legitimate external domains (e.g., spoofing a well-known supplier).
- Enhanced Heuristics & Reputation: AI refines the calculation of Spam Confidence Levels (SCL) and Bulk Complaint Levels (BCL) by incorporating more complex signals than just IP/domain blocklists. It considers the “neighborhood” of sending IPs, historical sending behavior, and feedback loops (user submissions, junk reports).
- Zero-Hour Auto Purge (ZAP): Even if a malicious email initially bypasses filters and lands in an inbox, AI continues analyzing signals. If the message is later identified as spam or phishing (often through updated AI models or user reports), ZAP can automatically pull it from user mailboxes.
Specific Configuration Examples (Using the Microsoft 365 Defender Portal)
Most AI capabilities are inherently part of the features. You don’t toggle “AI On/Off,” but you configure the policies that leverage AI.
Prerequisites:
- Access to the Microsoft 365 Defender portal (https://security.microsoft.com).
- Appropriate permissions (e.g., Security Administrator, Global Administrator).
- Note: Some advanced features (like Impersonation, Safe Links, Safe Attachments) require Microsoft Defender for Office 365 Plan 1 or Plan 2 licenses, beyond the basic EOP included with Exchange Online.
Example 1: Tuning Anti-Spam Inbound Policy (Leverages AI for SCL)
AI determines the SCL score based on numerous factors. You configure the actions based on those AI-determined scores.
- Navigate to Email & collaboration > Policies & rules > Threat policies > Anti-spam.
- Select the Anti-spam inbound policy (Default) or click Create policy > Inbound for a custom policy.
- In the policy settings, locate the Bulk email threshold & spam properties section and click Edit actions.
- Spam Confidence Level (SCL) Actions:
  - Spam: Action: Move message to Junk Email folder (Recommended Default). SCL levels typically 5, 6.
  - High confidence spam: Action: Quarantine message (Recommended). SCL levels typically 7, 8, 9. You could choose Redirect message to email address, Delete message, or Move message to Junk Email folder. Quarantine is generally safest.
  - AI Impact: The determination of which message gets an SCL of 5 vs. 7 vs. 9 is heavily AI-driven based on content, sender, structure, etc.
- Bulk Complaint Level (BCL) Threshold: Set a threshold (e.g., 6 or 7). Messages exceeding this BCL (often unwanted marketing mail) will take the specified action (e.g., Move message to Junk Email folder). AI helps differentiate bulk from true spam.
- Zero-hour auto purge (ZAP): Ensure “Enable for spam messages” and “Enable for phishing messages” are turned On. This allows AI to retroactively remove messages.
- Save the changes.
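The same Example 1 settings applied and then audited with Exchange Online PowerShell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and that you are tuning the built-in “Default” inbound policy; the BCL value 6 is one of the two thresholds suggested above.

```powershell
# Added example: configure the anti-spam inbound policy via PowerShell
# instead of the Defender portal. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$policyName = 'Default'   # built-in anti-spam inbound policy

# SCL-driven actions: spam to Junk, high-confidence spam to quarantine.
# BCL threshold 6: bulk mail above it goes to Junk. ZAP on for spam and phish.
Set-HostedContentFilterPolicy -Identity $policyName `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -BulkThreshold 6 `
    -BulkSpamAction MoveToJmf `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -ZapEnabled $true `
    -SpamZapEnabled $true `
    -PhishZapEnabled $true

# Audit every inbound anti-spam policy in the tenant and flag any that drift
# from the recommended actions (high-confidence spam not quarantined, or ZAP off).
Get-HostedContentFilterPolicy | ForEach-Object {
    [pscustomobject]@{
        Policy        = $_.Name
        SpamAction    = $_.SpamAction
        HighConfSpam  = $_.HighConfidenceSpamAction
        BulkThreshold = $_.BulkThreshold
        ZapSpam       = $_.SpamZapEnabled
        ZapPhish      = $_.PhishZapEnabled
        NeedsReview   = ($_.HighConfidenceSpamAction -ne 'Quarantine') -or
                        (-not $_.SpamZapEnabled) -or (-not $_.PhishZapEnabled)
    }
} | Format-Table -AutoSize
```

Running the audit part on its own is a quick way to check that custom policies created by other admins have not loosened the defaults.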
Example 2: Configuring Anti-Phishing Policy (Leverages AI for Impersonation & Spoofing)
Requires MDO licenses for advanced features.
- Navigate to Email & collaboration > Policies & rules > Threat policies > Anti-phishing.
- Click Create to make a new policy (recommended) or edit the Default policy.
- Phishing threshold & protection:
  - Enable spoof intelligence: Ensure this is On. AI helps identify and classify spoofing attempts (legitimate vs. malicious). You can review/override its findings later under “Spoof intelligence insight”.
  - Impersonation Protection (Key AI Area):
    - Click Edit next to Users to protect. Click Manage sender(s) and add email addresses of key personnel (CEO, CFO, HR Managers, up to 350). AI (Mailbox Intelligence) learns their communication patterns.
    - Click Edit next to Domains to protect. Add your own company domains and consider adding custom domains that are visually similar or frequently targeted. AI flags emails spoofing these domains or using lookalike domains.
    - Enable Mailbox Intelligence: Ensure this is On. This activates the AI learning for the protected users’ contact graphs and communication patterns.
    - Enable intelligence for impersonation protection: Ensure this is On. Uses AI to improve detection based on learned senders/patterns.
  - Actions: Configure actions for detected impersonation (User/Domain) and spoofing. Recommended actions often include Quarantine the message or Redirect message to administrator address and displaying safety tips.
  - Advanced phishing thresholds: Set the level (e.g., 2: Aggressive, 3: More aggressive, 4: Most aggressive). Higher levels use more sensitive AI/ML models but might increase false positives. Start with 1: Standard or 2: Aggressive and monitor.
- Assign the policy to specific users, groups, or the entire domain.
- Save the policy.
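The Example 2 anti-phishing policy built with Exchange Online PowerShell, as an added example that is not part of the original post. The policy name, the protected users and the supplier domain are constructed placeholders; yourcompany.com is the domain used earlier on this page. The cmdlet parameters map one-to-one onto the portal switches listed above (spoof intelligence, Mailbox Intelligence, intelligence for impersonation protection, users and domains to protect, phishing threshold).

```powershell
# Added example: create and scope an anti-phishing policy with impersonation
# protection enabled. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Constructed placeholders; replace with your own protected users and domains.
$policyName = 'Exec-Impersonation-Protection'
$protectedUsers = @(
    'Jane Doe;jane.doe@yourcompany.com',   # CEO
    'John Roe;john.roe@yourcompany.com'    # CFO
)  # format is "DisplayName;EmailAddress", up to 350 entries
$protectedDomains = @('trusted-supplier.example')   # external domain often spoofed

# Spoof intelligence, Mailbox Intelligence and impersonation protection on;
# quarantine on detection; PhishThresholdLevel 2 = "Aggressive" (start here, monitor).
New-AntiPhishPolicy -Name $policyName `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $protectedDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 2

# A rule attaches the policy to recipients; here every mailbox in the domain.
New-AntiPhishRule -Name "$policyName-Rule" `
    -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'yourcompany.com' `
    -Priority 0

# Read back the AI-related switches to confirm what the portal will show.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object EnableSpoofIntelligence, EnableMailboxIntelligence,
                  EnableMailboxIntelligenceProtection, PhishThresholdLevel,
                  TargetedUsersToProtect, TargetedDomainsToProtect
```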
Example 3: Enabling Safe Links & Safe Attachments (Leverages AI for Analysis)
Requires MDO licenses. These features use sandboxing (detonation) and URL reputation checks, heavily augmented by AI analysis.
- Safe Attachments:
  - Navigate to Email & collaboration > Policies & rules > Threat policies > Safe Attachments.
  - Click Create or edit an existing policy.
  - Choose an action like Block (blocks email with detected malware) or Dynamic Delivery (delivers email body immediately, attaches placeholder until attachment scan completes – often preferred for user experience).
  - Enable Redirect messages with detected attachments and specify an admin mailbox for review if desired.
  - Apply the policy to users/groups/domains.
  - AI Impact: AI models perform static analysis before detonation and analyze the behavior of the file during detonation in the sandbox to identify novel/zero-day malware.
- Safe Links:
  - Navigate to Email & collaboration > Policies & rules > Threat policies > Safe Links.
  - Click Create or edit an existing policy.
  - Ensure On: Safe Links checks a list of known, malicious links when users click links in email is selected under URL & click protection settings.
  - Enable Apply Safe Links to email messages.
  - Enable Apply real-time URL scanning for suspicious links and links that point to files. (This uses AI and other heuristics).
  - Configure Wait for URL scanning to complete before delivering the message (more secure, slight delay) or leave it off (less secure, no delay).
  - Choose actions for malicious URLs within Microsoft Teams and Office 365 Apps if applicable.
  - Configure Do not rewrite the following URLs for any trusted internal/external sites that break due to rewriting (use sparingly).
  - Apply the policy to users/groups/domains.
  - AI Impact: AI powers the reputation lookups and real-time scanning analysis of URLs, identifying phishing sites, malware hosts, and command-and-control servers even if they aren’t on a static blocklist yet.
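Both Example 3 policies created with Exchange Online PowerShell, as an added example that is not part of the original post. The policy names, the review mailbox and the intranet URL exception are constructed placeholders; the settings mirror the portal steps above (Dynamic Delivery with redirect for Safe Attachments; time-of-click checks, real-time scanning and wait-for-scan for Safe Links).

```powershell
# Added example: Safe Attachments and Safe Links policies via PowerShell.
# Requires the ExchangeOnlineManagement module and an MDO license.
Connect-ExchangeOnline

$scope         = 'yourcompany.com'                  # recipient domain in scope
$reviewMailbox = 'secops-review@yourcompany.com'    # constructed admin mailbox

# Safe Attachments: Dynamic Delivery keeps the mail flowing while the
# attachment detonates; detected malware is redirected for analyst review.
New-SafeAttachmentPolicy -Name 'SA-Standard' `
    -Enable $true `
    -Action DynamicDelivery `
    -Redirect $true `
    -RedirectAddress $reviewMailbox
New-SafeAttachmentRule -Name 'SA-Standard-Rule' `
    -SafeAttachmentPolicy 'SA-Standard' `
    -RecipientDomainIs $scope

# Safe Links: check URLs at click time, scan suspicious/file links in real
# time, hold delivery until the scan finishes, block click-through on
# detections, and keep click telemetry for incident response.
New-SafeLinksPolicy -Name 'SL-Standard' `
    -EnableSafeLinksForEmail $true `
    -EnableForInternalSenders $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -AllowClickThrough $false `
    -TrackClicks $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -DoNotRewriteUrls @('https://intranet.yourcompany.com/*')  # constructed exception; use sparingly
New-SafeLinksRule -Name 'SL-Standard-Rule' `
    -SafeLinksPolicy 'SL-Standard' `
    -RecipientDomainIs $scope

# Confirm the key settings on both policies.
Get-SafeAttachmentPolicy -Identity 'SA-Standard' | Select-Object Action, Redirect, RedirectAddress
Get-SafeLinksPolicy -Identity 'SL-Standard' |
    Select-Object EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan,
                  AllowClickThrough, DoNotRewriteUrls
```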
Key Takeaways:
- AI is Integrated: You configure features like Anti-Spam, Anti-Phishing, Safe Links/Attachments, and AI works behind the scenes within those features.
- MDO is Crucial: The most advanced AI-driven protections (impersonation, advanced phishing detection, Safe Links/Attachments) require Microsoft Defender for Office 365 licenses.
- Configuration is Tuning: You adjust thresholds (SCL, BCL), enable specific protections (Impersonation), and define actions (Quarantine, Junk, Delete).
- Monitor & Adapt: Regularly review quarantine, user submissions (use the Report Message Add-in!), and threat reports in the Defender portal to fine-tune policies and understand how AI is performing in your environment. Feedback helps the AI models learn.
By leveraging these AI-powered features and configuring them appropriately, you can significantly improve your organization’s defense against increasingly sophisticated spam and phishing attacks in Exchange Online.