Monday, August 28, 2017

O365 EOP Phishing Rule

I had a client last week that was constantly complaining about receiving a lot of phishing emails. I had done everything I could think of in order to try and mitigate them in Exchange Online Protection (EOP) and finally broke down and opened up a support case. Upon submitting the numerous examples to the support engineer, he guided me through implementing an undocumented change to the phishing threshold via a header manipulation.

We created a mail flow rule that stated if the sender is outside of the organization and the recipient is the client's domain, then add a message header "MS-Exchange-Organization-PhishThresholdLevel" and set the value to 2 (the default is 4):
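The same rule expressed in Exchange Online PowerShell, as an added example that is not from the original post or from the support engineer. The rule name and the domain `contoso.com` are placeholders; the header name and value are the ones given above.

```powershell
# Added example: create the mail flow rule described above from Exchange Online PowerShell.
# Assumptions: the ExchangeOnlineManagement module is installed, and the rule name
# and 'contoso.com' are placeholders to replace with the tenant's own values.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with an Exchange admin account

$ruleName     = 'Lower phishing threshold for inbound mail'   # placeholder
$clientDomain = 'contoso.com'                                  # placeholder

$ruleParams = @{
    Name              = $ruleName
    # Condition 1: the sender is outside the organization.
    FromScope         = 'NotInOrganization'
    # Condition 2: the recipient address is in the client's domain.
    RecipientDomainIs = $clientDomain
    # Action: stamp the header from the post; 2 replaces the default of 4.
    SetHeaderName     = 'MS-Exchange-Organization-PhishThresholdLevel'
    SetHeaderValue    = '2'
    Comments          = 'Sets the phishing threshold header on inbound external mail.'
}

# Create the rule only if one with this name does not already exist,
# so re-running the script does not fail or produce a duplicate.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Warning "Rule '$ruleName' already exists; leaving it unchanged."
}
else {
    New-TransportRule @ruleParams | Out-Null
}

# Confirm what is actually configured in the tenant.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, RecipientDomainIs, SetHeaderName, SetHeaderValue

Disconnect-ExchangeOnline -Confirm:$false
```

Because the lower value can push legitimate external mail into junk, check the junk folder and quarantine for false positives after enabling the rule.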

Ever since implementing this the client has said they are no longer receiving any phishing emails.


  1. Thank You! So, what exactly does setting that value to 2 do? How will this affect their legitimate external emails?

    1. A value of two increases the threshold of emails being flagged as phishing. It just runs the risk of legitimate emails being blocked/moved to the junk email folder.