MicrosoftDocs
diff --git a/‎defender-office-365/anti-spam-policies-asf-settings-about.md‎
Lines changed: 26 additions & 19 deletions b/‎defender-office-365/anti-spam-policies-asf-settings-about.md‎
Lines changed: 26 additions & 19 deletions
@@ -18,7 +18,7 @@ ms.custom:
   - seo-marvel-apr2020
 description: Admins can learn about the Advanced Spam Filter (ASF) settings that are available in anti-spam policies in Exchange Online Protection (EOP).
 ms.service: defender-office-365
-ms.date: 06/09/2023
+ms.date: 06/10/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -40,22 +40,29 @@ In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
 
 The following sections describe the ASF settings and options that are available in anti-spam policies in the Microsoft Defender portal, and in Exchange Online PowerShell or standalone EOP PowerShell ([New-HostedContentFilterPolicy](/powershell/module/exchange/new-hostedcontentfilterpolicy) and [Set-HostedContentFilterPolicy](/powershell/module/exchange/set-hostedcontentfilterpolicy)). For more information, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md).
 
+> [!TIP]
+> ASF settings aren't enabled in [Standard or Strict preset security policies](preset-security-policies.md), so you can configure ASF settings in the default anti-spam policy or custom anti-spam policies only. For more information about using protection policies, see [Determine your protection policy strategy](mdo-deployment-guide.md#determine-your-protection-policy-strategy).
+
 ## Enable, disable, or test ASF settings
 
 For each ASF setting, the following options are available in anti-spam policies:
 
-- **On**: ASF adds the corresponding X-header field to the message, and marks the message as **Spam** (SCL 5 or 6 for [Increase spam score settings](#increase-spam-score-settings)) or **High confidence spam** (SCL 9 for [Mark as spam settings](#mark-as-spam-settings)).
+- **On**: ASF adds the corresponding X-header field to the message:
+  - For [Increase spam score settings](#increase-spam-score-settings), the message has a higher chance of being marked as**Spam**.
+  - For [Mark as spam settings](#mark-as-spam-settings), the message is marked as **Spam** or **High confidence spam**.
 - **Off**: The ASF setting is disabled. This is the default value.
 - **Test**: The ASF setting is in Test Mode. What happens to the message is determined by the **Test mode** (_TestModeAction_) value:
   - **None**: Message delivery is unaffected by the ASF detection. The message is still subject to other types of filtering and rules in EOP and Defender for Office 365.
-  - **Add default X-header text (_AddXHeader_)**: The X-header value `X-CustomSpam: This message was filtered by the custom spam filter option` is added to the message. You can use this value in Inbox rules (not mail flow rules) to affect the delivery of the message.
-  - **Send Bcc message (_BccMessage_)**: The specified email addresses (the _TestModeBccToRecipients_ parameter value in PowerShell) are added to the Bcc field of the message, and the message is delivered to the additional Bcc recipients. In the Microsoft Defender portal, you separate multiple email addresses by semicolons (;). In PowerShell, you separate multiple email addresses by commas.
+  - **Add default X-header text** (_AddXHeader_): The X-header value `X-CustomSpam: This message was filtered by the custom spam filter option` is added to the message. You can use this value in Inbox rules (not mail flow rules) to affect the delivery of the message.
+  - **Send Bcc message** (_BccMessage_): The specified email addresses (the _TestModeBccToRecipients_ parameter value in PowerShell) are added to the Bcc field of the message, and the message is delivered to the additional Bcc recipients. In the Microsoft Defender portal, you separate multiple email addresses by semicolons (;). In PowerShell, you separate multiple email addresses by commas.
+
+  Test mode isn't available for the following ASF settings:
+
+  - **Conditional Sender ID filtering: hard fail** (_MarkAsSpamFromAddressAuthFail_)
+  - **NDR backscatter** (_MarkAsSpamNdrBackscatter_)
+  - **SPF record: hard fail** (_MarkAsSpamSpfRecordHardFail_)
 
-  - Test mode isn't available for the following ASF settings:
-    - **Conditional Sender ID filtering: hard fail** (_MarkAsSpamFromAddressAuthFail_)
-    - **NDR backscatter**(_MarkAsSpamNdrBackscatter_)
-    - **SPF record: hard fail** (_MarkAsSpamSpfRecordHardFail_)
-  - The same test mode action is applied to _all_ ASF settings that are set to **Test**. You can't configure different test mode actions for different ASF settings.
+  The same test mode action is applied to _all_ ASF settings that are set to **Test**. You can't configure different test mode actions for different ASF settings.
 
 ## Increase spam score settings
 
@@ -75,18 +82,18 @@ The following **Mark as spam** ASF settings set the SCL of detected messages to
 |Anti-spam policy setting|Description|X-header added|
 |---|---|---|
 |**Empty messages** (_MarkAsSpamEmptyMessages_)|Messages with no subject, no content in the message body, and no attachments are marked as high confidence spam.|`X-CustomSpam: Empty Message`|
-|**Embedded tags in HTML** (_MarkAsSpamEmbedTagsInHtml_)|Messages that contain `<embed>` HTML tags are marked as high confidence spam. <br><br> This tag allows the embedding of different kinds of documents in an HTML document (for example, sounds, videos, or pictures).|`X-CustomSpam: Embed tag in html`|
-|**JavaScript or VBScript in HTML** (_MarkAsSpamJavaScriptInHtml_)|Messages that use JavaScript or Visual Basic Script Edition in HTML are marked as high confidence spam. <br><br> These scripting languages are used in email messages to cause specific actions to automatically occur.|`X-CustomSpam: Javascript or VBscript tags in HTML`|
-|**Form tags in HTML** (_MarkAsSpamFormTagsInHtml_)|Messages that contain `<form>` HTML tags are marked as high confidence spam. <br><br> This tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.|`X-CustomSpam: Form tag in html`|
-|**Frame or iframe tags in HTML** (_MarkAsSpamFramesInHtml_)|Messages that contain `<frame>` or `<iframe>` HTML tags are marked as high confidence spam. <br><br> These tags are used in email messages to format the page for displaying text or graphics.|`X-CustomSpam: IFRAME or FRAME in HTML`|
-|**Web bugs in HTML** (_MarkAsSpamWebBugsInHtml_)|A _web bug_ (also known as a _web beacon_) is a graphic element (often as small as one pixel by one pixel) that's used in email messages to determine whether the recipient read the message. <br><br> Messages that contain web bugs are marked as high confidence spam. <br><br> Legitimate newsletters might use web bugs, although many consider this an invasion of privacy. |`X-CustomSpam: Web bug`|
-|**Object tags in HTML** (_MarkAsSpamObjectTagsInHtml_)|Messages that contain `<object>` HTML tags are marked as high confidence spam. <br><br> This tag allows plug-ins or applications to run in an HTML window.|`X-CustomSpam: Object tag in html`|
-|**Sensitive words** (MarkAsSpamSensitiveWordList_)|Microsoft maintains a dynamic but non-editable list of words that are associated with potentially offensive messages. <br><br> Messages that contain words from the sensitive word list in the subject or message body are marked as high confidence spam.|`X-CustomSpam: Sensitive word in subject/body`|
-|**SPF record: hard fail** (_MarkAsSpamSpfRecordHardFail_)|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <br><br> Test mode isn't available for this setting.|`X-CustomSpam: SPF Record Fail`|
+|**Embedded tags in HTML** (_MarkAsSpamEmbedTagsInHtml_)|Messages that contain `<embed>` HTML tags are marked as high confidence spam. <br/><br/> This tag allows the embedding of different kinds of documents in an HTML document (for example, sounds, videos, or pictures).|`X-CustomSpam: Embed tag in html`|
+|**JavaScript or VBScript in HTML** (_MarkAsSpamJavaScriptInHtml_)|Messages that use JavaScript or Visual Basic Script Edition in HTML are marked as high confidence spam. <br/><br/> These scripting languages are used in email messages to cause specific actions to automatically occur.|`X-CustomSpam: Javascript or VBscript tags in HTML`|
+|**Form tags in HTML** (_MarkAsSpamFormTagsInHtml_)|Messages that contain `<form>` HTML tags are marked as high confidence spam. <br/><br/> This tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient.|`X-CustomSpam: Form tag in html`|
+|**Frame or iframe tags in HTML** (_MarkAsSpamFramesInHtml_)|Messages that contain `<frame>` or `<iframe>` HTML tags are marked as high confidence spam. <br/><br/> These tags are used in email messages to format the page for displaying text or graphics.|`X-CustomSpam: IFRAME or FRAME in HTML`|
+|**Web bugs in HTML** (_MarkAsSpamWebBugsInHtml_)|A _web bug_ (also known as a _web beacon_) is a graphic element (often as small as one pixel by one pixel) that determines whether the recipient read the message. <br/><br/> Messages that contain web bugs are marked as high confidence spam. <br/><br/> Legitimate newsletters might use web bugs, although many consider them an invasion of privacy. |`X-CustomSpam: Web bug`|
+|**Object tags in HTML** (_MarkAsSpamObjectTagsInHtml_)|Messages that contain `<object>` HTML tags are marked as high confidence spam. <br/><br/> This tag allows plug-ins or applications to run in an HTML window.|`X-CustomSpam: Object tag in html`|
+|**Sensitive words** (MarkAsSpamSensitiveWordList_)|Microsoft maintains a dynamic but non-editable list of words that are associated with potentially offensive messages. <br/><br/> Messages that contain words from the sensitive word list in the subject or message body are marked as high confidence spam.|`X-CustomSpam: Sensitive word in subject/body`|
+|**SPF record: hard fail** (_MarkAsSpamSpfRecordHardFail_)|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <br/><br/> Test mode isn't available for this setting.|`X-CustomSpam: SPF Record Fail`|
 
 The following **Mark as spam** ASF settings set the SCL of detected messages to 6, which corresponds to a **Spam** filter verdict and the corresponding action in anti-spam policies.
 
 |Anti-spam policy setting|Description|X-header added|
 |---|---|---|
-|**Sender ID filtering hard fail** (_MarkAsSpamFromAddressAuthFail_)|Messages that hard fail a conditional Sender ID check are marked as spam. <br><br> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <br><br> Test mode isn't available for this setting.|`X-CustomSpam: SPF From Record Fail`|
-|**Backscatter** (_MarkAsSpamNdrBackscatter_)|_Backscatter_ is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](anti-spam-backscatter-about.md). <br><br> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route _outbound_ email through EOP.</li></ul> <br><br> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs are delivered to the original message sender. Some, but not all backscatter is marked as spam. By definition, backscatter can be delivered only to the spoofed sender, not to the original sender.</li></ul> <br><br> Test mode isn't available for this setting.|`X-CustomSpam: Backscatter NDR`|
+|**Sender ID filtering hard fail** (_MarkAsSpamFromAddressAuthFail_)|Messages that hard fail a conditional Sender ID check are marked as spam. <br/><br/> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <br/><br/> Test mode isn't available for this setting.|`X-CustomSpam: SPF From Record Fail`|
+|**Backscatter** (_MarkAsSpamNdrBackscatter_)|_Backscatter_ is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](anti-spam-backscatter-about.md). <br/><br/> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route _outbound_ email through EOP.</li></ul> <br/><br/> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs are delivered to the original message sender. Some, but not all backscatter is marked as spam. By definition, backscatter can be delivered only to the spoofed sender, not to the original sender.</li></ul> <br/><br/> Test mode isn't available for this setting.|`X-CustomSpam: Backscatter NDR`|