Add instructions about quarantining on MS365

Maddy-Cloudflare · Maddy-Cloudflare · commit b18dc3715983 · 2025-04-08T12:19:08.000+01:00
diff --git a/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/office365-email-security-mx.mdx b/src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/office365-email-security-mx.mdx
@@ -5,6 +5,8 @@ sidebar:
   order: 3
 ---
 
+import { Render, Markdown, GlossaryTooltip } from "~/components"
+
 ![A schematic showing where Email Security is in the life cycle of an email received](src/assets/email-security/Email_Security_O365_MXInline.png)
 
 In this tutorial, you will learn how to configure Microsoft Office 365 with Email Security as its MX record. 
@@ -41,6 +43,64 @@ Now that the inbound connector has been configured, you will need to enable the
 2. Select **Automatically detect and skip the last IP address** and **Apply to entire organization**.
 3. Select **Save**.
 
+## 3. Configure anti-spam policies
+
+To configure anti-spam policies:
+
+1. Open the [Microsoft 365 Defender console](https://security.microsoft.com/).
+2. Go to **Email & collaboration** > **Policies & rules**.
+3. Select **Threat policies**.
+4. Under **Policies**, select **Anti-spam**.
+5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox).
+6. In **Actions**, scroll down and select **Edit actions**.
+7. Set the following conditions and actions (you might need to scroll up or down to find them):
+- **Spam**: *Move messages to Junk Email folder*.
+- **High confidence spam**: *Quarantine message*.
+  - **Select quarantine policy**: _AdminOnlyAccessPolicy_.
+- **Phishing**: *Quarantine message*.
+  - **Select quarantine policy**: _AdminOnlyAccessPolicy_.
+- **High confidence phishing**: *Quarantine message*.
+  - **Select quarantine policy**: _AdminOnlyAccessPolicy_.
+- **Retain spam in quarantine for this many days**: Default is 15 days. Email Security recommends 15-30 days.
+  - Select the spam actions in the above step:
+8. Select **Save**.
+
+## 4. Create transport rules
+
+To create the transport rules that will send emails with certain [dispositions](/cloudflare-one/email-security/reference/dispositions-and-attributes/#dispositions) to Email Security:
+
+1. Open the new [Exchange admin center](https://admin.exchange.microsoft.com/#/homepage).
+2. Go to **Mail flow** > **Rules**.
+3. Select **Add a Rule** > **Create a new rule**.
+4. Set the following rule conditions:
+
+   - **Name**: _Email Security Deliver to Junk Email folder_.
+   - **Apply this rule if**: *The message headers* > *includes any of these words*.
+     - **Enter text**: `X-CFEmailSecurity-Disposition` > **Save**.
+     - **Enter words**: ```SUSPICIOUS```, ```BULK``` > **Add** > **Save**.
+   - **Apply this rule if**: Select **+** to add a second condition.
+   - **And**: *The sender* > *IP address is in any of these ranges or exactly matches* > enter the egress IPs mentioned in <a href="/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/" target="_blank">Egress IPs</a>.
+   - **Do the following** - _Modify the message properties_ > _Set the Spam Confidence Level (SCL)_ > _5_.
+
+5. Select **Next**.
+6. You can use the default values on this screen. Select **Next**.
+7. Review your settings and select **Finish** > **Done**.
+8. Select the rule **Email Security Deliver to Junk Email folder** you have just created, and **Enable**.
+9. Select **Add a Rule** > **Create a new rule**.
+10. Set the following rule conditions:
+
+    - **Name**: *{props.five}*.
+    - **Apply this rule if**: *The message headers* > *includes any of these words*.
+      - **Enter text**: `X-CFEmailSecurity-Disposition` > **Save**.
+      - **Enter words**: `MALICIOUS`, `UCE`, `SPOOF` > **Add** > **Save**.
+    - **Apply this rule if**: Select **+** to add a second condition.
+    - **And**: *The sender* > *IP address is in any of these ranges or exactly matches* > enter the egress IPs in the <a href="/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/" target="_blank">Egress IPs</a>.
+    - **Do the following**: _Redirect the message to_ > _hosted quarantine_.
+11. Select **Next**.
+12. You can use the default values on this screen. Select **Next**.
+13. Review your settings and select **Finish** > **Done**.
+14. Select the rule *{props.five}* you have just created, and select **Enable**.
+
 ## Next steps
 
 Now that you have completed the prerequisite steps, you can set up [MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/inline-deployment-setup/) on the Cloudflare dashboard.
diff --git a/src/content/partials/cloudflare-one/email-security/deployment/o365-use-cases-antispam.mdx b/src/content/partials/cloudflare-one/email-security/deployment/o365-use-cases-antispam.mdx
@@ -0,0 +1,35 @@
+---
+inputParameters: spamQuarantinePolicy;;phishingQuarantinePolicy;;highPhishingQuarantinePolicy;;img
+
+---
+
+import { Image } from "astro:assets"
+import { Markdown } from "~/components"
+
+To configure anti-spam policies:
+
+1. Open the [Microsoft 365 Defender console](https://security.microsoft.com/).
+
+2. Go to **Email & collaboration** > **Policies & rules**.
+
+3. Select **Threat policies**.
+
+4. Under **Policies**, select **Anti-spam**.
+
+5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox).
+
+6. In **Actions**, scroll down and select **Edit actions**.
+
+7. Set the following conditions and actions (you might need to scroll up or down to find them):
+
+- **Spam**: *Move messages to Junk Email folder*.
+- **High confidence spam**: *Quarantine message*.
+  - **Select quarantine policy**: {props.one}.
+- **Phishing**: *Quarantine message*.
+  - **Select quarantine policy**: {props.two}.
+- **High confidence phishing**: *Quarantine message*.
+  - **Select quarantine policy**: {props.three}.
+- **Retain spam in quarantine for this many days**: Default is 15 days. Email Security recommends 15-30 days.
+  - Select the spam actions in the above step:
+
+8. Select **Save**.
