What does the Defender Anti-Spam (Inbound) policy overrule?

Josh 40 Reputation points
2025-01-28T12:27:10.4433333+00:00

The Defender Anti-Spam, Anti-Malware and Anti-Phish policies all sit together in the Email Policy and Rules section, but I am trying to understand what an exception to these policies would overrule.

Mainly looking at the Anti-Spam Policy, as that is the one I most frequently add to: if I add an email to its exception list, what would it take for that email to still be blocked? If that email sent malware, would the Anti-Malware rule overrule the Anti-Spam and still block it?

I found the Microsoft Documentation on it but it wasn't very helpful in the context of what protection Anti-Spam removes and the prioritisation.

Any help would be great and please could I have the source of any information provided.


Accepted answer
  1. Catherine Kyalo 905 Reputation points Microsoft Employee
    2025-03-19T08:28:41.75+00:00

    The answer to your question is YES.

    If a package contains malicious content and manages to bypass an initial phishing filter, it will be detected and removed by the content filtering action.

    Below is how the layering in MDO works:

    1. Edge protection: This covers the outer wall, which includes items like network throttling, IP reputation and domain reputation. This helps slow down suspicious traffic at the entrance.

    2. Sender intelligence: This checks the credentials of anyone trying to enter. Here the focus is on domain impersonation, user impersonation and mailbox intelligence.

    3. Content filtering: If anything gets past sender intelligence, the tools check the contents of any packages being brought in for malicious links or suspicious patterns. (Anti-Malware)

    4. Post-delivery protection: Finally, even if something slips through all the previous layers, features like Zero hour purge, Safe Links and Safe Attachments neutralize threats even after they have been delivered.

    If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.

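
One way to check which verdict was applied to a specific message, as an added example that is not part of the question or the answer above: it parses the `X-Forefront-Antispam-Report` header stamped on inbound mail and reports whether a sender allow entry skipped spam filtering (`SFV`) and whether a malware or phishing category (`CAT`) was recorded. The function names and the sample headers are constructed for illustration.

```python
# Added example (not from the thread): triage one X-Forefront-Antispam-Report
# header. SFV/CAT/SCL meanings follow Microsoft's anti-spam message header
# documentation; the sample headers are constructed, not real traffic.

# SFV values meaning spam filtering was skipped because of an allow entry.
ALLOW_SKIPS = {
    "SKA": "sender is in an anti-spam policy allowed sender/domain list",
    "SFE": "sender is in the recipient's Safe Senders list",
    "SKN": "marked as non-spam before spam filtering (e.g. mail flow rule)",
}
# CAT values that record a malware or phishing verdict.
THREAT_CATEGORIES = {
    "MALW": "malware",
    "PHSH": "phishing",
    "HPHSH": "high confidence phishing",
    "HPHISH": "high confidence phishing",
}


def parse_report(header: str) -> dict:
    """Unfold the header and split 'KEY:value;' pairs into a dict."""
    fields = {}
    for part in " ".join(header.split()).split(";"):
        key, sep, value = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = value.strip()
    return fields


def triage(header: str) -> dict:
    """Report whether an allow entry applied and which threat verdict, if any."""
    f = parse_report(header)
    scl = f.get("SCL", "")
    return {
        "allow_skip": ALLOW_SKIPS.get(f.get("SFV", "").upper()),
        "threat": THREAT_CATEGORIES.get(f.get("CAT", "").upper()),
        "scl": int(scl) if scl.lstrip("-").isdigit() else None,
    }


# Constructed samples: an allow-listed sender, and a phishing verdict.
ALLOWED = ("CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKA;\n"
           " H:mail.example.com;PTR:mail.example.com;CAT:NONE;DIR:INB;")
PHISH = "CIP:198.51.100.7;CTRY:US;LANG:en;SCL:9;SFV:SPM;CAT:HPHISH;DIR:INB;"

if __name__ == "__main__":
    for name, hdr in (("allowed", ALLOWED), ("phish", PHISH)):
        print(name, triage(hdr))
```

Running this over messages from an allow-listed sender shows whether the allow entry was the reason spam filtering was skipped, which is the first thing to confirm before widening or removing the entry.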