Instead of creating a new transport rule, why not set this up in the anti-spam policy itself:
Apply transport rule per Junk mail category to prepend subject line
Exchange Online Protection adds anti-spam message headers as described here: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers?view=o365-worldwide
I tried to create transport rules to prepend subject lines accordingly. So if a mail was filtered as category SPM or HSPM, subject should be prepended with "[SPAM]"; if it was filtered as category "SPOOF" it should be prepended with "[SPOOF]" etc.
My test message contains "CAT:HSPM" in "X-Forefront-Antispam-Report" header:
Accordingly this transport rule should apply to it:
But this is not the case. The transport rule is not applied. But other transport rules (with "higher" priority, so more down in the list) are correctly applied.
Is the Forefront header added at a later stage? What am I doing wrong?
4 answers
Sort by: Most helpful
-
-
Andy David - MVP 147.6K Reputation points MVP
2020-10-14T20:30:40.067+00:00 I tested this and see the same results as you. This is expected from what I can tell. The rules are applied before the anti-spam checks.
This doc confirms this:****If you want to mark specific messages as spam before they're even scanned by spam filtering,** or mark messages so they'll skip spam filtering, you can create mail flow rules (also known as transport rules)** to identify the messages and set the spam confidence level (SCL). For more information about the SCL, see Spam confidence level (SCL) in EOP.
So I think you will have to use the anti-spam to set this as I mentioned above.
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide#use-the-security--compliance-center-to-create-anti-spam-policiesHope this helps!
-
KyleXu-MSFT 26,256 Reputation points
2020-10-15T05:28:26.5+00:00 @Stephan van Helden
This picture below may be useful to you(From this article: Exchange Online Protection overview):
The mail flow rule works before content filtering (also known as Anti-spam)
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread. -
Stephan van Helden 31 Reputation points
2020-10-15T03:42:32.037+00:00 anonymous userDavid Thanks, but if I understand this article correctly, this doesn't help:
The anti-spam policy has only one field for the text to prepend. But I wanted to preprend text depending on the spam category.
I could define multiple policies (one for Spam, one for Phishing, one for Bulk), but per this article, only the first of these would be applied.