We have complied a list of Email Threat Protection filter tips and better practices to help maximize your Email Threat Protection experience, as well as tighten your filter and ensure that you receive only the emails you want to receive.
1. Enable Quarantined Message Reports for all users.
2. If not already enabled, turn on Quarantine Alerts to be notified when mail is held from a recent contact.
3. Set the action for both BULKMAILER (bulk mail campaign) and OPTOUT (contains "Opt Out messages") filter tests to Tag Subject With (name them), then you can create an Outlook mail rule to place these in their own folder.
4. Do not allow large domains such as gmail.com. This will open the spam floodgates. Opt to allow full email addresses instead.
5. Block countries you don't expect to ever do business with. This will cut out a lot of spam quickly.
6. Publish your SPF record and include all sources that could send mail from/as your domain.
7. For Email Threat Protection-only customers, list all users, groups, resource addresses, etc. in the user list. And consider placing your domain in Closed mode (will hold mail for unlisted users). This will reduce the traffic load on the end server as well.
8. If needed, add any blocked attached/linked filenames which are not covered in the global list already.
9. It is highly recommended to set the Documents Containing Macros Scan Option to Hold.
10. Consider setting the Encrypted Documents from Unknown Sender Scan Option to Hold.
11. Forward any spam that makes it past the filter to email@example.com so we can block it globally for everyone.
A few more aggressive tips:
1. Consider blocking Language Character sets that expected messages shouldn't utilize.
2. Consider changing the SPFHARDFAIL test to Hold. This will create FPs though since not everyone keeps their SPF records updated properly.
3. Consider adding your own domain to the Blocked Domains list. This has proven effective at preventing spoofing.