Optimize Email Management Using Bulk Sender Insights in Microsoft Defender
As businesses rely heavily on email to connect with clients, it’s vital to manage the flow of messages to ensure smooth communication. However, handling the large volume of emails, especially from bulk senders, can be difficult and may cause disruptions or security risks. To analyze and prevent the delivery of unwanted bulk emails to users’ inboxes, Microsoft Defender provides a new feature named bulk sender insights.
Bulk sender insights help M365 admins optimize email management by identifying and categorizing emails from large-scale senders. Whether it’s newsletters, promotional messages, or updates from service providers, having visibility into these emails allows admins to improve security measures and reduce clutter.
In this blog, we’ll explore how to leverage bulk sender insights in Microsoft Defender to enhance email management and minimize risk across your environment.
Bulk sender insights in Microsoft Defender allow admins to analyze incoming email identified as bulk based on the Bulk Complaint Level (BCL) in the org-wide anti-spam policy. This provides details on how emails are classified at different BCL levels (1 to 9), allow simulation of changes to the bulk email threshold in Office 365. The insights include information on the quality of bulk email senders and show how adjustments made to the threshold affect bulk email handling over the past 60 days. This helps admins make informed decisions about email management.
Note: The Bulk Complaint Level (BCL) 1 indicates a low complaint level (a good sender), while 9 indicates a high complaint level (a potentially problematic sender).
As an admin, you can access the bulk sender insights from the following locations.
- Open the bulk sender insights via anti-spam policies page
- View bulk sender insights under email & collaboration reports
In the first option, you can customize the BCL threshold value after analyzing the insights. The second option allows you to simulate the impact of adjusting the BCL threshold on the delivery or blocking of bulk email messages. Let’s explore this in detail.
To open the bulk email threshold & spam properties, go to the following navigation:
Microsoft Defender → Email & collaboration → Policies & rules → Threat policies → Anti-spam inbound policy (Default) → Edit spam threshold and properties
- In this flyout pane, at the top, you’ll see the number of bulk messages blocked at the current BCL threshold.
- Next, the table below displays the number of bulk messages received and delivered from bulk senders, categorized by their different BCL levels.
- Finally, the total number of emails detected as being sent from bulk senders, whether delivered or blocked, is shown.
After analyzing the insights above, you can update the BCL threshold to control the filtering of bulk senders, determining whether to block or allow their messages. Before adjusting the BCL threshold, keep in mind that the higher bulk email threshold means more bulk email will be delivered. For instance, a bulk threshold value of 7 indicates that messages with BCL values of 7, 8, or 9 are classified as bulk.
Adjusting the Bulk email threshold slider subsequently changes the insights based on the threshold value:
- By lowering the BCL threshold value to block a greater number of bulk emails, the insights will display the count of bulk messages that would be blocked or allowed under the new BCL threshold.
- By increasing the BCL threshold value to allow more bulk emails, the insights will show the number of bulk messages that would be blocked and allowed at the new BCL threshold.
Finally, Click the Save button to apply the selected BCL threshold for taking action on incoming messages.
Note: Microsoft recommends setting the email Bulk Complaint Level (BCL) threshold to 6 or lower to maintain a secure email system.
To analyze the bulk sender insights in detail via the email & collaboration reports, navigate to the following path:
Microsoft Defender → Reports → Email & collaboration → Email & collaboration reports → Email & collaboration reports → View details
The page will display the number of bulk messages blocked and allowed at the current BCL threshold, along with a list of identified bulk senders at the bottom.
Here, you can use the Simulate option which enables you to experiment with changes to the BCL threshold. By adjusting this threshold, you can see how it affects the classification of incoming bulk email messages as either delivered or blocked. This simulation helps in making informed decisions about email filtering policies based on sender quality and message delivery outcomes.
Before diving into the simulation, you must understand the following terms:
Current bulk email threshold: The current BCL threshold value is used to determine which emails from bulk senders are blocked. By default, this threshold is set to 7.
New bulk email threshold: The value you can set to evaluate the simulation by increasing or decreasing the current BCL threshold value.
Simulation sender quality threshold: This is a term that helps determine how trustworthy a sender is when simulating changes to the BCL. A higher value means the simulation will focus on more reliable senders, which can affect how many messages are considered bulk or not. This trustworthiness is evaluated based on previous interactions with the sender, how often they send messages, and feedback from administrators or users about their emails.
To analyze bulk email senders using the new bulk email threshold level and the new simulation sender quality threshold level, follow the steps here:
- Adjust the New bulk email threshold slider to set a value that is either higher or lower than the current BCL threshold.
- Adjust the Simulation sender quality threshold slider to specify the minimum sender quality for the desired bulk senders in simulations, ranging from 1 to 100.
- Click on the Simulate button to refresh the page, displaying the counts of blocked versus allowed messages for both the current and newly simulated BCL levels.
- Additionally, the bottom of the page will be updated with details about bulk senders identified under the new simulated BCL threshold value.
Depending on whether the new bulk email threshold is less than, greater than, or equal to the current threshold, the columns in the senders list will vary. In each case, specific filters will be available to help refine your analysis. For example, setting up the filter “Potential false positive” will list only the senders for whom the potential false positive is true.
|
Condition |
Available Columns |
Available Filters |
| If the new bulk email threshold equals to the current bulk email threshold. | Sender, BCL, Simulation sender quality threshold, Potential false positive, and Potential false negative. | Potential false positives, Potential false negatives
|
| If the new bulk email threshold is less than the current bulk email threshold. | Sender, BCL, Simulation sender quality threshold, New sender blocked, and Potential false positive. | New senders blocked, Potential false positives |
| If the new bulk email threshold is greater than the current bulk email threshold. | Sender, BCL, Simulation sender quality threshold, New sender allowed, and Potential false negative. | New senders allowed, Potential false negatives |
Tip: You can use the Export option available in the sender list to export the report as a CSV file.
To dive deeper into the analysis, the bulk sender insights in the Defender portal provide detailed information about each sender. To access these details, select the respective sender’s insight. You can also use the Search box and enter a corresponding value to find specific senders.
Once a bulk sender is clicked, the Sender details flyout pane appears, containing the following information:
| Field | Description |
| Sender | The bulk sender’s email address. |
| Messages | The total count of messages received from the sender. |
| Messages in inbox | The count of messages that were delivered to the inbox. |
| Messages in quarantine or Junk Email | The count of messages from the sender that were quarantined or delivered to Junk Email folders. |
| Admin setting | Indicates whether the sender is allowed or blocked in the Exchange Online tenant allow and block list. |
| User allowed messages | The count of messages from the sender that were added to users’ Safe Senders lists. |
| User blocked messages | The count of messages from the sender that were added to users’ Blocked Senders lists. |
| False positive submissions | The count of legitimate (good) messages from the sender that were mistakenly blocked. |
| False negative submissions | The count of harmful (bad) messages from the sender that were mistakenly delivered. |
| User moved from Junk Email to Inbox | The count of messages that users manually moved from Junk Email to their Inbox. |
| User moved from Inbox to Junk Email | The count of messages that users manually moved from their Inbox to Junk Email. |
| User deleted messages | The count of messages from the sender that users deleted manually. |
| Admin quarantined messages | The count of messages from the sender that were quarantined by an admin. |
| Admin moved emails from Inbox to Junk Email | The count of emails from the sender that were moved from the Inbox to Junk Email by an admin. |
| Admin deleted messages | The count of messages from the sender that were deleted by an admin. |
Key Considerations for Bulk Sender Insights and Simulations
- If the Mail Exchange record (which tells other mail systems where to send email) for your Microsoft 365 domain points to a third-party service or device, bulk simulation and detection may not function properly.
- If the recipient is included in the Standard or Strict preset security policies, settings in default or custom anti-spam policies are disregarded.
- The fate of bulk messages is dictated by the action specified in the Office 365 anti-spam policy for when the BCL is met or exceeded (such as moving the message to the Junk Email folder, quarantining it, or deleting it). However, taking action against such messages is referred to as “blocked” in the bulk sender insights.
- A higher simulation sender quality threshold value utilizes only high-quality senders for the simulation, while a lower value incorporates a mix of both desired and undesired senders. This sender quality threshold impacts the potential false positives and potential false negatives in the simulations.
In conclusion, bulk sender insights in Microsoft 365 provide a valuable way to optimize email management by identifying and controlling bulk messages. By leveraging these insights, admins can enhance Exchange Online security and ensure a more efficient email flow. If you have any questions related to this blog, feel free to reach us out through the comments section.
