Rule examples

Objective: Quarantine messages that contain malware or attachment that is password protected, encrypted or damaged

Create the following rule for Mail transport protection:

Condition

Type: Antivirus scan result
Operation: is not
Parameter: Clean

Action

Type: Quarantine message

Objective: Move messages that failed SPF check to a Junk folder

Create the following rule for Mail transport protection:

Condition

Type: SPF result
Operation: is
Parameter: Fail

Action

Type: Set SCL value
Value: 5 (Set the value according to SCLJunkThreshold parameter of Get-OrganizationConfig cmdlet of your Exchange server. For more details, see SCL threshold actions article)

Objective: Drop messages from specific senders

Create the following rule for Mail transport protection:

Condition

Type: Sender
Operation: is / is one of
Parameter: spammer1@domain.com, spammer2@domain.com

Action

Type: Drop message silently

Objective: Customize pre-defined rule

Details: Allow archive attachments in messages from specified IP addresses (in case of internal systems, for example) while using Forbidden archive file attachments rule

Open Mail transport protection rule set, select Forbidden archive file attachments and click Edit.

Condition

Type: Sender's IP address
Operation: is not / is not any
Parameter: 1.1.1.2, 1.1.1.50-1.1.1.99

Objective: Message body

Create the following rule for Mail transport protection:

Condition

Type: Message body
Operation: contains/contains one of, click Add type web site URL or part of URL

Action

Type: Quarantine message

Objective: Store messages for non-existent recipients
Details: If you want to have all messages to non-existent recipients quarantined (regardless of being marked by Antivirus or Antispam protection)

Condition

Type: Recipient validation result
Operation: is
Parameter: Contains invalid recipient

Action

Type: Quarantine message