Feedback by UserVoice

Office 365 Security & Compliance

We have partnered with UserVoice, a third-party service and your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy. Please do not send any novel or patentable ideas, copyrighted materials, samples or demos for which you do not want to grant a license to Microsoft.

Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾Check out the ideas others have suggested and vote on your favorites
◾If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

How can we improve compliance or protect your users better in Office 365?

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Change Exchange Online recipient limit

    Need to change Exchange online Recipient Limits. The default value is 500 and can't be modified.
    In this case, users are able to send bulk\Spam messages by selecting entire global address list.

    1,224 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    93 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for the feedback. Most of the comments here reflect a desire to be able to LOWER the recipient limit for a specific user. This is something we will consider as priorities allow. If you’re voting or commenting — we would be curious if this is driven more by account compromises or just user behavior (e.g., don’t have permissions to send to the DL, so the user just expands the DL)?

    For issues with compromised accounts, we want you to be aware that we take this issue seriously and have been working on that problem from many angles. That said, we believe that limiting the number of recipients per email will not stop or even slow the bad guys significantly. Instead, we encourage you to visit https://securescore.office.com/ and implement best practices to protect your organization.

    For any comments regarding other issues with limits or throttling (e.g., increasing a limit),…

  2. Implement Sender Rewriting Scheme (SRS) to Resolve Forwarding Issues

    Forwarding in SMTP is fundamentally flawed unless you implement SRS.

    http://www.openspf.org/SRS

    If you maintain the Return-Path of the originating message while forwarding you effectively spoof the originating domain.

    If you modify the Return-Path to be the address of the account that forwarded a message you break the Return-Path chain and delivery issues will result in the forwarded message Delivery Status Notification (DSN) being delivered to the forwarding user and not the original sender.

    SRS resolves this by modifying the Return-Path in a way that doesn't spoof the originating domain but still allows DSNs to be sent to the original sender.

    611 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    30 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →

    Added to the roadmap (https://products.office.com/en-us/business/office-365-roadmap) for tracking. As mentioned earlier, we’re also looking very seriously at Authenticated Received Chain, which is in draft, but has good momentum for adoption. We hope to report back soon on that as well.

    If you’re interested in signing your tenant up early to help us test this out, be sure to give us your email address so you can receive an invitation when we’re ready!

  3. Phishing attacks using Office 365 compromised Accounts/ ATP safe links not working

    Hello Microsoft ATP Team,

    This is to bring to your notice that spammers/phishers have started targeting Office 365 Tenants which creates a mail loop between Office 365 hosted domains and these emails are getting circulated through which accounts gets compromised. We had a lot of incidences happening in our environment, As these emails are getting generated from the actual account hosted in Office 365 the email are considered to be safe and lands in users Inbox. We have ATP safe links policy in place however its not performing the job as expected. ATP is a great feature but we request…

    554 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    26 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →

    ATP does not consider mails from other Office 365 tenants, or even mailboxes inside of your tenant, as safe. The best way to put a stop to this is to follow the recommendations in SecureScore for your tenant; and report phishing mails to us promptly. Also, make sure that the sender is not allowed either by the tenant configuration or the user safelist.

  4. End User Spam Notifacation - Frequency

    Currently we can only have 1 email sent per day notifying the user they have spam in quarantine.

    The email is usually sent just after midnight so if the user does not check their quarantine it could be a full 24 hours until the use is notified that they have spam to release.

    Could I suggest that at least 3 times per day this email can be sent?

    Cheers

    454 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    54 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →

    Thank you for your feedback. We have a clarifying question that would help us to prioritize this better: If you need notices 3 (or more) times per day, why use quarantine at all? Why not send the mails to a junk folder which the user can check on demand? If you want a notice each time any message gets quarantined, again, what prevents just sending the mails to a junk folder instead?

  5. allow quarantined emails to be deleted from the quarantine list for clarity

    ability to delete emails in the quarantined queue that were reviewed and are irrelevant . this will make it easier to check the queue over time instead of waiting for the messages to expire.

    435 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    30 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  6. 204 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    6 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  7. Reduce unnecessary nested includes in your SPF record, to improve DNS efficiency

    If you run a service which might be responsible for sending mails on behalf of a customer, and consequently have an SPF record they need to "include:" in their own, I think that you should probably review it and see if you have an excessive number of DNS lookups in your SPF record.

    The problem is that if a customer of more than one of these mail service providers, and they have multiple include elements in their SPF record, it’s all too easy to breach the 10 DNS lookup limit, which could lead to random email loss (recipient MTAs giving…

    164 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  8. Ability to disable or enable Office365 Mail Protection

    I am not a fan of mail protection or its administration in a Hybrid environment and would prefer to use a mail-filter device.
    This is especially a pain due to the fact that legitimate messages are being sent to the Junk E-Mail folder by mail protection.

    155 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    10 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →

    @Anonymous: This can be accomplished. Please see instructions and more important information here: https://technet.microsoft.com/EN-US/library/jj937232(v=exchg.150).aspx Before you do, you may want to verify that the mails are being marked as junk by EOP vs. Outlook SmartScreen filter. You may want to verify this by disabling Outlook SmartScreen under Junk Email Options. A large number of false positives which are reported to us fall in this category. A support ticket is highly recommended to assist. EOP performance is among the leaders, but any spam solution requires proper configuration.

    @Leigh: It seems that you may not be asking for disabling EOP. You are asking to be able to disable the Outlook feature. This can also be done, but again, we would highly recommend a support ticket. EOP can return emails to sender if the sender is on a block list, but it never deletes emails unless you tell it to, and typically…

  9. Please offer command to purge emails from "recover delete" using content search

    Currently the "softdelete command when used like this: example
    "New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete"
    Will send message to recover delete. I would like there to be there a Harddelete" to send them straight to purge so the user can not accidentally recover a phishing email and click on it.
    Please advise

    127 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    5 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  10. Allow disabling of SPF checks

    As a user using both a dedicated security based ESP (Mimecast) with Office 365 Exchange, I have no need for many of the Office 365 security features.

    Most annoyingly is the fact that forwarding from my ESP fails the Office 365 SPF checks, because the sending domain doesn't match the IP range of the source any more.

    I wouldn't mind except Office 365 won't even allow me to disable SPF checking!

    This means a typical message is stamped with an SPF 'pass' from Mimecast and an SPF 'fail' from Office 365.

    This in turn could interfere with anti-spam rules within…

    98 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    9 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  11. Use Outlook junk mail actions to train hosted spam filters

    Junkmail filtering has been a constant pain point for me with O365 business and Outlook. The spam filters have an awfully high number of false positives, and only rarely capture real spam (I don't get much on these accounts). Most of the mail that gets filtered is from the same set of senders even though I constantly tell Outlook that these messages are not Junk. O365 needs to leverage this data to improve filtering reliability.

    84 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    10 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →

    The Junk Email Reporting Add-in is our current solution for Outlook users. You can get the download for it, and learn more here:
    https://technet.microsoft.com/library/jj723127(v=exchg.150).aspx
    We do absolutely triage these submissions and use them to improve EOP.

    If you aren’t using Outlook, simply create a new mail to junk [AT] office365.microsoft.com and attach the entire message, including headers (see https://technet.microsoft.com/library/jj723151(v=exchg.150).aspx). We are looking at better reporting options for Mac and mobile users. What might be helpful here is commenting with which applications you use most.

    Administrators can also now go to http://aka.ms/FixSpam and troubleshoot their users’ most persistent spam issues.

    If you continue having difficulties, we recommend a support ticket to investigate current samples. It is frequently the case that a simple configuration issue is to blame — and support can help you figure this out.

  12. Stop external emails being sent directly to the onmicrosoft.com ailiases

    My organisation is using a 3rd party mail gateway in front of Office 365. However we have discovered that sending emails directly to the aliases: @<domain>.mail.onmicrosoft.com and @<domain>.onmicrosoft.com bypasses our mail gateway allowing malicious emails through.

    It should be made clear that these aliases should be locked down either by a transport rule or by being able to change the MX records, the latter not being possible at this time.

    83 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    8 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  13. Custom Safety Tips

    We would really like to be able to raise a few custom Safety Tips on inbound messages.

    For starters, it would be great to raise a Safety Tip on every message originating from an external sender, i.e. every inbound message. A simple safety tip that read "Notice: This message was sent from outside our organization. Please use caution with links an attachments" would work wonders.

    Another Safety Tip, perhaps with a warning level, to flag messages that fail SPF checks would also help.

    The idea is to provide actionable information to message recipients so that they can make better decisions…

    83 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    5 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  14. Quarantine notifications, but no release functionalility

    Quarantine notifications, but no release functionality.
    We have currently setup the Spam quarantine notification messages for our employees. When they receive such an alert message, the users are able to release the captured messages. We would like to have the Quarantine alerts message to stay in place, but want to prevent end-users to release the messages. We want to force a 'second opinion' flow in between, to delegate this task to the Hygiene administrators. In such a configuration employees shouldn't be able to open the Quarantine URL either. Unfortunately we see some users are not able to see the difference…

    81 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    7 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  15. To allow more than 30 messages per minute maybe up to 50?

    Currently office365 has a messaging limit of 30 per minute. It would be idial to have this increased to maybe at least 50 per minute.

    71 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →

    The referenced limits only apply to hosted mailboxes. These limits are in place to prevent abuse on multiple fronts (unlike some limits, this is not simply a matter of adding capacity, since spammers would also be able to take advantage of higher limits). For applications which need to send bulk email, it is not necessarily a current best practice to use an Office 365 hosted mailbox.

    One issue with the suggestion is that while 50 may be enough for your company’s application today, it may not be enough in the future, or for someone else — how much is enough?

    We will certainly periodically re-visit all limits in the service as we have consistently done, and raise those which we can raise. We are certainly considering all options including future features & offerings. However, at this time, we feel that using a bulk mailer or on-premises server for mass email…

  16. Block spoofing messages even when the source is a trusted relay in another tenant.

    We have discovered if an e-mail is sent through a relay trusted in one tenant, that message will be delivered as not-spam to any other O365 tenant regardless of sender address and SPF records. This seems like a large gap in the service, for example; if one client machine was to get compromised that machine could send any number of messages from any source address through the relay and they would automatically be trusted and delivered to any mailbox using EOP or Exchange Online.

    We would like to see these messages at least checked against SPF records at the receiving…

    59 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  17. Office 365 quarantine report should have a link to view live quarantine

    This is a simple feature to implement and my users were used to it with Appriver. My users get a report of their quarantined emails daily, that emailed report should have a link (https://admin.protection.outlook.com/quarantine) for the users to click to view their quarantined email at any time, so they don't have to wait a day.

    58 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  18. Fix DMARC implementation to match the RFC7489 defined behaviour for p=reject and p=quarantine

    Fix DMARC implementation to match the RFC 7489 defined behaviour for p=reject and p=quarantine.
    Current behaviour p=reject messages are quarantined???

    56 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  19. Have reasonable exceptions for Advanced Threat Protection rules

    None of the exception options currently in ATP make any sense, since they permanently exclude particular users. If I wanted to exclude particular users, groups, or domains, I just wouldn't purchase ATP licenses for them. To be useful, the exceptions would have to cover use cases where for the same recipient some messages could be excluded from scanning under certain "exceptional" circumstances. There is no reason to purchase an ATP license if I was just going to entirely exclude a user's email from being scanned.

    I had expected that by creating exceptions for certain DNS domains that I could exclude…

    55 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
  20. End-user Spam Notifications by User or Group

    Have the ability to configure End-User Spam Notification by User or by Group. Currently we use a 3rd product to handle spam blocking and it sends a daily email with a list of blocked spam. Not all of our users care to receive this email so we would like to be able to control this feature within Office 365 but have the ability to configure which users want to receive the daily spam list or not. Currently Office 365 only let this be done by domain names. The ability to control who gets these notification should be able to be…

    53 votes
    Vote
    Sign in
    (thinking…)
    Password icon
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Spam & Phishing  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 12 13
  • Don't see your idea?

Feedback and Knowledge Base