Feedback by UserVoice

Office 365 Security & Compliance


Welcome to the Security (Protection) & Compliance UserVoice forum. We’re happy you’re here! If you have suggestions or ideas on how to improve Security or Compliance related features in O365, we’d love to hear them!

How it works
◾Check out the ideas others have suggested and vote on your favorites
◾If you have a suggestion that’s not listed yet, submit your own — 25 words or less, please
◾Include one suggestion per post

Thanks for joining our community and helping improve these features in Office 365!

Need Tech Support? Please see the O365 Community for the product or feature you are having issues with, or open a support ticket through your Office 365 administrator portal.

How can we improve compliance or protect your users better in Office 365?

• Change Exchange Online recipient limit

  Need to change Exchange Online recipient limits. The default value is 500 and can't be modified.
  In this case, users are able to send bulk/spam messages by selecting the entire global address list.

  965 votes · 73 comments · Spam & Phishing

  Admin response: Thank you for the feedback. Most of the comments here reflect a desire to be able to LOWER the recipient limit for a specific user. This is something we will consider as priorities allow. If you’re voting or commenting — we would be curious if this is driven more by account compromises or just user behavior (e.g., don’t have permissions to send to the DL, so the user just expands the DL)?

  For issues with compromised accounts, we want you to be aware that we take this issue seriously and have been working on that problem from many angles. That said, we believe that limiting the number of recipients per email will not stop or even slow the bad guys significantly. Instead, we encourage you to visit https://securescore.office.com/ and implement best practices to protect your organization.

  For any comments regarding other issues with limits or throttling (e.g., increasing a limit),…

• Implement Sender Rewriting Scheme (SRS) to Resolve Forwarding Issues

  Forwarding in SMTP is fundamentally flawed unless you implement SRS.

  http://www.openspf.org/SRS

  If you maintain the Return-Path of the originating message while forwarding, you effectively spoof the originating domain.

  If you modify the Return-Path to be the address of the account that forwarded a message, you break the Return-Path chain, and delivery issues will result in the forwarded message's Delivery Status Notification (DSN) being delivered to the forwarding user and not the original sender.

  SRS resolves this by modifying the Return-Path in a way that doesn't spoof the originating domain but still allows DSNs to be sent to the original sender.

  590 votes · 28 comments · Spam & Phishing

  Admin response: Added to the roadmap (https://products.office.com/en-us/business/office-365-roadmap) for tracking. As mentioned earlier, we’re also looking very seriously at Authenticated Received Chain, which is in draft, but has good momentum for adoption. We hope to report back soon on that as well.

  If you’re interested in signing your tenant up early to help us test this out, be sure to give us your email address so you can receive an invitation when we’re ready!

• Phishing attacks using Office 365 compromised accounts / ATP Safe Links not working

  Hello Microsoft ATP Team,

  This is to bring to your notice that spammers/phishers have started targeting Office 365 tenants, which creates a mail loop between Office 365 hosted domains; these emails are getting circulated, through which accounts get compromised. We had a lot of incidents happening in our environment. As these emails are generated from an actual account hosted in Office 365, the emails are considered safe and land in users' Inboxes. We have an ATP Safe Links policy in place; however, it's not performing the job as expected. ATP is a great feature but we request…

  512 votes · 24 comments · Spam & Phishing

• Allow quarantined emails to be deleted from the quarantine list for clarity

  Ability to delete emails in the quarantine queue that were reviewed and are irrelevant. This will make it easier to check the queue over time instead of waiting for the messages to expire.

  369 votes · 22 comments · Spam & Phishing

• End User Spam Notification - Frequency

  Currently we can only have 1 email sent per day notifying the user they have spam in quarantine.

  The email is usually sent just after midnight, so if the user does not check their quarantine it could be a full 24 hours until the user is notified that they have spam to release.

  Could I suggest that this email can be sent at least 3 times per day?

  Cheers

  362 votes · 43 comments · Spam & Phishing

  Admin response: Thank you for your feedback. We have a clarifying question that would help us to prioritize this better: If you need notices 3 (or more) times per day, why use quarantine at all? Why not send the mails to a junk folder which the user can check on demand? If you want a notice each time any message gets quarantined, again, what prevents just sending the mails to a junk folder instead?

• 135 votes · 6 comments · Spam & Phishing

• Please offer command to purge emails from "recover delete" using content search

  Currently the SoftDelete command, when used like this, for example:
  New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
  will send the message to "recover delete". I would like there to be a "HardDelete" option to send them straight to purge so the user cannot accidentally recover a phishing email and click on it.
  Please advise.

  126 votes · 5 comments · Spam & Phishing

• Reduce unnecessary nested includes in your SPF record, to improve DNS efficiency

  If you run a service which might be responsible for sending mails on behalf of a customer, and consequently have an SPF record they need to "include:" in their own, I think that you should probably review it and see if you have an excessive number of DNS lookups in your SPF record.

  The problem is that if a customer uses more than one of these mail service providers, and they have multiple include elements in their SPF record, it’s all too easy to breach the 10 DNS lookup limit, which could lead to random email loss (recipient MTAs giving…

  120 votes · 3 comments · Spam & Phishing

• Ability to disable or enable Office 365 Mail Protection

  I am not a fan of mail protection or its administration in a Hybrid environment and would prefer to use a mail-filter device.
  This is especially a pain due to the fact that legitimate messages are being sent to the Junk E-Mail folder by mail protection.

  115 votes · 8 comments · Spam & Phishing

  Admin response: @Anonymous: This can be accomplished. Please see instructions and more important information here: https://technet.microsoft.com/EN-US/library/jj937232(v=exchg.150).aspx Before you do, you may want to verify that the mails are being marked as junk by EOP vs. Outlook SmartScreen filter. You may want to verify this by disabling Outlook SmartScreen under Junk Email Options. A large number of false positives which are reported to us fall in this category. A support ticket is highly recommended to assist. EOP performance is among the leaders, but any spam solution requires proper configuration.

  @Leigh: It seems that you may not be asking for disabling EOP. You are asking to be able to disable the Outlook feature. This can also be done, but again, we would highly recommend a support ticket. EOP can return emails to sender if the sender is on a block list, but it never deletes emails unless you tell it to, and typically…

• Allow disabling of SPF checks

  As a user using both a dedicated security-based ESP (Mimecast) with Office 365 Exchange, I have no need for many of the Office 365 security features.

  Most annoying is the fact that forwarding from my ESP fails the Office 365 SPF checks, because the sending domain doesn't match the IP range of the source any more.

  I wouldn't mind, except Office 365 won't even allow me to disable SPF checking!

  This means a typical message is stamped with an SPF 'pass' from Mimecast and an SPF 'fail' from Office 365.

  This in turn could interfere with anti-spam rules within…

  84 votes · 7 comments · Spam & Phishing

  Admin response: When you have another service scanning in front of Office 365, the proper thing to do is disable the Office 365 scanning altogether and (optionally) respect the verdict from the prior system. Once you do that, even with the SPF header, the mails will not go to the users’ junk folders.

  See https://blogs.msdn.microsoft.com/tzink/2016/06/07/hooking-up-additional-spam-filters-in-front-of-office-365/

• Use Outlook junk mail actions to train hosted spam filters

  Junk mail filtering has been a constant pain point for me with O365 Business and Outlook. The spam filters have an awfully high number of false positives, and only rarely capture real spam (I don't get much on these accounts). Most of the mail that gets filtered is from the same set of senders, even though I constantly tell Outlook that these messages are not Junk. O365 needs to leverage this data to improve filtering reliability.

  83 votes · 8 comments · Spam & Phishing

  Admin response: The Junk Email Reporting Add-in is our current solution for Outlook users. You can get the download for it, and learn more here:
  https://technet.microsoft.com/library/jj723127(v=exchg.150).aspx
  We do absolutely triage these submissions and use them to improve EOP.

  If you aren’t using Outlook, simply create a new mail to junk [AT] office365.microsoft.com and attach the entire message, including headers (see https://technet.microsoft.com/library/jj723151(v=exchg.150).aspx). We are looking at better reporting options for Mac and mobile users. What might be helpful here is commenting with which applications you use most.

  Administrators can also now go to http://aka.ms/FixSpam and troubleshoot their users’ most persistent spam issues.

  If you continue having difficulties, we recommend a support ticket to investigate current samples. It is frequently the case that a simple configuration issue is to blame — and support can help you figure this out.

• Custom Safety Tips

  We would really like to be able to raise a few custom Safety Tips on inbound messages.

  For starters, it would be great to raise a Safety Tip on every message originating from an external sender, i.e. every inbound message. A simple safety tip that read "Notice: This message was sent from outside our organization. Please use caution with links and attachments" would work wonders.

  Another Safety Tip, perhaps with a warning level, to flag messages that fail SPF checks would also help.

  The idea is to provide actionable information to message recipients so that they can make better decisions…

  65 votes · 5 comments · Spam & Phishing

• To allow more than 30 messages per minute, maybe up to 50?

  Currently Office 365 has a messaging limit of 30 per minute. It would be ideal to have this increased to maybe at least 50 per minute.

  64 votes · 2 comments · Spam & Phishing

  Admin response: The referenced limits only apply to hosted mailboxes. These limits are in place to prevent abuse on multiple fronts (unlike some limits, this is not simply a matter of adding capacity, since spammers would also be able to take advantage of higher limits). For applications which need to send bulk email, it is not necessarily a current best practice to use an Office 365 hosted mailbox.

  One issue with the suggestion is that while 50 may be enough for your company’s application today, it may not be enough in the future, or for someone else — how much is enough?

  We will certainly periodically re-visit all limits in the service as we have consistently done, and raise those which we can raise. We are certainly considering all options including future features & offerings. However, at this time, we feel that using a bulk mailer or on-premises server for mass email…

• Office 365 quarantine report should have a link to view live quarantine

  This is a simple feature to implement, and my users were used to it with AppRiver. My users get a report of their quarantined emails daily; that emailed report should have a link (https://admin.protection.outlook.com/quarantine) for the users to click to view their quarantined email at any time, so they don't have to wait a day.

  54 votes · 3 comments · Spam & Phishing

• Have reasonable exceptions for Advanced Threat Protection rules

  None of the exception options currently in ATP make any sense, since they permanently exclude particular users. If I wanted to exclude particular users, groups, or domains, I just wouldn't purchase ATP licenses for them. To be useful, the exceptions would have to cover use cases where, for the same recipient, some messages could be excluded from scanning under certain "exceptional" circumstances. There is no reason to purchase an ATP license if I was just going to entirely exclude a user's email from being scanned.

  I had expected that by creating exceptions for certain DNS domains that I could exclude…

  53 votes · 0 comments · Spam & Phishing

• Block spoofing messages even when the source is a trusted relay in another tenant

  We have discovered that if an e-mail is sent through a relay trusted in one tenant, that message will be delivered as not-spam to any other O365 tenant regardless of sender address and SPF records. This seems like a large gap in the service. For example, if one client machine were to get compromised, that machine could send any number of messages from any source address through the relay, and they would automatically be trusted and delivered to any mailbox using EOP or Exchange Online.

  We would like to see these messages at least checked against SPF records at the receiving…

  50 votes · 0 comments · Spam & Phishing

• Advanced Threat Protection (ATP) - Implement a blacklist in Safe Links

  Please implement in ATP Safe Links a blacklist per tenant where we can insert the bad URLs that ATP does not intercept, or the bad URLs that are malicious for the company.

  47 votes · 9 comments · Spam & Phishing

• Stop external emails being sent directly to the onmicrosoft.com aliases

  My organisation is using a 3rd-party mail gateway in front of Office 365. However, we have discovered that sending emails directly to the aliases @<domain>.mail.onmicrosoft.com and @<domain>.onmicrosoft.com bypasses our mail gateway, allowing malicious emails through.

  It should be made clear that these aliases should be locked down, either by a transport rule or by being able to change the MX records, the latter not being possible at this time.

  47 votes · 6 comments · Spam & Phishing

• End-user Spam Notifications by User or Group

  Have the ability to configure End-User Spam Notifications by user or by group. Currently we use a 3rd-party product to handle spam blocking, and it sends a daily email with a list of blocked spam. Not all of our users care to receive this email, so we would like to be able to control this feature within Office 365 but have the ability to configure which users want to receive the daily spam list or not. Currently Office 365 only lets this be done by domain name. The ability to control who gets these notifications should be able to be…

  44 votes · 0 comments · Spam & Phishing

• User-based per-domain safe sender and blocked sender lists not functioning with EOP

  Having recently undertaken a support case regarding a user, their safe sender and blocked sender lists, and their interaction with EOP, it would be useful if the per-domain aspect of these lists functioned as advertised.

  We have been advised by Microsoft Office 365 support that only per-user (email address) exceptions override the EOP content filter rules, and not per-domain. This contradicts what is stated at https://technet.microsoft.com/EN-US/library/dn636911(v=exchg.150).aspx

  This states that:
  Outlook safe sender and blocked sender lists – When synchronized to the service, these lists will take precedence over spam filtering in the service. This lets users manage their own…

  42 votes · 2 comments · Spam & Phishing

  Admin response: Refer to “Domains on the Outlook Safe Senders list aren’t recognized by Exchange Online or Exchange Online Protection” at https://support.microsoft.com/en-us/kb/3019657. All other Outlook safe sender and blocked sender lists’ iterations of safe senders, blocked senders and blocked domains are supported. For Safe Domains, the article lists solutions both for EOP Standalone and as part of Exchange Online.
