Do Teams Groups (External Email) follow threat policies?

thecomputerguy

I have a client who we have a Teams group set up for as info@contoso.com, and it allows external contacts to email the organization, and the amount of spam that comes through that account is ... brutal. This is especially an issue because it's also set up to forward emails to members of the group... is there a way to clean this up?

All licensing is Business Premium.
 
Defender ATP policies (anti-phish, anti-spam, anti-malware, etc.) can be applied domain-wide, to certain users, to certain groups... you can create custom policies to get quite granular, or leave one policy touching all.

What do you have for existing policy settings? Any of the common aliases such as "info@ any domain" are pretty much guaranteed to get slammed hard; those common aliases are built into all spam engines for domains they spew upon.
 
I use the Policy PDF you sent me by default for all my tenants.
 
That's probably a bit old and outdated now. As new features and settings arrive, it may have drifted a bit...
I always immediately turn on the "Standard" canned policy... at least there's a fairly decent baseline, but by itself I think it's too weak. And then I create my own policy on top of that (well, we have a template in SaaS Alerts now; I just apply SaaS Alerts to a new client tenant (takes about 10 minutes) and "BOOM", by the next day all our standardized settings are in place (saves many hours of tweaking a tenant manually)). So after applying the SaaS Alerts policies (which puts a named one in all the 5 modules of Defender), it's stacked right along with the "Standard" one.

Have you tried tightening up the slide bar on them?
 
If you set up your own threat policy, isn't the standard protection policy redundant? AKA should it be disabled or used in conjunction with a custom threat policy?
 
They can complement each other... you can stack them. (I wondered the same question, and SaaS Alerts tech support said you can stack multiple policies.)
The way I look at it, if multiple policies apply to the same users/groups/domains, the "stronger part" of each policy will trump.
When viewing emails in junk or quarantine, you can see which policy put it there when troubleshooting.
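
An added example, not part of the original thread: one way to answer "what do you have for existing policy settings?" and then scope a stricter anti-spam policy to the group, using Exchange Online PowerShell. The policy name and threshold value are hypothetical, the group address is the one from the thread, and it is an assumption that the group can be targeted by its address in `-SentToMemberOf`.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an admin sign-in.
Connect-ExchangeOnline

$group      = 'info@contoso.com'                  # group address from the thread
$policyName = 'Info Mailbox - Strict Anti-Spam'   # hypothetical name

# 1. Audit: custom anti-spam rules in evaluation order, and who each one targets.
Get-HostedContentFilterRule |
    Sort-Object Priority |
    Select-Object Name, State, Priority, HostedContentFilterPolicy,
                  SentTo, SentToMemberOf, RecipientDomainIs |
    Format-List

# 2. Audit: bulk threshold and verdict actions of every anti-spam policy.
Get-HostedContentFilterPolicy |
    Select-Object Name, BulkThreshold, MarkAsSpamBulkMail, SpamAction,
                  HighConfidenceSpamAction, BulkSpamAction, PhishSpamAction |
    Format-Table -AutoSize

# 3. Audit: are the preset ("Standard"/"Strict") policies on, and for which recipients?
Get-EOPProtectionPolicyRule |
    Select-Object Name, State, SentTo, SentToMemberOf, RecipientDomainIs |
    Format-List

# 4. Create a tighter policy: lower bulk threshold (constructed value) and
#    quarantine instead of delivering to Junk, so forwarded copies are not sent on.
New-HostedContentFilterPolicy -Name $policyName `
    -BulkThreshold 4 `
    -MarkAsSpamBulkMail On `
    -SpamAction Quarantine `
    -HighConfidenceSpamAction Quarantine `
    -BulkSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine

# 5. Scope it to the group only. Priority 0 is evaluated first among custom anti-spam rules.
New-HostedContentFilterRule -Name "$policyName (rule)" `
    -HostedContentFilterPolicy $policyName `
    -SentToMemberOf $group `
    -Priority 0

# 6. Confirm the rule is enabled and targets the group.
Get-HostedContentFilterRule -Identity "$policyName (rule)" |
    Select-Object Name, State, Priority, SentToMemberOf
```

After sending a test message, check the quarantine or junk details for it to confirm which policy acted on it.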
 