Office 365 Mail Flow Rule: Block Messages Based on Subject
Email is a vital business enabler in most organizations, and it is a trusted medium of communication in which business or personal information is often shared. This makes email a prime target for attackers and interceptors.
Spam and phishing are the most common types of threats that an Exchange administrator must work on. However, these threats can be tricky, and at times, you may need to resort to using mail flow rules to combat those that made it past the perimeter mail checks.
In this post, you will learn how to create a mail flow rule (also known as a transport rule) that will block an email based on the subject.
Prerequisites
The mail flow rule will be created in Exchange Online, which requires you to have the following:
- Office 365 Subscription. If you do not have this yet, you can sign up for an Office 365 E5 trial subscription.
- Exchange Admin Role
Creating the Mail Flow Rule
Mail flow rules can be applied to messages flowing in all directions (inbound, outbound, internal). There are legitimate reasons to target one or all of the mail flow directions, depending on your requirements.
Follow the steps below to create a mail flow rule that will block all incoming and outgoing emails based on a keyword in the subject. If the mail is intercepted by the rule, the sender will receive an auto-generated response from Exchange Online.
- Log in to https://admin.microsoft.com using your Office 365 admin account.
- Scroll down to view the Admin Centers section, then select Exchange.
- In the Exchange admin center (EAC), select the Mail Flow tab, then the Rules tab.
- Click the “+” symbol and select Create a new rule.
- A new blank rule dialog box will appear, like the screenshot below.
- Give your rule an appropriate name that is easy for others to identify. Type “Block subject of email based on keyword”.
- Set the condition “Apply this rule if…” to “The subject or body includes…”.
- Click “Enter words…”, then type the keyword #SYSGEN# and click the “+” symbol. Then, click OK.
- Set the action of the rule, “Do the following…”, to “Reject the message with the explanation…” and click “Enter text…”.
- Set the rejection reason to “Blocked by email security policy”, then click OK.
- Set the Priority of the mail flow rule to 0.
  NOTE: Priority indicates the order in which the rules are applied to messages. The default priority is based on when the rule is created (older rules have a higher priority than newer rules, and higher priority rules are processed before lower priority rules). 0 will be the top of the priority list.
- Leave the audit option set to Not specified, as we have no intention of auditing the number of times this rule is matched.
- Select Enforce in “Choose a mode for this rule”, so the rule will be applied immediately.
- Select “Stop processing more rules” to prevent conflicts with other existing mail rules.
- Click Save.
  NOTE: After a mail flow rule is created or modified, it can take up to 30 minutes for the new or updated rule to be applied to messages.
- Refer to the screenshot below for the complete settings of the mail flow rule.
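The same rule can be created and checked from Exchange Online PowerShell. The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, and the admin UPN is a placeholder. It mirrors the EAC settings above and then reads the rule back to confirm that the stored values match.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and the
# signed-in account holds an Exchange admin role. The UPN below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$ruleName = 'Block subject of email based on keyword'

# Same values as the EAC steps above. SubjectOrBodyContainsWords mirrors the
# "The subject or body includes..." condition, so a keyword in the body also matches;
# use SubjectContainsWords instead to match the subject line only.
$settings = @{
    SubjectOrBodyContainsWords = '#SYSGEN#'
    RejectMessageReasonText    = 'Blocked by email security policy'
    Priority                   = 0
    Mode                       = 'Enforce'
    StopRuleProcessing         = $true
}

# Create the rule, or bring an existing rule of the same name back to these values.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @settings
} else {
    New-TransportRule -Name $ruleName @settings
}

# Read the rule back and compare it with what was requested.
$rule  = Get-TransportRule -Identity $ruleName
$words = @($rule.SubjectOrBodyContainsWords | ForEach-Object { "$_" })
$problems = @()
if ($words -notcontains '#SYSGEN#')   { $problems += 'keyword missing from condition' }
if ("$($rule.State)" -ne 'Enabled')   { $problems += "state is $($rule.State)" }
if ("$($rule.Mode)" -ne 'Enforce')    { $problems += "mode is $($rule.Mode)" }
if ([int]$rule.Priority -ne 0)        { $problems += "priority is $($rule.Priority)" }
if (-not $rule.StopRuleProcessing)    { $problems += 'StopRuleProcessing is off' }
if ($rule.RejectMessageReasonText -ne 'Blocked by email security policy') {
    $problems += 'rejection text differs'
}

if ($problems.Count -gt 0) {
    Write-Warning ("Rule '$ruleName' does not match: " + ($problems -join '; '))
} else {
    $rule | Format-List Name, State, Mode, Priority, SubjectOrBodyContainsWords,
        RejectMessageReasonText, StopRuleProcessing
}

Disconnect-ExchangeOnline -Confirm:$false
```

Re-running the script against an existing rule resets it to these values, which makes it usable as a periodic drift check.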
Testing the Mail Flow Rule
Once you’ve created the mail flow rule and configured it, you will need to conduct a series of tests to make sure that the rule is working as expected. These next examples are the bare minimum that you need to do for testing and verification.
Testing External to Internal Messages (or Vice Versa)
Send an email from an external sender to an internal mailbox and make sure the word ‘#SYSGEN#’ is in the subject line.
Auto-generated response from Exchange Online Server
Testing Internal to Internal Messages
Send an email from one sender inside your organization to another and make sure the word ‘#SYSGEN#’ is in the subject line.
Auto-generated response from Exchange Online Server
Summary
In this article, you’ve learned how to create and configure a mail flow rule in the Exchange Online admin center to protect your users from email deemed malicious based on the subject.
Mail flow rules offer many conditions. There may be times when you need to add an exception or adjust more settings to meet a business requirement; take care when doing so, because a misconfigured rule can lead to an interruption of email service.