1. Logon

  • Note: Some Microsoft web pages may not work with a browser that has the uBlock Origin add-on enabled.

  • Browse to Security - Microsoft Defender.

  • System Admin: Type bhf@tbhf.onmicrosoft.com for the account.

  • IT Helpdesk: Type bhf-it@bhf-th.org for the account.

2. Anti-phishing

2.1. Add Policy

  • Select Email & collaboration > Policies & rules > Threat policies > Policies > Anti-phishing.

  • Click Create.

  • Type SMRU Office365 AntiPhish in the Name field.

  • Click Next.

  • Type bhf-th.org in the Domains field and press Enter.

  • Type shoklo-unit.com in the Domains field and press Enter.

  • Type tbhf.onmicrosoft.com in the Domains field and press Enter.

  • Click Next.

  • Click Manage 0 trusted sender(s) and domain(s).

  • Select Domain tab.

  • Click Add domains.

  • Type crowdstrike.com and press Enter.

  • Click Add domains.

  • Click Done.

  • Click Next.

  • Click Next.

  • Click Submit.

  • Click Done.

3. Anti-spam

3.1. Add policy

  • Select Email & collaboration > Policies & rules > Threat policies > Policies > Anti-spam.

  • Select Create policy > Inbound.

  • Type SMRU anti-spam inbound policy in the Name field.

  • Click Next.

  • Type bhf-th.org in the Domains field and press Enter.

  • Type shoklo-unit.com in the Domains field and press Enter.

  • Type tbhf.onmicrosoft.com in the Domains field and press Enter.

  • Click Next.

    Bulk email threshold & spam properties

Bulk email threshold            7 (Recommended default)

*Spam properties*

Increase spam score
  Image links to remote websites        Off
  Numeric IP address in URL             Off
  URL redirect to other port            Off
  Links to .biz or .info websites       Off

Mark as spam
  Empty messages                        Off
  Embedded tags in HTML                 Off
  JavaScript or VBScript in HTML        Off
  Form tags in HTML                     Off
  Frame or iframe tags in HTML          Off
  Web bugs in HTML                      Off
  Object tags in HTML                   Off
  Sensitive words                       Off
  SPF record: hard fail                 Off
  Sender ID filtering hard fail         Off
  Backscatter                           Off
  Contains specific languages           Off
  From these countries                  Off

*Test mode*

* None
. Add default X-header text
. Send Bcc message

  • Click Next.

    Actions

*Message actions*
Spam                                            Move message to Junk Email folder
High confidence spam                            Move message to Junk Email folder
Phishing                                        Move message to Junk Email folder
High confidence phishing                        Quarantine message
        Select quarantine policy                AdminOnlyAccessPolicy
Bulk complaint level (BCL) met or exceeded      Move message to Junk Email folder
Intra-Organizational messages to take action on Default
Retain spam in quarantine for this many days    30

*Safety tips*.
+ Enable spam safety tips

*Zero-hour auto purge (ZAP)*
- Enable zero-hour auto purge (ZAP)

  • Click Next.

  • Click Next.

  • Click Create.

  • Click Done.

3.2. Allow domain and senders

  • Browse to https://security.microsoft.com.

  • Log in with Microsoft 365 Admin account.

  • Select Email & collaboration > Policies & rules.

  • Select Threat policies.

  • Select Policies > Anti-spam.

  • Select SMRU anti-spam inbound policy.

  • Click Edit allowed and blocked senders and domains.

  • Allow domains: Click Block domains under Allowed.

    • Click Add domains.

    • Type the domain/IP address in Enter a custom domain field and press Enter.

    • Click Add domains.

  • Allow senders: Click Manage <#> sender(s) under Allowed.

    • Click Add senders to add.

    • Type the sender address in Enter a custom sender address field and press Enter.

    • Click Add senders.

  • Click Done.

  • Click Save.

  • Click Close.

3.3. Block domains and senders

  • Browse to https://security.microsoft.com.

  • Log in with Microsoft 365 Admin account.

  • Select Email & collaboration > Policies & rules.

  • Select Threat policies.

  • Select Policies > Anti-spam.

  • Select SMRU anti-spam inbound policy.

  • Click Edit allowed and blocked senders and domains.

  • Block domains: Click Block domains under Blocked.

    • Click Add domains.

    • Type the domain/IP address in Enter a custom domain field and press Enter.

    • Click Add domains.

  • Block senders: Click Manage <#> sender(s) under Blocked.

    • Click Add senders to add.

    • Type the sender address in Enter a custom sender address field and press Enter.

    • Click Add senders.

  • Click Done.

  • Click Save.

  • Click Close.

3.4. Allow email forwarding

  • Select Anti-spam outbound policy (Default).

  • Click Edit protection settings.

  • Select On - Forwarding is enabled in Automatic forwarding rules dropdown list.

  • Click Save.

  • Click Close.

4. Email Authentication Settings

  • Select Email & collaboration > Policies & rules > Threat policies > Email authentication settings.

  • Select the ARC tab.

  • Select the DKIM tab.

  • Select the bhf-th.org domain.

  • Select the shoklo-unit.com domain.

  • Select the tbhf.onmicrosoft.com domain.

  • Note: See PowerShell and DKIM Keys for using PowerShell to view the status of the DKIM keys.

  • Note: Latest status on 2025-04-25 at 07:00 GMT+07.

    Domain                  Status
------                  ------
bhf-th.org              Rotating keys for this domain and signing DKIM signatures.
shoklo-unit.com         Signing DKIM signatures for this domain.
tbhf.onmicrosoft.com    Signing DKIM signatures for this domain.
    Domain                  Host Name               Value
------                  ---------               -----
bhf-th.org              selector1._domainkey    selector1-bhfth-org0i._domainkey.tbhf.onmicrosoft.com
bhf-th.org              selector2._domainkey    selector2-bhfth-org0i._domainkey.tbhf.onmicrosoft.com
shoklo-unit.com         selector1._domainkey    selector1-shoklounit-com01e._domainkey.tbhf.onmicrosoft.com
shoklo-unit.com         selector2._domainkey    selector2-shoklounit-com01e._domainkey.tbhf.onmicrosoft.com
tbhf.onmicrosoft.com    selector1._domainkey    selector1-tbhf-onmicrosoft-com._domainkey.tbhf.onmicrosoft.com
tbhf.onmicrosoft.com    selector2._domainkey    selector2-tbhf-onmicrosoft-com._domainkey.tbhf.onmicrosoft.com

4.1. Rotate DKIM Keys

  • Select the bhf-th.org domain.

  • Select the shoklo-unit.com domain.

5. Enhanced Filtering For Connectors

  • Select Email & collaboration > Policies & rules > Threat policies > Enhanced filtering.

  • Select the Mimecast to Microsoft 365 (Inbound) connector.

  • Choose Skip these IP addresses that are associated with the connector.

  • Add the following 10 IP addresses as at 2025-06-04 for Europe (Excluding Germany) that can be found at Administration - Data Centers & URLs in the Always allow messages from the following IP addresses or address range field.

    193.7.204.0/24, 193.7.205.0/24, 195.130.217.0/24, 91.220.42.0/24, 185.58.84.0/24,

    185.58.85.0/24, 185.58.86.0/24, 185.58.87.0/24, 207.82.80.0/24, 146.101.78.0/24

  • Choose Apply to entire organization.

  • Click Save.

    ○ Disable Enhanced Filtering for Connectors
○ Automatically detect and skip the last IP address
● Skip these IP addresses that are associated with the connector:

193.7.204.0/24  193.7.205.0/24  195.130.217.0/24
91.220.42.0/24  185.58.84.0/24  185.58.85.0/24
185.58.86.0/24  185.58.87.0/24  207.82.80.0/24
146.101.78.0/24

● Apply to entire organization
○ Apply to a small set of users

6. Quarantine Emails

6.1. Release Message

  • Select Email & collaboration > Review > Quarantine.

  • Select quarantine message(s) you need to release.

  • Click Release message.

  • Check Report messages to Microsoft for analysis.

  • Choose Release messages to all recipients.

  • Click Release message.

  • Click Close.

  • Select Account manager > Sign out.

  • Close Browser.