O365 Inbound Email Blacklist Procedure

This admin procedure will provide background information on how to block an external user that is sending malicious emails your domain.

This article is intended for employees of organizations that use Sittadel's security. Additionally, there are some actions that can only be accomplished by those with administrative privileges.

Block List

The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override Threat Policy verdicts. In the case of creating a blacklist entry, if any item is detected that matches the criteria of the entry it will be blocked outright before any threat policy analyzing takes place.


Procedure ScopeAdministrators

Required Group MembershipAdmin.EmailSecurity


Blacklisting a Held Inbound Email

  1. Navigate to Email Quarantine – O365 Defender, locate the held email that includes the domain you wish to blacklist. Selecting the email will generate a pop-up that will have all the details of the hold, select the Three Dots followed by Block Sender. If this mail isn’t coming from a trusted sender, you can add this domain to a blacklist to prevent future mail being received.
  2. A confirmation pop-up will be displayed detailing the process of adding a domain to a blocked list and how their messages will be handled moving forward. Select Block to finalize the Blacklisting process.

You're Finished!

You should have successfully blacklisted the external sender from sending mail inbound, further investigation can be done to determine next steps. For any other problems or questions, reach out to us!