Deep Dive: Implementing CIS M365 v6 Control 2.1.15 (L1) – Ensure Outbound Anti-Spam Message Limits Are in Place

  • Writer: Kyle Cira
  • Dec 2
  • 5 min read

New in CIS M365 v6: Control 2.1.15 Outbound Message Limits

Business Email Compromise (BEC) continues to rise, and one of the easiest ways to prevent large-scale damage is to stop compromised mailboxes from sending excessive volumes of email.


The CIS Microsoft 365 Benchmark v6 introduces control 2.1.15 (L1) “Ensure outbound anti-spam message limits are in place”, which helps organizations contain abuse of compromised accounts and prevent domain-wide reputational damage.


This blog provides a full breakdown of why this control matters, how to implement it, and why Redeemer Cyber played a key role in bringing this control to CIS.


Why This Control Exists: Protecting Against Large-Scale Abuse


By default, Microsoft 365 allows mailboxes to send hundreds or even thousands of messages per day—far more than most users need. Attackers exploit this by taking over a single mailbox and immediately launching large-scale phishing or malware campaigns.


The consequences can be severe:


  • Microsoft may block your entire domain from sending email

  • Your cyber insurance carrier may deny coverage

  • Legal and financial liabilities may follow

  • Customer trust and organizational reputation may be damaged


Outbound message limits help stop this. By restricting how many messages a mailbox can send per hour or per day—and automatically blocking the mailbox if it exceeds those thresholds—you can dramatically reduce the blast radius of a compromised account.


Redeemer Cyber’s Role: We Helped Bring This Control Into CIS M365 v6


Giving Back to the Community

Redeemer Cyber believes cybersecurity expertise shouldn’t stop at client work. As found in Philippians 2:4, we believe in giving back to the community and using our God-given talent and experience to make a broader impact. Helping shape the CIS Microsoft 365 Benchmark—which is relied on by businesses, governments, and non-profits around the world—has been an incredible way to do that.


Philippians 2:3-5


"3 Let nothing be done through selfish ambition or conceit, but in lowliness of mind let each esteem others better than himself. 4 Let each of you look out not only for his own interests, but also for the interests of others. 5 Let this mind be in you which was also in Christ Jesus:"


Official Contributor to the CIS Microsoft 365 Benchmark

Over the years, our founder has submitted more than 60 accepted improvements to the CIS Microsoft 365 Security Benchmark, including:


  • New controls

  • Rationale enhancements

  • Impact refinements

  • Control hardening guidance


This ongoing work earned him recognition as one of only 17 officially credited contributors to the CIS M365 Benchmark globally.


Driving New Standards Forward

Control 2.1.15 — Ensure outbound anti-spam message limits are in place exists today largely because Redeemer Cyber proposed, justified, and successfully lobbied for it.


We advocated directly to CIS that outbound message limits are not merely helpful—they are essential for containing BEC incidents and protecting tenant reputation.


CIS agreed. This control is now officially included in CIS M365 Benchmark v6, and organizations worldwide will benefit from stronger, more realistic security requirements.


How to Implement CIS M365 v6 Control 2.1.15

Below is the full technical walk-through, exactly as a security engineer or administrator would need it.


Strategy


High-Level Overview

Business email compromise is one of the most common and costly attack types today. A compromised mailbox can be weaponized to send thousands of malicious emails to your customers, partners, and internal staff within minutes.


By default, Microsoft 365 mailboxes can send hundreds or even thousands of messages per day—far more than most users ever need. Implementing per-hour and per-day outbound message limits helps contain this risk by automatically blocking mailboxes that exceed normal thresholds.


Without this control in place, a single compromised account could:


  • Get your organization’s domain blacklisted from sending email

  • Trigger cyber insurance claim denials

  • Lead to legal and reputational fallout


To mitigate this, we’ll create three custom anti-spam outbound policies—for regular users, high-volume internal senders, and high-volume external senders—and begin with alert-only mode so you can fine-tune thresholds before enforcement.


Create Resources

The built-in “Anti-spam outbound policy (Default)” applies globally, but it doesn’t offer enough flexibility to target users. Instead, we’ll create three new policies.

  • Custom Anti-Spam Outbound Policy

    • Applies to the entire organization (target the domain).

  • Custom High-Volume Internal Anti-Spam Outbound Policy

    • For high-volume internal senders (e.g., departments authorized to email “All Employees”).

    • The limit should at least match the number of members in the “All Employees” group.

  • Custom High-Volume External Anti-Spam Outbound Policy

    • For teams like Sales or Marketing that legitimately send many external emails.

    • Ideally, these users should use a mass-mailing platform (e.g., SendGrid or Mailchimp).

  • We’ll also create the following two mail-enabled security groups. Each group is targeted by its own high-volume policy and excluded from the organization-wide policy:

    • high-volume inbound senders

    • high-volume outbound senders


Initial Configuration Steps

  1. Add the appropriate members to each mail-enabled security group.

  2. Using the steps below, create all three custom anti-spam outbound policies.

  3. Initially run all three policies in “No action, alert only” mode.

    • You should receive alert emails when users exceed thresholds.

    • If you don’t, either thresholds are too high, or the alert address is misconfigured.

    • Ensure you select recipients for the alert policies "Email sending limit exceeded", "Suspicious email sending patterns detected", and "User restricted from sending email."

  4. Adjust thresholds to accommodate normal business use.

  5. Once you’re confident in the limits, switch policies to “Restrict the user from sending mail.”

See: Configure outbound spam policies - Microsoft Defender for Office 365 | Microsoft Learn


To Unblock a Restricted User

If a user exceeds the limit, investigate first—this could indicate account compromise.

  1. Go to Security.microsoft.com

  2. Navigate to Email & Collaboration → Review → Restricted Entities

  3. Select the user

  4. Choose Unblock after completing your investigation and/or incident response
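The same review can be done from Exchange Online PowerShell. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, the account holds an Exchange admin role, and the sender address is a placeholder.

```powershell
# Added example: audit outbound spam policies against the post's thresholds and
# review the Restricted Entities list. Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline

# For the three limit settings, 0 means no custom limit is set (the tenant-wide
# service default applies), which is the state this control is meant to remove.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name,
        RecipientLimitExternalPerHour,
        RecipientLimitInternalPerHour,
        RecipientLimitPerDay,
        ActionWhenThresholdReached,
        AutoForwardingMode,
        @{ Name = 'Finding'; Expression = {
            if ($_.RecipientLimitExternalPerHour -eq 0 -or
                $_.RecipientLimitInternalPerHour -eq 0 -or
                $_.RecipientLimitPerDay -eq 0) { 'No limit set' }
            elseif ($_.ActionWhenThresholdReached -eq 'Alert') { 'Alert only (tuning phase)' }
            else { 'Limits enforced' } } } |
    Format-Table -AutoSize

# Senders currently blocked for exceeding a limit (the portal's Restricted Entities).
# Investigate each one before removing the block; a hit here may mean a compromised account.
Get-BlockedSenderAddress | Select-Object SenderAddress, Reason, CreatedDatetime

# Step 4 above, once investigation and incident response are complete (placeholder address):
# Remove-BlockedSenderAddress -SenderAddress 'user@contoso.example'
```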


Steps


Follow these steps to create and configure your outbound policies.

  1. Go to Security.microsoft.com

  2. Navigate to Email & Collaboration → Policies & rules → Threat policies → Anti-spam

  3. Select Create policy → Outbound

  4. Complete the following setup pages:

    • Name:

    • Description:

    • Next

    • Users / Groups / Domains:

      • Select “Exclude these users, groups, and domains” as needed.

    • Next → Protection settings → Next → Create


Policy Configuration Examples

1. Custom Anti-Spam Outbound Policy

  • Users / Groups / Domains:

    • Enter domain

    • Select “Exclude these users, groups, and domains”

    • Exclude the groups: "high-volume inbound senders" and "high-volume outbound senders"

  • External message limit: 100

  • Internal message limit: 100

  • Daily message limit: 100

  • Restriction: No action, alert only

  • Automatic forwarding rules: Select as appropriate (Note: “Off” and “Automatic” both disable forwarding.)

  • Notifications: Select: Notify these users and groups if a send is blocked due to sending outbound spam. Enter an appropriate recipient to receive this alert.


2. Custom High-Volume Internal Anti-Spam Outbound Policy

  • Users / Groups / Domains:

    • Select the group "high-volume inbound senders"

  • External message limit: 100

  • Internal message limit: 500

  • Daily message limit: 600

  • Restriction: No action, alert only

  • Automatic forwarding rules: Select as appropriate (Note: “Off” and “Automatic” both disable forwarding.)

  • Notifications: Select: Notify these users and groups if a send is blocked due to sending outbound spam. Enter an appropriate recipient to receive this alert.


3. Custom High-Volume External Anti-Spam Outbound Policy

  • Users / Groups / Domains:

    • Select the group "high-volume outbound senders"

  • External message limit: 500

  • Internal message limit: 100

  • Daily message limit: 600

  • Restriction: No action, alert only → Restrict the user from sending mail (once tuned)

  • Automatic forwarding rules: Select as appropriate (Note: “Off” and “Automatic” both disable forwarding.)

  • Notifications: Select: Notify these users and groups if a send is blocked due to sending outbound spam. Enter an appropriate recipient to receive this alert.
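The same three policies can be created from Exchange Online PowerShell, which is useful for repeatable deployment across tenants. This is an added example, not the post's own configuration; it assumes the ExchangeOnlineManagement module, an Exchange admin role, that the two mail-enabled security groups already exist, and placeholder values for the domain and alert recipient.

```powershell
# Added example: build the three outbound policies above with Exchange Online PowerShell.
# Portal-to-parameter mapping: External/Internal message limit -> RecipientLimit*PerHour,
# Daily message limit -> RecipientLimitPerDay, "No action, alert only" -> Alert,
# "Restrict the user from sending mail" -> BlockUser.
Connect-ExchangeOnline

$Domain        = 'contoso.example'                # placeholder: your accepted domain
$AlertTo       = 'secops-alerts@contoso.example'  # placeholder: notification recipient
$InternalGroup = 'high-volume inbound senders'    # groups named in the post (must exist)
$ExternalGroup = 'high-volume outbound senders'

$Policies = @(
  @{ Name = 'Custom Anti-Spam Outbound Policy';                      Ext = 100; Int = 100; Day = 100 }
  @{ Name = 'Custom High-Volume Internal Anti-Spam Outbound Policy'; Ext = 100; Int = 500; Day = 600 }
  @{ Name = 'Custom High-Volume External Anti-Spam Outbound Policy'; Ext = 500; Int = 100; Day = 600 }
)

foreach ($p in $Policies) {
    New-HostedOutboundSpamFilterPolicy -Name $p.Name `
        -RecipientLimitExternalPerHour $p.Ext `
        -RecipientLimitInternalPerHour $p.Int `
        -RecipientLimitPerDay $p.Day `
        -ActionWhenThresholdReached Alert `
        -AutoForwardingMode Off `
        -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $AlertTo | Out-Null
}
# Note: the post says to choose the forwarding mode as appropriate; Off is used here.

# Rules bind each policy to its senders. Lower Priority wins, so the group-scoped rules
# sit above the domain-wide rule, and the domain-wide rule also excludes both groups.
New-HostedOutboundSpamFilterRule -Name 'Custom High-Volume Internal Anti-Spam Outbound Rule' `
    -HostedOutboundSpamFilterPolicy 'Custom High-Volume Internal Anti-Spam Outbound Policy' `
    -FromMemberOf $InternalGroup -Priority 0

New-HostedOutboundSpamFilterRule -Name 'Custom High-Volume External Anti-Spam Outbound Rule' `
    -HostedOutboundSpamFilterPolicy 'Custom High-Volume External Anti-Spam Outbound Policy' `
    -FromMemberOf $ExternalGroup -Priority 1

New-HostedOutboundSpamFilterRule -Name 'Custom Anti-Spam Outbound Rule' `
    -HostedOutboundSpamFilterPolicy 'Custom Anti-Spam Outbound Policy' `
    -SenderDomainIs $Domain -ExceptIfFromMemberOf $InternalGroup, $ExternalGroup -Priority 2

# Step 5 of the initial configuration, once thresholds are tuned: move from alert-only to enforcement.
# Set-HostedOutboundSpamFilterPolicy -Identity 'Custom Anti-Spam Outbound Policy' -ActionWhenThresholdReached BlockUser
```

Run the alert-only phase long enough to cover a normal business cycle (month-end mailings, all-staff announcements) before switching any policy to BlockUser.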


Final Thoughts

Outbound message limits are one of the most effective safeguards against Business Email Compromise—and thanks to Redeemer Cyber’s direct contributions, this protection is now a standardized CIS requirement worldwide.


Implementing CIS M365 v6 control 2.1.15 protects your business from:


  • Domain blacklisting

  • Large-scale phishing attacks

  • Insurance headaches

  • Reputational damage


Want help implementing this control or aligning to all CIS M365 v6 controls? Redeemer Cyber’s Microsoft 365 Security services provide full coverage—161 controls from CIS and internal Redeemer Cyber benchmarks.


Schedule your M365 assessment or remediation today at www.redeemercyber.com.
