ORCA (Office 365 ATP Recommended Configuration Analyzer)

Bulk Complaint Level threshold is between 4 and 6.

Exchange Online Protection (EOP) is enabled.

Spam filter policy settings configured.

Malware filter policy settings configured.

Phishing filter policy settings configured.

<URL> filtering policy settings configured.

Bulk is marked as spam.

Advanced Spam filter options are turned off.

Outbound spam filter policy settings configured.

High Confidence Phish action set to Quarantine message.

Safe Links Synchronous URL detonation is enabled.

Quarantine retention period is 30 days.

End-user spam notification is enabled.

DKIM signing is set up for all your custom domains.

DNS Records have been set up to support DKIM.

Senders are not being allow listed in an unsafe manner.

Internal Sender notifications are disabled.

Anti-phishing policy exists and EnableUnauthenticatedSender is true.

Anti-spoofing protection action is configured to Move message to the recipients' Junk Email folders in Anti-phishing policy.

AllowClickThrough is disabled in Safe Links policies.

No IP Allow Lists have been configured.

Mailbox intelligence based impersonation protection is enabled in anti-phishing policies.

Mailbox intelligence based impersonation protection action set to move message to junk mail folder.

Domains are not being allow listed in an unsafe manner in Anti-Spam Policies.

Domains are not being allow listed in an unsafe manner in Transport Rules.

Your own domains are not being allow listed in an unsafe manner in Anti-Spam Policies.

Your own domains are not being allow listed in an unsafe manner in Transport Rules.

Zero Hour Autopurge Enabled for Phish.

Zero Hour Autopurge Enabled for Malware.

Zero Hour Autopurge Enabled for Spam.

Supported filter policy action used.

Safe attachments unknown malware response set to block messages.

Spam action set to move message to junk mail folder or quarantine.

High Confidence Spam action set to Quarantine message.

Bulk action set to Move message to Junk Email Folder.

Phish action set to Quarantine message.

Safe Links Policies are tracking when user clicks on safe links.

Safe Attachments is enabled for SharePoint and Teams.

Safe Links is enabled intra-organization.

Anti-phishing policy exists and EnableSpoofIntelligence is true.

Safe Attachments is not bypassed.

Safe Links is not bypassed.

Common attachment type filter is enabled.

Advanced Phish filter Threshold level is adequate.

Mailbox intelligence is enabled in anti-phishing policies.

Domain Impersonation action is set to move to Quarantine.

User impersonation action is set to move to Quarantine.

Safe Documents is enabled for Office clients.

Each domain has a Safe Link policy applied to it.

Each domain has a Safe Attachments policy applied to it.

No trusted senders in Anti-phishing policy.

No trusted domains in Anti-phishing policy.

Each domain has a Anti-phishing policy applied to it, or the default policy is being used.

Each domain has a anti-spam policy applied to it, or the default policy is being used.

Each domain has a malware filter policy applied to it, or the default policy is being used.

Domains are pointed directly at EOP or enhanced filtering is used.

Domains are pointed directly at EOP or enhanced filtering is configured on all default connectors.

Click through is disabled for Safe Documents.

SPF records is set up for all your custom domains.

Safe Links is enabled for emails.

Safe Links is enabled for teams messages.

Safe Links is enabled for office documents.

No exclusions for the built-in protection policies.

Outlook is configured to display external tags for external emails.

Anti-phishing policy exists and EnableFirstContactSafetyTips is true.

Important protection alerts responsible for AIR activities are enabled.

Authenticated Receive Chain is set up for domains not pointing to EOP/MDO, or all domains point to EOP/MDO.

Policies are configured to honor sending domains DMARC.