Query Details
// https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/strengthening-email-ecosystem-outlook%e2%80%99s-new-requirements-for-high%e2%80%90volume-senders/4399730
EmailEvents
| where Timestamp > ago(3d) // Enforcement started on 5th May 2025
| where EmailDirection == "Inbound"
| where DeliveryAction == "Blocked"
| where DeliveryLocation == @"Failed"
| where SenderFromAddress == @"[email protected]"
| summarize RejectionCount=count() by RecipientEmailAddress // Impacted Users
| sort by RejectionCount desc
This query is designed to analyze email events in order to identify recipients who have had emails blocked from a specific sender, "[email protected]," over the past three days. Here's a simple breakdown of what the query does:
Data Source: It looks at the EmailEvents table.
Time Frame: It filters the data to include only events from the last three days.
Email Direction: It focuses on inbound emails, meaning emails coming into the system.
Delivery Action: It selects only those emails that were blocked.
Delivery Location: It further narrows down to emails that failed to be delivered.
Sender: It specifically looks at emails sent from "[email protected]."
Summarization: It counts how many times emails were rejected for each recipient email address.
Sorting: Finally, it sorts the results to show the recipients with the highest number of blocked emails at the top.
In essence, this query helps identify which users are most affected by blocked emails from a specific sender over the past three days.
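The same filters can be widened from one hard-coded sender to every blocked sender domain, which shows where rejections concentrate and which SPF, DKIM and DMARC verdicts accompanied them. This is an added example, not part of the original query. It assumes the AuthenticationDetails column holds a JSON object with SPF, DKIM and DMARC keys, and the 5-rejection threshold is an arbitrary illustrative value.

```kusto
// Added example: blocked inbound mail grouped by sender domain, with auth verdicts.
EmailEvents
| where Timestamp > ago(3d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Blocked"
| where DeliveryLocation == "Failed"
// Assumption: AuthenticationDetails is JSON such as {"SPF":"pass","DKIM":"fail",...}
| extend Auth = parse_json(AuthenticationDetails)
| extend SPF = tostring(Auth.SPF), DKIM = tostring(Auth.DKIM), DMARC = tostring(Auth.DMARC)
| summarize
    RejectionCount = count(),
    ImpactedUsers = dcount(RecipientEmailAddress),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SPFVerdicts = make_set(SPF),
    DKIMVerdicts = make_set(DKIM),
    DMARCVerdicts = make_set(DMARC)
    by SenderFromDomain
// Illustrative threshold: hide domains with only a handful of rejections
| where RejectionCount >= 5
| sort by RejectionCount desc
```

A domain with many impacted users and non-passing verdicts is a candidate for follow-up with the sender; the verdict sets describe the blocked messages and do not by themselves establish why each one was rejected.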

Steven Lim
Released: May 8, 2025