Process: Mail Flow (Transport) Rule in Exchange

Mail flow rules are like the Inbox rules that are available in Outlook and Outlook on the web (formerly known as Outlook Web App). The main difference is mail flow rules act on messages while they're in transit, not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies. More details on Mail flow rule Mail flow rules (transport rules) in Exchange Online | Microsoft Learn

While dealing with a phishing incident, we will focus on how to "Block Individual Email Addresses" or "Block Domain Lists."

Block Individual Email Address

Navigate to the Exchange Admin Centre (EAC) URL: https://admin.exchange.microsoft.com.
Access the Mail Flow Rules Section. In the EAC, go to the left-hand navigation pane, and click on "Mail flow" section. Then, click on the "Rules" tab in the Mail Flow section. This will load all the mail flow (transport) rules in the Exchange Admin Centre

3. To block an individual email address, click on the Block Individual Email Address rule. This will open a new pane with details about the rule.

4. Click on Edit rule conditions as highlighted in the image above. The following details about the rule load:

5. Click on the pen icon, which is next to the list of email addresses under "The Sender is" which is highlighted above. This will load all the email addresses that are already on the block list. Scroll to the end of the list and add the email address that needs to be blocked in the User name here textbox highlighted below.

6. Once the email address is added, click on + Save just below it and Save button at the bottom.

7. Save the rule, and you will see the following notification:

8. The email address will be added to the block list. To check if the email address has been added to the block list, click on Edit Rules, and confirm the email address is on the list.

Block Domain

1. To block a domain, click on Block Domain List and follow the same process as for blocking individual email addresses.

2. Click on Edit rule conditions, which will open a pane with a list of domains that have already been added to the list. To block a domain, click on Edit rule conditions as highlighted in the image below:

3. Specify a domain you want to block and click on the "Add" button and then the "Save" button at the bottom of the page.

4. Click on Save Rule, and you will see the following notification, as shown in the image below. The domain will be added to the block list. To check if the domain has been added to the block list, click on Edit Rules, and confirm the domain is on the list.