Part of maintaining high email security is teaching your users to identify and properly react to malicious emails, while other companies practice a more policy-based approach by completely blacklisting the malicious group.
This means that you need a strategy that is suitable for your situation, so that a user does not instantly end up in the group in a totally unpredictable way.
Microsoft’s email service, Exchange, has its own whitelist of accounts that are known as privileged, and those are the accounts that have a certain level of administrator rights that must be allowed access to all other privileged accounts. Other, less privileged accounts have a token that can be used for access to other privileged accounts.
The easiest way to get the right levels of access is to do some googling, which leads us to the top rule in the list:
Prioritize inbox protection with all accounts that have inbox protections enabled.
This means that if your environment uses different policy files for mailboxes that are really separate, only to different users, you should use the rules from the more restrictive policy files to protect your regular users, who don’t have any credentials that would be considered privileged.
Other ways to use malicious:
Keep it short and limited. If you have one malicious email account, do it as a single command. If you have 10, do it 10 times. If you have 1,000, do it 1,000 times. If your number of malicious emails is going up, or the number of clients grows, it becomes even more important to have good filtering options.
Companies like Fortinet recommend creating a rule that protects all malicious emails only on mailboxes with single-user privileges.
Use a name that is short and memorable so that there is no confusion.
On Windows systems, there is an application called Group Policy that is able to take all these considerations into account for you. This is in addition to the use of environment variables that are based on the policy settings.
Determine the policy you want to use: To create a policy that will automatically allow malicious emails only to the appropriate users, we must first identify what is being protected.
As you probably know, a user account is only considered privileged if it is a domain administrator account, an Exchange mail administrator account, or a Microsoft account.