Microsoft Defender: Understanding Domains & Addresses vs URLs in the Tenant Allow/Block List


When working with Microsoft Defender for Office 365, one common point of confusion for security admins is the difference between the Domains & Addresses and URLs tabs in the Tenant Allow/Block List. At first glance, domains and URLs might seem interchangeable, but in practice Defender treats them very differently: one governs whether a message is delivered at all, the other governs what happens when a link inside a message is clicked.


1. Domains & Addresses

The Domains & Addresses list is for blocking or allowing:

  • Entire domains (e.g., boomchatweb.com)
  • Specific sender email addresses (e.g., johndoe@example.com)

Behavior:

  • If you block a domain, all email coming from that domain (and its subdomains) is affected.
    Example: Blocking boomchatweb.com also affects mail.boomchatweb.com.
  • If you block a specific address, only that exact email address is blocked — other users from the same domain may still get through.
  • Blocking here affects email flow, not just clickable links inside emails.
  • Microsoft applies the block/allow decision during email filtering (before the message lands in the mailbox), and verdicts can be set “up to malware” (meaning it overrides multiple security detections if necessary).

2. URLs

The URLs section is specifically for web addresses clicked inside email messages or Teams chats.

  • Example of a URL: https://boomchatweb.com/login?sessionid=123
  • Unlike domains, URLs can be very granular, allowing you to block a specific page or path without affecting the entire site.

Behavior:

  • Microsoft Safe Links scans the URL at click-time (when a user clicks it) and applies the allow/block decision.
  • Blocking a URL does not automatically block emails from the domain. The email may still be delivered, but the link will be blocked or redirected to a warning page.
  • Useful for phishing or credential-harvesting sites hosted on otherwise legitimate domains (e.g., blocking https://legitwebsite.com/phish without blocking https://legitwebsite.com entirely).

3. Why This Matters

Understanding the difference is crucial for security policy precision:

  • Domains & Addresses → Control who can send you email or from where emails can come. This impacts delivery.
  • URLs → Control whether a link is safe to visit when a user clicks on it. This impacts click behavior, not delivery.

Blocking a phishing site in URLs won’t stop the email from arriving, but blocking the domain in Domains & Addresses will stop the email itself before it reaches the inbox.


4. Microsoft Security Flow

When a suspicious message comes in:

  1. Email Filtering (Domains & Addresses) – Checks sender domain or address against block/allow rules before delivery.
  2. Content Scanning (Safe Links / URLs) – Scans embedded links when clicked, checking them against the URL block/allow list.
  3. Override Verdicts – Your allow/block decisions can override Microsoft’s built-in intelligence up to a specified level (e.g., up to phishing or malware).

💡 Pro Tip:
For full protection against a known malicious site, block it in both:

  • Domains & Addresses → Stops emails from that source.
  • URLs → Stops users from reaching the site if they encounter the link elsewhere.
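The same "block it in both lists" step, as an added example (not code from the original post) using the Exchange Online PowerShell cmdlets that back the Tenant Allow/Block List. The admin UPN, ticket reference, the specific phishing path and the wildcard URL entry are constructed for illustration; the domain is the one used throughout the post.

```powershell
# Added example: create matching block entries in both Tenant Allow/Block List tabs.
# Requires the ExchangeOnlineManagement module and a Security Administrator role.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # assumption: your admin UPN

$domain = "boomchatweb.com"                    # sender domain from the post
$url    = "https://boomchatweb.com/login"      # constructed: the specific phishing path

# 1. "Domains & Addresses" tab = -ListType Sender.
#    Stops mail from the domain (and its subdomains) during filtering, before delivery.
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $domain `
    -NoExpiration -Notes "Phishing sender domain, ticket INC-PLACEHOLDER"

# 2. "URLs" tab = -ListType Url.
#    Makes Safe Links block the link at click time, wherever the link turns up
#    (email, Teams). The specific path is blocked, plus a wildcard entry so links
#    on subdomains such as mail.boomchatweb.com are caught too (wildcard form assumed).
New-TenantAllowBlockListItems -ListType Url -Block -Entries $url, "*.$domain" `
    -NoExpiration -Notes "Phishing URL, ticket INC-PLACEHOLDER"

# 3. Verify: confirm a Block entry now exists in each list for the value you expect.
Get-TenantAllowBlockListItems -ListType Sender -Block |
    Where-Object { $_.Value -eq $domain }
Get-TenantAllowBlockListItems -ListType Url -Block |
    Where-Object { $_.Value -like "*$domain*" }

Disconnect-ExchangeOnline -Confirm:$false
```

Use -ExpirationDate instead of -NoExpiration when the block should lapse automatically, and re-run the Get- checks after any change so the two lists do not drift apart.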
