How to Block Phishing Emails on Outlook: Practical Steps to Reduce Risk in 2026

Written by: Abigail Ivy
Published on:

Phishing attacks keep targeting Microsoft Outlook users because email remains the easiest way to steal credentials, deliver malware, and trick people into urgent action.

This guide explains how to block phishing emails on Outlook with practical settings, reporting tools, and habits that make suspicious messages less likely to reach you.

Why phishing emails keep getting through Outlook

Outlook is designed to deliver messages quickly, which means it sometimes has to make a judgment call between useful mail and harmful mail.

Attackers exploit this by using lookalike sender addresses, fake Microsoft branding, urgent language, and malicious links that lead to credential harvesting pages or infected attachments.

Phishing campaigns often bypass simple filters because they are sent from compromised legitimate accounts, rotating domains, or cloud-based services that appear trustworthy at first glance.

That is why blocking one sender is only part of the solution; layered filtering and consistent user reporting matter just as much.

How to block phishing emails on Outlook using the built-in Block feature

If a sender repeatedly sends suspicious messages, the simplest first step is to block that address directly in Outlook.

Blocking stops future mail from that sender from reaching your inbox, although it will not stop a determined attacker from changing domains or addresses.

In Outlook on the web

  • Open the suspicious message.
  • Select the More actions menu.
  • Choose Block sender or Block.
  • Confirm the action if prompted.

This tells Outlook to route future mail from that sender away from your inbox.

If the sender uses multiple identities, you may need to block each one individually.

In the Outlook desktop app

  • Right-click the message.
  • Select Junk.
  • Choose Block Sender.
  • Review the Junk Email Options if needed.

On Microsoft 365 and Outlook for Windows, blocked senders are handled through the junk email list, which can be managed from the Ribbon or settings menu depending on your version.

How to mark phishing emails as junk or phishing?

Blocking a sender helps with one source, but reporting the message as junk or phishing improves Outlook’s filtering for future threats.

This is especially important for messages that use spoofed branding, a fake invoice, or a cloned login page.

  • Mark as Junk when the message is unwanted or clearly spam-like.
  • Mark as Phishing when the message tries to steal credentials, payment details, or personal data.
  • Delete after reporting so you do not accidentally click the message again later.

In many Microsoft 365 environments, the Report Message or Report Phishing add-in sends samples to Microsoft security systems and your organization’s administrators.

That feedback helps improve filters for everyone in the tenant.

Adjust Outlook junk email settings for stronger filtering

Outlook includes junk mail controls that can reduce how much phishing lands in your inbox.

These settings are not perfect, but they can significantly reduce low-quality spam and obviously malicious messages.

Use the Junk Email Options panel

Depending on your Outlook version, you can open Junk Email Options and select a stronger filtering level.

If available, choose the option that filters more aggressively without blocking critical business mail.

  • No Automatic Filtering: not recommended for most users.
  • Low: blocks obvious junk only.
  • High: catches more suspicious mail, but may require more review.

If you use Outlook for work, coordinate with your IT team before increasing filter strength too much, since aggressive settings can sometimes hide legitimate vendor or client mail.

Create Safe Senders and Safe Recipients lists carefully

Safe lists tell Outlook which senders should not be treated as junk.

This can improve deliverability for trusted contacts, but it should be used sparingly.

Adding too many addresses weakens protection and can let spoofed mail slip through if a trusted account is compromised.

Good candidates for safe lists include:

  • Your company’s verified internal domains
  • Trusted banks or service providers with stable sender domains
  • Key partners that regularly send legitimate mail

Avoid adding personal Gmail or consumer addresses unless you have a strong reason and can confirm the sender’s identity by another channel.

Use Microsoft Defender and security features if your account supports them

For Microsoft 365 users, Outlook often works alongside Microsoft Defender for Office 365, Exchange Online Protection, and anti-phishing policies.

These layers can identify impersonation attempts, malicious URLs, and suspicious attachments before they reach the inbox.

Common protections include:

  • Anti-phishing policies that detect display-name spoofing and domain impersonation
  • Safe Links that scan URLs at click time
  • Safe Attachments that analyze files for malware
  • Quarantine for high-risk messages

If you are an end user, you may not control these settings directly.

If you are an admin, verify that impersonation protection is enabled for executives, finance teams, and anyone handling password resets or payments.

What to do when phishing emails keep coming from different addresses

Attackers often rotate senders, so a single block may not solve the problem.

In that case, focus on patterns rather than only individual addresses.

  • Block the sender and the sending domain where possible.
  • Report each message as phishing so filters learn from it.
  • Inspect the subject line, display name, and reply-to address for repeated themes.
  • Ask your organization to create mail flow rules if the campaign targets multiple users.

For persistent attacks, an administrator may need to create transport rules, sender restrictions, or tenant-level blocks.

At the enterprise level, central filtering works better than relying on each person to block messages one by one.

How to protect your account after receiving a phishing message

Blocking phishing emails on Outlook is important, but account security should be checked if you already clicked a link or entered credentials.

A phishing email can still cause damage even if it is later blocked.

  1. Change your Microsoft account or work password immediately if credentials were entered.
  2. Enable multi-factor authentication if it is not already active.
  3. Review recent sign-in activity for unfamiliar locations or devices.
  4. Check inbox rules and forwarding settings for unauthorized changes.
  5. Scan the device with Microsoft Defender or another trusted antivirus tool.

Attackers sometimes create hidden inbox rules to forward incoming mail to external addresses or to delete security alerts.

Checking account rules is one of the fastest ways to catch post-compromise abuse.

Signs an email is phishing before you click anything

Outlook can block many threats, but user review is still essential.

Phishing emails often reveal themselves through subtle mistakes or pressure tactics.

  • Urgent requests to reset passwords, verify accounts, or pay invoices
  • Unexpected attachments, especially ZIP, HTML, or document files with macros
  • Sender addresses that almost match a real company domain
  • Links that point to unfamiliar domains or shortened URLs
  • Messages that ask you to bypass normal procedures

When in doubt, open a new browser tab and navigate to the service directly instead of clicking the email link.

For business messages, verify requests using a known phone number or internal chat tool.

Best practices for long-term Outlook phishing protection

If you want better results than basic blocking, combine several controls and habits.

Outlook is strongest when its filters, Microsoft security services, and user decisions all work together.

  • Keep Outlook and Microsoft 365 apps updated.
  • Use multi-factor authentication on every account that supports it.
  • Report suspicious mail instead of only deleting it.
  • Review blocked senders and junk settings regularly.
  • Train employees to recognize impersonation and urgency tactics.

These steps reduce exposure to credential theft, malicious macros, business email compromise, and fake support notices.

For organizations, security awareness training and policy-based controls make Outlook far safer than manual cleanup alone.