Managing false positives should be easy
As cyber security becomes a crucial part of the day-to-day activities of every organization, it becomes vital to allow different organizations to customize t...
@VNJoe I now see what you mean. Contrary to what I said in my last post about this being customizable, you are correct in saying that no, it isn't. When I attempt to edit the Actions for my inbound anti-spam policies, if I change High Confidence Phishing to Move to Junk, I get this:
The learn more link is this: Secure by default in Office 365 where in there it indeed shows some false information about High Confidence Phishing specifically:
"Microsoft 365 organizations with mailboxes in Exchange Online are protected by Exchange Online Protection (EOP). This protection includes:
- Email with suspected malware will automatically be quarantined. Whether recipients are notified about quarantined malware messages is controlled by the quarantine policy and the settings in the anti-malware policy. For more information, see Configure anti-malware policies in EOP.
- Email identified as high confidence phishing will be handled according to the anti-spam policy action. See Configure anti-spam policies in EOP."
The second bullet fails to mention the behavior shown in the screenshot. The article's last updated date is 2022-03-23, but the blue info box at the top of the page does say:
"Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here."
It could stand to be corrected and clarified for sure, I agree.
I didn't see the point covered earlier by AndAufVCG (until after my reply to you), where even when you set the action for High Confidence Phishing to Quarantine but then assign a notifications-enabled Quarantine policy that has the Request to Release permission, it won't then trigger a notification. This does seem to be a big miss. The default behavior by Microsoft since the rollout of the Quarantine notifications was set so that the High Confidence Phish is Quarantined and the AdminAccessOnlyPolicy assigned, which I do agree requires administrators to monitor the quarantine or have users find out through some other means that they missed a message and contact IT. So it's treated exactly like malware. These are fair points.
The part about the scoring being off is also a fair point. All I will say, though, is that there is a lot of room for error on the sending and receiving sides, all of which factors into the score. In most companies you can find something that needs to be addressed in the mail flow chain somewhere: the things I mentioned, or maybe settings on a downstream IPS or other MX service in front of EOP, etc. A company not doing SPF or DKIM out of principle is probably not going to help its emails' delivery success with that move.
Anyhow, at this point I'm not disagreeing with the points you guys have raised.
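The gap discussed in this thread (a High Confidence Phish verdict quarantined under a policy that looks notification-enabled, yet no user notification is sent) is easy to miss because the verdict-to-quarantine-policy mapping is spread across two policy objects. The following PowerShell audit is an added example and is not code from the thread or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that you hold a role able to read anti-spam and quarantine policies, and that the property names on Get-HostedContentFilterPolicy (the per-verdict *Action and *QuarantineTag properties) and Get-QuarantinePolicy (ESNEnabled) are as documented. It lists, per anti-spam policy and verdict, the action, the assigned quarantine policy and whether that policy has end-user notifications enabled, and flags the two situations raised above: High Confidence Phish mapped to a notifying policy (where, per the thread, no notification fires anyway) and any quarantined verdict whose policy does not notify (so an admin has to watch the quarantine).

```powershell
# Added audit example (not from the thread). Assumptions: ExchangeOnlineManagement
# module installed; read access to anti-spam and quarantine policies; the property
# names below match the cmdlet output as documented.
Connect-ExchangeOnline

# Verdict -> (action property, quarantine tag property) on the anti-spam policy.
$verdicts = @{
    'Spam'                = @('SpamAction',                'SpamQuarantineTag')
    'HighConfidenceSpam'  = @('HighConfidenceSpamAction',  'HighConfidenceSpamQuarantineTag')
    'Phish'               = @('PhishSpamAction',           'PhishQuarantineTag')
    'HighConfidencePhish' = @('HighConfidencePhishAction', 'HighConfidencePhishQuarantineTag')
    'Bulk'                = @('BulkSpamAction',            'BulkQuarantineTag')
}

# Fetch quarantine policies once; ESNEnabled is the end-user notification switch.
$quarantinePolicies = Get-QuarantinePolicy

$report = foreach ($policy in Get-HostedContentFilterPolicy) {
    foreach ($verdict in $verdicts.Keys) {
        $actionProp, $tagProp = $verdicts[$verdict]
        $action = $policy.$actionProp
        $tag    = $policy.$tagProp
        $qp     = $quarantinePolicies | Where-Object { $_.Name -eq $tag }

        $notify = $null
        if ($qp) { $notify = [bool]$qp.ESNEnabled }

        # Notes reflect the two failure modes discussed in the thread.
        $note = ''
        if ($verdict -eq 'HighConfidencePhish' -and $notify) {
            $note = 'Thread reports no user notification is sent for this verdict'
        } elseif ($action -eq 'Quarantine' -and $qp -and -not $notify) {
            $note = 'Users are not notified; admins must monitor the quarantine'
        }

        [pscustomobject]@{
            AntiSpamPolicy   = $policy.Name
            Verdict          = $verdict
            Action           = $action
            QuarantinePolicy = $tag
            NotifyUsers      = $notify
            Note             = $note
        }
    }
}

$report | Sort-Object AntiSpamPolicy, Verdict | Format-Table -AutoSize
```

Run it after any change to the anti-spam or quarantine policies; a row for HighConfidencePhish carrying a note is the case this thread describes, and the fix on the operations side is to treat that verdict like malware and have someone actually review the quarantine rather than rely on end-user notifications.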