Forum Discussion
Did the new 'Secure by default' EOP / Defender for Office feature get out of control?
Hello - we're currently seeing an unprecedented flood of legitimate emails getting classified as SPAM and moved to quarantine. Even internal, hybrid mail flow is affected and gets SCL:5 scores across the board. Organizations who used Junk Mail policies before and are unaware of quarantine keep missing important business emails.
The new overrides described in article https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide seem to explain that - but is this what Microsoft intended? The fallout is massive, and I find it unacceptable that carefully customized policies and exclusions are just overridden, with no opt-out possibility. Thanks for reconsidering this overly drastic measure.
4 Replies
- Carmanet, Copper Contributor
I am having this problem with 1 client since yesterday. Many valid emails are going to junk even though everything passes but SCL:5, and others to quarantine. Outgoing emails are also frequently ending up in destination junk mail or quarantine.
Anyone else?
Any solutions?
I have a ticket open with Microsoft since yesterday but no updates yet today. Wondering how many other clients I am going to have this happen to in the next few days.
- Markus_Strickler, Copper Contributor
As per this post in Service health, the issue has been resolved: https://admin.microsoft.com/AdminPortal/home#/servicehealth/:/alerts/EX530821
- FcoManigrasso, Iron Contributor
Hi Markus_Strickler,
Regarding the internal hybrid mailflow marked as SCL:5, this is because: Microsoft 365 Roadmap | Microsoft 365
You can check details from Message Center: MC522476
"Description

We will be updating the way intra-organizational SCL ratings are assigned for intra-organizational messages. This message is associated with Microsoft 365 Roadmap ID 117487.

[When this will happen:] Changes to logging intra-organizational messages will begin rolling out in early April and is expected to be complete by late June.

[How this will affect your organization:] All intra-organizational messages are currently marked with SCL -1 (bypass spam filtering). The updated method will assign an SCL rating based on the content and type of intra-organizational message. The ratings are SCL 1 for non-spam and SCL 5 through 9 for spam. This change will not change the way the messages are delivered. This document describes the updated function of the SFV:SKI field in the X-Forefront-Antispam-Report.

[What you need to do to prepare:] At this time, there are no additional actions for admins to take. Changes to intra-organizational message logging will be reflected in Threat Protection Status (TPS) and Mail Flow reports."

I suggest checking the configuration of your custom Threat Policies, and you can also create a TR to adapt the SCL level for your IntraOrg messages.
Let's see if MS comes back with more info about this situation.
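An added triage example, not part of any post in this thread: it parses the X-Forefront-Antispam-Report header and maps the SCL value onto the ratings quoted from MC522476 (-1 bypass, 1 non-spam, 5 through 9 spam), so internal mail that now scores as spam can be picked out of exported headers. The sample headers are constructed, and treating DIR:INT or SFV:SKI as the intra-organizational marker is an assumption.

```python
from email import message_from_string, policy

# Constructed sample headers for illustration; not taken from the thread.
SAMPLES = {
    "internal_legacy": "Subject: a\nX-Forefront-Antispam-Report: CIP:255.255.255.255;"
                       "CTRY:;LANG:en;SCL:-1;SFV:SKI;\n CAT:NONE;DIR:INT;\n\nbody\n",
    "internal_scl5": "Subject: b\nX-Forefront-Antispam-Report: CIP:255.255.255.255;"
                     "CTRY:;LANG:en;SCL:5;SFV:SKI;\n CAT:SPM;DIR:INT;\n\nbody\n",
    "internal_scl1": "Subject: c\nX-Forefront-Antispam-Report: SCL:1;SFV:SKI;DIR:INT;\n\nbody\n",
    "inbound_scl5": "Subject: d\nX-Forefront-Antispam-Report: CIP:203.0.113.7;"
                    "SCL:5;SFV:SPM;CAT:SPM;DIR:INB;\n\nbody\n",
    "no_report": "Subject: e\n\nbody\n",
}

def parse_report(raw_message):
    """Return the X-Forefront-Antispam-Report fields as a dict (keys upper-cased)."""
    msg = message_from_string(raw_message, policy=policy.default)
    report = str(msg.get("X-Forefront-Antispam-Report", ""))  # folded lines are unfolded
    fields = {}
    for part in report.split(";"):
        key, sep, value = part.strip().partition(":")  # first colon only (IPv6 in CIP)
        if sep:
            fields[key.upper()] = value.strip()
    return fields

def triage(raw_message):
    """Classify one message by the SCL ratings described in MC522476."""
    fields = parse_report(raw_message)
    try:
        scl = int(fields["SCL"])
    except (KeyError, ValueError):
        scl = None
    # Assumption: DIR:INT or SFV:SKI marks the message as intra-organizational.
    intra_org = fields.get("DIR") == "INT" or fields.get("SFV") == "SKI"
    if scl is None:
        verdict = "unknown"
    elif scl == -1:
        verdict = "bypass"      # behaviour before the change
    elif scl == 1:
        verdict = "non-spam"
    elif 5 <= scl <= 9:
        verdict = "spam"
    else:
        verdict = "other"
    return {"intra_org": intra_org, "scl": scl, "verdict": verdict,
            "review": intra_org and verdict == "spam"}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Messages returned with `review` set to True are the internal ones to compare against custom policies or transport rules.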