Markus_Strickler
Mar 22, 2023
Solved

Did the new 'Secure by default' EOP / Defender for Office feature get out of control?

Hello - we're currently seeing an unprecedented flood of legitimate emails getting classified as SPAM and moved to quarantine. Even internal, hybrid mail flow is affected and gets SCL:5 scores across...
  • FcoManigrasso
    Mar 23, 2023

    Hi Markus_Strickler,

    Regarding the internal hybrid mailflow marked as SCL:5, this is because: https://www.microsoft.com/en-sg/microsoft-365/roadmap?filters=&searchterms=117487

    You can check details from Message Center: MC522476

    "Description
    We will be updating the way intra-organizational SCL ratings are assigned for intra-organizational messages. This message is associated with Microsoft 365 Roadmap ID 117487.

    [When this will happen:] Changes to logging intra-organizational messages will begin rolling out in early April and is expected to be complete by late June.

    [How this will affect your organization:] All intra-organizational messages are currently marked with SCL -1 (bypass spam filtering). The updated method will assign an SCL rating based on the content and type of intra-organizational message. The ratings are SCL 1 for non-spam and SCL 5 through 9 for spam. This change will not change the way the messages are delivered. This document describes the updated function of the SFV:SKI field in the X-Forefront-Antispam-Report.

    [What you need to do to prepare:] At this time, there are no additional actions for admins to take. Changes to intra-organizational message logging will be reflected in Threat Protection Status (TPS) and Mail Flow reports."

    I'd suggest checking the configuration of your custom Threat Policies, and you can also create a TR to adapt the SCL level for your IntraOrg messages.

    Let's see if MS comes back with more info about this situation.
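
The SCL scheme quoted in the reply above can be checked against message headers. The following is an added example, not part of the thread and not Microsoft code: it parses `X-Forefront-Antispam-Report` from constructed sample messages and flags mail that carries `SFV:SKI` together with SCL 5 through 9. Treating `SFV:SKI` as the intra-organizational marker is an assumption, as are the names `parse_antispam_report`, `classify`, `needs_review` and `SAMPLES`.

```python
from email import message_from_string

# Constructed sample messages (not real traffic); addresses and values are made up.
SAMPLES = {
    "intra_spam": ("From: alice@contoso.example\nTo: bob@contoso.example\n"
                   "X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;SCL:5;\n"
                   " SRV:;SFV:SKI;CAT:NONE;\n\nbody\n"),
    "intra_clean": ("From: alice@contoso.example\n"
                    "X-Forefront-Antispam-Report: SCL:1;SFV:SKI;\n\nbody\n"),
    "legacy_bypass": ("From: alice@contoso.example\n"
                      "X-Forefront-Antispam-Report: SCL:-1;SFV:SKI;\n\nbody\n"),
    "no_header": "From: carol@fabrikam.example\n\nbody\n",
}

def parse_antispam_report(value):
    """Split the 'KEY:value;KEY:value;' header into a dict (keys upper-cased)."""
    fields = {}
    for part in value.split(";"):
        # Split on the first ':' only, since values (e.g. IPv6 in CIP) may contain ':'.
        key, sep, val = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields

def classify(raw_message):
    """Return (scl, intra_org, verdict) using the SCL scheme quoted from MC522476."""
    report = message_from_string(raw_message).get("X-Forefront-Antispam-Report")
    if report is None:
        return (None, False, "no-report")
    fields = parse_antispam_report(report)
    try:
        scl = int(fields["SCL"])
    except (KeyError, ValueError):
        return (None, False, "no-scl")
    intra_org = fields.get("SFV") == "SKI"  # assumption: SKI marks intra-org mail
    if scl == -1:
        verdict = "bypass"
    elif scl == 1:
        verdict = "non-spam"
    elif 5 <= scl <= 9:
        verdict = "spam"
    else:
        verdict = "unlisted"  # value not covered by the quoted notice
    return (scl, intra_org, verdict)

def needs_review(raw_message):
    """True for intra-org messages rated SCL 5-9, the case raised in this thread."""
    _, intra_org, verdict = classify(raw_message)
    return intra_org and verdict == "spam"
```

Running `needs_review` over exported headers from quarantined internal mail shows which messages were affected by the rating change rather than by a custom policy.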
