Forum Discussion

LeonPavesic's avatar
LeonPavesic
Silver Contributor
Jul 05, 2023

Phish delivered due to an ETR override - Best Practice

Hello,

we are recieving some informational Phish delivered due to an ETR override alerts from Microsoft on a daily basis. We have a Mailqueue für Mail-Blacklist (Set the spam confidence level (SCL) to '-1') turned on at these alerts are created regarding this rule, which alllows some (considered phishing emails) to be delivered to the Inbox of users, but in deleted folder (if I got it right).

Our environment is hybrid (Exchange 2016 + Exchange Online) and we third party solution for blacklisting (blocking) spam and phishing emails.

What is the best practice regarding these alerts. Do we need to check them one by one and block the sender if it is phishing?

Kindest regards

Leon

 

  • What is the ETR causing the override? You are setting SCL=-1 to messages classified as phish, hence the alert, and thus delivery of these messages.
  • What is the ETR causing the override? You are setting SCL=-1 to messages classified as phish, hence the alert, and thus delivery of these messages.

Resources