Forum Discussion
Anti-Phishing Policy and Quarantined Messages
Hi Raechel Moermond!
A few things of note here that may shed light:
1. The Anti-Phish policy is evaluated before the Anti-Spam policy. As such, if a message triggers a match on the Anti-Phish policy, users' whitelists and org-wide whitelists in an Anti-Spam policy won't take effect.
2. Since you have an E3 license, but not ATP (I'm assuming you don't have ATP?), the Anti-Phish policy is actually only an "Anti-Spoof" policy. What that means is that Spoof Intelligence kicks in and uses various signals in the message to determine if it's allowed to spoof or not. Sender authentication failure is a big one. You can use the Get-PhishFilterPolicy command to pull the Spoof Intelligence results and then use Set-PhishFilterPolicy to adjust them for your org.
So if you see emails going to quarantine that shouldn't because of the Anti-Phish policy (*hint - check the X-Forefront-Antispam-Report header for two clues to see if the Anti-Phish policy took effect - a) SCL of 5 or 9, usually 5, and b) CAT:SPOOF at the end of the header), use the Set-PhishFilterPolicy to set the Allowed to spoof setting to "Yes".
Hope that helps!!
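
The header check described in the reply above can be scripted for triaging exported quarantine messages. This is an added example, not part of the original post; the function names and the sample messages are constructed for illustration, and it assumes each message is available as raw RFC 5322 text.

```python
import re
from email import message_from_string
from email.policy import default

HEADER = "X-Forefront-Antispam-Report"

def parse_report(value):
    """Split 'KEY:value;KEY:value;' into a dict; only the first colon separates key and value."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields

def spoof_verdict(raw_message):
    """Report whether a raw message shows both clues: SCL of 5 or 9 and CAT:SPOOF."""
    value = message_from_string(raw_message, policy=default).get(HEADER)
    if value is None:
        return {"header_present": False, "scl": None, "cat": None, "spoof_match": False}
    fields = parse_report(str(value))
    scl_text = fields.get("SCL", "")
    scl = int(scl_text) if re.fullmatch(r"-?\d+", scl_text) else None
    cat = fields.get("CAT")
    return {"header_present": True, "scl": scl, "cat": cat,
            "spoof_match": scl in (5, 9) and cat == "SPOOF"}

# Constructed sample messages (not real mail); the header is folded across two lines.
SPOOF_MSG = (
    "From: ceo@example.com\n"
    "To: user@example.com\n"
    "Subject: constructed sample\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;\n"
    " IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:SPOOF;\n"
    "\n"
    "body\n"
)
CLEAN_MSG = (SPOOF_MSG.replace("SCL:5", "SCL:1")
             .replace("SFV:SPM", "SFV:NSPM")
             .replace("CAT:SPOOF", "CAT:NONE"))

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF_MSG), ("clean", CLEAN_MSG)):
        print(name, spoof_verdict(raw))
```

The parser reads fields by name rather than by position, so it still matches when other fields follow CAT in the header.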