Ivan Barros
Feb 19, 2019

Office 365 threat Intelligence - PHISH emails getting delivered

Hey folks,

I need further enlightenment in order to understand why Office 365 threat Intelligence is allowing email that was identified as "PHISH" by detection technology to be delivered.

There's something here that might be the justification for this behavior:

https://docs.microsoft.com/en-us/office365/securitycompliance/investigate-malicious-email-that-was-delivered

"[...] there are times when an attacker could send mail to your users containing a URL and only later on make that URL point to malicious content (malware, etc.)[...]"

Is this the sole reason why around 300 emails apparently classified as PHISH were delivered in one of my managed tenants?

Thanks.

4 Replies

    • Ivan Barros

      Hi Vasil,

      The messages were bumping between both internal and external recipients.

      Can't get a hold of a header right now.

      The real question is: if these emails were marked as phish, why did they get delivered in the first place?

      Thanks.

      • A_Boeing

        Hi Ivan

        We have a similar problem.

        In our case a user put order@amazon.de on his allowed sender list via Outlook > Junk > Never Block Sender.

        The phishing mail spoofed the address order@amazon.de but clearly came from a different source than the header implied, which was recognized by threat protection. The allowed sender list of the user overrode the phishing rule.

        Microsoft writes in this article:

        "However, as currently implemented by Office 365, they are vulnerable to spoofing because they are simple string matches. Fortunately, as per above, we are making a change to not respect a user's safe sender if it fails authentication. Our recommendation is for users to add to safe senders when they want to receive email from someone specific."

        That was 2017.

        https://blogs.msdn.microsoft.com/tzink/2017/11/29/how-to-securely-add-a-sender-to-an-allow-list-in-office-365/

        That might be a track on your case, too?!

        Kind regards

        André
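
Added example, not written by any participant in this thread and not Microsoft's implementation: a small Python model of the difference the quoted article describes, comparing a safe-sender check that is a plain string match on the From address with one that also requires the message to have passed authentication. The sample message, the host names `mx.contoso.example` and `mailer.example.org`, and the choice of the DMARC verdict as the authentication signal are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the thread). Only the verdicts stamped
# by the receiving server differ between the two variants built below.
TEMPLATE = """\
Authentication-Results: mx.contoso.example; spf={v} smtp.mailfrom=mailer.example.org; dkim={v}; dmarc={v} header.from=amazon.de
From: "Amazon" <order@amazon.de>
To: user@contoso.example
Subject: Your order

(body omitted)
"""
SPOOFED = TEMPLATE.format(v="fail")
AUTHENTIC = TEMPLATE.format(v="pass")
SAFE_SENDERS = {"order@amazon.de"}  # the allowed sender entry described in the post

def from_address(raw):
    """Address in the visible From header, lower-cased."""
    return parseaddr(message_from_string(raw)["From"])[1].lower()

def auth_verdicts(raw):
    """Verdicts from Authentication-Results, e.g. {'spf': 'fail', ...}.
    Only meaningful when the header was added by your own receiving server."""
    verdicts = {}
    for header in message_from_string(raw).get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts

def allowed_by_string_match(raw, safe_senders):
    """Behaviour the quote describes: the From string alone decides."""
    return from_address(raw) in safe_senders

def allowed_if_authenticated(raw, safe_senders):
    """Honour the entry only if DMARC passed (assumed authentication signal)."""
    return (from_address(raw) in safe_senders
            and auth_verdicts(raw).get("dmarc") == "pass")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("authentic", AUTHENTIC)):
        print(name, auth_verdicts(raw),
              "string-match:", allowed_by_string_match(raw, SAFE_SENDERS),
              "auth-gated:", allowed_if_authenticated(raw, SAFE_SENDERS))
```

Run against message headers exported from a tenant, the same comparison shows which delivered messages matched a safe-sender entry while failing authentication.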