Forum Discussion
Office 365 threat Intelligence - PHISH emails getting delivered
What do the message headers show?
- Ivan Barros, Feb 20, 2019, Copper Contributor
Hi Vasil,
The messages were bumping between both internal and external recipients.
Can't get a hold of a header right now.
The real question is: if these emails were marked as phish, why did they get delivered in the first place?
Thanks.
- A_Boeing, Feb 20, 2019, Copper Contributor
Hi Ivan
We have a similar problem.
In our case, a user put order@amazon.de on his allowed sender list via Outlook > Junk > Never Block Sender.
The phishing mail spoofed the address order@amazon.de but clearly came from a different source than the header implied, which was recognized by threat protection. The allowed sender list of the user overrode the phishing rule.
Microsoft writes in this article:
"However, as currently implemented by Office 365, they are vulnerable to spoofing because they are simple string matches. Fortunately, as per above, we are making a change to not respect a user's safe sender if it fails authentication. Our recommendation is for users to add to safe senders when they want to receive email from someone specific."
That was 2017.
https://blogs.msdn.microsoft.com/tzink/2017/11/29/how-to-securely-add-a-sender-to-an-allow-list-in-office-365/
That might be a track on your case, too?!
Kind regards
André
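
The safe-sender behaviour described in the post above, as an added example that is not part of the original thread and not Microsoft's implementation: a plain string match on From next to a check that honours the allow-list entry only when the message passed DMARC. The gateway name mx.example.net, the function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SAFE_SENDERS = {"order@amazon.de"}      # user's allow list, as in the post above
TRUSTED_AUTHSERV = "mx.example.net"     # assumed: authserv-id of our own mail gateway

def make_msg(*auth_headers):
    """Build a constructed sample message claiming From: order@amazon.de."""
    lines = [f"Authentication-Results: {h}" for h in auth_headers]
    lines += ['From: "Amazon" <order@amazon.de>', "To: user@example.com",
              "Subject: Your order", "", "constructed body"]
    return "\n".join(lines)

SPOOFED = make_msg("mx.example.net; spf=fail smtp.mailfrom=bulk.example.org; "
                   "dkim=none; dmarc=fail header.from=amazon.de")
GENUINE = make_msg("mx.example.net; spf=pass smtp.mailfrom=amazon.de; "
                   "dkim=pass header.d=amazon.de; dmarc=pass header.from=amazon.de")

def from_address(msg):
    """Return the bare, lower-cased address from the From header."""
    return parseaddr(msg.get("From", ""))[1].lower()

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc verdicts, only from headers stamped by our gateway."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";", 1)[0].strip().lower() != TRUSTED_AUTHSERV:
            continue  # header added by someone else (possibly the sender): ignore
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts

def naive_allow(raw):
    """Simple string match on From: the behaviour the quoted article warns about."""
    return from_address(message_from_string(raw)) in SAFE_SENDERS

def authenticated_allow(raw):
    """Honour the safe-sender entry only when the message passed DMARC."""
    msg = message_from_string(raw)
    return from_address(msg) in SAFE_SENDERS and auth_verdicts(msg).get("dmarc") == "pass"

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, "naive:", naive_allow(raw), "authenticated:", authenticated_allow(raw))
```

Only an Authentication-Results header written by your own receiving gateway counts here; one carrying a different authserv-id is skipped, since the sender can put any header it likes into the message.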
- Ivan Barros, Feb 20, 2019, Copper Contributor
Hi Mate,
Seems interesting, but I don't think it's the same situation because in my case the emails were from distinct senders and recipients, including internal domain senders and recipients.
I'm just curious as to why Threat Intelligence is able to track something malicious within an email, but still allow said email to be delivered!
Thanks!