Forum Discussion
OriginalFromAddress is different, yet ATP not blocking
Hi Guys,
We got a phishing attempt sent from someone.
The header analysis shows that the OriginalFromAddress is different.
Is there a way to block emails where the OriginalFromAddress is different than the From?
Here's the data example:
<root>
  <MEP Name="SourceContext" String="0xxxx"/>
  <MEP Name="MailboxServer" String="xxx.eurprd04.prod.outlook.com"/>
  <MEP Name="DeliveryPriority" String="Normal"/>
  <MEP Name="TotalLatency" Integer="3"/>
  <MEP Name="ReturnPath" String="email address removed for privacy reasons"/>
  <MEP Name="ClientName" String="xxx.eurprd04.prod.outlook.com"/>
  <MEP Name="CustomData" Blob="S:PrioritizationReason=EnvelopePriority;S:OriginalFromAddress=email address removed for privacy reasons"/>
  <MEP Name="SequenceNumber" Long="0"/>
  <MEP Name="RecipientReference" String=""/>
</root>
1 Reply
- Ash_Gardiner (Iron Contributor)
Hi bennybarak,
This article explains one way to address this issue.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-block-sender-lists-in-office-365?view=o365-worldwide
Please note the guidance in the document - "While you can use organization-wide block settings to address false negatives (missed spam), you should also submit those messages to Microsoft for analysis. Managing false negatives by using block lists significantly increases your administrative overhead."
This link explains the process for reporting false negatives to Microsoft.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft?view=o365-worldwide
Hope this helps. Thanks, Ash
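
For triage of event data like the sample in the question, the sketch below is an added example (not part of the thread and not Microsoft tooling) that parses the `MEP` properties and the `CustomData` blob and flags when `OriginalFromAddress` differs from the visible From address. The function names are hypothetical, the sample event and addresses are constructed, and it assumes the header From value is supplied separately, since the event data shown does not contain it.

```python
import xml.etree.ElementTree as ET
from email.utils import parseaddr

# Constructed sample in the same shape as the event data in the question;
# host names and addresses are made up.
SAMPLE_EVENT = (
    '<root>'
    '<MEP Name="MailboxServer" String="mbx01.example.prod.outlook.com"/>'
    '<MEP Name="ReturnPath" String="bounce@mailer.example.net"/>'
    '<MEP Name="CustomData" Blob="S:PrioritizationReason=EnvelopePriority;'
    'S:OriginalFromAddress=bounce@mailer.example.net"/>'
    '<MEP Name="SequenceNumber" Long="0"/>'
    '</root>'
)


def parse_event(xml_text):
    """Return {property name: value} for every MEP element."""
    props = {}
    for mep in ET.fromstring(xml_text).iter("MEP"):
        # The value sits in a type-named attribute (String, Integer, Long, Blob).
        value = next((v for k, v in mep.attrib.items() if k != "Name"), "")
        props[mep.get("Name")] = value
    return props


def parse_custom_data(blob):
    """Split 'S:key=value;S:key=value' into a dict, dropping the type prefix."""
    fields = {}
    for item in filter(None, blob.split(";")):
        key, _, value = item.partition("=")
        fields[key.split(":", 1)[-1]] = value
    return fields


def sender_mismatch(xml_text, header_from):
    """Compare the visible From address with the addresses in the event."""
    props = parse_event(xml_text)
    custom = parse_custom_data(props.get("CustomData", ""))
    # parseaddr drops any display name and angle brackets.
    norm = lambda a: parseaddr(a or "")[1].lower()
    original, shown = norm(custom.get("OriginalFromAddress")), norm(header_from)
    return {
        "original_from": original,
        "return_path": norm(props.get("ReturnPath")),
        "header_from": shown,
        "address_mismatch": bool(original) and original != shown,
        "domain_mismatch": bool(original)
        and original.rpartition("@")[2] != shown.rpartition("@")[2],
    }
```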