Forum Discussion
Outgoing emails marked as SPAM and Phishing emails by O365 servers
Hi,
Since yesterday, all outgoing emails from our organization using Office365 (fully cloud) are being flagged as either spam or phishing email by Microsoft Outbound email servers. Due to this our Office365 user accounts are getting blocked every hour. We tried contacting Office365 support but they said they cannot help on outbound email spam settings as they do not have any control over the configurations. I spend more than an hour on the phone with the support person and at the end was asked to send 5 sample emails to not_junk@office365microsoft.com and wait for 48 hours. I told O365 support that each user who is blocked sends around 100 emails of which all of them are getting flagged as either spam or phishing email, so sending random samples will not help. No spam or phishing filter settings have been changed since months now so I can only think on some backend updates done by O365 team for tightening the spam filters.
I am not sure whom to contact or escalate this case now so I am posting it in this group to everyone expecting someone who might have experienced the same might help. Any help to resolve this issue will be much appreciated as our users are unable to send emails.
Thanks.
- Philippe_RAYNAUD (Copper Contributor)
ALV_Work We got exactly the same problem yesterday, I opened a ticket but Microsoft seems to have no clue about what happened.
We worked on it a while and this is what we could figure out about our case:
- It started around 7am CET and ended around 8pm CET
- It has nothing to do with SPF or whatever
- EOP was giving a SFV:SPM SCL:5 to outbound emails ONLY IF they were replies or forwards to external email addresses, so they were using the High Risk Delivery Pool and we were getting a BCC in our IT mailbox as our Outbound Spam Policy specifies it. I can see in your header that it was the same for you: DIR:OUT;SFP:1501;SCL:5
- When an external person was answering one of these emails, they were coming back with SFV:SPM and CAT:PHSH, so we got PLENTY of emails yesterday ending up in the junk folder
- Every Outbound Spam BCC in our IT mailbox arrived twice, the second time with a huge delay (6+ hours), and messages stayed in "Getting Status" for a very long time in traces, maybe because they were going through the High Risk Pool.
We didn't make any changes in our SPF or policies, it just randomly happened and ended.
I'm still waiting for an explanation from Microsoft.
- Rafmoerkens (Copper Contributor)
You might want to read the following article on the "health" tab in the office portal...
- Philippe_RAYNAUD (Copper Contributor)
Rafmoerkens Thanks for this, It doesn't appear in my portal, I only have the "EX176985 - Can't see message traces" ...
- ALV_Work (Copper Contributor)
Hi @Philippe_RAYNAUD,
All the scenarios mentioned by you are the same for me too. Got a lot of emails tagged as PHISH by the AntiSpam policy and all went into quarantine due to our Antispam settings. Had to release them manually to the users. Also we got a lot of duplicate emails sent as BCC to our IT email address since outgoing emails were getting tagged as SPAM. But now the issue seems to have stopped. Looks like the MS Team has reverted the changes.
- Rnishat0786 (Iron Contributor)
The issue seems quite strange. How did you know that MS Outbound servers are marking your emails as Spam? Secondly, I hope your domain is still able to send emails to other domains; if yes, could you share a message header so that I can analyze it.
- ALV_Work (Copper Contributor)
Hi Rnishat0786,
We have edited the default Outgoing Spam rule to copy messages flagged as spam to one of our internal email addresses. I have pasted the header from one such email (apparently we receive almost every outgoing email now) as requested. As you will notice, the Spam Confidence Level is set to 5 by Microsoft and the Phishing Level to 8 for this outgoing email from Office365. We do even have 2FA enabled for most users and never had any issue till yesterday.
Received: from AM6PR0602MB3589.eurprd06.prod.outlook.com
(2603:10a6:208:aa::49) by AM0PR0602MB3585.eurprd06.prod.outlook.com with
HTTPS via AM0PR06CA0072.EURPRD06.PROD.OUTLOOK.COM; Wed, 10 Apr 2019 17:13:40
+0000
Received: from VI1PR0601CA0005.eurprd06.prod.outlook.com
(2603:10a6:800:1e::15) by AM6PR0602MB3589.eurprd06.prod.outlook.com
(2603:10a6:209:e::26) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.19; Wed, 10 Apr
2019 17:13:39 +0000
Received: from VE1EUR01FT025.eop-EUR01.prod.protection.outlook.com
(2a01:111:f400:7e01::209) by VI1PR0601CA0005.outlook.office365.com
(2603:10a6:800:1e::15) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1792.14 via Frontend
Transport; Wed, 10 Apr 2019 17:13:39 +0000
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (52.101.129.90)
by VE1EUR01FT025.mail.protection.outlook.com (10.152.2.232) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:13:38 +0000
Received: from DB5EUR01FT040.eop-EUR01.prod.protection.outlook.com
(10.152.4.56) by DB5EUR01TH003.eop-EUR01.prod.protection.outlook.com
(10.152.4.138) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.16; Wed, 10 Apr
2019 17:10:53 +0000
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (52.101.131.59)
by DB5EUR01FT040.mail.protection.outlook.com (10.152.5.25) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:10:53 +0000
Authentication-Results: spf=none (sender IP is )
smtp.mailfrom=anna.mandia@gmsuae.com;
Received: from AM0PR0602MB3554.eurprd06.prod.outlook.com (52.133.46.17) by
AM0PR0602MB3523.eurprd06.prod.outlook.com (52.133.49.30) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1792.14; Wed, 10 Apr 2019 17:10:45 +0000
Received: from AM0PR0602MB3554.eurprd06.prod.outlook.com
([fe80::9162:6e5e:65c1:9944]) by AM0PR0602MB3554.eurprd06.prod.outlook.com
([fe80::9162:6e5e:65c1:9944%6]) with mapi id 15.20.1771.014; Wed, 10 Apr 2019
17:10:44 +0000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: Anna Mandia <anna.mandia@gmsuae.com>
To: Calum Berkley <calumberkley@aol.com>, "reservations@milansuites.com.sa"
<reservations@milansuites.com.sa>, "ayman@milansuites.com.sa"
<ayman@milansuites.com.sa>, IBIS Abu Dhabi Gate FO3 <H6949-FO3@accor.com>,
NOVOTEL Abu Dhabi Gate RE1 <H6948-RE1@accor.com>
CC: Paula Cercel <paula.cercel@gmsuae.com>, William Escondo
<william.escondo@gmsuae.com>, Amit Dagar <amit.dagar@gmsuae.com>
Subject: FW: Calum Berkley/Sharqi/12 Apr [Email Ref. #1457448]
Thread-Topic: Calum Berkley/Sharqi/12 Apr [Email Ref. #1457448]
Thread-Index: AQHU7g3sNf9KY9rzwEKdxrIlBbZyQaYySW2+gAAUiICAAtK0IA==
Date: Wed, 10 Apr 2019 17:10:44 +0000
Message-ID: <AM0PR0602MB35543E59377335E66B1F11119D2E0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
References: <AM0PR0602MB35549FA31C962DC1097B472A9D2C0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
<AM0PR0602MB3554B2DF88EFB2AD15FCC0699D2C0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
<46AED3F05A1011E9B957005056BF25F3@focalscope.com>
In-Reply-To: <46AED3F05A1011E9B957005056BF25F3@focalscope.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: 5
X-MS-TNEF-Correlator: <AM0PR0602MB35543E59377335E66B1F11119D2E0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
MIME-Version: 1.0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthSource: AM0PR0602MB3554.eurprd06.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-Originating-IP: [217.164.74.77]
X-MS-Exchange-Organization-Network-Message-Id: 1516fec6-bb59-4dad-acf3-08d6bdd77816
X-MS-PublicTrafficType: Email
Return-Path: anna.mandia@gmsuae.com
X-MS-Exchange-Organization-ExpirationStartTime: 10 Apr 2019 17:10:45.0518
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Office365-Filtering-Correlation-Id: 1516fec6-bb59-4dad-acf3-08d6bdd77816
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(49563074)(7193020);SRVR:AM0PR0602MB3523;BCL:0;PCL:8;RULEID:(3031054)(100001)(3032054)(3034054);SRVR:DB5EUR01TH003;
X-MS-TrafficTypeDiagnostic:
AM0PR0602MB3523:|AM0PR0602MB3523:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|AM6PR0602MB3589:
X-MS-Exchange-PUrlCount: 3
X-Microsoft-Antispam-PRVS: <AM0PR0602MB352364002DE092CC23D543D69D2E0@AM0PR0602MB3523.eurprd06.prod.outlook.com>
X-Forefront-PRVS: 00032065B2
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(136003)(39850400004)(396003)(346002)(366004)(376002)(199004)(189003)(9686003)(3846002)(236005)(52536014)(76176011)(4326008)(606006)(66066001)(25786009)(107886003)(102836004)(53546011)(6506007)(26005)(186003)(11346002)(476003)(71190400001)(66574012)(71200400001)(6116002)(790700001)(68736007)(486006)(44832011)(33656002)(5660300002)(5024004)(446003)(14444005)(97736004)(256004)(81156014)(81166006)(2201001)(54906003)(8936002)(8676002)(508600001)(14454004)(110136005)(7696005)(53946003)(2906002)(6306002)(2473003)(413944005)(99286004)(99936001)(316002)(229853002)(74316002)(7736002)(2501003)(105586002)(6436002)(733005)(106356001)(53936002)(55016002)(86362001)(54556002)(54896002)(59010400001);DIR:OUT;SFP:1501;SCL:5;SRVR:AM0PR0602MB3523;H:AM0PR0602MB3554.eurprd06.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
Received-SPF: None (protection.outlook.com: gmsuae.com does not designate
permitted sender hosts)
X-MS-Exchange-Organization-ExpirationInterval: 0:04:00:00.7865921
X-MS-Exchange-Organization-ExpirationIntervalReason: SpamEngine
X-MS-Exchange-AtpMessageProperties: sap=1;slp=1;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR0602MB3523
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR01FT040.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-Organization-ACSExecutionContext: 04/10/2019 17:10:53;04/10/2019
17:13:38;{"SubmissionInfo":{"SubmissionToken":"PFRva2VuIFRva2VuVHlwZT0iU3VibWlzc2lvblRva2VuIiBJZD0iYjAyN2FkZWYtYjM1Yi1lOTExLWIwNzYtOWNkYzcxNTBlYjYyIiBSb2xlPSJTdWJtaXR0ZXIiIEVuZHBvaW50PSJodHRwczovL0hFMVNFVTA0VFAxMDUuZW9wLXNldTA0LnByb2QucHJvdGVjdGlvbi5vdXRsb29rLmNvbS9zb25hcmFwaS8iIFNpZ25hdHVyZT0iRmg4aFlxVGszUkhDTDQ4S0NpK1haNEFWNlRBPSIgLz4","Identity":"9960c8bc-7008-4852-a218-286be1ec6672"}};SC;S;0;04/10/2019
17:13:24;0|0|0|1|;
X-EOPAttributedMessage: 0
X-OriginatorOrg: gmsuae.com
X-MS-Exchange-Organization-SafeAttachmentProcessing:
X-MS-Exchange-Transport-EndToEndLatency: 00:02:55.2749479
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1771.000
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160513016)(750119)(520011016)(706158)(944506303)(944610083);
X-Microsoft-Antispam-Message-Info:
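An added example (not code from anyone in this thread) of how to pull the EOP verdict fields out of a header like the one pasted above, so an admin can tell at a glance whether an outbound message was stamped as spam (DIR:OUT with SFV:SPM / SCL 5+, which is what EOP routes through the High Risk Delivery Pool), what the phishing (PCL) and bulk (BCL) levels were, what SPF result was recorded, and which EOP outbound relay IP the recipient actually saw. The sample header is an excerpt of the one above with the sender and recipient details replaced by example.com placeholders and RFC 5322 folding restored (continuation lines start with a space) so Python's stdlib email parser can read it; the field meanings in the comments follow Microsoft's documentation of the X-Forefront-Antispam-Report header.

```python
"""Extract the EOP filtering verdict from a pasted Microsoft 365 message header.

Added example, not code from anyone in this thread. SAMPLE_HEADER is an
excerpt of the header posted above, with the personal sender/recipient details
replaced by example.com placeholders and header folding restored so the
stdlib email parser reads it.
"""
import re
from email import message_from_string
from email.message import Message

# Excerpt of the header posted in the thread (placeholders: sender@example.com,
# example.com). The two X-Microsoft-Antispam segments come from two EOP hops.
SAMPLE_HEADER = """\
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (52.101.129.90)
 by VE1EUR01FT025.mail.protection.outlook.com (10.152.2.232) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
 15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:13:38 +0000
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (52.101.131.59)
 by DB5EUR01FT040.mail.protection.outlook.com (10.152.5.25) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
 15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:10:53 +0000
Authentication-Results: spf=none (sender IP is )
 smtp.mailfrom=sender@example.com;
X-MS-Exchange-Organization-SCL: 5
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095);SRVR:AM0PR0602MB3523;BCL:0;PCL:8;RULEID:(3031054)(100001);SRVR:DB5EUR01TH003;
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(136003);DIR:OUT;SFP:1501;SCL:5;SRVR:AM0PR0602MB3523;H:AM0PR0602MB3554.eurprd06.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
Received-SPF: None (protection.outlook.com: example.com does not designate
 permitted sender hosts)

"""

# SCL meaning per Microsoft's documentation: -1 skipped, 0-1 not spam,
# 5-6 spam, 7-9 high confidence spam.
SPAM_SCL = 5


def parse_stamp(value: str) -> dict:
    """Parse a 'KEY:VAL;KEY:VAL;' stamp (X-Forefront-Antispam-Report or
    X-Microsoft-Antispam). Folding whitespace is removed first. A key that
    repeats (one segment per filtering hop) keeps its last value."""
    fields = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        if ":" in part:
            key, val = part.split(":", 1)
            fields[key] = val
    return fields


def eop_outbound_ip(msg: Message):
    """Return the EOP outbound relay IP from the topmost matching Received hop
    (*.outbound.protection.outlook.com). That is the IP the recipient's MTA
    saw, so it is the one to look at when a High Risk Delivery Pool address
    is suspected of being blocklisted."""
    for received in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+\.outbound\.protection\.outlook\.com)\s+\(([\d.]+)\)",
                      received, re.IGNORECASE)
        if m:
            return m.group(2)
    return None


def verdict(raw_header: str) -> dict:
    """Summarise the filtering verdict recorded in one message header."""
    msg = message_from_string(raw_header)
    report = parse_stamp(msg.get("X-Forefront-Antispam-Report", ""))
    antispam = parse_stamp(msg.get("X-Microsoft-Antispam", ""))
    spf_line = msg.get("Received-SPF")
    scl = int(report.get("SCL", msg.get("X-MS-Exchange-Organization-SCL", "-1")))
    info = {
        "direction": report.get("DIR"),   # OUT = originated in your tenant
        "sfv": report.get("SFV"),         # SPM = spam filter verdict: spam
        "cat": report.get("CAT"),         # e.g. PHSH / HPHISH when stamped
        "sfp": report.get("SFP"),         # stamped next to SCL; 1501 in the thread
        "scl": scl,
        "pcl": int(antispam["PCL"]) if "PCL" in antispam else None,  # phishing level
        "bcl": int(antispam["BCL"]) if "BCL" in antispam else None,  # bulk level
        "spf": spf_line.split()[0] if spf_line else None,
        "eop_outbound_ip": eop_outbound_ip(msg),
    }
    # An outbound message carrying a spam verdict is what EOP routes via HRDP.
    info["outbound_marked_spam"] = info["direction"] == "OUT" and (
        info["sfv"] == "SPM" or scl >= SPAM_SCL)
    return info


if __name__ == "__main__":
    for key, val in verdict(SAMPLE_HEADER).items():
        print(f"{key:>20}: {val}")
```

Running it against the BCC copies collected by an outbound spam policy (as both ALV_Work and Philippe_RAYNAUD set up) gives a quick per-message line instead of reading the raw stamps; `outbound_marked_spam` being true on ordinary replies, with a PCL of 8 and SPF recorded as None, is exactly the pattern the thread describes.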
- Rnishat0786 (Iron Contributor)
I noticed in the Message Header -
Received-SPF None (protection.outlook.com: gmsuae.com does not designate permitted sender hosts)
So I would suggest checking whether the sender domain is added in the allowed domain settings in the Security and Compliance center.
1. Sign in to the O365 Admin Portal
2. Navigate to Security & Compliance center > Threat management > Policy.
3. Find Anti-spam, open it. Expand Allow lists. Add the sender's domain to the Allow domain setting.
- Akshay_Mane (Iron Contributor)
This is the typical case of HRDP, when your outbound emails are detected as spam and EOP tries to deliver them to the recipient with an already blacklisted IP.
social.technet.microsoft.com/wiki/contents/articles/36402.exchange-online-troubleshooting-high-risk-delivery-pool.aspx
Looking at the headers, it seems that EOP IP 52.101.129.90 is on a blacklist.
Try to delist the IP on sender.office.com. Sometimes your tenant gets assigned a blacklisted IP at random. You can contact O365CloudExperts Support if you need more help.
Regards,
Akshay M
- Sujesh1415 (Copper Contributor)
We are facing the same issues for the past week. Did create a ticket with MS and it is still being worked on.
We didn't make any recent changes to any of our policies and are wondering what the reason behind it is. It's been a week that we are exchanging mail headers and extended message traces and haven't managed to isolate the issue yet.
- ALV_Work (Copper Contributor)
Hi Sujesh1415,
Only the Microsoft Team can resolve this issue. It is mostly due to an issue at their servers which tags outgoing emails as spam. This doesn't affect everyone, I guess, just random tenants.
- Jordan160 (Copper Contributor)
I'm having a similar issue with a client who has Office 365 for email.
Their domain name was categorized as CAT:HPHISH due to their website being hacked. Once cleaned up they started having emails being quarantined. They put their domain name in their signature. So any customers they emailed with Office 365 wouldn't get the email, it would be quarantined. When a customer who wasn't on Office 365 got the email and replied, the client wouldn't get the email.
We've reached out to Microsoft Support, however, they're unable to understand what needs to happen. And there is no system in-place to change/remove domain names from this categorization. Even though they have https://sender.office.com for de-listing IP addresses, there is no way to submit domain names.
Other vendors like PaloAlto, FortiNET and Sophos provide the means to submit evidence for delisting domain names categorized as Phishing or Spam.
EDIT: The only method I see to report the domain name as a false positive or have the category changed or removed is through the Office 365 Protection Portal under the "Quarantine Queue", by clicking "Submit Message" with no information on where it's going or if I will get notified if any action was taken.
The other method is in a Microsoft article https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis which states “Use the same procedure as described in the "Use email to submit junk (spam) or phishing scam messages to Microsoft ," but send the message to not_junk@office365.microsoft.com.”
- EmailIssues (Copper Contributor)
We are having the exact same problem. Tomorrow will be our 3rd day of being mostly down and working with O365 who can't figure out the problem or even understand that it is bigger than analyzing a couple of email headers.
Is there a way to get in contact with higher tier support that has more to say than "tell your recipients to whitelist you"?
- Jordan160 (Copper Contributor)
Yes, you need to keep calling them. They have access to remove the domain name from their internal list. We just got this completed by their support.
- SChicora (Copper Contributor)
Our organization is having this issue with incoming and outgoing mail. I have had our users remove the weblink from their signature line, after speaking with a Microsoft Tech, and mail is flowing out from us without being rejected now.
Today, we have started to see that all mail, with any type of link in it, is going into our Junk Folders. Both internal and external.
- ExpertInstitute (Copper Contributor)
Our organization is also experiencing the same exact issues with legitimate / wanted emails that our clients are expecting. These emails are being quarantined / sent to spam, or even rejected in some cases, specifically by Microsoft 365 / Outlook receiving servers.
We've been thoroughly testing and it appears to be specific to our domain and not related to our email sending platforms or IPs. This issue has been persisting across our entire organization for the last 6 weeks. Our DKIM / SPF records are all setup correctly. We're using Dmarcian, HetrixTools to monitor / confirm our DNS settings. And we've also had two email deliverability consultants check our domain settings and confirm that they believe this is an internal false flag on Microsoft's side.
After speaking with numerous Microsoft support staff, we've finally made contact with an escalation team and have provided them with email samples of quarantined / rejected emails, which are all wanted by our clients. This issue is severely impacting our business, as our clients are unable to receive emails / work product for which they have already paid.
I'm hoping that someone from Microsoft's Team can kindly escalate this issue and advise us on next steps to delist our domain from their internal blacklists.
- rconiv (Brass Contributor)
Just to throw in, this seems to still be an issue. It seemed to happen the day before, but the next day we were spoofed. Since then all our outbound emails have been tagged as SCL9. Due to this, all replies or emails sent to our domain go to quarantine.
We had a SPF and DMARC, and have added a DKIM, but two weeks later it still doesn't work.
Microsoft said they sent it to their backend team, which I am told is their program development group who doesn't have any sort of SLA so it is a whenever they get around to looking at it.
Today we finally got Microsoft to escalate it to Tier 2 Exchange. Their Tier 1 was refusing because they said Tier 2 would have to wait for results from the backend group also.
They mentioned that they were seeing that our inbound spam policy was marking everything as spam, which got a "no duh", because they are already coming in marked as high confidence spam in the header.