Forum Discussion

ALV_Work's avatar
ALV_Work
Copper Contributor
Apr 10, 2019

Outgoing emails marked as SPAM and Phishing emails by O365 servers

Hi,

Since yesterday, all outgoing emails from our organization using Office365 (fully cloud) are being flagged as either spam or phishing email by Microsoft Outbound email servers. Due to this, our Office365 user accounts are getting blocked every hour. We tried contacting Office365 support but they said they cannot help on outbound email spam settings as they do not have any control over the configurations. I spent more than an hour on the phone with the support person and at the end was asked to send 5 sample emails to not_junk@office365microsoft.com and wait for 48 hours. I told O365 support that each user who is blocked sends around 100 emails, all of which are getting flagged as either spam or phishing email, so sending random samples will not help. No spam or phishing filter settings have been changed for months now, so I can only think of some backend updates done by the O365 team to tighten the spam filters.

I am not sure whom to contact or where to escalate this case now, so I am posting it in this group hoping someone who has experienced the same might help. Any help to resolve this issue will be much appreciated as our users are unable to send emails.

Thanks.

  • ALV_Work We got exactly the same problem yesterday, I opened a ticket but Microsoft seems to have no clue about what happened. 

     

    We worked on it a while and this is what we could figure out about our case :

     

    - It started around 7am CET and ended around 8pm CET

    - It has nothing to do with SPF or whatever

    - EOP was giving a SFV:SPM SCL:5 to outbound emails ONLY IF they were replies or forwards to external email addresses, so they were using the High Risk Delivery Pool and we were getting a BCC in our IT mailbox as our Outbound spam Policy specifies it. I can see in your header that it was the same for you: DIR:OUT;SFP:1501;SCL:5

    - When an external person was answering one of these emails they were coming back with SFV:SPM and CAT:PHSH, so we got PLENTY of emails yesterday ending up in the junk folder

    - Every Outbound Spam BCC in our IT mailbox arrived twice, the second time with a huge delay (6+ hours), and the messages stayed in "Getting Status" for a very long time in traces, maybe because they were going through the High Risk Pool.

     

    We didn't make any changes in our SPF or policies, it just randomly happened and ended.

     

    I'm still waiting for an explanation from Microsoft.

    • Rafmoerkens's avatar
      Rafmoerkens
      Copper Contributor

      Philippe_RAYNAUD 

       

      You might want to read the following article on the "health" tab in the office portal...

       

    • ALV_Work's avatar
      ALV_Work
      Copper Contributor

      Hi @Philippe_RAYNAUD ,

       

      All the scenarios mentioned by you are the same for me too. Got a lot of emails tagged as PHISH by the AntiSpam policy and all went into quarantine due to our Antispam settings. Had to release them manually to the users. Also we got a lot of duplicate emails sent as BCC to our IT email address since outgoing emails were getting tagged as SPAM. But now the issue seems to have stopped. Looks like the MS Team has reverted the changes.

       

  • Rnishat0786's avatar
    Rnishat0786
    Iron Contributor

    ALV_Work 

     

    The issue seems quite strange. How did you know that MS Outbound servers are marking your emails as Spam? Secondly, I hope your domain is still able to send emails to other domains; if yes, could you share a message header so that I can analyze it?

    • ALV_Work's avatar
      ALV_Work
      Copper Contributor

      Hi Rnishat0786

       

      We have edited the default Outgoing Spam rule to copy messages flagged as spam to one of our internal email addresses. I have pasted the header from one such email (apparently we receive almost every outgoing email now) as requested. As you will notice, the Spam Confidence Level is set to 5 by Microsoft and the Phishing Level to 8 for this outgoing email from Office365. We do even have 2FA enabled for most users and never had any issue till yesterday.

       

      Received: from AM6PR0602MB3589.eurprd06.prod.outlook.com
      (2603:10a6:208:aa::49) by AM0PR0602MB3585.eurprd06.prod.outlook.com with
      HTTPS via AM0PR06CA0072.EURPRD06.PROD.OUTLOOK.COM; Wed, 10 Apr 2019 17:13:40
      +0000
      Received: from VI1PR0601CA0005.eurprd06.prod.outlook.com
      (2603:10a6:800:1e::15) by AM6PR0602MB3589.eurprd06.prod.outlook.com
      (2603:10a6:209:e::26) with Microsoft SMTP Server (version=TLS1_2,
      cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.19; Wed, 10 Apr
      2019 17:13:39 +0000
      Received: from VE1EUR01FT025.eop-EUR01.prod.protection.outlook.com
      (2a01:111:f400:7e01::209) by VI1PR0601CA0005.outlook.office365.com
      (2603:10a6:800:1e::15) with Microsoft SMTP Server (version=TLS1_2,
      cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1792.14 via Frontend
      Transport; Wed, 10 Apr 2019 17:13:39 +0000
      Received: from EUR01-HE1-obe.outbound.protection.outlook.com (52.101.129.90)
      by VE1EUR01FT025.mail.protection.outlook.com (10.152.2.232) with Microsoft
      SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
      15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:13:38 +0000
      Received: from DB5EUR01FT040.eop-EUR01.prod.protection.outlook.com
      (10.152.4.56) by DB5EUR01TH003.eop-EUR01.prod.protection.outlook.com
      (10.152.4.138) with Microsoft SMTP Server (version=TLS1_2,
      cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.16; Wed, 10 Apr
      2019 17:10:53 +0000
      Received: from EUR02-AM5-obe.outbound.protection.outlook.com (52.101.131.59)
      by DB5EUR01FT040.mail.protection.outlook.com (10.152.5.25) with Microsoft
      SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
      15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:10:53 +0000
      Authentication-Results: spf=none (sender IP is )
      smtp.mailfrom=anna.mandia@gmsuae.com;
      Received: from AM0PR0602MB3554.eurprd06.prod.outlook.com (52.133.46.17) by
      AM0PR0602MB3523.eurprd06.prod.outlook.com (52.133.49.30) with Microsoft SMTP
      Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
      15.20.1792.14; Wed, 10 Apr 2019 17:10:45 +0000
      Received: from AM0PR0602MB3554.eurprd06.prod.outlook.com
      ([fe80::9162:6e5e:65c1:9944]) by AM0PR0602MB3554.eurprd06.prod.outlook.com
      ([fe80::9162:6e5e:65c1:9944%6]) with mapi id 15.20.1771.014; Wed, 10 Apr 2019
      17:10:44 +0000
      Content-Type: application/ms-tnef; name="winmail.dat"
      Content-Transfer-Encoding: binary
      From: Anna Mandia <anna.mandia@gmsuae.com>
      To: Calum Berkley <calumberkley@aol.com>, "reservations@milansuites.com.sa"
      <reservations@milansuites.com.sa>, "ayman@milansuites.com.sa"
      <ayman@milansuites.com.sa>, IBIS Abu Dhabi Gate FO3 <H6949-FO3@accor.com>,
      NOVOTEL Abu Dhabi Gate RE1 <H6948-RE1@accor.com>
      CC: Paula Cercel <paula.cercel@gmsuae.com>, William Escondo
      <william.escondo@gmsuae.com>, Amit Dagar <amit.dagar@gmsuae.com>
      Subject: FW: Calum Berkley/Sharqi/12 Apr [Email Ref. #1457448]
      Thread-Topic: Calum Berkley/Sharqi/12 Apr [Email Ref. #1457448]
      Thread-Index: AQHU7g3sNf9KY9rzwEKdxrIlBbZyQaYySW2+gAAUiICAAtK0IA==
      Date: Wed, 10 Apr 2019 17:10:44 +0000
      Message-ID: <AM0PR0602MB35543E59377335E66B1F11119D2E0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
      References: <AM0PR0602MB35549FA31C962DC1097B472A9D2C0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
      <AM0PR0602MB3554B2DF88EFB2AD15FCC0699D2C0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
      <46AED3F05A1011E9B957005056BF25F3@focalscope.com>
      In-Reply-To: <46AED3F05A1011E9B957005056BF25F3@focalscope.com>
      Accept-Language: en-GB, en-US
      Content-Language: en-US
      X-MS-Has-Attach: yes
      X-MS-Exchange-Organization-SCL: 5
      X-MS-TNEF-Correlator: <AM0PR0602MB35543E59377335E66B1F11119D2E0@AM0PR0602MB3554.eurprd06.prod.outlook.com>
      MIME-Version: 1.0
      X-MS-Exchange-Organization-MessageDirectionality: Originating
      X-MS-Exchange-Organization-AuthSource: AM0PR0602MB3554.eurprd06.prod.outlook.com
      X-MS-Exchange-Organization-AuthAs: Internal
      X-MS-Exchange-Organization-AuthMechanism: 04
      X-Originating-IP: [217.164.74.77]
      X-MS-Exchange-Organization-Network-Message-Id: 1516fec6-bb59-4dad-acf3-08d6bdd77816
      X-MS-PublicTrafficType: Email
      Return-Path: anna.mandia@gmsuae.com
      X-MS-Exchange-Organization-ExpirationStartTime: 10 Apr 2019 17:10:45.0518
      (UTC)
      X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
      X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
      X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
      X-MS-Office365-Filtering-Correlation-Id: 1516fec6-bb59-4dad-acf3-08d6bdd77816
      X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(49563074)(7193020);SRVR:AM0PR0602MB3523;BCL:0;PCL:8;RULEID:(3031054)(100001)(3032054)(3034054);SRVR:DB5EUR01TH003;
      X-MS-TrafficTypeDiagnostic:
      AM0PR0602MB3523:|AM0PR0602MB3523:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|DB5EUR01TH003:|AM6PR0602MB3589:
      X-MS-Exchange-PUrlCount: 3
      X-Microsoft-Antispam-PRVS: <AM0PR0602MB352364002DE092CC23D543D69D2E0@AM0PR0602MB3523.eurprd06.prod.outlook.com>
      X-Forefront-PRVS: 00032065B2
      X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(136003)(39850400004)(396003)(346002)(366004)(376002)(199004)(189003)(9686003)(3846002)(236005)(52536014)(76176011)(4326008)(606006)(66066001)(25786009)(107886003)(102836004)(53546011)(6506007)(26005)(186003)(11346002)(476003)(71190400001)(66574012)(71200400001)(6116002)(790700001)(68736007)(486006)(44832011)(33656002)(5660300002)(5024004)(446003)(14444005)(97736004)(256004)(81156014)(81166006)(2201001)(54906003)(8936002)(8676002)(508600001)(14454004)(110136005)(7696005)(53946003)(2906002)(6306002)(2473003)(413944005)(99286004)(99936001)(316002)(229853002)(74316002)(7736002)(2501003)(105586002)(6436002)(733005)(106356001)(53936002)(55016002)(86362001)(54556002)(54896002)(59010400001);DIR:OUT;SFP:1501;SCL:5;SRVR:AM0PR0602MB3523;H:AM0PR0602MB3554.eurprd06.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
      Received-SPF: None (protection.outlook.com: gmsuae.com does not designate
      permitted sender hosts)
      X-MS-Exchange-Organization-ExpirationInterval: 0:04:00:00.7865921
      X-MS-Exchange-Organization-ExpirationIntervalReason: SpamEngine
      X-MS-Exchange-AtpMessageProperties: sap=1;slp=1;
      X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR0602MB3523
      X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR01FT040.eop-EUR01.prod.protection.outlook.com
      X-MS-Exchange-Organization-ACSExecutionContext: 04/10/2019 17:10:53;04/10/2019
      17:13:38;{"SubmissionInfo":{"SubmissionToken":"PFRva2VuIFRva2VuVHlwZT0iU3VibWlzc2lvblRva2VuIiBJZD0iYjAyN2FkZWYtYjM1Yi1lOTExLWIwNzYtOWNkYzcxNTBlYjYyIiBSb2xlPSJTdWJtaXR0ZXIiIEVuZHBvaW50PSJodHRwczovL0hFMVNFVTA0VFAxMDUuZW9wLXNldTA0LnByb2QucHJvdGVjdGlvbi5vdXRsb29rLmNvbS9zb25hcmFwaS8iIFNpZ25hdHVyZT0iRmg4aFlxVGszUkhDTDQ4S0NpK1haNEFWNlRBPSIgLz4","Identity":"9960c8bc-7008-4852-a218-286be1ec6672"}};SC;S;0;04/10/2019
      17:13:24;0|0|0|1|;
      X-EOPAttributedMessage: 0
      X-OriginatorOrg: gmsuae.com
      X-MS-Exchange-Organization-SafeAttachmentProcessing:
      X-MS-Exchange-Transport-EndToEndLatency: 00:02:55.2749479
      X-MS-Exchange-Processed-By-BccFoldering: 15.20.1771.000
      X-Microsoft-Antispam-Mailbox-Delivery:
      ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160513016)(750119)(520011016)(706158)(944506303)(944610083);

      • Rnishat0786's avatar
        Rnishat0786
        Iron Contributor

        ALV_Work 

         

        I noticed in the Message Header - 

         Received-SPF: None (protection.outlook.com: gmsuae.com does not designate permitted sender hosts)

         

        So I would suggest checking if the sender domain is added in the allowed domain settings in the Security and Compliance center.

         

        1. Sign in to O365 Admin Portal
        2. Navigate to Security & Compliance center > Threat management > Policy.
        3. Find Anti-spam, open it. Expand Allow lists. Add the sender's domain to the Allow domain setting.

         

         
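The header pasted above carries the verdict fields the thread keeps referring to (SFV:SPM, DIR:OUT, SFP:1501, SCL:5, PCL:8, Received-SPF None). The following is an added example, not code from any poster here, that pulls those fields out of a raw header block with Python's stdlib email module and turns them into the checks an admin would run before opening a ticket. The two sample headers are constructed for the example (addresses and IPs replaced); the PCL 4-8 "suspicious" range is Microsoft's documented scale for that field.

```python
import email
from email import policy

# Constructed sample modelled on the outbound header quoted in the thread above.
OUTBOUND_SAMPLE = """\
Authentication-Results: spf=none (sender IP is )
 smtp.mailfrom=user@example.com;
From: User <user@example.com>
To: someone@example.net
Subject: FW: test
X-MS-Exchange-Organization-SCL: 5
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095);SRVR:A;BCL:0;PCL:8;RULEID:(3031054);SRVR:B;
X-Forefront-Antispam-Report: SFV:SPM;SFS:(10009020)(136003);DIR:OUT;SFP:1501;SCL:5;SRVR:A;SPF:None;LANG:en;
Received-SPF: None (protection.outlook.com: example.com does not designate
 permitted sender hosts)

body
"""

# Constructed inbound reply of the kind the thread describes (spam verdict plus CAT:PHSH).
INBOUND_SAMPLE = """\
From: someone@example.net
To: user@example.com
X-Forefront-Antispam-Report: CIP:203.0.113.5;SFV:SPM;DIR:INB;SCL:5;CAT:PHSH;SPF:Pass;

body
"""

VERDICT_KEYS = ("SFV", "DIR", "SCL", "CAT", "SPF", "CIP", "SFP")


def report_fields(header_value):
    """Split a 'KEY:VALUE;KEY:VALUE;...' EOP header into a dict of lists (keys such as PCL repeat)."""
    fields = {}
    for item in " ".join(header_value.split()).split(";"):  # unfold, then split on ';'
        if ":" in item:
            key, value = item.split(":", 1)
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def assess(raw_headers):
    """Extract the EOP verdict fields and return them with a list of plain-language findings."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    report = report_fields(msg.get("X-Forefront-Antispam-Report", ""))
    antispam = report_fields(msg.get("X-Microsoft-Antispam", ""))
    result = {k: report.get(k, [None])[0] for k in VERDICT_KEYS}
    scl = result["SCL"]
    result["SCL"] = int(scl) if scl and scl.lstrip("-").isdigit() else None
    pcls = [int(p) for p in antispam.get("PCL", []) if p.isdigit()]
    result["PCL"] = max(pcls) if pcls else None  # the header stamps PCL once per hop; keep the worst
    findings = []
    if result["DIR"] == "OUT" and result["SFV"] == "SPM":
        findings.append("outbound spam verdict: message leaves via the high-risk delivery pool")
    if result["CAT"] in ("PHSH", "HPHISH"):
        findings.append("phishing category stamped; expect quarantine on the receiving side")
    if (result["PCL"] or 0) >= 4:
        findings.append("phishing confidence level %d (4-8 = suspicious)" % result["PCL"])
    if result["SPF"] and result["SPF"].lower() == "none":
        findings.append("SPF none: EOP found no SPF record for the envelope sender domain")
    result["findings"] = findings
    return result
```

Run `assess()` over the BCC copies that the outbound spam policy delivers to the IT mailbox to separate genuine outbound spam verdicts from the inbound phishing stamps on replies.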

  • Akshay_Mane's avatar
    Akshay_Mane
    Iron Contributor

    ALV_Work  

    This is the typical case of HRDP, when your outbound emails are detected as spam and EOP tries to deliver them to the recipient with an already blacklisted IP.

    social.technet.microsoft.com/wiki/contents/articles/36402.exchange-online-troubleshooting-high-risk-delivery-pool.aspx
     
    Looking at the headers, it seems that EOP IP 52.101.129.90 is on a blacklist.
    Try to delist the IP on sender.office.com
     
    Sometimes your tenant gets assigned a blacklisted IP at random. You can contact O365CloudExperts Support if you need more help.
     
    Regards,
    Akshay M
  • Sujesh1415's avatar
    Sujesh1415
    Copper Contributor

    We are facing the same issues from the past week. Did create a ticket with MS and it is still being worked on.

     

    We didn't make any recent changes to any of our policies and are wondering what the reason behind it is. It's been a week that we have been exchanging mail headers and extended message traces and we haven't managed to isolate the issue yet.

     

     

    • ALV_Work's avatar
      ALV_Work
      Copper Contributor

      Hi Sujesh1415 ,

       

      Only the Microsoft Team can resolve this issue. It is mostly due to an issue at their servers which tags outgoing emails as spam. This doesn't affect everyone, I guess, just random tenants.

  • Jordan160's avatar
    Jordan160
    Copper Contributor

    ALV_Work 

     

    I'm having a similar issue with a client who has Office 365 for email.

     

    Their domain name was categorized as CAT:HPHISH due to their website being hacked. Once cleaned up they started having emails being quarantined. They put their domain name in their signature. So any customers they emailed with Office 365 wouldn't get the email, it would be quarantined. When a customer who wasn't on Office 365 got the email and replied, the client wouldn't get the email.

     

    We've reached out to Microsoft Support, however, they're unable to understand what needs to happen. And there is no system in-place to change/remove domain names from this categorization. Even though they have https://sender.office.com for de-listing IP addresses, there is no way to submit domain names.

    Other vendors like PaloAlto, FortiNET and Sophos provide the means to submit evidence for delisting domain names categorized as Phishing or Spam.

     

    EDIT: The only method I see to report the domain name as a false positive or have the category changed or removed is through the Office 365 Protection Portal under the "Quarantine Queue", by clicking "Submit Message" with no information on where it's going or if I will get notified if any action was taken.

     

    The other method is in a Microsoft article https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis which states “Use the same procedure as described in the "Use email to submit junk (spam) or phishing scam messages to Microsoft ," but send the message to not_junk@office365.microsoft.com.”

    • EmailIssues's avatar
      EmailIssues
      Copper Contributor

      Jordan160 

       

      We are having the exact same problem. Tomorrow will be our 3rd day of being mostly down and working with O365 who can't figure out the problem or even understand that it is bigger than analyzing a couple of email headers.

       

      Is there a way to get in contact with higher tier support that has more to say than "tell your recipients to whitelist you"?

      • Jordan160's avatar
        Jordan160
        Copper Contributor

        EmailIssues 

         

        Yes, you need to keep calling them. They have access to remove the domain name from their internal list. We just got this completed by their support.

  • SChicora's avatar
    SChicora
    Copper Contributor
    Our organization is having this issue with incoming and outgoing mail. I have had our users remove the weblink from their signature line, after speaking with a Microsoft Tech, and mail is flowing out from us without being rejected now.
    Today, we have started to see that all mail, with any type of link in it, is going into our Junk Folders. Both internal and external.
    • ExpertInstitute's avatar
      ExpertInstitute
      Copper Contributor

      Our organization is also experiencing the same exact issues with legitimate / wanted emails that our clients are expecting. These emails are being quarantined / sent to spam, or even rejected in some cases, specifically by Microsoft 365 / Outlook receiving servers.

      We've been thoroughly testing and it appears to be specific to our domain and not related to our email sending platforms or IPs. This issue has been persisting across our entire organization for the last 6 weeks. Our DKIM / SPF records are all setup correctly. We're using Dmarcian, HetrixTools to monitor / confirm our DNS settings. And we've also had two email deliverability consultants check our domain settings and confirm that they believe this is an internal false flag on Microsoft's side. 

      After speaking with numerous Microsoft support staff, we've finally made contact with an escalation team and have provided them with email samples of quarantined / rejected emails, which are all wanted by our clients. This issue is severely impacting our business, as our clients are unable to receive emails / work product for which they have already paid.

      I'm hoping that someone from Microsoft's Team can kindly escalate this issue and advise us on next steps to delist our domain from their internal blacklists.

  • rconiv's avatar
    rconiv
    Brass Contributor
    Just to throw in that this seems to still be an issue. It seemed to happen the day before, but the next day we were spoofed. Since then all our outbound emails have been tagged as SCL9. Due to this, all replies or emails sent to our domain go to quarantine.

    We had SPF and DMARC, and have added DKIM, but two weeks later it still doesn't work.

    Microsoft said they sent it to their backend team, which I am told is their program development group, who doesn't have any sort of SLA, so it is a whenever-they-get-around-to-looking-at-it situation.

    Today we finally got Microsoft to escalate it to Tier 2 Exchange. Their Tier 1 was refusing because they said Tier 2 would have to wait for results from the backend group also.

    They mentioned that they were seeing that our inbound spam policy was marking everything as spam, which got a "no duh" because they are coming in as high confidence spam already in the header.
