JoeMorphew
May 15, 2024

Phish delivered due to an ETR override

We recently switched from Defender to Proofpoint Essentials for email security. During implementation they had us create a Proofpoint bypass Spam Exchange Transport Rule. The rule marks anything coming from a Proofpoint IP address as Spam confidence level -1 (SCL -1). This rule seems to also be stopping Microsoft from sending phishing emails to quarantine.

Since implementation we’ve been receiving a lot of alerts for “Phish delivered due to an ETR override”. We’ve investigated the emails, and most are indeed phishing emails that Proofpoint has missed. Is it possible to adjust the transport rule to allow Microsoft to still quarantine these phishing emails? If not, what is the impact of disabling the rule? The emails will fail SPF, DKIM, and DMARC because they are delivered by Proofpoint, not the original sender.

Ultimately, I'd like to know if it's possible to allow Microsoft to quarantine phishing emails that have already been filtered and delivered by a 3rd party cyber security vendor.

  • JoeMorphew

    Enhanced Filtering for Connectors is what we were looking for.
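
One way to review the SCL -1 override and turn on Enhanced Filtering for Connectors from Exchange Online PowerShell, as an added example that is not part of the original thread. It assumes the ExchangeOnlineManagement module is installed and that Proofpoint delivers through a dedicated inbound connector; the connector name is a placeholder.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement module
# and an account allowed to manage mail flow.
Connect-ExchangeOnline

# Placeholder: replace with the name of the inbound connector used for Proofpoint.
$connectorName = '<Proofpoint inbound connector name>'

# 1. List the enabled transport rules that stamp SCL -1. These are the overrides
#    behind "Phish delivered due to an ETR override" alerts.
Get-TransportRule |
    Where-Object { "$($_.SetSCL)" -eq '-1' -and $_.State -eq 'Enabled' } |
    Format-List Name, Priority, SenderIpRanges, SetSCL

# 2. Show the connector's current Enhanced Filtering settings.
Get-InboundConnector -Identity $connectorName |
    Format-List Name, Enabled, ConnectorType, SenderIPAddresses,
                EFSkipLastIP, EFSkipIPs, EFUsers

# 3. Enable Enhanced Filtering by skipping the last hop (the Proofpoint server that
#    connects to Microsoft 365), so filtering evaluates the IP address that handed
#    the message to Proofpoint instead of Proofpoint's own address.
Set-InboundConnector -Identity $connectorName -EFSkipLastIP $true

# 4. Confirm the change was stored.
Get-InboundConnector -Identity $connectorName |
    Format-List Name, EFSkipLastIP, EFSkipIPs, EFUsers
```

If the last hop is not always the Proofpoint server, `-EFSkipIPs` accepts an explicit list of addresses to skip instead, and `-EFUsers` limits the setting to named recipients while testing.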
