Forum Discussion
Spoofing and distribution groups
Several options to explore here. You can change the spam policy action to quarantine or remove, you can create a transport rule to detect/reject such messages, or report it as a false negative and work with support to identify why exactly this is happening. My guess would be that the messages are still being marked as spam but some setting on the recipient's end is causing them to end up in the Inbox, for example headers being stripped, trusted senders list, etc.
ATP is catching them for internal users but they are still going out to external users. What I would like to do is stop them from going out at all, but I don't know how to determine these emails are fake given what I have to work with in the portal for rule creation. They appear to authenticate so I can't check if they are external and use that. I'm kind of at a loss.
I have a ticket open with Microsoft regarding this but no one has reached out to me yet. The last 3 Office 365 tickets I've opened, support has been abysmal on them so I'm not really expecting a lot on MS's side.