Forum Discussion

ewinonait's avatar
ewinonait
Copper Contributor
Jan 06, 2020

Tenant policy (verdict override) Exchange Online

Hey All,

 

My company recently received a spoofed phishing email from noreply@[companyname].com and it passed through both our spam and phishing filters.  Upon further inspection, it had an SPF fail and originated from Vietnam (Which we block all emails from).  My question is that when submitting the email under Threat Management -> Submissions in the Office 365 Security & Compliance Center, this is what I get when its submitted:

Review your Tenant policy (verdict override). At the time of delivery, you had sufficient security mechanisms to block this threat. However, they were overridden by your Tenant policy (verdict override)
 
I looked in all of the setting and can't find where this email would have sneaked through.
 
Any thoughts?
exchange
microsoft 365

4 Replies

  • Robert Göransson's avatar
    Robert Göransson
    Copper Contributor
    Nov 30, 2020

    ewinonait How did you discover this whitelist your domain was in? Ive got the excact same situation as you, and have done a message trace - but theres no info for me to act on. Just logs about how it was delivered OK (when it should not)

  • VasilMichev's avatar
    VasilMichev
    MVP
    Jan 07, 2020

    Just run a message trace, it will let you know why. Most likely some sort of a whitelist.

    • ewinonait's avatar
      ewinonait
      Copper Contributor
      Jan 07, 2020

      ThanksVasilMichev !

       

      It turns out we had our own domain whitelisted which led to the override of our other security policies.

      • VasilMichev's avatar
        VasilMichev
        MVP
        Jan 07, 2020

        That's not as uncommon as one might think - removing your own domain from any whitelists is practically the #1 recommendation from the EOP folks lately.