Robert Woods
Iron Contributor
Apr 10, 2018

New Phishing Policy added to EOP

Today I started receiving many requests from end users that mail was not being delivered to their mailbox. Guess what I found!

A new Phishing setting in the default EOP spam filter. Sigh. This was hidden in the Spam filter settings in the Security and Compliance Center and not shown at all in the Exchange Online version of the Spam filter, even though they are the exact same policy.

Once I found this hidden new setting I was able to change the behavior from Microsoft's default, block messages at the edge of the network, to append them with some text in the subject line and deliver the message to the user's inbox.

Once again, MS made global changes to my tenant without notifying me, causing my end users to miss mail! Second time this week with the changes to Intune CA on Friday/Saturday last week. Definitely makes me eyeball the competition.

Hope this post helps someone down the line.

To get to these settings navigate to S&C/Threat Management/Policy/Antispam and edit the default policy and look for Spam and Bulk actions.

4 Replies

    • Robert Woods
      Iron Contributor

      And please don't get me wrong, I love the enhancements and new capabilities! What I hate, Microsoft, is having to scramble and figure out why mail flow has stopped for my users. Hope you guys are seeing this!

  • Cian Allner
    Silver Contributor

    Good spot! There are some details here that shed some light on this and how some of this is quite easy to miss, as some settings are only in the S&C portal as you have discovered.

    https://blogs.technet.microsoft.com/eopfieldnotes/2017/07/05/dont-forget-about-the-security-and-compliance-center/

    The default is to quarantine phishing emails by the looks of it.

    • Robert Woods
      Iron Contributor

      Today was the first day we have ever seen this control in there, and it was set to block by default. NOT quarantine.
