Forum Discussion
Hugo_Smartbee
Aug 07, 2024 Copper Contributor
All the mail from one mail address arrives in quarantine with an SCL = 5
All the emails sent to us by our customer (email address removed for privacy reasons) arrive in our quarantine with an SCL score of 5. However, the email address passes the DMARC tests perfectly ...
Chris_toffer0707
Aug 07, 2024 Iron Contributor
I often take one of the received mails, copy the header of that mail (it must be the original received mail header, do not let the user forward the mail to you), and paste the info into this page to analyse the flow:
https://mha.azurewebsites.net/
But another and perhaps more effective way is to analyse the output from the Defender portal.
Sign in to https://security.microsoft.com/quarantine?viewid=Email
Then find the quarantined mail in question. On the overview page, look at the "reason for quarantine"; that will tell you if it is categorized as spam, malware, phishing etc. Next, on the overview page, look for the "Policy Type". That will tell you what type of Defender for Office 365 policy has flagged the mail. Open the mail in the quarantine overview, then you can analyse things like "Detection technologies", "URLs", "attachments" and so on.
If this does not answer your question, please share some details from the pages I pinpointed, then I can be of assistance for finding the specific cause.
- Hugo_Smartbee Aug 08, 2024 Copper Contributor
Hi Chris_toffer0707,
Thanks for your help.
The quarantine reason is Phish and the policy-type is Anti-spam policy.
Here is the mail header I get on my quarantine dashboard:
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 40.107.167.112) smtp.rcpttodomain=smartbee.ch smtp.mailfrom=arsante.ch; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=arsante.ch; dkim=pass (signature was verified) header.d=arsante.ch; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arsante.ch] dkim=[1,1,header.d=arsante.ch] dmarc=[1,1,header.from=arsante.ch])
Received: from ZR0P278CA0139.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:40::18) by ZRAP278MB0045.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:12::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.27; Tue, 6 Aug 2024 10:07:47 +0000
Received: from ZR2PEPF0000012C.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:40:cafe::de) by ZR0P278CA0139.outlook.office365.com (2603:10a6:910:40::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.27 via Frontend Transport; Tue, 6 Aug 2024 10:07:47 +0000
Authentication-Results: spf=pass (sender IP is 40.107.167.112) smtp.mailfrom=arsante.ch; dkim=pass (signature was verified) header.d=arsante.ch;dmarc=pass action=none header.from=arsante.ch;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of arsante.ch designates 40.107.167.112 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.167.112; helo=ZRZP278CU001.outbound.protection.outlook.com; pr=C
Received: from ZRZP278CU001.outbound.protection.outlook.com (40.107.167.112) by ZR2PEPF0000012C.mail.protection.outlook.com (10.167.241.36) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.8 via Frontend Transport; Tue, 6 Aug 2024 10:07:46 +0000
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arsante.ch; dmarc=pass action=none header.from=arsante.ch; dkim=pass header.d=arsante.ch; arc=none
Received: from GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM (2603:10a6:710:1e::13) by ZRAP278MB0923.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:4b::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.27; Tue, 6 Aug 2024 10:07:44 +0000
Received: from GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM ([fe80::4509:e010:c299:d5de]) by GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM ([fe80::4509:e010:c299:d5de%5]) with mapi id 15.20.7828.023; Tue, 6 Aug 2024 10:07:44 +0000
From: =?utf-8?B?R2HDq2xsZSBTYWxsYXo=?= <email address removed for privacy reasons>
To: "email address removed for privacy reasons" <email address removed for privacy reasons>
Subject: Test
Thread-Topic: Test
Thread-Index: AQHa5+h7N6d4nq/Ye0CDrZaLodb7LA==
Date: Tue, 6 Aug 2024 10:07:44 +0000
Message-ID: <email address removed for privacy reasons>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arsante.ch;
x-ms-traffictypediagnostic: GV0P278MB0051:EE_ ZRAP278MB0923:EE_ ZR2PEPF0000012C:EE_ ZRAP278MB0045:EE_
X-MS-Office365-Filtering-Correlation-Id: 5adff72c-17bb-4889-de5e-08dcb5ff9f1b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040 366016 1800799024 376014 38070700018;
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:fr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700018);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount: 1
Content-Type: text/plain; charset="utf-8"
Content-ID: <email address removed for privacy reasons>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ZRAP278MB0923
Return-Path: email address removed for privacy reasons
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 34af5d30-e9cb-484b-86d8-2ae5ada91fe8:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: ZR2PEPF0000012C.CHEP278.PROD.OUTLOOK.COM
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: ZR2PEPF0000012C.CHEP278.PROD.OUTLOOK.COM
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: c9a130fa-b1d7-4c47-2596-08dcb5ff9dc8
X-Forefront-Antispam-Report: CIP:40.107.167.112;CTRY:CH;LANG:fr;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:ZRZP278CU001.outbound.protection.outlook.com;PTR:mail-switzerlandnorthazon11021112.outbound.protection.outlook.com;CAT:PHISH;SFS:(13230040)(35042699022);DIR:INB;
X-Microsoft-Antispam: BCL:0;ARA:13230040 35042699022;
Mails are quarantined even if the mail is blank.
Thanks for your help,
regards
- ExMSW4319 Aug 09, 2024 Iron Contributor
MX says the sender is also M365 (as per the headers) and they do not look like the sort of organisation that would cause trouble. Their ISP (going by the domain SOA) is in our bad books for unrelated reasons. You might want to sniff around any URLs they routinely include, though I believe that you said the problem was related to one sender. Being on M365, has the sender had a recent "misfortune"? If the sender's address was in your own Tenant Allow / Block list then you would not see the mails at all, unless your anti-spam policy is very weak.
- Hugo_Smartbee Aug 09, 2024 Copper Contributor
Hi,
Yes, the domain doesn't seem to be on any blacklist: other employees can get their email received normally, this user is the only one to have a problem.
What do you mean by a recent "misfortune"? We tested sending many mails over 2 weeks, sometimes blank; all of them were put in quarantine. And the account doesn't seem to have been corrupted by an attacker.
As I said, the emails arrive with an SCL score of 5 and that's why they are put in quarantine; we don't have any specific allow/block rule for this user or domain.
- Chris_toffer0707 Aug 08, 2024 Iron Contributor
Hi.
It will be difficult to trace the exact reason without access to your Defender for Office 365, but from the analysis of the mail header, it seems like a valid mail that is getting flagged by Microsoft's anti-phishing system. I would go ahead and make an admin submission:
https://learn.microsoft.com/en-us/defender-office-365/submissions-admin?view=o365-worldwide#report-good-email-to-microsoft
- Hugo_Smartbee Aug 22, 2024 Copper Contributor
I tried this for 2 of their mails, but new mails from her continue to go to quarantine 😞
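
The header reading discussed in this thread, as an added example that is not part of any poster's message: a Python sketch that parses the X-Forefront-Antispam-Report and Authentication-Results values from the header posted above and separates the authentication outcome from the spam-filter verdict. The function names and the wording of the `finding` strings are assumptions made for illustration; the header values are copied from the thread.

```python
import re

# Values copied from the header posted in this thread (recipient side, DIR:INB).
FOREFRONT_REPORT = (
    "CIP:40.107.167.112;CTRY:CH;LANG:fr;SCL:5;SRV:;IPV:NLI;SFV:SPM;"
    "H:ZRZP278CU001.outbound.protection.outlook.com;"
    "PTR:mail-switzerlandnorthazon11021112.outbound.protection.outlook.com;"
    "CAT:PHISH;SFS:(13230040)(35042699022);DIR:INB;"
)
AUTH_RESULTS = (
    "spf=pass (sender IP is 40.107.167.112) smtp.mailfrom=arsante.ch; "
    "dkim=pass (signature was verified) header.d=arsante.ch;"
    "dmarc=pass action=none header.from=arsante.ch;compauth=pass reason=100"
)
# Sender-side stamp from the same header (X-Forefront-Antispam-Report-Untrusted).
UNTRUSTED_REPORT = (
    "CIP:255.255.255.255;CTRY:;LANG:fr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;"
    "H:GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM;PTR:;CAT:NONE;"
    "SFS:(13230040)(366016)(1800799024)(376014)(38070700018);DIR:OUT;SFP:1102;"
)

def parse_forefront(value):
    """Split 'KEY:VALUE;KEY:VALUE;' into a dict; empty values are kept as ''."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.upper()] = val.strip()
    return fields

def parse_auth_results(value):
    """Return method -> result for spf, dkim, dmarc and compauth."""
    pairs = re.findall(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", value, re.I)
    return {method.lower(): result.lower() for method, result in pairs}

def triage(forefront, auth_results):
    """Say whether the quarantine comes from authentication or the filter verdict."""
    ff = parse_forefront(forefront)
    auth = parse_auth_results(auth_results)
    scl = int(ff["SCL"]) if re.fullmatch(r"-?\d+", ff.get("SCL", "")) else None
    auth_ok = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc", "compauth"))
    # SFV:SPM means spam filtering marked the message; SCL 5 and above is spam.
    flagged = ff.get("SFV") == "SPM" or (scl is not None and scl >= 5)
    if not flagged:
        finding = "not flagged by spam filtering"
    elif auth_ok:
        finding = "authentication passed; filter verdict drives the quarantine"
    else:
        finding = "authentication failure and filter verdict both present"
    return {"scl": scl, "sfv": ff.get("SFV"), "cat": ff.get("CAT"),
            "direction": ff.get("DIR"), "auth": auth, "finding": finding}

if __name__ == "__main__":
    print(triage(FOREFRONT_REPORT, AUTH_RESULTS))
    print(triage(UNTRUSTED_REPORT, AUTH_RESULTS))
```

Run on the posted header, the inbound stamp yields SCL 5, SFV:SPM and CAT:PHISH with SPF, DKIM, DMARC and composite authentication all passing, while the sender-side stamp on the same message shows SCL 1 and SFV:NSPM.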