Forum Discussion
Hugo_Smartbee
Aug 07, 2024 Copper Contributor
All the mail from one mail address arrives in quarantine with an SCL = 5
All the emails sent to us by our customer (email address removed for privacy reasons) arrive in our quarantine with an SCL score of 5. However, the email address passes the DMARC tests perfectly ...
Chris_toffer0707
Aug 07, 2024 Iron Contributor
I often take one of the received mails, copy the header of that mail (must be the original received mail header, do not let user forward the mail to you), and paste the info to this page to analyse the flow:
https://mha.azurewebsites.net/
But another and perhaps more effective way is to analyse the output from Defender portal.
Sign in to https://security.microsoft.com/quarantine?viewid=Email
Then find the quarantined mail in question. On the overview page, look at the "reason for quarantine"; that will tell you if it is categorized as spam, malware, phishing etc. Next, on the overview page, look for the "Policy Type". That will tell you which type of Defender for Office 365 policy has flagged the mail. Open the mail in the quarantine overview; then you can analyse things like "Detection technologies", "URLs", "attachments" and so on.
If this does not answer your question, please share some details from the pages I pinpointed, then I can be of assistance for finding the specific cause.
Hugo_Smartbee
Aug 08, 2024 Copper Contributor
Hi Chris_toffer0707,
Thanks for your help.
The quarantine reason is Phish and the policy-type is Anti-spam policy.
I share with you the mail header I get on my quarantine dashboard:
ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass;
b=r9C6ULST7DqNTZWHElGVQQUj6qG5jdcGPODcUZ1POHiKrVA14Oh899qZRa5noAWbUXqOv0s1NpWohfBi11yqQkwlGkRmH0OXavnmvWQPjGx0H2LDpTBkvpmNnx97nKbm562uVUh7/szcvt+icmof+ImJRgPj5QyVsF7KeWWUoqe02BZHC+zhm2KWKDTLxW2UNgvqjSDCXGWAD3wT/wnTWDbV2yHXoOWZ8F5ln4zBEaPUg8t7Qx15XF85bMhLNaYG4KnLgLIuG/bgmkeW0THlxmbxVOibyejNbTbOVEwZZS+z8wPlqeIa2vMijug5cii57vzHxLcvQ7iQ9JNZhoKrhQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=tGBY5imd02tosviYrB7EuQD0LjKzYQEFq84Uno7D3VI=;
b=mw4kOprPNmlASOTVHwXnpBx3s+hdKZlmcUrn9GDGylKbtw3ww+3RD1Em33YhYsSNRSKFBzUSI5OSJCOBkHwBLCuQuwIV/Ul/BwhSUrmDbynDMrRad+yssoT6tkPrJRnJ2sL/Lq7WuPqdeXT3/Brcuole62LKBsIyvbw9nARI69G25LUHcpSDudbllXWRDQMIc9+ljS+tz4dOosZuqdEpGtqbURIdh/R8DygvPSJGjti6wo8NwxmHaOGTrmCHpVaeU53VD04OdWak7ztiA//ZSTF/COW8Se2M3TesyxvdZZVgGMkgHvtPcGkO1SHU24bInK1ot5KQWq3tj8k0phoBCA==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
40.107.167.112) smtp.rcpttodomain=smartbee.ch smtp.mailfrom=arsante.ch;
dmarc=pass (p=quarantine sp=quarantine pct=100) action=none
header.from=arsante.ch; dkim=pass (signature was verified)
header.d=arsante.ch; arc=pass (0 oda=1 ltdi=1
spf=[1,1,smtp.mailfrom=arsante.ch] dkim=[1,1,header.d=arsante.ch]
dmarc=[1,1,header.from=arsante.ch])
Received: from ZR0P278CA0139.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:40::18)
by ZRAP278MB0045.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:12::14) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.27; Tue, 6 Aug
2024 10:07:47 +0000
Received: from ZR2PEPF0000012C.CHEP278.PROD.OUTLOOK.COM
(2603:10a6:910:40:cafe::de) by ZR0P278CA0139.outlook.office365.com
(2603:10a6:910:40::18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.27 via Frontend
Transport; Tue, 6 Aug 2024 10:07:47 +0000
Authentication-Results: spf=pass (sender IP is 40.107.167.112)
smtp.mailfrom=arsante.ch; dkim=pass (signature was verified)
header.d=arsante.ch;dmarc=pass action=none
header.from=arsante.ch;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of arsante.ch designates
40.107.167.112 as permitted sender) receiver=protection.outlook.com;
client-ip=40.107.167.112; helo=ZRZP278CU001.outbound.protection.outlook.com;
pr=C
Received: from ZRZP278CU001.outbound.protection.outlook.com (40.107.167.112)
by ZR2PEPF0000012C.mail.protection.outlook.com (10.167.241.36) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.7849.8 via Frontend Transport; Tue, 6 Aug 2024 10:07:46 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
b=QN0grlMEOsKpscJvttmXIM6LOwE/xY7kn7cjEGe9u+ijednutbx4SQNj20CYkwiMAU5dBHxrx+hSQtC7yA0gX1J5KwYxK5PaxDSlnA/h2mUlT80HdD3xe9ljX3saWxGalPWrJMSkO9ly1wFP/mw9JK35IJH/8Na6/u6OeBv0LVgvydi048DP/AWpFdBLMyfaWSa7w3Lbi3LVgqSEEXOmRwFBloSz7JwfUmR2mPCBDgyN40ha8L3zuoxt1t+qzhuCa/vzIc565aq7zbuImmhtFC7nB6UqAxHLcTqR6ySvX/10mfhSTn6yUP7/X4AB8KM1ljEDV+/wbgmqw4XXXPRTYw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=tGBY5imd02tosviYrB7EuQD0LjKzYQEFq84Uno7D3VI=;
b=AnZ9NilWEEGbcV5oHinL7Ouo10XcftkMpbTovETh9ASrisr3H6jRqJl5WGQaOdphabMAhaeB+mopJSB/QvXTJwSBhdbCmhC/QJMWda7J73yjiVgw+gLXZgCuDfKOk2+3NfwdxjsZLRKNy3AIQKxNm/yGVdUL6AJW9DwRahukRDheaXCPDop2bfVKqSvSFlpS2h1SdYJF0Ps/S6wVQycp/UuE5zOHtcP8/r6WOYHliKM5dcJqisoHL6dN1UaX0btyy1NntUMhcLxe8yd9HwdiLHO4iRL1QOig9STjucHgYqZBcGdoUKNarsocfMgfwyxGK/3Q1phewcgrbyT5g9R0pQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=arsante.ch; dmarc=pass action=none header.from=arsante.ch;
dkim=pass header.d=arsante.ch; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arsante.ch;
s=selector2;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=tGBY5imd02tosviYrB7EuQD0LjKzYQEFq84Uno7D3VI=;
b=V0DNLvsluuEJO72V5zahQbjPxZgFjUGK7fF6LX+JGv5kqYOoetH9PdaydJDXppJO7czzS8roq/OT+7JPJk4dO+ueWWtLaN5Fh8hDbTGhDyLRbc466IIvMi1kIfMzQ0yorQ8Ra6x/wFO+5CYVzYs7fsSH8QhSD0kVAbrVBuVPxZMICNuBczQgPyHYx0mV8xS8RRfyHzv4aVd3+8tICxAYDSUFK5AWzFptPVKMXksA3d8JAtwP/Q4x5zOB/lQyuvss/BEdBTEVyuK2y5QYfGfQ3tTF4ZSEUpR2uo29+i4AoNdwQMD9YNyasAOMHTw4cn6Wy6AhHg5BUJnsJgC3aTQSlg==
Received: from GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM (2603:10a6:710:1e::13)
by ZRAP278MB0923.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:4b::6) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.27; Tue, 6 Aug
2024 10:07:44 +0000
Received: from GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM
([fe80::4509:e010:c299:d5de]) by GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM
([fe80::4509:e010:c299:d5de%5]) with mapi id 15.20.7828.023; Tue, 6 Aug 2024
10:07:44 +0000
From: =?utf-8?B?R2HDq2xsZSBTYWxsYXo=?= <email address removed for privacy reasons>
To: "email address removed for privacy reasons" <email address removed for privacy reasons>
Subject: Test
Thread-Topic: Test
Thread-Index: AQHa5+h7N6d4nq/Ye0CDrZaLodb7LA==
Date: Tue, 6 Aug 2024 10:07:44 +0000
Message-ID: <email address removed for privacy reasons>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=arsante.ch;
x-ms-traffictypediagnostic:
GV0P278MB0051:EE_
ZRAP278MB0923:EE_
ZR2PEPF0000012C:EE_
ZRAP278MB0045:EE_
X-MS-Office365-Filtering-Correlation-Id: 5adff72c-17bb-4889-de5e-08dcb5ff9f1b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
X-Microsoft-Antispam-Untrusted:
BCL:0;ARA:13230040
366016
1800799024
376014
38070700018;
X-Microsoft-Antispam-Message-Info-Original:
=?utf-8?B?NXJDVnpQRjRCeGh3Y2Y0YmJ1UkpwcDdMYU5uY1YwZys4Y0dzN25aWU1BWkJW?=
=?utf-8?B?QjhKREEwTEFJZ1Z5WTN4ZldSVW5ocjl4SG5RS2oxNVhWTmJFcko3bjJ3MCth?=
=?utf-8?B?alVhQTI5aUt4dXBRazBBRkptd0w0SDBQTVNqYm12RG50WnhmejBTWGh3RWwy?=
=?utf-8?B?QXFYdGdIUm5YVW1Cc3VWMEhFUTVFSTBJdHVibWxBSE13QXlRRGdpSjA0VlE1?=
=?utf-8?B?OTRzbFp0THR3L29ITTVjMklkOG8zNS8zektVSElDSkhMMjg3VDFqODFKVEtO?=
=?utf-8?B?ZkN2T1F6aGRpdWlEeGl4anVtNXZVVFRNcDZUdFFsVG0vekZtUW40aThRS0hU?=
=?utf-8?B?YXk1emN4ZEQ0eVRiRlFxY3c1M0JJcElPaHlqN25lOWRoQXBKNzVlSXUxbVVP?=
=?utf-8?B?ZGgzcnd6eENSNU9GVzJqWUF4ajQ5LzJack9OMVZUU0RTcG1lWnAzTWNhMkYz?=
=?utf-8?B?eG1CVytvK3UyWHJremYwYXBkdDkvYk9VUkxaalpNSG95TXJsY3pkZkN4RTgr?=
=?utf-8?B?VTZVdHFrRVpOeUVvRENWNmMwV3dVbUdISURIb0t3NGsxVWFnQXlxWkZhZmNl?=
=?utf-8?B?bHVkdnNtL3RWMWFGdGxTUW11RU5rbjJpSUN2RTdCazhQdEZQaENoRnRsS0dN?=
=?utf-8?B?RjY1QU81Y3d0TlVub0lFai9RNUxXcjVUMjkybEtOclhSd2tsRm0vSTFmVG1F?=
=?utf-8?B?eGlwTjMvZlUyZC8xTjc3Kyt0M2hycnBUcGhQMzJOUW5YQjBuTERXdjFtcWxq?=
=?utf-8?B?RjhNRGpMdUxoNHc5Qzh0MHpNazg5Vll0VmxLU09xeWNDRE5jbDN1YVBYV0FV?=
=?utf-8?B?eDFKMjNnRzdwK1NkODRLdTYrR2hhUmlCMUJjTVFMK2VCMmROaFY2MG9zQS9S?=
=?utf-8?B?a2xUdmdSVitjOTIrT2luY0c2YWxBRytpdlhkdmJ2QmRRaGR6Y1ZPMDJ0aHZN?=
=?utf-8?B?RG9zTEw2SklJOVdna1BYSnhQMFJYcVczdnpJcStianloV1F5YkZIbDBZWFVu?=
=?utf-8?B?NXMzUXd4Z2lVSlVSL3pkbmpJUEZzWmlwbDZLT1Z6TENGU090NEp0SWVZZThh?=
=?utf-8?B?WnRLYkVrRlFBVnZvOXlZbkhSTHlCOC8vWVRwTFYwNHBmRVRMVmJ1VHVWVkYv?=
=?utf-8?B?QkJCVE1zN1MxWXBMNGxwaXFLcE5mZmhPNE9qVEJJOW1sVFE1NUdVWVdwQmtN?=
=?utf-8?B?ZGdRN0ZjdVB2cmF3T3RIS0RodE55bDZ1a3FvaHViNlRSQnBBYy8zYkJycnFY?=
=?utf-8?B?MUZ6cFVqQ3RKL1pNRDlQMVVSRDRnNUVjdm85MjkwdlNTVElDKzlhUWpRU01j?=
=?utf-8?B?dStpMVIxVSt5TEl5OGFWajl0SGFlS3Q3NzlMNjdDcEdaVWFMMEdKci9KblVt?=
=?utf-8?B?UVVZNDdWN2dmWXNleWxLbURnOWIyUWY1akxkY2grT3kzU2NaaFhlYXdySFlz?=
=?utf-8?B?M3UzRG9KYnFVRlB4R1NXclZQMEJvNmpkeTRMeFdUSThmZ01VNmY3azVWTmNj?=
=?utf-8?Q?WweAfHPCNw+IvuMxwV6Y+uK61ZR?=
X-Forefront-Antispam-Report-Untrusted:
CIP:255.255.255.255;CTRY:;LANG:fr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700018);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-Original-0:
=?utf-8?B?aGIzdmNNWHZsb1JVT1E1SGFiNU1IeGxTdTdndThlYmN5bFU3d1c0aGRRMy9R?=
=?utf-8?B?Z2NUc3N2QjBVeDNPcHprNWV4L1NXelNvaGtnUWpod2ZsT1BOb21qQzdZSmpB?=
=?utf-8?B?S3R1US9VVU5QdEhKNEFNZnl3am9FYWx5eUJxd01Ob1lMREdrOG9GYU9pRWpq?=
=?utf-8?B?NnVEUlhyWURaaCtzaHc1ZnpySCt2ZTFEc1lsNUx0enhUS3FzLzM2MlZiSXNJ?=
=?utf-8?B?cHF0SGt3TmhTSWl1MC9XcVJlNVlqZmZLR2JCRVVzdXlOL0dhcm0rSlBsbVI4?=
=?utf-8?B?bytncVRpMy9Da0hvV1RDelZlbnl6OGwyNXo2UDYwMng1Q2Fxd0QzR24wbjZJ?=
=?utf-8?B?dGIyck5mK1RJMGQ0akQ2OFNtQ2tMTGQ1K3VlTENVMjRsWElnOFBOSTMyQ29E?=
=?utf-8?B?SHNOWnBqdnFhdGFDeWk4bGtueDg4c3N6aVJoNFFZODdPM0dUVjYrWWtDakJC?=
=?utf-8?B?NVhpUUdnRXRxVjVYVEFVRThOZmwwS3hBR0hBS2R6MUdZNDBtRGg4K0JETlNt?=
=?utf-8?B?SHhhN3QyaVZPLzh6QVl3eThwQm1BbmQzUEJPMCswN2VvUExpUkdyNjhpVW5p?=
=?utf-8?B?WGllZ2lXS0RLNnlMYUNmY1UrNnQ3Q0lrL2NyMHdvTEMyRHhOakZZV3lpWTR5?=
=?utf-8?B?UzFheFBVTE5KbXh4QkxwOEtsd3E3UjBaQk9kN0hFSVBWQXNNTlBMcUNPN2Yv?=
=?utf-8?B?bTlsZTZsQS9QNllYamh5WkdZWVYzbUtMUjBOU2NwN3Vnam9pbis1WDVZcUpT?=
=?utf-8?B?cTh0cUhwZ1puQzAwQnJxUlpkdGIwVDNMRnV2VG05TTVLRmVtUUduZzhiOGRl?=
=?utf-8?B?NWRXMms5eHovSFc0VnRXRVI0SDZ0MUpVaWpmVXpMWkw5UXk4WUdPQmJOeGpy?=
=?utf-8?B?aWFBTkI0bVVVVm5ZTlZsOHhCM0M4c0FyVzZBYjdTZEFJdHljb3o1T2FLN0xn?=
=?utf-8?B?dkpkdjFWbkUvVEZHV0FadUkwanBCZEJGVlZKcXdFaitaTUNRVXpqSEZTQm0x?=
=?utf-8?B?WXBWZkdjZ1R4VmhhSWFKK2lRUEkxUDJ6NVoxNzU4b3VTdGFuclhNckE1VWN1?=
=?utf-8?B?VThCa3g4Wmc1SWpkcWVta1ByMEZrMUtYNlZEQ1pKL1YzMC9RbnJZQVFBREVP?=
=?utf-8?B?a2ZyVGNuTkNtbFEyaVF3YUl0TEx2UUYwYVlOdW9SbTE3U0s4eHd1b1NVNXgr?=
=?utf-8?B?a3V4TlZGSkorRHoyNjh4cjdVdVNUZFdhS2dWWW9HdHBscFJlbE52MUU0OUox?=
=?utf-8?B?SWtaQWlsaE9ZQkozRTU4eVRFZ01MZlh0RkFpVHZDUG1TVVg4UGxjVmRDT2Vm?=
=?utf-8?B?WWNHTW5ieU9mOHl4T1N5UkRxa051UEE4VGdSN3hiYkhrV29wZ0E2Y2VzM2ww?=
=?utf-8?B?WWIyenhVMjR3WkFoSEZ5REZPMW1CVC9LMElkY1lSdzBielFmWURzZlN1NERB?=
=?utf-8?B?WlhwOHZwaFdleG1JaHFwMU0xeTByS1pBcmhwbkVUK0l5a2tmT0NBeVgrZS9a?=
=?utf-8?B?Z2tMQkRnd2d4OG9MMjUvZTBteDYwcEJOVXdUMHltbVluTnNiSURHdFhSelhS?=
=?utf-8?B?MGhyZTdLMkxSSFhDWm50QUt3b2I2cUJWb2RWS3hDNW9PUlMrT1FuMlNTNllH?=
=?utf-8?B?b1Q2VnowMUNNTlpXT1U4YmxvQVBmcGNZdHhHZUgwMG1rSmQ1eTltbEUzMjlO?=
=?utf-8?B?alVoL1NOckcyZkdiL1ZzemZ4blZrZXE0R0xEVk81ZExldUIrTTIzb21NK3VJ?=
=?utf-8?B?SjdsY3d6T2xIa0ROL1kwMG5rZmZWcnpYR0dJc2IxZVJWQVpYVkdmOEhEaXlR?=
=?utf-8?B?cC9DYndrZVBqQyt3QitiMWpFWWsrdnh1bzR4QkVtU0ZkbDNiR0hYTnpXdDdO?=
=?utf-8?B?V3UyRGRhNVFHQ0xscWQ5dGZXNFUwbTlBVFNOcVpOTU5mR1NFekxFYWRsVmpi?=
=?utf-8?B?dEgwOWU4aGJDdnNYUGl4MGRQd2pvWEEycHo4VDNOTXdSZERScFZiSUlMKzZl?=
=?utf-8?B?MTUxc0V6ZTR3Rm9lNmxCT3EvYnZJdklTQmhmVHhuRXpnZTBCTEVHZGNiUTVT?=
=?utf-8?B?bnJSRUhPTzJuRHpLalFublJTcFgvOVlqYnlCblN3NjhVZUp4NmsxSk91ek9l?=
=?utf-8?B?OVlRaWJQZDk1MWg2eCt5bHF4RnVVL0hwMlZBMmo0Y0RjUXBWSmFVaGcrQ2hH?=
=?utf-8?B?Vmc9PQ==?=
Content-Type: text/plain; charset="utf-8"
Content-ID: <email address removed for privacy reasons>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ZRAP278MB0923
Return-Path: email address removed for privacy reasons
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 34af5d30-e9cb-484b-86d8-2ae5ada91fe8:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
ZR2PEPF0000012C.CHEP278.PROD.OUTLOOK.COM
X-MS-Exchange-Transport-CrossTenantHeadersPromoted:
ZR2PEPF0000012C.CHEP278.PROD.OUTLOOK.COM
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs:
c9a130fa-b1d7-4c47-2596-08dcb5ff9dc8
X-Forefront-Antispam-Report:
CIP:40.107.167.112;CTRY:CH;LANG:fr;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:ZRZP278CU001.outbound.protection.outlook.com;PTR:mail-switzerlandnorthazon11021112.outbound.protection.outlook.com;CAT:PHISH;SFS:(13230040)(35042699022);DIR:INB;
X-Microsoft-Antispam: BCL:0;ARA:13230040
35042699022;
X-Microsoft-Antispam-Message-Info:
=?utf-8?B?YVM3UldKVy9RVWJjYzZzbzExWjdxdndQdUtONVZYZGl1RWhaZGZ2Qm55dEp6?=
=?utf-8?B?WGZsMFN2UTBEaXdHS1VpeHNkQ2NPdHJ0TE14eGZheFZPTTRFeTVVM01xNFZh?=
=?utf-8?B?dmJnZ2tDWjQrVFN5c3lBazdsK1hCSndXdVk0aGE5VnR4emdOTW9aQ3hkWU1t?=
=?utf-8?B?cGZORytOZy9kbks0NnEvOVBERllRYXVKaTl0MWFkV2VrTy96ZkEySnhuUDA1?=
=?utf-8?B?MmdaTi91RVR0b3pMVkRQUmwraHBpM3lRbS9UaGtZOFhpbGt0bzB3dlFqaHJo?=
=?utf-8?B?dWRpcU9oUmc0WkFqeHBhY0JWaWFkZlZZMjR4UG5ZVThRZW9JRHJrc1d5MXE4?=
=?utf-8?B?SzMwNFc4T2FZd0dKVHcxOTcwTjNCbUQvdGFRYXdVT1VLMFZDbmh6OHR2Wk94?=
=?utf-8?B?b3c5YXlZeG1sRlpnQm1HZno1cEdtMTJUSG9nS1ZUNmh6NVJLd1BWd0tPT2k1?=
=?utf-8?B?czRnN2txK2N5bmlraS9wMDByTUJQZTZ1SWpncFk3TExuNnkydHBiUW1ZVHV4?=
=?utf-8?B?Z2ViZExhR3krZHY2WjN6RURneThjQjROUWVsTjhmRnBqdkpDemhBbSt1WHFa?=
=?utf-8?B?cjJ4TDJ2Y2lpYjB2MmY3U29keTM0d3cvQjZVdFl6dGJaazU0VTI1R0U4aGNt?=
=?utf-8?B?d1AydGJ2cXcwU1M0Ui9sVzY5MG5TZ2wzb1pwbVY2cmNCK1c3bVZSa0NrMDh5?=
=?utf-8?B?L2hIZDlqdFVFb0FNcVJCQUxkMXlLU1h6QnJDRmRSMkVJUUgybTRmSDNUZWRw?=
=?utf-8?B?VHYybHZRUVplWlVkMk5IR0piVDNRejZGczFOTlNBd2phL3NnL0VIRjdseWk5?=
=?utf-8?B?MSs0S3oyZUdlV2Vac3ZkQ2hHU0xzeFlZN1g2d1pWV0RxcHVaTHIyeHE0Q1hW?=
=?utf-8?B?TUQxd3FNSjRWVW9UbHlsVlJWTUtnN05PaEV0NGZSKzJtVnVFdVp3K1AraDU4?=
=?utf-8?B?c3k3em5CbkdEWmpvblRDdk44N0s1V0Yrckx3QjgzTklBdGpNemQwZUJVN3p4?=
=?utf-8?B?TCtwd0xrVHRYMnVic2FUT1ZqSmxhUFA4WUt6dXBvZzhEMGUyR0l4N1k1MStq?=
=?utf-8?B?L0JZbnVWOUtuRHpLMTZYUXYxcXZWUXJweE9Ba25ld0FXbDlIcFFLbld5V1Q1?=
=?utf-8?B?OU1ON3BhbCtFbTZSWXAzc2VLTXpOUEEyZFZ0NDRQVWR2Skd2SUZnT1EzTXg2?=
=?utf-8?B?Ky9BaUxnaWszdEpsbHNhOTBjaEI0Z29QYzBlZXFFSmRRWEVZc0RDQk1QTndr?=
=?utf-8?B?Mk5SZE9vbUZaNmx3MlhmeXB5dTZUajVTTEVGYnZMVHVNOVZSL3ZkSFVOU2RO?=
=?utf-8?B?Z0hPbEQzVVZXeDdnN0FMb1hPYVg3YkZ5UHBFZDZJVnNWc09takNRTHRTNGNU?=
=?utf-8?B?VVpqbjU1MElZalREb3lrdlFoa2VvRWdqakhESVZGMHhpZ0NzZ1Ywb2dhS2NN?=
=?utf-8?B?Znc0b0l4d2pXMUVCcjA3NkkzYWZVeUNKNisvcHJFVGxYMWs3L3R4ZEozdVNm?=
=?utf-8?B?ald2Zzhsa3Z4ZHVUQmQ4ZVhQTnRDU3dVQXlCUzVNamNmMHJHTEZCV3doVTAv?=
=?utf-8?B?dWNvYUJ3eE5LV0FRbXBsKzJNVzdxTGxDMmwrTkJhYVdhMzYvaHpTSFNzMm00?=
=?utf-8?B?Y1RVRVFsWVFtZ3NGOHZZSmMzSmRrbHMwckdVU2tUTVJ1djdtQXJnbDdiZU40?=
=?utf-8?B?ZmRJK1hyRUJLVk9ocW1Xc21rM2FVNXlaVm1SWjRIa2RBblJySnl4bzVkRjRm?=
=?utf-8?B?K3VDb3dOMjg0MnE0U2s5bzN4V0d1dnU2YmdwREMvM2hNQ2xZbTJhRzFXUEpC?=
=?utf-8?B?TjcxWGEyY3pUNmhvR3JiOGVSR1BISVg2MUZmQysreDVNdlV6KzkvS0svak1L?=
=?utf-8?B?WEE4a2ExUE9FQUlmQVNHdjFEZTJpVUMycG0xdmF3SXcwTjRvSVdJL1M5YjZL?=
=?utf-8?B?OWhubFIxalRSWFhqZW1zMCtzRERXc2hnVHpLYmlVVFRXZXp2VklZSExrR2hK?=
=?utf-8?B?cG5EUFJJbkxvcVpFYVZaOU85cERsVGZ1ZmJ5TS9JdGF4ZEJKSEhHU0VoMlEz?=
=?utf-8?B?L1hFQmlnQk1GK05rMUZlSlJhU0RSNmpsbkZVQkZDZHc0MEhGcXpkd1FjNFBR?=
=?utf-8?B?TkljcC96aHpxV1huTEF2SVQyS0JVVE1QNnd6cFJ0RjNibjErbjEwejBUZWR5?=
=?utf-8?B?M3Iyb2t1VDFaczVCbFp6WDVDTndtMTc0b1M2M3RkRlBJMlFMdVJ2Z3BIR3Jw?=
=?utf-8?B?OW1aZS9IcDJOcVp3ZUZPeWxTeEVSV1VteXNGVmhZUWJSOG9KRHkvK1drTzZu?=
=?utf-8?B?dTVxNlJHQU5XdUswQzIyUENzUlZjVUNCT0VSTnFTdGdVazZvTTJJUytnUGNq?=
=?utf-8?B?Wjc0c3FwakJDczB2K0xVb29HUEJmS0lrbXliN1F5MTB2dWw1SU82M2JjeEJw?=
=?utf-8?B?QXJQK0RqRWVJb0lscTVFQ3FuSlRHLzF2b0lXOGNhV2NZV2lrYlRkK1VPOW9H?=
=?utf-8?B?ZlRGc3hhV3ByKzVnakxHbDczelZnY3FsR3dLRVhaM2t4UWtSR3NsT1ZVZXZK?=
=?utf-8?B?Sll1dHRBWDV0bDBIdHI5ZzRtK2piZ1BRWHRPRVI4V3BtZk5BeG4vWXVGRElP?=
=?utf-8?B?ckFRSEJvWEhXZE9XeFYrQTVXZ0d2M2t2V29jeDJwdFI3OUdGVTJxR2o1eWZB?=
=?utf-8?B?a0k1VmsvTHpNSFJvY2RHRnNST2Yzenh3TXQ4WVo4UHFkdjN5M2JuY3BCL0Fa?=
=?utf-8?B?bFFjQVhuMDN0V1BoYUYyc2t6ZFc1NW1yQ0dzUWVISEsveGJ4dlQvM3Mrb3po?=
=?utf-8?B?SGVEbHpoOVplSE9HYjVuZnptMWhuSlVBKzY0Um96d0g0M3FOSFByOTNkOEZy?=
=?utf-8?B?OTB1TmcvRS8xbGRoZEc5REs2NG5YbVZIZVBYcER3bHNEcjB1c0l5WmVBeS9w?=
=?utf-8?B?NXd3Sm1GV05IOXhVVXVYT3RSRjlXNlhoaFRMTnBKUVcvTGZnbHc9PQ==?=
Mails are quarantined even if the mail is blank.
Thanks for your help,
regards
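To make the header above easier to read, here is an added Python example (not code from the thread or from Microsoft) that pulls out the fields Chris_toffer0707 pointed at. It parses the Authentication-Results header and both X-Forefront-Antispam-Report headers and shows the key contrast in this case: SPF, DKIM and DMARC all pass, the sender-side (Untrusted) report has SCL:1, but the receiving filter stamped SCL:5 / SFV:SPM / CAT:PHISH. The sample headers are a constructed, trimmed copy of the ones posted; the forum paste lost the leading whitespace on folded lines, so the sample is re-indented the way a real .eml keeps it. The function names are the example's own.

```python
import email
import re

# Constructed sample: the relevant headers from the quarantined message,
# re-folded with the leading whitespace that the portal paste stripped.
SAMPLE_HEADERS = """\
Authentication-Results: spf=pass (sender IP is 40.107.167.112)
 smtp.mailfrom=arsante.ch; dkim=pass (signature was verified)
 header.d=arsante.ch;dmarc=pass action=none
 header.from=arsante.ch;compauth=pass reason=100
X-Forefront-Antispam-Report-Untrusted:
 CIP:255.255.255.255;CTRY:;LANG:fr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016);DIR:OUT;SFP:1102;
X-Forefront-Antispam-Report:
 CIP:40.107.167.112;CTRY:CH;LANG:fr;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:ZRZP278CU001.outbound.protection.outlook.com;PTR:mail-switzerlandnorthazon11021112.outbound.protection.outlook.com;CAT:PHISH;SFS:(13230040)(35042699022);DIR:INB;
Subject: Test

"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)")


def unfold(value: str) -> str:
    """Collapse RFC 5322 header folding into a single line."""
    return " ".join(part.strip() for part in value.splitlines()).strip()


def parse_forefront_report(value: str) -> dict[str, str]:
    """Turn 'CIP:1.2.3.4;SCL:5;CAT:PHISH;...' into a dict keyed by field name.
    Fields are ';'-separated and each is 'KEY:VALUE'; empty values (CTRY:) are kept."""
    fields: dict[str, str] = {}
    for item in unfold(value).split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            fields[key.strip()] = val.strip()
    return fields


def parse_auth_results(value: str) -> dict[str, str]:
    """Extract the spf/dkim/dmarc/compauth verdicts from Authentication-Results."""
    return {m.group(1): m.group(2) for m in AUTH_RE.finditer(unfold(value))}


def analyse(raw_headers: str) -> dict:
    """Summarise why a message landed in quarantine from its headers alone."""
    msg = email.message_from_string(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    final = parse_forefront_report(msg.get("X-Forefront-Antispam-Report", ""))
    original = parse_forefront_report(
        msg.get("X-Forefront-Antispam-Report-Untrusted", "")
    )
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    scl = int(final.get("SCL", "") or -1)
    return {
        "auth": auth,
        "authenticated": authenticated,
        "scl": scl,
        "sfv": final.get("SFV"),
        "cat": final.get("CAT"),
        "scl_at_sender": original.get("SCL"),
        # Sender identity checks passed but the filter still marked it spam
        # (SFV:SPM): the cause is the content/phish verdict, not SPF/DKIM/DMARC.
        "verdict_from_content_filter": authenticated and final.get("SFV") == "SPM",
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_HEADERS).items():
        print(f"{key:>28}: {val}")
```

Reading the result: `authenticated` is True and `scl_at_sender` is "1", while the receiving side reports SCL 5 with SFV:SPM and CAT:PHISH, which is exactly the "valid mail flagged as phish" picture Chris_toffer0707 describes. That points at the anti-spam/anti-phish verdict rather than an authentication failure, so the admin submission (report good email) is the right lever; a tenant allow entry would only mask the verdict.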
- ExMSW4319
Aug 09, 2024 Iron Contributor
MX says the sender is also M365 (as per the headers) and they do not look like the sort of organisation that would cause trouble. Their ISP (going by the domain SOA) is in our bad books for unrelated reasons. You might want to sniff around any URLs they routinely include, though I believe that you said the problem was related to one sender. Being on M365, has the sender had a recent "misfortune"? If the sender's address was in your own Tenant Allow / Block list then you would not see the mails at all, unless your anti-spam policy is very weak.
- Hugo_Smartbee
Aug 09, 2024 Copper Contributor
Hi,
Yes, the domain doesn't seem to be in any blacklist: other employees can get their emails received normally, this user is the only one to get the problem.
What do you mean by recent "misfortune"? We tested sending many mails during 2 weeks, sometimes blank, all of them were put in quarantine. And the account doesn't seem to have been corrupted by an attacker.
As I said, the emails arrive with an SCL score of 5 and that's why they're put in quarantine; we don't have specific allow/block rules for this user or domain.
- ExMSW4319
Aug 09, 2024 Iron Contributor
"Misfortune" meaning that for a short period someone else was using that mailbox to send.
- Chris_toffer0707
Aug 08, 2024 Iron Contributor
Hi.
It will be difficult to trace the exact reason without access to your Defender for Office 365, but from the analysis of the mail header, it seems like a valid mail that is getting flagged by Microsoft's anti-phishing system. I would go ahead and make an admin submission:
https://learn.microsoft.com/en-us/defender-office-365/submissions-admin?view=o365-worldwide#report-good-email-to-microsoft
- Hugo_Smartbee
Aug 22, 2024 Copper Contributor
I tried this for 2 of their mails, but new mails from her continue to come into quarantine 😞
- Hugo_Smartbee
Aug 09, 2024 Copper Contributor
Hi, thanks for your help, we're gonna try this and see if their mail stops being classified as spam.