Forum Discussion
Hugo_Smartbee
Aug 07, 2024 Copper Contributor
All the mail from one mail address arrives in quarantine with an SCL = 5
All the emails sent to us by our customer (email address removed for privacy reasons) arrive in our quarantine with an SCL score of 5. However, the email address passes the DMARC tests perfectly ...
Hugo_Smartbee
Aug 08, 2024 Copper Contributor
Hi Chris_toffer0707,
Thanks for your help.
The quarantine reason is Phish and the policy-type is Anti-spam policy.
I am sharing the mail header I get on my quarantine dashboard:
ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass;
b=r9C6ULST7DqNTZWHElGVQQUj6qG5jdcGPODcUZ1POHiKrVA14Oh899qZRa5noAWbUXqOv0s1NpWohfBi11yqQkwlGkRmH0OXavnmvWQPjGx0H2LDpTBkvpmNnx97nKbm562uVUh7/szcvt+icmof+ImJRgPj5QyVsF7KeWWUoqe02BZHC+zhm2KWKDTLxW2UNgvqjSDCXGWAD3wT/wnTWDbV2yHXoOWZ8F5ln4zBEaPUg8t7Qx15XF85bMhLNaYG4KnLgLIuG/bgmkeW0THlxmbxVOibyejNbTbOVEwZZS+z8wPlqeIa2vMijug5cii57vzHxLcvQ7iQ9JNZhoKrhQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=tGBY5imd02tosviYrB7EuQD0LjKzYQEFq84Uno7D3VI=;
b=mw4kOprPNmlASOTVHwXnpBx3s+hdKZlmcUrn9GDGylKbtw3ww+3RD1Em33YhYsSNRSKFBzUSI5OSJCOBkHwBLCuQuwIV/Ul/BwhSUrmDbynDMrRad+yssoT6tkPrJRnJ2sL/Lq7WuPqdeXT3/Brcuole62LKBsIyvbw9nARI69G25LUHcpSDudbllXWRDQMIc9+ljS+tz4dOosZuqdEpGtqbURIdh/R8DygvPSJGjti6wo8NwxmHaOGTrmCHpVaeU53VD04OdWak7ztiA//ZSTF/COW8Se2M3TesyxvdZZVgGMkgHvtPcGkO1SHU24bInK1ot5KQWq3tj8k0phoBCA==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
40.107.167.112) smtp.rcpttodomain=smartbee.ch smtp.mailfrom=arsante.ch;
dmarc=pass (p=quarantine sp=quarantine pct=100) action=none
header.from=arsante.ch; dkim=pass (signature was verified)
header.d=arsante.ch; arc=pass (0 oda=1 ltdi=1
spf=[1,1,smtp.mailfrom=arsante.ch] dkim=[1,1,header.d=arsante.ch]
dmarc=[1,1,header.from=arsante.ch])
Received: from ZR0P278CA0139.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:40::18)
by ZRAP278MB0045.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:12::14) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.27; Tue, 6 Aug
2024 10:07:47 +0000
Received: from ZR2PEPF0000012C.CHEP278.PROD.OUTLOOK.COM
(2603:10a6:910:40:cafe::de) by ZR0P278CA0139.outlook.office365.com
(2603:10a6:910:40::18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.27 via Frontend
Transport; Tue, 6 Aug 2024 10:07:47 +0000
Authentication-Results: spf=pass (sender IP is 40.107.167.112)
smtp.mailfrom=arsante.ch; dkim=pass (signature was verified)
header.d=arsante.ch;dmarc=pass action=none
header.from=arsante.ch;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of arsante.ch designates
40.107.167.112 as permitted sender) receiver=protection.outlook.com;
client-ip=40.107.167.112; helo=ZRZP278CU001.outbound.protection.outlook.com;
pr=C
Received: from ZRZP278CU001.outbound.protection.outlook.com (40.107.167.112)
by ZR2PEPF0000012C.mail.protection.outlook.com (10.167.241.36) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.7849.8 via Frontend Transport; Tue, 6 Aug 2024 10:07:46 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
b=QN0grlMEOsKpscJvttmXIM6LOwE/xY7kn7cjEGe9u+ijednutbx4SQNj20CYkwiMAU5dBHxrx+hSQtC7yA0gX1J5KwYxK5PaxDSlnA/h2mUlT80HdD3xe9ljX3saWxGalPWrJMSkO9ly1wFP/mw9JK35IJH/8Na6/u6OeBv0LVgvydi048DP/AWpFdBLMyfaWSa7w3Lbi3LVgqSEEXOmRwFBloSz7JwfUmR2mPCBDgyN40ha8L3zuoxt1t+qzhuCa/vzIc565aq7zbuImmhtFC7nB6UqAxHLcTqR6ySvX/10mfhSTn6yUP7/X4AB8KM1ljEDV+/wbgmqw4XXXPRTYw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=tGBY5imd02tosviYrB7EuQD0LjKzYQEFq84Uno7D3VI=;
b=AnZ9NilWEEGbcV5oHinL7Ouo10XcftkMpbTovETh9ASrisr3H6jRqJl5WGQaOdphabMAhaeB+mopJSB/QvXTJwSBhdbCmhC/QJMWda7J73yjiVgw+gLXZgCuDfKOk2+3NfwdxjsZLRKNy3AIQKxNm/yGVdUL6AJW9DwRahukRDheaXCPDop2bfVKqSvSFlpS2h1SdYJF0Ps/S6wVQycp/UuE5zOHtcP8/r6WOYHliKM5dcJqisoHL6dN1UaX0btyy1NntUMhcLxe8yd9HwdiLHO4iRL1QOig9STjucHgYqZBcGdoUKNarsocfMgfwyxGK/3Q1phewcgrbyT5g9R0pQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=arsante.ch; dmarc=pass action=none header.from=arsante.ch;
dkim=pass header.d=arsante.ch; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arsante.ch;
s=selector2;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=tGBY5imd02tosviYrB7EuQD0LjKzYQEFq84Uno7D3VI=;
b=V0DNLvsluuEJO72V5zahQbjPxZgFjUGK7fF6LX+JGv5kqYOoetH9PdaydJDXppJO7czzS8roq/OT+7JPJk4dO+ueWWtLaN5Fh8hDbTGhDyLRbc466IIvMi1kIfMzQ0yorQ8Ra6x/wFO+5CYVzYs7fsSH8QhSD0kVAbrVBuVPxZMICNuBczQgPyHYx0mV8xS8RRfyHzv4aVd3+8tICxAYDSUFK5AWzFptPVKMXksA3d8JAtwP/Q4x5zOB/lQyuvss/BEdBTEVyuK2y5QYfGfQ3tTF4ZSEUpR2uo29+i4AoNdwQMD9YNyasAOMHTw4cn6Wy6AhHg5BUJnsJgC3aTQSlg==
Received: from GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM (2603:10a6:710:1e::13)
by ZRAP278MB0923.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:4b::6) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.27; Tue, 6 Aug
2024 10:07:44 +0000
Received: from GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM
([fe80::4509:e010:c299:d5de]) by GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM
([fe80::4509:e010:c299:d5de%5]) with mapi id 15.20.7828.023; Tue, 6 Aug 2024
10:07:44 +0000
From: =?utf-8?B?R2HDq2xsZSBTYWxsYXo=?= <email address removed for privacy reasons>
To: "email address removed for privacy reasons" <email address removed for privacy reasons>
Subject: Test
Thread-Topic: Test
Thread-Index: AQHa5+h7N6d4nq/Ye0CDrZaLodb7LA==
Date: Tue, 6 Aug 2024 10:07:44 +0000
Message-ID: <email address removed for privacy reasons>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=arsante.ch;
x-ms-traffictypediagnostic:
GV0P278MB0051:EE_
ZRAP278MB0923:EE_
ZR2PEPF0000012C:EE_
ZRAP278MB0045:EE_
X-MS-Office365-Filtering-Correlation-Id: 5adff72c-17bb-4889-de5e-08dcb5ff9f1b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
X-Microsoft-Antispam-Untrusted:
BCL:0;ARA:13230040
366016
1800799024
376014
38070700018;
X-Forefront-Antispam-Report-Untrusted:
CIP:255.255.255.255;CTRY:;LANG:fr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GV0P278MB0051.CHEP278.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700018);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount: 1
Content-Type: text/plain; charset="utf-8"
Content-ID: <email address removed for privacy reasons>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ZRAP278MB0923
Return-Path: email address removed for privacy reasons
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 34af5d30-e9cb-484b-86d8-2ae5ada91fe8:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
ZR2PEPF0000012C.CHEP278.PROD.OUTLOOK.COM
X-MS-Exchange-Transport-CrossTenantHeadersPromoted:
ZR2PEPF0000012C.CHEP278.PROD.OUTLOOK.COM
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs:
c9a130fa-b1d7-4c47-2596-08dcb5ff9dc8
X-Forefront-Antispam-Report:
CIP:40.107.167.112;CTRY:CH;LANG:fr;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:ZRZP278CU001.outbound.protection.outlook.com;PTR:mail-switzerlandnorthazon11021112.outbound.protection.outlook.com;CAT:PHISH;SFS:(13230040)(35042699022);DIR:INB;
X-Microsoft-Antispam: BCL:0;ARA:13230040
35042699022;
Mails are quarantined even if the mail is blank.
Thanks for your help,
regards
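
Added example, not part of the original posts: a small Python triage of the two headers that decide this case, `Authentication-Results` and `X-Forefront-Antispam-Report`, showing that SPF, DKIM, DMARC and compauth all pass while the filter stamps `SCL:5`, `SFV:SPM` (marked as spam by spam filtering) and `CAT:PHISH`. The function names and the three `finding` labels are hypothetical; the header values are copied from the post above.

```python
import email
import re

# Two headers copied from the post above; the report line is abridged (PTR dropped).
RAW = (
    "Authentication-Results: spf=pass (sender IP is 40.107.167.112)\n"
    " smtp.mailfrom=arsante.ch; dkim=pass (signature was verified)\n"
    " header.d=arsante.ch;dmarc=pass action=none\n"
    " header.from=arsante.ch;compauth=pass reason=100\n"
    "X-Forefront-Antispam-Report:\n"
    " CIP:40.107.167.112;CTRY:CH;LANG:fr;SCL:5;SRV:;IPV:NLI;SFV:SPM;"
    "H:ZRZP278CU001.outbound.protection.outlook.com;CAT:PHISH;"
    "SFS:(13230040)(35042699022);DIR:INB;\n"
    "\n"
)


def unfold(value):
    """Collapse folded header whitespace; a missing header becomes ''."""
    return " ".join((value or "").split())


def parse_auth(value):
    """Return {'spf': 'pass', ...} from an Authentication-Results value."""
    text = unfold(value)
    results = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", text))
    reason = re.search(r"\breason=(\d+)", text)
    results["reason"] = reason.group(1) if reason else None
    return results


def parse_report(value):
    """Split the 'KEY:value;' pairs of X-Forefront-Antispam-Report."""
    pairs = (field.partition(":") for field in unfold(value).split(";") if field)
    return {key.strip(): val.strip() for key, _, val in pairs}


def triage(raw_headers):
    """Compare the authentication outcome with the filter verdict."""
    msg = email.message_from_string(raw_headers)
    auth = parse_auth(msg["Authentication-Results"])
    report = parse_report(msg["X-Forefront-Antispam-Report"])
    auth_ok = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc", "compauth"))
    raw_scl = report.get("SCL")
    filtered = report.get("SFV") == "SPM" or report.get("CAT", "NONE") != "NONE"
    if not auth_ok:
        finding = "auth-failed"             # hypothetical label
    elif filtered:
        finding = "auth-pass-but-filtered"  # the case shown in this thread
    else:
        finding = "clean"
    return {"auth_ok": auth_ok, "scl": int(raw_scl) if raw_scl else None,
            "sfv": report.get("SFV"), "cat": report.get("CAT"),
            "reason": auth["reason"], "finding": finding}
```

On the posted message `triage(RAW)` reports `auth-pass-but-filtered`, so the headers to compare across the affected sender's mails are `CAT` and `SFV`, not the SPF/DKIM/DMARC results.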
ExMSW4319
Aug 09, 2024 Iron Contributor
MX says the sender is also M365 (as per the headers) and they do not look like the sort of organisation that would cause trouble. Their ISP (going by the domain SOA) is in our bad books for unrelated reasons. You might want to sniff around any URLs they routinely include, though I believe that you said the problem was related to one sender. Being on M365, has the sender had a recent "misfortune"? If the sender's address was in your own Tenant Allow / Block list then you would not see the mails at all, unless your anti-spam policy is very weak.
- Hugo_Smartbee
Aug 09, 2024 Copper Contributor
Hi,
Yes, the domain doesn't seem to be on any blacklist: other employees can get their email received normally; this user is the only one to have the problem.
What do you mean by recent "misfortune"? We tested sending many mails over 2 weeks, sometimes blank; all of them were put in quarantine. And the account doesn't seem to have been corrupted by an attacker.
As I said, the emails arrive with an SCL score of 5 and that's why they're put in quarantine; we don't have any specific allow/block rules for this user or domain.
- ExMSW4319
Aug 09, 2024 Iron Contributor
"Misfortune" meaning that for a short period someone else was using that mailbox to send.