Forum Discussion
Help me understand why this email was quarantined?
- Jul 05, 2025
Thank you for the detailed breakdown. Based on what you shared and the quarantine report screenshot, the key trigger here seems to be the High Confidence Phish classification applied by the Hosted Content Filter Policy, which, as you know, is part of the Anti-Spam Inbound layer.
Even though the BCL tolerance is set to 7 and historical data shows no BCL-based filtering, BCL wouldn’t play a role in “phish” detections; those are typically driven by SCL or additional anti-phish logic within the Anti-Spam Inbound policy. It appears the message likely hit an SCL of 8 or 9 behind the scenes, triggering the quarantine action.
It’s also worth noting that Defender’s anti-phish protections are layered and sometimes ambiguous. The Anti-Phishing policies generally focus on impersonation and domain spoofing, but if the Anti-Spam Inbound policy detects strong phishing indicators, especially based on heuristics, header anomalies, or content patterns, it can override and trigger quarantine with a “High Confidence Phish” flag, even if impersonation policies didn’t directly contribute.
Given the sender is a long-term business partner but exhibits unreliable sending patterns, it’s possible their infrastructure or sending behavior triggered heuristics, especially with attachments like PDFs involved.
Suggested Approach:
Before bypassing both anti-phish and anti-spam protections globally, I’d recommend:
- Reviewing message headers (especially SCL and any X-MS-Exchange-Organization-* indicators).
- If truly confident it’s a false positive, use Allowed Senders/Domains within the specific Inbound Anti-Spam policy rather than relying solely on the Tenant Allow/Block List or global exclusions.
- Avoiding broad bypasses for both spam and phish unless absolutely necessary.
Unfortunately, yes, the evidence tab you were looking for (detection reasons, AI triggers, etc.) isn’t exposed as granularly as we’d like for all cases post-release. Raising a support ticket may be the only way to extract deeper detection logs if still needed.
Best Regards,
Ali Koc
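A way to do the header review suggested above, as an added example that is not from the poster or from Microsoft: it parses the X-Forefront-Antispam-Report, X-Microsoft-Antispam and X-MS-Exchange-Organization-SCL stamps from a constructed message and reports which filtering layer produced the verdict. The CAT: and SFV: codes follow Microsoft's published header documentation; the mapping of those codes to a policy layer mirrors the reasoning in the reply and is this example's own.

```python
import email
from email import policy

# Constructed sample (not a real message); all header values are illustrative.
SAMPLE_RAW = """\
From: partner@example-partner.test
Subject: Invoice attached
X-MS-Exchange-Organization-SCL: 9
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;H:mail.example-partner.test;PTR:mail.example-partner.test;CAT:HPHSH;SFTY:9.19;DIR:INB;

Please see the attached PDF.
"""

# CAT: codes stamped by Exchange Online Protection / Defender for Office 365
CAT_NAMES = {"HPHSH": "High confidence phish", "HPHISH": "High confidence phish",
             "PHSH": "Phish", "SPM": "Spam", "HSPM": "High confidence spam",
             "BULK": "Bulk", "SPOOF": "Spoof", "DIMP": "Domain impersonation",
             "UIMP": "User impersonation", "MALW": "Malware"}

def parse_report(value):
    # 'KEY:val;KEY:val;' -> dict; empty values such as 'SRV:' are kept
    fields = {}
    for part in value.split(";"):
        if ":" in part:
            k, v = part.strip().split(":", 1)
            fields[k] = v
    return fields

def triage(raw):
    # Work out the verdict and which filtering layer produced it
    msg = email.message_from_string(raw, policy=policy.default)
    report = parse_report(msg.get("X-Forefront-Antispam-Report", ""))
    antispam = parse_report(msg.get("X-Microsoft-Antispam", ""))
    scl = int(msg.get("X-MS-Exchange-Organization-SCL", report.get("SCL", -1)))
    bcl = int(antispam.get("BCL", -1))
    cat, sfv = report.get("CAT", ""), report.get("SFV", "")
    if sfv in ("SKA", "SFE"):       # allowed sender/domain or Safe Senders entry
        layer = "filtering skipped by an allow entry"
    elif cat == "BULK":             # the only verdict the BCL threshold drives
        layer = "bulk complaint level (BCL) threshold"
    elif cat:                       # phish/spam/impersonation verdicts
        layer = "anti-spam inbound policy verdict"
    elif scl >= 5:
        layer = "spam confidence level (SCL) threshold"
    else:
        layer = "no filtering verdict"
    return {"scl": scl, "bcl": bcl, "cat": cat, "sfv": sfv, "layer": layer,
            "verdict": CAT_NAMES.get(cat, cat or "none"),
            "bcl_was_trigger": cat == "BULK"}
```

Run `triage()` over the raw source of the quarantined message (downloaded from the quarantine page) to confirm whether the verdict came from a CAT: phish code rather than from BCL, and whether an SFV:SKA stamp shows an allow entry taking effect after you add one.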
Based on what you shared, the quarantine likely came from the Anti-Spam policy due to phishing detection (SCL rating or anti-phish signals within that policy), even though it’s not the Anti-Phish policy itself. Since the sender isn’t consistent over 45 days, Defender might treat them as suspicious despite the history.
To allow this sender long-term, adding them to the Inbound Anti-Spam policy’s allow list is a good move. That way, you avoid bypassing phishing filters unless truly necessary.