Forum Discussion

underQualifried
Brass Contributor
Jun 27, 2025
Solved

Help me understand why this email was quarantined?

I'm pretty familiar with Defender's Threat Policies. I've probably set them up on 40 tenants. I know the Hosted Content Filter Policy is backend for Anti Spam Inbound policy. I know that, confusingly...
    Alikoc
    Jul 05, 2025

    Thank you for the detailed breakdown. Based on what you shared and the quarantine report screenshot, the key trigger here seems to be the High Confidence Phish classification applied by the Hosted Content Filter Policy, which, as you know, is part of the Anti-Spam Inbound layer.

    Even though the BCL tolerance is set to 7 and historical data shows no BCL-based filtering, BCL wouldn’t play a role in “phish” detections; those are typically driven by SCL or additional anti-phish logic within the Anti-Spam Inbound policy. It appears the message likely hit an SCL of 8 or 9 behind the scenes, triggering the quarantine action.

    It’s also worth noting that Defender’s anti-phish protections are layered and sometimes ambiguous. The Anti-Phishing policies generally focus on impersonation and domain spoofing, but if the Anti-Spam Inbound policy detects strong phishing indicators, especially based on heuristics, header anomalies, or content patterns, it can override and trigger quarantine with a “High Confidence Phish” flag, even if impersonation policies didn’t directly contribute.

    Given the sender is a long-term business partner but exhibits unreliable sending patterns, it’s possible their infrastructure or sending behavior triggered heuristics, especially with attachments like PDFs involved.

    Suggested Approach:

    Before bypassing both anti-phish and anti-spam protections globally, I’d recommend:
    • Reviewing message headers (especially SCL and any X-MS-Exchange-Organization-* indicators).
    • If truly confident it’s a false positive, use Allowed Senders/Domain within the specific Inbound Anti-Spam policy rather than relying solely on the Tenant Allow/Block list or global exclusions.
    • Avoid broad bypasses for both spam and phish unless absolutely necessary.


    Unfortunately, yes, the evidence tab you were looking for (detection reasons, AI triggers, etc.) isn’t exposed as granularly as we’d like for all cases post-release. Raising a support ticket may be the only way to extract deeper detection logs if still needed.

    Best Regards,

    Ali Koc
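The header review suggested in the reply above, as an added example that is not part of the original thread: it parses the SCL, BCL and CAT verdict fields that Exchange Online Protection stamps on inbound mail and reports which filtering layer plausibly produced the quarantine. The headers are a constructed sample mirroring the scenario (SCL 9, CAT:HPHSH, BCL 0), not the poster's actual message; the BCL threshold of 7 comes from the thread.

```python
from email import policy
from email.parser import Parser

# Constructed sample headers for illustration; addresses use documentation ranges/domains.
SAMPLE_HEADERS = """\
From: billing@partner.example.net
To: ap@contoso.example.com
Subject: June invoice (PDF attached)
X-MS-Exchange-Organization-SCL: 9
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;H:mail.partner.example.net;PTR:mail.partner.example.net;CAT:HPHSH;SFS:(13230040);DIR:INB;
X-Microsoft-Antispam: BCL:0;ARA:13230040;
Authentication-Results: spf=fail smtp.mailfrom=partner.example.net; dkim=none; dmarc=fail action=none header.from=partner.example.net

(body omitted)
"""

# CAT values as documented by Microsoft for the X-Forefront-Antispam-Report header.
CAT_MEANING = {
    "HPHSH": "high confidence phish", "PHSH": "phish",
    "HSPM": "high confidence spam", "SPM": "spam", "BULK": "bulk", "NONE": "no verdict",
}

def parse_report(value):
    """Turn 'KEY:val;KEY:val;' into a dict; keys with empty values are kept."""
    out = {}
    for part in value.split(";"):
        if ":" in part:
            k, v = part.split(":", 1)
            out[k.strip()] = v.strip()
    return out

def triage(raw, bcl_threshold=7):
    """Return the filter verdicts and which layer plausibly caused the quarantine."""
    msg = Parser(policy=policy.default).parsestr(raw)
    report = parse_report(str(msg.get("X-Forefront-Antispam-Report", "")))
    antispam = parse_report(str(msg.get("X-Microsoft-Antispam", "")))
    scl = int(str(msg.get("X-MS-Exchange-Organization-SCL", report.get("SCL", "-1"))))
    bcl = int(antispam.get("BCL", "-1"))
    cat = report.get("CAT", "NONE")
    auth = str(msg.get("Authentication-Results", ""))
    if cat in ("HPHSH", "PHSH"):
        layer = "phish"   # anti-spam inbound phish verdict; the BCL threshold does not apply
    elif cat == "BULK" and bcl >= bcl_threshold:
        layer = "bulk"    # bulk complaint level at or above the policy threshold
    elif scl >= 5:
        layer = "spam"    # SCL-driven spam verdict
    else:
        layer = "other"   # no filtering verdict in the headers; look at other policies
    return {"scl": scl, "bcl": bcl, "cat": cat, "category": CAT_MEANING.get(cat, cat),
            "layer": layer, "spf_fail": "spf=fail" in auth, "dmarc_fail": "dmarc=fail" in auth}

if __name__ == "__main__":
    for key, val in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

Paste the real message's headers (from the quarantine portal's header view) in place of the sample to see whether the verdict was a phish CAT, a bulk BCL, or a plain SCL score before deciding which allow entry, if any, is appropriate.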
