Forum Discussion

MSEKIRO's avatar
MSEKIRO
Copper Contributor
Jun 19, 2024

internal user email quarantined and reason "high confidence phish"

Have you ever seen email quarantined when both sender and recipient are internal organization user and the quarantine reason is high confidence phish by the default built-in anti spam policy?

 

really confused why it happened and how to avoid such false positive..

detection
investigation
microsoft 365 defender
  • cammurray's avatar
    cammurray
    Icon for Microsoft rankMicrosoft
    Jul 24, 2024

    MSEKIRO if you look at the detection technology - you should then be able to tell why the message was caught as phish, see below, the email is Phish / Normal, and the detection technology is SPOOF - so this message was caught as Phish because it failed Spoof checks.

     

  • darrenferguson's avatar
    darrenferguson
    Copper Contributor
    Jul 09, 2024

    MSEKIRO I've seen this a few times lately.  I've been marking them as false-positives and this seems to be working-- at least for the ones I've reported.

     

    Darren

    • MarPas's avatar
      MarPas
      Brass Contributor
      Jul 18, 2024
      YES, you could mark as false positives and I suggest checking the signature or anything else that may contain a link even an image.

Resources