Forum Discussion
Eric_H
Mar 16, 2023 | Iron Contributor
Defender Email threat detection and SCL different per recipient
We have been seeing phishing emails reach user inboxes when they shouldn't. A phishing email will be sent to several users, and Defender will quarantine it for some users, and deliver it to others. ...
Eric_H
Apr 04, 2023 | Iron Contributor
Thank you for your reply. I have verified the example email is processed by the same anti-spam/anti-phish policy for each user, and there are no Outlook junk email overrides being applied. I also confirmed that different behavior is taken for the same network message ID (delivered to multiple recipients). Based on all of this data, this seems to be specifically to do with SCL header values being processed differently per user, and then Defender taking different threat actions based on the SCL. One person direct messaged me and had the exact same issue, and the exact same experience with Microsoft Support. If anyone else has this issue please post to help get this addressed.
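The evidence Eric_H describes (one network message ID, one policy, different SCL per recipient) is easiest to show by lining up the anti-spam headers stamped on each recipient's copy. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes each copy has been exported as a raw message (.eml, loaded with `Get-Content -Raw`), and the two sample copies embedded in it are constructed, not captured traffic. The domains and addresses are placeholders.

```powershell
# Added example (not from the thread): compare the anti-spam verdict stamped on
# each recipient's copy of one message. Assumes each copy was exported as a raw
# .eml (e.g. from Outlook or from the quarantine) and loaded with Get-Content -Raw.

function ConvertFrom-MessageHeaders {
    # Parse an RFC 5322 header block into a case-insensitive hashtable,
    # unfolding continuation lines. Only the first occurrence of a repeated
    # header (e.g. Received) is kept.
    param([Parameter(Mandatory)][string]$RawMessage)
    $headers = @{}
    $current = $null
    foreach ($line in ($RawMessage -split "`r?`n")) {
        if ($line -eq '') { break }                    # blank line ends the headers
        if ($line -match '^\s') {
            if ($current) { $headers[$current] += ' ' + $line.Trim() }
            continue
        }
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            $name = $Matches[1]
            if ($headers.ContainsKey($name)) { $current = $null }   # skip repeats
            else { $headers[$name] = $Matches[2]; $current = $name }
        }
    }
    return $headers
}

function Get-AntispamVerdict {
    # Pull the per-copy verdict fields Exchange Online stamps on delivery:
    # X-MS-Exchange-Organization-SCL and the X-Forefront-Antispam-Report
    # key:value list (SCL, SFV = spam filter verdict, CAT = category).
    param([Parameter(Mandatory)][string]$RawMessage)
    $h = ConvertFrom-MessageHeaders -RawMessage $RawMessage
    $report = @{}
    foreach ($pair in ([string]$h['X-Forefront-Antispam-Report'] -split ';')) {
        if ($pair -match '^\s*([A-Za-z]+):(.*)$') { $report[$Matches[1]] = $Matches[2].Trim() }
    }
    [pscustomobject]@{
        MessageId = $h['Message-ID']
        OrgScl    = $h['X-MS-Exchange-Organization-SCL']
        ReportScl = $report['SCL']
        Sfv       = $report['SFV']
        Cat       = $report['CAT']
    }
}

function Compare-RecipientVerdicts {
    # $CopiesByRecipient: @{ 'user@domain' = <raw message text>; ... }
    # Returns the shared Message-ID, whether every copy got the same verdict,
    # and one row per recipient for inspection.
    param([Parameter(Mandatory)][hashtable]$CopiesByRecipient)
    $rows = foreach ($rcpt in $CopiesByRecipient.Keys) {
        Get-AntispamVerdict -RawMessage $CopiesByRecipient[$rcpt] |
            Add-Member -NotePropertyName Recipient -NotePropertyValue $rcpt -PassThru
    }
    $ids = @($rows.MessageId | Sort-Object -Unique)
    if ($ids.Count -ne 1) { throw "Copies do not share one Message-ID: $($ids -join ', ')" }
    $verdicts = @($rows | ForEach-Object { "$($_.OrgScl)/$($_.Sfv)/$($_.Cat)" } | Sort-Object -Unique)
    [pscustomobject]@{
        MessageId  = $ids[0]
        Consistent = ($verdicts.Count -eq 1)
        Verdicts   = $rows
    }
}

# Constructed sample copies (not real traffic): same Message-ID, different verdicts.
$aliceCopy = @'
Received: from mail.partner.example (203.0.113.10) by EXAMPLE.prod.outlook.com
Message-ID: <constructed-001@partner.example>
X-MS-Exchange-Organization-SCL: 1
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;
 SFV:NSPM;H:mail.partner.example;PTR:mail.partner.example;CAT:NONE;DIR:INB;
Subject: Invoice attached

(body)
'@

$bobCopy = @'
Received: from mail.partner.example (203.0.113.10) by EXAMPLE.prod.outlook.com
Message-ID: <constructed-001@partner.example>
X-MS-Exchange-Organization-SCL: 5
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;
 SFV:SPM;H:mail.partner.example;PTR:mail.partner.example;CAT:PHSH;DIR:INB;
Subject: Invoice attached

(body)
'@

$result = Compare-RecipientVerdicts -CopiesByRecipient @{
    'alice@contoso.example' = $aliceCopy
    'bob@contoso.example'   = $bobCopy
}
$result.Verdicts | Format-Table Recipient, OrgScl, ReportScl, Sfv, Cat -AutoSize
"Consistent verdicts: $($result.Consistent)"
```

For the constructed pair above the two rows share one Message-ID but differ in SCL, SFV and CAT, so `Consistent` comes back `$false`; that per-recipient table, together with the matching `Get-MessageTrace` / `Get-MessageTraceDetail` output for the same message ID, is what a support case needs in order to reproduce the behaviour. If `X-Forefront-Antispam-Report` is missing from one copy, that copy was not filtered by Exchange Online Protection at all (for example it arrived via a connector that bypasses filtering), which is a different problem from an inconsistent verdict.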
ExMSW4319
Apr 06, 2023 | Steel Contributor
If these are SCL5 verdicts arising from the Advanced Spam Filter then you want to raise a ticket with product support and be prepared to re-test example cases for them. You are correct not to modify your threshold values, though you might mitigate with a mail flow rule for specific friendly sender domains important to your organisation. As always, consider the risk factor and any other rule predicates you can use to reduce the risk of such an exemption.
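ExMSW4319's suggested mitigation, a mail flow rule scoped to a friendly sender domain and narrowed with further predicates, looks like the following in Exchange Online PowerShell. This is an added example, not code from the thread or from Microsoft; the domain `partner.example`, the sender IP range `203.0.113.0/24` and the rule name are hypothetical, and it assumes an `ExchangeOnlineManagement` session opened with `Connect-ExchangeOnline`.

```powershell
# Added example (not from the thread): a narrow mail flow rule that bypasses spam
# filtering (SCL -1) for one friendly sender domain, but only when the message
# comes from that partner's known sending IPs, Exchange Online's
# Authentication-Results stamp shows dmarc=pass for that domain, and the message
# carries no executable attachment. 'partner.example', '203.0.113.0/24' and the
# rule name are hypothetical. Requires Connect-ExchangeOnline first.

$friendlyDomain = 'partner.example'
$partnerIpRange = '203.0.113.0/24'       # hypothetical: the partner's published outbound range
$ruleName       = "Bypass spam filter - $friendlyDomain (authenticated only)"

$rule = @{
    Name                                   = $ruleName
    # Conditions (all must match)
    SenderDomainIs                         = $friendlyDomain
    SenderIpRanges                         = $partnerIpRange
    # The Authentication-Results header must show dmarc=pass for this exact
    # domain, so a spoof of the domain from elsewhere is not exempted.
    HeaderMatchesMessageHeader             = 'Authentication-Results'
    HeaderMatchesPatterns                  = "dmarc=pass.*header\.from=$([regex]::Escape($friendlyDomain))"
    # Exception: never exempt messages carrying executable content.
    ExceptIfAttachmentHasExecutableContent = $true
    # Action: SCL -1 = bypass spam filtering for matching messages.
    SetSCL                                 = -1
    Priority                               = 0
    Mode                                   = 'Audit'   # observe matches first, then enforce
    Comments                               = 'Mitigation for inconsistent SCL verdicts; review before relying on it long term'
}
New-TransportRule @rule

# Review what was created before enforcing it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, SenderDomainIs, SenderIpRanges,
                HeaderMatchesMessageHeader, HeaderMatchesPatterns,
                ExceptIfAttachmentHasExecutableContent, SetSCL

# Once audit shows only the intended traffic matching:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

Two caveats on the design. The header predicate alone is weak, because any sender can include an `Authentication-Results` header of its own in the message it submits; pairing it with `SenderIpRanges` ties the exemption to infrastructure the partner actually controls. And an SCL of -1 bypasses the spam filter only: malware filtering still applies, and Microsoft's "secure by default" behaviour still quarantines high-confidence phishing regardless of the rule, which is the intended outcome for a mitigation like this.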