Forum Discussion
Standard Security Policy flagging too many emails as "Potential Phishing"
OneTechBeyond, thanks for that note, but admittedly I am a little confused.
When you say "No EOP/MDO. it's 100% native Microsoft's internal services.", do you mean you are using EOP (Exchange Online Protection) & MDO (Microsoft Defender for Office 365) exclusively, or you're not using them at all?
It sounds like you're only using EOP & MDO, in which case, follow Ben's recommendations - keep sharing the false positives with us (via admin submissions) and check out the https://aka.ms/emailtech article to get additional insight as to why we marked items as we did (perhaps something is marked due to a user's Blocked sender list, or the sender's service failed DMARC alignment).
If worse comes to worst, while you cannot adjust the sensitivity of the preset policies, you can create your own policies and adjust as necessary. The Microsoft recommendations for EOP and Defender for Office 365 security settings article gives the settings in each policy which align to the default settings (which are pretty low, all things considered), the Standard preset policy, and the Strict preset policy. I'd recommend starting with mirroring the Standard preset policy settings and making adjustments as necessary (based on what you find from the emailtech article), but remember Ben's note that the preset policies are updated automatically to keep up with any changes in recommendations/best practices, but custom policies are not. You would need to review your custom policies occasionally to see how they compare to our recommendations using Configuration Analyzer.
- ExMSW4319, Aug 28, 2023, Iron Contributor:
So these notices from relatively established service providers are ending up categorised as phish, hmm? That is not where I would expect a false positive problem to appear, unless the provider has generally acknowledged problems.
Are the notices sent using your domain, the providers' domains or a third-party domain? If they are breaking the SPF or DMARC policies published for their envelopes then you would see a lot of phishing detection.
Look for the Authentication-Results header in example cases for each domain. If these show problems then you have to sort out your published policies or kick the provider or third party accordingly.
Look further down the headers for the Forefront lines. Are they showing a high SCL or BCL? If so, possibly your provider is being irresponsible either with notices (and is being reported for spam) or has rubbish shared hosting, in which case anything could happen.
Remember that if legitimate spoofing is at the heart of your problem, you can add the domains in question to the relevant part of your anti-phishing policy. It is better and safer to sort out delivery problems properly, but this can be the only solution for some components such as the Mailbox Intelligence Agent.
Could you change phishing sensitivity? Yes, but I would not recommend it. If you really have to go that way, could all of these lost notices instead be sent to a small subset of addresses, or a discreet shared mailbox? If so, you can add a higher-priority anti-phishing policy that just applies to that subset, then drop the sensitivity on that.
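The header triage described in the reply above (check Authentication-Results first, then the Forefront SCL/BCL lines) can be scripted so the same questions are asked of every false positive. The following is an added example, not code from any participant in this thread or from Microsoft. The two messages are constructed samples with illustrative domains and IPs; the SCL and BCL thresholds (SCL 5 as the spam boundary, BCL 7 as the default anti-spam policy's bulk threshold) and the simplified two-label "organizational domain" alignment check are assumptions made for the example, not a reproduction of how EOP computes its verdicts.

```python
"""Triage an EOP/Defender for Office 365 phishing verdict from raw message headers.

Separates the two causes the reply above distinguishes: a sender authentication
problem (SPF/DKIM/DMARC/composite authentication) versus a reputation or content
problem (high SCL or BCL in the Forefront report).
"""
import email
import re

# Constructed sample 1: provider notice whose envelope domain is not aligned with
# the From domain, so DMARC and composite authentication fail. Illustrative values.
SAMPLE_AUTH_FAIL = """\
From: "Billing Notices" <notices@provider.example>
To: finance@contoso.example
Subject: Your invoice is ready
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=bulk-sender.example; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=provider.example;compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;PTR:mx1.bulk-sender.example;CAT:PHSH;SFTY:9.19;DIR:INB
X-MS-Exchange-Organization-SCL: 5
X-Microsoft-Antispam: BCL:0;

Your invoice is attached.
"""

# Constructed sample 2: authentication passes, but the shared sending host has a
# poor reputation and the message is scored as bulk. Illustrative values.
SAMPLE_REPUTATION = """\
From: "Status Updates" <status@provider.example>
To: ops@contoso.example
Subject: Maintenance window
Authentication-Results: spf=pass (sender IP is 198.51.100.7)
 smtp.mailfrom=provider.example; dkim=pass (signature was verified)
 header.d=provider.example;dmarc=pass action=none header.from=provider.example;
 compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:US;LANG:en;SCL:6;SRV:;IPV:NLI;SFV:SPM;PTR:shared-host-07.example;CAT:SPM;DIR:INB
X-MS-Exchange-Organization-SCL: 6
X-Microsoft-Antispam: BCL:7;

Maintenance starts at 02:00 UTC.
"""

SPAM_SCL = 5        # assumption: SCL 5 and above is treated as a spam/phish verdict
BULK_THRESHOLD = 7  # assumption: default anti-spam policy bulk threshold (Standard 6, Strict 5)

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
AUTH_FIELD_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from|reason)=([^\s;]+)")


def parse_auth_results(value):
    """Pull method=result pairs and the domains they were evaluated against."""
    results = {m.group(1): m.group(2).lower() for m in AUTH_RESULT_RE.finditer(value)}
    results.update({m.group(1): m.group(2).lower() for m in AUTH_FIELD_RE.finditer(value)})
    return results


def parse_forefront_report(value):
    """Split the 'KEY:VALUE;KEY:VALUE' Forefront report into a dict (empty values kept)."""
    report = {}
    for part in value.split(";"):
        if ":" in part:
            key, _, val = part.partition(":")
            report[key.strip()] = val.strip()
    return report


def parse_bcl(value):
    """Extract the numeric bulk complaint level from X-Microsoft-Antispam, if present."""
    m = re.search(r"BCL:(\d+)", value or "")
    return int(m.group(1)) if m else None


def same_org_domain(a, b):
    """Simplified relaxed alignment: compare the last two labels (no public suffix list)."""
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def triage(raw_message):
    """Return the likely cause of the verdict plus the evidence behind it."""
    msg = email.message_from_string(raw_message)
    unfold = lambda name: " ".join((msg.get(name) or "").split())  # join folded header lines
    auth = parse_auth_results(unfold("Authentication-Results"))
    report = parse_forefront_report(unfold("X-Forefront-Antispam-Report"))
    scl = int(report.get("SCL") or unfold("X-MS-Exchange-Organization-SCL") or -1)
    bcl = parse_bcl(unfold("X-Microsoft-Antispam"))
    findings = []
    failing = [k for k in ("spf", "dkim", "dmarc", "compauth") if auth.get(k) == "fail"]
    if failing:
        # Fix the published SPF/DKIM/DMARC records or the provider's sending domain.
        findings.append("authentication failed: " + ", ".join(failing)
                        + (f" (compauth reason={auth['reason']})" if "reason" in auth else ""))
        envelope, header_from = auth.get("smtp.mailfrom", ""), auth.get("header.from", "")
        if envelope and header_from and not same_org_domain(envelope, header_from):
            findings.append(f"envelope domain {envelope} not aligned with From domain {header_from}")
        verdict = "authentication"
    elif scl >= SPAM_SCL or (bcl is not None and bcl >= BULK_THRESHOLD):
        # Sending IP or content reputation: take it up with the provider, not your DNS.
        findings.append(f"reputation/content verdict: SCL={scl}, BCL={bcl}, CAT={report.get('CAT')}")
        verdict = "reputation"
    else:
        findings.append(f"no auth failure and low scores; review CAT={report.get('CAT')} and policy overrides")
        verdict = "other"
    return {"verdict": verdict, "auth": auth, "scl": scl, "bcl": bcl,
            "category": report.get("CAT"), "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_AUTH_FAIL, SAMPLE_REPUTATION):
        result = triage(sample)
        print(result["verdict"], result["category"], *result["findings"], sep="\n  ")
```

Paste the full header block of a quarantined or junked message into one of the sample strings to run it against a real case; an "authentication" verdict means the provider's envelope or signing domain needs fixing before any policy change is worth considering, while "reputation" points at the sending host rather than your configuration.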