Forum Discussion
OneTechBeyond
Aug 25, 2023 · Iron Contributor
Standard Security Policy flagging too many emails as "Potential Phishing"
We decided to enable the Standard Security Policy for Defender on our Microsoft 365 tenant, and immediately noticed that it was quarantining way too many emails that it flagged as either Phishing or ...
OneTechBeyond
Aug 28, 2023 · Iron Contributor
Sorry, yes I meant that we’re using Defender for M365 and EOP with no external spam filtering/mx relaying services.
ExMSW4319
Aug 28, 2023 · Steel Contributor
So these notices from relatively established service providers are ending up categorised as phish, hmm? That is not where I would expect a false positive problem to appear, unless the provider has generally acknowledged problems.
Are the notices sent using your domain, the providers' domains or a third-party domain? If they are breaking the SPF or DMARC policies published for their envelopes then you would see a lot of phishing detection.
Look for the Authentication-Results header in example cases for each domain. If these show problems then you have to sort out your published policies or kick the provider or third party accordingly.
Look further down the headers for the Forefront lines. Are they showing a high SCL or BCL? If so, possibly your provider is being irresponsible either with notices (and is being reported for spam) or has rubbish shared hosting, in which case anything could happen.
Remember that if legitimate spoofing is at the heart of your problem, you can add the domains in question to the relevant part of your anti-phishing policy. It is better and safer to sort out delivery problems properly, but this can be the only solution for some components such as the Mailbox Intelligence Agent.
Could you change phishing sensitivity? Yes, but I would not recommend it. If you really have to go that way, could all of these lost notices instead be sent to a small subset of addresses, or a discreet shared mailbox? If so, you can add a higher-priority anti-phishing policy that just applies to that subset, then drop the sensitivity on that.
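A small header triage script for the checks the reply above describes, added here as an example and not part of the thread: it pulls the SPF/DKIM/DMARC/compauth results out of Authentication-Results and the SCL/BCL out of X-Forefront-Antispam-Report, then lists what to follow up on. The sample message, its domains and IP, and the SCL/BCL thresholds are constructed for illustration, not taken from a real quarantined notice.

```python
# Triage Authentication-Results and X-Forefront-Antispam-Report headers.
import re
from email import message_from_string

# Constructed sample: a provider notice sent "as" the customer's domain from the
# provider's own server, so SPF and DMARC both fail and the SCL is high.
SAMPLE_RAW = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=notify.example-provider.test; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine header.from=example-customer.test;
 compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:8;SRV:;IPV:NLI;
 SFV:SPM;H:mail.example-provider.test;PTR:mail.example-provider.test;DIR:INB;BCL:0;
From: billing@example-customer.test
"""

FAILING = {"fail", "softfail", "permerror", "temperror"}
# Thresholds chosen for this example; tune them to the policy you actually run.
SCL_SUSPECT, BCL_SUSPECT = 5, 4


def parse_auth_results(value):
    """Map spf/dkim/dmarc/compauth -> result token from an Authentication-Results value."""
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value))


def parse_forefront(value):
    """Map KEY -> VALUE from the ';'-separated X-Forefront-Antispam-Report fields."""
    items = (i.partition(":") for i in re.sub(r"\s+", "", value).split(";"))
    return {key: val for key, sep, val in items if sep}


def triage(raw_message):
    """Return the parsed auth results, SCL/BCL, and a list of findings to act on."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    report = parse_forefront(msg.get("X-Forefront-Antispam-Report", ""))
    scl, bcl = int(report.get("SCL", -1)), int(report.get("BCL", -1))
    # Explicit SPF/DKIM/DMARC failures point at the sender's published policies.
    findings = [f"{mech}={res}: fix the sender's published policy or alignment"
                for mech, res in auth.items() if mech != "compauth" and res in FAILING]
    if auth.get("compauth") == "fail":
        findings.append("compauth=fail: composite (implicit spoof) authentication failed")
    # High SCL/BCL points at sender or content reputation rather than authentication.
    for name, val, limit in (("SCL", scl, SCL_SUSPECT), ("BCL", bcl, BCL_SUSPECT)):
        if val >= limit:
            findings.append(f"{name} {val}: at or above this example's suspect threshold")
    return {"auth": auth, "scl": scl, "bcl": bcl, "findings": findings}
```

Run it over one representative message per sending domain; anything with a failing SPF/DMARC result is a policy or alignment problem on the sender's side, while a high SCL/BCL with clean authentication points at reputation.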