I have a customer with E3 licensing that recently created an Anti-Phishing policy (now that we can do that with E3 - although very limited in scope). It appears to be doing a great job. Upon further inspection (after an email got through that maybe shouldn't have), it seems that the emails that are quarantined for Phish have a PCL of 0 and an SCL of 9. Why is this important? Because the email that got through had an SCL of -1 because the "sender" was on the recipient's safe senders list. And I say "sender" because the "from" and "envelope-from" fields in the header are different and apparently the safe senders list, as most things, works off of the "from" field. So the email bypassed spam filtering, didn't get caught for phishing, which clearly was as it was just like the other two emails that were quarantined for phishing, and was delivered.
All that to ask the question(s): Why do emails that are quarantined for Phish have a PCL of 0? It seems that a lot of these emails that are quarantined for Phish have a PCL of 0. And if an email bypasses spam filtering, why does it bypass the anti-phishing policy? It doesn't bypass the malware filtering when it bypasses spam filtering, so why does it appear that this email that was delivered bypassed the anti-phishing policy?
Are you sure they are quarantined as phish, it might be the anti-spoof policy or some other feature. Looking at the headers or a message trace should give you more info.
For the record, here are the PCL levels:
|PCL|The Phishing Confidence Level (PCL) of the message, which indicates whether it's a phishing message. This status can be returned as one of the following numerical values: • **0-3**: The message's content isn't likely to be phishing. • **4-8**: The message's content is likely to be phishing. • **-9990**: (Exchange Online Protection only) The message's content is likely to be phishing.
Well, in the quarantine in the S&C Center, I change the drop down to "Phish" so that I see emails quarantined as Phish and these emails show up there. So I'm as sure as I can be that these emails are quarantined for phishing. But the PCL is 0.
Unless, because they are E3 and only have very limited options in the anti-phishing policy (really only the anti-spoofing part of it), it is being quarantined as "phish" because the "anti-phishing policy" is really only an anti-spoofing policy.
1. The Anti-Phish policy is evaluated before the Anti-Spam policy. As such, if a message triggers a match on the Anti-Phish policy, users' whitelists and org-wide whitelists in an Anti-Spam policy won't take effect.
2. Since you have an E3 license, but not ATP (I'm assuming you don't have ATP?), the Anti-Phish policy is actually only an "Anti-Spoof" policy. What that means is that Spoof Intelligence kicks in and uses various signals in the message to determine if its allowed to spoof or not. Sender authentication failure is a big one. You can use the Get-PhishFilterPolicy command to pull the Spoof Intelligence results and then use Set-PhishFilterPolicy to adjust them for your org.
So if you see emails going to quarantine that shouldn't because of the Anti-Phish policy (*hint - check the X-Forefront-Antispam-Report header for two clues to see if the Anti-Phish policy took effect - a) SCL of 5 or 9, usually 5, and b) CAT:SPOOF at the end of the header), use the Set-PhishFilterPolicy to set the Allowed to spoof setting to "Yes".