SOLVED

Threat Management - Messages submitted for review still considered Phishing after review?


Hi

I have two legitimate messages from a sender at the largest Swiss ISP bluewin.ch that are considered "High Confidence Phish" and were thus quarantined.

I reported them as wrongly quarantined but the status is "Should have been blocked. Use your organizational settings to allow similar messages in the future."

After manually checking the messages I couldn't find any reason why those messages should be considered phishing. (Looking at one message I see: SPF pass, conversation between a group of people (multiple previous messages), no links where URL and text would contradict - the only issue is some embedded pictures (cid:image...@...) not being shown because one email client in the "chain" probably wasn't Outlook-compatible.)

This creates a real problem for our organization because users have no option to realize that they have missed messages.

I want to avoid modifying filters and wonder what steps you recommend.

Thank you

3 Replies
best response confirmed by NicoRotaryCH (Occasional Contributor)
Solution
If you have already submitted them as false positives and nothing came out of this, all I can think of right now would be to open a support case with Microsoft to see if they can clarify why they consider these emails as high confidence phish. Something else might be going on of course, but based on what you've stated above I cannot think of any reason why they'd be marked as high confidence phishing emails.
It will not take effect immediately. How long have you waited after submission? If it's more than two weeks, raise a support ticket and ask for an explanation.