Applying 2 rules on 1 single email

Hi,

I would like to create 2 rules to capture suspicious email with two different actions:
1) Edit the mail subject to redirect the email to me, so that I can get a notification.
2) Send the suspicious email to Quarantine.

I have set the first rule to a higher priority and unchecked "Stop processing more rules", assuming that it will first redirect the email to me and then move on to the second rule to quarantine the email.

However, upon testing the scenario, the email was quarantined without a copy of the email being redirected to me. Am I doing this right? Is there any way to achieve the above scenario?

Thanks.

6 Replies

Hi @cllee

Can you run through the two rules you've set up exactly?


Thanks,
Mark

@cllee

Consolidate your rules into one rule, then use the following actions in your transport rule.

Prepend the subject with 'Your Message: '
and Deliver the message to the hosted quarantine.
and Send the incident report to yourMailbox@yourdomain.com, include these message properties in the report: original mail
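
The consolidated rule from the reply above, expressed as Exchange Online PowerShell. This is an added example, not part of the original thread; the rule name and the trigger condition are placeholders, since the thread does not say what the rules match on.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an
# account allowed to manage mail flow (transport) rules.
Connect-ExchangeOnline

$ruleParams = @{
    # Placeholder name and condition: the thread does not state them.
    Name                       = 'Quarantine suspicious mail and notify admin'
    SubjectOrBodyContainsWords = @('constructed-trigger-phrase')

    # The three actions listed in the reply, all on one rule.
    PrependSubject             = 'Your Message: '
    Quarantine                 = $true
    GenerateIncidentReport     = 'yourMailbox@yourdomain.com'
    IncidentReportContent      = @('AttachOriginalMail')
}
New-TransportRule @ruleParams

# Confirm what was actually stored on the rule.
Get-TransportRule -Identity $ruleParams.Name |
    Format-List Name, State, Mode, Priority, PrependSubject,
                Quarantine, GenerateIncidentReport, IncidentReportContent
```

Leaving the `PrependSubject` entry out of the hashtable gives a rule that quarantines and sends the incident report without this rule altering the subject.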

@Michael_Larrivee

I do not want the quarantined email to be tagged with the appended subject. The reason is that if I were to release the email back to the user from quarantine, the original subject is intact.

Hence the reason I wanted to create 2 separate rules, one of which is to prepend the subject and redirect to me, so that I can get a notification if the rule is violated.


@HidMov 

I tested the following 2 rules:
Rule 1: Prepend subject, redirect/BCC email to me
Rule 2: Send the mail to Quarantine (without the prepend subject)

Currently the email hits both rules, but it doesn't send the mail to me (based on Rule 1).

The mail actually got quarantined with the prepended subject. Hence I believe it has hit both Rule 1 and Rule 2.

@cllee

I'll see if I can replicate - it feels like the anti phish policy and transport rules are competing with each other. Are there two emails in the quarantine?

@HidMov

Thanks. There is only one mail quarantined based on the transport rules I created.