SOLVED

Did the new 'Secure by default' EOP / Defender for Office feature get out of control?


Hello - we're currently seeing an unprecedented flood of legitimate emails getting classified as SPAM and moved to quarantine. Even internal, hybrid mail flow is affected and gets SCL:5 scores across the board. Organizations who used Junk Mail policies before and are unaware of quarantine keep missing important business emails.

The new overrides described in article https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=... seem to explain that - but is this what Microsoft intended? The fallout is massive, and I find it unacceptable that carefully customized policies and exclusions are just overridden, with no opt-out possibility. Thanks for reconsidering this overly drastic measure.

best response confirmed by Markus_Strickler (Copper Contributor)
Solution

Hi @Markus_Strickler,

Regarding the internal hybrid mailflow marked as SCL:5, this is because: Microsoft 365 Roadmap | Microsoft 365

You can check details from Message Center: MC522476

"Description
We will be updating the way intra-organizational SCL ratings are assigned for intra-organizational messages. This message is associated with Microsoft 365 Roadmap ID 117487.

[When this will happen:] Changes to logging intra-organizational messages will begin rolling out in early April and is expected to be complete by late June.

[How this will affect your organization:] All intra-organizational messages are currently marked with SCL -1 (bypass spam filtering). The updated method will assign an SCL rating based on the content and type of intra-organizational message. The ratings are SCL 1 for non-spam and SCL 5 through 9 for spam. This change will not change the way the messages are delivered. This document describes the updated function of the SFV:SKI field in the X-Forefront-Antispam-Report.

[What you need to do to prepare:] At this time, there are no additional actions for admins to take. Changes to intra-organizational message logging will be reflected in Threat Protection Status (TPS) and Mail Flow reports."

 

I'd suggest checking the configuration of your custom Threat Policies, and you can also create a TR to adapt the SCL level for your IntraOrg messages.

Let's see if MS comes back with more info about this situation.
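
Added example, not part of the thread or of Microsoft's documentation: a small Python triage that reads the X-Forefront-Antispam-Report header and buckets messages by the SCL ranges quoted from MC522476 above (-1 bypass, 1 non-spam, 5 through 9 spam). The sample messages and the function names are constructed for illustration; real headers carry more fields and the field combinations may differ.

```python
from email import message_from_string

# Constructed sample messages (not from the thread). Field combinations are
# illustrative only; the third header is folded across two lines on purpose.
SAMPLES = {
    "legacy-bypass": "X-Forefront-Antispam-Report: CIP:10.0.0.5;SCL:-1;SFV:SKI;\n\nbody",
    "rated-clean": "X-Forefront-Antispam-Report: CIP:10.0.0.5;SCL:1;SFV:SKI;\n\nbody",
    "rated-spam": "X-Forefront-Antispam-Report: CIP:10.0.0.5;SCL:5;\n SFV:SKI;\n\nbody",
    "no-header": "Subject: hi\n\nbody",
}

def parse_report(raw_message):
    """Return the X-Forefront-Antispam-Report fields as a dict ({} if absent)."""
    header = message_from_string(raw_message).get("X-Forefront-Antispam-Report", "")
    fields = {}
    for part in header.split(";"):
        # Split on the first colon only, so values containing colons survive.
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key.upper()] = value.strip()
    return fields

def classify_scl(fields):
    """Bucket the SCL value using the ranges named in the Message Center text."""
    try:
        scl = int(fields["SCL"])
    except (KeyError, ValueError):
        return "unknown"
    if scl == -1:
        return "bypassed"   # previous intra-org behaviour: spam filtering skipped
    if scl == 1:
        return "non-spam"
    if 5 <= scl <= 9:
        return "spam"
    return "other"

def triage(messages):
    """Map each message name to (SCL bucket, SFV value or None)."""
    result = {}
    for name, raw in messages.items():
        fields = parse_report(raw)
        result[name] = (classify_scl(fields), fields.get("SFV"))
    return result

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(name, verdict)
```

Run over headers exported from quarantined or junked internal messages, the "spam" bucket shows which ones received an SCL of 5 through 9 instead of the former -1.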

I am having this problem with 1 client since yesterday. Many valid emails going to junk even though everything passes but SCL:5, and others to quarantine. Outgoing emails are also frequently ending up in destination junk mail or quarantine.

Anyone else?

Any solutions?

I have a ticket open with Microsoft since yesterday but no updates yet today. Wondering how many other clients I am going to have this happen to in the next few days.
