Did the new 'Secure by default' EOP / Defender for Office feature get out of control?

New Contributor

Hello - we're currently seeing an unprecedented flood of legitimate emails getting classified as SPAM and moved to quarantine. Even internal, hybrid mail flow is affected and gets SCL:5 scores across the board. Organizations who used Junk Mail policies before and are unaware of quarantine, keep missing important business emails.

The new overrides described in article seem to explain that - but is this what Microsoft intended? The fallout is massive, and I find it unacceptable that carefully customized policies and exclusions are just overridden, with no opt-out possibility. Thanks for re-considering this overly drastic measure

4 Replies
best response confirmed by Markus_Strickler (New Contributor)

Hi @Markus_Strickler,

Regarding the internal hybrid mailflow marked as SCL:5, this is because: Microsoft 365 Roadmap | Microsoft 365

You can check details from Message Center: MC522476

We will be updating the way intra-organizational SCL ratings are assigned for intra-organizational messages. This message is associated with Microsoft 365 Roadmap ID 117487[When this will happen:] Changes to logging intra-organizational messages will begin rolling out in early April and is expected to be complete by late June. [How this will affect your organization:]All intra-organizational messages are currently marked with SCL -1 (bypass spam filtering). The updated method will assign an SCL rating based on the content and type of intra-organizational message. The ratings are SCL 1 for non-spam and SCL 5 through 9 for spam. This change will not change the way the messages are delivered. This document describes the updated function of the SFV:SKI field in the X-Forefront-Antispam-Report.[What you need to do to prepare:]At this time, there are no additional actions for admins to take. Changes to intra-organizational message logging will be reflected in Threat Protection Status (TPS) and Mail Flow reports."


I'll suggest to check the configuration of your custom Threat Policies and you can also create a TR to adapt the SCL level for your IntraOrg messages.

Let's see if MS comes back with more info about this situation.

I am having this problem with 1 client since yesterday. many valid emails going to junk even though everything passes but SCL:5 and others to quarantine. outgoing emails are also frequently ending up in destination junk mail or quarantine.


Any one else ?

Any solutions ?


I have a ticket open with Microsoft since yesterday but no updates yet today. wondering how many other clients i am going to have this happen to in next few days.