Aug 28 2020 01:20 AM
I have a very strange problem with a single e-mail address from one of our customers - email to or from this address, and only this address, is being marked as spam by Exchange - all other users on the server work normally, and the mail's flagged even when it's a plain text mail with no attachments.
The relevant X-Headers are:
X-AntiMalwareExchange-RefID: str=0001.0A782F1F.5F478388.0018,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=0
X-MS-Exchange-Organization-SCL: 9
Other checks pass as shown by:
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;
X-HE-SPF: PASSED
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.1
X-HE-Spam-Report: Content analysis details: (0.1 points)
Does anyone have any clues before I lodge a support ticket?
Aug 28 2020 01:39 AM
@Will_Wilkinson Hi, it could be any underlying activity/analysis causing the SCL 9 value. You should submit a false positive.
Manually
Admin submission
Aug 28 2020 04:16 AM
@Will_Wilkinson - you don't have a transport rule forcing that SCL 9?
If on-prem had the same bad habits as ATP, I'd be looking for a matching recipient name causing a false positive phishing detection.
Aug 28 2020 05:07 AM
@ExMSW4319 No transport rules that could force this - it's happening on not only the customer's system but on all Exchange servers that this single e-mail address communicates with - have submitted samples to Microsoft, and, as a workaround, set up another address for the user - this works normally, from the same server & client, just from a different mail address. Original was of the form initial.surname@company.de, new is firstname.lastname@company.de - weird thing is that all other users don't have any problems, and this single one does, even on a new build.