SOLVED

Exchange Online AntiPhish


Hi all,

Does anybody have a good explanation why some seemingly random messages from legit senders get marked as phishing? These messages get sent to the junk folder, as defined by the phishing policy, and MS adds an informational message "'sample@address.com' appears to be similar to someone who previously sent you email, but may not be that person". I checked header info on several messages from the same sender, and the SMTP hops on the sender side seem to be the same, but some random messages get marked as "phishing" and others don't.

One such example is notification email messages from Teams ("NOREPLY@EMAIL.TEAMS.MICROSOFT.COM appears to be similar to someone who previously send you email").

BR, Ruslan

1 Reply
Best Response confirmed by RNalivaika (Contributor)
Solution

Posting some comments regarding this question, in case somebody else bumps into this.

Examining some sample message headers shows that they were marked as spoofing by Mailbox Intelligence in the AntiPhish policy.

After disabling Mailbox Intelligence, the number of legit messages marked as spoofing was dramatically reduced, but some new messages still get marked as spoof (CAT:GIMP), although Mailbox Intelligence was disabled several days ago. Have yet to find an answer to that.

BR, Ruslan
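
For anyone triaging the same symptom across many messages, this added example (not part of the original thread) parses the `X-Forefront-Antispam-Report` header, where the `CAT:` value mentioned above appears, and tallies the categories. The sample messages are constructed, the function names are illustrative, and the `CAT` descriptions are a subset taken from Microsoft's anti-spam message header documentation.

```python
from collections import Counter
from email import message_from_string
from email.policy import default

# Subset of CAT values as listed in Microsoft's anti-spam message header docs.
CAT_MEANING = {
    "GIMP": "mailbox intelligence impersonation",
    "UIMP": "user impersonation",
    "DIMP": "domain impersonation",
    "SPOOF": "spoofing",
    "PHSH": "phishing",
    "NONE": "no category assigned",
}

def parse_report(raw_message):
    """Return the X-Forefront-Antispam-Report fields as a dict ({} if absent)."""
    msg = message_from_string(raw_message, policy=default)
    header = str(msg.get("X-Forefront-Antispam-Report", ""))
    fields = {}
    for part in header.split(";"):
        key, sep, value = part.strip().partition(":")
        if sep and key:
            fields[key.upper()] = value.strip()
    return fields

def describe(raw_message):
    """One-line verdict summary for a single message."""
    f = parse_report(raw_message)
    cat = f.get("CAT", "missing")
    meaning = CAT_MEANING.get(cat, "not in this table")
    return f"CAT:{cat} ({meaning}) SFV:{f.get('SFV', '?')} SCL:{f.get('SCL', '?')}"

def count_categories(raw_messages):
    """Tally CAT values so recurring verdicts stand out across many messages."""
    return Counter(parse_report(m).get("CAT", "missing") for m in raw_messages)

def _sample(report):  # constructed test message, not real mail
    return ("From: sender@example.com\nSubject: constructed sample\n"
            f"X-Forefront-Antispam-Report: {report}\n\nbody\n")

SAMPLES = [
    _sample("CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;\n SFV:SPM;CAT:GIMP;"),
    _sample("CIP:203.0.113.10;CTRY:US;LANG:en;SCL:1;SFV:NSPM;CAT:NONE;"),
    _sample("CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SFV:SPM;CAT:GIMP;"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(describe(raw))
    print(count_categories(SAMPLES))
```

Feed it the raw source of messages saved from the junk folder; comparing the tallies before and after a policy change shows which protection is still producing the verdict.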