SOLVED

Exchange Online AntiPhish

Contributor

Hi all,

Does anybody have a good explanation why some seemingly random messages from legit senders get marked as phishing? These messages get sent to the junk folder, as defined by the phishing policy, and MS adds an informational message "'sample@address.com' appears to be similar to someone who previously sent you email, but may not be that person". I check header info on several messages from the same sender, SMTP hops on the sender side seem to be the same, but some random messages get marked as "phishing" and others don't.

One such example is notification email messages from Teams ("NOREPLY@EMAIL.TEAMS.MICROSOFT.COM appears to be similar to someone who previously sent you email").

BR, Ruslan

2 Replies
best response confirmed by RNalivaika (Contributor)
Solution

Posting some comments regarding this question, in case somebody else bumps into that.

Examining some sample message headers shows that they were marked as spoofing by Mailbox Intelligence in AntiPhish policy.

After disabling Mailbox Intelligence, the amount of legit messages marked as spoofing was dramatically reduced, but still some new messages get marked as spoof (CAT:GIMP), although Mailbox Intelligence was disabled several days ago. Have yet to find an answer to that. BR, Ruslan
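As an added example (not code from this thread), a small Python triage helper that does the header examination described above: it unfolds the X-Forefront-Antispam-Report header, splits its fields and reports whether the verdict was the Mailbox Intelligence impersonation category (CAT:GIMP). The sample headers are constructed, and the category names other than GIMP are Exchange Online Protection's documented CAT values as I know them, not something taken from this thread.

```python
import re
from typing import Dict, Optional

# CAT (category) values stamped by Exchange Online Protection that matter
# for this thread; GIMP is the verdict the original poster found.
CAT_MEANING = {
    "SPM": "spam",
    "PHSH": "phishing",
    "SPOOF": "spoof (sender authentication failed)",
    "DIMP": "domain impersonation (protected domains in anti-phish policy)",
    "UIMP": "user impersonation (protected users in anti-phish policy)",
    "GIMP": "impersonation detected by Mailbox Intelligence",
}


def get_header(raw_headers: str, name: str) -> Optional[str]:
    """Return the first header called `name`, with RFC 5322 folding undone."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    for line in unfolded.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_antispam_report(value: str) -> Dict[str, str]:
    """Split 'CIP:203.0.113.10;SCL:5;CAT:GIMP;...' into a dict.
    Only the first ':' separates key from value, so IPv6 CIP values survive."""
    fields: Dict[str, str] = {}
    for item in value.split(";"):
        key, sep, val = item.strip().partition(":")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields


def explain_verdict(fields: Dict[str, str]) -> Dict[str, object]:
    """Summarise why EOP filtered the message and whether Mailbox
    Intelligence (CAT:GIMP) was the reason."""
    cat = fields.get("CAT", "NONE")
    return {
        "category": cat,
        "meaning": CAT_MEANING.get(cat, "other/unknown category"),
        "scl": fields.get("SCL"),
        "spam_filter_verdict": fields.get("SFV"),
        "mailbox_intelligence": cat == "GIMP",
    }


# Constructed sample headers (not a real capture); the report header is
# folded across lines the way real Exchange Online headers usually are.
SAMPLE_HEADERS = (
    "From: Microsoft Teams <noreply@email.teams.microsoft.com>\r\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;\r\n"
    " SRV:;IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;\r\n"
    " CAT:GIMP;SFS:(1234)(5678);DIR:INB;\r\n"
    "Subject: You have new activity in Teams\r\n"
)
```

Run `explain_verdict(parse_antispam_report(get_header(raw, "X-Forefront-Antispam-Report")))` over the raw headers of a junked message; a `mailbox_intelligence` of True points at the Mailbox Intelligence setting in the anti-phish policy rather than at the spam filter.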

Jennifer Shi from Microsoft posted this the other day. The last paragraph I found useful.

Greetings. Based on my tests and knowledge, when you enable the impersonation safety tip in the anti-phishing policy and a message fails impersonation checks, a safety tip will notify recipients the first time they get a message from the sender, or if they don't often get messages from the sender, which is used to warn the recipient about potentially harmful messages.

Moreover, user impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt. 

But the impersonation check is done at the email filter level and is not rendered at the mail client level. Therefore, no matter whether the recipients add the sender as a contact or add the sender to the safe sender list, when a message fails impersonation checks, the recipient will always see a safety tip on the message.

Given this result, when a sender is legitimate, to prevent the recipient from continuing to receive safety tips, it is recommended that you modify the anti-phishing policy to add the sender as a trusted sender.

Best regards,

Jennifer