May 11 2023 07:23 AM
We are using Exchange 2013 as our hybrid Exchange server. Yes, I know Exchange 2013 went EOL about a month ago. Management chose to delay migration until after another project was completed. Our build version is 15.00.1497.047. On a tangent, if anyone has the specific steps to migrate to a later Exchange and deprecate the 2013 version, that'd be great.
We have about 300 complex dynamic distribution groups which cannot be easily migrated to Exchange Online. Thus, our internet email routes to Symantec for spam filtering, which relays to our on-premise hybrid Exchange 2013 server and then relays to Exchange Online.
After about 4 months in testing, we deployed Defender for Office 365 to the entire organization in mid-April 2023. Our custom phishing policy was based upon the Strict policy, and we are trying to minimize reducing our protection in the custom policy.
This post refers to the following scenario:
* Symantec says the message they accepted has these attributes:
Sending Server: 146.20.191.103 (m103.email.mailgun.net)
Sender: bounce+59e63d.1ec2ad-leasing=[domain1].email address removed for privacy reasons
Recipient: leasing@[domain1].com
* M365 Quarantine says:
Sender address [name]@gmail.com
SMTP mail from address [name1]@[domain2].com
Return path [name1]@[domain2].com
I know the difference between envelope and message body addresses. When I export the Symantec logs, there is no reference to [domain2].com. However, when it reaches Defender for M365, it's marking the message as phish because the sending server IP of 146.20.191.103 is not permitted to forge our internal domains (which includes domain2.com).
"leasing@[domain1].com" is the primary SMTP address of one of our DDGs. That DDG includes all users and groups within a specific OU. That OU contains a single normal email group, whose e-mail address correlates with the [name1]@[domain2].com syntax listed above.
Running a message log trace on the hybrid server, it adds references to [email address removed for privacy reasons]. I don't understand why it is adding/changing the "Return path" and "SMTP mail from" attributes; I feel that is the source reason for Defender falsely classifying such messages as phish. If it remained as omadimail.com or gmail.com, I bet it wouldn't get falsely flagged.
Any ideas on how to troubleshoot and resolve this issue?
Thanks!!
Jim
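The tracing Jim describes in the post above, written out as an added example (this is not code from the original post, and the addresses, time window and connector details are placeholders standing in for the redacted [domain1]/[domain2] values). It runs in the Exchange Management Shell on the on-premises hybrid Exchange 2013 server and shows where in the hop sequence the envelope sender and return path change, then checks the settings on the DDG and its nested group that govern envelope rewriting during group expansion:

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on the
# hybrid Exchange 2013 server. $Recipient is a placeholder for the redacted leasing@[domain1].com.
$Recipient = 'leasing@domain1.example'
$Start     = (Get-Date).AddDays(-1)
$End       = Get-Date

# 1. All tracking events for the DDG address, oldest first. 'Sender' and 'ReturnPath' are the
#    envelope (P1) values recorded at each hop; compare the RECEIVE event with the later
#    EXPAND/SEND events to see at which hop the return path was rewritten.
$events = Get-MessageTrackingLog -Start $Start -End $End -Recipients $Recipient -ResultSize Unlimited |
    Sort-Object Timestamp

$events |
    Select-Object Timestamp, EventId, Source, ClientIp, Sender, ReturnPath, MessageId,
                  @{ n = 'Recipients'; e = { $_.Recipients -join ';' } } |
    Format-Table -AutoSize

# 2. Follow one message by its Message-ID across every hop. The Message-ID survives the
#    rewrite even when the envelope sender does not, so it ties the events together.
$firstReceive = $events | Where-Object { $_.EventId -eq 'RECEIVE' } | Select-Object -First 1
if ($firstReceive) {
    Get-MessageTrackingLog -Start $Start -End $End -MessageId $firstReceive.MessageId -ResultSize Unlimited |
        Sort-Object Timestamp |
        Select-Object Timestamp, EventId, Source, Sender, ReturnPath,
                      @{ n = 'Recipients'; e = { $_.Recipients -join ';' } } |
        Format-Table -AutoSize
}

# 3. Show what the DDG actually expands to (the thread suspects the single nested group
#    in the OU), and the report-to settings on each group. ReportToManagerEnabled and
#    ReportToOriginatorEnabled control who receives delivery reports for mail sent through
#    a group, which Exchange implements by setting the envelope sender at expansion time.
$ddg = Get-DynamicDistributionGroup -Identity $Recipient
$ddg | Format-List Name, PrimarySmtpAddress, RecipientContainer, RecipientFilter,
                   ReportToManagerEnabled, ReportToOriginatorEnabled, ManagedBy

$members = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                         -OrganizationalUnit $ddg.RecipientContainer
$members | Select-Object Name, RecipientType, PrimarySmtpAddress | Format-Table -AutoSize

# The nested group(s) found in the OU, with the same report-to settings for comparison.
$members |
    Where-Object { $_.RecipientType -like '*DistributionGroup*' } |
    ForEach-Object {
        Get-DistributionGroup -Identity $_.Identity |
            Format-List Name, PrimarySmtpAddress, ReportToManagerEnabled,
                        ReportToOriginatorEnabled, ManagedBy
    }
```

Reading the output: the hop whose EXPAND or SEND event shows a different ReturnPath from the preceding RECEIVE event is the one doing the rewrite, and the report-to values printed in step 3 are the first thing to compare between the DDG and the nested group, since they are the documented knobs for who the envelope sender becomes after expansion.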
May 16 2023 12:39 PM
Hi @Jim_Mueller
To solve the phishing issue, try to enable enhanced filtering.
If I have answered your question, please mark your post as Solved. If you like my response, please give it a Like. Appreciate your Kudos! Proud to contribute! 🙂
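What enabling Enhanced Filtering for Connectors looks like in Exchange Online PowerShell, as an added example that is not part of the reply above. The connector name and the two IP addresses are placeholders; they stand for the inbound connector that receives the hybrid traffic and the public IPs of the hybrid Exchange 2013 server and the Symantec relay described in the thread. The point of the setting is that Defender then evaluates the original internet source (146.20.191.103 in the thread) rather than the last relay when it runs its spoof and authentication checks:

```powershell
# Added example, not from the reply above. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# 1. Identify the inbound connector that receives mail from the on-premises hybrid server.
Get-InboundConnector |
    Select-Object Name, ConnectorType, Enabled, TlsSenderCertificateName, SenderIPAddresses,
                  EFSkipLastIP, EFSkipIPs, EFUsers |
    Format-Table -AutoSize

$ConnectorName = 'Inbound from hybrid server'        # placeholder: use the connector listed above
$HopIps        = @('203.0.113.10', '203.0.113.11')  # placeholders: hybrid Exchange 2013 and Symantec relay

# 2. Tell Enhanced Filtering which hops to skip. With the two-hop path in the thread
#    (Symantec -> Exchange 2013 -> EXO), EFSkipLastIP $true would skip only the hybrid
#    server and Defender would still treat the Symantec relay as the source, so both
#    relay IPs are listed explicitly and the last-IP option is turned off. An empty
#    EFUsers applies the setting to all recipients.
Set-InboundConnector -Identity $ConnectorName `
                     -EFSkipLastIP $false `
                     -EFSkipIPs $HopIps `
                     -EFUsers @()

# 3. Verify the result.
Get-InboundConnector -Identity $ConnectorName |
    Format-List Name, Enabled, TlsSenderCertificateName, SenderIPAddresses,
                EFSkipLastIP, EFSkipIPs, EFUsers
```

Once this is in place, a test message delivered through the hybrid path should carry Enhanced Filtering headers (the skip-listed relay IP and the recovered original internet sender) in its header block, which is the quickest way to confirm the connector matched and the right hops were skipped before re-checking how Defender classifies the DDG traffic.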
Jun 07 2023 05:21 AM