Hybrid Exchange server changing "Return path" & "Mail from" attributes

Copper Contributor

We are using Exchange 2013 as our hybrid Exchange server. Yes, I know Exchange 2013 went EOL about a month ago. Management chose to delay migration until after another project was completed. Our build version is 15.00.1497.047. On a tangent, if anyone has the specific steps to migrate to a later Exchange and deprecate the 2013 version, that'd be great.


We have about 300 complex dynamic distribution groups which cannot be easily migrated to Exchange Online. Thus, our internet email routes to Symantec for spam filtering, which relays to our on-premise hybrid Exchange 2013 server and then relays to Exchange Online.


After about 4 months in testing, we deployed Defender for Office 365 to the entire organization in mid-April 2023. Our custom phishing policy was based upon the Strict policy, and we are trying to minimize reducing our protection in the custom policy.


This post refers to the following scenario:

* Symantec says the message they accepted has these attributes:

Sending Server: (m103.email.mailgun.net)

Sender: bounce+59e63d.1ec2ad-leasing=[domain1].email address removed for privacy reasons

Recipient: leasing@[domain1].com


M365 Quarantine says:

Sender address [name]@gmail.com

SMTP mail from address [name1]@[domain2].com

Return path [name1]@[domain2].com


I know the difference between envelope and message body addresses. When I export the Symantec logs, there is no reference to [domain2].com. However, when it reaches Defender for M365, it's marking the message as phish because the sending server IP of is not permitted to forge our internal domains (which includes domain2.com).


"leasing@[domain1].com" is the primary SMTP address of one of our DDGs. That DDG includes all users and groups within a specific OU. That OU contains a single normal email group, whose e-mail address correlates with the [name1]@[domain2].com syntax listed above.


Running a message log trace on the hybrid server, it adds references to [email address removed for privacy reasons]. I don't understand why it is adding/changing the "Return path" and "SMTP mail from" attributes; I feel that is the source reason for Defender falsely classifying such messages as phish. If it remained as omadimail.com or gmail.com, I bet it wouldn't get falsely flagged.


Any ideas on how to troubleshoot and resolve this issue?






2 Replies

Hi @Jim_Mueller 

to solve phishing issue try to enable enhanced filtering 




If I have answered your question, please mark your post as Solved

If you like my response, please give it a Like :smile:

Appreciate your Kudos! Proud to contribute! :)


I this the cause of this issue is the Symantec for spam filtering is changing the message header.