SOLVED

Phish delivered due to an ETR override - Best Practice


Hello,

We are receiving some informational "Phish delivered due to an ETR override" alerts from Microsoft on a daily basis. We have a rule, "Mailqueue für Mail-Blacklist" (Set the spam confidence level (SCL) to '-1'), turned on, and these alerts are created regarding this rule, which allows some emails (considered phishing) to be delivered to the Inbox of users, but in the deleted folder (if I got it right).

Our environment is hybrid (Exchange 2016 + Exchange Online) and we have a third-party solution for blacklisting (blocking) spam and phishing emails.

What is the best practice regarding these alerts? Do we need to check them one by one and block the sender if it is phishing?

Kindest regards

Leon

 

1 Reply
best response confirmed by LeonPavesic (Silver Contributor)
Solution
What is the ETR causing the override? You are setting SCL=-1 to messages classified as phish, hence the alert, and thus delivery of these messages.
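
One way to answer the question in the reply, as an added example that is not part of the original thread: list the enabled transport rules (ETRs) whose action sets SCL to -1, with the conditions that scope them. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can read transport rules; the `SenderScoped` column is a heuristic introduced here, not an Exchange property.

```powershell
# Added example: find the transport rules that can trigger
# "Phish delivered due to an ETR override" by setting SCL to -1.
# Assumption: ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

# Enabled rules whose action bypasses spam filtering (SCL -1).
$bypassRules = Get-TransportRule -ResultSize Unlimited |
    Where-Object { $_.State -eq 'Enabled' -and $_.SetSCL -eq -1 }

# Summarise each rule and the sender-related conditions that scope it.
# SenderScoped is a heuristic column (hypothetical name): it is $false when
# none of the common sender conditions is set, i.e. the bypass may apply
# to far more mail than intended.
$bypassRules |
    Sort-Object Priority |
    Select-Object Priority, Name, Mode, WhenChanged,
        SenderIpRanges, SenderDomainIs, From,
        HeaderContainsMessageHeader, HeaderContainsWords,
        @{ Name = 'SenderScoped'; Expression = {
            [bool]($_.SenderIpRanges -or $_.SenderDomainIs -or $_.From)
        } } |
    Format-List

# Full human-readable conditions, actions and exceptions per rule,
# to compare against the rule named in each alert.
foreach ($rule in $bypassRules) {
    "=== $($rule.Name) ==="
    $rule.Description
}
```

Rules that show `SenderScoped : False` are the first candidates to review, since every message they match skips spam filtering regardless of its phish verdict.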