Mar 16 2023 12:04 PM - edited Mar 17 2023 06:24 AM
We have been seeing phishing emails reach user inboxes when they shouldn't. A phishing email will be sent to several users, and Defender will quarantine it for some users, and deliver it to others. All the users have the same Anti-Spam and Anti-Phishing policies which have been reviewed by Microsoft Gold partners and Microsoft support several times. These emails also do not have any overrides (transport rules or user settings) that are changing the behavior.
After many tickets with Microsoft support over the last 6 months (the current one open for over a month), I have discovered that the SCL is different per recipient for the same email. This doesn't show up very well in the security portal because the portal may only show one version of the header no matter which recipient you look at. But if I download the messages for each recipient I'll find that some of the recipients see the email as SCL 5 (is spam) in the header, and other recipients for the same email show SCL 1 (not spam) in the header. And it seems the SCL level directly affects the phish detection / threat analysis. When the email comes in with suspicion of being phishing (spoofed domain), Microsoft adds the analysis to the header (SFTY:9.25). Now if the spam detection is SCL 5 for a recipient, they go ahead and look at the SFTY header and quarantine the message. If spam detection is SCL 1 for a recipient, they seem to ignore the SFTY header and do NOT quarantine the message.
Can anyone tell me if the SCL is designed to be different per recipient?! One MS Support agent suggested that this is by design, and the Defender AI is deciding the SCL value based on the recipient's past behavior, but they also are not closing the ticket and keep analyzing samples I send them (apparently the ticket is with the "product team"). It seems crazy to evaluate the same inbound email differently per recipient, especially if the Threat/Phishing detection is directly dependent on the SCL level. If it is a threat for one user, it should be threat to all users. It also means that my anti-spam and Anti-phish policies are useless to fix this, because I cannot change the SCL level that Defender's AI assigns to the email, I can only act on that analysis.
Just really frustrated with the product and support lately and looking for some clarification on how this is supposed to work. Thank You!
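The per-recipient header comparison the post describes can be automated. The script below is an added example, not code from the original post or from Microsoft: it takes the same inbound message as downloaded for each recipient, parses the X-Forefront-Antispam-Report header (assumed here to be where Exchange Online Protection writes SCL and SFTY), and reports whether SCL or SFTY differ between copies and which recipients carry an SFTY verdict without a spam-level SCL. The two sample messages, recipient addresses, IPs and hostnames are constructed for illustration; the SCL threshold of 5 is EOP's "spam" level.

```python
import email
from email import policy

# Constructed sample downloads of the same inbound email as received by two
# recipients. All values are made up for illustration. The
# X-Forefront-Antispam-Report header is assumed to be where SCL, SFTY and the
# other filtering verdicts are recorded.
SAMPLES = {
    "alice@contoso.example": """\
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail.attacker.example;PTR:mail.attacker.example;CAT:PHSH;SFTY:9.25;DIR:INB;
From: "IT Helpdesk" <helpdesk@contoso-support.example>
To: alice@contoso.example
Subject: Password expiry notice

Please re-enter your credentials at the link below.
""",
    "bob@contoso.example": """\
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.attacker.example;PTR:mail.attacker.example;CAT:NONE;SFTY:9.25;DIR:INB;
From: "IT Helpdesk" <helpdesk@contoso-support.example>
To: bob@contoso.example
Subject: Password expiry notice

Please re-enter your credentials at the link below.
""",
}

SPAM_SCL_THRESHOLD = 5  # SCL at or above this is "spam" on EOP's scale


def parse_antispam_report(raw_message: str) -> dict:
    """Return the key/value fields of X-Forefront-Antispam-Report as a dict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = str(msg.get("X-Forefront-Antispam-Report", ""))
    fields = {}
    for part in report.split(";"):
        part = part.strip()
        if not part or ":" not in part:
            continue
        # Split on the first ':' only; values such as CIP contain no further ':'
        # but this keeps the parser safe if a future field does.
        key, _, value = part.partition(":")
        fields[key.strip().upper()] = value.strip()
    return fields


def compare_recipients(samples: dict) -> dict:
    """Collect SCL and SFTY per recipient and flag whether either value diverges."""
    reports = {rcpt: parse_antispam_report(raw) for rcpt, raw in samples.items()}
    scl = {rcpt: f.get("SCL") for rcpt, f in reports.items()}
    sfty = {rcpt: f.get("SFTY") for rcpt, f in reports.items()}
    return {
        "scl": scl,
        "sfty": sfty,
        "scl_diverges": len(set(scl.values())) > 1,
        "sfty_diverges": len(set(sfty.values())) > 1,
    }


def recipients_with_unenforced_sfty(samples: dict) -> list:
    """Recipients whose copy carries an SFTY verdict but an SCL below the spam threshold.

    This is the pattern the post reports: SFTY is present on every copy, but
    only the copies that also scored SCL 5 were quarantined.
    """
    flagged = []
    for rcpt, raw in samples.items():
        fields = parse_antispam_report(raw)
        if "SFTY" not in fields:
            continue
        try:
            scl = int(fields.get("SCL", "-1"))
        except ValueError:
            scl = -1  # EOP uses SCL:-1 for bypassed filtering; treat unparsable as that
        if scl < SPAM_SCL_THRESHOLD:
            flagged.append(rcpt)
    return sorted(flagged)


if __name__ == "__main__":
    summary = compare_recipients(SAMPLES)
    for rcpt in SAMPLES:
        print(f"{rcpt}: SCL={summary['scl'][rcpt]} SFTY={summary['sfty'][rcpt]}")
    print("SCL diverges across recipients:", summary["scl_diverges"])
    print("SFTY present but not enforced for:", recipients_with_unenforced_sfty(SAMPLES))
```

To use it on real data, replace the SAMPLES dict with the raw .eml text downloaded from the portal for each recipient; comparing the parsed header fields side by side is what makes the per-recipient difference visible, since the portal view may show only one copy of the header.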