Aug 23 2022 08:11 AM
We recently switched our Office 365 email security provider from Mimecast to Defender Plan 1. We have our Defender policy settings set as strict as possible, but we are still seeing a large increase in the amount of malicious email (and bulk email) that makes it into our inboxes. Specifically, we have one mailbox that forwards all email to a 3rd-party ticketing system. That ticketing system went from receiving malicious emails a few times a year to several per week. We reviewed some of the emails and I can't understand why they are being delivered (no SPF, failed DMARC, failed composite auth, no DKIM). I opened a ticket with Microsoft and their explanation was that when Microsoft servers are busy, they deliver the email without Exchange Online Protection scanning. Then they use a feature called ZAP (zero-hour purge) to scan and remove the emails after delivery. Last month we had 173 emails removed by ZAP. This happens after the email is forwarded to our ticketing system and without notification, so we don't have a way to act on them.
Is this accurate? Is Microsoft really delivering emails without security scanning? If so, what can we do to stop the emails? Create a bunch of manual mail flow rules? Switching back to Mimecast would be a significant undertaking and cost, so I would like to make Defender work if possible.
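One concrete way to act on the "manual mail flow rules" idea raised above, as an added example that is not part of the original post or Microsoft's documentation: an Exchange Online PowerShell session that (1) creates a mail flow (transport) rule quarantining any message whose Authentication-Results header carries a failed composite authentication verdict (compauth=fail, the verdict stamped by EOP when SPF/DKIM/DMARC and spoof checks fail), so it is held before the forward fires, and (2) pulls message trace detail for the forwarding mailbox and filters for post-delivery purge events. The domain contoso.com, the mailbox tickets@contoso.com, the rule name, and the exact wording of the ZAP event in trace detail (matched loosely with a regular expression) are assumptions; whether a message that EOP skipped during a backlog still gets a compauth header is not something the thread establishes, so the rule is a defence in depth, not a guaranteed fix for the bypass described.

```powershell
# Added example (not from the original thread). Assumes the ExchangeOnlineManagement
# module is installed and the account has Exchange Administrator rights.
# Assumed names: contoso.com, tickets@contoso.com, rule name below.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Quarantine anything whose EOP-stamped Authentication-Results header says
#    composite authentication failed. Mail flow rules run on the transport path
#    before delivery, so the message never reaches the forwarding mailbox.
#    The regex also tolerates "compauth=fail reason=NNN" and trailing text.
New-TransportRule -Name "Quarantine compauth fail" `
    -Priority 0 `
    -Mode Enforce `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns '\bcompauth=fail\b' `
    -Quarantine $true `
    -StopRuleProcessing $true `
    -Comments "Added by mail security review: hold messages that fail composite authentication."

# Optional tightening for the spoofed-own-domain case: same condition, but only
# for mail claiming to be from our domain, with a higher-priority dedicated rule
# so the quarantine reason is obvious to whoever reviews the quarantine.
New-TransportRule -Name "Quarantine spoofed contoso.com" `
    -Priority 0 `
    -Mode Enforce `
    -SenderDomainIs "contoso.com" `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns '\bcompauth=fail\b' `
    -Quarantine $true `
    -StopRuleProcessing $true

# 2. Visibility: list the last 7 days of trace events for the forwarding mailbox
#    and keep only events that look like a zero-hour auto purge. The event label
#    is matched loosely because its exact text is an assumption here.
$end   = Get-Date
$start = $end.AddDays(-7)
$traces = Get-MessageTrace -RecipientAddress "tickets@contoso.com" `
                           -StartDate $start -EndDate $end -PageSize 5000

$zapEvents = foreach ($t in $traces) {
    Get-MessageTraceDetail -MessageTraceId $t.MessageTraceId `
                           -RecipientAddress $t.RecipientAddress |
        Where-Object { $_.Event -match 'ZAP|Zero-?hour' -or $_.Detail -match 'ZAP|Zero-?hour' } |
        Select-Object @{n='Received';e={$t.Received}},
                      @{n='Sender';e={$t.SenderAddress}},
                      @{n='Subject';e={$t.Subject}},
                      Event, Date, Detail
}

# Each row is a message that was delivered (and forwarded) and only removed
# afterwards; these are the ones the ticketing system needs to be told about.
$zapEvents | Sort-Object Received | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run the rule-creation half once and verify with Get-TransportRule that the priority and Quarantine action took effect; the trace half can be scheduled and its output fed to whatever closes or flags the corresponding tickets. Test the rule in audit mode (-Mode Audit) first if the tenant relays mail through a third-party gateway that rewrites the envelope, since legitimate relayed mail can also fail composite authentication.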
Aug 29 2022 10:55 AM - edited Aug 29 2022 12:48 PM
Any feedback would be appreciated. We are even finding emails that spoof our domain getting through, something we've never seen. They all seem to be getting pulled by ZAP about 2 minutes after delivery.
Sep 12 2022 09:33 AM
Sep 13 2022 06:08 AM