Malware Infected Messages, URL

 Hey Team, 


Hoping you can assist here. We have an issue where messages which are "Known Threats" due to the URL are classified as Phish instead of Malware, and are then placed into quarantine as Phish messages instead of Malware messages. This allows end users to release those messages.


We allow users to release Phish messages, which is usually fine except for this case. 


How can we set up Office 365, EOP so that if a message is infected with a Known Threat, the message cannot be released, or make it so the message is placed into the Malware Quarantine? 


It's important to note that we got these messages over several days. For example, we saw messages from 6/28 that were infected, and those same messages still kept coming in on 6/30 and were still placed into the Phish queue and not the malware queue. Same Phish URL etc. 


Office 365 is our only messaging filtering service, and is the Endpoint for our MX records. We have E1 with the EOP Add ons. All mailboxes are in the cloud. 







We ended up opening a support ticket with Microsoft for this. As usual, it wasn't a good experience. Microsoft was not able to tell us what happened with that message, nor why it was placed in the "SPAM" vs "High Confidence SPAM" quarantine.

However, as an alternative, we were able to create a new Quarantine policy; we set the policy to "Request Release" + "Notification" enabled.

Then set the newly created policy for the High Confidence SPAM, Phishing and Bulk Queues. We were also able to determine (from the ticket) the correct agent that acted on the message, and that's how we knew which policy group to work with (Anti Spam, Anti Phishing).
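
The workaround described above can also be applied from Exchange Online PowerShell. This is an added example, not the poster's own commands: the policy name `RequestReleaseOnly` is hypothetical, it assumes the default anti-spam and anti-phishing policies (`Default`, `Office365 AntiPhish Default`) are the ones in use, and it assumes "Request Release" corresponds to the limited-access permission value 27.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an admin session:
#   Connect-ExchangeOnline
$policyName = 'RequestReleaseOnly'   # hypothetical name, pick your own

# Limited access (27): users can preview, delete, block the sender and
# REQUEST release, but cannot release a message themselves.
# -ESNEnabled turns on quarantine notifications for this policy.
if (-not (Get-QuarantinePolicy | Where-Object Name -eq $policyName)) {
    New-QuarantinePolicy -Name $policyName `
        -EndUserQuarantinePermissionsValue 27 `
        -ESNEnabled $true
}

# Anti-spam policy: apply the new quarantine policy to the High Confidence
# Spam, Phishing and Bulk verdicts.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -HighConfidenceSpamQuarantineTag $policyName `
    -PhishQuarantineTag $policyName `
    -BulkQuarantineTag $policyName

# Anti-phishing policy: apply it to the spoof verdict as well.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -SpoofQuarantineTag $policyName

# Verify. A quarantine tag only takes effect where the matching action is
# Quarantine, so list each action next to its tag.
Get-HostedContentFilterPolicy -Identity 'Default' |
    Format-List Name,
        HighConfidenceSpamAction, HighConfidenceSpamQuarantineTag,
        PhishSpamAction, PhishQuarantineTag,
        BulkSpamAction, BulkQuarantineTag

Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Format-List Name, AuthenticationFailAction, SpoofQuarantineTag
```

If custom anti-spam or anti-phishing policies take precedence for the affected recipients, the same tag parameters need to be set on those policies instead of the defaults.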