Apr 10 2019
- last edited on
Feb 01 2023
Since yesterday, all outgoing emails from our organization using Office365 (fully cloud) are being flagged as either spam or phishing email by Microsoft Outbound email servers. Due to this our Office365 user accounts are getting blocked every hour. We tried contacting Office365 support but they said they cannot help on outbound email spam settings as they do not have any control over the configurations. I spend more than an hour on the phone with the support person and at the end was asked to send 5 sample emails to email@example.com and wait for 48 hours. I told O365 support that each user who is blocked sends around 100 emails of which all of them are getting flagged as either spam or phishing email, so sending random samples will not help. No spam or phishing filter settings have been changed since months now so I can only think on some backend updates done by O365 team for tightening the spam filters.
I am not sure whom to contact or escalate this case now so I am posting it in this group to everyone expecting someone who might have experienced the same might help. Any help to resolve this issue will be much appreciated as our users are unable to send emails.
Apr 10 2019 10:42 AM
The issue seems quite strange. How did you know that MS Outbound servers are marking your emails as Spam. Secondly I hope your domain is still able to send emails to other domains, if yes... could you share a message header.. so that I can analyze it.
Apr 10 2019 11:13 AM
Hi@Robin Nishad ,
We have edited the default Outgoing Spam rule to copy messages flagged as spam to one of our internal email addresses. I have pasted the header from one such email (apparently we receive almost every outgoing email now) as requested. As you will notice that the Spam Confidence Level is set to 5 by Microsoft and the Phishing Level to 8 for this outgoing email from Office365. We do have even have 2FA enabled for most users and never had any issue till yesterday.
Received: from AM6PR0602MB3589.eurprd06.prod.outlook.com
(2603:10a6:208:aa::49) by AM0PR0602MB3585.eurprd06.prod.outlook.com with
HTTPS via AM0PR06CA0072.EURPRD06.PROD.OUTLOOK.COM; Wed, 10 Apr 2019 17:13:40
Received: from VI1PR0601CA0005.eurprd06.prod.outlook.com
(2603:10a6:800:1e::15) by AM6PR0602MB3589.eurprd06.prod.outlook.com
(2603:10a6:209:e::26) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.19; Wed, 10 Apr
2019 17:13:39 +0000
Received: from VE1EUR01FT025.eop-EUR01.prod.protection.outlook.com
(2a01:111:f400:7e01::209) by VI1PR0601CA0005.outlook.office365.com
(2603:10a6:800:1e::15) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1792.14 via Frontend
Transport; Wed, 10 Apr 2019 17:13:39 +0000
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (188.8.131.52)
by VE1EUR01FT025.mail.protection.outlook.com (10.152.2.232) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:13:38 +0000
Received: from DB5EUR01FT040.eop-EUR01.prod.protection.outlook.com
(10.152.4.56) by DB5EUR01TH003.eop-EUR01.prod.protection.outlook.com
(10.152.4.138) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.16; Wed, 10 Apr
2019 17:10:53 +0000
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (184.108.40.206)
by DB5EUR01FT040.mail.protection.outlook.com (10.152.5.25) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:10:53 +0000
Authentication-Results: spf=none (sender IP is )
Received: from AM0PR0602MB3554.eurprd06.prod.outlook.com (220.127.116.11) by
AM0PR0602MB3523.eurprd06.prod.outlook.com (18.104.22.168) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1792.14; Wed, 10 Apr 2019 17:10:45 +0000
Received: from AM0PR0602MB3554.eurprd06.prod.outlook.com
([fe80::9162:6e5e:65c1:9944]) by AM0PR0602MB3554.eurprd06.prod.outlook.com
([fe80::9162:6e5e:65c1:9944%6]) with mapi id 15.20.1771.014; Wed, 10 Apr 2019
Content-Type: application/ms-tnef; name="winmail.dat"
From: Anna Mandia <firstname.lastname@example.org>
To: Calum Berkley <email@example.com>, "firstname.lastname@example.org"
<email@example.com>, IBIS Abu Dhabi Gate FO3 <H6949-FO3@accor.com>,
NOVOTEL Abu Dhabi Gate RE1 <H6948-RE1@accor.com>
CC: Paula Cercel <firstname.lastname@example.org>, William Escondo
<email@example.com>, Amit Dagar <firstname.lastname@example.org>
Subject: FW: Calum Berkley/Sharqi/12 Apr [Email Ref. #1457448]
Thread-Topic: Calum Berkley/Sharqi/12 Apr [Email Ref. #1457448]
Date: Wed, 10 Apr 2019 17:10:44 +0000
Accept-Language: en-GB, en-US
X-MS-Exchange-Organization-ExpirationStartTime: 10 Apr 2019 17:10:45.0518
Received-SPF: None (protection.outlook.com: gmsuae.com does not designate
permitted sender hosts)
X-MS-Exchange-Organization-ACSExecutionContext: 04/10/2019 17:10:53;04/10/2019
Apr 10 2019 11:49 AM - edited Apr 10 2019 11:50 AM
Apr 10 2019 12:05 PM
I noticed in the Message Header -
|Received-SPF||None (protection.outlook.com: gmsuae.com does not designate permitted sender hosts)|
So would suggest to check if the sender domain is added in the allowed domain settings in Security and Compliance center.
1. Sign in to O365 Admin Portal
2. Navigate to Security & Compliance center > Threat management > Policy.
3. Find Anti-spam, open it. Expend Allow lists. Add the sender’s domain to the Allow domain setting.
Apr 10 2019 12:40 PM
Hi@Robin Nishad ,
Thanks for the suggestion. We already have the domain added in the Allow list of Anti-Spam policy.
Could it be that the domain is showing as SPF not designated because it is still an internal email within Office365 servers ?
Apr 10 2019 12:52 PM
if the Domain is added in the Allow list, then I would suggest to submit the message to MS and let them know that it is not Spam. I know & understand that you are already working with MS on this however I would like you to refer to the steps given in the below article....
(Submit messages that were tagged as junk but should have been allowed through)
Secondly the proof that MS Servers are marking your email as Spam is that in the header - Anti Spam Report - It has SFV-SPM that means the email is marked as Spam because of the EOP Spam filters.
Moreover do check if the emails that you are sending has any HTML Signatures or they are simple text.
Apr 11 2019 11:35 AM - edited Apr 11 2019 11:55 AM
@ALV_Work We got exactly the same problem yesterday, I opened a ticket but Microsoft seems to have no clue about what happened.
We worked on it a while and this is what we could figure out about our case :
- It started around 7am CET and ended around 8pm CET
- It has nothing to do with SPF or whatever
- EOP was giving a SFV:SPM SCL:5 to outbound emails ONLY IF they were replies or forwards to external email addresses, so they were using the High Risk Delivery Pool and we were getting a BCC in our IT mailbox as our Outbound spam Policy specifies it. I can see in your header that it was the same for you : DIR:OUT;SFP:1501;SCL:5
- When an external person was answering one on these emails they were coming back with SFV:SPM and CAT:PHSH, so we got PLENTY of emails yesterday ending up in junk folder
- Every Outbound Spam BCC in our IT mailbox arrived twice, the second time with a huge delay (6+ hours), and message stayed in "Getting Status" for very long time in traces, maybe because they were going through the High Risk Pool.
We didn't make any changes in our SPF or policies, it just randomly happened and ended.
I'm still waiting for an explanation from Microsoft.
Apr 12 2019 12:05 AMSolution
You might want to read the following article on the "health" tab in the office portal...
Apr 12 2019 12:30 AM - edited Apr 12 2019 12:32 AM
@Rafmoerkens Thanks for this, It doesn't appear in my portal, I only have the "EX176985 - Can't see message traces" ...
Apr 12 2019 12:33 AM
Apr 12 2019 01:02 AM - edited Apr 12 2019 01:02 AM
Apr 12 2019 01:08 AM
Hi @@Philippe_RAYNAUD ,
All the scenarios mentioned by you is the same for me too. Got a lot of emails tagged as PHISH by AntiSpam policy and all went into quarantine due to our Antispam settings. Had to release them manually to the users. Also we got a lot of duplicate emails send as BCC to our IT email address since outgoing emails where getting tagged as SPAM. But now the issue seems to be have stopped. Looks like MS Team has reverted the changes.
Apr 12 2019 01:30 AM
@Rafmoerkens Their article is weird though, I don't understand what this has to do with "URL filtering"! Happened with every single message.
Apr 12 2019 10:50 AM
Apr 12 2019 03:29 PM
@ALV_Work Nope we tried with blank messages was the same, I think we will never know what really happened :)
Sep 16 2019 05:32 AM
We are facing same issues from past week. Did create a ticket with MS and is still being worked on.
We didn't make any recent changes to any of our policies and wondering what is the reason behind it. Its been a week that we are exchanging mail headers and extended message traces and didn't reach to isolate the issue yet.
Sep 16 2019 05:58 AM
Hi @Sujesh1415 ,
Only Microsoft Team can resolve this issue. It mostly due to an issue at their servers which tags outgoing emails as spam. This affects not everyone i guess just random tenants.
Jan 23 2020 09:17 AM - edited Jan 23 2020 09:26 AM
I'm having a similar issue with a client who has Office 365 for email.
Their domain name was categorized as CAT:HPHISH due to their website being hacked. Once cleaned up they started having emails being quarantined. They put their domain name in their signature. So any customers they emailed with Office 365 wouldn't get the email, it would be quarantined. When a customer who wasn't on Office 365 got the email and replied, the client wouldn't get the email.
We've reached out to Microsoft Support, however, they're unable to understand what needs to happen. And there is no system in-place to change/remove domain names from this categorization. Even though they have https://sender.office.com for de-listing IP addresses, there is no way to submit domain names.
Other vendors like PaloAlto, FortiNET and Sohpos provide the means to submit evidence for delisting domain names categorized as Phishing or Spam.
EDIT: The only method I see to report the domain name as a false positive or have the category changed or removed is through the Office 365 Protection Portal under the “Quarauntine Queue", by clicking “Submit Message” with no information on where it’s going or if I will get notified if any action was taken.
The other method is in a Microsoft article https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/submit-spam-non-spam-and... which states “Use the same procedure as described in the "Use email to submit junk (spam) or phishing scam messages to Microsoft ," but send the message to email@example.com.”
Jan 23 2020 02:22 PM
We are having the exact same problem. Tomorrow will be our 3rd day of being mostly down and working with 0365 who can't figure out the problem or even understand that it is bigger than analyzing a couple email headers.
Is there a way to get in contact with higher tier support that has more to say than " tell your recipients to whitelist you."?