cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

StephanGee
Steel Contributor

‎Apr 22 2020 02:48 AM - last edited on ‎Apr 04 2022 07:48 AM by

‎Apr 22 2020 02:48 AM - last edited on ‎Apr 04 2022 07:48 AM by

Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

Hi everyone,

 

we are having problems with our filter. We used Sophos UTM before but switched our MX now to M365 as there are 99% of the mailboxes.

But we don't really get the logic behind the filtering service.

Yesterday a mail got through that was clearly send from outside of Office365 with the "from" mailadress of our CEO which got straight to inbox. We have setup SPF!

Also those fake Office365 always get through. Even with dynamite phishing.

Are there best practices available for setting this up?

 

Some examples which should go straight to junk or quarantine.

StephanGee_0-1587548672182.png

StephanGee_1-1587548753799.png

Do you other IT Pros have similar experiences?

 

Best regards

Stephan

 

 

3,721 Views
1 Like
12 Replies
Reply
12 Replies
Thijs Lecomte

‎Apr 22 2020 04:03 AM

‎Apr 22 2020 04:03 AM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

Have you verified from the mail that was sent out from the CEO?
have you checked headers to see where it was sent and why it might have passed your spam filter?

I assume you haven't whitelisted your own domain?


I highly recommend using the ORCA module to verify that your ATP is setup according best practices.
https://www.powershellgallery.com/packages/ORCA/1.6.3
1 Like
Reply
StephanGee

‎Apr 22 2020 04:22 AM - edited ‎Apr 22 2020 04:31 AM

‎Apr 22 2020 04:22 AM - edited ‎Apr 22 2020 04:31 AM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

@Thijs Lecomte 

Hi. Thanks for your quick email. 

I checked the message header and it was received from an internet provider (not ours) from Germany. So it should have been blocked.

We did not add our domain on the allowed list ( i checked ;) ) and the sender ip is not in our allowed IP list in the mail rule.

 

Thanks for the tip with ORCA. I will check this tool.

 

---

Cannot install it on my Admin machine though

Name : ConsoleHost
Version : 5.1.14409.1018

 

Can be installed on my Win 1909 machine (but from there i am not allowed to perform this ;) )

 

Error:

WARNING: Source Location 'https://www.powershellgallery.com/api/v2/package/ORCA/1.6.3' is not valid.
PackageManagement\Install-Package : Package 'ORCA' failed to download.

 

1 Like
Reply
Vasil Michev

‎Apr 22 2020 09:23 AM

‎Apr 22 2020 09:23 AM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

Best thing to do here is open a support case and work with the engineer to find out why the message was not blocked.

0 Likes
Reply
StephanGee

‎Apr 23 2020 04:19 AM

‎Apr 23 2020 04:19 AM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

@Vasil Michev 

Yes i think i will do that. Because what Message Analyzer says - i would say 100% Junk. MS says -> straight to Inbox

StephanGee_0-1587640765046.png

 

0 Likes
Reply
StephanGee

‎May 13 2020 11:45 PM

‎May 13 2020 11:45 PM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

@Vasil Michev 

We implemented all best practices (if suitable).

Now "internal mails" to external are filtered as SPAM (highest number 9).

How can internal mail be marked as spam? They are normal responses to mails.

StephanGee_0-1589438490879.png

 

These are filtered - but mails like these still coming through:

StephanGee_1-1589438679225.png

At this moment our Sophos UTM was a better filter than Office ATP - as we needed about 20% of the resources to manage it.

0 Likes
Reply
StephanGee

‎Jul 08 2020 02:00 AM

‎Jul 08 2020 02:00 AM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

@Thijs Lecomte@StephanGee

Is there any possibility to check how the SPAM score was calculated?

 

eg.

Score starts at 5

SPF ok -1 points

DKIM passed -1 Point 

20 mails in the past 1h +1

= 4

 

?

 

0 Likes
Reply
Thijs Lecomte

‎Jul 08 2020 02:24 AM

‎Jul 08 2020 02:24 AM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

Not as far as I know
Such things probably aren't published in order to protect the inner workings of ATP
0 Likes
Reply
StephanGee

‎Jul 08 2020 02:59 AM

‎Jul 08 2020 02:59 AM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

@Thijs Lecomte 

Thanks for your fast answer. 

 

We have so many cases with false positives that we might just make more internal trainings and set the spam recognition lower.

 

Current case:

Normal mails from customer is received fine

Teams meetings are sent to quarantine. No special configuration (no picture, no disclaimer, no custom help page)

Customer uses M365 like us

 

One difference is, that a special character in the name of the customer is recognized in normal mail and in Teams meeting not.

0 Likes
Reply
StephanGee

‎Jul 08 2020 10:46 PM

‎Jul 08 2020 10:46 PM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

@Thijs Lecomte 

This are the information is from the message analyzer (blocked teams meeting):

StephanGee_0-1594273397907.png

 

You can see in the senders display name the wrong character:

StephanGee_1-1594273557365.png

When she is sending mail - the display name is ok. I now asked her if she is creating the teams meetings from the teams client or the outlook addin.

 

 

0 Likes
Reply
Thijs Lecomte

‎Jul 09 2020 05:55 AM

‎Jul 09 2020 05:55 AM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

There is no way to know from the headers what is causing is.
Best you open a case for this, they might be able to check in the backend
0 Likes
Reply
StephanGee

‎Oct 05 2020 11:34 PM

‎Oct 05 2020 11:34 PM

Re: Phishing Filter - M365 ATP - false positives blocked or clear spam messages get into inbox.

I have to push it back up.

Literally any newsletter is landing now in quarantine due to Phish. This is an authentication result of one of them:

spf=pass (sender IP is 185.71.127.155) smtp.mailfrom=u106878.rmh1.net; mycompany.com; dkim=pass (signature was verified) header.d=rmh6.net;mycompany.com; dmarc=fail action=none header.from=amcham.de;compauth=fail reason=001

 

SPF right, DKIM pass. 

Why not send this mail into "Junk" but into "Quarantine" where to user has to release it?

Spam Level is "5" for this. 

This takes up a lot of time ... my colleague also went through some support calls but this is just a waste of time.

"It is what it is"

0 Likes
Reply