Attack Simulation goes to Junk Folder

Iron Contributor

I tried a test simulation that only went to me. However, it went to my junk folder.

 

I didn't see anything in the Attack Simulation documentation about whitelisting and assumed that, since it is all going through Microsoft products, it would just work.

 

Are there other steps I need to have the simulations go to users' mailboxes?

4 Replies
As I've said before, the attack simulator writes directly to the target mailbox and does not go through the conventional delivery process. There isn't much scope for a Junk action. I would suggest you check your Outlook settings. Is the sender in BlockedSendersAndDomains? Are your Junk settings set to only allow your contacts? Is there a third-party product moving junk mail directly from your Inbox?

The other additional step you might need to take is to ensure that any third party proxy or next-generation firewall does not block any payload or resource URL used by the payload. It seems that none of the products I've worked with are bright enough to do that. I'm waiting for someone like CISA to knock the suppliers' heads together (most are in the US) and say "STOP BLOCKING EACH OTHERS' S**T".

@ExMSW4319 

 

That is useful to know that it goes directly to the mailbox. I was wondering why I couldn't see the message using message trace.

 

I am sure I saw it briefly flash in my inbox then I wondered where it went until I found it in Junk. I am using Outlook on the web, the sender isn't blocked, and I don't have any rules that would send it to junk.

 

We do use Trend Apex one on our mailboxes, but I can't find anywhere where it would send anything to junk. 

 

Is there an audit log or somewhere I could look to see what moved it from inbox to junk?

Bear in mind third-party tools can also include things like apps on additional platforms such as a smartphone that also have the right to read your mailbox and make anti-spam decisions.

If the problem was at the Exchange Online end then I would say try an extended message trace, but for the reason mentioned I don't think it will show anything. I find the audit tool to be fairly useless out-of-the box for our licence level.
I finally found out what was happening. When the simulation emails went to the inbox our third-party product was immediately moving them to junk. I couldn't find it because we have two products and I was looking at the wrong one.

I was able to have the product ignore the simulations in spam checking and now they stay in users' mailboxes.