Microsoft Tech Community

Defender quarantining legitimate business email as Phishing


Hi All,


I'm seeing Defender disposition a lot of legitimate business email as phishing. The senders in question do not appear on any blacklists or have any obvious misconfigurations in their public-facing MX/DNS records. Additionally, during our analysis we have observed that the other MS tools do not always agree on the dispositions (i.e. SCL within Defender = "None", but the Microsoft Header Analyzer tool lists SCL as 8 or higher). Has anyone experienced similar findings?

When you say "legitimate business" should we be picturing de Niro, Pacino or Pesci, and in which role? The characterisation is important.

I've seen the Exchange Online engine give apparently inexplicable high-confidence phishing verdicts when the rest of the [comprehensible] Forefront headers said no problem, but an SCL of 8 suggests the sender does have an issue. How high are the corresponding BCL values, please?

If the sender was sufficiently public, a redacted header or two would be helpful.
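As an added illustration (not code from either poster), here is a small Python helper that pulls SCL, BCL and CAT out of a message's X-Forefront-Antispam-Report, X-Microsoft-Antispam and X-MS-Exchange-Organization-SCL headers and flags when the organization SCL and the Forefront-report SCL disagree; the sample message is constructed and its values are illustrative.

```python
import email

# Constructed sample message (not from the thread); header values are illustrative.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.org
Subject: Quarterly invoice
X-MS-Exchange-Organization-SCL: 8
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;PTR:mail.example.com;CAT:PHSH;SFTY:9.19;
X-Microsoft-Antispam: BCL:0;

body
"""

def parse_kv_header(value):
    """Parse an EOP 'KEY:VALUE;KEY:VALUE;' header into a dict (empty values kept)."""
    fields = {}
    for part in value.split(";"):
        part = part.strip()
        if not part or ":" not in part:
            continue
        key, _, val = part.partition(":")
        fields[key.strip().upper()] = val.strip()
    return fields

def antispam_summary(raw_message):
    """Return the verdict fields a reviewer would ask for (SCL, BCL, CAT, SFV, CTRY)
    and whether the organization SCL header agrees with the Forefront report."""
    msg = email.message_from_string(raw_message)
    report = parse_kv_header(msg.get("X-Forefront-Antispam-Report", ""))
    antispam = parse_kv_header(msg.get("X-Microsoft-Antispam", ""))
    org_scl = msg.get("X-MS-Exchange-Organization-SCL", "").strip() or None
    report_scl = report.get("SCL")
    return {
        "scl": report_scl,
        "org_scl": org_scl,
        # Disagreement here is the kind of inconsistency the original post describes.
        "scl_consistent": org_scl is None or report_scl is None or org_scl == report_scl,
        "bcl": antispam.get("BCL"),
        "cat": report.get("CAT"),
        "sfv": report.get("SFV"),
        "ctry": report.get("CTRY"),
    }

if __name__ == "__main__":
    for key, val in antispam_summary(SAMPLE_MESSAGE).items():
        print(f"{key}: {val}")
```

Run it against a redacted .eml before posting so the SCL, BCL and CAT values are reported together.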