cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

email quarantine and reason "high confidence phish"

virtual-tech
Brass Contributor

‎May 08 2023 09:04 AM - last edited on ‎Nov 09 2023 11:09 AM by

‎May 08 2023 09:04 AM - last edited on ‎Nov 09 2023 11:09 AM by

email quarantine and reason "high confidence phish"

Hi
I started testing a phishing email campaign from an external vendor KnowBe4. The emails keep going to quarantine reason "high confidence phish" What is the best way to fix this?
I tried excluded the URL from Safe Links and added their sender IPs to O365 Tenant allow/block list.
Thank you in advanced. 
 

 

URL detonation.png

64.3K Views
0 Likes
4 Replies
Reply
4 Replies
eliekarkafy

‎May 08 2023 02:26 PM

‎May 08 2023 02:26 PM

Re: email quarantine and reason "high confidence phish"

@virtual-tech hi , from the Anti-Spam inbound policy you need to whitelist of the email or domain of the sender, check below 

eliekarkafy_0-1683581154022.png

 

Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

 

0 Likes
Reply
virtual-tech

‎May 08 2023 02:37 PM

‎May 08 2023 02:37 PM

Re: email quarantine and reason "high confidence phish"

I figured out the problem on the vendor website. I needed to add their IP and sender address to the Phishing Sumulation page.

Email & Collaboration section, navigate to Policies & Rules > Threat policies > Advanced delivery.On the Advanced delivery page, select the Phishing Simulation
1 Like
Reply
eliekarkafy

‎May 08 2023 10:57 PM

‎May 08 2023 10:57 PM

Re: email quarantine and reason "high confidence phish"

sorry, didn't notice that you're testing the simulation campaign phishing, then yes that where you can whitelist the vendor address.
0 Likes
Reply
ExMSW4319

‎May 12 2023 07:50 AM

‎May 12 2023 07:50 AM

Re: email quarantine and reason "high confidence phish"

It's a bit of a disgrace that when a security stack contains solutions from different vendors, they happily list each other's test resources as "threats" presumably because users report the test resources as malicious. Given that many of them are west coast US, I'm surprised that the US DHS does not knock heads together and say "you will co-operate".

I worked with KnowB4 a few years back and they definitely offer a support paper or two to help M365 admins exempt their senders and links. If you have a proxy or intelligent firewall, you will have to do the same things there.

If you are on evaluation, don't make the mistake of letting the reseller run the test for you. It's easy to focus on the test result and forget about the usability of the interface launching and measuring the simulated attack.
0 Likes
Reply