Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

email quarantine and reason "high confidence phish"

Brass Contributor
I started testing a phishing email campaign from an external vendor KnowBe4. The emails keep going to quarantine reason "high confidence phish" What is the best way to fix this?
I tried excluded the URL from Safe Links and added their sender IPs to O365 Tenant allow/block list.
Thank you in advanced. 


URL detonation.png

4 Replies

@virtual-tech hi , from the Anti-Spam inbound policy you need to whitelist of the email or domain of the sender, check below 



Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.


I figured out the problem on the vendor website. I needed to add their IP and sender address to the Phishing Sumulation page.

Email & Collaboration section, navigate to Policies & Rules > Threat policies > Advanced delivery.On the Advanced delivery page, select the Phishing Simulation
sorry, didn't notice that you're testing the simulation campaign phishing, then yes that where you can whitelist the vendor address.
It's a bit of a disgrace that when a security stack contains solutions from different vendors, they happily list each other's test resources as "threats" presumably because users report the test resources as malicious. Given that many of them are west coast US, I'm surprised that the US DHS does not knock heads together and say "you will co-operate".

I worked with KnowB4 a few years back and they definitely offer a support paper or two to help M365 admins exempt their senders and links. If you have a proxy or intelligent firewall, you will have to do the same things there.

If you are on evaluation, don't make the mistake of letting the reseller run the test for you. It's easy to focus on the test result and forget about the usability of the interface launching and measuring the simulated attack.