EOP or Defender for Office 365 not working as expected


Dear Security Team,

We try to test EOP & Defender for Office 365 by sending SPAM URLs on purpose in emails that I know are SPAM (a simple antispam in "EM Client"), so I forward them to an email address of an E5 developer tenant for test purposes.

Results: none of the 4 emails were detected with SPAM URLs.

We try, for two of them, to manually add them through the Threat Explorer, but even then it did not detect any issue (see attachment).

Is this due to the fact that they were 4 forwarded emails? Other reasons?

Thank you in advance for your reply.

Kind regards,

B.

1 Reply
Yes, a forwarded email may pass authentication checks such as SPF, DKIM, and DMARC because the new sender is legit. The one case where that may not be the case is the content inspection engine: if it finds substantial keywords in the body, then I would expect it to override the valid sender authentication records. So all that to say, try the testing without forwarding.
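
The following is an added example, not part of the thread: it reads the `Authentication-Results` header (RFC 8601) of a forwarded test message and shows that the SPF, DKIM and DMARC passes describe the forwarder's domain, not the original sender quoted in the body. The sample message, all domains and the function name `forwarded_auth_view` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a known-spam message forwarded from a tester's own mailbox.
SAMPLE = """\
Authentication-Results: mx.tenant.example; spf=pass smtp.mailfrom=tester.example;
 dkim=pass header.d=tester.example; dmarc=pass header.from=tester.example
From: Tester <b@tester.example>
To: lab@tenant.example
Subject: Fwd: You won a prize

---------- Forwarded message ----------
From: Promo <win@spam-source.example>
Subject: You won a prize

Claim here: http://spam-source.example/claim
"""

# One clause per method: result plus the identity that was actually evaluated.
METHOD_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(\w+)[^;]*?"
    r"\b(?:smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", re.I)

def domain_of(value):
    """Return the lower-cased domain of an address or bare domain."""
    return value.rsplit("@", 1)[-1].lower()

def forwarded_auth_view(raw):
    msg = message_from_string(raw)
    # Unfold the header so clauses split across lines parse the same way.
    results = " ".join(msg.get("Authentication-Results", "").split())
    checks = {m.lower(): (r.lower(), domain_of(d))
              for m, r, d in METHOD_RE.findall(results)}
    # Original sender as quoted inside the forwarded body, if present.
    quoted = re.search(r"^From:\s*(.+)$", msg.get_payload(), re.M)
    original = domain_of(parseaddr(quoted.group(1))[1]) if quoted else None
    passed = {dom for res, dom in checks.values() if res == "pass"}
    return {
        "checks": checks,
        "forwarder_domain": domain_of(parseaddr(msg.get("From", ""))[1]),
        "original_sender_domain": original,
        # True only if a passing check was evaluated against the original domain.
        "auth_describes_original": original in passed,
    }

if __name__ == "__main__":
    print(forwarded_auth_view(SAMPLE))
```

On the sample, every pass is tied to `tester.example`, so the authentication results carry no information about `spam-source.example`; only content inspection of the body ever sees that domain.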