Mar 21 2023 02:19 AM
Hi all. We have been using preset policies (standard and strict) for some time and were happy with the fact that they don't notify users of messages which have been quarantined (and nor is it possible to change the notification policy). However, quarantine notifications suddenly started turning up in users' mailboxes at the weekend.
Have Microsoft changed something or released an unplanned change? Hoping you can help clarify the situation.
Mar 21 2023 06:46 AM
@OzOscroft We're also seeing the same and wondered if Microsoft changed something.
Mar 21 2023 07:14 AM
@OzOscroft Our users have reported this too. My biggest concern is that a user may inadvertently release emails that have been correctly identified as phishing/malware and action them, making the quarantine system pointless.
Mar 24 2023 03:27 AM
@teetotal_mike @TV202 - thanks for confirming my suspicions that it's a change Microsoft have made, nothing we've done. For info., we first noticed it on Saturday 17th March, was this the same with you? We also think it's only affecting those covered by the strict preset policy rather than those on standard - is this your experience as well please?
For info., I've raised a ticket with Microsoft and will keep you posted.
Mar 24 2023 06:11 AM
@OzOscroft They seem to have started in the early hours of the 18th for us (UK time). Users on the standard policies are receiving the notifications here too, so it would appear to be a global issue.
Mar 24 2023 06:23 AM
@teetotal_mike the planned changes from Microsoft applied to both strict and standard policies.
(Updated) Exchange Online Protection: Bulk Filter (BCL) Improvements
MC467231 · Published Nov 15, 2022 · Last updated Feb 7, 2023
ADMIN IMPACT
FEATURE UPDATE
Message Summary
Updated February 7, 2023: We have updated the rollout timeline below. Thank you for your patience.
Exchange Online Protection (EOP) assigns a bulk complaint level (BCL) to inbound messages from bulk mailers. A higher BCL indicates a bulk message is less likely to be wanted by the user.
We are rolling out several changes in how we allocate BCL scores to messages to provide more accurate scoring and coverage for bulk messages. We are also updating the threshold for the strict policy from 4 to 5 to better align with the new scoring. In addition, customers using Microsoft Defender for Office P2 or customers with E5 licenses will be able to view the BCL score for a message in advanced hunting.
When this will happen:
We will begin rolling out in mid-November and expect to complete rollout by late April (previously January).
How this will affect your organization:
This change is expected to improve the handling of bulk messages within your organization and should not impact users. In the case of aggressive bulk settings where the threshold is 4 or less, this may result in wanted bulk messages being called bulk and it is recommended that such policies be reviewed.
What you need to do to prepare:
There is nothing you need to do; however, it is good practice to review your Antispam policies to ensure that you have an appropriate value for BCL, particularly if you have a threshold of 4 or less.
Mar 24 2023 08:21 AM
@OzOscroft The "Apply quarantine policy" option has changed from "AdminOnlyAccessPolicy" to "DefaultFullAccessWithNotificationPolicy" in the action section of your Anti-Phishing Policy:
NOTE: There are several of these dropdown boxes.
Mar 24 2023 09:32 PM
Solution
Mar 26 2023 03:40 AM
Mar 27 2023 02:56 AM
Thanks @WDebruyne . However, we're using the Strict and Standard preset policies which do not allow you to change (or even see) which quarantine policy is being applied. The only other policies in use are the default ones, but standard and strict take precedence so they wouldn't come into play (even so, I've checked the defaults and they're set to AdminOnlyAccessPolicy anyway). This is why I suspect Microsoft have changed the configuration of the notifications and there's nothing we can do about it.
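An added example, not part of the thread or of any poster's reply: since the portal hides the quarantine policy on preset policies, this PowerShell sketch reports each `*QuarantineTag` assignment on a set of threat policy objects and flags those whose quarantine policy has notifications enabled. The function name and the sample objects are constructed for illustration; the live-tenant lines assume the Exchange Online PowerShell module and that its cmdlets return the preset policies.

```powershell
# Added example: report quarantine policy assignments and whether they notify end users.
function Get-QuarantineTagReport {
    param(
        [Parameter(Mandatory)] [object[]] $ThreatPolicy,     # anti-phishing / anti-spam / anti-malware policy objects
        [Parameter(Mandatory)] [object[]] $QuarantinePolicy  # objects exposing Name and ESNEnabled
    )
    # Index quarantine policies by name: does this policy send end-user notifications?
    $notify = @{}
    foreach ($q in $QuarantinePolicy) { $notify[[string]$q.Name] = [bool]$q.ESNEnabled }

    foreach ($p in $ThreatPolicy) {
        # Each verdict carries its own "...QuarantineTag" property
        # (anti-malware policies use a plain "QuarantineTag").
        $p.PSObject.Properties |
            Where-Object { $_.Name -like '*QuarantineTag' -and $_.Value } |
            ForEach-Object {
                [pscustomobject]@{
                    Policy           = $p.Name
                    Setting          = $_.Name
                    QuarantinePolicy = [string]$_.Value
                    NotifiesUsers    = $notify[[string]$_.Value]  # $null if the policy name is unknown
                }
            }
    }
}

# Constructed sample objects (illustrative values, not real tenant output).
$sampleQuarantine = @(
    [pscustomobject]@{ Name = 'AdminOnlyAccessPolicy'; ESNEnabled = $false }
    [pscustomobject]@{ Name = 'DefaultFullAccessWithNotificationPolicy'; ESNEnabled = $true }
)
$sampleThreat = @(
    [pscustomobject]@{
        Name                      = 'Strict Preset Security Policy (sample)'
        SpoofQuarantineTag        = 'DefaultFullAccessWithNotificationPolicy'
        TargetedUserQuarantineTag = 'AdminOnlyAccessPolicy'
    }
)

# Show only the assignments that generate user notifications.
Get-QuarantineTagReport -ThreatPolicy $sampleThreat -QuarantinePolicy $sampleQuarantine |
    Where-Object NotifiesUsers | Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline:
# $threat = @(Get-AntiPhishPolicy) + @(Get-HostedContentFilterPolicy) + @(Get-MalwareFilterPolicy)
# Get-QuarantineTagReport -ThreatPolicy $threat -QuarantinePolicy (Get-QuarantinePolicy)
```

Running the report on a schedule and diffing the output is one way to notice a vendor-side change to these assignments before users do.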
Mar 27 2023 02:58 AM
Thanks @TV202 . The change you've highlighted is about how bulk messages are flagged and handled. It doesn't mention anything about changing notifications and even says there should be no impact on users. Unfortunately I therefore don't think this answers why users have suddenly started receiving quarantine notifications.
Mar 27 2023 03:07 AM
Thanks @alexhudish - that's the update we all seem to have missed! Not being able to configure this is terrible, but at least we know why the change has happened.
I'd encourage anyone who doesn't like this change to head to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter/:/messages/MC505088 and hit the Dislike button at the bottom!
Here's the main text (excluding the detailed table of changes) for info.:
------------------------
Updated March 22, 2023: We have updated the rollout timeline below. Thank you for your patience.
We are updating the recommended quarantine notification policy in the Standard and Strict preset security policies.
With the DefaultFullAccessWithNotificationPolicy, Users will receive quarantine notifications for emails quarantined due to the corresponding threat policy.
*Note that the Quarantine policy assigned here is ineffective since the delivery location is Junk folder
Here is what the quarantine notification looks like:
When this will happen:
We will begin rolling this out in mid-February 2023 and complete rolling out by mid-April 2023 (previously mid-March).
How this will affect your organization:
If your organization has enabled preset security policies, these will be automatically updated to include the quarantine notification policies (DefaultFullAccessWithNotificationPolicy) as listed in the above table for the standard and strict protection preset profiles.
What you need to do to prepare:
No action required. Please review the following links to learn more:
Mar 27 2023 09:48 AM
Hi all. As well as encouraging anyone who doesn't like this change to head to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter/:/messages/MC505088 and hit the Dislike button at the bottom, I've added a request in the feedback portal.
Please upvote if you think that Admins should be able to configure when users receive quarantine notifications:
Apr 10 2023 07:24 AM
@OzOscroft What is the reasoning behind making the default to allow users to release quarantined messages?
Is there no way to apply another notification policy when using Strict Protection?
In our env, we have a number of companies that designate one or two users to go through quarantine and release etc. This new policy undermines all of that.
Apr 20 2023 01:34 PM
Hi @tommyg845 - I've no idea why Microsoft have made this change. I agree that it's not a positive one and is increasing the risk of users releasing potentially malicious messages without appropriate due diligence. Here's hoping the feedback request to allow us to apply different notification policies gets enough upvotes and is heeded!
May 15 2023 07:50 AM
May 16 2023 10:53 PM
@mvalecruz @OzOscroft Thanks for reporting this. This change was only made for regular phishing emails. That bucket mostly contains emails which failed DMARC/spoof and as such can have some false positives. So, giving end user notifications will enable them to see potentially useful emails stuck in quarantine and release them. But I understand why some admins feel like this is a risk. We will look to address this soon. Just a quick check, would a policy which enables end user quarantine notifications but needs admin approval to release be an acceptable policy to you?
May 22 2023 06:30 AM
@nithinnara Thank you for your attention, we have a small company and came from a previous email system that was fully controlled by a white list. Our employees fully understand that the spam server is under admin control and know when to contact me when emails are expected and not reaching them.
Management here prefer not to get any notifications hitting their inbox. This is the way it has worked for many years.
Jun 08 2023 06:16 AM
This is a good solution.
Jul 04 2023 10:28 AM