Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Spam/Spoofed email received differently by 3 users

Iron Contributor

Hello experts... 


today, I had a user reported a spoofed email - the email looked like it was sent from an CEO (his full name, the email address was however completely different and was a address not our domain). The user received this email to his inbox directly.... and did not realize it was a spam/phish email at the first sight.


So.. I've started to have a look why it was delivered to the inbox as I would expect that email would be either in Junk or Quarantined. I've found out that two other users received the same email address just few seconds after the 1st one was delivered, however, for those two users it was actioned as "FilteredAsSpam" when I checked Mail Flow -> Message trace.   ..So it was identified as a SPAM this time and was delivered to JUNK folder.... good here then.


I've checked also the header of the one that was delivered to inbox and comparing to the one in Junk... and I saw that for the first one, the SCL = 1... and for the other 2 users, the SCL=5.


Also, when I check Defender -> Explorer, I see that:

  • for the 1st recipient:

    Latest Threats


    Latest delivery location

    Inbox folder

    Detection technology


    Delivery action

  • for the other 2 recipients:

    Latest Threats

    Phish / Normal

    Latest delivery location

    Junk Email folder

    Detection technology

    Mailbox intelligence impersonation

    Delivery action

    Delivered to junk


Now, my question would be - why the 1st email was delivered to Inbox and the same email sent to two other users (just few seconds later) was then delivered to Junk (as I would expect also for the 1st user) . Why for the 1st recipient the SCL was 1 and for other two few seconds later SCL was 5 if it is the same email same sender.


Btw, I have added CEOs to "impersonated" user list so it hopefully helps next time?


1 Reply

The Exchange Online engine really is that adaptive - some of the time.

If you mean user impersonation protection in your anti-phishing policy then yes, I recently turned it on for one of my frequent targets and it may have helped - the rate of attacks fluctuates so much anyway that it is hard to tell. If you mean mailbox intelligence for impersonation then watch the feature for a bit to ensure it is not going rogue. The agent tends to view any instance of vip.user at freemail.tld as a spoof of vip.user at your-tenant.tld, even though both accounts may really belong to VIP user. Adding vip.user at freemail.tld to the trusted senders in the same policy generally fixes that, if you don't mind the risks of vip.user at freemail.tld being spoofed or hacked.