Are you sure they are quarantined as phish, it might be the anti-spoof policy or some other feature. Looking at the headers or a message trace should give you more info.

For the record, here are the PCL levels:

|PCL|The Phishing Confidence Level (PCL) of the message, which indicates whether it's a phishing message. This status can be returned as one of the following numerical values:
• **0-3**: The message's content isn't likely to be phishing.
• **4-8**: The message's content is likely to be phishing.
• **-9990**: (Exchange Online Protection only) The message's content is likely to be phishing.

Hi @Raechel Moermond!

A few things of note here that may shed light:

1. The Anti-Phish policy is evaluated before the Anti-Spam policy. As such, if a message triggers a match on the Anti-Phish policy, users' whitelists and org-wide whitelists in an Anti-Spam policy won't take effect. 

2. Since you have an E3 license, but not ATP (I'm assuming you don't have ATP?), the Anti-Phish policy is actually only an "Anti-Spoof" policy. What that means is that Spoof Intelligence kicks in and uses various signals in the message to determine if its allowed to spoof or not. Sender authentication failure is a big one. You can use the Get-PhishFilterPolicy command to pull the Spoof Intelligence results and then use Set-PhishFilterPolicy to adjust them for your org.

So if you see emails going to quarantine that shouldn't because of the Anti-Phish policy (*hint - check the X-Forefront-Antispam-Report header for two clues to see if the Anti-Phish policy took effect - a) SCL of 5 or 9, usually 5, and b) CAT:SPOOF at the end of the header), use the Set-PhishFilterPolicy to set the Allowed to spoof setting to "Yes".

Hope that helps!!