SOLVED

Exchange Rule Flow exception not working

%3CLINGO-SUB%20id%3D%22lingo-sub-2376016%22%20slang%3D%22en-US%22%3EExchange%20Rule%20Flow%20exception%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2376016%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EI'm%20relatively%20new%20to%20all%20of%20this.%20Recently%2C%20we've%20had%20an%20influx%20of%20phishing%20attempts%20where%20a%20random%20third%20party%20email%20with%20the%20display%20name%20of%20a%20particular%20co-worker%20will%20prompt%20new%20hires%20to%20send%20personal%20info.%20Warning%20new%20employees%20and%20prepending%20warnings%20into%20the%20subject%20and%20body%20hasn't%20stopped%20them%20from%20responding%20to%20the%20phishing%20attempts%2C%20so%20I%20started%20to%20route%20any%20external%20email%20with%20that%20display%20name%20to%20myself%20where%20I%20can%20look%20at%20them%20and%20forward%20them%20on%20if%20they%20are%20legit.%20I've%20created%20some%20exceptions%20where%20we%20use%20a%20site%20that%20will%20send%20something%20on%20their%20behalf%20(such%20as%20asking%20to%20sign%20a%20document%2C%20etc)%2C%20but%20the%20exceptions%20don't%20get%20honored%2C%20and%20they%20still%20all%20get%20routed%20to%20me.%20Does%20anyone%20have%20any%20idea%20why%20the%20exceptions%20aren't%20working%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAttached%20below%20is%20a%20screenshot%20of%20the%20setup.%20Thanks%20for%20any%20insight%20you%20may%20have!%3CBR%20%2F%3EBryan%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screen-Shot-2021-05-21-at-9.42.24-AM.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F282674iD39EA3C5DC82B31B%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Screen-Shot-2021-05-21-at-9.42.24-AM.png%22%20alt%3D%22Screen-Shot-2021-05-21-at-9.42.24-AM.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2376016%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2376324%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Rule%20Flow%20exception%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2376324%22%20slang%3D%22en-US%22%3EI%20would%20suggest%20using%20the%20same%20type%20of%20condition%20for%20both%20the%20match%20and%20don't%20match%20logic%2C%20and%20also%20make%20sure%20that%20the%20%22Match%20sender%20address%20in%20message%3A%22%20option%20is%20set%20to%20Header%20and%20Envelope.%20You%20can%20also%20enable%20auditing%20on%20the%20rule%20and%20run%20some%20message%20traces%20to%20see%20what's%20happening.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2404635%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Rule%20Flow%20exception%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2404635%22%20slang%3D%22en-US%22%3EThanks%20for%20your%20response%20Vasil!%3CBR%20%2F%3EUpdating%20the%20%22Match%20sender%20address%20in%20message%3A%22%20from%20Envelope%20to%20both%20Header%20and%20Envelope%20seems%20to%20have%20been%20the%20fix.%3C%2FLINGO-BODY%3E
New Contributor

Hi everyone,

I'm relatively new to all of this. Recently, we've had an influx of phishing attempts where a random third party email with the display name of a particular co-worker will prompt new hires to send personal info. Warning new employees and prepending warnings into the subject and body hasn't stopped them from responding to the phishing attempts, so I started to route any external email with that display name to myself where I can look at them and forward them on if they are legit. I've created some exceptions where we use a site that will send something on their behalf (such as asking to sign a document, etc), but the exceptions don't get honored, and they still all get routed to me. Does anyone have any idea why the exceptions aren't working?

 

Attached below is a screenshot of the setup. Thanks for any insight you may have!
Bryan

Screen-Shot-2021-05-21-at-9.42.24-AM.png

2 Replies
best response confirmed by bryan-butler (New Contributor)
Solution
I would suggest using the same type of condition for both the match and don't match logic, and also make sure that the "Match sender address in message:" option is set to Header and Envelope. You can also enable auditing on the rule and run some message traces to see what's happening.
Thanks for your response Vasil!
Updating the "Match sender address in message:" from Envelope to both Header and Envelope seems to have been the fix.