Office 365 Threat Intelligence - PHISH emails getting delivered


Hey folks,

I need further enlightenment in order to understand why Office 365 Threat Intelligence is allowing email that was identified as "PHISH" by the detection technology to be delivered.

There's something here that might be the justification for this behavior:

https://docs.microsoft.com/en-us/office365/securitycompliance/investigate-malicious-email-that-was-d...

"[...] there are times when an attacker could send mail to your users containing a URL and only later on make that URL point to malicious content (malware, etc.) [...]"

Is this the sole reason why around 300 emails apparently classified as PHISH were delivered in one of my managed tenants?

Thanks.

4 Replies

What do the message headers show?

Hi Vasil,

The messages were bumping between both internal and external recipients.

Can't get a hold of a header right now.

The real question is: if these emails were marked as phish, why did they get delivered in the first place?

Thanks.

Hi Ivan,

We have a similar problem.

In our case a user put order@amazon.de on his allowed sender list via Outlook > Junk > Never Block Sender.

The phishing mail spoofed the address order@amazon.de but clearly came from a different source, as the header implied, and this was recognized by threat protection. The user's allowed sender list overrode the phishing rule.

Microsoft writes in this article:

"However, as currently implemented by Office 365, they are vulnerable to spoofing because they are simple string matches. Fortunately, as per above, we are making a change to not respect a user's safe sender if it fails authentication. Our recommendation is for users to add to safe senders when they want to receive email from someone specific."

That was in 2017:

https://blogs.msdn.microsoft.com/tzink/2017/11/29/how-to-securely-add-a-sender-to-an-allow-list-in-o...

That might be a lead in your case, too?!

Kind regards

André

Hi mate,

Seems interesting, but I don't think it's the same situation, because in my case the emails were from distinct senders and recipients, including internal domain senders and recipients.

I'm just curious as to why Threat Intelligence is able to track something malicious within an email but still allow said email to be delivered!

Thanks!
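Vasil's question ("What do the message headers show?") and André's safe-sender explanation both come down to reading the same Exchange Online Protection headers side by side: the category verdict (CAT:) and SCL say what the filter thought, while the spam filtering verdict (SFV:) says whether that verdict was applied or overridden, and the composite authentication result (compauth) says whether the sender was spoofed. The script below is an added example, not code from the original thread or from Microsoft. It parses a constructed header set (the addresses, connecting IP, hostnames and SFS IDs are made up) modelled on André's case, and reports a safe-sender override (SFV:SFE) next to a CAT:PHSH verdict. The field meanings in the comments follow the documented X-Forefront-Antispam-Report syntax; that a real override message carries CAT:PHSH together with SFV:SFE is an assumption of the sample, not something the thread confirms.

```python
"""Triage why a message with a phish verdict was still delivered.
Added example: reads EOP headers and shows the category verdict next to
the filtering verdict (SFV) and composite authentication (compauth)."""
import email

# Field meanings follow the documented X-Forefront-Antispam-Report syntax:
#   CAT  category: PHSH = phish, HPHSH = high confidence phish, SPM = spam
#   SFV  spam filtering verdict; the values below mean filtering was
#        skipped or overridden rather than applied;  CIP = connecting IP
SFV_OVERRIDES = {
    "SFE": "user's Safe Senders list (Outlook > Junk > Never Block Sender)",
    "SKA": "tenant allowed sender / allowed domain list",
    "SKS": "mail flow (transport) rule set the SCL",
    "SKI": "intra-organization message, content filtering skipped",
}
PHISH_CATEGORIES = {"PHSH", "HPHSH"}

# Constructed sample, not a real capture: addresses, IP, hostnames and SFS
# IDs are made up. It models the thread's case: display address
# order@amazon.de, SPF/DMARC fail, phish category, but SFV:SFE because the
# recipient had put the address on his Safe Senders list (assumption).
SAMPLE_HEADERS = """\
From: "Amazon.de" <order@amazon.de>
To: someone@contoso.example
Subject: Ihre Bestellung 123-4567890
Authentication-Results: spf=fail (sender IP is 198.51.100.23)
 smtp.mailfrom=amazon.de; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=amazon.de; compauth=fail reason=001
X-Forefront-Antispam-Report: CIP:198.51.100.23;CTRY:XX;LANG:de;SCL:-1;
 SRV:;IPV:NLI;SFV:SFE;H:mail.example.invalid;PTR:;CAT:PHSH;
 SFS:(1234567890)(0987654321);DIR:INB;
X-MS-Exchange-Organization-SCL: -1
"""

def parse_antispam_report(value: str) -> dict:
    """Turn 'CIP:...;CAT:PHSH;SFV:SFE;...' into a {field: value} dict."""
    report = {}
    for field in value.replace("\r", "").replace("\n", "").split(";"):
        key, sep, val = field.partition(":")
        if sep:
            report[key.strip().upper()] = val.strip()
    return report

def parse_compauth(auth_results: str) -> tuple:
    """Return (compauth result, reason code) from Authentication-Results."""
    result, reason = None, None
    for token in auth_results.split():
        token = token.rstrip(";")
        if token.startswith("compauth="):
            result = token.split("=", 1)[1]
        elif result is not None and reason is None and token.startswith("reason="):
            reason = token.split("=", 1)[1]
    return result, reason

def triage(raw_headers: str) -> dict:
    """Summarise verdict vs. delivery decision for one message's headers."""
    msg = email.message_from_string(raw_headers)
    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report", ""))
    compauth, reason = parse_compauth(msg.get("Authentication-Results", ""))
    category = report.get("CAT", "NONE")
    sfv = report.get("SFV", "")
    phish_verdict = category in PHISH_CATEGORIES
    override = SFV_OVERRIDES.get(sfv)
    return {
        "from": msg.get("From"),
        "connecting_ip": report.get("CIP"),
        "category": category,
        "scl": msg.get("X-MS-Exchange-Organization-SCL", report.get("SCL")),
        "sfv": sfv,
        "compauth": compauth,
        "compauth_reason": reason,
        "phish_verdict": phish_verdict,
        "override": override,
        "delivered_despite_phish": phish_verdict and override is not None,
    }

def explain(result: dict) -> str:
    """One-line reading of the triage result for a ticket or report."""
    if result["delivered_despite_phish"]:
        return (f"CAT:{result['category']} but SFV:{result['sfv']} "
                f"(override: {result['override']}); compauth="
                f"{result['compauth']} reason={result['compauth_reason']}. "
                "The override, not the verdict, decided delivery.")
    if result["phish_verdict"]:
        return f"CAT:{result['category']}, SFV:{result['sfv']}: no override seen."
    return f"No phish verdict (CAT:{result['category']})."

if __name__ == "__main__":
    summary = triage(SAMPLE_HEADERS)
    for key, value in summary.items():
        print(f"{key:>24}: {value}")
    print(explain(summary))
```

To use it on a real case, replace SAMPLE_HEADERS with the Internet headers copied from the message's properties in Outlook and compare the CAT:, SFV: and compauth fields for a handful of the delivered messages: if SFV shows an override value the delivery was a list or rule decision rather than a filter decision, and if it does not, the answer lies elsewhere (for example the later-weaponised URL case quoted in the opening post).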