Office365 ATP - Phishing - Many false positives

Hi,

We are having many mails marked as phishing that just are not. It would not be that bad if these emails showed up in the quarantine report and the users could release them.

But the mails do not show up in the report, nor can the users release them.

As we cannot tell an Exchange admin "it is your job now to check for false positives all day", and I did not find that many threads about it, I wonder if there is something wrong with our configuration.

The level for detection is 0. The least aggressive.

Best regards 

Stephan

4 Replies
We opened a ticket at Microsoft to further investigate our problem(s).

We ended up assigning one Exchange Admin to this task as Microsoft could not help us.

I believed that the spam filter would be better than the one in our Sophos UTM, but in the end it results in much more manual work than before.

@Stephan G 

Hi Stephan,

We have been experiencing the exact same problems for the last 4 days. We have opened a ticket with MS, but so far nothing.

Did you ever get this resolved?

Best regards,

Joacim

@Joacim10 Hello Joacim, so are we. But it's only messages from one domain, and almost all get stuck in the quarantine (legitimate ones also get SCL 9), as that particular domain has been flagged by Microsoft. I have a ticket raised, but it's not proceeding well, so I have engaged our assigned incident manager and service manager and am waiting for a response.