OriginalFromAddress is different, yet ATP not blocking

Occasional Visitor

Hi Guys,

we got a phishing attempt sent from someone.

the header analyzing shows that the OriginalFromAddress is different.

is there a way to block emails where the OriginalFromAddress is diferent than the From?


here's the data example:


<root><MEP Name="SourceContext" String="0xxxx"/><MEP Name="MailboxServer" String="xxx.eurprd04.prod.outlook.com"/><MEP Name="DeliveryPriority" String="Normal"/><MEP Name="TotalLatency"
Integer="3"/><MEP Name="ReturnPath" String="email address removed for privacy reasons"/><MEP Name="ClientName" String="xxx.eurprd04.prod.outlook.com"/><MEP Name="CustomData"
Blob="S:PrioritizationReason=EnvelopePriority;S:OriginalFromAddress=email address removed for privacy reasons"/><MEP Name="SequenceNumber" Long="0"/><MEP Name="RecipientReference" String=""/></root>

1 Reply
Hi bennybarak,

This article explains one way to address this issue.

Please note the guidance in the document - "While you can use organization-wide block settings to address false negatives (missed spam), you should also submit those messages to Microsoft for analysis. Managing false negatives by using block lists significantly increases your administrative overhead."

This link explains the process for reporting false negatives to Microsoft.

Hope this helps. Thanks, Ash