SOLVED

Outgoing emails marked as SPAM and Phishing emails by O365 servers


Hi,

Since yesterday, all outgoing emails from our organization using Office365 (fully cloud) are being flagged as either spam or phishing email by Microsoft Outbound email servers. Due to this, our Office365 user accounts are getting blocked every hour. We tried contacting Office365 support but they said they cannot help on outbound email spam settings as they do not have any control over the configurations. I spent more than an hour on the phone with the support person and at the end was asked to send 5 sample emails to not_junk@office365microsoft.com and wait for 48 hours. I told O365 support that each user who is blocked sends around 100 emails, all of which are getting flagged as either spam or phishing email, so sending random samples will not help. No spam or phishing filter settings have been changed for months now, so I can only think of some backend updates done by the O365 team for tightening the spam filters.

I am not sure whom to contact or escalate this case to now, so I am posting it in this group in the hope that someone who has experienced the same might help. Any help to resolve this issue will be much appreciated as our users are unable to send emails.

Thanks.

33 Replies

@EmailIssues 

 

Yes, you need to keep calling them. They have access to remove the domain name from their internal list. We just got this completed by their support.

@Jordan160 

 

Unfortunately we have not been so lucky. Dozens of calls and we are still down. No one at Microsoft seems to care. 

 

Do you happen to have a MS description of what they did to resolve your issue or a ticket # I can share with support?

 

I could maybe understand this runaround if this was a small company, but they have nearly 100 users. I cannot believe the lack of support we are getting.

@EmailIssues 

 

I'm sorry to hear that. You have to be persistent and point them to this post and ask for an escalation.

 

Unfortunately, I am unable to provide the ticket number due to the privacy of the client. However, this is what was communicated by the person who got ahold of someone at Microsoft after 8 hours of total time with their support staff. They also had to make sure they had the appropriate SPF/DKIM/DMARC records in-place before they would even consider looking further.

 

Basically, there are third-party lists that scan sites looking for phishing stuff, and they had found the domain name to be a part of that.

 

They are working on clearing off the domain from those lists, and while that’s being done Microsoft is clearing the domain from the watchlist at the moment.


It should take a couple of hours for it all to propagate and take effect, and he will be calling me when it’s all done.


 

@Jordan160 

 

Thanks Jordan. We have several tickets open, two of which have been escalated. We provided the link to this thread with no luck. We have ~30 hours into this client and MS support now.

 

Seems like your luck is better than ours lol. I will keep my fingers crossed that the description provided helps but it's pretty much what we already told them.

 

@EmailIssues 

 

That really sucks, trying to get past the first line of support is the hardest.

 

As long as you have the headers stating the category, it should be pretty straightforward to resolve. It's just trying to get someone from support who actually understands what needs to happen or have them escalate it to someone that knows.

I'm going to post this resolution to Reddit just in case MS decides to lock this thread or delete it.

It's a shame that support can't understand their own technology stack to identify an issue and provide some sort of resolution. This type of process resolution has been in place with other vendors like PaloAlto, Fortinet and Sophos for years.

@Jordan160 

 

Update: They finally did it!

 

Here is the text from MS if anyone needs it to point support in the right direction. 

Hi ****,

 

Hope all is well. My name is *** from Office 365 Next Team,

We received an escalation request with regards to your issue on spam emails. After further investigation www[.]**********[.]com was listed as a phish URL, it appears the site may have at one time been compromised but is no longer. We have properly delisted it. Can you please check if your emails are still ending into spam/junk folder?

Thank you,

 

***

Office 365 Next Team

Wow. This seems scary. You should not have had to go through all this before finally getting this fixed. Glad it all got figured out though.

@EmailIssues 

I'm having this issue with three of my personal MSFT email accounts, not through O365. I can receive emails but all my sent emails are being returned by the protection.outlook.com server. It won't even let me send an email to myself. Weird thing is that I can send emails from the same accounts on my phone.

Any thoughts on who I can contact, or do I just assume this is a bigger problem and hope it works itself out? Thank you.

I've been through this two times now.

 

Every email containing my domain was marked as high confidence spam on every O365 tenant I know. On my own, as well as on customers. Even at the bare minimum, a plain text email containing just "myDomain.org" was marked as spam. 

 

I knew about some spam incident involving our domain as an email sender from non-O365 servers that fits around the starting time of the issue at the first occurrence. For the second incident there is no related event known to me.

 

Both times I have been on the hotline for hours with supporters who were honestly friendly and trying their best but tried everything to not move my ticket to second level support. They stuck to their checklist and did not really take care of my mentions. E.g. he tried 'https://www.myDomain.org' a thousand times in mail rules and stuff, even though I showed him dozens of times that 'myDomain.org' was sufficient.

 

Both times it seemed to resolve itself after roughly 7 days, which makes me think their internal filters drop after one week. Support guy told me that they were working hard on my ticket and someone fixed it...

After the supporter saw the issue resolved itself the ticket was closed. Definitely not satisfying.

 

There is some panel the support guy pointed me towards: https://protection.office.com/reportsubmission where you can submit URLs that should not be marked as spam. If this is any good? Idk. 

 

Not sure if this has already been posted here, but another good link I found about this:

https://www.reddit.com/r/Office365/comments/ev98sd/an_issue_with_a_microsoft_office_365_customers/

 

So I am sitting here, waiting for the next time this starts to happen...

@MaxWinterstein I made that Reddit post. It's a shame Microsoft doesn't have a means to resolve the issue you're facing. When an organization gets so big, really difficult issues like this seem to slip through the cracks.

Our organization is having this issue with incoming and outgoing mail. I have had our users remove the weblink from their signature line, after speaking with a Microsoft Tech, and mail is flowing out from us without being rejected now.
Today, we have started to see that all mail, with any type of link in it, is going into our Junk Folders. Both internal and external.

Our organization is also experiencing the same exact issues with legitimate / wanted emails that our clients are expecting. These emails are being quarantined / sent to spam, or even rejected in some cases, specifically by Microsoft 365 / Outlook receiving servers.

We've been thoroughly testing and it appears to be specific to our domain and not related to our email sending platforms or IPs. This issue has been persisting across our entire organization for the last 6 weeks. Our DKIM / SPF records are all set up correctly. We're using Dmarcian, HetrixTools to monitor / confirm our DNS settings. And we've also had two email deliverability consultants check our domain settings and confirm that they believe this is an internal false flag on Microsoft's side.

After speaking with numerous Microsoft support staff, we've finally made contact with an escalation team and have provided them with email samples of quarantined / rejected emails, which are all wanted by our clients. This issue is severely impacting our business, as our clients are unable to receive emails / work product for which they have already paid.

I'm hoping that someone from Microsoft's Team can kindly escalate this issue and advise us on next steps to delist our domain from their internal blacklists.

Just to throw in that this seems to still be an issue. It seemed to happen the day before, but the next day we were spoofed. Since then all our outbound emails have been tagged as SCL9. Due to this, all replies or emails sent to our domain go to quarantine.

We had an SPF and DMARC, and have added a DKIM, but two weeks later it still doesn't work.

Microsoft said they sent it to their backend team, which I am told is their program development group who doesn't have any sort of SLA so it is a whenever they get around to looking at it.

Today we finally got Microsoft to escalate it to Tier 2 Exchange. Their Tier 1 was refusing because they said Tier 2 would have to wait for results from the backend group also.

They mentioned that they were seeing that our inbound spam policy was marking everything as spam, which got the no duh because they are coming in as high confidence spam already in the header.
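
Several replies above refer to "headers stating the category" and to mail stamped SCL9 / high confidence spam in the header. As an added example (not part of the thread and not Microsoft's code), this Python script pulls the SCL, category and direction out of a message's `X-Forefront-Antispam-Report` header so they can be quoted in a support ticket. The sample message is constructed with placeholder addresses, and the field meanings are taken from Microsoft's published anti-spam message header documentation.

```python
import email
from email import policy

# Constructed sample message (addresses, IP and hostnames are placeholders).
SAMPLE = """\
From: user@example.org
To: client@example.net
Subject: Quarterly report
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;LANG:en;SCL:9;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.org;PTR:mail.example.org;CAT:HSPM;DIR:INB;

See https://www.example.org for details.
"""

# CAT values and meanings as documented for the anti-spam message headers.
CATEGORIES = {
    "NONE": "clean", "SPM": "spam", "HSPM": "high confidence spam",
    "PHSH": "phishing", "HPHISH": "high confidence phishing",
    "HPHSH": "high confidence phishing", "SPOOF": "spoofing",
    "BULK": "bulk", "OSPM": "outbound spam",
}

def parse_report(raw_message):
    """Return the key:value fields of X-Forefront-Antispam-Report as a dict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header = str(msg.get("X-Forefront-Antispam-Report", ""))
    fields = {}
    for item in header.split(";"):
        # Split on the first colon only, so an IPv6 CIP value stays intact.
        key, sep, value = item.strip().partition(":")
        if sep:
            fields[key.upper()] = value.strip()
    return fields

def scl_verdict(scl):
    """Map a spam confidence level to the documented filtering verdict."""
    if scl is None:
        return "no SCL stamped"
    if scl == -1:
        return "skipped spam filtering"
    if scl in (0, 1):
        return "not spam"
    if scl in (5, 6):
        return "spam"
    if scl in (8, 9):
        return "high confidence spam"
    return "value not set by spam filtering"

def summarize(raw_message):
    """Collect the values support needs: SCL, verdict, category, direction."""
    fields = parse_report(raw_message)
    try:
        scl = int(fields["SCL"])
    except (KeyError, ValueError):
        scl = None
    cat = fields.get("CAT")
    return {"scl": scl, "verdict": scl_verdict(scl), "category": cat,
            "meaning": CATEGORIES.get(cat, "unknown"), "direction": fields.get("DIR")}
```

Calling `summarize()` on the raw source of a quarantined or junked message (saved as text from the mail client) gives the values to paste into the ticket.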