04-10-2019 08:51 AM
Since yesterday, all outgoing emails from our organization using Office365 (fully cloud) are being flagged as either spam or phishing email by Microsoft Outbound email servers. Due to this our Office365 user accounts are getting blocked every hour. We tried contacting Office365 support but they said they cannot help on outbound email spam settings as they do not have any control over the configurations. I spent more than an hour on the phone with the support person and at the end was asked to send 5 sample emails to email@example.com and wait for 48 hours. I told O365 support that each user who is blocked sends around 100 emails of which all of them are getting flagged as either spam or phishing email, so sending random samples will not help. No spam or phishing filter settings have been changed for months now so I can only think of some backend updates done by O365 team for tightening the spam filters.
I am not sure whom to contact or escalate this case now so I am posting it in this group to everyone expecting someone who might have experienced the same might help. Any help to resolve this issue will be much appreciated as our users are unable to send emails.
04-10-2019 10:42 AM
The issue seems quite strange. How did you know that MS Outbound servers are marking your emails as Spam? Secondly, I hope your domain is still able to send emails to other domains; if yes, could you share a message header so that I can analyze it?
04-10-2019 11:13 AM
Hi @Robin Nishad,
We have edited the default Outgoing Spam rule to copy messages flagged as spam to one of our internal email addresses. I have pasted the header from one such email (apparently we receive almost every outgoing email now) as requested. As you will notice, the Spam Confidence Level is set to 5 by Microsoft and the Phishing Level to 8 for this outgoing email from Office365. We do even have 2FA enabled for most users and never had any issue till yesterday.
Received: from AM6PR0602MB3589.eurprd06.prod.outlook.com
(2603:10a6:208:aa::49) by AM0PR0602MB3585.eurprd06.prod.outlook.com with
HTTPS via AM0PR06CA0072.EURPRD06.PROD.OUTLOOK.COM; Wed, 10 Apr 2019 17:13:40
Received: from VI1PR0601CA0005.eurprd06.prod.outlook.com
(2603:10a6:800:1e::15) by AM6PR0602MB3589.eurprd06.prod.outlook.com
(2603:10a6:209:e::26) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.19; Wed, 10 Apr
2019 17:13:39 +0000
Received: from VE1EUR01FT025.eop-EUR01.prod.protection.outlook.com
(2a01:111:f400:7e01::209) by VI1PR0601CA0005.outlook.office365.com
(2603:10a6:800:1e::15) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1792.14 via Frontend
Transport; Wed, 10 Apr 2019 17:13:39 +0000
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (126.96.36.199)
by VE1EUR01FT025.mail.protection.outlook.com (10.152.2.232) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:13:38 +0000
Received: from DB5EUR01FT040.eop-EUR01.prod.protection.outlook.com
(10.152.4.56) by DB5EUR01TH003.eop-EUR01.prod.protection.outlook.com
(10.152.4.138) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1750.16; Wed, 10 Apr
2019 17:10:53 +0000
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (188.8.131.52)
by DB5EUR01FT040.mail.protection.outlook.com (10.152.5.25) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1771.16 via Frontend Transport; Wed, 10 Apr 2019 17:10:53 +0000
Authentication-Results: spf=none (sender IP is )
Received: from AM0PR0602MB3554.eurprd06.prod.outlook.com (184.108.40.206) by
AM0PR0602MB3523.eurprd06.prod.outlook.com (220.127.116.11) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1792.14; Wed, 10 Apr 2019 17:10:45 +0000
Received: from AM0PR0602MB3554.eurprd06.prod.outlook.com
([fe80::9162:6e5e:65c1:9944]) by AM0PR0602MB3554.eurprd06.prod.outlook.com
([fe80::9162:6e5e:65c1:9944%6]) with mapi id 15.20.1771.014; Wed, 10 Apr 2019
Content-Type: application/ms-tnef; name="winmail.dat"
From: Anna Mandia <firstname.lastname@example.org>
To: Calum Berkley <email@example.com>, "firstname.lastname@example.org"
<email@example.com>, IBIS Abu Dhabi Gate FO3 <H6949-FO3@accor.com>,
NOVOTEL Abu Dhabi Gate RE1 <H6948-RE1@accor.com>
CC: Paula Cercel <firstname.lastname@example.org>, William Escondo
<email@example.com>, Amit Dagar <firstname.lastname@example.org>
Subject: FW: Calum Berkley/Sharqi/12 Apr [Email Ref. #1457448]
Thread-Topic: Calum Berkley/Sharqi/12 Apr [Email Ref. #1457448]
Date: Wed, 10 Apr 2019 17:10:44 +0000
Accept-Language: en-GB, en-US
X-MS-Exchange-Organization-ExpirationStartTime: 10 Apr 2019 17:10:45.0518
Received-SPF: None (protection.outlook.com: gmsuae.com does not designate
permitted sender hosts)
X-MS-Exchange-Organization-ACSExecutionContext: 04/10/2019 17:10:53;04/10/2019
04-10-2019 12:05 PM
I noticed in the Message Header -
Received-SPF: None (protection.outlook.com: gmsuae.com does not designate permitted sender hosts)
So would suggest to check if the sender domain is added in the allowed domain settings in Security and Compliance center.
1. Sign in to O365 Admin Portal
2. Navigate to Security & Compliance center > Threat management > Policy.
3. Find Anti-spam, open it. Expand Allow lists. Add the sender’s domain to the Allow domain setting.
04-10-2019 12:40 PM
Hi @Robin Nishad,
Thanks for the suggestion. We already have the domain added in the Allow list of Anti-Spam policy.
Could it be that the domain is showing as SPF not designated because it is still an internal email within Office365 servers?
04-10-2019 12:52 PM
If the Domain is added in the Allow list, then I would suggest to submit the message to MS and let them know that it is not Spam. I know & understand that you are already working with MS on this; however, I would like you to refer to the steps given in the below article.
(Submit messages that were tagged as junk but should have been allowed through)
Secondly the proof that MS Servers are marking your email as Spam is that in the header - Anti Spam Report - It has SFV-SPM that means the email is marked as Spam because of the EOP Spam filters.
Moreover, do check if the emails that you are sending have any HTML Signatures or they are simple text.
04-11-2019 11:35 AM - edited 04-11-2019 11:55 AM
@ALV_Work We got exactly the same problem yesterday, I opened a ticket but Microsoft seems to have no clue about what happened.
We worked on it a while and this is what we could figure out about our case :
- It started around 7am CET and ended around 8pm CET
- It has nothing to do with SPF or whatever
- EOP was giving a SFV:SPM SCL:5 to outbound emails ONLY IF they were replies or forwards to external email addresses, so they were using the High Risk Delivery Pool and we were getting a BCC in our IT mailbox as our Outbound spam Policy specifies it. I can see in your header that it was the same for you : DIR:OUT;SFP:1501;SCL:5
- When an external person was answering one of these emails they were coming back with SFV:SPM and CAT:PHSH, so we got PLENTY of emails yesterday ending up in junk folder
- Every Outbound Spam BCC in our IT mailbox arrived twice, the second time with a huge delay (6+ hours), and message stayed in "Getting Status" for very long time in traces, maybe because they were going through the High Risk Pool.
We didn't make any changes in our SPF or policies, it just randomly happened and ended.
I'm still waiting for an explanation from Microsoft.
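Added example (not part of any post in this thread, and not Microsoft code): a short Python triage script that parses the `X-Forefront-Antispam-Report` header and tallies verdicts by whether the message is a reply/forward, the pattern described in the post above. The sample messages are constructed, and treating SCL 5 or higher as spam is an assumption taken from the values quoted in the thread.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages (not taken from the thread); only headers matter.
RAW_MESSAGES = [
    "Subject: RE: Booking 12 Apr\n"
    "X-Forefront-Antispam-Report: CIP:192.0.2.10;SFV:SPM;DIR:OUT;SFP:1501;SCL:5\n\nbody\n",
    "Subject: FW: Invoice\n"  # header below is folded across two lines
    "X-Forefront-Antispam-Report: SFV:SPM;DIR:OUT;\n SFP:1501;SCL:5\n\nbody\n",
    "Subject: New quotation\n"
    "X-Forefront-Antispam-Report: SFV:NSPM;DIR:OUT;SCL:1\n\nbody\n",
    "Subject: Re: Booking 12 Apr\n"
    "X-Forefront-Antispam-Report: SFV:SPM;CAT:PHSH;DIR:INB;SCL:5\n\nbody\n",
]

def parse_report(msg):
    """Split X-Forefront-Antispam-Report into a {FIELD: value} dict."""
    raw = " ".join(msg.get("X-Forefront-Antispam-Report", "").split())  # unfold
    fields = {}
    for part in raw.split(";"):
        # Split on the first ':' only, since values (e.g. IPv6 in CIP) may contain ':'.
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key.upper()] = value.strip()
    return fields

def verdict(fields):
    """Classify one message; the SCL >= 5 threshold is an assumption."""
    scl = fields.get("SCL", "")
    spam = fields.get("SFV") == "SPM" or (scl.isdigit() and int(scl) >= 5)
    if fields.get("DIR") == "OUT" and spam:
        return "outbound-spam"
    if fields.get("CAT") in ("PHSH", "HPHISH"):
        return "phish"
    return "spam" if spam else "clean"

def kind(msg):
    """Reply/forward detection from the Subject prefix."""
    is_reply = re.match(r"\s*(re|fw|fwd)\s*:", msg.get("Subject", ""), re.I)
    return "reply/forward" if is_reply else "new"

def summarize(raw_messages):
    """Count messages per (verdict, kind) pair."""
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        counts[(verdict(parse_report(msg)), kind(msg))] += 1
    return counts

if __name__ == "__main__":
    for (v, k), n in sorted(summarize(RAW_MESSAGES).items()):
        print(f"{v:14} {k:14} {n}")
```

Run over the copies collected by an outbound spam BCC rule, a tally like this shows whether the flagging is tied to a message type rather than to individual senders or content.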
04-12-2019 12:05 AM Solution
You might want to read the following article on the "health" tab in the office portal...
04-12-2019 12:30 AM - edited 04-12-2019 12:32 AM
@Rafmoerkens Thanks for this, It doesn't appear in my portal, I only have the "EX176985 - Can't see message traces" ...
04-12-2019 01:08 AM
Hi @Philippe_RAYNAUD,
All the scenarios mentioned by you are the same for me too. Got a lot of emails tagged as PHISH by AntiSpam policy and all went into quarantine due to our Antispam settings. Had to release them manually to the users. Also we got a lot of duplicate emails sent as BCC to our IT email address since outgoing emails were getting tagged as SPAM. But now the issue seems to have stopped. Looks like MS Team has reverted the changes.
04-12-2019 01:30 AM
@Rafmoerkens Their article is weird though, I don't understand what this has to do with "URL filtering"! Happened with every single message.
04-12-2019 03:29 PM
@ALV_Work Nope we tried with blank messages was the same, I think we will never know what really happened :)
09-16-2019 05:32 AM
We are facing same issues from past week. Did create a ticket with MS and is still being worked on.
We didn't make any recent changes to any of our policies and are wondering what the reason behind it is. It's been a week that we are exchanging mail headers and extended message traces and we haven't been able to isolate the issue yet.
09-16-2019 05:58 AM
Hi @Sujesh1415,
Only Microsoft Team can resolve this issue. It is mostly due to an issue at their servers which tags outgoing emails as spam. This affects not everyone I guess, just random tenants.
01-23-2020 09:17 AM - edited 01-23-2020 09:26 AM
I'm having a similar issue with a client who has Office 365 for email.
Their domain name was categorized as CAT:HPHISH due to their website being hacked. Once cleaned up they started having emails being quarantined. They put their domain name in their signature. So any customers they emailed with Office 365 wouldn't get the email, it would be quarantined. When a customer who wasn't on Office 365 got the email and replied, the client wouldn't get the email.
We've reached out to Microsoft Support, however, they're unable to understand what needs to happen. And there is no system in-place to change/remove domain names from this categorization. Even though they have https://sender.office.com for de-listing IP addresses, there is no way to submit domain names.
Other vendors like PaloAlto, Fortinet and Sophos provide the means to submit evidence for delisting domain names categorized as Phishing or Spam.
EDIT: The only method I see to report the domain name as a false positive or have the category changed or removed is through the Office 365 Protection Portal under the “Quarantine Queue”, by clicking “Submit Message” with no information on where it’s going or if I will get notified if any action was taken.
The other method is in a Microsoft article https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/submit-spam-non-spam-and... which states “Use the same procedure as described in the "Use email to submit junk (spam) or phishing scam messages to Microsoft ," but send the message to email@example.com.”
01-23-2020 02:22 PM
We are having the exact same problem. Tomorrow will be our 3rd day of being mostly down and working with O365 who can't figure out the problem or even understand that it is bigger than analyzing a couple email headers.
Is there a way to get in contact with higher tier support that has more to say than "tell your recipients to whitelist you"?
01-23-2020 03:06 PM
Yes, you need to keep calling them. They have access to remove the domain name from their internal list. We just got this completed by their support.
01-27-2020 06:52 AM
Unfortunately we have not been so lucky. Dozens of calls and we are still down. No one at Microsoft seems to care.
Do you happen to have a MS description of what they did to resolve your issue or a ticket # I can share with support?
I could maybe understand this runaround if this was a small company, but they have nearly 100 users. I cannot believe the lack of support we are getting.
01-28-2020 08:50 AM
I'm sorry to hear that. You have to be persistent and point them to this post and ask for an escalation.
Unfortunately, I am unable to provide the ticket number due to the privacy of the client. However, this is what was communicated by the person who got ahold of someone at Microsoft after 8 hours of total time with their support staff. They also had to make sure they had the appropriate SPF/DKIM/DMARC records in-place before they would even consider looking further.
Basically, there are third-party lists that scan sites looking for phishing stuff, they had found the domain name to be a part of that.
They are working on clearing off the domain from those lists, and while that’s being done Microsoft is clearing the domain from the watchlist at the moment.
It should take a couple of hours for it all to propagate and take effect, and he will be calling me when it’s all done.
01-28-2020 09:11 AM
Thanks, Jordan. We have several tickets open, two of which have been escalated. We provided the link to this thread with no luck. We have ~30 hours into this client and MS support now.
Seems like your luck is better than ours lol. I will keep my fingers crossed that the description provided helps but it's pretty much what we already told them.
01-28-2020 09:16 AM
That really sucks, trying to get past the first line of support is the hardest.
As long as you have the headers stating the category, it should be pretty straightforward to resolve. It's just trying to get someone from support who actually understands what needs to happen or have them escalate it to someone that knows.
I'm going to post this resolution to Reddit just in case MS decides to lock this thread or delete it.
It's a shame that support can't understand their own technology stack to identify an issue and provide some sort of resolution. This type of process resolution has been in place with other vendors like PaloAlto, Fortinet and Sophos for years.
01-28-2020 01:16 PM
Update: They finally did it!
Here is the text from MS if anyone needs it to point support in the right direction.
Hope all is well. My name is *** from Office 365 Next Team,
We received an escalation request with regards to your issue on spam emails. After further investigation www[.]**********[.]com was listed as a phish URL, it appears the site may have at one time been compromised but is no longer. We have properly delisted it. Can you please check if your emails are still ending into spam/junk folder?
Office 365 Next Team
02-05-2020 04:20 AM
I'm having this issue with three of my personal MSFT email accounts, not through O365. I can receive emails but all my sent emails are being returned by the protection.outlook.com server. It won't even let me send an email to myself. Weird thing is that I can send emails from the same accounts on my phone.
Any thoughts on who I can contact, or do I just assume this is a bigger problem and hope it works itself out? Thank you.