Quarantine "finger print matching" false positive

Copper Contributor

Just done my regular quarantine check on our O365 tenant and was surprised to find a couple of legit messages from an external sender which were flagged as High Confidence Phish based on finger print matching, which I understand translates to a close match to a previously detected malicious message.  I can see absolutely nothing wrong with the message and it was so very business specific in its content that I cannot see that it would closely match anything else that had ever gone before.  The recipient tells me they regularly exchange business emails with the sender without any issue. 


When I run off a report and look at other recent messages caught by finger print matching on my tenant, they were the usual phishing emails that are probably doing the rounds globally and were correctly trapped. 


Questions are:


1. Anyone know why something so highly specific in its content would be trapped in this way?


2. I feel I can't trust O365 to correctly quarantine based on this example, but High Confidence Phish is currently set to have the AdminOnlyAccessPolicy applied on my tenant - and this doesn't notify.  Is there any way for a sys admin (only) to be notified by email when something goes into quarantine?   I can set up a custom policy to allow RECIPIENT notification but I don't really want to involve them when messages are being correctly quarantined almost all of the time.  


Ours is a non-profit tenant so I can't be sitting around watching it all day - I need it to tell me when something has happened!


Thanks for any ideas!


1 Reply

This is something our organization runs into as well. I would also like to know the answer to this question.