User Profile
JoeMorphew
Copper Contributor
Joined 4 years ago
Recent Discussions
Phish delivered due to an ETR override
We recently switched from Defender to Proofpoint Essentials for email security. During implementation they had us create a Proofpoint spam-bypass Exchange Transport Rule. The rule marks anything coming from a Proofpoint IP address as spam confidence level -1 (SCL -1). This rule seems to also be stopping Microsoft from sending phishing emails to quarantine. Since implementation we've been receiving a lot of alerts for "Phish delivered due to an ETR override". We've investigated the emails, and most are indeed phishing emails that Proofpoint has missed. Is it possible to adjust the transport rule to allow Microsoft to still quarantine these phishing emails? If not, what is the impact of disabling the rule? The emails will fail SPF, DKIM, and DMARC because they are delivered by Proofpoint, not the original sender. Ultimately, I'd like to know if it's possible to allow Microsoft to quarantine phishing emails that have already been filtered and delivered by a 3rd-party cyber security vendor.
1K Views · 0 Likes · 1 Comment

Re: Phishing and Email Security
We have this same issue. We have hundreds of obvious phishing emails being delivered to our users. Some of them contain dangerous links and attachments that go unblocked or are removed several minutes post-delivery by ZAP. We use Defender and have the settings as aggressive as allowed. We're also looking for a 3rd-party solution or anything to help. We tried KnowBe4 PhishER+ to manage our block list, but it was capped at 500 entries by Microsoft. We previously used Mimecast and it was great, but had to eliminate it due to the cost.
717 Views · 0 Likes · 0 Comments

Re: Emails Delivered without EOP scanning
Microsoft has basically told us this is by design and not something we can change. It seems like a very big security hole to delay scanning until after delivery when the workload is too high. I wish this was something we had known about prior to switching email security providers.
2.1K Views · 1 Like · 0 Comments

Emails Delivered without EOP scanning
We recently switched our Office 365 email security provider from Mimecast to Defender Plan 1. We have our Defender policy settings set as strict as possible, but we are still seeing a large increase in the amount of malicious email (and bulk email) that makes it into our inboxes. Specifically, we have one mailbox that forwards all email to a 3rd-party ticketing system. That ticketing system went from receiving malicious emails a few times a year to several per week. We reviewed some of the emails and I can't understand why they are being delivered (no SPF, failed DMARC, failed composite auth, no DKIM). I opened a ticket with Microsoft and their explanation was that when Microsoft servers are busy, they deliver the email without Exchange Online Protection scanning. Then they use a feature called ZAP (zero hour purge) to scan and remove the emails after delivery. Last month we had 173 emails removed by ZAP. This happens after email forwarding to our ticketing system and without notification, so we don't have a way to act on them. Is this accurate? Is Microsoft really delivering emails without security scanning? If so, what can we do to stop the emails? Create a bunch of manual mail flow rules? Switching back to Mimecast would be a significant undertaking and cost, so I would like to make Defender work if possible.
2.4K Views · 1 Like · 3 Comments
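The first post above ("Phish delivered due to an ETR override") describes a mail flow rule that stamps SCL -1 on everything arriving from the third-party gateway's IP ranges, which is exactly the override that lets EOP's phishing verdict be bypassed. The Exchange Online PowerShell below is an added example from the editor, not code posted by the author or supplied by Microsoft or Proofpoint: it enumerates every rule that sets SCL -1, then shows the alternative Microsoft documents for gateways in front of EOP, Enhanced Filtering for Connectors, which tells EOP to skip the gateway's IPs when working out the true connecting IP so SPF, DMARC and IP reputation are evaluated against the original sender without a blanket spam bypass. The connector name and the 203.0.113.x addresses are placeholders; substitute the gateway vendor's published ranges.

```powershell
# Added example (editor's code, not from the original posts). Requires the
# ExchangeOnlineManagement module and an Exchange Online admin account.
# Connector name and IP ranges below are placeholders, not real values.
Connect-ExchangeOnline

# 1. Find every mail flow rule whose action sets SCL -1. When such a rule fires
#    on a message EOP would otherwise have quarantined as phishing, Defender
#    raises "Phish delivered due to an ETR override".
$bypassRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 }
$bypassRules |
    Select-Object Name, State, Priority, SenderIpRanges, HeaderContainsMessageHeader, HeaderContainsWords |
    Format-Table -AutoSize

# 2. Put Enhanced Filtering on the inbound connector that receives mail from
#    the gateway. EFSkipIPs lists the gateway's IPs; EOP then looks past them to
#    the original sender when evaluating SPF/DMARC and IP reputation, so the
#    SCL -1 rule is no longer needed to stop the gateway's IPs being penalised.
$connectorName = 'Inbound from Proofpoint'           # placeholder name
$gatewayIPs    = @('203.0.113.10', '203.0.113.11')   # placeholders (TEST-NET-3 documentation range)

$connector = Get-InboundConnector -Identity $connectorName -ErrorAction SilentlyContinue
if (-not $connector) {
    # Partner connector locked to the gateway's IPs: only those hosts may deliver
    # mail for any sender domain, over TLS.
    $connector = New-InboundConnector -Name $connectorName -ConnectorType Partner `
        -SenderDomains '*' -SenderIPAddresses $gatewayIPs `
        -RequireTls $true -RestrictDomainsToIPAddresses $true
}
Set-InboundConnector -Identity $connectorName -EFSkipIPs $gatewayIPs

# 3. Confirm the connector settings, then disable (rather than delete) the
#    SCL -1 rules so they can be re-enabled quickly if mail flow breaks.
Get-InboundConnector -Identity $connectorName |
    Select-Object Name, ConnectorType, EFSkipLastIP, EFSkipIPs, EFUsers

foreach ($rule in $bypassRules) {
    Disable-TransportRule -Identity $rule.Name -Confirm:$false
}
```

Run step 1 first and review the output before touching anything: a rule that sets SCL -1 on a header match rather than an IP condition is a different design and may have another purpose. Step 2 is safe to apply while the SCL -1 rule is still enabled; disable the rule in step 3 only after verifying with a message trace that mail from the gateway still flows and that legitimate mail is no longer being marked as spam because of the gateway's IPs.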