detection
23 Topics

URL clicks not being tracked
Hi, I have URL rewrite and Defender EDR in the environment. It seems like clicks are missing tracking information. Both the hunting queries and the actual URL and domain page show no clicks, and I know for a fact users clicked it. The URL is external and it is rewritten; I checked in the email to confirm. I even clicked the URL myself and nothing is tracked. Also, how do you translate a rewritten URL to a URL without clicking on it? Any suggestions?

1.4K Views, 1 like, 2 Comments

Spam/Spoofed email received differently by 3 users
Hello experts... today, I had a user report a spoofed email. The email looked like it was sent from a CEO (his full name; the email address, however, was completely different and was a gmail.com address, not our domain). The user received this email to his inbox directly and did not realize it was a spam/phish email at first sight.

So I've started to have a look at why it was delivered to the inbox, as I would expect that the email would be either in Junk or Quarantined. I've found out that two other users received the same email address just a few seconds after the 1st one was delivered; however, for those two users it was actioned as "FilteredAsSpam" when I checked Mail Flow -> Message trace. So it was identified as spam this time and was delivered to the Junk folder... good here then.

I've also checked the header of the one that was delivered to the inbox, comparing it to the one in Junk, and I saw that for the first one the SCL = 1, and for the other 2 users the SCL = 5.

Also, when I check Defender -> Explorer, I see that:

For the 1st recipient:
Latest Threats: None
Latest delivery location: Inbox folder
Detection technology: -
Delivery action: Delivered

For the other 2 recipients:
Latest Threats: Phish / Normal
Latest delivery location: Junk Email folder
Detection technology: Mailbox intelligence impersonation
Delivery action: Delivered to junk

Now, my question would be: why was the 1st email delivered to the Inbox, while the same email sent to two other users (just a few seconds later) was then delivered to Junk (as I would also expect for the 1st user)? Why was the SCL 1 for the 1st recipient and 5 for the other two a few seconds later, if it is the same email from the same sender?

Btw, I have added CEOs to the "impersonated" user list, so it hopefully helps next time?