Help me understand why this email was quarantined?
I'm pretty familiar with Defender's Threat Policies. I've probably set them up on 40 tenants. I know the Hosted Content Filter Policy is backend for Anti Spam Inbound policy. I know that, confusingly, the AntiSpam Inbound Policies contain the actions for High Confidence/Normal Confidence Phishing - NOT the AntiPhishing policies (which seem more geared towards impersonation). What I DON'T know is why this was quarantined - and whether the anti-phish policy had anything to do with it. The Policy Type linked is the IB Anti Spam. This tenant is one of the few we have set at a BCL tolerance level of 7 - which shows me that 0 messages in the last 60 days would've been caught for this reason (which would include the email in question). So it was either the SCL or some 'anti phish' component of the anti-spam policy. I have none of the custom 'increase spam score' markers here. I was sure there was a 'evidence' tab within email entity, but i guess not - the only info I have about the detection (now released) is the following: This particular sender does not send reliably over 45 days, but also has been a business partner of this tenant for decades. So rather than the Tenant Allow/Block list which allows a max of 45 days, I want to add it to the offending policy. which SEEMS like it would be the inbound anti-spam - except that it also says it's phishing everywhere. I don't want to bypass both the phishing and spam policies unless I have to - but I don't really know why this got blocked. It's an external address that had sent an email days ago that got through without issue... This one has an attached pdf, but so do they all. Thoughts?
user-reported phishing emails
Dear Community I have a technical question regarding user-reported emails. In Defender, under “Action and Submissions” -> “Submissions,” I can see the emails that users have reported under the “user reported” option. There, we have the option to analyze these emails and mark them as “no threats found,” “phishing,” or “spam.” The user is then informed. Question: Do these reported emails remain in the user's inbox when they report them? If not, do we have the option to return these reported emails to the user's inbox with the “No threats found” action? Because I don't see this option. In another tenant, under “Choose response Action,” I see “move or delete,” but the “inbox” option is grayed out. Why is that? Thank you very much!'system has learned from the submission / mail is automatically allowed'
Hey folks, got an alert about a tenant allow//block list entry expiring. Only recently did we start getting these, because only recently did we start using expiring whitelisting. But I'm a little confused by the details, which says 'Mail from x is now automatically alllowed and the allow entry has been removed' and the activity that ''an allow entry is no longer required as the system has learned from the submission' The referenced email is actually an internal tenant - it receives ticket requests, and sends out ticket updates. But I'm REALLY curious about the 'automatic' allowing. Is this a feature limited to Defender 2, or part of Microsoft's AI detection framework for all 365 Defender/EOP? I don't even remember submitting this email - if I did, it was probably more than 45 days ago. So 1) Is this notice primarily that the entry had expired, but ALSO it's not needed or does this send out as soon as 'the system' recognizes it as legitimate, and removed regardless of the time left? 2) is there a way to review a list of entries Microsoft has 'accepted'? 3) What exactly does this 'allow'? I know that the tenant allow/block list allowed a certain set of lower-risk indicators in an email, but still blocked some higher-risk ones - unless there was a submission made. At that point, more is allowed. But there's still a limit, compared to a blanket bypass on the policy itself.
No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren’t identified as links, which allowed them to evade security scanning. Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely. Questions: Has anyone else encountered similar issues with encoded URLs bypassing detection? What’s the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URL's were identified? Looking forward to your input and recommendations. Thanks in advance!looking for a test protocol defender for o365
Hi together, I am looking for a test protocol defender for o365 to generate alerts and emails. The idea is generate alerts add/or mails from Defender for EOP/O365. We have only the license Defender for O365 Plan 1 in use. We know this options: https://learn.microsoft.com/en-us/defender-office-365/anti-spam-policies-configure#send-a-gtube-message-to-test-your-spam-policy-settings https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure#use-the-eicartxt-file-to-verify-your-anti-malware-policy-settings https://learn.microsoft.com/en-us/defender-office-365/safe-links-policies-configure#how-do-you-know-these-procedures-worked https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-policies-configure#how-do-you-know-these-procedures-worked https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-simulations But this options does not work very good for us or depends an Defender for O365 Plan 2 license. Does anyone have an good idea or know a option or a way i did not finde till yet? Thanks for an feedback and regards
internal user email quarantined and reason "high confidence phish"
Have you ever seen email quarantined when both sender and recipient are internal organization user and the quarantine reason is high confidence phish by the default built-in anti spam policy? really confused why it happened and how to avoid such false positive..DMARC, DKIM, SPF none but Composite authentication pass
Hi all, I have a email where DMARC, DKIM, SPF are marked as None, but still Composite authentication as passed. How can this be since the info of the composite authentication says: Combines multiple types of authentication such as SPF, DKIM, DMARC, or any other part of the message to determine whether or not the message is authenticated. If all three are none, what other part of the messages lets the message to pass composite authentication?
