detection (19 Topics)

No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren't identified as links, which allowed them to evade security scanning.

Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely.

Questions: Has anyone else encountered similar issues with encoded URLs bypassing detection? What's the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URLs were identified?

Looking forward to your input and recommendations. Thanks in advance!

Looking for a test protocol for Defender for O365
Hi all, I am looking for a test protocol for Defender for O365 to generate alerts and emails. The idea is to generate alerts and/or mails from Defender for EOP/O365. We only have the Defender for O365 Plan 1 license in use. We know these options:

https://learn.microsoft.com/en-us/defender-office-365/anti-spam-policies-configure#send-a-gtube-message-to-test-your-spam-policy-settings
https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure#use-the-eicartxt-file-to-verify-your-anti-malware-policy-settings
https://learn.microsoft.com/en-us/defender-office-365/safe-links-policies-configure#how-do-you-know-these-procedures-worked
https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-policies-configure#how-do-you-know-these-procedures-worked
https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-simulations

But these options do not work very well for us, or they depend on a Defender for O365 Plan 2 license. Does anyone have a good idea, or know an option or a way I have not found yet? Thanks for any feedback, and regards.

Internal user email quarantined with reason "high confidence phish"
Have you ever seen email quarantined when both sender and recipient are internal organization users and the quarantine reason is "high confidence phish" by the default built-in anti-spam policy? Really confused why it happened and how to avoid such a false positive.

DMARC, DKIM, SPF none but Composite authentication pass
Hi all, I have an email where DMARC, DKIM and SPF are marked as None, but Composite authentication is still marked as passed. How can this be, since the info on composite authentication says: "Combines multiple types of authentication such as SPF, DKIM, DMARC, or any other part of the message to determine whether or not the message is authenticated." If all three are none, what other part of the message lets the message pass composite authentication?

Defender for Office Policy Assignment by Domain
Hello - Sorry, this is a little bit long... We've been testing MDO and have run into an issue that seems like a 'bug', but I've been unable to find any other reports of it online. I have a ticket open with MS, but that's moving along very slowly as they're insistent on re-doing all the troubleshooting I've already done. But, I digress...

The problem we've found is in the MDO policy assignment - confirmed in anti-phish and anti-malware. If I assign the policy to a user and/or group/DL, the policy works as expected. However, if I use the domain assignment (as we were hoping to do for the full deployment), the assigned policy is being ignored and the message(s) are being passed on to the Default policy.

For example, I have a custom anti-malware policy that's my priority 0 policy. In it, I have assigned a specific group with some test accounts. I also assigned a domain (one of my owned/registered tenant domains). I also added a specific file extension to the disallowed list so that I could test. Then, I send a test email, with an attachment with that extension, to an account that's a member of the assigned group as well as another account that's a member of the assigned domain. The expectation is that both of those messages should be blocked. However, that's not the case. The message to the account that's part of the assigned group is blocked (as expected), but the message to the account that's part of the assigned domain is successfully delivered (attachment and all). It doesn't seem to matter which accounts, groups or domains I use; I can readily repeat the issue every time.

As an additional test, I added a random extension to the block list of the Default malware policy - one that's not included in my custom policy - and sent test emails again with an attachment of that file type. The expectation being that all accounts should receive the message. But, nope, that's not what happened. The account(s) assigned to the custom policy by group/account received the message (as expected) and the one assigned by domain was blocked. To me, that's pretty clear evidence that there's some kind of issue with domain assignment in the policies. That particular message basically bypassed the policy to which it was assigned and was handled by the Default policy.

As mentioned, I haven't found any other similar reports online, and to this point, Microsoft hasn't alluded to any issues. Surely others are using domains to assign their MDO policies. Has anyone run into this and, if so, have you found some sort of resolution for it?

Thanks, Robin

URL clicks not being tracked
Hi, I have URL rewrite and Defender EDR in the environment. It seems like clicks are missing tracking information. Both the hunting queries and the actual URL and domain page show no clicks, and I know for a fact users clicked it. The URL is external and it is rewritten; I checked in the email to confirm, and I even clicked the URL myself and nothing is tracked. Also, how do you translate a rewritten URL to the original URL without clicking on it? Any suggestions?

Capability to detect password-protected files during the email delivery and ZAP process of the email
Does M365 Defender & EOP have the capability to detect password-protected files during the email delivery and ZAP process of the email in the user mailbox? If yes, how can we configure it to stop such emails, put them into quarantine and stop the email delivery to end users? I have another follow-up question on this: if we deploy this transport rule to quarantine emails from false or parked domains, like phishing, spam and unwanted emails, then how would we filter and allow the legitimate email domains to send such files (.PDF, Docs, Excel and other password-protected files) to users' mailboxes without putting them into quarantine?

Spam/Spoofed email received differently by 3 users
Hello experts... Today I had a user report a spoofed email - the email looked like it was sent from a CEO (his full name; the email address, however, was completely different and was a gmail.com address, not our domain). The user received this email in his inbox directly... and did not realize it was a spam/phish email at first sight.

So... I've started to have a look at why it was delivered to the inbox, as I would expect that email would be either in Junk or Quarantined. I've found out that two other users received the same email just a few seconds after the 1st one was delivered; however, for those two users it was actioned as "FilteredAsSpam" when I checked Mail Flow -> Message trace. So it was identified as SPAM this time and was delivered to the JUNK folder... good here then.

I've also checked the header of the one that was delivered to the inbox and compared it to the one in Junk... and I saw that for the first one, SCL = 1... and for the other 2 users, SCL = 5.

Also, when I check Defender -> Explorer, I see that:

For the 1st recipient:
Latest Threats: None
Latest delivery location: Inbox folder
Detection technology: -
Delivery action: Delivered

For the other 2 recipients:
Latest Threats: Phish / Normal
Latest delivery location: Junk Email folder
Detection technology: Mailbox intelligence impersonation
Delivery action: Delivered to junk

Now, my question would be - why was the 1st email delivered to Inbox while the same email sent to two other users (just a few seconds later) was delivered to Junk (as I would expect also for the 1st user)? Why was the SCL 1 for the 1st recipient and 5 for the other two a few seconds later, if it is the same email from the same sender? Btw, I have added the CEOs to the "impersonated" user list, so hopefully that helps next time?