phishing
42 Topics

Spam/Spoofed email received differently by 3 users
Hello experts... today, I had a user report a spoofed email - the email looked like it was sent from a CEO (his full name; the email address, however, was completely different and was a gmail.com address, not our domain). The user received this email to his inbox directly... and did not realize it was a spam/phish email at first sight.

So... I've started to have a look at why it was delivered to the inbox, as I would expect that the email would be either in Junk or Quarantined. I've found out that two other users received the same email address just a few seconds after the 1st one was delivered; however, for those two users it was actioned as "FilteredAsSpam" when I checked Mail Flow -> Message trace. So it was identified as SPAM this time and was delivered to the JUNK folder... good here then.

I've also checked the header of the one that was delivered to the inbox, comparing it to the one in Junk... and I saw that for the first one, the SCL = 1... and for the other 2 users, the SCL = 5.

Also, when I check Defender -> Explorer, I see that:

For the 1st recipient:
Latest Threats: None
Latest delivery location: Inbox folder
Detection technology: -
Delivery action: Delivered

For the other 2 recipients:
Latest Threats: Phish / Normal
Latest delivery location: Junk Email folder
Detection technology: Mailbox intelligence impersonation
Delivery action: Delivered to junk

Now, my question would be - why was the 1st email delivered to the Inbox, and the same email sent to two other users (just a few seconds later) was then delivered to Junk (as I would expect also for the 1st user)? Why was the SCL 1 for the 1st recipient, and for the other two a few seconds later the SCL was 5, if it is the same email and the same sender?

Btw, I have added CEOs to the "impersonated" user list, so it hopefully helps next time?

Quarantine - Certain Users Not Showing
We have our environment set up to where we get active alerts for any emails that are requested to be released from quarantine. My team then goes in and looks at the email to make sure it is legit enough to be released. Since we have been doing this, we have noticed that certain users will not show up in the quarantine section from time to time. Even though I can pull up the email in Explorer and verify that it was sent to quarantine, it cannot be searched or found in there. I was even able to verify several OTHER users who received these quarantined emails, and they do show up. I thought at one point it was just certain emails but recently verified that it is the user themselves. Even though I can verify that 100+ emails have been received and sent to quarantine in the past 30 days by a user, NONE of them show up in the actual quarantine section of Microsoft 365 Defender no matter how it is searched for. Does anyone have any possible fixes for this? It is very frustrating if we are trying to manage these emails for our end users.

Attack Simulator: Company Logo not showing on landing page
Hi All, I have the following issue: the uploaded company logo (PNG or JPEG) is not shown on the landing page once the user clicks on the phishing link. See the attached screenshot; the image source is empty. I tried this multiple times with different logos and landing pages, but the results are the same. During the upload of the logo, there is no confirmation that the logo has been uploaded successfully... You only click next during the creation of the simulation... When clicking on the preview button (during simulation creation), the logo is shown.

Adding Targeted Users/Groups in Attack Simulator
Is there a setting that may have changed recently or needs to be changed that enables filtering by groups when creating a simulation? I am unable to browse our groups in our organization any longer; I can choose from other options like City, Departments, Titles, etc., but the AD groups do not populate any longer in this list when trying to add Target Users.

Thank you,
Jerid

Best practice advice
Hello all,

I am fairly new to Defender for O365. I am the cloud admin for a small company, roughly 1000 accounts. We are moving from Mimecast to Defender for O365. I read the article regarding preset security policies and thought this would be a good place to start, so I enabled the standard policy for all the domains we host. Considering you cannot edit a preset policy, I had to edit the default policy to fill in the gaps to account for things like safe senders, blocked senders, safe domains and blocked domains.

Is this the correct strategy to use? From my understanding, the preset security policy will take precedence. How does the precedence work? If I create safe senders in the default anti-spam policy, will these settings take effect even though the safe senders are not mentioned in the Standard preset security policy?

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide

Solved