Forum Discussion
Standard Security Policy flagging too many emails as "Potential Phishing"
We decided to enable the Standard Security Policy for Defender on our Microsoft 365 tenant, and immediately noticed that it was quarantining way too many emails that it flagged as either Phishing or High Confidence Phishing (mostly automated notices from cloud services like Asana, Klaviyo, etc.). These are emails that would easily be allowed through any other mail scanning firewall I've used in the past. I'm now concerned about using Defender's "Standard Security Policy" level for Defender, for fear that it's going to have my users missing emails that should easily be passing through, because Defender moved them to Quarantine or Junk. Is there a way to modify the aggressiveness levels for the Standard Security Policy?
- Ben_Harris (Microsoft)
Hey, thanks for your message!
Firstly, it's great to hear you're using presets; they are an awesome way of ensuring you're up to date with the latest security recommendations. I'm sorry to hear you're finding false positives (FPs), but we can for sure get to the bottom of it.
Secondly, have you tried doing admin submissions for the emails? This will do several things: it will tell us we got our verdict wrong, and it will also let you know the results of our analysis. You will also get the ability during the process to add the part of the message which caused it to be blocked (URL, Sender, Attachment, Spoof) to our Tenant Allow/Block List, so it's overridden in the future while we work on getting the reason for the issue fixed.
It's also important to note that sometimes emails are sent in a way which is non-compliant, so instead of overriding decisions, the correct course of action is actually to fix the underlying issue. For the examples you have, could you let me know the detection technology which led to the phish verdict? I may be able to help point you in the right direction. (We also document them all here at aka.ms/emailtech.)
Thanks
Ben.
- OneTechBeyond (Iron Contributor)
I've definitely been submitting them during release, so the system can try to learn from the email's fingerprint that they're valid.
- Ben_Harris (Microsoft)
Please also ensure these are admin submissions, not just user submissions. More details here:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide
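Ben's two replies describe a procedure: find out which detection technology produced the phish verdict before deciding whether to override it, and report false positives as admin submissions. The script below is an added example written for this thread (not Microsoft's code and not from the original posts) that does the first half from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module, an account allowed to read and release quarantine, the documented `Get-QuarantineMessage -QuarantineTypes` and `Get-QuarantineMessageHeader` cmdlets, and the `-ReportFalsePositive` switch on `Release-QuarantineMessage`; the sender domains are constructed placeholders. It reads the `CAT:` verdict category from the `X-Forefront-Antispam-Report` header and the `Authentication-Results` header so that an expected sender that fails SPF/DKIM/DMARC is surfaced as a "fix the sending service" case rather than something to allow-list.

```powershell
# Added example, not from this thread or from Microsoft: triage phish-verdict quarantine
# items so you can see which detection category fired before releasing anything.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account can read
# quarantine and release messages; the domain list below is a constructed placeholder
# that you replace with the SaaS senders you actually see being flagged.

Connect-ExchangeOnline

# Constructed placeholder sender domains you believe are legitimate.
$expectedSenderDomains = @('notify.example-saas.test', 'mail.example-crm.test')

# Leave $false until you have reviewed the table this script prints.
$releaseAndReport = $false

# Recent items Defender quarantined with a phish or high-confidence phish verdict.
$quarantined = Get-QuarantineMessage -QuarantineTypes Phish, HighConfPhish `
    -StartReceivedDate (Get-Date).AddDays(-7) -PageSize 1000

$triage = foreach ($msg in $quarantined) {
    # Raw headers of the quarantined copy. Out-String keeps this independent of the
    # exact output object shape; folded continuation lines are joined so regexes work.
    $rawHeaders = Get-QuarantineMessageHeader -Identity $msg.Identity | Out-String
    $unfolded   = $rawHeaders -replace '\r?\n[ \t]+', ' '

    # X-Forefront-Antispam-Report carries CAT: (verdict category, e.g. PHSH, HPHSH, SPOOF).
    $category = 'UNKNOWN'
    if ($unfolded -match 'X-Forefront-Antispam-Report:[^\r\n]*?CAT:([A-Z]+)') {
        $category = $Matches[1]
    }

    # Authentication-Results shows whether SPF/DKIM/DMARC passed. A "fail" from an
    # expected sender usually means the sending service is misconfigured, which is the
    # fix-at-the-source case Ben describes rather than an allow-list case.
    $auth = 'n/a'
    if ($unfolded -match 'Authentication-Results:\s*([^\r\n]+)') {
        $auth = $Matches[1]
    }

    $senderDomain = ($msg.SenderAddress -split '@')[-1].ToLowerInvariant()

    [pscustomobject]@{
        Identity       = $msg.Identity
        Received       = $msg.ReceivedTime
        Sender         = $msg.SenderAddress
        Recipient      = ($msg.RecipientAddress -join ';')
        Subject        = $msg.Subject
        Verdict        = $msg.Type
        Category       = $category
        AuthResults    = $auth
        ExpectedSender = $expectedSenderDomains -contains $senderDomain
    }
}

# Review first: an expected sender with a passing Authentication-Results is the
# likely false positive; an expected sender that fails authentication is not.
$triage | Sort-Object Received -Descending |
    Format-Table Received, Sender, Verdict, Category, ExpectedSender, AuthResults -AutoSize

if ($releaseAndReport) {
    $candidates = $triage | Where-Object { $_.ExpectedSender -and $_.AuthResults -notmatch 'fail' }
    foreach ($row in $candidates) {
        # Release to all recipients and report the verdict to Microsoft as a false positive.
        Release-QuarantineMessage -Identity $row.Identity -ReleaseToAll -ReportFalsePositive
    }
}
```

The release step is deliberately gated behind a manual flag and excludes anything whose authentication failed: releasing and reporting such a message would train the override in the wrong direction, whereas the category and authentication columns give you exactly the "detection technology" detail Ben asks for. The Tenant Allow/Block List additions Ben mentions are made through the admin submission flow in the portal linked above, not by this script.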
- sureshknw110utlppkco (Copper Contributor)
ok