I'm having a tough time with Defender for Office 365, which keeps marking emails from a couple of vendors (different domains) as High Confidence Phishing, forcing them into quarantine. The emails are just simple PDFs and HTML files, without any links or dangerous content. This has been happening for over a week now.
I've tried various transport rules and whitelists to bypass this, but it seems like Microsoft just prevents certain emails from being delivered altogether. According to Microsoft's documentation, when an item is flagged as High Confidence Phishing, other controls we put in place no longer work. I've also been submitting these flagged emails to Microsoft, hoping for some resolution, but they're still being detected as phishing. Has anyone else encountered this issue? Any clever solutions to ensure these emails go straight to a user's inbox?
6 Answers
You might have already tried this, but make sure to create a transport rule that sets the spam confidence level to -1 for those specific sender domains. Set the priority to 0 and ensure it's enabled. That usually works!
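The transport rule described in that answer, as it would be created from Exchange Online PowerShell. This is an added example and not something posted in the thread; the rule name, the two vendor domains and the comment text are placeholders, and the page itself notes that Defender still quarantines High Confidence Phishing regardless of this rule, so treat it as the first thing to verify rather than a guaranteed fix:

```powershell
# Added example (not from the thread). Requires the ExchangeOnlineManagement
# module and an account with the Transport Rules role.
Connect-ExchangeOnline

# Placeholder vendor domains; replace with the real sender domains.
$vendorDomains = @('vendor-a.example', 'vendor-b.example')

# SCL -1 tells EOP to bypass spam filtering for matching senders.
# Priority 0 puts the rule ahead of every other transport rule.
New-TransportRule -Name 'Vendor spam bypass (placeholder)' `
    -SenderDomainIs $vendorDomains `
    -SetSCL -1 `
    -Priority 0 `
    -Enabled $true `
    -Comments 'Bypass spam filtering for trusted vendor domains. Does not override High Confidence Phishing verdicts.'

# Confirm the rule landed at priority 0 and is enabled.
Get-TransportRule -Identity 'Vendor spam bypass (placeholder)' |
    Select-Object Name, Priority, State, SenderDomainIs, SetSCL
```

If a vendor message still ends up in quarantine after this, the quarantine notice's "primary override source" field is where you would expect to see the rule credited; the thread reports it showing "none", which is consistent with the High Confidence Phishing verdict being evaluated before any SCL override.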
Open Exchange might be a good route! We're starting the migration process away from Microsoft. Less hassle dealing with their quirks.
Have you checked the 'detection technology' and 'primary override source' in the quarantine notice? That info could shed light on why these emails are being flagged.
The detection technology is blank, and the primary override source is listed as 'none'. Not sure what that indicates.
It seems like Microsoft tightens control over their Exchange Online environment to maintain their reputation. If you're used to running an on-prem Exchange, this could be tough to adjust to. Your best bet might be using a separate mail filter that gives you more control, or just keep reporting the issues to MS and hope they adjust their classification.
First, check that the vendors' email authentication is solid. High Confidence Phishing flags often relate to DMARC failures or broken DKIM alignment on their end, which affects how Defender views their emails. Use a header analyzer on their messages to see what passes.
Yeah, it’s important to make sure their setup is correct. If they're on a relay not in their SPF, or if DKIM is misaligned, that could be the issue.
That’s an interesting point. One of the vendors has a broken DKIM and fails DMARC, but the other one is clean. It’s frustrating that even with clean authentication, we're still having these issues!
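A quick way to do the header check suggested above without pasting into a web analyzer: pull the Authentication-Results header Exchange Online stamps on inbound mail and compare the SPF, DKIM and DMARC verdicts against the visible From: domain. This is an added example, not from the thread; the two header strings are constructed to resemble the real EOP format and mirror the situation described (one vendor with a DKIM failure, one clean). The regexes only target the fields EOP writes (smtp.mailfrom, header.d, header.from, compauth) and are an assumption about header layout, so check them against a real message before relying on the output:

```powershell
# Added example (not from the thread). Summarises an Exchange Online
# Authentication-Results header and reports DMARC-style alignment.

function Get-AuthSummary {
    param(
        [string]$AuthResults,   # raw Authentication-Results header value
        [string]$FromAddress    # visible From: address of the message
    )

    # Organizational-domain matching is simplified to "equal or subdomain".
    $fromDomain = (($FromAddress -split '@')[-1]).Trim('>', ' ').ToLower()
    $aligned = { param($d) ($d -eq $fromDomain) -or $d.EndsWith(".$fromDomain") }

    $s = [ordered]@{ From = $fromDomain }

    # spf=pass (sender IP is x.x.x.x) smtp.mailfrom=domain
    if ($AuthResults -match 'spf=(\w+)[^;]*smtp\.mailfrom=([\w.-]+)') {
        $s.Spf        = $Matches[1]
        $s.SpfDomain  = $Matches[2].ToLower()
        $s.SpfAligned = & $aligned $s.SpfDomain
    }
    # dkim=pass (signature was verified) header.d=domain
    if ($AuthResults -match 'dkim=(\w+)[^;]*header\.d=([\w.-]+)') {
        $s.Dkim        = $Matches[1]
        $s.DkimDomain  = $Matches[2].ToLower()
        $s.DkimAligned = & $aligned $s.DkimDomain
    }
    # dmarc=pass action=none header.from=domain
    if ($AuthResults -match 'dmarc=(\w+)\s+action=(\w+)') {
        $s.Dmarc       = $Matches[1]
        $s.DmarcAction = $Matches[2]
    }
    # compauth=pass reason=100  (Microsoft composite authentication)
    if ($AuthResults -match 'compauth=(\w+)\s+reason=(\d+)') {
        $s.CompAuth       = $Matches[1]
        $s.CompAuthReason = $Matches[2]
    }
    [pscustomobject]$s
}

# Constructed sample headers (not real messages).
$samples = @(
    @{
        From = 'billing@vendor-a.example'
        Auth = 'spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=vendor-a.example; ' +
               'dkim=fail (body hash did not verify) header.d=vendor-a.example;' +
               'dmarc=fail action=oreject header.from=vendor-a.example;' +
               'compauth=fail reason=000'
    },
    @{
        From = 'invoices@vendor-b.example'
        Auth = 'spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=vendor-b.example; ' +
               'dkim=pass (signature was verified) header.d=vendor-b.example;' +
               'dmarc=pass action=none header.from=vendor-b.example;' +
               'compauth=pass reason=100'
    }
)

foreach ($m in $samples) {
    Get-AuthSummary -AuthResults $m.Auth -FromAddress $m.From | Format-List
}
```

For a real message, copy the Authentication-Results value from the quarantined item's headers into `-AuthResults`. A DKIM failure with `compauth=fail` is something to send back to the vendor; a message that shows pass and aligned everywhere, as the second vendor in the thread does, tells you the verdict is coming from content or reputation signals rather than authentication.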
I’ve found Avanan/Checkpoint to be a workaround. They can rescan emails that Microsoft quarantines and re-deliver if they confirm they're not malicious. It's crazy this isn’t fixed in Office 365 yet.

We've given that a shot, but it didn’t work. Microsoft’s documentation indicates that high confidence phishing overrides transport rules, which is pretty frustrating!