Dealing with Phishing Alerts in a Google Workspace and Office 365 Hybrid Setup

Asked By TechieTom23 On

I'm managing a hybrid environment with an Office 365 tenant for email and various other services, alongside a Google Workspace where email is turned off. The setup is for our admin office that supports educational areas, leading us to use both platforms together. However, we're facing a significant issue: many notifications from Google Workspace are being flagged for phishing and quarantined by Office 365 security. This is particularly frustrating since these emails are sent from a domain.com address to another domain.com address, but through a different system.

I've tried several solutions, such as adding the notification addresses to bypass filters and setting up mail rules, but despite turning off AI initiatives on phishing and malware detection, emails continue to be quarantined. Has anyone experienced something similar in a hybrid setup and found a way to allow these notifications through? I'm also curious about any strategies to tackle this issue effectively. I currently have an open support ticket with Microsoft, but I'm not sure how long that will take to resolve.

2 Answers

Answered By AdminAid123 On

I’ve run into the same problems with Google Workspace notifications in a 365 environment. Even if you set up mail flow rules to bypass filtering, Microsoft Defender often still quarantines messages that look like potential internal spoofing. A more effective approach I've found is to allow notifications in Defender based on Google headers rather than relying solely on the EAC rules.

TechieTom23 -

That sounds like a solid approach! Microsoft had me add it to the tenant allow list, but it’s only good for 45 days. I worry about the cutoff, but I’ll definitely look into double-checking the headers next.

Answered By CloudGuru1989 On

It's crucial to ensure that your Google Workspace is included in your domain's SPF record. If those notifications aren’t recognized as legitimate sources, they could easily get flagged. Just a heads-up, I had a similar situation, and this really helped in clearing up the issue for me!

TechieTom23 -

Thanks for the tip! Just so you know, the notifications in question are coming from [email protected]. They pass all checks but still end up being blocked. I’m guessing the filtering thinks it might be spoofing because the sender's name is from Google while their actual address is from google.com. It feels like Microsoft's AI might be misinterpreting these.
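Added example, not part of the thread: a Python script that reads the headers Exchange Online stamps on a message and reports the SPF/DKIM/DMARC/composite-authentication results next to the filter's category and verdict, which separates the "authentication failed" case from the "passes all checks but still blocked" case described above. The sample message, its domains and values are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample headers (all values made up), shaped like the ones
# Exchange Online stamps on inbound mail.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=notify.example.net; dkim=pass (signature was verified)
 header.d=example.net; dmarc=pass action=none header.from=example.net;
 compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:US;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.net;CAT:UIMP;SFS:;DIR:INB;
From: "Workspace Notifications" <alerts@example.net>
Subject: constructed sample

body
"""

def auth_results(msg):
    """Map spf/dkim/dmarc/compauth to their result, or 'missing'."""
    value = " ".join((msg.get("Authentication-Results") or "").split())
    found = {}
    for method in ("spf", "dkim", "dmarc", "compauth"):
        m = re.search(r"(?:^|[;\s])%s=(\w+)" % method, value)
        found[method] = m.group(1).lower() if m else "missing"
    return found

def antispam_report(msg):
    """Split X-Forefront-Antispam-Report into its KEY:value fields."""
    raw = "".join((msg.get("X-Forefront-Antispam-Report") or "").split())
    fields = {}
    for part in raw.split(";"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.upper()] = val
    return fields

def triage(raw_message):
    msg = message_from_string(raw_message)
    auth, report = auth_results(msg), antispam_report(msg)
    auth_ok = all(v == "pass" for v in auth.values())
    cat = report.get("CAT", "")
    # Authenticated yet categorised: a content or impersonation verdict
    # decided the outcome, so SPF changes alone will not release the mail.
    return {"auth": auth, "auth_ok": auth_ok, "category": cat,
            "verdict": report.get("SFV", ""), "scl": report.get("SCL", ""),
            "filtered_despite_auth": auth_ok and cat not in ("", "NONE")}
```

Run `triage()` on the raw source of a quarantined notification; the `category` and `verdict` fields show which protection decided the outcome and therefore which allow mechanism is worth adjusting.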
