Hey everyone, I've noticed that Defender and Exchange security have been soft deleting what seem to be legitimate Docusign emails in our tenant today. These emails are getting routed to Quarantine even though they pass SPF checks. While I understand that Docusign phishing attempts are common, I've had to restore over 50 legitimate emails today, which is a first for me. Has anyone else encountered this issue?
6 Answers
It feels like Microsoft really went overboard with the security settings today. Check to see if any policies in your tenant got auto-updated because Docusign didn’t suddenly turn unsafe overnight.
I had Avanan marking Docusign emails as phishing today. It was flagged partly because the domain was new, coming from docusign.net instead of the more common docusign.com. ICANN updated docusign.net recently, and that might have triggered some alarms in email security.
Yeah, I started seeing this today too. It flagged Docusign support URLs as phishing.
Honestly, good riddance! Most emails with Docusign are probably phishing attempts anyway, so I’ve set mine to manual approval.
Yeah, I faced a similar situation a month or two ago where all Docusign emails were being flagged as malicious. They get used for many sketchy things, so I guess the filters are just super sensitive right now.
This seems to be a classic Defender issue. Docusign is widely spoofed, so tightening security measures makes sense, but it’s frustrating when it disrupts legitimate communications without a heads-up. It’s worth checking if there was a recent update to the anti-phishing settings or if they changed how impersonation is detected. Adding Docusign’s domains to your allow list might help while they resolve this.
Right? It was like half of the emails got flagged, and the rest didn’t seem to have any obvious issues. They really need to update their filtering details.