We're having a frustrating problem where our O365 system is marking known good emails as high confidence phishing and quarantining them. We've tried several solutions, like setting the SCL to -1 for all emails, turning off anti-phishing and anti-spam policies, and even creating a security operations mailbox, but nothing seems to work. We're considering completely disabling the O365 mail filtering since we have another product that does a better job. Any advice on how to handle this?
5 Answers
We faced a similar issue and set our filtering to -1 for emails coming from our on-premises IPs and made sure it was the first transport rule. However, if you're in a hybrid setup without an on-prem IP, that could be tricky.
If that doesn't do it, you might consider resetting your settings back to default. Sometimes, troubleshooting helps reset any underlying issues. If you're still stuck after that, opening a ticket with Microsoft could be your best bet.
Just a heads up, from my experience, the High Confidence Phish setting can't be overridden. You could potentially look into using tools like Avanan that allow you to release emails without needing admin approval. It’s annoying, but their filtering is strict for a reason. Just wish we had more flexibility in setting our protection levels!
Exactly! I feel you on that one! We should have more options for how much protection we want.
Is your filtering tool Proofpoint? If so, that might be causing the issue due to URL rewriting, which can mess with your DMARC and SPF rules.
Nope, we're using Mimecast, which is cloud-based.
One thing you could try is moving your rules around. Make sure the one you're using to allow legitimate emails is the very first rule in the list. That could help prioritize it over the others.
Done! We'll see if that makes a difference.
Yeah, we don’t have an on-prem service to direct things to. Our filtering setup is kind of in limbo.
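Added example, not code from any of the posters: what the first answer's advice (set SCL -1 for mail from the on-prem IPs, with that rule first in the list) and the later suggestion to move the allow rule to the top look like in Exchange Online PowerShell, followed by a quarantine lookup that shows which verdict actually fired. The IP range, sender address and rule name are placeholders, and as noted in the thread a High Confidence Phish verdict is not overridden by this rule.

```powershell
# Added example (not from the thread). Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# PLACEHOLDER: the egress IPs of the upstream filter / on-prem relay that hands mail to EOP.
$upstreamRanges = @('203.0.113.0/24')

# Create the bypass rule at priority 0 so it is evaluated before every other mail flow rule.
# SCL -1 skips EOP spam filtering for mail already scanned upstream.
New-TransportRule -Name 'Bypass spam filtering - upstream relay' `
    -SenderIpRanges $upstreamRanges `
    -SetSCL -1 `
    -Priority 0 `
    -Mode Enforce `
    -Comments 'Mail from the upstream filter is already scanned; high-confidence phish verdicts are still enforced by EOP'

# If the rule already exists (e.g. created in the admin center), move it to the top instead:
# Set-TransportRule -Identity 'Bypass spam filtering - upstream relay' -Priority 0

# Verify the ordering: the bypass rule should appear first.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode -AutoSize

# For a "known good" message that was still quarantined, check the verdict type.
# Type = HighConfPhish means the SCL -1 rule did not apply to it; Spam/Bulk means ordering or
# the SenderIpRanges match is worth re-checking.
Get-QuarantineMessage -SenderAddress 'sender@example.com' |   # PLACEHOLDER address
    Format-Table ReceivedTime, Subject, Type, PolicyType, PolicyName -AutoSize
```

The rule only matches on the connecting IP, so if the upstream filter is cloud-hosted (as with Mimecast in this thread) the ranges must be that service's published outbound IPs rather than an on-prem address.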