I've got a tenant with M365's anti-phishing features enabled, but I'm still seeing emails that appear to be spoofed ending up in users' inboxes. When I check the message trace and look at the emails in detail, I find the following: Final System Override = Allowed by organization policy and Tenant system overrides = Allowed by organization policy / 3rd party filter. I can't seem to find the policy that is allowing these overrides. Does anyone have any suggestions? Thanks in advance!
3 Answers
You can check out the latest policies at the Microsoft Security portal. It's likely where the overrides are coming from. Also, make sure you're looking into Defender, as it holds additional policy settings beyond just the anti-phishing rules.
Are the emails actually spoofed or just impersonating someone? It’s crucial to check the sender's details to verify their authenticity. Sometimes they might look legit at first glance!
Right? Always check the mail headers just to be sure!
Do you have any third-party mail filtering services in front of EOP? If so, they might have a transport rule allowing emails through from their IPs, bypassing double scanning. That's a common issue!
Yes, that could definitely be it! You should review your transport rules immediately.
Exactly! If you also have mail flow rules set up in Exchange, make sure to navigate through Defender to identify those other filters.
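As an added example (not part of the thread above, and not Microsoft's own documentation), the following Exchange Online PowerShell session enumerates the tenant settings that commonly produce the "Allowed by organization policy" and "3rd party filter" overrides: mail flow rules that set SCL to -1, partner inbound connectors and their Enhanced Filtering settings, the connection filter IP allow list, anti-spam allowed senders, and Tenant Allow/Block List allow entries. It assumes the ExchangeOnlineManagement module is installed and that the account used has permission to read these policies; which of these objects is responsible in a given tenant is something the output has to confirm.

```powershell
# Added example, not from the original thread.
# Assumes the ExchangeOnlineManagement module is installed and the caller
# can read mail flow rules, connectors and anti-spam policies.
Connect-ExchangeOnline

# 1. Mail flow (transport) rules that set SCL to -1. These bypass EOP spam
#    filtering for matching mail and are the usual source of an
#    "Allowed by organization policy" override. Show the conditions that
#    scope each rule (sender IP ranges, domains, header matches).
Get-TransportRule -ResultSize Unlimited |
    Where-Object { $_.SetSCL -eq '-1' } |
    Select-Object Name, State, Priority, SenderIpRanges, SenderDomainIs,
                  HeaderContainsMessageHeader, HeaderContainsWords, Comments |
    Format-List

# 2. Partner inbound connectors (a third-party filter in front of EOP) and
#    whether Enhanced Filtering is set up (EFSkipLastIP / EFSkipIPs) so EOP
#    evaluates the original sending IP instead of the filter's IP.
Get-InboundConnector |
    Where-Object { $_.Enabled -and $_.ConnectorType -eq 'Partner' } |
    Select-Object Name, SenderIPAddresses, EFSkipLastIP, EFSkipIPs, EFUsers |
    Format-List

# 3. Connection filter IP allow list (connection-level bypass of filtering).
Get-HostedConnectionFilterPolicy |
    Select-Object Name, IPAllowList |
    Format-List

# 4. Allowed senders and sender domains in the anti-spam (content filter)
#    policies; entries here also skip spam verdicts for matching mail.
Get-HostedContentFilterPolicy |
    Select-Object Name, AllowedSenders, AllowedSenderDomains |
    Format-List

# 5. Tenant Allow/Block List: allowed senders and allowed spoofed senders.
Get-TenantAllowBlockListItems -ListType Sender -Allow
Get-TenantAllowBlockListSpoofItems -Action Allow
```

Run the rule query first; a rule whose only condition is a sender IP range belonging to the third-party filter, with no Enhanced Filtering on the connector, is the configuration the answer above describes, and it lets anything the upstream filter passes through reach the inbox without EOP's spoof checks applying.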