My Microsoft Attack Simulator emails get quarantined when users report them, why is that?

Alyse Hart 25 Reputation points
2024-05-14T19:37:31.3233333+00:00

I am working on creating a phishing simulation for my organization; normally when we have a phishing campaign simulation, we send a copy of our reported emails to our shared security team mailbox. This gives us quick reference for user reports and forwards.

In a recent simulation test, I am able to receive the message in my inbox, but when I report, it goes straight to quarantine or gets ZAPped shortly after it's delivered to the shared inbox with the detection technology 'File Reputation'. This is the case, as the payload type is a Link in Attachment. Is there a way that I can prevent this from happening?

For context, here are some of the key components I used in the simulation:

Phishing URL - https[:]//www[.]techidal[.]com
Document Type - Docx


1 answer

  1. Pauline Mbabu 330 Reputation points Microsoft Employee
    2024-07-01T12:26:30.9333333+00:00

    Hello Alyse Hart,
    When you have messages going to quarantine, the first thing to check is the reason they are getting blocked and sent to quarantine. It could be due to your anti-spam policies, anti-phishing, Safe Links policy or Safe Attachments policy.

    You may also allow specific senders by following this guidance https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-email-spoof-configure.

    Additionally, if you want to try a 3rd-party phishing simulation, follow this guidance: https://learn.microsoft.com/en-gb/defender-office-365/advanced-delivery-policy-configure?view=o365-worldwide

