How to let an email with specific header bypass all filters

Question

Why, why, why can we not do this? I have Transport rules, Threat policies--all kinds of stuff set up to just. stop. blocking. But it seems I don't get to decide that. I know the rules are matching because when I look in the administrators' view of quarantined email it tells me what rules are applied. No matter what or where I try this, my test email (a phishing simulation from a well-known solution provider) keeps getting blocked. Add'l details:

1. I'm aware of the section specifically for phishing simulators, but trying to set up something (reliable) based on source IP is just silly. Has been for years because it's been unreliable for years. Anyway this option is not an option because as the question states, I want to qualify emails by header.
2. the quarantine report for the email in question always says "Quarantine reason:Malware Policy type:Anti-malware policy Policy name:Test Bypass. That's one of many I've tried, but in truth this is no surprise because, mind-bogglingly, none of the Threat policies actually has an option to bypass scanning. The only option I was given in this section was to turn off "Common Attachments Filter". Again, silly.
3. I've set a Transport Rule with 0 priority that names a specific header, reduces the SCL to -1, but still insists on stopping it for "Malware" reasons. I bring it up not because I conflate Malware with Spam, but because MicroSoft does. Various articles saying to use the above setting to (mysteriously) stop Malware processing. I know this rule is working because the reporting in Quarantine and Transport Rules tells me so.

Please make it stop. Pretty please.

Answer 1

Hi，@Curtis Jackburn

Thanks for posting your question in the Microsoft Q&A forum.

I understand your feelings very well. You are unable to receive a specific attachment because it has been incorrectly identified as malware.

I checked the official Microsoft documentation and found that it is not possible to use Exchange mail flow rules to skip malware filtering.

The only way to skip malware filtering for a recipient is to identify the mailbox as a SecOps mailbox. For more information, see Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy.

If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.

Answer 2

I have found that the only way to bypass all the checking for phishing simulations is to use the Defender Advanced Delivery option:

https://learn.microsoft.com/en-us/defender-office-365/advanced-delivery-policy-configure

Are you saying that isnt working?

Answer 3

Thanks for those answers. The problem with advanced delivery is that it is only based on IP or URL. I'm trying to allow things that are based on an email header. IPs and URLs are sometimes either unavailable or otherwise unreliable as they can change. When a fishing simulation service sends something out they are indeed apt to change both of those things.

Answer 4

Is there a way to bypass EOP altogether and let a true enterprise-grade, ready-for-primetime, capable solution handle email risks instead?