The message properties or headers are not detected by Transport Rule

Alex Rechs 40 Reputation points
2023-07-24T15:47:31.6033333+00:00

Hello,

I'm trying to compose a transport rule to generate an incident report when an inbound mail has an SCL greater than 3.

My transport rule has the following conditions:
1. The sender is located "NotInOrganization"
2. The sender address includes any of these words "test@contoso.com"
3. The message includes an SCL greater than or equal to '3'

The report is generated only when conditions 1 and 2 are set. However, when 3 is set, the transport rule is bypassed. A test message header has an SCL of 6. I also tried changing the condition to
The message header "X-MS-Exchange-Organization-SCL" includes "3", "4", "5", "6"..., but that wouldn't work either.
I read this may happen to Edge Transport Rule, but I use Microsoft Exchange Online.

Any ideas?


Accepted answer
  1. Shaofan Lv-MSFT 6,915 Reputation points Microsoft Vendor
    2023-07-28T07:26:35.2966667+00:00

    Hi @Alex Rechs ,

    Great to know that the issue has already been resolved and thanks for sharing the solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer : )


    [ The message properties or headers are not detected by Transport Rule.]

    Goal:

    notify an admin if an important mail got quarantined or moved to spam without whitelisting an e-mail address.

    Resolution:

    The way is to use the Advanced Hunting API to detect threats in mail (regardless of its delivery location).

    // EmailEvents: mail seen by Defender for Office 365. The PowerShell
    // variable $senderAddress is interpolated into this KQL string.
    EmailEvents
        | where SenderFromAddress == '$($senderAddress)'
        // any verdict that sends the message to junk or quarantine
        | where ThreatTypes has 'Spam' or ThreatTypes has 'Phish' or ThreatTypes has 'Malware' or ThreatTypes has 'Unknown'
        | summarize Total = count() by SenderFromAddress


    Using the KQL snippet above in PowerShell, you can load $senderAddress from a CSV, a SQL database, or even directly from Get-HostedContentFilterPolicy (the anti-spam policy).

    If the result is positive (not null), you can send a notification to an admin via email or Teams.

    Regards

    Shaofan

     

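The accepted answer gives the hunting query but only describes the surrounding PowerShell. The script below is an added example, not the poster's code, that runs that query through the Microsoft Graph Advanced Hunting endpoint (POST /security/runHuntingQuery) and posts a Teams alert when any watched sender has a spam, phish or malware verdict. It goes slightly beyond the snippet by checking several senders in one query, adding a time window, and reporting where each message was delivered. Assumed placeholders: $AccessToken is a Graph bearer token for an identity granted ThreatHunting.Read.All, $TeamsWebhookUrl is an incoming webhook, and the default sender list is constructed sample data.

```powershell
# Added example, not the poster's script: run the accepted answer's Advanced
# Hunting query via Microsoft Graph and alert an admin on a Teams channel.
# Assumptions (placeholders): $AccessToken is a Graph bearer token for an
# identity granted ThreatHunting.Read.All; $TeamsWebhookUrl is an incoming
# webhook; the default sender list is constructed sample data.
param(
    [Parameter(Mandatory)] [string] $AccessToken,
    [Parameter(Mandatory)] [string] $TeamsWebhookUrl,
    [string[]] $SenderAddresses = @('test@contoso.com', 'partner@fabrikam.com'),
    [int] $LookbackDays = 1
)

# The KQL is built as a string, so validate every address before it is
# interpolated; an unchecked value (e.g. from a CSV) could rewrite the query.
$addressPattern = '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
$safe = @($SenderAddresses | Where-Object { $_ -match $addressPattern })
if ($safe.Count -eq 0) { throw 'No well-formed sender addresses to check.' }

# KQL list literal, e.g.  "test@contoso.com", "partner@fabrikam.com"
$kqlList = ($safe | ForEach-Object { '"{0}"' -f $_ }) -join ', '

# Same logic as the answer's snippet, extended with a time window, a
# case-insensitive sender match (in~) and the delivery location per sender
# (Inbox/folder, Junk folder, Quarantine, ...).
$query = @"
EmailEvents
| where Timestamp > ago($($LookbackDays)d)
| where SenderFromAddress in~ ($kqlList)
| where ThreatTypes has 'Spam' or ThreatTypes has 'Phish' or ThreatTypes has 'Malware' or ThreatTypes has 'Unknown'
| summarize Total = count(), Latest = max(Timestamp), Locations = make_set(DeliveryLocation) by SenderFromAddress
"@

$response = Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Headers @{ Authorization = "Bearer $AccessToken" } `
    -ContentType 'application/json' `
    -Body (@{ Query = $query } | ConvertTo-Json)

# runHuntingQuery returns { schema: [...], results: [...] }
$hits = @($response.results)
if ($hits.Count -eq 0) {
    Write-Host "No spam/phish/malware verdicts for the watched senders in the last $LookbackDays day(s)."
    return
}

# One line per sender; Locations comes back as a JSON array.
$lines = $hits | ForEach-Object {
    '{0}: {1} message(s), latest {2}, delivered to {3}' -f `
        $_.SenderFromAddress, $_.Total, $_.Latest, (@($_.Locations) -join ', ')
}
$text = "Defender verdicts on watched senders:`n" + ($lines -join "`n")

# A Teams incoming webhook accepts a simple {"text": ...} payload.
Invoke-RestMethod -Method Post -Uri $TeamsWebhookUrl `
    -ContentType 'application/json' `
    -Body (@{ text = $text } | ConvertTo-Json)
```

Two things worth keeping in mind when scheduling this: Advanced Hunting only retains about 30 days of EmailEvents data, so the lookback must stay inside that window, and because the query is assembled as text the address validation is not optional. Reporting DeliveryLocation alongside the verdict is what lets the admin distinguish "went to junk" from "quarantined", which is the original question's goal.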

3 additional answers

  1. Andy David - MVP 145.6K Reputation points MVP
    2023-07-24T16:34:44.2933333+00:00

    That's because the anti-spam checks are done after the rules are evaluated.

    What's the goal here? Typically, you use rules to set an SCL so it can be handled as spam or allowed.

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-about?view=o365-worldwide



  2. Shaofan Lv-MSFT 6,915 Reputation points Microsoft Vendor
    2023-07-25T09:58:00.1766667+00:00

    Hi @Alex Rechs ,

    It's found that when the value of SCL is less than or equal to "1", it will not be marked as spam.


    If it works for you when the value is "2", how about "The message includes an SCL greater than or equal to '2' "?

    Regards

    Shaofan


  3. Shaofan Lv-MSFT 6,915 Reputation points Microsoft Vendor
    2023-07-27T10:02:29.5766667+00:00

    Hi @Alex Rechs

    What I meant was that conditions 1 and 2 work (received from outside and the sender matches the words), but the condition "the message includes an SCL greater than or equal to '3'" is not working at all, regardless of what level you enter and what SCL level is received.

    Thanks for the clarification and sorry for the misunderstanding in my previous reply.

    After searching and researching, this is indeed the expected behavior as Andy said, "it's because the antispam check is done after the rules are evaluated".

    [Image: a diagram of mail flow through a mailbox]

    If the anti-spam checks are done after the rules are evaluated, then why is that condition there at all, if it basically does nothing?

    The value of SCL is either set by a mail flow rule or given in the spam filtering stage. In your case, before this rule, no other mail flow rule has set an SCL for the mail, so the condition "The message includes an SCL greater than or equal to" is invalid.

    So, the meaning of this condition is to affect mail that has been given an SCL value by other higher-level mail flow rules.

     

    The goal is to notify an admin if an important mail got quarantined or moved to spam without whitelisting an e-mail address.

    As far as I understand, there is no way to fully achieve this.

    For mail in quarantine, there is only the end-user notification, which can be set through the quarantine policy. At present, there is no option to send a notification to the administrator. There is a parameter in the link below that is very similar, but it is "reserved for internal Microsoft use."

    https://learn.microsoft.com/en-us/powershell/module/exchange/set-quarantinepolicy?view=exchange-ps#-adminnotificationsenabled

    In view of this situation, one idea is to build a mail flow rule and add the admin to the recipients of the end-user quarantine notification.

    For mail moved to spam, I am afraid there is no way to achieve it. We can only suggest that end users check the junk mail folder regularly, which is also the officially recommended practice.

    Regards

    Shaofan
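To make the evaluation-order point from the last two answers concrete, here is an added Exchange Online PowerShell example; it is not code from the thread. It creates two mail flow rules: a higher-priority rule that stamps an SCL, and the poster's "SCL greater than or equal to 3" rule beneath it, which then matches only because of the first rule. It assumes a session opened with Connect-ExchangeOnline by an admin allowed to manage mail flow rules; the rule names, the sender address test@contoso.com and the report recipient secops@contoso.com are placeholders. Note that this demonstrates why the condition only sees rule-set SCLs; it does not achieve the original goal of reacting to the spam filter's own verdict, which the thread concludes mail flow rules cannot do.

```powershell
# Added example, not from the thread: two mail flow rules that show why the
# "SCL greater than or equal to" condition only matches an SCL already stamped
# by a higher-priority rule. Assumes an Exchange Online PowerShell session
# (Connect-ExchangeOnline); names, sender address and recipient are placeholders.
Connect-ExchangeOnline

# Rule 1 (priority 0) stamps an SCL on inbound mail from the watched sender.
# When rules run, content filtering has not happened yet, so this is the only
# SCL the next rule can see.
New-TransportRule -Name 'Stamp SCL for watched sender' `
    -Priority 0 `
    -FromScope NotInOrganization `
    -FromAddressContainsWords 'test@contoso.com' `
    -SetSCL 6

# Rule 2 (priority 1) is the poster's condition. It fires here because rule 1
# has already set SCL 6, which is >= 3. On its own (without rule 1) no SCL has
# been set at this stage, so it never matches.
New-TransportRule -Name 'Incident report on high SCL' `
    -Priority 1 `
    -FromScope NotInOrganization `
    -SCLOver 3 `
    -GenerateIncidentReport 'secops@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject

# Check the order: the rule that sets the SCL must have the lower priority number.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, SetSCL, SCLOver, GenerateIncidentReport
```

If the second rule is created first, or is given priority 0, the SCLOver condition evaluates before any SCL exists and the incident report is never generated, which is exactly the symptom the question describes.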