This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello Experts,
hope you are doing well.
We are facing and issue where we see a large amounts of emails being moved to quarantine for a particular user. The emails are not spam or phish.
The user is using the integration for Outlook in Workable - https://www.workable.com/
However, communication is not only done through the integration in workable it's also done through the Outlook App in macOS, just adding this info for reference.
The issue seems to happen most often with "mail pyramids" where "reply" has been clicked more than a few times.
As of now the only way for me to release those those emails for the user is to go to:
https://security.microsoft.com/quarantine and manually release all the messages there.
Unfortunately, when the user navigates to the above link, does not see anything, so I have to do it as an admin.
What have I done to possibly solve this? Please feel free to correct me, if anything of the below is not as it should be.
In here:
https://security.microsoft.com/antispam -> I have created a separate Anti-Spam policy
Under "Users, groups, and domains" I have added only the particular user we are seeing this predominantly happen to.
Bulk email threshold - I have set this to 9, with the hopes that this will reduce the sending of the email pyramids to Quarantine. I don't know if it's correlated, correct me if it isn't.
I've configured this setting to redirect High confidence phish emails:
"High confidence phishing message action
Redirect message to email address"
-Screenshots of the configuration attached for reference.
And the redirection email is set to the users email.
Will this newly configured granular policy work side by side with our default policy?
The idea is for the user to have the ability to receive the emails that are sent to quarantine, or somehow to review and release them.
The domains of the emails put in quarantine for the specific user are google, yahoo etc. Mostly popular and verified domains.
And this happens sometimes while using the Outlook integration and replying from it, but happens also while the user is going through the Outlook app for macOS.
Would there be some best practice configuration from Microsoft side in order to prevent this from happening when using the integration in Workable?
Although, we have emails put in quarantine for other uses too, we'd like to make an exception for the specific user if needed.
Any thoughts and advice on the matter is appreciated.
Thanks.
Yes, you could set this policy for the specific user as a workaround. And like Andy mentioned above, it's better to determine why the mails are getting quarantined.
In addition, we can see the official document: Find and release quarantined messages as a user in EOP
Admins can also enable end-user spam notifications in anti-spam policies. Users can release quarantined spam messages directly from these notifications. Users can review quarantined phishing messages (not high confidence phishing messages) directly from these notifications. For more information, see End-user spam notifications in EOP
By default, end-user spam notifications are disabled in anti-spam policies. When an admin enables end-user spam notifications, recipients (including shared mailboxes with automapping enabled) will receive periodic notifications about their messages that were quarantined as spam, bulk email, or (as of April 2020) phishing.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Have you determined why they are marked as high confidence phish?
EOP is now proactively blocking high confidence phish:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide
So I suspect your redirect will work for now, but maybe not in the future.
For your specific question, yes you can set a policy for just that user, ensure its a higher priority than the default. and hope that user doesnt click on a real phishing message.
anonymous userDavid @Joyce Shen - MSFT Thank you for the answers.
After consideration we have removed this policy as it poses a risk for real phishing emails to get delivered to the users mailbox.
Instead we have modified our "Anti-spam inbound policy (Default)" as follows:
Send end-user spam notifications every (days)
1
Could someone confirm that this setting would be able to make it so that each user in the organization will be able to get notified, review and release emails marked as "High Confidence Phish"?
It appears that the original issue for the specific user ha stopped after manually reviewing and releasing(by an Admin) 34 false positives. Perhaps the algorithm has gotten better at not flagging false positives as High Confidence Phish, after selecting the function to "Report to Microsoft" after release.
Hi
Configure end-user spam notifications: 1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies page > Policies section > Anti-spam. 2. On the Anti-spam policies page, select an anti-spam policy from the list by clicking on the name: - A custom policy that you created where the value in the Type column is Custom anti-spam policy. - The default policy named Anti-spam inbound policy (Default). 3. In the policy details flyout that appears, click Edit in the Actions section. In the Actions flyout that appears, configure the following settings: Enable end-user spam notifications: Select the checkbox to enable notifications or clear the checkbox to disable notifications. When you select the checkbox, the following additional settings appear: Send end-user spam notifications every (days): Select how frequently notifications are sent. The default value is 3 days. You can enter 1 to 15 days. There are 3 cycles of end-user spam notification within a 24 hour period that start at the following times: 01:00 UTC, 08:00 UTC, and 16:00 UTC. Language: Click the drop down an select an available language from the list. The default value is Default, which means English. When you're finished, click Save.
4.Back on the policy details flyout, click Close.
Hi @Azure Apprentice
Any progress here? Have you tried the steps above?
Yes, that is the exact configuration that we did. The only difference is that we changed the default value for the notifications to 1 day, since we want everyone to get the notifications ASAP. The "01:00 UTC, 08:00 UTC, and 16:00 UTC." time frame is interesting, so if the value is configured to "1day=24 hours" users should get notified in theory 3 times a day?
How should such a notification email look like? Is there an example in Microsoft documentation about it?
The original issue appears has stopped after manually reporting 34 false positives, possibly due to the algorithm automatically adjusting.
@Joyce Shen - MSFT