Emails being put in Quarantine for a specific user with the reason "High Confidence Phish"

Azure Apprentice 191 Reputation points
2021-07-14T10:11:55.45+00:00

Hello Experts,
hope you are doing well.

We are facing an issue where we see a large amount of emails being moved to quarantine for a particular user. The emails are not spam or phish.

The user is using the integration for Outlook in Workable - https://www.workable.com/

However, communication is not only done through the integration in Workable; it's also done through the Outlook app in macOS, just adding this info for reference.
The issue seems to happen most often with "mail pyramids" where "reply" has been clicked more than a few times.

As of now the only way for me to release those emails for the user is to go to:
https://security.microsoft.com/quarantine and manually release all the messages there.
Unfortunately, when the user navigates to the above link, they do not see anything, so I have to do it as an admin.

What have I done to possibly solve this? Please feel free to correct me, if anything of the below is not as it should be.

In here:
https://security.microsoft.com/antispam -> I have created a separate Anti-Spam policy

Under "Users, groups, and domains" I have added only the particular user we are seeing this predominantly happen to.

Bulk email threshold - I have set this to 9, with the hopes that this will reduce the sending of the email pyramids to Quarantine. I don't know if it's correlated, correct me if it isn't.

I've configured this setting to redirect High confidence phish emails:
"High confidence phishing message action
Redirect message to email address"

Screenshots of the configuration attached for reference.

And the redirection email is set to the user's email.

Will this newly configured granular policy work side by side with our default policy?
The idea is for the user to have the ability to receive the emails that are sent to quarantine, or somehow to review and release them.

The domains of the emails put in quarantine for the specific user are Google, Yahoo etc. Mostly popular and verified domains.
And this happens sometimes while using the Outlook integration and replying from it, but happens also while the user is going through the Outlook app for macOS.
Would there be some best practice configuration from Microsoft side in order to prevent this from happening when using the integration in Workable?

Although we have emails put in quarantine for other users too, we'd like to make an exception for the specific user if needed.

Any thoughts and advice on the matter are appreciated.

Thanks.

Exchange Server Management

Accepted answer
  1. Joyce Shen - MSFT 16,646 Reputation points
    2021-07-15T06:04:57.9+00:00

    Hi @Azure Apprentice

    Yes, you could set this policy for the specific user as a workaround. And like Andy mentioned above, it's better to determine why the mails are getting quarantined.

    In addition, we can see the official document: Find and release quarantined messages as a user in EOP

    Admins can also enable end-user spam notifications in anti-spam policies. Users can release quarantined spam messages directly from these notifications. Users can review quarantined phishing messages (not high confidence phishing messages) directly from these notifications. For more information, see End-user spam notifications in EOP

    By default, end-user spam notifications are disabled in anti-spam policies. When an admin enables end-user spam notifications, recipients (including shared mailboxes with automapping enabled) will receive periodic notifications about their messages that were quarantined as spam, bulk email, or (as of April 2020) phishing.


    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 additional answers

  1. Andy David - MVP 142.8K Reputation points MVP
    2021-07-14T11:39:58.683+00:00

    Have you determined why they are marked as high confidence phish?

    EOP is now proactively blocking high confidence phish:
    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide

    So I suspect your redirect will work for now, but maybe not in the future.

    For your specific question, yes, you can set a policy for just that user; ensure it's a higher priority than the default, and hope that user doesn't click on a real phishing message.


  2. Azure Apprentice 191 Reputation points
    2021-07-19T10:10:11.153+00:00

    @Andy David - MVP @Joyce Shen - MSFT Thank you for the answers.

    After consideration we have removed this policy as it poses a risk for real phishing emails to get delivered to the user's mailbox.

    Instead we have modified our "Anti-spam inbound policy (Default)" as follows:
    Send end-user spam notifications every (days)
    1

    Could someone confirm that this setting would be able to make it so that each user in the organization will be able to get notified, review and release emails marked as "High Confidence Phish"?

    It appears that the original issue for the specific user has stopped after manually reviewing and releasing (by an Admin) 34 false positives. Perhaps the algorithm has gotten better at not flagging false positives as High Confidence Phish, after selecting the function to "Report to Microsoft" after release.
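The configuration the thread converges on (a dedicated anti-spam policy scoped to one user at a higher priority than the default, as the question and Andy's answer describe; daily end-user spam notifications, as the accepted answer and the follow-up post describe; and admin review of quarantined items with the false positive reported to Microsoft) can be expressed with Exchange Online PowerShell instead of the portal. The block below is an added example written for this page, not code posted by any participant or by Microsoft; the mailbox address, policy name and function name are assumptions, and the redirect setting from the original question is left commented out because the follow-up post removed it. As the accepted answer notes, end-user notifications let users release spam and bulk and review phish, but high confidence phish still has to be released by an admin, which is what the last two steps do.

```powershell
# Added example: the thread's configuration via the ExchangeOnlineManagement module.
# $User and $PolicyName are assumed values; replace them with your own.
$User       = 'user@contoso.com'        # assumed: the affected mailbox
$PolicyName = 'Workable-User-AntiSpam'  # assumed: name used for both policy and rule

Connect-ExchangeOnline

# 1. Dedicated inbound anti-spam policy for the single user.
#    BulkThreshold 9 is the most permissive bulk setting (as set in the question).
#    Notifications every 1 day match the follow-up post's default-policy change.
#    High confidence phish stays quarantined rather than redirected to the user.
New-HostedContentFilterPolicy -Name $PolicyName `
    -BulkThreshold 9 `
    -HighConfidencePhishAction Quarantine `
    -EnableEndUserSpamNotifications $true `
    -EndUserSpamNotificationFrequency 1

# The question's original (later removed) setting, kept here only for reference:
# Set-HostedContentFilterPolicy -Identity $PolicyName `
#     -HighConfidencePhishAction Redirect -RedirectToRecipients $User

# 2. Rule that scopes the policy to the user. Priority 0 is the highest, so this
#    policy is evaluated before the default one (Andy's point about priority).
New-HostedContentFilterRule -Name $PolicyName `
    -HostedContentFilterPolicy $PolicyName `
    -SentTo $User `
    -Priority 0

# 3. Admin triage: list what is currently held for the user as high confidence phish.
function Get-UserHighConfPhishQuarantine {
    param([Parameter(Mandatory)][string]$RecipientAddress)
    Get-QuarantineMessage -RecipientAddress $RecipientAddress -Type HighConfPhish |
        Select-Object ReceivedTime, SenderAddress, Subject, Identity
}

# 4. After a human has reviewed a message and judged it a false positive, release it
#    to all recipients and report it to Microsoft (the "Report to Microsoft" step the
#    follow-up post mentions). Admin-only, because users cannot release this category.
function Invoke-FalsePositiveRelease {
    param([Parameter(Mandatory)][string]$Identity)
    Release-QuarantineMessage -Identity $Identity -ReleaseToAll -ReportFalsePositive
}

# Usage:
$held = Get-UserHighConfPhishQuarantine -RecipientAddress $User
$held | Format-Table -AutoSize
# Invoke-FalsePositiveRelease -Identity $held[0].Identity   # only after review
```

The policy itself does not widen delivery of high confidence phish: it only changes the bulk threshold and turns on notifications for this recipient, and every release still goes through an admin who has looked at the message. Keep the rule at a higher priority than the default policy, otherwise the default policy's settings apply to the user and the custom policy never takes effect.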