EOP how to restore an user if a false positive activate the phishing user block

Marc 631 Reputation points
2021-10-04T15:12:45.337+00:00

During an EOP mail flow test I sent various emails using the same user. The EOP phishing system (configured at 1) blocked the user thinking we were in a phisching regime.
I have noticed that in this scenario there are no direct actions to unblock the user.
I have also noticed the "add trasted sender" option in phishing doesn't work at all. Although the user is added is not permanently saved. In fact, once I go out of the rule and returning back, the user is gone (he is no longer present).
Is there a way to fix this strange behavior?
Thanks

137455-trusted-phishing.png

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,373 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marc 631 Reputation points
    2021-10-04T20:18:11.31+00:00

    Unfortunately, I couldn't find a solution.

    If the anti-phishing blocks a user thinking mistakenly that there is a phishing activity, how can we revert back this error?
    This is relevant because in that case the user emails will be moved every-time to quarantine.
    Hopefully someone can help.
    Thanks

    0 comments No comments

  2. KyleXu-MSFT 26,241 Reputation points
    2021-10-05T02:30:24.367+00:00

    @Marc

    The anti-spam policies and anti-phishing policies takes effect after the transport rule. So, you could try to use transport rule to allow this user bypass spam filter, such as:
    137535-qa-kyle-10-24-23.png

    About the phenomenon that you cannot save the trusted user, I would suggest you open a service request to Office 365 team from Microsoft 365 admin center, they may could help you check the confirmation from the backend.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.