Protection against phishing, malware, and other threats targeting email and collaboration tools in Microsoft 365
High confidence phishing and malware verdicts are always enforced by the “secure by default” behavior in Microsoft 365. That means:
- Messages classified as High confidence phishing are always quarantined.
- Organization-level overrides such as allowed sender/domain lists, Outlook Safe Senders, IP Allow Lists, and mail flow rules are not honored for these messages.
So even though the sender is trusted and validated, Defender for Office 365 will still quarantine messages if they are scored as high confidence phish.
To handle this scenario while keeping protection in place, use the supported workflows instead of allowlists:
- Use quarantine workflows
  - High confidence phishing messages are quarantined and this cannot be turned off. Admins can manage them in the Microsoft Defender portal quarantine experience. For details on quarantine behavior and admin controls, see Quarantined email messages in cloud organizations and Manage quarantined messages and files as an admin.
- Report the messages as false positives to Microsoft
  - When legitimate email is repeatedly classified as spam/phish, the supported approach is to submit the messages to Microsoft for analysis so detection logic can be improved.
  - For Defender for Office 365, use admin submissions to report the quarantined messages as “good” (false positive). See Submit suspected spam, phish, URLs, and files to Microsoft for scanning as referenced in the Defender XDR false-positive guidance.
  - This is explicitly recommended over bypassing filters. See Address false positives or false negatives in Microsoft Defender XDR.
- Avoid using Safe Senders / allowlists to bypass filtering
  - Outlook Safe Senders and organization allowlists are not applied to malware or high confidence phishing due to secure-by-default behavior. See Secure by default in cloud organizations.
  - Even where Safe Senders or allowlists do apply, they are discouraged because they bypass parts of the filtering stack and can allow malicious mail if the trusted sender is compromised. See Create sender allowlists for cloud mailboxes.
- End-user handling of quarantined messages
  - By default, end users cannot release high confidence phishing messages themselves; this is by design. Other quarantine reasons (spam, phishing, bulk, etc.) may allow user release, but high confidence phishing is restricted. See Manage quarantined messages and files as a user.
Operationally, the best practice is:
- Continue to let Defender quarantine high confidence phish.
- Have admins review and release legitimate messages from quarantine as needed.
- Consistently submit these legitimate quarantined messages as false positives via admin submissions so Microsoft can adjust detections over time.
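As an added example (not from the answer above or from Microsoft's documentation), the three operational steps scripted with the ExchangeOnlineManagement cmdlets: list unreleased high confidence phish items from one expected sender, show them for admin review, and only with an explicit switch release them while filing the false-positive submission in the same call. The sender address, admin UPN and lookback window are placeholders.

```powershell
# Added example: admin review of HighConfPhish quarantine items for one sender.
# Requires the ExchangeOnlineManagement module and an account with quarantine
# admin rights. Sender address and admin UPN are placeholders, not real values.
param(
    [Parameter(Mandatory)] [string] $SenderAddress,   # e.g. notifications@partner.example
    [string] $AdminUpn = 'admin@contoso.example',
    [int]    $LookbackDays = 7,
    [switch] $Release                                  # omit for a review-only dry run
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Safe Senders and allowlists never apply to this quarantine type, so the items
# can only be found and handled in quarantine itself.
$items = Get-QuarantineMessage -QuarantineTypes HighConfPhish `
                               -ReleaseStatus NotReleased `
                               -SenderAddress $SenderAddress `
                               -StartReceivedDate (Get-Date).AddDays(-$LookbackDays) `
                               -PageSize 1000

if (-not $items) {
    Write-Host "No unreleased high confidence phish items from $SenderAddress."
    Disconnect-ExchangeOnline -Confirm:$false
    return
}

# Review step: an admin confirms the sender/subject pattern before anything is released.
$items | Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Identity |
    Format-Table -AutoSize

if ($Release) {
    foreach ($m in $items) {
        # -ReportFalsePositive files the admin submission alongside the release,
        # which is the supported way to get the detection tuned over time.
        # Deliberately no -AllowSender: an allowlist entry would not apply to
        # high confidence phish and would weaken filtering for everything else.
        Release-QuarantineMessage -Identity $m.Identity -ReleaseToAll `
                                  -ReportFalsePositive -Confirm:$false
        Write-Host "Released and reported as false positive: $($m.Subject)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Release` to review the list, then again with `-Release` after confirming the messages are legitimate.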
References:
- Create sender allowlists for cloud mailboxes
- Secure by default in cloud organizations
- Quarantined email messages in cloud organizations
- Manage quarantined messages and files as a user
- Manage quarantined messages and files as an admin
- Address false positives or false negatives in Microsoft Defender XDR