Mail flow rule anti spam message header

Tomer Grega 1 Reputation point
2022-04-07T10:12:51.713+00:00

Hi,
I've created a mail flow rule with the intention of sending a notification to the recipient when the email is flagged as malicious with the following details:
Apply this rule if...
The sender is located: outside the organization
A message header includes: 'X-Forefront-Antispam-Report' header includes 'CAT:AMP'
Do the following...
Notify the recipient with a message...(and the message itself)

The test email i'm sending is flagged as malicious with the header flag of CAT:AMP but the email doesn't go through the mail flow rule, what am i missing?

From the message header (of the test email):
ForefrontAntiSpamReport
Country/Region: US
Language: en
Spam Confidence Level: -1
Spam Filtering Verdict: SKQ
IP Filter Verdict: NLI
HELO/EHLO String: mail-lj1-f176.google.com
PTR Record: mail-lj1-f176.google.com
Connecting IP Address: 209.85.208.176
Protection Policy Category: AMP
Spam rules: (13230001)(4636009)(166002)(86362001)(22186003)(5660300002)(6916009)(42186006)(1096003)(7116003)(55446002)(8676002)(356005)(7596003)(33964004)(26005)(7636003)(82202003)(564344004)(6666004)(3480700007)(73392003)(58800400005)(966005)(336012)(76482006)(220243001)(67856001)

Source header: CIP:209.85.208.176;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKQ;H:mail-lj1-f176.google.com;PTR:mail-lj1-f176.google.com;CAT:AMP;SFS:(13230001)(4636009)(166002)(86362001)(22186003)(5660300002)(6916009)(42186006)(1096003)(7116003)(55446002)(8676002)(356005)(7596003)(33964004)(26005)(7636003)(82202003)(564344004)(6666004)(3480700007)(73392003)(58800400005)(966005)(336012)(76482006)(220243001)(67856001);DIR:INB;

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,426 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andy David - MVP 143.6K Reputation points MVP
    2022-04-07T14:39:55.74+00:00

    How is this being tested? Malware would be quarantined or dropped before it hit the transport pipeline and you would set the notifications in the anti-malware policy.

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined?view=o365-worldwide