My org is using a SaaS app (intercom.io) for customer support.
We have an Exchange Online mailbox with a rule in place to auto-forward all mail over to the intercom domain.
What we are finding is that the message is forwarded prior to any threat scanning taking place, meaning that spam/phishing mail is being sent over before being sent to quarantine by MS365 Defender.
I have replicated the flow and tried different ways of forwarding (internal mailbox rule / SMTP forward through EAC / transport rule) and they are all processed the same way. I've also looked for an answer to what sounds like a simple setup and have come up with nothing (the closest thing I've found is here: https://learn.microsoft.com/en-us/answers/questions/648337/apply-atpspamphishing-protection-on-forwarded-mess.html).
What I want to know is whether this is expected behaviour and whether we should be relying on inbound protection on the other side.
Mail trace excerpt included below:
Sender: ******@domain1.com
Recipient: ******@mydomain.com
Received -> Processed -> Delivered
Status: The message was forwarded to the Inbox folder of the following address: Redirected to: ******@intercomdomain.com

| Date (UTC) | Event | Detail |
|---|---|---|
| 5/22/2022, 4:58 PM | Receive | Message received by: XXXX.prod.outlook.com using TLS1.2 with AES256 |
| 5/22/2022, 4:58 PM | Redirect | The message was directed to ******@intercomdomain.com. |
| 5/22/2022, 4:58 PM | Defer | Reason: 400 4.7.721 Advanced Threat Protection scanning in progress. |
| 5/22/2022, 5:01 PM | Receive | |
| 5/22/2022, 5:01 PM | Spam | No detail information available. |
| 5/22/2022, 5:01 PM | Spam | No detail information available. |
| 5/22/2022, 5:01 PM | Receive | |
| 5/22/2022, 5:01 PM | Send external | |
| 5/22/2022, 5:01 PM | Send | Message sent to quarantine. |
| 5/22/2022, 4:58 PM | Send external | |
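One way to audit a trace for exactly this ordering problem, as an added example that is not part of the original post or any Microsoft tooling: it parses pipe-separated trace rows like the excerpt above and reports when a Redirect event precedes the first filtering verdict (a Spam event or a send to quarantine). The sample rows are constructed from the excerpt above, not pulled from a live tenant.

```python
"""Flag message-trace rows where a forward/redirect fires before the
filtering verdict. The TRACE rows below are constructed from the
excerpt in the post above (example code, not a Microsoft tool)."""
from datetime import datetime

TRACE = """\
5/22/2022, 4:58 PM | Receive | Message received by: XXXX.prod.outlook.com using TLS1.2 with AES256
5/22/2022, 4:58 PM | Redirect | The message was directed to ******@intercomdomain.com.
5/22/2022, 4:58 PM | Defer | Reason: 400 4.7.721 Advanced Threat Protection scanning in progress.
5/22/2022, 5:01 PM | Receive |
5/22/2022, 5:01 PM | Spam | No detail information available.
5/22/2022, 5:01 PM | Spam | No detail information available.
5/22/2022, 5:01 PM | Receive |
5/22/2022, 5:01 PM | Send external |
5/22/2022, 5:01 PM | Send | Message sent to quarantine.
5/22/2022, 4:58 PM | Send external |
"""

def parse_trace(text):
    """Turn 'date | event | detail' rows into (datetime, event, detail) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, event, detail = (p.strip() for p in line.split("|", 2))
        rows.append((datetime.strptime(date, "%m/%d/%Y, %I:%M %p"), event, detail))
    return rows

def forwarded_before_verdict(rows):
    """Return timing details if the first Redirect is not later than the first
    filtering verdict (Spam event or quarantine send); otherwise None."""
    redirects = [t for t, ev, _ in rows if ev == "Redirect"]
    verdicts = [t for t, ev, d in rows if ev == "Spam" or "quarantine" in d.lower()]
    if not redirects or not verdicts:
        return None
    first_redirect, first_verdict = min(redirects), min(verdicts)
    if first_redirect > first_verdict:
        return None  # verdict came first: the forward was filtered mail
    return {"redirected_at": first_redirect, "verdict_at": first_verdict,
            "lag_seconds": int((first_verdict - first_redirect).total_seconds())}

if __name__ == "__main__":
    result = forwarded_before_verdict(parse_trace(TRACE))
    if result:
        print(f"forwarded {result['lag_seconds']}s before the spam verdict: {result}")
    else:
        print("no pre-verdict forward found")
```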