Phishing email goes through because of an Exchange Transport Rule that cannot be found

Question

Hello everyone,

I have got a Phishing email go through to the user's inbox.

When going to the phishing email Explorer page on Security Center to get more details on why the email was let through, I found the following:

• Exchange Transport Rule has been applied to this email. I can see the GUID of the rule.

I have checked the following so far:

• Get-TransportRule, nothing found using the GUID or by listing all the rules.
• Safe senders, mail flow rules, or block and allow organizational settings.
• Anti-Spam, Anti-Phishing and other policies that might have a whitelist.

We couldn't find any setting that would allow the email to pass through.

Is there a way to find where and what is this rule by it's GUID only? Or, what policy and configuration allowed this email to pass to the user although it was detected as a phishing email?

Thank you!

Regards,

Answer 1

Hello @Said A !

Can you run the

Get-InboxRule -Mailbox user@domain.com -includehidden | Select-object *

Maybe it is a Hidden rule on a specific Mailbox

So if you ryn Get-TransportRule with the Guid , it does not return nothing ?

Please try the command i send you and tell us how it went !

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Answer 2

Did you check the safe sender list of the user who received the message? Not sure which you checked

Get-MailboxJunkEmailConfiguration -Identity "<user>"

Answer 3

Hello @Said A !

DId you run the hidden revealing command ?

Please see my answer and let us know!

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards