DanJohnson-0923 asked ·

Microsoft Quarantined emails and 'Machine learning'

Hi

We have an issue in our organisation and we are struggling along with Microsoft support regarding a solution.

We send phishing emails and in particular impersonation emails to quarantine.

We have users who have created personal accounts that match the name of their organisational accounts. So jxx@hotmail.com sends email to jxx@corporateaccount.com.

Now the system is doing its job here and these emails are being flagged as CAT UIMP or GIMP etc and the emails are sent to quarantine. So far so good.

Now as these emails are genuine we have raised this with Microsoft and asked the best way to allow genuine impersonation emails to land in the users' inbox. Microsoft have advised that the user should release the email, submit it to Microsoft and reply back and forth, and the machine will 'learn' and eventually emails from jxx@hotmail.com sent to jxx@corporateaccount.com will no longer be quarantined.

This is true to an extent. If jxx releases one of these emails he is able to reply back and forth within that email conversation with no issues.

If however a fresh email is sent from jxx@hotmail.com to jxx@corporateaccount.com, this will still hit quarantine. No matter how many times we release and submit, we can never get a new email to bypass quarantine.

So it looks like this machine is not fully learning.

We have been advised by non-Microsoft folk that users can simply add the personal account to their safe sender list and this resolves the issue. My business has rejected this as they don't want any bypasses in place. They want the system to 'learn'.

My question is: when we add users to the safe sender list, does this bypass the full protection stack?

Are we being naïve as to expect the system to learn in this way?

Does anyone have any experience with this and the best way to approach it? Other than telling users not to create personal accounts and send to their corporate accounts?


Hi @DanJohnson-0923
I am following up to see if you have had a chance to check the suggestion provided by Andy. If it is helpful, it would be appreciated if you could accept his post as the answer. If you still have further questions on this, feel free to post back.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 Answer

AndyDavid answered ·

Well, I was going to say "telling users not to create personal accounts and send to their corporate accounts" haha

In these instances, we typically tell users to simply add the sender to their safe senders list. It does bypass some of the filtering stack when you do this (except malware and high confidence phishing), however it's not much different IMO from ATP learning, since the ML should be applying that only to the mailbox in question. From what I have seen, the machine learning only goes so far, and there is also an element of time here and the need to communicate rather than wait for the ML to kick in, and creating multiple transport rules versus using safe sender lists is going to be a never-ending moving target.

I'm sure you have seen this already:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide

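The two operations discussed in the thread, as an added Exchange Online PowerShell example (not code posted by either participant). It assumes a session opened with Connect-ExchangeOnline and rights to edit anti-phishing policies and mailbox junk settings; the addresses, mailbox and policy name are placeholders. The `-UseSafeSenders` switch applies the per-mailbox Outlook safe sender that the answer describes; without it, the script instead adds the sender to the anti-phishing policy's impersonation exception list (`ExcludedSenders`), which only affects the impersonation verdict, so spam, malware and high-confidence phishing filtering still run for that sender. The report function lists where a sender has been exempted, so a "no bypasses" requirement can be audited rather than assumed.

```powershell
# Added example, not from the thread. Assumes an Exchange Online PowerShell session
# (Connect-ExchangeOnline) with rights to edit anti-phish policies and mailbox junk
# settings. Addresses, mailbox and policy name are placeholders.
function Add-ImpersonationException {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$PersonalAddress,   # e.g. jxx@hotmail.com (placeholder)
        [Parameter(Mandatory)] [string]$CorporateMailbox,  # e.g. jxx@corporateaccount.com (placeholder)
        [string]$AntiPhishPolicy = 'Office365 AntiPhish Default',  # placeholder: your policy name
        [switch]$UseSafeSenders   # broad per-mailbox bypass instead of the scoped exception
    )

    # 1. Confirm what is actually being quarantined before touching any policy.
    $quarantined = Get-QuarantineMessage -SenderAddress $PersonalAddress `
                                         -RecipientAddress $CorporateMailbox
    $quarantined | Select-Object ReceivedTime, Type, Subject | Format-Table -AutoSize

    if ($UseSafeSenders) {
        # 2a. What the answer describes: an Outlook safe sender for one mailbox.
        #     Spam filtering is skipped for this sender in this mailbox; malware
        #     and high-confidence phishing verdicts still apply.
        if ($PSCmdlet.ShouldProcess($CorporateMailbox, "Trust $PersonalAddress")) {
            Set-MailboxJunkEmailConfiguration -Identity $CorporateMailbox `
                -TrustedSendersAndDomains @{Add = $PersonalAddress}
        }
    }
    else {
        # 2b. Narrower alternative: exempt the sender from impersonation checks only
        #     (the CAT:UIMP / CAT:GIMP verdicts). Spam, malware and high-confidence
        #     phishing filtering are unchanged for this sender. Note the exception
        #     applies to every recipient covered by the policy, not one mailbox.
        $policy = Get-AntiPhishPolicy -Identity $AntiPhishPolicy
        if ($policy.ExcludedSenders -contains $PersonalAddress) {
            Write-Verbose "$PersonalAddress is already excluded in $AntiPhishPolicy"
        }
        elseif ($PSCmdlet.ShouldProcess($AntiPhishPolicy,
                    "Exclude $PersonalAddress from impersonation checks")) {
            Set-AntiPhishPolicy -Identity $AntiPhishPolicy `
                -ExcludedSenders @{Add = $PersonalAddress}
        }
    }
}

function Get-SenderBypassReport {
    # Lists every place a sender has been exempted: anti-phish impersonation
    # exceptions (tenant-wide per policy) and the mailbox's own safe sender list.
    param(
        [Parameter(Mandatory)] [string]$PersonalAddress,
        [string]$CorporateMailbox
    )

    Get-AntiPhishPolicy |
        Where-Object { $_.ExcludedSenders -contains $PersonalAddress } |
        Select-Object Name, @{ n = 'Scope'; e = { 'Impersonation checks only' } }

    if ($CorporateMailbox) {
        $junk = Get-MailboxJunkEmailConfiguration -Identity $CorporateMailbox
        if ($junk.TrustedSendersAndDomains -contains $PersonalAddress) {
            [pscustomobject]@{
                Name  = $CorporateMailbox
                Scope = 'Outlook safe sender (spam filtering skipped for this mailbox)'
            }
        }
    }
}

# Usage with the thread's placeholder addresses; -WhatIf previews the change.
# Add-ImpersonationException -PersonalAddress 'jxx@hotmail.com' `
#     -CorporateMailbox 'jxx@corporateaccount.com' -WhatIf
# Get-SenderBypassReport -PersonalAddress 'jxx@hotmail.com' `
#     -CorporateMailbox 'jxx@corporateaccount.com'
```

The trade-off between the two paths is scope: the anti-phish `ExcludedSenders` entry is narrow in what it disables (only the impersonation verdict) but applies to every recipient the policy covers, while the mailbox safe sender is limited to one mailbox but skips spam filtering for that sender entirely. Re-run `Get-QuarantineMessage` with the same sender and recipient after a fresh message is sent to confirm the chosen exception actually changed the verdict.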