We have an issue in our organisation and we are struggling along with Microsoft support re a solution.
We send phishing emails and in particular impersonation emails to quarantine.
Now the system is doing its job here and these emails are being flagged as CAT UIMP or GIMP etc and the emails are sent to quarantine. So far so good.
Now as these emails are genuine we have raised with Microsoft and asked the best way to allow genuine impersonation emails to land in the users inbox. Microsoft have advised that the user should release the email, submit it to Microsoft and reply back and forth and the machine will 'learn' and eventually emails from Jxx@hotmail.com sent to email@example.com will no longer be quarantined.
This is true to an extent. If Jxx releases one of these emails he is able to reply back and forth within that email conversation with no issues.
If however a fresh email is sent from Jxx@hotmail.com sent to firstname.lastname@example.org this will still hit quarantine. No matter how many times we release and submit we can never get a new email to bypass quarantine.
So it looks like this machine is not fully learning.
We have been advised by non microsoft folk that users can simply add the personal account to their safe sender list and this resolves the issue. My business has rejected this as they dont want any bypasses in place. They want the system to 'learn'
My question is when we add users to safe sender list does this bypass the full protection stack?
Are we being naïve as to expect the system to learn in this way?
Does anyone have any experience with this and the best way to approach it? Other than telling users not to create personal accounts and send to their corporate accounts?