Hi,
since we moved our mailboxes to Exchange Online, our quarantine is getting hammed with e-mails that are legit. I managed to calm the situation with adding certain domains to "Allowed to spoof". But there are so many exceptions that I am asking myself if this is worth having enabled.
The E-Mails are getting blocked from the default AntiPhish Policy because the way I understand it, some of my colleagues are included in a distribution list that is from another company, not ours. And every time an e-mail comes with this distribution group in cc where my colleagues reside - mail will land in quarantine.
From Message Header Anaylzer about this particular e-mail:
Spam Confidence Level 5
Spam Filtering Verdict SPM
IP Filter Verdict NLI
Protection Policy Category SPOOF

Cheers