What policy applies when multiple protection methods and detection scans run on your email
Incoming mail can be flagged by more than one form of protection (for example both EOP and ATP) and by more than one detection scan (for example spam and phishing). This happens because ATP customers have ATP anti-phishing policies while EOP customers have EOP anti-phishing policies, and a single message may pass through separate scans for malware, phishing, and user impersonation. With all of this activity, it is not always obvious which policy applied.
In general, the verdict applied to a message is recorded in the X-Forefront-Antispam-Report header, in the CAT (Category) property. If you have multiple anti-phishing policies, the one with the highest priority applies.
The following categories apply to all organizations. A lower priority number wins when a message matches more than one category.

|Priority|Type|Category (CAT)|Where to manage|
|---|---|---|---|
|2|Phishing|PHSH|Configure your spam filter policies|
|3|High confidence spam|HSPM|Configure your spam filter policies|
|4|Spoofing|SPOOF|Anti-phishing policy, spoof intelligence|
|5|Spam|SPM|Configure your spam filter policies|
|6|Bulk|BULK|Configure your spam filter policies|

In addition, these categories apply to organizations with ATP.

|Priority|Type|Category (CAT)|Where to manage|
|---|---|---|---|
|7|Domain impersonation|DIMP|Set up Office 365 ATP anti-phishing and anti-phishing policies|
|8|User impersonation|UIMP|Set up Office 365 ATP anti-phishing and anti-phishing policies|
As an example, suppose you have two anti-phishing policies, policy A at priority 1 and policy B at a lower priority, and anti-spoofing is turned off in policy A.
If a message arrives that is identified as both user impersonation and spoofing (see the table above), and the same set of users scoped to policy A is also scoped to policy B, the message is flagged and treated as a spoof, because spoofing (category priority 4) outranks user impersonation (category priority 8). However, no action is applied, because anti-spoofing is turned off in the policy that runs.
Keep in mind that administrators can create a prioritized list of policies (see the priority field above), but only one policy runs and applies its actions. A user who is in both policy A and policy B gets the higher-priority policy (A, at #1), and the message is not evaluated against any further policies. If anti-spoofing is off in that policy, no action runs.
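The two rules above (the lowest-numbered category wins, then only the highest-priority policy scoped to the recipient runs) are easy to get wrong when reasoning by hand. The following Python is an added example, not code from the original page or from Microsoft: it parses a constructed X-Forefront-Antispam-Report header to pull out CAT, picks the winning category from a set of detections using the priorities in the tables above, and models the policy-A/policy-B scenario. The `AntiPhishPolicy` class, the sample policies (policy B's settings in particular), the recipient addresses, and every value in the sample header are assumptions made up for the illustration.

```python
from dataclasses import dataclass, field

# Category codes taken from the tables on this page, keyed by the CAT value
# that appears in X-Forefront-Antispam-Report. Lower number = higher priority.
CATEGORY_PRIORITY = {
    "PHSH": (2, "Phishing"),
    "HSPM": (3, "High confidence spam"),
    "SPOOF": (4, "Spoofing"),
    "SPM": (5, "Spam"),
    "BULK": (6, "Bulk"),
    "DIMP": (7, "Domain impersonation"),
    "UIMP": (8, "User impersonation"),
}


@dataclass
class AntiPhishPolicy:
    """Hypothetical model of an anti-phishing policy (an assumption for this
    example): name, priority (1 = highest), the recipients it is scoped to,
    and which protections are switched on, keyed by CAT code."""
    name: str
    priority: int
    users: set
    enabled: dict = field(default_factory=dict)


def parse_forefront_report(header_value: str) -> dict:
    """Split X-Forefront-Antispam-Report into its KEY:VALUE fields.

    The header is a ';'-separated list such as 'CIP:...;CAT:SPOOF;...'.
    partition() keeps any ':' inside a value intact; keys are upper-cased.
    """
    fields = {}
    for part in header_value.split(";"):
        key, sep, value = part.strip().partition(":")
        if sep and key:
            fields[key.strip().upper()] = value.strip()
    return fields


def winning_category(detected: set) -> str:
    """Given every category a message was flagged as, return the one that
    applies: the lowest priority number in the table. 'NONE' if nothing known."""
    known = [c for c in detected if c in CATEGORY_PRIORITY]
    if not known:
        return "NONE"
    return min(known, key=lambda c: CATEGORY_PRIORITY[c][0])


def select_policy(policies, recipient: str):
    """Return the highest-priority policy scoped to the recipient, or None.
    Only this one policy runs; lower-priority policies are never consulted."""
    rcpt = recipient.lower()
    scoped = [p for p in policies if rcpt in {u.lower() for u in p.users}]
    return min(scoped, key=lambda p: p.priority) if scoped else None


def resolve(policies, recipient: str, detected: set) -> dict:
    """Combine the two rules: pick the winning category, pick the one policy
    that runs, and report whether that policy actually acts on the category."""
    cat = winning_category(detected)
    policy = select_policy(policies, recipient)
    acts = bool(policy and policy.enabled.get(cat, False))
    return {"cat": cat, "policy": policy.name if policy else None, "action_applied": acts}


# Constructed scenario matching the text: policy A is priority 1 with
# anti-spoofing off; policy B (assumed priority 2, assumed settings) has
# anti-spoofing on. Both scope the same (made-up) user.
POLICY_A = AntiPhishPolicy("Policy A", 1, {"alice@contoso.com"}, {"UIMP": True, "SPOOF": False})
POLICY_B = AntiPhishPolicy("Policy B", 2, {"alice@contoso.com"}, {"UIMP": False, "SPOOF": True})
POLICIES = [POLICY_B, POLICY_A]  # list order is irrelevant; priority decides

# Constructed header; the field values are illustrative, not captured from a real message.
SAMPLE_HEADER = (
    "CIP:203.0.113.5;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;"
    "H:mail.example.net;PTR:mail.example.net;CAT:SPOOF;SFS:(2980300002)(199004);DIR:INB"
)

if __name__ == "__main__":
    print(parse_forefront_report(SAMPLE_HEADER)["CAT"])  # SPOOF
    # {'cat': 'SPOOF', 'policy': 'Policy A', 'action_applied': False}
    print(resolve(POLICIES, "alice@contoso.com", {"UIMP", "SPOOF"}))
```

Running `resolve` with policy A removed shows the other half of the point: the same message is then handled by policy B, whose anti-spoofing is on, so the action is applied. That is the situation the text warns about: the user's coverage depends entirely on the single highest-priority policy they fall into.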
Because many groups of users can end up spread across many policies, administrators may find it simpler to use fewer policies with more capabilities enabled in each. It is also important to confirm that every user is covered by a comprehensive policy, since a user who falls into no policy gets none of these protections.
To have a different anti-phishing policy apply to a message, adjust which users, groups, or domains each policy is scoped to, keeping in mind that only the highest-priority matching policy runs.