Tenant policy (verdict override) Exchange Online

New Contributor

Hey All,

 

My company recently received a spoofed phishing email from noreply@[companyname].com and it passed through both our spam and phishing filters.  Upon further inspection, it had an SPF fail and originated from Vietnam (Which we block all emails from).  My question is that when submitting the email under Threat Management -> Submissions in the Office 365 Security & Compliance Center, this is what I get when its submitted:

Review your Tenant policy (verdict override). At the time of delivery, you had sufficient security mechanisms to block this threat. However, they were overridden by your Tenant policy (verdict override)
 
I looked in all of the setting and can't find where this email would have sneaked through.
 
Any thoughts?
4 Replies

Just run a message trace, it will let you know why. Most likely some sort of a whitelist.

Thanks@Vasil Michev !

 

It turns out we had our own domain whitelisted which led to the override of our other security policies.

That's not as uncommon as one might think - removing your own domain from any whitelists is practically the #1 recommendation from the EOP folks lately.

@ewinonait How did you discover this whitelist your domain was in? Ive got the excact same situation as you, and have done a message trace - but theres no info for me to act on. Just logs about how it was delivered OK (when it should not)

www.000webhost.com