Simplifying the Quarantine Experience

Published Aug 24 2021 08:00 AM

Managing false positives should be easy

As cyber security becomes a crucial part of the day-to-day activities of every organization, it becomes vital to allow different organizations to customize their security tools in a way that best fits and meets their needs, while ensuring that such customization does not compromise the productivity of their employees. This is why in Microsoft Defender for Office 365 we look at not only offering the best protection and tools to manage detected threats and possible misses, but also focus on continually improving the solutions we offer for protection from false positives. After all, email remains the number one attack vector used by bad actors. Our key principles remain:

  • Making it easy for end users to identify false positives across a variety of situations such as individual mailboxes, shared mailboxes, and delegated scenarios
  • Keeping users secure as they interact with these emails
  • Ensuring security teams can efficiently review and act on quarantine messages.


Exciting new updates are coming soon!

Microsoft Defender for Office 365 is rolling out key quarantine management features that will help empower SecOps professionals and end users when triaging emails:

  • Quarantine folder policy and user release request workflow
  • Customer organization branding
  • Streamlined email submission from the quarantine portal
  • Robust release of bulk quarantined emails
  • Secured preview of quarantined emails
  • Quarantine support for shared mailboxes


Quarantine folder policy and user release request workflow

Today Microsoft allows organizations to empower their end users to triage phishing messages. Some organizations would prefer to limit these triage capabilities to their security teams, and others find the capability allows them to augment a smaller SecOps team by extending the process to end users.


With the new quarantine folder policy, SecOps will be able to configure custom end user access (including request-release permissions) to messages quarantined by Exchange Online Protection and Microsoft Defender for Office 365 policies, which will help alleviate the inefficiencies that come with fixed controls.



Figure 1: New quarantine policy allows for granular control of user access



Custom organization branding

Deception is a key component of phishing attacks, and customers want to eliminate any hesitation when it comes to legitimate system-automated messages. We are adding capabilities that make it possible for SecOps to customize end user quarantine notifications with their organization's logo, email display name, and disclaimer. Doing so helps ensure that users have safe and secure access to their quarantined messages and trains them to recognize legitimate notifications.


Figure 2: Custom organizational branding for quarantine notifications.



Streamlined email submission from quarantine portal

With this change we’re giving SecOps the ability to allow senders for a specified period, right from the quarantine workflow. When releasing emails to end users, admins can now opt to remember this decision by creating an entry in the tenant allow/block list that corresponds to the indicator of compromise aligned with the message in question. SecOps can now also choose to allow or prevent users from submitting messages to Microsoft for analysis.



Robust release of bulk quarantined emails

Quarantine release should be efficient, not tedious. In large organizations it can take time to triage quarantined mail. The previous structure released emails in a serialized approach; it will now be replaced with a parallel form, helping streamline the process and save your SecOps team valuable time.


Secured preview of quarantined emails

To limit exposure to unwanted or malicious content, we are enhancing how users preview quarantined messages to provide additional security against embedded threats. With this change, some components in quarantined messages will be distorted and not displayed by default. To see the full contents of the message, users can choose to reveal the full message.


Figure 3: Images are withheld from users to prevent embedded threats.



Quarantine support for shared mailboxes

With this update, users who have been granted delegate access to a shared mailbox, either through direct access or security group access, will now be able to triage the quarantined items of those mailboxes. This makes managing the quarantine for shared mailboxes easier for users.


Support for priority accounts

In 2020 we launched Priority Account Protection in Defender for Office 365, helping security teams focus on the most visible and most targeted users in their environments. We’re expanding this visibility by incorporating priority account tags in the quarantine experience, enabling security teams to focus on these priority accounts as they triage the quarantine folder. 


Sending end user quarantine notification with user mailbox language locale

We are making it possible for end user spam notifications to go out, by default, in the language configured on the end user's mailbox.

Previously, security admins had to choose the user specific language for Office 365 to use while sending user quarantine notifications. In an organization where users speak multiple languages this becomes a challenge.


A new look for the quarantine portal

We are revamping the design of the quarantine portal to allow for a better user experience when triaging false positive emails. This new look and feel is more than a cosmetic change – we’ve designed the new experience to help surface more data in a more useful and simple way. The screenshots below show what the new UX adds, like more filters, a revamped flyout, and better filter visibility.



Figure 4: The quarantine portal today



Figure 5: The new look for the quarantine portal


New email detail panel

Earlier this year we launched the email entity page, which gives SecOps a 360-degree view of an email, putting all the relevant details in the hands of the analyst. We are replacing the email details panel in quarantine with a panel that provides the same in-depth view of each email in quarantine, which will bolster SecOps confidence when making decisions.



Figure 6: We've added components from the email entity page to the quarantine experience.



Stay tuned!

We’re continuing to enhance the quarantine experience and workflow for both end users and security teams. Here are a few enhancements you can expect to see in the coming months:

  • We’ll be adding an hourly frequency for end user spam notifications, enabling customers to increase the frequency of these notifications to users when the need arises
  • Large-scale bulk release, allowing SecOps to release more than 100 mails at a time
  • Enhanced search functionality to accommodate things such as partial string matches





Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.




Occasional Visitor



For shared mailbox quarantine management, will this be possible via the quarantine portal as well as the ESN?

@Geckotek Correct. It will be possible through the portal and the End user spam notification.

New Contributor

Hi, when you say custom branding... are we going to only have 1 branding choice? Or can we have multiple branding choices? We have 4 companies in our tenant and usually only see 1 branding choice, which is not ideal, and we really need to be able to use different logos per domain.

@Brian Knipfel For the first release the plan is to support a single branding choice. However, I have taken note of this feedback for our next phase of triage. Thank you.

Frequent Contributor

Just an FYI, but the EOP spam notification emails still look like Office 365 from 2015 (i.e., dated "Office 365" red on white logo, which is very low resolution). It seems like something that should have been updated along with the improvements mentioned here, if not before.


@Jeremy Bradshaw completely agree, for most people it looks like phishing. But have no fear, many Microsoft genuine messages are also identified as phishing by... Microsoft 365 Defender. So, all good, stays within the family!

Occasional Visitor


@Jeremy Bradshaw Thanks for the feedback. We will look into leveraging our updated artifacts for the notification emails we send out.

@KrisDeb We will be more than happy to investigate the false positive messages your organization is seeing. Please use the support channel available to share the concerns.


@Faith-Ebenezer_Oquong I am a huge fan of Microsoft 365, people who know me are even joking about it. I am sending support messages and feedbacks straight from M365 Admin Center and I can see things are changing.

Regular Contributor


I still cannot see the option "Secured preview of quarantined emails". Is it already available everywhere?

@AtanasM The feature should be enabled in all tenants now. Could you leverage your available support channel to escalate the concern so we can investigate?

Occasional Visitor

The font in the quarantine list is horrible, the preview has been rendered nearly unusable, handling emails has been made more complicated; this seems like a downgrade, not an update.

edit: Also cannot select an email from the list by clicking on it when one is already clicked.

edit2: From my viewpoint, you completely ruined an almost-working tool.

Frequent Contributor

@pauka Sounds like you need a higher res monitor or something. I don't find any of those claims to be the case for me. I use it daily a lot. Preview sometimes only shows a very plain text rendition of the emails, but usually does a good job. Now, if my resolution was lower, I'm sure it would be a problem to have to live out of the right side pane that everything has to be viewed through (wish there was an option to maximize that pane in the entire MS cloud new UI).


Just thinking it was designed on a big monitor, and doesn't do well on all resolutions. I use a 27" 4K with scaling set to 200%, and then I wear reading glasses.  That makes most things look best for me.

Regular Contributor

@Faith-Ebenezer_Oquong How can I check my available support channel? Please provide the steps. Thank you.

@AtanasM You can open a support ticket from the portal itself by clicking on "Need help" and providing the issue description. Thank you.

New Contributor

@Faith-Ebenezer_Oquong Quick question about end-user notifications. The article here does not mention that end-user notifications will be configured with the Quarantine Policy.

Now a few tenants of our customers had enabled the end-user notifications. We do see by default the "NotificationEnabledPolicy" within Anti-Spam policies. Within Anti-Phishing the DefaultFullAccessPolicy is applied, so users did not get a notification for such messages. This was very confusing. Do you have any details on why for Spam the NotificationEnabledPolicy was automatically configured but not within the AntiPhishingPolicy?

@Peter Forster We have initiated communications in the customer health dashboard regarding the Anti-phishing policy changes. Thanks for sharing.

Occasional Visitor

Great work, waiting for the release 


I was excited but not for long... The same notifications as before, sent not even in real time? Customers are complaining they are not being notified; what is this? There is no way anyone will wait for so much time for AN EMAIL, people will look for workarounds, sending emails between themselves = more shadow IT and a larger attack surface! Why are there no Teams notifications, why are alerts not integrated with Power Automate yet, so we can be creative and configure notifications on mobile, Teams, email etc.?

Regular Contributor

Quarantine is the worst feature that Microsoft ever had. I cannot understand how it is possible for such a big and famous company to tolerate such a situation. Quarantine is generally defective. Notifications are not sent, admins cannot receive notifications, it's not possible to see a preview of the content, nothing works here normally. Full disaster. And it is not working not only for me, but for many other customers. I expect that the responsible people solve these issues immediately. Hopefully.

Occasional Visitor

Someone has sworn to ruin this tool completely; now they removed the attachment info, there is no longer any way of knowing what and if any files are attached before releasing the email. What in the world could explain the removal of the info that is so needed for this tool to function???????? Have you gone mad, devs???? Also, before you could add a sender as a safe sender; now there is some kind of weird toggle button that doesn't do anything. If I set it on an email, the next email is stopped by the filter again.


Regarding "Quarantine support for shared mailboxes", when will this be available and/or where may I find out more information?


@KrisDeb @AtanasM Thanks for sharing your feedback. Hourly end user quarantine notifications and the admin quarantine digest will be among the items in our next phase of release. Stay tuned.


Regarding quarantine message preview, we are working on bringing the feature back to normalcy. Updated changes should be reflected in the product in the coming weeks.


@James_Mattus "Quarantine support for shared mailboxes" is actively in public preview. Please use the support channel available to your organization and request to be added to the preview. The feature will be generally available on or before the end of Q1 2022.

New Contributor

@Faith-Ebenezer_Oquong Hi. Since this feature was rolled out, our users have reported their notification emails are no longer showing the "phish" email notifications, only "spam". The new policy settings only have a simple tick box for "Enable End User Spam Notifications"; is there a way to re-enable "phish" emails to get notifications too?

Frequent Contributor

Related to what others and @Jarrad_McMullen have been pointing at, I will add that the Anti-Phishing policies' quarantine notification policy assignment capability appears like confusing overlap with the Phish/High Confidence Phish actions in an Inbound Spam policy.


In an Anti-Phishing policy (e.g. "Office365 AntiPhish Default (Default)"), what category do these actions line up with (Phish, High Confidence Phish, something else?)?:


If the message is detected as an impersonated user: _____________________??

If the message is detected as an impersonated domain:___________________??

If Mailbox Intelligence detects an impersonated user:_____________________??

If the message is detected as spoofed:_____________________________________??


Each one of those has the ability to use the Quarantine action, and then assign a quarantine policy. But then, we have no way to know what category this is going to show up to users as. If it's "Phish", they should be able to see it; if it's "High Confidence Phish", they shouldn't be able to see it; and if it's something else, well, what then?


Regular Contributor

I've set up in the Global policy a custom disclaimer, subject and ticked the box that says use a custom logo (I can see our company logo).


All is sent via the notification except for the company logo. Instead we get the Office 365 logo.


Is this a bug or is there another way to force it to change?

@Jarrad_McMullen Thanks for informing us. Can you file a support case so we can investigate further?


@Jeremy Bradshaw 

If the message is detected as an impersonated user, impersonated domain, spoof, or Mailbox Intelligence detects an impersonated user, it is all categorized as Phish and users can see it in quarantine by default. Admins can also use the quarantine policy to hide the messages from user view. 


@David Gorman Thanks for informing us. We are actively working to address the logo. Updates should be reflected in the coming weeks.

Regular Contributor



Can I check if this is the right link for end users to access their quarantine page? They can also see a side menu with links to Policies or Creating Tags, etc. While they can't do anything, it's confusing them. Is there an option so they just see the quarantine page?

@David Gorman You have the correct link. We have heard similar concerns from our customers, and we are hoping to resolve this in less than a month. I will update accordingly if the timing changes. Thanks.

Regular Contributor

Hi @Faith-Ebenezer_Oquong 

The parameter EndUserSpamNotificationFrequencyInDays is set to 1 for NotificationEnabledPolicy. Nevertheless, the quarantine notifications are sent once per 3 days. Is there something that overrides this setting? Is this behavior by design? If so, please send me a reference article. Thank you!


Can you please turn this OFF by default? Emails are getting quarantined and users don't know about it. You're quarantining messages from the Migration Wizard reports in Exchange because it's going to the vendor tenant and it's using the domain because it's pre-cutover and we don't know when they complete. The product takes 30+ seconds to get from screen to screen just to get into configuring it, the screens are getting interference from the side menu, some screens are completely blank, like when you attempt to configure email alerts in Defender settings, and it's just not ready for production, period. Couple that with having to convert all our customers to the New Commerce Experience and the burden is too much at one time.


The product is not ready, at least until it's built into the Outlook client directly like Junk Mail is, and turning it on by default is irresponsible.



@VNJoe Thanks for sharing your feedback with us. We will explore the built-in Outlook client.


Regarding your other concerns, so I can better assist you and understand your use case in more detail, are you able to open a request directly with our support channel?

Occasional Visitor

I saw today's post about quarantine support in admin portal. I'd say finally, but there is some huge issue...

There is no "show all recipients I have access to".

A user who maintains multiple shared mailboxes with many different aliases has to check every single alias one by one. That's pretty useless for us :(


Regarding the quarantine-notification:

We cannot configure the message (sender display name or logo). Also, the mail is not sent reliably. I already did open a ticket about a user not getting his, while hundreds of colleagues with the very same configuration receive theirs.

Ticket was closed with the answer: it was HCP, which does not trigger quarantine notification by default, and you cannot change the default behavior for HCP.


I think the product team needs to fix some things and train supporters.


@Faith-Ebenezer_Oquong I already have tickets in about this. "Support" requests: I send them copies of the quarantine notifications that Microsoft is sending. It's as if they aren't paying attention. This is being sent by Microsoft from a fake email address Microsoft makes up, usually Email address removed, but because it's a fake address, it's high confidence phishing and therefore is quarantined, instead of going to Junk Mail like it should.


The other issue was for a Mail Migration Report from a customer I'm migrating to hybrid, and the report email that it sends to alert of the results (from the Migration Batch Wizard) is blocked as high confidence phishing because the domain isn't fully migrated yet.


Look, EVERYTHING just needs to go to Junk Mail. Nobody wants to go into a different site if they have the Outlook client. The quarantine and entire Defender portal run very, very slowly, and there's no need to send people there unless you run an Enterprise. These people are SMBs and midsize, and they just need to get their mail. They don't know quarantine; they just know they lost mail and business.


Bring back Junk Mail!

@AndAufVCG Thanks for sharing. We are tracking the feature that will allow "Show all recipients I have access to" for shared mailboxes in our to-do list.

Regarding including HCP in quarantine notifications, this should start working by the end of April 2022 for all customers.



@VNJoe, support for a custom sender address is in our to-do list. We hope to have this readily available for all customers before the year 2022 is over.

We will also explore bringing the Quarantine folder to Outlook.


Yes, but the overwhelming issue is:


Your scoring system for high confidence phishing is a failure, you automatically force those messages into Quarantine instead of Junk Mail, and you disabled notifications for high confidence phishing quarantined emails. It's a trifecta that leads to the simple fact that Microsoft is failing to provide the service being paid for.


You have to open one of the three options above. Otherwise, you're simply failing to deliver mail.


I can't comprehend why no one at Microsoft sees the significant flaw this implementation has introduced, because my customers all do... They don't know their customers are emailing them and they are losing business to the point of considering alternatives.




Frequent Contributor

@VNJoe All the things you mentioned are customizable. I've just come through months of working with and tuning EOP for a large client whose MX records point to on-premises and who have a to-be-retired 3rd party spam gateway near-passively there, then Exchange on-premises, and then to EXO/EOP where the mailboxes are. It's actually two distinct/separate on-premises setups like that, which merge into one tenant (2 hybrids). If you can imagine, we had to make use of Enhanced Filtering for Connectors to make sure EOP's SPF tests would happen against the correct IP addresses. We also had to stop using on-premises transport rules to add an 'external email' disclaimer and let EXO do that instead, in order to preserve the DKIM body hash so EOP's DKIM tests wouldn't fail erroneously.


We've rolled out quarantine notifications to 40K+ mailboxes.


We got to a point where we had to take the time to submit many samples to MS support because we couldn't tell what else we could do to prevent some false positives.  They were able to find some Machine Learning gone wrong which they corrected.


Apart from that one glitch, it truly does seem like everything works great. There are lots of false positives in EOP, but I'd be willing to bet a huge portion of them are due to problems that should be corrected rather than EOP lowering its guard. I think that is the point that Microsoft can't just outright say, but it is important for vendors to try and push the world to be better at not only their own SPF/DKIM/DMARC implementations, but also proper infrastructure design and configuration.


The setting for high confidence phish going to quarantine and not letting users release those is a smart default. Most phishing attacks include links that are not detectable by Safe Links as malicious initially (i.e., they lay dormant for some time). Users are horrible at NOT getting phished. So it makes sense to protect against those emails by default and then let customers dial it back from there. If the opposite were the case, you'd have 10X as many people here telling MS they're not protecting their paying customers well enough. So it's a lose-lose for MS, but they picked the correct side in being safer. If an important message is missed, it should at least be resendable. If it is a very important email, then everything under the sun should have been done by both the sender and the recipient orgs to ensure deliverability.


That last point is the most important to consider. If certain emails are very important not to miss, those emails (the messages and attachments themselves) and the sending/receiving infrastructures had better be set up properly. If they're getting caught as high confidence phish, they are flawed in some way (or there's a glitch which MS Support should be able to address). The right thing to do is quarantine them.

Occasional Visitor

"The setting for high confidence phish going to quarantine and not letting users release those is a smart default. "


I'd agree with that, BUT!

Since late 2021 we are able to exactly define what should be done to HCP mails. Without even knowing this is the default behavior, I set it up like this: go to quarantine, users can only request release, and to do so they need to be notified.

And that's the problem. The very last part.

Until now, the users don't get notified!

So if you have a false HCP (which occurs, no blame in that), the mail is lost!

There is no information (like some NDR) for the sender, and also there is no notification for the recipient, despite the fact that you have literally configured it that way!



New Contributor

@AndAufVCG - HCF Notifications are in feature ID 93198 due in April 2022. You can keep track of this on the Microsoft Roadmap: Microsoft 365 Roadmap - 93198




@Jeremy Bradshaw This configuration you mention is overridden. As @AndAufVCG and I have mentioned, there's no notification for HCP; it's been turned off no matter how you configure it, and it's documented to be the case.


In addition, while I appreciate you setting that up for a very large client, the SMBs that grew Office when no large client would touch O365 have been left behind with undelivered mail, no notice, no NDR on the sending side and an email gatekeeper they didn't ask for and can't opt out of... It's a breach of the service contract in its current config. And most importantly, those SMBs don't have admins policing a quarantine. They want it in Junk Mail like Outlook has done, not this whole recruitment into training the AI they are attempting to get for free from customers. Customers simply submit marketing messages from their competitors and boom, those marketing messages don't get delivered any more, and they are nowhere NEAR being a phishing attempt... much of what Microsoft has high confidence as phishing is low confidence.


- Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.


Emails from my existing customers and contacts are NOT phishing attempts...


By the way, why are the HCP settings under anti-spam when there's an anti-phishing section?


Nobody in the small and mid-size customer base even knows a quarantine exists, because up until the end of last year, everything went to Junk Mail. Microsoft decided to be the mail police with these new policies but didn't inform anybody except partners, hidden inside hundreds of other partner notifications of new "features".


It's gotta get fixed.

New Contributor


One of the most common false positives we find are "impersonation" or "spoofing" type emails. In a perfect world everyone would have their SPF/DKIM/DMARC correctly configured, but many businesses send marketing through 3rd party marketing services without this correctly set up. When you receive an email from Email address removed but the route has come from Email address removed, it often flags as impersonation because that is exactly what it is. Not sure what the best way to get around this particular type of "phishing" is, but having a clearly defined policy around email security standards you can give to internal and external contacts (and making sure your own emails meet these standards) is the first step. If a certain "type" is a particular pain point for your organisation/client then there are options to turn off specific checks in the anti-phish and anti-spam configurations (this is obviously discouraged from a security viewpoint). I often direct customers to Best practices for configuring EOP | Microsoft Docs and Email security and anti-spoofing - NCSC.GOV.UK when emails regularly hit quarantine with no SPF/DKIM/DMARC from the sender.

Occasional Visitor

The problem with SPF/DKIM is that many senders refuse to make use of it. And it is by far not just 3rd party marketing services and 2-people serverless crypto start-ups. One of the biggest Microsoft CSPs in Germany (Deutsche Telekom) refuses to use SPF. They just don't want to.


I have no solution for this in general.

But the fact that it is also not possible to whitelist specific words for spam filtering is a REAL PITA for us right now. We have EXTREMELY many SCL=5 false positives and everything MS has to offer isn't solving the issue.

(My ticket about this was closed just last week as unresolvable)


@Jarrad_McMullen I'm aware of the clause Secure by Default, but that implies you can CHANGE those settings. The correct term is locked down, because you cannot change them. You've attempted to 'parent' your customers and 'grounded' their messages...

Message Center is not functional because the correct configuration is to have global admins without licensed accounts, and therefore incapable of receiving emails; yet those are the accounts that get the messages.... Factor in the hundreds of meaningless notifications being sent from it and it becomes white noise. Viva? Yammer? Exchange outages in small parts of the world? A small percentage of users can't get their distribution lists updated? It's all so cluttered and obfuscated by design.


Anti-phishing policies need to go in the anti-phishing category instead of being secretly tucked away in anti-spam and overriding existing anti-phishing policies.


Impersonation and Spoofing emails are not a category of Phishing email. You have miscategorized these. Impersonation and Spoofing are tactics or mechanics; Phishing is an intention to gain credentials or information. SPAM is an inundation of emails from a source. Words matter. Moreover, you are categorizing things like multiple emails in short periods of time or emails with certain keywords or even hyperlinks that aren't 'Safe Links' all as phishing, which they certainly aren't. I had one message from a customer trying to get around the anti-phishing problems created by Microsoft so they could test their users' knowledge, and they sent me an Excel sheet with the domains to include for whitelisting for the test, and THAT got labeled anti-phishing... So it's the language that is key, understanding that the tactics are different from the intention, and that you are consistently miscategorizing email across the board. Simply because Safe Links is something you want people to use doesn't mean it's something they have to use, and by blocking everything except those and disallowing access to fix the problem at the tenant level, you've created an incredibly intrusive system that's blocking the service people are paying you for. They aren't paying you to filter their mail; they're paying you to deliver it and are relying on other vendors or methods to eliminate those they don't want.


Just bring back Junk Mail already....

New Contributor

@VNJoe I don’t work for Microsoft. Like many people in the community, I am trying to help in learning together how to utilise Microsoft products and share helpful configuration experiences. If you are having trouble configuring the product or following their documentation, I suggest you raise a ticket with Microsoft support.


The Junk folder is still an option for those who want it:

1. Go to “Anti-Spam” in the 365 Defender portal under Threat Policies where you can change the Anti-Spam inbound policy settings for phish and spam to send to junk instead of quarantine.

2. Go to “Anti-Phishing” where you can set the default AntiPhish policy to move detected spoof to Junk Folder.

3. Depending on your licence you may also have the option in “Anti-Phishing” to change the phishing threshold (The more aggressive the threshold the more emails get treated as High Confidence).


As mentioned previously, Microsoft’s roadmap shows they are working on notification emails for High Confidence (Roadmap ID 93198) so that users can get notifications for the emails that fall under those:


All these settings are well documented by Microsoft so if you have trouble following them please speak to your Microsoft advisor or raise a ticket through the 365 portal using the “Need Help” icon in the bottom right.
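The three portal steps above have a direct Exchange Online PowerShell equivalent, which is handy when you want to apply or audit the same change across several policies. This is an added example, not part of the post or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, that you hold a role able to edit threat policies, and that the policies still carry their tenant default names ("Default" for the inbound anti-spam policy, "Office365 AntiPhish Default" for the anti-phishing policy); adjust the -Identity values if yours are renamed.

```powershell
# Added example: PowerShell equivalent of the three portal steps in the post above.
# Assumptions: ExchangeOnlineManagement module installed, default policy names in use.
Connect-ExchangeOnline

# Step 1: inbound anti-spam policy - send spam and phish to the Junk Email folder
# instead of Quarantine. Valid actions include MoveToJmf (Junk Email folder),
# Quarantine, AddXHeader, ModifySubject, Redirect and Delete.
# HighConfidencePhishAction is intentionally left untouched here.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction MoveToJmf `
    -PhishSpamAction MoveToJmf

# Step 2: anti-phishing policy - move detected spoof (composite authentication
# failure) to the Junk Email folder rather than Quarantine.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction MoveToJmf

# Step 3 (requires a Defender for Office 365 licence): phishing threshold.
# 1 = Standard, 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive.
# Higher levels treat more messages as High Confidence Phishing.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' -PhishThresholdLevel 2

# Read the effective settings back so you can confirm what the portal will show.
Get-HostedContentFilterPolicy -Identity 'Default' |
    Select-Object Name, SpamAction, HighConfidenceSpamAction, PhishSpamAction, HighConfidencePhishAction

Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Select-Object Name, EnableSpoofIntelligence, AuthenticationFailAction, PhishThresholdLevel
```

The final two Get- calls are the check worth keeping: after any portal change, reading the policy back from PowerShell tells you which verdict categories actually route to Junk and which still land in Quarantine.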


@Jeremy Bradshaw Unfortunately, this is inaccurate information you've provided.  Yes, the documentation says it's true, but it's not.  HCP has the three qualities mentioned above:  Not in Anti-Phishing as it should be, not able to be filtered other than Quarantine, and does not notify user when it's quarantined.


Roadmap or not, it's not a 'feature', it's a necessity that they notify users they are withholding mail, or stop withholding it and put it back in Junk Mail until it's complete, because as of now, you are disallowed from doing so. You have to go into the policy, try to change it, and you'll see the warning saying it's disallowed.


I understand you have good intentions of trying to be helpful, but the issue here is how you think it works and how Microsoft now makes it work since the end of January are two different things, and the scoring system is marking far more items as anti-phishing than it should, using the anti-spam policy to do so. They do the same thing with Malware, where they don't deliver it and don't notify you, but they've lumped HCP into the same bucket and their high confidence is very low confidence and highly over-scored. If a customer I work with sends me a message, there is no way it should ever score above a 5; yet it sometimes will score an 8 because it has KnowBe4 in an attached Excel sheet or doesn't follow some draconian measure Microsoft wants you to adhere to simply to get your mail. The customer and I are both on O365 and properly configured; it's the scoring that's broken. Heck, it even scores its own emails from the O365 Mail Migration Batch reporting as HCP...


I appreciate your time, but I do promise, what I've said above is how things have been working for the past couple of months, and @AndAufVCG seems to be seeing the same thing.  I also have tickets open for this and they are not fixing it.  Check it out yourself.


Here's one to check with the full Outlook client installed:


In Outlook, click the 'Junk Mail' folder

Now, type in a search term at the top from a trusted source (email address removed).


Even though you selected Junk Mail and Outlook knows you mean the Junk Mail folder, it still gives you results from everywhere.  In addition, click a result, and you'll see 'Links and other functionality have been disabled...' come up on that message even though it's not in the Junk Mail folder...


The roadmap needs a significant review and adjustment, and the existing features blocking email or the scoring of those emails and the classification of what's phishing and what isn't need to be re-evaluated long before the roadmap task is completed.

Frequent Contributor

@VNJoe I now see what you mean.  Contrary to what I said in my last post about this being customizable, you are correct in saying that - No, it isn't.  When I attempt to Edit the Actions for my Incoming Spam Filter policies, if I change High Confidence Phishing to Move to Junk, I get this:

[Screenshot (2022-03-28): the warning shown when trying to change the High Confidence Phishing action to Move to Junk in the inbound spam filter policy]

The "learn more" link is this: Secure by default in Office 365, where it indeed shows some false information about High Confidence Phishing specifically:


"Microsoft 365 organizations with mailboxes in Exchange Online are protected by Exchange Online Protection (EOP). This protection includes:

  • Email with suspected malware will automatically be quarantined. Whether recipients are notified about quarantined malware messages is controlled by the quarantine policy and the settings in the anti-malware policy. For more information, see Configure anti-malware policies in EOP.
  • Email identified as high confidence phishing will be handled according to the anti-spam policy action. See Configure anti-spam policies in EOP."

The second bullet fails to mention the behavior shown in the screenshot.  The article's last updated date is 2022-03-23, but the blue info box at the top of the page does say:



"Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here."


It could stand to be corrected and clarified for sure, I agree.


I didn't see the point covered earlier by @AndAufVCG (until after my reply to you), where even when you set the action for High Confidence Phishing to Quarantine but then assign a notifications-enabled Quarantine policy that has the Request to Release permission, it won't then trigger a notification.  This does seem to be a big miss.  The default behavior by Microsoft since the rollout of the Quarantine notifications was set so that the High Confidence Phish is Quarantined and the AdminAccessOnlyPolicy assigned, which I do agree requires administrators to monitor the quarantine or have users find out through some other means that they missed a message and contact IT.  So it's treated exactly like malware.  These are fair points.


The part about the scoring being off is also a fair point.  All I will say though still is that there is a lot of room for error on the sender and receiving sides which all factors into the score.  In most companies you can find something that needs to be addressed in the mail flow chain somewhere.  Like the things I mentioned, or maybe settings on a downstream IPS or other MX service in front of EOP, etc.  The company not doing SPF or DKIM out of principle is probably not going to help their emails' delivery success with that move.


Anyhow, at this point I'm not disagreeing with the points you guys have raised.
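The quarantine-policy behaviour described in the post above (High Confidence Phishing quarantined under AdminOnlyAccessPolicy, no notification even when a notifications-enabled policy with Request to Release is assigned) is easiest to reproduce and verify from PowerShell. The following is an added example, not code from the post or from Microsoft; it assumes the ExchangeOnlineManagement module, the default inbound anti-spam policy name "Default", and a hypothetical quarantine policy name "HCP-Notify-RequestRelease". The permissions bitmask 27 is assumed, from the cmdlet's documented bit values, to encode Block sender (16), Request release (8), Preview (2) and Delete (1).

```powershell
# Added example: create a notifications-enabled quarantine policy with Request to
# Release, assign it to High Confidence Phishing, and then check what actually lands
# in quarantine. Assumptions: ExchangeOnlineManagement installed, default policy
# name "Default", policy name "HCP-Notify-RequestRelease" is hypothetical.
Connect-ExchangeOnline

# 1. Quarantine policy: end-user permissions as a bitmask (assumed mapping from the
#    cmdlet documentation: 16 = Block sender, 8 = Request release, 2 = Preview,
#    1 = Delete, so 27 = limited access with request-release) and ESN
#    (end-user spam notifications) switched on.
New-QuarantinePolicy -Name 'HCP-Notify-RequestRelease' `
    -EndUserQuarantinePermissionsValue 27 `
    -ESNEnabled $true

# 2. Keep High Confidence Phishing on Quarantine (the only permitted action) but
#    swap the quarantine tag from the default AdminOnlyAccessPolicy to the new policy.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -HighConfidencePhishAction Quarantine `
    -HighConfidencePhishQuarantineTag 'HCP-Notify-RequestRelease'

# 3. Read back the assignment and the policy so the state is unambiguous.
Get-HostedContentFilterPolicy -Identity 'Default' |
    Select-Object Name, HighConfidencePhishAction, HighConfidencePhishQuarantineTag
Get-QuarantinePolicy -Identity 'HCP-Notify-RequestRelease' |
    Select-Object Name, EndUserQuarantinePermissionsValue, ESNEnabled

# 4. Because the post reports that no notification is sent for this category,
#    an admin has to look instead: list High Confidence Phishing quarantined in
#    the last 24 hours, with the policy that caught it.
Get-QuarantineMessage -Type HighConfPhish -StartReceivedDate (Get-Date).AddDays(-1) |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, PolicyName, Released |
    Sort-Object ReceivedTime -Descending
```

Step 4 is the practical takeaway for a SecOps team in the situation the thread describes: until notifications cover this category, a scheduled run of Get-QuarantineMessage filtered to HighConfPhish is the only reliable way to find out which legitimate senders are being withheld.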


Again, your terminology is inaccurate, making the filters inaccurate. SPF/DKIM/DMARC are anti-spoofing technologies which are SPAM mechanisms and have nothing to do with PHISHING. PHISHING is an intent, and blanket categorizing these emails with no SPF that have a hyperlink in them that isn't a "Safe Link" DOES NOT make them Phishing emails alone. They are SPAM. They may be high confidence spam, but they're still SPAM.  There's far more to it.... The mere fact that these "High Confidence Phishing" email rules are located in Anti-Spam filters instead of the actual Anti-Phishing filters in EOP are a testament to them being miscategorized and in the wrong place. It's a poorly conceived notion. Simply put, it's 100% incorrect.


It's just a design flaw that's not getting properly addressed.

Frequent Contributor

@VNJoe The Anti-Phishing policies have settings for impersonation.  Would you agree that spoofing and impersonation are at least related concepts?  You must agree there is some overlap in the concepts of spoofing and phishing.  I'm not sure whose definition of "phishing" you will accept as tolerable.  But here's the definition from


What Is Phishing?
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

When the SPF/DKIM tests fail, that is potential spoofing.  When somebody is intentionally spoofing somebody else, that is potential phishing.  The rest of that spoofed email's traits are what they have to go off of to determine if it is just spoofing with no intent to lure, or if it is actually phishing.  If there's a non-safe link in the body, and we already concluded the message is spoofing, then what is so bad about treating this message as a phish or high confidence phish?  If there is no SPF, that sender is leaving themselves open to be spoofed, and composite authentication should give them negative points for that.  I would side with Microsoft on this one and say a message with no SPF and a URL in the body that is detected as bad by Safe Links is more likely, or at least equally likely, to be phishing than it is to be spam.  Spam has nothing to do with spoofing.  Phishing has all kinds to do with spoofing.


I'm not trying to be argumentative just for the sake of it, more so just friendly debate to flush some more details.  And I already was persuaded earlier to agree with your other points.  The issue that you're pointing out about the misclassification seems up for debate.  Below is another excerpt from


Phishing and Spoofing
Phishing is a serious problem that is achieved in a number of different ways. Email spoofing and website spoofing are two of the primary methods by which phishers acquire sensitive information from unsuspecting Internet users.

Can you maybe just include how you think it ought to be designed in EOP/MDO?  If there is a better way, maybe they need to be told/shown rather than just criticized for not having gotten it right yet.


I do agree about the point that the actions for Phishing / High Confidence Phishing being in the Anti-Spam policies is a misplacement.  My best guess is that it's because Anti-Phishing policies didn't come along until way later on in EOP's life, whereas Anti-Spam policies have been there all along.  I'm betting they will eventually fix this, probably even sooner thanks to your efforts spent here.

Version history: last update Aug 23 2021 04:01 PM