ok... two questions really...
(1) Referencing here, it is pretty clear the order of the policy applications for threat protection (ie, malware first, then phishing, then spam, then bulk), but I just can't make sense of how it explains the application of the priority order of policies for any of those sub-categories. Does it only apply the first rule that applies to a user's mailbox and then stop processing further, or does it cascade down to evaluate the next level down rule assuming the first rule didn't quarantine or delete the email.
(2) I think I have the rules for detection set pretty well, but right now everything goes to quarantine and there are some occasional false positives that I'm not comfortable just deleting, but I can't tell the difference in the results between "high confidence" and just normal since they both go to quarantine. Is there a way to change the notifications on the messages that are high confidence to not report to the recipient and instead report only to another designated mailbox instead? It seems like the quarantine options are "report to recipient" or "don't report", but I'd like to just report to another person for a bit before switching over to just delete.
Thanks
(1) Referencing here, it is pretty clear the order of the policy applications for threat protection (ie, malware first, then phishing, then spam, then bulk), but I just can't make sense of how it explains the application of the priority order of policies for any of those sub-categories. Does it only apply the first rule that applies to a user's mailbox and then stop processing further, or does it cascade down to evaluate the next level down rule assuming the first rule didn't quarantine or delete the email.
(2) I think I have the rules for detection set pretty well, but right now everything goes to quarantine and there are some occasional false positives that I'm not comfortable just deleting, but I can't tell the difference in the results between "high confidence" and just normal since they both go to quarantine. Is there a way to change the notifications on the messages that are high confidence to not report to the recipient and instead report only to another designated mailbox instead? It seems like the quarantine options are "report to recipient" or "don't report", but I'd like to just report to another person for a bit before switching over to just delete.
Thanks