M365 - Sudden Increase in outgoing "phishing" false positives

oikjn · Oct 17, 2023

Any M365 admins out there seeing a sudden surge in outgoing mail getting flagged as phishing/spam starting a few hours ago in the OUTBOUND direction?

I had the outbound filter rule set to send me a copy of all flagged emails and in the last couple of YEARS I think maybe I've seen one or two emails come in. Today I'm at 28 so far. I"ve checked most of them and they are just normal email exchanges between employees and outside mailboxes.

In the Defender realtime detection screen, it shows as "Latest Threats" = "Phish / Normal, Spam" and the "Detection Technologies" = "General filter, Mixed analysis detection".

The Sender IP is our local IP. I used mxtoolbox.com to check blacklists for our IP and our domain and nothing has changed on that end nor in our DNS records. So I don't think its me, but...

SandyTech · Oct 17, 2023

Haven't noticed any. Are you using a hybrid deployment or just 365?

jzsmpsn · Oct 17, 2023

I have noticed an significant increase today in the false positive phish email that are being caught in 365 defender today for sure.

sryan2k1 · Oct 17, 2023

There are several reddit threads seeing the same.

SandyTech · Oct 17, 2023

They did this late last week too IIRC. Maybe a continuation of that issue?

moosemaimer · Oct 18, 2023

might be this:

Microsoft disables bad spam rule flagging all sent emails as junk

Microsoft has disabled a bad anti-spam rule flooding Microsoft 365 admins' inboxes with blind carbon copies (BCC) of outbound emails mistakenly flagged as spam.

www.bleepingcomputer.com

oikjn · Oct 19, 2023

SandyTech said:
Haven't noticed any. Are you using a hybrid deployment or just 365?

just 365.

It seems to have chilled back out again. It seems like it was just a 12 hour spurt and my rule didn't block the traffic and just forwarded me a copy (assuming it wasn't also incorrectly flagged on the inbound side if that end recipient was also using M365).

mrkag · Oct 23, 2023

I believe it's related to the Microsoft Tech blog post titled "Announcing New DMARC Policy Handling Defaults for Enhanced Email Security". I have been seeing DMARC rejects in both our commercial and GCC tenants, starting about a month ago.

It's irritating that some email admins don't understand how DMARC and SPF work, or even what spoofing means.

oikjn · Oct 24, 2023

I think what @moosemaimer linked was correct and my experience was pretty much exact to what was described in that link.

@mrkag while I agree that there are far too many "admins" out there that don't understand DMARC let alone SPF or DKIM, in this case, I can say it wasn't the cause here. This was all internal authenticated users sending emails from my domain which is setup properly with DMARC/SPF/DKIM and the quarantine report confirmed they were all passed... that being said, they were all authenticated users sending emails using Outlook, so I wouldn't put it past M$ to have flagged their own servers as spam sources for whatever reason.

Search

Search

M365 - Sudden Increase in outgoing "phishing" false positives

More options

oikjn

Ars Scholae Palatinae

More options

SandyTech

Ars Legatus Legionis

More options

jzsmpsn

Smack-Fu Master, in training

More options

sryan2k1

Ars Legatus Legionis

More options

SandyTech

Ars Legatus Legionis

More options

moosemaimer

Ars Scholae Palatinae

Microsoft disables bad spam rule flagging all sent emails as junk

More options

oikjn

Ars Scholae Palatinae

More options

mrkag

Smack-Fu Master, in training

More options

oikjn

Ars Scholae Palatinae

More options