Issue
Users reporting that some incoming emails sent to their Office 365 mailboxes never reach them and don’t even appear in Junk Mail folders.
Resolution
A quick Office 365 message trace revealed that emails in question were sent to Office 365 Quarantine.
The quarantine can be accessed here and an admin can preview, download, or release the quarantined messages. As the screenshot below shows, the emails were sent to quarantine instead of the user’s Junk Mail folder, because Office 365 Anti-Spam Policy identified them as High Confidence Phish (which was incorrect, the emails were completely legitimate text emails containing a single job sheet type PDF attachment).
Digging further, I checked the Anti-Spam Policy settings (Office 365 Compliance Admin Centre > Threat Management > Policy > Anti-Spam > Anti-Spam Inbound Policy).
As expected, under Actions, High Confidence Phishing was set to be quarantined.
Now, you could argue that this is a good thing and high confidence phishing should not be delivered even to the end user’s Junk Mail folder. Obviously, this argument is somewhat less strong when quite a few of those “high confidence phishing” emails appear to be legitimate business emails. In any case, this is a somewhat moot point now, as from March 2021 Microsoft no longer allows to send such emails to the Junk Email folder. If you try to do that, you will be greeted with the following warning:
To enhance default protection, the option to move messages to the Junk Email folder has been deprecated. Messages will be quarantined instead.
I don’t have any issues with this policy as long as false positives are extremely rare, and users are notified when emails are sent to quarantine. Not sure why, but Microsoft decided that end-users do not need to be notified about their incoming emails sitting in quarantine. This obviously results in the whole “missing and disappearing” emails issue. This can be changed in the same Anti-Spam Inbound Policy > Actions section.
July 2021
Microsoft Office 365 (Exchange Online)
Leave a Reply