EOP Escalates Fight Against High-Confidence Phish
Author: Tony Redmond – Office 365 IT Pros
…Office 365 notification MC226683 “Secure by Default – Honoring EOP/ATP detonation verdicts”…
…Exchange Online Protection will no longer take allowed senders and allowed domains into account when it filters out high-confidence phish (messages that EOP is very sure are phishing attempts)…
…Microsoft’s advice is to replace the allowed senders and allowed domains list with a mail flow rule to skip anti-spam filtering for messages originating from absolutely safe sources. The mail flow (transport) rule can be made much more specific about where messages come from, so it is inherently safer than the “accept everything from this domain or sender” approach in allow lists…
The legal hold notice market is dominated by cloud services that use a wide variety of security methods to send out your notices from their trusted domains. Having implemented a large number of these systems recently, I can tell you how difficult it can be to establish that trust relationship and bypass all the spam/virus/phishing filters to ensure that all custodians receive their hold notices. Legal hold notices with embedded forms and links look like phishing attempts. I have seen custodians report them to security because they believed that they were a phishing attempt. This change by Microsoft means that your hold notices could be ‘detonated’ and deleted before reaching custodians. Send your email admin and your LHN support team the Microsoft MC226683 notice and ask them to verify that your LHN domain uses a mail flow rule rather than just being whitelisted.
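The mail flow rule approach quoted from Microsoft's advice above, together with the verification the last paragraph asks the email admin to perform, as an added Exchange Online PowerShell example. This is not code from the original post, from Tony Redmond, or from Microsoft's documentation. The vendor domain, IP range and rule name are assumed placeholders; replace them with the values your LHN vendor publishes.

```powershell
# Added example (not from the original post or Microsoft's documentation).
# Requires the Exchange Online PowerShell module and an admin session:
#   Connect-ExchangeOnline
#
# Placeholders (assumptions, replace with your own values):
#   holdnotices.example.com  - the domain your LHN vendor sends from
#   203.0.113.0/24           - the vendor's published outbound IP range (TEST-NET-3)

$vendorDomain  = 'holdnotices.example.com'   # assumed placeholder
$vendorIpRange = '203.0.113.0/24'            # assumed placeholder

# 1. Create the rule. Both conditions must match: the envelope (P1) sender's
#    domain AND the connecting IP range. Tying the domain to the vendor's own
#    infrastructure is what makes this narrower than an allow-list entry, which
#    would accept anything claiming to come from that domain.
New-TransportRule -Name 'Bypass spam filtering - legal hold notices' `
    -SenderDomainIs $vendorDomain `
    -SenderAddressLocation Envelope `
    -SenderIpRanges $vendorIpRange `
    -SetSCL -1 `
    -Comments 'Legal hold notice vendor; see Microsoft MC226683. Review whenever the vendor changes its sending infrastructure.' `
    -Mode Enforce

# 2. Verify: list every rule that sets SCL -1 with its conditions, so the
#    email admin can confirm the LHN domain is covered by a mail flow rule and
#    not only by the anti-spam policy's allowed senders/domains list.
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } |
    Select-Object Name, State, Priority, SenderDomainIs, SenderIpRanges, SenderAddressLocation

# 3. Cross-check the allow lists that the notice says will no longer be honored
#    for high-confidence phish. Any LHN domain that appears only here still
#    needs a rule like the one above.
Get-HostedContentFilterPolicy |
    Select-Object Name, AllowedSenderDomains, AllowedSenders
```

Run step 1 with `-Mode Audit` first if you want to see which messages the rule would match before it starts setting SCL -1; switch to `Enforce` once the vendor's test notices appear in the rule's message trace results. Steps 2 and 3 are read-only and can be run by the email admin as the check the post asks for.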