Transport Rules SCL -1 Failure to Bypass

Manually using transport rules to whitelist emails can be good for a tailored approach for ensuring email makes it to the users inbox. Well... until it doesn't!

Did you know... creating transport rules to bypass spam filtering won't bypass High Confidence Phish emails (HPHISH) and messages with Malware.

Like me you might have wondered why some emails were blocked whereas others were delivered while all of them triggered the transport rule.

In the message header X-Forefront-Antispam-Report look for the value of CAT:HPHISH or HPHSH.

HPHSH or HPHISH = High confidence phishing

To resolve this issue Microsoft suggests the following:

You can use the Tenant Allow Block List (TABL) to temporarily override a HPHISH verdict in false positive scenarios when an email was classified as High Confidence Phish (HPHISH) by one of our machine learning models. To do so, you must do an admin submission. If the MX record for the recipient domain doesn't point to Microsoft 365 (mail is routed through a third-party service or device first), a rule with Bypass spam filtering allows messages detected as High Confidence Phish by Microsoft 365 anti-spam filtering to be delivered to the Inbox. - MS Doc's

Of course be very 'very' careful about allowing messages to skip spam filtering The mail flow rule should use more conditions than just the sender's email address or domain. 

Stay safe out there!

J