1 Reply

  • There is a way of whitelisting, but typically you want to avoid whitelisting a domain, since spoofing is a thing, and if that address or domain is ever spoofed then you're going to have all sorts of bad things sliding past your quarantine. Ideally you want to talk to the website about the issue and see what they can do or recommend.

    I'm not sure about the volume of emails your users are receiving that are being caught in quarantine, but you could always just set up quarantine alerts and filtering and keep an eye on quarantine. We currently do that because we get some emails that are legitimate but are sent in a way where quarantine will catch them as phishing (such as HTML files or older file formats), and we manually review and release/delete them. We filter it by transport rule and only keep an eye on those, since those are most likely to be legit emails.

    If you want to whitelist, there is an option to set that up in the 365 Security console. Below where Review is, there is Policies and Rules, where you can set up a whitelist and other rules to help shape your quarantine to best fit you, both to catch potential threats and to reduce the number of false positives. Personally I am just not a fan of whitelisting, since that can open you up to threats easily.

    I'd rather just have alerts whenever certain things get caught in quarantine and manually review/release them to users than whitelist and open myself up to spoofs or breached external accounts. Phishers and other baddies will even spoof internal accounts from your domain and try and send those to your users.

    Ideally, talk to the website's people and also create some rules (but not whitelists) to maybe let those through without opening yourself up. I'm not sure what is in these emails and if they have attachments or links, but you can definitely set something up to help without whitelisting. Any baddies aren't just going to send text; there are certain keywords in emails you can set up. For example "Password", "Pass", "Word" (you're going to want to split things up, since phishers are pretty clever), but filtering things like this can allow you to let through the legitimate emails and block the malicious ones.


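The review approach described in the reply above can be sketched as a triage helper; this is an added example, not part of the original reply or any Microsoft 365 API. It assumes the topmost `Authentication-Results` header is the one stamped by your own mail gateway, and the domain `vendor.example`, the keyword list and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Keyword fragments, split up the way the reply suggests (constructed list).
KEYWORDS = ("password", "pass", "word")

def from_domain(msg):
    """Domain of the visible From address, which a sender can set to anything."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dmarc_pass_for(msg, domain):
    """True only if the topmost Authentication-Results header reports
    dmarc=pass for this exact From domain (assumed to be your gateway's header)."""
    for value in msg.get_all("Authentication-Results", [])[:1]:
        v = " ".join(value.split()).lower()
        aligned = re.search(r"header\.from=" + re.escape(domain) + r"(?![\w.-])", v)
        if re.search(r"\bdmarc=pass\b", v) and aligned:
            return True
    return False

def triage(raw, expected_domain):
    """Classify one quarantined message claiming to be from expected_domain."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    if domain != expected_domain:
        return "ignore"            # not the sender under review
    if not dmarc_pass_for(msg, domain):
        return "hold"              # From domain unauthenticated: possible spoof
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(k in text for k in KEYWORDS):
        return "review"            # authenticated, but could be a breached account
    return "release-candidate"

def sample(dmarc, body):
    """Build a constructed quarantined message for the demo."""
    return (
        "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=vendor.example;"
        f" dmarc={dmarc} action=none header.from=vendor.example\n"
        "From: Notices <notices@vendor.example>\n"
        "Subject: Monthly report\n\n" + body + "\n"
    )

if __name__ == "__main__":
    for dmarc, body in [("pass", "Your monthly report is attached."),
                        ("fail", "Confirm your password"),
                        ("pass", "Reset your password here")]:
        print(dmarc, "->", triage(sample(dmarc, body), "vendor.example"))
```

A plain domain whitelist would have released all three samples; here only the authenticated message without keyword hits becomes a release candidate, and the rest stay for manual review.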