M365 Junking legitimate emails (Resolved) Investigating / Notice
22 days

We have been able to narrow down the issue with Microsoft M365 incorrectly classifying messages as Junk mail or High Confidence Phishing. The problem has been reproduced from external senders (Gmail), from internal senders (M365->M365), and through a security service (M365->ExchangeDefender & similar ->M365).

The problem appears to be related to an undocumented Microsoft "feature" that tracks the age of URLs:

X-MS-Exchange-Organization-UrlMinimumDomainAge

The X-Header is used to track the days since the domain was registered and it appears that Microsoft is tracking threads that contain recently created URLs. There is absolutely no documentation from Microsoft on this header nor guidance on how to control it. Our own guidance is as follows:

1. Whenever possible, send plain-text messages not rich HTML. Microsoft is aggressively filtering multipart messages (attachments, inline images, threads) and the bigger the thread or more images the less likely it will end up in the Inbox.

2. Whenever possible, trim back and forth conversations entirely to just the last message. 

3. Whenever possible, start a new thread instead of just hitting Reply. Microsoft is tracking message threads and the longer the thread the less likely it will end up in the Inbox.

4. Whenever you encounter an error, rely on https://bypass.exchangedefender.com

We are continuing to work with Microsoft and continue to escalate the issue. 

Update 05/25/2023 19:23 PM 3 days

The following advisory is issued based on ExchangeDefenders troubleshooting with our clients, competitors, and 3rd parties. 

As of May 24th we have seen inconsistency in Microsoft's ability to reliably deliver email to M365 users Inbox. Legitimate messages are moved to M365 Junk Mail with SCL:5. So far we've been able to replicate this issue with:

-HTML messages (multipart w/ and w/o text body)

-Text only messages

-Messages from M365

-Messages outside M365


Identical message coming from an the exact same sender email address, server IP address, and to the same recipient will randomly arrive in the Junk Mail or Inbox in the same 5 minute span. It doesn't matter whether messages are coming from M365 hosted domain, through ExchangeDefender smarthost, directly via SMTP from Exchange or sendmail. 


We have shared our findings with our clients and with our competitors and it appears to be affecting everyone intermittently. 


We have escalted this issue within Microsoft and as of now they don't have a solution.


Based on our research and our work over the past day, the issue appears to be intermittent and isolated to M365. We believe it has to do with Microsoft updating something with it's antispam protection based on the fact that the issue can be replicated intermittently without regard for the senders email address/server/software/content.


--------------


If you're currently experiencing this problem please ask your recipients to create a trusted sender policy for the following IP ranges:


174.136.31.16/28

207.210.228.192/28


This is the only known method that works at the moment.


If your domain is protected by ExchangeDefender, send an email to postmaster@exchangedefender.net and we will escalate the issue within Microsoft/M365 on your behalf. 


Admin M365: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide


Outlook: https://support.microsoft.com/en-us/office/add-recipients-of-my-email-messages-to-the-safe-senders-list-be1baea0-beab-4a30-b968-9004332336ce