MC265759 – Updated September 30, 2021: Microsoft has updated the rollout timeline below. Thank you for your patience.
Microsoft believes it’s critical to keep their customers secure by default. Microsoft has determined that legacy overrides tend to be too broad and cause more harm than good. As a security service, Microsoft believes it’s imperative that they act on your behalf to prevent your users from being compromised. This means these legacy overrides will no longer be honored for email messages Microsoft believes are malicious. Microsoft has already applied this approach with malware messages and now they have extended it to messages with high confidence phish verdicts. Microsoft has been taking a very deliberate approach to rolling out these changes in phases to ensure customers are not surprised and there are no negative side effects. Microsoft began to rollout Secure by Default for high confidence phishing messages by the override type starting in December 2020 (Roadmap ID 60827). Today, Microsoft is at a point in their Secure by Default journey where the following overrides are not honored for malicious emails (malware or high confidence phish emails):
Microsoft is now extending Secure by Default to cover high confidence phishing messages for the remaining legacy override type, Exchange mail flow rules (also known as transport rule or ETRs).
Key Points
How this will affect your organization:
After the last phase of Secure by Default is enabled in August for ETRs, Defender for Office 365:
What you need to do to prepare:
If you are currently using Exchange mail flow rules (also known as transport rules or ETRs) to configure your third-party phishing simulation campaigns or delivery for security operation mailboxes, you should begin to configure these with the new Advanced Delivery policy when the feature is launched in July (Roadmap ID 72207). For more information, please refer to message center post MC256473. Administrators should also use the submission portal to report messages whenever they believe a message has the wrong verdict so that the filter can improve organically. Microsoft is further improving this experience with the integration of the Tenant Allow/Block List (TABL) in the Admin submission portal. With this update, you will be able to override filtering verdicts and allow similar messages while your submission is being reviewed. Please see message center post MC267137 to learn more.
Note: If your organization has compliance requirements that make it necessary to opt out of this change, that requirement is met by Microsoft Defender for Office 365 continuing to honor the ETR when MX record points away from us (not O365).
Learn more:
Previous Exchange Online Changelog Messages
Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.