Anti-phishing policy | User notification | Self release
It's great that Microsoft provides the possibility to block phishing messages, but it is not clear why it is not able to provide the same functionality as in the anti-spam policy, so that the user gets a notification that a mail has been moved to the quarantine and can preview the message and decide to leave it there or release it.
The anti-phishing policy is not perfect; it creates a lot of false positives and the user will not be informed in order to check the mail and release it.
I didn't see any argument why Microsoft is not providing a notification and self-release option to the user there.
In most cases a company doesn't have a 24x7 postmaster who is looking at the incoming mails all the time and releasing them to the recipient in case of false positives.
Colin Slater commented
The current anti-phishing design is badly flawed. If users can be "trusted" to look through the emails classified and quarantined as spam, why are they not afforded the same ability for phishing? Why are the options in the policies so restricted?
It is one of:
on - in which case the only people that can be tasked with releasing false positives are administrators, and who has the time to go through quantities of quarantined emails every day on the off chance that we can find a false positive? I look after 5 major tenants.
on but don't quarantine the emails, just send them to Junk - a marginal protection, as all the phishing emails will appear in the Junk folder and there is nothing stopping the user simply moving them to the inbox.
There is no flexibility to have a whitelist.
There is very little information about what triggered the phishing alert, and yes, I know that if the triggers were published it would allow the generators to develop more sophisticated attacks. However, in discussing the issue with a company that has been hit by false positives, how can I suggest what it is that is causing the issue?
This makes this tool pretty useless as it is; it doesn't help at all.
Plenty of false positives are being caught. Users need to be able to release or, at the very minimum, receive notification that they have been quarantined and can ask an administrator to release. At the moment in small business, email conversations are being blocked/lost as the user has no idea it's been classed as 'phishing' and quarantined without notice.
I do see your point, as there are a lot of false positives; however, there's a lot of legitimately malicious phishing being caught too and I don't want my users unknowingly releasing those messages to their inbox. Whether to allow users to release phishing messages should be optional for your tenant, if at all.
We have a requirement for this to be worked on please.