only generate one notification for phishing/impersonated user events
There are two default alert policies,
"Phish delivered due to tenant or user override"
"User impersonation phish delivered to inbox/folder"
When a phishing message is received, because our anti-phishing policy Action is to "take no action" we get (2) two notifications. One, that the message was delivered due to an override, and a second that a phish message was delivered to folder/inbox.
It's unclear what is considered an override. Based on our experience the assumption is that "Take no action" is considered an override. What else is considered an override?
Adding an address to the tp anti-spam policy "safelist"?
User adding address to the mailbox level safelist?
Need more information