Internal email messages incorrectly marked as spam

Internal email messages in Exchange Online are improperly handled as spam

- Updated:
- 18 May 2020
- Product/Version:
- Cloud App Security
- Platform:

Summary

Internal email messages in Exchange Online are improperly handled as spam by the Advanced Spam Protection security filter ignoring the administrator-configured settings in an Advanced Threat Protection policy for Exchange Online. The administrator can configure how to handle their internal email messages by the Trend Micro Anti-spam Engine (TMASE) as follows:

To have Cloud App Security (TMCAS) not scan internal messages, set the security filter to apply to Incoming messages.
To have TMCAS scan internal messages but not take configured actions if they fall into other spam, set the security filter to apply to All messages and select Pass all the messages sent from internal domains if detected as other spam in the Action section.

However, TMCAS does more in the back end. For example, Sender Policy Framework (SPF) setting and email header checks, to identify fake internal emails.

Therefore, upon the above settings, if some internal messages of your organization are still handled as other spam, you can check the affected messages for further actions.

Details

Set up the Advanced Spam Protection filter to only apply to Incoming messages to prevent internal emails from being scanned.
If all messages need to be scanned by Advanced Spam Protection filter, but you do not want the filter to take actions for incoming mails detected as “Other spam”, configure the following settings:
1. Configure the Advanced Spam Protection filter to apply to All messages.
2. Check the option Pass all the messages sent from internal domains if detected as other spam.

With the above settings, when internal messages are still detected as spam, go ahead and check the detected messages by doing the following:

Confirm whether the detected messages have failed information of Sender Policy Framework (SPF) on the email header. For example, Fail or softfail.
- If the detected messages have a failed SPF header on the mail header, check the related SPF setting for the sender domains.
- Or you can choose to add the email sender from the detected messages into the Approved Sender List if you confirm that the sender can be trusted.
Confirm whether you have inconsistent Reply-to or Return-path on the detected message mail headers, in which the domain name is not included in the internal domain list.
- If the mail headers are not consistent with the sender’s domain, go ahead and check whether you have a special setting or whether this mail is forged in the internal mail.
- If you implement some special settings, which modifies the mail header, go ahead and check whether TMCAS' current approved list setting can bypass them. It includes the following:
  - Approved sender
  - Approved header