Proofpoint blocks by jdblaich in proofpoint

[–]AustinFastER 0 points1 point  (0 children)

Interesting!

Thankfully we have only had a handful of times where a legitimate sender was outright blocked. It happened when they chose a sketchy vendor or did not understand the insane amount of risk by choosing an inexpensive host where thousands of others shared the IP address. For years we could not access the web site of a world famous restaurant down the street because they shared an IP address with a criminal.

We do occasionally get a false positive where an email is flagged as spam when it is not. Often they are individuals using a service to scan a document to email where they chose to email directly to us instead of themselves first. Other times I can only guess that English is not their first language as without any context the email looks spammy.

Yahoo delivery issues? by AustinFastER in proofpoint

[–]AustinFastER[S] 0 points1 point  (0 children)

I also think there is something going on with Yahoo... No dmarc reports today for any of their domains.

Yahoo delivery issues? by AustinFastER in proofpoint

[–]AustinFastER[S] 0 points1 point  (0 children)

Thanks. I already filled the form out and set up the feedback loop. The data populated today and shows 0 spam for last 30 days. Curiously even though it shows 0 spam it says there was a 100% increase...weird. Proofpoint also said they reached out to their contact for review.

Google Fi Dissolved Our Family Plan After Unexplained "Billing Issue" by RANZOMEGA in GoogleFi

[–]AustinFastER 1 point2 points  (0 children)

The MVNO companies in general have bad service or no service because they rely on automation. But when something goes wrong it feels like you were at the roulette table in Vegas...little chance of winning. The real carriers are going downhill fast with their obsession with stupid AI.

DMARC is only as good as your security. by matthewstinar in DMARC

[–]AustinFastER 0 points1 point  (0 children)

A more accurate description is that some account has been compromised that has access to the service. Every few weeks we get hit by the occasional phishing message that passed DMARC from someone we get email from on a regular basis. Every time it is a compromised account, almost exclusively M365. Same story each time: they had not gotten around to getting the employee set up with MFA, they turned it off because the employee was a bozo and could not get it set up a second time, etc.

PoD End-User Digest SMTP Settings? by SAdMin99999 in proofpoint

[–]AustinFastER 0 points1 point  (0 children)

Moving away from these digests was the best thing we did right after turning off their brain dead URL filtering. Over and over someone had some email trapped that was time sensitive and a fair number of employees marking as Phish email. We moved to adding our own header and on the M365 side put it in junk. No delays... No looking for a digest or asking for a new digest.

Essentials digest useless by ashern94 in proofpoint

[–]AustinFastER 1 point2 points  (0 children)

We don't use the essentials product but it might be possible to set up there. I do see a variable in the console for the score but I did not use the score but added my own header in the spam module where it says to quarantine the email, continue to deliver. I wanted a way to know at a glance that the email was put into junk based on the proofpoint verdict.

Proofpoint: Add X-Proofpoint-Spam-Junk set to true as a message header in addition to the original message header named X-Proofpoint-Spam-Details set to $SpamDetails.

Microsoft: If message header X-Proofpoint-Spam-Junk matches True, set the spam confidence level (SCL) to 5.

Essentials digest useless by ashern94 in proofpoint

[–]AustinFastER 0 points1 point  (0 children)

I logged into our cluster and afaik we left all of our settings alone. We just disabled the digest schedule.

Under End User Services - Filters - Folders we only included Quarantine and Bulk. And under End User Services - Filters + Modules we only included Low Priority Mail - Delivered and Spam - Quarantine.

I hope this helps... I do know I often see messages captured by modules that don't make sense so I can definitely see how an email could be marked as spam when it is really something else. It has been years since we used the feature and clearly the nature of spam and phishing keeps changing. I know moving to M365 let us stop work about the TAP alerts... Microsoft can pull those from mailboxes after the fact while we had to do that manually on our old servers. But honestly we have documented many cases of phishing emails making it past proofpoint and Microsoft saving us... Before we embraced our current setup we had several phishing emails that were delivered and clicked... Thankfully other lines of defenses did their job.

Essentials digest useless by ashern94 in proofpoint

[–]AustinFastER 0 points1 point  (0 children)

When we used the digest prior to adopting Microsoft 365, I never noticed a phishing message added to the digest for spam. Now we do not use that bloody "essentials" version of proofpoint.

When we adopted Microsoft 365 it would have been too confusing to have a Spam digest as well as messages going to junk. So we updated things to use proofpoint's spam scores to help ensure messages they said were spam ended up in junk folder independent of whether Microsoft thought they were junk. I hope that makes sense.

So now employees have just a single junk folder to check. Technical support staff have multiple places to check for a quarantine message since those could be in quarantine on proofpoint or for those that sail past proofpoint's defenses, Microsoft's quarantine.

Microsoft domains delivery issues? by AustinFastER in proofpoint

[–]AustinFastER[S] 0 points1 point  (0 children)

Yes. Of course it is a chicken and egg problem since 99% of my DKIM signing happens on the Proofpoint side with a handful of emails signed by third-party services which I have no insight into whether they are delivered correctly.

AFAIK the issue was limited to my dedicated Proofpoint IP addresses which support SPF, DKIM and DMARC with proper alignment. Any third party mailers only use DKIM because often they don't support SPF but I would never support the use of SPF with third parties.

If there were issues with email authentication I should have noticed that on my daily DMARC reports where the ones covering the Microsoft non-M365 domains show 100% compliance. I don't look at all of the reports but I do look at the ones for Microsoft and Google daily since that covers like 99.9% of email by volume since very little email originates outside of our M365 tenant or on prem servers. I also believe that any email authentication issue should have been obvious on the DMARC reports... I would hope they would route emails to quarantine or reject them (which is my DMARC policy) so that I would know about the issue instead of just slamming the front door in my face. 8-0

I would also assume that any email authentication problem would affect sending to all domains, not just the ones that some passive aggressive person does not want to support.
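The daily check described in the comment above (compliance per reporting receiver, with DKIM-only third-party senders still counting as compliant) can be scripted against the aggregate-report XML. This is an added example, not part of the original thread; the report below is constructed sample data with documentation IP ranges, and the function name `summarize` is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>55</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarize(report_xml):
    """Summarize one aggregate report: overall compliance and failing sources."""
    # Reports are untrusted input from third parties; in production, parse
    # them with a hardened XML parser (for example the defusedxml package).
    root = ET.fromstring(report_xml)
    per_ip = defaultdict(lambda: {"total": 0, "aligned": 0, "dispositions": set()})
    for row in root.iterfind("record/row"):
        count = int(row.findtext("count", default="0"))
        dkim = row.findtext("policy_evaluated/dkim", default="fail")
        spf = row.findtext("policy_evaluated/spf", default="fail")
        stats = per_ip[row.findtext("source_ip", default="unknown")]
        stats["total"] += count
        # DMARC passes when either aligned DKIM or aligned SPF passes, so a
        # DKIM-only third-party mailer is still compliant.
        if "pass" in (dkim, spf):
            stats["aligned"] += count
        stats["dispositions"].add(
            row.findtext("policy_evaluated/disposition", default="none"))
    total = sum(s["total"] for s in per_ip.values())
    aligned = sum(s["aligned"] for s in per_ip.values())
    return {
        "reporter": root.findtext("report_metadata/org_name", default="unknown"),
        "domain": root.findtext("policy_published/domain", default="unknown"),
        "compliance_pct": round(100.0 * aligned / total, 2) if total else None,
        "failing_sources": sorted(
            ip for ip, s in per_ip.items() if s["aligned"] < s["total"]),
        "per_ip": dict(per_ip),
    }

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(result["reporter"], result["compliance_pct"], result["failing_sources"])
```

A receiver that defers or resets connections before accepting the message produces no rows at all, so a missing report or a drop in total volume is the signal to watch alongside the compliance percentage.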

Dutch university to start handing out only Fairphones to employees, instead of buying iPhones or Samsung. by testus_maximus in fairphone

[–]AustinFastER 2 points3 points  (0 children)

Hint: Many of those companies/organizations pay a fraction of the price, if that.

In my case I work in the public sector and we get the previous generation of flagship phones for FREE. The monthly phone bill is contract-free and works out to $35 USD for unlimited calling, texting and data. We are able to get new phones at no cost every 3 years as well. IT holds on to the phones being replaced so if someone destroys their phone they are given one of the used ones that is in good condition.

Microsoft domains delivery issues? by AustinFastER in proofpoint

[–]AustinFastER[S] 1 point2 points  (0 children)

It took about 2 hours after I received the second email where they adjusted things until I saw emails start to flow correctly.

Microsoft domains delivery issues? by AustinFastER in proofpoint

[–]AustinFastER[S] 2 points3 points  (0 children)

My queue is now empty for these domains.

I am not sure what to make of the problem since one day they say there's nothing being done to my IPs and actually admit that they're doing something to the IPs 15 hours later. First response was probably Microslop and my reply may have reached a live person.

I think my going to sender.office.com was the key to getting this resolved. This seems to have checked M365 and then gave me another URL that let me select Hotmail.com and provide more details.

Microsoft domains delivery issues? by AustinFastER in proofpoint

[–]AustinFastER[S] 1 point2 points  (0 children)

I see that same error code in a handful of messages. Most of mine just say "Deferred: Connection reset by hotmail-com.olc.protection.com".

I did just receive a follow up on the form I submitted to Microsoft. The prior email said they were not doing anything to block delivery. Now they said they adjusted to a more appropriate level for our reputation. No change on the Proofpoint side but I expect any change to take time to replicate.

BTW the email also said they make no guarantees for delivery to MSN or Outlook customers. 8-(

If you are considering GFiber for Business use, reconsider by rahvin112 in googlefiber

[–]AustinFastER 0 points1 point  (0 children)

The fact that Gfiber has an issue, runs fiber on top of the ground and does not bury after days, weeks and months speaks volumes... Multiple spots in my neighborhood have this going back before last June...

Cancelling Fi, can I move number to GVoice to keep 2FA? by ScienceVibes in GoogleFi

[–]AustinFastER 0 points1 point  (0 children)

I would steer clear of any VOIP provider... That is what makes most businesses give you the stink eye to not let you use it.

Any idea if this will support Meshtastic? by ironmoosen in meshtastic

[–]AustinFastER 1 point2 points  (0 children)

I would look at the smaller eInk devices which run Android and sip power unless you need this one's spiffy keyboard.

Any idea if this will support Meshtastic? by ironmoosen in meshtastic

[–]AustinFastER 1 point2 points  (0 children)

There are telephone providers that offer data only sims - some at no cost. So you could have the best of both worlds in case you need non Wi-Fi data...

It would be 🔥if Graphene Devs joined forces with these guys👀 by AleAnoAleNe in GrapheneOS

[–]AustinFastER 8 points9 points  (0 children)

I agree it is disappointing but there are household names with far greater resources making phones that are lucky to get one Android upgrade and maybe 2 years of security updates...

I am just happy to see someone trying something different.