Situation
An admin is seeing Exchange Transport Rule alerts in phishing emails.
Question
How can the Microsoft ETR override alert be removed from phishing emails?
Answer
Beginning in February 2021, Microsoft implemented an alert rule in the Office 365 Security Center titled "Phish delivered due to an ETR override". This alert is categorized as Informational and is aggregated in the Security Center as a single event that takes no action. Office 365 generates the alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high-confidence phishing message to a mailbox. The policy is informational only and does not trigger any action by Microsoft.
To disable these ETR alerts, do the following:
a) View the alert policy in either portal:
- In the Microsoft Purview Compliance portal:
  - Log into the portal (https://compliance.microsoft.com)
  - Select Policies > Alert > Alert policies
- In Microsoft 365 Defender:
  - Log into the Microsoft 365 Defender portal (https://security.microsoft.com)
  - Go to Email & Collaboration > Policies & Rules > Alert Policies
  - You can also go directly to https://security.microsoft.com/alertpolicies
b) Search for "ETR" and click "Phish delivered due to an ETR override"
c) Turn off the alert policy using the toggle
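
The same steps can be scripted. The following is an added example, not part of the original article: it first lists the enabled transport rules that bypass spam filtering, so the rule behind the override is known before the alert is silenced, then turns the policy off and confirms the result. It assumes the ExchangeOnlineManagement module is installed, that the account may manage alert policies and read transport rules, that the overrides come from rules that set the spam confidence level to -1, and that the tenant accepts the change from PowerShell as it does from the portal toggle.

```powershell
# Added example: PowerShell equivalent of steps a) to c).
# Assumption: ExchangeOnlineManagement module is installed and the account
# has rights to manage alert policies and read transport rules.
Import-Module ExchangeOnlineManagement

# Policy name as displayed in the portal
$PolicyName = 'Phish delivered due to an ETR override'

# Review first: enabled transport rules that set SCL to -1 (bypass spam filtering).
# Assumption: these are the rules producing the override.
Connect-ExchangeOnline
Get-TransportRule |
    Where-Object { $_.SetSCL -eq -1 -and $_.State -eq 'Enabled' } |
    Format-Table Name, Priority, SetSCL -AutoSize

# a) + b) Locate the alert policy and show its current state
Connect-IPPSSession
$policy = Get-ProtectionAlert | Where-Object { $_.Name -eq $PolicyName }
if (-not $policy) {
    throw "Alert policy '$PolicyName' was not found in this tenant."
}
$policy | Format-List Name, Severity, Disabled

# c) Turn the policy off only if it is currently enabled
if (-not $policy.Disabled) {
    Set-ProtectionAlert -Identity $policy.Name -Disabled $true
}

# Confirm the change
Get-ProtectionAlert -Identity $policy.Name | Format-List Name, Disabled

Disconnect-ExchangeOnline -Confirm:$false
```

To turn the policy back on, run the same `Set-ProtectionAlert` call with `-Disabled $false`.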