How to disable ETR Alerts in Office365

Created by Yves Lacombe, Modified on Wed, 31 Jan 2024 at 10:23 AM by Yves Lacombe


Admin is seeing exchange transport rule alerts in phishing emails


How can the Microsoft ETR override alert be removed from Phishing emails?


Beginning in February 2021, Microsoft implemented an alert rule in the Office 365 Security Center titled, Phish delivered due to an ETR override. This alert is categorized as Informational and is aggregated in the Security Center as a single event that takes no action. Office 365 generates an alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high confidence phishing message to a mailbox. This policy is informational only and does not trigger any action to be taken by Microsoft.

To disable these ETR alert please do the following:

a) View the alert policy:

- Go to the Microsoft Purview Compliance portal

- Log into the portal (

- Select Policies > Alert > Alert policies

- Microsoft 365 Defender

- Log into the Microsoft 365 Defender portal (

- Go to Email & Collaboration -> Policies & Rules > Alert Policies

- You can also go

b) Search for "ETR" and click "Phish Dlievered due to an ETR override" 

c) Turn off the alert policy using the toggle