Microsoft will send you an informational email alert when they detect that an Exchange Transport Rule (ETR) has allowed the delivery of a high confidence phishing message to a mailbox. The alert is titled "Phish delivered due to an ETR override" and you may received this after launching a phishing simulation campaign.This policy has an Informational severity (Lowest) setting.
Example of email received by your Microsoft O365 Admin:
Example of alert page in Microsoft 365 Defender:
We recommend that you keep these alerts switched on as they will remind you of the transport rules you have in place, however the alerts can be switched off by following these steps:
- Disable the Exchange Transport Rule override in the Alert policy
- Go to Microsoft O365 - Alert policy
- Search for Phish delivered due to an ETR override
- Click the policy
- Turn off the alert policy from the status toggle
- Click close