Updates
March 18, 2024
- Added Documentation and Configuration links for Microsoft Preset Security Policies / Microsoft Defender Threat Policies
March 19, 2024
- Microsoft continues to make unilateral adjustments. Microsoft appears to have made adjustments, and emails are no longer blocked for customers. We have adjusted the section “What ContactMonkey is Planning to Do” to reflect the current state of the situation and the recommended steps.
- Added links to ContactMonkey's Microsoft Defender - Suggested Maintenance Best Practices For Policies
Summary
On Thursday, March 14, 2024, a number of our ContactMonkey customers experienced problems sending emails to recipients on Microsoft’s email system, Exchange Online. This directly correlates to the issues Microsoft has been having with its Microsoft Endpoint/Quarantine system, where ContactMonkey emails are incorrectly flagged as Spam and Quarantined.
Customers may experience the following:
- Campaigns appear delivered, and customers can see Campaigns in their ContactMonkey Dashboard.
- A “delivered” message is sent from ContactMonkey advising the customer that the email was sent.
- None of the campaign's (Microsoft) recipients receive the email.
Other issues that may be related:
- Customers receive notifications that the links in the emails may be malicious.
- Customers may see previously sent emails disappear (and then reappear).
Microsoft has been tracking this issue as a part of their internal ticket, EX719348, “Some users' outbound Exchange Online email messages may be marked as spam and not delivered.”
Customers can see this ticket only if they have access to their Office 365 Administration Console (https://admin.exchange.microsoft.com/), under the Health section.
ContactMonkey has run many tests and verified independently that our customers can be affected by these issues. ContactMonkey can confirm that no changes were implemented to our Outlook Add-Ins or the ContactMonkey processes for the entire week before March 14. All changes made on March 14 were made unilaterally by Microsoft without consultation with ContactMonkey.
Why is this occurring starting on March 14?
ContactMonkey suspects that, in an attempt to resolve EX719348, Microsoft has been changing how it chooses to quarantine emails and the algorithms it uses to decide which emails are malicious and which are not. The adjustments made today have now mistakenly started to include ContactMonkey email campaigns.
To emphasize that this is an issue contained within the Microsoft ecosystem, there are no errors anywhere in ContactMonkey’s system when attempting to send the email. Microsoft’s systems all indicate that the email process owned by ContactMonkey has been completed successfully.
Emails not being delivered
In our ContactMonkey tests, we noticed that campaign emails reach the end destination servers but not the customers' mailboxes. This is because the emails have been flagged for quarantine. Customers' Microsoft Exchange administration teams can see these emails and remove them from quarantine according to the following Microsoft article, Manage quarantined messages and files as an admin.
Individual users can also manage these emails. However, since campaigns often have many recipients, it is often the customer’s Office 365 administrator who should make the changes to release the emails.
Office 365 administrators are encouraged to make further adjustments to ensure that future emails are not flagged. They can do so by following Microsoft's suggestions to adjust alerts on false positives.
To investigate, Office 365 administrators can run a mail trace by following Microsoft's article.
Office 365 administrators can also look at their Microsoft Defender Quarantine Page and search for the emails. They will typically have a release status of “Needs review”.
Emails showing up with a “possible malicious link” warning
Some users have also seen emails carrying a warning about possible malicious links. This is also tied to the aggressive changes brought by Microsoft’s adjustments.
Customers can have their IT team reach out and look to add our URLs to their trusted links to remove this warning/false positive. For added context, this issue has been reported before: historical examples include false positives for links from Zoom and Yahoo.ca.
Campaign emails disappearing and reappearing as new emails
Some users are also reporting that emails are disappearing and reappearing. This can also be a common occurrence due to how Microsoft quarantines emails. Once Microsoft has flagged an email or site for being malicious, previous emails can be quarantined. This process occurs entirely independently from ContactMonkey.
Once the email is released, it may then reappear as a “new message”, again because of how Microsoft handles quarantines and releases of emails. This can happen when Office 365 administrators make changes or when Microsoft itself readjusts the quarantine values.
Customers uncertain if they are affected should search and check if they have multiple copies of the campaign email in their mailbox or just one email. While it may appear as though ContactMonkey has delivered a second email message, our systems have not sent a second email. Instead, this is Microsoft's quarantining system removing and rereleasing the email.
Customers looking for proof can have their Office 365 administrator look at their Microsoft Defender Quarantine Page and search for the emails.
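The quarantine search suggested here and in the “Emails not being delivered” section can also be run from Exchange Online PowerShell. The script below is an added example, not ContactMonkey's or Microsoft's own code; the sender address and date window are placeholders an administrator must replace.

```powershell
# Added example: inventory quarantined campaign mail in Exchange Online.
# Requires the ExchangeOnlineManagement module and an administrator session.
Connect-ExchangeOnline

# Placeholder values (assumptions): replace with your campaign sender and window.
$Sender = 'campaigns@example.com'
$Start  = Get-Date '2024-03-14'
$End    = Get-Date '2024-03-20'

# Get-QuarantineMessage returns results in pages; walk every page.
$PageSize = 1000
$Page     = 1
$Messages = @()
do {
    $Batch = @(Get-QuarantineMessage -SenderAddress $Sender `
        -StartReceivedDate $Start -EndReceivedDate $End `
        -PageSize $PageSize -Page $Page)
    $Messages += $Batch
    $Page++
} while ($Batch.Count -eq $PageSize)

# Which verdict and policy caught the campaign, and what is the release state?
$Messages |
    Group-Object Type, PolicyName, ReleaseStatus |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# One row per campaign subject, with the earliest received time, to confirm
# which sends were affected and whether older campaigns are included.
$Messages |
    Group-Object Subject |
    Select-Object Count, Name,
        @{ n = 'FirstReceived'
           e = { ($_.Group | Sort-Object ReceivedTime | Select-Object -First 1).ReceivedTime } } |
    Format-Table -AutoSize

# Dry run of the release: -WhatIf reports what would be released without doing it.
# Remove -WhatIf only after the messages listed above have been reviewed.
$Messages |
    Where-Object { $_.ReleaseStatus -ne 'RELEASED' } |
    ForEach-Object { Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll -WhatIf }
```

A single campaign subject that appears both in the mailbox and in this listing is consistent with the quarantine-and-release behaviour described above rather than a second send.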
Campaign emails from previously successful campaigns are showing up as a new email
In this case, it appears that an email from a previous campaign is being redelivered. However, it is the same issue as “Campaign emails disappearing and reappearing as new emails”; the only difference is that the original email's quarantine/disappearance has not been noticed yet. Customers should check whether the first successfully delivered email (which could have been delivered before March 14) is still in their mailbox.
Office 365 administrators should perform the same investigations suggested in the Campaign emails disappearing and reappearing as new emails section.
What are some changes customers can make now to work around the issue?
Set up a Custom URL
Customers can also explore the longer-term solution of implementing a custom URL for their environment. This will involve implementation by a customer’s IT team.
Adjusting various filters and quarantine policies
As advised above, there are various places customers can make adjustments to fine-tune the security of their environment. A customer’s IT team will need to fine-tune the Microsoft security protocols so the emails will no longer be caught. Administrators should consider reviewing the following:
- Microsoft Preset Security Policies / Microsoft Defender Threat Policies
- Microsoft Zero Hour Auto Purge Policies
- Microsoft Quarantine Settings
- Microsoft Allow/Block URLs for Tenants [for Email at Scale Customers]
- Microsoft Threat Hunting
ContactMonkey uses endpoints to communicate with customers' devices/systems, and these endpoints may need to be added to a customer’s IT policy. Customers who do not already have these endpoints can contact a ContactMonkey representative to obtain this list.
Remove click tracking
While not ideal for customers, the campaign tracking can be adjusted to remove link/click tracking. We have noticed some positive effects from turning off click tracking for campaigns while this issue is currently live and occurring.
What is ContactMonkey planning to do?
ContactMonkey remains closely engaged with Microsoft on the matter. We are actively working on making additional back-end adjustments to lessen the possibility that our emails will be affected by this issue.
Update March 19: Microsoft continues to make unilateral adjustments without communication. These Microsoft adjustments have appeared to help the situation, as emails are no longer blocked for customers. However, we encourage customers to test independently for their environment, as these changes continue without notice.
We recommend customers engage their internal Microsoft Administration teams at this stage to follow the guidance outlined in our Microsoft Defender - Suggested Maintenance Best Practices For Policies.
Customers should also continue to test their campaigns while their Microsoft Administration teams make the abovementioned adjustments.
At this time, ContactMonkey will not be making any immediate changes, as they can potentially be disruptive.