The system currently uses mail flow rules to manage mail flow with Microsoft 365, which means all emails from the Internet must first be filtered through the gateways before being routed to Microsoft 365.
When using the mail flow rules method, all emails are assigned a Spam Confidence Level (SCL) of -1. This ensures that emails relayed through our gateways are delivered to the user's inbox and not placed in the junk mail folder or the hosted quarantine.
Any blocked senders that a user has configured will still have their emails placed in the junk mail folder, even if we have set the SCL to -1 using the mail flow rule.
Customers using the mail flow rule method may receive ETR (Exchange Transport Rule) override alerts from Microsoft.
The "Phish delivered due to an ETR override" alert is generated by Microsoft when it identifies an email as a potential phishing attempt and would have placed it in the junk folder, but did not take that action because of the mail flow rule.
Follow the instructions below to disable ETR alerts:
Microsoft Purview Compliance Portal
Log in to the compliance portal at https://compliance.microsoft.com, then select Policies > Alerts > Alert policies.
Microsoft 365 Defender Portal
Log in to the Microsoft 365 Defender portal at https://security.microsoft.com, and under Email & collaboration, select Policies & rules > Alert policy. You can also go directly to https://security.microsoft.com/alertpolicies.
Search for "ETR" and click on "Phish delivered due to an ETR override" to edit it.
Then disable the setting.
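With the alert disabled, the SCL -1 mail flow rule is what decides which mail skips junk filtering, so it helps to confirm which enabled rules set SCL -1 and whether each is limited to the gateway addresses. The following is an added example, not part of the original article: the function name `Find-UnscopedSclBypass` and the sample rules are hypothetical, and it assumes the gateway rule is scoped with a sender IP range condition.

```powershell
# Added example: list enabled mail flow rules that set SCL -1 and mark
# those that have no sender IP range condition.
function Find-UnscopedSclBypass {
    [CmdletBinding()]
    param(
        # Rule objects as returned by Get-TransportRule
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        # Compare as text so the check works whether SetSCL is an int or a wrapped value
        if ("$($Rule.SetSCL)" -ne '-1') { return }
        if ($Rule.State -ne 'Enabled') { return }

        # Drop null/empty entries so an unset property counts as "no condition"
        $ranges = @($Rule.SenderIpRanges | Where-Object { $_ })

        [pscustomobject]@{
            Name           = $Rule.Name
            Priority       = $Rule.Priority
            SenderIpRanges = $ranges -join ', '
            Unscoped       = ($ranges.Count -eq 0)
        }
    }
}

# Constructed sample rules (not real tenant data); 192.0.2.0/24 is a documentation range
$sampleRules = @(
    [pscustomobject]@{ Name = 'Gateway SCL bypass'; State = 'Enabled';  Priority = 0
                       SetSCL = -1;    SenderIpRanges = @('192.0.2.0/24') }
    [pscustomobject]@{ Name = 'Legacy bypass';      State = 'Enabled';  Priority = 1
                       SetSCL = -1;    SenderIpRanges = $null }
    [pscustomobject]@{ Name = 'Old test rule';      State = 'Disabled'; Priority = 2
                       SetSCL = -1;    SenderIpRanges = $null }
    [pscustomobject]@{ Name = 'Add disclaimer';     State = 'Enabled';  Priority = 3
                       SetSCL = $null; SenderIpRanges = $null }
)

# Only the two enabled SCL -1 rules are reported; 'Legacy bypass' is marked Unscoped
$sampleRules | Find-UnscopedSclBypass | Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline:
# Get-TransportRule | Find-UnscopedSclBypass
```

A rule reported with `Unscoped` set to `True` may still be limited by another condition, such as a message header, so review its full definition before changing it.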