We are considering increasing the phishing threshold within Defender for Office Anti-Phishing policies, but we want to get a good understanding of how many emails this will effect when we do. I tried looking at the EmailEvents table within defender to see how many had a phishing confidence of medium, but it appears those readouts are now limited to "Normal" and "High". Is there any way to get a more granular breakdown of phishing confidence levels for emails so we can better understand the effect of have a more strict phishing policy? Thank you,

Hi, @ George Zerphey Unfortunately, Exchange Online environments are not currently able to see PCL scores with refined scores, and the focus has shifted more to phishing threshold levels. In order to implement a more stringent phishing policy, you can try the following suggestions: 1.If your email platform supports custom filtering rules, you can fine-tune these settings to adjust the sensitivity of your phishing filters. This may include setting different thresholds for various phishing indicators. 2.Conduct regular audits and phishing simulation tests within your organization. This helps to evaluate the effectiveness of your phishing strategy and to understand the level of confidence in catching real threats. 3.Encourage users to report suspicious phishing emails. The data reported by these users can then be analyzed to see how often they are correctly identified at different confidence levels. If the answer is helpful, please click " Accept Answer " and kindly upvote it. If you have extra questions about this answer, please click " Comment ".

Phishing Confidence - Microsoft Q&A

Accepted answer

Xintao Qiao-MSFT 5,630 Reputation points Microsoft Vendor

2025-01-03T06:18:07.18+00:00

Hi, @George Zerphey

Unfortunately, Exchange Online environments are not currently able to see PCL scores with refined scores, and the focus has shifted more to phishing threshold levels.

In order to implement a more stringent phishing policy, you can try the following suggestions:

1.If your email platform supports custom filtering rules, you can fine-tune these settings to adjust the sensitivity of your phishing filters. This may include setting different thresholds for various phishing indicators.

2.Conduct regular audits and phishing simulation tests within your organization. This helps to evaluate the effectiveness of your phishing strategy and to understand the level of confidence in catching real threats.

3.Encourage users to report suspicious phishing emails. The data reported by these users can then be analyzed to see how often they are correctly identified at different confidence levels.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Please sign in to rate this answer.
George Zerphey 176 Reputation points

2025-01-03T14:06:35.1566667+00:00

If i can say so, this is disappointing to hear. Its really hard to understand the business impact without being able to see the data within the system. PCL is calculated. If that and SCL could be added to EmailEvents I'm sure I'm not the only one who would appreciate it.

Thank you for the response.

George Zerphey 176 Reputation points

2025-01-03T16:09:51.8966667+00:00

Can you dig into #3 a little bit more? If we cannot see the PCL how can we tell if the user reported emails are being categorized correctly? I dont want to assume a 100% hit rate by our users and assume that all user reported email should be High phishing.

I would like to see if they are reporting low confidence or medium confidence emails that are not being caught by the system. Is there a way to do this at all?

Xintao Qiao-MSFT 5,630 Reputation points Microsoft Vendor

2025-01-06T08:52:15.28+00:00

Hi, @George Zerphey

It may be a bit difficult to try to implement this feature.

Can you see the markup in the message header as shown below: X-MS-Exchange-Organization-PCL:<status>

You can also refer to the SCL values, and while this is more spam related, understanding these its workings can provide some context for PCL.

From a user perspective, implement easy-to-use reporting mechanisms, such as dedicated buttons or simple forms in your email client, so that users can quickly report suspicious emails. Collect and analyze data from user-reported emails. Evaluate the accuracy of user reports by comparing them to actual phishing incidents identified by the cybersecurity team. Through similar steps, continually try to modify the anti-phishing email policy to achieve the best fit for the organization.

George Zerphey 176 Reputation points

2025-01-06T15:53:50.84+00:00

Thank you for your reply @Xintao Qiao-MSFT

I have looked at a few headers of emails users reported and I see X-MS-Exchange-Organization-SCL but I dont see the PCL version. Is there a reason this would be missing or has the name changed at some point?

Xintao Qiao-MSFT 5,630 Reputation points Microsoft Vendor

2025-01-07T03:29:40.25+00:00

Hi, @George Zerphey

After my previous testing, this parameter is no longer viewable in the header (Microsoft's documentation may not be up to date, this may be a legacy issue), see View antispam stamps in Outlook | Microsoft Learn

There is no up-to-date documentation from Microsoft informing users how to view this value. There have been suggestions that this value may be merged with SCL.

George Zerphey 176 Reputation points

2025-01-07T13:26:17.7633333+00:00

Thats what i suspected. Thank you
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Phishing Confidence

0 additional answers

Your answer