| Likely false positive in quarantine | Keep quarantined until sender, business purpose, URLs, attachments, authentication, message history, policy hits, and related recipients are reviewed. Escalate time-sensitive business impact. | Submit the original item as clean from quarantine or an admin submission path; capture the submission ID and internal rationale. | Release only intended recipients. If required, create the narrowest temporary allow during supported submission, then fix the policy, sender authentication, connector, content, or block entry that caused the issue. | Delivered item is safe and usable; similar legitimate mail is validated; temporary entry has owner/expiration; root cause and user notice are recorded. |
| Likely false negative / reported phishing | Do not merely delete the reporter’s copy. Identify similar deliveries, contain or purge when authorized, block appropriate indicators, investigate clicks/replies/credentials/files, and escalate an incident when warranted. | Submit the original email, URL, or attachment as spam/phish/malware; preserve headers, IDs, hashes, recipient scope, detection gap, and user actions. | Use appropriately scoped Tenant Allow/Block List blocks, policy changes, sender/domain controls, Safe Links/Safe Attachments tuning, identity or endpoint containment, and user protection. | All known copies and affected users are addressed; indicators are controlled; Microsoft/internal verdicts and remediation are recorded; recurrence test passes. |
| User marked legitimate mail as junk or phishing | Validate the item independently; a user’s “not junk” decision is context, not proof. Check whether the message is bulk, graymail, spoofed, compromised-vendor mail, or a policy violation. | Review the User reported entry and submit/resubmit only when Microsoft analysis is needed or the original verdict is disputed. | Provide user feedback, adjust personal or organizational handling only where justified, and avoid tenant-wide sender/domain bypass for a single preference. | User receives a clear disposition; no unsafe broad allow is created; recurring classification issues have a named owner. |
| URL or attachment verdict dispute | Use isolated analysis and existing security evidence; do not open or execute a suspicious item on a production workstation. Consider delivery-time and click-time verdict changes. | Submit the exact URL or file/attachment through the supported submission path and record hash, source message, recipients, detonation/reputation evidence, and business owner. | Use a time-bound URL/file allow only after confirmed-clean review; use a block for a confirmed threat. Review Safe Links, Safe Attachments, endpoint, browser, and application controls. | Exact entity and variants are tested; override is removed or expires; the protected channel behaves correctly; evidence is retained. |
| Recurring sender or vendor problem | Separate “business critical” from “technically trustworthy.” Look for compromised accounts, forwarding changes, new platforms, shared infrastructure, authentication failures, and content/URL patterns. | Correlate multiple cases, headers, authentication alignment, sending IPs, policy hits, Microsoft results, vendor change records, and known-good baselines. | Require sender-side SPF/DKIM/DMARC, platform, link, attachment, or list-hygiene repair; correct connectors and rules. Use only a narrow, approved bridge if business continuity requires it. | Sender fixes are independently validated; repeated exceptions decline; any bridge is removed; vendor and internal records are updated. |
| Inconclusive or high-impact dispute | Apply the safer temporary state: quarantine/suspend action for threats, or controlled alternate delivery for critical legitimate business processes. Engage the incident, legal, privacy, finance, clinical, or executive owner as appropriate. | Preserve chain of custody, request peer review, submit to Microsoft, correlate Defender, Exchange, identity, endpoint, application, and business evidence. | No permanent exception. Use documented compensating controls, strict scope, short expiration, enhanced monitoring, and explicit approval. | Independent decision, business acceptance, technical validation, and any compensating-control retirement are documented. |