| Reject, delete, quarantine, moderation | Legitimate business mail is blocked, hidden, expired, or delayed; NDR/reason is unclear; owner/approver unavailable; broad condition applies tenant-wide. | Business owner, security, messaging, legal/compliance where applicable; exact condition/exception and user experience; quarantine/approver operations. | Expected block, expected allow, internal/external directions, multiple recipients, replies/forwards, app senders, groups, aliases, attachments, encrypted cases, failure notification. | Disable or revert the exact rule; restore prior priority/properties; release/trace affected mail under the relevant runbook; validate both previously blocked and allowed cases. |
| Redirect, add recipient, Bcc, forwarding/routing | Disclosure to unintended recipient, mail loop, broken trace continuity, duplicated delivery, regulatory/journaling conflict, application workflow failure. | Data owner/privacy/legal, routing architecture, connectors/domains, recipient rewriting, loop prevention, external sharing, retention/eDiscovery implications. | Every source/destination direction, multi-recipient forks, redirected identity, loop headers, connector route, downstream archive/journal, trace by original and new recipient. | Disable/revert, remove unintended recipient path, stop loop, trace before/after rewrite, contain disclosures, notify incident/privacy owners where required. |
| SCL, filtering bypass, trusted header | Spam/phishing protection weakened, spoofable marker trusted, malware/high-confidence threat assumption is wrong, preset/secure-by-default behavior misunderstood. | Email-security owner; authentication, connector, enhanced filtering, Tenant Allow/Block List, Advanced Delivery and anti-spam design; spoof-resistance of any header. | Known-good and known-bad samples, spoofed header, external/untrusted source, authenticated application path, phishing/malware, bulk, quarantine and message headers. | Disable/revert bypass, remove trusted marker, contain delivered threats, use supported narrow exception path, tune anti-spam/Defender/connector root cause. |
| Header, subject, disclaimer, classification | Repeated disclaimers/prefixes, broken signatures or DKIM downstream, spoofable classification, excessive size, inaccessible content, localization failure. | Communications/legal/security, message format, unique-marker exception, replies/forwards, signed/encrypted mail, external gateway behavior and accessibility. | HTML/plain/RTF, replies/forwards, messages already containing marker, encrypted/signed, internal/external, mobile clients, localization and downstream signing. | Disable/revert; restore prior marker/exception; monitor duplicate artifacts; retest representative formats and downstream authentication. |
| Encryption, rights protection, decryption | Sensitive content exposed, legitimate recipient cannot open, automation fails, unsupported encrypted content is misclassified, compliance policy conflicts. | Security, privacy/legal/compliance, Purview owners, recipient/client/application compatibility, transport-decryption authority and protected-content scope. | Internal/external recipients, guests, multiple clients, mobile, automation, S/MIME, Microsoft Purview encryption, protected attachments, reply/forward, audit/retention. | Disable/revert under incident oversight; preserve affected samples; restore prior protection route; notify data owner; validate access and confidentiality. |
| Priority or StopRuleProcessing | Lower rules no longer run, header/encryption/order dependency reverses, duplicate actions occur, previously protected exceptions become reachable. | Full ordered collection and dependency graph, neighboring rules, all overlapping message populations, security/DLP/journal/routing owners. | Messages matching new rule only, neighboring rule only, both, neither, every protected exception, forked recipients, and downstream action evidence. | Restore exact previous priority and stop-processing value; wait for propagation; rerun interaction corpus and compare trace events. |
| Regex, words, groups, directory attributes | False positives/negatives, catastrophic backtracking or excessive evaluation, stale membership/attributes, primary-address mismatch, Unicode/encoding surprise. | Pattern test corpus, data/identity owner, directory source, group type/membership, normalization, boundary/escaping, performance and evasion review. | True/false/boundary values, case/spacing/Unicode, long content, nested/empty attributes, aliases, primary addresses, guests, dynamic membership latency and evasion strings. | Disable/revert expression or membership predicate; restore prior values; inspect affected messages; fix source attribute/group or split OR logic into separate rules. |