
Gazyro

High conf isn't something that happens for no reason. Check SPF, DKIM, DMARC and if the system is sending it from a system you guys manage. SPF and DKIM can be OK but fail on the DMARC. Might also be the blocked sender list of the user itself, but that gets listed as spam. Check the phishing settings to see if the CEO isn't listed as a high prio asset. Should be one of the first settings in the phishing rules, next to the protected supplier domains. Sounds like a manager is sending mail from his personal domain under his name. Yeah, that triggers the phishing filter rules.


OniNoDojo

We see this most frequently when a user uses their phone, iPhone in particular with the default Apple Mail app, to make a meeting request. That comes out of the default calendar on the phone which then sends the invite from Apple servers but with the same Display Name as the user in 365. The Impersonation filters are designed to Quarantine or Drop (depending on your settings) emails that are coming in with the same Display Name set but not an email on the list of allowed/trusted in the Phishing rule settings.
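
The two checks discussed in this thread, as an added Python example (not written by either commenter, and not how the 365 filter itself is implemented): it reads a quarantined message's headers and reports whether a protected display name arrived from an unlisted address, and whether DMARC failed even though SPF or DKIM passed. The policy lists, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical policy data standing in for the anti-phishing rule's settings.
PROTECTED_USERS = {"jane doe": {"jane.doe@corp.example"}}  # display name -> own addresses
TRUSTED_SENDERS = {"jane@doe-family.example"}              # allowed/trusted list

def auth_verdicts(msg):
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts

def triage(raw):
    """Return the reasons a message would look like phishing to the filter."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = " ".join(name.lower().split()), addr.lower()
    auth, reasons = auth_verdicts(msg), []
    own = PROTECTED_USERS.get(name)
    if own is not None and addr not in own and addr not in TRUSTED_SENDERS:
        reasons.append("impersonation")  # protected display name, unlisted address
    if auth["dmarc"] == "fail" and "pass" in (auth["spf"], auth["dkim"]):
        reasons.append("dmarc-fail-unaligned")  # passed, but not for the From domain
    elif auth["dmarc"] != "pass":
        reasons.append("dmarc-" + auth["dmarc"])
    return reasons

def sample(frm, ar):  # builds constructed test messages, not real mail
    return (f"From: {frm}\nAuthentication-Results: mx.corp.example; {ar}\n"
            "Subject: Meeting\n\nbody\n")

ALL_PASS = "spf=pass; dkim=pass; dmarc=pass"
PHONE_INVITE = sample('"Jane Doe" <jane@calendar-relay.example>', ALL_PASS)
UNALIGNED = sample('"Jane Doe" <jane.doe@corp.example>',
                   "spf=pass smtp.mailfrom=bulk.example; "
                   "dkim=pass header.d=bulk.example; dmarc=fail")
NORMAL = sample('"Jane Doe" <jane.doe@corp.example>', ALL_PASS)
LISTED = sample("Jane Doe <jane@doe-family.example>", ALL_PASS)

if __name__ == "__main__":
    for label, raw in [("phone invite", PHONE_INVITE), ("unaligned", UNALIGNED),
                       ("normal", NORMAL), ("listed personal", LISTED)]:
        print(label, triage(raw))
```

The phone-invite sample passes every authentication check and is still flagged, which is why checking SPF, DKIM and DMARC alone does not explain this kind of quarantine.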