Issue:
Let's say person A (who uses Microsoft 365) sends an email to person B on any other server. The e-mail address used is wrong or no longer exists, and the server sends back a response saying that the message couldn’t be delivered. This notice contains the IP address of the responding server, which our system classifies as malicious. So the non-delivery notice now goes to quarantine, and the user neither knows that the message wasn’t delivered nor receives any notification. Is this the way it should work, or is this an issue?
Resolution:
In terms of product behavior, detected emails are handled according to the action configured in the policy on the Collaboration Protection portal, where the default action is to move the item into quarantine. It is possible to change this to another action, such as "Change Subject and unlink URLs", by going to the "Exchange" tab > "URL Scanning" > "Malicious URL" > "If a malicious URL is detected, the system will take the following action:" and selecting the desired action from the list.
As for the concern that users/recipients are not aware of the quarantined email, this can be avoided by enabling the "Notify the user about detections with the following severities:" setting, located in the same place as the action setting above. Please refer to the attached screenshot for more details.
Article no: 000043484