This is an automated archive.
The original was posted on /r/sysadmin by /u/-dumbtube- on 2024-01-20 19:21:41+00:00.
I've been trying to wrap my head around this issue for about a month now. Our quarantine folder gets around 200-500 hits a day from emails sent to/from this domain, since employees in China use the Chinese domain name to email employees in the US.
I've tried allow-listing the domain in O365 Defender and creating mail flow rules in Exchange Online but no dice. I contacted Microsoft about it but they don't offer any useful advice.
Exchange Mail Flow Rules
When the emails are viewed in quarantine they get marked as "DMARC Spoofing" which I don't understand, since our Chinese domain has proper DMARC setup. At least that's what MXToolbox says. It appears that both the primary and secondary MX records are present in the "UCEPROTECTL3" blacklist, but this is likely just due to qq.com.
I've been considering pretending that the domain is a phishing simulation domain like KnowBe4 to bypass Defender like in this article but i'm unsure where to even start, since qq.com is such a massive email provider.
Any help or advice would be much appreciated.