Email Verdicts
This article explains email verdicts shown in the Live Email Tracker and Policy pages.
Threat verdicts
Verdict | What the verdict means | How to bypass |
|---|---|---|
IMPERSONATION | Email contains Business Email Compromise indicators and sender information matches or is similar to an internal user. For more information on registering users and impersonation detection, please see this article. | Allow rule |
MALWARE | The email contains malicious content such as a URL or attachment. | Custom rule |
PHISHING | The email contains content such as a URL or attachment that is considered phishing. | Custom rule |
Spam verdicts
Verdict | What the verdict means | How to bypass |
|---|---|---|
SPAM-LIKELY | The email has received a spam score of 6.25-9.00 | Allow rule |
SPAM-HIGH | The email has received a spam score of 9.00-18.00 | Allow rule |
SPAM-DEFINITE | The email has received a spam score of 18.00+ | Allow rule |
Policy based verdicts
Verdict | What the verdict means | How to bypass |
|---|---|---|
INFOMAIL | The email contains an unsubscribe link and/or advertising, marketing, newsletter type content. Tip: Many transactional emails contain unsubscribe links and will be quarantined if your policy is configured to quarantine Infomail. | Remove from policy / Allow rule |
POLICY - ATTACHMENT/ BANNED | Email contains an attachment which is banned by policy. For trusted senders, a custom rule can be created to bypass this policy check. Tip: Allow rules DO NOT bypass this verdict. To bypass the banned verdict, you must create a custom rule or remove the attachment type from the policy option. | Remove from policy / Custom rule |
POLICY-GEO | Email originates from a country OR envelope-from top-level-domain (TLD) that has been blocked by policy. Tip: Allow rules DO NOT bypass this verdict. To bypass the policy-geo verdict, you must create a custom rule or remove country from the policy option. | Remove from policy / Custom rule |
Additional verdicts
Verdict | What the verdict means | How to bypass |
|---|---|---|
CLEAN | Email has been scanned and given a clean verdict. | n/a |
THREAT-SCANNING | This is a temporary verdict indicating the emails is currently undergoing sandbox analysis. Once complete, the verdict will be automatically updated. | n/a |
Microsoft Defender verdicts
If using Mesh 365 or Mesh Unified, the Live Email Tracker will display the verdict given by Microsoft Defender. The verdicts are informational and do not require an allow rule to bypass.
Note
The Mesh filtering engine and Microsoft Defender are independent systems - meaning verdicts will not be one-to-one. Because of this, a Microsoft Defender spam verdict does not guarantee a Mesh spam verdict.
Verdict | Verdict meaning | Bypass method |
|---|---|---|
MS365-BULK | Microsoft Defender has given the email a bulk verdict. | N/A |
MS365-SPAM | Microsoft Defender has given the email a spam verdict. | N/A |
MS365-IMPERSONATION | Microsoft Defender has given the email an impersonation verdict. | N/A |
MS365-MALWARE | Microsoft Defender has given the email a malware verdict. | N/A |
MS365-PHISHING | Microsoft Defender has given the email a phishing verdict. | N/A |