Visibility into Microsoft Defender Verdict and Enforcement

Harmony Email & Collaboration provides visibility into how Microsoft Defender classified an email and which enforcement action it intended to perform on it.

You can view the Microsoft Defender visibility for an email in the Security Stack section of the email profile page.

Note - Microsoft Defender's visibility is available only for incoming and internal emails.

Spam confidence level (SCL)

Microsoft assigns a spam confidence level (SCL) to inbound messages that go through spam filtering and are assigned a spam score. That score is mapped to an individual spam confidence level (SCL) that's added to the email. A higher SCL indicates a message is more likely to be spam.

| SCL Value | Description |
|---|---|
| -1 | The message skipped spam filtering. For example, the message is from a safe sender, was sent to a safe recipient, or is from an email source server on the IP Allow List. |
| 0, 1 | Spam filtering determined the message wasn't spam. |
| 5, 6 | Spam filtering marked the message as spam. |
| 8, 9 | Spam filtering marked the message as high confidence spam. |

For more information, see Spam confidence level (SCL).

Bulk complaint level (BCL)

Microsoft assigns a bulk complaint level (BCL) to inbound messages from bulk mailers. A higher BCL indicates a bulk message is more likely to generate complaints (and is therefore more likely to be spam).

| BCL Value | Description |
|---|---|
| 0 | The message isn't from a bulk sender. |
| 1, 2, 3 | The message is from a bulk sender that generates few complaints. |
| 4, 5, 6, 7* | The message is from a bulk sender that generates a mixed number of complaints. |
| 8, 9 | The message is from a bulk sender that generates a high number of complaints. |

* This is the default threshold value used in anti-spam policies.

For more information, see Bulk complaint level (BCL).

Phishing confidence level (PCL)

The phishing confidence level (PCL) indicates the likelihood that a message is a phishing message based on its content.

| PCL Value | Description |
|---|---|
| 1, 2, 3 | The message content isn't likely to be phishing. |
| 4, 5, 6, 7, 8 | The message content is likely to be phishing. |

For more information, see Phishing confidence level (PCL).
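
As an added example (not part of the original page and not Check Point or Microsoft code), the following Python reads the SCL, BCL and PCL values from a message's headers and labels them with the descriptions from the tables above. The header names are an assumption taken from Microsoft's anti-spam message header format, and the sample message is constructed.

```python
import re
from email import message_from_string

# Value ranges copied from the SCL, BCL and PCL tables on this page.
TABLES = {
    "SCL": {(-1,): "skipped spam filtering", (0, 1): "not spam",
            (5, 6): "spam", (8, 9): "high confidence spam"},
    "BCL": {(0,): "not from a bulk sender", (1, 2, 3): "bulk sender, few complaints",
            (4, 5, 6, 7): "bulk sender, mixed complaints",
            (8, 9): "bulk sender, high complaints"},
    "PCL": {(1, 2, 3): "content not likely phishing",
            (4, 5, 6, 7, 8): "content likely phishing"},
}
# Assumption: header names from Microsoft's anti-spam header format, not from this page.
HEADERS = ("X-Forefront-Antispam-Report", "X-Microsoft-Antispam")
# A field must start the value or follow ';' so "XSCL:9" is not read as SCL.
# \s also absorbs the line breaks of folded headers.
FIELD = re.compile(r"(?:^|;)\s*(SCL|BCL|PCL):\s*(-?\d+)\s*(?=;|$)")
UNKNOWN = "value not described on this page"

def describe(kind, value):
    """Return the table description for a level, or UNKNOWN for unlisted values."""
    for values, text in TABLES[kind].items():
        if value in values:
            return text
    return UNKNOWN

def defender_levels(raw_message):
    """Map each level found in the headers to (value, description)."""
    msg = message_from_string(raw_message)
    found = {}
    for name in HEADERS:
        for header in msg.get_all(name, []):
            for kind, number in FIELD.findall(header):
                found.setdefault(kind, int(number))  # first occurrence wins
    return {kind: (value, describe(kind, value)) for kind, value in found.items()}

# Constructed sample message (documentation IP range, folded header line).
SAMPLE = (
    "From: newsletter@example.com\n"
    "Subject: constructed sample\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:;LANG:en;SCL:5;\n"
    "\tSRV:BULK;SFV:SPM;\n"
    "X-Microsoft-Antispam: BCL:7;\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for kind, (value, text) in defender_levels(SAMPLE).items():
        print(f"{kind}={value}: {text}")
```

Levels that a message does not carry are left out of the result, and values the tables do not list (for example SCL 3) are reported as not described rather than guessed.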

Enforcement Flow

The Enforcement Flow shows the enforcement action taken by Microsoft and Check Point on an email. You can view the Enforcement Flow for an email in the Security Stack section of the email profile page.

Note - The Enforcement Flow does not include manual actions taken on the email.

The Enforcement Flow differs depending on the Protection mode selected in the threat detection policy.

  • Example of an email inspected by a policy in Prevent (Inline) protection mode.

    Microsoft finds the email Clean and intends to deliver it to the user's mailbox; Check Point scans the email, finds it Malicious, and quarantines it before it gets to the user's mailbox since it's inspected by a Prevent (Inline) policy.

    • Microsoft finds the email Clean and intends to deliver it to the user's mailbox. Enforcement: Deliver to Inbox.

    • Check Point scans the email and finds it malicious. Check Point quarantines the email before it gets delivered to the user's mailbox. Enforcement: Quarantine.

  • Example of an email inspected by a policy in Detect & Remediate protection mode.

    • Microsoft finds the email Clean and delivers it to the user's mailbox. Enforcement: Deliver to Inbox.

    • Check Point scans the email and finds it malicious. Check Point pulls the email from the user's mailbox and quarantines it. Enforcement: Quarantine.

  • Example of an email inspected by a policy in Detect protection mode.

    • Microsoft finds the email Clean and delivers it to the user's mailbox. Enforcement: Deliver to Inbox.

    • Check Point only scans the email and does not perform any enforcement as the policy protection is in Detect mode. Enforcement: Deliver to Inbox (Monitoring).

  • Example of an email when Harmony Email & Collaboration is configured to automatically restore emails quarantined by Microsoft 365 for being High Confidence Phishing, and Check Point classifies the email as Clean.

    • Microsoft finds the email High Confidence Phishing and quarantines it.

    • Check Point scans the email and finds it clean. Check Point restores the email to the user's inbox.

    For information about how to configure Harmony Email & Collaboration to automatically restore emails quarantined by Microsoft 365 for being High Confidence Phishing, see Overriding Microsoft High-Confidence Phishing False Positives.