Microsoft 365 (Outlook) - Messages Flagged with a "This sender failed our fraud detection checks and may not be who they appear to be." Message
Users may see more messages flagged as failing fraud detection checks. The anti-spam service checks the headers of each message to verify that the "From" field matches where the message originated.
Spoofing is one of the common tactics of spammers, and spammers are becoming more creative in their messages. As a result, many email domains are choosing either to block these messages more aggressively or to flag them for their users, in the hope that the user will stop and think, or confirm a message, before clicking a link in it.
For instance, if you use an outside vendor to send email with a From address of @uwm.edu, the recipients may get the below message across the top of their email:
PantherList emails are also frequently tagged with this message because the sender is using their email account as the From field. However, PantherList emails will say From: "firstname.lastname@example.org", which the anti-spam service thinks is spoofing the From field.
- Jane sends a message to email@example.com from Jane@gmail.com
- PantherList asks Jane to confirm that she sent the message.
- Jane says yes/ok.
- PantherList sends Jane's message to the firstname.lastname@example.org PantherList on behalf of Jane.
- Jane's email gets delivered to her inbox and to the inbox of the other test-list subscribers.
Jane sees the failed fraud detection message because the email she received contains hidden information, referred to as message headers. The message header shows that the message originated from Jane@gmail.com using an email server for @gmail.com. But the message header also shows that the PantherList server sent the message from @uwm.edu. @uwm.edu is not part of the @gmail.com email servers, so Jane's spoofing check says that the message failed the fraud detection test (@gmail.com and @uwm.edu do not match, nor do they trust each other).
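The header comparison described above can be reproduced on a saved message. The following is an added example, not Microsoft's implementation or code from this article: it assumes the receiving server recorded its SPF/DKIM results in an Authentication-Results header, uses constructed sample headers (mx.example.net and the list address are made up), and compares domains by exact match only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the list server at uwm.edu relays Jane's @gmail.com message.
RELAYED = """\
Return-Path: <test-list-bounces@uwm.edu>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=uwm.edu; dkim=none
From: Jane <Jane@gmail.com>
To: test-list@uwm.edu
Subject: hello

body
"""

# Constructed sample: the same message sent directly through gmail.com servers.
DIRECT = """\
Return-Path: <Jane@gmail.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com
From: Jane <Jane@gmail.com>
To: friend@example.net
Subject: hello

body
"""

PASS_RE = re.compile(
    r"(?:spf|dkim)=pass\s+(?:\([^)]*\)\s+)?(?:smtp\.mailfrom|header\.d)=([^\s;]+)")

def domain_of(addr):
    """Lower-cased domain part of an address or a 'Name <addr>' header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def authenticated_domains(msg):
    """Domains that passed SPF or DKIM according to Authentication-Results."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        for match in PASS_RE.finditer(value):
            found.add(match.group(1).rpartition("@")[2].lower())
    return found

def check_from(raw):
    """Flag the message when no authenticated domain equals the From domain."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    auth = authenticated_domains(msg)
    return {"from": from_domain, "authenticated": sorted(auth),
            "flag": from_domain not in auth}
```

The relayed sample is flagged because the only authenticated domain is uwm.edu while the From field says gmail.com; the direct sample is not.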
We were able to fix this error for PantherList senders and recipients within the @uwm.edu domain by having our server admins make certain changes to allow it. Unfortunately, for senders and recipients outside @uwm.edu, there is nothing we can do to prevent this warning.
For further information see: https://blogs.msdn.microsoft.com/tzink/2016/02/23/how-antispoofing-protection-works-in-office-365/