Exchange Online Protection (EOP) begins quarantining legitimate business emails from a major client after a policy update. The mail flow disruption goes unnoticed for 6 hours until the client calls to complain about unanswered communications.
Pattern: EXCHANGE_EVENT
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands

Test Results

Metric | Expected | Actual
Pattern Recognition | EXCHANGE_EVENT | EXCHANGE_EVENT
Severity Assessment | CRITICAL | CRITICAL
Incident Correlation | Yes | 6 linked
Cascade Escalation | N/A | No
Remediation | — | Remote Hands (Corax contacts on-site support via call, email, or API)
Scenario Conditions
Microsoft 365 with Exchange Online Protection. Transport rule updated to quarantine emails with certain attachment types. Client sends proposals as .zip attachments. 47 emails quarantined in 6 hours. No quarantine notification configured for end users.
Injected Error Messages (1)
Exchange Online Protection blocking legitimate email — mail flow disrupted for client domain partner.com, 47 emails quarantined by transport rule in 6 hours, exchange quarantine policy catching .zip attachments from trusted sender, mail flow trace showing all messages from partner.com being quarantined, no end-user notification configured, exchange message queue growing for partner.com domain
Neural Engine Root Cause Analysis
Exchange Online Protection (EOP) transport rule is incorrectly quarantining legitimate emails from partner.com domain, specifically targeting .zip attachments from trusted senders. The quarantine policy configuration is overly restrictive and lacks proper sender whitelisting, resulting in 47 legitimate emails being quarantined in 6 hours. This is a configuration issue with the EOP transport rules rather than a technical system failure, causing mail flow disruption for the entire partner domain.
Remediation Plan
1. Immediately review and modify the Exchange transport rule that is quarantining emails from the partner.com domain.
2. Create or update the sender whitelist to include the partner.com domain for .zip attachments.
3. Release the 47 quarantined emails from the Exchange quarantine.
4. Configure end-user notifications for future quarantine events to prevent silent failures.
5. Test mail flow from partner.com to ensure proper delivery.
6. Review and adjust quarantine policies to balance security with legitimate business communication needs.
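The following PowerShell walk-through of steps 1 through 5 is an added example written for this page; it is not code from the scenario or from the Corax product. It assumes the ExchangeOnlineManagement module and Exchange Administrator rights, takes the partner.com domain and the 6-hour window from the scenario, and, because the rule name is not given, locates the rule by its attributes (enabled, quarantine action, .zip in the attachment-extension condition). Step 2 is implemented as a sender-domain exception on the rule rather than a separate whitelist. The notification step is reduced to a read-only inventory of quarantine policies: messages quarantined by mail flow rules use the quarantine policy Microsoft assigns to that action, and whether end-user notifications apply to them is an assumption to verify against current documentation before relying on it.

```powershell
# Added example (not from the page or the Corax product): triage and remediation
# of a mail flow rule that quarantines .zip attachments from a trusted partner.
# Assumptions: ExchangeOnlineManagement module, Exchange Administrator rights,
# partner domain and 6-hour window taken from the scenario, rule name unknown.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$PartnerDomain = 'partner.com'
$Since         = (Get-Date).AddHours(-6)
$Now           = Get-Date

# Step 1: find enabled mail flow rules whose action is quarantine and whose
# attachment-extension condition matches "zip" (with or without the dot).
function Find-ZipQuarantineRule {
    Get-TransportRule | Where-Object {
        $_.State -eq 'Enabled' -and
        $_.Quarantine -eq $true -and
        ($_.AttachmentExtensionMatchesWords | Where-Object { $_ -match '^\.?zip$' })
    }
}

# Step 2: add the partner domain as a sender-domain exception on the rule.
# Set-TransportRule replaces a multivalued parameter instead of appending to it,
# so the existing exception list is merged with the new domain first.
# Pass -WhatIf to preview the change without applying it.
function Add-SenderDomainException {
    param(
        [Parameter(Mandatory)] $Rule,
        [Parameter(Mandatory)] [string] $Domain,
        [switch] $WhatIf
    )
    $existing = @($Rule.ExceptIfSenderDomainIs)
    if ($existing -contains $Domain) { return }
    Set-TransportRule -Identity $Rule.Identity `
        -ExceptIfSenderDomainIs ($existing + $Domain) -WhatIf:$WhatIf
}

# Step 3: release inbound messages that a mail flow rule quarantined from the
# partner domain during the window, to every original recipient.
function Release-PartnerQuarantine {
    param([string] $Domain, [datetime] $Start, [datetime] $End)
    Get-QuarantineMessage -QuarantineTypes TransportRule -Direction Inbound `
        -StartReceivedDate $Start -EndReceivedDate $End -PageSize 1000 |
        Where-Object { $_.SenderAddress -like "*@$Domain" } |
        Release-QuarantineMessage -ReleaseToAll
}

# Step 4 (read-only): list quarantine policies and whether end-user
# notifications (ESN) are enabled, so the silent-failure gap is visible.
function Get-QuarantineNotificationState {
    Get-QuarantinePolicy | Select-Object Name, ESNEnabled
}

# Step 5: summarize message trace status for the partner domain over the window.
# A healthy result after remediation shows Delivered rather than Quarantined.
function Get-PartnerTraceSummary {
    param([string] $Domain, [datetime] $Start, [datetime] $End)
    Get-MessageTrace -StartDate $Start -EndDate $End -PageSize 5000 |
        Where-Object { $_.SenderAddress -like "*@$Domain" } |
        Group-Object Status | Select-Object Name, Count
}

# Run in order; remove -WhatIf once the rule change has been reviewed.
$rules = Find-ZipQuarantineRule
foreach ($rule in $rules) {
    Add-SenderDomainException -Rule $rule -Domain $PartnerDomain -WhatIf
}
Release-PartnerQuarantine -Domain $PartnerDomain -Start $Since -End $Now
Get-QuarantineNotificationState
Get-PartnerTraceSummary -Domain $PartnerDomain -Start $Since -End $Now
```

Run the rule change with -WhatIf first and compare the printed exception list against the rule's current one; the release step is safe to run once the rule has been corrected, otherwise messages re-sent by the partner will be quarantined again. The trace summary is the acceptance check for step 5: rerun it after the partner resends and confirm the Quarantined count stops growing.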