Phishing/Junk User Submissions to MS dropped by Transport Agent

Question

Phishing/Junk User Submissions to MS dropped by Transport Agent

EDB 20

I use outlook web app. When spam/phish gets through, I use the 'Report Phishing' or 'Report Junk' feature within the web app, on the surface looks like it works. HOWEVER in Exchange Admin Mail Trace, I can see that these reports from to me junk@ or phishing@ office365.microsoft.com all Fail! The reason is always the same: Reason: [{LED=550 4.3.2 QUEUE.TransportAgent; message deleted by transport agent: [Name=Antispam Feedback Processing Agent][AGT=AFP][MxId=11BB897D5BAC9793]};{MSG=};{FQDN=};{IP=};{LRT=}]

So the spam I'm trying to report to MS using their built-in feature is being flagged as spam??? How do I get around this?

Alexis-NG 2,425 Reputation points Microsoft External Staff Moderator

2025-07-19T23:16:01.85+00:00

Hi EDB,
I just wanted to check in and ask for a quick update on the progress of your situation. I'd love to be informed of any developments. If there’s anything else you need or if you have any questions, please don’t hesitate to reach out

I’m here to help!

Sincerely,

Alexis-NG - Microsoft Support Specialist
EDB 20 Reputation points

2025-07-21T17:03:56.5933333+00:00

Hi, Thank you for the response. I did #1 on your list (set junk@ and phish@ to bypass) but that did not resolve problem, message delivery still failing. Re #2, is there a quick/easy way to add all the ips? or do I have to do a DNS record lookup foroffice365.microsoft.com and just whitelist everything that comes up?
Alexis-NG 2,425 Reputation points Microsoft External Staff Moderator

2025-07-21T20:33:27.5433333+00:00
Hi EDB,
Thank you for your prompt response.

At this point, you've already configured a transport rule to bypass spam filtering by setting the Spam Confidence Level (SCL) accordingly.

You've correctly created a transport rule in the Exchange Admin Center:

Condition: If recipient is ******@office365.microsoft.com or ******@office365.microsoft.com

Action: Set SCL to -1 (bypass spam filtering)

This is a recommended initial step to prevent the AFP agent from intercepting feedback submissions. However, even with a transport rule in place, messages may still be blocked under the following conditions:

The IP addresses associated with Microsoft’s feedback system are not whitelisted.

Aggressive spam filtering policies are enabled, such as Advanced Spam Filter (ASF) settings, which override transport rules

The domain or IP reputation is temporarily degraded due to false positives or misclassification

To simplify the IP whitelisting process, manual DNS lookups are not necessary. Instead, you can utilize the Connection Filter Policy available in the Exchange Admin Center for a more efficient configuration.

Option 1: Use the Connection Filter Policy

Go to Exchange Admin Center → Protection → Connection Filter.

Select your policy and click Edit.

Under IP Allow List, add the IP addresses or ranges associated with Microsoft’s feedback system

Option 2: Use Microsoft Defender Portal

Visit Microsoft Defender Portal.

Navigate to Email & Collaboration → Policies & Rules → Threat Policies → Tenant Allow/Block List.

Add IPv4 or IPv6 addresses associated with Microsoft feedback endpoints

Please note: IPv4 ranges are supported directly within the Connection Filter Policy. However, IPv6 ranges must be added through the Tenant Allow/Block List.

Refer to: Allow or block IPv6 addresses using the Tenant Allow/Block List - Microsoft Defender for Office 365 | Microsoft Learn

Furthermore, I have to remind you Microsoft strongly recommends against permanently bypassing spam filters or whitelisting widely used domains such as microsoft.com or office.com. Doing so can increase your tenant’s vulnerability to threats. These configurations should only be applied temporarily and exclusively for verified feedback channels to maintain a secure environment.

Accepted answer

0 additional answers

Your answer

Alexis-NG 2,425 Reputation points Microsoft External Staff Moderator

2025-07-19T23:16:01.85+00:00

Hi EDB,
I just wanted to check in and ask for a quick update on the progress of your situation. I'd love to be informed of any developments. If there’s anything else you need or if you have any questions, please don’t hesitate to reach out

I’m here to help!

Sincerely,

Alexis-NG - Microsoft Support Specialist
EDB 20 Reputation points

2025-07-21T17:03:56.5933333+00:00

Hi, Thank you for the response. I did #1 on your list (set junk@ and phish@ to bypass) but that did not resolve problem, message delivery still failing. Re #2, is there a quick/easy way to add all the ips? or do I have to do a DNS record lookup foroffice365.microsoft.com and just whitelist everything that comes up?

Answer 1

Hi EDB ,

Thanks for reaching out to the Q&A Forum.

Based on your query,You're encountering an issue where spam or phishing reports submitted via Outlook Web App are being dropped by the Exchange transport agent, specifically the Antispam Feedback Processing Agent (AFP).

The error message:

Reason: [{LED=550 4.3.2 QUEUE.TransportAgent; message deleted by transport agent: [Name=Antispam Feedback Processing Agent][AGT=AFP]}]

indicates that the AFP agent is intercepting and deleting the report emails before they reach Microsoft’s feedback addresses (e.g., ******@office365.microsoft.com, ******@office365.microsoft.com)

This behavior is part of Exchange Online Protection (EOP), where certain content filtering policies or spam rules may mistakenly classify your report submissions themselves as spam, leading to their deletion

Bypass Spam Filters for Feedback Addresses

Create a transport rule in Exchange Admin Center to bypass spam filtering for emails sent to Microsoft’s feedback addresses. This can help ensure that your reports are not intercepted by the AFP agent.

Rule condition: If recipient is ******@office365.microsoft.com or ******@office365.microsoft.com
Action: Set spam confidence level (SCL) to -1 (bypass spam filtering)

Whitelist Domains and IPs

Ensure that the domains and IPs associated with Microsoft’s feedback system are whitelisted in your tenant. This reduces the chance of false positives by the spam filter

Use Safe Sender Lists

Add Microsoft’s feedback domains to your safe sender list. This can be configured in the Spam Filter Policy settings in EOP

Review and Adjust Spam Policies

Check your spam policy configuration in the Exchange Admin Center. You may need to adjust thresholds or disable aggressive filtering rules that are causing legitimate reports to be dropped

Submit via Alternate Channels

If the built-in reporting tools continue to fail, consider submitting samples directly through the Microsoft Security Intelligence portal or using the MSA Ask a Question Teams channel if available internally

Please let me know if you have any questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Share via

Phishing/Junk User Submissions to MS dropped by Transport Agent

0 additional answers

Your answer