ACSC Logo
© 2026 GEMXIT
GEMXIT Logo
Microsoft 365 • Phishing • Exchange Online

The Missing Click

A real-world phishing issue where Microsoft 365 protections appeared to be in place, but a disabled Exchange transport rule meant the control was never actually doing anything. A reminder that security is not just about configuration — it is about verification.

Discuss your environment Back to briefings
Agent Foskett The Missing Click briefing
Briefing summary

The environment looked protected on paper: block lists, anti-spam settings, transport rules and Microsoft Defender were all present. But phishing emails still landed in inboxes.

Transport rule created
Transport rule disabled
False sense of protection

What happened

A simple oversight quietly undermined the whole control.
The environment looked readyDomains had been added to the Tenant Allow/Block List, Exchange transport rules existed, anti-spam policies were configured and Microsoft Defender was in place.
The issueA critical Exchange transport rule had been built correctly, but was left set to disabled. That meant mail flow enforcement never triggered, even though everyone assumed the protection was active.
Lesson learnedSecurity is not just about deploying controls. It is about validating them, testing them, and continuously verifying that they are operational when needed.
Need a practical Microsoft 365 security review?
GEMXIT helps identify configuration gaps, validate protections and strengthen real-world email security controls.
Contact GEMXIT
ACSC Logo  GEMXIT PTY LTD   GEMXIT UK LTD   © GEMXIT 2026

Agent Foskett The Missing Click

This Agent Foskett cyber briefing covers a Microsoft 365 phishing protection issue caused by a disabled Exchange Online transport rule.

It highlights the importance of validating security controls, testing mail flow enforcement and confirming Microsoft Defender protections are operational.