Microsoft 365 • Phishing • Exchange Online

The Missing Click

A real-world phishing issue where Microsoft 365 protections appeared to be in place, but a disabled Exchange transport rule meant the control was never actually doing anything. A reminder that security is not just about configuration — it is about verification.

Agent Foskett Friday Cyber Briefings
Briefing summary

The environment looked protected on paper: block lists, anti-spam settings, transport rules and Microsoft Defender were all present. But phishing emails still landed in inboxes.

Transport rule created
Transport rule disabled
False sense of protection

What happened

A simple oversight quietly undermined the whole control.
The environment looked ready: Domains had been added to the Tenant Allow/Block List, Exchange transport rules existed, anti-spam policies were configured and Microsoft Defender was in place.
The issue: A critical Exchange transport rule had been built correctly, but was left set to disabled. That meant mail flow enforcement never triggered, even though everyone assumed the protection was active.
Lesson learned: Security is not just about deploying controls. It is about validating them, testing them, and continuously verifying that they are operational when needed.
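
One way to run that verification, as an added example that is not part of the original briefing: a PowerShell check that flags transport rules which exist but do not enforce. It goes slightly beyond the disabled-rule case above by also flagging rules left in audit mode or outside their activation window; the function name and the sample rules are constructed for illustration.

```powershell
# Added example (not from the briefing). Get-TransportRuleFinding is a hypothetical helper name.
# It reads the State, Mode, ActivationDate and ExpiryDate properties that Get-TransportRule returns.
function Get-TransportRuleFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Rule,
        [datetime] $Now = (Get-Date)
    )
    process {
        $reasons = @()
        # The failure described above: the rule is built correctly but never switched on.
        if ("$($Rule.State)" -ne 'Enabled') { $reasons += 'rule is disabled' }
        # Audit and AuditAndNotify modes evaluate the rule without enforcing its actions.
        if ("$($Rule.Mode)" -ne 'Enforce') { $reasons += "mode is '$($Rule.Mode)', not Enforce" }
        # A rule outside its activation window does not act on mail either.
        if ($Rule.ActivationDate -and $Rule.ActivationDate -gt $Now) { $reasons += 'activation date is in the future' }
        if ($Rule.ExpiryDate -and $Rule.ExpiryDate -lt $Now) { $reasons += 'expiry date has passed' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name        = $Rule.Name
                Priority    = $Rule.Priority
                WhenChanged = $Rule.WhenChanged
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules so the check runs offline; names and dates are made up.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Block lookalike sender domains'; State = 'Disabled'; Mode = 'Enforce'
                       Priority = 0; ActivationDate = $null; ExpiryDate = $null; WhenChanged = [datetime]'2024-01-10' }
    [pscustomobject]@{ Name = 'Quarantine external invoices'; State = 'Enabled'; Mode = 'Audit'
                       Priority = 1; ActivationDate = $null; ExpiryDate = $null; WhenChanged = [datetime]'2024-02-02' }
    [pscustomobject]@{ Name = 'Prepend external sender warning'; State = 'Enabled'; Mode = 'Enforce'
                       Priority = 2; ActivationDate = $null; ExpiryDate = $null; WhenChanged = [datetime]'2024-03-15' }
)

$findings = $sampleRules | Get-TransportRuleFinding
if ($findings) {
    $findings | Sort-Object Priority | Format-Table -AutoSize -Wrap
} else {
    'All transport rules are enabled and enforcing.'
}

# Against a live tenant, after Connect-ExchangeOnline (ExchangeOnlineManagement module):
#   Get-TransportRule -ResultSize Unlimited | Get-TransportRuleFinding
```

Run on a schedule, a non-empty result is the signal that a control is present on paper but not acting on mail flow.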


This Agent Foskett cyber briefing covers a Microsoft 365 phishing protection issue caused by a disabled Exchange Online transport rule.

It highlights the importance of validating security controls, testing mail flow enforcement and confirming Microsoft Defender protections are operational.