Update anti-spoofing-spoof-intelligence.md

puneethmeister · web-flow · commit db10dc6fdb12 · 2025-01-31T13:34:57.000+05:30
diff --git a/defender-office-365/anti-spoofing-spoof-intelligence.md b/defender-office-365/anti-spoofing-spoof-intelligence.md
@@ -54,7 +54,7 @@ The rest of this article explains how to use the spoof intelligence insight in t
 
 > [!NOTE]
 >
-> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list).
+> - Only spoofed senders detected by Spoof Intelligence appear in this report. Emails that fail DMARC with an action of reject/quarantine do not appear, as they are processed based on Honor DMARC policies rather than Spoof Intelligence detection. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list).
 >
 > - The **Action** values **Allow** or **Block** in the spoof intelligence insight refer to spoof _detection_ (whether Microsoft 365 identified the message as spoofed or not). The **Action** value doesn't necessarily affect the overall filtering of the message. For example, to avoid false positives, a spoofed message might be delivered if we find that it doesn't have malicious intent.
 >
@@ -106,7 +106,7 @@ To view information about the spoof intelligence detections, select **View spoof
 ### View information about spoof detections
 
 > [!NOTE]
-> Remember, only spoofed senders that were detected by spoof intelligence appear on this page.
+> Remember, Only spoofed senders detected by Spoof Intelligence appear in this report. Emails that fail DMARC with an action of reject/quarantine do not appear, as they are processed based on Honor DMARC policies rather than Spoof Intelligence detection.
 
 The **Spoof intelligence insight** page at <https://security.microsoft.com/spoofintelligence> is available when you select **View spoofing activity** from the spoof intelligence insight on the **Spoofed senders** tab on the **Tenant Allow/Block Lists** page.
 

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ The rest of this article explains how to use the spoof intelligence insight in t`
`54`	`54`
`55`	`55`	`> [!NOTE]`
`56`	`56`	`>`
`57`		-> - Only spoofed senders that were detected by spoof intelligence appear in the spoof intelligence insight. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the Spoofed senders tab on the Tenant Allow/Block Lists page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list).
	`57`	+> - Only spoofed senders detected by Spoof Intelligence appear in this report. Emails that fail DMARC with an action of reject/quarantine do not appear, as they are processed based on Honor DMARC policies rather than Spoof Intelligence detection. When you override the allow or block verdict in the insight, the spoofed sender becomes a manual allow or block entry that appears only on the Spoofed senders tab on the Tenant Allow/Block Lists page at <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see [Spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#spoofed-senders-in-the-tenant-allowblock-list).
`58`	`58`	`>`
`59`	`59`	`> - The Action values Allow or Block in the spoof intelligence insight refer to spoof _detection_ (whether Microsoft 365 identified the message as spoofed or not). The Action value doesn't necessarily affect the overall filtering of the message. For example, to avoid false positives, a spoofed message might be delivered if we find that it doesn't have malicious intent.`
`60`	`60`	`>`
`@@ -106,7 +106,7 @@ To view information about the spoof intelligence detections, select **View spoof`
`106`	`106`	`### View information about spoof detections`
`107`	`107`
`108`	`108`	`> [!NOTE]`
`109`		`-> Remember, only spoofed senders that were detected by spoof intelligence appear on this page.`
	`109`	`+> Remember, Only spoofed senders detected by Spoof Intelligence appear in this report. Emails that fail DMARC with an action of reject/quarantine do not appear, as they are processed based on Honor DMARC policies rather than Spoof Intelligence detection.`
`110`	`110`
`111`	`111`	`The Spoof intelligence insight page at <https://security.microsoft.com/spoofintelligence> is available when you select View spoofing activity from the spoof intelligence insight on the Spoofed senders tab on the Tenant Allow/Block Lists page.`
`112`	`112`