Skip to main content
Skip table of contents

M365 Defender: Deactivate "Phish delivered due to an ETR override" alert

If the alert "Phish delivered due to an ETR override" is triggered due to our phishing simulation, you will not be able to change the alert manually. Please contact your Implementation Manager/ Customer Success Manager or to resolve this issue. 

You will be provided with a PowerShell script that creates a custom rule developed by SoSafe that extends the default Microsoft rule to the extent that our servers are excluded,but otherwise the functionality remains the same.

You will need the appropriate Security & Compliance M365 admin rights to run it.


  1. Press Windows key + enter PowerShell in search.

  2. Run PowerShell as admin.

  3. Either copy and paste the script or enter the path to the script in PowerShell.

Important: After execution, please disable the default "Phish delivered due to an ETR override" rule at Unfortunately, this cannot be done via PowerShell.

The contents of this article and instructions have been created with the utmost care. However, due to the varie of computer systems and the possibility of information becoming outdated (e.g. because of updates), SoSafe GmbH accepts no liability for the topicality, correctness ,or functionality of the content. Likewise, no liability is assumed for damages or consequential damages resulting from the use of the contents provided herein.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.