
Microsoft Defender for Office 365 Blog

Announcing quarantine release integration in Microsoft Defender for Office 365 hunting experience!!

soumyamishra
Jul 29, 2024

We are excited to introduce quarantine release integration within the Microsoft Defender for Office 365 hunting experience. This enhancement lets Security Operations (SecOps) teams address false positives more efficiently and with greater flexibility.

 

With this new capability, SecOps can move quarantined messages to the Inbox directly from any of the hunting experiences: Threat Explorer, Advanced Hunting, the Email summary panel, the Email entity page, and custom detections.

SecOps team members can act on a single quarantined message or on many messages in bulk. To act on a single message, use the Email entity page; to act on multiple messages, use Threat Explorer, Advanced Hunting, or custom detection rules in Microsoft Defender XDR.

 

The previous workflow for false positive triage was cumbersome: it required SecOps to go through roughly five separate steps and to switch tabs away from hunting surfaces such as Threat Explorer and Advanced Hunting. With this new functionality those extra steps are no longer needed, and SecOps can release messages from where they are without losing context. SecOps teams can also narrow down the affected messages with custom queries and take the release action directly from Threat Explorer and Advanced Hunting.

 

Additionally, a bulk quarantine release on more than 100 messages runs asynchronously. For best results, release remediation should be done in batches of 50,000 messages or fewer.

 

Some examples of how Threat Explorer, the Email entity page and Email summary panel, Advanced Hunting, and the API can be used to deal with false positives effectively are given below.

 

  • SecOps can search for a false positive URL in Threat Explorer, find the related quarantined messages, and directly Move to Inbox / release from quarantine without leaving Threat Explorer.
  • SecOps can search in Advanced Hunting for a false positive URL that has been blocked or quarantined, find all messages quarantined based on that URL and threat type, and directly trigger Move to Inbox / release from quarantine while still in Advanced Hunting in Microsoft Defender XDR. For example:

EmailEvents
// Messages with a Phish verdict whose current location is still Quarantine
| where ThreatTypes contains "Phish" and LatestDeliveryLocation contains "Quarantine"
// kind=inner keeps one row per recipient; the default join flavor (innerunique)
// keeps only one left-side row per NetworkMessageId, so a message sent to
// several recipients would otherwise collapse to a single result
| join kind=inner EmailUrlInfo on NetworkMessageId
// The URL that has been confirmed as a false positive
| where Url in ('http://contoso.com/.i')
| project Timestamp, NetworkMessageId, RecipientEmailAddress, Subject, DeliveryAction, LatestDeliveryLocation, Url, UrlCount, ReportId

 

  • SecOps can release from quarantine directly from the Email entity page and the Email summary panel.
  • Quarantine release through custom detection rules:
    • Email actions in Microsoft Defender for Office 365 are natively integrated with custom detections in Microsoft Defender XDR. SecOps can write KQL queries that identify messages quarantined incorrectly and have the rule respond to those events with the release / Move to Inbox action, even automatically. See the Microsoft Defender XDR documentation on custom detections for details.

 


 Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum 

Updated Jul 30, 2024
Version 2.0

8 Comments

    MikeP751860
    Copper Contributor

    Any support coming to allow checking for pending actions like soft mail deletions which require admin approval and grant approval?

  • Brok3NSpear Email marked as Phish and URL marked as Phish are two different aspects. A URL extracted from an email can be marked phish, but the final verdict on the email can be malware. The query you have mentioned will give you emails marked as phish with their current location as quarantine which had the given URL in them.
    As of today, Advanced Hunting does not have URL-level verdict details in the EmailUrlInfo table. You can look for emails with the given URLs first and then see the threat type on the email.

  • rko8fe Only the Search and Purge role is eligible to move mails from Quarantine to Inbox through Advanced Hunting / Explorer. However, we have taken note of this feedback and will explore the feasibility of a more scoped role further. cc: soumyamishra

    Ching_Hooi
    Copper Contributor

    Will MS consider automating release for admin reported false positive emails if MS rescan result is "no threat found" or "Unknown"?

    At least 80% of admin submission results come back as false positives, especially for URLs detected as HPHISH. When SecOps verify these emails, no URLs are identified as Phish. This creates a high volume of operational workload for SecOps.

    rko8fe
    Copper Contributor

    soumyamishra What are the permissions needed to be able to move mails from the Quarantine to Inbox via Advanced Hunting / Explorer?

    Please note that "Search and Purge" rights are very powerful and may not be granted to SecOps, as they allow deleting any email from any mailbox! Can these rights be scoped so that only release from quarantine is possible?

    Brok3NSpear
    Copper Contributor

    The KQL query mentioned doesn't seem to be picking up all instances where a URL was seen as Phishing in an email (in my example below, I found over 10 emails affected).

     

    MS started (as of today) to flag the below URL as Phishing, but when I ran the KQL shown above, it only picked up one email. Previously, that URL (where someone has accepted a Teams meeting) was never flagged.

     

    URL: hxxps://www.google[.]com/maps/search/Microsoft+Teams+Meeting?hl=en

    Query ran: (defanged URL in query)

    EmailEvents
    | where ThreatTypes contains "Phish" and LatestDeliveryLocation contains "Quarantine"
    | join EmailUrlInfo on NetworkMessageId
    | where Url in ("hxxps://www[.]google.com/maps/search/Microsoft+Teams+Meeting?hl=en")
    | project Timestamp,NetworkMessageId,RecipientEmailAddress,Subject,DeliveryAction,LatestDeliveryLocation,Url,UrlCount, ReportId

     

    When running the same URL via Explorer in Defender, it found them all.