Blog Post

Microsoft Defender for Office 365 Blog

3 MIN READ

Announcing quarantine release integration in Microsoft Defender for Office 365 hunting experience!!

Microsoft

Jul 29, 2024

We are excited to introduce the new quarantine release integration within Microsoft Defender for Office 365 as part of the hunting experience. This enhancement allows Security Operators (SecOps) to a...

Updated Jul 30, 2024

Version 2.0

Microsoft

Joined June 21, 2021

View Profile

Microsoft Defender for Office 365 Blog

Follow this blog board to get notified when there's new activity

Brok3NSpear

Brass Contributor

Jul 30, 2024

That KQL query mentioned. It doesn't seem to be picking up all instances for where a URL was seen as Phishing in an email (in my example below, I found over 10 emails affected)

MS started (as of today) to flag the below URL as Phishing , but when I ran the below KQL as shown above, it only picked up one email. Previously, that URL (where someone has accepted a Teams meeting) was never flagged

URL: hxxps://http://www.google[.]com/maps/search/Microsoft+Teams+Meeting?hl=en

Query ran: (defanged URL in query)

EmailEvents
| where ThreatTypes contains "Phish" and LatestDeliveryLocation contains "Quarantine"
| join EmailUrlInfo on NetworkMessageId
| where Url in ("hxxps://www[.]google.com/maps/search/Microsoft+Teams+Meeting?hl=en")
| project Timestamp,NetworkMessageId,RecipientEmailAddress,Subject,DeliveryAction,LatestDeliveryLocation,Url,UrlCount, ReportId

When running the same URL via Explorer in Defender, it found them all.