We are excited to announce the GA release of auto-remediation of malicious messages through automated investigation and response (AIR), expanding this powerful tool and delivering on full end-to-end automation of key SOC scenarios.
AIR triages, investigates, remediates and responds to high-impact, high-volume security alerts, providing tenant-level analysis to increase customer protection and optimize SOC teams. With this enhancement, customers can configure AIR to automatically execute remediations for messages within malicious entity clusters, saving SOC teams time and further expediting remediation by removing the need for SOC teams to approve these actions!
To highlight the key user submission scenario: in addition to AIR completing triage, investigation, remediation identification, and end-user feedback responses, customers may now configure AIR to go a step further and automatically execute the identified remediations.
Auto-Remediation Action
When AIR recognizes a malicious file or URL, it creates a cluster around that file or URL, grouping all messages that contain it into the respective cluster. The automated investigation then checks the location of the messages within the cluster, and if it finds messages within users' mailboxes, AIR produces a remediation action. With the auto-remediation enhancement, if the customer has configured that cluster type to auto-remediate, the action is executed automatically without the need for SecOps approval, removing identified threats at machine speed!
Auto-remediated clusters showing in the action center history, with Decided by stating Automation:
Configuration
Auto-remediation is controlled by a configuration within Settings > Email & Collaboration > MDO automation settings. Within the message clusters section, organizations may specify which types of message clusters they would like to be auto-remediated:
- Similar files: When the automated investigation recognizes a malicious file, it creates a cluster around the malicious file grouping all messages that contain that file into the cluster. Selecting this checkbox will opt the organization into auto-remediation for these malicious file clusters.
- Similar URLs: When the automated investigation recognizes a malicious URL, it creates a cluster around the malicious URL grouping all messages that contain the URL into the cluster. Selecting this checkbox will opt the organization into auto-remediation for these malicious URL clusters.
The next configuration is the remediation action. It is set to soft delete, as soft delete is currently the only action supported through AIR.
Auto-remediation of malicious entity clusters configuration, found in Settings > Email & collaboration > MDO automation settings:
Note: Customers interested in auto-remediation must turn it on through the MDO automation settings page, as it is not on by default.
Auto-Remediation Action Logging
The Defender portal provides several ways for customers to review remediation actions and stay cognizant of the actions executed: within the investigation, the action center, the email entity page, Threat Explorer and advanced hunting. Should customers disagree with an executed action, the messages can be moved back to mailboxes as well, depending on configuration and timing.
Auto-remediated messages showing in Threat Explorer, with Additional actions as Automated Remediation: automated:
Auto-remediated messages showing in Advanced Hunting, with ActionType as Automated Remediation and ActionTrigger as Automation:
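The following advanced hunting query is an added example for auditing what auto-remediation did in a tenant; it is not from the original post or Microsoft documentation. It assumes the EmailPostDeliveryEvents table with the ActionType, ActionTrigger, ActionResult, NetworkMessageId and RecipientEmailAddress columns, and the EmailEvents table with NetworkMessageId, SenderFromAddress, Subject, ThreatTypes, AttachmentCount and UrlCount, which are the standard schema columns; the ActionType and ActionTrigger values are the ones shown on this page.

```kql
// Review messages that AIR auto-remediated (no analyst approval) in the last 7 days,
// and group them back into their clusters by sender and subject so a SOC analyst can
// spot a cluster that was soft-deleted in error and needs to be moved back to mailboxes.
let lookback = 7d;
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
| where ActionType == "Automated Remediation"      // value shown in Advanced Hunting for AIR
| where ActionTrigger == "Automation"              // executed by automation, not by a SOC approval
| project Timestamp, NetworkMessageId, RecipientEmailAddress, ActionResult
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, SenderFromAddress, Subject, ThreatTypes, AttachmentCount, UrlCount
  ) on NetworkMessageId
| summarize
    RemediatedMessages = dcount(NetworkMessageId),
    Recipients         = make_set(RecipientEmailAddress, 50),
    Results            = make_set(ActionResult),
    FirstAction        = min(Timestamp),
    LastAction         = max(Timestamp)
    by SenderFromAddress, Subject, ThreatTypes, AttachmentCount, UrlCount
| order by RemediatedMessages desc
```

Rows with a high RemediatedMessages count and a blank ThreatTypes value are the clusters worth a second look, since those are the ones an analyst would previously have been asked to approve.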
Learn More
Register for the deep dive webinar on Microsoft Defender for Office 365 automated investigation and response (AIR) on June 25, 2025, at 8:00am PDT / 3:00pm UTC. Learn more about the feature enhancements, as well as how AIR can help optimize SOC teams and accelerate threat response.
To learn more about auto-remediation in AIR, please visit Automated remediation in AIR - Microsoft Defender for Office 365 | Microsoft Learn.
To learn more about investigations in MDO, please visit the following pages: