VNJoe
- Microsoft apply the "Secure by default" term to make sure default settings are as secure as possible. You can find out more info here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default
- Microsoft regularly keep 365 customers up to date via the "Message Center" with details and user impact for incoming changes. You can configure email alerts/digests from the Message Center. You can find out more info here: https://docs.microsoft.com/en-us/microsoft-365/admin/manage/message-center
- Microsoft have documentation on configuring Anti-Phish policies: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies
- Whether something is a breach of contract is a discussion for your legal team and Microsoft. This is a tech community site, so you are mostly only going to find tech support/communication here.
One of the most common false positives we find is "impersonation" or "spoofing" type emails. In a perfect world everyone would have their SPF/DKIM/DMARC correctly configured, but many businesses send marketing through 3rd party marketing services without this correctly set up. When you receive an email from Email address removed but the route has come from Email address removed, it often flags as impersonation because that is exactly what it is. Not sure what the best way to get around this particular type of "phishing" is, but having a clearly defined policy around email security standards you can give to internal and external contacts (and making sure your own emails meet these standards) is the first step. If a certain "type" is a particular pain point for your organisation/client, then there are options to turn off specific checks in the anti-phish and anti-spam configurations (this is obviously discouraged from a security viewpoint). I often direct customers to https://docs.microsoft.com/en-us/exchange/standalone-eop/best-practices-for-configuring-eop and https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing when emails regularly hit quarantine with no SPF/DKIM/DMARC from the sender.
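To make the "From one domain, routed via another" point above concrete, here is a small added example (written for this page, not code from VNJoe, Microsoft or Exchange Online) that applies the DMARC alignment rule to a message's headers. It reads the visible From: domain, the envelope sender domain that SPF authenticated (smtp.mailfrom) and the DKIM signing domain (header.d), and reports whether either authenticated identifier aligns with From:. The two sample messages are constructed, use reserved .example names, and follow the general shape of an Authentication-Results header; the organisational-domain helper is a simplification (last two labels) and does not consult the Public Suffix List as a real DMARC evaluator would.

```python
"""DMARC alignment check: why a third-party marketing send is flagged as impersonation.

Constructed example. DMARC passes only if SPF or DKIM passed *and* the domain it
authenticated aligns with the RFC 5322 From: domain. A marketing platform that
sends as contoso.example but authenticates its own mailer.example.net domain
passes SPF/DKIM yet fails alignment, which is what the filter reports as spoofing.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    """Simplified organisational domain: last two labels. Real DMARC uses the PSL."""
    labels = domain.lower().strip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def is_aligned(from_domain, auth_domain, mode='r'):
    """DMARC alignment: 's' (strict) needs an exact match, 'r' (relaxed) same org domain."""
    if not from_domain or not auth_domain:
        return False
    if mode == 's':
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def domain_of(addr):
    """Domain part of a display-name/angle-bracket address; '' if there is none."""
    _, email_addr = parseaddr(addr or '')
    return email_addr.rpartition('@')[2].lower() if '@' in email_addr else ''


def parse_auth_results(header):
    """Pull spf/dkim results and the domains they authenticated out of Authentication-Results."""
    def grab(pattern):
        m = re.search(pattern, header, re.IGNORECASE)
        return m.group(1).lower() if m else ''
    return {
        'spf': grab(r'\bspf=(\w+)'),
        # smtp.mailfrom may be a bare domain or a full address; keep only the domain
        'spf_domain': grab(r'smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)'),
        'dkim': grab(r'\bdkim=(\w+)'),
        'dkim_domain': grab(r'header\.d=([^;\s]+)'),
    }


def evaluate(raw_message, aspf='r', adkim='r'):
    """Return the From: domain, each authenticated domain, alignment flags and a verdict."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get('From'))
    ar = parse_auth_results(msg.get('Authentication-Results', ''))
    # Prefer the domain SPF actually checked; fall back to Return-Path if it is missing.
    spf_domain = ar['spf_domain'] or domain_of(msg.get('Return-Path'))
    spf_aligned = ar['spf'] == 'pass' and is_aligned(from_domain, spf_domain, aspf)
    dkim_aligned = ar['dkim'] == 'pass' and is_aligned(from_domain, ar['dkim_domain'], adkim)
    verdict = {
        'from_domain': from_domain,
        'spf': ar['spf'], 'spf_domain': spf_domain, 'spf_aligned': spf_aligned,
        'dkim': ar['dkim'], 'dkim_domain': ar['dkim_domain'], 'dkim_aligned': dkim_aligned,
        'dmarc_pass': spf_aligned or dkim_aligned,
    }
    if verdict['dmarc_pass']:
        verdict['reason'] = 'at least one authenticated identifier aligns with From:'
    elif ar['spf'] == 'pass' or ar['dkim'] == 'pass':
        verdict['reason'] = ('SPF/DKIM passed for %s / %s but neither aligns with From: %s; '
                             'this is what the filter sees as impersonation'
                             % (spf_domain or '-', ar['dkim_domain'] or '-', from_domain))
    else:
        verdict['reason'] = 'no SPF or DKIM pass at all'
    return verdict


# Constructed sample 1: marketing platform sends as contoso.example, authenticates only itself.
THIRD_PARTY_UNALIGNED = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=bounce.mailer.example.net; dkim=pass (signature was verified) header.d=mailer.example.net
Return-Path: <bounces@bounce.mailer.example.net>
From: Contoso Marketing <news@contoso.example>
To: someone@fabrikam.example
Subject: Spring offers

Hello
"""

# Constructed sample 2: same sender after delegating a bounce subdomain and a DKIM key.
SELF_HOSTED_ALIGNED = """\
Authentication-Results: spf=pass smtp.mailfrom=bounce.contoso.example; dkim=pass header.d=contoso.example
Return-Path: <bounces@bounce.contoso.example>
From: Contoso Marketing <news@contoso.example>
To: someone@fabrikam.example
Subject: Spring offers

Hello
"""

if __name__ == '__main__':
    for name, raw in (('third-party, unaligned', THIRD_PARTY_UNALIGNED),
                      ('self-hosted, aligned', SELF_HOSTED_ALIGNED)):
        v = evaluate(raw)
        print('%s: dmarc_pass=%s (%s)' % (name, v['dmarc_pass'], v['reason']))
```

Run it as-is and the first message fails alignment despite both SPF and DKIM passing, while the second passes; pass `aspf='s'` to `evaluate()` to see that a strict SPF policy stops the bounce subdomain from aligning and DKIM alone has to carry the message. The fix implied by the post is the second sample: have the third party send from a delegated subdomain you publish SPF for and sign with a DKIM key under your own domain.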