Microsoft Defender for Office 365 Blog

Strengthening calendar security through enhanced remediation

nithinnara
Microsoft
Nov 24, 2025

In today’s evolving threat landscape, phishing attacks are becoming increasingly sophisticated, often leveraging meeting invites to bypass traditional defenses. While Security Operations (SOC) teams rely on Microsoft Defender’s remediation actions to remove malicious emails, a hidden risk persists: calendar entries created by Outlook during email delivery. These entries can remain active even after the email is deleted, leaving users exposed to harmful content. This update addresses that gap.

Remediation supports cleaning up calendar entries

SOC teams currently use remediation actions such as Move to Junk, Delete, Soft Delete, and Hard Delete to quickly eliminate email threats from user inboxes. However, meeting invite emails introduce an additional challenge: Outlook automatically creates a calendar entry during delivery, and that entry remains accessible to users even after the email is removed.

For example, consider a phishing email sent as a meeting invite. Despite the admin removing the email from the user’s inbox, the user can still interact with the same malicious content via the calendar entry.

 

This residual entry may contain harmful links or phishing content, creating a security gap. With this update, we’re taking the first step toward closing that gap. Hard Delete will now also remove the associated calendar entry for any meeting invite email. This ensures threats are fully eradicated—not just from the inbox but also from the calendar—reducing the risk of user interaction with malicious content.

This change applies to Hard Delete actions taken from any surface, including Explorer, Advanced Hunting, and API.

 

Note

1) Deleted calendar entries can be restored by resending the meeting invite.

2) This action does not remove calendar entries manually added by users via .ics files.

Ability to Block URL domains via submission/TABL actions from Explorer

SOC teams can currently add senders and URLs as block entries in the Tenant Allow/Block List (TABL) when submitting false negatives to Microsoft. However, phishing campaigns often use variations of URLs under the same parent domain, making full URL blocking less effective.

With this update, TABL options for URL domains are now dynamically surfaced, enabling SOC teams to block entire domains without leaving their workflow. This enhancement simplifies remediation and strengthens defenses against domain-based phishing attacks.
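The reasoning above as an added example (not Microsoft's code, and not how Defender decides which options to surface): given URLs reported from one campaign, it proposes a domain entry where several variants share a parent domain and keeps full-URL entries otherwise. The shared-platform exception, the `min_variants` threshold, the naive two-label parent-domain rule, and all sample URLs are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical multi-tenant host where a domain-wide block would also hit
# legitimate content; a real list is tenant-specific.
SHARED_PLATFORMS = {"sharedhost.example"}

def parent_domain(url):
    """Naive parent domain: the last two labels of the host."""
    # Assumption: production code would use the Public Suffix List (co.uk etc.).
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        raise ValueError(f"no host in {url!r}")
    try:
        ipaddress.ip_address(host)
        return host                      # IP literal: nothing to collapse to
    except ValueError:
        return ".".join(host.split(".")[-2:])

def propose_block_entries(reported_urls, min_variants=2):
    """Collapse URL variants under one parent domain into a domain entry."""
    by_domain = defaultdict(set)
    for url in reported_urls:
        by_domain[parent_domain(url)].add(url)
    plan = {"domains": [], "urls": []}
    for domain, urls in by_domain.items():
        if len(urls) >= min_variants and domain not in SHARED_PLATFORMS:
            plan["domains"].append(domain)
        else:
            plan["urls"].extend(urls)    # too few variants, or shared platform
    return {kind: sorted(entries) for kind, entries in plan.items()}

def is_covered(url, plan):
    """Would this URL be caught by the plan's exact-URL or domain entries?"""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return url in plan["urls"] or any(
        host == d or host.endswith("." + d) for d in plan["domains"])

# Constructed sample data using reserved .example names, not real indicators.
REPORTED = [
    "https://login.phish-campaign.example/a1/index.html",
    "https://mail.phish-campaign.example/verify?id=77",
    "https://phish-campaign.example/x/9f3",
    "https://tenant42.sharedhost.example/doc/invoice",
    "https://tenant42.sharedhost.example/doc/invoice2",
    "https://one-off.example/reset",
]
```

The output is a candidate list for analyst review; it does not use TABL entry syntax and makes no calls to Defender.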

 

These updates strengthen SOC remediation workflows by closing critical security gaps and ensuring threats are fully neutralized across all user touchpoints. By extending remediation to calendar entries and enabling domain-level URL blocking, we deliver comprehensive protection that reduces risk, streamlines operations, and safeguards user experiences. At Microsoft, our priority is your security, and we remain committed to empowering SOC teams with tools that make defense smarter and more effective.

Learn more:

Remediate malicious email that was delivered in Office 365 - Microsoft Defender for Office 365 | Microsoft Learn

Updated Nov 21, 2025
Version 1.0