Latest Discussions
Block all internet traffic except some sites
Hi, I've a subset of machines that need only access to some sites, like internal websites, Office 365 and AV updates, but I'm being asked to block all other sites. Can I use Office 365 Defender (https://security.microsoft.com/securitysettings/endpoints) to do this? What is the best option? Thx
joaquimlopes, Jun 08, 2025, Copper Contributor. 48 Views, 0 likes, 2 Comments

Attack Simulator emails bypass mail flow rules
Is there any documentation for Attack Simulator emails bypassing mail flow rules? We have a mail flow rule that marks and appends a disclaimer to all external emails coming in. When using the Attack Simulator, emails are bypassed.
Solved. Fixxser2, Jun 04, 2025, Copper Contributor. 48K Views, 1 like, 3 Comments

All Excel Macro Files Suddenly Flagged as Malware (X97M/Slacker.gen!A) Across M365 Starting April 16
Starting around 8 PM GMT+8 on April 16, 2025, macro-enabled Excel files with extensions such as .xlsm, .xlsb, or .xls began being automatically flagged as malware, specifically identified as X97M/Slacker.gen!A, when opened or edited in SharePoint, OneDrive, or Teams. Before this, the same files were not flagged as malicious, even when opened or edited, and this behavior had remained consistent for several months. This issue affects our entire tenant, with over 800 files being flagged as malware under the name X97M/Slacker.gen!A. These files are located across various locations and have been modified by different users. We are a cloud-only tenant, and we have not done any configuration changes in Threat Policies for the past few months.
Tiam, May 07, 2025, Copper Contributor. 831 Views, 0 likes, 0 Comments

Marking Quarantine Notice senders as safe for entire tenant
Our users get quarantine notices weekly. They're configured to come from email address removed for privacy reasons (the domain specific to tenant). Sometimes they come from email address removed for privacy reasons anyways, but this is fine. The thing is, I end up with a LOT of users who end up receiving these in their junk mail. We have a lot of tenants; I don't really have the time to keep checking them, taking action on mis-junked items. Most stuff is configured to go to quarantine anyway. What's the best way to allow these senders? The IB Anti-Spam safe-senders component is not Secure Score recommended, and we try to keep these scores high. But the tenant allow/block list allows a max of 45 days since last use. There's so many options, I'm a little confused as to what's 'right'. Thanks
underQualifried, May 06, 2025, Copper Contributor. 27 Views, 0 likes, 0 Comments

Defender bulk unsanction
I want to unsanction all Generative AI apps in the cloud catalogue with a risk score of 7 or below. But this is 970 apps and I don't feel like doing this one page of 20 at a time; I'll be there all day. Can someone suggest a PowerShell script to set anything in that category with risk score 0-7 as unsanctioned?
lfk73, Apr 23, 2025, Copper Contributor. 274 Views, 0 likes, 12 Comments

Automated Investigation and Response
Upgraded to Defender for 365 P2 based on the idea of setting automated responses to certain alerts. That's how it was described. Now I'm trying to enable and configure it. The documentation has bounced me around 20 different articles for XDR, Defender Enterprise, Defender for Business... I do not see anywhere to configure the automation in Defender. One doc points me here for making sure it's enabled. When I open this, and go down to Automation, it's simply an empty list of device groups. We don't use device groups; we don't use Defender for Endpoint. Has anyone configured this in a non-XDR environment? What I'm encountering and what was advertised seem very different...
98 Views, 1 like, 2 Comments

upgraded from P1 to P2... how do I configure this?
Upgraded to Defender 365 P2 from P1, based on the automated responses. Kinda figured we'd be able to tweak these, but I guess not? Anyway, I'm a little bit confused about how to set this up maximally. Realized yesterday we had a 'User clicked a malicious link' investigation that was pending, but no one knew. When I click 'Email Notification' in the 'Incidents' window, it brings me to the XDR settings menu, with options for setting emails to notify of Alerts, Incidents and Threat Analytics. Except we don't have XDR? So I can't tell if these are even valid? The documentation on the AIR component is really hard to decipher; wondering if anyone has much experience with this, and knows how to configure it optimally? As in, how do I notify someone of a Critical Investigation, or something needing approval for remediation? Can I configure certain things to not require approval? Like... removing a reported phishing email from everyone's inbox?
underQualifried, Apr 21, 2025, Copper Contributor. 86 Views, 0 likes, 2 Comments

Limit access to Quarantine (and only quarantine)
The end-user quarantine is reachable at https://security.microsoft.com/quarantine. Based on our security policies, we have limited access using Conditional Access and the cloud app "Microsoft Admin Portals." Consequently, no user can directly access the quarantine. We have made the necessary exceptions to ensure the quarantine functions properly. However, there is an issue: users without proper permissions can still navigate extensively within the portal. For example: on the left-side navigation, they can click on "Start." Within the "Next steps" section, there is a link to "Advanced Hunting." Although they cannot perform any actions there, the link remains accessible. Additionally, under "Additional Resources," users can click on any admin center, albeit with limited functionality. Is there anyone with an idea on how to restrict users to the quarantine area only, preventing access to other sections of the portal?
PeterForster, Apr 04, 2025, Iron Contributor. 1.6K Views, 3 likes, 8 Comments

purchased windows defender but account is with godaddy - cannot setup
I purchased Windows Defender from Microsoft, who told me I could use this even though my account was hosted through GoDaddy. When I go to start using Microsoft Defender for Business, it redirects me to a GoDaddy page and there is nothing I can do. I need to know if this works and, if so, how to set it up, or I need to cancel it.
robmerchant, Mar 27, 2025, Copper Contributor. 258 Views, 0 likes, 1 Comment

Enhanced Filtering for (CSE) Connectors
One of my customers is using Cisco Secure Email as their default gateway with a connector into M365. They would like to enable Enhanced Filtering on the connector to improve their anti-spam/malware protection. Enhanced Filtering on the "Inbound from Cisco Secure Email" connector: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors#use-the-microsoft-defender-portal-to-configure-enhanced-filtering-for-connectors-on-an-inbound-connector Do you know if there are any caveats to adding a few mailboxes to the policy to test the behavior before they cut over the entire enterprise?
sharmanitin, Mar 14, 2025, Microsoft. 27 Views, 0 likes, 0 Comments