Microsoft Defender for Office 365 | Microsoft Community Hub

Forum Widgets

Latest Discussions

Is it possible to block emails containing QR CODE?
Is it possible to block emails containing QR CODE?
lucanz73
Copper Contributor
Sep 28, 2023
22KViews
3likes
24Comments
Preset policies have suddenly started notifying users of quarantined messages
Hi all. We have been using preset policies (standard and strict) for some time and were happy with the fact that they don't notify users of messages which have been quarantined (and nor is it possible to change the notification policy). However, quarantine notifications suddenly started turning up in users' mailboxes at the weekend. Have Microsoft changed something or released an unplanned change? Hoping you can help clarify the situation.
Solved
OzOscroft
Iron Contributor
Mar 21, 2023
10KViews
0likes
24Comments
Enable Quarantine Notifications for Strict protection (Strict Preset Security Policy)
How can I enable quarantine notifications for the preset strict protection policies. There is no way to assign a quarantine policy to strict protection policies.
Solved
Kiril
Iron Contributor
Dec 07, 2022
configuration
detection
microsoft 365 defender
phishing
prevention
11KViews
0likes
19Comments
Phishing attack simulator incorrectly emails people the message, "Because you were recently phished"
Hi folks, * I am evaluating Microsoft Phishing Attack Simulator with a 4 user pilot * None of the 4 users were phished in any of the 3 simulations that I actioned * At the end of each simulation, users are correctly being emailed a message with a link to phishing traning * However, the email with the link to the phishing training contains this wording: "Because you were recently phished, we require you to take training(s) to recognize phishing attacks in future." * The wording I quote is troublesome since it: a) Is inaccurate; none of the users were phished b) Presents me (and potentially my colleagues in IT Support), negatively, since it makes us look like we aren't in control of the simulation technology (ie it looks like we don't understand the reality of how each user responded in the simulations) c) Risks alienating us from our users My questions thus are: 1) Is anyone else impacted with this issue? 2) Is there a way for the wording I refer to, to be constructively edited? Any help is always appreciated. Regards, Steve
SteveCRF
Copper Contributor
Mar 02, 2022
Attack Simulation Training
email security
7.8KViews
0likes
19Comments
add to whitelist or safe senders from quarantine
Hello all I see its possible to block a sender from within the quarantine. Is it also possible to whitelist or add a sender to "safe senders" list from within the quarantine ?
Solved
Skipster311-1
Iron Contributor
Nov 15, 2021
microsoft 365 defender
phishing
73KViews
1like
18Comments
Defender bulk unsanction
I want to unsanctioned all Generative AI apps in cloud catalogue with a risk score 7 or below. But this is 970 apps and I don't feel like doing this one page of 20 at a time I'll be there all day. Can someone suggest a powershell script to set anything in that category risk score 0-7 as unsanctioned?
lfk73
Brass Contributor
Mar 17, 2025
microsoft 365 defender
412Views
0likes
12Comments
All the mail from one mail adress arrive in quarantine with an SCL = 5
All the emails sent to us by our customer (email address removed for privacy reasons) arrive in our quarantine with an SCL score of 5. However, the email address passes the DMARC tests perfectly (test carried out with https://www.dmarctester.com/). The domain is not blacklisted, and emails from his colleagues email address removed for privacy reasons and email address removed for privacy reasons arrive with no problem. The content of the email shouldn't be the problem either, as an empty email is also quarantined. What additional diagnostic work can I do to understand why the SCL for each of his emails scores 5?
Hugo_Smartbee
Copper Contributor
Aug 07, 2024
2.2KViews
0likes
12Comments
Defender for Office Policy Assignment by Domain
Hello - Sorry, this is a little bit long... We've been testing MDO and have run into an issue that seems like a 'bug' but, I've been unable to find any other reports of it online. I have a ticket open with MS but, that's moving along very slowly as they're insistent on re-doing all the troubleshooting I've already done. But, I digress... The problem we've found is in the MDO policy assignment - confirmed in anti-phish and anti-malware. If I assign the policy to a user and/or group/DL, the policy works as expected. However, if I use the domain assignment (as we were hoping to do for the full deployment), the assigned policy is being ignored and the message(s) is being passed on to the Default policy. For example, I have a custom anti-malware policy that's my priority 0 policy. In it, I have assigned a specific group with some test accounts. I also assigned a domain (one of my owned/registered tenant domains). I also added a specific file extension to the disallowed list so that I could test. Then, I send a test email, with an attachment with that extension, to an account that's a member of the assigned group as well as another account that's a member of the assigned domain. The expectation is that both of those messages should be blocked. However, that's not the case. The message to the account that's part of the assigned group is blocked (as expected) but, the message to the accounts that's part of the assigned domain is successfully delivered (attachment and all). It doesn't seem to matter which accounts, groups or domains I use, I can readily repeat the issue everytime. As an additional test, I added a random extension to the block list of the Default malware policy - one that's not included in my custom policy - and sent test emails again with an attachment of that file type. The expectation being that all accounts should receive the message. But, nope, that's not what happened. The account(s) assigned to the custom policy by group/account received the message (as expected) and the one assigned by domain was blocked. To me, that's pretty clear evidence that there's some kind of issue with domain assignment in the policies. That particular message basically bypassed the policy to which it was assigned and was handled by the Default policy. As mentioned, I haven't found any other similar reports online, and to this point, Microsoft hasn't alluded to any issues. Surely others are using domains to assign their MDO policies. Has anyone run into this and, if so, have you found some sort of resolution for it? Thanks, Robin
Solved
robinhailey
Copper Contributor
Feb 09, 2024
configuration
detection
microsoft 365 defender
2.6KViews
0likes
10Comments
My emails are being quarantined by Office 365 and I need help
I am having really bad issue. We use Google Business for email and Sendgrid SMTP service via our ERP Odoo to send transactional emails. But since last week all of the customers and suppliers that use office 365 are not seeing our emails. Their are being quarantined for suspicion of phishing. WE have been sending the same emails since 2021 so I don't understand how all of a sudden our emails are being blocked. If i send an email with any attachment including my logo in my signature, the email gets blocked but If i send the email with nothing in it it goes through... Let me know if anyone has an idea because I am loosing my mind, i do not know what to do.
Solved
alex_ase
Copper Contributor
May 24, 2023
23KViews
0likes
10Comments
Report Message Add-in going away?
Logging on to the Threat Policy page today and was presented with the below message. "The User reported message settings page will start moving for some tenants in late-March 2022 from the Policies & rules section to the Settings section of the Microsoft 365 Defender portal. Also to simplify reporting messages in your organization, we'll be integrating the report feature directly into Outlook's default Junk and Phishing buttons starting. You will no longer need the Report Message add-in. All tenants will see the new change by end of April 2022. " Does this mean the Report Message-Add In is going away? How will users report Phishing? Will the Report Message-Add In quit working? I can't find any additional information on this topic so I would appreciate any info. Thanks.
Marco Bunschoten
Copper Contributor
Mar 17, 2022
5KViews
0likes
10Comments

Resources

Tags

microsoft 365 defender103 Topics
phishing44 Topics
configuration34 Topics
detection25 Topics
investigation17 Topics
prevention13 Topics
threat intelligence13 Topics
remediation11 Topics
hunting10 Topics
Awareness9 Topics