Latest Discussions
Defender false positive on SharePoint links
We have an external business partner emailing SharePoint links for sensitive information. M365 Defender is consistently flagging the link as malicious with no clear indication as to why. So we get the following:
- alerts generated in Defender
- emails flagged in email explorer and quarantined
- Defender Smart Screen blocks the safe link/original URL but displays a different URL

I have already added the domain to the Allow list in the IoC. I have submitted the domain and specific URL to Microsoft for review.

Questions:
- how to edit the Defender Smart Screen blocks?
- is there a quicker way to list a URL or domain as safe so users can load?

HathMH | Dec 12, 2024 | Copper Contributor | 37 Views | 0 likes | 1 Comment

Assessing Microsoft Defender for Office365 Effectiveness
I'm looking to gather three data points from Defender for Office365. I'm looking for true positives (emails that have been detected as malicious), false positives (emails detected as malicious but released from quarantine) and false negatives (emails not detected as malicious but later reported by users as phishing). Is there any easy way to find these in logs? Or get counts of these?

dsmhood | Dec 12, 2024 | Occasional Reader | 19 Views | 0 likes | 1 Comment

Anti-malware policy doesn't block files
Hello Microsoft Community, We have recently found that the Anti-malware policy doesn't block files that are set to be blocked by the policy. For example, when we send an *.ics file with cmd/exe/jse/rdp and other files inside of the ics, the email is not blocked and is delivered to users. We did several tests with an external security vendor by sending real malware, ransomware and exploits attached to the ics and all of them passed the filtering system. Is anyone aware of the issue? Doesn't MDO scan nested files?! This has happened with a few tenants. Those tenants have Microsoft E5 licenses.

mikhailf | Dec 01, 2024 | Steel Contributor | 53 Views | 1 like | 0 Comments

Configure Quarantine Notifications to Admins when any Email is quarantined
Hi All, Good morning, I would like to understand the possible options in EOP and Defender for O365 to send an alert or notification mail to the e-mail administrator as soon as any mail is quarantined for any user mailbox in Exchange Online. I searched most of the options, but I don't see any solid solution for this. Please share your thoughts and experience on this. Thanks in advance.

NS | Nov 25, 2024 | Copper Contributor | 114 Views | 0 likes | 2 Comments

Automating User Tags
When we create a custom user tag we can select a group and have all the users in the group tagged. However, if a user is removed or added to that group at a later stage the tag is not removed/added. Is there a way to automate this? Only thing I found is that this was before on the roadmap but seems to have been removed?

https://m365admin.handsontek.net/microsoft-defender-for-office-365-tagging-support-for-groups/
https://learn.microsoft.com/en-us/defender-office-365/user-tags-about

"If you assign a group to a user tag, members of the group at the time of tag creation are assigned tag. Users later added to the group aren't automatically assigned the user tag."

JimmyWork | Nov 08, 2024 | Iron Contributor | 24 Views | 0 likes | 1 Comment

Add "Add Sender to Safe Senders" button to quarantine email
We're really liking the email filtering with Defender for Office overall, and the quarantine emails are great (if maybe a bit too spaced out), but one feature that really feels missing is an "Add to Safe Senders" button for end users. I understand they can do it by actually going to the quarantine page if they know where to look, but most of our users never actually do that. It would be amazing to have the option next to "Review Message" and "Release" to "Add to Safe Senders." We often get users submitting tickets to our help desk to ask for addresses to be whitelisted (which also isn't best practice generally), and they don't really understand that they can just add the sender to their own Safe Sender list. I think this would be a massive boost to the user experience and quality of the product - hope the product group will consider it. Thanks

GeorgeBarron | Oct 31, 2024 | Copper Contributor | 223 Views | 0 likes | 4 Comments

Tenant Allow/Block Lists not working as expected
The following is stated on Microsoft's docs related to adding an allow entry in a tenant's Allow/Block lists:

"When you submit a blocked message as I've confirmed it's clean and then select Allow this message, an allow entry for the sender is added to the Domains & email addresses tab on the Tenant Allow/Block Lists page."

ref: https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-email-spoof-configure#create-allow-entries-for-domains-and-email-addresses

I've been submitting quarantined messages for a while now with the specified verdict, both directly from quarantine queue while also using https://security.microsoft.com/reportsubmission. Either way, none of these result in an email address allow entry to be added in Tenant Allow list page. What am I missing?

Marnik | Oct 21, 2024 | Brass Contributor | 510 Views | 0 likes | 2 Comments

What steps can I take, given Microsoft Defender's report?
In September I posted a question in this forum, "I'm not sure what to do with the data breaches Microsoft Defender reports". I've proceeded to use the "Take Action" button. After clicking on that button Microsoft Defender took me to its report on what it found. It listed a website I've never heard of before. I use a password manager, so I double checked there. I don't have an account on that website. The information it has there is about half correct, a quarter of the information is wrong, and the rest is out of date by 10+ years. There were a few other websites that it reported on. Some I can manage, as Microsoft Defender gave me enough information about them. Others are not helpful, as Defender just says, "From an unknown source", then the rest of the information isn't helpful at all. Anyway, my concern is that this information is out there especially with the first reported incident, and I don't see how I can stop this spurious website from displaying it. And I certainly have no idea how it got it in the first place. So, what can I do about some website that got this information from somewhere and displays it for whoever to see it?

Rod-F | Oct 19, 2024 | Iron Contributor | 234 Views | 0 likes | 0 Comments

IP whitelist not working - Phishing Simulation setup
I am trying to set up 3rd party (TrendMicro) Phishing Simulation for Exchange Online. The very first step is to add the source IP into the whitelist. But whatever whitelists I have added source IPs in won't stop the server picking up the test messages as spam.

1. I added an Exchange Rule for the group of IPs, and changed the priority to 0:
2. In the Security, I set up Advanced Delivery rule - Phishing Simulation exemption list
3. I also added an anti-spam policy - connection filter policy to whitelist the range of IPs.

Unfortunately I still have these test messages blocked for high spam SCL. Even though the Exchange Transport rule in step 1 above did apply, the message is still picked up by the system as SCL 9 and quarantined. Any help will be appreciated very much.

Solved | james3149 | Oct 17, 2024 | Copper Contributor | 328 Views | 0 likes | 3 Comments

MS 365 Defender - What permissions are needed to move and delete emails in Explorer?
I need a tech with limited permissions to be able to Remediate malicious email delivered in Office 365. These are the options I have in Admin. I tried a bunch of recommended actions, yet I don't seem to have the correct Admin portals as shown here. For example, I don't have MS 365 Defender Permissions Group shown in the video:

Layne123 | Oct 11, 2024 | Copper Contributor | 640 Views | 0 likes | 4 Comments