Latest Discussions
Do XDR Alerts cover the same alerts available in Alert Policies?

The alerts in question are the 'User requested to release a quarantined message', 'User clicked a malicious link', etc. About 8 of these we send to [email address removed for privacy reasons]. That administrator account has an EOM license, so Outlook rules can be set. We set rules to forward those 8 alerts to our [email address removed for privacy reasons] address. This is, very specifically, so the alert passes through the @tenant.com address, and our ticketing endpoint knows what tenant sent it. But this ISN'T ideal because it requires an EOP license (or similar - this actually hasn't been an issue until now just because of our customer environments).

I've looked at the following alternatives:
- Setting [email address removed for privacy reasons] as the recipient directly on the Alert Policies in question. This results in the mail going directly from Microsoft to our Ticketing Portal, so it ends up sorted into Microsoft tickets and the right team doesn't get it.
- SMTP forwarding via either Exchange AC user controls or Mail Flow Rules. But these aren't traditional forwarding, and they have the same issue as above.
- Making administrator @tenant.com a SHARED mailbox that we can also log in to (for administration purposes). But this doesn't allow you to set Outlook rules (or even log in to Outlook).

I've checked out the newer alerts under Defender's Settings panel - XDR alerts, I think they're called. Wondering if these can be leveraged at all for this? Essentially, trying to get these Alerts to come to our external ticketing address, from the tenant's domain (instead of Microsoft). I could probably update Autotask's rules to check for a header, and set that header via Mail Flow rules, but... just hoping I don't have to do that for everyone.

73 Views, 0 likes, 0 Comments

Impersonation Protection: Users to Protect should also be Trusted Senders

Hey all, sort of a weird question here. Teaching my staff about Impersonation Protection, and it's kind of occurred to me that any external sender added to 'Senders to Protect' sort of implicitly should also be a 'Trusted Sender'.

Example - we're an MSP, and we want our Help Desk ([email address removed for privacy reasons]) to be protected from impersonation. Specifically, we want to protect the 'Help Desk' name. So we add [email address removed for privacy reasons] to Senders to Protect. However, we ALSO want to make sure our emails come through. So we've ALSO had to add [email address removed for privacy reasons] to Trusted Senders on other tenants.

Chats with Copilot have sort of given me an understanding that this is essentially a 'which is more useful' scenario. But Copilot makes things up, and I want some human input. In theory, ANYONE we add to 'Trusted Senders' we ALSO want protected from impersonation. Anyone we protect from impersonation we ALSO want to trust. Copilot says you SHOULDN'T do both. Which is better / more practical?

77 Views, 0 likes, 0 Comments

I would like to know the complete list of alerts whose serviceSource is MDO

Hi all,

In order to determine the alerts that should be monitored by the SOC, I would like to identify, from the alerts listed at the link below, those whose serviceSource is Microsoft Defender for Office 365 (MDO).
https://learn.microsoft.com/en-us/defender-xdr/alert-policies

I couldn't find where this is documented, no matter how thoroughly I searched, so I would appreciate it if you could point me to the relevant documentation. Thanks

Kota2, Mar 31, 2026, Copper Contributor. 28 Views, 0 likes, 0 Comments

Secure Score rec. out of date - Entra consent settings

TLDR:
1. SecureScore recommendation for user consent settings does not match the User Consent settings recommendation.
2. Also, the recommendation on the User Consent page is not described in a sensible way.

This recommendation - Ensure user consent to apps accessing company data on their behalf is not allowed - instructs people to set the Consent Settings to 'Allow users to consent to low-level permissions', and select the low-level permissions. Optionally, to also set up admin workflow. This is the SecureScore recommended process we've been using. It was bugged, so we'd set it to 'Resolved by ____' usually once completed. It looks like this is fixed and now properly shows Completed (from testing, the manual resolve statuses aren't overwritten by the automatic completion - it'll wait until those are set to something else to update it to Completed). Anyway, that's not the issue.

Recently noticed on the actual Consent blade, it shows that the recommendation is Microsoft-managed. I've never noticed this before - I believe it's new. So now it's kinda unclear what's ACTUALLY recommended. Reading the associated KB, it is described currently as 'end users can consent for any user consentable delegated permissions EXCEPT: Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All.' But it doesn't actually describe what 'user consentable' is... is that whatever 'low impact' permissions you set? Is it something completely different?

So the options are:
1. Users can't consent
2. Users can consent to permissions you deem low-risk
3. Users can consent to permissions users can consent to, but not these x

There isn't a feedback button on SecureScore.

underQualifried, Oct 17, 2025, Brass Contributor. 111 Views, 1 like, 0 Comments

Searching for Activities in Audit Log returns repeated results - appears broken

I'm in Defender, using the Audit Log tool, trying to find out who changed the Anti-Phishing policy on the 23rd of January. Selecting the 'Activities - friendly names' drop-down and inputting 'policy' returns:
- A number of different categories + activities for stuff unrelated to Defender (i.e., Purview, Copilot in Outlook, SharePoint AI use, the 365 AC, 'Places Directory' - whatever that is) but nothing related to Defender (the tool I'm opening it within)...
- The same category - M365 Apps Admin Services cloud policy activities - about 30 times, with every activity it includes. Probably 70% of the results are just this same thing over and over.

I looked into it - because I've never heard of this, yet it SOUNDS like something related to what I do. First off, on the [audit log activities](https://learn.microsoft.com/en-us/purview/audit-log-activities#microsoft-365-apps-admin-services-cloud-policy-activities) KB, this category is listed once, with 4 activities. There are about 13 that show up in each duplicated category in the search, so that's unhelpful. It links to https://learn.microsoft.com/en-us/microsoft-365-apps/admin-center/overview-cloud-policy which seems to imply that 'Cloud Policy service' is not an actual thing - it's just a marketing/conceptual term for a functionality of Intune. Why it's not in the Intune KB - I do not know - I've made some suggestions to the KBs.

The first KB I mentioned does not list any activities for Defender's policies - there's stuff for Endpoint (multiple categories), XDR (multiple categories)...

So I have 2 questions.
1) Is anyone able to advise how to get the data I want? At this point, I'm not even sure this audit log would PULL any relevant data, based on the lack of activities - so I don't really want to just blanket search for that date and sift through stuff.
2) Does anyone know how to use this tool effectively? Know of a KB that is good and reliable and helpful?

Thanks

underQualifried, Jul 16, 2025, Brass Contributor. 93 Views, 0 likes, 0 Comments

All Excel Macro Files Suddenly Flagged as Malware (X97M/Slacker.gen!A) Across M365 Starting April 16

Starting around 8 PM GMT+8 on April 16, 2025, macro-enabled Excel files with extensions such as .xlsm, .xlsb, or .xls began being automatically flagged as malware, specifically identified as X97M/Slacker.gen!A, when opened or edited in SharePoint, OneDrive, or Teams. Before this, the same files were not flagged as malicious, even when opened or edited, and this behavior had remained consistent for several months.

This issue affects our entire tenant, with over 800 files being flagged as malware under the name X97M/Slacker.gen!A. These files are located across various locations and have been modified by different users. We are a cloud-only tenant, and we have not made any configuration changes in Threat Policies for the past few months.

Tiam, May 07, 2025, Copper Contributor. 1.6K Views, 0 likes, 0 Comments

Enhanced Filtering for (CSE) Connectors

One of my customers is using Cisco Secure Email as their default gateway with a connector into M365. They would like to enable Enhanced Filtering on the connector to improve their anti-spam/malware protection.

Enhanced Filtering on the "Inbound from Cisco Secure Email" connector: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors#use-the-microsoft-defender-portal-to-configure-enhanced-filtering-for-connectors-on-an-inbound-connector

Do you know if there are any caveats to adding a few mailboxes to the policy to test the behavior before they cut over the entire enterprise?

sharmanitin, Mar 14, 2025, Microsoft. 88 Views, 0 likes, 0 Comments

Setting up Admin Quarantine

Hi,

We are looking to set up admin quarantine as per the instructions here: https://learn.microsoft.com/en-us/defender-cloud-apps/use-case-admin-quarantine

We have followed this step by setting up a location for admin quarantine. However, when editing the 'Malware Detection' rule in Defender we do not get an option for 'Put in admin quarantine', only 'Put in user quarantine'. Does anyone have any idea how to resolve this?

Thank you.

sp1984, Jan 21, 2025, Copper Contributor. 263 Views, 1 like, 0 Comments

XM/Laroux.CF

Hello Expert,

Need your assistance with the XM/Laroux.CF issue. Mails are being quarantined due to XM/Laroux.CF and we have to manually release the mails. Can we make any changes in our O365 Defender anti-malware policy so mails containing XM/Laroux.CF do not get quarantined?

Thanks in advance

Ravi Harariya, Jan 02, 2025, Copper Contributor. 76 Views, 0 likes, 0 Comments

What steps can I take, given Microsoft Defender's report?

In September I posted a question in this forum; I'm not sure what to do with the data breaches Microsoft Defender reports. I've proceeded to use the "Take Action" button. After clicking on that button, Microsoft Defender took me to its report on what it found. It listed a website I've never heard of before. I use a password manager, so I double-checked there. I don't have an account on that website. The information it has there is about half correct, a quarter of the information is wrong, and the rest is out of date by 10+ years.

There were a few other websites that it reported on. Some I can manage, as Microsoft Defender gave me enough information about them. Others are not helpful, as Defender just says "From an unknown source", and then the rest of the information isn't helpful at all.

Anyway, my concern is that this information is out there, especially with the first reported incident, and I don't see how I can stop this spurious website from displaying it. And I certainly have no idea how it got it in the first place. So, what can I do about some website that got this information from somewhere and displays it for whoever to see it?

Rod-F, Oct 19, 2024, Iron Contributor. 306 Views, 0 likes, 0 Comments
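Editor's added example for the first post in this list ("Do XDR Alerts cover the same alerts available in Alert Policies?"). The header-stamping alternative the poster mentions at the end can be built as a single Exchange Online mail flow rule, so the ticketing system routes on a header instead of on the From address. This is not code from the post or from Microsoft's documentation; the header name X-MSP-Tenant, the tenant tag, the admin mailbox and the ticketing address are placeholders, and the two subject phrases are the alert names quoted in the post.

```powershell
# Added example: stamp a tenant header on Defender alert mail delivered to the
# admin mailbox and redirect it to the MSP ticketing address.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

$tenantTag     = 'contoso'                   # assumed: label the ticketing rules key on
$alertMailbox  = 'administrator@tenant.com'  # assumed: mailbox the alert policies notify
$ticketAddress = 'tickets@msp.example'       # assumed: external ticketing endpoint
$ruleName      = 'Tag and redirect Defender alerts to ticketing'

# Alert names from the post; extend the list for the other alerts being sent.
$alertPhrases = @(
    'User requested to release a quarantined message',
    'User clicked a malicious link'
)

# Match mail sent to the alert mailbox whose subject or body carries one of the
# alert names, add a header naming the tenant, then redirect it.
# Redirect keeps the original sender (Microsoft), so the ticketing side must
# route on X-MSP-Tenant rather than on the From domain.
New-TransportRule -Name $ruleName `
    -SentTo $alertMailbox `
    -SubjectOrBodyContainsWords $alertPhrases `
    -SetHeaderName 'X-MSP-Tenant' `
    -SetHeaderValue $tenantTag `
    -RedirectMessageTo $ticketAddress `
    -Priority 0

# Check: the rule exists, is enabled, and carries both actions.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, SentTo, SubjectOrBodyContainsWords,
                SetHeaderName, SetHeaderValue, RedirectMessageTo
```

On the ticketing side (Autotask in the post) the incoming-mail rule would then match on the X-MSP-Tenant header value to pick the tenant. Because the rule is a redirect rather than a mailbox forward, no licensed mailbox and no Outlook rule is involved, which is the licensing constraint the post is trying to remove.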
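Editor's added example for the post "I would like to know the complete list of alerts whose serviceSource is MDO". The alert-policies article does not carry a serviceSource column, but the tenant's own alerts do: the Graph security alerts_v2 resource exposes serviceSource and accepts it in $filter. The script below (not from the post) lists the distinct alert titles the tenant has received with serviceSource = microsoftDefenderForOffice365. It is a lower bound on the documented set, since only alert types that have actually fired appear. Assumes the Microsoft.Graph PowerShell SDK and the SecurityAlert.Read.All permission.

```powershell
# Added example: enumerate the MDO-sourced alert titles seen in this tenant.
Connect-MgGraph -Scopes 'SecurityAlert.Read.All' -NoWelcome

# Server-side filter on serviceSource; keep only the fields needed for triage.
$uri = 'https://graph.microsoft.com/v1.0/security/alerts_v2' +
       "?`$filter=serviceSource eq 'microsoftDefenderForOffice365'" +
       "&`$select=title,category,severity,createdDateTime,serviceSource"

# Follow @odata.nextLink until the collection is exhausted.
$alerts = [System.Collections.Generic.List[object]]::new()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($a in $page.value) { $alerts.Add($a) }
    $uri = $page.'@odata.nextLink'
}

# Distinct titles with counts, the severities/categories observed and the most
# recent occurrence (ISO-8601 timestamps sort correctly as strings).
$summary = $alerts | Group-Object -Property title | Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Title      = $_.Name
            Count      = $_.Count
            Severities = ($_.Group.severity  | Sort-Object -Unique) -join ','
            Categories = ($_.Group.category  | Sort-Object -Unique) -join ','
            LastSeen   = ($_.Group.createdDateTime | Sort-Object -Descending | Select-Object -First 1)
        }
    }

$summary | Format-Table -AutoSize

# Hand the list to the SOC for the monitoring-scope review.
$summary | Export-Csv -Path .\mdo-alert-titles.csv -NoTypeInformation
```

Run it across each tenant the SOC covers and union the titles; alert types that have never fired anywhere will still be missing, which is why it complements rather than replaces the documentation the post asks for.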
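Editor's added example for the post "Secure Score rec. out of date - Entra consent settings". Whatever the recommendation text says, the tenant's effective user consent setting is readable from the Entra authorization policy, and the permission grant policy it points at lists exactly which permissions users may consent to. The script below (not from the post) prints both. Assumes the Microsoft.Graph PowerShell SDK and Policy.Read.All.

```powershell
# Added example: show the effective user consent setting and the permissions the
# assigned permission grant policy includes and excludes.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$g = 'https://graph.microsoft.com/v1.0'

# defaultUserRolePermissions.permissionGrantPoliciesAssigned is the user consent
# setting: empty means users cannot consent at all.
$auth     = Invoke-MgGraphRequest -Method GET -Uri "$g/policies/authorizationPolicy" -OutputType PSObject
$assigned = @($auth.defaultUserRolePermissions.permissionGrantPoliciesAssigned)

if ($assigned.Count -eq 0) {
    'User consent: disabled (no permission grant policy assigned to users)'
}

foreach ($entry in $assigned) {
    # Entries look like ManagePermissionGrantsForSelf.<policyId>. The built-in
    # ids are microsoft-user-default-low (the "low-level permissions" option)
    # and microsoft-user-default-legacy (users may consent to any permission).
    $policyId = $entry -replace '^ManagePermissionGrants\w+\.', ''
    "Assigned: $entry"

    $inc = Invoke-MgGraphRequest -Method GET -Uri "$g/policies/permissionGrantPolicies/$policyId/includes" -OutputType PSObject
    $exc = Invoke-MgGraphRequest -Method GET -Uri "$g/policies/permissionGrantPolicies/$policyId/excludes" -OutputType PSObject

    foreach ($c in $inc.value) {
        "  include: permissionType=$($c.permissionType)" +
        " permissions=$(@($c.permissions) -join ',')" +
        " verifiedPublisherOnly=$($c.clientApplicationsFromVerifiedPublisherOnly)"
    }
    foreach ($c in $exc.value) {
        "  exclude: permissionType=$($c.permissionType)" +
        " permissions=$(@($c.permissions) -join ',')"
    }
}
```

The includes for microsoft-user-default-low are the set an admin selects in the portal as the low-impact permissions, so this output is the concrete answer to "what is user-consentable here" for the tenant being checked, independent of how the recommendation text phrases it.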
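Editor's added example for the post "Searching for Activities in Audit Log returns repeated results - appears broken". Policy edits made in the Defender portal are recorded in the unified audit log as Exchange admin operations, named after the cmdlet that ran (Set-AntiPhishPolicy and friends), which is why they do not show up under the friendly-name picker. The script below (not from the post) pulls those records for the day in question. The year is an assumption: the post only says "the 23rd of January", and 2025 is inferred from the post date. Assumes the ExchangeOnlineManagement module and a role that can read the audit log.

```powershell
# Added example: who changed the anti-phishing policy on a given day, from the
# unified audit log via Exchange Online PowerShell.
Connect-ExchangeOnline

$start = Get-Date '2025-01-23 00:00'   # assumed year; the post gives only the day
$end   = Get-Date '2025-01-24 00:00'

# Anti-phish policy and rule cmdlets, as recorded under RecordType ExchangeAdmin.
$ops = @(
    'New-AntiPhishPolicy',  'Set-AntiPhishPolicy',  'Remove-AntiPhishPolicy',
    'New-AntiPhishRule',    'Set-AntiPhishRule',    'Remove-AntiPhishRule',
    'Enable-AntiPhishRule', 'Disable-AntiPhishRule'
)

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ExchangeAdmin -Operations $ops -ResultSize 5000

# AuditData is JSON; Parameters holds the cmdlet arguments that were changed.
$changes = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $d.CreationTime
        Who       = $d.UserId
        Operation = $d.Operation
        Policy    = $d.ObjectId
        Changed   = (@($d.Parameters) | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Sort-Object When

$changes | Format-Table -AutoSize -Wrap
```

Two caveats worth checking before trusting an empty result: records older than the tenant's audit retention (180 days on Audit Standard) are gone, and the portal search can only return what it was asked for, so in the UI use the operation-name picker with the cmdlet names above rather than the friendly-name list the post found unhelpful.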
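Editor's added example for the post "Enhanced Filtering for (CSE) Connectors". Enhanced Filtering on an inbound connector can be scoped to a list of recipients with the EFUsers parameter, which is the "few mailboxes first" pilot the post asks about. The script below (not from the post) records the connector's current state, enables EF for the pilot users only, and shows the check to run on a delivered message. The connector name is the one in the post; the pilot addresses are placeholders. Assumes the ExchangeOnlineManagement module.

```powershell
# Added example: pilot Enhanced Filtering for Connectors on a subset of
# recipients before the tenant-wide cutover.
Connect-ExchangeOnline

$connector = 'Inbound from Cisco Secure Email'         # connector name from the post
$pilot     = 'alice@tenant.com', 'bob@tenant.com'      # assumed pilot recipients

# Record the current state so the change can be reverted.
Get-InboundConnector -Identity $connector |
    Format-List Name, ConnectorType, EFSkipLastIP, EFSkipIPs, EFUsers, EFTestMode

# Enable EF for the pilot recipients only. EFSkipLastIP tells Exchange Online to
# ignore the last hop (the CSE gateway) when determining the true source IP.
# Recipients not in EFUsers keep the current behaviour.
Set-InboundConnector -Identity $connector -EFSkipLastIP $true -EFUsers $pilot

# Check: EF is on and scoped to the pilot list.
Get-InboundConnector -Identity $connector |
    Format-List Name, EFSkipLastIP, EFUsers

# After the pilot, clear EFUsers so EF applies to every recipient:
#   Set-InboundConnector -Identity $connector -EFUsers $null
# Or roll back entirely:
#   Set-InboundConnector -Identity $connector -EFSkipLastIP $false -EFUsers $null
```

To see whether it is working, send the same external test message to a pilot and a non-pilot mailbox and compare the CIP value in the X-Forefront-Antispam-Report header: with Enhanced Filtering in effect the pilot copy should show the original sender's connecting IP, while the non-pilot copy still shows the Cisco gateway's IP.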