Forum Widgets
Latest Discussions
Configuring 'Quarantine release request' alert via powershell?
I'm working on a big fat script to configure the Threat policies in compliance with Secure Score. I'd like to configure a quarantine policy allowing the user to request release (done), that emails the request to email address removed for privacy reasons (problem). Most of this I've done via ExchangeOnline, but the Alerts policy that notifies us when a user requests release - that is apparently managed via the ippsSession components. I've tried to 1) Get the system alert policy named "User requested to release a quarantined email", pull its Identity, and set "NotifyUser" to my desired email using it's Identity. For reasons I don't understand, it seems to truncate the Identity param when I try to set it, so it can't find it. ```powershell PS C:\Users\woof\Documents> $alertPolicy.Identity > FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User requested to release a quarantined message > Set-ProtectionAlert -Identity $alertPolicy.Identity -NotifyUser "email address removed for privacy reasons" Write-ErrorMessage : There is no rule matching identity 'f00ed340-8f84-4eb4-83f3-0075a22b262e\User requested to release a quarantined message'. At C:\Users\woof\AppData\Local\Temp\tmpEXO_jw5lvpdc.vtl\tmpEXO_jw5lvpdc.vtl.psm1:1189 char:13 + Write-ErrorMessage $ErrorObject ``` 2) Create a new alert policy with `PS C:\Users\woof\Documents> New-ProtectionAlert -Name "test2" -NotifyUser "email address removed for privacy reasons" -Operation "QuarantineRequestReleaseMessage" -NotificationEnabled $true -Severity "Low" -Disabled $false -ThreatType "Activity"` ... This returns that I'm not allowed to make "advanced alert policies" with my P2 license - only "single event alerts", and that I'd need an Enterprise license to do this? Considering I can do both of these things without issue on the web portal, and there's really nothing 'advanced' about wanting to add an alert recipient, I have to imagine I'm approaching this wrong. I just want to set these alerts to go to a different email.SolvedunderQualifriedFeb 28, 2025Brass Contributor230Views0likes4Comments
IP whitelist not working - Phishing Simulation setup
I am trying to setup 3rd party (TrendMicro) Phishing Simulation for Exchange online. The very first step is add the source IP into whitelist. But whatever whitelists I have added source IPs in, won't stop the server pickup the test messages as spam. 1. I added an Exchange Rule for the group of IPs, and changed the priority to 0: 2. In the Security, I setup Advanced Delivery rule - Phishing Simulation exemption list 3. I also added an anti-spam policy - connection filter policy to white list the range of IPs. Unfortunately I still have these test message blocked for high spam SCL, even the Exchange Transport rule on above step 1 did apply, the message is still pickup by the system as SCL 9 and Quarantined. Any help will be appreciated very much.Solvedjames3149Oct 17, 2024Copper Contributor752Views0likes3Comments
Clarification on Microsoft Teams Encryption: E2EE vs. Default Encryption
I’m seeking some clarity on the differences between the end-to-end encryption (E2EE) offered with the Teams Premium license and the default encryption for data at rest and in transit within Microsoft Teams. From what I understand, Teams data is already encrypted both in transit and at rest by default. However, I’m unsure how the E2EE provided under the Teams Premium license differs from this standard encryption. Could someone explain in simple terms the specific differences between these two encryption methods? I’m particularly interested in understanding how I can effectively communicate these differences to my clients, who may not be very technical but need to grasp the security advantages of the Premium license.SolvedMarnikAug 22, 2024Brass Contributor2.9KViews1like1Comment' Malware not zapped because ZAP is disabled ' severity inconsistency
The alert policy ' Malware not zapped because ZAP is disabled ' is set to medium severity in the default alert policies for MDO, while it's documented as informational severity in official MSFT docs: https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide#threat-management-alert-policies Is this a documentation inconsistency, or am I overlooking something?SolvedMarnikAug 08, 2024Brass Contributor656Views0likes1Comment
MDO Attack Simulation and false "positives."
In our last 3 attack simulations (MDO) we've sent out to employees, we've had increasingly more and more employees who are saying they didn't open the attachment and/or didn't click on the link. (They received the training email and asked "why" they received it.......) Is there a way to prove/disprove they did or did not? I've checked the settings on our simulations and they have been configured correctly. I don't want to point "blame" on any of our "compromised" users as now I'm uncertain as to whether or not they were truly compromised. Is there something I'm missing here? Thanks everyoneSolvedItsUnknownJul 18, 2024Copper Contributor635Views0likes3Comments
How to change the language for an end user eLearning module in attack simulation e-learning
Hello, I have started a campaign and some users would like have the content delivered in their preferred language that might be different from the browser or the M365 account language settings. How is it possible for an end user to select another language for an e-learning module. I remember that their was a drop down menu but it seems to no longer appears . The campaign is based on the standard e-learning from the library that supports more than 20 languages.Solved_Salim_Jun 13, 2024Copper Contributor1.1KViews0likes1CommentSafe Links API
Hi all, I'm confused about the Safe Links feature which is called "Do not rewrite URLs, do checks via SafeLinks API only". There are two descriptions which are contradictory to me. 1st: Do not rewrite URLs, do checks via SafeLinks API only: Select this option to prevent URL wrapping and skip reputation check during mail flow. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it. (https://learn.microsoft.com/en-us/defender-office-365/safe-links-policies-configure) 2nd: Do not rewrite URLs, do checks via SafeLinks API only: If this setting is selected (on), no URL wrapping takes place but the URLs are scanned prior to message delivery. In supported versions of Outlook (Windows, Mac, and Outlook on the web), Safe Links is called exclusively via APIs at the time of URL click. (https://learn.microsoft.com/en-us/defender-office-365/safe-links-about) So what exactly happens, if I enable the API check only? Are links scanned prior delivery or not? ThanksSolvedRobertR2Jun 11, 2024Copper Contributor1.2KViews0likes2Comments
2024 Sender Requirements - How are you handling valid e-mails sent to junk?
With the new Sender Requirements rolled out beginning in February 2024, how are you handling legitimate e-mails getting "Filtered As Junk" in O365? I am seeing very large corporations with e-mails landing in our junk e-mail now, but they are one offs. When checking the e-mail headers using MX Toolbox, I'm seeing that usually somewhere in the hops before they hit our servers, they are on a blacklist (or X-CustomSpam header is coming back as "SPF Record Fail"). And O365 seems to be sending those to spam. In our case, I don't think it's great to continually add domains to the whitelist, as it's really up to the sender to ensure they have a good "reputation", aren't on blacklists, and following the sender requirements having full DMARC, DKIM, and SPF compliance. 365 admins, are you seeing more e-mails quarantined or sent to spam and how are you dealing with it?SolvedrmoatMar 21, 2024Brass Contributor2.3KViews0likes3Comments
Filter Quarantined Items by Recipient Mailbox
Hi all, we've been trying to find a way to filter the Quarantine list (https://security.microsoft.com/quarantine) based on mailbox. Many of our users have numerous aliases, which make filtering by "recipient address" rather tedious/difficult. Is there an easy way to filter by the mailbox, for instance with the Mailbox GUID? I don't see a way to do this from the "Filter" tab (outside filtering based on your own mailbox, which is not what we need), and the PowerShell command Get-QuarantineMessage does not seem to have support for this (https://learn.microsoft.com/en-us/powershell/module/exchange/get-quarantinemessage?view=exchange-ps). If it is not possible, is there a way to submit this as a feature request?SolvedDomOcchFeb 22, 2024Copper Contributor597Views0likes1Comment
Defender for Office Policy Assignment by Domain
Hello - Sorry, this is a little bit long... We've been testing MDO and have run into an issue that seems like a 'bug' but, I've been unable to find any other reports of it online. I have a ticket open with MS but, that's moving along very slowly as they're insistent on re-doing all the troubleshooting I've already done. But, I digress... The problem we've found is in the MDO policy assignment - confirmed in anti-phish and anti-malware. If I assign the policy to a user and/or group/DL, the policy works as expected. However, if I use the domain assignment (as we were hoping to do for the full deployment), the assigned policy is being ignored and the message(s) is being passed on to the Default policy. For example, I have a custom anti-malware policy that's my priority 0 policy. In it, I have assigned a specific group with some test accounts. I also assigned a domain (one of my owned/registered tenant domains). I also added a specific file extension to the disallowed list so that I could test. Then, I send a test email, with an attachment with that extension, to an account that's a member of the assigned group as well as another account that's a member of the assigned domain. The expectation is that both of those messages should be blocked. However, that's not the case. The message to the account that's part of the assigned group is blocked (as expected) but, the message to the accounts that's part of the assigned domain is successfully delivered (attachment and all). It doesn't seem to matter which accounts, groups or domains I use, I can readily repeat the issue everytime. As an additional test, I added a random extension to the block list of the Default malware policy - one that's not included in my custom policy - and sent test emails again with an attachment of that file type. The expectation being that all accounts should receive the message. But, nope, that's not what happened. The account(s) assigned to the custom policy by group/account received the message (as expected) and the one assigned by domain was blocked. To me, that's pretty clear evidence that there's some kind of issue with domain assignment in the policies. That particular message basically bypassed the policy to which it was assigned and was handled by the Default policy. As mentioned, I haven't found any other similar reports online, and to this point, Microsoft hasn't alluded to any issues. Surely others are using domains to assign their MDO policies. Has anyone run into this and, if so, have you found some sort of resolution for it? Thanks, RobinSolvedrobinhaileyFeb 09, 2024Copper Contributor2.6KViews0likes10Comments
Resources
Tags
- microsoft 365 defender103 Topics
- phishing44 Topics
- configuration34 Topics
- detection25 Topics
- investigation17 Topics
- prevention13 Topics
- threat intelligence13 Topics
- remediation11 Topics
- hunting10 Topics
- Awareness9 Topics