Latest Discussions
Help me understand why this email was quarantined?
I'm pretty familiar with Defender's Threat Policies. I've probably set them up on 40 tenants. I know the Hosted Content Filter Policy is the backend for the Anti Spam Inbound policy. I know that, confusingly, the AntiSpam Inbound Policies contain the actions for High Confidence/Normal Confidence Phishing - NOT the AntiPhishing policies (which seem more geared towards impersonation). What I DON'T know is why this was quarantined - and whether the anti-phish policy had anything to do with it. The Policy Type linked is the IB Anti Spam. This tenant is one of the few we have set at a BCL tolerance level of 7 - which shows me that 0 messages in the last 60 days would've been caught for this reason (which would include the email in question). So it was either the SCL or some 'anti phish' component of the anti-spam policy. I have none of the custom 'increase spam score' markers here. I was sure there was an 'evidence' tab within email entity, but I guess not - the only info I have about the detection (now released) is the following: This particular sender does not send reliably over 45 days, but also has been a business partner of this tenant for decades. So rather than the Tenant Allow/Block list, which allows a max of 45 days, I want to add it to the offending policy, which SEEMS like it would be the inbound anti-spam - except that it also says it's phishing everywhere. I don't want to bypass both the phishing and spam policies unless I have to - but I don't really know why this got blocked. It's an external address that had sent an email days ago that got through without issue... This one has an attached pdf, but so do they all. Thoughts?
Solved | underQualifried | Jun 27, 2025 | Brass Contributor | 271 Views | 0 likes | 4 Comments

Configuring 'Quarantine release request' alert via PowerShell?
I'm working on a big fat script to configure the Threat policies in compliance with Secure Score. I'd like to configure a quarantine policy allowing the user to request release (done), that emails the request to email address removed for privacy reasons (problem). Most of this I've done via ExchangeOnline, but the Alerts policy that notifies us when a user requests release - that is apparently managed via the ippsSession components. I've tried to:

1) Get the system alert policy named "User requested to release a quarantined email", pull its Identity, and set "NotifyUser" to my desired email using its Identity. For reasons I don't understand, it seems to truncate the Identity param when I try to set it, so it can't find it.

```powershell
PS C:\Users\woof\Documents> $alertPolicy.Identity
FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User requested to release a quarantined message
PS C:\Users\woof\Documents> Set-ProtectionAlert -Identity $alertPolicy.Identity -NotifyUser "email address removed for privacy reasons"
Write-ErrorMessage : There is no rule matching identity 'f00ed340-8f84-4eb4-83f3-0075a22b262e\User requested to release a quarantined message'.
At C:\Users\woof\AppData\Local\Temp\tmpEXO_jw5lvpdc.vtl\tmpEXO_jw5lvpdc.vtl.psm1:1189 char:13
+ Write-ErrorMessage $ErrorObject
```

2) Create a new alert policy with

```powershell
PS C:\Users\woof\Documents> New-ProtectionAlert -Name "test2" -NotifyUser "email address removed for privacy reasons" -Operation "QuarantineRequestReleaseMessage" -NotificationEnabled $true -Severity "Low" -Disabled $false -ThreatType "Activity"
```

... This returns that I'm not allowed to make "advanced alert policies" with my P2 license - only "single event alerts", and that I'd need an Enterprise license to do this?
Considering I can do both of these things without issue on the web portal, and there's really nothing 'advanced' about wanting to add an alert recipient, I have to imagine I'm approaching this wrong. I just want to set these alerts to go to a different email.
Solved | underQualifried | Feb 28, 2025 | Brass Contributor | 260 Views | 0 likes | 4 Comments

IP whitelist not working - Phishing Simulation setup
I am trying to set up a 3rd party (TrendMicro) Phishing Simulation for Exchange Online. The very first step is to add the source IP into the whitelist. But whatever whitelists I have added the source IPs to, it won't stop the server picking up the test messages as spam.
1. I added an Exchange Rule for the group of IPs, and changed the priority to 0:
2. In Security, I set up an Advanced Delivery rule - Phishing Simulation exemption list
3. I also added an anti-spam policy - connection filter policy to whitelist the range of IPs.
Unfortunately I still have these test messages blocked for high spam SCL; even though the Exchange Transport rule in step 1 above did apply, the message is still picked up by the system as SCL 9 and Quarantined. Any help will be appreciated very much.
Solved | james3149 | Oct 17, 2024 | Copper Contributor | 812 Views | 0 likes | 3 Comments

Clarification on Microsoft Teams Encryption: E2EE vs. Default Encryption
I’m seeking some clarity on the differences between the end-to-end encryption (E2EE) offered with the Teams Premium license and the default encryption for data at rest and in transit within Microsoft Teams. From what I understand, Teams data is already encrypted both in transit and at rest by default. However, I’m unsure how the E2EE provided under the Teams Premium license differs from this standard encryption. Could someone explain in simple terms the specific differences between these two encryption methods? I’m particularly interested in understanding how I can effectively communicate these differences to my clients, who may not be very technical but need to grasp the security advantages of the Premium license.
Solved | Marnik | Aug 22, 2024 | Brass Contributor | 3K Views | 1 like | 1 Comment

'Malware not zapped because ZAP is disabled' severity inconsistency
The alert policy 'Malware not zapped because ZAP is disabled' is set to medium severity in the default alert policies for MDO, while it's documented as informational severity in the official MSFT docs: https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide#threat-management-alert-policies Is this a documentation inconsistency, or am I overlooking something?
Solved | Marnik | Aug 08, 2024 | Brass Contributor | 683 Views | 0 likes | 1 Comment

MDO Attack Simulation and false "positives."
In our last 3 attack simulations (MDO) we've sent out to employees, we've had increasingly more and more employees who are saying they didn't open the attachment and/or didn't click on the link. (They received the training email and asked "why" they received it...) Is there a way to prove/disprove they did or did not? I've checked the settings on our simulations and they have been configured correctly. I don't want to point "blame" on any of our "compromised" users as now I'm uncertain as to whether or not they were truly compromised. Is there something I'm missing here? Thanks everyone
Solved | ItsUnknown | Jul 18, 2024 | Copper Contributor | 664 Views | 0 likes | 3 Comments

Display Name Spoofing very often recently - how to prevent it
Hi experts, recently I have noticed an increase in emails that try to impersonate a sender (Display Name Spoofing). The Display name shows a real user from our organization, however the sender email/domain is totally different. I thought I had the protection configured properly but it looks like that is not the case :/. I have an anti-phish policy with Impersonation as below:
- A few critical users listed in "Enable users to protect". I was going to enable it for all now, but there is no option like that, and it looks like I need to manually add all internal users.
- Enable domains to protect / Include domains I own (does this include all domains I have registered in M365? See below). I would expect this will prevent these emails.
- Include custom domains - I have nothing here, but I am not sure now whether my few domains created in M365, including the default domain, need to be added here? As from what I know, the custom domains are the domains I create in M365.
I would like to check what is the proper way to configure protection against these email attacks. We use M365 E3 + M365 E5 Security
Solved | sumo83 | Jun 24, 2024 | Iron Contributor | 1.3K Views | 0 likes | 2 Comments

How to change the language for an end user eLearning module in attack simulation e-learning
Hello, I have started a campaign and some users would like to have the content delivered in their preferred language, which might be different from the browser or the M365 account language settings. How is it possible for an end user to select another language for an e-learning module? I remember that there was a drop down menu but it seems to no longer appear. The campaign is based on the standard e-learning from the library that supports more than 20 languages.
Solved | _Salim_ | Jun 13, 2024 | Copper Contributor | 1.1K Views | 0 likes | 1 Comment

Safe Links API
Hi all, I'm confused about the Safe Links feature which is called "Do not rewrite URLs, do checks via SafeLinks API only". There are two descriptions which are contradictory to me.
1st: Do not rewrite URLs, do checks via SafeLinks API only: Select this option to prevent URL wrapping and skip reputation check during mail flow. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it. (https://learn.microsoft.com/en-us/defender-office-365/safe-links-policies-configure)
2nd: Do not rewrite URLs, do checks via SafeLinks API only: If this setting is selected (on), no URL wrapping takes place but the URLs are scanned prior to message delivery. In supported versions of Outlook (Windows, Mac, and Outlook on the web), Safe Links is called exclusively via APIs at the time of URL click. (https://learn.microsoft.com/en-us/defender-office-365/safe-links-about)
So what exactly happens if I enable the API check only? Are links scanned prior to delivery or not? Thanks
Solved | RobertR2 | Jun 11, 2024 | Copper Contributor | 1.3K Views | 0 likes | 2 Comments

2024 Sender Requirements - How are you handling valid e-mails sent to junk?
With the new Sender Requirements rolled out beginning in February 2024, how are you handling legitimate e-mails getting "Filtered As Junk" in O365? I am seeing very large corporations with e-mails landing in our junk e-mail now, but they are one offs. When checking the e-mail headers using MX Toolbox, I'm seeing that usually somewhere in the hops before they hit our servers, they are on a blacklist (or the X-CustomSpam header is coming back as "SPF Record Fail"). And O365 seems to be sending those to spam. In our case, I don't think it's great to continually add domains to the whitelist, as it's really up to the sender to ensure they have a good "reputation", aren't on blacklists, and are following the sender requirements having full DMARC, DKIM, and SPF compliance. 365 admins, are you seeing more e-mails quarantined or sent to spam and how are you dealing with it?
Solved | rmoat | Mar 21, 2024 | Brass Contributor | 2.3K Views | 0 likes | 3 Comments