Recent Discussions
Preset policies have suddenly started notifying users of quarantined messages
Hi all. We have been using preset policies (standard and strict) for some time and were happy with the fact that they don't notify users of messages which have been quarantined (nor is it possible to change the notification policy). However, quarantine notifications suddenly started turning up in users' mailboxes at the weekend. Have Microsoft changed something or released an unplanned change? Hoping you can help clarify the situation.

Enable Quarantine Notifications for Strict protection (Strict Preset Security Policy)
How can I enable quarantine notifications for the preset strict protection policies? There is no way to assign a quarantine policy to strict protection policies.

Phishing attack simulator incorrectly emails people the message, "Because you were recently phished"
Hi folks,

* I am evaluating Microsoft Phishing Attack Simulator with a 4 user pilot
* None of the 4 users were phished in any of the 3 simulations that I actioned
* At the end of each simulation, users are correctly being emailed a message with a link to phishing training
* However, the email with the link to the phishing training contains this wording: "Because you were recently phished, we require you to take training(s) to recognize phishing attacks in future."
* The wording I quote is troublesome since it:
  a) Is inaccurate; none of the users were phished
  b) Presents me (and potentially my colleagues in IT Support) negatively, since it makes us look like we aren't in control of the simulation technology (i.e. it looks like we don't understand the reality of how each user responded in the simulations)
  c) Risks alienating us from our users

My questions thus are:
1) Is anyone else impacted by this issue?
2) Is there a way for the wording I refer to be constructively edited?

Any help is always appreciated. Regards, Steve

add to whitelist or safe senders from quarantine
Hello all, I see it's possible to block a sender from within the quarantine. Is it also possible to whitelist or add a sender to the "safe senders" list from within the quarantine?

Defender bulk unsanction
I want to unsanction all Generative AI apps in the cloud app catalogue with a risk score of 7 or below. But this is 970 apps, and I don't feel like doing this one page of 20 at a time; I'll be there all day. Can someone suggest a PowerShell script to set anything in that category with a risk score of 0-7 as unsanctioned?

All the mail from one mail address arrives in quarantine with an SCL = 5
All the emails sent to us by our customer (email address removed for privacy reasons) arrive in our quarantine with an SCL score of 5. However, the email address passes the DMARC tests perfectly (test carried out with https://www.dmarctester.com/). The domain is not blacklisted, and emails from his colleagues (email address removed for privacy reasons) and (email address removed for privacy reasons) arrive with no problem. The content of the email shouldn't be the problem either, as an empty email is also quarantined. What additional diagnostic work can I do to understand why the SCL for each of his emails scores 5?

Defender for Office Policy Assignment by Domain
Hello - Sorry, this is a little bit long... We've been testing MDO and have run into an issue that seems like a 'bug' but I've been unable to find any other reports of it online. I have a ticket open with MS but that's moving along very slowly as they're insistent on re-doing all the troubleshooting I've already done. But, I digress...

The problem we've found is in the MDO policy assignment - confirmed in anti-phish and anti-malware. If I assign the policy to a user and/or group/DL, the policy works as expected. However, if I use the domain assignment (as we were hoping to do for the full deployment), the assigned policy is being ignored and the message(s) is being passed on to the Default policy.

For example, I have a custom anti-malware policy that's my priority 0 policy. In it, I have assigned a specific group with some test accounts. I also assigned a domain (one of my owned/registered tenant domains). I also added a specific file extension to the disallowed list so that I could test. Then, I send a test email, with an attachment with that extension, to an account that's a member of the assigned group as well as another account that's a member of the assigned domain. The expectation is that both of those messages should be blocked. However, that's not the case. The message to the account that's part of the assigned group is blocked (as expected) but the message to the account that's part of the assigned domain is successfully delivered (attachment and all). It doesn't seem to matter which accounts, groups or domains I use; I can readily repeat the issue every time.

As an additional test, I added a random extension to the block list of the Default malware policy - one that's not included in my custom policy - and sent test emails again with an attachment of that file type. The expectation being that all accounts should receive the message. But, nope, that's not what happened. The account(s) assigned to the custom policy by group/account received the message (as expected) and the one assigned by domain was blocked. To me, that's pretty clear evidence that there's some kind of issue with domain assignment in the policies. That particular message basically bypassed the policy to which it was assigned and was handled by the Default policy.

As mentioned, I haven't found any other similar reports online, and to this point, Microsoft hasn't alluded to any issues. Surely others are using domains to assign their MDO policies. Has anyone run into this and, if so, have you found some sort of resolution for it? Thanks, Robin

My emails are being quarantined by Office 365 and I need help
I am having a really bad issue. We use Google Business for email and the Sendgrid SMTP service via our ERP Odoo to send transactional emails. But since last week all of the customers and suppliers that use Office 365 are not seeing our emails. They are being quarantined for suspicion of phishing. We have been sending the same emails since 2021, so I don't understand how all of a sudden our emails are being blocked. If I send an email with any attachment, including my logo in my signature, the email gets blocked, but if I send the email with nothing in it, it goes through... Let me know if anyone has an idea because I am losing my mind; I do not know what to do.

Report Message Add-in going away?
Logging on to the Threat Policy page today, I was presented with the below message. "The User reported message settings page will start moving for some tenants in late-March 2022 from the Policies & rules section to the Settings section of the Microsoft 365 Defender portal. Also to simplify reporting messages in your organization, we'll be integrating the report feature directly into Outlook's default Junk and Phishing buttons starting. You will no longer need the Report Message add-in. All tenants will see the new change by end of April 2022." Does this mean the Report Message add-in is going away? How will users report phishing? Will the Report Message add-in quit working? I can't find any additional information on this topic, so I would appreciate any info. Thanks.

See which email triggers "User requested to release a quarantined message"
Hi, I'm trying to automate the response to incidents regarding "User requested to release a quarantined message". The problem with these incidents is that they don't list which specific email the user requested a release for, nor do I find it in any logs. I know the email is listed under Email & collaboration --> Review --> Quarantine, but I want to retrieve the information through KQL queries. Does anyone know if this is possible?

How to classify E-Mails with *.html or *.htm attachments as spam?
A tenant is currently receiving an enormous amount of phishing emails with *.html or *.htm attachments. 99% of the e-mails which contain such an attachment are phishing e-mails. What's the best approach to filter out those e-mails? They are using the standard protection threat policies.

Best practice advice
Hello all, I am fairly new to Defender for O365. I am the cloud admin for a small company, roughly 1000 accounts. We are moving from Mimecast to Defender for O365. I read the article regarding preset security policies and thought this would be a good place to start, so I enabled the standard policy for all the domains we host. Considering you cannot edit a preset policy, I had to edit the default policy to fill in the gaps to account for things like safe senders, blocked senders, safe domains and blocked domains. Is this the correct strategy to use? From my understanding the preset security policy will take precedence. How does the precedence work? If I create safe senders in the default anti-spam policy, will these settings take effect even though the safe senders are not mentioned in the Standard preset security policy? https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide

Limit access to Quarantine (and only quarantine)
The end-user quarantine is reachable at https://security.microsoft.com/quarantine. Based on our security policies, we have limited access using Conditional Access and the cloud app "Microsoft Admin Portals." Consequently, no user can directly access the quarantine. We have made the necessary exceptions to ensure the quarantine functions properly. However, there is an issue: users without proper permissions can still navigate extensively within the portal. For example: on the left-side navigation, they can click on "Start." Within the "Next steps" section, there is a link to "Advanced Hunting." Although they cannot perform any actions there, the link remains accessible. Additionally, under "Additional Resources," users can click on any admin center, albeit with limited functionality. Is there anyone with an idea on how to restrict users to the quarantine area only, preventing access to other sections of the portal?

ZAP Failed to move the messages
Hi Community, for two weeks we have been getting a lot of "Messages containing malicious entity not removed after delivery" alerts, and I could not understand the reason. In the Email Entity it says "ZAP failed to move the message". As one sample email from the alert: the email was classified as Spam and sent to the Junk folder. But after 12 minutes it was classified as Phish / Normal, yet it could not be moved to quarantine (it should be, because we set the anti-spam policy with this action). Is there anything related to our policies, or is it a problem at the Microsoft backend? How can I find the reason and solution for that? Thanks

Blocking International Countries
We have a conditional access policy that logs off accounts after 5 failed attempts. We also have an international policy blocking all international countries and IPs. Unfortunately, these attempts on our accounts happen before our international blocks. I have spent way too much time with Microsoft support to get nowhere. Does anyone know how to just block even the attempt of logging on from international countries?

Outlook report add-in
Hello, in an effort to move away from users using "safe senders" in Outlook, we are considering using the report add-in. However, when I review the permissions the add-in has, it's a bit concerning. I'm reluctant to push out this add-in because the add-in has permissions to read and change email in a user's mailbox. Seems excessive.

Trojan:HTML/Phish.JS9
Had 67 detections of Trojan:HTML/Phish.JS9 over 2 days from C:\Users\***\AppData\Local\Microsoft\Windows\INetCache\IE\6JGSCFQJ\authorize[1].htm. Have tried to "collect file" but am constantly being advised that it can take up to 3 days. I have used Hunting to try to find where the file originated, but there is nothing in email or web traffic that links to it. My instinct is that this is a false positive. How do I speed up the process of collection or actually track where the file originated?

Secure Score and preset security policies
Dear community members, I have a 365 tenant with Business Standard and Defender for Office P1 licenses. At the moment, Secure Score for this tenant is ~50%, even though the Standard Protection preset policy is applied to all recipients. If I also manually create all the different policies, Secure Score jumps to ~80%; however, to my understanding this is purely cosmetic as these policies never get applied - the preset policy always takes precedence. Am I missing anything here, or does Secure Score ignore preset policies? EDIT: One more example of this issue is that in Recommended Actions there are recommendations to enable Safe Links and Safe Attachments, which are already enabled by Standard Protection.
Recent Blogs
- We are pleased to announce that Microsoft Defender for Office 365 now features large language model (LLM)-powered responses within the submission workflow. This update provides security and Exchange ... (Jul 01, 2025)