Recent Discussions
email quarantine and reason "high confidence phish"
Hi, I started testing a phishing email campaign from an external vendor, KnowBe4. The emails keep going to quarantine with reason "high confidence phish". What is the best way to fix this? I tried excluding the URL from Safe Links and added their sender IPs to the O365 Tenant allow/block list. Thank you in advance.
90K Views | 0 likes | 4 Comments

add to whitelist or safe senders from quarantine
Hello all, I see it's possible to block a sender from within the quarantine. Is it also possible to whitelist or add a sender to the "safe senders" list from within the quarantine?
Solved | 73K Views | 1 like | 18 Comments

Attack Simulation Phishing Tool - IP whitelist
I'm trying to find IPs or domains to whitelist when using the Attack Simulation Phishing Tool. We currently use Proofpoint but are planning to move into O365/Exchange Online. Would a whitelist for MS's own simulation tool be needed once we move away from Proofpoint?
53K Views | 0 likes | 4 Comments

Attack Simulation goes to Junk Folder
I tried a test simulation that only went to me. However, it went to my junk folder. I didn't see anything in the Attack Simulation documentation about whitelisting and assumed that, since it is all going through Microsoft products, it would just work. Are there other steps I need to have the simulations go to users' mailboxes?
50K Views | 0 likes | 4 Comments

Attack Simulator emails bypass mail flow rules
Is there any documentation for Attack Simulator emails bypassing mail flow rules? We have a mail flow rule that marks and appends a disclaimer to all external emails coming in. When using the Attack Simulator, emails are bypassed.
Solved | 48K Views | 1 like | 3 Comments

Office 365 Defender Phishing Simulation - No Templates
A couple of months ago we upgraded from the E3 plan to the E5 plan. My understanding is the E5 Plan gives us full access to Office 365 Defender Phishing Simulation & Training. Using a global admin account, if I try to set up a simple policy for a Credential Simulation Attack in my org there is not a single pre-configured template displayed to use for this :-(. Basically no templates anywhere, only training videos. Does anyone know what causes no templates to show in an O365 tenant? When I work through the MS training videos they show plenty of example templates to choose from without having to resort to designing your own. There is a thread on a Sophos forum from about a year ago suggesting Microsoft may have taken all the templates away due to some copyright issue. Some others have suggested they couldn't see them due to a setup issue on their tenant or it was a problem after they migrated from a 90 trial. Grateful if anyone can shed any light on this. Thanks in advance
47K Views | 0 likes | 0 Comments

My emails are being quarantined by Office 365 and I need help
I am having a really bad issue. We use Google Business for email and Sendgrid SMTP service via our ERP Odoo to send transactional emails. But since last week all of the customers and suppliers that use Office 365 are not seeing our emails. They are being quarantined for suspicion of phishing. We have been sending the same emails since 2021 so I don't understand how all of a sudden our emails are being blocked. If I send an email with any attachment, including my logo in my signature, the email gets blocked, but if I send the email with nothing in it, it goes through... Let me know if anyone has an idea because I am losing my mind, I do not know what to do.
Solved | 23K Views | 0 likes | 10 Comments

Microsoft Defender Licensing Requirements
Hello, I have always been under the impression that when licensing Microsoft Defender (previously ATP) Plan 1 & Plan 2 you needed a license for each user. (You could technically just purchase one license and get all the features, but MS advised you need a license per user.) Today MS support explained that the Defender licenses are tenant wide (i.e. you only need one license to get Defender for your entire tenant). Can anyone confirm their understanding of this? Here is a link to the license terms, which in my mind seems to support my original understanding: https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms Thanks
Solved | 21K Views | 0 likes | 2 Comments

Defender Licensing shared mailboxes
Hi, to add Defender to a shared mailbox, is only the Defender license required, or the Defender + an Exchange P1 license? In the past I'm quite sure the P1 was required; today it seems not, but I cannot find explicit documentation. Thanks
Solved | 21K Views | 0 likes | 2 Comments

DMARC, DKIM, SPF none but Composite authentication pass
Hi all, I have an email where DMARC, DKIM, SPF are marked as None, but Composite authentication is still marked as passed. How can this be, since the info for composite authentication says: "Combines multiple types of authentication such as SPF, DKIM, DMARC, or any other part of the message to determine whether or not the message is authenticated." If all three are none, what other part of the message lets the message pass composite authentication?
Solved | 15K Views | 0 likes | 4 Comments

User accessed link in ZAP-quarantined email <-> Safe Links reports
Currently I am working on an alert telling me a user accessed a link in a ZAP-quarantined email. If I check the Safe Links report and filter it for the domain in the link I get zero results. Can anyone enlighten me how these features work together? I assumed that Safe Links keeps a list of clicks and when a mail is ZAPped that was successfully accessed, Defender throws the above alert. But shouldn't I be able to find the click in the Safe Links report then? Thanks
Solved | 14K Views | 0 likes | 3 Comments

Enable Quarantine Notifications for Strict protection (Strict Preset Security Policy)
How can I enable quarantine notifications for the preset strict protection policies? There is no way to assign a quarantine policy to strict protection policies.
Solved | 11K Views | 0 likes | 19 Comments

Advanced Delivery for third party phishing attack scenario
Hello MSFT Team, Normally every quarter we perform the third party phishing attack simulation in the organization to educate the end users, but this time all the phishing testing emails are getting quarantined and marked as high phishing. After searching on Google we found the link below to use the O365 advanced delivery policy for third party phishing. In the advanced delivery policy we have added:
- Domain: added sending domain
- Sending IP: added sending IP
- Simulation URLs to allow: added simulation URLs as well
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-worldwide&source=docs
We followed the above MSFT blog and added the rule successfully, but the testing phishing emails are still getting quarantined and marked as high phish. One thing that has been observed is that the third party phishing simulator is hosted on amazonses.com and the sending domain is different, but we have added only the sending domain. Do I need to add the amazonses.com domain as well in the advanced delivery policy? Please can someone shed some light on it, as I have searched a lot of blogs on advanced delivery policy but found nothing. Any help really appreciated. Regards, Anand Sunka
11K Views | 0 likes | 6 Comments

Kali ISO download shows as current threat on Virus and Threat protection list
Hi guys, I recently downloaded the KALI Linux ISO. Every time I go to Windows Security it shows 'Threats found...'. Further inspection shows 'Threat found - action needed' and I cannot remove it with Defender.
11K Views | 1 like | 2 Comments

Preset policies have suddenly started notifying users of quarantined messages
Hi all. We have been using preset policies (standard and strict) for some time and were happy with the fact that they don't notify users of messages which have been quarantined (and nor is it possible to change the notification policy). However, quarantine notifications suddenly started turning up in users' mailboxes at the weekend. Have Microsoft changed something or released an unplanned change? Hoping you can help clarify the situation.
Solved | 10K Views | 0 likes | 24 Comments

Safe attachments and encrypted or password protected attachments
I'm looking for information on how Safe Attachments in Defender for Office 365 deals with attachments that are password protected or encrypted. I can't find anything documented by Microsoft on this scenario. Does anyone have this information at all?
9.9K Views | 0 likes | 3 Comments

Blocking International Countries
We have a conditional access policy that logs off accounts after 5 failed attempts. We also have an international policy blocking all international countries and IPs. Unfortunately, these attempts on our accounts happen before our international blocks. I have spent way too much time with Msoft support to get nowhere. Does anyone know how to just block even the attempt of logging on from international countries?
9.9K Views | 0 likes | 7 Comments

Moving mx records to O365
Hello, we are a medium-sized company, around 7000 mailboxes. We own several domains that we accept email for. Currently all MX records point to IronPorts. The emails go through the messaging hygiene at the IronPorts and then the message is delivered to Exchange Online. We want to move all MX records to O365. What I would like to understand is what the best strategy is to do this. Should I move a domain that doesn't receive a high volume of mail traffic first? I think doing this will allow for fine tuning of the O365 filtering policies, and give us some indication regarding how successful the move was and what the success rate will be for future domain moves. Also, how should I construct my anti-spam and anti-malware policies? Should I start with using the "Preset Security Policies"? My concern with using the preset policies is you can't edit them. We will have a lot of safe and blocked senders that we will need to export from the IronPorts and import into O365. If I can't edit preset policies, then what is my best course of action? Will I need to create custom policies? I know these are a lot of questions. I'm trying to understand how I should construct the roadmap or process for moving domains to O365. Thank you
Solved | 9.1K Views | 0 likes | 6 Comments

Recent Blogs
- We are pleased to announce that Microsoft Defender for Office 365 now features large language model (LLM)-powered responses within the submission workflow. This update provides security and Exchange ...
  Jul 01, 2025 | 991 Views | 0 likes | 0 Comments