Recent Discussions
Microsoft Defender for Office (MDO) - Customize Results Email for User Reported Messages
Hi all, I would like to customize the results email from MDO to the users. From the documentation, I can see the option to modify "Email body results text" and "Email footer text": Unfortunately, the documentation doesn't specify anything beyond that. Therefore, I have the following questions:
- What exactly is the Email "body" and "footer" in this template? (Compare to screenshot below)
- Is the title/header part of the "body"?
- What type of text form is available? (Plain/HTML/Markdown etc.)
- Does anyone have experience with customizing these result emails?
Feedback would be appreciated, thanks!
35 Views, 0 likes, 0 Comments
Searching for Activities in Audit Log returns repeated results - appears broken
I'm in Defender, using the Audit Log tool, trying to find out who changed the Anti-Phishing policy on the 23rd of January. Selecting the 'Activities - friendly names' drop-down, and inputting 'policy' returns
- A number of different categories + activities for stuff unrelated to Defender (ie, Purview, CoPilot in Outlook, SharePoint AI use, the 365 AC, 'Places Directory' - whatever that is) but nothing related to Defender (the tool I'm opening it within)...
- The same category - M365 Apps Admin Services cloud policy activities - about 30 times, with every activity it includes. Probably 70% of the results are just this same thing over and over.
I looked into it - because I've never heard of this, yet it SOUNDS like something related to what I do. First off, on the [audit log activities](https://learn.microsoft.com/en-us/purview/audit-log-activities#microsoft-365-apps-admin-services-cloud-policy-activities) KB, this category is listed once, with 4 activities. There's about 13 that show up in each duplicated category in the search, so that's unhelpful. It links to https://learn.microsoft.com/en-us/microsoft-365-apps/admin-center/overview-cloud-policy which seems to imply that 'Cloud Policy service' is not an actual thing - it's just a marketing/conceptual term for a functionality of InTune. Why it's not in the InTune KB - I do not know - I've made some suggestions to the KB's. The first KB I mentioned does not list any activities for Defender's policies - there's stuff for Endpoint (multiple categories), XDR (multiple categories)... So I have 2 questions.
1) Is anyone able to advise how to get the data I want? At this point, I'm not even sure this audit log would PULL any relevant data, based on the lack of activities - so I don't really want to just blanket search for that date, and sift through stuff.
2) Does anyone know how to use this tool effectively? Know of a KB that is good and reliable and helpful?
Thanks
58 Views, 0 likes, 0 Comments
All Excel Macro Files Suddenly Flagged as Malware (X97M/Slacker.gen!A) Across M365 Starting April 16
Starting around 8 PM GMT+8 on April 16, 2025, macro-enabled Excel files with extensions such as .xlsm, .xlsb, or .xls began being automatically flagged as malware, specifically identified as X97M/Slacker.gen!A—when opened or edited in SharePoint, OneDrive, or Teams. Before this, the same files were not flagged as malicious, even when opened or edited, and this behavior had remained consistent for several months. This issue affects our entire tenant, with over 800 files being flagged as malware under the name X97M/Slacker.gen!A. These files are located across various locations and have been modified by different users. We are a Cloud-only tenant, and we have not done any configuration changes in Threat Policies for the past few months.
1.3K Views, 0 likes, 0 Comments
Enhanced Filtering for (CSE) Connectors
One of my customers is using the Cisco Secure Email as their default gateway with a connector into M365. They would like to enable the enhanced filtering on the connector to improve their anti spam/malware protection. Enhanced Filtering on the “Inbound from Cisco Secure Email” connector: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors#use-the-microsoft-defender-portal-to-configure-enhanced-filtering-for-connectors-on-an-inbound-connector Do you know if there are any caveats adding a few mailboxes to the policy to test the behavior before they cut over the entire enterprise?
54 Views, 0 likes, 0 Comments
Setting up Admin Quarantine
Hi, We are looking to set up admin quarantine as per the instructions in here: https://learn.microsoft.com/en-us/defender-cloud-apps/use-case-admin-quarantine We have followed this step by setting up a location for admin quarantine: However, when editing the 'Malware Detection' rule in Defender we do not get an option for 'Put in admin quarantine', only 'Put in user quarantine': Does anyone have any idea how to resolve this? Thank you.
201 Views, 1 like, 0 Comments
XM/Laroux.CF
Hello Expert, Need your assistance with the XM/Laroux.CF issue. Mails are being quarantined due to the XM/Laroux.CF and we have to manually release the mails. Can we make any changes in our O365 Defender anti-malware policy so mails containing XM/Laroux.CF are not quarantined? Thanks in advance
58 Views, 0 likes, 0 Comments
What steps can I take, given Microsoft Defender's report?
In September I posted a question in this forum, I'm not sure what to do with the data breaches Microsoft Defender reports. I've proceeded to use the "Take Action" button. After clicking on that button Microsoft Defender took me to its report on what it found. It listed a website I've never heard of before. I use a password manager, so I double checked there. I don't have an account on that website. The information it has there is about half correct, a quarter of the information is wrong, and the rest is out of date by 10+ years. There were a few other websites that it reported on. Some I can manage, as Microsoft Defender gave me enough information about them. Others are not helpful, as Defender just says, "From an unknown source", then the rest of the information isn't helpful at all. Anyway, my concern is that this information is out there especially with the first reported incident, and I don't see how I can stop this spurious website from displaying it. And I certainly have no idea how it got it in the first place. So, what can I do about some website that got this information from somewhere and displays it for whoever to see it?
285 Views, 0 likes, 0 Comments
- 181 Views, 0 likes, 0 Comments
Microsoft Defender for Office 365 Implementation
Hello. I would like to discuss and get few information as mentioned below,
1) Which plan of Defender for Office 365 is included in Microsoft 365 Business Basics?
2) Can I buy only Microsoft Defender for Office 365 licenses? Which plan will be included in that license?
3) If only Defender for Office 365 license is bought then will this license only provide protection to the user that has the license assigned or the whole organization?
4) Are there any steps that I can follow to configure/ implement Microsoft Defender for Office 365?
5) What are the features of Microsoft Defender for Office 365 (plan 1 and Plan 2)?
Thank you for your attention.
324 Views, 0 likes, 0 Comments
ZAP/Post-delivery reporting for Teams, Sharepoint & OneDrive
It seems that the email & collaboration report for 'post-delivery activities' only covers ZAP activity for emails. While in other E&C reports, a pivot by workload is supported, this doesn't seem to be the case. Are there ZAP/Post-delivery reports available for Teams, SPO & ODB?
280 Views, 2 likes, 0 Comments
Access denied, sending domain does not pass DMARC verification and has a DMARC policy of reject
This is super annoying. I'm not using Microsoft "defender". I'm on the receiving end of its stick. I noticed that when I start sending emails back and forth with some business that uses Microsoft 365 Defender to handle their emails, it works for a few initial emails. Maybe about 5. But then all of a sudden my messages start bouncing back with the following message: "Diagnostic-Code: smtp;550 5.7.509 Access denied, sending domain ____.com does not pass DMARC verification and has a DMARC policy of reject." I tested my email for passing DMARC and found no issues with multiple services that do those DMARC tests. So the problem is clearly with the "defender". I also noticed that if I resend the message the next day, it goes through. But only if I don't send too many emails - which is generally about 5. Does anyone have any idea when will they fix it?
2K Views, 0 likes, 0 Comments
Error trying to create a DKIM key for my custom domain
I'm trying to create a DKIM key for my custom domain. I'm going to https://security.microsoft.com/dkimv2. When I click "Create DKIM Keys" I get the following error: |Microsoft.Exchange.Management.Tasks.ValidationException|Error in retrieving encrypted key. Diagnostic information:{Version:17.01.2050.000,Environment:EUSPROD,DeploymentId:12712fb5-4d56-4278-a07a-c5fe4e727652,InstanceId:WebRole_IN_77,SID:7459fef8-f40f-479e-9eab-39db22358c82,CID:c643511b-7dc8-421e-9ae5-4d8908b5e239} Time:2024-07-29T19:46:02.9377098Z
731 Views, 0 likes, 0 Comments
looking for a test protocol defender for o365
Hi together, I am looking for a test protocol defender for o365 to generate alerts and emails. The idea is to generate alerts and/or mails from Defender for EOP/O365. We have only the license Defender for O365 Plan 1 in use. We know these options:
https://learn.microsoft.com/en-us/defender-office-365/anti-spam-policies-configure#send-a-gtube-message-to-test-your-spam-policy-settings
https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure#use-the-eicartxt-file-to-verify-your-anti-malware-policy-settings
https://learn.microsoft.com/en-us/defender-office-365/safe-links-policies-configure#how-do-you-know-these-procedures-worked
https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-policies-configure#how-do-you-know-these-procedures-worked
https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-simulations
But these options do not work very well for us or depend on a Defender for O365 Plan 2 license. Does anyone have a good idea or know an option or a way I did not find yet? Thanks for any feedback and regards
356 Views, 0 likes, 0 Comments
- 323 Views, 0 likes, 0 Comments
MDO Attack Simulation and false "positives."
In our last 3 attack simulations (MDO) we've sent out to employees, we've had increasingly more and more employees who are saying they didn't open the attachment and/or didn't click on the link. (They received the training email and asked "why" they received it.......) Is there a way to prove/disprove they did or did not? I've checked the settings on our simulations and they have been configured correctly. I don't want to point "blame" on any of our "compromised" users as now I'm uncertain as to whether or not they were truly compromised. Is there something I'm missing here? Thanks everyone
437 Views, 0 likes, 0 Comments
Archive Email Search across all emails going back 3 years or more
Hi, In Mimecast I am able to perform an archive search on emails very quickly (less than 10 seconds) and easily being able to go back 5-10 years (we have a retention of 10yrs for Mimecast) How can I do this with the 365 tooling that I have within the E5 license scope. In Explorer in the Defender portal, I can only go back 30 days, so want to know how I would go about doing this for say 3-5yrs using Microsoft tools. Example, I want to look for any emails from joe.bloggs@gmail sent to any of our users going back 3 or 5yrs without having to do a full eDiscovery each time which is extremely time consuming. Do Microsoft have any plans to have a similar way to easily search through all corporate email quickly and efficiently as it really seems like a no-brainer product that Microsoft could give to their users, and would mean they wouldn't have to rely on third-party tooling to do this in a field where Microsoft really should be stronger. I asked the same question the other day on https://old.reddit.com/r/Office365/comments/1dyg3zd/archive_email_search_across_all_emails_going_back/ as I was hoping that I was missing something, but it seems that it is a feature that is lacking at the moment. Thought I would also raise the question here as well in the hope that someone has a suggestion of what we could use that may work and would be faster than a full blown eDiscovery, or maybe even get the attention of someone at MS that has the ability to create such a needed feature.
440 Views, 0 likes, 0 Comments
Painful setting up notification in Alert Policy
I have been trying to setup default system alerts in security portal for email, and adding a simple email has been very painful. Most rules don't get updated on 1st attempt, some after 10-15 attempts and some never. I am doing this in security portal, and not able to update these to add our email to these 2
302 Views, 0 likes, 0 Comments
Stop internal emails from being reported to sec ops mailbox
Our users are paranoid about phishing at this point and many report emails from other employees. Because of sensitivity of some of our information, it can't be reported to Microsoft. So, we have to have an admin wade through all the user reported messages and weed out the ones that don't have [External] in the subject. This wastes a lot of time for our admins. I even tried a mail flow rule to delete anything that didn't have [External] in the subject from going to the submission mailbox and it did delete the message silently, but it still shows up in the user reported messages portal and we have to sort through it. Is there any other way to stop those messages from showing up in the portal? PS. This wasn't an issue until recently because we used to be able to put [External] in the name filter and it would act like a wild card, but that has stopped working.
389 Views, 0 likes, 0 Comments
How to cancel Microsoft Defender free trial, when GoDaddy is my Tenant?
I signed up for a 3-month free trial of Microsoft Defender through https://security.microsoft.com/, a few months ago while exploring security options for my domain, which is hosted by GoDaddy. However, GoDaddy informed me that they are not authorized to sell me the product directly, as I need to migrate away from them and have Microsoft to be my tenant to make the purchase. Now, as the trial period is coming to an end, I've been trying to cancel it through https://security.microsoft.com/ (The option is there), but it redirects me to GoDaddy instead. GoDaddy, in turn, advised me to contact Microsoft directly for assistance, but I've had difficulty reaching a real person through their support line. I'm unsure about what happens after the trial period ends. Will it cancel automatically? Will GoDaddy be charged? I would greatly appreciate any guidance on how to proceed as the trial deadline approaches.
316 Views, 0 likes, 0 Comments
Direct action quietly dropped
Has anyone else noticed that under MC788953 / roadmap 393937 we lose the ability to run remediations direct from Threat Explorer? Instead, the action goes to the Action Center where I have to (a) wait for it to appear, (b) find it amongst all of the automated clutter with none of the information I originally input in the Threat Explorer and (c) approve it. Is the rest of the civilised universe all on third-party tools working through the APIs? https://www.microsoft.com/en-GB/microsoft-365/roadmap?filters=&searchterms=393937
523 Views, 0 likes, 0 Comments
Events
Recent Blogs
- We are pleased to announce that Microsoft Defender for Office 365 now features large language model (LLM)-powered responses within the submission workflow. This update provides security and Exchange ...
Jul 01, 2025
991 Views, 0 likes, 0 Comments