Hold user-reported emails to see if they later become malicious.
Hello Team,
Our Security Operations Center has identified a phishing report from a user. We activated email notifications for users to receive updates from Microsoft about the investigation results. In this case, the user was initially informed that the email was safe, but soon after they received another similar email from the same malicious sender, which was quarantined by ZAP. After this, ZAP went back and quarantined the initial email too.
Even though ZAP and Safe Links continuously re-evaluate emails post-delivery, it's concerning that the report initially came back as clean and the email was later quarantined based on the investigation done on another email. I would like to know if there are additional measures we can take to detect emails that may turn malicious after delivery, aside from ZAP.
Also, can we implement a mechanism to hold reported emails for 2-3 hours to see if they later become malicious, until we assess their safety, preventing users from receiving a false safe notification and later seeing ZAP quarantine them? Thanks in advance.