Forum Discussion
Chris_Rokitski_
Nov 10, 2021 | Copper Contributor
Instant/Live Alerts for Quarantined Emails
Hello and hopefully this is the right forum. My work email is Outlook and is filtered through Windows Defender. I'm still not sure of what Defender does that the regular Junk email folder doesn't do?...
ExMSW4319
Nov 18, 2021 | Steel Contributor
Microsoft slaps the word Defender on what, five, six related products now? This group is for Defender for Office 365, the rebrand of the Advanced Threat Protection add-on for Exchange Online. I have it on good authority that the accepted abbreviation is MDO, and I'm going to assume that MDO / Exchange Online is your problem.
I cannot think of any defensive layer in MDO or EXO that insists that the messages it detects shall go to hosted quarantine. Even the malware filter can be circumvented by nominating an account for SecOps, though you probably don't want to do that.
The product default action for a filter might be to quarantine, or a threat policy set by your organisation might be to quarantine. That does not have to apply to everyone. Most threat policies can be duplicated to apply an action just to one group, with everyone else under a general policy. Your "fast reaction" group might have hits from the problematic policy delivered to their Junk Email folders or might receive an instant notification mail for each hit; there are lots of possibilities. If your in-house IT do not have the time or the expertise, ask them to involve your Microsoft partner. In this climate, lost business should be a fairly compelling argument.
Some caveats:
Turning the dial down on a defence may increase the risk to your organisation. Quarantine gives time for the zero-hour automated purge and other mitigating factors to apply. You may need to convince your IT that you have the skills to handle this extra risk, or you may need to accept protective measures such as multi-factor authentication or conditional access.
Some of the changes I have suggested will add to your Inbox noise. If you pass the load to your Junk Email folder you may find it harder to find items wrongly sent to Junk Email for other reasons.
There is generally a reason why Microsoft sent an item to quarantine. There has been a lot of noise this year about clever supply chain attacks, but the simplest form of this is where an attacker breaks into a party on your supply chain to send you malware using the spoofed reply tactic. You should be wary of opening quarantined attachments from known customers unless you have an idea of why the message was quarantined.
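The "duplicate the policy for one group, leave everyone else on the general policy" approach from the reply above, written out as an added Exchange Online PowerShell example. This is not code from the thread or from Microsoft; it assumes the ExchangeOnlineManagement module, an account with rights to edit threat policies, and placeholder values for the group address, the policy names and the quarantine permission bitmask (27 is the documented "limited access" preset; check it against current Microsoft documentation before use). Spam and bulk mail for the group go to Junk Email, while phishing and high-confidence spam stay in quarantine under a quarantine policy that sends end-user notifications, which keeps the zero-hour auto purge caveat intact for the riskier verdicts.

```powershell
# Added example, not from the forum thread: scope a relaxed anti-spam action to
# one group while the tenant-wide default policy keeps quarantining everyone else.
# Placeholders: fast-reaction@contoso.example, the policy names, alice@contoso.example.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Mail-enabled security group or distribution list for the "fast reaction" users
$Group = 'fast-reaction@contoso.example'

# 1. Quarantine policy: users may view/release their own quarantined mail and get
#    end-user spam notification (ESN) mail. Notification timing follows the global
#    quarantine policy interval; it is not one mail per hit.
#    27 = "limited access" permissions preset (assumed; verify in current docs).
New-QuarantinePolicy -Name 'FastReaction-Notify' `
    -EndUserQuarantinePermissionsValue 27 `
    -ESNEnabled $true

# 2. Anti-spam policy for the group only. Spam/bulk -> Junk Email folder,
#    high-confidence spam and phishing -> quarantine, tagged with the notifying
#    quarantine policy so the user learns about it without losing ZAP protection.
New-HostedContentFilterPolicy -Name 'FastReaction-AntiSpam' `
    -SpamAction MoveToJmf `
    -BulkSpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -HighConfidenceSpamQuarantineTag 'FastReaction-Notify' `
    -PhishQuarantineTag 'FastReaction-Notify' `
    -HighConfidencePhishQuarantineTag 'FastReaction-Notify'

# 3. Bind the policy to the group at priority 0 so it wins over the default policy.
New-HostedContentFilterRule -Name 'FastReaction-AntiSpam' `
    -HostedContentFilterPolicy 'FastReaction-AntiSpam' `
    -SentToMemberOf $Group `
    -Priority 0

# 4. Verify the scoping, then review what one group member currently has held.
Get-HostedContentFilterRule -Identity 'FastReaction-AntiSpam' |
    Format-List Name, Priority, SentToMemberOf, State

Get-QuarantineMessage -RecipientAddress 'alice@contoso.example' |
    Select-Object ReceivedTime, SenderAddress, Subject, Type, Released
```

The malware filter is deliberately left untouched here: the reply notes it can be bypassed with a SecOps mailbox, but that removes the quarantine hold for attachments, which is exactly the case the last caveat warns about.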