Add a safe sender to Quarantine (Defender for Office 365)

Hello,

How can we avoid having the Outlook support mails (support responses) going to quarantine? Is there a way to mark the Microsoft support mail reply as safe so it hits the inbox right away?

In earlier forums, there was a way to release the mail and mark it safe, but it seems to be just for a period of time; I am looking for a permanent solution.

Thanks a lot

@Carole_Dawood 

The question could do with clarification. Are these mails from Microsoft Product Support, replies from your own internal service desk, or messages automatically generated by one of your Outlook installations?

If you examine a case using Threat Explorer, why does it say the support response is going to quarantine?

I would bet that the reason is that the quarantined mail contains enough of the original threat to be considered, or at least mistaken for, a malicious mail. Given the niche that Exchange Online is intended to fill, that's not actually wrong. You don't want your support team handling live threat material, or it finding its way into your internal service desk system where it might be downloaded again at a later date.

It is still possible to designate a SecOps account and assign it policies that largely deactivate EOP and MDO. Sadly, the Secure by Design philosophy now means that malware will always be deleted and high-confidence phish will always be quarantined, regardless of your policies. In any case, a SecOps mailbox is not exactly what you wanted. The policies exempt a recipient, and you want to exempt a sender.

Others have complained that the temporary exemption offered by the Tenant Allow/Block List feature doesn't allow accommodation of persistent problem senders. Again, my understanding of the design philosophy is that we will not see any revision of that position. Where you need a forensic copy of an original payload, your only option is to download it as an EML to an area exempted by your own endpoint protection. Links can be safely discussed by obfuscating them in an agreed format. I typically put a space between the schema and the hostname, and square-bracket the periods before anything that could be a TLD or file suffix. If your service desk are replying to a forwarded sighting, the only really safe option is to cut everything after the subject line of the cited mail.

If that is the problem, then you also really want to cure your users of forwarding sightings, as that behaviour also triggers any web bugs, telling the spammer or phisher that the recipient address was good. The Outlook Report Message add-in is a much better option and can be easily programmed to send a copy into your SecOps mailbox if you don't want to monitor the Submissions table.
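The link obfuscation format and the subject-line cut-off described in the reply above, as an added example that is not code from the thread (the function names and the sample forwarded mail are constructed):

```python
"""Link obfuscation and reply trimming as described in the reply: a space
between the scheme and the host, square brackets round periods before a
TLD or file suffix, and a cited mail cut off after its Subject: line.
Added example, not code from the thread; names and sample are constructed."""
import re

# A URL with an explicit scheme, running to the next whitespace or quote.
_URL_RE = re.compile(r"""\b([a-z][a-z0-9+.-]*)://([^\s<>"']+)""", re.IGNORECASE)


def defang_url(url: str) -> str:
    """'http://www.example.com/drop/payload.exe'
    -> 'http ://www[.]example[.]com/drop/payload[.]exe'"""
    m = _URL_RE.fullmatch(url)
    if m is None:
        return url  # no scheme present: leave the text untouched
    scheme, rest = m.group(1), m.group(2)
    # Bracket every period followed by a letter or digit (host labels, the
    # TLD, file suffixes); a trailing full stop is ordinary punctuation.
    rest = re.sub(r"\.(?=[A-Za-z0-9])", "[.]", rest)
    return f"{scheme} ://{rest}"


def defang_text(text: str) -> str:
    """Apply defang_url to every scheme-prefixed URL in a block of text."""
    return _URL_RE.sub(lambda m: defang_url(m.group(0)), text)


def cut_after_subject(text: str) -> str:
    """Keep the forwarding note and the cited mail's header block, dropping
    everything after its Subject: line (quoted with '>' or not)."""
    kept = []
    for line in text.splitlines():
        kept.append(line)
        if line.lstrip("> ").lower().startswith("subject:"):
            break
    return "\n".join(kept)


# Constructed sample of a user forwarding a sighting to the service desk.
SAMPLE_FORWARD = (
    "Hi team, this looked odd, see below.\n\n"
    "From: Accounts Payable\nSubject: Invoice overdue\n\n"
    "Pay now at http://www.example.com/drop/payload.exe before 5pm."
)

if __name__ == "__main__":
    print(cut_after_subject(SAMPLE_FORWARD))
    print(defang_text(SAMPLE_FORWARD))
```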