Latest Discussions
Issues with Phishing & Malware Classification, Quarantine, and ZAP Not Triggering
Hello, We are facing issues with Office 365 Defender email alerts related to phishing and malware detection. Below are the key concerns:

Emails with Malicious Attachments: Emails classified as phishing/malware due to malicious attachments are delivered to users. If quarantined, they are blocked upon release, preventing delivery to recipients. Is this expected behavior? Are there any workarounds to allow delivery after manual review?

Retroactive Classification Based on User Actions: Emails are later classified as phishing/malware when another user clicks a link. We need better visibility and control over such cases. Any insights on handling this effectively?

ZAP Not Triggering: We've noticed that ZAP (Zero-hour Auto Purge) is not triggering as expected in certain cases. Has anyone experienced similar issues, and are there any known fixes or configurations that might help?

Posted by nikunjbhatt_cds (Copper Contributor), Feb 09, 2025. 43 views, 0 likes, 1 comment

Configure Quarantine Notifications to Admins when any Email is quarantined
Hi All, Good morning. I would like to understand the possible options in EOP and Defender for O365 to send an alert or notification mail to the e-mail administrator as soon as any mail is quarantined for any user mailbox in Exchange Online. I searched most of the options, but I don't see any solid solution for this. Please share your thoughts and experience on this. Thanks in advance.

Posted by NS (Copper Contributor), Feb 05, 2025. 696 views, 2 likes, 3 comments

No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren't identified as links, which allowed them to evade security scanning.

Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely.

Questions:
- Has anyone else encountered similar issues with encoded URLs bypassing detection?
- What's the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URLs were identified?

Looking forward to your input and recommendations. Thanks in advance!

165 views, 0 likes, 4 comments

Anti-malware policy doesn't block files
Hello Microsoft Community, We have recently found that the Anti-malware policy doesn't block files that are set to be blocked by the policy. For example, when we send an *.ics file with cmd/exe/jse/rdp and other files inside of the ics, the email is not blocked and is delivered to users. We did several tests with an external security vendor by sending real malware, ransomware and exploits attached to the ics, and all of them passed the filtering system. Is anyone aware of the issue? Doesn't MDO scan nested files?! This has happened with a few tenants. Those tenants have Microsoft E5 licenses.

Posted by mikhailf (Steel Contributor), Jan 29, 2025. 90 views, 1 like, 1 comment

Setting up Admin Quarantine
Hi, We are looking to set up admin quarantine as per the instructions here: Protect files with admin quarantine - Microsoft Defender for Cloud Apps | Microsoft Learn. We have followed this step by setting up a location for admin quarantine. However, when editing the 'Malware Detection' rule in Defender we do not get an option for 'Put in admin quarantine', only 'Put in user quarantine'. Does anyone have any idea how to resolve this? Thank you.

Posted by sp1984 (Copper Contributor), Jan 21, 2025. 29 views, 0 likes, 0 comments

Allow specific user to release their own quarantined messages
Hello everyone, I have been searching for a few days, but I can't find anything that details how we can grant a specific user (not everyone) the ability to release their own quarantined e-mails. We have some trusted users in our organization we would like to allow to release their own (not others') quarantined e-mails. Can someone tell me how to do this or point me to the resources that give the instructions? Or is this even possible for specific users? Thanks

Posted by Matt123 (Copper Contributor), Jan 11, 2025. 124 views, 0 likes, 1 comment

Assessing Microsoft Defender for Office365 Effectiveness
I'm looking to gather three data points from Defender for Office365. I'm looking for true positives (emails that have been detected as malicious), false positives (emails detected as malicious but released from quarantine) and false negatives (emails not detected as malicious but later reported by users as phishing). Is there any easy way to find these in logs? Or get counts of these?

Posted by dsmhood (Occasional Reader), Jan 02, 2025. 48 views, 0 likes, 2 comments

XM/Laroux.CF
Hello Expert, Need your assistance with the XM/Laroux.CF issue. Mails are being quarantined due to XM/Laroux.CF and we have to manually release the mails. Can we make any changes in our O365 Defender anti-malware policy so that mails containing XM/Laroux.CF are not quarantined? Thanks in advance

Posted by Ravi Harariya (Copper Contributor), Jan 02, 2025. 20 views, 0 likes, 0 comments

Defender false positive on SharePoint links
We have an external business partner emailing SharePoint links for sensitive information. M365 Defender is consistently flagging the link as malicious with no clear indication as to why. So we get the following:
- alerts generated in Defender
- emails flagged in Email Explorer and quarantined
- Defender SmartScreen blocks the safe link/original URL but displays a different URL

I have already added the domain to the Allow list in the IoC. I have submitted the domain and specific URL to Microsoft for review.

Questions:
- How to edit the Defender SmartScreen blocks?
- Is there a quicker way to list a URL or domain as safe so users can load it?

Posted by HathMH (Copper Contributor), Dec 13, 2024. 215 views, 0 likes, 1 comment

Whitelist external email to internal distribution group
Hi all, Question for the team.... If a user is calling off for the day, they can send an email from their personal email address to one of our distribution groups that gets delivered to a number of managers, so they are aware that the person will not be in for the day. The issue is that Defender will quarantine some of these emails, marking them as spam. Then the managers will not get the email and have no idea that the person is calling off. How can I whitelist all emails going to that particular distribution group so that nothing gets quarantined? I tried creating a whitelist rule in Exchange Online mail flow rules, but it does not allow distribution groups to be whitelisted, i.e. set to SCL -1.

Posted by mrhops (Copper Contributor), Dec 10, 2024. 1.4K views, 0 likes, 4 comments
Tags
- microsoft 365 defender (92 Topics)
- phishing (40 Topics)
- Configuration (27 Topics)
- detection (19 Topics)
- investigation (13 Topics)
- prevention (11 Topics)
- threat intelligence (7 Topics)
- Remediation (7 Topics)
- Hunting (6 Topics)
- Awareness (6 Topics)