Forum Widgets
Latest Discussions
Undected phish from senders with LONG addresses
I posted about this earlier, but something seems to have deleted my post. A certain kind of phish is currently coming in hot. Senders who have very long addresses, from my obervation > 300 characters are being overlooked and lots of dangerous phish is making its way into EXO mailboxes. Do this in Advanced Hunting to see if you are victim and please report the messages as phish so the "system" can learn about it. EmailEvents | extend sndrAddrLen = strlen(SenderFromAddress) | where sndrAddrLen >= 200 and (LatestDeliveryLocation in~ (@'Inbox/folder')) | project-reorder sndrAddrLen, Subject, SenderFromAddress, LatestDeliveryLocation, DeliveryLocation, RecipientEmailAddress
Marking Quarantine Notice senders as safe for entire tenant
Our users get quarantine notices weekly. They're configured to come from mailto:email address removed for privacy reasons (the domain specific to tenant).. sometimes they come from mailto:email address removed for privacy reasons anyways, but this is fine. The thing is, I end up with a LOT of users who end up receiving these in their junk mail. We have a lot of tenants - I don't really have the time to keep checking them, taking action on mis-junked items. Most stuff is configured to go to quarantine anyway. What's the best way to allow these senders? The IB Anti-Spam safe-senders component is not Secure-Score recommended, and we try to keep these scores high. But the tenant allow/block list allows a max of 45days since last use. There's so many options, I'm a little confused as to what's 'right' ThanksHelp me understand why this email was quarantined?
I'm pretty familiar with Defender's Threat Policies. I've probably set them up on 40 tenants. I know the Hosted Content Filter Policy is backend for Anti Spam Inbound policy. I know that, confusingly, the AntiSpam Inbound Policies contain the actions for High Confidence/Normal Confidence Phishing - NOT the AntiPhishing policies (which seem more geared towards impersonation). What I DON'T know is why this was quarantined - and whether the anti-phish policy had anything to do with it. The Policy Type linked is the IB Anti Spam. This tenant is one of the few we have set at a BCL tolerance level of 7 - which shows me that 0 messages in the last 60 days would've been caught for this reason (which would include the email in question). So it was either the SCL or some 'anti phish' component of the anti-spam policy. I have none of the custom 'increase spam score' markers here. I was sure there was a 'evidence' tab within email entity, but i guess not - the only info I have about the detection (now released) is the following: This particular sender does not send reliably over 45 days, but also has been a business partner of this tenant for decades. So rather than the Tenant Allow/Block list which allows a max of 45 days, I want to add it to the offending policy. which SEEMS like it would be the inbound anti-spam - except that it also says it's phishing everywhere. I don't want to bypass both the phishing and spam policies unless I have to - but I don't really know why this got blocked. It's an external address that had sent an email days ago that got through without issue... This one has an attached pdf, but so do they all. Thoughts?user-reported phishing emails
Dear Community I have a technical question regarding user-reported emails. In Defender, under “Action and Submissions” -> “Submissions,” I can see the emails that users have reported under the “user reported” option. There, we have the option to analyze these emails and mark them as “no threats found,” “phishing,” or “spam.” The user is then informed. Question: Do these reported emails remain in the user's inbox when they report them? If not, do we have the option to return these reported emails to the user's inbox with the “No threats found” action? Because I don't see this option. In another tenant, under “Choose response Action,” I see “move or delete,” but the “inbox” option is grayed out. Why is that? Thank you very much!'system has learned from the submission / mail is automatically allowed'
Hey folks, got an alert about a tenant allow//block list entry expiring. Only recently did we start getting these, because only recently did we start using expiring whitelisting. But I'm a little confused by the details, which says 'Mail from x is now automatically alllowed and the allow entry has been removed' and the activity that ''an allow entry is no longer required as the system has learned from the submission' The referenced email is actually an internal tenant - it receives ticket requests, and sends out ticket updates. But I'm REALLY curious about the 'automatic' allowing. Is this a feature limited to Defender 2, or part of Microsoft's AI detection framework for all 365 Defender/EOP? I don't even remember submitting this email - if I did, it was probably more than 45 days ago. So 1) Is this notice primarily that the entry had expired, but ALSO it's not needed or does this send out as soon as 'the system' recognizes it as legitimate, and removed regardless of the time left? 2) is there a way to review a list of entries Microsoft has 'accepted'? 3) What exactly does this 'allow'? I know that the tenant allow/block list allowed a certain set of lower-risk indicators in an email, but still blocked some higher-risk ones - unless there was a submission made. At that point, more is allowed. But there's still a limit, compared to a blanket bypass on the policy itself.Disabling Auto Align Feature in Microsoft Defender 365 Console Alerts
The Microsoft Defender 365 console has recently started auto aligning the alert screen upon clicking on an alert name, which seems to be part of the updated alert management experience. This change is quite bothersome and distracting. How can this feature be disabled?
Microsoft Defender for Office (MDO) - Customize Results Email for User Reported Messages
Hi all, I would like to customize the results email from MDO to the users. From the documentation, I can see the option to modify "Email body results text" and "Email footer text": Unfortunately, the documentation doesn't specify anything beyond that. Therefore, I have the following questions: What exactly is the Email "body" and "footer" in this template? (Compare to screenshot below) Is the title/header part of the "body"? What type of text from is available? (Plain/HTML/Markdown etc.) Does anyone have experience with customizing these result emails? Feedback would be appreciated, thanks!
Block all internet traffic except some sites
Hi, i've a subset of machines that need only access to some sites, like internal websites, office365 and av updates but i'm being asked to block all other sites. Can i use office365 defender (https://security.microsoft.com/securitysettings/endpoints) to do this? what is the best option? Thx
