
Microsoft Defender for Office 365 Blog

Introducing tenant blocks via admin submissions

Dhairyya_Agarwal
Aug 22, 2022

 

We are excited to announce that you can now block suspicious entities when submitting emails, URLs, or attachments for Microsoft to review. In the Microsoft 365 Defender portal (https://security.microsoft.com), security operations teams can now block the sender or domain, URL, or attachment while submitting suspicious emails, URLs, or attachments from the admin submission flyout panel. You’ll no longer need to switch to the Tenant allow/block list page to block a suspicious entity.

 

 

Let’s look at how it works! 

 

Blocking email addresses or domains through email admin submission flyout

From the Emails tab under the submissions portal in Actions & submissions in the Microsoft 365 Defender portal, select Submit to Microsoft for analysis to report a phishing, malware, or spam email. You can choose to block the sender or domain and provide a block expiry date and optional notes. Make sure that you have the required permissions before submitting to Microsoft.

 

 

To learn more about blocking email addresses or domains in the Tenant allow/block list, see Allow or block emails using the Tenant Allow/Block List.

 

Blocking URL through URL admin submission flyout

 

From the URLs tab under the submissions portal in Actions & submissions in the Microsoft 365 Defender portal, select Submit to Microsoft for analysis to report a phishing or malware URL. You can choose to block the URL and provide a block expiry date and optional notes. Make sure that you have the required permissions before submitting to Microsoft.

 

 

To learn more about blocking URLs in the Tenant allow/block list, see Allow or block URLs using the Tenant Allow/Block List.

 

Blocking email attachment through email attachment admin submission flyout

From the Email attachments tab under the submissions portal in Actions & submissions in the Microsoft 365 Defender portal, select Submit to Microsoft for analysis to report a phishing or malware email attachment. You can choose to block the email attachment and provide a block expiry date and optional notes. Make sure that you have the required permissions before submitting to Microsoft.

 

 

To learn more about blocking email attachments in the Tenant allow/block list, see Allow or block files using the Tenant Allow/Block List.

Viewing blocked entities from the admin submission flyout

 

All of the blocked entities created from the admin submission panel for URLs, email attachments, and emails will show up in the Tenant allow/block list under the URL, file, and Domains & addresses tabs, respectively.

 

 

To learn more about the Tenant allow/block list, see View entries in the Tenant Allow/Block List.
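
The same block entries can be reviewed from Exchange Online PowerShell. The script below is an added example, not part of the original post or Microsoft's own code: it lists block entries for the three tabs named above and flags each by expiry state. The seven-day review window, the status labels, and the treatment of `ExpirationDate` as UTC are assumptions made for this example.

```powershell
# Added example (not from the original post): audit block entries in the
# Tenant Allow/Block List. Needs the ExchangeOnlineManagement module and an
# account allowed to read the list.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$warnWithinDays = 7                     # assumption: review window for this example
$now = (Get-Date).ToUniversalTime()     # assumption: ExpirationDate is compared as UTC

# -ListType value -> portal tab named in the post
$tabs = [ordered]@{
    Sender   = 'Domains & addresses'
    Url      = 'URLs'
    FileHash = 'Files'
}

$report = foreach ($listType in $tabs.Keys) {
    # -Block limits the output to block entries, including those created
    # from the admin submission flyout.
    Get-TenantAllowBlockListItems -ListType $listType -Block | ForEach-Object {
        # Status labels are hypothetical names chosen for this example.
        $status = if (-not $_.ExpirationDate) { 'NeverExpires' }
        elseif ($_.ExpirationDate -lt $now) { 'Expired' }
        elseif ($_.ExpirationDate -lt $now.AddDays($warnWithinDays)) { 'ExpiringSoon' }
        else { 'Active' }

        [pscustomobject]@{
            Tab            = $tabs[$listType]
            Value          = $_.Value
            ExpirationDate = $_.ExpirationDate
            Status         = $status
            Notes          = $_.Notes
        }
    }
}

# Entries that need a decision first: blocks about to lapse and blocks that never will.
$report |
    Sort-Object @{ Expression = { $_.Status -eq 'Active' } }, Tab, ExpirationDate |
    Format-Table -AutoSize -Wrap

Disconnect-ExchangeOnline -Confirm:$false
```

Blocks flagged `ExpiringSoon` stop applying once the expiry date chosen in the flyout passes, so they are the ones to extend or let lapse deliberately.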

 

All other aspects of the submission experience, such as submitting a sample for analysis and viewing the results, remain as they are.

 

Let us know what you think! 

The experience will start rolling out by the end of August. You can expect to see these changes over the next few weeks. The new submissions experience will be available to customers with Exchange Online Protection, Defender for Office 365 Plan 1, Defender for Office 365 Plan 2, including those with Office 365 E5, Microsoft 365 E5, or Microsoft 365 E5 Security licenses. 

 

We’re excited for you to try out these new capabilities. Let us know what you think using the Defender for Office 365 forum. 

 

Updated Aug 22, 2022
Version 1.0
  • Good question. URL and file blocks send email containing them to admin quarantine.

    Sender (or domains & addresses) does not do it which we plan to address soon so that there is parity and visibility. 

  • Hello Dhairyya,

    This is very useful. Removes the copy and paste of URLs and jumping around in the M365D portal. 

    Will this also be possible if I turn a user submission into an admin submission? 

    Thanks 

    Gunter

  • Pawel Kowalski

    Is there any way to retrieve or review these blocked messages? Or are they gone once blocked?

     

    It would be helpful, and hopefully already possible, to send these "blocked" messages directly to an admin...or an area an admin has access to (like the quarantine page)...so the messages can be reviewed and released if they have legitimate non-harmful content. If all the blocked messages are simply deleted and there is no way to get them back that's a bit less useful at least for us.

     

    We often have a subcontractor or some other partner that gets infected. We can't block their domain entirely since we do work with them and many of the messages are still legitimate. So right now it's a complicated process of setting up transport rules to intercept the message so someone can review it before getting it to the end user. This is basically unworkable on a larger scale at least when working in the UI (there is probably a way to efficiently script this). So it would be nice to have this option in the UI where with one click the messages can be sent for review instead of getting deleted entirely.