Self-healing in Microsoft 365 Defender
Published Sep 30 2020 08:40 AM 14.5K Views

Microsoft security workloads, such Microsoft Defender for Endpoint and Microsoft Defender for Office 365 have automated investigation and remediation capabilities that include self-healing of your organization’s devices and mailboxes. However, modern threats are usually running across security workloads. For example, an attack can start with a malicious document in Office 365, continue by compromising a device when a targeted user opens the document, and proceed through lateral movement, attempting to compromise other devices and user accounts in an organization. In such cases, individual workload capabilities are not enough. You need an infrastructure with playbooks that investigate and remediate threats across workloads. This is where self-healing through automated investigation and response capabilities in Microsoft 365 Defender comes into play.


Microsoft 365 Defender

Microsoft 365 Defender stops attacks across Microsoft 365 services and auto-heals affected assets. As threats become more complex and persistent, alerts increase, and security teams are overwhelmed, Microsoft 365 Defender leverages the Microsoft 365 security portfolio to automatically analyze threat data across endpoints, identities, apps and cloud apps, email and docs, building a complete picture of each attack in a single dashboard. With this breadth and depth of clarity defenders can focus on the critical threats and hunting across their data utilizing their unique organizational expertise, trusting that Microsoft 365 Defender’s powerful automation detects and stops attacks anywhere in the kill chain and returns the organization to a secure state.


How does self-healing work?

Self-healing is an integral part of Microsoft 365 Defender that automatically investigates and remediates potentially compromised assets—identities, mailboxes, and devices—by orchestrating signals and remediation actions across workloads.

Currently, self-healing in Microsoft 365 Defender provides the following capabilities:

  • Zero-hour auto-purge (ZAP) malware playbook that orchestrates investigation and cleanup of impacted mailboxes and devices as soon as malware is detected after delivery.
  • Automated investigation and remediation of potentially compromised devices triggered by Microsoft Defender for Identity alerts.
  • The Action center, a single pane of glass experience for reviewing and approving pending actions, and an audit log across security workloads

Example: Emotet threat

Let see an example of the ZAP malware playbook in action. This is an Emotet threat example.

Emotet has evolved from being just a banking trojan to a downloader. It has recently been observed introducing Trickbot to infected systems. The most common attack kill chain for Emotet looks like this:




Emotet uses a malicious document with macro code as its delivery mechanism. Once clicked and running, a PowerShell script downloads additional modules to devices. The malicious document is usually crafted to target specific users, and is highly polymorphic. Within a few minutes, Microsoft Defender for Office 365 can detect the document as malicious, block the file from being delivered to other mailboxes within the organization, and trigger the automated investigation and response playbook that removes all the email messages that have the malicious file (ZAP).

ZAP signal is also sent to Microsoft 365 Defender, and the ZAP malware playbook initiates.

The playbook identifies devices with malicious document (as reported by Microsoft Defender for Office 365) and then quarantines the document. In addition, Microsoft 365 Defender triggers a suspicious host investigation playbook to clean up additional malware from users’ devices and ensure that no more threats remain. Remediation actions across both mailboxes and endpoints are tracked in the Action center, and are listed on the Pending actions or History tabs, based on your tenant configuration.


Speaking of configuration, we recommend configuring Microsoft Defender for Endpoint for full automation. That can help ensure automatic cleanup and self-healing from malware on infected devices.

Want to learn more?


See the following resources:


Let us know what you think! Feel free to leave us a comment.


Microsoft 365 Defender team




Version history
Last update:
‎Sep 30 2020 08:40 AM
Updated by: