How to exclude emails from future ZapPhish auto investigations (AIR)


Some emails identified by the AIR are false positives. Is it possible to exclude them from future investigations? Is there a manual way to add emails to exclusion or whitelist or is the system intelligent enough to learn this from the Reject action? 


3 Replies

@Dimitry Izotov We've been looking into this and, sadly, I think the answer is no, there is no way to bypass this. We've tried everything to get certain domains excluded and no matter what we do, they continue to trigger AIR investigations. This causes our Investigations list to be cluttered with false positive investigations, making it less likely that we'll be able to identify and act on real threats in a timely manner.

@Alex Rourke I'm thinking maybe there is a way to do this with Azure Sentinel, but it seems like overkill for a whitelist task. I'm hoping the MSFT team can provide guidance on this one.

@Dimitry Izotov For us, the false positives are from phishing simulation test emails sent by a partner we work with (KnowBe4). In this case, they have a list of domains they use for these tests; they've asked Microsoft (and Microsoft almost certainly knows) that these domains are not malicious, yet Microsoft continues to classify them as such and provides no straightforward workarounds. I think with Microsoft now offering its own "Attack Simulator", we're going to see them become increasingly hostile and inhospitable towards companies like KnowBe4 who, despite offering a far superior and more mature product than what Microsoft is offering, are being treated as a competitive threat.

We were planning on upgrading all of our users to Office 365 ATP Plan 2, but because we can't resolve this issue, new features like AIR that make this upgrade worth it are virtually useless. It's really quite sad that Microsoft can't play nicely with others.