<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>rss.livelink.threads-in-node</title>
    <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/ct-p/microsoft-defender-for-office-365</link>
    <description>rss.livelink.threads-in-node</description>
    <pubDate>Fri, 10 Jul 2026 09:33:04 GMT</pubDate>
    <dc:creator>microsoft-defender-for-office-365</dc:creator>
    <dc:date>2026-07-10T09:33:04Z</dc:date>
    <item>
      <title>Defending the Inbox Against Prompt Injection Attacks</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/defending-the-inbox-against-prompt-injection-attacks/ba-p/4534636</link>
      <description>&lt;P&gt;AI assistants are quickly becoming part of everyday work—summarizing emails, drafting responses, triaging requests, and even potentially acting across connected business systems. As email becomes an automated input to AI systems, it can also become a new attack surface. Attackers no longer need to convince a human to click; they can target the AI. This shift changes how email threats operate and why traditional protections aren’t enough on their own. Publicly disclosed research—&lt;STRONG&gt;Morris II&lt;/STRONG&gt;, &lt;STRONG&gt;EchoLeak,&lt;/STRONG&gt; and a steady stream of indirect prompt injection findings—shows this isn’t theoretical. Email can be the highest-volume, lowest-friction ingress channel into your AI estate, and it needs its own purpose-built control.&lt;/P&gt;
&lt;P&gt;Today, we’re announcing a new capability in Microsoft Defender that addresses this. Microsoft Defender can now detect and isolate malicious AI instructions embedded in email, commonly referred to as prompt injection, before delivery. This reduces the risk of prompt injection reaching the inbox and activating against AI systems. By detecting these threats, organizations are better protected from prompt injection-driven compromise and unintended data exposure.&lt;/P&gt;
&lt;P&gt;Rather than responding to attacks after an AI system has already processed them, Defender can remove the threat at the earliest control point: the inbox itself.&lt;/P&gt;
&lt;H3&gt;When attackers stop phishing humans and start targeting AI&lt;/H3&gt;
&lt;P&gt;For decades, email attacks relied on social engineering—convincing a user to click a link, open an attachment, or follow instructions. AI assistants connected to email change that model.&lt;/P&gt;
&lt;P&gt;For illustrative purposes, an attack chain could look like this:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;An attacker can send an email containing hidden instructions often invisible to a human because they’re encoded, white-on-white, zero-width Unicode, or embedded in HTML the renderer hides.&lt;/LI&gt;
&lt;LI&gt;The recipient, or an autonomous agent, asks Copilot to summarize or process the unread mail or inbox.&lt;/LI&gt;
&lt;LI&gt;The AI could unknowingly follow the embedded instructions, which can trigger actions like exposing sensitive data, calling tools, or poisoning downstream context.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;This emerging class of attack, commonly referred to as indirect prompt injection, represents a clear evolution of email‑borne risk and calls for protections specifically designed for AI‑targeted threats.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;div data-video-id="https://www.youtube.com/watch?v=WGRHVJTeXqA /1783429649783" data-video-remote-vid="https://www.youtube.com/watch?v=WGRHVJTeXqA /1783429649783" class="lia-video-container lia-media-is-center lia-media-size-large"&gt;&lt;iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FWGRHVJTeXqA%3Ffeature%3Doembed&amp;amp;display_name=YouTube&amp;amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DWGRHVJTeXqA&amp;amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FWGRHVJTeXqA%2Fhqdefault.jpg&amp;amp;type=text%2Fhtml&amp;amp;schema=youtube" allowfullscreen="" style="max-width: 100%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;H3&gt;How Microsoft Defender protects against prompt injection attempts&lt;/H3&gt;
&lt;P&gt;Protection against prompt injection is built into Defender’s existing email security pipeline, allowing organizations to reduce AI-targeted threats without requiring new tools, workflows, or operational complexity.&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Helps stop attacks before delivery&lt;/STRONG&gt; – Malicious AI instructions embedded in emails can be detected and quarantined before they reach the inbox.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reduces downstream AI exploitation&lt;/STRONG&gt; – By blocking these messages at ingress, prompt injection attempts are less likely to become available to Copilot, Microsoft 365 agents, or any AI tool grounded in Exchange Online data.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Starts working automatically&lt;/STRONG&gt; – For eligible customers, protection is enabled by default, allowing security teams to benefit without policy changes or admin opt-in.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H3&gt;How to view detections&lt;/H3&gt;
&lt;P&gt;Detections are classified under the existing &lt;STRONG&gt;High Confidence Phish&lt;/STRONG&gt; verdict with a new &lt;STRONG&gt;Detection Technology&lt;/STRONG&gt; value: &lt;STRONG&gt;Prompt Injection Protection&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;Analysts will be able to interact with this experience across familiar Defender surfaces:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Email Quarantine&lt;/STRONG&gt; – Messages containing detected prompt injection are isolated before delivery, with the relevant detection technologies visible as part of the message details.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Explorer and email entity pages&lt;/STRONG&gt; – Analysts can review the full message context, investigate why it was flagged, and understand how the threat fits within the broader email investigation flow.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;H3&gt;Securing the AI data perimeter&lt;/H3&gt;
&lt;P&gt;Email can be the first, and highest-volume, entry point into AI systems, making it a critical control plane for preventing AI-driven compromise. But email is only the beginning. As AI systems increasingly interact with documents, collaboration platforms, and third‑party data sources, protecting the AI data perimeter becomes critical. Detecting and blocking prompt injection at the inbox represents an important step toward that future—where Defender can stop AI‑targeted threats wherever untrusted data meets autonomous systems. As the threat landscape continues to evolve, Defender is designed to evolve with the threat landscape, so organizations can deploy AI more securely while helping reduce new attack risks.&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;Get started&lt;/H3&gt;
&lt;P&gt;Prompt injection protection is now in Public Preview. For eligible customers, protection is enabled automatically without requiring policy changes or additional configuration. To learn more about this feature, visit our &lt;SPAN class="lia-text-color-10"&gt;&lt;U&gt;&lt;STRONG&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/prompt-injection-protection-defender-for-office-365" target="_blank" rel="noopener"&gt;documentation&lt;/A&gt;.&lt;/STRONG&gt;&lt;/U&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 08 Jul 2026 18:16:22 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/defending-the-inbox-against-prompt-injection-attacks/ba-p/4534636</guid>
      <dc:creator>nithinnara</dc:creator>
      <dc:date>2026-07-08T18:16:22Z</dc:date>
    </item>
    <item>
      <title>Microsoft Defender (GCC) - User Submitted "Mark and Notify" for Third Party Phishing Simulations</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/microsoft-defender-gcc-user-submitted-quot-mark-and-notify-quot/m-p/4531019#M1154</link>
      <description>&lt;P&gt;Our Microsoft 365 tenant is in the GCC environment, and we use a third party phishing simulation platform along with the built in&lt;STRONG&gt; Outlook Report Message&lt;/STRONG&gt; button (not a third party reporting add in).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When a user correctly reports one of our simulated phishing emails, the message appears in &lt;STRONG&gt;Microsoft Defender &amp;gt; User Submitted&lt;/STRONG&gt; as expected.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The problem is what happens next.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When we select &lt;STRONG&gt;Mark and notify&lt;/STRONG&gt;, the only available options are:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Phishing&lt;/P&gt;&lt;P&gt;Spam&lt;/P&gt;&lt;P&gt;No threat found&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There is no option to notify the user that the email was actually part of a phishing simulation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This creates a difficult situation:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If we choose &lt;STRONG&gt;No threat found&lt;/STRONG&gt;, Defender tells the user the message was safe, making it appear they incorrectly reported the email even though they did exactly what we trained them to do.&lt;/P&gt;&lt;P&gt;If we choose &lt;STRONG&gt;Phishing&lt;/STRONG&gt;, the user receives the correct feedback, but the message is counted as a real phishing event, affecting our Defender metrics and potentially generating false incidents and reporting.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It feels like we're stuck in a design loop where neither option provides the desired outcome.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;My questions are:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is there a supported way in Microsoft Defender (particularly GCC) to notify users that a reported message was a simulated phishing email when using the native Outlook Report Message button?&lt;/P&gt;&lt;P&gt;Is this capability available in Commercial tenants but not GCC, or is it unavailable across all environments?&lt;/P&gt;&lt;P&gt;If this functionality does not exist, what is the recommended process for submitting a feature request specifically for the GCC version of Microsoft Defender? This seems like a valuable enhancement for organizations that use third party phishing simulation platforms while relying on Microsoft's native reporting experience.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Has anyone else found a good workflow for this scenario?&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jun 2026 16:03:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/microsoft-defender-gcc-user-submitted-quot-mark-and-notify-quot/m-p/4531019#M1154</guid>
      <dc:creator>GalgoArmy</dc:creator>
      <dc:date>2026-06-25T16:03:00Z</dc:date>
    </item>
    <item>
      <title>Microsoft Defender for Office 365 Plan 1 is now rolling out to Microsoft 365 E3 and Office 365 E3</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/microsoft-defender-for-office-365-plan-1-is-now-rolling-out-to/ba-p/4527287</link>
      <description>&lt;P&gt;Starting today, Microsoft Defender for Office 365 Plan 1 is rolling out to customers with Microsoft 365 E3/G3 and Office 365 E3/G3 licenses, with rollout expected to complete by Fall 2026. For security teams, this means added protection against phishing, malware, and malicious links across email and collaboration, without needing to purchase or deploy a separate email security solution. It also means some protections will turn on automatically, so now is the right time to review your configuration and prepare for any changes to mail flow, policies, and end-user experience.&lt;/P&gt;
&lt;H4&gt;What E3 customers are getting&lt;/H4&gt;
&lt;P&gt;Previously, these subscriptions included &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/eop-about" target="_blank" rel="noopener"&gt;built-in security&lt;/A&gt; to help filter spam and known malware. Defender for Office 365 Plan 1 builds on that foundation with additional protections designed to catch more sophisticated phishing attempts, malicious links, and zero-day threats, while giving your team better visibility into what is happening in your environment.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Safe Links:&lt;/STRONG&gt; Helps protect users with time-of-click protection by checking URLs and blocking malicious destinations, including QR code-based attacks.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Safe Attachments:&lt;/STRONG&gt; Helps stop unknown and zero-day malware before harmful files reach users.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Advanced anti-phishing:&lt;/STRONG&gt; Helps detect impersonation attacks that target your users, executives, and trusted domains.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Expanded visibility and reporting:&lt;/STRONG&gt; Gives security teams more actionable detections, alerts, and reporting in the Microsoft Defender portal.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;What changes automatically&lt;/H4&gt;
&lt;P&gt;As the plan rolls out, protection will turn on automatically for licensed users. That is good news from a security perspective, but it is still important to understand what is changing in your environment. New protections can affect how messages are processed, how suspicious links are handled, what users see when they click blocked content, and how your team monitors and tunes policy settings after rollout.&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Read more about it here:&lt;/STRONG&gt; &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="auto"&gt;https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies#use-the-microsoft-defender-portal-to-add-exclusions-to-the-built-in-protection-preset-security-policy&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;How to prepare for the rollout&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Review your current mail flow and security configuration.&lt;/STRONG&gt; If you know how mail is routed today and which protections are already in place, it will be easier to spot what changes once Defender for Office 365 Plan 1 is active.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Decide how you want to manage policies.&lt;/STRONG&gt; When the plan becomes available in your tenant, built-in protection is applied automatically for licensed users. If you want Microsoft recommended settings beyond that baseline, consider enabling the &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies" target="_blank" rel="noopener"&gt;Standard or Strict preset security policies&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Prepare your help desk and users.&lt;/STRONG&gt; Users may start seeing warning or block experiences when Safe Links identifies a malicious destination. A simple heads-up can reduce confusion and support tickets. For more details and how to customize user notification, see &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/safe-links-policies-configure" target="_blank" rel="noopener"&gt;Set up Safe Links policies&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Plan for exceptions and tuning.&lt;/STRONG&gt; If you have specific users, domains, or workflows that need exclusions, review those requirements early so your team is ready to adjust policies after rollout.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Monitor what changes.&lt;/STRONG&gt; Use the Microsoft Defender portal and Microsoft Secure Score to track new detections, review improvement actions, and prioritize follow-up configuration work.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;If you use a third-party secure email gateway&lt;/H4&gt;
&lt;P&gt;If your organization routes email through a third-party secure email gateway such as Proofpoint, Mimecast, or Barracuda before it reaches Microsoft 365, you should review your configuration now. In many environments, it is recommended to configure &lt;A href="https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors" target="_blank" rel="noopener"&gt;Enhanced Filtering for Connectors&lt;/A&gt;, preserve original sender details in Exchange Online, and decide which service will handle link rewriting to avoid unnecessary overlap. If you are evaluating a broader consolidation of your email security stack, our guides on &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/defense-in-depth-guide" target="_blank" rel="noopener"&gt;defense in depth&lt;/A&gt; and &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/migrate-to-defender-for-office-365" target="_blank" rel="noopener"&gt;migration to Defender for Office 365&lt;/A&gt; can help.&lt;/P&gt;
&lt;H4&gt;Protection also extends to Microsoft Teams&lt;/H4&gt;
&lt;P&gt;The plan also extends protection to Microsoft Teams chats and channels. That includes protection for shared links and files, post-delivery removal of malicious content, admin controls to manage enforcement, and user reporting to help your security team investigate suspicious messages faster. For practitioners, this adds another layer of coverage across the collaboration tools users rely on every day.&lt;/P&gt;
&lt;H4&gt;Learn more&lt;/H4&gt;
&lt;P&gt;For implementation guidance, visit the &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/" target="_blank" rel="noopener"&gt;Microsoft Defender for Office 365 security documentation&lt;/A&gt;, review the &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/step-by-step-guide-overview" target="_blank" rel="noopener"&gt;step-by-step guides&lt;/A&gt;, and use the preset policy, defense in depth, migration, and connector configuration resources linked above to plan your rollout.&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jun 2026 16:29:24 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/microsoft-defender-for-office-365-plan-1-is-now-rolling-out-to/ba-p/4527287</guid>
      <dc:creator>VipulPandey</dc:creator>
      <dc:date>2026-06-18T16:29:24Z</dc:date>
    </item>
    <item>
      <title>No way to automate restoring user‑reported emails after “no threats found”</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/no-way-to-automate-restoring-user-reported-emails-after-no/m-p/4525644#M1152</link>
      <description>&lt;P&gt;When a user reports an email as phishing in Defender, the message gets moved to Deleted Items. After we triage it, if we mark it as “no threats found,” there’s no way to push it back to the user’s inbox as part of that workflow.&lt;/P&gt;&lt;P&gt;That creates a bit of a broken experience:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;User is told the email is safe with our customized email response, but has to go find it themselves&lt;/LI&gt;&lt;LI&gt;In a lot of cases they don’t (Outlook search won’t find it)&lt;/LI&gt;&lt;LI&gt;We end up with follow‑ups like “where did it go?”&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Technically we could restore the email as part of our triage process, but that just shifts the effort onto the SOC. It doesn’t scale, and it’s not really the right place for that work.&amp;nbsp; We have tried to create an automation to do this, but we have not been able to create an advanced hunting query based on our triage result that can then trigger an action to restore it to the mailbox.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So we end up choosing between:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Users having a bad experience, or&lt;/LI&gt;&lt;LI&gt;Analysts doing manual mailbox work&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Neither is ideal.&lt;/P&gt;&lt;P&gt;Other platforms (like Proofpoint) handle this end‑to‑end — once something is confirmed clean, it can be returned to the user automatically.&lt;/P&gt;&lt;P&gt;Right now Defender stops at classification instead of completing the workflow.&lt;/P&gt;&lt;P&gt;Is there a reason this isn’t wired in, or anything on the roadmap to address it?&lt;/P&gt;</description>
      <pubDate>Thu, 04 Jun 2026 17:30:51 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/no-way-to-automate-restoring-user-reported-emails-after-no/m-p/4525644#M1152</guid>
      <dc:creator>GT_deb</dc:creator>
      <dc:date>2026-06-04T17:30:51Z</dc:date>
    </item>
    <item>
      <title>Granular email content access with unified RBAC – now the default for new Defender tenants</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/granular-email-content-access-with-unified-rbac-now-the-default/ba-p/4505344</link>
      <description>&lt;P&gt;Email investigations are a key part of detecting and responding to phishing and malware. As security workflows continue to evolve, there is an increasing need to align email content visibility more closely with specific roles and scenarios, such as Tier‑1 analysis or specialized workflows like user‑reported phishing triage.&lt;/P&gt;
&lt;P&gt;Today we’re announcing additional “read-only” controls for more granular email access in Microsoft Defender and that starting on May 30&lt;SUP&gt;th&lt;/SUP&gt;, 2026, unified RBAC will become the new default for permission modeling for new tenants.&lt;/P&gt;
&lt;H4&gt;Unified RBAC in Microsoft Defender: a single, consistent permissions model&lt;/H4&gt;
&lt;P&gt;Microsoft Defender &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/manage-rbac" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;unified role&lt;/STRONG&gt;‑&lt;STRONG&gt;based access control&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt; (RBAC)&lt;/STRONG&gt; provides a centralized way to manage permissions across the Defender security portfolio, replacing the need to configure and audit access separately for each solution, including endpoint, identity, SaaS, Cloud, and more. Instead of stitching together service‑specific role models, unified RBAC gives security teams one consistent authorization framework to control what users can see and do across the Microsoft Defender portal.&lt;/P&gt;
&lt;P&gt;Unified RBAC is designed to support modern security operations by aligning access with real‑world roles, such as analysts, investigators, and administrators, while reducing the risk that comes from over‑permissioned accounts including:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Enforcing least‑privilege access consistently&lt;/LI&gt;
&lt;LI&gt;Understanding who has access to sensitive data across services&lt;/LI&gt;
&lt;LI&gt;Performing clean access reviews and audits&lt;/LI&gt;
&lt;LI&gt;Scaling permissions safely in tiered SOC or partner‑managed environments&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Unified RBAC addresses these challenges by converging permissions into a single model and separates read-only (data access) and manage (action‑taking) permissions by design, making access intent explicit and reducing accidental overexposure of sensitive security data.&lt;/P&gt;
&lt;H4&gt;More granular email permissions within unified RBAC&lt;/H4&gt;
&lt;P&gt;Unified RBAC now supports additional read‑only permissions for specific email content scenarios—so access can be matched precisely to investigation and review workflows.&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="color: rgb(30, 30, 30); font-size: 20px;"&gt;1. New permission-Email &amp;amp; collaboration content: Emails associated with alerts&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;The new &lt;STRONG&gt;Emails associated with alerts &lt;/STRONG&gt;permission allows analysts to preview or download emails only when they are directly associated with a security alert, without granting access to all email content. Initially, this permission applies to alerts of type &lt;STRONG&gt;&lt;EM&gt;Email reported by user as malware or phish and Email reported by user as junk&lt;/EM&gt;&lt;/STRONG&gt;, which is one of the most common investigation entry points for security teams. Only emails tied to that alert type can be previewed or downloaded. Support for additional alert types will expand in future updates.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why this matters:&lt;/STRONG&gt; Tier‑1 analysts and triage teams can investigate user‑reported threats quickly and effectively, without being granted visibility into unrelated emails.&lt;/P&gt;
&lt;img /&gt;
&lt;H5&gt;2. New permission- Email and Collaboration content: Quarantine Emails&lt;/H5&gt;
&lt;P&gt;This new permission allows previewing and downloading &lt;STRONG&gt;only emails that are in admin quarantine&lt;/STRONG&gt;, supporting roles responsible for reviewing or validating quarantined messages – without broader email access.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Important:&lt;/STRONG&gt; After this update, &lt;STRONG&gt;Email &amp;amp; collaboration quarantine&lt;/STRONG&gt; and &lt;STRONG&gt;Security data basics&lt;/STRONG&gt; will no longer provide email content preview or download by themselves. To allow content visibility for quarantined messages, you must explicitly assign &lt;STRONG&gt;Emails in Quarantine&lt;/STRONG&gt;. This change clarifies role boundaries and simplifies audits by making content access intentional and explicit. Read more &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files#what-do-you-need-to-know-before-you-begin" target="_blank" rel="noopener"&gt;here&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why this matters:&lt;/STRONG&gt; Quarantine review teams can access exactly what they need—no more, no less—supporting least-privilege access by design.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;These permissions extend the Unified RBAC model for email &amp;amp; collaboration by separating visibility from action. They allow security teams to grant targeted access to email content only where it’s required, while preserving full content access for senior investigators and incident response teams.&lt;/P&gt;
&lt;P&gt;Full email content access remains available through existing permissions—such &lt;STRONG&gt;as Email &amp;amp; collaboration content: All emails&lt;/STRONG&gt;—for senior investigators and incident response teams who require unrestricted visibility.&lt;/P&gt;
&lt;H5&gt;Unified RBAC becomes the default for new Microsoft Defender tenants&lt;/H5&gt;
&lt;P&gt;Starting &lt;STRONG&gt;May 30&lt;SUP&gt;th&lt;/SUP&gt;, 2026, Unified RBAC&lt;/STRONG&gt; &lt;STRONG&gt;will be enabled by default&lt;/STRONG&gt; for new Microsoft Defender for Office 365 Plan 2 tenants, making it the primary permissions model that enables a single, unified authorization model across the Defender suite. Permissions are managed through Defender unified RBAC roles, alongside Microsoft Entra roles where applicable (e.g. for Attack Simulation Training). Making Unified RBAC the default for new tenants is a key step toward simplifying permissions management and embeds &lt;STRONG&gt;least-privilege access by design&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H4&gt;Learn more&lt;/H4&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/manage-rbac" target="_blank" rel="noopener"&gt;Microsoft Defender Unified role-based access control (RBAC) &lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/create-custom-rbac-roles" target="_blank" rel="noopener"&gt;Create custom roles with Microsoft Defender Unified role-based access control (RBAC)&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files" target="_blank" rel="noopener"&gt;Manage quarantined messages and files as an admin&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page" target="_blank" rel="noopener"&gt;The Email entity page in Defender for Office 365&lt;/A&gt;&lt;/LI&gt;
&lt;/OL&gt;</description>
      <pubDate>Wed, 29 Apr 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/granular-email-content-access-with-unified-rbac-now-the-default/ba-p/4505344</guid>
      <dc:creator>VipulPandey</dc:creator>
      <dc:date>2026-04-29T16:00:00Z</dc:date>
    </item>
    <item>
      <title>Declutter and Defend: Reducing promotional mail noise with Microsoft Defender</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/declutter-and-defend-reducing-promotional-mail-noise-with/ba-p/4511732</link>
      <description>&lt;P&gt;Enterprise inboxes are overwhelmed with &lt;STRONG&gt;graymail&lt;/STRONG&gt; — legitimate, bulk email like newsletters, vendor promotions, and product updates that isn't malicious but buries the messages that matter. When high volumes of these mails land in the inbox, it crowds out priority communications and can dull security vigilance. Employees conditioned to ignore repetitive emails may miss signs of a real threat. It also creates recurring work for admins and security teams who must continuously tune filters, manage exception requests, and chase noise from user reports for email that isn’t malicious. Because graymail passes every spam filter check, traditional defenses don't separate it — leaving this signal-to-noise gap unaddressed.&lt;/P&gt;
&lt;P&gt;Today we’re excited to announce that &lt;STRONG&gt;Microsoft Defender now includes built-in graymail filtering. &lt;/STRONG&gt;It is delivered natively through a new &lt;STRONG&gt;Promotions experience in Outlook&lt;/STRONG&gt; that automatically classifies and separates bulk email, so it no longer competes with business-critical communication in the inbox. Now in&amp;nbsp;&lt;STRONG&gt;Public Preview&lt;/STRONG&gt;, this capability learns from how users interact with graymail to become more accurate over time. Coupled with the existing &lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/introducing-bulk-senders-insight-optimizing-bulk-email-management-for-enterprise/4193963" target="_blank" rel="noopener"&gt;Bulk Senders Insight report&lt;/A&gt;, Defender brings data-driven bulk classification and control into the security workflows you already use.&lt;/P&gt;
&lt;H5&gt;What Is Graymail?&lt;/H5&gt;
&lt;P&gt;Graymail is legitimate bulk email that isn't malicious—product newsletters, event announcements, marketing promotions, and software update notifications from reputable, authenticated senders. It is distinct from spam and from phishing - graymail comes from real organizations with proper authentication and traditional spam filters aren't designed to handle it.&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;Graymail handling in Microsoft Defender&lt;/H4&gt;
&lt;P&gt;Microsoft Defender's approach is built on three principles: &lt;STRONG&gt;classify intelligently, deliver natively, and learn continuously&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H5&gt;Promotions Folder — Intelligent Inbox Organization&lt;/H5&gt;
&lt;P&gt;A dedicated &lt;STRONG&gt;Promotions folder,&lt;/STRONG&gt; natively provisioned in Outlook, now keeps legitimate bulk mail out of the primary inbox. Promotional content is separated from priority emails without being sent to &lt;STRONG&gt;Junk&lt;/STRONG&gt;, which means users can still access and browse newsletters and updates at their own pace. The folder appears at the top level of the mailbox for easy discovery and is visible across all Outlook experiences.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Non-spam bulk mail&lt;/STRONG&gt; below the organization's configured &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-complaint-level-bcl-about" target="_blank" rel="noopener"&gt;Bulk Complaint Level&lt;/A&gt; threshold is automatically routed to the Promotions folder.&lt;/LI&gt;
&lt;LI&gt;Messages from senders the user has explicitly&amp;nbsp;&lt;STRONG&gt;allowed&lt;/STRONG&gt; continue to land in the Inbox.&lt;/LI&gt;
&lt;LI&gt;Messages identified as&amp;nbsp;&lt;STRONG&gt;spam&lt;/STRONG&gt; continue to go to Junk.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;To enable the Promotions folder administrators need to enable the &lt;STRONG&gt;"Bulk Moves Enabled"&lt;/STRONG&gt; setting in their anti-spam policy. The Promotions folder is then created for all users and used for routing only when this setting is ON.&lt;/P&gt;
&lt;P&gt;Existing mail flow is unaffected.&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Figure 1: system tagging of “Promotions” in outlook client and promotions folder (previously tagged as “Bulk” in private and public preview)&lt;/EM&gt;&lt;/img&gt;
&lt;H5&gt;Promotional mail tagging and Mailbox Rule Support&lt;/H5&gt;
&lt;P&gt;Messages classified as graymail will automatically be labeled with a &lt;STRONG&gt;"Promotions" system tag&lt;/STRONG&gt; in Outlook. The tag provides instant visual context without requiring users to open each message and is visible in Outlook on the Web and the native Outlook desktop apps for Windows and Mac. During Public Preview, the tagging component is opt-in, requiring administrators to &lt;STRONG&gt;enable it by configuring an Exchange Transport Rule&lt;/STRONG&gt;. Once generally available, it will be enabled by default.&lt;/P&gt;
&lt;P&gt;Because this classification is integrated at the client level, the Promotions tag can also be used as a condition in Outlook mailbox rules. This enables custom routing logic for advanced scenarios like moving all promotions-tagged messages from a specific sender to a custom folder, flagging certain promotional emails for follow-up, or auto-forwarding or deleting promotions that meet specific criteria. This transforms the Promotions classification from a one-way filter into a flexible building block for personal and organizational workflows—particularly valuable for power users and teams with compliance or archival requirements.&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Figure 2: User inbox rules using “Promotion” tag (previously “Bulk” in private and public preview)&lt;/EM&gt;&lt;/img&gt;
&lt;H5&gt;Adaptive Learning&lt;/H5&gt;
&lt;P&gt;Microsoft Defender's graymail filtering gets smarter with every interaction. The system learns directly from how users handle their mail. When a user moves a message out of the Promotions folder and back to the Inbox, future emails from that sender will no longer be placed in the Promotions folder. When a user moves a message from the Inbox into the Promotions folder, future emails from that sender will be routed to the Promotions folder automatically.&lt;/P&gt;
&lt;P&gt;This creates a personalized, self-improving experience that becomes more accurate over time - no manual rule configuration required, no safe-sender lists to maintain, and no filtering rules for IT teams to manage on behalf of individual employees.&lt;/P&gt;
&lt;H5&gt;Built into existing Security Workflows&lt;/H5&gt;
&lt;P&gt;Administrators also gain visibility through the &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/introducing-bulk-senders-insight-optimizing-bulk-email-management-for-enterprise/4193963" target="_blank" rel="noopener" data-lia-auto-title="Bulk Senders Insight report" data-lia-auto-title-active="0"&gt;&lt;STRONG&gt;Bulk Senders Insight report&lt;/STRONG&gt;&lt;/A&gt;, which provides data-driven guidance on what your organization actually receives and can help tune your bulk mail filtering.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Graymail has long been the unsolved middle ground of email security—too legitimate to block, too noisy to ignore. Microsoft Defender now handles it where it should be handled: inside the platform, inside the mailbox, and inside the security workflows your organization already relies on. No new portals, no new vendors, no compromise between security and user experience.&lt;/P&gt;
&lt;H4&gt;Get Started&lt;/H4&gt;
&lt;OL&gt;
&lt;LI&gt;Configure promotions tagging and the promotions folder today - &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-complaint-level-bcl-about" target="_blank" rel="noopener"&gt;Bulk email detection documentation on Microsoft Learn&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;Monitor the experience using the &lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/introducing-bulk-senders-insight-optimizing-bulk-email-management-for-enterprise/4193963" target="_blank" rel="noopener" data-lia-auto-title="Bulk Senders Insight report" data-lia-auto-title-active="0"&gt;Bulk Senders Insight report&lt;/A&gt;.&lt;/LI&gt;
&lt;/OL&gt;</description>
      <pubDate>Thu, 23 Apr 2026 03:59:21 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/declutter-and-defend-reducing-promotional-mail-noise-with/ba-p/4511732</guid>
      <dc:creator>FaithEbenezerOquong</dc:creator>
      <dc:date>2026-04-23T03:59:21Z</dc:date>
    </item>
    <item>
      <title>Enable per‑user language selection for phishing simulation emails and landing pages</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/enable-per-user-language-selection-for-phishing-simulation/m-p/4513454#M1146</link>
      <description>&lt;P&gt;We use&amp;nbsp;&lt;STRONG&gt;Attack Simulation Training&lt;/STRONG&gt; to deliver phishing simulations to a global, multilingual user base. While Microsoft Defender supports multi‑language content, phishing simulation &lt;STRONG&gt;emails and landing pages are currently delivered in a single selected language per campaign&lt;/STRONG&gt;.&lt;/P&gt;&lt;P&gt;We are requesting a feature that allows &lt;STRONG&gt;phishing simulation emails and associated landing pages (including credential‑harvest pages)&lt;/STRONG&gt; to automatically render in each user’s preferred language, based on:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Outlook mailbox language settings, and/or&lt;/LI&gt;&lt;LI&gt;Microsoft Entra ID user language preferences&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;This capability would:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Improve realism and accuracy of phishing simulations&lt;/LI&gt;&lt;LI&gt;Ensure users experience simulations in the same language they normally work in&lt;/LI&gt;&lt;LI&gt;Improve behavioral measurement in global organizations&lt;/LI&gt;&lt;LI&gt;Reduce the need to create and manage multiple parallel simulations by language&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Providing consistent, per‑user language alignment across &lt;STRONG&gt;simulation emails, landing pages, and follow‑up training&lt;/STRONG&gt; would significantly enhance the effectiveness of Attack Simulation Training for large, multilingual enterprises.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Apr 2026 17:17:40 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/enable-per-user-language-selection-for-phishing-simulation/m-p/4513454#M1146</guid>
      <dc:creator>POlsen</dc:creator>
      <dc:date>2026-04-21T17:17:40Z</dc:date>
    </item>
    <item>
      <title>Enable automatic per‑user language selection for Defender training modules</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/enable-automatic-per-user-language-selection-for-defender/m-p/4513453#M1145</link>
      <description>&lt;P&gt;We use&amp;nbsp;&lt;STRONG&gt;Attack Simulation Training and Microsoft Defender training modules&lt;/STRONG&gt; as part of our security awareness program for a global audience.&lt;/P&gt;&lt;P&gt;Currently, training content is assigned in a single language per campaign, even though users already have &lt;STRONG&gt;preferred language settings defined in Outlook and Microsoft Entra ID (Azure AD)&lt;/STRONG&gt;. This creates challenges for multinational organizations and often requires duplicating campaigns or accepting that some users receive training in a non‑preferred language.&lt;/P&gt;&lt;P&gt;We are requesting a capability that allows &lt;STRONG&gt;Defender training modules to automatically display in each user’s preferred language&lt;/STRONG&gt;, based on:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Outlook mailbox language settings, and/or&lt;/LI&gt;&lt;LI&gt;Microsoft Entra ID user language preferences&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Enabling per‑user language selection would:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Improve comprehension and learning outcomes&lt;/LI&gt;&lt;LI&gt;Increase training effectiveness for non‑native speakers&lt;/LI&gt;&lt;LI&gt;Reduce administrative overhead and duplicated campaigns&lt;/LI&gt;&lt;LI&gt;Align Defender training with existing Microsoft 365 localization behavior&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Defender already supports training content in multiple languages. Allowing &lt;STRONG&gt;dynamic language delivery per user&lt;/STRONG&gt; would significantly improve scalability and usability for enterprise security awareness programs.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Apr 2026 17:15:09 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/enable-automatic-per-user-language-selection-for-defender/m-p/4513453#M1145</guid>
      <dc:creator>POlsen</dc:creator>
      <dc:date>2026-04-21T17:15:09Z</dc:date>
    </item>
    <item>
      <title>Announcing Public Preview: Security Copilot’s Email Summary in Microsoft Defender</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/announcing-public-preview-security-copilot-s-email-summary-in/ba-p/4510357</link>
      <description>&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Co-Authors: &lt;A class="lia-internal-link lia-internal-url lia-internal-url-user" href="https://techcommunity.microsoft.com/users/cristinadagamah/2944483" target="_blank" rel="noopener" data-lia-auto-title="Christina Da Gama Henriquez" data-lia-auto-title-active="0"&gt;Cristina Da Gama Henriquez&lt;/A&gt; and &lt;A class="lia-internal-link lia-internal-url lia-internal-url-user" href="https://techcommunity.microsoft.com/users/ajaj_shaikh/1489303" target="_blank" rel="noopener" data-lia-auto-title="Ajaj Shaikh" data-lia-auto-title-active="0"&gt;Ajaj Shaikh&lt;/A&gt;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;AI is rapidly reshaping both sides of the security landscape, and email remains one of the most common and complex entry points for attacks. As adversaries use AI to scale more sophisticated phishing and email-based threats, defenders are under pressure not just to detect them, but to quickly understand what actually happened. Microsoft continues to apply generative and agentic AI across the email protection stack to help stop threats before they reach the inbox and catch what inevitably gets through in the SOC. Still, for security analysts, understanding an email threat requires piecing together context across the incident and its related artifacts. Much of that context exists within the Email entity experience, but it is spread across metadata, timelines, URLs, and attachments, making it time-consuming to connect the dots and act with confidence.&lt;/P&gt;
&lt;P&gt;Today, we are excited to announce the public preview of Security Copilot’s Email summary capability, designed to bring those insights together and make email threat investigations faster, clearer, and more actionable. With Security Copilot included in Microsoft 365 E5, organizations will be able to bring AI directly into their flow of work—extending these benefits across the SOC at no additional cost.*&lt;/P&gt;
&lt;H4&gt;Bringing clarity into the investigation workflow&lt;/H4&gt;
&lt;img /&gt;&lt;img /&gt;
&lt;P&gt;Email summary brings AI-generated context directly into the Email entity page, transforming fragmented detection data into a clear, natural-language explanation of what happened and why. Analysts can access it from the Security Copilot right-side pane, the same place where Copilot activity across Microsoft Defender is surfaced. Instead of navigating across multiple views to reconstruct the story, analysts can generate a summary that connects the signals and highlights what matters most. And it all happens in seconds.&lt;/P&gt;
&lt;P&gt;Built on Security Copilot’s summarization capabilities, Email summary uses the same data analysts already rely on, like email metadata, timeline events, URLs, and attachments, and turns it into a cohesive narrative. It explains how a message was evaluated, what actions were taken, and where risk exists, without requiring manual correlation.&lt;SPAN style="color: rgb(30, 30, 30);"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H4&gt;A summary that follows how analysts think&lt;/H4&gt;
&lt;P&gt;The experience is intentionally embedded in the Email entity page, where investigations already happen, so analysts don’t have to change how they work to benefit from it. The output is structured to match how analysts approach an investigation. It starts with a concise overview of the email, including what was detected, what actions were taken, and any key indicators. From there, it walks through the timeline of events, helping reconstruct how the email was delivered, interacted with, and remediated. It also breaks down URLs and attachments, calling out malicious signals and explaining associated risks in plain language.&lt;/P&gt;
&lt;P&gt;Importantly, this is a user-triggered experience. Analysts generate a summary when they need it, ensuring the capability is both intentional and efficient.&lt;/P&gt;
&lt;H4&gt;From fragmented data to confident decisions&lt;/H4&gt;
&lt;P&gt;Email summary is a foundational step toward making email threat investigations more explainable and efficient. Today, it brings together existing signals into a clear, actionable narrative. Over time, it will evolve to incorporate additional signal depth: detonation (sandboxing) results, submission responses, and more granular insights from the filtering stack, further strengthening the completeness and fidelity of each investigation.&lt;/P&gt;
&lt;P&gt;As threats continue to grow in speed and sophistication, the ability to quickly understand and act is just as critical as detection itself. Email summary helps close that gap, giving analysts the clarity they need to respond with confidence.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-ccp-props="{}"&gt;*&lt;EM&gt;Eligible Microsoft 365 E5 customers will have 400 Security Compute Units (SCUs) per month for every 1,000 user licenses, up to 10,000 SCUs per month. This included capacity is expected to support typical scenarios. Customers will have an option to pay for scaling beyond the allocated amount at a future date with $6 per SCU on a pay-as-you-go basis, and will get a 30-day advanced notification when this option is available. &lt;/EM&gt;&lt;A class="lia-external-url" href="https://aka.ms/scpinclusioninfo" target="_blank"&gt;Learn more.&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Apr 2026 20:19:58 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/announcing-public-preview-security-copilot-s-email-summary-in/ba-p/4510357</guid>
      <dc:creator>cristinadagamah</dc:creator>
      <dc:date>2026-04-14T20:19:58Z</dc:date>
    </item>
    <item>
      <title>Do XDR Alerts cover the same alerts available in Alert Policies?</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/do-xdr-alerts-cover-the-same-alerts-available-in-alert-policies/m-p/4508139#M1144</link>
      <description>&lt;P&gt;The alerts in question are the 'User requested to release a quarantined message', 'User clicked a malicious link', etc. About 8 of these we send to 'email address removed for privacy reasons'. That administrator account has an EOM license, so Outlook rules can be set. We set rules to forward those 8 alerts to our 'email address removed for privacy reasons' address. This is, very specifically, so the alert passes through the @tenant.com address, and our ticketing endpoint knows what tenant sent it. But this ISN'T ideal because it requires an EOP license (or similar - this actually hasn't been an issue until now just because of our customer environments). I've looked at the following alternatives: -&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Setting email address removed for privacy reasons as the recipient directly on the Alert Policies in question. This results in the mail going directly from &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="2865264" data-lia-user-login="microsoft" class="lia-mention lia-mention-user"&gt;microsoft&lt;/a&gt; to our Ticketing Portal - so it ends up sorted into Microsoft tickets. and the right team doesn't get it.&amp;nbsp;&lt;/LI&gt;&lt;LI&gt;SMTP Forwarding via either Exchange AC User controls or Mail Flow Rules. But these aren't traditional forwarding, and they have the same issue as above.&amp;nbsp;&amp;nbsp;&lt;/LI&gt;&lt;LI&gt;Making administrator @tenant.com a SHARED mailbox that we can also login to (for administration purposes). But this doesn't allow you to set Outlook rules (or even login to Outlook).&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;I've checked out the newer alerts under Defender's Settings panel - XDR alerts, I think they're called. Wondering if these can be leveraged at all for this? Essentially, trying to get these Alerts to come to our external ticketing address, from the tenants domain (instead of Microsoft). I could probably update Autotask's rules to check for a header, and set that header via Mail Flow rules, but.. just hoping I don't have to do that for everyone.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 02 Apr 2026 18:43:55 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/do-xdr-alerts-cover-the-same-alerts-available-in-alert-policies/m-p/4508139#M1144</guid>
      <dc:creator>underQualifried</dc:creator>
      <dc:date>2026-04-02T18:43:55Z</dc:date>
    </item>
    <item>
      <title>Impersonation Protection: Users to Protect should also be Trusted Senders</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/impersonation-protection-users-to-protect-should-also-be-trusted/m-p/4508138#M1143</link>
      <description>&lt;P&gt;Hey all, sort of a weird question here. Teaching my staff about Impersonation Protection, and it's kind of occurred to me that any external sender added to 'Senders to Protect' sort of implicitly should also be a 'Trusted Sender'. Example - we're an MSP, and we want our Help Desk (email address removed for privacy reasons) to be protected from impersonation. Specifically, we want to protect the 'Help Desk' name.&amp;nbsp; So we add email address removed for privacy reasons to Senders to protect. However, we ALSO want to make sure our emails come thru. So we've ALSO had to add email address removed for privacy reasons to Trusted Senders on other tenants.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Chats with Copilot have sort of given me an understanding that this is essentially a 'which is more usefuI' scenario. But CoPilot makes things up, and I want some human input.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In theory, ANYONE we add to 'trusted senders' we ALSO want protected from Impersonation. Anyone we protect from Impersonation we ALSO want to trust. Copilot says you SHOULDN'T do both.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Which is better / more practical?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 02 Apr 2026 18:30:38 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/impersonation-protection-users-to-protect-should-also-be-trusted/m-p/4508138#M1143</guid>
      <dc:creator>underQualifried</dc:creator>
      <dc:date>2026-04-02T18:30:38Z</dc:date>
    </item>
    <item>
      <title>I would like to know the complete list of alerts whose serviceSource is MDO</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/i-would-like-to-know-the-complete-list-of-alerts-whose/m-p/4507270#M1142</link>
      <description>&lt;P&gt;Hi all&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;In order to determine the alerts that should be monitored by the SOC, I would like to identify, from the alerts listed at the link below, those whose serviceSource is Microsoft Defender for Office 365 (MDO).&lt;/P&gt;&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/alert-policies" target="_blank"&gt;Alert policies in the Microsoft Defender portal - Microsoft Defender XDR | Microsoft Learn&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I couldn’t find where this is documented, no matter how thoroughly I searched, so I would appreciate it if you could point me to the relevant documentation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;thx&lt;/P&gt;</description>
      <pubDate>Tue, 31 Mar 2026 12:14:37 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/i-would-like-to-know-the-complete-list-of-alerts-whose/m-p/4507270#M1142</guid>
      <dc:creator>Kota2</dc:creator>
      <dc:date>2026-03-31T12:14:37Z</dc:date>
    </item>
    <item>
      <title>From Impersonation Calls to Transparent Reporting: Defending the New Front Door of Attacks</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/from-impersonation-calls-to-transparent-reporting-defending-the/ba-p/4503050</link>
      <description>&lt;P&gt;Email is still a major entry point—but it’s no longer the only one that matters. Today’s attackers are increasingly shifting to &lt;STRONG&gt;collaboration channels like Microsoft Teams&lt;/STRONG&gt;, where trust is implicit and interaction is real time. Decisions happen fast, and that changes the economics of attacks. Adversaries can pressure users, adapt on the fly, and accelerate their objectives before traditional controls have time to respond. They can then pivot laterally across identities, endpoints, and cloud apps.&lt;/P&gt;
&lt;P&gt;And it’s not just chats and shared links anymore. &lt;STRONG&gt;Teams calling has emerged as a high-impact social-engineering path&lt;/STRONG&gt;—a “front door” attackers can use to bypass inbox defenses. They can impersonate familiar brands or internal functions. They can also try to extract credentials or persuade a user to take immediate action. In a typical flow, an attacker leverages urgency and context. For example, they may reference an “account issue” following suspicious email activity. They then use the real-time pressure of a call to drive a user toward compromise. That’s why protection must happen directly in the collaboration experience.&lt;/P&gt;
&lt;P&gt;At &lt;STRONG&gt;RSA 2026&lt;/STRONG&gt;, we’re announcing new Microsoft Defender capabilities designed for exactly this reality. They give SOC teams visibility that matches how attacks unfold across Microsoft Teams. They also help end users easily identify impersonation attempts, so they can stop them before compromise. And we’re introducing the new Protection and Posture Insights report, which provides tenant-specific insights about your collaboration security with Microsoft Defender.&lt;/P&gt;
&lt;H4&gt;Protect your organization from voice-based attacks in Microsoft Teams&lt;/H4&gt;
&lt;P&gt;&lt;STRONG&gt;Voice phishing (vishing) is a fast-growing vector&lt;/STRONG&gt; because it lets attackers bypass message-based filters and manipulate targets in real time. But security teams haven’t had the same level of coverage for Teams calls that they’ve come to expect for email and messages. That’s why we’re excited to announce inline protection and SOC- investigation capabilities for Microsoft Teams calls. Microsoft Defender can now stop the interaction&amp;nbsp;&lt;EM&gt;while it’s happening&lt;/EM&gt; and SOC teams can then investigate the full path &lt;EM&gt;after the fact&lt;/EM&gt;.&lt;/P&gt;
&lt;H4&gt;Hunt and remediate suspicious calls&lt;/H4&gt;
&lt;P&gt;When attackers use Teams calls to impersonate a brand, internal IT, or a trusted organization, security teams need more than anecdotal user reports—they need forensic visibility and the ability to act. Microsoft Defender has turned Teams calling from a blind spot into a &lt;STRONG&gt;first-class SOC signal&lt;/STRONG&gt;, so you can now:&lt;/P&gt;
&lt;P&gt;Investigate Teams calling activity at scale through Advanced hunting. Use new call-focused data to identify suspicious patterns and validate risk across the organization. This includes unusual external callers, first-time contacts, or activity that aligns with brand impersonation patterns.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Pivot directly into a call’s details using a call entity experience. Analysts can quickly understand what happened and who was involved, without stitching together context across multiple tools.&lt;/LI&gt;
&lt;LI&gt;Take mitigation actions inline by blocking malicious domains or addresses in Teams via the Tenant Allow/Block List. This turns investigation into immediate containment and helps prevent repeat attempts.&lt;/LI&gt;
&lt;LI&gt;Close the loop with end-user reporting. Pair what users flag as a security risk with what analysts can hunt and confirm. The SOC can move faster and reduce ambiguity when seconds matter.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img&gt;Figure 1: Teams call activity events in advanced hunting&lt;/img&gt;&lt;img&gt;Figure 2: Call entity panel for deeper investigation in advanced hunting&lt;/img&gt;
&lt;H4&gt;Stop impersonation in real time&lt;/H4&gt;
&lt;P&gt;While insights are critical, the most effective way to reduce vishing impact is to interrupt social engineering while the user is still deciding what to do.&lt;/P&gt;
&lt;P&gt;Now, when a Teams call appears to be impersonating a known organization or trusted entity, users will see a persistent in-call warning banner. It shows during the incoming-call experience and while on the call. That gives users clear, contextual guidance &lt;EM&gt;before&lt;/EM&gt; they comply with attacker instructions. It also extends the same protection approach used for chat impersonation into the calling surface.&lt;/P&gt;
&lt;img&gt;Figure 3: Teams call real-time notification informing the user that the call is suspicious.&lt;/img&gt;
&lt;P&gt;And because improving protection depends on learning from real interactions, users can also provide feedback by reporting a call as not a security risk to help improve the accuracy of warnings over time.&lt;/P&gt;
&lt;P&gt;That makes Defender the only collaboration security tool that provides inline user feedback – in real-time.&lt;/P&gt;
&lt;H4&gt;Turn Defender telemetry into executive-ready security understanding with the Protection &amp;amp; Posture Insights report&lt;/H4&gt;
&lt;P&gt;To help organizations clearly understand the threats targeting their environment and how Defender is helping protect against them, we are introducing the&lt;STRONG&gt; Protection &amp;amp; Posture Insights report.&lt;/STRONG&gt; It is available directly in the Defender portal and built on tenant-specific telemetry. The report provides a customized view of the spam, phishing, and malware campaigns observed against users—showing how attackers are attempting to gain access, what techniques are being used, who is being targeted, and where risk is concentrated across the environment.&lt;/P&gt;
&lt;P&gt;The Protection &amp;amp; Posture Insights report goes beyond surface-level threat counts to highlight patterns and exposure unique to each tenant, including emerging phishing techniques, malware delivery methods, and zero-day threats identified through detonation analysis. It also shows how these threats are handled across delivery locations—such as inbox, junk, and quarantine—and which detection technologies and policies are engaged, giving teams a clearer understanding of how attackers are interacting with their environment.&lt;/P&gt;
&lt;P&gt;In addition to threat visibility, the report delivers &lt;STRONG&gt;personalized insights and targeted security policy recommendations&lt;/STRONG&gt; based on each customer’s configuration and observed threat activity. By surfacing coverage gaps, priority account targeting, and opportunities to strengthen policy enforcement, teams can take focused action to reduce exposure and improve security posture. With consistent, tenant-specific reporting over time, organizations can validate results, track progress, and share credible, executive-ready security outcomes—without manual data assembly.&lt;/P&gt;
&lt;img&gt;Figure 4: Executive summary of the new Protection &amp;amp; Posture Insights report&lt;/img&gt;
&lt;P&gt;This kind of personalized visibility answers the most important question for any security team: what was stopped in &lt;EM&gt;my&lt;/EM&gt; environment, and why. It’s also helpful to pair those tenant-specific insights with an objective, industry-wide view. That’s why we publish official email security performance benchmarking. We use consistent, real-world measurements of detection and efficacy across phishing, malware, and spam. That way, you can compare Microsoft Defender against other secure email gateway (SEG) and integrated cloud email security (ICES) solutions. For a deeper look at what the latest results reveal, check out &lt;A href="https://www.microsoft.com/en-us/security/blog/2026/03/12/from-transparency-to-action-what-the-latest-microsoft-email-security-benchmark-reveals/" target="_blank" rel="noopener"&gt;From transparency to action: What the latest Microsoft email security benchmark reveals.&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;These new Microsoft Defender capabilities close a critical gap in collaboration security. They help customers interrupt Teams call–based social engineering. They also give the SOC actionable call visibility and faster containment to prevent repeat attempts. Combined with the Protection &amp;amp; Posture Insights report, security teams can more easily report what was stopped in their tenant. They can also prioritize the next control improvements and strengthen end‑to‑end SOC outcomes across email and Teams.&lt;/P&gt;
&lt;H4&gt;Visit Us at RSA 2026&amp;nbsp;&lt;/H4&gt;
&lt;P&gt;Join us at the Microsoft booth at the Moscone Center to see these innovations in action!&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;More information:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Learn more about &lt;/STRONG&gt;&lt;A href="https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-office-365" target="_blank" rel="noopener"&gt;Defender for Office 365&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Find out how to &lt;A href="https://aka.ms/protect-against-multi-modal-attacks" target="_blank" rel="noopener"&gt;protect your organization&lt;/A&gt; against multi-modal attacks&lt;/LI&gt;
&lt;LI&gt;Check out our recent blog: &lt;A href="https://aka.ms/disrupting-threat-targeting-teams" target="_blank" rel="noopener"&gt;Disrupting threats targeting Microsoft Teams&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Fri, 27 Mar 2026 23:13:51 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/from-impersonation-calls-to-transparent-reporting-defending-the/ba-p/4503050</guid>
      <dc:creator>JeffreyPinkston</dc:creator>
      <dc:date>2026-03-27T23:13:51Z</dc:date>
    </item>
    <item>
      <title>Defender for iOS: “This account has reached its devices limit” even though no devices are listed</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/defender-for-ios-this-account-has-reached-its-devices-limit-even/m-p/4499180#M1136</link>
      <description>&lt;UL&gt;&lt;LI&gt;I am using all 5 devices available (2 PC's, 1 Mac, 2 IOS devices)&lt;/LI&gt;&lt;LI&gt;I was trying to install Microsoft Defender for IOS on a new iPhone created by copying from the old phone (iPhone 11) to the new phone (iPhone 17).&lt;/LI&gt;&lt;LI&gt;I erased my old iPhone 11 while Defender was still installed&lt;/LI&gt;&lt;LI&gt;My Microsoft account shows&amp;nbsp;&lt;STRONG&gt;zero&lt;/STRONG&gt; mobile devices (none were linked to my MS account)&lt;/LI&gt;&lt;LI&gt;Defender on the new iPhone never completed sign‑in with my MS account&lt;/LI&gt;&lt;LI&gt;“Sign out everywhere” and app removal didn’t help (also app removal, restart IOS device, reinstall Defender for IOS)&lt;/LI&gt;&lt;LI&gt;You suspect a &lt;STRONG&gt;stuck Defender mobile enrollment token&lt;/STRONG&gt;&lt;/LI&gt;&lt;LI&gt;You need Microsoft to reset the backend mobile device slot&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;From Office Copilot:&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;H2&gt;What to tell the agent (so you don’t get bounced)&lt;/H2&gt;&lt;P&gt;Use this exact wording:&lt;/P&gt;&lt;P&gt;“Microsoft Defender for iOS says ‘This account has reached its devices limit’ even though no devices appear in my Microsoft account. My old iPhone was erased while Defender was still signed in. I need my Defender mobile device enrollment reset.”&lt;/P&gt;&lt;P&gt;This sends them straight to the backend reset tool.&lt;/P&gt;&lt;H2&gt;Why this works when everything else doesn’t&lt;/H2&gt;&lt;P&gt;The issue isn’t on your devices or in your account UI — it’s a &lt;STRONG&gt;server-side Defender mobile quota flag&lt;/STRONG&gt; that only Microsoft support can clear. The consumer Defender team (under Microsoft 365 support) is the only group with access to that system.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;img /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 03 Mar 2026 23:35:06 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/defender-for-ios-this-account-has-reached-its-devices-limit-even/m-p/4499180#M1136</guid>
      <dc:creator>Herzlich</dc:creator>
      <dc:date>2026-03-03T23:35:06Z</dc:date>
    </item>
    <item>
      <title>Part 3: Build custom email security reports with Power BI and workbooks in Microsoft Sentinel</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/part-3-build-custom-email-security-reports-with-power-bi-and/ba-p/4490127</link>
      <description>&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;TL;DR&lt;/EM&gt;&lt;/STRONG&gt;&lt;EM&gt;: We're releasing a brand-new Power BI template for email security reporting and a major update (v3) to the Microsoft Sentinel workbook. Both solutions share the same rich visuals and insights. Choose Power BI for quick deployment without Sentinel, or the Sentinel workbook for extended data retention and multi-tenant scenarios. Get started in minutes with either option.&lt;/EM&gt;&lt;/P&gt;
&lt;H2&gt;Introduction&lt;/H2&gt;
&lt;P&gt;Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. &amp;nbsp;While Microsoft Defender for Office 365 provides rich, built-in reporting capabilities, many security teams need custom reporting solutions to create dedicated views, combine multiple data sources, and derive deeper insights tailored to their unique requirements.&lt;/P&gt;
&lt;P&gt;Earlier last year (&lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/build-custom-email-security-reports-and-dashboards-with-workbooks-in-microsoft-s/4352242" target="_blank" rel="noopener"&gt;Part 1&lt;/A&gt; and &lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303" target="_blank" rel="noopener"&gt;Part 2&lt;/A&gt;) we shared examples of how you can use &lt;A href="https://learn.microsoft.com/azure/sentinel/monitor-your-data?tabs=azure-portal" target="_blank" rel="noopener"&gt;workbooks in Microsoft Sentinel&lt;/A&gt; to build a custom email security insights dashboard for Microsoft Defender for Office 365.&lt;/P&gt;
&lt;P&gt;Today, we are excited to announce the release of a &lt;STRONG&gt;new Power BI template file&lt;/STRONG&gt; for Microsoft Defender for Office 365 customers, along with an &lt;STRONG&gt;updated version&lt;/STRONG&gt; of the &lt;STRONG&gt;Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel.&lt;/STRONG&gt; Both &amp;nbsp;solutions share the same visual design and structure, giving you a consistent experience regardless of which platform you choose.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Power BI template file - &lt;/STRONG&gt;Microsoft Defender for Office 365 Detections and Insights:&lt;/P&gt;
&lt;img /&gt;&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft Sentinel workbook&lt;/STRONG&gt;&amp;nbsp;- Microsoft Defender for Office 365 Detections and Insights:&lt;/P&gt;
&lt;img /&gt;
&lt;H2&gt;NEW: Power BI template file for Microsoft Defender for Office 365 Detections and Insights&lt;/H2&gt;
&lt;P&gt;This custom reporting template file utilizes Power BI and Microsoft Defender XDR Advanced Hunting through the &lt;A href="https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Microsoft Graph security API&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt;.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;It is designed for Microsoft Defender for Office 365 customers who have access to Advanced Hunting but are not using Microsoft Sentinel.&lt;/P&gt;
&lt;P&gt;Advanced Hunting data in Microsoft Defender for Office 365 tables is available for up to 30 days. The reporting template uses these same data tables to visualize insights into an organization's email security, including protection, detection, and response metrics provided by Microsoft Defender for Office 365.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;U&gt;Note:&lt;/U&gt;&lt;/STRONG&gt; If data retention beyond 30 days is required, customers can use the Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel.&lt;/P&gt;
&lt;P&gt;You can find the new .pbit template file and detailed instructions on how to set up and use it in the &lt;A href="https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Microsoft%20Defender%20for%20Office%20365" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;unified Microsoft Sentinel and Microsoft 365 Defender GitHub repository&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt;.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;This new Power BI template uses the same visuals and structure as the Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel, providing an easy way to gain deep email security insights across a wide range of use cases.&lt;/P&gt;
&lt;img /&gt;&lt;img /&gt;
&lt;H2&gt;UPDATED: Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel&lt;/H2&gt;
&lt;P&gt;We are excited to announce the release of a &lt;STRONG&gt;new version (3.0.0)&lt;/STRONG&gt; of the &lt;STRONG&gt;Microsoft Defender for Office 365 Detections and Insights&lt;/STRONG&gt; workbook in &lt;STRONG&gt;Microsoft Sentinel&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;The workbook is part of the &lt;STRONG&gt;Microsoft Defender XDR&lt;/STRONG&gt; &lt;STRONG&gt;solution&lt;/STRONG&gt; in Microsoft Sentinel and can be installed and started to use with a few simple clicks.&lt;/P&gt;
&lt;P&gt;In this new release we incorporated feedback we have received from many customers in the past few months to add new visuals, updated existing visuals and add insights focusing on security operations.&lt;/P&gt;
&lt;H3&gt;What’s New&lt;/H3&gt;
&lt;P&gt;Here are some notable changes and new capabilities available in the updated workbook template.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Improved structure:&lt;/STRONG&gt; Headings and grouped insights have been added to tabs for easier navigation and understanding of metrics.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Contextual explanations:&lt;/STRONG&gt; Each tab, section, and visual now includes descriptions to help users interpret insights effectively.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Drill-down capability:&lt;/STRONG&gt; A single “Open query link” action allows users to view the underlying KQL query for each visual, enabling quick investigation and hunting by modifying conditions or removing summaries to access raw data.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Detection Dashboard tab enhancements:&lt;/STRONG&gt; Added an &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/reports-mdo-email-collaboration-dashboard#phish--malware-efficacy-card" target="_blank" rel="noopener"&gt;example Effectiveness metric&lt;/A&gt;, updated visuals to focus on overall Microsoft Defender for Office 365 protection values, and introduced new sections for &lt;A href="https://go.microsoft.com/fwlink/?linkid=2323913" target="_blank" rel="noopener"&gt;Emerging Threats&lt;/A&gt; and &lt;A href="https://www.microsoft.com/en-us/security/blog/2025/07/17/transparency-on-microsoft-defender-for-office-365-email-security-effectiveness/" target="_blank" rel="noopener"&gt;Microsoft 365 Secure Email Gateway Performance.&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;New Security Operations Center (SOC) Insights tab:&lt;/STRONG&gt; Provides operational metrics such as Security Incident Response, Investigation, and Response Actions for SOC teams.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Advanced threat insights:&lt;/STRONG&gt; Includes &lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-defender-for-office-365s-language-ai-for-phish-enhancing-email-securit/4410446" target="_blank" rel="noopener"&gt;new LLM-based content analysis&lt;/A&gt; detections and threat classification insights on the &lt;STRONG&gt;Emails – Phish Detections&lt;/STRONG&gt; tab.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;External forwarding insights:&lt;/STRONG&gt; Added deep visibility into &lt;STRONG&gt;Inbox rules&lt;/STRONG&gt; and &lt;STRONG&gt;SMTP forwarding in Outlook&lt;/STRONG&gt;, including destination details to assess potential data leakage risks.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Geo-location improvements:&lt;/STRONG&gt; Sender IPv4 insights now include top countries for better geographic context for each Threat types (Malware, Spam, Phish).&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Enhanced top attacked users and top senders:&lt;/STRONG&gt; Added &lt;STRONG&gt;TotalEmailCount&lt;/STRONG&gt; and &lt;STRONG&gt;Bad_Traffic_Percentage&lt;/STRONG&gt; for richer context in top attacked users and senders charts.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Expanded URL click insights:&lt;/STRONG&gt; URL click-based threat detection visuals now include &lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/safelinks-protection-for-links-generated-by-m365-copilot-chat-and-office-apps/4396828" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Microsoft 365 Copilot&lt;/STRONG&gt;&lt;/A&gt; as a workload.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;How to use the workbook across multiple tenants&lt;/H3&gt;
&lt;P&gt;If you manage multiple environments with Microsoft Sentinel — or you are an &lt;STRONG&gt;MSSP (Managed Security Service Provider)&lt;/STRONG&gt; working across multiple customer tenants — you can also use the workbook in multi‑tenant scenarios.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#use-cross-workspace-workbooks" target="_blank" rel="noopener"&gt;Once the required configuration is in place,&lt;/A&gt; you can change the Subscription and Workspace parameters in the workbook to be multi select and load data from one or multiple tenants.&lt;/P&gt;
&lt;P&gt;This enables to see deep email security insights in multi‑tenant environments, including:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Aggregated multi‑tenant view:&lt;/STRONG&gt;&lt;BR /&gt;You can view aggregated insights across tenants in a &lt;STRONG&gt;single workbook view&lt;/STRONG&gt;. By multi‑selecting tenants in the &lt;STRONG&gt;Subscription&lt;/STRONG&gt; and &lt;STRONG&gt;Workspace&lt;/STRONG&gt; parameters, the workbook automatically loads and combines data from all selected environments for all visuals on all tabs.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Side‑by-side‑ comparison:&lt;/STRONG&gt;&lt;BR /&gt;For example, you can compare phishing detection trends or top attacked users across two or more tenants simply by opening the workbook in two browser windows placed side by side.&lt;/LI&gt;
&lt;/UL&gt;
&lt;img /&gt;
&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; For the multiselect option‑ to work in the current workbook version, you need to manually adjust the &lt;STRONG&gt;Subscription&lt;/STRONG&gt; and &lt;STRONG&gt;Workspace&lt;/STRONG&gt; parameters. This configuration is planned to become the default in the next release of the workbook. Until then, you &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#use-cross-workspace-workbooks" target="_blank" rel="noopener"&gt;can simply apply this change using the workbook’s &lt;STRONG&gt;Edit&lt;/STRONG&gt; mode.&lt;/A&gt;&lt;/P&gt;
&lt;H3&gt;How to get the updated workbook version&lt;/H3&gt;
&lt;P&gt;The latest&amp;nbsp;version of the&amp;nbsp;&lt;STRONG&gt;Microsoft Defender for Office 365 Detections and Insights&lt;/STRONG&gt;&amp;nbsp;workbook is available&amp;nbsp;as part of&amp;nbsp;the&amp;nbsp;&lt;STRONG&gt;Microsoft&amp;nbsp;Defender XDR&lt;/STRONG&gt;&amp;nbsp;solution in the &lt;STRONG&gt;Microsoft Sentinel - Content hub&lt;/STRONG&gt;. Version&amp;nbsp;&lt;STRONG&gt;3.0.13&lt;/STRONG&gt;&amp;nbsp;of the solution has the updated workbook template.&lt;/P&gt;
&lt;P&gt;If you already have the&amp;nbsp;&lt;STRONG&gt;Microsoft Defender XDR&lt;/STRONG&gt;&amp;nbsp;solution deployed, &lt;STRONG&gt;version 3.0.13&lt;/STRONG&gt; is available now as an update. After you install the update, you will have the new workbook template available to use.&amp;nbsp;&lt;BR /&gt;&lt;STRONG&gt;Note&lt;/STRONG&gt;: If you had the workbook saved from a previous template version, make sure you delete the old workbook and use the save button on the new template to recreate a new local version with the latest updates.&lt;/P&gt;
&lt;img /&gt;&lt;img /&gt;
&lt;P&gt;If you install the&amp;nbsp;&lt;STRONG&gt;Microsoft Defender XDR&lt;/STRONG&gt; solution for the first time, you are deploying the latest version and will have the updated template ready to use.&lt;/P&gt;
&lt;H3&gt;How to edit and share the workbook with others&lt;/H3&gt;
&lt;P&gt;You can customize each visual easily. Simply edit the workbook after saving,&amp;nbsp;then&amp;nbsp;adjust the underlying KQL query,&amp;nbsp;change the type of&amp;nbsp;the&amp;nbsp;visual,&amp;nbsp;or&amp;nbsp;create new insights.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;More information:&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data?tabs=azure-portal" target="_blank" rel="noopener"&gt;Visualize your data using workbooks in Microsoft Sentinel | Microsoft Learn&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Granting other users access to the workbook also possible, see the &lt;A href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/manage-access-to-microsoft-sentinel-workbooks-with-lower-scoped-rbac/3906280" target="_blank" rel="noopener"&gt;Manage Access to Microsoft Sentinel Workbooks with Lower Scoped RBAC&lt;/A&gt; on the Microsoft Sentinel Blog.&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;Do you have feedback related to reporting in Microsoft Defender for Office 365?&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-teams="true"&gt;You can provide direct feedback via filling the form:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-teams="true"&gt;&lt;A href="https://aka.ms/mdoreportingfeedback" target="_blank" rel="noopener" aria-label="Link aka.ms/mdoreportingfeedback"&gt;aka.ms/mdoreportingfeedback&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Do you have questions or feedback about Microsoft Defender for Office 365?&lt;/P&gt;
&lt;P&gt;Engage with the community and Microsoft experts in the &lt;A href="https://aka.ms/MDOForum" target="_blank" rel="noopener"&gt;Defender for Office 365 forum&lt;/A&gt;. &amp;nbsp;&lt;/P&gt;
&lt;H2&gt;More information&lt;/H2&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal" target="_blank" rel="noopener"&gt;Integrate Microsoft Defender XDR with Microsoft Sentinel&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Learn more about Microsoft Sentinel&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data?tabs=azure-portal" target="_blank" rel="noopener"&gt;workbooks&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Learn more about&amp;nbsp;&lt;A href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank" rel="noopener"&gt;Microsoft Defender XDR&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 10 Feb 2026 22:50:16 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/part-3-build-custom-email-security-reports-with-power-bi-and/ba-p/4490127</guid>
      <dc:creator>dmozes</dc:creator>
      <dc:date>2026-02-10T22:50:16Z</dc:date>
    </item>
    <item>
      <title>Secure collaboration in Microsoft Teams with efficient and automated Threat Protection and response</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/secure-collaboration-in-microsoft-teams-with-efficient-and/ba-p/4484479</link>
      <description>&lt;H3&gt;New Layers of Protection for Teams Messages&lt;/H3&gt;
&lt;P&gt;With more than 300 million monthly active users on Microsoft Teams, ensuring secure collaboration has become increasingly critical. As the threat landscape continues to change, our security measures must adapt accordingly. To address these challenges, we are pleased to announce enhanced protection and Security Operations response capabilities for enterprise messages containing URLs in Teams, utilizing Microsoft Defender.&lt;/P&gt;
&lt;H3&gt;Threat Profile – Tech Support Impersonation with Phishing URLs&lt;/H3&gt;
&lt;P&gt;In previous &lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/protection-against-multi-modal-attacks-with-microsoft-defender/4438786" target="_blank" rel="noopener"&gt;blogs&lt;/A&gt;, we’ve discussed how threat actors are employing multimodal attacks and targeting users in an organization over Teams by impersonating tech support.&amp;nbsp; Lately some of these attackers have been observed steering their victims towards malicious websites that appear purpose-built to complete their harmful objectives while allaying the victim’s suspicions.&lt;/P&gt;
&lt;P&gt;The typical attack chain proceeds as follows:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Hybrid attacks often begin with mail bombing (spam) directed at the targeted individual, followed by Teams messages or calls in which the attacker impersonates IT support personnel offering to resolve the spam issue.&lt;/LI&gt;
&lt;LI&gt;Victims may then be deceived into granting system access to the attacker via remote management and monitoring tools such as Quick Assist or AnyDesk.&lt;/LI&gt;
&lt;LI&gt;In recent incidents, attackers have directed victims to malicious URLs that closely resemble legitimate internal IT security update or patching tools, featuring falsified logos and branding.&lt;/LI&gt;
&lt;LI&gt;These sites are actually conventional phishing platforms intended to capture user credentials and enable malware deployment, while victims believe their spam problem is being resolved.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;STRONG&gt;Below: &lt;/STRONG&gt;Rendering of a malicious URL shared over Teams by an attacker to an intended victim&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;Microsoft Defender uses robust detection engines and threat intelligence to support URL warnings, post-delivery protection, and advanced hunting for Teams, enabling comprehensive protection against evolving attack vectors.&lt;/P&gt;
&lt;H3&gt;Near real-time defense&lt;/H3&gt;
&lt;P&gt;&lt;EM&gt;For Worldwide customers with Teams enterprise licenses and above &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Our new advanced near-real-time protection ensures that any message containing URLs is thoroughly scanned and appropriately flagged before delivery. End users are notified with a warning tip upon messages delivery when malicious URLs are detected, helping them recognize and avoid potential risk. Threats don’t always appear right away, to stay ahead of evolving attacks, protection continues for up to 48 hours after a message is delivered. If a previously safe URL later becomes weaponized, the message is automatically updated with a warning tip, ensuring users remain protected even after the message reaches them.&lt;/P&gt;
&lt;P&gt;This dual-layered approach means:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Immediate warnings&lt;/STRONG&gt; for messages with known malicious URLs.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Post-delivery detection&lt;/STRONG&gt; that adapts to evolving threats.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Protection across internal and external communications&lt;/STRONG&gt;, including chats and channels, regardless of tenant origin.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These capabilities powered by Microsoft Defender will provide out-of-the-box protection as it will be enabled by default and will be available for all Teams enterprise users, with no additional configuration required. This ensures that every user benefits from advanced protection.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Figure 1: Recipient view of message warnings&lt;/img&gt;&lt;img&gt;Figure 2: Sender view of message warnings&lt;/img&gt;
&lt;H3&gt;Empowering Users and SOC Teams&lt;/H3&gt;
&lt;P&gt;&lt;EM&gt;For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Security is a shared responsibility. We’re enabling &lt;A href="https://learn.microsoft.com/defender-office-365/submissions-teams" target="_blank" rel="noopener"&gt;users to report&lt;/A&gt; false negatives (FN) and false positives (FP) directly from Teams messages. These reports feed into Microsoft Defender investigation workflows, helping improve detection accuracy and reduce support overhead.&lt;/P&gt;
&lt;P&gt;Users can now report potentially malicious messages or messages incorrectly detected as malicious directly from the message context menu in Microsoft Teams:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Report as security risk&lt;/STRONG&gt;: For messages that seem suspicious but weren’t flagged.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Report as not security risk&lt;/STRONG&gt;: For messages that were flagged but are actually safe.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This enables users to actively contribute to their organization's security management and protection efforts, while simultaneously enhancing the accuracy of Microsoft Defender detection controls. Reports may be submitted for both internal and external communications including chats, meetings, and channels ensuring comprehensive coverage across all collaboration platforms such as Teams web, desktop, and mobile clients. Upon submission, these reports are accessible to administrators and security operations personnel in the Microsoft Defender portal as incidents, where they can efficiently triage, investigate, and respond.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Figure 3: Report a concern&lt;/img&gt;&lt;img&gt;Figure 4: Report a wrong detection&lt;/img&gt;
&lt;H3&gt;Holistic Visibility for Security Operation Teams&lt;/H3&gt;
&lt;P&gt;&lt;EM&gt;For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Security Operation teams need context, coverage, and control. That’s why we’ve introduced three new Advanced Hunting tables in Microsoft Defender designed specifically to surface Microsoft Teams message metadata and enable deep investigations across both internal and external communications.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;MessageEvents&lt;/STRONG&gt;: Captures metadata for all Teams messages containing URLs at the time of delivery.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;MessagePostDeliveryEvents&lt;/STRONG&gt;: Surfaces messages that were flagged as malicious after delivery, including Zero-hour auto purge (ZAP) actions.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;MessageURLInfo&lt;/STRONG&gt;: Provides granular details on URLs extracted from Teams messages.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These tables are now generally available in the &lt;A href="https://security.microsoft.com/v2/advanced-hunting" target="_blank" rel="noopener"&gt;Microsoft Defeder portal&lt;/A&gt; providing direct insight into Teams message flows.&lt;/P&gt;
&lt;P&gt;SOC teams can now hunt across all external (federated) messages, not just messages that contain URLs. This is a major step forward in enabling cross-tenant threat detection and response, especially in today’s hybrid collaboration environments. All three tables are accessible via &lt;A href="https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&amp;amp;tabs=http" target="_blank" rel="noopener"&gt;Advanced Hunting APIs&lt;/A&gt; and &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/streaming-api" target="_blank" rel="noopener"&gt;Streaming APIs&lt;/A&gt;, allowing SOC teams to integrate hunting workflows into their existing automation pipelines.&lt;/P&gt;
&lt;P&gt;To further enhance visibility, we’ve added a new column called &lt;STRONG&gt;SafetyTip&lt;/STRONG&gt; to both the MessageEvents and MessagePostDeliveryEvents tables. This column flags whether a &lt;STRONG&gt;URL warning tip&lt;/STRONG&gt; was shown to the user in the Teams client, helping SOC teams distinguish between warning and block detections.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Figure 5: Hunt on message warnings&lt;/img&gt;
&lt;P&gt;Third-party security information and event management (SIEM) solutions can also integrate with and utilize these hunting tables via the Microsoft Defender Streaming API. For instance, in Splunk, the new tables may be configured to automatically flow into your Splunk instance, supporting extended data retention by leveraging the latest version of the Microsoft Defender Splunk connector. It is important to ensure that the new Teams protection tables are selected during connector configuration to enable the continuous transfer of relevant data.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Figure 6: Connector config and version needed to connect to 3rd party SIEMs&lt;/img&gt;
&lt;H3&gt;Empower Security Teams to Act Against Threats&lt;/H3&gt;
&lt;P&gt;&lt;EM&gt;For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;We’ve introduced a powerful new capability that gives security teams greater control and confidence when managing potential risks in Teams. With this feature, security admins can investigate suspicious conversations in Advanced Hunting and instantly &lt;A href="https://learn.microsoft.com/en-us/defender-office-365/teams-message-entity-panel" target="_blank" rel="noopener"&gt;remove internal users&lt;/A&gt; from unsafe chats, revoking their access and clearing all prior chat history to prevent further exposure. This proactive step ensures employees stay protected from threat actors and sensitive information remains secure.&lt;/P&gt;
&lt;P&gt;The experience is streamlined through the &lt;STRONG&gt;Action Wizard&lt;/STRONG&gt;, accessible directly from the Teams entity flyout, making remediation fast and intuitive. Every action is fully traceable in &lt;STRONG&gt;Action Center&lt;/STRONG&gt;, providing a centralized view for monitoring and validating security interventions, while &lt;STRONG&gt;audit logs&lt;/STRONG&gt; deliver records for reporting. These capabilities empower organizations to contain risks in real time, strengthen collaboration security, and maintain trust across their digital workplace.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Figure 7: remove a user from a conversation directly from the defender portal&lt;/img&gt;
&lt;H3&gt;Response capabilities for Security Teams&lt;/H3&gt;
&lt;P&gt;&lt;EM&gt;For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;In addition to these enhanced detection, investigation and hunting capabilities, security team members are now able to perform advanced response actions for Microsoft Teams directly in the Microsoft Defender portal. Security Operations Center (SOC) analysts and admins can directly block malicious domains from within the &lt;A href="https://security.microsoft.com/tenantAllowBlockList" target="_blank" rel="noopener"&gt;Microsoft Defender portal&lt;/A&gt;, seamlessly adding targeted entries to the Teams Admin Center (TAC) blocked domains list without leaving their security workflows and switching portals. This capability enables near real-time protection when suspicious or abusive external organizations are identified. SOC teams can immediately block suspicious organizations, effectively halting new external chat messages, invites, and channel communications from those domains while deleting existing ones. These controls empower organizations to react to emerging risks in minutes, all while maintaining compliance and reducing operational overhead.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;Figure 8: Block domains in Teams via TABL&lt;/img&gt;
&lt;H3&gt;Expanding Admin Quarantine and Zero-Hour Auto-Purge (ZAP) to MDO P1&lt;/H3&gt;
&lt;P&gt;We are also extending the power of Zero-hour auto-purge (ZAP) and Teams admin quarantine to even more customers, bringing this post-delivery protection layer to Microsoft Defender for Office 365 Plan 1. This reinforces our commitment to secure-by-default protection across all Microsoft Teams environments.&lt;/P&gt;
&lt;P&gt;ZAP automatically moves malicious messages containing phishing or malware URLs from internal Teams chats and channels to admin quarantine in the Microsoft Defender portal. This post-delivery protection ensures that even if a threat evades initial detection, it can be neutralized before causing harm.&lt;/P&gt;
&lt;P&gt;This capability will be enabled by default for all Microsoft Teams customers with Microsoft Defender for Office Plan 1, providing immediate protection without requiring additional configuration. Security admins maintain full control through the Microsoft Defender portal, where quarantined Teams messages can be reviewed, managed, and released if needed. This expansion ensures more customers benefit from continuous, automated threat removal, strengthening protection across Teams with no extra effort required&lt;/P&gt;
&lt;P&gt;These new protections reflect our commitment to delivering security that scales effortlessly with the way people work today. By combining real-time detection, post-delivery protection, and user-driven feedback loops, we’re giving organizations the tools to stay ahead of emerging threats without slowing down collaboration.&lt;/P&gt;
&lt;P&gt;These capabilities are engineered to operate efficiently in the background, providing assurance and proactive security measures. This enables frontline workers, IT administrators, and SOC analysts to concentrate on their core responsibilities while maintaining a secure working environment.&lt;/P&gt;
&lt;H3&gt;To learn more&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/defender-office-365/mdo-support-teams-about" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/defender-office-365/mdo-support-teams-about&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/defender-office-365/mdo-support-teams-quick-configure" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/defender-office-365/mdo-support-teams-quick-configure&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/defender-office-365/mdo-support-teams-sec-ops-guide" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/defender-office-365/mdo-support-teams-sec-ops-guide&lt;/A&gt;&lt;/LI&gt;
&lt;/OL&gt;</description>
      <pubDate>Wed, 14 Jan 2026 17:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/secure-collaboration-in-microsoft-teams-with-efficient-and/ba-p/4484479</guid>
      <dc:creator>MalvikaBalaraj</dc:creator>
      <dc:date>2026-01-14T17:00:00Z</dc:date>
    </item>
    <item>
      <title>I have absolutely no idea what Microsoft Defender 365 wants me to do here</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/i-have-absolutely-no-idea-what-microsoft-defender-365-wants-me/m-p/4481993#M1132</link>
      <description>&lt;P&gt;The process starts with an emal:&lt;/P&gt;&lt;img /&gt;&lt;P&gt;There's more below on the email - an offer for credit monitoring, an option to add another device, an option to download the mobile app - but I don't want to do any of the, so I click on the "Open Defender" button, which results in this:&lt;/P&gt;&lt;img /&gt;&lt;P&gt;OK, so my laptop is the bad boy here, there's that Status not of "Action recommended", with no "recommendations" and the only live link here is "Add device", something I don't need to do.&amp;nbsp; The only potential "problem" I can even guess at here is that Microsoft is telling me that the laptop needs updating.&amp;nbsp; Since I seldom use the laptop, only when traveling, I'd guess the next time I'd fire it up the update will occur, but of course I really don't know that's the recommended action it's warning me about, do I?&amp;nbsp;&lt;/P&gt;&lt;P&gt;You'd expect that if something is warning you "ACTION NEEDED!!!" they'd be a little more explicit, wouldn't you?&lt;/P&gt;</description>
      <pubDate>Tue, 30 Dec 2025 15:30:01 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/i-have-absolutely-no-idea-what-microsoft-defender-365-wants-me/m-p/4481993#M1132</guid>
      <dc:creator>JustTom</dc:creator>
      <dc:date>2025-12-30T15:30:01Z</dc:date>
    </item>
    <item>
      <title>Tenant Forwarding - Trusted ARC Sealer</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/tenant-forwarding-trusted-arc-sealer/m-p/4478434#M1131</link>
      <description>&lt;P&gt;As part of a tenant to tenant migration we often need to forward mail from one tenant to another. This can cause some issues with email authentication verdicts on the destination tenant. Is it possible or best practice to configure another tenant as a Trusted ARC sealer to help with forwarded email deliverability?&lt;/P&gt;</description>
      <pubDate>Tue, 16 Dec 2025 16:57:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/tenant-forwarding-trusted-arc-sealer/m-p/4478434#M1131</guid>
      <dc:creator>weebles</dc:creator>
      <dc:date>2025-12-16T16:57:00Z</dc:date>
    </item>
    <item>
      <title>Strengthening calendar security through enhanced remediation</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/strengthening-calendar-security-through-enhanced-remediation/ba-p/4456876</link>
      <description>&lt;P&gt;In today’s evolving threat landscape, phishing attacks are becoming increasingly sophisticated, often leveraging meeting invites to bypass traditional defenses. While Security Operations (SOC) teams rely on Microsoft Defender’s remediation actions to remove malicious emails, a hidden risk persists: calendar entries created by Outlook during email delivery. These entries can remain active even after the email is deleted, leaving users exposed to harmful content. This update addresses that gap.&lt;/P&gt;
&lt;H4&gt;Remediation supports cleaning up calendar entries&lt;/H4&gt;
&lt;P&gt;SOC teams currently use remediation actions such as &lt;STRONG&gt;Move to Junk&lt;/STRONG&gt;, &lt;STRONG&gt;Delete&lt;/STRONG&gt;, &lt;STRONG&gt;Soft Delete&lt;/STRONG&gt;, and &lt;STRONG&gt;Hard Delete&lt;/STRONG&gt; to quickly eliminate email threats from user inboxes. However, meeting invite emails introduce an additional challenge. Even after the email is removed, Outlook automatically creates a calendar entry during delivery, which remains accessible to users.&lt;/P&gt;
&lt;P&gt;For example, consider a phishing email sent as a meeting invite. Despite the admin removing the email from the user’s inbox, the user can still interact with the same malicious content via the calendar entry.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;&lt;img /&gt;
&lt;P&gt;This residual entry may contain harmful links or phishing content, creating a security gap. With this update, we’re taking the first step toward closing that gap. &lt;STRONG&gt;Hard Delete&lt;/STRONG&gt; will now also remove the associated calendar entry for any meeting invite email. This ensures threats are fully eradicated—not just from the inbox but also from the calendar—reducing the risk of user interaction with malicious content.&lt;/P&gt;
&lt;P&gt;This change applies to &lt;STRONG&gt;Hard Delete&lt;/STRONG&gt; actions taken from any surface, including Explorer, Advanced Hunting, and API.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Note&lt;/STRONG&gt;:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1) Deleted calendar entries can be restored by resending the meeting invite.&lt;/P&gt;
&lt;P&gt;2) This action does not remove calendar entries manually added by users via .ics files.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Ability to Block URL domains via submission/TABL actions from Explorer&lt;/H4&gt;
&lt;P&gt;SOC teams can currently add senders and URLs to the TABL block list when submitting false negatives to Microsoft. However, phishing campaigns often use variations of URLs under the same parent domain, making full URL blocking less effective.&lt;/P&gt;
&lt;P&gt;With this update, TABL options for URL domains are now dynamically surfaced, enabling SOC teams to block entire domains without leaving their workflow. This enhancement simplifies remediation and strengthens defenses against domain-based phishing attacks.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;These updates strengthen SOC remediation workflows by closing critical security gaps and ensuring threats are fully neutralized across all user touchpoints. By extending remediation to calendar entries and enabling domain-level URL blocking, we deliver comprehensive protection that reduces risk, streamlines operations, and safeguards user experiences. At Microsoft, our priority is your security, and we remain committed to empowering SOC teams with tools that make defense smarter and more effective.&lt;/P&gt;
&lt;H4&gt;Learn more:&lt;/H4&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-office-365/remediate-malicious-email-delivered-office-365" target="_blank"&gt;Remediate malicious email that was delivered in Office 365 - Microsoft Defender for Office 365 | Microsoft Learn&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 24 Nov 2025 17:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/strengthening-calendar-security-through-enhanced-remediation/ba-p/4456876</guid>
      <dc:creator>nithinnara</dc:creator>
      <dc:date>2025-11-24T17:00:00Z</dc:date>
    </item>
    <item>
      <title>Email - Override/Bypass Events</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-override-bypass-events/m-p/4472544#M1129</link>
      <description>&lt;P&gt;Hi Community,&lt;/P&gt;&lt;P&gt;how can i extract the override/bypass informations by using EXO Powershell Module, Advanced Hunting or Graph API? I have searched in cmdlets but no luck.&amp;nbsp;&lt;/P&gt;&lt;img /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 24 Nov 2025 10:39:23 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-override-bypass-events/m-p/4472544#M1129</guid>
      <dc:creator>mhmmdrn</dc:creator>
      <dc:date>2025-11-24T10:39:23Z</dc:date>
    </item>
  </channel>
</rss>

