Microsoft Defender for Office 365 Blog articles

Declutter and Defend: Reducing promotional mail noise with Microsoft Defender

FaithEbenezerOquong — Thu, 23 Apr 2026 03:59:21 GMT

Enterprise inboxes are overwhelmed with graymail — legitimate, bulk email like newsletters, vendor promotions, and product updates that isn't malicious but buries the messages that matter. When high volumes of these mails land in the inbox, it crowds out priority communications and can dull security vigilance. Employees conditioned to ignore repetitive emails may miss signs of a real threat. It also creates recurring work for admins and security teams who must continuously tune filters, manage exception requests, and chase noise from user reports for email that isn’t malicious. Because graymail passes every spam filter check, traditional defenses don't separate it — leaving this signal-to-noise gap unaddressed.

Today we’re excited to announce that Microsoft Defender now includes built-in graymail filtering. It is delivered natively through a new Promotions experience in Outlook that automatically classifies and separates bulk email, so it no longer competes with business-critical communication in the inbox. Now in Public Preview, this capability learns from how users interact with graymail to become more accurate over time. Coupled with the existing Bulk Senders Insight report, Defender brings data-driven bulk classification and control into the security workflows you already use.

What Is Graymail?

Graymail is legitimate bulk email that isn't malicious—product newsletters, event announcements, marketing promotions, and software update notifications from reputable, authenticated senders. It is distinct from spam and from phishing - graymail comes from real organizations with proper authentication and traditional spam filters aren't designed to handle it.

Graymail handling in Microsoft Defender

Microsoft Defender's approach is built on three principles: classify intelligently, deliver natively, and learn continuously.

Promotions Folder — Intelligent Inbox Organization

A dedicated Promotions folder, natively provisioned in Outlook, now keeps legitimate bulk mail out of the primary inbox. Promotional content is separated from priority emails without being sent to Junk, which means users can still access and browse newsletters and updates at their own pace. The folder appears at the top level of the mailbox for easy discovery and is visible across all Outlook experiences.

Non-spam bulk mail below the organization's configured Bulk Complaint Level threshold is automatically routed to the Promotions folder.
Messages from senders the user has explicitly allowed continue to land in the Inbox.
Messages identified as spam continue to go to Junk.

To enable the Promotions folder administrators need to enable the "Bulk Moves Enabled" setting in their anti-spam policy. The Promotions folder is then created for all users and used for routing only when this setting is ON.

Existing mail flow is unaffected.

Figure 1: system tagging of “Promotions” in outlook client and promotions folder (previously tagged as “Bulk” in private and public preview)

Promotional mail tagging and Mailbox Rule Support

Messages classified as graymail will automatically be labeled with a "Promotions" system tag in Outlook. The tag provides instant visual context without requiring users to open each message and is visible in Outlook on the Web and the native Outlook desktop apps for Windows and Mac. During Public Preview, the tagging component is opt-in, requiring administrators to enable it by configuring an Exchange Transport Rule. Once generally available, it will be enabled by default.

Because this classification is integrated at the client level, the Promotions tag can also be used as a condition in Outlook mailbox rules. This enables custom routing logic for advanced scenarios like moving all promotions-tagged messages from a specific sender to a custom folder, flagging certain promotional emails for follow-up, or auto-forwarding or deleting promotions that meet specific criteria. This transforms the Promotions classification from a one-way filter into a flexible building block for personal and organizational workflows—particularly valuable for power users and teams with compliance or archival requirements.

Figure 2: User inbox rules using “Promotion” tag (previously “Bulk” in private and public preview)

Adaptive Learning

Microsoft Defender's graymail filtering gets smarter with every interaction. The system learns directly from how users handle their mail. When a user moves a message out of the Promotions folder and back to the Inbox, future emails from that sender will no longer be placed in the Promotions folder. When a user moves a message from the Inbox into the Promotions folder, future emails from that sender will be routed to the Promotions folder automatically.

This creates a personalized, self-improving experience that becomes more accurate over time - no manual rule configuration required, no safe-sender lists to maintain, and no filtering rules for IT teams to manage on behalf of individual employees.

Built into existing Security Workflows

Administrators also gain visibility through the Bulk Senders Insight report, which provides data-driven guidance on what your organization actually receives and can help tune your bulk mail filtering.

Graymail has long been the unsolved middle ground of email security—too legitimate to block, too noisy to ignore. Microsoft Defender now handles it where it should be handled: inside the platform, inside the mailbox, and inside the security workflows your organization already relies on. No new portals, no new vendors, no compromise between security and user experience.

Get Started

Configure promotions tagging and the promotions folder today - Bulk email detection documentation on Microsoft Learn.
Monitor the experience using the Bulk Senders Insight report.

Announcing Public Preview: Security Copilot’s Email Summary in Microsoft Defender

cristinadagamah — Tue, 14 Apr 2026 20:19:58 GMT

Co-Authors: Cristina Da Gama Henriquez and Ajaj Shaikh

AI is rapidly reshaping both sides of the security landscape, and email remains one of the most common and complex entry points for attacks. As adversaries use AI to scale more sophisticated phishing and email-based threats, defenders are under pressure not just to detect them, but to quickly understand what actually happened. Microsoft continues to apply generative and agentic AI across the email protection stack to help stop threats before they reach the inbox and catch what inevitably gets through in the SOC. Still, for security analysts, understanding an email threat requires piecing together context across the incident and its related artifacts. Much of that context exists within the Email entity experience, but it is spread across metadata, timelines, URLs, and attachments, making it time-consuming to connect the dots and act with confidence.

Today, we are excited to announce the public preview of Security Copilot’s Email summary capability, designed to bring those insights together and make email threat investigations faster, clearer, and more actionable. With Security Copilot included in Microsoft 365 E5, organizations will be able to bring AI directly into their flow of work—extending these benefits across the SOC at no additional cost.*

Bringing clarity into the investigation workflow

Email summary brings AI-generated context directly into the Email entity page, transforming fragmented detection data into a clear, natural-language explanation of what happened and why. Analysts can access it from the Security Copilot right-side pane, the same place where Copilot activity across Microsoft Defender is surfaced. Instead of navigating across multiple views to reconstruct the story, analysts can generate a summary that connects the signals and highlights what matters most. And it all happens in seconds.

Built on Security Copilot’s summarization capabilities, Email summary uses the same data analysts already rely on, like email metadata, timeline events, URLs, and attachments, and turns it into a cohesive narrative. It explains how a message was evaluated, what actions were taken, and where risk exists, without requiring manual correlation.

A summary that follows how analysts think

The experience is intentionally embedded in the Email entity page, where investigations already happen, so analysts don’t have to change how they work to benefit from it. The output is structured to match how analysts approach an investigation. It starts with a concise overview of the email, including what was detected, what actions were taken, and any key indicators. From there, it walks through the timeline of events, helping reconstruct how the email was delivered, interacted with, and remediated. It also breaks down URLs and attachments, calling out malicious signals and explaining associated risks in plain language.

Importantly, this is a user-triggered experience. Analysts generate a summary when they need it, ensuring the capability is both intentional and efficient.

From fragmented data to confident decisions

Email summary is a foundational step toward making email threat investigations more explainable and efficient. Today, it brings together existing signals into a clear, actionable narrative. Over time, it will evolve to incorporate additional signal depth: detonation (sandboxing) results, submission responses, and more granular insights from the filtering stack, further strengthening the completeness and fidelity of each investigation.

As threats continue to grow in speed and sophistication, the ability to quickly understand and act is just as critical as detection itself. Email summary helps close that gap, giving analysts the clarity they need to respond with confidence.

*Eligible Microsoft 365 E5 customers will have 400 Security Compute Units (SCUs) per month for every 1,000 user licenses, up to 10,000 SCUs per month. This included capacity is expected to support typical scenarios. Customers will have an option to pay for scaling beyond the allocated amount at a future date with $6 per SCU on a pay-as-you-go basis, and will get a 30-day advanced notification when this option is available. Learn more.

From Impersonation Calls to Transparent Reporting: Defending the New Front Door of Attacks

JeffreyPinkston — Fri, 27 Mar 2026 23:13:51 GMT

Email is still a major entry point—but it’s no longer the only one that matters. Today’s attackers are increasingly shifting to collaboration channels like Microsoft Teams, where trust is implicit and interaction is real time. Decisions happen fast, and that changes the economics of attacks. Adversaries can pressure users, adapt on the fly, and accelerate their objectives before traditional controls have time to respond. They can then pivot laterally across identities, endpoints, and cloud apps.

And it’s not just chats and shared links anymore. Teams calling has emerged as a high-impact social-engineering path—a “front door” attackers can use to bypass inbox defenses. They can impersonate familiar brands or internal functions. They can also try to extract credentials or persuade a user to take immediate action. In a typical flow, an attacker leverages urgency and context. For example, they may reference an “account issue” following suspicious email activity. They then use the real-time pressure of a call to drive a user toward compromise. That’s why protection must happen directly in the collaboration experience.

At RSA 2026, we’re announcing new Microsoft Defender capabilities designed for exactly this reality. They give SOC teams visibility that matches how attacks unfold across Microsoft Teams. They also help end users easily identify impersonation attempts, so they can stop them before compromise. And we’re introducing the new Protection and Posture Insights report, which provides tenant-specific insights about your collaboration security with Microsoft Defender.

Protect your organization from voice-based attacks in Microsoft Teams

Voice phishing (vishing) is a fast-growing vector because it lets attackers bypass message-based filters and manipulate targets in real time. But security teams haven’t had the same level of coverage for Teams calls that they’ve come to expect for email and messages. That’s why we’re excited to announce inline protection and SOC- investigation capabilities for Microsoft Teams calls. Microsoft Defender can now stop the interaction while it’s happening and SOC teams can then investigate the full path after the fact.

Hunt and remediate suspicious calls

When attackers use Teams calls to impersonate a brand, internal IT, or a trusted organization, security teams need more than anecdotal user reports—they need forensic visibility and the ability to act. Microsoft Defender has turned Teams calling from a blind spot into a first-class SOC signal, so you can now:

Investigate Teams calling activity at scale through Advanced hunting. Use new call-focused data to identify suspicious patterns and validate risk across the organization. This includes unusual external callers, first-time contacts, or activity that aligns with brand impersonation patterns.

Pivot directly into a call’s details using a call entity experience. Analysts can quickly understand what happened and who was involved, without stitching together context across multiple tools.
Take mitigation actions inline by blocking malicious domains or addresses in Teams via the Tenant Allow/Block List. This turns investigation into immediate containment and helps prevent repeat attempts.
Close the loop with end-user reporting. Pair what users flag as a security risk with what analysts can hunt and confirm. The SOC can move faster and reduce ambiguity when seconds matter.

Figure 1: Teams call activity events in advanced huntingFigure 2: Call entity panel for deeper investigation in advanced hunting

Stop impersonation in real time

While insights are critical, the most effective way to reduce vishing impact is to interrupt social engineering while the user is still deciding what to do.

Now, when a Teams call appears to be impersonating a known organization or trusted entity, users will see a persistent in-call warning banner. It shows during the incoming-call experience and while on the call. That gives users clear, contextual guidance before they comply with attacker instructions. It also extends the same protection approach used for chat impersonation into the calling surface.

Figure 3: Teams call real-time notification informing the user that the call is suspicious.

And because improving protection depends on learning from real interactions, users can also provide feedback by reporting a call as not a security risk to help improve the accuracy of warnings over time.

That makes Defender the only collaboration security tool that provides inline user feedback – in real-time.

Turn Defender telemetry into executive-ready security understanding with the Protection & Posture Insights report

To help organizations clearly understand the threats targeting their environment and how Defender is helping protect against them, we are introducing the Protection & Posture Insights report. It is available directly in the Defender portal and built on tenant-specific telemetry. The report provides a customized view of the spam, phishing, and malware campaigns observed against users—showing how attackers are attempting to gain access, what techniques are being used, who is being targeted, and where risk is concentrated across the environment.

The Protection & Posture Insights report goes beyond surface-level threat counts to highlight patterns and exposure unique to each tenant, including emerging phishing techniques, malware delivery methods, and zero-day threats identified through detonation analysis. It also shows how these threats are handled across delivery locations—such as inbox, junk, and quarantine—and which detection technologies and policies are engaged, giving teams a clearer understanding of how attackers are interacting with their environment.

In addition to threat visibility, the report delivers personalized insights and targeted security policy recommendations based on each customer’s configuration and observed threat activity. By surfacing coverage gaps, priority account targeting, and opportunities to strengthen policy enforcement, teams can take focused action to reduce exposure and improve security posture. With consistent, tenant-specific reporting over time, organizations can validate results, track progress, and share credible, executive-ready security outcomes—without manual data assembly.

Figure 4: Executive summary of the new Protection & Posture Insights report

This kind of personalized visibility answers the most important question for any security team: what was stopped in my environment, and why. It’s also helpful to pair those tenant-specific insights with an objective, industry-wide view. That’s why we publish official email security performance benchmarking. We use consistent, real-world measurements of detection and efficacy across phishing, malware, and spam. That way, you can compare Microsoft Defender against other secure email gateway (SEG) and integrated cloud email security (ICES) solutions. For a deeper look at what the latest results reveal, check out From transparency to action: What the latest Microsoft email security benchmark reveals.

These new Microsoft Defender capabilities close a critical gap in collaboration security. They help customers interrupt Teams call–based social engineering. They also give the SOC actionable call visibility and faster containment to prevent repeat attempts. Combined with the Protection & Posture Insights report, security teams can more easily report what was stopped in their tenant. They can also prioritize the next control improvements and strengthen end‑to‑end SOC outcomes across email and Teams.

Visit Us at RSA 2026

Join us at the Microsoft booth at the Moscone Center to see these innovations in action!

More information:

Learn more about Defender for Office 365
Find out how to protect your organization against multi-modal attacks
Check out our recent blog: Disrupting threats targeting Microsoft Teams

Part 3: Build custom email security reports with Power BI and workbooks in Microsoft Sentinel

dmozes — Tue, 10 Feb 2026 22:50:16 GMT

TL;DR: We're releasing a brand-new Power BI template for email security reporting and a major update (v3) to the Microsoft Sentinel workbook. Both solutions share the same rich visuals and insights. Choose Power BI for quick deployment without Sentinel, or the Sentinel workbook for extended data retention and multi-tenant scenarios. Get started in minutes with either option.

Introduction

Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. While Microsoft Defender for Office 365 provides rich, built-in reporting capabilities, many security teams need custom reporting solutions to create dedicated views, combine multiple data sources, and derive deeper insights tailored to their unique requirements.

Earlier last year (Part 1 and Part 2) we shared examples of how you can use workbooks in Microsoft Sentinel to build a custom email security insights dashboard for Microsoft Defender for Office 365.

Today, we are excited to announce the release of a new Power BI template file for Microsoft Defender for Office 365 customers, along with an updated version of the Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel. Both solutions share the same visual design and structure, giving you a consistent experience regardless of which platform you choose.

Power BI template file - Microsoft Defender for Office 365 Detections and Insights:

Microsoft Sentinel workbook - Microsoft Defender for Office 365 Detections and Insights:

NEW: Power BI template file for Microsoft Defender for Office 365 Detections and Insights

This custom reporting template file utilizes Power BI and Microsoft Defender XDR Advanced Hunting through the Microsoft Graph security API.

It is designed for Microsoft Defender for Office 365 customers who have access to Advanced Hunting but are not using Microsoft Sentinel.

Advanced Hunting data in Microsoft Defender for Office 365 tables is available for up to 30 days. The reporting template uses these same data tables to visualize insights into an organization's email security, including protection, detection, and response metrics provided by Microsoft Defender for Office 365.

Note: If data retention beyond 30 days is required, customers can use the Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel.

You can find the new .pbit template file and detailed instructions on how to set up and use it in the unified Microsoft Sentinel and Microsoft 365 Defender GitHub repository.

This new Power BI template uses the same visuals and structure as the Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel, providing an easy way to gain deep email security insights across a wide range of use cases.

UPDATED: Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel

We are excited to announce the release of a new version (3.0.0) of the Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel.

The workbook is part of the Microsoft Defender XDR solution in Microsoft Sentinel and can be installed and started to use with a few simple clicks.

In this new release we incorporated feedback we have received from many customers in the past few months to add new visuals, updated existing visuals and add insights focusing on security operations.

What’s New

Here are some notable changes and new capabilities available in the updated workbook template.

Improved structure: Headings and grouped insights have been added to tabs for easier navigation and understanding of metrics.
Contextual explanations: Each tab, section, and visual now includes descriptions to help users interpret insights effectively.
Drill-down capability: A single “Open query link” action allows users to view the underlying KQL query for each visual, enabling quick investigation and hunting by modifying conditions or removing summaries to access raw data.
Detection Dashboard tab enhancements: Added an example Effectiveness metric, updated visuals to focus on overall Microsoft Defender for Office 365 protection values, and introduced new sections for Emerging Threats and Microsoft 365 Secure Email Gateway Performance.
New Security Operations Center (SOC) Insights tab: Provides operational metrics such as Security Incident Response, Investigation, and Response Actions for SOC teams.
Advanced threat insights: Includes new LLM-based content analysis detections and threat classification insights on the Emails – Phish Detections tab.
External forwarding insights: Added deep visibility into Inbox rules and SMTP forwarding in Outlook, including destination details to assess potential data leakage risks.
Geo-location improvements: Sender IPv4 insights now include top countries for better geographic context for each Threat types (Malware, Spam, Phish).
Enhanced top attacked users and top senders: Added TotalEmailCount and Bad_Traffic_Percentage for richer context in top attacked users and senders charts.
Expanded URL click insights: URL click-based threat detection visuals now include Microsoft 365 Copilot as a workload.

How to use the workbook across multiple tenants

If you manage multiple environments with Microsoft Sentinel — or you are an MSSP (Managed Security Service Provider) working across multiple customer tenants — you can also use the workbook in multi‑tenant scenarios.

Once the required configuration is in place, you can change the Subscription and Workspace parameters in the workbook to be multi select and load data from one or multiple tenants.

This enables to see deep email security insights in multi‑tenant environments, including:

Aggregated multi‑tenant view:
You can view aggregated insights across tenants in a single workbook view. By multi‑selecting tenants in the Subscription and Workspace parameters, the workbook automatically loads and combines data from all selected environments for all visuals on all tabs.

Side‑by-side‑ comparison:
For example, you can compare phishing detection trends or top attacked users across two or more tenants simply by opening the workbook in two browser windows placed side by side.

Note: For the multiselect option‑ to work in the current workbook version, you need to manually adjust the Subscription and Workspace parameters. This configuration is planned to become the default in the next release of the workbook. Until then, you can simply apply this change using the workbook’s Edit mode.

How to get the updated workbook version

The latest version of the Microsoft Defender for Office 365 Detections and Insights workbook is available as part of the Microsoft Defender XDR solution in the Microsoft Sentinel - Content hub. Version 3.0.13 of the solution has the updated workbook template.

If you already have the Microsoft Defender XDR solution deployed, version 3.0.13 is available now as an update. After you install the update, you will have the new workbook template available to use.
Note: If you had the workbook saved from a previous template version, make sure you delete the old workbook and use the save button on the new template to recreate a new local version with the latest updates.

If you install the Microsoft Defender XDR solution for the first time, you are deploying the latest version and will have the updated template ready to use.

How to edit and share the workbook with others

You can customize each visual easily. Simply edit the workbook after saving, then adjust the underlying KQL query, change the type of the visual, or create new insights.

More information: Visualize your data using workbooks in Microsoft Sentinel | Microsoft Learn

Granting other users access to the workbook also possible, see the Manage Access to Microsoft Sentinel Workbooks with Lower Scoped RBAC on the Microsoft Sentinel Blog.

Do you have feedback related to reporting in Microsoft Defender for Office 365?

You can provide direct feedback via filling the form: aka.ms/mdoreportingfeedback

Do you have questions or feedback about Microsoft Defender for Office 365?

Engage with the community and Microsoft experts in the Defender for Office 365 forum. 

More information

Integrate Microsoft Defender XDR with Microsoft Sentinel
Learn more about Microsoft Sentinel workbooks
Learn more about Microsoft Defender XDR

Secure collaboration in Microsoft Teams with efficient and automated Threat Protection and response

MalvikaBalaraj — Wed, 14 Jan 2026 17:00:00 GMT

New Layers of Protection for Teams Messages

With more than 300 million monthly active users on Microsoft Teams, ensuring secure collaboration has become increasingly critical. As the threat landscape continues to change, our security measures must adapt accordingly. To address these challenges, we are pleased to announce enhanced protection and Security Operations response capabilities for enterprise messages containing URLs in Teams, utilizing Microsoft Defender.

Threat Profile – Tech Support Impersonation with Phishing URLs

In previous blogs, we’ve discussed how threat actors are employing multimodal attacks and targeting users in an organization over Teams by impersonating tech support. Lately some of these attackers have been observed steering their victims towards malicious websites that appear purpose-built to complete their harmful objectives while allaying the victim’s suspicions.

The typical attack chain proceeds as follows:

Hybrid attacks often begin with mail bombing (spam) directed at the targeted individual, followed by Teams messages or calls in which the attacker impersonates IT support personnel offering to resolve the spam issue.
Victims may then be deceived into granting system access to the attacker via remote management and monitoring tools such as Quick Assist or AnyDesk.
In recent incidents, attackers have directed victims to malicious URLs that closely resemble legitimate internal IT security update or patching tools, featuring falsified logos and branding.
These sites are actually conventional phishing platforms intended to capture user credentials and enable malware deployment, while victims believe their spam problem is being resolved.

Below: Rendering of a malicious URL shared over Teams by an attacker to an intended victim

Microsoft Defender uses robust detection engines and threat intelligence to support URL warnings, post-delivery protection, and advanced hunting for Teams, enabling comprehensive protection against evolving attack vectors.

Near real-time defense

For Worldwide customers with Teams enterprise licenses and above

Our new advanced near-real-time protection ensures that any message containing URLs is thoroughly scanned and appropriately flagged before delivery. End users are notified with a warning tip upon messages delivery when malicious URLs are detected, helping them recognize and avoid potential risk. Threats don’t always appear right away, to stay ahead of evolving attacks, protection continues for up to 48 hours after a message is delivered. If a previously safe URL later becomes weaponized, the message is automatically updated with a warning tip, ensuring users remain protected even after the message reaches them.

This dual-layered approach means:

Immediate warnings for messages with known malicious URLs.
Post-delivery detection that adapts to evolving threats.
Protection across internal and external communications, including chats and channels, regardless of tenant origin.

These capabilities powered by Microsoft Defender will provide out-of-the-box protection as it will be enabled by default and will be available for all Teams enterprise users, with no additional configuration required. This ensures that every user benefits from advanced protection.

Figure 1: Recipient view of message warningsFigure 2: Sender view of message warnings

Empowering Users and SOC Teams

For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

Security is a shared responsibility. We’re enabling users to report false negatives (FN) and false positives (FP) directly from Teams messages. These reports feed into Microsoft Defender investigation workflows, helping improve detection accuracy and reduce support overhead.

Users can now report potentially malicious messages or messages incorrectly detected as malicious directly from the message context menu in Microsoft Teams:

Report as security risk: For messages that seem suspicious but weren’t flagged.
Report as not security risk: For messages that were flagged but are actually safe.

This enables users to actively contribute to their organization's security management and protection efforts, while simultaneously enhancing the accuracy of Microsoft Defender detection controls. Reports may be submitted for both internal and external communications including chats, meetings, and channels ensuring comprehensive coverage across all collaboration platforms such as Teams web, desktop, and mobile clients. Upon submission, these reports are accessible to administrators and security operations personnel in the Microsoft Defender portal as incidents, where they can efficiently triage, investigate, and respond.

Figure 3: Report a concernFigure 4: Report a wrong detection

Holistic Visibility for Security Operation Teams

For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

Security Operation teams need context, coverage, and control. That’s why we’ve introduced three new Advanced Hunting tables in Microsoft Defender designed specifically to surface Microsoft Teams message metadata and enable deep investigations across both internal and external communications.

MessageEvents: Captures metadata for all Teams messages containing URLs at the time of delivery.
MessagePostDeliveryEvents: Surfaces messages that were flagged as malicious after delivery, including Zero-hour auto purge (ZAP) actions.
MessageURLInfo: Provides granular details on URLs extracted from Teams messages.

These tables are now generally available in the Microsoft Defeder portal providing direct insight into Teams message flows.

SOC teams can now hunt across all external (federated) messages, not just messages that contain URLs. This is a major step forward in enabling cross-tenant threat detection and response, especially in today’s hybrid collaboration environments. All three tables are accessible via Advanced Hunting APIs and Streaming APIs, allowing SOC teams to integrate hunting workflows into their existing automation pipelines.

To further enhance visibility, we’ve added a new column called SafetyTip to both the MessageEvents and MessagePostDeliveryEvents tables. This column flags whether a URL warning tip was shown to the user in the Teams client, helping SOC teams distinguish between warning and block detections.

Figure 5: Hunt on message warnings

Third-party security information and event management (SIEM) solutions can also integrate with and utilize these hunting tables via the Microsoft Defender Streaming API. For instance, in Splunk, the new tables may be configured to automatically flow into your Splunk instance, supporting extended data retention by leveraging the latest version of the Microsoft Defender Splunk connector. It is important to ensure that the new Teams protection tables are selected during connector configuration to enable the continuous transfer of relevant data.

Figure 6: Connector config and version needed to connect to 3rd party SIEMs

Empower Security Teams to Act Against Threats

For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

We’ve introduced a powerful new capability that gives security teams greater control and confidence when managing potential risks in Teams. With this feature, security admins can investigate suspicious conversations in Advanced Hunting and instantly remove internal users from unsafe chats, revoking their access and clearing all prior chat history to prevent further exposure. This proactive step ensures employees stay protected from threat actors and sensitive information remains secure.

The experience is streamlined through the Action Wizard, accessible directly from the Teams entity flyout, making remediation fast and intuitive. Every action is fully traceable in Action Center, providing a centralized view for monitoring and validating security interventions, while audit logs deliver records for reporting. These capabilities empower organizations to contain risks in real time, strengthen collaboration security, and maintain trust across their digital workplace.

Figure 7: remove a user from a conversation directly from the defender portal

Response capabilities for Security Teams

For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license

In addition to these enhanced detection, investigation and hunting capabilities, security team members are now able to perform advanced response actions for Microsoft Teams directly in the Microsoft Defender portal. Security Operations Center (SOC) analysts and admins can directly block malicious domains from within the Microsoft Defender portal, seamlessly adding targeted entries to the Teams Admin Center (TAC) blocked domains list without leaving their security workflows and switching portals. This capability enables near real-time protection when suspicious or abusive external organizations are identified. SOC teams can immediately block suspicious organizations, effectively halting new external chat messages, invites, and channel communications from those domains while deleting existing ones. These controls empower organizations to react to emerging risks in minutes, all while maintaining compliance and reducing operational overhead.

Figure 8: Block domains in Teams via TABL

Expanding Admin Quarantine and Zero-Hour Auto-Purge (ZAP) to MDO P1

We are also extending the power of Zero-hour auto-purge (ZAP) and Teams admin quarantine to even more customers, bringing this post-delivery protection layer to Microsoft Defender for Office 365 Plan 1. This reinforces our commitment to secure-by-default protection across all Microsoft Teams environments.

ZAP automatically moves malicious messages containing phishing or malware URLs from internal Teams chats and channels to admin quarantine in the Microsoft Defender portal. This post-delivery protection ensures that even if a threat evades initial detection, it can be neutralized before causing harm.

This capability will be enabled by default for all Microsoft Teams customers with Microsoft Defender for Office Plan 1, providing immediate protection without requiring additional configuration. Security admins maintain full control through the Microsoft Defender portal, where quarantined Teams messages can be reviewed, managed, and released if needed. This expansion ensures more customers benefit from continuous, automated threat removal, strengthening protection across Teams with no extra effort required

These new protections reflect our commitment to delivering security that scales effortlessly with the way people work today. By combining real-time detection, post-delivery protection, and user-driven feedback loops, we’re giving organizations the tools to stay ahead of emerging threats without slowing down collaboration.

These capabilities are engineered to operate efficiently in the background, providing assurance and proactive security measures. This enables frontline workers, IT administrators, and SOC analysts to concentrate on their core responsibilities while maintaining a secure working environment.

To learn more

Strengthening calendar security through enhanced remediation

nithinnara — Mon, 24 Nov 2025 17:00:00 GMT

In today’s evolving threat landscape, phishing attacks are becoming increasingly sophisticated, often leveraging meeting invites to bypass traditional defenses. While Security Operations (SOC) teams rely on Microsoft Defender’s remediation actions to remove malicious emails, a hidden risk persists: calendar entries created by Outlook during email delivery. These entries can remain active even after the email is deleted, leaving users exposed to harmful content. This update addresses that gap.

Remediation supports cleaning up calendar entries

SOC teams currently use remediation actions such as Move to Junk, Delete, Soft Delete, and Hard Delete to quickly eliminate email threats from user inboxes. However, meeting invite emails introduce an additional challenge. Even after the email is removed, Outlook automatically creates a calendar entry during delivery, which remains accessible to users.

For example, consider a phishing email sent as a meeting invite. Despite the admin removing the email from the user’s inbox, the user can still interact with the same malicious content via the calendar entry.

This residual entry may contain harmful links or phishing content, creating a security gap. With this update, we’re taking the first step toward closing that gap. Hard Delete will now also remove the associated calendar entry for any meeting invite email. This ensures threats are fully eradicated—not just from the inbox but also from the calendar—reducing the risk of user interaction with malicious content.

This change applies to Hard Delete actions taken from any surface, including Explorer, Advanced Hunting, and API.

Note:

1) Deleted calendar entries can be restored by resending the meeting invite.

2) This action does not remove calendar entries manually added by users via .ics files.

Ability to Block URL domains via submission/TABL actions from Explorer

SOC teams can currently add senders and URLs to the TABL block list when submitting false negatives to Microsoft. However, phishing campaigns often use variations of URLs under the same parent domain, making full URL blocking less effective.

With this update, TABL options for URL domains are now dynamically surfaced, enabling SOC teams to block entire domains without leaving their workflow. This enhancement simplifies remediation and strengthens defenses against domain-based phishing attacks.

These updates strengthen SOC remediation workflows by closing critical security gaps and ensuring threats are fully neutralized across all user touchpoints. By extending remediation to calendar entries and enabling domain-level URL blocking, we deliver comprehensive protection that reduces risk, streamlines operations, and safeguards user experiences. At Microsoft, our priority is your security, and we remain committed to empowering SOC teams with tools that make defense smarter and more effective.

Learn more:

Remediate malicious email that was delivered in Office 365 - Microsoft Defender for Office 365 | Microsoft Learn

Microsoft Ignite 2025: Transforming Phishing Response with Agentic Innovation

JeffreyPinkston — Tue, 18 Nov 2025 16:00:00 GMT

Phishing attacks remain one of the most persistent and damaging threats to organizations worldwide. Security teams are under constant pressure to investigate a growing number of user reported phishing emails daily, ensuring accurate verdicts and timely responses. As threats grow in volume and sophistication, SOC teams are forced to spend valuable time triaging and investigating, often at the expense of strategic defense and proactive threat hunting.

At Microsoft Ignite 2025 we are delivering innovation that showcases our continued commitment to infuse AI agents, and agentic workflows into the core of our email security solution and SOC operations to automate repetitive tasks, accelerate investigations, and provide transparent, actionable insights for every reported phishing email. In addition, we continue to invest in our ecosystem partnerships to empower customers with seamless integrations, as they adopt layered security solutions to comply with regulatory requirements, enhance detection, and ensure robust protection.

Today I’m excited to announce:

General Availability of the Security Copilot Phishing Triage Agent
Agentic Email Grading System in Microsoft Defender
Cisco and VIPRE Security Group join the Microsoft Defender ICES ecosystem

The Security Copilot Phishing Triage Agent is now generally available

In March 2025, we introduced the Phishing Triage Agent, designed to autonomously handle user-submitted phishing reports at scale. The agent classifies incoming alerts, resolves false positives, and escalates only the malicious cases that require human expertise. Today, we’re announcing its general availability. We will also be extending the agent to triage alerts for identity and cloud alerts.

The Phishing triage agent automates repetitive tasks, accelerates investigations, and every decision is transparent, allowing security teams to focus on what matters most—investigating real threats and strengthening the overall security posture. Early results prove how it is transforming analyst work:

Identified 6.5X more malicious alerts
Improved verdict accuracy by 77%
Agent supported analysts spent 53% more time investigating real threats

Agentic email grading: Advanced analysis of phishing email submissions

When customers report suspicious messages to Microsoft, they expect clarity, speed, and actionable insights to protect their environment. They expect a response they can trust, understand easily, and take additional investigation and response action for the organization.

Previously, when customers reported messages to Microsoft, our response depended largely on manual human grader reviews, creating delays and inconsistent verdicts. Customers often waited several hours for a response, and sometimes it lacked clarity on how a verdict was reached.

Today, we are excited to announce that we integrated an agentic grading system into the Microsoft Defender submission analysis and response workflow when customers report phishing messages to Microsoft.

Image 2: Agentic Email Grading: Advanced analysis of phishing email submissions

The agentic grading system brings a new level of speed and transparency to phishing analysis. It uses large language models (LLMs) orchestrated within an agentic workflow to analyze phishing emails, assess the full content of a submitted email, and communicate context and related metadata. This system combines advanced AI with existing machine learning models and human review for additional levels of accuracy and transparency for decision making. Every verdict comes with higher quality, clear verdicts, and context-rich explanations tailored to each phishing email submission. Additionally, it establishes a feedback mechanism that enhances continuous learning and self-healing, thereby strengthening and optimizing protection over time.

By reducing reliance on manual reviews, users will experience lower wait times, faster responses and higher-quality results. It will enable security teams to respond promptly and act confidently against phishing threats.

Over time we plan to expand beyond phishing verdicts to include spam, scam, bulk, and clean classifications, making the process more comprehensive. The system will continue to evolve through feedback and adapt to emerging attack patterns.

How to view agentic submission responses in Microsoft Defender

When you report a suspicious email—whether as an admin or an end user—you can now see how Microsoft Defender’s new agentic grading system evaluates your submission. To view agentic grading system responses, follow the steps below:

Report the suspicious email
Submit the email through the admin submission or user-reported submission process.
Sign in to Microsoft Defender
Go to https://security.microsoft.com.
Navigate to Submissions
From the left menu, select:
Investigation & response > Actions & submissions > Submissions.
Choose the correct tab

Emails for admin submissions
User reported for user submissions

Open the submission details
Click the email submission you want to review. A flyout panel will display Result details.
Look for the Agentic AI note
If the verdict was generated by Agentic AI, you’ll see:
“AI-generated content may be incorrect. Check it for accuracy.”

Image 3: AI generated explainable verdicts

Expanding the Integrated Cloud Email Security (ICES) ecosystem

In June, we introduced the Microsoft Defender ICES vendor ecosystem, a unified framework that enables seamless integration of Microsoft’s Defender’s email security solution with trusted third-party vendors. Today we are excited to announce two new partners: Cisco and VIPRE Security Group.

The addition of these partners to our ecosystem reinforces our ongoing commitment to support customers in their choice to strategically layer their email security solutions. Organizations benefit from a unified quarantine experience, and a deep integration across the various SOC experiences including threat explorer, advanced hunting, and the email entity page, while providing clear insight into detection efficacy of each solution.

As we continue to innovate, our commitment remains steadfast: empowering defenders with intelligent, transparent, and integrated security solutions that adapt to the evolving threat landscape. By infusing agentic AI into every layer of Microsoft Defender, expanding our ecosystem of trusted partners, and delivering faster, more actionable insights, we’re helping organizations build resilience and stay ahead of attackers. Our strategy is rooted in delivering real value making security simpler, more effective, and adapted to the needs of every customer.

Learn More:

Want to know what else is new in Microsoft Defender at Ignite 2025 check out the blog here.
For info on how to complete admin phish submissions, please see
For end user reported phish submissions, you need to have it configured for reporting messages to Microsoft. Set it up today.

Join us at Microsoft Ignite

Join us at Microsoft Ignite to see these advancements in action and discover how intelligent, agentic defense is becoming accessible to every organization. Don’t miss our featured sessions:

AI vs AI: Protect email and collaboration tools with Microsoft Defender on Thursday, November 20^th. Learn More.

Microsoft Defender: Building the agentic SOC with guest Allie Mellen on Wednesday, November 19^th. Learn more.
Empowering the SOC: Security Copilot and the rise of Agentic Defense on Friday, November 21^st. Learn more.

Microsoft Defender for Office 365: Fine-Tuning

RenWoods — Wed, 19 Nov 2025 20:52:09 GMT

In incident response, most business email compromise doesn’t start with “sophisticated zero-day malware.” It starts with configuration gaps: forwarding mail outside the tenant, users clicking through Safe Links warnings, impersonation policies left at day-one defaults, or post-delivery cleanup still relying on a human analyst at 2:00 AM. Those gaps are what attackers actually exploit.

This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements:

Core fine-tuning actions every email or security admin should land right now
Data-driven bulk mail tuning (BCL and Bulk Mail Insights)
Impersonation and anti-phishing policy hygiene for executive protection
Automate post-delivery cleanup by enabling Automated Remediation

Each section includes a short video and practical guidance you can apply immediately in Microsoft Defender for Office 365.

These recommendations align with Microsoft’s “secure by default” direction: applying the Standard and Strict preset security policies to users, using Configuration analyzer to catch configuration drift, and enforcing least-privilege release of high-risk mail.

When possible, enable the Preset security policies to give you Microsoft’s recommended settings for Safe Links, Safe Attachments, Anti-Phishing, and Anti-Spam.

If you use custom policies (or if you exclude users from the Presets) then use Configuration analyzer regularly to compare custom policies to the Standard/Strict baselines, since those get updated as Microsoft updates the Preset policies.

Core Fine-Tuning Checklist for Defender for Office 365

This section highlights six controls we recommend implementing broadly. These are “day one hardening” items we repeatedly validate with customers.

Block automatic external forwarding by default
Attackers often create hidden inbox rules that quietly forward mail (invoices, purchase orders, wire info) to an external account they control. Use outbound spam policies to block automatic external forwarding for the entire org and then create tightly scoped exceptions only for the handful of mailboxes that legitimately need it.

This prevents data leakage and payment fraud scenarios where mail auto-forwards out of your tenant without anyone noticing. Although this setting is on by default (“System Controlled” means that external forwarding is disabled), we’ve found many tenants where this was disabled because the admin didn’t know how to create a custom policy for authorized forwarders. The trick is to order custom outbound policies to run as a higher priority than the default outbound policy which should be set to block auto-forwarded emails. It is a good idea to regularly review the auto forwarded message report (located in the Exchange Admin Center).
Use Enhanced Filtering for Connectors (“skip listing”) when necessary
If you’re routing inbound mail through a third-party Secure Email Gateway or an on-prem hop before Microsoft 365, Defender will see that intermediary as the source IP instead of the original sending IP, which degrades anti-spoofing effectiveness.Enhanced Filtering for Connectors — also called skip listing — lets Microsoft 365 look past that last hop and evaluate the real sending IP and headers, so SPF / DKIM / DMARC and anti-spam logic work correctly.

This setting does not support centralized mail routing (unless the routing is linear; see the Enhanced Filtering for Connectors learn article), so make sure you are not using that before enabling Enhanced Filtering. Centralized routing is sometimes used by organizations running a hybrid Exchange deployment, connecting Exchange Online with an on-premises Exchange Server organization.

Important: Do this instead of blanket SCL -1 transport rules that “bypass spam filtering for anything coming from our gateway.” Over-bypassing means phishing that slipped through the third-party filter can sail straight to user inboxes, which Microsoft specifically warns against.
Turn on Safe Attachments protection beyond email (SharePoint, OneDrive, Teams)
In the Safe Attachments “Global settings,” make sure Defender for Office 365 is set to protect files in SharePoint, OneDrive, and Microsoft Teams. When enabled, if a file is identified as malicious, Defender automatically locks the file in-place so users can’t open it in Teams or OneDrive. This gives you malware detonation and containment in collaboration channels, not just email.

This step closes a gap we still see a lot: customers protect mail attachments well, but shared files and Teams chats are wide open. In the 1st part of this blog series, Microsoft MVP Purav Desai describes (here) how to prevent users from downloading malicious files by running a SharePoint PowerShell cmdlet:
```
Set-SPOTenant -DisallowInfectedFileDownload $true
```
Don’t let users click through Safe Links warnings
Safe Links rewrites and time-of-click scans URLs in mail, Office apps, and Teams. In the Safe Links policy, clear “Let users click through to the original URL.” That prevents the classic “I know it says it’s malicious, but I really need to see it…” moment. Users get blocked instead of “warned but allowed.”

This setting is also enforced in Microsoft’s Standard AND Strict preset security policies where click-through is explicitly disabled.
Go beyond the default Common Attachment filter
The anti-malware policy’s Common Attachment filter blocks known dangerous file extensions (executable content, scriptable content, etc.). Microsoft ships a default list (historically 50+ high-risk extensions), and you can customize it to block additional file types common in malware delivery, like HTML droppers or password-protected archives. Messages with those file types are treated as malware and quarantined.
Do this centrally rather than relying on users to “spot a suspicious attachment.” Automation beats user judgment here.
Use custom quarantine policies that require admin approval (instead of self-release)
If you are not using the Preset Policies, you can create a quarantine policy to customize the user experience with quarantined messages. For anything phishing-related, I recommend creating a custom policy that allows the user to “request release from admin.” That means users can raise a hand if they think something should not have been quarantined, and an Incident is created for administrators to review before it is released. To me, this strikes the best balance between security and productivity.

This keeps containment intact and gives the SOC final say. It also creates an auditable workflow: who asked for release, who approved it, and why.

Bulk Mail Insights: Tune BCL using your tenant’s mail

Bulk email (“graymail”) is noisy. Payroll alerts and benefits notifications are legitimate, but they look exactly like phishing. At the same time, true marketing email (graymail) are also bulk. The traditional response (“just whitelist the sender so users stop complaining”) often opens the door for attacker-looking mail to get delivered straight to executives.

Defender for Office 365 gives you something better: Bulk Mail Insights (a.k.a. Bulk senders insight). This report shows, over the last 60 days, how much mail at each Bulk Complaint Level (BCL 1–9) was delivered vs. blocked, which senders are generating volume, and where users are likely to experience false positives or false negatives. You can interactively simulate raising or lowering the bulk threshold and immediately see, “If we tighten BCL, how many more messages get quarantined? How many of those were probably junk? How many were probably wanted?”

Why this matters:

You stop tuning bulk mail based on anecdotes and start tuning based on real telemetry from your own tenant.

You can justify decisions to leadership and audit (“We set BCL at X because here is the simulation showing false positive/false negative impact”).

You avoid blanket allow rules. Instead, you adjust bulk thresholds for legitimate high-volume senders while keeping stricter actions for everyone else.

Note: You can modify the BCL threshold in your default or custom anti-spam policy, but you can’t change it inside the Standard (BCL:6) or Strict (BCL:5) preset security policies themselves. Standard and Strict are already aligned to Microsoft’s recommended baselines.

Additional Links:

Anti-Phishing / Impersonation Tuning: Protect the people attackers actually spoof

Business email compromise very often looks like this: “Hi, can you handle this payment today?” sent from an address that looks like your CFO or CEO. Microsoft Defender for Office 365 includes targeted impersonation protection, but it only really works if you target your most targeted executives.

Here are five pitfalls we see over and over:

Empty or stale VIP list
Populate “users to protect / high value targets” with executives, finance approvers, legal, anyone authorized to move money or data. Review it monthly. Roles change, and you only get a finite number of protected users (for example, ~350 entries). An out-of-date list silently weakens protection for the people attackers actually impersonate.
Phishing email threshold stuck at 1 forever
We find organizations that are not using the preset policies have left their phishing threshold values at the default “1” because of initial false positives. We recommend raising it to match the Standard Preset (“3”) or Strict (“4”).
Weak action
If suspicious “CFO” mail just goes to Junk, users can still act on it. High-confidence impersonation of executives should be quarantined with AdminOnly or request-release workflows, not left in end-user control. Tie this back to the custom quarantine policies (discussed later in this article).
Common-name overload
If your CEO’s name is something extremely common, you’ll get noise. Expect it. Don’t “turn off” protection for that name — add that address to the Trusted Senders otherwise it will be blocked as an impersonation attempt. Use Trusted Senders / Trusted Domains for known-good partners and vendors so you keep protection high without drowning in alerts. Add only legitimate senders/domains to the Trusted Senders or Trusted Domains instead of lowering enforcement.
No scheduled review
This control can’t be “set and forget.” Put impersonation tuning and spoof intelligence review on a monthly checklist. That lets you catch new vendors pretending to be finance, new “urgent wire” lure patterns, and any drift from Standard / Strict baseline that Configuration analyzer will also call out.

When done right, impersonation protection is not just “spam reduction.” It’s payment fraud prevention.

Automated Investigation & Response (AIR): Let Defender remove malicious email before your SOC has to!

One of the biggest wins you can land quickly is letting Microsoft Defender for Office 365 automatically remove clusters of malicious messages — without waiting for analyst approval on every single item.

Here’s how it works. Defender’s Automated Investigation and Response (AIR) groups messages into “clusters” based on shared indicators like the same malicious URL or malicious file hash. If you opt in to automatic remediation for those cluster types, AIR will go find every matching copy of that threat across the tenant and soft-delete those messages, not just the one that triggered the alert.

Why this matters:

It turns post-delivery cleanup into something that happens immediately instead of “after Tier 1 has time to review.”

It removes known-bad messages from user mailboxes (and related collaboration surfaces like Teams) before a target can click.

It dramatically cuts the classic “Did anyone else get this?” manual hunt-and-purge work that burns out SOC analysts.

When you configure AIR automation settings in the Microsoft Defender portal (Settings > Email & collaboration > MDO automation settings), you’ll see checkboxes for “Similar files” and “Similar URLs.” Selecting those opts you into automatic soft delete for those clusters. Today, soft delete is the default supported action for these automatic remediations, enabling administrators to undo a deletion, if necessary.

This is Defender for Office 365 Plan 2 / Microsoft 365 E5 functionality, and it’s exactly the kind of “secure operations by default” Microsoft has been pushing: detect, contain, and clean up automatically, then let humans investigate with context instead of manually chasing every copy of a phish.

This automation triggers when malicious clusters are detected. For automating the classification and triage of user-submitted phishing incidents, check out the Security Copilot Phishing Triage Agent (Preview).

Additional Links:

Final Thoughts

Defender for Office 365 is more than “email filtering.” It’s part of your security operations surface. The decisions you make about automated remediation (AIR), bulk mail thresholds, Safe Links/Attachment behavior, outbound forwarding, connector hygiene, quarantine policy, and impersonation tuning directly determine how easy — or how hard — it is for an attacker to penetrate your organization.

Microsoft’s current guidance is clear:

Apply Standard or Strict preset security policies so users get the recommended protections by default (for example, Safe Links with no click-through).

If you must use a custom policy, review the recommendations from the Configuration analyzer monthly for new recommendations, or to catch and correct drift whenever someone weakens a control.

Align internal procedures with the excellent Security Operations Guide for Defender for Office 365.

Lock down quarantine so only admins can release high-risk messages, with an auditable “request release” path for users.

Turn on automated remediation so Defender can remove malicious clusters of messages before anyone clicks.

Organizations that land these basics are in a dramatically better position during an incident. Instead of “Who clicked the link?” you can say, “AIR already pulled it, users were blocked from clicking through, outbound forwarding is disabled, and impersonation of the CFO is quarantined for admin review.” That’s what “secure by default” actually looks like in production.

________
This blog was authored by Joe Stocker, Microsoft Security MVP and Founder of Patriot Consulting Technology Group, in partnership with the Microsoft Defender for Office 365 product team, including Paul Newell, Senior Product Manager, Microsoft Defender for Office 365.

Joe Stocker
Microsoft Security MVP

Learn More and Meet the Author

1) December 16th Ask the Experts Webinar:

Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE)
DECEMBER 16, 8 AM US Pacific

You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs). Now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real-world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16.

2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series:

Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai
Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor
You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri
(This post) "Microsoft Defender for Office 365: Fine-Tuning" by Joe Stocker

Learn and Engage with the Microsoft Security Community

Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space.
- Follow = Click the heart in the upper right when you're logged in 🤍
Learn more about the Microsoft MVP Program.
Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more.
Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community.
Join the Microsoft Security Community LinkedIn

You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365

RenWoods — Wed, 19 Nov 2025 14:59:01 GMT

Introduction

As a Microsoft MVP (Most Valuable Professional) specializing in SIEM, XDR, and Cloud Security, I have witnessed the rapid evolution of cybersecurity technologies, especially those designed to protect organizations from sophisticated threats targeting email and collaboration tools. Microsoft Defender for Office 365 introduced an LLM-based engine to help better classify phishing emails that, these days, are mostly written using AI anyways about a year ago. Today, I'm excited to spotlight a new place AI has been inserted into a workflow to make it better…a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365.

Understanding the Challenge 

While the automated and human-driven analyses are robust in Defender for Office 365, there are occasions where the response—be it a verdict of "benign" or "malicious"— doesn’t fully align with the security team's context or threat intelligence. If you are a Microsoft 365 organization with Exchange Online mailboxes, you’re probably familiar with how admins can use the Submissions page in the Microsoft Defender portal to submit messages, URLs, and attachments to Microsoft for analysis.  As a recent enhancement, now all the admin submissions use LLM based response for better explainability.

In the past, disputing such verdicts required separate support channels, using Community support, or manual email processes, often delaying resolution and impacting the speed of cyber operations.

 Introducing the Dispute Submission Response Feature 

With the new dispute submission response feature, Microsoft Defender for Office 365 bridges a critical gap in the incident response workflow. Now, when a security analyst or administrator receives a verdict on a submitted item, they have the option to dispute the response directly within the Microsoft 365 Defender portal. This feature streamlines feedback, allowing teams to quickly flag disagreements and provide additional context for review at the speed of operations. 

  How It Works 

Upon submission of a suspicious item, Microsoft Defender for Office 365 provides a response indicating its assessment—malicious, benign, or other categorizations. 
If the security team disagrees with the verdict, they can select the "Dispute" option and submit their rationale, including supporting evidence and threat intelligence. 
The disputed case is escalated directly to Microsoft’s threat research team for further review, and the team is notified of progress and outcomes.

This direct feedback loop not only empowers security teams to advocate for their organization's unique context, but also enables Microsoft to continually refine detection algorithms and verdict accuracy based on real-world input, because security is a team sport.

Benefits for Security Operations 

Faster Resolution: Streamlined dispute submission eliminates the need for external support tickets and escalations, reducing turnaround time for critical cases.

Greater Transparency: The feature fosters a collaborative relationship between customers and Microsoft, ensuring that verdicts are not final judgments but points in an ongoing dialogue.

Continuous Improvement: Feedback from disputes enhances Microsoft’s threat intelligence and improves detection for all Defender for Office 365 users.

Empowerment: Security teams gain a stronger voice in the protection of their environment, reinforcing trust in automated defenses.

MVP Insights: Real-World Impact 

Having worked with global enterprises, I’ve seen how nuanced and context-specific threats can be. Sometimes, what appears benign to one organization may be a targeted attack for another, a slight modification to a URL may catch one email, but not others, as slight changes are made as billions of emails are sent. We are only as good as the consortium. The ability to dispute submission responses creates a vital safety net, ensuring that security teams are not forced to accept verdicts that could expose them to risk. It’s a welcome step toward adaptive, user-driven security operations. 

Conclusion 

The dispute submission response feature in Microsoft Defender for Office 365 is one of the most exciting features for me, because it focuses on enabling organizations striving for agility and accuracy in threat management. By enabling direct, contextual feedback, Microsoft empowers security teams to play an active role in shaping their defenses. As an MVP, I encourage all users to leverage this feature, provide detailed feedback, and help drive the future of secure collaboration in the cloud. You may be right after all.  

_________
This blog has been generously and expertly authored by Microsoft Security MVP, Mona Ghadiri with support of the Microsoft Defender for Office 365 product team.

Mona Ghadiri
Microsoft Security MVP

Learn More and Meet the Author

1) December 16th Ask the Experts Webinar:

Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE)
DECEMBER 16, 8 AM US Pacific

2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series:

1. Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai

2. Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor

3. (This blog post) You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri

4. Microsoft Defender for Office 365: Fine-Tuning | Real-world Defender for Office 365 tuning that closes real attack paths by Joe Stocker

Learn and Engage with the Microsoft Security Community

Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space.
- Follow = Click the heart in the upper right when you're logged in 🤍
Learn more about the Microsoft MVP Program.
Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more.
Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community.
Join the Microsoft Security Community LinkedIn

Ensure your ICES solution works seamlessly alongside Microsoft Defender

JeffreyPinkston — Thu, 06 Nov 2025 04:36:32 GMT

In today’s evolving threat landscape, organizations increasingly rely on layered email security solutions to protect users and sensitive data. Microsoft supports and collaborates with Integrated Cloud Email Security (ICES) vendors that work in conjunction with Microsoft Defender, and customers who choose a layered approach to email security to ensure the maximum level of email protection.

It is, however, key that when integrating ICES solutions with Microsoft Defender, to follow best practices to maximize security and operational efficiency.

In this blog, we explain these best practices in more detail and outline three other routing techniques commonly used across ICES vendors. This will allow organizations to understand the impact of non-standard mail routing configurations on their security operations (SOC) effectiveness and partner with their ICES vendors on the best approach.

Best practices for ICES vendor integration

Microsoft has outlined best practices for third-party solutions integrating with Microsoft 365, where recommended and supported approaches include DNS mail routing or the Graph API. This article provides more details on these approaches and also outlines integration techniques that we do not recommend. By using these best practices, any 3rd party email security vendor can ensure that their solution works seamlessly alongside Microsoft Defender. In addition, we recently launched the Microsoft Defender ICES vendor ecosystem. This gives partners an additional option for integration, where we partner directly with the solution provider to build a deeper integration between the ICES solution and Microsoft Defender. We harmonize telemetry, email verdicts, security policies, and more, to provide joint customers with optimized protection and SOC workflows in the Defender portal.

Non-standard email routing techniques used by ICES vendors

We know that as the ICES space evolved, several vendors integrated with Microsoft Exchange using non-standard email routing techniques, such as journaling, connector-based routing, and post-delivery actions. These functions were originally designed for different purposes. When deployed alongside Microsoft Defender, these integration approaches can introduce unique complexities for mail flow and SOC operations. Understanding how these techniques work and their potential impact is essential for making informed decisions about your organization’s email security architecture and are outlined below.

Journaling for email security benchmarking

Email journaling (Figure 1) is a legacy Exchange Online feature originally designed for archiving and to help organizations meet legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications.

While journaling was designed for archiving and similar use cases, we know that various ICES vendors utilize journaling rules to route emails to the vendor’s test environment to evaluate the effectiveness of their solution. Journaling occurs before Defender filtering, so both solutions act independently and partially, complicating operational clarity for SOC teams.

This approach can lead to duplicate catch scenarios, therefore misstating the unique catch rate of the ICES vendor. If a journaled copy of a phishing email is routed to an ICES vendor, this occurs before it was filtered by Microsoft Defender. Consequently, both Microsoft Defender and the ICES vendor now simultaneously assess the message, and both solutions may act on it independently. This often results in duplicate catch scenarios and creates ambiguity around which solution blocked the threat, ultimately making it challenging to assess the true effectiveness of each layer. Some ICES vendors may consider every email they filter “a miss by Microsoft Defender”. However, as journaling occurs before Defender filtering, it’s generally an incomplete representation.

Therefore, we do not recommend the implementation of journaling for benchmarking or operational clarity purposes of ICES vendor solutions that operate next to Microsoft Defender.

Journaling + post-delivery actions

Some vendors combine journaling with post-delivery actions via Graph API or Exchange Web Services (EWS). This approach enables them to take remediation actions on emails after they have been delivered to users’ mailboxes, such as moving messages to the Junk folder or adding labels to alert users of potential threats. However, if Defender quarantines a message first, the ICES vendor may not be able to perform these actions, limiting their impact. Furthermore, when a vendor deletes and recreates a message using EWS, it can result in duplicate message IDs, which fragments SOC visibility and slows incident response. As a result, these configurations should be avoided, as they can lead to unreliable investigations and operational complexity.

Connector-based implementations

Connectors are typically used to route mail between Exchange Online and on-premises or non-Microsoft systems. Some vendors repurpose this mechanism to:

Route messages out of Exchange Online after Microsoft Defender filtering.

Apply their own filtering.

Reinject the message as a new email.

Using connectors to send messages out of Exchange Online after Microsoft Defender filtering, apply additional vendor filtering, and then return them as new emails introduces major operational risks. Reinjecting messages strips the original sender authentication context (SPF, DKIM, DMARC), which can lead to false positives, duplicate quarantines, and inconsistent reporting across tools like Explorer, Advanced Hunting, and Message Trace in Microsoft Defender. With this configuration, SOC teams may see multiple message IDs for the same email, making it difficult to correlate events and accurately track message disposition. This also impacts post-delivery protections such as Zero-hour Auto Purge, which may fail or be misapplied. These issues increase investigation time, reduce visibility, and can undermine existing protections, impacting the overall security of an

organization. That’s why our documentation states that we strongly recommend avoiding this configuration.

When assessing statistics or performance claims about Microsoft Defender’s effectiveness, it’s important to keep in mind how deployment configurations can shape outcomes. As outlined above, techniques such as journaling, connector-based routing, and post-delivery actions may introduce complexities that affect how performance is measured. These integration approaches can result in discrepancies within metrics, making it challenging to accurately attribute detections or gauge overall effectiveness. It is essential for security leaders and SOC teams to interpret results and make informed decisions about your organization’s email security posture.

Microsoft’s commitment to effective ICES vendor integration

By understanding the impact of the various integration techniques, security leaders can ensure their layered email security delivers streamlined SOC workflows and the highest level of protection for email.

Microsoft is committed to working collaboratively with all ICES vendors to help them embrace best practices in integrating with Microsoft Exchange so they can work effectively alongside Microsoft Defender. Whether using the documented best practices with Microsoft Exchange or joining the Defender ecosystem to build an even deeper integration, either approach will help ensure that the solutions work seamlessly alongside Microsoft Defender.

Learn more

Integration best practices

Microsoft Defender ICES vendor ecosystem

Email security effectiveness benchmarking

Safeguarding Microsoft Teams with Microsoft Defender for Office 365

RenWoods — Thu, 13 Nov 2025 16:37:54 GMT

As organizations rely more on Microsoft Teams for daily collaboration, securing this platform has become a top priority. Threat actors are increasingly targeting Teams chats and channels with phishing links and malicious files, making it critical for IT admins and security professionals to extend protection beyond email. Enter Microsoft Defender for Office 365, now armed with dedicated Teams protection capabilities. Microsoft Defender for Office 365 enables users to report suspicious messages, brings time-of-click scanning of URLs and files into Teams conversations, and provides rich alerts and hunting insights for SecOps teams.

As a collaborative piece between Pierre Thoor, a Microsoft Security Most Valuable Professional (MVP), and the Defender for Office 365 Product Engineering Team, the below guides with accompanying videos emphasize a proactive, user-driven approach to threat detection and response, turning everyday Teams interactions into actionable security signals for SecOps.

See something, say something: Reporting suspicious messages in Microsoft Teams

Your fastest sensor isn’t AI – it’s your people. Report this message in Microsoft Teams lets anyone flag a suspicious conversation in two clicks and routes a triageable submission to your security team in the Microsoft Defender portal.

Why this matters:

Speed to signal: Catch threats at the conversation layer, not just in email.

Complete context: Original message, participants, URLs, and verdicts in one place.

Habit-forming: A simple, repeatable action employees remember under pressure.

How to report (desktop, web, and mobile)

In Desktop/Web

1. Hover the message → … More options → Report this message
2. Select Security concern → (optional) add a short note → Report

In Mobile (iOS/Android) app

1. Long-press the message → Report message
2. Select Security concern → (optional) add a short note → Report

*Tip: Short notes like “Unexpected MFA reset link” help analysts triage faster.

Where reports go (for security teams)

In the Microsoft Defender portal, navigate to:
Investigation & response → Actions and submissions → Submissions → User reported.
Open an item to view the Teams message entity (sender/domain, Teams message ID, extracted URLs, verdict) and take action – mark as phish/clean, pivot to Explorer or Advanced Hunting, or copy indicators.

Quick setup check

- Defender portal → Settings → Email & collaboration → User reported settings: enable Monitor reported messages in Microsoft Teams.
- Licensing: Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 E5).

What good looks like (mini playbook)

User reports the message.
Security triages the submission and captures the URL/domain and other indicators.
Block or allow as appropriate via the Tenant Allow/Block List (TABL).
Hunt for related activity or clicks (see Video 3).
Close the loop: thank the reporter and share the outcome to reinforce the behavior.

Common gotchas

Reporting is disabled in the Teams messaging policy – verify before rollout.
Some users assume “Report” notifies the sender – clarify that it routes to the Security team, not the sender.

Call to action: Enable reporting for your users and add this line to your awareness site:
“If it feels phishy, report – don’t click.”

Think before you click - Safe Links catches threats at click-time

Links can change after delivery. Safe Links waits until click-time, evaluates the destination, and shows an in-app warning page in Teams. Pair it with the Tenant Allow/Block List (TABL) to tune quickly across the tenant.

Why this matters

Prevents delayed redirects: Avoids “clean-at-send” methods.
Consistent protection in Teams: Familiar warning UX reduces risky clicks.
Rapid tuning: Block newly observed domains in seconds; no advanced transport rules required.

What you’ll see in the video

Policy check (Teams in scope)
- Defender portal → Email & collaboration → Policies & rules → Threat policies → Safe Links → ensure Apply Safe Links to Microsoft Teams is enabled for target users or groups OR that you use Standard/Strict Preset Policy.
Warning page at click-time
- Post a benign test URL in Teams and click it to show the Safe Links warning experience.
Block it as you spot it (Allow/Block)
- Defender portal → Threat policies → Tenant Allow/Block List → URLs → Add (domain or URL).
- Re-click in Teams – now blocked at click-time.
Optional telemetry (Advanced Hunting)
- Confirm outcomes and adoption:

UrlClickEvents 

| where Timestamp > ago(24h) and Workload == "Teams" 

| summarize Clicks=count(), Users=dcount(AccountUpn) by ActionType 

| order by Clicks desc

Deployment tips

Start with a pilot group that includes IT + power users; expand after validation.
Create a review cadence for TABL (e.g., monthly) and expire temporary blocks.

Troubleshooting

No warning page? Verify policy scope includes the user and the Teams workload.
Block not taking effect? Give TABL a short sync window, then re-test; confirm you blocked the correct domain/URL pattern.

“Hunt the chat”: Advanced hunting for Teams threats

Overview
With Advanced Hunting you can quickly reconstruct activity in Microsoft Teams – who sent the message, who clicked the link, and what protections kicked in. This section shows how the four Teams-relevant tables work together, so you can move from signal to action quickly.

New: message warnings for malicious URLs (internal and external)

Teams now shows a warning banner on messages that contain URLs flagged as spam, phishing, or malware. Warnings appear in internal and external chats/channels, and can be added after delivery (up to ~48 hours) if a URL’s reputation changes. This complements Safe Links (time-of-click) and doesn’t replace ZAP; when ZAP removes a message, that action takes precedence. Public preview began September 2025; GA November 2025, enabled by default at GA and manageable in Teams admin center → Messaging settings.

See Message Center: https://admin.cloud.microsoft/?#/MessageCenter/:/messages/MC1150984

The four tables you’ll use

MessageEvents – delivery context (sender, thread, internal vs. external).

MessagePostDeliveryEvents – post-delivery actions, including Phish ZAP and Malware ZAP.

MessageUrlInfo – URLs extracted from Teams messages.

UrlClickEvents – time-of-click outcomes for links, including those clicked in Teams.

What you’ll learn in the video

Surface active external domains in your tenant’s Teams chats.

Identify who clicked risky links and the click outcomes (via Safe Links telemetry).

See where message warnings appear in the chat UI.

Pivot to an incident and block indicators fast via the Tenant Allow/Block List (TABL).

A couple hunts to try right now

1) Malicious verdicts in Teams (last 24 hours)
Find messages that already carry a Spam/Phish/Malware verdict – your fastest triage queue.


MessageEvents

| where Timestamp > ago(1d) 

| where ThreatTypes has "Phish" or ThreatTypes has "Malware" or ThreatTypes has "Spam" 

| project Timestamp, SenderDisplayName, SenderEmailAddress, 

          RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId

Use it for: a quick sweep + pivot to incident/entities, then TABL block if needed.

2) “IT helpdesk” imposters in external DMs (last 5 days)

Surface social-engineering lures that impersonate support.

MessageEvents 

| where Timestamp > ago(5d) 

| where IsExternalThread == true 

| where (RecipientDetails has "help" and RecipientDetails has "desk") 

   or (RecipientDetails has "it"   and RecipientDetails has "support") 

   or (RecipientDetails has "working" and RecipientDetails has "home") 

   or (SenderDisplayName has "help" and SenderDisplayName has "desk") 

   or (SenderDisplayName has "it"   and SenderDisplayName has "support") 

   or (SenderDisplayName has "working" and SenderDisplayName has "home") 

| project Timestamp, SenderDisplayName, SenderEmailAddress, 

          RecipientDetails, IsOwnedThread, ThreadType, ReportId

Use it for: first-contact scams (external tenant posing as IT). Pair with Safe Links telemetry to see who clicked.

Tip: has is token-aware and generally faster/cleaner than contains for word matches. Keep both hunts detection-ready by ensuring the final projection includes Timestamp and ReportId.

3) BONUS! External DMs with links (last 7 days)

MessageEvents 

| where Timestamp > ago(7d) and IsExternalThread == true 

| join kind=inner (MessageUrlInfo) on TeamsMessageId 

| summarize Links=dcount(Url), Senders=dcount(SenderEmailAddress) by UrlDomain 

| top 10 by Links desc 

4) Who clicked (Teams workload) – exposure view: 

UrlClickEvents 

| where Timestamp > ago(7d) and Workload == "Teams" 

| project Timestamp, AccountUpn, Url, ActionType 

| order by Timestamp desc

“From Hunt to Action”: Respond & contain

Finding a risky link in Teams is only half the job. This walkthrough shows how to go from detection to containment – block the domain, clean up delivered messages, and cut attacker access.

Why this matters

Speed: Shrink time from “we saw it” to “it’s blocked”.
Consistency: Turns ad-hoc hunting into a repeatable response flow.
Coverage: Pair URL blocking with identity and device containment.

What you’ll see in the video

Turn a hunt into an alert
In Advanced Hunting, run a short query (below) and choose Create detection rule to schedule it. Alerts auto-create incidents you can triage.
Block at click-time (Safe Links + TABL)
In the incident, open the URL entity and add the URL/domain to the Tenant Allow/Block List (TABL) so future Teams clicks are blocked by Safe Links.
Post-delivery cleanup (ZAP)
If a malicious message slipped through, ZAP can remove or mark it after delivery. You’ll see evidence on the incident timeline.
Contain accounts and devices
- Revoke user sessions in Entra ID to invalidate active tokens.

- Reset the password (and require strong, unique credentials), then enforce MFA for the account.

- Review MFA methods and remove anything suspicious; review app consents and revoke illicit grants.

- If endpoints are onboarded, isolate the device in Microsoft Defender for Endpoint to stop outbound connections while you investigate.

The Microsoft Learn guide, https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account, for compromised accounts recommends session revocation, password reset, MFA enforcement, reviewing OAuth app consents and admin roles, and checking mail forwarding/rules – steps that complement the Teams response you see here.

The hunt

This KQL surfaces rare external domains in Teams and any user clicks.

let lookback = 1d;

// External Teams messages 

let externalMsgs = 

    MessageEvents 

    | where Timestamp > ago(lookback) and IsExternalThread == true

    | project MsgTime = Timestamp, TeamsMessageId, SenderEmailAddress, ME_ReportId = ReportId; 

// URLs found in Teams messages 

let urlsInMsgs = 

    MessageUrlInfo 

    | where Timestamp > ago(lookback) 

    | project MUI_Time = Timestamp, TeamsMessageId, Url, UrlDomain, MUI_ReportId = ReportId; 

// Clicks coming from Teams 

let clicks = 

    UrlClickEvents 

    | where Timestamp > ago(lookback) and Workload == "Teams" 

    | project ClickTime = Timestamp, Url, Clicker = AccountUpn, ClickAction = ActionType, UCE_ReportId = ReportId; 

// Define “rare” domains in the period 

let rareDomains = 

    urlsInMsgs 

    | summarize msgCount = dcount(TeamsMessageId) by UrlDomain 

    | where msgCount < 3; 

rareDomains 

| join kind=inner (urlsInMsgs) on UrlDomain 

| join kind=leftouter (externalMsgs) on TeamsMessageId

| join kind=leftouter (clicks) on Url 

| project 

    Timestamp = coalesce(ClickTime, MUI_Time, MsgTime), 

    UrlDomain, 

    Url, 

    SenderEmailAddress, 

    Clicker, 

    ClickTime, 

    ClickAction, 

    TeamsMessageId, 

    ReportId  = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId)

After verifying results, select Create detection rule, set a schedule (e.g., hourly), and map entities so incidents include the right artifacts.

What good looks like (response playbook)

Alert fires → open incident; confirm scope and entities.
Block URL/domain via TABL to stop future clicks.
Confirm ZAP removed or marked delivered messages.
Revoke sessions and reset password; enforce MFA.
Review MFA methods and remove unknown devices/methods.
Audit app consents (revoke illicit grants) and verify the user holds no unexpected admin roles.
If email abuse is suspected, check for forwarding or malicious Inbox rules.
Isolate device if execution is suspected; collect artifacts and un-isolate after remediation.

FAQs

Does the block remove the message? No – TABL blocks at click-time. Post-delivery removal is handled by ZAP when detections apply.
Will revoking sessions disrupt users? It forces sign-in again (expected). Communicate this in your response template.
What if the attacker used consent phishing? Revoke the offending enterprise app consent and review publisher verification status.

Call to action: Save the query, create the detection, and attach this playbook to your incident template. The goal every time: find → block → clean up → contain

Securing Microsoft Teams is most effective when technology and people work together. By enabling user reporting, leveraging real-time protections, and empowering security teams to act quickly, organizations can turn everyday collaboration into a strong defense against threats.

##

Please take two minutes to take this survey to let us know what you think of this blog (series), video, and community content.

Questions or comments on this blog "Microsoft Defender for Office 365 – A Four-Part Guide to Secure Collaboration" for the author or other readers? Please log in and post your response below!

_____________

This blog has been generously and expertly authored by Microsoft Security MVP, Pierre Thoor with support of the Microsoft Defender for Office 365 product team.

Pierre Thoor
Microsoft Security MVP | Microsoft Defender for Office 365 Champ

Learn More and Meet the Author

1) December 16th Ask the Experts Webinar:

Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE)
DECEMBER 16, 8 AM US Pacific

You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs), now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16.

2) Additional MVP-Authored Blogs in this Four- Part Series:

1. Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai
2. (This post) Safeguarding Microsoft Teams with Microsoft Defender for Office 365
3. You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri
4. Microsoft Defender for Office 365: Fine-Tuning by Joe Stocker

Learn and Engage with the Microsoft Security Community

- Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office discussion space.
  - Follow = Click the heart in the upper right when you're logged in 🤍
- Learn more about the Microsoft MVP Program.
- Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more.
- Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community.
- Join the Microsoft Security Community LinkedIn

Microsoft Defender for Office 365: Migration & Onboarding

RenWoods — Thu, 13 Nov 2025 16:34:57 GMT

This blog covers four key areas that are frequently missed, but they are essential for a secure and auditable deployment of Defender for Office 365. Before diving into the technical details, it is important to clarify a common misconception about Defender for Office 365 protections.

Blocking Malicious File Downloads in SharePoint and OneDrive

A common assumption during onboarding is that Microsoft Defender for Office 365 protections only apply to email. In reality, Safe Attachments also integrates with SharePoint Online, OneDrive for Business and Microsoft Teams. It scans files for malware even after they are uploaded or shared internally.

However, this protection is only effective when the configuration explicitly prevents users from downloading files flagged as malicious. Without this setting, files detected as threats can still be downloaded locally. This creates a major risk particularly if the malware is detected post-delivery.

In one investigation, I found that this setting had been left at its default, allowing users to download malicious files from SharePoint. This oversight created a significant exposure risk until it was corrected. This setting is part of the Safe Attachments for SPO/ODB policy and is critical in reducing internal exposure. Once enabled, this setting protects users in real time and acts as a powerful audit point. If someone disables this setting, whether intentionally or by accident, that action is recorded in Purview's Unified Audit Log under the DisallowInfectedFileDownloadDisabled operation.

The video below offers a brief walkthrough on how to enable the setting, details the associated audit log events, and provides guidance on configuring alerts for any modifications:

Video 1 – Enable, Audit, Alert: Full Setting Overview

Regularly auditing for this event can help identify misconfiguration or potentially malicious administrative activity that could indicate insider threat behaviour. Including this check as part of your continuous security monitoring process is a smart, proactive move. Learn more at Step 2: (Recommended) Use SharePoint Online PowerShell to prevent users from downloading malicious files

Once you have established protection against malicious files, the next step is ensuring your tenant is correctly set up to create and manage threat policies.

Ensuring Organization Customization is Enabled

A frustrating yet common hurdle during Defender for Office 365 onboarding is the inability to create threat policies such as anti-phishing or Safe Attachments policies. This confusion often stems from a basic configuration oversight: the tenant has not been enabled for organization customization. Without this step, the Microsoft 365 platform prevents the creation or editing of many critical security policies in Defender for Office 365.

Figure 1 – Defender for Office 365 policies blocked until Enable-OrganizationCustomization is run.

A few years prior with a new client being onboarded to Defender for Office 365, I encountered a situation where policy creation kept failing because this step wasn’t followed. It caused unnecessary delays and frustrated the security team until we identified the missing customization.

The fix is simple. Run the Enable-OrganizationCustomization PowerShell cmdlet from Exchange Online. It is a one-time configuration task, but it is essential for policy management and overall service functionality.

Figure 2 - Output if you re-run the Enable-OrganizationCustomization command

Including this step early in your deployment or migration plan prevents unnecessary delays and ensures the security team can fully leverage Defender for Office 365's capabilities from day one. This is particularly important for consultants who are brought in to assist after issues have already arisen. Getting ahead of this configuration means one less troubleshooting rabbit hole.

Figure 3 - Output shows 'false' when customization is enabled.

With customization enabled, you can now take advantage of the preset security policies to quickly build a solid baseline.

Using Preset Security Policies for a Strong Starting Point

One of the best tools Microsoft has provided for onboarding is the Preset Security Policies feature. These come in two flavors: Standard and Strict.

Figure 4 - Defender for Office 365 Preset security policies (Standard & Strict protection)

They represent Microsoft’s recommended baseline configurations for anti-malware, anti-phishing, and spam protection. Learn more at Preset security policies in cloud organizations.

For customers with limited security maturity or time to deeply understand the inner workings of Defender for Office 365, these presets are a game-changer.

Figure 5 - Microsoft recommendation is to apply standard protection to all users

In several cases, I have seen organizations with limited security teams benefit from activating these presets early. This approach gave them immediate protection while freeing up time to better understand and tune policies over time. For incident response, having a consistent and known-good baseline also helps reduce noise and false positives in the initial stages of deployment.

Figure 6 - Apply strict Defender for Office 365 protection for priority users

After setting foundational policies, controlling who has access to what within Defender for Office 365 is crucial to maintaining a secure environment.

Implementing Unified RBAC for Least Privilege Access

As more business units engage with Defender for Office 365 for everything from investigation to reporting, it is important to ensure each role has access only to what they need. Unified Role-Based Access Control (RBAC) in Defender for Office 365 makes this possible by allowing granular control over who can see and change what within the security portal.

Figure 7 – Example least privilege role configuration for a Defender for Office 365 Incident Responder (image trimmed).

This becomes critically valuable in larger or more complex organizations where responsibilities are split between security, compliance, IT, and operations teams.

Figure 8 - Activating Microsoft Defender for Office 365 Workload in Defender XDR Roles.

By using unified RBAC, you can avoid the dangerous and often default behavior of assigning Security Administrator rights to everyone involved. Instead, define roles based on function. For example, Tier 1 analysts might only need view and investigation access, while admins can manage policies.

Figure 9 - Assigning a user to a Custom Microsoft Defender for Office 365 role, Entra Security Groups are also supported.

This approach aligns with zero trust principles and makes it easier to audit who has access to sensitive areas. During onboarding, I recommend mapping stakeholders to the available roles and applying this model as early as possible. This helps establish accountability and improves your security posture before an incident occurs. Learn more at Map Defender for Office 365 permissions to the Microsoft Defender XDR Unified RBAC permissions

Having set the right roles and permissions, it is vital to understand how these configurations contribute to a resilient and well-prepared security posture.

Final Thoughts

Successful onboarding to Microsoft Defender for Office 365 is not just about flipping switches. It is about making intentional configuration choices that support operational efficiency and long-term security goals. The points covered here are often missed in quick start guides but they are essential for building a solid foundation. Those who invest time in proper configuration are far better prepared when incidents arise. Migration is just the beginning. Set up Defender for Office 365 right to reduce risk and build real resilience.

Please take two minutes to take this survey to let us know what you think of this blog (series), video, and community content.

Questions or comments on this blog "Microsoft Defender for Office 365 Migration & Onboarding" for the author or other readers? Please log in and post your response below!

_____________

This blog has been generously and expertly authored by Microsoft Security MVP, Purav Desai. with support of the Microsoft Defender for Office 365 product team.

Purav Desai
Lead M365 Incident Responder, Financial Services | Dual Microsoft Security MVP

Learn More and Meet the Author

1) December 16th Ask the Experts Webinar:

Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE)
DECEMBER 16, 8 AM US Pacific

2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series:

(This post) Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai
Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor
You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri
Microsoft Defender for Office 365: Fine-Tuning by Joe Stocker

Learn and Engage with the Microsoft Security Community

Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space.
- Follow = Click the heart in the upper right when you're logged in 🤍
Learn more about the Microsoft MVP Program.
Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more.
Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community.
Join the Microsoft Security Community LinkedIn

Protection against multi-modal attacks with Microsoft Defender

birchj — Thu, 12 Feb 2026 20:06:00 GMT

Multi-modal (or hybrid) attacks are increasingly used by threat actors to orchestrate multi-phase campaigns. In Part 1 of our blog series, we explored how attackers use email bombing as a distraction technique to overwhelm users and bypass security controls. Today, we’re expanding that conversation to showcase how Microsoft Defender can detect and correlate certain hybrid, multi-modal attacks that span across email, Teams, identity, and endpoint vectors; and how these insights surface in the Microsoft Defender portal.

From distraction to deception: The rise of multi-modal attacks

Multi-modal attacks are on the rise and evolving! One type of such hybrid attacks, begins with a mail bombing event—flooding a user’s inbox with legitimate subscription emails—followed by using Microsoft Teams to send messages to and call targeted users. The goal? To gain trust, distract defenders, and establish persistence.

For example, attackers may pose as IT support personnel responding to a mail bombing incident, urging users to grant remote access in turn victimizing them to download malware-laced files. Our telemetry shows more than 300 threat actors executing multi-modal attacks, some of which involve Microsoft Teams. These tactics are not isolated—they’re coordinated. Learn more here.

Defender continuously adapts to attacker behavior, enabling detection of emerging threats. Initially, attackers used simple terms like 'Help Desk' as their display name in Teams to deceive users, but evolved their tactics by incorporating other words like 'Cyber', using Unicode characters such as ‘☑️’, and inserting invisible characters to bypass detection. We also see these hybrid attacks resolving to compromises that may become evident through suspicious encoded PowerShell execution initiating a network connection. Now, Microsoft Defender for Office 365 can not only detect, but also correlate these signals across email, collaboration, and other modalities.

Better attacker tracking and new detection types

It’s now easier to see coordinated multi-modal (hybrid) attack patterns directly in the Defender portal via the Incident experience. This means security teams can easily:

Identify linked incidents across email, Teams, and identity platforms.
Track attacker movement from initial access to command-and-control (C2) stages.
Disrupt attacks in real time using robust detection and automated response.

New alerts include:

Mail bombing activity detected – Identifies high-volume email flood activity.
Potentially malicious IT support Teams impersonation post mail bombing – Flags suspicious Teams threads following email-based flooding activity.

Related alert includes:

Suspicious encoded PowerShell execution initiating a network connection – Detects obfuscated scripts reaching out to attacker infrastructure.

These alerts are designed to work together, painting a full picture of the attacker’s strategy and enabling defenders to act decisively.

Empowering SOC analysts with advanced hunting and IOCs

Detection is just the beginning. Security teams can pivot from incidents and alerts to deeper investigations using Advanced Hunting in Microsoft Defender and Microsoft Sentinel.

By leveraging Indicators of Compromise (IOCs)—such as suspicious email addresses, IPs, or keywords like “IT Support”—customers can:

Craft custom queries to uncover hidden threats.
Search across identities, endpoints, and Office 365 data.
Investigate post-breach activities like MFA changes or emergency password resets.

IOCs can be collected via the incidents and alerts in the portal and in Advanced Hunting queries below:

Use AlertInfo to collect general information and clickable links to more IOCs:
AlertInfo

| where Timestamp >= ago(2h)

| where Title == "Microsoft Teams chat initiated by a suspicious external user"

| top 100 by Timestamp

Use AlertEvidence to collect potentially related IOCs from an alert:
AlertEvidence

| where Timestamp >= ago(2h)

| where Title == "Microsoft Teams chat initiated by a suspicious external user"

| top 100 by Timestamp

Below are some example queries that can be used as Custom detection rules in Advanced Hunting to detect mail bombing, malicious Teams content and password spray attempts respectively:

Use EmailEvents to detect mail bombing:
EmailEvents

| where Timestamp > ago(1d)

| where DetectionMethods contains "Mail bombing"

| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, ReportId

Use MessageEvents, a newly released table from our GA of Collaboration for Teams, to detect malicious Teams content:
MessageEvents

   | where Timestamp > ago(1d)

   | where ThreatTypes has "Phish"

       or ThreatTypes has "Malware"

       or ThreatTypes has "Spam"

   | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId

Use MessageEvents to detect bi-directional communication with external Help Desk\Support representatives:
MessageEvents

| where Timestamp > ago(5d)

| where (RecipientDetails contains "help" and RecipientDetails contains "desk")

    or (RecipientDetails contains "it" and RecipientDetails contains "support")

    or (RecipientDetails contains "working" and RecipientDetails contains "home")

| where IsExternalThread == true

| project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType

Use IdentityLogonEvents to detect password spray attempts:
IdentityLogonEvents

| where Timestamp > ago(5d)
| where ActionType == "LogonFailed"
| where FailureReason has_any ("bad", "invalid")
| where FailureReason has_any ("username", "password")
| summarize FailedAttempts = count(), UniqueUsers = dcount(AccountUpn), UserList = make_set(AccountUpn, 10) by IPAddress, bin(Timestamp, 5m)

| where LogonError in ("UserAccountNotFound", "BadPassword") --- has an error

Additional detection and response strategies include:

Monitor for news mentions of your organization and create detection rules for related message subjects.
Track impersonation attempts of key personnel (e.g., CIO, IT support), especially if they are on social media or are publicized.
Investigate unusual IP addresses or abnormal activity involving targeted individuals.
Configure automatic remediation action in the custom detection rule to detect and remediate any potential threats without manual intervention

You can also block these external calls in Teams by blocking interaction with Trial tenants on Microsoft teams by using the Teams federation controls.

These queries help Defenders pivot from one IOC to another, uncovering the full scope of hybrid campaigns. Microsoft Sentinel can also be used to search, store, and share IOCs. More information about this offering is available at Threat intelligence - Microsoft Sentinel | Microsoft Learn

Conclusion

Multi-modal attacks are complex, but with the right tools, defenders are equipped to detect, correlate, and respond across modalities. By combining built-in detections with hunting strategies, organizations can stay ahead of evolving threats and protect their users from distraction-based deception.

Note: The above alerts are available for customers with Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps licenses. These updates are gradually rolling out to all customers worldwide.

Watch this video to learn more: Microsoft Defender for Office 365 | Mail Bombing and Mixed-Mode Attack Protection

Learn:

Submissions Response Using AI for Enhanced Result Explainability

soumyamishra — Tue, 01 Jul 2025 12:00:00 GMT

We are pleased to announce that Microsoft Defender for Office 365 now features large language model (LLM)-powered responses within the submission workflow. This update provides security and Exchange admins with clear, actionable insights into the reasons behind the classification of each submission whether as spam, phishing, bulk, or clean - enabling more informed decision-making and response.

What's new?

Historically, submission results such as Threats found or No threats found have provided limited insight into the reasoning behind classification decisions. The implementation of AI-LLM-based responses addresses this limitation by delivering intuitive and context-rich explanations that clarify why a message was categorized as spam, phishing, bulk, or clean. This enhancement reduces ambiguity and facilitates faster, more accurate responses by administrators. LLM-based responses are now available for administrative email submissions made from any location within the Defender portal.

Where can you see LLM based responses?

Submissions page at https://security.microsoft.com/reportsubmission

: On the Emails tab, select entry to view the LLM based explanation in the details flyout.

Example-

Example where submissions response came as clean-

No threats found. The email is a simple and benign message with no malicious content or suspicious links. The sender and recipient both belong to the same domain (contoso.com), indicating internal communication. Interacting with this email poses no risk as it contains no harmful elements.

Example where submissions response came as malicious-

Threats found. The sender's email address (bad-vaibhav@contosoo.com) is suspicious and not associated with any legitimate organization. The email subject uses excessive promotional language and emojis, which is typical of spam emails. Interacting with the message could lead to unwanted advertisements or potential scams. Clicking on the provided link leads to a Contoso login page, which is a standard procedure for accessing internal resources.

Key Result Types with LLM Support

For the result types like Threats found, No threat found, Bulk, Spam and a few Unknowns, you will see the LLM-based explanation. However, if for any reason the AI-generated explanation is unavailable, the system will fall back to the existing explanation, ensuring continuity in the experience.

Learn more:

Check out our documentation for more details on submission workflows and AI-LLM based integration.
Have feedback or questions about LLM based response? Join the conversation in the Microsoft Defender for Office 365 community forum.

Protection Against Email Bombs with Microsoft Defender for Office 365

UrjaGandhi — Thu, 12 Feb 2026 20:03:29 GMT

In today's digital age, email remains a critical communication tool for businesses and individuals. However, with the increasing sophistication of cyberattacks, email security has become more important than ever. One such threat that has been growing is the email bombing, a form of net abuse that sends large volumes of email to an address to overflow the mailbox, overwhelm the server, or distract attention from important email messages indicating a security breach. Email bomb - Wikipedia

Understanding Email Bombing

Email bombing, typically involves subscribing victims to a large number of legitimate newsletter and subscription services. Each subscription service sends email notifications, which in aggregate create a large stream of emails into the victim’s inbox, making email triage for legitimate emails very difficult. This form of attack is essentially a denial-of-service (DDOS) on the victim's email triaging attention budget.

Hybrid Attacks

More recently, email subscription bombs have been coupled with simultaneous lures on Microsoft Teams, Zoom, or via phone calls. Attackers impersonate IT support and offer to help solve the email problem caused by the spike of unwanted emails, ultimately compromising the victim's system or installing malware on their system. This type of attack is brilliant because it creates a sense of urgency and legitimacy, making victims more likely to accept remote assistance and inadvertently allow malware planting or data theft. Read about the use of mail bombs where threat actors misused Quick Assist in social engineering attacks leading to ransomware | Microsoft Security Blog.

Incidence and Purpose of Email Bombing

Email bombing attacks have been around for many years but can have significant impacts on targeted individuals, such as enterprise executives, HR or finance representatives. These attacks are often used as precursors to more serious security incidents, including malware planting, ransomware, and data exfiltration. They can also mute important security alerts, making it easier for attackers to carry out fraudulent activities without detection.

New Detection technology for Mail Bombing attacks

To address these types of attacks Microsoft Defender has now released a comprehensive solution involving a durable block to limit the influx of emails, the majority of which are often spam. By intelligently tracking message volumes across different sources and time intervals, this new detection leverages historical patterns of the sender and signals related to spam content. It prevents mail bombs from being dropped into the user’s inbox and the messages are rather sent to the Junk folder (of Outlook). Note: Safe sender lists in Outlook continue to be honored, so emails from trustworthy sources are not unexpectedly moved to the Junk folder (in order to prevent false positives). Since the initial rollout that started in early May, we’ve seen a tremendous impact in blocking mail bombing attacks out of our customers’ inboxes:

Statistic: Average 20-30K mail bombs blocked daily across 200-300 users.

How to leverage new “Mail bombing” detection technology in SOC experiences

1. Investigation and hunting: SOC analysts can now view the new Detection technology as Mail bombing within the following surfaces: Threat Explorer, Email entity page and Advanced Hunting empowering them to investigate, filter and hunt for threats related to mail bombing.

2. Custom detection rule: To analyze the frequency and volume of attacks from mail bombing vector, or to have automated alerts configured to notify SOC user whenever there is a mail bombing attack, SOC analysts can utilize the custom detection rules in Advanced hunting by writing a KQL query using data in DetectionMethods column of EmailEvents table. Here’s a sample query to get you started:

EmailEvents 
   | where Timestamp > ago(1d) 
   | where DetectionMethods contains "Mail bombing" 
   | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, ReportId

The SOC experiences are rolled out worldwide to all customers.

Conclusion

Email bombs represent an incidental threat in the world of cybersecurity. With the new detection technology for Mail Bombing, Microsoft Defender for Office 365 protects users from these attacks and empowers Security Operations Center Analysts to ensure to gain visibility into such attacks and take quick actions to keep organizations safe!

Note: The Mail bombing protection is available by default in Exchange Online Protection and Microsoft Defender for Office 365 plans.

This blog post is associated with Message Center post MC1096885. 

Also read Part 2 of our blog series to learn more about protection against multi-modal attacks involving mail bombing and correlation of Microsoft Teams activity in Defender. Watch this video to learn more: Microsoft Defender for Office 365 | Mail Bombing and Mixed-Mode Attack Protection

Learn:

Detection technology details table

What's on the Email entity page

Filterable properties in the All email view in Threat Explorer

Introducing the Microsoft Defender for Office 365 ICES vendor ecosystem

Ramya_Chitrakar — Wed, 18 Jun 2025 21:43:12 GMT

In today's digital landscape, the need for comprehensive security measures is more critical than ever, as email continues to be a primary vector for cyberattacks such as phishing and malware. To address this, Microsoft Defender for Office 365 leverages the extensive scale of Microsoft's threat intelligence, which processes trillions of signals daily. By integrating Large Language Models (LLMs) and advanced Natural Language Processing, Defender for Office 365 empowers organizations with AI-driven threat detection, behavioral analytics, and automated responses thus proactively identifying and neutralizing risks before they reach end users. This collaborative defense approach reinforces the principle that security is a team sport, requiring shared intelligence and coordinated action across the ecosystem.

We recognize in today’s dynamic cyber threat landscape, defense-in-depth strategy has become a vital approach not only for Microsoft customers but also across the broader Secure Email Gateway (SEG) market. Organizations are increasingly adopting layered security solutions to comply with regulatory requirements, enhanced detection, and ensure robust protection.

To address this, we’re announcing the Microsoft Defender for Office 365 ICES Vendor Ecosystem — a unified framework that enables seamless integration with trusted third-party vendors. This ecosystem is designed to eliminate integration friction and deliver:

Broader detection coverage through vendor diversity

Transparency across Microsoft Defender for Office 365 and partner detections

Streamlined SOC workflows through consistent policy enforcement and shared investigation tools

Stronger compliance alignment with layered security mandates

This partner ecosystem is about creating a cohesive defense fabric that enhances SOC efficiency with Microsoft Defender for Office 365 as the foundation. The ecosystem also provides flexibility, scalability, and preparedness for the complexities of contemporary enterprise security.

With this in mind, we are pleased to announce that our trusted ICES security vendors, Darktrace and KnowBe4, have become the first launch partners within our ecosystem. They offer customers a seamless and collaborative defense framework where each solution enhances the strengths of the others. We welcome additional partners soon as we continue to expand this integrated ecosystem.

“Our integration with Microsoft gives security teams the tools they need to act faster and more precisely to detect and respond to threats,” said Jill Popelka, CEO of Darktrace. “Together, we’re strengthening defenses where it matters most to our customers —at the inbox.”

“I’m incredibly excited at the opportunity afforded by this partnership with Microsoft and the deeper integrations it enables. Leveraging this integration allows us to use our vast quorum of data around email security and human risk in a way that provides the most comprehensive layered security approach available to the market. A complementary defense strategy is mandatory and this integration with Microsoft M365 furthers that vision by combining our capabilities to create comprehensive defense strategies that address the full spectrum of modern cyber threats.” noted Greg Kras, Chief Product Officer @ KnowBe4

Unified Quarantine

The core strength of this new ecosystem is the seamless integration between Defender for Office 365 and its ICES partners, through the Unified Quarantine feature. Managing quarantined messages from multiple solutions can often be complex and inefficient. Unified Quarantine streamlines the process by consolidating quarantined items identified by both Defender for Office 365 and third-party (3P) solutions into a single, unified interface, enhancing customer ease and visibility.

Administrators can efficiently review, release, or remediate messages through this unified interface, irrespective of the provider that identified the threat. This approach not only optimizes time management but also guarantees uniform policy enforcement and facilitates transparency on detections, resulting in improved operational efficiency and a more coherent user experience. As part of the Unified Quarantine, security admins can also see which provider quarantined the message.

Transparency and Insight Across Solutions

In environments with multiple email security solutions, transparency is crucial to understanding each vendor's detections. Microsoft Defender for Office 365 offers a unified dashboard that clearly distinguishes between threats stopped by Defender and those identified by third-party solutions, ensuring transparent and fair attribution of protection value.

This dashboard provides security teams with a comprehensive view of how each solution contributes to protection, helping to identify overlapping coverage and areas of unique value. This clarity supports more informed decision-making around threat trends, policy optimization, and vendor strategy fostering stronger collaboration between internal teams and external partners.

Deeper SOC Investigation Capabilities: Threat Explorer, Advanced Hunting, and Email Entity Page

Modern defenders need tools for rapid investigation, root cause analysis, and tactical response. The Defender for Office 365 ecosystem unifies investigative workflows across partner solutions.

Within Threat Explorer, security analysts can seamlessly pivot between messages actioned by Microsoft Defender for Office 365 and those flagged by integrated partners. The side-by-side display of verdicts and actions enables quick correlation and pattern recognition.

Advanced Hunting brings even greater depth, allowing analysts to craft queries that span both Microsoft Defender for Office 365S and 3P data sources. This holistic view accelerates threat hunting and helps organizations surface novel attack techniques or gaps in coverage.

EmailEvents 
| where Timestamp > ago(7d) 
//List emails caught by a Third-party solution 
| where DetectionMethods contains "Thirdparty" 
| project NetworkMessageId, RecipientEmailAddress, ThreatTypes, DetectionMethods, AdditionalFields, LatestDeliveryLocation

On the Email Entity Page, every message surfaces a complete action history, including which product took action and what verdict was assigned. This granular visibility demystifies complex incidents and builds confidence in the layered defense model.

Summary

As the threat landscape continues to evolve, so must our defenses. While organizations embrace defense-in-depth, fragmented integrations may lead to unintended consequences such as diminished detection capabilities, overlapping controls, and SOC inefficiencies. With the Defender for Office 365 ICES vendor ecosystem, Microsoft is setting a new standard for collaborative, integrated security platforms. By combining proven protection, seamless partnerships, and unified visibility, organizations can embrace defense-in-depth without complexity or compromise.

Whether combating phishing, malware, or the next generation of email-borne threats, customers benefit from a defense-in-depth strategy built for agility and efficiency. With hands-off enablement, unified experiences, and unmatched transparency, the Defender for Office 365 ecosystem empowers every organization to stay one step ahead—today and tomorrow.

Learn More

To learn more about the Microsoft Defender for Office 365 ICES Vendor Ecosystem, please visit https://learn.microsoft.com/defender-office-365/mdo-ices-vendor-ecosystem.

Auto-Remediation of Malicious Messages in Automated Investigation and Response (AIR) is GA

KellyCrider — Thu, 29 May 2025 13:00:00 GMT

We are excited to announce the GA release of auto-remediation of malicious messages through automated investigation and response (AIR) expanding this powerful tool and deliver on full end to end automation of key SOC scenarios.

AIR works to triage, investigate and remediate and respond to high-impact, high-volume security alerts providing tenant level analysis to increase customer protection and optimize SOC teams. With this enhancement, customers will be able to configure AIR to automatically execute remediations for messages within malicious entity clusters saving SOC teams time and further expediting remediation by removing the need to for SOC teams to approve these actions!

To highlight the key user submission scenario, in addition to AIR completing triage, investigation, remediation identification, and end user feedback responses, customers may now configure AIR to take this a step even further to automatically execute on identified remediations.

Auto-Remediation Action

When AIR recognizes a malicious file or URL, it creates a cluster around the malicious file or URL grouping all messages that contain that file or URL into the respective cluster. The automated investigation then checks the location of the messages within the cluster and if it finds messages within user’s mailboxes, AIR will produce a remediation action. With the auto-remediation enhancement, if the customer has configured the cluster type to auto-remediate, this action will automatically be executed without the need for SecOps approval - removing identified threats at machine speed!

Auto-remediated clusters showing in action center history with decided by stating automation:

Configuration

Auto-remediation will be controlled by a configuration within Settings > Email & Collaboration > MDO automation settings. Within the message clusters section, organizations may specify which types of message clusters they would like to be auto-remediated:

Similar files: When the automated investigation recognizes a malicious file, it creates a cluster around the malicious file grouping all messages that contain that file into the cluster. Selecting this checkbox will opt the organization into auto-remediation for these malicious file clusters.

Similar URLs: When the automated investigation recognizes a malicious URL, it creates a cluster around the malicious URL grouping all messages that contain the URL into the cluster. Selecting this checkbox will opt the organization into auto-remediation for these malicious URL clusters.

The next configuration is for the remediation action, designating soft delete as soft delete is currently the only action supported through AIR.

Auto-remediation of malicious entity clusters configuration found in settings>Email & collaboration>MDO automation settings:

Note: Customers interested in auto-remediation must turn it on through the MDO automation settings page as it will not be on by default.

Auto-Remediation Action Logging

The Defender portal provides several ways for customers to review remediation actions to stay cognizant of the actions executed. These include within the investigation, action center, email entity as well as threat explorer and advanced hunting. Should customers disagree with the action executed, the ability to move the messages back to mailboxes is available as well based on configuration and timing.

Auto-remediated messages showing in Threat Explorer Additional actions as Automated Remediation: automated:

Auto-remediated messages showing in Advanced Hunting with ActionType as Automated Remediation and ActionTrigger as Automation:

Learn More 

Register for the deep dive webinar on Microsoft Defender for Office 365 automated investigation and response (AIR) on June 25, 2025, at 8:00am PDT / 3:00pm UTC. Learn more about the feature enhancements, as well as how AIR can help optimize SOC teams and accelerate threat response.

To learn more about the auto-remediation in AIR, please visit Automated remediation in AIR - Microsoft Defender for Office 365 | Microsoft Learn.

To learn more about investigations in MDO, please visit the following pages: 

Automated investigation and response in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn

View the results of an automated investigation in Microsoft 365 - Office 365 | Microsoft Learn

How automated investigation and response works in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn

Automatic user notifications for user reported phishing results in AIR - Microsoft Defender for Office 365 | Microsoft Learn

Part 2: Build custom email security reports and dashboards with workbooks in Microsoft Sentinel

dmozes — Wed, 14 Jan 2026 18:26:45 GMT

Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, sometimes security teams require custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights to meet their needs.

In January of this year, we shared an example of how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365.

Today, we are excited to announce the release of an updated version of the Microsoft Defender for Office 365 Detections and Insights – Microsoft Sentinel workbook.

Over the past few months, we have received feedback from numerous security teams, offering a multitude of ideas for new insights, updated visuals, and improved structure for the workbook. We have incorporated these suggestions into this update to enhance the experience for all users of the Microsoft Defender for Office 365 Detections and Insights workbook.

What’s new?

We have changed the workbook structure and divided visuals and insights related to the same topic to be on their own tab. We have also added many new visuals and updated existing visuals.

Using tabs for easier navigation

Simply use the tabs now on the top of the workbook to navigate between the various insights' groups.

Notable changes:

False Positive and False Negative Submissions insights are separated to have their own tab
A new tab added for Quarantine Insights.

The complete list of tabs is:

Please note: The workbook has a total of 12 tabs. If all tabs are not visible, you can access the remaining tabs using the "..." located at the end of the tab list on the right side.

New insights and visuals

We have added new insights and visuals to help security team members better understand their Email security posture.

Some examples:

Detection Overview tab - Bad traffic percentage (%) - Inbound Emails Visualizes bad traffic (% of emails with threats) compared to total inbound emails over time summarizing the data daily.
Email – Malware/Email-Phish detection tabs - Zero Day detections (URL & Attachment detonation)
Visualizes total emails with Malware/Phish detections over time summarizing the data daily by detection technologies/controls used for detecting unknown-unique malware and phish (URL detonation, File detonation).
Email - Phish Detections tab - Top Domains Outbound with Emails with Threats Inbound (Partner BEC)
Visualizes top outbound recipient domains by outbound email volume and shows total number of inbound emails with Threats from the same domains (as inbound senders).

Email – Malware/Phish/Spam Detection tabs - Detections by delivery location
Visualizes total emails with Malware/Phish/Spam detections over time summarizing the data daily by Delivery Location. These insights can help security teams drive towards stronger security posture by adopting Quarantine as filter verdict action replacing Move to Junk email folder.
URL Detections and Clicks tab – Top malicious URLs clicked by users
Visualizes top malicious URLs with the number of clicks attempts performed by users.
False Negative (FN) Submissions tab – new insights added for user defined filter verdict override configuration impacting the delivery action of the reported email, top 10 inbound P2 senders' domains of reported emails, top subjects of the internal emails reported by users as Phish, number if user reported Phish emails where the email is already in the Junk email folder.

Updated Insights

We have updated existing insights by adding additional information to them or visualizing the raw data in a different way.

Some examples:

Email – Malware/Phish/Spam Detection tabs - Email Top 10 Domains sending Malware table view now has Total emails sent by the sender domain and bad traffic % from the sender domain.
Grid views are now searchable:
False Negative (FN) Submissions/ False Positive (FP) Submissions are separated now on their own tab, existing insights got updated to understand better what users and security team members are submitting.
Malware family related visuals on Email – Malware detections and File - Malware Detections (SharePoint, Teams and OneDrive) are using searchable grid now:

How can I get the updated version?

The latest version of the Microsoft Defender for Office 365 Detections and Insights workbook is available as part of the Microsoft Defender XDR solution in the Microsoft Sentinel - Content hub. Version 3.0.12 of the solution has the updated workbook template.

If you already have the Microsoft Defender XDR solution deployed, version 3.0.12 is available now as an update. After you install the update, you will have the new workbook template available to use.

If you install the Microsoft Defender XDR solution for the first time, you are deploying the latest version and will have the updated template ready to use.

How to share the workbook with others

Leveraging Microsoft Sentinel workbooks for reporting to leadership is a common use case. A common concern is granting recipients access to Microsoft Sentinel or all of the tables within the workspace. Using some different RBAC components, this can be done.

For details, see the Manage Access to Microsoft Sentinel Workbooks with Lower Scoped RBAC on the Microsoft Sentinel Blog.

Can I edit the workbook and change the visuals?

Yes, absolutely. The Microsoft Defender for Office 365 Detections and Insights is a workbook template in Microsoft Sentinel. It is ready to use with a few simple clicks, however when needed you can save and edit the workbook based on your organization’s need.

You can customize each visual easily or review the underlying KQL.

Simply edit the workbook after saving, then adjust the underlying KQL query, change the type of the visual, or create new insights.

More information: Visualize your data using workbooks in Microsoft Sentinel | Microsoft Learn

Why use workbooks in Microsoft Sentinel for email security reports and insights?

There are many potential benefits to using workbooks if you already use Microsoft Sentinel and already stream the hunting data tables:

You can choose to store data for a longer period of time via configuring longer retention for tables you use for your workbooks. For example, you can store Defender for Office 365 Email Events table data for 1 year and build visuals over a longer period of time.

You can configure auto-refresh for the workbook to keep the data shown up to date.

You can access ready-to-use workbook templates and customize them if it's needed.

Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum. 

More information

Integrate Microsoft Defender XDR with Microsoft Sentinel
Learn more about Microsoft Sentinel workbooks
Microsoft Defender for Office 365 Detection Details Report – Updated Power BI template for Microsoft Sentinel and Log Analytics
Learn more about Microsoft Defender XDR

Microsoft Defender for Office 365's Language AI for Phish: Enhancing Email Security

Melanie_Cohen — Mon, 19 May 2025 19:30:09 GMT

Email security presents a complex challenge for individuals and organizations alike. Over the years, attackers have evolved from simple spam campaigns to sophisticated threats including ransomware, identity theft schemes, and carefully crafted phishing scams. Now, malicious actors are armed with Generative AI and are advancing at an alarming pace.

In response, Microsoft Defender for Office 365 has dedicated extensive research and development efforts to making email security smarter, more flexible, and more proactive. This dedication led to the introduction of specialized language intelligence to fight Business Email Compromise (BEC) attacks, announced last year at Ignite 2024 (Microsoft Ignite: Redefining email security with LLMs to tackle a new era of social engineering | Microsoft Community Hub). With that announcement, we offered a significant leap in analyzing suspicious messages using advanced natural language processing, enabling organizations to better detect subtle manipulative emails designed to lure unsuspecting users into revealing confidential data or transferring funds.

The threats, however, have not stopped with BEC. Phishing attacks are constantly evolving, leveraging new tactics and forms. As part of Defender for Office’s mission to stay one step ahead of these threats, we’re taking the same robust Language AI approach we used for BEC analysis and applying it to a broader spectrum of phishing attacks.

Today we’re excited to announce Microsoft Defender for Office 365’s new Language AI for Phish model. This model progressively learns from thousands of real-world phishing attempts and analyzes all messages classified as phish. Furthermore, it incorporates advanced Machine Learning and Natural Language Processing (NLP) techniques to read, process, and understand email content the way a human analyst might, yet in a fraction of the time and at an immense scale. Our model has been operational since April 2025, achieving over 99.99% accuracy and blocking 1 million phishing emails daily.

Statistics: 99.9998% accuracy in identifying malicious phishing messages / 1 million phishing emails blocked daily

By advancing our language AI and rigorously training it on phishing email threats, we are further strengthening the comprehensive protections established by our BEC-focused innovations. These enhanced capabilities create an integrated security framework designed to proactively address evolving risks and accelerate response times to emerging threats. Through Microsoft Defender for Office 365’s commitment to continuous improvement, this expanded approach empowers organizations and individuals to maintain a strong security posture in the face of ever-changing cyber challenges.

Learn More:

To learn more about Microsoft Defender for Office 365’s Language AI capabilities, please read more here or visit our website.

SafeLinks Protection for Links Generated by M365 Copilot Chat and Office Apps

UrjaGandhi — Fri, 30 May 2025 17:09:40 GMT

The world is experiencing rapid changes, with artificial intelligence (AI) significantly transforming businesses and lifestyles. Additionally, it is impacting cybersecurity, as attackers leverage AI to refine their techniques. Microsoft is committed to ensuring that its AI-powered tools are secure and reliable for business applications. The security of AI remains a primary focus.

M365 Copilot Chat

Copilot serves as the user interface for AI, beginning with Copilot Chat. It is the chat experience utilized daily, powered by extensive knowledge from the web and designed to ensure safety and security for business applications. This platform signifies a fundamental change in our work methods, allowing individuals to operate more intelligently, efficiently, and collaboratively.

While Copilot Chat is a powerful new on-ramp for everyone in your organization to build the AI habit, Microsoft 365 Copilot remains our best-in-class personal AI assistant for work. It includes everything in Copilot Chat and more.

M365 Copilot Chat

Enhancing Security of M365 Copilot Chat with SafeLinks

We are excited to announce some important updates to M365 Copilot Chat that will enhance security and user experience:

1. SafeLinks protection at Time-of-Click of URL:

Microsoft Defender for Office 365's SafeLinks protection has been successfully released worldwide for Copilot Chat on Desktop, Web, Outlook Mobile, Teams Mobile and Microsoft 365 Copilot Mobile app (iOS and Android)!

M365 Copilot Chat has integrated with SafeLinks in Defender for Office 365 to provide time-of-click URL protection for the hyperlinks included in its chat responses.

User with MDO license clicks on a malicious link in Copilot ChatUser with MDO license clicks on a malicious link in Copilot Chat on Mobile

This functionality applies to users with Microsoft Defender for Office 365 Plan 1 or Plan 2 service plans. No policy configuration is needed within the SafeLinks policy.
Within Microsoft Defender for Office 365 Security Center, the URL protection report will show the relevant summary and trend views for threats detected and actions taken on URL clicks generated from within M365 Copilot Chat.

URL threat protection report showing clicks on a malicious link from Copilot Chat

Moreover, Security Operations Center analysts will be able to see the source of the originating URL clicks in the investigation and hunting experiences within Microsoft Defender for Office 365.

Advanced Hunting showing click events on a malicious link from Copilot Chat on different clients

2. Native Time-of-Click URL Reputation Check:

For users without SafeLinks protection (which is available as part of Microsoft Defender for Office 365), M365 Copilot Chat will natively enable time-of-click URL reputation check for the hyperlinks returned in its chat responses.

User without MDO license clicks on a malicious link in Copilot ChatUser without MDO license clicks on a malicious link in Copilot Chat on Mobile

3. Hyperlink Display Changes:

M365 Copilot Chat no longer redacts hyperlinks in its chat responses if they are found in the grounding data used to generate the responses.

These updates ensure that M365 Copilot Chat remains a secure and reliable tool for your organization, helping you navigate the complexities of modern cybersecurity.

What’s Next?

Following this release, SafeLinks protection will be available to Copilot App Chats for Word, PowerPoint and Excel.

Conclusion

As AI continues to evolve, so do the threats that come with it. At Microsoft, we are dedicated to staying ahead of these threats and providing our customers with the tools they need to stay secure. With the integration of SafeLinks, M365 Copilot Chat is poised to be a game-changer in the world of business AI.

Note: This blog post is associated with Message Center post MC1013453.

Learn more

Microsoft Defender for Office 365 SafeLinks protection
M365 Copilot Chat