user-reported phishing emails
Dear Community I have a technical question regarding user-reported emails. In Defender, under “Action and Submissions” -> “Submissions,” I can see the emails that users have reported under the “user reported” option. There, we have the option to analyze these emails and mark them as “no threats found,” “phishing,” or “spam.” The user is then informed. Question: Do these reported emails remain in the user's inbox when they report them? If not, do we have the option to return these reported emails to the user's inbox with the “No threats found” action? Because I don't see this option. In another tenant, under “Choose response Action,” I see “move or delete,” but the “inbox” option is grayed out. Why is that? Thank you very much!Disabling Auto Align Feature in Microsoft Defender 365 Console Alerts
The Microsoft Defender 365 console has recently started auto aligning the alert screen upon clicking on an alert name, which seems to be part of the updated alert management experience. This change is quite bothersome and distracting. How can this feature be disabled?
Built-in report button is available in Microsoft Outlook across platforms
Outlook and Defender for Office 365 are excited to announce the release of built-in report button in Microsoft Outlook across platforms (web, new Outlook for Windows, classic Outlook for Windows, Outlook for Mac, Outlook for Android, Outlook for iOS, and Outlook for android Lite) for both personal and commercial accounts. You can find the built-in button across Outlook: Outlook on the web. New Outlook for Windows. Outlook for Mac version 16.89 (24090815) or later. Classic Outlook for Windows version Current channel: Version 16.0.17827.15010 or later. Monthly Enterprise Channel: Version 16.0.18025.20000 or later. Semi-Annual Channel (Preview): Release 2502, build 16.0.18526.20024 Semi-Annual Channel: Release 2502, build 16.0.18526.20024 Outlook for iOS version 4.2511 or later and Outlook for Android version 4.2446 or later. Outlook for Android Lite Benefits the built-in report button provides for security admins It works out of the box with no setup required The reporting experience for end user is the same across consumer and commercial accounts The report button is consistent across Outlook clients The report button is front and center on all clients The report button is present on the grid view, reading panel, preview panel, context menu The report button enables the user to select in bulk and report messages at once You can turn on and off the pre and post reporting popups for users in your organization using You can customize the individual pre and post reporting popup by adding text and links in 7 diff languages The report button is present on shared and delegate mailboxes enabling end users to report emails. Now present on outlook for web, new outlook for windows, outlook for mac, outlook for android and outlook for iOS The end user reports made by these clients are routed as per the message reported destination configured in the user reported settings. You can view the user report as soon as they are made on the If you have configured Microsoft only or Microsoft and my reporting mailbox in the user reported settings, the result from Microsoft analysis are available on the result column You can turn off the built-in report button on user reported settings by Selecting non-Microsoft add-in button and providing the address of the reporting mailbox of the 3 rd party add-in, or Deselecting monitor reported messages in outlook Note: The report phish add-in and the report message add-in does not provide support for shared and delegate mailbox. The report phish add-in, the report message add-in, and the built-in report button all read from the same user reported settings and use the same internal reporting API. In a way there are two different doors (entry point) to the same house (the backend). For the moment, the report message and report phish add-in are in maintenance mode to provide enough time for customers to migrate to the built-in button. To learn more, please check out Transition from Report Message or the Report Phishing add-ins - Microsoft Defender for Office 365 | Microsoft Learn Report phishing and suspicious emails in Outlook for admins - Microsoft Defender for Office 365 | Microsoft Learn User reported settings - Microsoft Defender for Office 365 | Microsoft Learn Protect yourself from phishing - Microsoft Support Report phishing - Microsoft Support How do I report phishing or junk email? - Microsoft SupportSOC can see Microsoft analysis for Third-party add-in user report
We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis. A prerequisite for using this is to already have set up the third-party user report tool on Outlook for your end users and that tool is forwarding the user report to an exchange online mailbox within the organization. We do not recommend using the exchange transport rule for it. To enable this setting, you must do the following: Go to User reported settings in the Microsoft Defender portal, select Monitor reported messages in Outlook, and then select Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-ins are being routed to. If the third-party vendor follows the guidance for message submissions format, Defender for Office 365 will submit these messages automatically to Microsoft for analysis. The analysis results from Microsoft are displayed on the User reported page in the Defender portal. Alerts are automatically generated for user-reported messages in Defender for Office 365. If you have Defender for Office 365 Plan 2, Automated investigation and response (AIR) is also automatically triggered for user-reported phishing messages. These alerts and their investigations are automatically linked to Defender Incidents, assisting security teams with automation for triage, investigation, and response. Submitting these messages to Microsoft for analysis provides a response of this analysis to security analysts and helps improve Defender for Office 365 filters. To learn more, check out these articles: Report suspicious email messages to Microsoft Automatic user notifications for user reported phishing results in AIR Share Your Feedback! We are eager for you to experience the capabilities of Microsoft feedback, triage, investigation, and analysis for user reports while utilizing the advantages of third-party report add-ins. Share your thoughts with us by commenting below.SafeLinks Protection for Links Generated by M365 Copilot Chat and Office Apps
The world is experiencing rapid changes, with artificial intelligence (AI) significantly transforming businesses and lifestyles. Additionally, it is impacting cybersecurity, as attackers leverage AI to refine their techniques. Microsoft is committed to ensuring that its AI-powered tools are secure and reliable for business applications. The security of AI remains a primary focus. M365 Copilot Chat Copilot serves as the user interface for AI, beginning with Copilot Chat. It is the chat experience utilized daily, powered by extensive knowledge from the web and designed to ensure safety and security for business applications. This platform signifies a fundamental change in our work methods, allowing individuals to operate more intelligently, efficiently, and collaboratively. While Copilot Chat is a powerful new on-ramp for everyone in your organization to build the AI habit, Microsoft 365 Copilot remains our best-in-class personal AI assistant for work. It includes everything in Copilot Chat and more. Enhancing Security of M365 Copilot Chat with SafeLinks We are excited to announce some important updates to M365 Copilot Chat that will enhance security and user experience: 1. SafeLinks protection at Time-of-Click of URL: Microsoft Defender for Office 365's SafeLinks protection has been successfully released worldwide for Copilot Chat on Desktop, Web, Outlook Mobile, Teams Mobile and Microsoft 365 Copilot Mobile app (iOS and Android)! M365 Copilot Chat has integrated with SafeLinks in Defender for Office 365 to provide time-of-click URL protection for the hyperlinks included in its chat responses. This functionality applies to users with Microsoft Defender for Office 365 Plan 1 or Plan 2 service plans. No policy configuration is needed within the SafeLinks policy. Within Microsoft Defender for Office 365 Security Center, the URL protection report will show the relevant summary and trend views for threats detected and actions taken on URL clicks generated from within M365 Copilot Chat. Moreover, Security Operations Center analysts will be able to see the source of the originating URL clicks in the investigation and hunting experiences within Microsoft Defender for Office 365. 2. Native Time-of-Click URL Reputation Check: For users without SafeLinks protection (which is available as part of Microsoft Defender for Office 365), M365 Copilot Chat will natively enable time-of-click URL reputation check for the hyperlinks returned in its chat responses. 3. Hyperlink Display Changes: M365 Copilot Chat no longer redacts hyperlinks in its chat responses if they are found in the grounding data used to generate the responses. These updates ensure that M365 Copilot Chat remains a secure and reliable tool for your organization, helping you navigate the complexities of modern cybersecurity. What’s Next? Following this release, SafeLinks protection will be available to Copilot App Chats for Word, PowerPoint and Excel. Conclusion As AI continues to evolve, so do the threats that come with it. At Microsoft, we are dedicated to staying ahead of these threats and providing our customers with the tools they need to stay secure. With the integration of SafeLinks, M365 Copilot Chat is poised to be a game-changer in the world of business AI. Note: This blog post is associated with Message Center post MC1013453. Learn more Microsoft Defender for Office 365 SafeLinks protection M365 Copilot ChatAuto-Remediation of Malicious Messages in Automated Investigation and Response (AIR) is GA
We are excited to announce the GA release of auto-remediation of malicious messages through automated investigation and response (AIR) expanding this powerful tool and deliver on full end to end automation of key SOC scenarios. AIR works to triage, investigate and remediate and respond to high-impact, high-volume security alerts providing tenant level analysis to increase customer protection and optimize SOC teams. With this enhancement, customers will be able to configure AIR to automatically execute remediations for messages within malicious entity clusters saving SOC teams time and further expediting remediation by removing the need to for SOC teams to approve these actions! To highlight the key user submission scenario, in addition to AIR completing triage, investigation, remediation identification, and end user feedback responses, customers may now configure AIR to take this a step even further to automatically execute on identified remediations. Auto-Remediation Action When AIR recognizes a malicious file or URL, it creates a cluster around the malicious file or URL grouping all messages that contain that file or URL into the respective cluster. The automated investigation then checks the location of the messages within the cluster and if it finds messages within user’s mailboxes, AIR will produce a remediation action. With the auto-remediation enhancement, if the customer has configured the cluster type to auto-remediate, this action will automatically be executed without the need for SecOps approval - removing identified threats at machine speed! Auto-remediated clusters showing in action center history with decided by stating automation: Configuration Auto-remediation will be controlled by a configuration within Settings > Email & Collaboration > MDO automation settings. Within the message clusters section, organizations may specify which types of message clusters they would like to be auto-remediated: Similar files: When the automated investigation recognizes a malicious file, it creates a cluster around the malicious file grouping all messages that contain that file into the cluster. Selecting this checkbox will opt the organization into auto-remediation for these malicious file clusters. Similar URLs: When the automated investigation recognizes a malicious URL, it creates a cluster around the malicious URL grouping all messages that contain the URL into the cluster. Selecting this checkbox will opt the organization into auto-remediation for these malicious URL clusters. The next configuration is for the remediation action, designating soft delete as soft delete is currently the only action supported through AIR. Auto-remediation of malicious entity clusters configuration found in settings>Email & collaboration>MDO automation settings: Note: Customers interested in auto-remediation must turn it on through the MDO automation settings page as it will not be on by default. Auto-Remediation Action Logging The Defender portal provides several ways for customers to review remediation actions to stay cognizant of the actions executed. These include within the investigation, action center, email entity as well as threat explorer and advanced hunting. Should customers disagree with the action executed, the ability to move the messages back to mailboxes is available as well based on configuration and timing. Auto-remediated messages showing in Threat Explorer Additional actions as Automated Remediation: automated: Auto-remediated messages showing in Advanced Hunting with ActionType as Automated Remediation and ActionTrigger as Automation: Learn More Register for the deep dive webinar on Microsoft Defender for Office 365 automated investigation and response (AIR) on June 25, 2025, at 8:00am PDT / 3:00pm UTC. Learn more about the feature enhancements, as well as how AIR can help optimize SOC teams and accelerate threat response. To learn more about the auto-remediation in AIR, please visit Automated remediation in AIR - Microsoft Defender for Office 365 | Microsoft Learn. To learn more about investigations in MDO, please visit the following pages: Automated investigation and response in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn View the results of an automated investigation in Microsoft 365 - Office 365 | Microsoft Learn How automated investigation and response works in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn Automatic user notifications for user reported phishing results in AIR - Microsoft Defender for Office 365 | Microsoft Learn
Part 2: Build custom email security reports and dashboards with workbooks in Microsoft Sentinel
Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, sometimes security teams require custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights to meet their needs. In January of this year, we shared an example of how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. Today, we are excited to announce the release of an updated version of the Microsoft Defender for Office 365 Detections and Insights – Microsoft Sentinel workbook. Over the past few months, we have received feedback from numerous security teams, offering a multitude of ideas for new insights, updated visuals, and improved structure for the workbook. We have incorporated these suggestions into this update to enhance the experience for all users of the Microsoft Defender for Office 365 Detections and Insights workbook. What’s new? We have changed the workbook structure and divided visuals and insights related to the same topic to be on their own tab. We have also added many new visuals and updated existing visuals. Using tabs for easier navigation Simply use the tabs now on the top of the workbook to navigate between the various insights' groups. Notable changes: False Positive and False Negative Submissions insights are separated to have their own tab A new tab added for Quarantine Insights. The complete list of tabs is: Detection Overview | Email - Malware Detections | Email - Phish Detections | Email - Spam Detections | URL Detections and Clicks | Email - Top Users/Senders | Email - Detection Overrides | False Negative (FN) Submissions | False Positive (FP) Submissions | File - Malware Detections (SharePoint, Teams and OneDrive) | Post Delivery Detections and Admin Actions | Quarantine Insights Please note: The workbook has a total of 12 tabs. If all tabs are not visible, you can access the remaining tabs using the "..." located at the end of the tab list on the right side. New insights and visuals We have added new insights and visuals to help security team members better understand their Email security posture. Some examples: Detection Overview tab - Bad traffic percentage (%) - Inbound Emails Visualizes bad traffic (% of emails with threats) compared to total inbound emails over time summarizing the data daily. Email – Malware/Email-Phish detection tabs - Zero Day detections (URL & Attachment detonation) Visualizes total emails with Malware/Phish detections over time summarizing the data daily by detection technologies/controls used for detecting unknown-unique malware and phish (URL detonation, File detonation). Email - Phish Detections tab - Top Domains Outbound with Emails with Threats Inbound (Partner BEC) Visualizes top outbound recipient domains by outbound email volume and shows total number of inbound emails with Threats from the same domains (as inbound senders). Email – Malware/Phish/Spam Detection tabs - Detections by delivery location Visualizes total emails with Malware/Phish/Spam detections over time summarizing the data daily by Delivery Location. These insights can help security teams drive towards stronger security posture by adopting Quarantine as filter verdict action replacing Move to Junk email folder. URL Detections and Clicks tab – Top malicious URLs clicked by users Visualizes top malicious URLs with the number of clicks attempts performed by users. False Negative (FN) Submissions tab – new insights added for user defined filter verdict override configuration impacting the delivery action of the reported email, top 10 inbound P2 senders' domains of reported emails, top subjects of the internal emails reported by users as Phish, number if user reported Phish emails where the email is already in the Junk email folder. Updated Insights We have updated existing insights by adding additional information to them or visualizing the raw data in a different way. Some examples: Email – Malware/Phish/Spam Detection tabs - Email Top 10 Domains sending Malware table view now has Total emails sent by the sender domain and bad traffic % from the sender domain. Grid views are now searchable: False Negative (FN) Submissions/ False Positive (FP) Submissions are separated now on their own tab, existing insights got updated to understand better what users and security team members are submitting. Malware family related visuals on Email – Malware detections and File - Malware Detections (SharePoint, Teams and OneDrive) are using searchable grid now: How can I get the updated version? The latest version of the Microsoft Defender for Office 365 Detections and Insights workbook is available as part of the Microsoft Defender XDR solution in the Microsoft Sentinel - Content hub. Version 3.0.12 of the solution has the updated workbook template. If you already have the Microsoft Defender XDR solution deployed, version 3.0.12 is available now as an update. After you install the update, you will have the new workbook template available to use. If you install the Microsoft Defender XDR solution for the first time, you are deploying the latest version and will have the updated template ready to use. How to share the workbook with others Leveraging Microsoft Sentinel workbooks for reporting to leadership is a common use case. A common concern is granting recipients access to Microsoft Sentinel or all of the tables within the workspace. Using some different RBAC components, this can be done. For details, see the Manage Access to Microsoft Sentinel Workbooks with Lower Scoped RBAC on the Microsoft Sentinel Blog. Can I edit the workbook and change the visuals? Yes, absolutely. The Microsoft Defender for Office 365 Detections and Insights is a workbook template in Microsoft Sentinel. It is ready to use with a few simple clicks, however when needed you can save and edit the workbook based on your organization’s need. You can customize each visual easily or review the underlying KQL. Simply edit the workbook after saving, then adjust the underlying KQL query, change the type of the visual, or create new insights. More information: Visualize your data using workbooks in Microsoft Sentinel | Microsoft Learn Why use workbooks in Microsoft Sentinel for email security reports and insights? There are many potential benefits to using workbooks if you already use Microsoft Sentinel and already stream the hunting data tables: You can choose to store data for a longer period of time via configuring longer retention for tables you use for your workbooks. For example, you can store Defender for Office 365 Email Events table data for 1 year and build visuals over a longer period of time. You can configure auto-refresh for the workbook to keep the data shown up to date. You can access ready-to-use workbook templates and customize them if it's needed. Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum. More information Integrate Microsoft Defender XDR with Microsoft Sentinel Learn more about Microsoft Sentinel workbooks Microsoft Defender for Office 365 Detection Details Report – Updated Power BI template for Microsoft Sentinel and Log Analytics Learn more about Microsoft Defender XDRAll Excel Macro Files Suddenly Flagged as Malware (X97M/Slacker.gen!A) Across M365 Starting April 16
Starting around 8 PM GMT+8 on April 16, 2025, macro-enabled Excel files with extensions such as .xlsm, .xlsb, or .xls began being automatically flagged as malware, specifically identified as X97M/Slacker.gen!A—when opened or edited in SharePoint, OneDrive, or Teams. Before this, the same files were not flagged as malicious, even when opened or edited, and this behavior had remained consistent for several months. This issue affects our entire tenant, with over 800 files being flagged as malware under the name X97M/Slacker.gen!A. These files are located across various locations and have been modified by different users. We are a Cloud-only tenant, and we have not done any configuration changes in Threat Policies for the past few months.
Marking Quarantine Notice senders as safe for entire tenant
Our users get quarantine notices weekly. They're configured to come from mailto:email address removed for privacy reasons (the domain specific to tenant).. sometimes they come from mailto:email address removed for privacy reasons anyways, but this is fine. The thing is, I end up with a LOT of users who end up receiving these in their junk mail. We have a lot of tenants - I don't really have the time to keep checking them, taking action on mis-junked items. Most stuff is configured to go to quarantine anyway. What's the best way to allow these senders? The IB Anti-Spam safe-senders component is not Secure-Score recommended, and we try to keep these scores high. But the tenant allow/block list allows a max of 45days since last use. There's so many options, I'm a little confused as to what's 'right' Thanks
