Safeguarding Microsoft Teams with Microsoft Defender for Office 365
As organizations rely more on Microsoft Teams for daily collaboration, securing this platform has become a top priority. Threat actors are increasingly targeting Teams chats and channels with phishing links and malicious files, making it critical for IT admins and security professionals to extend protection beyond email. Enter Microsoft Defender for Office 365, now armed with dedicated Teams protection capabilities. Microsoft Defender for Office 365 enables users to report suspicious messages, brings time-of-click scanning of URLs and files into Teams conversations, and provides rich alerts and hunting insights for SecOps teams. As a collaborative piece between Pierre Thoor, a Microsoft Security Most Valuable Professional (MVP), and the Defender for Office 365 Product Engineering Team, the below guides with accompanying videos emphasize a proactive, user-driven approach to threat detection and response, turning everyday Teams interactions into actionable security signals for SecOps. See something, say something: Reporting suspicious messages in Microsoft Teams Your fastest sensor isn’t AI – it’s your people. Report this message in Microsoft Teams lets anyone flag a suspicious conversation in two clicks and routes a triageable submission to your security team in the Microsoft Defender portal. Why this matters: Speed to signal: Catch threats at the conversation layer, not just in email. Complete context: Original message, participants, URLs, and verdicts in one place. Habit-forming: A simple, repeatable action employees remember under pressure. How to report (desktop, web, and mobile) In Desktop/Web Hover the message → … More options → Report this message Select Security concern → (optional) add a short note → Report In Mobile (iOS/Android) app Long-press the message → Report message Select Security concern → (optional) add a short note → Report *Tip: Short notes like “Unexpected MFA reset link” help analysts triage faster. Where reports go (for security teams) In the Microsoft Defender portal, navigate to: Investigation & response → Actions and submissions → Submissions → User reported. Open an item to view the Teams message entity (sender/domain, Teams message ID, extracted URLs, verdict) and take action – mark as phish/clean, pivot to Explorer or Advanced Hunting, or copy indicators. Quick setup check Defender portal → Settings → Email & collaboration → User reported settings: enable Monitor reported messages in Microsoft Teams. Licensing: Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 E5). What good looks like (mini playbook) User reports the message. Security triages the submission and captures the URL/domain and other indicators. Block or allow as appropriate via the Tenant Allow/Block List (TABL). Hunt for related activity or clicks (see Video 3). Close the loop: thank the reporter and share the outcome to reinforce the behavior. Common gotchas Reporting is disabled in the Teams messaging policy – verify before rollout. Some users assume “Report” notifies the sender – clarify that it routes to the Security team, not the sender. Call to action: Enable reporting for your users and add this line to your awareness site: “If it feels phishy, report – don’t click.” Think before you click - Safe Links catches threats at click-time Links can change after delivery. Safe Links waits until click-time, evaluates the destination, and shows an in-app warning page in Teams. Pair it with the Tenant Allow/Block List (TABL) to tune quickly across the tenant. Why this matters Prevents delayed redirects: Avoids “clean-at-send” methods. Consistent protection in Teams: Familiar warning UX reduces risky clicks. Rapid tuning: Block newly observed domains in seconds; no advanced transport rules required. What you’ll see in the video Policy check (Teams in scope) Defender portal → Email & collaboration → Policies & rules → Threat policies → Safe Links → ensure Apply Safe Links to Microsoft Teams is enabled for target users or groups OR that you use Standard/Strict Preset Policy. Warning page at click-time Post a benign test URL in Teams and click it to show the Safe Links warning experience. Block it as you spot it (Allow/Block) Defender portal → Threat policies → Tenant Allow/Block List → URLs → Add (domain or URL). Re-click in Teams – now blocked at click-time. Optional telemetry (Advanced Hunting) Confirm outcomes and adoption: UrlClickEvents | where Timestamp > ago(24h) and Workload == "Teams" | summarize Clicks=count(), Users=dcount(AccountUpn) by ActionType | order by Clicks desc Deployment tips Start with a pilot group that includes IT + power users; expand after validation. Create a review cadence for TABL (e.g., monthly) and expire temporary blocks. Troubleshooting No warning page? Verify policy scope includes the user and the Teams workload. Block not taking effect? Give TABL a short sync window, then re-test; confirm you blocked the correct domain/URL pattern. “Hunt the chat”: Advanced hunting for Teams threats Overview With Advanced Hunting you can quickly reconstruct activity in Microsoft Teams – who sent the message, who clicked the link, and what protections kicked in. This section shows how the four Teams-relevant tables work together, so you can move from signal to action quickly. New: message warnings for malicious URLs (internal and external) Teams now shows a warning banner on messages that contain URLs flagged as spam, phishing, or malware. Warnings appear in internal and external chats/channels, and can be added after delivery (up to ~48 hours) if a URL’s reputation changes. This complements Safe Links (time-of-click) and doesn’t replace ZAP; when ZAP removes a message, that action takes precedence. Public preview began September 2025; GA November 2025, enabled by default at GA and manageable in Teams admin center → Messaging settings. See Message Center: https://admin.cloud.microsoft/?#/MessageCenter/:/messages/MC1150984 The four tables you’ll use MessageEvents – delivery context (sender, thread, internal vs. external). MessagePostDeliveryEvents – post-delivery actions, including Phish ZAP and Malware ZAP. MessageUrlInfo – URLs extracted from Teams messages. UrlClickEvents – time-of-click outcomes for links, including those clicked in Teams. What you’ll learn in the video Surface active external domains in your tenant’s Teams chats. Identify who clicked risky links and the click outcomes (via Safe Links telemetry). See where message warnings appear in the chat UI. Pivot to an incident and block indicators fast via the Tenant Allow/Block List (TABL). A couple hunts to try right now 1) Malicious verdicts in Teams (last 24 hours) Find messages that already carry a Spam/Phish/Malware verdict – your fastest triage queue. MessageEvents | where Timestamp > ago(1d) | where ThreatTypes has "Phish" or ThreatTypes has "Malware" or ThreatTypes has "Spam" | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId Use it for: a quick sweep + pivot to incident/entities, then TABL block if needed. 2) “IT helpdesk” imposters in external DMs (last 5 days) Surface social-engineering lures that impersonate support. MessageEvents | where Timestamp > ago(5d) | where IsExternalThread == true | where (RecipientDetails has "help" and RecipientDetails has "desk") or (RecipientDetails has "it" and RecipientDetails has "support") or (RecipientDetails has "working" and RecipientDetails has "home") or (SenderDisplayName has "help" and SenderDisplayName has "desk") or (SenderDisplayName has "it" and SenderDisplayName has "support") or (SenderDisplayName has "working" and SenderDisplayName has "home") | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, ReportId Use it for: first-contact scams (external tenant posing as IT). Pair with Safe Links telemetry to see who clicked. Tip: has is token-aware and generally faster/cleaner than contains for word matches. Keep both hunts detection-ready by ensuring the final projection includes Timestamp and ReportId. 3) BONUS! External DMs with links (last 7 days) MessageEvents | where Timestamp > ago(7d) and IsExternalThread == true | join kind=inner (MessageUrlInfo) on TeamsMessageId | summarize Links=dcount(Url), Senders=dcount(SenderEmailAddress) by UrlDomain | top 10 by Links desc 4) Who clicked (Teams workload) – exposure view: UrlClickEvents | where Timestamp > ago(7d) and Workload == "Teams" | project Timestamp, AccountUpn, Url, ActionType | order by Timestamp desc “From Hunt to Action”: Respond & contain Finding a risky link in Teams is only half the job. This walkthrough shows how to go from detection to containment – block the domain, clean up delivered messages, and cut attacker access. Why this matters Speed: Shrink time from “we saw it” to “it’s blocked”. Consistency: Turns ad-hoc hunting into a repeatable response flow. Coverage: Pair URL blocking with identity and device containment. What you’ll see in the video Turn a hunt into an alert In Advanced Hunting, run a short query (below) and choose Create detection rule to schedule it. Alerts auto-create incidents you can triage. Block at click-time (Safe Links + TABL) In the incident, open the URL entity and add the URL/domain to the Tenant Allow/Block List (TABL) so future Teams clicks are blocked by Safe Links. Post-delivery cleanup (ZAP) If a malicious message slipped through, ZAP can remove or mark it after delivery. You’ll see evidence on the incident timeline. Contain accounts and devices Revoke user sessions in Entra ID to invalidate active tokens. Reset the password (and require strong, unique credentials), then enforce MFA for the account. Review MFA methods and remove anything suspicious; review app consents and revoke illicit grants. If endpoints are onboarded, isolate the device in Microsoft Defender for Endpoint to stop outbound connections while you investigate. The Microsoft Learn guide, https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account, for compromised accounts recommends session revocation, password reset, MFA enforcement, reviewing OAuth app consents and admin roles, and checking mail forwarding/rules – steps that complement the Teams response you see here. The hunt This KQL surfaces rare external domains in Teams and any user clicks. let lookback = 1d; // External Teams messages let externalMsgs = MessageEvents | where Timestamp > ago(lookback) and IsExternalThread == true | project MsgTime = Timestamp, TeamsMessageId, SenderEmailAddress, ME_ReportId = ReportId; // URLs found in Teams messages let urlsInMsgs = MessageUrlInfo | where Timestamp > ago(lookback) | project MUI_Time = Timestamp, TeamsMessageId, Url, UrlDomain, MUI_ReportId = ReportId; // Clicks coming from Teams let clicks = UrlClickEvents | where Timestamp > ago(lookback) and Workload == "Teams" | project ClickTime = Timestamp, Url, Clicker = AccountUpn, ClickAction = ActionType, UCE_ReportId = ReportId; // Define “rare” domains in the period let rareDomains = urlsInMsgs | summarize msgCount = dcount(TeamsMessageId) by UrlDomain | where msgCount < 3; rareDomains | join kind=inner (urlsInMsgs) on UrlDomain | join kind=leftouter (externalMsgs) on TeamsMessageId | join kind=leftouter (clicks) on Url | project Timestamp = coalesce(ClickTime, MUI_Time, MsgTime), UrlDomain, Url, SenderEmailAddress, Clicker, ClickTime, ClickAction, TeamsMessageId, ReportId = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId) After verifying results, select Create detection rule, set a schedule (e.g., hourly), and map entities so incidents include the right artifacts. What good looks like (response playbook) Alert fires → open incident; confirm scope and entities. Block URL/domain via TABL to stop future clicks. Confirm ZAP removed or marked delivered messages. Revoke sessions and reset password; enforce MFA. Review MFA methods and remove unknown devices/methods. Audit app consents (revoke illicit grants) and verify the user holds no unexpected admin roles. If email abuse is suspected, check for forwarding or malicious Inbox rules. Isolate device if execution is suspected; collect artifacts and un-isolate after remediation. FAQs Does the block remove the message? No – TABL blocks at click-time. Post-delivery removal is handled by ZAP when detections apply. Will revoking sessions disrupt users? It forces sign-in again (expected). Communicate this in your response template. What if the attacker used consent phishing? Revoke the offending enterprise app consent and review publisher verification status. Call to action: Save the query, create the detection, and attach this playbook to your incident template. The goal every time: find → block → clean up → contain Securing Microsoft Teams is most effective when technology and people work together. By enabling user reporting, leveraging real-time protections, and empowering security teams to act quickly, organizations can turn everyday collaboration into a strong defense against threats. ## Please take two minutes to take this survey to let us know what you think of this blog (series), video, and community content. Questions or comments on this blog "Microsoft Defender for Office 365 – A Four-Part Guide to Secure Collaboration" for the author or other readers? Please log in and post your response below! _____________ This blog has been generously and expertly authored by Microsoft Security MVP, Pierre Thoor with support of the Microsoft Defender for Office 365 product team. Pierre Thoor Microsoft Security MVP | Microsoft Defender for Office 365 Champ Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs), now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP-Authored Blogs in this Four- Part Series: Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai (This post) Safeguarding Microsoft Teams with Microsoft Defender for Office 365 You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri Microsoft Defender for Office 365: Fine-Tuning by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedInMicrosoft Defender for Office 365: Migration & Onboarding
This blog covers four key areas that are frequently missed, but they are essential for a secure and auditable deployment of Defender for Office 365. Before diving into the technical details, it is important to clarify a common misconception about Defender for Office 365 protections. Blocking Malicious File Downloads in SharePoint and OneDrive A common assumption during onboarding is that Microsoft Defender for Office 365 protections only apply to email. In reality, Safe Attachments also integrates with SharePoint Online, OneDrive for Business and Microsoft Teams. It scans files for malware even after they are uploaded or shared internally. However, this protection is only effective when the configuration explicitly prevents users from downloading files flagged as malicious. Without this setting, files detected as threats can still be downloaded locally. This creates a major risk particularly if the malware is detected post-delivery. In one investigation, I found that this setting had been left at its default, allowing users to download malicious files from SharePoint. This oversight created a significant exposure risk until it was corrected. This setting is part of the Safe Attachments for SPO/ODB policy and is critical in reducing internal exposure. Once enabled, this setting protects users in real time and acts as a powerful audit point. If someone disables this setting, whether intentionally or by accident, that action is recorded in Purview's Unified Audit Log under the DisallowInfectedFileDownloadDisabled operation. The video below offers a brief walkthrough on how to enable the setting, details the associated audit log events, and provides guidance on configuring alerts for any modifications: Regularly auditing for this event can help identify misconfiguration or potentially malicious administrative activity that could indicate insider threat behaviour. Including this check as part of your continuous security monitoring process is a smart, proactive move. Learn more at Step 2: (Recommended) Use SharePoint Online PowerShell to prevent users from downloading malicious files Once you have established protection against malicious files, the next step is ensuring your tenant is correctly set up to create and manage threat policies. Ensuring Organization Customization is Enabled A frustrating yet common hurdle during Defender for Office 365 onboarding is the inability to create threat policies such as anti-phishing or Safe Attachments policies. This confusion often stems from a basic configuration oversight: the tenant has not been enabled for organization customization. Without this step, the Microsoft 365 platform prevents the creation or editing of many critical security policies in Defender for Office 365. A few years prior with a new client being onboarded to Defender for Office 365, I encountered a situation where policy creation kept failing because this step wasn’t followed. It caused unnecessary delays and frustrated the security team until we identified the missing customization. The fix is simple. Run the Enable-OrganizationCustomization PowerShell cmdlet from Exchange Online. It is a one-time configuration task, but it is essential for policy management and overall service functionality. Including this step early in your deployment or migration plan prevents unnecessary delays and ensures the security team can fully leverage Defender for Office 365's capabilities from day one. This is particularly important for consultants who are brought in to assist after issues have already arisen. Getting ahead of this configuration means one less troubleshooting rabbit hole. With customization enabled, you can now take advantage of the preset security policies to quickly build a solid baseline. Using Preset Security Policies for a Strong Starting Point One of the best tools Microsoft has provided for onboarding is the Preset Security Policies feature. These come in two flavors: Standard and Strict. Figure 4 - Defender for Office 365 Preset security policies (Standard & Strict protection) They represent Microsoft’s recommended baseline configurations for anti-malware, anti-phishing, and spam protection. Learn more at Preset security policies in cloud organizations. For customers with limited security maturity or time to deeply understand the inner workings of Defender for Office 365, these presets are a game-changer. Figure 5 - Microsoft recommendation is to apply standard protection to all users In several cases, I have seen organizations with limited security teams benefit from activating these presets early. This approach gave them immediate protection while freeing up time to better understand and tune policies over time. For incident response, having a consistent and known-good baseline also helps reduce noise and false positives in the initial stages of deployment. Figure 6 - Apply strict Defender for Office 365 protection for priority users After setting foundational policies, controlling who has access to what within Defender for Office 365 is crucial to maintaining a secure environment. Implementing Unified RBAC for Least Privilege Access As more business units engage with Defender for Office 365 for everything from investigation to reporting, it is important to ensure each role has access only to what they need. Unified Role-Based Access Control (RBAC) in Defender for Office 365 makes this possible by allowing granular control over who can see and change what within the security portal. Figure 7 – Example least privilege role configuration for a Defender for Office 365 Incident Responder (image trimmed). This becomes critically valuable in larger or more complex organizations where responsibilities are split between security, compliance, IT, and operations teams. Figure 8 - Activating Microsoft Defender for Office 365 Workload in Defender XDR Roles. By using unified RBAC, you can avoid the dangerous and often default behavior of assigning Security Administrator rights to everyone involved. Instead, define roles based on function. For example, Tier 1 analysts might only need view and investigation access, while admins can manage policies. Figure 9 - Assigning a user to a Custom Microsoft Defender for Office 365 role, Entra Security Groups are also supported. This approach aligns with zero trust principles and makes it easier to audit who has access to sensitive areas. During onboarding, I recommend mapping stakeholders to the available roles and applying this model as early as possible. This helps establish accountability and improves your security posture before an incident occurs. Learn more at Map Defender for Office 365 permissions to the Microsoft Defender XDR Unified RBAC permissions Having set the right roles and permissions, it is vital to understand how these configurations contribute to a resilient and well-prepared security posture. Final Thoughts Successful onboarding to Microsoft Defender for Office 365 is not just about flipping switches. It is about making intentional configuration choices that support operational efficiency and long-term security goals. The points covered here are often missed in quick start guides but they are essential for building a solid foundation. Those who invest time in proper configuration are far better prepared when incidents arise. Migration is just the beginning. Set up Defender for Office 365 right to reduce risk and build real resilience. Please take two minutes to take this survey to let us know what you think of this blog (series), video, and community content. Questions or comments on this blog "Microsoft Defender for Office 365 Migration & Onboarding" for the author or other readers? Please log in and post your response below! _____________ This blog has been generously and expertly authored by Microsoft Security MVP, Purav Desai. with support of the Microsoft Defender for Office 365 product team. Lead M365 Incident Responder, Financial Services | Dual Microsoft Security MVP Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs). Now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real-world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series: (This post) Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri Microsoft Defender for Office 365: Fine-Tuning by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedInYou may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365
Introduction As a Microsoft MVP (Most Valuable Professional) specializing in SIEM, XDR, and Cloud Security, I have witnessed the rapid evolution of cybersecurity technologies, especially those designed to protect organizations from sophisticated threats targeting email and collaboration tools. Microsoft Defender for Office 365 introduced an LLM-based engine to help better classify phishing emails that, these days, are mostly written using AI anyways about a year ago. Today, I'm excited to spotlight a new place AI has been inserted into a workflow to make it better…a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365. Understanding the Challenge While the automated and human-driven analyses are robust in Defender for Office 365, there are occasions where the response—be it a verdict of "benign" or "malicious"— doesn’t fully align with the security team's context or threat intelligence. If you are a Microsoft 365 organization with Exchange Online mailboxes, you’re probably familiar with how admins can use the Submissions page in the Microsoft Defender portal to submit messages, URLs, and attachments to Microsoft for analysis. As a recent enhancement, now all the admin submissions use LLM based response for better explainability. In the past, disputing such verdicts required separate support channels, using Community support, or manual email processes, often delaying resolution and impacting the speed of cyber operations, leaving many SOC analysts in Ricky and Lucy's place.... Introducing the Dispute Submission Response Feature With the new dispute submission response feature, Microsoft Defender for Office 365 bridges a critical gap in the incident response workflow. Now, when a security analyst or administrator receives a verdict on a submitted item, they have the option to dispute the response directly within the Microsoft 365 Defender portal. This feature streamlines feedback, allowing teams to quickly flag disagreements and provide additional context for review at the speed of operations. How It Works Upon submission of a suspicious item, Microsoft Defender for Office 365 provides a response indicating its assessment—malicious, benign, or other categorizations. If the security team disagrees with the verdict, they can select the "Dispute" option and submit their rationale, including supporting evidence and threat intelligence. The disputed case is escalated directly to Microsoft’s threat research team for further review, and the team is notified of progress and outcomes. This direct feedback loop not only empowers security teams to advocate for their organization's unique context, but also enables Microsoft to continually refine detection algorithms and verdict accuracy based on real-world input, because security is a team sport. Benefits for Security Operations Faster Resolution: Streamlined dispute submission eliminates the need for external support tickets and escalations, reducing turnaround time for critical cases. Greater Transparency: The feature fosters a collaborative relationship between customers and Microsoft, ensuring that verdicts are not final judgments but points in an ongoing dialogue. Continuous Improvement: Feedback from disputes enhances Microsoft’s threat intelligence and improves detection for all Defender for Office 365 users. Empowerment: Security teams gain a stronger voice in the protection of their environment, reinforcing trust in automated defenses. MVP Insights: Real-World Impact Having worked with global enterprises, I’ve seen how nuanced and context-specific threats can be. Sometimes, what appears benign to one organization may be a targeted attack for another, a slight modification to a URL may catch one email, but not others, as slight changes are made as billions of emails are sent. We are only as good as the consortium. The ability to dispute submission responses creates a vital safety net, ensuring that security teams are not forced to accept verdicts that could expose them to risk. It’s a welcome step toward adaptive, user-driven security operations. Conclusion The dispute submission response feature in Microsoft Defender for Office 365 is one of the most exciting features for me, because it focuses on enabling organizations striving for agility and accuracy in threat management. By enabling direct, contextual feedback, Microsoft empowers security teams to play an active role in shaping their defenses. As an MVP, I encourage all users to leverage this feature, provide detailed feedback, and help drive the future of secure collaboration in the cloud. You may be right after all. _________ This blog has been generously and expertly authored by Microsoft Security MVP, Mona Ghadiri with support of the Microsoft Defender for Office 365 product team. Mona Ghadiri Microsoft Security MVP Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs). Now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real-world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series: 1. Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai 2. Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor 3. (This blog post) You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri 4. Microsoft Defender for Office 365: Fine-Tuning | Real-world Defender for Office 365 tuning that closes real attack paths by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedInProtection Against Email Bombs with Microsoft Defender for Office 365
In today's digital age, email remains a critical communication tool for businesses and individuals. However, with the increasing sophistication of cyberattacks, email security has become more important than ever. One such threat that has been growing is the email bombing, a form of net abuse that sends large volumes of email to an address to overflow the mailbox, overwhelm the server, or distract attention from important email messages indicating a security breach. Email bomb - Wikipedia Understanding Email Bombing Email bombing, typically involves subscribing victims to a large number of legitimate newsletter and subscription services. Each subscription service sends email notifications, which in aggregate create a large stream of emails into the victim’s inbox, making email triage for legitimate emails very difficult. This form of attack is essentially a denial-of-service (DDOS) on the victim's email triaging attention budget. Hybrid Attacks More recently, email subscription bombs have been coupled with simultaneous lures on Microsoft Teams, Zoom, or via phone calls. Attackers impersonate IT support and offer to help solve the email problem caused by the spike of unwanted emails, ultimately compromising the victim's system or installing malware on their system. This type of attack is brilliant because it creates a sense of urgency and legitimacy, making victims more likely to accept remote assistance and inadvertently allow malware planting or data theft. Read about the use of mail bombs where threat actors misused Quick Assist in social engineering attacks leading to ransomware | Microsoft Security Blog. Incidence and Purpose of Email Bombing Email bombing attacks have been around for many years but can have significant impacts on targeted individuals, such as enterprise executives, HR or finance representatives. These attacks are often used as precursors to more serious security incidents, including malware planting, ransomware, and data exfiltration. They can also mute important security alerts, making it easier for attackers to carry out fraudulent activities without detection. New Detection technology for Mail Bombing attacks To address the limitations of current defenses which often include the victim’s attempt to build their own mail flow rules, Microsoft Defender for Office 365 releases a comprehensive solution involving a durable block to limit the influx of emails, majority of which are often Spam. By intelligently tracking message volumes across different sources and time intervals, this new detection leverages historical patterns of the sender and signals related to spam content. It prevents mail bombs from being dropped into the user’s inbox and the messages are rather sent to the Junk folder (of Outlook). Note: Safe sender lists in Outlook continue to be honored, so emails from trustworthy sources are not unexpectedly moved to the Junk folder (in order to prevent false positives). Since the initial rollout that started in early May, we’ve seen a tremendous impact in blocking mail bombing attacks out of our customers’ inboxes: How to leverage new “Mail bombing” detection technology in SOC experiences 1. Investigation and hunting: SOC analysts can now view the new Detection technology as Mail bombing within the following surfaces: Threat Explorer, Email entity page and Advanced Hunting empowering them to investigate, filter and hunt for threats related to mail bombing. 2. Custom detection rule: To analyze the frequency and volume of attacks from mail bombing vector, or to have automated alerts configured to notify SOC user whenever there is a mail bombing attack, SOC analysts can utilize the custom detection rules in Advanced hunting by writing a KQL query using data in DetectionMethods column of EmailEvents table. Here’s a sample query to get you started: EmailEvents | where Timestamp > ago(1d) | where DetectionMethods contains "Mail bombing" | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, ReportId The SOC experiences are rolled out worldwide to all customers. Conclusion Email bombs represent an incidental threat in the world of cybersecurity. With the new detection technology for Mail Bombing, Microsoft Defender for Office 365 protects users from these attacks and empowers Security Operations Center Analysts to ensure to gain visibility into such attacks and take quick actions to keep organizations safe! Note: The Mail bombing protection is available by default in Exchange Online Protection and Microsoft Defender for Office 365 plans. This blog post is associated with Message Center post MC1096885. Also read Part 2 of our blog series to learn more about protection against multi-modal attacks involving mail bombing and correlation of Microsoft Teams activity in Defender. Learn: Detection technology details table What's on the Email entity page Filterable properties in the All email view in Threat ExplorerIntroducing the Microsoft Defender for Office 365 ICES vendor ecosystem
In today's digital landscape, the need for comprehensive security measures is more critical than ever, as email continues to be a primary vector for cyberattacks such as phishing and malware. To address this, Microsoft Defender for Office 365 leverages the extensive scale of Microsoft's threat intelligence, which processes trillions of signals daily. By integrating Large Language Models (LLMs) and advanced Natural Language Processing, Defender for Office 365 empowers organizations with AI-driven threat detection, behavioral analytics, and automated responses thus proactively identifying and neutralizing risks before they reach end users. This collaborative defense approach reinforces the principle that security is a team sport, requiring shared intelligence and coordinated action across the ecosystem. We recognize in today’s dynamic cyber threat landscape, defense-in-depth strategy has become a vital approach not only for Microsoft customers but also across the broader Secure Email Gateway (SEG) market. Organizations are increasingly adopting layered security solutions to comply with regulatory requirements, enhanced detection, and ensure robust protection. To address this, we’re announcing the Microsoft Defender for Office 365 ICES Vendor Ecosystem — a unified framework that enables seamless integration with trusted third-party vendors. This ecosystem is designed to eliminate integration friction and deliver: Broader detection coverage through vendor diversity Transparency across Microsoft Defender for Office 365 and partner detections Streamlined SOC workflows through consistent policy enforcement and shared investigation tools Stronger compliance alignment with layered security mandates This partner ecosystem is about creating a cohesive defense fabric that enhances SOC efficiency with Microsoft Defender for Office 365 as the foundation. The ecosystem also provides flexibility, scalability, and preparedness for the complexities of contemporary enterprise security. With this in mind, we are pleased to announce that our trusted ICES security vendors, Darktrace and KnowBe4, have become the first launch partners within our ecosystem. They offer customers a seamless and collaborative defense framework where each solution enhances the strengths of the others. We welcome additional partners soon as we continue to expand this integrated ecosystem. “Our integration with Microsoft gives security teams the tools they need to act faster and more precisely to detect and respond to threats,” said Jill Popelka, CEO of Darktrace. “Together, we’re strengthening defenses where it matters most to our customers —at the inbox.” “I’m incredibly excited at the opportunity afforded by this partnership with Microsoft and the deeper integrations it enables. Leveraging this integration allows us to use our vast quorum of data around email security and human risk in a way that provides the most comprehensive layered security approach available to the market. A complementary defense strategy is mandatory and this integration with Microsoft M365 furthers that vision by combining our capabilities to create comprehensive defense strategies that address the full spectrum of modern cyber threats.” noted Greg Kras, Chief Product Officer @ KnowBe4 Unified Quarantine The core strength of this new ecosystem is the seamless integration between Defender for Office 365 and its ICES partners, through the Unified Quarantine feature. Managing quarantined messages from multiple solutions can often be complex and inefficient. Unified Quarantine streamlines the process by consolidating quarantined items identified by both Defender for Office 365 and third-party (3P) solutions into a single, unified interface, enhancing customer ease and visibility. Administrators can efficiently review, release, or remediate messages through this unified interface, irrespective of the provider that identified the threat. This approach not only optimizes time management but also guarantees uniform policy enforcement and facilitates transparency on detections, resulting in improved operational efficiency and a more coherent user experience. As part of the Unified Quarantine, security admins can also see which provider quarantined the message. Transparency and Insight Across Solutions In environments with multiple email security solutions, transparency is crucial to understanding each vendor's detections. Microsoft Defender for Office 365 offers a unified dashboard that clearly distinguishes between threats stopped by Defender and those identified by third-party solutions, ensuring transparent and fair attribution of protection value. This dashboard provides security teams with a comprehensive view of how each solution contributes to protection, helping to identify overlapping coverage and areas of unique value. This clarity supports more informed decision-making around threat trends, policy optimization, and vendor strategy fostering stronger collaboration between internal teams and external partners. Deeper SOC Investigation Capabilities: Threat Explorer, Advanced Hunting, and Email Entity Page Modern defenders need tools for rapid investigation, root cause analysis, and tactical response. The Defender for Office 365 ecosystem unifies investigative workflows across partner solutions. Within Threat Explorer, security analysts can seamlessly pivot between messages actioned by Microsoft Defender for Office 365 and those flagged by integrated partners. The side-by-side display of verdicts and actions enables quick correlation and pattern recognition. Advanced Hunting brings even greater depth, allowing analysts to craft queries that span both Microsoft Defender for Office 365S and 3P data sources. This holistic view accelerates threat hunting and helps organizations surface novel attack techniques or gaps in coverage. EmailEvents | where Timestamp > ago(7d) //List emails caught by a Third-party solution | where DetectionMethods contains "Thirdparty" | project NetworkMessageId, RecipientEmailAddress, ThreatTypes, DetectionMethods, AdditionalFields, LatestDeliveryLocation On the Email Entity Page, every message surfaces a complete action history, including which product took action and what verdict was assigned. This granular visibility demystifies complex incidents and builds confidence in the layered defense model. Summary As the threat landscape continues to evolve, so must our defenses. While organizations embrace defense-in-depth, fragmented integrations may lead to unintended consequences such as diminished detection capabilities, overlapping controls, and SOC inefficiencies. With the Defender for Office 365 ICES vendor ecosystem, Microsoft is setting a new standard for collaborative, integrated security platforms. By combining proven protection, seamless partnerships, and unified visibility, organizations can embrace defense-in-depth without complexity or compromise. Whether combating phishing, malware, or the next generation of email-borne threats, customers benefit from a defense-in-depth strategy built for agility and efficiency. With hands-off enablement, unified experiences, and unmatched transparency, the Defender for Office 365 ecosystem empowers every organization to stay one step ahead—today and tomorrow. Learn More To learn more about the Microsoft Defender for Office 365 ICES Vendor Ecosystem, please visit https://learn.microsoft.com/defender-office-365/mdo-ices-vendor-ecosystem.Strengthening Email Ecosystem: Outlook’s New Requirements for High‐Volume Senders
April 29th Update - Changes have been made to the action take on messages that do not meet requirements, please see details below. Introduction In an era where email remains one of the most widely used tools for personal and business communications, Outlook is stepping up its commitment to protect inboxes and preserve trust in the digital ecosystem. Today, we’re announcing new requirements and best practices designed to strengthen email authentication for domains sending more than 5,000 emails per day. These new requirements will enforce stricter standards by including mandatory SPF, DKIM, DMARC settings. Outlook is pushing the broader industry toward best practices and safeguarding the millions of individuals and small businesses that rely on us every day. These measures will help reduce spoofing, phishing, and spam activity, empowering legitimate senders with stronger brand protection and better deliverability. Outlook has always prioritized user safety and reliability; we’re proud to further invest in this solution that will keep our customers safe and reinforce the best practices across the industry. We believe that by raising the bar for large senders, we can inspire lasting change that benefits everyone. What's Changing? For domains sending over 5,000 emails per day, Outlook will soon require compliance with SPF, DKIM, DMARC. Non‐compliant messages will first be routed to Junk. If issues remain unresolved, they may eventually be rejected. Senders will soon start requiring compliance with the following requirements: SPF (Sender Policy Framework) Must Pass for the sending domain. Your domain's DNS record should accurately list authorized IP addresses/hosts. DKIM (DomainKeys Identified Mail) Must Pass to validate email integrity and authenticity. DMARC (Domain-based Message Authentication, Reporting, and Conformance) At least p=none and align with either SPF or DKIM (preferably both). Learn more about email authentication here. Additional Email Hygiene Recommendations Large senders should also adopt these practices to maintain quality and trust: Compliant P2 (Primary) Sender Addresses: Ensure the “From” or “Reply‐To” address is valid, reflects the true sending domain, and can receive replies. Functional Unsubscribe Links: Provide an easy, clearly visible way for recipients to opt out of further messages, particularly for marketing or bulk mail. List Hygiene & Bounce Management: Remove invalid addresses regularly to reduce spam complaints, bounces, and wasted messages. Transparent Mailing Practices: Use accurate subject lines, avoid deceptive headers, and ensure your recipients have consented to receive your messages. Outlook reserves the right to take negative action, including filtering or blocking—against non‐compliant senders, especially for critical breaches of authentication or hygiene. Enforcement Timeline Starting today, we encourage all senders and particularly those that send at high volume to review and update their SPF, DKIM, and DMARC records, in preparation for when the enforcement begins, starting in May. After careful consideration and to ensure the protection of users and remove any confusion on why a message was in the junk folder for both the recipient and sender, we have made a decision to reject messages that don't pass the required authentication requirements detailed above. The rejected messages will be designated as "550; 5.7.515 Access denied, sending domain [SendingDomain] does not meet the required authentication level." This change will state taking effect on May 5th as originally stated. After May 5th, 2025, Outlook will begin routing messages from high volume non‐compliant domains to the Junk folder, giving senders an opportunity to address any outstanding issues. NOTE: that in the future (date to be announced), non-compliant messages will be rejected to further protect users. Next Steps Prepare Now: Audit your DNS records (SPF, DKIM, DMARC) and verify you meet all the requirements. To view the authentication header, visit this. To learn how to read authentication headers, click here. Stay Informed: We’ll provide updates on official rollout schedules, and dates for when rejection actions will begin through a blog post. Join Our Mission: Embracing better authentication and hygiene not only benefits your deliverability but also helps protect the entire email ecosystem. For additional resources or support, visit sender support. Thank you for partnering with us to make email a more secure, transparent, and trusted channel for everyone. Frequently Asked Questions (FAQ) Why is Outlook requiring these changes specifically for high‐volume senders? Large senders have a broader impact on inbox safety. By focusing on senders of 5,000+ messages a day, we significantly reduce the likelihood of spam and spoofing campaigns reaching our user base. How do SPF, DKIM, and DMARC help me as a sender? These authentication protocols verify your emails for recipients. Compliant senders often see improved deliverability, fewer bounce‐backs, and stronger brand credibility. Do I still need to do this if I send fewer than 5,000 emails/day? While enforcement first targets large senders, all senders benefit from these best practices. Strong authentication protects your reputation. What exactly is a “functional” unsubscribe link? It’s a link placed in your email that allows recipients to quickly opt out of future mail. It should be easy to find and reliable when clicked. Will these changes stop all spam? No system eliminates spam entirely, but these measures make it much harder for malicious actors to succeed and give legitimate senders higher trust. What does “alignment” mean for DMARC? Alignment ensures the “From” domain matches (or sub domain) the domain used by SPF and/or DKIM. This prevents bad actors from exploiting your domain name. My SPF record has multiple include statements—could that cause issues? If you exceed 10 DNS lookups, your SPF check might fail. Tools exist to “flatten” your record or reduce the number of includes. Why does Outlook recommend ARC for forwarding/mailing lists? Forwarding can break DMARC alignment. ARC preserves the original authentication checks, preventing legitimate forwarded mail from being wrongfully flagged. How often should I clean my mailing lists? Aim to remove inactive or invalid addresses regularly—monthly or quarterly. This lowers bounce rates, cuts costs, and reduces spam complaints. If I use a 3rd‐party email vendor, do I still need SPF, DKIM, DMARC records in my domain DNS? Yes. Even if you outsource sending, authentication is tied to your domain. Coordinate with your provider to ensure correct DNS settings. How does Outlook handle DMARC aggregate (rua) and forensic (ruf) reports? We send RUA to the addresses specified in your DMARC record. You can analyze these to see who is sending on behalf of your domain, spot domain abuse, and confirm alignment. We don’t have plans to send RUF. Can separate mail systems have unique DKIM selectors? Yes. Managing multiple selectors (e.g., selector1, selector2) helps maintain clarity and isolate reputation concerns across various business units or campaigns. Learn more about how to configure DKIM here. Does publishing a strict DMARC policy (p=reject) offer better security? Absolutely, once your legitimate sources are aligned, p=reject is the most effective at thwarting domain spoofing. We advise moving gradually (none → quarantine → reject) to avoid unintended mail loss. If someone regularly reports my emails as spam despite authentication, what can I do? Authentication ensures emails are from you, but user perception still matters. Review your content, frequency, and opt‐out process to ensure recipients remain engaged and not overwhelmed. Will adding to safe senders list bypass the new enforcement? No. Safe Sender list won’t be honored.
Submissions Response Using AI for Enhanced Result Explainability
We are pleased to announce that Microsoft Defender for Office 365 now features large language model (LLM)-powered responses within the submission workflow. This update provides security and Exchange admins with clear, actionable insights into the reasons behind the classification of each submission whether as spam, phishing, bulk, or clean - enabling more informed decision-making and response. What's new? Historically, submission results such as Threats found or No threats found have provided limited insight into the reasoning behind classification decisions. The implementation of AI-LLM-based responses addresses this limitation by delivering intuitive and context-rich explanations that clarify why a message was categorized as spam, phishing, bulk, or clean. This enhancement reduces ambiguity and facilitates faster, more accurate responses by administrators. LLM-based responses are now available for administrative email submissions made from any location within the Defender portal. Where can you see LLM based responses? Submissions page at https://security.microsoft.com/reportsubmission : On the Emails tab, select entry to view the LLM based explanation in the details flyout. Example- Example where submissions response came as clean- No threats found. The email is a simple and benign message with no malicious content or suspicious links. The sender and recipient both belong to the same domain (contoso.com), indicating internal communication. Interacting with this email poses no risk as it contains no harmful elements. Example where submissions response came as malicious- Threats found. The sender's email address (bad-vaibhav@contosoo.com) is suspicious and not associated with any legitimate organization. The email subject uses excessive promotional language and emojis, which is typical of spam emails. Interacting with the message could lead to unwanted advertisements or potential scams. Clicking on the provided link leads to a Contoso login page, which is a standard procedure for accessing internal resources. Key Result Types with LLM Support For the result types like Threats found, No threat found, Bulk, Spam and a few Unknowns, you will see the LLM-based explanation. However, if for any reason the AI-generated explanation is unavailable, the system will fall back to the existing explanation, ensuring continuity in the experience. Learn more: Check out our documentation for more details on submission workflows and AI-LLM based integration. Have feedback or questions about LLM based response? Join the conversation in the Microsoft Defender for Office 365 community forum.
SOC can see Microsoft analysis for Third-party add-in user report
We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis. A prerequisite for using this is to already have set up the third-party user report tool on Outlook for your end users and that tool is forwarding the user report to an exchange online mailbox within the organization. We do not recommend using the exchange transport rule for it. To enable this setting, you must do the following: Go to User reported settings in the Microsoft Defender portal, select Monitor reported messages in Outlook, and then select Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-ins are being routed to. If the third-party vendor follows the guidance for message submissions format, Defender for Office 365 will submit these messages automatically to Microsoft for analysis. The analysis results from Microsoft are displayed on the User reported page in the Defender portal. Alerts are automatically generated for user-reported messages in Defender for Office 365. If you have Defender for Office 365 Plan 2, Automated investigation and response (AIR) is also automatically triggered for user-reported phishing messages. These alerts and their investigations are automatically linked to Defender Incidents, assisting security teams with automation for triage, investigation, and response. Submitting these messages to Microsoft for analysis provides a response of this analysis to security analysts and helps improve Defender for Office 365 filters. To learn more, check out these articles: Report suspicious email messages to Microsoft Automatic user notifications for user reported phishing results in AIR Share Your Feedback! We are eager for you to experience the capabilities of Microsoft feedback, triage, investigation, and analysis for user reports while utilizing the advantages of third-party report add-ins. Share your thoughts with us by commenting below.Auto-Remediation of Malicious Messages in Automated Investigation and Response (AIR) is GA
We are excited to announce the GA release of auto-remediation of malicious messages through automated investigation and response (AIR) expanding this powerful tool and deliver on full end to end automation of key SOC scenarios. AIR works to triage, investigate and remediate and respond to high-impact, high-volume security alerts providing tenant level analysis to increase customer protection and optimize SOC teams. With this enhancement, customers will be able to configure AIR to automatically execute remediations for messages within malicious entity clusters saving SOC teams time and further expediting remediation by removing the need to for SOC teams to approve these actions! To highlight the key user submission scenario, in addition to AIR completing triage, investigation, remediation identification, and end user feedback responses, customers may now configure AIR to take this a step even further to automatically execute on identified remediations. Auto-Remediation Action When AIR recognizes a malicious file or URL, it creates a cluster around the malicious file or URL grouping all messages that contain that file or URL into the respective cluster. The automated investigation then checks the location of the messages within the cluster and if it finds messages within user’s mailboxes, AIR will produce a remediation action. With the auto-remediation enhancement, if the customer has configured the cluster type to auto-remediate, this action will automatically be executed without the need for SecOps approval - removing identified threats at machine speed! Auto-remediated clusters showing in action center history with decided by stating automation: Configuration Auto-remediation will be controlled by a configuration within Settings > Email & Collaboration > MDO automation settings. Within the message clusters section, organizations may specify which types of message clusters they would like to be auto-remediated: Similar files: When the automated investigation recognizes a malicious file, it creates a cluster around the malicious file grouping all messages that contain that file into the cluster. Selecting this checkbox will opt the organization into auto-remediation for these malicious file clusters. Similar URLs: When the automated investigation recognizes a malicious URL, it creates a cluster around the malicious URL grouping all messages that contain the URL into the cluster. Selecting this checkbox will opt the organization into auto-remediation for these malicious URL clusters. The next configuration is for the remediation action, designating soft delete as soft delete is currently the only action supported through AIR. Auto-remediation of malicious entity clusters configuration found in settings>Email & collaboration>MDO automation settings: Note: Customers interested in auto-remediation must turn it on through the MDO automation settings page as it will not be on by default. Auto-Remediation Action Logging The Defender portal provides several ways for customers to review remediation actions to stay cognizant of the actions executed. These include within the investigation, action center, email entity as well as threat explorer and advanced hunting. Should customers disagree with the action executed, the ability to move the messages back to mailboxes is available as well based on configuration and timing. Auto-remediated messages showing in Threat Explorer Additional actions as Automated Remediation: automated: Auto-remediated messages showing in Advanced Hunting with ActionType as Automated Remediation and ActionTrigger as Automation: Learn More Register for the deep dive webinar on Microsoft Defender for Office 365 automated investigation and response (AIR) on June 25, 2025, at 8:00am PDT / 3:00pm UTC. Learn more about the feature enhancements, as well as how AIR can help optimize SOC teams and accelerate threat response. To learn more about the auto-remediation in AIR, please visit Automated remediation in AIR - Microsoft Defender for Office 365 | Microsoft Learn. To learn more about investigations in MDO, please visit the following pages: Automated investigation and response in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn View the results of an automated investigation in Microsoft 365 - Office 365 | Microsoft Learn How automated investigation and response works in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn Automatic user notifications for user reported phishing results in AIR - Microsoft Defender for Office 365 | Microsoft Learn
Part 2: Build custom email security reports and dashboards with workbooks in Microsoft Sentinel
Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, sometimes security teams require custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights to meet their needs. In January of this year, we shared an example of how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. Today, we are excited to announce the release of an updated version of the Microsoft Defender for Office 365 Detections and Insights – Microsoft Sentinel workbook. Over the past few months, we have received feedback from numerous security teams, offering a multitude of ideas for new insights, updated visuals, and improved structure for the workbook. We have incorporated these suggestions into this update to enhance the experience for all users of the Microsoft Defender for Office 365 Detections and Insights workbook. What’s new? We have changed the workbook structure and divided visuals and insights related to the same topic to be on their own tab. We have also added many new visuals and updated existing visuals. Using tabs for easier navigation Simply use the tabs now on the top of the workbook to navigate between the various insights' groups. Notable changes: False Positive and False Negative Submissions insights are separated to have their own tab A new tab added for Quarantine Insights. The complete list of tabs is: Detection Overview | Email - Malware Detections | Email - Phish Detections | Email - Spam Detections | URL Detections and Clicks | Email - Top Users/Senders | Email - Detection Overrides | False Negative (FN) Submissions | False Positive (FP) Submissions | File - Malware Detections (SharePoint, Teams and OneDrive) | Post Delivery Detections and Admin Actions | Quarantine Insights Please note: The workbook has a total of 12 tabs. If all tabs are not visible, you can access the remaining tabs using the "..." located at the end of the tab list on the right side. New insights and visuals We have added new insights and visuals to help security team members better understand their Email security posture. Some examples: Detection Overview tab - Bad traffic percentage (%) - Inbound Emails Visualizes bad traffic (% of emails with threats) compared to total inbound emails over time summarizing the data daily. Email – Malware/Email-Phish detection tabs - Zero Day detections (URL & Attachment detonation) Visualizes total emails with Malware/Phish detections over time summarizing the data daily by detection technologies/controls used for detecting unknown-unique malware and phish (URL detonation, File detonation). Email - Phish Detections tab - Top Domains Outbound with Emails with Threats Inbound (Partner BEC) Visualizes top outbound recipient domains by outbound email volume and shows total number of inbound emails with Threats from the same domains (as inbound senders). Email – Malware/Phish/Spam Detection tabs - Detections by delivery location Visualizes total emails with Malware/Phish/Spam detections over time summarizing the data daily by Delivery Location. These insights can help security teams drive towards stronger security posture by adopting Quarantine as filter verdict action replacing Move to Junk email folder. URL Detections and Clicks tab – Top malicious URLs clicked by users Visualizes top malicious URLs with the number of clicks attempts performed by users. False Negative (FN) Submissions tab – new insights added for user defined filter verdict override configuration impacting the delivery action of the reported email, top 10 inbound P2 senders' domains of reported emails, top subjects of the internal emails reported by users as Phish, number if user reported Phish emails where the email is already in the Junk email folder. Updated Insights We have updated existing insights by adding additional information to them or visualizing the raw data in a different way. Some examples: Email – Malware/Phish/Spam Detection tabs - Email Top 10 Domains sending Malware table view now has Total emails sent by the sender domain and bad traffic % from the sender domain. Grid views are now searchable: False Negative (FN) Submissions/ False Positive (FP) Submissions are separated now on their own tab, existing insights got updated to understand better what users and security team members are submitting. Malware family related visuals on Email – Malware detections and File - Malware Detections (SharePoint, Teams and OneDrive) are using searchable grid now: How can I get the updated version? The latest version of the Microsoft Defender for Office 365 Detections and Insights workbook is available as part of the Microsoft Defender XDR solution in the Microsoft Sentinel - Content hub. Version 3.0.12 of the solution has the updated workbook template. If you already have the Microsoft Defender XDR solution deployed, version 3.0.12 is available now as an update. After you install the update, you will have the new workbook template available to use. If you install the Microsoft Defender XDR solution for the first time, you are deploying the latest version and will have the updated template ready to use. How to share the workbook with others Leveraging Microsoft Sentinel workbooks for reporting to leadership is a common use case. A common concern is granting recipients access to Microsoft Sentinel or all of the tables within the workspace. Using some different RBAC components, this can be done. For details, see the Manage Access to Microsoft Sentinel Workbooks with Lower Scoped RBAC on the Microsoft Sentinel Blog. Can I edit the workbook and change the visuals? Yes, absolutely. The Microsoft Defender for Office 365 Detections and Insights is a workbook template in Microsoft Sentinel. It is ready to use with a few simple clicks, however when needed you can save and edit the workbook based on your organization’s need. You can customize each visual easily or review the underlying KQL. Simply edit the workbook after saving, then adjust the underlying KQL query, change the type of the visual, or create new insights. More information: Visualize your data using workbooks in Microsoft Sentinel | Microsoft Learn Why use workbooks in Microsoft Sentinel for email security reports and insights? There are many potential benefits to using workbooks if you already use Microsoft Sentinel and already stream the hunting data tables: You can choose to store data for a longer period of time via configuring longer retention for tables you use for your workbooks. For example, you can store Defender for Office 365 Email Events table data for 1 year and build visuals over a longer period of time. You can configure auto-refresh for the workbook to keep the data shown up to date. You can access ready-to-use workbook templates and customize them if it's needed. Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum. More information Integrate Microsoft Defender XDR with Microsoft Sentinel Learn more about Microsoft Sentinel workbooks Microsoft Defender for Office 365 Detection Details Report – Updated Power BI template for Microsoft Sentinel and Log Analytics Learn more about Microsoft Defender XDR
