All Excel Macro Files Suddenly Flagged as Malware (X97M/Slacker.gen!A) Across M365 Starting April 16
Starting around 8 PM GMT+8 on April 16, 2025, macro-enabled Excel files with extensions such as .xlsm, .xlsb, or .xls began being automatically flagged as malware, specifically identified as X97M/Slacker.gen!A—when opened or edited in SharePoint, OneDrive, or Teams. Before this, the same files were not flagged as malicious, even when opened or edited, and this behavior had remained consistent for several months. This issue affects our entire tenant, with over 800 files being flagged as malware under the name X97M/Slacker.gen!A. These files are located across various locations and have been modified by different users. We are a Cloud-only tenant, and we have not done any configuration changes in Threat Policies for the past few months.
Marking Quarantine Notice senders as safe for entire tenant
Our users get quarantine notices weekly. They're configured to come from email address removed for privacy reasons (the domain specific to tenant).. sometimes they come from email address removed for privacy reasons anyways, but this is fine. The thing is, I end up with a LOT of users who end up receiving these in their junk mail. We have a lot of tenants - I don't really have the time to keep checking them, taking action on mis-junked items. Most stuff is configured to go to quarantine anyway. What's the best way to allow these senders? The IB Anti-Spam safe-senders component is not Secure-Score recommended, and we try to keep these scores high. But the tenant allow/block list allows a max of 45days since last use. There's so many options, I'm a little confused as to what's 'right' ThanksAutomated Investigation and Response
Upgraded to Defender for 365 P2 based on the idea of setting automated responses to certain alerts. That's how it was described. Now I'm trying to enable and configure it. The documentation has bounced me around 20 different articles for XDR, Defender Enterprise, Defender for Business... I do not see anywhere to configure the automation in Defender. One doc points me here for making sure it's enabled. when I open this, and go down to Automation, it's simply an empty list of device groups. We don't use Device groups - we don't use Defender Endpoint. Has anyone configured this in a non-XDR environment? What I'm encountering and what was advertised seem very different...upgraded from P1 to P2... how do I configure this?
Upgraded to Defender 365 P2 from P1, based on the automated responses. Kinda figured we'd be able to tweak these, but I guess not? Anyway, I'm a little bit confused about how to set this up maximally. Realized yesterday we had a 'User click a malicious link" investigation that was pending - but no one knew. When I click 'Email Notification' in the 'Incidents' window, it brings me to the XDR settings menu, with options for setting emails to notify of Alerts, Incidents and Threat Analytics. Except we don't have XDR? So I can't tell if these are even valid? The documentation on the AIR component is really hard to decipher - wondering if anyone has much experience with this, and knows how to configure it optimally? As in, how do I notify someone of a Critical Investigation, or something needing approval for remediation? Can I configure certain things to not require approval? Like... removing a reported phishing email from everyone's inbox?Automating User Tags
When we create a custom user tag we can select a group and have all the users in the group tagged. However if a user is removed or added to that group at a later stage the tag is not removed/added. Is there a way to automate this? Only thing I found is that this was before on the roadmap but seems to have been removed? https://m365admin.handsontek.net/microsoft-defender-for-office-365-tagging-support-for-groups/ https://learn.microsoft.com/en-us/defender-office-365/user-tags-about If you assign a group to a user tag, members of the group at the time of tag creation are assigned tag. Users later added to the group aren't automatically assigned the user tag.
Adding Targeted Users/Groups in Attack Simulator
Is there a setting that may have changed recently or needs to be changed that enables filtering by groups when creating a simulation. I am unable to browse our groups in our organization any longer, I can choose from other options like City, Departments, Titles, etc. but the AD groups do not populate any longer in this list when trying to add Target Users. Thank you, Jerid
AIR Result : Email template modification
Hi, I want to change the email language for the Automated investigation and response (AIR) after a phishing report. I found the page where you can set a custom email "Body" and "Footer". This works, but I also need to change the other parts of the email or at least find a way to translate it in french. Right now, there's a mix of english and french (The body and footer I configured) but I need the whole thing to be in french. I would appreciate a hand on this issue. Thank you !! PS : See the screenshot for the part I want to translate.
Attack Simulation - Automations Exclusion List
Hi, A bit of a rudimentary issue: There's no way to include an exclusion list for simulation automations which is a bit odd. The automation feature seems very useful and scalable for small teams with lots of users. Reduces operational cost by a wide margin. Is there a reason for the lack of an exclusion list option here? This is a strong constraint for organizations which cannot include upper management in their phishing simulation.
