Part 3: Build custom email security reports with Power BI and workbooks in Microsoft Sentinel
TL;DR: We're releasing a brand-new Power BI template for email security reporting and a major update (v3) to the Microsoft Sentinel workbook. Both solutions share the same rich visuals and insights. Choose Power BI for quick deployment without Sentinel, or the Sentinel workbook for extended data retention and multi-tenant scenarios. Get started in minutes with either option. Introduction Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. While Microsoft Defender for Office 365 provides rich, built-in reporting capabilities, many security teams need custom reporting solutions to create dedicated views, combine multiple data sources, and derive deeper insights tailored to their unique requirements. Earlier last year (Part 1 and Part 2) we shared examples of how you can use workbooks in Microsoft Sentinel to build a custom email security insights dashboard for Microsoft Defender for Office 365. Today, we are excited to announce the release of a new Power BI template file for Microsoft Defender for Office 365 customers, along with an updated version of the Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel. Both solutions share the same visual design and structure, giving you a consistent experience regardless of which platform you choose. Power BI template file - Microsoft Defender for Office 365 Detections and Insights: Microsoft Sentinel workbook - Microsoft Defender for Office 365 Detections and Insights: NEW: Power BI template file for Microsoft Defender for Office 365 Detections and Insights This custom reporting template file utilizes Power BI and Microsoft Defender XDR Advanced Hunting through the Microsoft Graph security API. It is designed for Microsoft Defender for Office 365 customers who have access to Advanced Hunting but are not using Microsoft Sentinel. Advanced Hunting data in Microsoft Defender for Office 365 tables is available for up to 30 days. The reporting template uses these same data tables to visualize insights into an organization's email security, including protection, detection, and response metrics provided by Microsoft Defender for Office 365. Note: If data retention beyond 30 days is required, customers can use the Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel. You can find the new .pbit template file and detailed instructions on how to set up and use it in the unified Microsoft Sentinel and Microsoft 365 Defender GitHub repository. This new Power BI template uses the same visuals and structure as the Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel, providing an easy way to gain deep email security insights across a wide range of use cases. UPDATED: Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel We are excited to announce the release of a new version (3.0.0) of the Microsoft Defender for Office 365 Detections and Insights workbook in Microsoft Sentinel. The workbook is part of the Microsoft Defender XDR solution in Microsoft Sentinel and can be installed and started to use with a few simple clicks. In this new release we incorporated feedback we have received from many customers in the past few months to add new visuals, updated existing visuals and add insights focusing on security operations. What’s New Here are some notable changes and new capabilities available in the updated workbook template. Improved structure: Headings and grouped insights have been added to tabs for easier navigation and understanding of metrics. Contextual explanations: Each tab, section, and visual now includes descriptions to help users interpret insights effectively. Drill-down capability: A single “Open query link” action allows users to view the underlying KQL query for each visual, enabling quick investigation and hunting by modifying conditions or removing summaries to access raw data. Detection Dashboard tab enhancements: Added an example Effectiveness metric, updated visuals to focus on overall Microsoft Defender for Office 365 protection values, and introduced new sections for Emerging Threats and Microsoft 365 Secure Email Gateway Performance. New Security Operations Center (SOC) Insights tab: Provides operational metrics such as Security Incident Response, Investigation, and Response Actions for SOC teams. Advanced threat insights: Includes new LLM-based content analysis detections and threat classification insights on the Emails – Phish Detections tab. External forwarding insights: Added deep visibility into Inbox rules and SMTP forwarding in Outlook, including destination details to assess potential data leakage risks. Geo-location improvements: Sender IPv4 insights now include top countries for better geographic context for each Threat types (Malware, Spam, Phish). Enhanced top attacked users and top senders: Added TotalEmailCount and Bad_Traffic_Percentage for richer context in top attacked users and senders charts. Expanded URL click insights: URL click-based threat detection visuals now include Microsoft 365 Copilot as a workload. How to use the workbook across multiple tenants If you manage multiple environments with Microsoft Sentinel — or you are an MSSP (Managed Security Service Provider) working across multiple customer tenants — you can also use the workbook in multi‑tenant scenarios. Once the required configuration is in place, you can change the Subscription and Workspace parameters in the workbook to be multi select and load data from one or multiple tenants. This enables to see deep email security insights in multi‑tenant environments, including: Aggregated multi‑tenant view: You can view aggregated insights across tenants in a single workbook view. By multi‑selecting tenants in the Subscription and Workspace parameters, the workbook automatically loads and combines data from all selected environments for all visuals on all tabs. Side‑by-side‑ comparison: For example, you can compare phishing detection trends or top attacked users across two or more tenants simply by opening the workbook in two browser windows placed side by side. Note: For the multiselect option‑ to work in the current workbook version, you need to manually adjust the Subscription and Workspace parameters. This configuration is planned to become the default in the next release of the workbook. Until then, you can simply apply this change using the workbook’s Edit mode. How to get the updated workbook version The latest version of the Microsoft Defender for Office 365 Detections and Insights workbook is available as part of the Microsoft Defender XDR solution in the Microsoft Sentinel - Content hub. Version 3.0.13 of the solution has the updated workbook template. If you already have the Microsoft Defender XDR solution deployed, version 3.0.13 is available now as an update. After you install the update, you will have the new workbook template available to use. Note: If you had the workbook saved from a previous template version, make sure you delete the old workbook and use the save button on the new template to recreate a new local version with the latest updates. If you install the Microsoft Defender XDR solution for the first time, you are deploying the latest version and will have the updated template ready to use. How to edit and share the workbook with others You can customize each visual easily. Simply edit the workbook after saving, then adjust the underlying KQL query, change the type of the visual, or create new insights. More information: Visualize your data using workbooks in Microsoft Sentinel | Microsoft Learn Granting other users access to the workbook also possible, see the Manage Access to Microsoft Sentinel Workbooks with Lower Scoped RBAC on the Microsoft Sentinel Blog. Do you have feedback related to reporting in Microsoft Defender for Office 365? You can provide direct feedback via filling the form: aka.ms/mdoreportingfeedback Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum. More information Integrate Microsoft Defender XDR with Microsoft Sentinel Learn more about Microsoft Sentinel workbooks Learn more about Microsoft Defender XDR
“Automating Export of Microsoft Sentinel Analytic Rules mapped to MITRE Tactics & Techniques”
1. Introduction In modern Security Operations Centers (SOCs), mapping detections to the MITRE ATT&CK framework is critical. MITRE ATT&CK provides a structured, globally recognized model of adversary behavior, categorized into Tactics (goals) and Techniques (methods). Microsoft Sentinel analytic rules frequently include MITRE mappings, but viewing or exporting these at scale isn’t straightforward within the portal. Security teams often need: • A centralized view of existing detections mapped to MITRE ATT&CK • A CSV export for reporting, audits, and threat coverage assessments • Insights for SOC maturity, gap analysis, and threat-informed defense Having an automated way to extract this information ensures accuracy, consistency, and faster operational insights — all essential for high-performing SOCs. 2) Why This Script Is Required While Sentinel analytic rules individually display MITRE mappings, organizations typically need a workspace-wide export for: Detection Coverage & Gap Analysis Identify which Tactics & Techniques are covered. Highlight missing ATT&CK areas. Support threat modelling or purple team exercises. Security Operations Reporting Governance and oversight meetings Compliance documentation SOC KPI reporting and dashboards. Detection Engineering Lifecycle Maintaining a detection catalogue. Versioning and documentation Supporting change management and audits Exporting rules into a CSV using automation avoids manual errors, saves analyst time, and ensures accurate, up-to-date data. 3) Script to Export Microsoft Sentinel Analytic Rules with MITRE Tactics & Techniques (TO BE RUN FROM AZURE CLI) Important: This Bash script must be executed from Azure CLI, either: Azure Cloud Shell, or A workstation/server with Azure CLI installed (Linux, macOS, or WSL on Windows) The script uses az rest and jq to pull analytic rules and generate a CSV containing MITRE Tactics, Techniques, Severity, Enabled state, and KQL query. Bash Script (Run in Azure CLI) ------------------------------------------------------------------------------------------------------------------------ #!/bin/bash # Variables export SUB="99005f96-e572-4035-b476-836fd9d83d64" export RG="CyberSOC" export WS="CyberSOC" API="2024-03-01" # Step 1: Set subscription az account set --subscription "$SUB" # Step 2: Fetch alert rules echo "Fetching alert rules..." az rest \ --method GET \ --uri "https://management.azure.com/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.OperationalInsights/workspaces/$WS/providers/Microsoft.SecurityInsights/alertRules?api-version=$API" \ --output json > rules.json # Step 3: Validate file if [ ! -s rules.json ]; then echo "Error: rules.json is empty or missing." exit 1 fi echo "Total rules found:" jq '.value | length' rules.json # Step 4: Generate CSV with MITRE mapping, severity, enabled echo "Generating CSV..." jq -r ' (["RuleName","Tactics","Techniques","MITRE_Map","Severity","Enabled","Query"] | @csv), ( .value[] | select(.kind == "Scheduled") | . as $r | ($r.properties // {}) as $p | [ ($p.displayName // $r.name // "N/A"), (( $p.tactics // $p.attackTactics // [] ) | join(";")), (( $p.techniques // $p.attackTechniqueIds // [] ) | join(";")), ( ( ($p.tactics // []) | map("TA" + (.[2:]? // "")) ) as $tacs | ( ($p.techniques // []) | map(.) ) as $techs | ( [$tacs[], $techs[]] | join(";")) ), ($p.severity // "N/A"), ($p.enabled | tostring), (( $p.query // "" ) | gsub("\\r?\\n"; " ")) ] | @csv ) ' rules.json > Scheduled_Rules_TTP_Query.csv ------------------------------------------------------------------------------------------------------------------------ 4) Summary Mapping detections to MITRE ATT&CK is a cornerstone of threat-informed defense. This script simplifies the process of exporting Microsoft Sentinel analytic rules with their MITRE mappings into a CSV — enabling SOC teams to: Analyze coverage across ATT&CK Identify detection gaps. Strengthen red–blue team collaboration. Build dashboards and ATT&CK heatmaps. Enhance SOC governance & reporting. Automating this export ensures faster insights, reduces manual workload, and supports a mature detection engineering program.
user-reported phishing emails
Dear Community I have a technical question regarding user-reported emails. In Defender, under “Action and Submissions” -> “Submissions,” I can see the emails that users have reported under the “user reported” option. There, we have the option to analyze these emails and mark them as “no threats found,” “phishing,” or “spam.” The user is then informed. Question: Do these reported emails remain in the user's inbox when they report them? If not, do we have the option to return these reported emails to the user's inbox with the “No threats found” action? Because I don't see this option. In another tenant, under “Choose response Action,” I see “move or delete,” but the “inbox” option is grayed out. Why is that? Thank you very much!Build custom email security reports and dashboards with workbooks in Microsoft Sentinel
Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, sometimes security teams require custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights to meet their needs. We previously shared an example of how you can leverage Power BI and the Microsoft Defender XDR Advanced Hunting APIs to build a custom dashboard and shared a template that you can customize and extend. In this blog, we will showcase how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. We will also share an example workbook that is now available and can be customized based on your organization’s needs. Why use workbooks in Microsoft Sentinel? There are many potential benefits to using workbooks if you already use Microsoft Sentinel and already stream the hunting data tables for Defender for Office 365: You can choose to store data for a longer period of time via configuring longer retention for tables you use for your workbooks. For example you can store Defender for Office 365 EmailEvents table data for 1 year and build visuals over longer period of time. You can customize your visuals easily based on your organization’s needs. You can configure auto-refresh for the workbook to keep the data shown up to date. You can access ready to use workbook templates and customize them if it's needed. Getting started After you connect your data sources to Microsoft Sentinel, you can visualize and monitor the data using workbooks in Microsoft Sentinel. Ensure that Microsoft Defender XDR is installed in your Microsoft Sentinel instance, so you can use Defender for Office 365 data with a few simple steps. Detection and other Defender for Office 365 insights are already available as raw data in the Microsoft Defender XDR advanced hunting tables: EmailEvents - contains information about all emails EmailAttachmentInfo - contains information about attachments in emails EmailUrlInfo - contains information about URLs in emails EmailPostDeliveryEvents – contains information about Zero-hour auto purge (ZAP) or Manual remediation events UrlClickEvents - contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps. CloudAppEvents – CloudAppEvents can be used to visualize user reported Phish emails and Admin submissions with Defender for Office 365. The Microsoft Defender XDR solution in Microsoft Sentinel provides a connector to stream the above data continuously into Microsoft Sentinel. Microsoft Sentinel then allows you to create custom workbooks across your data or use existing workbook templates available with packaged solutions or as standalone content from the content hub. How to access the workbook template We are excited to share a new workbook template for Defender for Office 365 detection and data visualization, which is available in the Microsoft Sentinel Content hub. The workbook is part of the Microsoft Defender XDR solution. If you are already using our solution, this update is now available for you. If you are installing the Microsoft Defender XDR solution for the first time, this workbook will be available automatically after installation. After the Microsoft Defender XDR solution is installed (or updated to the latest available version), simply navigate to the Workbooks area in Microsoft Sentinel and on the Templates tab select Microsoft Defender for Office 365 Detection and Insights. Using the “View Template” action loads the workbook. What insights are available in the template? The template has the following sections with each section deep diving into various areas of email security, providing details and insights to security team members: Detection overview Email - Malware Detections Email - Phish Detections Email - Spam Detections Email - Business Compromise Detections (BEC) Email - Sender Authentication based Detections URL Detections and Clicks Email - Top Users/Senders Email - Detection Overrides False Negative/Positive Submissions File - Malware Detections (SharePoint, Teams and OneDrive) Post Delivery Detections and Admin Actions Email - Malware Detections Email - Business Compromise Detections (BEC) Email - Sender Authentication based Detections URL Detections and Clicks False Negative/Positive Submissions File - Malware Detections (SharePoint, Teams and OneDrive) Post Delivery Detections and Admin Actions Can I customize the workbook? Yes, absolutely. Based on the email attributes in the Advanced Hunting schema, you can define more functions and visuals as needed. For example, you can use the DetectionMethods field to analyse detections caught by capabilities like Spoof detections, Safe Attachment, and detection for emails containing URLs extracted from QR codes. You can also bring other data sources into Microsoft Sentinel as tables and use them when creating visuals in the workbook. This sample workbook is a powerful showcase for how you can use the Defender for Office 365 raw detection data to visualize email security detection insights directly in Microsoft Sentinel. It enables organizations to easily create customized dashboards that can help them analyse, track their threat landscape, and respond quickly—based on unique requirements. Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum. More information Integrate Microsoft Defender XDR with Microsoft Sentinel. Learn more about Microsoft Sentinel workbooks. Microsoft Defender for Office 365 Detection Details Report – Updated Power BI template for Microsoft Sentinel and Log Analytics Learn more about Microsoft Defender XDR.Ignite 2025: New Microsoft Sentinel Connectors Announcement
Microsoft Sentinel continues to set the pace for innovation in cloud-native SIEMs, empowering security teams to meet today’s challenges with scalable analytics, built-in AI, and a cost-effective data lake. Recognized as a leader by Gartner and Forrester, Microsoft Sentinel is a platform for all of security, evolving to unify signals, cut costs, and power agentic AI for the modern SOC. As Microsoft Sentinel’s capabilities expand, so does its connector ecosystem. With over 350+ integrations available, organizations can seamlessly bring data from a wide range of sources into Microsoft Sentinel’s analytics and data lake tiers. This momentum is driven by our partners, who continue to deliver new and enhanced connectors that address real customer needs. The past year has seen rapid growth in both the number and diversity of connectors, ensuring that Microsoft Sentinel remains robust, flexible, and ready to meet the demands of any security environment. Today we showcase some of the most recent additions to our growing Microsoft Sentinel ecosystem spanning categories such as cloud security, endpoint protection, identity, IT operations, threat intelligence, compliance, and more: New and notable integrations BlinkOps and Microsoft Sentinel BlinkOps is an enterprise-ready agentic security automation platform that integrates seamlessly with Microsoft Sentinel to accelerate incident response and streamline operations. With Blink, analysts can rapidly build sophisticated workflows and custom security agents—without writing a single line of code—enabling agile, scalable automation with both Microsoft Sentinel and any other security platform. This integration helps eliminate alert fatigue, reduce mean time to resolution (MTTR), and free teams to focus on what matters most: driving faster operations, staying ahead of cyber threats, and unlocking new levels of efficiency through reliable, trusted orchestration. Check Point for Microsoft Sentinel solutions Check Point’s External Risk Management (ERM) IOC and Alerts integration with Microsoft Sentinel streamlines how organizations detect and respond to external threats by automatically sending both alerts and indicators of compromise (IOCs) into Microsoft Sentinel. Through this integration, customers can configure SOAR playbooks to trigger automated actions such as updating security policies, blocking malicious traffic, and executing other security operations tasks. This orchestration reduces manual effort, accelerates response times, and allows IT teams, network administrators, and security personnel to focus on strategic threat analysis—strengthening the organization’s overall security posture. Cloudflare for Microsoft Sentinel Cloudflare’s integration with Microsoft Sentinel, powered by Logpush, brings detailed security telemetry from its Zero Trust and network services into your SIEM environment. By forwarding logs such as DNS queries, HTTP requests, and access events through Logpush, the connector enables SOC teams to correlate Cloudflare data with other sources for comprehensive threat detection. This integration supports automated workflows for alerting and investigation, helping organizations strengthen visibility across web traffic and identity-based access while reducing manual overhead. Contrast ADR for Microsoft Sentinel Contrast Security gives Microsoft Sentinel users their first-ever integration with Application Detection and Response (ADR), delivering real-time visibility into application and API attacks, eliminating the application-layer blind spot. By embedding security directly into applications, Contrast enables continuous monitoring and precise blocking of attacks, and with AI assistance, the ability to fix underlying software vulnerabilities in minutes. This integration helps security teams prioritize actionable insights, reduce noise, and better understand the severity of threats targeting APIs and web apps. GreyNoise Enterprise Solution for Microsoft Sentinel GreyNoise helps Microsoft Sentinel users cut through the noise by identifying and filtering out internet background traffic that clutters security alerts. Drawing from a global sensor network, GreyNoise classifies IP addresses that are scanning the internet, allowing SOC teams to deprioritize benign activity and focus on real threats. The integration supports automated triage, threat hunting, and enrichment workflows, giving analysts the context they need to investigate faster and more effectively. iboss Connector for Microsoft Sentinel The iboss Connector for Microsoft Sentinel delivers real-time ingestion of URL event logs, enriching your SIEM with high-fidelity web traffic insights. Logs are forwarded in Common Event Format (CEF) over Syslog, enabling streamlined integration without the need for a proxy. With built-in parser functions and custom workbooks, the solution supports rapid threat detection and investigation. This integration is especially valuable for organizations adopting Zero Trust principles, offering granular visibility into user access patterns and helping analysts accelerate response workflows. Mimecast Mimecast’s integration with Microsoft Sentinel consolidates email security telemetry into a unified threat detection environment. By streaming data from Mimecast into Microsoft Sentinel’s Log Analytics workspace, security teams can craft custom queries, automate response workflows, and prioritize high-risk events. This connector supports a wide range of use cases, from phishing detection to compliance monitoring, while helping reduce mean time to respond (MTTR). MongoDB Atlas Solution for Microsoft Sentinel MongoDB Atlas integrates with Microsoft Sentinel to provide visibility into database activity and security events across cloud environments. By forwarding database logs into Sentinel, this connector enables SOC teams to monitor access patterns, detect anomalies, and correlate database alerts with broader security signals. The integration allows for custom queries and dashboards to be built on real-time log data, helping organizations strengthen data security, streamline investigations, and maintain compliance for critical workloads. Onapsis Defend Onapsis Defend integrates with Microsoft Sentinel Solution for SAP to deliver real-time security monitoring and threat detection from both cloud and on-premises SAP systems. By forwarding Onapsis's unique SAP exploit detection, proprietary SAP zero-day rules, and expert SAP-focused insights into Microsoft Sentinel, this integration enables SOC teams to correlate SAP-specific risks with enterprise-wide telemetry and accelerate incident response. The integration supports prebuilt analytics rules and dashboards, helping organizations detect suspicious behavior and malicious activity, prioritize remediation, and strengthen compliance across complex SAP application landscapes. Proofpoint on Demand (POD) Email Security for Microsoft Sentinel Proofpoint’s Core Email Protection integrates with Microsoft Sentinel to deliver granular email security telemetry for advanced threat analysis. By forwarding events such as phishing attempts, malware detections, and policy violations into Microsoft Sentinel, SOC teams can correlate Proofpoint data with other sources for a unified view of risk. The connector supports custom queries, dashboards, and automated playbooks, enabling faster investigations and streamlined remediation workflows. This integration helps organizations strengthen email defenses and improve response efficiency across complex attack surfaces. Proofpoint TAP Solution Proofpoint’s Targeted Attack Protection (TAP), part of its Core Email Protection, integrates with Microsoft Sentinel to centralize email security telemetry for advanced threat detection and response. By streaming logs and events from Proofpoint into Microsoft Sentinel, SOC teams gain visibility into phishing attempts, malicious attachments, and compromised accounts. The connector supports custom queries, dashboards, and automated playbooks, enabling faster investigations and streamlined remediation workflows. This integration helps organizations strengthen email defenses while reducing manual effort across incident response processes. RSA ID Plus Admin Log Connector The RSA ID Plus Admin Log Connector integrates with Microsoft Sentinel to provide centralized visibility into administrative activity within RSA ID Plus Connector. By streaming admin-level logs into Sentinel, SOC teams can monitor changes, track authentication-related operations, and correlate identity events with broader security signals. The connector supports custom queries and dashboards, enabling organizations to strengthen oversight and streamline investigations across their hybrid environments. Rubrik Integrations with Microsoft Sentinel for Ransomware Protection Rubrik’s integration with Microsoft Sentinel strengthens ransomware resilience by combining data security with real-time threat detection. The connector streams anomaly alerts, such as suspicious deletions, modifications, encryptions, or downloads, directly into Microsoft Sentinel, enabling fast investigations and more informed responses. With built-in automation, security teams can trigger recovery workflows from within Microsoft Sentinel, restoring clean backups or isolating affected systems. The integration bridges IT and SecOps, helping organizations minimize downtime and maintain business continuity when facing data-centric threats. Samsung Knox Asset Intelligence for Microsoft Sentinel Samsung’s Knox Asset Intelligence integration with Microsoft Sentinel equips security teams with near real-time visibility into mobile device threats across Samsung Galaxy enterprise fleets. By streaming security events and logs from managed Samsung devices into Microsoft Sentinel via the Azure Monitor Log Ingestion API, organizations can monitor risk posture, detect anomalies, and investigate incidents from a centralized dashboard. This solution is especially valuable for SOC teams monitoring endpoints for large mobile workforces, offering data-driven insights to reduce blind spots and strengthen endpoint security without disrupting device performance. SAP S/4HANA Public Cloud – Microsoft Sentinel SAP S/4HANA Cloud, public edition integrates with Microsoft Sentinel Solution for SAP to deliver unified, real-time security monitoring for cloud ERP environments. This connector leverages Microsoft’s native SAP integration capabilities to stream SAP logs into Microsoft Sentinel, enabling SOC teams to correlate SAP-specific events with enterprise-wide telemetry for faster, more accurate threat detection and response. SAP Enterprise Threat Detection – Microsoft Sentinel SAP Enterprise Threat Detection integrates with Microsoft Sentinel Solution for SAP to deliver unified, real-time security monitoring across SAP landscapes and the broader enterprise. Normalized SAP logs, alerts, and investigation reports flow into Microsoft Sentinel, enabling SOC teams to correlate SAP-specific alerts with enterprise telemetry for faster, more accurate threat detection and response. SecurityBridge: SAP Data to Microsoft Sentinel SecurityBridge extends Microsoft Sentinel for SAP’s reach into SAP environments, offering real-time monitoring and threat detection across both cloud and on-premises SAP systems. By funneling normalized SAP security events into Microsoft Sentinel, this integration enables SOC teams to correlate SAP-specific risks with broader enterprise telemetry. With support for S/4HANA, SAP BTP, and NetWeaver-based applications, SecurityBridge simplifies SAP security auditing and provides prebuilt dashboards and templates to accelerate investigations. Tanium Microsoft Sentinel Connector Tanium’s integration with Microsoft Sentinel bridges real-time endpoint intelligence and SIEM analytics, offering a unified approach to threat detection and response. By streaming real-time telemetry and alerts into Microsoft Sentinel,Tanium enables security teams to monitor endpoint health, investigate incidents, and trigger automated remediation, all from a single console. The connector supports prebuilt workbooks and playbooks, helping organizations reduce dwell time and align IT and security operations around a shared source of truth. Team Cymru Pure Signal Scout for Microsoft Sentinel Team Cymru’s Pure Signal™ Scout integration with Microsoft Sentinel delivers high-fidelity threat intelligence drawn from global internet telemetry. By enriching Microsoft Sentinel alerts with real-time context on IPs, domains, and adversary infrastructure, Scout enables security teams to proactively monitor third-party compromise, track threat actor infrastructure, and reduce false positives. The integration supports external threat hunting and attribution, enabling analysts to discover command-and-control activity, signals of data exfiltration and compromise with greater precision. For organizations seeking to build preemptive defenses by elevating threat visibility beyond their borders, Scout offers a lens into the broader threat landscape at internet scale. Veeam App for Microsoft Sentinel The Veeam App for Microsoft Sentinel enhances data protection by streaming backup and recovery telemetry into your SIEM environment. The solution provides visibility into backup job status, anomalies, and potential ransomware indicators, enabling SOC teams to correlate these events with broader security signals. With support for custom queries and automated playbooks, this integration helps organizations accelerate investigations, trigger recovery workflows, and maintain resilience against data-centric threats. WithSecure Elements via Function for Microsoft Sentinel WithSecure’s Elements platform integrates with Microsoft Sentinel to provide centralized visibility into endpoint protection and detection events. By streaming incident and malware telemetry into Microsoft Sentinel, organizations can correlate endpoint data with broader security signals for faster, more informed responses. The solution supports a proactive approach to cybersecurity, combining predictive, preventive, and responsive capabilities, making it well-suited for teams seeking speed and flexibility without sacrificing depth. This integration helps reduce complexity while enhancing situational awareness across hybrid environments, and for companies to prevent or minimize any disruption. In addition to these solutions from our third-party partners, we are also excited to announce the following connectors published by the Microsoft Sentinel team, available now in Azure Marketplace and Microsoft Sentinel content hub. Alibaba Cloud Action Trail Logs AWS: Network Firewall AWS: Route 53 DNS AWS: Security Hub Findings AWS: Server Access Cisco Secure Endpoint GCP: Apigee GCP: CDN GCP: Cloud Monitor GCP: Cloud Run GCP: DNS GCP: Google Kubernetes Engine (GKE) GCP: NAT GCP: Resource Manager GCP: SQL GCP: VPC Flow GCP: IAM OneLogin IAM Oracle Cloud Infrastructure Palo Alto: Cortex Xpanse CCF Palo Alto: Prisma Cloud CWPP Ping One Qualys Vulnerability Management Salesforce Service Cloud Slack Audit Snowflake App Assure: The Microsoft Sentinel promise Every connector in the Microsoft Sentinel ecosystem is built to work out of the box, backed by the App Assure team and the Microsoft Sentinel promise. In the unlikely event that customers encounter any issues, App Assure stands ready to assist to ensure rapid resolution. With the new Microsoft Sentinel data lake features, we extend our promise for customers looking to bring their data to the lake. To request a new connector or features for an existing one, contact us via our intake form. Learn More Microsoft Sentinel data lake Microsoft Sentinel data lake: Unify signals, cut costs, and power agentic AI Introducing Microsoft Sentinel data lake What is Microsoft Sentinel data lake Unlocking Developer Innovation with Microsoft Sentinel data lake Microsoft Sentinel Codeless Connector Framework (CCF) Create a codeless connector for Microsoft Sentinel What’s New in Microsoft Sentinel Microsoft App Assure App Assure home page App Assure services App Assure blog App Assure’s promise: Migrate to Sentinel with confidence App Assure’s Sentinel promise now extends to Microsoft Sentinel data lake RSAC 2025 new Microsoft Sentinel connectors announcement Microsoft Security Microsoft’s Secure Future Initiative Microsoft Unified SecOpsMicrosoft Defender for Office 365: Fine-Tuning
In incident response, most business email compromise doesn’t start with “sophisticated zero-day malware.” It starts with configuration gaps: forwarding mail outside the tenant, users clicking through Safe Links warnings, impersonation policies left at day-one defaults, or post-delivery cleanup still relying on a human analyst at 2:00 AM. Those gaps are what attackers actually exploit. This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements: Core fine-tuning actions every email or security admin should land right now Data-driven bulk mail tuning (BCL and Bulk Mail Insights) Impersonation and anti-phishing policy hygiene for executive protection Automate post-delivery cleanup by enabling Automated Remediation Each section includes a short video and practical guidance you can apply immediately in Microsoft Defender for Office 365. These recommendations align with Microsoft’s “secure by default” direction: applying the Standard and Strict preset security policies to users, using Configuration analyzer to catch configuration drift, and enforcing least-privilege release of high-risk mail. When possible, enable the Preset security policies to give you Microsoft’s recommended settings for Safe Links, Safe Attachments, Anti-Phishing, and Anti-Spam. If you use custom policies (or if you exclude users from the Presets) then use Configuration analyzer regularly to compare custom policies to the Standard/Strict baselines, since those get updated as Microsoft updates the Preset policies. Core Fine-Tuning Checklist for Defender for Office 365 This section highlights six controls we recommend implementing broadly. These are “day one hardening” items we repeatedly validate with customers. Block automatic external forwarding by default Attackers often create hidden inbox rules that quietly forward mail (invoices, purchase orders, wire info) to an external account they control. Use outbound spam policies to block automatic external forwarding for the entire org and then create tightly scoped exceptions only for the handful of mailboxes that legitimately need it. This prevents data leakage and payment fraud scenarios where mail auto-forwards out of your tenant without anyone noticing. Although this setting is on by default (“System Controlled” means that external forwarding is disabled), we’ve found many tenants where this was disabled because the admin didn’t know how to create a custom policy for authorized forwarders. The trick is to order custom outbound policies to run as a higher priority than the default outbound policy which should be set to block auto-forwarded emails. It is a good idea to regularly review the auto forwarded message report (located in the Exchange Admin Center). Use Enhanced Filtering for Connectors (“skip listing”) when necessary If you’re routing inbound mail through a third-party Secure Email Gateway or an on-prem hop before Microsoft 365, Defender will see that intermediary as the source IP instead of the original sending IP, which degrades anti-spoofing effectiveness.Enhanced Filtering for Connectors — also called skip listing — lets Microsoft 365 look past that last hop and evaluate the real sending IP and headers, so SPF / DKIM / DMARC and anti-spam logic work correctly. This setting does not support centralized mail routing (unless the routing is linear; see the Enhanced Filtering for Connectors learn article), so make sure you are not using that before enabling Enhanced Filtering. Centralized routing is sometimes used by organizations running a hybrid Exchange deployment, connecting Exchange Online with an on-premises Exchange Server organization. Important: Do this instead of blanket SCL -1 transport rules that “bypass spam filtering for anything coming from our gateway.” Over-bypassing means phishing that slipped through the third-party filter can sail straight to user inboxes, which Microsoft specifically warns against. Turn on Safe Attachments protection beyond email (SharePoint, OneDrive, Teams) In the Safe Attachments “Global settings,” make sure Defender for Office 365 is set to protect files in SharePoint, OneDrive, and Microsoft Teams. When enabled, if a file is identified as malicious, Defender automatically locks the file in-place so users can’t open it in Teams or OneDrive. This gives you malware detonation and containment in collaboration channels, not just email. This step closes a gap we still see a lot: customers protect mail attachments well, but shared files and Teams chats are wide open. In the 1st part of this blog series, Microsoft MVP Purav Desai describes (here) how to prevent users from downloading malicious files by running a SharePoint PowerShell cmdlet: Set-SPOTenant -DisallowInfectedFileDownload $true Don’t let users click through Safe Links warnings Safe Links rewrites and time-of-click scans URLs in mail, Office apps, and Teams. In the Safe Links policy, clear “Let users click through to the original URL.” That prevents the classic “I know it says it’s malicious, but I really need to see it…” moment. Users get blocked instead of “warned but allowed.” This setting is also enforced in Microsoft’s Standard AND Strict preset security policies where click-through is explicitly disabled. Go beyond the default Common Attachment filter The anti-malware policy’s Common Attachment filter blocks known dangerous file extensions (executable content, scriptable content, etc.). Microsoft ships a default list (historically 50+ high-risk extensions), and you can customize it to block additional file types common in malware delivery, like HTML droppers or password-protected archives. Messages with those file types are treated as malware and quarantined. Do this centrally rather than relying on users to “spot a suspicious attachment.” Automation beats user judgment here. Use custom quarantine policies that require admin approval (instead of self-release) If you are not using the Preset Policies, you can create a quarantine policy to customize the user experience with quarantined messages. For anything phishing-related, I recommend creating a custom policy that allows the user to “request release from admin.” That means users can raise a hand if they think something should not have been quarantined, and an Incident is created for administrators to review before it is released. To me, this strikes the best balance between security and productivity. This keeps containment intact and gives the SOC final say. It also creates an auditable workflow: who asked for release, who approved it, and why. Bulk Mail Insights: Tune BCL using your tenant’s mail Bulk email (“graymail”) is noisy. Payroll alerts and benefits notifications are legitimate, but they look exactly like phishing. At the same time, true marketing email (graymail) are also bulk. The traditional response (“just whitelist the sender so users stop complaining”) often opens the door for attacker-looking mail to get delivered straight to executives. Defender for Office 365 gives you something better: Bulk Mail Insights (a.k.a. Bulk senders insight). This report shows, over the last 60 days, how much mail at each Bulk Complaint Level (BCL 1–9) was delivered vs. blocked, which senders are generating volume, and where users are likely to experience false positives or false negatives. You can interactively simulate raising or lowering the bulk threshold and immediately see, “If we tighten BCL, how many more messages get quarantined? How many of those were probably junk? How many were probably wanted?” Why this matters: You stop tuning bulk mail based on anecdotes and start tuning based on real telemetry from your own tenant. You can justify decisions to leadership and audit (“We set BCL at X because here is the simulation showing false positive/false negative impact”). You avoid blanket allow rules. Instead, you adjust bulk thresholds for legitimate high-volume senders while keeping stricter actions for everyone else. Note: You can modify the BCL threshold in your default or custom anti-spam policy, but you can’t change it inside the Standard (BCL:6) or Strict (BCL:5) preset security policies themselves. Standard and Strict are already aligned to Microsoft’s recommended baselines. Additional Links: https://security.microsoft.com/senderinsights https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-senders-insight https://learn.microsoft.com/en-us/defender-office-365/mdo-deployment-guide#step-2-configure-threat-policies https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies#policy-settings-in-preset-security-policies https://learn.microsoft.com/en-us/defender-office-365/recommended-settings-for-eop-and-office365 https://www.microsoft.com/en-us/security/blog/2025/07/17/transparency-on-microsoft-defender-for-office-365-email-security-effectiveness/ Anti-Phishing / Impersonation Tuning: Protect the people attackers actually spoof Business email compromise very often looks like this: “Hi, can you handle this payment today?” sent from an address that looks like your CFO or CEO. Microsoft Defender for Office 365 includes targeted impersonation protection, but it only really works if you target your most targeted executives. Here are five pitfalls we see over and over: Empty or stale VIP list Populate “users to protect / high value targets” with executives, finance approvers, legal, anyone authorized to move money or data. Review it monthly. Roles change, and you only get a finite number of protected users (for example, ~350 entries). An out-of-date list silently weakens protection for the people attackers actually impersonate. Phishing email threshold stuck at 1 forever We find organizations that are not using the preset policies have left their phishing threshold values at the default “1” because of initial false positives. We recommend raising it to match the Standard Preset (“3”) or Strict (“4”). Weak action If suspicious “CFO” mail just goes to Junk, users can still act on it. High-confidence impersonation of executives should be quarantined with AdminOnly or request-release workflows, not left in end-user control. Tie this back to the custom quarantine policies (discussed later in this article). Common-name overload If your CEO’s name is something extremely common, you’ll get noise. Expect it. Don’t “turn off” protection for that name — add that address to the Trusted Senders otherwise it will be blocked as an impersonation attempt. Use Trusted Senders / Trusted Domains for known-good partners and vendors so you keep protection high without drowning in alerts. Add only legitimate senders/domains to the Trusted Senders or Trusted Domains instead of lowering enforcement. No scheduled review This control can’t be “set and forget.” Put impersonation tuning and spoof intelligence review on a monthly checklist. That lets you catch new vendors pretending to be finance, new “urgent wire” lure patterns, and any drift from Standard / Strict baseline that Configuration analyzer will also call out. When done right, impersonation protection is not just “spam reduction.” It’s payment fraud prevention. Automated Investigation & Response (AIR): Let Defender remove malicious email before your SOC has to! One of the biggest wins you can land quickly is letting Microsoft Defender for Office 365 automatically remove clusters of malicious messages — without waiting for analyst approval on every single item. Here’s how it works. Defender’s Automated Investigation and Response (AIR) groups messages into “clusters” based on shared indicators like the same malicious URL or malicious file hash. If you opt in to automatic remediation for those cluster types, AIR will go find every matching copy of that threat across the tenant and soft-delete those messages, not just the one that triggered the alert. Why this matters: It turns post-delivery cleanup into something that happens immediately instead of “after Tier 1 has time to review.” It removes known-bad messages from user mailboxes (and related collaboration surfaces like Teams) before a target can click. It dramatically cuts the classic “Did anyone else get this?” manual hunt-and-purge work that burns out SOC analysts. When you configure AIR automation settings in the Microsoft Defender portal (Settings > Email & collaboration > MDO automation settings), you’ll see checkboxes for “Similar files” and “Similar URLs.” Selecting those opts you into automatic soft delete for those clusters. Today, soft delete is the default supported action for these automatic remediations, enabling administrators to undo a deletion, if necessary. This is Defender for Office 365 Plan 2 / Microsoft 365 E5 functionality, and it’s exactly the kind of “secure operations by default” Microsoft has been pushing: detect, contain, and clean up automatically, then let humans investigate with context instead of manually chasing every copy of a phish. This automation triggers when malicious clusters are detected. For automating the classification and triage of user-submitted phishing incidents, check out the Security Copilot Phishing Triage Agent (Preview). Additional Links: GA Announcement: https://techcommunity.microsoft.com/blog/-/auto-remediation-of-malicious-messages-in-automated/4418047 Docs: https://learn.microsoft.com/en-us/defender-office-365/air-auto-remediation Final Thoughts Defender for Office 365 is more than “email filtering.” It’s part of your security operations surface. The decisions you make about automated remediation (AIR), bulk mail thresholds, Safe Links/Attachment behavior, outbound forwarding, connector hygiene, quarantine policy, and impersonation tuning directly determine how easy — or how hard — it is for an attacker to penetrate your organization. Microsoft’s current guidance is clear: Apply Standard or Strict preset security policies so users get the recommended protections by default (for example, Safe Links with no click-through). If you must use a custom policy, review the recommendations from the Configuration analyzer monthly for new recommendations, or to catch and correct drift whenever someone weakens a control. Align internal procedures with the excellent Security Operations Guide for Defender for Office 365. Lock down quarantine so only admins can release high-risk messages, with an auditable “request release” path for users. Turn on automated remediation so Defender can remove malicious clusters of messages before anyone clicks. Organizations that land these basics are in a dramatically better position during an incident. Instead of “Who clicked the link?” you can say, “AIR already pulled it, users were blocked from clicking through, outbound forwarding is disabled, and impersonation of the CFO is quarantined for admin review.” That’s what “secure by default” actually looks like in production. ________ This blog was authored by Joe Stocker, Microsoft Security MVP and Founder of Patriot Consulting Technology Group, in partnership with the Microsoft Defender for Office 365 product team, including Paul Newell, Senior Product Manager, Microsoft Defender for Office 365. Joe Stocker Microsoft Security MVP Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs). Now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real-world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series: Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri (This post) "Microsoft Defender for Office 365: Fine-Tuning" by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedIn
You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365
Introduction As a Microsoft MVP (Most Valuable Professional) specializing in SIEM, XDR, and Cloud Security, I have witnessed the rapid evolution of cybersecurity technologies, especially those designed to protect organizations from sophisticated threats targeting email and collaboration tools. Microsoft Defender for Office 365 introduced an LLM-based engine to help better classify phishing emails that, these days, are mostly written using AI anyways about a year ago. Today, I'm excited to spotlight a new place AI has been inserted into a workflow to make it better…a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365. Understanding the Challenge While the automated and human-driven analyses are robust in Defender for Office 365, there are occasions where the response—be it a verdict of "benign" or "malicious"— doesn’t fully align with the security team's context or threat intelligence. If you are a Microsoft 365 organization with Exchange Online mailboxes, you’re probably familiar with how admins can use the Submissions page in the Microsoft Defender portal to submit messages, URLs, and attachments to Microsoft for analysis. As a recent enhancement, now all the admin submissions use LLM based response for better explainability. In the past, disputing such verdicts required separate support channels, using Community support, or manual email processes, often delaying resolution and impacting the speed of cyber operations. Introducing the Dispute Submission Response Feature With the new dispute submission response feature, Microsoft Defender for Office 365 bridges a critical gap in the incident response workflow. Now, when a security analyst or administrator receives a verdict on a submitted item, they have the option to dispute the response directly within the Microsoft 365 Defender portal. This feature streamlines feedback, allowing teams to quickly flag disagreements and provide additional context for review at the speed of operations. How It Works Upon submission of a suspicious item, Microsoft Defender for Office 365 provides a response indicating its assessment—malicious, benign, or other categorizations. If the security team disagrees with the verdict, they can select the "Dispute" option and submit their rationale, including supporting evidence and threat intelligence. The disputed case is escalated directly to Microsoft’s threat research team for further review, and the team is notified of progress and outcomes. This direct feedback loop not only empowers security teams to advocate for their organization's unique context, but also enables Microsoft to continually refine detection algorithms and verdict accuracy based on real-world input, because security is a team sport. Benefits for Security Operations Faster Resolution: Streamlined dispute submission eliminates the need for external support tickets and escalations, reducing turnaround time for critical cases. Greater Transparency: The feature fosters a collaborative relationship between customers and Microsoft, ensuring that verdicts are not final judgments but points in an ongoing dialogue. Continuous Improvement: Feedback from disputes enhances Microsoft’s threat intelligence and improves detection for all Defender for Office 365 users. Empowerment: Security teams gain a stronger voice in the protection of their environment, reinforcing trust in automated defenses. MVP Insights: Real-World Impact Having worked with global enterprises, I’ve seen how nuanced and context-specific threats can be. Sometimes, what appears benign to one organization may be a targeted attack for another, a slight modification to a URL may catch one email, but not others, as slight changes are made as billions of emails are sent. We are only as good as the consortium. The ability to dispute submission responses creates a vital safety net, ensuring that security teams are not forced to accept verdicts that could expose them to risk. It’s a welcome step toward adaptive, user-driven security operations. Conclusion The dispute submission response feature in Microsoft Defender for Office 365 is one of the most exciting features for me, because it focuses on enabling organizations striving for agility and accuracy in threat management. By enabling direct, contextual feedback, Microsoft empowers security teams to play an active role in shaping their defenses. As an MVP, I encourage all users to leverage this feature, provide detailed feedback, and help drive the future of secure collaboration in the cloud. You may be right after all. _________ This blog has been generously and expertly authored by Microsoft Security MVP, Mona Ghadiri with support of the Microsoft Defender for Office 365 product team. Mona Ghadiri Microsoft Security MVP Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs). Now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real-world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series: 1. Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai 2. Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor 3. (This blog post) You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri 4. Microsoft Defender for Office 365: Fine-Tuning | Real-world Defender for Office 365 tuning that closes real attack paths by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedInSafeguarding Microsoft Teams with Microsoft Defender for Office 365
As organizations rely more on Microsoft Teams for daily collaboration, securing this platform has become a top priority. Threat actors are increasingly targeting Teams chats and channels with phishing links and malicious files, making it critical for IT admins and security professionals to extend protection beyond email. Enter Microsoft Defender for Office 365, now armed with dedicated Teams protection capabilities. Microsoft Defender for Office 365 enables users to report suspicious messages, brings time-of-click scanning of URLs and files into Teams conversations, and provides rich alerts and hunting insights for SecOps teams. As a collaborative piece between Pierre Thoor, a Microsoft Security Most Valuable Professional (MVP), and the Defender for Office 365 Product Engineering Team, the below guides with accompanying videos emphasize a proactive, user-driven approach to threat detection and response, turning everyday Teams interactions into actionable security signals for SecOps. See something, say something: Reporting suspicious messages in Microsoft Teams Your fastest sensor isn’t AI – it’s your people. Report this message in Microsoft Teams lets anyone flag a suspicious conversation in two clicks and routes a triageable submission to your security team in the Microsoft Defender portal. Why this matters: Speed to signal: Catch threats at the conversation layer, not just in email. Complete context: Original message, participants, URLs, and verdicts in one place. Habit-forming: A simple, repeatable action employees remember under pressure. How to report (desktop, web, and mobile) In Desktop/Web Hover the message → … More options → Report this message Select Security concern → (optional) add a short note → Report In Mobile (iOS/Android) app Long-press the message → Report message Select Security concern → (optional) add a short note → Report *Tip: Short notes like “Unexpected MFA reset link” help analysts triage faster. Where reports go (for security teams) In the Microsoft Defender portal, navigate to: Investigation & response → Actions and submissions → Submissions → User reported. Open an item to view the Teams message entity (sender/domain, Teams message ID, extracted URLs, verdict) and take action – mark as phish/clean, pivot to Explorer or Advanced Hunting, or copy indicators. Quick setup check Defender portal → Settings → Email & collaboration → User reported settings: enable Monitor reported messages in Microsoft Teams. Licensing: Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 E5). What good looks like (mini playbook) User reports the message. Security triages the submission and captures the URL/domain and other indicators. Block or allow as appropriate via the Tenant Allow/Block List (TABL). Hunt for related activity or clicks (see Video 3). Close the loop: thank the reporter and share the outcome to reinforce the behavior. Common gotchas Reporting is disabled in the Teams messaging policy – verify before rollout. Some users assume “Report” notifies the sender – clarify that it routes to the Security team, not the sender. Call to action: Enable reporting for your users and add this line to your awareness site: “If it feels phishy, report – don’t click.” Think before you click - Safe Links catches threats at click-time Links can change after delivery. Safe Links waits until click-time, evaluates the destination, and shows an in-app warning page in Teams. Pair it with the Tenant Allow/Block List (TABL) to tune quickly across the tenant. Why this matters Prevents delayed redirects: Avoids “clean-at-send” methods. Consistent protection in Teams: Familiar warning UX reduces risky clicks. Rapid tuning: Block newly observed domains in seconds; no advanced transport rules required. What you’ll see in the video Policy check (Teams in scope) Defender portal → Email & collaboration → Policies & rules → Threat policies → Safe Links → ensure Apply Safe Links to Microsoft Teams is enabled for target users or groups OR that you use Standard/Strict Preset Policy. Warning page at click-time Post a benign test URL in Teams and click it to show the Safe Links warning experience. Block it as you spot it (Allow/Block) Defender portal → Threat policies → Tenant Allow/Block List → URLs → Add (domain or URL). Re-click in Teams – now blocked at click-time. Optional telemetry (Advanced Hunting) Confirm outcomes and adoption: UrlClickEvents | where Timestamp > ago(24h) and Workload == "Teams" | summarize Clicks=count(), Users=dcount(AccountUpn) by ActionType | order by Clicks desc Deployment tips Start with a pilot group that includes IT + power users; expand after validation. Create a review cadence for TABL (e.g., monthly) and expire temporary blocks. Troubleshooting No warning page? Verify policy scope includes the user and the Teams workload. Block not taking effect? Give TABL a short sync window, then re-test; confirm you blocked the correct domain/URL pattern. “Hunt the chat”: Advanced hunting for Teams threats Overview With Advanced Hunting you can quickly reconstruct activity in Microsoft Teams – who sent the message, who clicked the link, and what protections kicked in. This section shows how the four Teams-relevant tables work together, so you can move from signal to action quickly. New: message warnings for malicious URLs (internal and external) Teams now shows a warning banner on messages that contain URLs flagged as spam, phishing, or malware. Warnings appear in internal and external chats/channels, and can be added after delivery (up to ~48 hours) if a URL’s reputation changes. This complements Safe Links (time-of-click) and doesn’t replace ZAP; when ZAP removes a message, that action takes precedence. Public preview began September 2025; GA November 2025, enabled by default at GA and manageable in Teams admin center → Messaging settings. See Message Center: https://admin.cloud.microsoft/?#/MessageCenter/:/messages/MC1150984 The four tables you’ll use MessageEvents – delivery context (sender, thread, internal vs. external). MessagePostDeliveryEvents – post-delivery actions, including Phish ZAP and Malware ZAP. MessageUrlInfo – URLs extracted from Teams messages. UrlClickEvents – time-of-click outcomes for links, including those clicked in Teams. What you’ll learn in the video Surface active external domains in your tenant’s Teams chats. Identify who clicked risky links and the click outcomes (via Safe Links telemetry). See where message warnings appear in the chat UI. Pivot to an incident and block indicators fast via the Tenant Allow/Block List (TABL). A couple hunts to try right now 1) Malicious verdicts in Teams (last 24 hours) Find messages that already carry a Spam/Phish/Malware verdict – your fastest triage queue. MessageEvents | where Timestamp > ago(1d) | where ThreatTypes has "Phish" or ThreatTypes has "Malware" or ThreatTypes has "Spam" | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId Use it for: a quick sweep + pivot to incident/entities, then TABL block if needed. 2) “IT helpdesk” imposters in external DMs (last 5 days) Surface social-engineering lures that impersonate support. MessageEvents | where Timestamp > ago(5d) | where IsExternalThread == true | where (RecipientDetails has "help" and RecipientDetails has "desk") or (RecipientDetails has "it" and RecipientDetails has "support") or (RecipientDetails has "working" and RecipientDetails has "home") or (SenderDisplayName has "help" and SenderDisplayName has "desk") or (SenderDisplayName has "it" and SenderDisplayName has "support") or (SenderDisplayName has "working" and SenderDisplayName has "home") | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, ReportId Use it for: first-contact scams (external tenant posing as IT). Pair with Safe Links telemetry to see who clicked. Tip: has is token-aware and generally faster/cleaner than contains for word matches. Keep both hunts detection-ready by ensuring the final projection includes Timestamp and ReportId. 3) BONUS! External DMs with links (last 7 days) MessageEvents | where Timestamp > ago(7d) and IsExternalThread == true | join kind=inner (MessageUrlInfo) on TeamsMessageId | summarize Links=dcount(Url), Senders=dcount(SenderEmailAddress) by UrlDomain | top 10 by Links desc 4) Who clicked (Teams workload) – exposure view: UrlClickEvents | where Timestamp > ago(7d) and Workload == "Teams" | project Timestamp, AccountUpn, Url, ActionType | order by Timestamp desc “From Hunt to Action”: Respond & contain Finding a risky link in Teams is only half the job. This walkthrough shows how to go from detection to containment – block the domain, clean up delivered messages, and cut attacker access. Why this matters Speed: Shrink time from “we saw it” to “it’s blocked”. Consistency: Turns ad-hoc hunting into a repeatable response flow. Coverage: Pair URL blocking with identity and device containment. What you’ll see in the video Turn a hunt into an alert In Advanced Hunting, run a short query (below) and choose Create detection rule to schedule it. Alerts auto-create incidents you can triage. Block at click-time (Safe Links + TABL) In the incident, open the URL entity and add the URL/domain to the Tenant Allow/Block List (TABL) so future Teams clicks are blocked by Safe Links. Post-delivery cleanup (ZAP) If a malicious message slipped through, ZAP can remove or mark it after delivery. You’ll see evidence on the incident timeline. Contain accounts and devices Revoke user sessions in Entra ID to invalidate active tokens. Reset the password (and require strong, unique credentials), then enforce MFA for the account. Review MFA methods and remove anything suspicious; review app consents and revoke illicit grants. If endpoints are onboarded, isolate the device in Microsoft Defender for Endpoint to stop outbound connections while you investigate. The Microsoft Learn guide, https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account, for compromised accounts recommends session revocation, password reset, MFA enforcement, reviewing OAuth app consents and admin roles, and checking mail forwarding/rules – steps that complement the Teams response you see here. The hunt This KQL surfaces rare external domains in Teams and any user clicks. let lookback = 1d; // External Teams messages let externalMsgs = MessageEvents | where Timestamp > ago(lookback) and IsExternalThread == true | project MsgTime = Timestamp, TeamsMessageId, SenderEmailAddress, ME_ReportId = ReportId; // URLs found in Teams messages let urlsInMsgs = MessageUrlInfo | where Timestamp > ago(lookback) | project MUI_Time = Timestamp, TeamsMessageId, Url, UrlDomain, MUI_ReportId = ReportId; // Clicks coming from Teams let clicks = UrlClickEvents | where Timestamp > ago(lookback) and Workload == "Teams" | project ClickTime = Timestamp, Url, Clicker = AccountUpn, ClickAction = ActionType, UCE_ReportId = ReportId; // Define “rare” domains in the period let rareDomains = urlsInMsgs | summarize msgCount = dcount(TeamsMessageId) by UrlDomain | where msgCount < 3; rareDomains | join kind=inner (urlsInMsgs) on UrlDomain | join kind=leftouter (externalMsgs) on TeamsMessageId | join kind=leftouter (clicks) on Url | project Timestamp = coalesce(ClickTime, MUI_Time, MsgTime), UrlDomain, Url, SenderEmailAddress, Clicker, ClickTime, ClickAction, TeamsMessageId, ReportId = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId) After verifying results, select Create detection rule, set a schedule (e.g., hourly), and map entities so incidents include the right artifacts. What good looks like (response playbook) Alert fires → open incident; confirm scope and entities. Block URL/domain via TABL to stop future clicks. Confirm ZAP removed or marked delivered messages. Revoke sessions and reset password; enforce MFA. Review MFA methods and remove unknown devices/methods. Audit app consents (revoke illicit grants) and verify the user holds no unexpected admin roles. If email abuse is suspected, check for forwarding or malicious Inbox rules. Isolate device if execution is suspected; collect artifacts and un-isolate after remediation. FAQs Does the block remove the message? No – TABL blocks at click-time. Post-delivery removal is handled by ZAP when detections apply. Will revoking sessions disrupt users? It forces sign-in again (expected). Communicate this in your response template. What if the attacker used consent phishing? Revoke the offending enterprise app consent and review publisher verification status. Call to action: Save the query, create the detection, and attach this playbook to your incident template. The goal every time: find → block → clean up → contain Securing Microsoft Teams is most effective when technology and people work together. By enabling user reporting, leveraging real-time protections, and empowering security teams to act quickly, organizations can turn everyday collaboration into a strong defense against threats. ## Please take two minutes to take this survey to let us know what you think of this blog (series), video, and community content. Questions or comments on this blog "Microsoft Defender for Office 365 – A Four-Part Guide to Secure Collaboration" for the author or other readers? Please log in and post your response below! _____________ This blog has been generously and expertly authored by Microsoft Security MVP, Pierre Thoor with support of the Microsoft Defender for Office 365 product team. Pierre Thoor Microsoft Security MVP | Microsoft Defender for Office 365 Champ Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs), now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP-Authored Blogs in this Four- Part Series: Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai (This post) Safeguarding Microsoft Teams with Microsoft Defender for Office 365 You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri Microsoft Defender for Office 365: Fine-Tuning by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedIn
