SOC can see Microsoft analysis for third-party add-in user reports
We are pleased to announce that if you are using a third-party report message solution in Microsoft Outlook, such as KnowBe4, Hoxhunt, or Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis.

Prerequisite: the third-party user report tool is already set up in Outlook for your end users, and that tool forwards each user report to an Exchange Online mailbox within your organization. We do not recommend using an Exchange transport rule for this routing.

To enable this setting:

1. In the Microsoft Defender portal, go to User reported settings.
2. Select Monitor reported messages in Outlook, and then select Use a non-Microsoft add-in button.
3. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox to which the third-party add-in routes user-reported messages.

If the third-party vendor follows the guidance for the message submission format, Defender for Office 365 submits these messages to Microsoft for analysis automatically. The analysis results from Microsoft are displayed on the User reported page in the Defender portal.

Alerts are generated automatically for user-reported messages in Defender for Office 365. If you have Defender for Office 365 Plan 2, Automated investigation and response (AIR) is also triggered automatically for user-reported phishing messages. These alerts and their investigations are linked to Defender incidents, which helps security teams automate triage, investigation, and response. Submitting these messages to Microsoft returns the analysis verdict to your security analysts and helps improve the Defender for Office 365 filters.
To learn more, check out these articles: Report suspicious email messages to Microsoft; Automatic user notifications for user reported phishing results in AIR.

Share Your Feedback! We are eager for you to experience Microsoft feedback, triage, investigation, and analysis for user reports while keeping the advantages of third-party report add-ins. Share your thoughts with us by commenting below.

Auto-Remediation of Malicious Messages in Automated Investigation and Response (AIR) is GA
We are excited to announce the GA release of auto-remediation of malicious messages through automated investigation and response (AIR), expanding this powerful tool and delivering full end-to-end automation of key SOC scenarios. AIR triages, investigates, remediates, and responds to high-impact, high-volume security alerts, providing tenant-level analysis to increase customer protection and optimize SOC teams. With this enhancement, customers can configure AIR to automatically execute remediations for messages within malicious entity clusters, saving SOC teams time and expediting remediation by removing the need for SOC teams to approve these actions.

In the key user submission scenario, in addition to AIR completing triage, investigation, remediation identification, and end-user feedback responses, customers may now configure AIR to go a step further and automatically execute the identified remediations.

Auto-Remediation Action

When AIR recognizes a malicious file or URL, it creates a cluster around that file or URL, grouping all messages that contain it into the cluster. The automated investigation then checks the location of the messages within the cluster and, if it finds messages in users' mailboxes, AIR produces a remediation action. With the auto-remediation enhancement, if the customer has configured that cluster type to auto-remediate, the action is executed without SecOps approval, removing identified threats at machine speed. Auto-remediated clusters appear in the Action center history with "Decided by" showing Automation.

Configuration

Auto-remediation is controlled by a configuration within Settings > Email & collaboration > MDO automation settings.
Within the Message clusters section, organizations may specify which types of message clusters they would like to be auto-remediated:

Similar files: When the automated investigation recognizes a malicious file, it creates a cluster around that file, grouping all messages that contain the file. Selecting this checkbox opts the organization into auto-remediation for malicious file clusters.

Similar URLs: When the automated investigation recognizes a malicious URL, it creates a cluster around that URL, grouping all messages that contain the URL. Selecting this checkbox opts the organization into auto-remediation for malicious URL clusters.

The next configuration is the remediation action. It is fixed to Soft delete, because soft delete is currently the only action supported through AIR. (The auto-remediation of malicious entity clusters configuration is found under Settings > Email & collaboration > MDO automation settings.)

Note: Auto-remediation is not on by default. Customers interested in it must turn it on through the MDO automation settings page.

Auto-Remediation Action Logging

The Defender portal provides several ways for customers to review remediation actions and stay aware of what was executed: within the investigation, in the Action center, on the email entity page, and in Threat Explorer and Advanced Hunting. Should customers disagree with an executed action, the messages can be moved back to mailboxes, depending on configuration and timing. In Threat Explorer, auto-remediated messages show Automated Remediation under Additional actions. In Advanced Hunting, they appear with ActionType "Automated Remediation" and ActionTrigger "Automation".

Learn More

Register for the deep dive webinar on Microsoft Defender for Office 365 automated investigation and response (AIR) on June 25, 2025, at 8:00am PDT / 3:00pm UTC.
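As an added example (not part of the original post), the following advanced hunting query audits what AIR auto-remediated over the past week. It joins the post-delivery action record to the original message metadata so an analyst can see which senders and subjects were affected, how many recipients each one touched, and whether any remediation did not succeed. It assumes the Defender XDR tables EmailPostDeliveryEvents and EmailEvents; the ActionType and ActionTrigger values are the ones quoted in the logging section above and should be confirmed against your tenant's data (for example with `EmailPostDeliveryEvents | distinct ActionType, ActionTrigger`) before the query is saved as a scheduled check.

```kusto
// Added example, not from the original post.
// Audit of AIR auto-remediation: what was removed, from whom, and did it succeed.
// Assumed: EmailPostDeliveryEvents and EmailEvents (Defender XDR advanced hunting schema);
// the ActionType / ActionTrigger strings are the ones the post describes.
let lookback = 7d;
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
| where ActionType =~ "Automated Remediation" and ActionTrigger =~ "Automation"
// Keep the delivery context of the message that was acted on. The original
// delivery may predate the remediation, so look slightly further back.
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback + 1d)
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              SenderFromDomain, Subject, ThreatTypes, AttachmentCount, UrlCount
  ) on NetworkMessageId, RecipientEmailAddress
| summarize
    Recipients      = dcount(RecipientEmailAddress),
    Succeeded       = countif(ActionResult =~ "Success"),
    NotSucceeded    = countif(ActionResult !~ "Success"),   // pending / failed: follow up in the Action center
    FirstRemediated = min(Timestamp),
    LastRemediated  = max(Timestamp),
    SampleSubjects  = make_set(Subject, 5),
    SampleMessages  = make_set(NetworkMessageId, 5)        // ids to use if a message must be moved back
  by SenderFromAddress, SenderFromDomain, Action, ThreatTypes
| order by Recipients desc, LastRemediated desc
```

The grouping by sender and threat type mirrors the cluster AIR built, so a single row with an unexpectedly high recipient count is the first thing to review when deciding whether an auto-remediation was a false positive.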
Learn more about the feature enhancements, as well as how AIR can help optimize SOC teams and accelerate threat response.

To learn more about auto-remediation in AIR, see Automated remediation in AIR - Microsoft Defender for Office 365 | Microsoft Learn. To learn more about investigations in MDO, see: Automated investigation and response in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn; View the results of an automated investigation in Microsoft 365 - Office 365 | Microsoft Learn; How automated investigation and response works in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn; Automatic user notifications for user reported phishing results in AIR - Microsoft Defender for Office 365 | Microsoft Learn.

General Availability for Collaboration Security for Microsoft Teams
The rapid digital transformation of workplaces worldwide has not only expanded collaboration opportunities but has also introduced new attack surfaces that cybercriminals are eager to exploit. Microsoft Teams, with over 320 million users, has emerged as a cornerstone of enterprise productivity. However, this increased adoption has also made it an appealing target. Adversaries have started exploiting Microsoft Teams for sophisticated attacks, including impersonation and delivery of malicious payloads; our research teams have observed the threat actors Storm-1811 and Storm-1674 orchestrating campaigns on Microsoft Teams.

That's why today we're excited to announce the General Availability of collaboration security for Microsoft Teams. This enhancement in Microsoft Defender for Office 365 helps protect Teams users against phishing, malware, and advanced attacks through a robust set of protection capabilities and security workflows. Some of these features have been in public preview, and we are now introducing new capabilities so that users can fully leverage them.

Collaboration security for Microsoft Teams addresses the rise of sophisticated attacks targeting Teams with end-to-end features including:

- Improved Teams security posture with increased control over how external organizations communicate with employees
- Better in-line client protection for end users from malicious links or attachments
- Easy reporting of suspicious messages to admins and Microsoft
- Threat hunting and response capabilities

Improved Teams security posture with increased control over how external organizations communicate with employees

Teams provides a wide range of federation controls that let organizations determine how they collaborate, and the upcoming granular federation policies give security teams even more control: they can dictate which tenants, domains, and users can communicate with their organization.
There are also granular controls over how admins allow their organizations to communicate with trial tenants, and added protection with new OTP authentication options for securing meetings. Security admins can also bolster their organization's security posture with the Teams recommended actions in Exposure Management, which help assess the current security posture, identify potential improvements, and take actions to enhance overall security.

Better in-line client protection for end users from malicious links or attachments

Defender for Office 365 uses advanced threat intelligence and machine learning to detect and block malicious content in Microsoft Teams. It continuously monitors and scans URLs and files shared within Teams chats, protecting end users from malicious links directly in-line in the Teams client and at time of click, where they collaborate. Phishing attacks often rely on deceptively benign links that lure users into divulging sensitive information. By intercepting these threats before they reach users, inline protection in the Teams client reduces the risk of data breaches and prevents the disruption that leads to costly downtime.

When an employee receives a link in a Microsoft Teams conversation, inline protection evaluates it immediately. If the link is determined to be malicious, it is removed, neutralizing the phishing attempt while the end-user experience continues uninterrupted. This is a more proactive approach than solutions that merely display in-line tips instead of taking immediate action. Suspicious files and URLs are automatically executed in a secure, isolated environment (a sandbox) to determine whether they exhibit malicious behavior. This process, known as real-time detonation, identifies and neutralizes harmful content before end users can access it.
In addition, we apply time-of-click protection for every URL, evaluating links when end users click them, which adds another layer of protection across Microsoft Teams clients on the web, desktop, and mobile. For security teams, any clicks on URLs in Microsoft Teams are available for investigation, hunting, and response via our hunting tools and APIs (such as Threat Explorer and Advanced Hunting).

Beyond links, attachments are prime vectors for malware and ransomware. Detonating these files in real time prevents harmful content from entering your production environment. For security teams, this means fewer incidents to manage, reduced remediation times, and better business continuity. For example, if a file shared in a Teams chat is flagged as potentially dangerous, it is safely isolated so that your organization and users remain protected. Our integrated quarantine management experience lets security teams efficiently triage and investigate flagged Teams messages, with the ability to review message details and preview message content. This balance between seamless collaboration and robust security, supported by inline URL protection and integrated quarantine management, keeps communication flowing while keeping threats at bay.

Easy reporting of suspicious messages to admins and Microsoft

Organizations today build employee resilience through security awareness and education, and a key component of these programs is helping people identify and report suspicious events. When employees see suspicious messages in Microsoft Teams, including those from external users, they can now help secure the organization by easily reporting them to their security teams and to Microsoft, thanks to seamless integration with the broader Microsoft XDR portfolio.
Security teams control where submissions are sent, including sending them to Microsoft for learning and feedback, with similar workflows and configurations across Teams and email. This reporting mechanism not only bolsters your organization's defenses but also drives a security-first culture that detects and responds to potential threats faster. External reporting will be broadly available following Secure 2025; see the documentation section for details.

Threat hunting and response capabilities across Teams messages

At the end of May 2024, Microsoft observed Storm-1811 conducting multimodal social engineering attacks that leveraged Microsoft Teams alongside email-based threats. Attackers used tactics such as "email bombing" and fraudulent tenants, followed by Teams messages impersonating help desk personnel with deceptive display names like "Help Desk", "Help Desk IT", "Help Desk Support", and "IT Support". Microsoft swiftly disrupted these attacks, in part thanks to full integration with XDR capabilities, which suspended the identified malicious accounts and fraudulent tenants. Additionally, our purpose-built, research-driven threat detection continues to proactively identify and mitigate emerging threats by analyzing anomalous user agents and usernames, recognizing suspicious file-hosting URLs, and detecting irregular activities, especially those involving external users.

Microsoft Threat Intelligence supports security teams by surfacing correlated alerts and recommended mitigation strategies within our unified SOC platform, including alerts about:

- Use of automation tools in phishing attacks
- Messages originating from suspicious tenants
- Interactions with potentially compromised users
- Interactions with potentially malicious external users

SOC investigation with Advanced Hunting

While automated capabilities and features are effective, advanced hunting is just as important for keeping organizations secure.
By providing deep visibility into granular security data, advanced hunting enables security teams to identify subtle patterns and anomalies and intervene before threats develop into full-blown security incidents. To further enhance this capability, we are extending the rich, contextual threat hunting that Microsoft Defender for Office 365 provides with three dedicated advanced hunting tables: MessageEvents, MessageUrlInfo, and MessagePostDeliveryEvents. Security teams can now gain comprehensive insight into Teams messages containing URLs. With detailed, real-time data at their fingertips, security teams can swiftly follow up on potential threats, and can correlate threats across Teams and email messages to address cross-modal attacks. Broadly available following Secure 2025; see the documentation section for details.

Stay secure while collaborating with confidence

The new capabilities for Microsoft Teams help ensure your organization can approach collaboration security comprehensively, by combining advanced threat detection, improved end-user experience, and tools for more efficient SecOps management. By extending the power of Defender for Office 365 beyond email to include Teams, organizations can build a more resilient security strategy that safeguards all communication channels, while also improving operational efficiency through simplified security administration and XDR. With automated threat remediation, precise policy enforcement, and real-time user alerts, organizations can mitigate risks without affecting productivity. Furthermore, by embedding security directly into collaboration workflows, organizations can empower their teams to work confidently, focus on what's most impactful, and maintain productivity in a secure digital environment.
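As an added example (not from the original post), the following query implements the help-desk impersonation hunt described in the Storm-1811 section above across the new MessageEvents and MessageUrlInfo tables, then pivots to EmailUrlInfo to check whether the same URL domains also arrived by email, which is the cross-modal correlation the section describes. The column names used (TeamsMessageId, IsExternalThread, SenderDisplayName, SenderEmailAddress, RecipientDetails, ThreadType, Url, UrlDomain) are taken from the public advanced hunting schema reference as I understand it and are an assumption to verify against the Schema tab in the Advanced hunting pane, since these tables are new; the display-name list is an assumed starting point drawn from the names the section quotes.

```kusto
// Added example, not from the original post.
// Hunt: external Teams senders posing as the help desk, the URLs they sent,
// and whether those URL domains also showed up in email (cross-modal pivot).
// Assumed tables/columns: MessageEvents, MessageUrlInfo, EmailUrlInfo as in the
// public advanced hunting schema; verify against the Schema tab before use.
let lookback = 14d;
// Assumed starting list; extend with the names your own help desk does NOT use.
let helpdesk_names = dynamic(["help desk", "helpdesk", "it support", "service desk"]);
let suspicious_teams =
    MessageEvents
    | where Timestamp > ago(lookback)
    | where IsExternalThread == true                     // sender is outside the tenant
    | where SenderDisplayName has_any (helpdesk_names)   // impersonation-style display name
    | project Timestamp, TeamsMessageId, SenderEmailAddress, SenderDisplayName,
              RecipientDetails, ThreadType;
// Attach any URLs carried in those messages (left outer: keep messages with no URL).
let suspicious_with_urls =
    suspicious_teams
    | join kind=leftouter (
        MessageUrlInfo
        | where Timestamp > ago(lookback)
        | project TeamsMessageId, Url, UrlDomain
      ) on TeamsMessageId;
// Cross-modal pivot: did the same domains also arrive through email?
suspicious_with_urls
| join kind=leftouter (
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | summarize EmailUrlHits = count(), EmailMessages = dcount(NetworkMessageId) by UrlDomain
  ) on UrlDomain
| project Timestamp, SenderEmailAddress, SenderDisplayName, ThreadType,
          RecipientDetails, Url, UrlDomain,
          EmailUrlHits = coalesce(EmailUrlHits, 0),
          EmailMessages = coalesce(EmailMessages, 0)
| order by EmailUrlHits desc, Timestamp desc
```

Rows with a non-zero EmailUrlHits are the ones to escalate first: the same lure domain reaching the organization over two channels is the signature of the multimodal campaign the section describes, and the sender address and TeamsMessageId give the pivot into the message entity page and MessagePostDeliveryEvents to confirm whether the message was already quarantined.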
Learn More

Visit our website to learn more about Microsoft Defender for Office 365. Ready to get started with collaboration security? Check out our documentation. To enable threat detections for Teams security, enable the Microsoft 365 connector. Not using Defender for Office 365 yet? Start a free trial. Want to know more about Microsoft's XDR solution? Start here.

Introducing differentiated protection for priority accounts in Microsoft Defender for Office 365
Today we’re thrilled to announce general availability of differentiated protection for priority accounts. With this release, users tagged as priority accounts will receive a higher level of protection against threats.