Protection Against Email Bombs with Microsoft Defender for Office 365
In today's digital age, email remains a critical communication tool for businesses and individuals. However, with the increasing sophistication of cyberattacks, email security has become more important than ever. One such threat that has been growing is email bombing, a form of net abuse that sends large volumes of email to an address to overflow the mailbox, overwhelm the server, or distract attention from important email messages indicating a security breach (see Email bomb - Wikipedia).

Understanding Email Bombing

Email bombing typically involves subscribing victims to a large number of legitimate newsletter and subscription services. Each service sends email notifications, which in aggregate create a large stream of emails into the victim's inbox, making triage of legitimate emails very difficult. This form of attack is essentially a denial of service (DoS) on the victim's email triaging attention budget.

Hybrid Attacks

More recently, email subscription bombs have been coupled with simultaneous lures on Microsoft Teams, Zoom, or via phone calls. Attackers impersonate IT support and offer to help solve the email problem caused by the spike of unwanted emails, ultimately compromising the victim's system or installing malware on it. This type of attack is brilliant because it creates a sense of urgency and legitimacy, making victims more likely to accept remote assistance and inadvertently allow malware planting or data theft. Read about the use of mail bombs where threat actors misused Quick Assist in social engineering attacks leading to ransomware (Microsoft Security Blog).

Incidence and Purpose of Email Bombing

Email bombing attacks have been around for many years but can have significant impacts on targeted individuals, such as enterprise executives, HR or finance representatives. These attacks are often used as precursors to more serious security incidents, including malware planting, ransomware, and data exfiltration.
They can also mute important security alerts, making it easier for attackers to carry out fraudulent activities without detection.

New Detection Technology for Mail Bombing Attacks

Current defenses are limited; they often amount to the victim trying to build their own mail flow rules. To address this, Microsoft Defender for Office 365 is releasing a durable block that limits the influx of emails, the majority of which are spam. By tracking message volumes across different sources and time intervals, the new detection combines the sender's historical patterns with signals related to spam content. It prevents mail bombs from being dropped into the user's inbox; the messages are instead sent to the Junk folder in Outlook.

Note: Safe sender lists in Outlook continue to be honored, so emails from trusted sources are not unexpectedly moved to the Junk folder, which prevents false positives.

Since the initial rollout started in early May, we have seen a tremendous impact in blocking mail bombing attacks out of our customers' inboxes.

How to Leverage the New "Mail bombing" Detection Technology in SOC Experiences

1. Investigation and hunting: SOC analysts can now see the new detection technology, "Mail bombing", in Threat Explorer, the Email entity page and Advanced Hunting, so they can investigate, filter and hunt for threats related to mail bombing.

2. Custom detection rule: To analyze the frequency and volume of mail bombing attacks, or to have automated alerts notify the SOC whenever a mail bombing attack occurs, analysts can create custom detection rules in Advanced Hunting by writing a KQL query over the DetectionMethods column of the EmailEvents table. Here is a sample query to get you started:

EmailEvents
| where Timestamp > ago(1d)
| where DetectionMethods contains "Mail bombing"
| project Timestamp, NetworkMessageId, SenderFromAddress, Subject, ReportId

The SOC experiences are rolled out worldwide to all customers.

Conclusion

Email bombs represent a growing threat in the world of cybersecurity. With the new detection technology for mail bombing, Microsoft Defender for Office 365 protects users from these attacks and gives Security Operations Center analysts visibility into them so they can take quick action to keep their organizations safe.

Note: Mail bombing protection is available by default in Exchange Online Protection and Microsoft Defender for Office 365 plans. This blog post is associated with Message Center post MC1096885. Also read Part 2 of our blog series to learn more about protection against multi-modal attacks involving mail bombing and correlation of Microsoft Teams activity in Defender.

Learn:
Detection technology details table
What's on the Email entity page
Filterable properties in the All email view in Threat Explorer
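To make the volume-tracking idea concrete, here is an offline model of a burst detector over EmailEvents-style rows, written in Python as an added example (not Microsoft's code; the real Defender for Office 365 logic, thresholds and features are not public). It counts messages per recipient in a sliding window, requires the traffic to come from many distinct senders before calling it a burst, honours a safe-sender list the way the note above describes, and returns a Junk or Inbox verdict per message. The sample rows, the contoso.example addresses, the 10-minute window and the 8-message / 5-sender thresholds are all constructed assumptions.

```python
"""Sliding-window mail-bombing burst detector (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class EmailEvent:
    """One inbound message, modelled on the EmailEvents columns used above."""
    timestamp: datetime
    recipient: str        # RecipientEmailAddress
    sender: str           # SenderFromAddress
    subject: str          # Subject


class MailBombDetector:
    """Tracks inbound volume per recipient in a sliding time window.

    Window and thresholds are assumptions for this example, not the values
    Defender for Office 365 uses.
    """

    def __init__(self, window=timedelta(minutes=10), max_messages=8,
                 min_distinct_senders=5, safe_senders=()):
        self.window = window
        self.max_messages = max_messages
        self.min_distinct_senders = min_distinct_senders
        self.safe_senders = {s.lower() for s in safe_senders}
        self._recent = defaultdict(deque)   # recipient -> deque[(ts, sender)]

    def classify(self, event):
        """Return "Junk" or "Inbox". Events must arrive in timestamp order."""
        sender = event.sender.lower()
        # Safe senders are never junked and are not counted towards the burst,
        # so they cannot be used to trip the detector on their own.
        if sender in self.safe_senders:
            return "Inbox"
        recent = self._recent[event.recipient.lower()]
        recent.append((event.timestamp, sender))
        cutoff = event.timestamp - self.window
        while recent and recent[0][0] < cutoff:   # evict messages outside the window
            recent.popleft()
        distinct_senders = {s for _, s in recent}
        burst = (len(recent) >= self.max_messages
                 and len(distinct_senders) >= self.min_distinct_senders)
        return "Junk" if burst else "Inbox"


def build_sample_events():
    """Constructed traffic: a subscription flood at one user, normal mail at another."""
    base = datetime(2025, 6, 2, 9, 0, 0)
    victim, colleague = "victim@contoso.example", "bob@contoso.example"
    events = [EmailEvent(base + timedelta(seconds=20 * i), victim,
                         f"news{i}@list{i}.example", f"Confirm your subscription #{i}")
              for i in range(12)]
    events += [
        # A safe-listed internal sender arriving in the middle of the flood.
        EmailEvent(base + timedelta(minutes=4, seconds=30), victim,
                   "payroll@contoso.example", "June payslip"),
        # A genuine security alert arriving while the burst is active.
        EmailEvent(base + timedelta(minutes=5), victim,
                   "alerts@security-vendor.example", "New sign-in from unknown device"),
        EmailEvent(base + timedelta(minutes=1), colleague,
                   "alice@contoso.example", "Lunch?"),
        EmailEvent(base + timedelta(minutes=2), colleague,
                   "news3@list3.example", "Weekly digest"),
    ]
    return events


def run_sample():
    """Classify the sample events in time order; returns (ts, recipient, sender, verdict)."""
    detector = MailBombDetector(safe_senders={"payroll@contoso.example"})
    verdicts = []
    for ev in sorted(build_sample_events(), key=lambda e: e.timestamp):
        verdicts.append((ev.timestamp, ev.recipient, ev.sender, detector.classify(ev)))
    return verdicts


def summarize(verdicts):
    """Per-recipient count of Inbox and Junk verdicts, like a summarize in KQL."""
    summary = defaultdict(lambda: {"Inbox": 0, "Junk": 0})
    for _, recipient, _, verdict in verdicts:
        summary[recipient][verdict] += 1
    return dict(summary)


if __name__ == "__main__":
    for ts, recipient, sender, verdict in run_sample():
        print(ts.time(), recipient, sender, verdict)
    print(summarize(run_sample()))
```

Running run_sample() shows the first seven subscription confirmations still reaching the Inbox before the detector trips, after which every further non-safe message to the victim, including the genuine sign-in alert from a security vendor, is junked. That last point is the practical caveat for SOC teams: a flood buries real alerts whether or not a detector fires, which is why the hunting query above, and a safe-sender entry for your own alerting addresses, matter.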
Microsoft Defender EOP

We have been experiencing an issue since last week where we are unable to view the details of quarantined emails. Could you please confirm if this is related to a known backend service issue, or if there are any specific troubleshooting steps we should perform on our end? Any guidance or updates would be greatly appreciated.

SOC can see Microsoft analysis for Third-party add-in user report
We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as KnowBe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis.

A prerequisite is that the third-party user report tool is already set up in Outlook for your end users and that it forwards the user reports to an Exchange Online mailbox within the organization. We do not recommend using an Exchange transport rule for this.

To enable this setting, do the following:

1. Go to User reported settings in the Microsoft Defender portal, select Monitor reported messages in Outlook, and then select the Use a non-Microsoft add-in button.
2. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox to which user-reported messages from the third-party add-in are routed.

If the third-party vendor follows the guidance for the message submission format, Defender for Office 365 submits these messages automatically to Microsoft for analysis. The analysis results from Microsoft are displayed on the User reported page in the Defender portal.

Alerts are automatically generated for user-reported messages in Defender for Office 365. If you have Defender for Office 365 Plan 2, Automated investigation and response (AIR) is also triggered automatically for user-reported phishing messages. These alerts and their investigations are automatically linked to Defender incidents, giving security teams automation for triage, investigation, and response. Submitting these messages to Microsoft returns the analysis result to security analysts and helps improve the Defender for Office 365 filters.

To learn more, check out these articles:
Report suspicious email messages to Microsoft
Automatic user notifications for user reported phishing results in AIR

Share Your Feedback!

We are eager for you to experience Microsoft's feedback, triage, investigation, and analysis capabilities for user reports while keeping the advantages of third-party report add-ins. Share your thoughts with us by commenting below.

Auto-Remediation of Malicious Messages in Automated Investigation and Response (AIR) is GA
We are excited to announce the GA release of auto-remediation of malicious messages through automated investigation and response (AIR), expanding this powerful tool and delivering full end-to-end automation of key SOC scenarios. AIR triages, investigates, remediates and responds to high-impact, high-volume security alerts, providing tenant-level analysis to increase customer protection and optimize SOC teams. With this enhancement, customers can configure AIR to automatically execute remediations for messages within malicious entity clusters, saving SOC teams time and further expediting remediation by removing the need for SOC teams to approve these actions! In the key user submission scenario, in addition to AIR completing triage, investigation, remediation identification, and end-user feedback responses, customers may now configure AIR to go a step further and automatically execute the identified remediations.

Auto-Remediation Action

When AIR recognizes a malicious file or URL, it creates a cluster around that file or URL, grouping all messages that contain it into the cluster. The automated investigation then checks the location of the messages within the cluster and, if it finds messages in users' mailboxes, produces a remediation action. With the auto-remediation enhancement, if the customer has configured the cluster type to auto-remediate, this action is executed automatically without SecOps approval, removing identified threats at machine speed!

Auto-remediated clusters show in the Action center history with Decided by stating Automation.

Configuration

Auto-remediation is controlled by a configuration within Settings > Email & Collaboration > MDO automation settings. Within the message clusters section, organizations specify which types of message clusters they would like to be auto-remediated:

Similar files: When the automated investigation recognizes a malicious file, it creates a cluster around the malicious file, grouping all messages that contain that file into the cluster. Selecting this checkbox opts the organization into auto-remediation for these malicious file clusters.

Similar URLs: When the automated investigation recognizes a malicious URL, it creates a cluster around the malicious URL, grouping all messages that contain the URL into the cluster. Selecting this checkbox opts the organization into auto-remediation for these malicious URL clusters.

The next configuration is the remediation action. It is set to soft delete, as soft delete is currently the only action supported through AIR.

The auto-remediation of malicious entity clusters configuration is found in Settings > Email & collaboration > MDO automation settings.

Note: Customers interested in auto-remediation must turn it on through the MDO automation settings page; it is not on by default.

Auto-Remediation Action Logging

The Defender portal provides several ways for customers to review remediation actions and stay aware of the actions executed: within the investigation, the Action center, the Email entity page, Threat Explorer and Advanced Hunting. Should customers disagree with an action that was executed, the messages can be moved back to mailboxes, depending on configuration and timing.

Auto-remediated messages show in Threat Explorer with Additional actions as Automated remediation: automated.

Auto-remediated messages show in Advanced Hunting with ActionType as Automated Remediation and ActionTrigger as Automation.

Learn More

Register for the deep dive webinar on Microsoft Defender for Office 365 automated investigation and response (AIR) on June 25, 2025, at 8:00am PDT / 3:00pm UTC. Learn more about the feature enhancements, as well as how AIR can help optimize SOC teams and accelerate threat response.

To learn more about auto-remediation in AIR, please visit Automated remediation in AIR - Microsoft Defender for Office 365 | Microsoft Learn.

To learn more about investigations in MDO, please visit the following pages:
Automated investigation and response in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn
View the results of an automated investigation in Microsoft 365 - Office 365 | Microsoft Learn
How automated investigation and response works in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn
Automatic user notifications for user reported phishing results in AIR - Microsoft Defender for Office 365 | Microsoft Learn

General Availability for Collaboration Security for Microsoft Teams
The rapid digital transformation of workplaces worldwide has not only expanded collaboration opportunities but has also introduced new attack surfaces that cybercriminals are eager to exploit. Microsoft Teams, with over 320 million users, has emerged as a cornerstone of enterprise productivity. However, this increased adoption has also made it an appealing target for cyber threats. Adversaries have started exploiting Microsoft Teams for sophisticated attacks, including impersonation and delivery of malicious payloads. Our research teams have observed the threat actors Storm-1811 and Storm-1674 orchestrating campaigns on Microsoft Teams.

That's why today we're excited to announce the General Availability of collaboration security for Microsoft Teams. This enhancement in Microsoft Defender for Office 365 helps protect Teams users against phishing, malware, and advanced attacks, thanks to a robust set of protection capabilities and security workflows. Some of these features have been in public preview, and we are now introducing new capabilities so that users can fully leverage them. Collaboration security for Microsoft Teams is designed to address the rise of new sophisticated attacks targeting Teams, with end-to-end features including:

Improved Teams security posture with increased control over how external organizations communicate with employees
Better in-line client protection for end users from malicious links or attachments
Easy reporting of suspicious messages to admins and Microsoft
Threat hunting and response capabilities

Improved Teams security posture with increased control over how external organizations communicate with employees

Teams provides a wide range of federation controls that let organizations determine how they collaborate, and the upcoming granular federation policies give security teams more control. Security teams can dictate which tenants, domains, and users can communicate with their organization. There are also granular controls over how admins allow their organizations to communicate with trial tenants, and added protection with new OTP authentication options for securing meetings. Security admins can also bolster their organization's security posture with Teams recommended actions within Exposure Management, which helps assess the current security posture, identify potential improvements, and take actions to enhance overall security.

Better in-line client protection for end users from malicious links or attachments

Defender for Office 365 uses advanced threat intelligence and machine learning to detect and block malicious content in Microsoft Teams. It continuously monitors and scans URLs and files shared within Teams chats, protecting end users from malicious links directly in-line in the Teams client and at time of click, where they collaborate. Phishing attacks often rely on deceptively benign links that lure users into divulging sensitive information. By intercepting these threats before they reach users in your organization, inline protection in the Teams client not only reduces the risk of data breaches but also prevents disruption that can lead to costly downtime.

When an employee receives a link in a Microsoft Teams conversation, inline protection immediately evaluates it. If the link is determined to be malicious, it is promptly removed, neutralizing potential phishing attempts while providing an uninterrupted end-user experience. We take a much more proactive approach than other solutions, which merely display in-line tips instead of taking immediate action. Suspicious files and URLs are automatically executed in a secure, isolated environment (a sandbox) to determine whether they exhibit malicious behavior. This process, known as real-time detonation, ensures that harmful content is identified and neutralized before end users can access it. In addition, we apply time-of-click protection for every URL, evaluating links when end users click them, which adds a layer of protection across Microsoft Teams clients on the web, desktop, and mobile. For security teams, any clicks on URLs in Microsoft Teams are available for investigation, hunting, and response via our hunting tools and APIs (such as Threat Explorer and Advanced Hunting).

In addition to links, attachments are prime vectors for malware and ransomware. Detonating these files in real time prevents harmful content from entering your production environment. For security teams, this means fewer incidents to manage, reduced remediation times, and enhanced business continuity. For example, if a file shared in a Teams chat is flagged as potentially dangerous, it is safely isolated, ensuring your organization and users remain protected. Our integrated quarantine management experience lets security teams efficiently triage and investigate flagged Teams messages, with the ability to review message details and preview message content. This balance between seamless collaboration and robust security, supported by inline URL protection and integrated quarantine management, helps ensure security without disrupting communication, so your users stay productive while threats are kept at bay.

Easy reporting of suspicious messages to admins and Microsoft

Organizations today build employee resilience through security awareness and education, and a key component of these programs is helping people identify and report suspicious events. When employees see suspicious messages in Microsoft Teams, including those from external users, they can now help secure the organization by easily reporting them to their security teams and Microsoft, thanks to our seamless integration with the broader Microsoft XDR portfolio. Security teams can control where submissions are sent, including sending them to Microsoft for learning and feedback, with similar workflows and configurations across Teams and email. This proactive reporting mechanism not only bolsters your organization's defenses but drives a security-first culture that helps detect and respond to potential threats faster. External reporting is broadly available following Secure 2025; see the documentation section for details.

Threat hunting and response capabilities across Teams messages

At the end of May 2024, Microsoft observed Storm-1811 conducting multimodal social engineering attacks that leveraged Microsoft Teams alongside email-based threats. Attackers used tactics like "email bombing" and fraudulent tenants, followed by Teams messages impersonating help desk personnel with deceptive display names like "Help Desk", "Help Desk IT", "Help Desk Support", and "IT Support." Microsoft swiftly disrupted these attacks, in part thanks to full integration with XDR capabilities, which suspended the identified malicious accounts and fraudulent tenants. Additionally, our purpose-built, research-driven threat detection technology continues to proactively identify and mitigate emerging threats by analyzing anomalous user agents and usernames, recognizing suspicious file hosting URLs, and detecting irregular activities, especially those involving external users. Microsoft Threat Intelligence supports security teams by surfacing correlated alerts and recommended mitigation strategies within our unified SOC platform, including alerts about:

Use of automation tools in phishing attacks
Messages originating from suspicious tenants
Interactions with potentially compromised users
Interactions with potentially malicious external users

SOC investigation with Advanced Hunting

While automated capabilities and features are effective, advanced hunting is just as important to keep organizations secure. By providing deep visibility into granular security data, advanced hunting lets security teams identify subtle patterns and anomalies, enabling early intervention before threats develop into full-blown security incidents. To further enhance this capability, we are extending the rich, contextual threat hunting that Microsoft Defender for Office 365 provides with three dedicated advanced hunting tables: MessageEvents, MessageUrlInfo and MessagePostDeliveryEvents. Security teams can now gain comprehensive insight into Teams messages containing URLs. With detailed, real-time data at their fingertips, your security teams can swiftly follow up on potential threats, strengthening your organization's capacity to counter new and emerging threats. This includes the ability to correlate threats across Teams and email messages to address cross-modal attacks. Broadly available following Secure 2025; see the documentation section for details.

Stay secure while collaborating with confidence

The new capabilities for Microsoft Teams help ensure your organization can approach collaboration security comprehensively, by combining advanced threat detection, an improved end-user experience, and tools for more efficient SecOps management. By extending the power of Defender for Office 365 beyond email to include Teams, organizations can build a more resilient security strategy that safeguards all communication channels, while also improving operational efficiency through simplified security administration and XDR. With automated threat remediation, precise policy enforcement, and real-time user alerts, organizations can mitigate risks without affecting productivity. Furthermore, by embedding security directly into collaboration workflows, organizations can empower their teams to work confidently, focus on what is most impactful, and maintain productivity in a secure digital environment.

Learn More

Visit our website to learn more about Microsoft Defender for Office 365.
Ready to get started with collaboration security? Check out our documentation.
To enable threat detections for Teams security, enable the Microsoft 365 connector.
Not using Defender for Office 365 yet? Start a free trial.
Want to know more about Microsoft's XDR solution? Start here.

No URL Detection in Emails with Extensive %2580 Encoding
Hi Community,

I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren't identified as links, which allowed them to evade security scanning.

Issue Details:
The email contained malicious URLs encoded with %2580.
The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely.

Questions:
Has anyone else encountered similar issues with encoded URLs bypassing detection?
What's the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URLs were identified?

Looking forward to your input and recommendations. Thanks in advance!
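As an added illustration of why such messages can slip past URL extraction, here is a small Python normalizer (example code added here, not from the original post, Microsoft, or any vendor): it percent-decodes a message body layer by layer until the text stops changing, runs a URL pattern over every layer, and reports how many decoding rounds were needed. The message body, the example.test hostnames and the round cap are constructed for the example; the %2580 sequence from the question is itself one layer of encoding over %80 (since %25 is the encoded percent sign), which the loop peels off the same way.

```python
"""Layered percent-decoding before URL extraction (constructed example)."""
import re
from urllib.parse import unquote

# Deliberately plain pattern: the point is what decoding reveals, not the regex.
URL_RE = re.compile(r'''(?i)\bhttps?://[^\s<>"']+''')

# Constructed message body: one plain link, one single-encoded link and one
# double-encoded link. Hostnames under example.test are placeholders.
SAMPLE_BODY = (
    "Your mailbox is almost full. Review at https://mail.example.test/quota\n"
    "Verify your account: https%3A%2F%2Fverify.example.test%2Flogin\n"
    "Or here: https%253A%252F%252Fdeeper.example.test%252Freset%253Fid%253D7\n"
)


def decode_layers(text, max_rounds=5):
    """Return [text, unquote(text), unquote(unquote(text)), ...].

    Stops when a round changes nothing, or after max_rounds so that a
    pathologically deep encoding cannot keep the scanner busy forever.
    """
    layers = [text]
    for _ in range(max_rounds):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def encoding_depth(text, max_rounds=5):
    """Number of decoding rounds that changed the text (0 = no encoding)."""
    return len(decode_layers(text, max_rounds)) - 1


def extract_urls(text, max_rounds=5):
    """URLs visible in the raw text or in any decoding layer, in order found."""
    found = []
    for layer in decode_layers(text, max_rounds):
        for url in URL_RE.findall(layer):
            if url not in found:
                found.append(url)
    return found


if __name__ == "__main__":
    print("naive  :", URL_RE.findall(SAMPLE_BODY))
    print("layered:", extract_urls(SAMPLE_BODY))
    print("depth  :", encoding_depth(SAMPLE_BODY))
```

A single pass over the raw body finds only the plain link; the layered pass finds all three. The round cap matters: a string can be encoded enough times that decoding never settles within a useful budget, so a depth greater than one is itself a signal worth flagging or alerting on rather than something to chase to completion.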