investigation
Help me understand why this email was quarantined?

I'm pretty familiar with Defender's Threat Policies. I've probably set them up on 40 tenants. I know the Hosted Content Filter Policy is the backend for the Anti-Spam Inbound policy. I know that, confusingly, the Anti-Spam Inbound Policies contain the actions for High Confidence/Normal Confidence Phishing - NOT the Anti-Phishing policies (which seem more geared towards impersonation). What I DON'T know is why this was quarantined - and whether the anti-phish policy had anything to do with it. The Policy Type linked is the IB Anti Spam. This tenant is one of the few we have set at a BCL tolerance level of 7 - which shows me that 0 messages in the last 60 days would've been caught for this reason (which would include the email in question). So it was either the SCL or some 'anti phish' component of the anti-spam policy. I have none of the custom 'increase spam score' markers here. I was sure there was an 'evidence' tab within the email entity, but I guess not - the only info I have about the detection (now released) is the following: This particular sender does not send reliably over 45 days, but has also been a business partner of this tenant for decades. So rather than the Tenant Allow/Block list, which allows a max of 45 days, I want to add it to the offending policy, which SEEMS like it would be the inbound anti-spam - except that it also says it's phishing everywhere. I don't want to bypass both the phishing and spam policies unless I have to - but I don't really know why this got blocked. It's an external address that had sent an email days ago that got through without issue... This one has an attached PDF, but so do they all. Thoughts?
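Added example for the post above (editor's code, not the poster's). The verdict EOP actually applied to a quarantined message is in its X-Forefront-Antispam-Report header: the CAT field says whether it was spam, bulk, phish or high confidence phish, and that in turn decides whether an allowed sender on the inbound anti-spam policy would have changed anything. The script needs the ExchangeOnlineManagement module (Connect-ExchangeOnline before the online part); the recipient and partner addresses are placeholders, the sample header is constructed, and the assumption that Get-QuarantineMessageHeader exposes the raw text as a Header property has a fallback.

```powershell
# Added example (editor's, not the poster's). Needs the ExchangeOnlineManagement
# module: Connect-ExchangeOnline before the online part. Addresses are placeholders.

function Get-AntispamVerdict {
    # Parse the X-Forefront-Antispam-Report header and say which policy knob fired.
    param([Parameter(Mandatory)][string]$HeaderText)

    # The header is folded over several lines; join continuation lines first.
    $unfolded = $HeaderText -replace "`r?`n[ `t]+", ''
    if (-not ($unfolded -match 'X-Forefront-Antispam-Report:\s*([^\r\n]+)')) {
        throw 'No X-Forefront-Antispam-Report header found'
    }
    $report = $Matches[1]

    # Fields are KEY:VALUE pairs separated by semicolons.
    $fields = @{}
    foreach ($pair in ($report -split ';')) {
        if ($pair -match '^\s*([A-Z]+):(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }

    # CAT is the verdict category. Values documented by Microsoft:
    #   SPM spam, HSPM high confidence spam, PHSH phish, HPHSH high confidence phish,
    #   BULK bulk, MALW malware, SPOOF spoof, DIMP/UIMP/GIMP impersonation, NONE none.
    # switch on $null runs nothing (not even default), so substitute NONE explicitly.
    $cat = if ($fields.ContainsKey('CAT')) { $fields['CAT'] } else { 'NONE' }
    $knob = switch ($cat) {
        'BULK'  { 'Inbound anti-spam policy: bulk threshold (BCL) and bulk action' }
        'SPM'   { 'Inbound anti-spam policy: spam action (SCL-driven)' }
        'HSPM'  { 'Inbound anti-spam policy: high confidence spam action' }
        'PHSH'  { 'Inbound anti-spam policy: phishing action' }
        'HPHSH' { 'Inbound anti-spam policy: high confidence phishing action (allowed senders do not override this)' }
        'MALW'  { 'Anti-malware policy (allowed senders do not override this)' }
        'SPOOF' { 'Anti-phishing policy: spoof intelligence' }
        { $_ -in 'DIMP', 'UIMP', 'GIMP' } { 'Anti-phishing policy: impersonation protection' }
        'NONE'  { 'No anti-spam verdict; check the quarantine Type (mail flow rule, Safe Attachments, ...)' }
        default { "Unmapped CAT value '$cat'" }
    }

    [pscustomobject]@{
        SCL    = $fields['SCL']
        BCL    = $fields['BCL']
        CAT    = $cat
        SFV    = $fields['SFV']   # SFV:SKA / SFV:SKB mean an allow / block list already applied
        Policy = $knob
    }
}

# Constructed header for an offline check (values illustrative, not from a real message).
$sampleHeader = @"
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;
 SFV:SPM;H:mail.fabrikam.example;PTR:mail.fabrikam.example;CAT:HPHSH;DIR:INB;
"@
Get-AntispamVerdict -HeaderText $sampleHeader   # CAT HPHSH: an allowed sender would not help here

# Online part: classify every message quarantined for one recipient in the last 30 days.
$recipient = 'user@contoso.example'   # placeholder
Get-QuarantineMessage -RecipientAddress $recipient -StartReceivedDate (Get-Date).AddDays(-30) |
    ForEach-Object {
        $hdrObj = Get-QuarantineMessageHeader -Identity $_.Identity
        # Assumption: the raw header is a Header property; otherwise use the rendered object.
        $hdrText = if ($hdrObj.PSObject.Properties['Header']) { $hdrObj.Header } else { $hdrObj | Out-String -Width 4096 }
        $v = Get-AntispamVerdict -HeaderText $hdrText
        [pscustomobject]@{
            Received = $_.ReceivedTime; Sender = $_.SenderAddress; Subject = $_.Subject
            QuarantineType = $_.Type; SCL = $v.SCL; BCL = $v.BCL; CAT = $v.CAT; Policy = $v.Policy
        }
    } | Format-Table -AutoSize

# Allow-listing: allowed senders on the inbound anti-spam policy bypass spam, bulk and
# phishing filtering, but malware and high confidence phishing are still filtered.
# So this only resolves SPM/HSPM/PHSH/BULK verdicts; for HPHSH the fix is an admin
# submission / Tenant Allow/Block List entry, not this list.
$partner = 'billing@fabrikam.example'   # placeholder
Set-HostedContentFilterPolicy -Identity 'Default' -AllowedSenders @{ Add = $partner }
```

Run the offline check first to see the shape of the output; then run the online part against the recipient of the released message. If CAT comes back HPHSH, the anti-spam allowed-sender change at the end is a no-op for that verdict, which is the trap the post is trying to avoid.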
Microsoft Defender EOP

We have been experiencing an issue since last week where we are unable to view the details of quarantined emails. Could you please confirm whether this is related to a known backend service issue, or if there are any specific troubleshooting steps we should perform on our end? Any guidance or updates would be greatly appreciated.

upgraded from P1 to P2... how do I configure this?
Upgraded to Defender 365 P2 from P1, based on the automated responses. Kinda figured we'd be able to tweak these, but I guess not? Anyway, I'm a little bit confused about how to set this up maximally. Realized yesterday we had a 'User click a malicious link' investigation that was pending - but no one knew. When I click 'Email Notification' in the 'Incidents' window, it brings me to the XDR settings menu, with options for setting emails to notify of Alerts, Incidents and Threat Analytics. Except we don't have XDR? So I can't tell if these are even valid? The documentation on the AIR component is really hard to decipher - wondering if anyone has much experience with this, and knows how to configure it optimally? As in, how do I notify someone of a Critical Investigation, or something needing approval for remediation? Can I configure certain things to not require approval? Like... removing a reported phishing email from everyone's inbox?

No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren't identified as links, which allowed them to evade security scanning. Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely. Questions: Has anyone else encountered similar issues with encoded URLs bypassing detection? What's the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URLs were identified? Looking forward to your input and recommendations. Thanks in advance!
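Added example for the post above (editor's code, not the poster's). The evasion described relies on the filter extracting links from the raw text: `%25` is an encoded `%`, so a URL that has been percent-encoded twice contains no `https://` until it is decoded twice. The normalisation a detector needs is to decode repeatedly until the text reaches a fixed point and only then look for URLs. This runs offline in plain PowerShell; the sample message is constructed and the `login.example.test` host is a placeholder.

```powershell
# Added example (editor's, not from the post). Pure PowerShell; runs offline.

function Expand-PercentEncoding {
    # Decode nested percent-encoding until the text stops changing.
    param([Parameter(Mandatory)][string]$Text, [int]$MaxRounds = 8)
    $current = $Text
    $rounds = 0
    while ($rounds -lt $MaxRounds) {
        # %25 -> "%", %3A -> ":", and so on. A sequence that is not valid UTF-8
        # (a lone %80, for instance) is either left escaped or becomes U+FFFD
        # depending on the .NET runtime; either way the loop still converges.
        $next = [System.Uri]::UnescapeDataString($current)
        if ($next -eq $current) { break }
        $current = $next
        $rounds++
    }
    [pscustomobject]@{ Decoded = $current; Rounds = $rounds }
}

function Find-Urls {
    # Extract http(s) URLs from text AFTER normalising the encoding.
    param([Parameter(Mandatory)][string]$Text)
    $decoded = (Expand-PercentEncoding -Text $Text).Decoded
    [regex]::Matches($decoded, '(?i)\bhttps?://[^\s<>"'']+') | ForEach-Object { $_.Value }
}

# Constructed sample: a login URL double-encoded, with %2580 runs appended.
# Nothing in it matches "https://" until it has been decoded twice.
$sample = 'Please review: https%253A%252F%252Flogin.example.test%252Freset%253Ftoken%253Dabc%2580%2580'

$beforeDecode = [regex]::Matches($sample, '(?i)https?://').Count   # 0: raw-text scanner sees no link
$urls = Find-Urls -Text $sample                                    # one URL after normalising

[pscustomobject]@{
    UrlsVisibleInRawText = $beforeDecode
    UrlsAfterNormalising = @($urls).Count
    DecodeRounds         = (Expand-PercentEncoding -Text $sample).Rounds   # 2 for this sample
    FirstUrl             = @($urls)[0]
}
```

The point of the fixed-point loop rather than a single decode is that the number of encoding layers is the attacker's choice; capping the rounds keeps pathological input from looping forever. The same decoded text is also what you would paste into an admin submission so the analyst sees the real destination.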
MS 365 Defender - What permissions are needed to move and delete emails in Explorer?

I need a tech with limited permissions to be able to https://learn.microsoft.com/en-us/defender-office-365/remediate-malicious-email-delivered-office-365 These are the options I have in Admin. I tried a bunch of recommended actions, yet I don't seem to have the correct Admin portals as shown at https://learn.microsoft.com/en-us/defender-xdr/manage-rbac. For example, I don't have the MS 365 Defender Permissions Group shown in the video.

internal user email quarantined and reason "high confidence phish"
Have you ever seen email quarantined when both sender and recipient are internal organization users and the quarantine reason is high confidence phish by the default built-in anti-spam policy? Really confused why it happened and how to avoid such false positives.

Archive Email Search across all emails going back 3 years or more
Hi, In Mimecast I am able to perform an archive search on emails very quickly (less than 10 seconds) and can easily go back 5-10 years (we have a retention of 10yrs for Mimecast). How can I do this with the 365 tooling that I have within the E5 license scope? In Explorer in the Defender portal, I can only go back 30 days, so I want to know how I would go about doing this for, say, 3-5yrs using Microsoft tools. Example: I want to look for any emails from joe.bloggs@gmail sent to any of our users going back 3 or 5yrs without having to do a full eDiscovery each time, which is extremely time consuming. Do Microsoft have any plans to have a similar way to easily search through all corporate email quickly and efficiently? It really seems like a no-brainer product that Microsoft could give to their users, and would mean they wouldn't have to rely on third-party tooling to do this in a field where Microsoft really should be stronger. I asked the same question the other day on https://old.reddit.com/r/Office365/comments/1dyg3zd/archive_email_search_across_all_emails_going_back/ as I was hoping that I was missing something, but it seems that it is a feature that is lacking at the moment. Thought I would also raise the question here as well in the hope that someone has a suggestion of what we could use that may work and would be faster than a full blown eDiscovery, or maybe even get the attention of someone at MS that has the ability to create such a needed feature.
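Added example for the post above (editor's code, not the poster's). Explorer's 30-day window is a Defender limit; mailbox content as far back as retention kept it is searched with a content search, and scripting that search from Security & Compliance PowerShell avoids clicking through a full eDiscovery case each time. Requires the ExchangeOnlineManagement module and an account holding a compliance search role; the sender address, lower date bound and search name are placeholders.

```powershell
# Added example (editor's, not the poster's). Security & Compliance PowerShell from the
# ExchangeOnlineManagement module; the account needs an eDiscovery / compliance search role.
# Sender address and date are placeholders.
Connect-IPPSSession

$sender = 'joe.bloggs@gmail.com'
$since  = '2021-01-01'
$name   = "Sender-$($sender -replace '[^A-Za-z0-9]', '-')-$(Get-Date -Format yyyyMMddHHmm)"

# Content search KQL: all mailboxes (primary and archive), one sender, lower date bound.
$query = "from:$sender AND received>=$since"
New-ComplianceSearch -Name $name -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $name

# Poll until the estimate finishes.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $name
} until ($search.Status -in 'Completed', 'PartiallySucceeded', 'Failed')

$search | Select-Object Name, Status, Items, Size

# Follow-up actions on the same search: preview hits, export, or purge.
#   New-ComplianceSearchAction -SearchName $name -Preview
#   New-ComplianceSearchAction -SearchName $name -Export
#   New-ComplianceSearchAction -SearchName $name -Purge -PurgeType SoftDelete   # needs the Search And Purge role
```

Wrap the middle of this in a function taking the sender and date and you have the "search everything from X" button the post is asking for; the run time is the index estimate, not a case workflow.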
How to pull a report for detected Phishing, Spam or Malware in Defender for email.

I am trying to pull a report in Defender that shows how many phishing emails were detected in the last 30 days. I've tried this in the reports > email and collaboration reports as well as using queries in advanced hunting. I'm getting different numbers every time and starting to think I'm overthinking this. I am trying to see how many of a certain email Defender detects and how many our other email security tool detects to see what Microsoft is missing. TIA.
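Added example for the post above (editor's code, not the poster's). Two reasons the numbers disagree are visible in the hunting schema itself: EmailEvents holds one row per recipient, so a count of rows and a distinct count of NetworkMessageId differ whenever a message had several recipients, and post-delivery ZAP actions are recorded in EmailPostDeliveryEvents rather than in the delivery-time rows. The script runs both queries through the Microsoft Graph security API so the report is reproducible. It needs the Microsoft.Graph PowerShell module and the ThreatHunting.Read.All permission; the 30-day window matches the post.

```powershell
# Added example (editor's, not the poster's). Needs the Microsoft.Graph PowerShell module and
# the ThreatHunting.Read.All permission; the KQL is what you would paste into Advanced hunting.
Connect-MgGraph -Scopes 'ThreatHunting.Read.All'

function Invoke-HuntingQuery {
    # POST the KQL to the Graph security API and return the result rows.
    param([Parameter(Mandatory)][string]$Kql)
    $response = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body @{ Query = $Kql }
    $response.results
}

# Delivery-time verdicts. EmailEvents has one row per recipient; NetworkMessageId is
# shared by all copies of one message, so count() and dcount() diverge as soon as a
# phish had several internal recipients. That is the first source of "different numbers".
$verdicts = @'
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatTypes)
| summarize RecipientRows = count(), Messages = dcount(NetworkMessageId)
    by ThreatTypes, DeliveryAction
| order by RecipientRows desc
'@

# Post-delivery actions (ZAP) are in their own table. EmailEvents.DeliveryAction keeps the
# original delivery verdict and LatestDeliveryAction the updated one, so a report that
# counts only delivery-time detections will be lower than one that includes ZAP.
$zap = @'
EmailPostDeliveryEvents
| where Timestamp > ago(30d)
| where ActionType endswith "ZAP"
| summarize Messages = dcount(NetworkMessageId) by ActionType, ActionResult
'@

Invoke-HuntingQuery -Kql $verdicts | ForEach-Object {
    [pscustomobject]@{ ThreatTypes = $_.ThreatTypes; DeliveryAction = $_.DeliveryAction
                       RecipientRows = $_.RecipientRows; Messages = $_.Messages }
} | Format-Table -AutoSize

Invoke-HuntingQuery -Kql $zap | ForEach-Object {
    [pscustomobject]@{ ActionType = $_.ActionType; ActionResult = $_.ActionResult; Messages = $_.Messages }
} | Format-Table -AutoSize
```

ThreatTypes can hold more than one verdict for a message ("Phish, Spam"), so decide up front whether such a message counts as phish, as spam, or as both before comparing against the other product, and compare on Messages rather than RecipientRows unless the other tool also counts per recipient.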
Notification for pending actions

I'm having an issue where Defender isn't notifying me on pending actions like deleting an email, and it's not waiting long enough for me to approve actions. Example: An email is delivered at 6pm (after hours) with a malicious URL. Defender detects it and ZAPs the URL automatically and sends me a useless alert "Email messages containing malicious URL removed after delivery". Sometimes this alert requires my intervention, sometimes not, but the same alert comes through every time so I have to check every time. The next morning I come in around 8 and see the useless alerts and go to my Actions queue, and all the pending actions have now timed out, so now I'm hunting to get rid of these messages. If I could get notified when I need to take action I could disable the useless alert telling me it ZAPped a URL, as not every ZAP requires Admin intervention. I could also configure this "admin approval required" alert to text me so I can take action immediately instead of the next time I check my email. I have 2 questions: 1. How do I set up Defender to send me a notification whenever I have pending actions? 2. How can I change the default behavior of the automated investigations? Ideally, if Defender finds a bad URL or attachment I'd rather have it just soft delete without my intervention.