microsoft 365 defender
103 Topics

How to exclude Blocked senders from End user quarantine notification/Digest
@All We have an end user notification policy in place. Whenever a user blocks a sender from the Quarantine notification/Digest and the next day we receive an email from the same sender, it's in quarantine, and the quarantine notification/digest will again say that the email from xyz is in quarantine even though it was blocked yesterday by the same user. This seems to be by design: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-quarantine-notifications?view=o365-worldwide As the article says to create a Transport Rule, I created one with the condition "header matches the following keywords or phrases": Header x-forefrontAntispamreport & Value = SFV:SKN. However, this does not work; I am not sure if the transport rule does not accept this header field (because some rules work when I say header = From) or it's something to do with priority. All I am trying to achieve here is that once a sender is blocked by a user in the end user quarantine notification, from then onwards that sender should not be shown again in the notification. I think we need to somehow delete emails from blocked senders in quarantine. However, I can only think of a transport rule as of now, but that's not working. Any suggestions/thoughts are appreciated. Thank you.

Automated Investigation and Response
Upgraded to Defender for 365 P2 based on the idea of setting automated responses to certain alerts. That's how it was described. Now I'm trying to enable and configure it. The documentation has bounced me around 20 different articles for XDR, Defender Enterprise, Defender for Business... I do not see anywhere to configure the automation in Defender. One doc points me to https://security.microsoft.com/securitysettings/endpoints/integration for making sure it's enabled. When I open this and go down to Automation, it's simply an empty list of device groups. We don't use Device groups - we don't use Defender Endpoint. Has anyone configured this in a non-XDR environment? What I'm encountering and what was advertised seem very different...

Setting up Admin Quarantine
Hi, We are looking to set up admin quarantine as per the instructions in here: https://learn.microsoft.com/en-us/defender-cloud-apps/use-case-admin-quarantine We have followed this step by setting up a location for admin quarantine: However, when editing the 'Malware Detection' rule in Defender we do not get an option for 'Put in admin quarantine', only 'Put in user quarantine': Does anyone have any idea how to resolve this? Thank you.

Anti-malware policy doesn't block files
Hello Microsoft Community, We have recently found that the Anti-malware policy doesn't block files that are set to be blocked by the policy. For example, when we send an *.ics file with cmd/exe/jse/rdp and other files inside of the ics, the email is not blocked and is delivered to users. We did several tests with an external security vendor by sending real malware, ransomware and exploits attached to the ics and all of them passed the filtering system. Is anyone aware of the issue? Doesn't MDO scan nested files?! This has happened with a few tenants. Those tenants have Microsoft E5 licenses.

Clarification on Microsoft Teams Encryption: E2EE vs. Default Encryption
I’m seeking some clarity on the differences between the end-to-end encryption (E2EE) offered with the Teams Premium license and the default encryption for data at rest and in transit within Microsoft Teams. From what I understand, Teams data is already encrypted both in transit and at rest by default. However, I’m unsure how the E2EE provided under the Teams Premium license differs from this standard encryption. Could someone explain in simple terms the specific differences between these two encryption methods? I’m particularly interested in understanding how I can effectively communicate these differences to my clients, who may not be very technical but need to grasp the security advantages of the Premium license.

Solved

URL clicks not being tracked
Hi, I have URL rewrite and Defender EDR in the environment. It seems like clicks are missing tracking information. Both the hunting queries and the actual URL and domain page show no clicks, and I know for a fact users clicked it. The URL is external and it is rewritten; I checked in the email to confirm, I even clicked the URL myself and nothing is tracked. Also, how do you translate a rewritten URL to the URL without clicking on it? Any suggestions?

1.4K Views, 1 like, 2 Comments

Spam/Spoofed email received differently by 3 users
Hello experts... today, I had a user report a spoofed email - the email looked like it was sent from a CEO (his full name; the email address was however completely different and was a gmail.com address, not our domain). The user received this email to his inbox directly.... and did not realize it was a spam/phish email at first sight. So.. I've started to have a look at why it was delivered to the inbox, as I would expect that email would be either in Junk or Quarantined. I've found out that two other users received the same email address just a few seconds after the 1st one was delivered; however, for those two users it was actioned as "FilteredAsSpam" when I checked Mail Flow -> Message trace. ..So it was identified as SPAM this time and was delivered to the JUNK folder.... good here then. I've also checked the header of the one that was delivered to the inbox, comparing it to the one in Junk... and I saw that for the first one, the SCL = 1... and for the other 2 users, the SCL = 5. Also, when I check Defender -> Explorer, I see that:

for the 1st recipient:
Latest Threats: None
Latest delivery location: Inbox folder
Detection technology: -
Delivery action: Delivered

for the other 2 recipients:
Latest Threats: Phish / Normal
Latest delivery location: Junk Email folder
Detection technology: Mailbox intelligence impersonation
Delivery action: Delivered to junk

Now, my question would be - why was the 1st email delivered to the Inbox and the same email sent to two other users (just a few seconds later) then delivered to Junk (as I would expect also for the 1st user)? Why was the SCL 1 for the 1st recipient and 5 for the other two a few seconds later if it is the same email from the same sender? Btw, I have added CEOs to the "impersonated" user list so it hopefully helps next time?

How to classify E-Mails with *.html or *.htm attachments as spam?
A tenant is currently receiving an enormous amount of phishing emails with *.html or *.htm attachments. 99% of the e-mails which contain such an attachment are phishing e-mails. What's the best approach to filter out those e-mails? They are using the standard protection threat policies.

6.3K Views, 1 like, 9 Comments

Quarantine - Certain Users Not Showing
We have our environment set up to where we get active alerts for any emails that are requested to be released from quarantine. My team then goes in and looks at the email to make sure it is legit enough to be released. Since we have been doing this, we have noticed that certain users will not show up in the quarantine section from time to time. Even though I can pull up the email in Explorer and verify that it was sent to quarantine, it cannot be searched or found in there. I was even able to verify several OTHER users who received these quarantined emails and they do show up. I thought at one point it was just certain emails but recently verified that it is the user themselves. Even though I can verify that 100+ emails have been received and sent to quarantine in the past 30 days by a user, NONE of them show up in the actual quarantine section of Microsoft 365 Defender no matter how it is searched for. Does anyone have any possible fixes for this? It is very frustrating if we are trying to manage these emails for our end users.

Notification for pending actions
I'm having an issue where Defender isn't notifying me on pending actions like deleting an email and it's not waiting long enough for me to approve actions. Example: An email is delivered at 6pm (after hours) with a malicious URL. Defender detects it and ZAPs the URL automatically and sends me a useless alert "Email messages containing malicious URL removed after delivery". Sometimes this alert requires my intervention, sometimes not, but the same alert comes through every time so I have to check every time. The next morning I come in around 8 and see the useless alerts and go to my Actions queue and all the pending actions have now timed out, so now I'm hunting to get rid of these messages. If I could get notified when I need to take action, I could disable the useless alert telling me it zapped a URL, as not every ZAP requires Admin intervention. I could also configure this "admin approval required" alert to text me so I can take action immediately instead of the next time I check my email. I have 2 questions:
1. How do I set up Defender to send me a notification whenever I have pending actions?
2. How can I change the default behavior of the automated investigations? Ideally, if Defender finds a bad URL or attachment I'd rather have it just soft delete without my intervention.