Build custom email security reports and dashboards with workbooks in Microsoft Sentinel
Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, sometimes security teams require custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights to meet their needs. We previously shared an example of how you can leverage Power BI and the Microsoft Defender XDR Advanced Hunting APIs to build a custom dashboard and shared a template that you can customize and extend. In this blog, we will showcase how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. We will also share an example workbook that is now available and can be customized based on your organization’s needs. Why use workbooks in Microsoft Sentinel? There are many potential benefits to using workbooks if you already use Microsoft Sentinel and already stream the hunting data tables for Defender for Office 365: You can choose to store data for a longer period of time via configuring longer retention for tables you use for your workbooks. For example you can store Defender for Office 365 EmailEvents table data for 1 year and build visuals over longer period of time. You can customize your visuals easily based on your organization’s needs. You can configure auto-refresh for the workbook to keep the data shown up to date. You can access ready to use workbook templates and customize them if it's needed. Getting started After you connect your data sources to Microsoft Sentinel, you can visualize and monitor the data using workbooks in Microsoft Sentinel. Ensure that Microsoft Defender XDR is installed in your Microsoft Sentinel instance, so you can use Defender for Office 365 data with a few simple steps. Detection and other Defender for Office 365 insights are already available as raw data in the Microsoft Defender XDR advanced hunting tables: EmailEvents - contains information about all emails EmailAttachmentInfo - contains information about attachments in emails EmailUrlInfo - contains information about URLs in emails EmailPostDeliveryEvents – contains information about Zero-hour auto purge (ZAP) or Manual remediation events UrlClickEvents - contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps. CloudAppEvents – CloudAppEvents can be used to visualize user reported Phish emails and Admin submissions with Defender for Office 365. The Microsoft Defender XDR solution in Microsoft Sentinel provides a connector to stream the above data continuously into Microsoft Sentinel. Microsoft Sentinel then allows you to create custom workbooks across your data or use existing workbook templates available with packaged solutions or as standalone content from the content hub. How to access the workbook template We are excited to share a new workbook template for Defender for Office 365 detection and data visualization, which is available in the Microsoft Sentinel Content hub. The workbook is part of the Microsoft Defender XDR solution. If you are already using our solution, this update is now available for you. If you are installing the Microsoft Defender XDR solution for the first time, this workbook will be available automatically after installation. After the Microsoft Defender XDR solution is installed (or updated to the latest available version), simply navigate to the Workbooks area in Microsoft Sentinel and on the Templates tab select Microsoft Defender for Office 365 Detection and Insights. Using the “View Template” action loads the workbook. What insights are available in the template? The template has the following sections with each section deep diving into various areas of email security, providing details and insights to security team members: Detection overview Email - Malware Detections Email - Phish Detections Email - Spam Detections Email - Business Compromise Detections (BEC) Email - Sender Authentication based Detections URL Detections and Clicks Email - Top Users/Senders Email - Detection Overrides False Negative/Positive Submissions File - Malware Detections (SharePoint, Teams and OneDrive) Post Delivery Detections and Admin Actions Email - Malware Detections Email - Business Compromise Detections (BEC) Email - Sender Authentication based Detections URL Detections and Clicks False Negative/Positive Submissions File - Malware Detections (SharePoint, Teams and OneDrive) Post Delivery Detections and Admin Actions Can I customize the workbook? Yes, absolutely. Based on the email attributes in the Advanced Hunting schema, you can define more functions and visuals as needed. For example, you can use the DetectionMethods field to analyse detections caught by capabilities like Spoof detections, Safe Attachment, and detection for emails containing URLs extracted from QR codes. You can also bring other data sources into Microsoft Sentinel as tables and use them when creating visuals in the workbook. This sample workbook is a powerful showcase for how you can use the Defender for Office 365 raw detection data to visualize email security detection insights directly in Microsoft Sentinel. It enables organizations to easily create customized dashboards that can help them analyse, track their threat landscape, and respond quickly—based on unique requirements. Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum. More information Integrate Microsoft Defender XDR with Microsoft Sentinel. Learn more about Microsoft Sentinel workbooks. Microsoft Defender for Office 365 Detection Details Report – Updated Power BI template for Microsoft Sentinel and Log Analytics Learn more about Microsoft Defender XDR.Secure collaboration in Microsoft Teams with efficient and automated Threat Protection and response
New Layers of Protection for Teams Messages With more than 300 million monthly active users on Microsoft Teams, ensuring secure collaboration has become increasingly critical. As the threat landscape continues to change, our security measures must adapt accordingly. To address these challenges, we are pleased to announce enhanced protection and Security Operations response capabilities for enterprise messages containing URLs in Teams, utilizing Microsoft Defender. Threat Profile – Tech Support Impersonation with Phishing URLs In previous blogs, we’ve discussed how threat actors are employing multimodal attacks and targeting users in an organization over Teams by impersonating tech support. Lately some of these attackers have been observed steering their victims towards malicious websites that appear purpose-built to complete their harmful objectives while allaying the victim’s suspicions. The typical attack chain proceeds as follows: Hybrid attacks often begin with mail bombing (spam) directed at the targeted individual, followed by Teams messages or calls in which the attacker impersonates IT support personnel offering to resolve the spam issue. Victims may then be deceived into granting system access to the attacker via remote management and monitoring tools such as Quick Assist or AnyDesk. In recent incidents, attackers have directed victims to malicious URLs that closely resemble legitimate internal IT security update or patching tools, featuring falsified logos and branding. These sites are actually conventional phishing platforms intended to capture user credentials and enable malware deployment, while victims believe their spam problem is being resolved. Below: Rendering of a malicious URL shared over Teams by an attacker to an intended victim Microsoft Defender uses robust detection engines and threat intelligence to support URL warnings, post-delivery protection, and advanced hunting for Teams, enabling comprehensive protection against evolving attack vectors. Near real-time defense For Worldwide customers with Teams enterprise licenses and above Our new advanced near-real-time protection ensures that any message containing URLs is thoroughly scanned and appropriately flagged before delivery. End users are notified with a warning tip upon messages delivery when malicious URLs are detected, helping them recognize and avoid potential risk. Threats don’t always appear right away, to stay ahead of evolving attacks, protection continues for up to 48 hours after a message is delivered. If a previously safe URL later becomes weaponized, the message is automatically updated with a warning tip, ensuring users remain protected even after the message reaches them. This dual-layered approach means: Immediate warnings for messages with known malicious URLs. Post-delivery detection that adapts to evolving threats. Protection across internal and external communications, including chats and channels, regardless of tenant origin. These capabilities powered by Microsoft Defender will provide out-of-the-box protection as it will be enabled by default and will be available for all Teams enterprise users, with no additional configuration required. This ensures that every user benefits from advanced protection. Empowering Users and SOC Teams For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license Security is a shared responsibility. We’re enabling users to report false negatives (FN) and false positives (FP) directly from Teams messages. These reports feed into Microsoft Defender investigation workflows, helping improve detection accuracy and reduce support overhead. Users can now report potentially malicious messages or messages incorrectly detected as malicious directly from the message context menu in Microsoft Teams: Report as security risk: For messages that seem suspicious but weren’t flagged. Report as not security risk: For messages that were flagged but are actually safe. This enables users to actively contribute to their organization's security management and protection efforts, while simultaneously enhancing the accuracy of Microsoft Defender detection controls. Reports may be submitted for both internal and external communications including chats, meetings, and channels ensuring comprehensive coverage across all collaboration platforms such as Teams web, desktop, and mobile clients. Upon submission, these reports are accessible to administrators and security operations personnel in the Microsoft Defender portal as incidents, where they can efficiently triage, investigate, and respond. Holistic Visibility for Security Operation Teams For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license Security Operation teams need context, coverage, and control. That’s why we’ve introduced three new Advanced Hunting tables in Microsoft Defender designed specifically to surface Microsoft Teams message metadata and enable deep investigations across both internal and external communications. MessageEvents: Captures metadata for all Teams messages containing URLs at the time of delivery. MessagePostDeliveryEvents: Surfaces messages that were flagged as malicious after delivery, including Zero-hour auto purge (ZAP) actions. MessageURLInfo: Provides granular details on URLs extracted from Teams messages. These tables are now generally available in the Microsoft Defeder portal providing direct insight into Teams message flows. SOC teams can now hunt across all external (federated) messages, not just messages that contain URLs. This is a major step forward in enabling cross-tenant threat detection and response, especially in today’s hybrid collaboration environments. All three tables are accessible via Advanced Hunting APIs and Streaming APIs, allowing SOC teams to integrate hunting workflows into their existing automation pipelines. To further enhance visibility, we’ve added a new column called SafetyTip to both the MessageEvents and MessagePostDeliveryEvents tables. This column flags whether a URL warning tip was shown to the user in the Teams client, helping SOC teams distinguish between warning and block detections. Third-party security information and event management (SIEM) solutions can also integrate with and utilize these hunting tables via the Microsoft Defender Streaming API. For instance, in Splunk, the new tables may be configured to automatically flow into your Splunk instance, supporting extended data retention by leveraging the latest version of the Microsoft Defender Splunk connector. It is important to ensure that the new Teams protection tables are selected during connector configuration to enable the continuous transfer of relevant data. Empower Security Teams to Act Against Threats For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license We’ve introduced a powerful new capability that gives security teams greater control and confidence when managing potential risks in Teams. With this feature, security admins can investigate suspicious conversations in Advanced Hunting and instantly remove internal users from unsafe chats, revoking their access and clearing all prior chat history to prevent further exposure. This proactive step ensures employees stay protected from threat actors and sensitive information remains secure. The experience is streamlined through the Action Wizard, accessible directly from the Teams entity flyout, making remediation fast and intuitive. Every action is fully traceable in Action Center, providing a centralized view for monitoring and validating security interventions, while audit logs deliver records for reporting. These capabilities empower organizations to contain risks in real time, strengthen collaboration security, and maintain trust across their digital workplace. Response capabilities for Security Teams For worldwide customers with an MDO (Microsoft Defender for Office 365) P2 license or an E5 license In addition to these enhanced detection, investigation and hunting capabilities, security team members are now able to perform advanced response actions for Microsoft Teams directly in the Microsoft Defender portal. Security Operations Center (SOC) analysts and admins can directly block malicious domains from within the Microsoft Defender portal, seamlessly adding targeted entries to the Teams Admin Center (TAC) blocked domains list without leaving their security workflows and switching portals. This capability enables near real-time protection when suspicious or abusive external organizations are identified. SOC teams can immediately block suspicious organizations, effectively halting new external chat messages, invites, and channel communications from those domains while deleting existing ones. These controls empower organizations to react to emerging risks in minutes, all while maintaining compliance and reducing operational overhead. Expanding Admin Quarantine and Zero-Hour Auto-Purge (ZAP) to MDO P1 We are also extending the power of Zero-hour auto-purge (ZAP) and Teams admin quarantine to even more customers, bringing this post-delivery protection layer to Microsoft Defender for Office 365 Plan 1. This reinforces our commitment to secure-by-default protection across all Microsoft Teams environments. ZAP automatically moves malicious messages containing phishing or malware URLs from internal Teams chats and channels to admin quarantine in the Microsoft Defender portal. This post-delivery protection ensures that even if a threat evades initial detection, it can be neutralized before causing harm. This capability will be enabled by default for all Microsoft Teams customers with Microsoft Defender for Office Plan 1, providing immediate protection without requiring additional configuration. Security admins maintain full control through the Microsoft Defender portal, where quarantined Teams messages can be reviewed, managed, and released if needed. This expansion ensures more customers benefit from continuous, automated threat removal, strengthening protection across Teams with no extra effort required These new protections reflect our commitment to delivering security that scales effortlessly with the way people work today. By combining real-time detection, post-delivery protection, and user-driven feedback loops, we’re giving organizations the tools to stay ahead of emerging threats without slowing down collaboration. These capabilities are engineered to operate efficiently in the background, providing assurance and proactive security measures. This enables frontline workers, IT administrators, and SOC analysts to concentrate on their core responsibilities while maintaining a secure working environment. To learn more https://learn.microsoft.com/defender-office-365/mdo-support-teams-about https://learn.microsoft.com/defender-office-365/mdo-support-teams-quick-configure https://learn.microsoft.com/defender-office-365/mdo-support-teams-sec-ops-guideMicrosoft Defender for Office 365: Fine-Tuning
In incident response, most business email compromise doesn’t start with “sophisticated zero-day malware.” It starts with configuration gaps: forwarding mail outside the tenant, users clicking through Safe Links warnings, impersonation policies left at day-one defaults, or post-delivery cleanup still relying on a human analyst at 2:00 AM. Those gaps are what attackers actually exploit. This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements: Core fine-tuning actions every email or security admin should land right now Data-driven bulk mail tuning (BCL and Bulk Mail Insights) Impersonation and anti-phishing policy hygiene for executive protection Automate post-delivery cleanup by enabling Automated Remediation Each section includes a short video and practical guidance you can apply immediately in Microsoft Defender for Office 365. These recommendations align with Microsoft’s “secure by default” direction: applying the Standard and Strict preset security policies to users, using Configuration analyzer to catch configuration drift, and enforcing least-privilege release of high-risk mail. When possible, enable the Preset security policies to give you Microsoft’s recommended settings for Safe Links, Safe Attachments, Anti-Phishing, and Anti-Spam. If you use custom policies (or if you exclude users from the Presets) then use Configuration analyzer regularly to compare custom policies to the Standard/Strict baselines, since those get updated as Microsoft updates the Preset policies. Core Fine-Tuning Checklist for Defender for Office 365 This section highlights six controls we recommend implementing broadly. These are “day one hardening” items we repeatedly validate with customers. Block automatic external forwarding by default Attackers often create hidden inbox rules that quietly forward mail (invoices, purchase orders, wire info) to an external account they control. Use outbound spam policies to block automatic external forwarding for the entire org and then create tightly scoped exceptions only for the handful of mailboxes that legitimately need it. This prevents data leakage and payment fraud scenarios where mail auto-forwards out of your tenant without anyone noticing. Although this setting is on by default (“System Controlled” means that external forwarding is disabled), we’ve found many tenants where this was disabled because the admin didn’t know how to create a custom policy for authorized forwarders. The trick is to order custom outbound policies to run as a higher priority than the default outbound policy which should be set to block auto-forwarded emails. It is a good idea to regularly review the auto forwarded message report (located in the Exchange Admin Center). Use Enhanced Filtering for Connectors (“skip listing”) when necessary If you’re routing inbound mail through a third-party Secure Email Gateway or an on-prem hop before Microsoft 365, Defender will see that intermediary as the source IP instead of the original sending IP, which degrades anti-spoofing effectiveness.Enhanced Filtering for Connectors — also called skip listing — lets Microsoft 365 look past that last hop and evaluate the real sending IP and headers, so SPF / DKIM / DMARC and anti-spam logic work correctly. This setting does not support centralized mail routing (unless the routing is linear; see the Enhanced Filtering for Connectors learn article), so make sure you are not using that before enabling Enhanced Filtering. Centralized routing is sometimes used by organizations running a hybrid Exchange deployment, connecting Exchange Online with an on-premises Exchange Server organization. Important: Do this instead of blanket SCL -1 transport rules that “bypass spam filtering for anything coming from our gateway.” Over-bypassing means phishing that slipped through the third-party filter can sail straight to user inboxes, which Microsoft specifically warns against. Turn on Safe Attachments protection beyond email (SharePoint, OneDrive, Teams) In the Safe Attachments “Global settings,” make sure Defender for Office 365 is set to protect files in SharePoint, OneDrive, and Microsoft Teams. When enabled, if a file is identified as malicious, Defender automatically locks the file in-place so users can’t open it in Teams or OneDrive. This gives you malware detonation and containment in collaboration channels, not just email. This step closes a gap we still see a lot: customers protect mail attachments well, but shared files and Teams chats are wide open. In the 1st part of this blog series, Microsoft MVP Purav Desai describes (here) how to prevent users from downloading malicious files by running a SharePoint PowerShell cmdlet: Set-SPOTenant -DisallowInfectedFileDownload $true Don’t let users click through Safe Links warnings Safe Links rewrites and time-of-click scans URLs in mail, Office apps, and Teams. In the Safe Links policy, clear “Let users click through to the original URL.” That prevents the classic “I know it says it’s malicious, but I really need to see it…” moment. Users get blocked instead of “warned but allowed.” This setting is also enforced in Microsoft’s Standard AND Strict preset security policies where click-through is explicitly disabled. Go beyond the default Common Attachment filter The anti-malware policy’s Common Attachment filter blocks known dangerous file extensions (executable content, scriptable content, etc.). Microsoft ships a default list (historically 50+ high-risk extensions), and you can customize it to block additional file types common in malware delivery, like HTML droppers or password-protected archives. Messages with those file types are treated as malware and quarantined. Do this centrally rather than relying on users to “spot a suspicious attachment.” Automation beats user judgment here. Use custom quarantine policies that require admin approval (instead of self-release) If you are not using the Preset Policies, you can create a quarantine policy to customize the user experience with quarantined messages. For anything phishing-related, I recommend creating a custom policy that allows the user to “request release from admin.” That means users can raise a hand if they think something should not have been quarantined, and an Incident is created for administrators to review before it is released. To me, this strikes the best balance between security and productivity. This keeps containment intact and gives the SOC final say. It also creates an auditable workflow: who asked for release, who approved it, and why. Bulk Mail Insights: Tune BCL using your tenant’s mail Bulk email (“graymail”) is noisy. Payroll alerts and benefits notifications are legitimate, but they look exactly like phishing. At the same time, true marketing email (graymail) are also bulk. The traditional response (“just whitelist the sender so users stop complaining”) often opens the door for attacker-looking mail to get delivered straight to executives. Defender for Office 365 gives you something better: Bulk Mail Insights (a.k.a. Bulk senders insight). This report shows, over the last 60 days, how much mail at each Bulk Complaint Level (BCL 1–9) was delivered vs. blocked, which senders are generating volume, and where users are likely to experience false positives or false negatives. You can interactively simulate raising or lowering the bulk threshold and immediately see, “If we tighten BCL, how many more messages get quarantined? How many of those were probably junk? How many were probably wanted?” Why this matters: You stop tuning bulk mail based on anecdotes and start tuning based on real telemetry from your own tenant. You can justify decisions to leadership and audit (“We set BCL at X because here is the simulation showing false positive/false negative impact”). You avoid blanket allow rules. Instead, you adjust bulk thresholds for legitimate high-volume senders while keeping stricter actions for everyone else. Note: You can modify the BCL threshold in your default or custom anti-spam policy, but you can’t change it inside the Standard (BCL:6) or Strict (BCL:5) preset security policies themselves. Standard and Strict are already aligned to Microsoft’s recommended baselines. Additional Links: https://security.microsoft.com/senderinsights https://learn.microsoft.com/en-us/defender-office-365/anti-spam-bulk-senders-insight https://learn.microsoft.com/en-us/defender-office-365/mdo-deployment-guide#step-2-configure-threat-policies https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies#policy-settings-in-preset-security-policies https://learn.microsoft.com/en-us/defender-office-365/recommended-settings-for-eop-and-office365 https://www.microsoft.com/en-us/security/blog/2025/07/17/transparency-on-microsoft-defender-for-office-365-email-security-effectiveness/ Anti-Phishing / Impersonation Tuning: Protect the people attackers actually spoof Business email compromise very often looks like this: “Hi, can you handle this payment today?” sent from an address that looks like your CFO or CEO. Microsoft Defender for Office 365 includes targeted impersonation protection, but it only really works if you target your most targeted executives. Here are five pitfalls we see over and over: Empty or stale VIP list Populate “users to protect / high value targets” with executives, finance approvers, legal, anyone authorized to move money or data. Review it monthly. Roles change, and you only get a finite number of protected users (for example, ~350 entries). An out-of-date list silently weakens protection for the people attackers actually impersonate. Phishing email threshold stuck at 1 forever We find organizations that are not using the preset policies have left their phishing threshold values at the default “1” because of initial false positives. We recommend raising it to match the Standard Preset (“3”) or Strict (“4”). Weak action If suspicious “CFO” mail just goes to Junk, users can still act on it. High-confidence impersonation of executives should be quarantined with AdminOnly or request-release workflows, not left in end-user control. Tie this back to the custom quarantine policies (discussed later in this article). Common-name overload If your CEO’s name is something extremely common, you’ll get noise. Expect it. Don’t “turn off” protection for that name — add that address to the Trusted Senders otherwise it will be blocked as an impersonation attempt. Use Trusted Senders / Trusted Domains for known-good partners and vendors so you keep protection high without drowning in alerts. Add only legitimate senders/domains to the Trusted Senders or Trusted Domains instead of lowering enforcement. No scheduled review This control can’t be “set and forget.” Put impersonation tuning and spoof intelligence review on a monthly checklist. That lets you catch new vendors pretending to be finance, new “urgent wire” lure patterns, and any drift from Standard / Strict baseline that Configuration analyzer will also call out. When done right, impersonation protection is not just “spam reduction.” It’s payment fraud prevention. Automated Investigation & Response (AIR): Let Defender remove malicious email before your SOC has to! One of the biggest wins you can land quickly is letting Microsoft Defender for Office 365 automatically remove clusters of malicious messages — without waiting for analyst approval on every single item. Here’s how it works. Defender’s Automated Investigation and Response (AIR) groups messages into “clusters” based on shared indicators like the same malicious URL or malicious file hash. If you opt in to automatic remediation for those cluster types, AIR will go find every matching copy of that threat across the tenant and soft-delete those messages, not just the one that triggered the alert. Why this matters: It turns post-delivery cleanup into something that happens immediately instead of “after Tier 1 has time to review.” It removes known-bad messages from user mailboxes (and related collaboration surfaces like Teams) before a target can click. It dramatically cuts the classic “Did anyone else get this?” manual hunt-and-purge work that burns out SOC analysts. When you configure AIR automation settings in the Microsoft Defender portal (Settings > Email & collaboration > MDO automation settings), you’ll see checkboxes for “Similar files” and “Similar URLs.” Selecting those opts you into automatic soft delete for those clusters. Today, soft delete is the default supported action for these automatic remediations, enabling administrators to undo a deletion, if necessary. This is Defender for Office 365 Plan 2 / Microsoft 365 E5 functionality, and it’s exactly the kind of “secure operations by default” Microsoft has been pushing: detect, contain, and clean up automatically, then let humans investigate with context instead of manually chasing every copy of a phish. This automation triggers when malicious clusters are detected. For automating the classification and triage of user-submitted phishing incidents, check out the Security Copilot Phishing Triage Agent (Preview). Additional Links: GA Announcement: https://techcommunity.microsoft.com/blog/-/auto-remediation-of-malicious-messages-in-automated/4418047 Docs: https://learn.microsoft.com/en-us/defender-office-365/air-auto-remediation Final Thoughts Defender for Office 365 is more than “email filtering.” It’s part of your security operations surface. The decisions you make about automated remediation (AIR), bulk mail thresholds, Safe Links/Attachment behavior, outbound forwarding, connector hygiene, quarantine policy, and impersonation tuning directly determine how easy — or how hard — it is for an attacker to penetrate your organization. Microsoft’s current guidance is clear: Apply Standard or Strict preset security policies so users get the recommended protections by default (for example, Safe Links with no click-through). If you must use a custom policy, review the recommendations from the Configuration analyzer monthly for new recommendations, or to catch and correct drift whenever someone weakens a control. Align internal procedures with the excellent Security Operations Guide for Defender for Office 365. Lock down quarantine so only admins can release high-risk messages, with an auditable “request release” path for users. Turn on automated remediation so Defender can remove malicious clusters of messages before anyone clicks. Organizations that land these basics are in a dramatically better position during an incident. Instead of “Who clicked the link?” you can say, “AIR already pulled it, users were blocked from clicking through, outbound forwarding is disabled, and impersonation of the CFO is quarantined for admin review.” That’s what “secure by default” actually looks like in production. ________ This blog was authored by Joe Stocker, Microsoft Security MVP and Founder of Patriot Consulting Technology Group, in partnership with the Microsoft Defender for Office 365 product team, including Paul Newell, Senior Product Manager, Microsoft Defender for Office 365. Joe Stocker Microsoft Security MVP Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs). Now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real-world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series: Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri (This post) "Microsoft Defender for Office 365: Fine-Tuning" by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedIn
Microsoft Ignite 2025: Transforming Phishing Response with Agentic Innovation
Phishing attacks remain one of the most persistent and damaging threats to organizations worldwide. Security teams are under constant pressure to investigate a growing number of user reported phishing emails daily, ensuring accurate verdicts and timely responses. As threats grow in volume and sophistication, SOC teams are forced to spend valuable time triaging and investigating, often at the expense of strategic defense and proactive threat hunting. At Microsoft Ignite 2025 we are delivering innovation that showcases our continued commitment to infuse AI agents, and agentic workflows into the core of our email security solution and SOC operations to automate repetitive tasks, accelerate investigations, and provide transparent, actionable insights for every reported phishing email. In addition, we continue to invest in our ecosystem partnerships to empower customers with seamless integrations, as they adopt layered security solutions to comply with regulatory requirements, enhance detection, and ensure robust protection. Today I’m excited to announce: General Availability of the Security Copilot Phishing Triage Agent Agentic Email Grading System in Microsoft Defender Cisco and VIPRE Security Group join the Microsoft Defender ICES ecosystem The Security Copilot Phishing Triage Agent is now generally available In March 2025, we introduced the Phishing Triage Agent, designed to autonomously handle user-submitted phishing reports at scale. The agent classifies incoming alerts, resolves false positives, and escalates only the malicious cases that require human expertise. Today, we’re announcing its general availability. We will also be extending the agent to triage alerts for identity and cloud alerts. The Phishing triage agent automates repetitive tasks, accelerates investigations, and every decision is transparent, allowing security teams to focus on what matters most—investigating real threats and strengthening the overall security posture. Early results prove how it is transforming analyst work: Identified 6.5X more malicious alerts Improved verdict accuracy by 77% Agent supported analysts spent 53% more time investigating real threats Agentic email grading: Advanced analysis of phishing email submissions When customers report suspicious messages to Microsoft, they expect clarity, speed, and actionable insights to protect their environment. They expect a response they can trust, understand easily, and take additional investigation and response action for the organization. Previously, when customers reported messages to Microsoft, our response depended largely on manual human grader reviews, creating delays and inconsistent verdicts. Customers often waited several hours for a response, and sometimes it lacked clarity on how a verdict was reached. Today, we are excited to announce that we integrated an agentic grading system into the Microsoft Defender submission analysis and response workflow when customers report phishing messages to Microsoft. Image 2: Agentic Email Grading: Advanced analysis of phishing email submissions The agentic grading system brings a new level of speed and transparency to phishing analysis. It uses large language models (LLMs) orchestrated within an agentic workflow to analyze phishing emails, assess the full content of a submitted email, and communicate context and related metadata. This system combines advanced AI with existing machine learning models and human review for additional levels of accuracy and transparency for decision making. Every verdict comes with higher quality, clear verdicts, and context-rich explanations tailored to each phishing email submission. Additionally, it establishes a feedback mechanism that enhances continuous learning and self-healing, thereby strengthening and optimizing protection over time. By reducing reliance on manual reviews, users will experience lower wait times, faster responses and higher-quality results. It will enable security teams to respond promptly and act confidently against phishing threats. Over time we plan to expand beyond phishing verdicts to include spam, scam, bulk, and clean classifications, making the process more comprehensive. The system will continue to evolve through feedback and adapt to emerging attack patterns. How to view agentic submission responses in Microsoft Defender When you report a suspicious email—whether as an admin or an end user—you can now see how Microsoft Defender’s new agentic grading system evaluates your submission. To view agentic grading system responses, follow the steps below: Report the suspicious email Submit the email through the admin submission or user-reported submission process. Sign in to Microsoft Defender Go to https://security.microsoft.com. Navigate to Submissions From the left menu, select: Investigation & response > Actions & submissions > Submissions. Choose the correct tab Emails for admin submissions User reported for user submissions Open the submission details Click the email submission you want to review. A flyout panel will display Result details. Look for the Agentic AI note If the verdict was generated by Agentic AI, you’ll see: “AI-generated content may be incorrect. Check it for accuracy.” Image 3: AI generated explainable verdicts Expanding the Integrated Cloud Email Security (ICES) ecosystem In June, we introduced the Microsoft Defender ICES vendor ecosystem, a unified framework that enables seamless integration of Microsoft’s Defender’s email security solution with trusted third-party vendors. Today we are excited to announce two new partners: Cisco and VIPRE Security Group. The addition of these partners to our ecosystem reinforces our ongoing commitment to support customers in their choice to strategically layer their email security solutions. Organizations benefit from a unified quarantine experience, and a deep integration across the various SOC experiences including threat explorer, advanced hunting, and the email entity page, while providing clear insight into detection efficacy of each solution. As we continue to innovate, our commitment remains steadfast: empowering defenders with intelligent, transparent, and integrated security solutions that adapt to the evolving threat landscape. By infusing agentic AI into every layer of Microsoft Defender, expanding our ecosystem of trusted partners, and delivering faster, more actionable insights, we’re helping organizations build resilience and stay ahead of attackers. Our strategy is rooted in delivering real value making security simpler, more effective, and adapted to the needs of every customer. Learn More: Want to know what else is new in Microsoft Defender at Ignite 2025 check out the blog here. For info on how to complete admin phish submissions, please see For end user reported phish submissions, you need to have it configured for reporting messages to Microsoft. Set it up today. Join us at Microsoft Ignite Join us at Microsoft Ignite to see these advancements in action and discover how intelligent, agentic defense is becoming accessible to every organization. Don’t miss our featured sessions: AI vs AI: Protect email and collaboration tools with Microsoft Defender on Thursday, November 20 th . Learn More. Microsoft Defender: Building the agentic SOC with guest Allie Mellen on Wednesday, November 19 th . Learn more. Empowering the SOC: Security Copilot and the rise of Agentic Defense on Friday, November 21 st . Learn more.Safeguarding Microsoft Teams with Microsoft Defender for Office 365
As organizations rely more on Microsoft Teams for daily collaboration, securing this platform has become a top priority. Threat actors are increasingly targeting Teams chats and channels with phishing links and malicious files, making it critical for IT admins and security professionals to extend protection beyond email. Enter Microsoft Defender for Office 365, now armed with dedicated Teams protection capabilities. Microsoft Defender for Office 365 enables users to report suspicious messages, brings time-of-click scanning of URLs and files into Teams conversations, and provides rich alerts and hunting insights for SecOps teams. As a collaborative piece between Pierre Thoor, a Microsoft Security Most Valuable Professional (MVP), and the Defender for Office 365 Product Engineering Team, the below guides with accompanying videos emphasize a proactive, user-driven approach to threat detection and response, turning everyday Teams interactions into actionable security signals for SecOps. See something, say something: Reporting suspicious messages in Microsoft Teams Your fastest sensor isn’t AI – it’s your people. Report this message in Microsoft Teams lets anyone flag a suspicious conversation in two clicks and routes a triageable submission to your security team in the Microsoft Defender portal. Why this matters: Speed to signal: Catch threats at the conversation layer, not just in email. Complete context: Original message, participants, URLs, and verdicts in one place. Habit-forming: A simple, repeatable action employees remember under pressure. How to report (desktop, web, and mobile) In Desktop/Web Hover the message → … More options → Report this message Select Security concern → (optional) add a short note → Report In Mobile (iOS/Android) app Long-press the message → Report message Select Security concern → (optional) add a short note → Report *Tip: Short notes like “Unexpected MFA reset link” help analysts triage faster. Where reports go (for security teams) In the Microsoft Defender portal, navigate to: Investigation & response → Actions and submissions → Submissions → User reported. Open an item to view the Teams message entity (sender/domain, Teams message ID, extracted URLs, verdict) and take action – mark as phish/clean, pivot to Explorer or Advanced Hunting, or copy indicators. Quick setup check Defender portal → Settings → Email & collaboration → User reported settings: enable Monitor reported messages in Microsoft Teams. Licensing: Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 E5). What good looks like (mini playbook) User reports the message. Security triages the submission and captures the URL/domain and other indicators. Block or allow as appropriate via the Tenant Allow/Block List (TABL). Hunt for related activity or clicks (see Video 3). Close the loop: thank the reporter and share the outcome to reinforce the behavior. Common gotchas Reporting is disabled in the Teams messaging policy – verify before rollout. Some users assume “Report” notifies the sender – clarify that it routes to the Security team, not the sender. Call to action: Enable reporting for your users and add this line to your awareness site: “If it feels phishy, report – don’t click.” Think before you click - Safe Links catches threats at click-time Links can change after delivery. Safe Links waits until click-time, evaluates the destination, and shows an in-app warning page in Teams. Pair it with the Tenant Allow/Block List (TABL) to tune quickly across the tenant. Why this matters Prevents delayed redirects: Avoids “clean-at-send” methods. Consistent protection in Teams: Familiar warning UX reduces risky clicks. Rapid tuning: Block newly observed domains in seconds; no advanced transport rules required. What you’ll see in the video Policy check (Teams in scope) Defender portal → Email & collaboration → Policies & rules → Threat policies → Safe Links → ensure Apply Safe Links to Microsoft Teams is enabled for target users or groups OR that you use Standard/Strict Preset Policy. Warning page at click-time Post a benign test URL in Teams and click it to show the Safe Links warning experience. Block it as you spot it (Allow/Block) Defender portal → Threat policies → Tenant Allow/Block List → URLs → Add (domain or URL). Re-click in Teams – now blocked at click-time. Optional telemetry (Advanced Hunting) Confirm outcomes and adoption: UrlClickEvents | where Timestamp > ago(24h) and Workload == "Teams" | summarize Clicks=count(), Users=dcount(AccountUpn) by ActionType | order by Clicks desc Deployment tips Start with a pilot group that includes IT + power users; expand after validation. Create a review cadence for TABL (e.g., monthly) and expire temporary blocks. Troubleshooting No warning page? Verify policy scope includes the user and the Teams workload. Block not taking effect? Give TABL a short sync window, then re-test; confirm you blocked the correct domain/URL pattern. “Hunt the chat”: Advanced hunting for Teams threats Overview With Advanced Hunting you can quickly reconstruct activity in Microsoft Teams – who sent the message, who clicked the link, and what protections kicked in. This section shows how the four Teams-relevant tables work together, so you can move from signal to action quickly. New: message warnings for malicious URLs (internal and external) Teams now shows a warning banner on messages that contain URLs flagged as spam, phishing, or malware. Warnings appear in internal and external chats/channels, and can be added after delivery (up to ~48 hours) if a URL’s reputation changes. This complements Safe Links (time-of-click) and doesn’t replace ZAP; when ZAP removes a message, that action takes precedence. Public preview began September 2025; GA November 2025, enabled by default at GA and manageable in Teams admin center → Messaging settings. See Message Center: https://admin.cloud.microsoft/?#/MessageCenter/:/messages/MC1150984 The four tables you’ll use MessageEvents – delivery context (sender, thread, internal vs. external). MessagePostDeliveryEvents – post-delivery actions, including Phish ZAP and Malware ZAP. MessageUrlInfo – URLs extracted from Teams messages. UrlClickEvents – time-of-click outcomes for links, including those clicked in Teams. What you’ll learn in the video Surface active external domains in your tenant’s Teams chats. Identify who clicked risky links and the click outcomes (via Safe Links telemetry). See where message warnings appear in the chat UI. Pivot to an incident and block indicators fast via the Tenant Allow/Block List (TABL). A couple hunts to try right now 1) Malicious verdicts in Teams (last 24 hours) Find messages that already carry a Spam/Phish/Malware verdict – your fastest triage queue. MessageEvents | where Timestamp > ago(1d) | where ThreatTypes has "Phish" or ThreatTypes has "Malware" or ThreatTypes has "Spam" | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId Use it for: a quick sweep + pivot to incident/entities, then TABL block if needed. 2) “IT helpdesk” imposters in external DMs (last 5 days) Surface social-engineering lures that impersonate support. MessageEvents | where Timestamp > ago(5d) | where IsExternalThread == true | where (RecipientDetails has "help" and RecipientDetails has "desk") or (RecipientDetails has "it" and RecipientDetails has "support") or (RecipientDetails has "working" and RecipientDetails has "home") or (SenderDisplayName has "help" and SenderDisplayName has "desk") or (SenderDisplayName has "it" and SenderDisplayName has "support") or (SenderDisplayName has "working" and SenderDisplayName has "home") | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, ReportId Use it for: first-contact scams (external tenant posing as IT). Pair with Safe Links telemetry to see who clicked. Tip: has is token-aware and generally faster/cleaner than contains for word matches. Keep both hunts detection-ready by ensuring the final projection includes Timestamp and ReportId. 3) BONUS! External DMs with links (last 7 days) MessageEvents | where Timestamp > ago(7d) and IsExternalThread == true | join kind=inner (MessageUrlInfo) on TeamsMessageId | summarize Links=dcount(Url), Senders=dcount(SenderEmailAddress) by UrlDomain | top 10 by Links desc 4) Who clicked (Teams workload) – exposure view: UrlClickEvents | where Timestamp > ago(7d) and Workload == "Teams" | project Timestamp, AccountUpn, Url, ActionType | order by Timestamp desc “From Hunt to Action”: Respond & contain Finding a risky link in Teams is only half the job. This walkthrough shows how to go from detection to containment – block the domain, clean up delivered messages, and cut attacker access. Why this matters Speed: Shrink time from “we saw it” to “it’s blocked”. Consistency: Turns ad-hoc hunting into a repeatable response flow. Coverage: Pair URL blocking with identity and device containment. What you’ll see in the video Turn a hunt into an alert In Advanced Hunting, run a short query (below) and choose Create detection rule to schedule it. Alerts auto-create incidents you can triage. Block at click-time (Safe Links + TABL) In the incident, open the URL entity and add the URL/domain to the Tenant Allow/Block List (TABL) so future Teams clicks are blocked by Safe Links. Post-delivery cleanup (ZAP) If a malicious message slipped through, ZAP can remove or mark it after delivery. You’ll see evidence on the incident timeline. Contain accounts and devices Revoke user sessions in Entra ID to invalidate active tokens. Reset the password (and require strong, unique credentials), then enforce MFA for the account. Review MFA methods and remove anything suspicious; review app consents and revoke illicit grants. If endpoints are onboarded, isolate the device in Microsoft Defender for Endpoint to stop outbound connections while you investigate. The Microsoft Learn guide, https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account, for compromised accounts recommends session revocation, password reset, MFA enforcement, reviewing OAuth app consents and admin roles, and checking mail forwarding/rules – steps that complement the Teams response you see here. The hunt This KQL surfaces rare external domains in Teams and any user clicks. let lookback = 1d; // External Teams messages let externalMsgs = MessageEvents | where Timestamp > ago(lookback) and IsExternalThread == true | project MsgTime = Timestamp, TeamsMessageId, SenderEmailAddress, ME_ReportId = ReportId; // URLs found in Teams messages let urlsInMsgs = MessageUrlInfo | where Timestamp > ago(lookback) | project MUI_Time = Timestamp, TeamsMessageId, Url, UrlDomain, MUI_ReportId = ReportId; // Clicks coming from Teams let clicks = UrlClickEvents | where Timestamp > ago(lookback) and Workload == "Teams" | project ClickTime = Timestamp, Url, Clicker = AccountUpn, ClickAction = ActionType, UCE_ReportId = ReportId; // Define “rare” domains in the period let rareDomains = urlsInMsgs | summarize msgCount = dcount(TeamsMessageId) by UrlDomain | where msgCount < 3; rareDomains | join kind=inner (urlsInMsgs) on UrlDomain | join kind=leftouter (externalMsgs) on TeamsMessageId | join kind=leftouter (clicks) on Url | project Timestamp = coalesce(ClickTime, MUI_Time, MsgTime), UrlDomain, Url, SenderEmailAddress, Clicker, ClickTime, ClickAction, TeamsMessageId, ReportId = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId) After verifying results, select Create detection rule, set a schedule (e.g., hourly), and map entities so incidents include the right artifacts. What good looks like (response playbook) Alert fires → open incident; confirm scope and entities. Block URL/domain via TABL to stop future clicks. Confirm ZAP removed or marked delivered messages. Revoke sessions and reset password; enforce MFA. Review MFA methods and remove unknown devices/methods. Audit app consents (revoke illicit grants) and verify the user holds no unexpected admin roles. If email abuse is suspected, check for forwarding or malicious Inbox rules. Isolate device if execution is suspected; collect artifacts and un-isolate after remediation. FAQs Does the block remove the message? No – TABL blocks at click-time. Post-delivery removal is handled by ZAP when detections apply. Will revoking sessions disrupt users? It forces sign-in again (expected). Communicate this in your response template. What if the attacker used consent phishing? Revoke the offending enterprise app consent and review publisher verification status. Call to action: Save the query, create the detection, and attach this playbook to your incident template. The goal every time: find → block → clean up → contain Securing Microsoft Teams is most effective when technology and people work together. By enabling user reporting, leveraging real-time protections, and empowering security teams to act quickly, organizations can turn everyday collaboration into a strong defense against threats. ## Please take two minutes to take this survey to let us know what you think of this blog (series), video, and community content. Questions or comments on this blog "Microsoft Defender for Office 365 – A Four-Part Guide to Secure Collaboration" for the author or other readers? Please log in and post your response below! _____________ This blog has been generously and expertly authored by Microsoft Security MVP, Pierre Thoor with support of the Microsoft Defender for Office 365 product team. Pierre Thoor Microsoft Security MVP | Microsoft Defender for Office 365 Champ Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs), now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP-Authored Blogs in this Four- Part Series: Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai (This post) Safeguarding Microsoft Teams with Microsoft Defender for Office 365 You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri Microsoft Defender for Office 365: Fine-Tuning by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedInMicrosoft Defender for Office 365: Migration & Onboarding
This blog covers four key areas that are frequently missed, but they are essential for a secure and auditable deployment of Defender for Office 365. Before diving into the technical details, it is important to clarify a common misconception about Defender for Office 365 protections. Blocking Malicious File Downloads in SharePoint and OneDrive A common assumption during onboarding is that Microsoft Defender for Office 365 protections only apply to email. In reality, Safe Attachments also integrates with SharePoint Online, OneDrive for Business and Microsoft Teams. It scans files for malware even after they are uploaded or shared internally. However, this protection is only effective when the configuration explicitly prevents users from downloading files flagged as malicious. Without this setting, files detected as threats can still be downloaded locally. This creates a major risk particularly if the malware is detected post-delivery. In one investigation, I found that this setting had been left at its default, allowing users to download malicious files from SharePoint. This oversight created a significant exposure risk until it was corrected. This setting is part of the Safe Attachments for SPO/ODB policy and is critical in reducing internal exposure. Once enabled, this setting protects users in real time and acts as a powerful audit point. If someone disables this setting, whether intentionally or by accident, that action is recorded in Purview's Unified Audit Log under the DisallowInfectedFileDownloadDisabled operation. The video below offers a brief walkthrough on how to enable the setting, details the associated audit log events, and provides guidance on configuring alerts for any modifications: Regularly auditing for this event can help identify misconfiguration or potentially malicious administrative activity that could indicate insider threat behaviour. Including this check as part of your continuous security monitoring process is a smart, proactive move. Learn more at Step 2: (Recommended) Use SharePoint Online PowerShell to prevent users from downloading malicious files Once you have established protection against malicious files, the next step is ensuring your tenant is correctly set up to create and manage threat policies. Ensuring Organization Customization is Enabled A frustrating yet common hurdle during Defender for Office 365 onboarding is the inability to create threat policies such as anti-phishing or Safe Attachments policies. This confusion often stems from a basic configuration oversight: the tenant has not been enabled for organization customization. Without this step, the Microsoft 365 platform prevents the creation or editing of many critical security policies in Defender for Office 365. A few years prior with a new client being onboarded to Defender for Office 365, I encountered a situation where policy creation kept failing because this step wasn’t followed. It caused unnecessary delays and frustrated the security team until we identified the missing customization. The fix is simple. Run the Enable-OrganizationCustomization PowerShell cmdlet from Exchange Online. It is a one-time configuration task, but it is essential for policy management and overall service functionality. Including this step early in your deployment or migration plan prevents unnecessary delays and ensures the security team can fully leverage Defender for Office 365's capabilities from day one. This is particularly important for consultants who are brought in to assist after issues have already arisen. Getting ahead of this configuration means one less troubleshooting rabbit hole. With customization enabled, you can now take advantage of the preset security policies to quickly build a solid baseline. Using Preset Security Policies for a Strong Starting Point One of the best tools Microsoft has provided for onboarding is the Preset Security Policies feature. These come in two flavors: Standard and Strict. Figure 4 - Defender for Office 365 Preset security policies (Standard & Strict protection) They represent Microsoft’s recommended baseline configurations for anti-malware, anti-phishing, and spam protection. Learn more at Preset security policies in cloud organizations. For customers with limited security maturity or time to deeply understand the inner workings of Defender for Office 365, these presets are a game-changer. Figure 5 - Microsoft recommendation is to apply standard protection to all users In several cases, I have seen organizations with limited security teams benefit from activating these presets early. This approach gave them immediate protection while freeing up time to better understand and tune policies over time. For incident response, having a consistent and known-good baseline also helps reduce noise and false positives in the initial stages of deployment. Figure 6 - Apply strict Defender for Office 365 protection for priority users After setting foundational policies, controlling who has access to what within Defender for Office 365 is crucial to maintaining a secure environment. Implementing Unified RBAC for Least Privilege Access As more business units engage with Defender for Office 365 for everything from investigation to reporting, it is important to ensure each role has access only to what they need. Unified Role-Based Access Control (RBAC) in Defender for Office 365 makes this possible by allowing granular control over who can see and change what within the security portal. Figure 7 – Example least privilege role configuration for a Defender for Office 365 Incident Responder (image trimmed). This becomes critically valuable in larger or more complex organizations where responsibilities are split between security, compliance, IT, and operations teams. Figure 8 - Activating Microsoft Defender for Office 365 Workload in Defender XDR Roles. By using unified RBAC, you can avoid the dangerous and often default behavior of assigning Security Administrator rights to everyone involved. Instead, define roles based on function. For example, Tier 1 analysts might only need view and investigation access, while admins can manage policies. Figure 9 - Assigning a user to a Custom Microsoft Defender for Office 365 role, Entra Security Groups are also supported. This approach aligns with zero trust principles and makes it easier to audit who has access to sensitive areas. During onboarding, I recommend mapping stakeholders to the available roles and applying this model as early as possible. This helps establish accountability and improves your security posture before an incident occurs. Learn more at Map Defender for Office 365 permissions to the Microsoft Defender XDR Unified RBAC permissions Having set the right roles and permissions, it is vital to understand how these configurations contribute to a resilient and well-prepared security posture. Final Thoughts Successful onboarding to Microsoft Defender for Office 365 is not just about flipping switches. It is about making intentional configuration choices that support operational efficiency and long-term security goals. The points covered here are often missed in quick start guides but they are essential for building a solid foundation. Those who invest time in proper configuration are far better prepared when incidents arise. Migration is just the beginning. Set up Defender for Office 365 right to reduce risk and build real resilience. Please take two minutes to take this survey to let us know what you think of this blog (series), video, and community content. Questions or comments on this blog "Microsoft Defender for Office 365 Migration & Onboarding" for the author or other readers? Please log in and post your response below! _____________ This blog has been generously and expertly authored by Microsoft Security MVP, Purav Desai. with support of the Microsoft Defender for Office 365 product team. Lead M365 Incident Responder, Financial Services | Dual Microsoft Security MVP Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs). Now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real-world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series: (This post) Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri Microsoft Defender for Office 365: Fine-Tuning by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedIn
Built-in report button is available in Microsoft Outlook across platforms
Outlook and Defender for Office 365 are excited to announce the release of built-in report button in Microsoft Outlook across platforms (web, new Outlook for Windows, classic Outlook for Windows, Outlook for Mac, Outlook for Android, Outlook for iOS, and Outlook for android Lite) for both personal and commercial accounts. You can find the built-in button across Outlook: Outlook on the web. New Outlook for Windows. Outlook for Mac version 16.89 (24090815) or later. Classic Outlook for Windows version Current channel: Version 16.0.17827.15010 or later. Monthly Enterprise Channel: Version 16.0.18025.20000 or later. Semi-Annual Channel (Preview): Release 2502, build 16.0.18526.20024 Semi-Annual Channel: Release 2502, build 16.0.18526.20024 Outlook for iOS version 4.2511 or later and Outlook for Android version 4.2446 or later. Outlook for Android Lite Benefits the built-in report button provides for security admins It works out of the box with no setup required The reporting experience for end user is the same across consumer and commercial accounts The report button is consistent across Outlook clients The report button is front and center on all clients The report button is present on the grid view, reading panel, preview panel, context menu The report button enables the user to select in bulk and report messages at once You can turn on and off the pre and post reporting popups for users in your organization using You can customize the individual pre and post reporting popup by adding text and links in 7 diff languages The report button is present on shared and delegate mailboxes enabling end users to report emails. Now present on outlook for web, new outlook for windows, outlook for mac, outlook for android and outlook for iOS The end user reports made by these clients are routed as per the message reported destination configured in the user reported settings. You can view the user report as soon as they are made on the If you have configured Microsoft only or Microsoft and my reporting mailbox in the user reported settings, the result from Microsoft analysis are available on the result column You can turn off the built-in report button on user reported settings by Selecting non-Microsoft add-in button and providing the address of the reporting mailbox of the 3 rd party add-in, or Deselecting monitor reported messages in outlook Note: The report phish add-in and the report message add-in does not provide support for shared and delegate mailbox. The report phish add-in, the report message add-in, and the built-in report button all read from the same user reported settings and use the same internal reporting API. In a way there are two different doors (entry point) to the same house (the backend). For the moment, the report message and report phish add-in are in maintenance mode to provide enough time for customers to migrate to the built-in button. To learn more, please check out Transition from Report Message or the Report Phishing add-ins - Microsoft Defender for Office 365 | Microsoft Learn Report phishing and suspicious emails in Outlook for admins - Microsoft Defender for Office 365 | Microsoft Learn User reported settings - Microsoft Defender for Office 365 | Microsoft Learn Protect yourself from phishing - Microsoft Support Report phishing - Microsoft Support How do I report phishing or junk email? - Microsoft SupportEnsure your ICES solution works seamlessly alongside Microsoft Defender
In today’s evolving threat landscape, organizations increasingly rely on layered email security solutions to protect users and sensitive data. Microsoft supports and collaborates with Integrated Cloud Email Security (ICES) vendors that work in conjunction with Microsoft Defender, and customers who choose a layered approach to email security to ensure the maximum level of email protection. It is, however, key that when integrating ICES solutions with Microsoft Defender, to follow best practices to maximize security and operational efficiency. In this blog, we explain these best practices in more detail and outline three other routing techniques commonly used across ICES vendors. This will allow organizations to understand the impact of non-standard mail routing configurations on their security operations (SOC) effectiveness and partner with their ICES vendors on the best approach. Best practices for ICES vendor integration Microsoft has outlined best practices for third-party solutions integrating with Microsoft 365, where recommended and supported approaches include DNS mail routing or the Graph API. This article provides more details on these approaches and also outlines integration techniques that we do not recommend. By using these best practices, any 3rd party email security vendor can ensure that their solution works seamlessly alongside Microsoft Defender. In addition, we recently launched the Microsoft Defender ICES vendor ecosystem. This gives partners an additional option for integration, where we partner directly with the solution provider to build a deeper integration between the ICES solution and Microsoft Defender. We harmonize telemetry, email verdicts, security policies, and more, to provide joint customers with optimized protection and SOC workflows in the Defender portal. Non-standard email routing techniques used by ICES vendors We know that as the ICES space evolved, several vendors integrated with Microsoft Exchange using non-standard email routing techniques, such as journaling, connector-based routing, and post-delivery actions. These functions were originally designed for different purposes. When deployed alongside Microsoft Defender, these integration approaches can introduce unique complexities for mail flow and SOC operations. Understanding how these techniques work and their potential impact is essential for making informed decisions about your organization’s email security architecture and are outlined below. Journaling for email security benchmarking Email journaling (Figure 1) is a legacy Exchange Online feature originally designed for archiving and to help organizations meet legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications. While journaling was designed for archiving and similar use cases, we know that various ICES vendors utilize journaling rules to route emails to the vendor’s test environment to evaluate the effectiveness of their solution. Journaling occurs before Defender filtering, so both solutions act independently and partially, complicating operational clarity for SOC teams. This approach can lead to duplicate catch scenarios, therefore misstating the unique catch rate of the ICES vendor. If a journaled copy of a phishing email is routed to an ICES vendor, this occurs before it was filtered by Microsoft Defender. Consequently, both Microsoft Defender and the ICES vendor now simultaneously assess the message, and both solutions may act on it independently. This often results in duplicate catch scenarios and creates ambiguity around which solution blocked the threat, ultimately making it challenging to assess the true effectiveness of each layer. Some ICES vendors may consider every email they filter “a miss by Microsoft Defender”. However, as journaling occurs before Defender filtering, it’s generally an incomplete representation. Therefore, we do not recommend the implementation of journaling for benchmarking or operational clarity purposes of ICES vendor solutions that operate next to Microsoft Defender. Journaling + post-delivery actions Some vendors combine journaling with post-delivery actions via Graph API or Exchange Web Services (EWS). This approach enables them to take remediation actions on emails after they have been delivered to users’ mailboxes, such as moving messages to the Junk folder or adding labels to alert users of potential threats. However, if Defender quarantines a message first, the ICES vendor may not be able to perform these actions, limiting their impact. Furthermore, when a vendor deletes and recreates a message using EWS, it can result in duplicate message IDs, which fragments SOC visibility and slows incident response. As a result, these configurations should be avoided, as they can lead to unreliable investigations and operational complexity. Connector-based implementations Connectors are typically used to route mail between Exchange Online and on-premises or non-Microsoft systems. Some vendors repurpose this mechanism to: Route messages out of Exchange Online after Microsoft Defender filtering. Apply their own filtering. Reinject the message as a new email. Using connectors to send messages out of Exchange Online after Microsoft Defender filtering, apply additional vendor filtering, and then return them as new emails introduces major operational risks. Reinjecting messages strips the original sender authentication context (SPF, DKIM, DMARC), which can lead to false positives, duplicate quarantines, and inconsistent reporting across tools like Explorer, Advanced Hunting, and Message Trace in Microsoft Defender. With this configuration, SOC teams may see multiple message IDs for the same email, making it difficult to correlate events and accurately track message disposition. This also impacts post-delivery protections such as Zero-hour Auto Purge, which may fail or be misapplied. These issues increase investigation time, reduce visibility, and can undermine existing protections, impacting the overall security of an organization. That’s why our documentation states that we strongly recommend avoiding this configuration. When assessing statistics or performance claims about Microsoft Defender’s effectiveness, it’s important to keep in mind how deployment configurations can shape outcomes. As outlined above, techniques such as journaling, connector-based routing, and post-delivery actions may introduce complexities that affect how performance is measured. These integration approaches can result in discrepancies within metrics, making it challenging to accurately attribute detections or gauge overall effectiveness. It is essential for security leaders and SOC teams to interpret results and make informed decisions about your organization’s email security posture. Microsoft’s commitment to effective ICES vendor integration By understanding the impact of the various integration techniques, security leaders can ensure their layered email security delivers streamlined SOC workflows and the highest level of protection for email. Microsoft is committed to working collaboratively with all ICES vendors to help them embrace best practices in integrating with Microsoft Exchange so they can work effectively alongside Microsoft Defender. Whether using the documented best practices with Microsoft Exchange or joining the Defender ecosystem to build an even deeper integration, either approach will help ensure that the solutions work seamlessly alongside Microsoft Defender. Learn more Integration best practices Microsoft Defender ICES vendor ecosystem Email security effectiveness benchmarking
