phishing
42 Topics

email quarantine and reason "high confidence phish"
Hi, I started testing a phishing email campaign from an external vendor, KnowBe4. The emails keep going to quarantine, reason "high confidence phish". What is the best way to fix this? I tried excluding the URL from Safe Links and added their sender IPs to the O365 Tenant allow/block list. Thank you in advance.

Attack Simulation goes to Junk Folder
I tried a test simulation that only went to me. However, it went to my junk folder. I didn't see anything in the Attack Simulation documentation about whitelisting and assumed that, since it is all going through Microsoft products, it would just work. Are there other steps I need to have the simulations go to users' mailboxes?

Advanced Delivery for third party phishing attack scenario
Hello MSFT Team,
Normally every quarter we run the third-party phishing attack simulator in the organization to educate the end users, but this time all the phishing test emails are getting quarantined and marked as high phishing. After searching on Google, I found the link below on using the O365 advanced delivery policy for third-party phishing. In the advanced delivery policy we have added:
Domain: added sending domain
Sending IP: added sending IP
Simulation URLs to allow: added simulation URLs as well
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-worldwide&source=docs
I followed the above MSFT blog and added the rule successfully, but the phishing test emails are still getting quarantined and marked as high phish. One thing I have observed is that the third-party phishing simulator is hosted on amazonses.com and the sending domain is different, but we have added only the sending domain. Do I need to add the amazonses.com domain as well in the advanced delivery policy? Please can someone shed some light on this, as I have been searching a lot of blogs on the advanced delivery policy but found nothing. Any help is really appreciated.
Regards
Anand Sunka

Moving mx records to O365
Hello, we are a medium-sized company, around 7000 mailboxes. We own several domains that we accept email for. Currently all MX records point to IronPorts. The emails go through the messaging hygiene at the IronPorts and then the message is delivered to Exchange Online. We want to move all MX records to O365. What I would like to understand is: what is the best strategy to do this? Should I move a domain that doesn't receive a high volume of mail traffic first? I think doing this will allow for fine-tuning of the O365 filtering policies, and give us some indication of how successful the move was and what the success rate will be for future domain moves. Also, how should I construct my anti-spam and anti-malware policies? Should I start with using "Preset Security Policies"? My concern with using the preset policies is that you can't edit them. We will have a lot of safe and blocked senders that we will need to export from the IronPorts and import into O365. If I can't edit preset policies, then what is my best course of action? Will I need to create custom policies? I know these are a lot of questions. I'm trying to understand how I should construct the roadmap or process for moving domains to O365. Thank you
Solved

Enhanced Filtering for Connectors not working
Our mail flow is like this:
MX: on-premises Barracuda
Barracuda sends into Exchange on-premises.
Exchange on-premises sends to EXO via HCW-created "Outbound to Office 365" Send Connector.
We have listed our Barracuda IP (Skip-IP-#1), and our Exchange on-premises servers' outbound/external IP (Skip-IP-#2) into our Enhanced Filtering for Connectors "skip list". However, we still get tons of incoming emails quarantined, CAT=PHISH, and when I check them in the quarantine (i.e., review their headers), I can see the SPF test is being done against our Exchange on-premises IP (Skip-IP-#2). There are no signs of the two headers being added - X-MS-Exchange-ExternalOriginalInternetSender and X-MS-Exchange-SkipListedInternetSender - which I understand should be getting added if Enhanced Filtering is working (per this). <removed no-longer-relevant text>
Solved

Defender for O365 with onprem mailboxes
Hi all,
Just wanted to confirm the usability of some features of Defender for O365 when having an Exchange hybrid scenario but still most of the mailboxes on-prem. From my understanding, not all features will work:
Safe Attachments (dynamic delivery will not work for on-prem mailboxes)
Safe Links (works if the MX is pointing to EOP)
ATP for SharePoint, OneDrive, and Microsoft Teams (not applicable to EXO)
ATP anti-phishing protection (not sure if all settings will work for on-prem mailboxes)
Real-time detections (reports)
Thanks in advance,
Rgs RM

Adding Targeted Users/Groups in Attack Simulator
Is there a setting that may have changed recently or needs to be changed that enables filtering by groups when creating a simulation? I am unable to browse the groups in our organization any longer. I can choose from other options like City, Departments, Titles, etc., but the AD groups no longer populate in this list when trying to add Target Users.
Thank you,
Jerid

Best practice advice
Hello all, I am fairly new to Defender for O365. I am the cloud admin for a small company, roughly 1000 accounts. We are moving from Mimecast to Defender for O365. I read the article regarding preset security policies and thought this would be a good place to start, so I enabled the standard policy for all the domains we host. Considering you cannot edit a preset policy, I had to edit the default policy to fill in the gaps to account for things like safe senders, blocked senders, safe domains and blocked domains. Is this the correct strategy to use? From my understanding the preset security policy will take precedence. How does the precedence work? If I create safe senders in the default anti-spam policy, will these settings take effect even though the safe senders are not mentioned in the Standard preset security policy?
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide
Solved