Microsoft Defender EOP
We have been experiencing an issue since last week where we are unable to view the details of quarantined emails. Could you please confirm if this is related to a known backend service issue, or if there are any specific troubleshooting steps we should perform on our end? Any guidance or updates would be greatly appreciated.
No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren’t identified as links, which allowed them to evade security scanning. Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely. Questions: Has anyone else encountered similar issues with encoded URLs bypassing detection? What’s the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URL's were identified? Looking forward to your input and recommendations. Thanks in advance!
Adding Targeted Users/Groups in Attack Simulator
Is there a setting that may have changed recently or needs to be changed that enables filtering by groups when creating a simulation. I am unable to browse our groups in our organization any longer, I can choose from other options like City, Departments, Titles, etc. but the AD groups do not populate any longer in this list when trying to add Target Users. Thank you, Jerid
AIR Result : Email template modification
Hi, I want to change the email language for the Automated investigation and response (AIR) after a phishing report. I found the page where you can set a custom email "Body" and "Footer". This works, but I also need to change the other parts of the email or at least find a way to translate it in french. Right now, there's a mix of english and french (The body and footer I configured) but I need the whole thing to be in french. I would appreciate a hand on this issue. Thank you !! PS : See the screenshot for the part I want to translate.
Effectiveness of "Impersonation Protection" within the Standard Protection security policy
Recently we began trying to improve the overall posture of our O365 Exchange. One step of that was enabling both the Preset Security Policies. These have been enabled and I've set up Impersonation Protection on both with pretty much the same list of internal stakeholders to protect. What we appear to be seeing is that impersonation protection doesn't work for those users on Standard Protection. Support is telling me that's how it works and that I should move all of our users to Strict Protection if we want to take advantage of the Impersonation Protection. My limited tests seem to back this up, but the fact that Impersonation Protection is an available option in the Standard preset policy is baffling if it's as ineffective as it seems to be. As a test I setup a new outlook.com account with the name of the a protected user. I then sent an email to my personal Gmail account and two internal employees. The email was delivered to the Gmail account (expected) and to the 'Standard' employee. The email to the 'Strict' employee was quarantined with a note about impersonation. For the 'Standard' employee it was allowed with the note "Allowed by user policy : Trusted recipient address list". I verified the external address is not in the 'Standard' user's Safe Sender list. Are others seeing this behavior as well?
Archive Email Search across all emails going back 3 years or more
Hi, In Mimecast I am able to perform an archive search on emails very quickly (less than 10 seconds) and easily being able to go back 5-10 years (we have a retention of 10yrs for Mimecast) How can I do this with the 365 tooling that I have within the E5 license scope. In Explorer in the Defender portal, I can only go back 30 days, so want to know how I would go about doing this for say 3-5yrs using Microsoft tools. Example, I want to look for any emails from joe.bloggs@gmail sent to any of our users going back 3 or 5yrs without having to do a full eDiscovery each time which is extremely time consuming. Do Microsoft have any plans to have a similar way to easily search through all corporate email quickly and efficiently as it really seems like a no-brainer product that Microsoft could give to their users, and would mean they wouldn't have to rely on third-party tooling to do this in a field where Microsoft really should be stronger. I asked the same question the other day on reddit as I was hoping that I was missing something, but it seems that it is a feature that is lacking at the moment. Thought I would also raise the question here as well in the hope that someone has a suggestion of what we could use that may work and would be faster than a full blown eDiscovery, or maybe even get the attention of someone at MS that has the ability to create such a needed feature.Display Name Spoofing very often recently - how to prevent it
Hi experts, recently, I have noticed increase in emails that tries to impersonate sender (Display Name Spoofing). The Display name shows a real user from our organization, however the sender email/domain is totally different. I thought I had the protection configured properly but looks like that is not the case :/. I have anti-phish policy with Impersonation as below: few critical users listed in "Enable users to protect" was going to enable it for all now, but there is no option like that, ..and it looks I need to manually add all internal users Enable domains to protect Include domains I own (does this include all domains I have registered in M365? See below). I would expect this will prevent these emails Include custom domains - I have nothing here, but I am not sure now whether my few domains created in M365 - including default domain, needs to be added here? As from what I know, the custom domains are the domains I create in M365. Would like to check what is the proper way to configure protection against these email attacks. We use M365 E3 + M365 E5 SecurityAttack simulation training, Credential Harvest - flag real login credentials
Hello, Is it possible in Attack simulation training, Credential Harvest to flag users who have entered their real login details in the login screen ? Unfortunately, currently the user is marked as "Compromised" for both - false credentials and real credentials. I have not found any information to highlight the entry of true login credentials.
Incorrect training status in attack simulation training
I've run a few attack simulation automations, and every time we get some users who say they have completed the training, but the status doesn't indicate that, and they keep getting training notifications. Is there anyway to figure out what is going on with these users? I do believe that they are completing the training before contacting the help desk about repeat reminders.
