user-reported phishing emails
Dear Community I have a technical question regarding user-reported emails. In Defender, under “Action and Submissions” -> “Submissions,” I can see the emails that users have reported under the “user reported” option. There, we have the option to analyze these emails and mark them as “no threats found,” “phishing,” or “spam.” The user is then informed. Question: Do these reported emails remain in the user's inbox when they report them? If not, do we have the option to return these reported emails to the user's inbox with the “No threats found” action? Because I don't see this option. In another tenant, under “Choose response Action,” I see “move or delete,” but the “inbox” option is grayed out. Why is that? Thank you very much!Microsoft Defender EOP
We have been experiencing an issue since last week where we are unable to view the details of quarantined emails. Could you please confirm if this is related to a known backend service issue, or if there are any specific troubleshooting steps we should perform on our end? Any guidance or updates would be greatly appreciated.
No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren’t identified as links, which allowed them to evade security scanning. Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely. Questions: Has anyone else encountered similar issues with encoded URLs bypassing detection? What’s the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URL's were identified? Looking forward to your input and recommendations. Thanks in advance!
Adding Targeted Users/Groups in Attack Simulator
Is there a setting that may have changed recently or needs to be changed that enables filtering by groups when creating a simulation. I am unable to browse our groups in our organization any longer, I can choose from other options like City, Departments, Titles, etc. but the AD groups do not populate any longer in this list when trying to add Target Users. Thank you, Jerid
AIR Result : Email template modification
Hi, I want to change the email language for the Automated investigation and response (AIR) after a phishing report. I found the page where you can set a custom email "Body" and "Footer". This works, but I also need to change the other parts of the email or at least find a way to translate it in french. Right now, there's a mix of english and french (The body and footer I configured) but I need the whole thing to be in french. I would appreciate a hand on this issue. Thank you !! PS : See the screenshot for the part I want to translate.
Effectiveness of "Impersonation Protection" within the Standard Protection security policy
Recently we began trying to improve the overall posture of our O365 Exchange. One step of that was enabling both the Preset Security Policies. These have been enabled and I've set up Impersonation Protection on both with pretty much the same list of internal stakeholders to protect. What we appear to be seeing is that impersonation protection doesn't work for those users on Standard Protection. Support is telling me that's how it works and that I should move all of our users to Strict Protection if we want to take advantage of the Impersonation Protection. My limited tests seem to back this up, but the fact that Impersonation Protection is an available option in the Standard preset policy is baffling if it's as ineffective as it seems to be. As a test I setup a new outlook.com account with the name of the a protected user. I then sent an email to my personal Gmail account and two internal employees. The email was delivered to the Gmail account (expected) and to the 'Standard' employee. The email to the 'Strict' employee was quarantined with a note about impersonation. For the 'Standard' employee it was allowed with the note "Allowed by user policy : Trusted recipient address list". I verified the external address is not in the 'Standard' user's Safe Sender list. Are others seeing this behavior as well?
Archive Email Search across all emails going back 3 years or more
Hi, In Mimecast I am able to perform an archive search on emails very quickly (less than 10 seconds) and easily being able to go back 5-10 years (we have a retention of 10yrs for Mimecast) How can I do this with the 365 tooling that I have within the E5 license scope. In Explorer in the Defender portal, I can only go back 30 days, so want to know how I would go about doing this for say 3-5yrs using Microsoft tools. Example, I want to look for any emails from joe.bloggs@gmail sent to any of our users going back 3 or 5yrs without having to do a full eDiscovery each time which is extremely time consuming. Do Microsoft have any plans to have a similar way to easily search through all corporate email quickly and efficiently as it really seems like a no-brainer product that Microsoft could give to their users, and would mean they wouldn't have to rely on third-party tooling to do this in a field where Microsoft really should be stronger. I asked the same question the other day on https://old.reddit.com/r/Office365/comments/1dyg3zd/archive_email_search_across_all_emails_going_back/ as I was hoping that I was missing something, but it seems that it is a feature that is lacking at the moment. Thought I would also raise the question here as well in the hope that someone has a suggestion of what we could use that may work and would be faster than a full blown eDiscovery, or maybe even get the attention of someone at MS that has the ability to create such a needed feature.Attack simulation training, Credential Harvest - flag real login credentials
Hello, Is it possible in Attack simulation training, Credential Harvest to flag users who have entered their real login details in the login screen ? Unfortunately, currently the user is marked as "Compromised" for both - false credentials and real credentials. I have not found any information to highlight the entry of true login credentials.
