No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren't identified as links, which allowed them to evade security scanning.

Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely.

Questions: Has anyone else encountered similar issues with encoded URLs bypassing detection? What's the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URLs were identified?

Looking forward to your input and recommendations. Thanks in advance!

capability to detect password protected files to during the email delivery and ZAP process of the e
Do M365 Defender and EOP have the capability to detect password-protected files during email delivery and the ZAP process of the email in the user mailbox? If yes, how can we configure it to stop such emails, put them into quarantine, and stop delivery to end users? I have another follow-up question on this: if we deploy this transport rule to quarantine emails from false or parked domains (phishing, spam and other unwanted emails), then how would we filter and allow legitimate email domains to send such files (PDF, Docs, Excel and other password-protected files) to users' mailboxes without putting them into quarantine?

How to classify E-Mails with *.html or *.htm attachments as spam?
A tenant is currently receiving an enormous amount of phishing e-mails with *.html or *.htm attachments. 99% of the e-mails which contain such an attachment are phishing e-mails. What's the best approach to filter out those e-mails? They are using the standard protection threat policies.

Fastest workflow to block a phished user?
If a user gets phished, or his credentials get leaked, what's the first thing you do before you start investigating the issue? A few questions concerning this issue:

- Is it enough to block the user in the Office 365 Admin Center?
- Should I reset his password, or is blocking the user enough?
- If the user is blocked, and he still has an active Exchange Online session, can the blocked user still send e-mails?

Moving MX records to O365
Hello. We are a medium-sized company, around 7000 mailboxes. We own several domains that we accept email for. Currently all MX records point to IronPorts. The emails go through the messaging hygiene at the IronPorts and then the message is delivered to Exchange Online. We want to move all MX records to O365.

What I would like to understand is what is the best strategy to do this? Should I move a domain that doesn't receive a high volume of mail traffic first? I think doing this will allow for fine tuning of the O365 filtering policies, and give me some indication regarding how successful the move was and what the success rate will be for future domain moves.

Also, how should I construct my anti-spam and anti-malware policies? Should I start with using Preset Security Policies? My concern with using the preset policies is you can't edit them. We will have a lot of safe and blocked senders that we will need to export from the IronPorts and import into O365. If I can't edit preset policies, then what is my best course of action? Will I need to create custom policies?

I know these are a lot of questions. I'm trying to understand how I should construct the roadmap or process for moving domains to O365. Thank you.

Considering changing spam filter
Hello, new to Defender. We currently have a spam filter that filters all inbound and outbound email. We're thinking about dropping it and going with EOP. I'm assuming many here have gone that route already. How was the experience? How is it working for you now? Were/are there many false positives? Heaven forbid, but does anyone find the MS product LESS capable than a Mimecast, Proofpoint, Barracuda, or SpamTitan type service? Thanks!

ASF Advanced Spam Filter roadmap
For the last year or so I have been seeing notes in Microsoft documentation advising that Exchange Online ASF is being deprecated. Do we have a roadmap for this, and more importantly any news about the replacement features elsewhere in the product? I am particularly interested in -IncreaseScoreWithNumericIps, the capability to spot and act on hyperlinks identifying a host by its numeric IP address. Failing clarity on that question, does anyone have a "pattern" they can recommend that can survive the depredations of Safe Links? I apologise for the cross-post from the Exchange community, but it is not completely clear where this topic should be discussed.

Feeding the Attack Simulator
Previous commentators have noted the simulator's tendency to send attacks in a single wave. This can lead to a comment from one recipient warning another. Additionally, the wave may overwhelm local IT support. To my mind it makes sense to split a large recipient base up into slices to be attacked at different times and possibly with minor variations in the payload.

I had been looking at dynamic groups to do this. Am I correct in saying no type of dynamic group is acceptable to the attack simulator? I have tried the new Microsoft 365 groups, but with the group features suppressed to prevent the group itself from mailing, the simulator will not mail the membership either:

Set-UnifiedGroup -Identity $Group.Name -HiddenFromExchangeClientsEnabled
Set-UnifiedGroup -Identity $Group.Name -UnifiedGroupWelcomeMessageEnabled:$false
Set-UnifiedGroup -Identity $Group.Name -SubscriptionEnabled:$false
Set-UnifiedGroup -Identity $Group.Name -AlwaysSubscribeMembersToCalendarEvents:$false
Set-UnifiedGroup -Identity $Group.Name -AutoSubscribeNewMembers:$false