Protect your organizations against QR code phishing with Defender for Office 365
QR code phishing campaigns have most recently become the fastest growing type of email-based attack. These types of attacks are growing and embed QR code images linked to malicious content directly into the email body, to evade detection. They often entice unwitting users with seemingly genuine prompts, like a password reset or a two-factor authentication request. Microsoft Defender for Office 365 is continuously adapting as threat actors evolve their methodologies. In this blog post we’ll share more details on how we’re helping defenders address this threat and keeping end-users safe.Protection Against Email Bombs with Microsoft Defender for Office 365
In today's digital age, email remains a critical communication tool for businesses and individuals. However, with the increasing sophistication of cyberattacks, email security has become more important than ever. One such threat that has been growing is the email bombing, a form of net abuse that sends large volumes of email to an address to overflow the mailbox, overwhelm the server, or distract attention from important email messages indicating a security breach. Email bomb - Wikipedia Understanding Email Bombing Email bombing, typically involves subscribing victims to a large number of legitimate newsletter and subscription services. Each subscription service sends email notifications, which in aggregate create a large stream of emails into the victim’s inbox, making email triage for legitimate emails very difficult. This form of attack is essentially a denial-of-service (DDOS) on the victim's email triaging attention budget. Hybrid Attacks More recently, email subscription bombs have been coupled with simultaneous lures on Microsoft Teams, Zoom, or via phone calls. Attackers impersonate IT support and offer to help solve the email problem caused by the spike of unwanted emails, ultimately compromising the victim's system or installing malware on their system. This type of attack is brilliant because it creates a sense of urgency and legitimacy, making victims more likely to accept remote assistance and inadvertently allow malware planting or data theft. Read about the use of mail bombs where threat actors misused Quick Assist in social engineering attacks leading to ransomware | Microsoft Security Blog. Incidence and Purpose of Email Bombing Email bombing attacks have been around for many years but can have significant impacts on targeted individuals, such as enterprise executives, HR or finance representatives. These attacks are often used as precursors to more serious security incidents, including malware planting, ransomware, and data exfiltration. They can also mute important security alerts, making it easier for attackers to carry out fraudulent activities without detection. New Detection technology for Mail Bombing attacks To address the limitations of current defenses which often include the victim’s attempt to build their own mail flow rules, Microsoft Defender for Office 365 releases a comprehensive solution involving a durable block to limit the influx of emails, majority of which are often Spam. By intelligently tracking message volumes across different sources and time intervals, this new detection leverages historical patterns of the sender and signals related to spam content. It prevents mail bombs from being dropped into the user’s inbox and the messages are rather sent to the Junk folder (of Outlook). Note: Safe sender lists in Outlook continue to be honored, so emails from trustworthy sources are not unexpectedly moved to the Junk folder (in order to prevent false positives). Since the initial rollout that started in early May, we’ve seen a tremendous impact in blocking mail bombing attacks out of our customers’ inboxes: How to leverage new “Mail bombing” detection technology in SOC experiences 1. Investigation and hunting: SOC analysts can now view the new Detection technology as Mail bombing within the following surfaces: Threat Explorer, Email entity page and Advanced Hunting empowering them to investigate, filter and hunt for threats related to mail bombing. 2. Custom detection rule: To analyze the frequency and volume of attacks from mail bombing vector, or to have automated alerts configured to notify SOC user whenever there is a mail bombing attack, SOC analysts can utilize the custom detection rules in Advanced hunting by writing a KQL query using data in DetectionMethods column of EmailEvents table. Here’s a sample query to get you started: EmailEvents | where Timestamp > ago(1d) | where DetectionMethods contains "Mail bombing" | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, ReportId The SOC experiences are rolled out worldwide to all customers. Conclusion Email bombs represent an incidental threat in the world of cybersecurity. With the new detection technology for Mail Bombing, Microsoft Defender for Office 365 protects users from these attacks and empowers Security Operations Center Analysts to ensure to gain visibility into such attacks and take quick actions to keep organizations safe! Note: The Mail bombing protection is available by default in Exchange Online Protection and Microsoft Defender for Office 365 plans. This blog post is associated with Message Center post MC1096885. Also read Part 2 of our blog series to learn more about protection against multi-modal attacks involving mail bombing and correlation of Microsoft Teams activity in Defender. Learn: Detection technology details table What's on the Email entity page Filterable properties in the All email view in Threat ExplorerIntroducing the Microsoft Defender for Office 365 ICES vendor ecosystem
In today's digital landscape, the need for comprehensive security measures is more critical than ever, as email continues to be a primary vector for cyberattacks such as phishing and malware. To address this, Microsoft Defender for Office 365 leverages the extensive scale of Microsoft's threat intelligence, which processes trillions of signals daily. By integrating Large Language Models (LLMs) and advanced Natural Language Processing, Defender for Office 365 empowers organizations with AI-driven threat detection, behavioral analytics, and automated responses thus proactively identifying and neutralizing risks before they reach end users. This collaborative defense approach reinforces the principle that security is a team sport, requiring shared intelligence and coordinated action across the ecosystem. We recognize in today’s dynamic cyber threat landscape, defense-in-depth strategy has become a vital approach not only for Microsoft customers but also across the broader Secure Email Gateway (SEG) market. Organizations are increasingly adopting layered security solutions to comply with regulatory requirements, enhanced detection, and ensure robust protection. To address this, we’re announcing the Microsoft Defender for Office 365 ICES Vendor Ecosystem — a unified framework that enables seamless integration with trusted third-party vendors. This ecosystem is designed to eliminate integration friction and deliver: Broader detection coverage through vendor diversity Transparency across Microsoft Defender for Office 365 and partner detections Streamlined SOC workflows through consistent policy enforcement and shared investigation tools Stronger compliance alignment with layered security mandates This partner ecosystem is about creating a cohesive defense fabric that enhances SOC efficiency with Microsoft Defender for Office 365 as the foundation. The ecosystem also provides flexibility, scalability, and preparedness for the complexities of contemporary enterprise security. With this in mind, we are pleased to announce that our trusted ICES security vendors, Darktrace and KnowBe4, have become the first launch partners within our ecosystem. They offer customers a seamless and collaborative defense framework where each solution enhances the strengths of the others. We welcome additional partners soon as we continue to expand this integrated ecosystem. “Our integration with Microsoft gives security teams the tools they need to act faster and more precisely to detect and respond to threats,” said Jill Popelka, CEO of Darktrace. “Together, we’re strengthening defenses where it matters most to our customers —at the inbox.” “I’m incredibly excited at the opportunity afforded by this partnership with Microsoft and the deeper integrations it enables. Leveraging this integration allows us to use our vast quorum of data around email security and human risk in a way that provides the most comprehensive layered security approach available to the market. A complementary defense strategy is mandatory and this integration with Microsoft M365 furthers that vision by combining our capabilities to create comprehensive defense strategies that address the full spectrum of modern cyber threats.” noted Greg Kras, Chief Product Officer @ KnowBe4 Unified Quarantine The core strength of this new ecosystem is the seamless integration between Defender for Office 365 and its ICES partners, through the Unified Quarantine feature. Managing quarantined messages from multiple solutions can often be complex and inefficient. Unified Quarantine streamlines the process by consolidating quarantined items identified by both Defender for Office 365 and third-party (3P) solutions into a single, unified interface, enhancing customer ease and visibility. Administrators can efficiently review, release, or remediate messages through this unified interface, irrespective of the provider that identified the threat. This approach not only optimizes time management but also guarantees uniform policy enforcement and facilitates transparency on detections, resulting in improved operational efficiency and a more coherent user experience. As part of the Unified Quarantine, security admins can also see which provider quarantined the message. Transparency and Insight Across Solutions In environments with multiple email security solutions, transparency is crucial to understanding each vendor's detections. Microsoft Defender for Office 365 offers a unified dashboard that clearly distinguishes between threats stopped by Defender and those identified by third-party solutions, ensuring transparent and fair attribution of protection value. This dashboard provides security teams with a comprehensive view of how each solution contributes to protection, helping to identify overlapping coverage and areas of unique value. This clarity supports more informed decision-making around threat trends, policy optimization, and vendor strategy fostering stronger collaboration between internal teams and external partners. Deeper SOC Investigation Capabilities: Threat Explorer, Advanced Hunting, and Email Entity Page Modern defenders need tools for rapid investigation, root cause analysis, and tactical response. The Defender for Office 365 ecosystem unifies investigative workflows across partner solutions. Within Threat Explorer, security analysts can seamlessly pivot between messages actioned by Microsoft Defender for Office 365 and those flagged by integrated partners. The side-by-side display of verdicts and actions enables quick correlation and pattern recognition. Advanced Hunting brings even greater depth, allowing analysts to craft queries that span both Microsoft Defender for Office 365S and 3P data sources. This holistic view accelerates threat hunting and helps organizations surface novel attack techniques or gaps in coverage. EmailEvents | where Timestamp > ago(7d) //List emails caught by a Third-party solution | where DetectionMethods contains "Thirdparty" | project NetworkMessageId, RecipientEmailAddress, ThreatTypes, DetectionMethods, AdditionalFields, LatestDeliveryLocation On the Email Entity Page, every message surfaces a complete action history, including which product took action and what verdict was assigned. This granular visibility demystifies complex incidents and builds confidence in the layered defense model. Summary As the threat landscape continues to evolve, so must our defenses. While organizations embrace defense-in-depth, fragmented integrations may lead to unintended consequences such as diminished detection capabilities, overlapping controls, and SOC inefficiencies. With the Defender for Office 365 ICES vendor ecosystem, Microsoft is setting a new standard for collaborative, integrated security platforms. By combining proven protection, seamless partnerships, and unified visibility, organizations can embrace defense-in-depth without complexity or compromise. Whether combating phishing, malware, or the next generation of email-borne threats, customers benefit from a defense-in-depth strategy built for agility and efficiency. With hands-off enablement, unified experiences, and unmatched transparency, the Defender for Office 365 ecosystem empowers every organization to stay one step ahead—today and tomorrow. Learn More To learn more about the Microsoft Defender for Office 365 ICES Vendor Ecosystem, please visit https://learn.microsoft.com/defender-office-365/mdo-ices-vendor-ecosystem.Microsoft Defender EOP
We have been experiencing an issue since last week where we are unable to view the details of quarantined emails. Could you please confirm if this is related to a known backend service issue, or if there are any specific troubleshooting steps we should perform on our end? Any guidance or updates would be greatly appreciated.
Microsoft Defender for Office 365's Language AI for Phish: Enhancing Email Security
Email security presents a complex challenge for individuals and organizations alike. Over the years, attackers have evolved from simple spam campaigns to sophisticated threats including ransomware, identity theft schemes, and carefully crafted phishing scams. Now, malicious actors are armed with Generative AI and are advancing at an alarming pace. In response, Microsoft Defender for Office 365 has dedicated extensive research and development efforts to making email security smarter, more flexible, and more proactive. This dedication led to the introduction of specialized language intelligence to fight Business Email Compromise (BEC) attacks, announced last year at Ignite 2024 (Microsoft Ignite: Redefining email security with LLMs to tackle a new era of social engineering | Microsoft Community Hub). With that announcement, we offered a significant leap in analyzing suspicious messages using advanced natural language processing, enabling organizations to better detect subtle manipulative emails designed to lure unsuspecting users into revealing confidential data or transferring funds. The threats, however, have not stopped with BEC. Phishing attacks are constantly evolving, leveraging new tactics and forms. As part of Defender for Office’s mission to stay one step ahead of these threats, we’re taking the same robust Language AI approach we used for BEC analysis and applying it to a broader spectrum of phishing attacks. Today we’re excited to announce Microsoft Defender for Office 365’s new Language AI for Phish model. This model progressively learns from thousands of real-world phishing attempts and analyzes all messages classified as phish. Furthermore, it incorporates advanced Machine Learning and Natural Language Processing (NLP) techniques to read, process, and understand email content the way a human analyst might, yet in a fraction of the time and at an immense scale. Our model has been operational since April 2025, achieving over 99.99% accuracy and blocking 1 million phishing emails daily. By advancing our language AI and rigorously training it on phishing email threats, we are further strengthening the comprehensive protections established by our BEC-focused innovations. These enhanced capabilities create an integrated security framework designed to proactively address evolving risks and accelerate response times to emerging threats. Through Microsoft Defender for Office 365’s commitment to continuous improvement, this expanded approach empowers organizations and individuals to maintain a strong security posture in the face of ever-changing cyber challenges. Learn More: To learn more about Microsoft Defender for Office 365’s Language AI capabilities, please read more here or visit our website.
No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren’t identified as links, which allowed them to evade security scanning. Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely. Questions: Has anyone else encountered similar issues with encoded URLs bypassing detection? What’s the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URL's were identified? Looking forward to your input and recommendations. Thanks in advance!
Build custom email security reports and dashboards with workbooks in Microsoft Sentinel
Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, sometimes security teams require custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights to meet their needs. We previously shared an example of how you can leverage Power BI and the Microsoft Defender XDR Advanced Hunting APIs to build a custom dashboard and shared a template that you can customize and extend. In this blog, we will showcase how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. We will also share an example workbook that is now available and can be customized based on your organization’s needs. Why use workbooks in Microsoft Sentinel? There are many potential benefits to using workbooks if you already use Microsoft Sentinel and already stream the hunting data tables for Defender for Office 365: You can choose to store data for a longer period of time via configuring longer retention for tables you use for your workbooks. For example you can store Defender for Office 365 EmailEvents table data for 1 year and build visuals over longer period of time. You can customize your visuals easily based on your organization’s needs. You can configure auto-refresh for the workbook to keep the data shown up to date. You can access ready to use workbook templates and customize them if it's needed. Getting started After you connect your data sources to Microsoft Sentinel, you can visualize and monitor the data using workbooks in Microsoft Sentinel. Ensure that Microsoft Defender XDR is installed in your Microsoft Sentinel instance, so you can use Defender for Office 365 data with a few simple steps. Detection and other Defender for Office 365 insights are already available as raw data in the Microsoft Defender XDR advanced hunting tables: EmailEvents - contains information about all emails EmailAttachmentInfo - contains information about attachments in emails EmailUrlInfo - contains information about URLs in emails EmailPostDeliveryEvents – contains information about Zero-hour auto purge (ZAP) or Manual remediation events UrlClickEvents - contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps. CloudAppEvents – CloudAppEvents can be used to visualize user reported Phish emails and Admin submissions with Defender for Office 365. The Microsoft Defender XDR solution in Microsoft Sentinel provides a connector to stream the above data continuously into Microsoft Sentinel. Microsoft Sentinel then allows you to create custom workbooks across your data or use existing workbook templates available with packaged solutions or as standalone content from the content hub. How to access the workbook template We are excited to share a new workbook template for Defender for Office 365 detection and data visualization, which is available in the Microsoft Sentinel Content hub. The workbook is part of the Microsoft Defender XDR solution. If you are already using our solution, this update is now available for you. If you are installing the Microsoft Defender XDR solution for the first time, this workbook will be available automatically after installation. After the Microsoft Defender XDR solution is installed (or updated to the latest available version), simply navigate to the Workbooks area in Microsoft Sentinel and on the Templates tab select Microsoft Defender for Office 365 Detection and Insights. Using the “View Template” action loads the workbook. What insights are available in the template? The template has the following sections with each section deep diving into various areas of email security, providing details and insights to security team members: Detection overview Email - Malware Detections Email - Phish Detections Email - Spam Detections Email - Business Compromise Detections (BEC) Email - Sender Authentication based Detections URL Detections and Clicks Email - Top Users/Senders Email - Detection Overrides False Negative/Positive Submissions File - Malware Detections (SharePoint, Teams and OneDrive) Post Delivery Detections and Admin Actions Email - Malware Detections Email - Business Compromise Detections (BEC) Email - Sender Authentication based Detections URL Detections and Clicks False Negative/Positive Submissions File - Malware Detections (SharePoint, Teams and OneDrive) Post Delivery Detections and Admin Actions Can I customize the workbook? Yes, absolutely. Based on the email attributes in the Advanced Hunting schema, you can define more functions and visuals as needed. For example, you can use the DetectionMethods field to analyse detections caught by capabilities like Spoof detections, Safe Attachment, and detection for emails containing URLs extracted from QR codes. You can also bring other data sources into Microsoft Sentinel as tables and use them when creating visuals in the workbook. This sample workbook is a powerful showcase for how you can use the Defender for Office 365 raw detection data to visualize email security detection insights directly in Microsoft Sentinel. It enables organizations to easily create customized dashboards that can help them analyse, track their threat landscape, and respond quickly—based on unique requirements. Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum. More information Integrate Microsoft Defender XDR with Microsoft Sentinel. Learn more about Microsoft Sentinel workbooks. Microsoft Defender for Office 365 Detection Details Report – Updated Power BI template for Microsoft Sentinel and Log Analytics Learn more about Microsoft Defender XDR.
