threat intelligence
9 Topics

All Excel Macro Files Suddenly Flagged as Malware (X97M/Slacker.gen!A) Across M365 Starting April 16

Starting around 8 PM GMT+8 on April 16, 2025, macro-enabled Excel files with extensions such as .xlsm, .xlsb, or .xls began being automatically flagged as malware, specifically identified as X97M/Slacker.gen!A—when opened or edited in SharePoint, OneDrive, or Teams. Before this, the same files were not flagged as malicious, even when opened or edited, and this behavior had remained consistent for several months. This issue affects our entire tenant, with over 800 files being flagged as malware under the name X97M/Slacker.gen!A. These files are located across various locations and have been modified by different users. We are a Cloud-only tenant, and we have not made any configuration changes in Threat Policies for the past few months.

170 Views, 0 likes, 0 Comments

Upgraded from P1 to P2... how do I configure this?

Upgraded to Defender 365 P2 from P1, based on the automated responses. Kinda figured we'd be able to tweak these, but I guess not? Anyway, I'm a little bit confused about how to set this up maximally. Realized yesterday we had a "User click a malicious link" investigation that was pending - but no one knew. When I click "Email Notification" in the "Incidents" window, it brings me to the XDR settings menu, with options for setting emails to notify of Alerts, Incidents and Threat Analytics. Except we don't have XDR? So I can't tell if these are even valid? The documentation on the AIR component is really hard to decipher - wondering if anyone has much experience with this, and knows how to configure it optimally? As in, how do I notify someone of a Critical Investigation, or something needing approval for remediation? Can I configure certain things to not require approval? Like... removing a reported phishing email from everyone's inbox?

Capability to detect password protected files during the email delivery and ZAP process of the e

Do M365 Defender & EOP have the capability to detect password protected files during the email delivery and ZAP process of the email in the user mailbox? If yes, how can we configure it to stop such emails and put them into quarantine and stop the email delivery to end users? I have another follow-up question on this: if we deploy this Transport rule to quarantine emails from false or parked domains, like phishing, spam and unwanted emails, then how would we filter and allow the legit email domains to send such files like .PDF, Docs, Excel and other password protected files to users' mailboxes without putting them into Quarantine?

2.3K Views, 0 likes, 3 Comments

Email quarantine and reason "high confidence phish"

Hi, I started testing a phishing email campaign from an external vendor, KnowBe4. The emails keep going to quarantine with reason "high confidence phish". What is the best way to fix this? I tried excluding the URL from Safe Links and added their sender IPs to the O365 Tenant allow/block list. Thank you in advance.

How to classify E-Mails with *.html or *.htm attachments as spam?

A tenant is currently receiving an enormous amount of phishing emails with *.html or *.htm attachments. 99% of the e-mails which contain such an attachment are phishing e-mails. What's the best approach to filter out those e-mails? They are using the standard protection threat policies.

6.1K Views, 1 like, 9 Comments

Automate email soft delete Approval

Hello Everyone, our security team is creating Email Soft delete actions based on the investigations. An admin needs to approve those soft delete actions. Does anyone know how we can automate the approval of the Email Soft delete action? As of now, Microsoft doesn't have an option to do this.

2.2K Views, 0 likes, 2 Comments

Queries related to Defender for Office 365

Hello MDO gurus, I have the below queries for my Defender for Office deployment:
- Do we have a feature to enable domain-specific tagging for MDO Alerts?
- As for MDO Pending Action items, is there any default action applied if we do not approve or reject the Soft-delete emails?
- Are manually reported phishing emails part of the MDO Pending Action Items?
- Is there a bulk approval option for MDO pending action items?

Whitelist and Safelist problems

With the introduction of Defender for Office 365, there are several more processes that play a role in scanning emails.

The Problem: There is no clear or effective way to whitelist security training providers from link and attachment scanning, whether in the web portal, API, or PowerShell.

Impact: One or more of the systems below consistently block or scan links and/or attachments that belong to security training (not actually malicious) from several major providers, and create false positives.

Rules in place: Sending server IPs are whitelisted and emails are modified to set message headers such as:
- "X-MS-Exchange-Organization-SkipSafeLinksProcessing" with value "1"
- "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" with value "1"
- Bypass SPAM = "-1"

There does not appear to be a way to whitelist from:
- SpamZap - Gets trapped as SPAM even with bypass.
- PhishZap - Gets trapped as Phish regardless of rules.
- MailboxIntelligenceProtection - Same as Phish.
- Defender for Office 365 Scanning - The bots are clicking the links and creating false positives.
- Safe Documents - Same as above.
- Report Message Link Detonation - Detonates links regardless of whether it's whitelisted anywhere else.

Is anyone aware of a way to do this currently? There are between 50-100 different wildcard domains needed to whitelist (if we had to do them individually). A solution cannot include disabling the above services.

Defender for O365 with on-prem mailboxes

Hi all, I just wanted to confirm the usability of some features of Defender for O365 when having an Exchange hybrid scenario but still most of the mailboxes on-prem. From my understanding, not all features will work:
- Safe Attachments (dynamic delivery will not work for on-prem mailboxes)
- Safe Links (works if the MX is pointing to EOP)
- ATP for SharePoint, OneDrive, and Microsoft Teams (not applicable to EXO)
- ATP anti-phishing protection (not sure if all settings will work for on-prem mailboxes)
- Real-time detections (reports)

Thanks in advance,
Rgs RM