Safeguarding Microsoft Teams with Microsoft Defender for Office 365
As organizations rely more on Microsoft Teams for daily collaboration, securing this platform has become a top priority. Threat actors are increasingly targeting Teams chats and channels with phishing links and malicious files, making it critical for IT admins and security professionals to extend protection beyond email. Enter Microsoft Defender for Office 365, now armed with dedicated Teams protection capabilities. Microsoft Defender for Office 365 enables users to report suspicious messages, brings time-of-click scanning of URLs and files into Teams conversations, and provides rich alerts and hunting insights for SecOps teams. As a collaborative piece between Pierre Thoor, a Microsoft Security Most Valuable Professional (MVP), and the Defender for Office 365 Product Engineering Team, the below guides with accompanying videos emphasize a proactive, user-driven approach to threat detection and response, turning everyday Teams interactions into actionable security signals for SecOps. See something, say something: Reporting suspicious messages in Microsoft Teams Your fastest sensor isn’t AI – it’s your people. Report this message in Microsoft Teams lets anyone flag a suspicious conversation in two clicks and routes a triageable submission to your security team in the Microsoft Defender portal. Why this matters: Speed to signal: Catch threats at the conversation layer, not just in email. Complete context: Original message, participants, URLs, and verdicts in one place. Habit-forming: A simple, repeatable action employees remember under pressure. How to report (desktop, web, and mobile) In Desktop/Web Hover the message → … More options → Report this message Select Security concern → (optional) add a short note → Report In Mobile (iOS/Android) app Long-press the message → Report message Select Security concern → (optional) add a short note → Report *Tip: Short notes like “Unexpected MFA reset link” help analysts triage faster. Where reports go (for security teams) In the Microsoft Defender portal, navigate to: Investigation & response → Actions and submissions → Submissions → User reported. Open an item to view the Teams message entity (sender/domain, Teams message ID, extracted URLs, verdict) and take action – mark as phish/clean, pivot to Explorer or Advanced Hunting, or copy indicators. Quick setup check Defender portal → Settings → Email & collaboration → User reported settings: enable Monitor reported messages in Microsoft Teams. Licensing: Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 E5). What good looks like (mini playbook) User reports the message. Security triages the submission and captures the URL/domain and other indicators. Block or allow as appropriate via the Tenant Allow/Block List (TABL). Hunt for related activity or clicks (see Video 3). Close the loop: thank the reporter and share the outcome to reinforce the behavior. Common gotchas Reporting is disabled in the Teams messaging policy – verify before rollout. Some users assume “Report” notifies the sender – clarify that it routes to the Security team, not the sender. Call to action: Enable reporting for your users and add this line to your awareness site: “If it feels phishy, report – don’t click.” Think before you click - Safe Links catches threats at click-time Links can change after delivery. Safe Links waits until click-time, evaluates the destination, and shows an in-app warning page in Teams. Pair it with the Tenant Allow/Block List (TABL) to tune quickly across the tenant. Why this matters Prevents delayed redirects: Avoids “clean-at-send” methods. Consistent protection in Teams: Familiar warning UX reduces risky clicks. Rapid tuning: Block newly observed domains in seconds; no advanced transport rules required. What you’ll see in the video Policy check (Teams in scope) Defender portal → Email & collaboration → Policies & rules → Threat policies → Safe Links → ensure Apply Safe Links to Microsoft Teams is enabled for target users or groups OR that you use Standard/Strict Preset Policy. Warning page at click-time Post a benign test URL in Teams and click it to show the Safe Links warning experience. Block it as you spot it (Allow/Block) Defender portal → Threat policies → Tenant Allow/Block List → URLs → Add (domain or URL). Re-click in Teams – now blocked at click-time. Optional telemetry (Advanced Hunting) Confirm outcomes and adoption: UrlClickEvents | where Timestamp > ago(24h) and Workload == "Teams" | summarize Clicks=count(), Users=dcount(AccountUpn) by ActionType | order by Clicks desc Deployment tips Start with a pilot group that includes IT + power users; expand after validation. Create a review cadence for TABL (e.g., monthly) and expire temporary blocks. Troubleshooting No warning page? Verify policy scope includes the user and the Teams workload. Block not taking effect? Give TABL a short sync window, then re-test; confirm you blocked the correct domain/URL pattern. “Hunt the chat”: Advanced hunting for Teams threats Overview With Advanced Hunting you can quickly reconstruct activity in Microsoft Teams – who sent the message, who clicked the link, and what protections kicked in. This section shows how the four Teams-relevant tables work together, so you can move from signal to action quickly. New: message warnings for malicious URLs (internal and external) Teams now shows a warning banner on messages that contain URLs flagged as spam, phishing, or malware. Warnings appear in internal and external chats/channels, and can be added after delivery (up to ~48 hours) if a URL’s reputation changes. This complements Safe Links (time-of-click) and doesn’t replace ZAP; when ZAP removes a message, that action takes precedence. Public preview began September 2025; GA November 2025, enabled by default at GA and manageable in Teams admin center → Messaging settings. See Message Center: https://admin.cloud.microsoft/?#/MessageCenter/:/messages/MC1150984 The four tables you’ll use MessageEvents – delivery context (sender, thread, internal vs. external). MessagePostDeliveryEvents – post-delivery actions, including Phish ZAP and Malware ZAP. MessageUrlInfo – URLs extracted from Teams messages. UrlClickEvents – time-of-click outcomes for links, including those clicked in Teams. What you’ll learn in the video Surface active external domains in your tenant’s Teams chats. Identify who clicked risky links and the click outcomes (via Safe Links telemetry). See where message warnings appear in the chat UI. Pivot to an incident and block indicators fast via the Tenant Allow/Block List (TABL). A couple hunts to try right now 1) Malicious verdicts in Teams (last 24 hours) Find messages that already carry a Spam/Phish/Malware verdict – your fastest triage queue. MessageEvents | where Timestamp > ago(1d) | where ThreatTypes has "Phish" or ThreatTypes has "Malware" or ThreatTypes has "Spam" | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, IsExternalThread, ReportId Use it for: a quick sweep + pivot to incident/entities, then TABL block if needed. 2) “IT helpdesk” imposters in external DMs (last 5 days) Surface social-engineering lures that impersonate support. MessageEvents | where Timestamp > ago(5d) | where IsExternalThread == true | where (RecipientDetails has "help" and RecipientDetails has "desk") or (RecipientDetails has "it" and RecipientDetails has "support") or (RecipientDetails has "working" and RecipientDetails has "home") or (SenderDisplayName has "help" and SenderDisplayName has "desk") or (SenderDisplayName has "it" and SenderDisplayName has "support") or (SenderDisplayName has "working" and SenderDisplayName has "home") | project Timestamp, SenderDisplayName, SenderEmailAddress, RecipientDetails, IsOwnedThread, ThreadType, ReportId Use it for: first-contact scams (external tenant posing as IT). Pair with Safe Links telemetry to see who clicked. Tip: has is token-aware and generally faster/cleaner than contains for word matches. Keep both hunts detection-ready by ensuring the final projection includes Timestamp and ReportId. 3) BONUS! External DMs with links (last 7 days) MessageEvents | where Timestamp > ago(7d) and IsExternalThread == true | join kind=inner (MessageUrlInfo) on TeamsMessageId | summarize Links=dcount(Url), Senders=dcount(SenderEmailAddress) by UrlDomain | top 10 by Links desc 4) Who clicked (Teams workload) – exposure view: UrlClickEvents | where Timestamp > ago(7d) and Workload == "Teams" | project Timestamp, AccountUpn, Url, ActionType | order by Timestamp desc “From Hunt to Action”: Respond & contain Finding a risky link in Teams is only half the job. This walkthrough shows how to go from detection to containment – block the domain, clean up delivered messages, and cut attacker access. Why this matters Speed: Shrink time from “we saw it” to “it’s blocked”. Consistency: Turns ad-hoc hunting into a repeatable response flow. Coverage: Pair URL blocking with identity and device containment. What you’ll see in the video Turn a hunt into an alert In Advanced Hunting, run a short query (below) and choose Create detection rule to schedule it. Alerts auto-create incidents you can triage. Block at click-time (Safe Links + TABL) In the incident, open the URL entity and add the URL/domain to the Tenant Allow/Block List (TABL) so future Teams clicks are blocked by Safe Links. Post-delivery cleanup (ZAP) If a malicious message slipped through, ZAP can remove or mark it after delivery. You’ll see evidence on the incident timeline. Contain accounts and devices Revoke user sessions in Entra ID to invalidate active tokens. Reset the password (and require strong, unique credentials), then enforce MFA for the account. Review MFA methods and remove anything suspicious; review app consents and revoke illicit grants. If endpoints are onboarded, isolate the device in Microsoft Defender for Endpoint to stop outbound connections while you investigate. The Microsoft Learn guide, https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account, for compromised accounts recommends session revocation, password reset, MFA enforcement, reviewing OAuth app consents and admin roles, and checking mail forwarding/rules – steps that complement the Teams response you see here. The hunt This KQL surfaces rare external domains in Teams and any user clicks. let lookback = 1d; // External Teams messages let externalMsgs = MessageEvents | where Timestamp > ago(lookback) and IsExternalThread == true | project MsgTime = Timestamp, TeamsMessageId, SenderEmailAddress, ME_ReportId = ReportId; // URLs found in Teams messages let urlsInMsgs = MessageUrlInfo | where Timestamp > ago(lookback) | project MUI_Time = Timestamp, TeamsMessageId, Url, UrlDomain, MUI_ReportId = ReportId; // Clicks coming from Teams let clicks = UrlClickEvents | where Timestamp > ago(lookback) and Workload == "Teams" | project ClickTime = Timestamp, Url, Clicker = AccountUpn, ClickAction = ActionType, UCE_ReportId = ReportId; // Define “rare” domains in the period let rareDomains = urlsInMsgs | summarize msgCount = dcount(TeamsMessageId) by UrlDomain | where msgCount < 3; rareDomains | join kind=inner (urlsInMsgs) on UrlDomain | join kind=leftouter (externalMsgs) on TeamsMessageId | join kind=leftouter (clicks) on Url | project Timestamp = coalesce(ClickTime, MUI_Time, MsgTime), UrlDomain, Url, SenderEmailAddress, Clicker, ClickTime, ClickAction, TeamsMessageId, ReportId = coalesce(UCE_ReportId, MUI_ReportId, ME_ReportId) After verifying results, select Create detection rule, set a schedule (e.g., hourly), and map entities so incidents include the right artifacts. What good looks like (response playbook) Alert fires → open incident; confirm scope and entities. Block URL/domain via TABL to stop future clicks. Confirm ZAP removed or marked delivered messages. Revoke sessions and reset password; enforce MFA. Review MFA methods and remove unknown devices/methods. Audit app consents (revoke illicit grants) and verify the user holds no unexpected admin roles. If email abuse is suspected, check for forwarding or malicious Inbox rules. Isolate device if execution is suspected; collect artifacts and un-isolate after remediation. FAQs Does the block remove the message? No – TABL blocks at click-time. Post-delivery removal is handled by ZAP when detections apply. Will revoking sessions disrupt users? It forces sign-in again (expected). Communicate this in your response template. What if the attacker used consent phishing? Revoke the offending enterprise app consent and review publisher verification status. Call to action: Save the query, create the detection, and attach this playbook to your incident template. The goal every time: find → block → clean up → contain Securing Microsoft Teams is most effective when technology and people work together. By enabling user reporting, leveraging real-time protections, and empowering security teams to act quickly, organizations can turn everyday collaboration into a strong defense against threats. ## Please take two minutes to take this survey to let us know what you think of this blog (series), video, and community content. Questions or comments on this blog "Microsoft Defender for Office 365 – A Four-Part Guide to Secure Collaboration" for the author or other readers? Please log in and post your response below! _____________ This blog has been generously and expertly authored by Microsoft Security MVP, Pierre Thoor with support of the Microsoft Defender for Office 365 product team. Pierre Thoor Microsoft Security MVP | Microsoft Defender for Office 365 Champ Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs), now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP-Authored Blogs in this Four- Part Series: Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai (This post) Safeguarding Microsoft Teams with Microsoft Defender for Office 365 You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri Microsoft Defender for Office 365: Fine-Tuning by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedInYou may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365
Introduction As a Microsoft MVP (Most Valuable Professional) specializing in SIEM, XDR, and Cloud Security, I have witnessed the rapid evolution of cybersecurity technologies, especially those designed to protect organizations from sophisticated threats targeting email and collaboration tools. Microsoft Defender for Office 365 introduced an LLM-based engine to help better classify phishing emails that, these days, are mostly written using AI anyways about a year ago. Today, I'm excited to spotlight a new place AI has been inserted into a workflow to make it better…a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365. Understanding the Challenge While the automated and human-driven analyses are robust in Defender for Office 365, there are occasions where the response—be it a verdict of "benign" or "malicious"— doesn’t fully align with the security team's context or threat intelligence. If you are a Microsoft 365 organization with Exchange Online mailboxes, you’re probably familiar with how admins can use the Submissions page in the Microsoft Defender portal to submit messages, URLs, and attachments to Microsoft for analysis. As a recent enhancement, now all the admin submissions use LLM based response for better explainability. In the past, disputing such verdicts required separate support channels, using Community support, or manual email processes, often delaying resolution and impacting the speed of cyber operations, leaving many SOC analysts in Ricky and Lucy's place.... Introducing the Dispute Submission Response Feature With the new dispute submission response feature, Microsoft Defender for Office 365 bridges a critical gap in the incident response workflow. Now, when a security analyst or administrator receives a verdict on a submitted item, they have the option to dispute the response directly within the Microsoft 365 Defender portal. This feature streamlines feedback, allowing teams to quickly flag disagreements and provide additional context for review at the speed of operations. How It Works Upon submission of a suspicious item, Microsoft Defender for Office 365 provides a response indicating its assessment—malicious, benign, or other categorizations. If the security team disagrees with the verdict, they can select the "Dispute" option and submit their rationale, including supporting evidence and threat intelligence. The disputed case is escalated directly to Microsoft’s threat research team for further review, and the team is notified of progress and outcomes. This direct feedback loop not only empowers security teams to advocate for their organization's unique context, but also enables Microsoft to continually refine detection algorithms and verdict accuracy based on real-world input, because security is a team sport. Benefits for Security Operations Faster Resolution: Streamlined dispute submission eliminates the need for external support tickets and escalations, reducing turnaround time for critical cases. Greater Transparency: The feature fosters a collaborative relationship between customers and Microsoft, ensuring that verdicts are not final judgments but points in an ongoing dialogue. Continuous Improvement: Feedback from disputes enhances Microsoft’s threat intelligence and improves detection for all Defender for Office 365 users. Empowerment: Security teams gain a stronger voice in the protection of their environment, reinforcing trust in automated defenses. MVP Insights: Real-World Impact Having worked with global enterprises, I’ve seen how nuanced and context-specific threats can be. Sometimes, what appears benign to one organization may be a targeted attack for another, a slight modification to a URL may catch one email, but not others, as slight changes are made as billions of emails are sent. We are only as good as the consortium. The ability to dispute submission responses creates a vital safety net, ensuring that security teams are not forced to accept verdicts that could expose them to risk. It’s a welcome step toward adaptive, user-driven security operations. Conclusion The dispute submission response feature in Microsoft Defender for Office 365 is one of the most exciting features for me, because it focuses on enabling organizations striving for agility and accuracy in threat management. By enabling direct, contextual feedback, Microsoft empowers security teams to play an active role in shaping their defenses. As an MVP, I encourage all users to leverage this feature, provide detailed feedback, and help drive the future of secure collaboration in the cloud. You may be right after all. _________ This blog has been generously and expertly authored by Microsoft Security MVP, Mona Ghadiri with support of the Microsoft Defender for Office 365 product team. Mona Ghadiri Microsoft Security MVP Learn More and Meet the Author 1) December 16th Ask the Experts Webinar: Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE) DECEMBER 16, 8 AM US Pacific You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs). Now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real-world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series: 1. Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai 2. Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor 3. (This blog post) You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri 4. Microsoft Defender for Office 365: Fine-Tuning | Real-world Defender for Office 365 tuning that closes real attack paths by Joe Stocker Learn and Engage with the Microsoft Security Community Log in and follow this Microsoft Defender for Office 365 blog and follow/post in the Microsoft Defender for Office 365 discussion space. Follow = Click the heart in the upper right when you're logged in 🤍 Learn more about the Microsoft MVP Program. Join the Microsoft Security Community and be notified of upcoming events, product feedback surveys, and more. Get early access to Microsoft Security products and provide feedback to engineers by joining the Microsoft Customer Connection Community. Join the Microsoft Security Community LinkedInProtection Against Email Bombs with Microsoft Defender for Office 365
In today's digital age, email remains a critical communication tool for businesses and individuals. However, with the increasing sophistication of cyberattacks, email security has become more important than ever. One such threat that has been growing is the email bombing, a form of net abuse that sends large volumes of email to an address to overflow the mailbox, overwhelm the server, or distract attention from important email messages indicating a security breach. Email bomb - Wikipedia Understanding Email Bombing Email bombing, typically involves subscribing victims to a large number of legitimate newsletter and subscription services. Each subscription service sends email notifications, which in aggregate create a large stream of emails into the victim’s inbox, making email triage for legitimate emails very difficult. This form of attack is essentially a denial-of-service (DDOS) on the victim's email triaging attention budget. Hybrid Attacks More recently, email subscription bombs have been coupled with simultaneous lures on Microsoft Teams, Zoom, or via phone calls. Attackers impersonate IT support and offer to help solve the email problem caused by the spike of unwanted emails, ultimately compromising the victim's system or installing malware on their system. This type of attack is brilliant because it creates a sense of urgency and legitimacy, making victims more likely to accept remote assistance and inadvertently allow malware planting or data theft. Read about the use of mail bombs where threat actors misused Quick Assist in social engineering attacks leading to ransomware | Microsoft Security Blog. Incidence and Purpose of Email Bombing Email bombing attacks have been around for many years but can have significant impacts on targeted individuals, such as enterprise executives, HR or finance representatives. These attacks are often used as precursors to more serious security incidents, including malware planting, ransomware, and data exfiltration. They can also mute important security alerts, making it easier for attackers to carry out fraudulent activities without detection. New Detection technology for Mail Bombing attacks To address the limitations of current defenses which often include the victim’s attempt to build their own mail flow rules, Microsoft Defender for Office 365 releases a comprehensive solution involving a durable block to limit the influx of emails, majority of which are often Spam. By intelligently tracking message volumes across different sources and time intervals, this new detection leverages historical patterns of the sender and signals related to spam content. It prevents mail bombs from being dropped into the user’s inbox and the messages are rather sent to the Junk folder (of Outlook). Note: Safe sender lists in Outlook continue to be honored, so emails from trustworthy sources are not unexpectedly moved to the Junk folder (in order to prevent false positives). Since the initial rollout that started in early May, we’ve seen a tremendous impact in blocking mail bombing attacks out of our customers’ inboxes: How to leverage new “Mail bombing” detection technology in SOC experiences 1. Investigation and hunting: SOC analysts can now view the new Detection technology as Mail bombing within the following surfaces: Threat Explorer, Email entity page and Advanced Hunting empowering them to investigate, filter and hunt for threats related to mail bombing. 2. Custom detection rule: To analyze the frequency and volume of attacks from mail bombing vector, or to have automated alerts configured to notify SOC user whenever there is a mail bombing attack, SOC analysts can utilize the custom detection rules in Advanced hunting by writing a KQL query using data in DetectionMethods column of EmailEvents table. Here’s a sample query to get you started: EmailEvents | where Timestamp > ago(1d) | where DetectionMethods contains "Mail bombing" | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, ReportId The SOC experiences are rolled out worldwide to all customers. Conclusion Email bombs represent an incidental threat in the world of cybersecurity. With the new detection technology for Mail Bombing, Microsoft Defender for Office 365 protects users from these attacks and empowers Security Operations Center Analysts to ensure to gain visibility into such attacks and take quick actions to keep organizations safe! Note: The Mail bombing protection is available by default in Exchange Online Protection and Microsoft Defender for Office 365 plans. This blog post is associated with Message Center post MC1096885. Also read Part 2 of our blog series to learn more about protection against multi-modal attacks involving mail bombing and correlation of Microsoft Teams activity in Defender. Learn: Detection technology details table What's on the Email entity page Filterable properties in the All email view in Threat ExplorerProtect your organizations against QR code phishing with Defender for Office 365
QR code phishing campaigns have most recently become the fastest growing type of email-based attack. These types of attacks are growing and embed QR code images linked to malicious content directly into the email body, to evade detection. They often entice unwitting users with seemingly genuine prompts, like a password reset or a two-factor authentication request. Microsoft Defender for Office 365 is continuously adapting as threat actors evolve their methodologies. In this blog post we’ll share more details on how we’re helping defenders address this threat and keeping end-users safe.
Submissions Response Using AI for Enhanced Result Explainability
We are pleased to announce that Microsoft Defender for Office 365 now features large language model (LLM)-powered responses within the submission workflow. This update provides security and Exchange admins with clear, actionable insights into the reasons behind the classification of each submission whether as spam, phishing, bulk, or clean - enabling more informed decision-making and response. What's new? Historically, submission results such as Threats found or No threats found have provided limited insight into the reasoning behind classification decisions. The implementation of AI-LLM-based responses addresses this limitation by delivering intuitive and context-rich explanations that clarify why a message was categorized as spam, phishing, bulk, or clean. This enhancement reduces ambiguity and facilitates faster, more accurate responses by administrators. LLM-based responses are now available for administrative email submissions made from any location within the Defender portal. Where can you see LLM based responses? Submissions page at https://security.microsoft.com/reportsubmission : On the Emails tab, select entry to view the LLM based explanation in the details flyout. Example- Example where submissions response came as clean- No threats found. The email is a simple and benign message with no malicious content or suspicious links. The sender and recipient both belong to the same domain (contoso.com), indicating internal communication. Interacting with this email poses no risk as it contains no harmful elements. Example where submissions response came as malicious- Threats found. The sender's email address (bad-vaibhav@contosoo.com) is suspicious and not associated with any legitimate organization. The email subject uses excessive promotional language and emojis, which is typical of spam emails. Interacting with the message could lead to unwanted advertisements or potential scams. Clicking on the provided link leads to a Contoso login page, which is a standard procedure for accessing internal resources. Key Result Types with LLM Support For the result types like Threats found, No threat found, Bulk, Spam and a few Unknowns, you will see the LLM-based explanation. However, if for any reason the AI-generated explanation is unavailable, the system will fall back to the existing explanation, ensuring continuity in the experience. Learn more: Check out our documentation for more details on submission workflows and AI-LLM based integration. Have feedback or questions about LLM based response? Join the conversation in the Microsoft Defender for Office 365 community forum.
Build custom email security reports and dashboards with workbooks in Microsoft Sentinel
Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, sometimes security teams require custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights to meet their needs. We previously shared an example of how you can leverage Power BI and the Microsoft Defender XDR Advanced Hunting APIs to build a custom dashboard and shared a template that you can customize and extend. In this blog, we will showcase how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. We will also share an example workbook that is now available and can be customized based on your organization’s needs. Why use workbooks in Microsoft Sentinel? There are many potential benefits to using workbooks if you already use Microsoft Sentinel and already stream the hunting data tables for Defender for Office 365: You can choose to store data for a longer period of time via configuring longer retention for tables you use for your workbooks. For example you can store Defender for Office 365 EmailEvents table data for 1 year and build visuals over longer period of time. You can customize your visuals easily based on your organization’s needs. You can configure auto-refresh for the workbook to keep the data shown up to date. You can access ready to use workbook templates and customize them if it's needed. Getting started After you connect your data sources to Microsoft Sentinel, you can visualize and monitor the data using workbooks in Microsoft Sentinel. Ensure that Microsoft Defender XDR is installed in your Microsoft Sentinel instance, so you can use Defender for Office 365 data with a few simple steps. Detection and other Defender for Office 365 insights are already available as raw data in the Microsoft Defender XDR advanced hunting tables: EmailEvents - contains information about all emails EmailAttachmentInfo - contains information about attachments in emails EmailUrlInfo - contains information about URLs in emails EmailPostDeliveryEvents – contains information about Zero-hour auto purge (ZAP) or Manual remediation events UrlClickEvents - contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps. CloudAppEvents – CloudAppEvents can be used to visualize user reported Phish emails and Admin submissions with Defender for Office 365. The Microsoft Defender XDR solution in Microsoft Sentinel provides a connector to stream the above data continuously into Microsoft Sentinel. Microsoft Sentinel then allows you to create custom workbooks across your data or use existing workbook templates available with packaged solutions or as standalone content from the content hub. How to access the workbook template We are excited to share a new workbook template for Defender for Office 365 detection and data visualization, which is available in the Microsoft Sentinel Content hub. The workbook is part of the Microsoft Defender XDR solution. If you are already using our solution, this update is now available for you. If you are installing the Microsoft Defender XDR solution for the first time, this workbook will be available automatically after installation. After the Microsoft Defender XDR solution is installed (or updated to the latest available version), simply navigate to the Workbooks area in Microsoft Sentinel and on the Templates tab select Microsoft Defender for Office 365 Detection and Insights. Using the “View Template” action loads the workbook. What insights are available in the template? The template has the following sections with each section deep diving into various areas of email security, providing details and insights to security team members: Detection overview Email - Malware Detections Email - Phish Detections Email - Spam Detections Email - Business Compromise Detections (BEC) Email - Sender Authentication based Detections URL Detections and Clicks Email - Top Users/Senders Email - Detection Overrides False Negative/Positive Submissions File - Malware Detections (SharePoint, Teams and OneDrive) Post Delivery Detections and Admin Actions Email - Malware Detections Email - Business Compromise Detections (BEC) Email - Sender Authentication based Detections URL Detections and Clicks False Negative/Positive Submissions File - Malware Detections (SharePoint, Teams and OneDrive) Post Delivery Detections and Admin Actions Can I customize the workbook? Yes, absolutely. Based on the email attributes in the Advanced Hunting schema, you can define more functions and visuals as needed. For example, you can use the DetectionMethods field to analyse detections caught by capabilities like Spoof detections, Safe Attachment, and detection for emails containing URLs extracted from QR codes. You can also bring other data sources into Microsoft Sentinel as tables and use them when creating visuals in the workbook. This sample workbook is a powerful showcase for how you can use the Defender for Office 365 raw detection data to visualize email security detection insights directly in Microsoft Sentinel. It enables organizations to easily create customized dashboards that can help them analyse, track their threat landscape, and respond quickly—based on unique requirements. Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum. More information Integrate Microsoft Defender XDR with Microsoft Sentinel. Learn more about Microsoft Sentinel workbooks. Microsoft Defender for Office 365 Detection Details Report – Updated Power BI template for Microsoft Sentinel and Log Analytics Learn more about Microsoft Defender XDR.Announcing quarantine release integration in Microsoft Defender for Office 365 hunting experience!!
This feature allows SecOps teams to define and better filter on messages with custom queries and take release action directly from hunting experiences - Threat Explorer, Advanced Hunting, Email summary panel, Email Entity Page, and custom detections!!
