Latest Discussions
Configure Quarantine Notifications to Admins when any Email is quarantined
Hi All, Good morning, I would like to understand the possible options in EOP and defender for O365 to send an alert or notification mail to the E-mail administrator as soon as any mail is quarantined for any user mailbox in Exchange online. I searched most of the options, but I don't see any solid solution for this. Please share your thoughts and experience on this. Thanks in advance.
NS | Dec 13, 2024 | Copper Contributor | 114 Views | 0 likes | 2 Comments

Assessing Microsoft Defender for Office365 Effectiveness
I'm looking to gather three data points from Defender for Office365. I'm looking for true positives (emails that have been detected as malicious), false positives (emails detected as malicious but released from quarantine) and false negatives (emails not detected as malicious but later reported by users as phishing). Is there any easy way to find these in logs? Or get counts of these?
dsmhood | Dec 13, 2024 | Occasional Reader | 19 Views | 0 likes | 1 Comment

Defender false positive on SharePoint links
We have an external business partner emailing SharePoint links for sensitive information. M365 Defender is consistently flagging the link as malicious with no clear indication as to why. So we get the following:
- alerts generated in Defender
- emails flagged in email explorer and quarantined
- Defender Smart Screen blocks the safe link/original URL but displays a different URL
I have already added the domain to the Allow list in the IoC. I have submitted the domain and specific URL to Microsoft for review.
Questions:
- how to edit the Defender Smart Screen blocks?
- is there a quicker way to list a URL or domain as safe so users can load?
HathMH | Dec 13, 2024 | Copper Contributor | 37 Views | 0 likes | 1 Comment

Anti-malware policy doesn't block files
Hello Microsoft Community, We have recently found that the Anti-malware policy doesn't block files that are set to be blocked by the policy. For example, when we send an *.ics file with cmd/exe/jse/rdp and other files inside of the ics, the email is not blocked and is delivered to users. We did several tests with an external security vendor by sending real malware, ransomware and exploits attached to the ics and all of them passed the filtering system. Is anyone aware of the issue? Doesn't MDO scan nested files?! This has happened with a few tenants. Those tenants have Microsoft E5 licenses.
mikhailf | Dec 01, 2024 | Steel Contributor | 53 Views | 1 like | 0 Comments

Automating User Tags
When we create a custom user tag we can select a group and have all the users in the group tagged. However if a user is removed or added to that group at a later stage the tag is not removed/added. Is there a way to automate this? Only thing I found is that this was before on the roadmap but seems to have been removed?
https://m365admin.handsontek.net/microsoft-defender-for-office-365-tagging-support-for-groups/
https://learn.microsoft.com/en-us/defender-office-365/user-tags-about
If you assign a group to a user tag, members of the group at the time of tag creation are assigned tag. Users later added to the group aren't automatically assigned the user tag.
JimmyWork | Nov 19, 2024 | Iron Contributor | 24 Views | 0 likes | 1 Comment

Emails being accepted by large organisation
Hi, I have to interact regularly with a large UK public sector organisation. Unfortunately, a number of my emails (and those of my colleagues that have the same domain name) end up in spam folders or spam quarantines and it is very frustrating. I have requested that our email addresses are "whitelisted" but this has been refused on the grounds of security even though there is no history of the domain being used insecurely. I am told it is because of the "hopping" of my emails. My emails have the spf on them. I have also never received a blocked senders notice from Microsoft. Is there anything that can be done?
BB_scamperdash | Nov 13, 2024 | Copper Contributor | 1.8K Views | 0 likes | 5 Comments

Add "Add Sender to Safe Senders" button to quarantine email
We're really liking the email filtering with Defender for Office overall, and the quarantine emails are great (if maybe a bit too spaced out), but one feature that really feels missing is an "Add to Safe Senders" button for end users. I understand they can do it by actually going to the quarantine page if they know where to look, but most of our users never actually do that. It would be amazing to have the option next to "Review Message" and "Release" to "Add to Safe Senders." We often get users submitting tickets to our help desk to ask for addresses to be whitelisted (which also isn't best practice generally), and they don't really understand that they can just add the sender to their own Safe Sender list. I think this would be a massive boost to the user experience and quality of the product - hope the product group will consider it. Thanks
GeorgeBarron | Nov 04, 2024 | Copper Contributor | 223 Views | 0 likes | 4 Comments

Tenant Allow/Block Lists not working as expected
The following is stated on Microsoft's docs related to adding an allow entry in a tenant's Allow/Block lists: When you submit a blocked message as I've confirmed it's clean and then select Allow this message, an allow entry for the sender is added to the Domains & email addresses tab on the Tenant Allow/Block Lists page.
ref: https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-email-spoof-configure#create-allow-entries-for-domains-and-email-addresses
I've been submitting quarantined messages for a while now with the specified verdict, both directly from quarantine queue while also using https://security.microsoft.com/reportsubmission. Either way, none of these result in an email address allow entry to be added in Tenant Allow list page. What am I missing?
Marnik | Oct 31, 2024 | Brass Contributor | 510 Views | 0 likes | 2 Comments

IP whitelist not working - Phishing Simulation setup
I am trying to set up 3rd party (TrendMicro) Phishing Simulation for Exchange online. The very first step is to add the source IP into the whitelist. But whatever whitelists I have added the source IPs to won't stop the server picking up the test messages as spam.
1. I added an Exchange Rule for the group of IPs, and changed the priority to 0:
2. In the Security, I set up an Advanced Delivery rule - Phishing Simulation exemption list
3. I also added an anti-spam policy - connection filter policy to white list the range of IPs.
Unfortunately I still have these test messages blocked for high spam SCL. Even though the Exchange Transport rule in step 1 above did apply, the message is still picked up by the system as SCL 9 and Quarantined. Any help will be appreciated very much.
Solved | james3149 | Oct 28, 2024 | Copper Contributor | 328 Views | 0 likes | 3 Comments

MS 365 Defender - What permissions are needed to move and delete emails in Explorer?
I need a tech with limited permissions to be able to Remediate malicious email delivered in Office 365. These are the options I have in Admin. I tried a bunch of recommended actions, yet I don't seem to have the correct Admin portals as shown here. For example, I don't have MS 365 Defender Permissions Group shown in the video:
Layne123 | Oct 22, 2024 | Copper Contributor | 640 Views | 0 likes | 4 Comments