Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.
This article will introduce you to your new Microsoft Defender for Office 365 security
properties in the Cloud. Whether you're part of a Security Operations Center, you're a
Security Administrator new to the space, or you want a refresher, let's get started.
Caution
If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and
need Safe Links or Safe Attachments info, click this link: Advanced Outlook.com
security for Microsoft 365 subscribers .
Note
If you bought your subscription and need to roll out security features right now,
skip to the steps in the Protect Against Threats article. If you're new to your
subscription and would like to know your license before you begin, browse Billing
> Your Products in the Microsoft 365 admin center .
Office 365 security builds on the core protections offered by EOP. EOP is present in any
subscription where Exchange Online mailboxes can be found (remember, all the security
products discussed here are Cloud-based).
You may be accustomed to seeing these three components discussed in this way:
EOP | Microsoft Defender for Office 365 P1 | Microsoft Defender for Office 365 P2
But in terms of architecture, let's start by thinking of each piece as cumulative layers of
security, each with a security emphasis. More like this:
Though each of these services emphasizes a goal from among Protect, Detect,
Investigate, and Respond, all the services can carry out any of the goals of protecting,
detecting, investigating, and responding.
The core of Office 365 security is EOP protection. Microsoft Defender for Office 365 P1
contains EOP in it. Defender for Office 365 P2 contains P1 and EOP. The structure is
cumulative. That's why, when configuring this product, you should start with EOP and
work to Defender for Office 365.
Though email authentication configuration takes place in public DNS, it's important to
configure this feature to help defend against spoofing. If you have EOP, you should
configure email authentication.
If you have Office 365 E3 or below, you have EOP, with the option to buy Defender for
Office 365 P1 as a standalone add-on. If you have Office 365 E5, you already have
Defender for Office 365 P2.
Tip
If your subscription is neither Office 365 E3 or E5, you can still check to see if you
have the option to upgrade to Microsoft Defender for Office 365 P1. If you're
interested, this webpage lists subscriptions eligible for the Microsoft Defender
for Office 365 P1 upgrade (check the end of the page for the fine-print).
Important
Learn the details on these pages: Exchange Online Protection, and Defender for
Office 365.
What adding a Microsoft Defender for Office 365 plan gives you beyond EOP threat
management alone can be difficult to tell at first glance. To help decide whether an
upgrade path is right for your organization, let's look at the capabilities of each
product when it comes to:
Because these products are cumulative, if you evaluate Microsoft Defender for Office
365 P1 and decide to subscribe to it, you'll add these abilities.
So, Microsoft Defender for Office 365 P1 expands on the prevention side of the house,
and adds extra forms of detection.
Microsoft Defender for Office 365 P1 also adds Real-time detections for investigations.
This threat hunting tool's name is in bold because having it is a clear sign that you
have Defender for Office 365 P1: it doesn't appear in Defender for Office 365 P2.
So, Microsoft Defender for Office 365 P2 expands on the investigation and response
side of the house, and adds a new strength: automation.
In Microsoft Defender for Office 365 P2, the primary hunting tool is called Threat
Explorer rather than Real-time detections. If you see Threat Explorer when you navigate
to the Microsoft 365 Defender portal, you're in Microsoft Defender for Office 365 P2.
To get into the details of Microsoft Defender for Office 365 P1 and P2, jump to this
article.
Tip
EOP and Microsoft Defender for Office 365 are also different when it comes to end-
users. In EOP and Defender for Office 365 P1, the focus is awareness, and so those
two services include the Report message Outlook add-in so users can report emails
they find suspicious, for further analysis.
In Defender for Office 365 P2 (which contains everything in EOP and P1), the focus
shifts to further training for end-users, and so the Security Operations Center has
access to a powerful Threat Simulator tool, and the end-user metrics it provides.
Defender for Office 365 Plan 1
Configuration, protection, and detection capabilities:
- Safe Attachments
- Safe Links
- Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
- Anti-phishing protection in Defender for Office 365
- Real-time detections

Defender for Office 365 Plan 2
Defender for Office 365 Plan 1 capabilities --- plus --- automation, investigation,
remediation, and education capabilities:
- Threat Trackers
- Threat Explorer
- Automated investigation and response
- Attack simulation training
- Proactively hunt for threats with advanced hunting in Microsoft 365 Defender
- Investigate incidents in Microsoft 365 Defender
- Investigate alerts in Microsoft 365 Defender
Microsoft Defender for Office 365 Plan 2 is included in Office 365 E5, Office 365
A5, and Microsoft 365 E5.
Microsoft Defender for Office 365 Plan 1 is included in Microsoft 365 Business
Premium.
Microsoft Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2 are
each available as an add-on for certain subscriptions. To learn more, here's another
link Feature availability across Microsoft Defender for Office 365 plans.
The Safe Documents feature is only available to users with the Microsoft 365 A5 or
Microsoft 365 E5 Security licenses (not included in Microsoft Defender for Office
365 plans).
If your current subscription doesn't include Microsoft Defender for Office 365 and
you want it, contact sales to start a trial, and find out how Microsoft Defender for
Office 365 can work in your organization.
Microsoft Defender for Office 365 P2 customers have access to Microsoft 365
Defender integration to efficiently detect, review, and respond to incidents and
alerts.
Tip
Insider tip. You can use the Microsoft Learn table of contents to learn about EOP
and Microsoft Defender for Office 365. Navigate back to this page, Office 365
Security overview, and you'll notice that table of contents organization in the side-
bar. It begins with Deployment (including migration) and then continues into
prevention, detection, investigation, and response.
Where to go next
If you're a Security Admin, you may need to configure DKIM or DMARC for your mail.
You may want to roll out 'Strict' security presets for your priority users, or look for what's
new in the product. Or if you're with Security Ops, you may want to leverage Real-time
detections or Threat Explorer to investigate and respond, or train end-user detection
with Attack Simulator. Either way, here are some additional recommendations for what
to look at next.
Email Authentication, including SPF, DKIM, and DMARC (with links to setup of all three)
See the specific recommended 'golden' configs and use their recommended presets to
configure security policies quickly
Catch up on what's new in Microsoft Defender for Office 365 (including EOP
developments)
Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.
Applies to:
This article lists new features in the latest release of Microsoft Defender for Office 365.
Features that are currently in preview are denoted with (preview).
For more information on what's new with other Microsoft Defender security products,
see:
December 2022
The new Microsoft 365 Defender role-based access control (RBAC) model, with
support for Microsoft Defender for Office, is now available in public preview. For
more information, see Microsoft 365 Defender role-based access control (RBAC).
Use the built-in Report button in Outlook on the web: Use the built-in Report
button in Outlook on the web to report messages as phish, junk, and not junk.
October 2022
Manage your allows and blocks in the Tenant Allow/Block List:
With allow expiry management (currently in private preview), if Microsoft
hasn't learned from the allow, Microsoft will automatically extend the expiry
time of allows, which are going to expire soon, by 30 days to prevent legitimate
email from going to junk or quarantine again.
Customers in the government cloud environments will now be able to create
allow and block entries for URLs and attachments in the Tenant Allow/Block List
using the admin URL and email attachment submissions. The data submitted
through the submissions experience won't leave the customer tenant, thus
satisfying the data residency commitments for government cloud clients.
Enhancement in URL click alerts:
With the new lookback scenario, the "A potentially malicious URL click was
detected" alert will now include any clicks during the past 48 hours (for emails)
from the time the malicious URL verdict is identified.
September 2022
Anti-spoofing enhancement for internal domains and senders:
For spoofing protection, the allowed senders or domains defined in the anti-
spam policy and within user allow lists must now pass authentication in order
for the allowed messages to be honored. The change only impacts messages
that are considered to be internal (the sender or sender's domain is in an
accepted domain in the organization). All other messages will continue to be
handled as they are today.
Automatic redirection from Office 365 Security & Compliance Center to Microsoft 365
Defender portal: Automatic redirection begins for users accessing the security solutions
in Office 365 Security & Compliance center (protection.office.com) to the appropriate
solutions in Microsoft 365 Defender portal (security.microsoft.com). This is for all
security workflows like: Alerts, Threat Management, and Reports.
Redirection URLs:
GCC Environment:
From Office 365 Security & Compliance Center URL: protection.office.com
To Microsoft 365 Defender URL: security.microsoft.com
GCC-High Environment:
From Office 365 Security & Compliance Center URL: scc.office365.us
To Microsoft 365 Defender URL: security.microsoft.us
DoD Environment:
From Office 365 Security & Compliance Center URL: scc.protection.apps.mil
To Microsoft 365 Defender URL: security.apps.mil
Items in the Office 365 Security & Compliance Center that aren't related to security
aren't redirected to Microsoft 365 Defender. For compliance solutions redirection
to Microsoft 365 Compliance Center, see Message Center post 244886.
This is a continuation of Microsoft 365 Defender delivers unified XDR experience to
GCC, GCC High and DoD customers - Microsoft Tech Community , announced in
March 2022.
This change enables users to view and manage additional Microsoft 365 Defender
security solutions in one portal.
This change impacts all customers who use the Office 365 Security & Compliance
Center (protection.office.com), including Microsoft Defender for Office (Plan 1 or
Plan 2), Microsoft 365 E3 / E5, Office 365 E3/ E5, and Exchange Online Protection.
For the full list, see Security & Compliance Center - Service Descriptions | Microsoft
Docs
This change impacts all users who log in to the Office 365 Security and Compliance
portal (protection.office.com), including security teams and end-users who access
the Email Quarantine experience, at the Microsoft Defender Portal > Review >
Quarantine.
Redirection is enabled by default and impacts all users of the Tenant.
Global Administrators and Security Administrators can turn on or off redirection in
the Microsoft 365 Defender portal by navigating to Settings > Email &
collaboration > Portal redirection and switch the redirection toggle.
Built-in protection: A profile that enables a base level of Safe Links and Safe
Attachments protection that's on by default for all Defender for Office 365
customers. To learn more about this new policy and order of precedence, see
Preset security policies and to learn about the specific Safe Links and Safe
Attachment controls set, see Safe Attachments settings and Safe Links settings.
Bulk Complaint Level is now available in the EmailEvents table in Advanced
Hunting, with numeric BCL values from 0 to 9. A higher BCL score indicates that the
bulk message is more likely to generate complaints and is more likely to be spam.
July 2022
Introducing actions into the email entity page: Admins can take preventative,
remediation and submission actions from email entity page.
June 2022
Use the Microsoft 365 Defender portal to create allow entries for spoofed senders
in the Submissions portal: Create allowed spoofed sender entries using the Tenant
Allow/Block List.
Impersonation allows using admin submission: Add allows for impersonated
senders using the Submissions page in Microsoft 365 Defender.
View associated alert for user and admin submissions: View the corresponding
alert for each user reported phish message and admin email submission.
Simplifying the quarantine experience (part two) in Microsoft 365 Defender for
Office 365: Highlights additional features to make the quarantine experience
even easier to use.
April 2022
Introducing the URLClickEvents table in Microsoft 365 Defender Advanced
Hunting : Introducing the UrlClickEvents table in advanced hunting with
Microsoft Defender for Office 365.
Manual email remediation enhancements: Bringing manual email purge actions
taken in Microsoft Defender for Office 365 to the Microsoft 365 Defender (M365D)
unified Action Center using a new action-focused investigation.
Introducing differentiated protection for priority accounts in Microsoft Defender
for Office 365 : Introducing the general availability of differentiated protection for
priority accounts.
March 2022
Streamlined the submission experience in Microsoft Defender for Office 365 :
Introducing the new unified and streamlined submission process to make your
experience simpler.
January 2022
Updated Hunting and Investigation Experiences for Microsoft Defender for Office
365 : Introducing the email summary panel for experiences in Defender for Office
365, along with experience updates for Threat Explorer and Real-time detections.
October 2021
Advanced Delivery DKIM enhancement: Added support for DKIM domain entry as
part of third-party phishing simulation configuration.
Secure by Default: Extended Secure by Default for Exchange mail flow rules (also
known as transport rules).
September 2021
Improved reporting experience in Defender for Office 365
Quarantine policies: Admins can configure granular control for recipient access to
quarantined messages and customize end-user spam notifications.
Video of admin experience
Video of end-user experience
Other new capabilities coming to the quarantine experience are described in
this blog post: Simplifying the Quarantine experience .
Portal redirection by default begins, redirecting users from Security & Compliance
to Microsoft 365 Defender https://security.microsoft.com . For more on this, see:
Redirecting accounts from Office 365 Security & Compliance Center to Microsoft
365 Defender
August 2021
Admin review for reported messages: Admins can now send templated messages
back to end users after they review reported messages. The templates can be
customized for your organization and based on your admin's verdict as well.
You can now add allow entries to the Tenant Allow/Block List if the blocked message
was submitted as part of the admin submission process. Depending on the nature
of the block, the submitted URL, file, and/or sender allow will be added to the
Tenant Allow/Block List. In most cases, the allows are added to give the system
some time to learn and allow the item naturally if warranted. In some cases, Microsoft
manages the allow for you. For more information, see:
Use the Microsoft 365 Defender portal to create allow entries for URLs in the
Submissions portal
Use the Microsoft 365 Defender portal to create allow entries for files in the
Submissions portal
Use the Microsoft 365 Defender portal to create allow entries for domains and
email addresses in the Submissions portal
July 2021
Email analysis improvements in automated investigations
Advanced Delivery: Introducing a new capability for configuring the delivery of
third-party phishing simulations to users and unfiltered messages to security
operation mailboxes.
Safe Links for Microsoft Teams
New alert policies for the following scenarios: compromised mailboxes, Forms
phishing, malicious mails delivered due to overrides and rounding out ZAP
Suspicious email forwarding activity
User restricted from sharing forms and collecting responses
Form blocked due to potential phishing attempt
Form flagged and confirmed as phishing
New alert policies for ZAP
Microsoft Defender for Office 365 alerts is now integrated into Microsoft 365
Defender - Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue
User Tags are now integrated into Microsoft Defender for Office 365 alerting
experiences, including: the alerts queue and details in Office 365 Security &
Compliance, and scoping custom alert policies to user tags to create targeted alert
policies.
Tags are also available in the unified alerts queue in the Microsoft 365 Defender
portal (Microsoft Defender for Office 365 Plan 2)
June 2021
New first contact safety tip setting within anti-phishing policies. This safety tip is
shown when recipients first receive an email from a sender or don't often receive
email from a sender. For more information on this setting and how to configure it,
see the following articles:
First contact safety tip
Configure anti-phishing policies in EOP
Configure anti-phishing policies in Microsoft Defender for Office 365
April/May 2021
Email entity page: A unified 360-degree view of an email with enriched information
around threats, authentication and detections, detonation details, and a brand-
new email preview experience.
Office 365 Management API: Updates to EmailEvents (RecordType 28) to add
delivery action, original and latest delivery locations, and updated detection
details.
Threat Analytics for Defender for Office 365: View active threat actors, popular
techniques and attack surfaces, along with extensive reporting from Microsoft
researchers around ongoing campaigns.
February/March 2021
Alert ID integration (search using Alert ID and Alert-Explorer navigation) in hunting
experiences
Increasing the limits for Export of records from 9990 to 200,000 in hunting
experiences
Extending the Explorer (and Real-time detections) data retention and search limit
for trial tenants from 7 (previous limit) to 30 days in hunting experiences
New hunting pivots called Impersonated domain and Impersonated user within
the Explorer (and Real-time detections) to search for impersonation attacks against
protected users or domains. For more information, see details. (Microsoft Defender
for Office 365 Plan 1 or Plan 2)
See also
Microsoft 365 roadmap
Microsoft Defender for Office 365 Service Description
Microsoft Defender for Office 365
Article • 12/22/2022 • 8 minutes to read
Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.
Applies to
Important
If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and
you need info about Safe Links or Safe Attachments in Outlook blocking emails, see
Advanced Outlook.com security for Microsoft 365 subscribers.
Microsoft Defender for Office 365 safeguards your organization against malicious
threats posed by email messages, links (URLs), and collaboration tools. Defender for
Office 365 includes:
Installation by Preset can set up everything for you: The easiest and the
recommended setup automates the roll-out of a secure environment (if automated
policies are possible in your organization). Abbreviated steps are available too: Just
the steps for preset policy setup, please!
Reports: View real-time reports to monitor Defender for Office 365 performance in
your organization.
You'll also see how Defender for Office 365 can help you define protection policies,
analyze threats to your organization, and respond to attacks.
This article spells out what makes up the two products, and the emphasis of each part of
Microsoft Defender for Office 365 using a familiar structure: Protect, Detect, Investigate,
and Respond.
The goal of this article is clarity and quick readability. So, don't miss it!
Getting Started
There are two methods to set up Microsoft Defender for Office 365 for your
subscription.
Note
Microsoft Defender for Office 365 comes in two different Plan types. You can tell if
you have Plan 1 if you have 'Real-time Detections', and Plan 2, if you have Threat
Explorer. The Plan you have influences the tools you will see, so be certain that
you're aware of your Plan as you learn.
With Microsoft Defender for Office 365, your organization's security team can configure
protection by defining policies in the Microsoft 365 Defender portal at
https://security.microsoft.com at Email & collaboration > Policies & rules > Threat
policies. Or, you can go directly to the Threat policies page by using
https://security.microsoft.com/threatpolicy .
Tip
For a quick list of policies to define, see Protect against threats.
Policy options are extremely flexible. For example, your organization's security team can
set fine-grained threat protection at the user, organization, recipient, and domain level.
It is important to review your policies regularly because new threats and challenges
emerge daily.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: Protects your
organization when users collaborate and share files, by identifying and blocking
malicious files in team sites and document libraries. To learn more, see Turn on
Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams.
Reports update in real-time, providing you with the latest insights. These reports also
provide recommendations and alert you to imminent threats. Predefined reports include
the following:
Attack simulation training allows you to run realistic attack scenarios in your
organization to identify vulnerabilities. Simulations of current types of attacks are
available, including spear phishing credential harvest and attachment attacks, and
password spray and brute force password attacks.
AIR can save your security operations team time and effort in mitigating threats
effectively and efficiently. To learn more, see AIR in Office 365.
Role: Global Administrator (or Organization Management)
Where to assign: You can assign this role in Azure Active Directory or in the
Microsoft 365 Defender portal. For more information, see Permissions in the
Microsoft 365 Defender portal.

Role: Security Administrator
Where to assign: You can assign this role in Azure Active Directory or in the
Microsoft 365 Defender portal. For more information, see Permissions in the
Microsoft 365 Defender portal.

Role: Search and Purge
Where to assign: This role is available only in the Microsoft 365 Defender portal or
the Microsoft Purview compliance portal. For more information, see Permissions in
the Microsoft 365 Defender portal and Permissions in the Microsoft Purview
compliance portal.
If your subscription doesn't include Defender for Office 365, you can get Defender for
Office 365 Plan 1 or Plan 2 as an add-on to certain subscriptions. To learn more, take a
look at the following resources:
Microsoft Defender for Office 365 availability for a list of subscriptions that include
Defender for Office 365 plans.
Feature availability across Microsoft Defender for Office 365 plans for a list of
features included in Plan 1 and 2.
Get the right Microsoft Defender for Office 365 to compare plans and purchase
Defender for Office 365.
Microsoft Defender for Office 365 Service Description describes features and
availability across Defender for Office 365 plans.
See also
Microsoft 365 Defender
Automated investigation and response (AIR) in Microsoft 365 Defender
Step-by-step threat protection in Microsoft Defender for Office 365
Article • 11/17/2022 • 7 minutes to read
Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.
Applies to:
The Microsoft Defender for Office 365 protection or filtering stack can be broken out
into 4 phases, as in this article. Generally speaking, incoming mail passes through all of
these phases before delivery, but the actual path email takes is subject to an
organization's Defender for Office 365 configuration.
Tip
Stay tuned till the end of this article for a unified graphic of all 4 phases of Defender
for Office 365 protection!
Edge blocks are designed to be automatic. In the case of false positive, senders will be
notified and told how to address their issue. Connectors from trusted partners with
limited reputation can ensure deliverability, or temporary overrides can be put in place,
when onboarding new endpoints.
1. Network throttling protects Office 365 infrastructure and customers from Denial
of Service (DoS) attacks by limiting the number of messages that can be submitted
by a specific set of infrastructure.
2. IP reputation and throttling will block messages being sent from known bad
connecting IP addresses. If a specific IP sends many messages in a short period of
time they will be throttled.
3. Domain reputation will block any messages being sent from a known bad domain.
1. Account compromise detection triggers and alerts are raised when an account has
anomalous behavior, consistent with compromise. In some cases, the user account
is blocked and prevented from sending any further email messages until the issue
is resolved by an organization's security operations team.
2. Email Authentication involves both customer-configured methods and methods
set up in the Cloud, aimed at ensuring that senders are authorized, authentic
mailers. These methods resist spoofing.
SPF lets a receiver reject mail based on a DNS TXT record that lists the IP
addresses and servers allowed to send mail on the domain's behalf.
DKIM adds a cryptographic signature, verified against a public key published in
DNS, that proves the message was sent by the signing domain and was not altered
in transit (the signature is not encryption).
DMARC lets domain owners publish a policy (none, quarantine, or reject) for
messages that fail SPF or DKIM, and requires the domain that passed to align with
the visible From domain.
ARC builds on DMARC to work with forwarding and mailing lists, which break SPF
and often DKIM, by recording an authentication chain at each hop.
3. Spoof intelligence is capable of filtering those allowed to 'spoof' (that is, those
sending mail on behalf of another account, or forwarding for a mailing list) from
malicious senders who imitate organizational or known external domains. It
separates legitimate 'on behalf of' mail from senders who spoof to deliver spam
and phishing messages.
Intra-org spoof intelligence detects and blocks spoof attempts from a domain
within the organization.
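The SPF, DKIM, DMARC and spoof-intelligence steps above, worked through in code. This is an added example and not Microsoft's code: it assumes the receiver has already produced the raw SPF result (with the MAIL FROM domain it checked) and the raw DKIM result (with the signature's d= domain), and shows what DMARC adds on top: record parsing, identifier alignment against the From domain, and the policy action. It also models, in allow_override_applies, the September 2022 anti-spoofing change noted earlier on this page (an anti-spam allowed sender in an accepted domain is honoured only if the message authenticates), using the DMARC verdict as a stand-in for the service's composite authentication. PUBLIC_SUFFIXES and all domains are constructed for the example.

```python
"""
Minimal DMARC evaluator (added example, not Microsoft's code). The receiver is
assumed to have already computed the raw SPF result (plus the MAIL FROM domain
it checked) and the raw DKIM result (plus the d= tag of the signature); this
code adds what DMARC contributes on top: parsing the policy record, identifier
alignment against the RFC5322.From domain, and the policy action.
PUBLIC_SUFFIXES is a constructed subset, enough for the sample domains.
"""

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}  # constructed subset


def org_domain(domain: str) -> str:
    """Organizational domain: one label left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment is an exact match; relaxed ('r') compares
    organizational domains, so mail.contoso.com aligns with contoso.com."""
    auth, frm = auth_domain.lower(), from_domain.lower()
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (verdict, action). DMARC passes when at least one of SPF or DKIM
    passed on its own AND its domain aligns with the From domain; otherwise the
    record's p= policy applies. An SPF pass for an unrelated domain, the usual
    spoofing case, does not help the sender."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


def allow_override_applies(sender, accepted_domains, allowed_senders, dmarc_verdict):
    """Models the September 2022 anti-spoofing change noted earlier on this page:
    an anti-spam allowed sender/domain entry for a sender in one of the tenant's
    accepted (internal) domains is honoured only if the message authenticated;
    entries for external senders are unaffected by this particular rule."""
    domain = sender.lower().split("@")[-1]
    if sender.lower() not in allowed_senders and domain not in allowed_senders:
        return False
    if domain in accepted_domains:
        return dmarc_verdict == "pass"
    return True


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@contoso.com"
    # Legitimate mail: SPF passed for bounce domain mail.contoso.com (relaxed-aligned).
    print(evaluate_dmarc("contoso.com", record, "pass", "mail.contoso.com", "none", None))
    # Spoof: the attacker's own infrastructure authenticates, but nothing aligns.
    print(evaluate_dmarc("contoso.com", record, "pass", "attacker.example",
                         "pass", "attacker.example"))
    # Internal allow-list entry is ignored when the spoofed message fails DMARC.
    print(allow_override_applies("ceo@contoso.com", {"contoso.com"},
                                 {"ceo@contoso.com"}, "fail"))
```

The second call is the case spoof intelligence exists for: the attacker's SPF and DKIM both "pass" for attacker.example, yet DMARC fails because neither identifier aligns with contoso.com, so the p=reject policy applies.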
5. Bulk filtering lets admins configure a bulk complaint level (BCL) threshold that
indicates how likely mail from a bulk sender is to generate complaints. Administrators
use the bulk slider in the anti-spam policy to decide what level of bulk mail to treat
as spam.
8. User impersonation allows an admin to create a list of high value targets likely to
be impersonated. If a mail arrives where the sender only appears to have the same
name and address as the protected high value account, the mail is marked or
tagged. (For example, trαcye@contoso.com for tracye@contoso.com).
9. Domain impersonation detects domains that are similar to the recipient's domain
and that attempt to look like an internal domain. For example, this impersonation
tracye@liwαre.com for tracye@litware.com.
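A lookalike detector in the spirit of the user and domain impersonation checks just described. This is an added example, not Microsoft's code or its detection logic: it folds confusable characters to the ASCII letter they mimic (CONFUSABLES is a constructed subset of the Unicode confusables data, which is why the Greek alpha in the page's own examples is caught) and then compares the result with the protected users and domains by edit distance. Only the sender address is examined; display-name impersonation, which the product also covers, is out of scope here.

```python
"""
Lookalike detector for the user and domain impersonation checks above (added
example, not Microsoft's code). Two steps: fold confusable characters to the
ASCII letter they mimic (CONFUSABLES is a constructed subset of the Unicode
confusables data), then compare the result against the protected users and
domains by edit distance. Only the sender address is examined; display-name
impersonation is out of scope here.
"""
import unicodedata

# Constructed subset of confusables -> the ASCII character they resemble.
CONFUSABLES = {
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "0": "o", "1": "l", "3": "e", "5": "s",
}


def skeleton(text: str) -> str:
    """NFKC-normalize (folds fullwidth forms), lowercase, fold confusables."""
    text = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest(skel: str, candidates, max_distance: int):
    """Best candidate whose skeleton is within max_distance of skel, or None."""
    best = None
    for cand in candidates:
        dist = edit_distance(skel, skeleton(cand))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, cand)
    return best[1] if best else None


def classify(sender: str, protected_users, protected_domains, max_distance: int = 1):
    """Return ('user-impersonation', target), ('domain-impersonation', target)
    or None. The genuine protected address and genuine protected domains are
    not impersonation (whether they were spoofed is the job of email
    authentication, not of this check)."""
    sender = sender.strip().lower()
    domain = sender.rpartition("@")[2]
    if sender in protected_users:
        return None
    hit = closest(skeleton(sender), protected_users, max_distance)
    if hit:
        return ("user-impersonation", hit)
    if domain in protected_domains:
        return None
    hit = closest(skeleton(domain), protected_domains, max_distance)
    if hit:
        return ("domain-impersonation", hit)
    return None


if __name__ == "__main__":
    users = {"tracye@contoso.com"}
    domains = {"contoso.com", "litware.com"}
    for addr in ("tr\u03b1cye@contoso.com", "tracye@litw\u03b1re.com",
                 "tracye@contoso.com", "bob@fabrikam.com"):
        print(addr, "->", classify(addr, users, domains))
```

The user check runs before the domain check so that trαcye@contoso.com is reported as an impersonation of the protected user rather than waved through because contoso.com is a genuine accepted domain. A distance threshold of 1 is deliberately tight; raising it catches more typosquats but also starts flagging real colleagues with similar names.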
1. Transport rules (also known as mail flow rules or Exchange transport rules) allow
an admin to take a wide range of actions when an equally wide range of conditions
are met for a message. All messages that flow through your organization are
evaluated against the enabled mail flow rules / transport rules.
2. Microsoft Defender Antivirus and a third-party Antivirus engine are used to detect
all known malware in attachments.
3. The anti-virus (AV) engines are also used to true-type supported attachment types,
which allows Type blocking to correctly block file types specified by admins.
4. Whenever Microsoft Defender for Office 365 detects a malicious attachment, the
file's hash, and a hash of its active content, are added to Exchange Online
Protection (EOP) reputation. Attachment reputation blocking will block that file
across all Office 365, and on endpoints, through MSAV cloud calls.
6. Machine learning models act on the header, body content, and URLs of a message
to detect phishing attempts.
8. Content heuristics can detect suspicious messages based on structure and word
frequency within the body of the message, using machine learning models.
9. Safe Attachments sandboxes every attachment for Defender for Office 365
customers, using dynamic analysis to detect never-before seen threats.
10. Linked content detonation treats every URL linking to a file in an email as an
attachment, asynchronously sandboxing the file at the time of delivery.
1. Safe Links is Defender for Office 365's time-of-click protection. Every URL in every
message is wrapped to point to Microsoft Safe Links servers. When a URL is clicked
it is checked against the latest reputation, before the user is redirected to the
target site. The URL is asynchronously sandboxed to update its reputation.
2. Zero-hour auto purge (ZAP) for phishing retroactively detects and neutralizes
malicious phishing messages that have already been delivered to Exchange Online
mailboxes.
3. ZAP for malware retroactively detects and neutralizes malicious malware messages
that have already been delivered to Exchange Online mailboxes.
4. ZAP for spam retroactively detects and neutralizes malicious spam messages that
have already been delivered to Exchange Online mailboxes.
5. Campaign Views let administrators see the big picture of an attack, faster and
more completely, than any team could without automation. Microsoft leverages
the vast amounts of anti-phishing, anti-spam, and anti-malware data across the
entire service to help identify campaigns, and then allows admins to investigate
them from start to end, including targets, impacts, and flows, that are also
available in a downloadable campaign write-up.
6. The Report Message add-ins enable people to easily report false positives (good
email, mistakenly marked as bad) or false negatives (bad email marked as good) to
Microsoft for further analysis.
7. Safe Links for Office clients offers the same Safe Links time-of-click protection,
natively, inside supported Office apps like Word, PowerPoint, and Excel.
8. Protection for OneDrive, SharePoint, and Teams offers the same Safe Attachments
protection against malicious files, natively, inside of OneDrive, SharePoint, and
Microsoft Teams.
9. When a URL that points to a file is selected post delivery, linked content
detonation displays a warning page until the sandboxing of the file is complete,
and the URL is found to be safe.
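Because Safe Links rewrites every URL to point at a Safe Links server, the links that show up in click logs, user reports and forwarded mail are the wrapped form, and an analyst usually wants the original destination back before matching it against block lists or threat intelligence. The helper below is an added example written for this page, not Microsoft code; it assumes the wrapped link carries the original destination in its `url` query parameter and that wrapping hosts end in `.safelinks.protection.outlook.com`, and the log lines, host names and block list are constructed sample data.

```python
"""Recover original destinations from Safe Links wrapped URLs in click logs.

Added example for this page (not Microsoft code). Assumptions: the wrapping
host ends in SAFELINKS_SUFFIX and the original destination is URL-encoded in
the 'url' query parameter. All sample data below is constructed.
"""
from urllib.parse import urlparse, parse_qs

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"   # assumed wrapping host suffix


def is_safelinks(url: str) -> bool:
    """True if the URL points at a Safe Links wrapping host."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap(url: str) -> str:
    """Return the original destination of a wrapped URL, or the URL unchanged.

    Forwarded mail can wrap an already wrapped link, so unwrapping repeats
    until a non-Safe-Links URL is reached. A wrapper without a 'url'
    parameter is returned as-is so an analyst can look at it.
    """
    if not is_safelinks(url):
        return url
    params = parse_qs(urlparse(url).query)      # parse_qs also percent-decodes
    original = params.get("url", [None])[0]
    if not original:
        return url
    return unwrap(original)


def destination_host(url: str) -> str:
    return (urlparse(unwrap(url)).hostname or "").lower()


# Constructed click-log lines: "<user> <clicked url>". Not real data.
SAMPLE_CLICKS = [
    "alice@contoso.com https://nam01.safelinks.protection.outlook.com/"
    "?url=https%3A%2F%2Fwww.example.com%2Freport.pdf&data=05%7Cexample&sdata=abc&reserved=0",
    "bob@contoso.com https://eur02.safelinks.protection.outlook.com/"
    "?url=http%3A%2F%2Flogin-verify.example.net%2Fsignin&data=x&reserved=0",
    "carol@contoso.com https://www.example.org/plain",
]

# Constructed block list of destination hosts the SOC considers malicious.
BLOCKLIST = {"login-verify.example.net"}


def clicks_to_blocked_hosts(lines, blocklist):
    """Return (user, original destination) for every click whose real
    destination host is on the block list."""
    hits = []
    for line in lines:
        user, clicked = line.split(" ", 1)
        dest = unwrap(clicked)
        if (urlparse(dest).hostname or "").lower() in blocklist:
            hits.append((user, dest))
    return hits


if __name__ == "__main__":
    for user, dest in clicks_to_blocked_hosts(SAMPLE_CLICKS, BLOCKLIST):
        print(f"{user} clicked a blocked destination: {dest}")
```

The `sdata` and `data` parameters in the wrapper are kept out of the comparison on purpose: only the decoded destination host is matched, so the same phishing host is caught whichever regional Safe Links server wrapped it.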
More information
Do you need to set up Microsoft Defender for Office 365 right now? Use this stack, now,
with this step-by-step to start protecting your organization.
Special thanks from MSFTTracyP and the docs writing team to Giulian Garruba for this
content.
Secure by default in Office 365
Article • 12/22/2022 • 3 minutes to read
Applies to
"Secure by default" is a term used to define the default settings that are as secure as
possible.
However, security needs to be balanced with productivity. This can include balancing
across:
For more information about EOP, see Exchange Online Protection overview.
Because Microsoft wants to keep our customers secure by default, some tenant
overrides are not applied for malware or high confidence phishing. These overrides
include:
Allowed sender lists or allowed domain lists (anti-spam policies)
Outlook Safe Senders
IP Allow List (connection filtering)
Exchange mail flow rules (also known as transport rules)
More information on these overrides can be found in Create safe sender lists.
Note
We have deprecated the Move message to Junk Email folder action for a High
confidence phishing email verdict in EOP anti-spam policies. Anti-spam policies
that use this action for high confidence phishing messages will be converted to
Quarantine message. The Redirect message to email address action for high
confidence phishing messages is unaffected.
Secure by default is not a setting that can be turned on or off, but is the way our
filtering works out of the box to keep potentially dangerous or unwanted messages out
of your mailboxes. Malware and high confidence phishing messages should be
quarantined. By default, only admins can manage messages that are quarantined as
malware or high confidence phishing, and they can also report false positives to
Microsoft from there. For more information, see Manage quarantined messages and
files as an admin in EOP.
Our data indicates that a user is 30 times more likely to click a malicious link in
messages in the Junk Email folder versus Quarantine. Our data also indicates that the
false positive rate (good messages marked as bad) for high confidence phishing
messages is very low, and admins can resolve any false positives with admin
submissions.
We also determined that the allowed sender and allowed domain lists in anti-spam
policies and Safe Senders in Outlook were too broad and were causing more harm than
good.
To put it another way: as a security service, we're acting on your behalf to prevent your
users from being compromised.
Exceptions
You should only consider using overrides in the following scenarios:
Phishing simulations: Simulated attacks can help you identify vulnerable users
before a real attack impacts your organization. To prevent phishing simulation
messages from being filtered, see Configure third-party phishing simulations in the
advanced delivery policy.
Security/SecOps mailboxes: Dedicated mailboxes used by security teams to get
unfiltered messages (both good and bad). Teams can then review to see if they
contain malicious content. For more information, see Configure SecOps mailboxes
in the advanced delivery policy.
Third-party filters: Secure by default only applies when the MX record for your
domain is set to Exchange Online Protection
(contoso.mail.protection.outlook.com). If it's set to another service or device, it is
possible to override Secure by default with a Transport Rule to bypass all spam
filtering. When Microsoft detects messages as High Confidence Phish with this rule
in place, they still deliver to the Inbox.
False positives: You might want to temporarily allow certain messages that are still
being analyzed by Microsoft via Admin submissions. As with all overrides, it is
recommended that they are temporary.
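The rules above interact in a way that is easy to misread: allow lists and mail flow rules still work for spam, they are ignored for malware and high confidence phishing while the MX record points at EOP, and an SCL=-1 mail flow rule behind a third-party filter bypasses all of it. The decision function below is an added example written for this page, not Microsoft code; it encodes only the behaviour the text states, and its verdict, override and action names are labels chosen for the example (the "junk" destination for unoverridden spam is an assumption about the default spam action).

```python
"""Secure-by-default override behaviour, modelled as a decision function.

Added illustration for this page, not Microsoft code. It encodes the rules in
the text so the interaction between verdicts, tenant overrides and MX
placement can be exercised. Names are this example's own labels.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Verdicts the filtering stack can assign (labels chosen for this example).
CLEAN = None
SPAM = "spam"
MALWARE = "malware"
HIGH_CONFIDENCE_PHISH = "high confidence phishing"

# Tenant overrides the text says are NOT applied to malware or
# high confidence phishing while the MX record points at EOP.
TENANT_OVERRIDES = {
    "allowed_sender_list",   # anti-spam policy allowed senders
    "allowed_domain_list",   # anti-spam policy allowed domains
    "outlook_safe_sender",   # Outlook Safe Senders
    "ip_allow_list",         # connection filtering IP Allow List
    "mail_flow_rule",        # Exchange mail flow (transport) rule
}


@dataclass
class Message:
    sender: str
    verdict: Optional[str] = CLEAN
    overrides: Set[str] = field(default_factory=set)   # overrides matching this message


@dataclass
class Tenant:
    mx_points_to_eop: bool       # MX = contoso.mail.protection.outlook.com
    scl_minus_one_rule: bool     # transport rule that bypasses spam filtering


def final_action(msg: Message, tenant: Tenant) -> str:
    """Return where the message ends up: 'inbox', 'junk' or 'quarantine'."""
    if msg.verdict is CLEAN:
        return "inbox"
    if msg.verdict == MALWARE:
        # Malware protection is always enforced, whatever the MX or overrides.
        return "quarantine"
    high_risk = msg.verdict == HIGH_CONFIDENCE_PHISH
    if tenant.mx_points_to_eop:
        if high_risk:
            # Secure by default: overrides are ignored and the message is
            # quarantined (the Junk folder action for this verdict is deprecated).
            return "quarantine"
    elif tenant.scl_minus_one_rule:
        # Third-party filter in front of Microsoft 365 plus an SCL=-1 rule:
        # even high confidence phish is delivered to the Inbox.
        return "inbox"
    if msg.overrides & TENANT_OVERRIDES:
        return "inbox"               # an override is honoured for this verdict
    # Default actions assumed for the example: quarantine for high
    # confidence phishing, Junk Email folder for ordinary spam.
    return "quarantine" if high_risk else "junk"


def bypass_risk(tenant: Tenant) -> bool:
    """True when the tenant's configuration lets high confidence phish reach
    the Inbox, i.e. MX elsewhere plus an SCL=-1 rule (the case to review)."""
    return (not tenant.mx_points_to_eop) and tenant.scl_minus_one_rule


if __name__ == "__main__":
    eop = Tenant(mx_points_to_eop=True, scl_minus_one_rule=False)
    third_party = Tenant(mx_points_to_eop=False, scl_minus_one_rule=True)
    phish = Message("attacker@example.net", HIGH_CONFIDENCE_PHISH, {"allowed_sender_list"})
    print("MX at EOP, allowed sender, HCP  ->", final_action(phish, eop))
    print("3rd-party MX + SCL=-1, HCP      ->", final_action(phish, third_party))
    print("review SCL=-1 bypass?           ->", bypass_risk(third_party))
```

The `bypass_risk` check is the configuration review a SecOps team wants from this section: the SCL=-1 rule itself is not the problem (many third-party filters require it), but as long as it exists the tenant is relying entirely on the upstream filter for high confidence phishing.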
What is Microsoft 365 Defender?
Article • 12/15/2022 • 4 minutes to read
Note
Want to experience Microsoft 365 Defender? Learn more about how you can
evaluate and pilot Microsoft 365 Defender.
Applies to:
Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that
natively coordinates detection, prevention, investigation, and response across
endpoints, identities, email, and applications to provide integrated protection against
sophisticated attacks.
Here's a list of the different Microsoft 365 Defender products and solutions:
Note that Azure Active Directory Identity Protection (AAD IP) is in public preview and
may be substantially modified before it's commercially released. AAD IP is available to
customers only if they already have Microsoft 365 Defender.
With the integrated Microsoft 365 Defender solution, security professionals can stitch
together the threat signals that each of these products receive and determine the full
scope and impact of the threat; how it entered the environment, what it's affected, and
how it's currently impacting the organization. Microsoft 365 Defender takes automatic
action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and
user identities.
Microsoft 365 Defender interactive guide
In this interactive guide, you'll learn how to protect your organization with Microsoft 365
Defender. You'll see how Microsoft 365 Defender can help you detect security risks,
investigate attacks to your organization, and prevent harmful activities automatically.
https://www.microsoft.com/en-us/videoplayer/embed/RE4Bzww?postJsllMsg=true
Microsoft 365 Defender's unique cross-product layer augments the individual service
components to:
Help protect against attacks and coordinate defensive responses across the
services through signal sharing and automated actions.
Narrate the full story of the attack across product alerts, behaviors, and context for
security teams by joining data on alerts, suspicious events and impacted assets to
'incidents'.
Automate response to compromise by triggering self-healing for impacted assets
through automated remediation.
Enable security teams to perform detailed and effective threat hunting across
endpoint and Office data.
Here's an example of how the Microsoft 365 Defender portal correlates all related alerts
across products into a single incident.
Here's an example of query-based hunting on top of email and endpoint raw data.
Licensing requirements
Turn on Microsoft 365 Defender
Try Microsoft Defender for Office 365
Article • 12/22/2022 • 23 minutes to read
As an existing Microsoft 365 customer, the Trials and Evaluation pages in the Microsoft
365 Defender portal at https://security.microsoft.com allow you to try the features of
Microsoft Defender for Office 365 Plan 2 before you buy.
Before you try Defender for Office 365 Plan 2, there are some key questions that you
need to ask yourself:
Do I want to passively observe what Defender for Office 365 Plan 2 can do for me
(audit), or do I want Defender for Office 365 Plan 2 to take direct action on issues
that it finds (block)?
Either way, how can I tell what Defender for Office 365 Plan 2 is doing for me?
How long do I have before I need to make the decision to keep Defender for Office
365 Plan 2?
This article will help you answer those questions so you can try Defender for Office 365
Plan 2 in a way that best meets the needs of your organization.
For a companion guide for how to use your trial, see Trial User Guide: Microsoft
Defender for Office 365.
You can also learn more about Defender for Office 365 at this interactive guide .
Watch this short video to learn more about how you can get more done in less time
with Microsoft Defender for Office 365.
https://www.microsoft.com/en-us/videoplayer/embed/RWMmIe?postJsllMsg=true
Policies
Defender for Office 365 includes the features of Exchange Online Protection (EOP),
which are present in all Microsoft 365 organizations with Exchange Online mailboxes,
and features that are exclusive to Defender for Office 365.
The protection features of EOP and Defender for Office 365 are implemented using
policies. Policies that are exclusive to Defender for Office 365 are created for you as
needed:
Anti-malware policies
Inbound anti-spam protection
Anti-spoofing protection in anti-phishing policies
The default policies for these EOP features are always on, apply to all recipients, and are
always applied last after any custom policies.
Audit mode: Special evaluation policies are created for anti-phishing (which
includes impersonation protection), Safe Attachments, and Safe Links. These
evaluation policies are configured to detect threats only. Defender for Office 365
detects harmful messages for reporting, but the messages aren't acted upon (for
example, detected messages aren't quarantined). The settings of these evaluation
policies are described in the Policies in audit mode section later in this article.
Blocking mode: The Standard template for preset security policies is turned on and
used for the trial, and the users you specify to include in the trial are added to the
Standard preset security policy. Defender for Office 365 detects and takes action on
harmful messages (for example, detected messages are quarantined).
The default and recommended selection is to scope these Defender for Office 365
policies to all users in the organization. But during or after the setup of your trial,
you can change the policy assignment to specific users, groups, or email domains
in the Microsoft 365 Defender portal or in Exchange Online PowerShell.
Blocking mode does not provide customized reports for threats detected by
Defender for Office 365. Instead, the information is available in the regular reports
and investigation features of Defender for Office 365 Plan 2.
A key factor in audit mode vs. blocking mode is how email is delivered to your Microsoft
365 organization:
Mail from the internet flows directly to Microsoft 365, but your current subscription
has only Exchange Online Protection (EOP) or Defender for Office 365 Plan 1.
You're currently using a third-party service or device for email protection of your
Microsoft 365 mailboxes. Mail from the internet flows through the protection
service before delivery into your Microsoft 365 organization. Microsoft 365
protection is as low as possible (it's never completely off; for example, malware
protection is always enforced).
In these environments, you can select audit mode only. You don't need to change
your mail flow (MX records).
If you don't already have Defender for Office 365 Plan 2 licenses (for example,
standalone EOP, Microsoft 365 E3, Microsoft 365 Business Premium, or Defender
for Office 365 Plan 1), you can start your trial from the Microsoft 365 trials page at
https://security.microsoft.com/trialHorizontalHub or the Evaluation mode page
at https://security.microsoft.com/atpEvaluation in the Microsoft 365 Defender
portal. At either location, you can select audit mode (evaluation policies) or
blocking mode (Standard preset security policy) as previously described.
Regardless of which location you use, we'll automatically provision the required
Defender for Office 365 Plan 2 trial licenses for you when you enroll. Manual or
outside steps for getting and assigning Plan 2 licenses in the Microsoft 365 admin
center are no longer required. The trial licenses are good for 90 days:
For organizations without Defender for Office 365 (for example, standalone EOP
or Microsoft 365 E3) the features (in particular, the policies) of Defender for
Office 365 are available to you during the trial period.
Organizations with Defender for Office 365 Plan 1 (for example Microsoft 365
Business Premium or add-on subscriptions) have exactly the same policies as
organizations with Defender for Office 365 Plan 2 (impersonation protection in
anti-phishing policies, Safe Attachments policies, and Safe Links policies). The
security policies from audit mode (evaluation policies) or blocking mode
(Standard preset security policy) don't expire or stop working after 90 days. What
ends after 90 days for these organizations are the automation, investigation,
remediation, and education capabilities of Plan 2 that aren't present in Plan 1.
If you already have Defender for Office 365 Plan 2 (for example, as part of a
Microsoft 365 E5 subscription), you'll never see Defender for Office 365 on the
Microsoft 365 trials page at https://security.microsoft.com/trialHorizontalHub .
Instead, you start your evaluation of Defender for Office 365 Plan 2 on the
Evaluation mode page at https://security.microsoft.com/atpEvaluation in audit
mode (evaluation policies) or blocking mode (Standard preset security policy).
By definition, these organizations don't require trial licenses of Defender for Office
365 Plan 2, so their evaluations are unlimited in duration.
The information from the previous list is summarized in the following table:
Organization | Audit mode | Blocking mode | Trial duration
Standalone EOP (no Exchange Online mailboxes) | Yes | Yes | 90 days
Microsoft 365 E3 | | |

* The security policies from audit mode (evaluation policies) or blocking mode
(Standard preset security policy) don't expire or stop working after 90 days. Only the
automation, investigation, remediation, and education capabilities that are exclusive to
Defender for Office 365 Plan 2 stop working after 90 days.
1. Start the evaluation in any of the available locations in the Microsoft 365 Defender
portal at https://security.microsoft.com . For example:
On the banner at the top of any Defender for Office 365 feature page, click
Start free trial.
On the Microsoft 365 trials page at
https://security.microsoft.com/trialHorizontalHub , find and select Defender
for Office 365.
On the Evaluation mode page at
https://security.microsoft.com/atpEvaluation , click Start evaluation.
2. In the Turn on protection dialog, select No, I only want reporting, and then click
Continue.
3. In the Select the users you want to include dialog, configure the following
settings:
Select users: If you select this option, you need to select the internal
recipients that the evaluation applies to:
Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your
organization.
Click in the appropriate box, start typing a value, and select the value that
you want from the results. Repeat this process as many times as necessary. To
remove an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias,
email address, account name, etc.), but the corresponding display name is
shown in the results. For users, enter an asterisk (*) by itself to see all
available values.
Note
You can change these selections after you finish setting up the trial as
described in the Manage your trial section.
Users: romain@contoso.com
Groups: Executives
Likewise, if you use the same recipient filter as an exception, the evaluation or
trial is not applied to romain@contoso.com only if he's also a member of the
Executives group. If he's not a member of the group, then the evaluation or
trial still applies to him.
4. In the Help us understand your mail flow dialog, configure the following options:
b. In the Exchange mail flow rules dialog, decide if you need an Exchange
Online mail flow rule (also known as a transport rule) that skips spam
filtering for incoming messages from the third-party protection service
or device.
It's likely that you already have an SCL=-1 mail flow rule in Exchange
Online that allows all inbound mail from the protection service to
bypass (most) Microsoft 365 filtering. Many protection services
encourage this spam confidence level (SCL) mail flow rule method for
Microsoft 365 customers who use their services.
To create an SCL=-1 mail flow rule or to review your existing rules, click
the Go to Exchange admin center button on the page. For more
information, see Use mail flow rules to set the spam confidence level
(SCL) in messages in Exchange Online.
I'm only using Microsoft Exchange Online: The MX records for your
domain point to Microsoft 365. There's nothing left to configure, so click
Finish.
Share data with Microsoft: This option isn't selected by default, but you can
select the check box if you like.
5. A progress dialog appears as your evaluation is set up. When setup is complete,
click Done.
1. Start the trial in any of the available locations in the Microsoft 365 Defender portal
at https://security.microsoft.com . For example:
On the banner at the top of any Defender for Office 365 feature page, click
Start free trial.
On the Microsoft 365 trials page at
https://security.microsoft.com/trialHorizontalHub , find and select Defender
for Office 365.
On the Evaluation mode page at
https://security.microsoft.com/atpEvaluation , click Start evaluation.
3. In the Select the users you want to include dialog, configure the following
settings:
Select users: If you select this option, you need to select the internal
recipients that the trial applies to:
Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your
organization.
Click in the appropriate box, start typing a value, and select the value that
you want from the results. Repeat this process as many times as necessary. To
remove an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias,
email address, account name, etc.), but the corresponding display name is
shown in the results. For users, enter an asterisk (*) by itself to see all
available values.
Note
You can change these selections after you finish setting up the trial as
described in the Manage your trial section.
Users: romain@contoso.com
Groups: Executives
The evaluation or trial is applied to romain@contoso.com only if he's also a
member of the Executives group. If he's not a member of the group, then the
evaluation or trial is not applied to him.
Likewise, if you use the same recipient filter as an exception, the evaluation or
trial is not applied to romain@contoso.com only if he's also a member of the
Executives group. If he's not a member of the group, then the evaluation or
trial still applies to him.
4. A progress dialog appears as your evaluation is set up. When setup is complete,
click Done.
2. On the Microsoft Defender for Office 365 evaluation page, you can do the
following tasks:
Click Buy a paid subscription to buy Defender for Office 365 Plan 2.
Click Manage. In the Microsoft Defender for Office 365 evaluation flyout
that appears, you can do the following tasks:
Notes:
The policies in the Standard preset security policy have a higher priority
than the evaluation policies, which means the policies in the Standard
preset security policy are always applied before the evaluation policies, even
if both are present and turned on. To turn off the evaluation policies, use
the Turn off button.
There's no automatic way to go from blocking mode to audit mode.
The manual steps are:
a. Turn off the Standard preset security policy on the Preset security
policies page.
b. After clicking Manage on the Microsoft Defender for Office 365
evaluation page, verify the presence of the Turn off button, which
indicates the evaluation policies are turned on. If you see the Turn on
button, click it to turn on the evaluation policies.
c. Verify the users that the evaluation applies to.
To turn off the evaluation policies, click Turn off. To turn them back on,
click Turn on.
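Two points in the trial setup and management notes above deserve a worked model: the recipient conditions combine with AND across condition types (a user listed under Users is only in scope if he also matches a listed Group), exceptions use the same combination rule, and when both the Standard preset security policy and the evaluation policies are on, the higher-priority Standard policy wins. The code below is an added example for this page, not Microsoft code or the service's real scoping implementation; the priority numbering (lower number applied first) and the recipient objects are assumptions made for the example, and romain@contoso.com and the Executives group are the page's own sample values.

```python
"""Model of recipient scoping and policy precedence for Defender for Office 365
trial policies. Added example for this page, not Microsoft code.
Assumption: a lower priority number means the policy is applied first.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Recipient:
    email: str
    groups: Set[str] = field(default_factory=set)   # distribution, security and M365 groups

    @property
    def domain(self) -> str:
        return self.email.split("@", 1)[1].lower()


@dataclass
class RecipientFilter:
    """Users / Groups / Domains as entered in the 'Select users' dialog."""
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)

    def matches(self, r: Recipient) -> bool:
        """OR within a condition type, AND across the types that are filled in.
        A filter with no conditions at all matches nobody."""
        checks = []
        if self.users:
            checks.append(r.email.lower() in {u.lower() for u in self.users})
        if self.groups:
            checks.append(bool(r.groups & self.groups))
        if self.domains:
            checks.append(r.domain in {d.lower() for d in self.domains})
        return bool(checks) and all(checks)


@dataclass
class Policy:
    name: str
    priority: int                      # lower = applied first (assumption)
    enabled: bool = True
    all_recipients: bool = False       # "All users in the organization"
    include: RecipientFilter = field(default_factory=RecipientFilter)
    exclude: RecipientFilter = field(default_factory=RecipientFilter)

    def applies_to(self, r: Recipient) -> bool:
        if not self.enabled:
            return False
        if self.exclude.matches(r):       # exceptions use the same AND/OR rule
            return False
        return self.all_recipients or self.include.matches(r)


def effective_policy(r: Recipient, policies: List[Policy]) -> Optional[Policy]:
    """First enabled policy, in priority order, whose scope includes the recipient."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.applies_to(r):
            return p
    return None


if __name__ == "__main__":
    scope = RecipientFilter(users={"romain@contoso.com"}, groups={"Executives"})
    romain_exec = Recipient("romain@contoso.com", {"Executives"})
    romain_plain = Recipient("romain@contoso.com")
    print("Users+Groups condition, member  ->", scope.matches(romain_exec))    # True
    print("Users+Groups condition, not member ->", scope.matches(romain_plain))  # False

    standard = Policy("Standard preset security policy", priority=0, all_recipients=True)
    evaluation = Policy("Evaluation policies", priority=1, all_recipients=True)
    winner = effective_policy(romain_exec, [evaluation, standard])
    print("both on, effective policy ->", winner.name)
    standard.enabled = False
    print("Standard off, effective policy ->",
          effective_policy(romain_exec, [evaluation, standard]).name)
```

This also shows why the page's manual path from blocking mode back to audit mode starts by turning the Standard preset security policy off: while it is enabled and scoped to everyone, `effective_policy` never reaches the evaluation policies.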
You can filter most views by the Protected by value MDO to see the effects of
Defender for Office 365.
View data by Email > Phish and Chart breakdown by Detection Technology
Messages detected by campaigns appear in Campaign.
Messages detected by Safe Attachments appear in File detonation and File
detonation reputation.
Messages detected by user impersonation protection in anti-phishing
policies appear in Impersonation domain, Impersonation user, and Mailbox
intelligence impersonation.
Messages detected by Safe Links appear in URL detonation and URL
detonation reputation.
View data by Email > Malware and Chart breakdown by Detection Technology
Messages detected by campaigns appear in Campaign.
Messages detected by Safe Attachments appear in File detonation and File
detonation reputation.
Messages detected by Safe Links appear in URL detonation and URL
detonation reputation.
View data by Email > Spam and Chart breakdown by Detection Technology
Show data for Top malware recipients (MDO) and Show data for Top phish
recipients (MDO).
In Threat Explorer, the message detection details on the Analysis tab show the
following banner for Bad attachment, spam url + malware, Phish url, and
impersonation messages that were detected by the Defender for Office 365
evaluation:
Safe Links
Safe Attachments
Impersonation protection in anti-phishing policies
By default, the charts show data for the last 30 days, but you can filter the date range by
clicking 30 days and selecting from following additional values that are less than 30
days:
24 hours
7 days
14 days
Custom date range
You can click Download to download the chart data to a .csv file.
Required permissions
The following permissions are required in Azure AD to set up an evaluation or trial of
Defender for Office 365:
Q: How many times can I use the Defender for Office 365
trial in my organization?
A: A maximum of 2 times. If your first trial expires, you need to wait at least 30 days after
the expiration date before you can enroll in the Defender for Office 365 trial again. After
your second trial, you can't enroll in another trial.
Reference
Warning
Do not attempt to create, modify, or remove the individual security policies that are
associated with the evaluation of Defender for Office 365. The only supported
method for creating the individual security policies for the evaluation is to start the
evaluation or trial in audit mode in the Microsoft 365 Defender portal for the first
time.
As previously described, when you choose audit mode for your evaluation or trial,
evaluation policies with the required settings to observe but not take action on
messages are automatically created.
To see these policies and their settings, run the following command in Exchange Online
PowerShell:
PowerShell
Anti-phishing evaluation policy settings

Setting | Value
AuthenticationFailAction | MoveToJmf
Enabled | True
EnableFirstContactSafetyTips | False
EnableMailboxIntelligence | True
EnableMailboxIntelligenceProtection | True
EnableOrganizationDomainsProtection | False
EnableSimilarDomainsSafetyTips | False
EnableSimilarUsersSafetyTips | False
EnableSpoofIntelligence | True
EnableSuspiciousSafetyTip | False
EnableTargetedDomainsProtection | False
EnableTargetedUserProtection | False
EnableUnauthenticatedSender | True
EnableUnusualCharactersSafetyTips | False
EnableViaTag | True
ExcludedDomains | {}
ExcludedSenders | {}
ImpersonationProtectionState | Manual
IsDefault | False
MailboxIntelligenceProtectionAction | NoAction
MailboxIntelligenceProtectionActionRecipients | {}
MailboxIntelligenceQuarantineTag | DefaultFullAccessPolicy
PhishThresholdLevel | 1
PolicyTag | blank
RecommendedPolicyType | Evaluation
SpoofQuarantineTag | DefaultFullAccessPolicy
TargetedDomainActionRecipients | {}
TargetedDomainProtectionAction | NoAction
TargetedDomainQuarantineTag | DefaultFullAccessPolicy
TargetedDomainsToProtect | {}
TargetedUserActionRecipients | {}
TargetedUserProtectionAction | NoAction
TargetedUserQuarantineTag | DefaultFullAccessPolicy
TargetedUsersToProtect | {}

Safe Attachments evaluation policy settings

Setting | Value
Action | Allow
ActionOnError | True
ConfidenceLevelThreshold | 80
Enable | True
EnableOrganizationBranding | False
IsBuiltInProtection | False
IsDefault | False
OperationMode | Delay
QuarantineTag | AdminOnlyAccessPolicy
RecommendedPolicyType | Evaluation
Redirect | False
RedirectAddress | blank
ScanTimeout | 30

Safe Links evaluation policy settings

Setting | Value
AllowClickThrough | True
CustomNotificationText | blank
DeliverMessageAfterScan | True
DisableUrlRewrite | True
DoNotRewriteUrls | {}
EnableForInternalSenders | False
EnableOrganizationBranding | False
EnableSafeLinksForEmail | True
EnableSafeLinksForOffice | False
EnableSafeLinksForTeams | False
IsBuiltInProtection | False
LocalizedNotificationTextList | {}
RecommendedPolicyType | Evaluation
ScanUrls | True
TrackClicks | True
To view the rule that's associated with the evaluation, run the following command in
Exchange Online PowerShell:
PowerShell
Get-ATPEvaluationRule
To use Exchange Online PowerShell to modify who the evaluation applies to, use the
following syntax:
PowerShell
This example configures exceptions from the evaluation for the specified security
operations (SecOps) mailboxes.
PowerShell
To turn on or turn off the evaluation in audit mode, you enable or disable the rule that's
associated with the evaluation. The State property value of the evaluation rule shows
whether the rule is Enabled or Disabled.
Run the following command to determine whether the evaluation is currently enabled or
disabled:
PowerShell
Run the following command to turn off the evaluation if it's turned on:
PowerShell
Run the following command to turn on the evaluation if it's turned off:
PowerShell
As previously described, when you choose blocking mode for your trial, policies are
created using the Standard template for preset security policies.
To use Exchange Online PowerShell to view the individual security policies that are
associated with the Standard preset security policy, and to use Exchange Online
PowerShell to view and configure the recipient conditions and exceptions for the preset
security policy, see Preset security policies in Exchange Online PowerShell.
Trial user guide: Microsoft Defender for
Office 365
Article • 12/22/2022 • 9 minutes to read
Applies to:
Welcome to the Microsoft Defender for Office 365 trial user guide! This user guide will
help you make the most of your free trial by teaching you how to safeguard your
organization against malicious threats posed by email messages, links (URLs), and
collaboration tools.
In addition to the detection of advanced threats, the following video shows how the
SecOps capabilities of Defender for Office 365 can help your team respond to threats:
https://www.microsoft.com/en-us/videoplayer/embed/RWMmIe?postJsllMsg=true
Audit mode: Special evaluation policies are created for anti-phishing (which
includes impersonation protection), Safe Attachments, and Safe Links. These
evaluation policies are configured to detect threats only. Defender for Office 365
detects harmful messages for reporting, but the messages aren't acted upon (for
example, detected messages aren't quarantined). The settings of these evaluation
policies are described in the Policies in audit mode section later in this article.
Blocking mode: The Standard template for preset security policies is turned on and
used for the trial, and the users you specify to include in the trial are added to the
Standard preset security policy. Defender for Office 365 detects and takes action on
harmful messages (for example, detected messages are quarantined).
The default and recommended selection is to scope these Defender for Office 365
policies to all users in the organization. But during or after the setup of your trial,
you can change the policy assignment to specific users, groups, or email domains
in the Microsoft 365 Defender portal or in Policy settings associated with Defender
for Office 365 trials.
Blocking mode does not provide customized reports for threats detected by
Defender for Office 365. Instead, the information is available in the regular reports
and investigation features of Defender for Office 365 Plan 2.
A key factor in audit mode vs. blocking mode is how email is delivered to your Microsoft
365 organization:
Mail from the internet flows directly to Microsoft 365, but your current subscription
has only Exchange Online Protection (EOP) or Defender for Office 365 Plan 1.
You're currently using a third-party service or device for email protection of your
Microsoft 365 mailboxes. Mail from the internet flows through the protection
service before delivery into your Microsoft 365 organization. Microsoft 365
protection is as low as possible (it's never completely off; for example, malware
protection is always enforced).
In these environments, you can select audit mode only. You don't need to change
your mail flow (MX records).
Blocking mode
Safe Links, Safe Attachments and anti-phishing policies that are scoped to the
entire tenant or subset of users you may have chosen during the trial setup
process.
Safe Attachments protection for SharePoint, OneDrive, and Microsoft Teams.
Safe Links protection for supported Office 365 apps.
Watch this video to learn more: Protect against malicious links with Safe Links in
Microsoft Defender for Office 365 - YouTube .
Watch this video to learn more: Learn how to use the Submissions portal to submit
messages for analysis - YouTube .
Understand threats received in email and collaboration tools with the Threat
protection status report.
See where threats are blocked with the Mailflow status report.
Review links that were viewed by users or blocked by the system.
Protect your most targeted and most visible users with Priority Account Protection in
Defender for Office 365, which helps you prioritize your workflow to ensure these users
are safe.
Watch this video to learn more: Protecting priority accounts in Microsoft Defender for
Office 365 - YouTube .
Watch this video to learn more: Detect and respond to compromise in Microsoft
Defender for Office 365 - YouTube .
Use Threat Explorer to investigate malicious email
Defender for Office 365 enables you to investigate activities that put people in your
organization at risk and to take action to protect your organization. You can do this
using Threat Explorer.
Find suspicious email that was delivered: Find and delete messages, identify the IP
address of a malicious email sender, or start an incident for further investigation.
Check the delivery action and location: This check lets you know the location of
problem email messages.
View the timeline of your email: Simplify hunting for your security operations team.
See the bigger picture with Campaign Views in Defender for Office 365, which gives you
a view of the attack campaigns targeting your organization and the impact they have on
your users.
Watch this video to learn more: Campaign Views in Microsoft Defender for Office 365 -
YouTube .
Watch this video to learn more: Threat hunting with Microsoft 365 Defender -
YouTube .
Auditing mode
Evaluation policies ensure no action is taken on email that's detected by Defender for
Office 365.
Watch this video to learn more: Learn how to use the Submissions portal to submit
messages for analysis - YouTube .
Find suspicious email that was delivered: Find and delete messages, identify the IP
address of a malicious email sender, or start an incident for further investigation.
Check the delivery action and location: This check lets you know the location of
problem email messages.
View the timeline of your email: Simplify hunting for your security operations team.
When you're ready to turn on Defender for Office 365 policies in production, you can
use "Convert to Standard Protection" within the evaluation management experience to
easily move to Standard protection in preset security policies.
3. In the Convert to standard protection dialog that opens, click Continue to initiate
the setup.
If you already have an existing third-party protection service or device that sits in front
of Microsoft 365, you can migrate your protection to Microsoft Defender for Office 365
to get the benefits of a consolidated management experience, potentially reduced cost
(using products that you already pay for), and a mature product with integrated security
protection.
For more information, see Migrate from a third-party protection service or device to
Microsoft Defender for Office 365.
Additional resources
Interactive guide: Unfamiliar with Defender for Office 365? Review the interactive
guide to understand how to get started.
Fast Track Get Started Guide*: Microsoft Defender for Office 365
Microsoft Defender for Office 365 documentation: Get detailed information on
how Defender for Office 365 works and how to best implement it for your
organization. Visit the Microsoft Defender for Office 365 documentation.
What's included: For a full list of Office 365 email security features listed by
product tier, view the Feature Matrix.
Why Defender for Office 365: The Defender for Office 365 Datasheet shows the
top 10 reasons customers choose Microsoft.
Email authentication in EOP
Article • 12/10/2022 • 8 minutes to read
Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.
Email authentication (also known as email validation) is a group of standards that tries
to stop spoofing (email messages from forged senders). In all Microsoft 365
organizations, EOP uses these standards to verify inbound email:
SPF
DKIM
DMARC
Email authentication verifies that email messages from a sender (for example,
laura@contoso.com) are legitimate and come from expected sources for that email
domain (for example, contoso.com.)
The rest of this article explains how these technologies work, and how EOP uses them to
check inbound email.
As of March 2018, only 9% of domains of companies in the Fortune 500 publish strong
email authentication policies. The remaining 91% of companies might be spoofed by an
attacker. Unless some other email filtering mechanism is in-place, email from spoofed
senders in these domains might be delivered to users.
Composite authentication
If a domain doesn't have traditional SPF, DKIM, and DMARC records, those record
checks don't communicate enough authentication status information. Therefore,
Microsoft has developed an algorithm for implicit email authentication. This algorithm
combines multiple signals into a single value called composite authentication, or
compauth for short. The compauth value is stamped into the Authentication-Results header:
Authentication-Results:
By examining the message headers, admins or even end users can determine how
Microsoft 365 determined that the sender is spoofed.
The sending domain might lack the required DNS records, or the records are
incorrectly configured.
The source domain has correctly configured DNS records, but that domain doesn't
match the domain in the From address. SPF and DKIM don't require the domain to
be used in the From address. Attackers or legitimate services can register a
domain, configure SPF and DKIM for the domain, and use a completely different
domain in the From address. Messages from senders in this domain will pass SPF
and DKIM.
Composite authentication can address these limitations by passing messages that would
otherwise fail email authentication checks.
For simplicity, the following examples concentrate on email authentication results. Other
back-end intelligence factors could identify messages that pass email authentication as
spoofed, or messages that fail email authentication as legitimate.
For example, the fabrikam.com domain has no SPF, DKIM, or DMARC records. Messages
from senders in the fabrikam.com domain can fail composite authentication (note the
compauth value and reason):
text
From: chris@fabrikam.com
To: michelle@contoso.com
If fabrikam.com configures an SPF without a DKIM record, the message can pass
composite authentication. The domain that passed SPF checks is aligned with the
domain in the From address:
text
From: chris@fabrikam.com
To: michelle@contoso.com
If fabrikam.com configures a DKIM record without an SPF record, the message can pass
composite authentication. The domain in the DKIM signature is aligned with the domain
in the From address:
text
From: chris@fabrikam.com
To: michelle@contoso.com
If the domain in SPF or the DKIM signature doesn't align with the domain in the From
address, the message can fail composite authentication:
text
compauth=fail reason=001
From: chris@contoso.com
To: michelle@fabrikam.com
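The alignment logic behind those four results, as an added example that is not Microsoft's code: it parses the Authentication-Results fields EOP stamps (spf= with smtp.mailfrom, dkim= with header.d) and derives a simplified compauth verdict from SPF/DKIM alignment with the From domain alone. The sample headers, the organizational-domain shortcut (last two labels) and the reason strings are constructed for this example; real composite authentication weighs many more back-end signals than shown here.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_auth_results(header: str) -> Dict[str, Dict[str, str]]:
    """Parse an Authentication-Results header into {method: {"result": ..., prop: value}}.

    Handles the "method=result (comment) prop=value; ..." layout; comments such as
    "(message not signed)" are discarded and a leading authserv-id is skipped.
    """
    value = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    value = re.sub(r"\([^)]*\)", " ", value)
    results: Dict[str, Dict[str, str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption: no
    public-suffix list, so mail.fabrikam.com -> fabrikam.com)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str) -> bool:
    """Relaxed alignment: the authenticated domain and the From domain share an
    organizational domain."""
    return auth_domain is not None and org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthSummary:
    from_domain: str            # domain of the 5322.From address the user sees
    spf_result: str             # pass / fail / softfail / neutral / none
    spf_domain: Optional[str]   # smtp.mailfrom, the domain SPF was evaluated for
    dkim_result: str            # pass / fail / none
    dkim_domain: Optional[str]  # header.d, the d= of a verified DKIM signature


def summarize(header: str, from_addr: str) -> AuthSummary:
    """Pull the SPF/DKIM verdicts and domains out of the header for one message."""
    ar = parse_auth_results(header)
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    header_d = dkim.get("header.d", "none")
    return AuthSummary(
        from_domain=from_addr.rsplit("@", 1)[-1].lower(),
        spf_result=spf.get("result", "none"),
        spf_domain=spf.get("smtp.mailfrom"),
        dkim_result=dkim.get("result", "none"),
        dkim_domain=None if header_d == "none" else header_d,
    )


def compauth(s: AuthSummary) -> Tuple[str, str]:
    """Simplified composite-authentication verdict from alignment alone.

    The reason strings are constructed for readability; the real header carries
    numeric codes (the article shows compauth=fail reason=001 for the unaligned case).
    """
    spf_ok = s.spf_result == "pass" and aligned(s.spf_domain, s.from_domain)
    dkim_ok = s.dkim_result == "pass" and aligned(s.dkim_domain, s.from_domain)
    if spf_ok or dkim_ok:
        return "pass", "aligned"
    if s.spf_result == "pass" or s.dkim_result == "pass":
        return "fail", "unaligned"   # authenticated, but not for the From domain
    return "fail", "no-auth"         # nothing to align: no usable SPF or DKIM


# Constructed headers mirroring the four fabrikam.com/contoso.com cases above.
NO_RECORDS = ("Authentication-Results: spf=none (sender IP is 203.0.113.5) smtp.mailfrom=fabrikam.com;"
              " dkim=none (message not signed) header.d=none; dmarc=none action=none header.from=fabrikam.com;")
SPF_ALIGNED = ("Authentication-Results: spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=fabrikam.com;"
               " dkim=none (message not signed) header.d=none; dmarc=none action=none header.from=fabrikam.com;")
DKIM_ALIGNED = ("Authentication-Results: spf=none smtp.mailfrom=fabrikam.com;"
                " dkim=pass (signature was verified) header.d=fabrikam.com; dmarc=none action=none header.from=fabrikam.com;")
UNALIGNED = ("Authentication-Results: spf=pass smtp.mailfrom=fabrikam.com;"
             " dkim=pass (signature was verified) header.d=fabrikam.com; dmarc=none action=none header.from=contoso.com;")

if __name__ == "__main__":
    for label, hdr, sender in [("no records", NO_RECORDS, "chris@fabrikam.com"),
                               ("SPF aligned", SPF_ALIGNED, "chris@fabrikam.com"),
                               ("DKIM aligned", DKIM_ALIGNED, "chris@fabrikam.com"),
                               ("unaligned", UNALIGNED, "chris@contoso.com")]:
        verdict, reason = compauth(summarize(hdr, sender))
        print(f"{label:12s} compauth={verdict} reason={reason}")
```

Feed it the header from a message in your own mailbox together with the From address to see which of the two alignment paths, if any, carried the message.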
Microsoft doesn't provide detailed implementation guidelines for SPF, DKIM, and
DMARC records. However, a lot of information is available online, and there are
third-party companies dedicated to helping your organization set up email
authentication records.
This example means that email from your corporate infrastructure will pass email
authentication, but email from unknown sources will fall back to neutral.
Microsoft 365 will treat inbound email from your corporate infrastructure as
authenticated. Email from unidentified sources might still be marked as spoof if it fails
implicit authentication. However, this is still an improvement from all email being
marked as spoof by Microsoft 365.
Once you've gotten started with an SPF fallback policy of ?all, you can gradually
discover and include more email sources for your messages, and then update your SPF
record with a stricter policy.
For external domains, the spoofed user is the domain in the From address, while the
sending infrastructure is one of the following values:
Set up SPF to publish the domain's sending IP addresses, and set up DKIM (if
available) to digitally sign messages. They should also consider setting up DMARC
records.
If they use bulk senders to send email on their behalf, verify that the domain in the
From address (if it belongs to them) aligns with the domain that passes SPF or
DMARC.
Verify the following locations (if they use them) are included in the SPF record:
On-premises email servers.
Email sent from a software-as-a-service (SaaS) provider.
Email sent from a cloud-hosting service (Microsoft Azure, GoDaddy, Rackspace,
Amazon Web Services, etc.).
For small domains that are hosted by an ISP, configure the SPF record according to
the instructions from the ISP.
While it may be difficult at first to get sending domains to authenticate, over time, as
more and more email filters start junking or even rejecting their email, it will cause them
to set up the proper records to ensure better delivery. Also, their participation can help
in the fight against phishing, and can reduce the possibility of phishing in their
organization or organizations that they send email to.
If you host a domain's email or provide hosting infrastructure that can send email, you
should do the following steps:
Ensure your customers have documentation that explains how they should configure
their SPF records.
Learn how Office 365 uses SPF and supports DKIM validation:
Prerequisites
Create or update your SPF TXT record
How to handle subdomains?
Troubleshooting SPF
This article describes how to update a Domain Name Service (DNS) record so that you
can use Sender Policy Framework (SPF) email authentication with your custom domain
in Office 365.
SPF helps validate outbound email sent from your custom domain (is coming from who
it says it is). It's a first step in setting up the full recommended email authentication
methods of SPF, DKIM, and DMARC.
Prerequisites
Create or update your SPF TXT record
How to handle subdomains?
What does SPF email authentication actually do?
Troubleshooting SPF
More information about SPF
Prerequisites
Important
If you don't use a custom URL (and the URL used for Office 365 ends in
onmicrosoft.com), SPF has already been set up for you in the Office 365 service.
The SPF TXT record for Office 365 will be made in external DNS for any custom domains
or subdomains. You need some information to make the record. Gather this information:
The SPF TXT record for your custom domain, if one exists. For instructions, see
Gather the information you need to create Office 365 DNS records.
Go to your messaging server(s) and find out the External IP addresses (needed
from all on-premises messaging servers). For example, 131.107.2.200.
Domain names to use for all third-party domains that you need to include in your
SPF TXT record. Some bulk mail providers have set up subdomains to use for their
customers. For example, the company MailChimp has set up servers.mcsv.net.
Figure out what enforcement rule you want to use for your SPF TXT record. The -all
rule is recommended. For detailed information about other syntax options, see SPF
TXT record syntax for Office 365.
Important
In order to use a custom domain, Office 365 requires that you add a Sender Policy
Framework (SPF) TXT record to your DNS record to help prevent spoofing.
ip4:40.103.0.0/16
include:spf.protection.outlook.com
2. If you haven't already done so, form your SPF TXT record by using the syntax from
the table.
For example, if you are hosted entirely in Office 365, that is, you have no on-
premises mail servers, your SPF TXT record would include rows 1, 2, and 7 and
would look like this:
text
The example above is the most common SPF TXT record. This record works for
just about everyone, regardless of whether your Microsoft datacenter is located in
the United States, or in Europe (including Germany), or in another location.
However, if you bought Office 365 Germany, part of Microsoft Cloud Germany, you
should use the include statement from line 4 instead of line 2. For example, if you
are hosted entirely in Office 365 Germany, that is, you have no on-premises mail
servers, your SPF TXT record would include rows 1, 4, and 7 and would look like
this:
text
If you're already deployed in Office 365 and have set up your SPF TXT records for
your custom domain, and you're migrating to Office 365 Germany, you need to
update your SPF TXT record. To do this, change
include:spf.protection.outlook.com to include:spf.protection.outlook.de.
3. Once you have formed your SPF TXT record, you need to update the record in
DNS. You can only have one SPF TXT record for a domain. If an SPF TXT record
exists, instead of adding a new record, you need to update the existing record. Go
to Create DNS records for Office 365, and then select the link for your DNS host.
A wildcard SPF record (*.) is required for every domain and subdomain to prevent
attackers from sending email claiming to be from non-existent subdomains. For
example:
text
Troubleshooting SPF
Having trouble with your SPF TXT record? Read Troubleshooting: Best practices for SPF
in Office 365.
For example, let's say that your custom domain contoso.com uses Office 365. You add
an SPF TXT record that lists the Office 365 messaging servers as legitimate mail servers
for your domain. When the receiving messaging server gets a message from
joe@contoso.com, the server looks up the SPF TXT record for contoso.com and finds
out whether the message is valid. If the receiving server finds out that the message
comes from a server other than the Office 365 messaging servers listed in the SPF
record, the receiving mail server can choose to reject the message as spam.
Also, if your custom domain does not have an SPF TXT record, some receiving servers
may reject the message outright. This is because the receiving server cannot validate
that the message comes from an authorized messaging server.
If you've already set up mail for Office 365, then you have already included Microsoft's
messaging servers in DNS as an SPF TXT record. However, there are some cases where
you may need to update your SPF TXT record in DNS. For example:
Previously, you had to add a different SPF TXT record to your custom domain if
you were using SharePoint Online. This is no longer required. This change should
reduce the risk of SharePoint Online notification messages ending up in the Junk
Email folder. Update your SPF TXT record if you are hitting the 10 lookup limit and
receiving errors that say things like, "exceeded the lookup limit" and "too many
hops".
If you have a hybrid environment with Office 365 and Exchange on-premises.
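A worked version of the record-forming steps above and of the 10-lookup limit mentioned in the troubleshooting list, added here as example code rather than anything from the Microsoft documentation: it assembles an SPF TXT record from IP addresses, include: mechanisms and the chosen all qualifier, evaluates a sending IP against it, and counts the DNS-querying mechanisms a resolver would perform. DNS is replaced by a constructed in-memory table; the spf.protection.outlook.com entry in it is a simplification using the 40.103.0.0/16 range from the table above, not Microsoft's actual published record, and the other domains and addresses are made up.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed stand-in for DNS TXT lookups so the example runs offline.
FAKE_DNS: Dict[str, str] = {
    "contoso.com": "v=spf1 ip4:131.107.2.200 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.103.0.0/16 -all",   # simplified, not the real record
    "staging.contoso.com": "v=spf1 ip4:131.107.2.200 ?all",           # soft start with ?all
    "over.example": "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4 limit on DNS-querying terms
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf(ips: List[str], includes: List[str], qualifier: str = "-") -> str:
    """Assemble 'v=spf1 ip4:... include:... <qualifier>all' from its parts."""
    if qualifier not in QUALIFIER_RESULT:
        raise ValueError("qualifier must be one of + - ~ ?")
    terms = ["v=spf1"]
    terms += [("ip6:" if ":" in ip else "ip4:") + ip for ip in ips]
    terms += ["include:" + domain for domain in includes]
    terms.append(qualifier + "all")
    return " ".join(terms)


def check_spf(ip: str, domain: str, dns: Dict[str, str] = FAKE_DNS, depth: int = 0) -> str:
    """Evaluate a sending IP against a domain's record: pass, fail, softfail,
    neutral, or none when no record exists. Only ip4/ip6/include/all are
    implemented; a, mx, ptr and exists need live DNS and are treated as no-match."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > MAX_LOOKUPS:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            matched = False
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"   # no mechanism matched and no redirect


def count_lookups(domain: str, dns: Dict[str, str] = FAKE_DNS, seen: Optional[Set[str]] = None) -> int:
    """Count DNS-querying terms, recursing through include: and redirect= targets."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0
    seen.add(domain)
    total = 0
    for term in dns.get(domain, "").split()[1:]:
        term = term.lstrip("+-~?")
        name = term.split(":", 1)[0].split("=", 1)[0]
        if name not in LOOKUP_MECHANISMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            target = term.split(":", 1)[1] if ":" in term else term.split("=", 1)[1]
            total += count_lookups(target, dns, seen)
    return total


def within_lookup_limit(domain: str, dns: Dict[str, str] = FAKE_DNS) -> bool:
    """False when the record would trigger the 'exceeded the lookup limit' error above."""
    return count_lookups(domain, dns) <= MAX_LOOKUPS


if __name__ == "__main__":
    print(build_spf(["131.107.2.200"], ["spf.protection.outlook.com"]))
    for sender_ip in ("131.107.2.200", "40.103.5.9", "203.0.113.7"):
        print(sender_ip, check_spf(sender_ip, "contoso.com"))
    print("contoso.com lookups:", count_lookups("contoso.com"), "within limit:", within_lookup_limit("contoso.com"))
    print("over.example lookups:", count_lookups("over.example"), "within limit:", within_lookup_limit("over.example"))
```

The neutral result for staging.contoso.com is the ?all fallback the article describes: an unknown source is neither authorized nor rejected, so the receiver falls back to its other signals.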
DMARC email authentication's goal is to make sure that SPF and DKIM information
matches the From address.
For advanced examples and a more detailed discussion about supported SPF syntax, see
How SPF works to prevent spoofing and phishing in Office 365.
Use DKIM to validate outbound email sent from your custom domain
Article • 12/22/2022 • 15 minutes to read
This article lists the steps to use DomainKeys Identified Mail (DKIM) with Microsoft 365
to ensure that destination email systems trust messages sent outbound from your
custom domain.
In this article:
How DKIM works better than SPF alone to prevent malicious spoofing
Steps to Create, enable and disable DKIM from Microsoft 365 Defender portal
Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys
Steps to manually set up DKIM
Steps to configure DKIM for more than one custom domain
Disabling the DKIM signing policy for a custom domain
Default behavior for DKIM and Microsoft 365
Set up DKIM so that a third-party service can send, or spoof, email on behalf of
your custom domain
Next steps: After you set up DKIM for Microsoft 365
Note
Microsoft 365 automatically sets up DKIM for its initial 'onmicrosoft.com' domains.
That means you don't need to do anything to set up DKIM for any initial domain
names (for example, litware.onmicrosoft.com). For more information about
domains, see Domains FAQ.
DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help
prevent attackers from sending messages that look like they come from your domain.
DKIM lets you add a digital signature to outbound email messages in the message
header. When you configure DKIM, you authorize your domain to associate, or sign, its
name to an email message using cryptographic authentication. Email systems that get
email from your domain can use this digital signature to help verify whether incoming
email is legitimate.
In basic terms, a private key encrypts the header in a domain's outgoing email. The public key
is published in the domain's DNS records, and receiving servers can use that key to
decode the signature. DKIM verification helps the receiving servers confirm the mail is
really coming from your domain and not someone spoofing your domain.
Tip
You can choose to do nothing about DKIM for your custom domain too. If you
don't set up DKIM for your custom domain, Microsoft 365 creates a private and
public key pair, enables DKIM signing, and then configures the Microsoft 365
default policy for your custom domain.
Tip
DKIM uses a private key to insert an encrypted signature into the message headers.
The signing domain, or outbound domain, is inserted as the value of the d= field in
the header. The verifying domain, or recipient's domain, then uses the d= field to
look up the public key from DNS, and authenticate the message. If the message is
verified, the DKIM check passes.
Step 1: Click on the domain you wish to configure DKIM on the DKIM page
(https://security.microsoft.com/dkimv2 or https://protection.office.com/dkimv2).
Step 2: Slide the toggle to Enable. You will see a pop-up window stating that you need
to add CNAME records.
Step 4: Publish the copied CNAME records to your DNS service provider.
On your DNS provider's website, add CNAME records for DKIM that you want to enable.
Make sure that the fields are set to the following values for each:
text
> Host: Paste the values you copy from the DKIM page.
If you see a "CNAME record doesn't exist" error, it might be due to:
1. Synchronization with the DNS server, which might take a few seconds to hours. If the
problem persists, repeat the steps again.
2. Copy-and-paste errors, such as additional spaces or tabs.
Note
Since both 1024-bit and 2048-bit DKIM keys are supported, these directions tell you
how to upgrade your 1024-bit key to 2048 bits in Exchange Online PowerShell. The
steps below cover two use cases; choose the one that best fits your configuration.
When you already have DKIM configured, you rotate bitness by running the
following command:
PowerShell
or
PowerShell
PowerShell
Tip
This new 2048-bit key takes effect on the RotateOnDate, and will send emails with
the 1024-bit key in the interim. After four days, you can test again with the 2048-bit
key (that is, once the rotation takes effect to the second selector).
If you want to rotate to the second selector, after four days and confirming that 2048-
bitness is in use, manually rotate the second selector key by using the appropriate
cmdlet listed above.
For detailed syntax and parameter information, see the following articles:
Rotate-DkimSigningConfig, New-DkimSigningConfig, and Get-DkimSigningConfig.
Note
If you haven't read the full article, you may have missed this time-saving PowerShell
connection information: Connect to Exchange Online PowerShell.
Run the following commands in Exchange Online PowerShell to create the selector
records:
PowerShell
If you have provisioned custom domains in addition to the initial domain in Microsoft
365, you must publish two CNAME records for each additional domain. So, if you have
two domains, you must publish two additional CNAME records, and so on.
Important
Console
TTL: 3600
TTL: 3600
Where:
initialDomain is the domain that you used when you signed up for Microsoft 365.
Initial domains always end in onmicrosoft.com. For information about determining
your initial domain, see Domains FAQ.
Console
TTL: 3600
TTL: 3600
TTL: 3600
TTL: 3600
Note
It's important to create the second record, but only one of the selectors may be
available at the time of creation. In essence, the second selector might point to an
address that hasn't been created yet. We still recommend that you create the
second CNAME record, because your key rotation will be seamless.
3. In the details flyout that appears, change the Sign messages for this domain with
DKIM signatures setting to Enabled.
Important
If you are configuring DKIM for the first time and see the error 'No DKIM keys
saved for this domain', complete the command in step 2 below (for example,
Set-DkimSigningConfig -Identity contoso.com -Enabled $true) to see the key.
PowerShell
<Domain> is the name of the custom domain that you want to enable DKIM
signing for.
PowerShell
Send a message from an account within your Microsoft 365 DKIM-enabled domain
to another email account such as outlook.com or Hotmail.com.
Do not use an aol.com account for testing purposes. AOL may skip the DKIM check
if the SPF check passes. This will nullify your test.
Open the message and look at the header. Instructions for viewing the header for
the message will vary depending on your messaging client. For instructions on
viewing message headers in Outlook, see View internet message headers in
Outlook .
The DKIM-signed message will contain the host name and domain you defined
when you published the CNAME entries. The message will look something like this
example:
Console
h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
bh=<body hash>;
b=<signed field>;
Look for the Authentication-Results header. While each receiving service uses a
slightly different format to stamp the incoming mail, the result should include
something like DKIM=pass or DKIM=OK.
Important
The sender and recipient email addresses are in the same domain.
The sender and recipient email addresses are in different domains that are
controlled by the same organization.
Console
Authentication-Results: dkim=none (message not signed) header.d=none;
2. Run one of the following commands for each domain for which you want to
disable DKIM signing.
PowerShell
For example:
PowerShell
Or
PowerShell
PowerShell
Also, if you disable DKIM signing on your custom domain after enabling it, after a period
of time, Microsoft 365 will automatically apply the MOERA/initial domain policy for your
custom domain.
In the following example, suppose that DKIM for fabrikam.com was enabled by
Microsoft 365, not by the administrator of the domain. This means that the required
CNAMEs do not exist in DNS. DKIM signatures for email from this domain will look
something like this:
Console
h=From:To:Message-ID:Subject:MIME-Version:Content-Type;
bh=<body hash>;
b=<signed field>;
In this example, the host name and domain contain the values to which the CNAME
would point if DKIM-signing for fabrikam.com had been enabled by the domain
administrator. Eventually, every single message sent from Microsoft 365 will be DKIM-
signed. If you enable DKIM yourself, the domain will be the same as the domain in the
From: address, in this case fabrikam.com. If you don't, it will not align and instead will
use your organization's initial domain. For information about determining your initial
domain, see Domains FAQ.
Console
Return-Path: <communication@bulkemailprovider.com>
From: <sender@contoso.com>
3. When sending email, Bulk Email Provider signs the key with the corresponding
private key. By doing so, Bulk Email Provider attaches the DKIM signature to the
message header.
sender@contoso.com
d=contoso.com
Identify domains that do not send email
Organizations should explicitly state if a domain does not send email by specifying
v=DKIM1; p= in the DKIM record for those domains. This advises receiving email servers
that there are no valid public keys for the domain, and any email claiming to be from
that domain should be rejected. You should do this for each domain and subdomain
using a wildcard DKIM.
Console
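To show what a receiving server does with the header fields shown above (d=, s=, h=, bh=) and with a v=DKIM1; p= record, here is an added example in Python; it is not Microsoft's code or part of this article. It parses a DKIM-Signature header, builds the selector lookup name, classifies the published key record (including a wildcard *._domainkey record marking a domain that sends no mail), recomputes the body hash under simple canonicalization, and tests d= alignment with the From address. The message, selector records and placeholder key and signature values are constructed, and the RSA signature check itself is omitted because it needs the signer's real key.

```python
import base64
import hashlib
import re
from typing import Dict

# Constructed DNS answers for selector lookups; the p= value is a placeholder,
# not a real key, and none of these are Microsoft's records.
FAKE_DNS: Dict[str, str] = {
    "selector1._domainkey.fabrikam.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "*._domainkey.parked.example": "v=DKIM1; p=",   # wildcard 'this domain sends no mail'
}

REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")


def parse_tags(text: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' list (DKIM-Signature value or TXT record),
    removing folding whitespace inside values so bh= and b= come back intact."""
    if text.lower().startswith("dkim-signature:"):
        text = text.split(":", 1)[1]
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def selector_record_name(tags: Dict[str, str]) -> str:
    """The DNS name a verifier queries: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def key_status(tags: Dict[str, str], dns: Dict[str, str] = FAKE_DNS) -> str:
    """'ok', 'revoked' (the v=DKIM1; p= form above), 'invalid', or 'no-record'.
    Falls back to a wildcard *._domainkey record when the selector is absent."""
    record = dns.get(selector_record_name(tags)) or dns.get(f"*._domainkey.{tags['d']}")
    if record is None:
        return "no-record"
    key = parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1":
        return "invalid"
    return "revoked" if key.get("p", "") == "" else "ok"


def body_hash(body: str, algorithm: str = "sha256") -> str:
    """bh= value under 'simple' body canonicalization: CRLF line endings and
    trailing empty lines collapsed to a single CRLF (RFC 6376 section 3.4.3)."""
    canon = body.replace("\r\n", "\n").replace("\n", "\r\n")
    canon = canon.rstrip("\r\n") + "\r\n"
    digest = hashlib.new(algorithm, canon.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def org_domain(domain: str) -> str:
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])   # assumption: no public-suffix list


def dkim_aligned(tags: Dict[str, str], from_addr: str, strict: bool = False) -> bool:
    """Does d= line up with the From domain (strict: exact, relaxed: same org domain)?"""
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    d = tags["d"].lower()
    return d == from_domain if strict else org_domain(d) == org_domain(from_domain)


def inspect_signature(signature: str, from_addr: str, body: str,
                      dns: Dict[str, str] = FAKE_DNS) -> Dict[str, object]:
    """Everything a receiver can check before the RSA step (which needs the real key)."""
    tags = parse_tags(signature)
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]
    return {
        "missing_tags": [t for t in REQUIRED_TAGS if t not in tags],
        "from_signed": "from" in tags.get("h", "").lower().split(":"),
        "dns_name": selector_record_name(tags),
        "key": key_status(tags, dns),
        "body_hash_ok": tags.get("bh") == body_hash(body, algorithm),
        "aligned": dkim_aligned(tags, from_addr),
    }


# Constructed message: body first, then a header whose bh= is computed from it.
SAMPLE_BODY = "Quarterly invoice attached.\r\n\r\n"
SAMPLE_SIGNATURE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=fabrikam.com; s=selector1;\r\n"
    "  h=From:To:Message-ID:Subject:MIME-Version:Content-Type;\r\n"
    f"  bh={body_hash(SAMPLE_BODY)};\r\n"
    "  b=PLACEHOLDER_SIGNATURE;"
)
PARKED_SIGNATURE = SAMPLE_SIGNATURE.replace("d=fabrikam.com", "d=parked.example")

if __name__ == "__main__":
    print(inspect_signature(SAMPLE_SIGNATURE, "chris@fabrikam.com", SAMPLE_BODY))
    print(inspect_signature(PARKED_SIGNATURE, "noreply@parked.example", SAMPLE_BODY))
```

The parked.example case is the "does not send email" record from the section above: the selector resolves through the wildcard to an empty p=, so any signature claiming that domain is reported as revoked before any cryptography is attempted.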
Once you have set up DKIM, if you have not already set up SPF you should do so. For a
quick introduction to SPF and to get it configured quickly, see Set up SPF in Microsoft
365 to help prevent spoofing. For a more in-depth understanding of how Microsoft 365
uses SPF, or for troubleshooting or non-standard deployments such as hybrid
deployments, start with How Microsoft 365 uses Sender Policy Framework (SPF) to
prevent spoofing.
Next, see Use DMARC to validate email. Anti-spam message headers includes the
syntax and header fields used by Microsoft 365 for DKIM checks.
This test will validate that the DKIM signing configuration has been configured
correctly, and that the proper DNS entries have been published.
Note
This feature requires a Microsoft 365 administrator account. This feature isn't
available for Microsoft 365 Government, Microsoft 365 operated by 21Vianet, or
Microsoft 365 Germany.
DMARC ensures the destination email systems trust messages sent from your domain.
Using DMARC with SPF and DKIM gives organizations more protection against spoofing
and phishing email. DMARC helps receiving mail systems decide what to do with
messages from your domain that fail SPF or DKIM checks.
Tip
Visit the Microsoft Intelligent Security Association (MISA) catalog to view third-
party vendors offering DMARC reporting for Microsoft 365.
Tip
Have you seen our step-by-step guides? Configuration 1-2-3s and no frills, for
admins in a hurry. Visit for the steps to enable DMARC Reporting for Microsoft
Online Email Routing Addresses (MOERA) and parked Domains.
"Mail From" address: Identifies the sender and says where to send return notices if
any problems occur with the delivery of the message (such as non-delivery
notices). Mail From address appears in the envelope portion of an email message
and isn't displayed by your email application, and is sometimes called the
5321.MailFrom address or the reverse-path address.
"From" address: The address displayed as the From address by your mail
application. From address identifies the author of the email. That is, the mailbox of
the person or system responsible for writing the message. The From address is
sometimes called the 5322.From address.
SPF uses a DNS TXT record to list authorized sending IP addresses for a given domain.
Normally, SPF checks are only performed against the 5321.MailFrom address. The
5322.From address isn't authenticated when you use SPF by itself, which allows for a
scenario where a user gets a message that passed SPF checks but has a spoofed
5322.From sender address. For example, consider this SMTP transcript:
Console
S: Helo woodgrovebank.com
S: data
S:
S: Greetings User,
S:
S: Please click the following link to verify that Microsoft has the right
information for your account.
S:
S: https://short.url/woodgrovebank/updateaccount/12-121.aspx
S:
S: Thank you,
S: Woodgrove Bank
S: .
When you use DMARC, the receiving server also performs a check against the From
address. In the example above, if there's a DMARC TXT record in place for
woodgrovebank.com, then the check against the From address fails.
Console
For more third-party vendors who offer DMARC reporting for Microsoft 365, visit the
MISA catalog.
If you have a custom domain or are using on-premises Exchange servers along with
Microsoft 365, you need to manually set up DMARC for your outbound mail. Setting up
DMARC for your custom domain includes these steps:
For mail sent from third parties on my behalf, will the 5321.MailFrom and
5322.From domains match?
For example, assuming contoso.com sends mail from Exchange Online, an on-premises
Exchange server whose IP address is 192.168.0.1, and a web application whose IP
address is 192.168.100.100, the SPF TXT record would look like this:
Console
As a best practice, ensure that your SPF TXT record takes into account third-party
senders.
If you have third-party senders that send mail on your behalf and the mail they send has
mismatched 5321.MailFrom and 5322.From addresses, DMARC will fail for that email. To
avoid this, you need to set up DKIM for your domain specifically with that third-party
sender. This allows Microsoft 365 to authenticate email from this third-party service.
However, it also allows others, for example, Yahoo, Gmail, and Comcast, to verify email
sent to them by the third-party as if it was email sent by you. This is beneficial because it
allows your customers to build trust with your domain no matter where their mailbox is
located, and at the same time Microsoft 365 won't mark a message as spam due to
spoofing because it passes authentication checks for your domain.
For instructions on setting up DKIM for your domain, including how to set up DKIM for
third-party senders so they can spoof your domain, see Use DKIM to validate outbound
email sent from your custom domain.
Console
Where:
domain is the domain you want to protect. By default, the record protects mail
from the domain and all subdomains. For example, if you specify
_dmarc.contoso.com, then DMARC protects mail from the domain and all
subdomains, such as housewares.contoso.com or plumbing.contoso.com.
TTL should always be the equivalent of one hour. The unit used for TTL, either
hours (1 hour), minutes (60 minutes), or seconds (3600 seconds), will vary
depending on the registrar for your domain.
pct=100 indicates that this rule should be used for 100% of email.
policy specifies what policy you want the receiving server to follow if DMARC fails.
You can set the policy to none, quarantine, or reject.
For information about which options to use, become familiar with the concepts in Best
practices for implementing DMARC in Microsoft 365.
Examples:
Console
Console
Console
Once you've formed your record, you need to update the record at your domain
registrar.
Caution
Mails may not be sent out daily, and the report itself may change during public
preview. The DMARC aggregate report emails can be expected from the Consumer
accounts (such as hotmail.com, outlook.com, or live.com accounts).
can see the rua address, in this case, processed by third-party company Agari. This
address is used to send 'aggregate feedback' for analysis, and which is used to generate
a report.
Tip
Visit the MISA catalog to view more third-party vendors offering DMARC
reporting for Microsoft 365. See IETF.org's 'Domain-based Message
Authentication, Reporting, and Conformance (DMARC)' for more information
on DMARC 'rua' addresses.
You can do this even before you've implemented SPF or DKIM in your messaging
infrastructure. However, you won't be able to effectively quarantine or reject mail
by using DMARC until you also implement SPF and DKIM. As you introduce SPF
and DKIM, the reports generated through DMARC will give the numbers and
sources of messages that pass these checks, versus those that don't. You can easily
see how much of your legitimate traffic is or isn't covered by them, and
troubleshoot any problems. You'll also begin to see how many fraudulent
messages are being sent, and where they're sent from.
2. Request that external mail systems quarantine mail that fails DMARC
When you believe that all or most of your legitimate traffic is protected by SPF and
DKIM, and you understand the impact of implementing DMARC, you can
implement a quarantine policy. A quarantine policy is a DMARC TXT record that
has its policy set to quarantine (p=quarantine). By doing this, you're asking
DMARC receivers to put messages from your domain that fail DMARC into the
local equivalent of a spam folder instead of your customers' inboxes.
3. Request that external mail systems not accept messages that fail DMARC
The final step is implementing a reject policy. A reject policy is a DMARC TXT
record that has its policy set to reject (p=reject). When you do this, you're asking
DMARC receivers not to accept messages that fail the DMARC checks.
Also, you can add a wildcard-type policy for DMARC when subdomains shouldn't
be sending email, by adding the sp=reject value. For example:
text
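The three policy levels above, the sp= subdomain value and pct=, as an added example rather than Microsoft's code: a DMARC record parser plus the receiver-side evaluation that turns SPF/DKIM results and identifier alignment into a disposition. The records, rua mailboxes, sender domains and messages are constructed; the organizational domain is approximated as the last two labels (no public-suffix list), and a hash of the Message-ID stands in for the receiver's random pct sampling.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed records; the rua addresses are placeholders, not real mailboxes.
RECORDS: Dict[str, str] = {
    "_dmarc.contoso.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@contoso.com",
    "_dmarc.woodgrovebank.com": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@woodgrovebank.com",
    "_dmarc.fabrikam.com": "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@fabrikam.com",
}
POLICY_ACTION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
NOT_SAMPLED = {"reject": "quarantine", "quarantine": "none", "none": "none"}   # RFC 7489 section 6.6.4


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; ...' and insist on the two tags every record needs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=")
    return tags


def is_valid_dmarc(record: str) -> bool:
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def org_domain(domain: str) -> str:
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])   # assumption: no public-suffix list


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """mode 's' (strict) needs an exact match; 'r' (relaxed) the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Message:
    from_domain: str                    # 5322.From domain shown to the user
    mailfrom_domain: str                # 5321.MailFrom (envelope) domain SPF checked
    spf_result: str                     # pass / fail / softfail / neutral / none
    dkim_domain: Optional[str] = None   # d= of a verified signature, if any
    dkim_result: str = "none"
    message_id: str = "<constructed@example>"   # used only for pct sampling


def lookup_policy(from_domain: str, records: Dict[str, str] = RECORDS) -> Tuple[Optional[str], bool]:
    """Try _dmarc.<from domain> first, then _dmarc.<org domain>, as a receiver does.
    Returns (record, found_at_org_domain)."""
    exact = records.get(f"_dmarc.{from_domain.lower()}")
    if exact is not None:
        return exact, False
    return records.get(f"_dmarc.{org_domain(from_domain)}"), True


def evaluate(m: Message, records: Dict[str, str] = RECORDS) -> Dict[str, str]:
    """DMARC result and the disposition the publisher asked for."""
    record, via_org = lookup_policy(m.from_domain, records)
    if record is None:
        return {"result": "none", "policy": "none", "action": "deliver"}
    tags = parse_dmarc(record)
    spf_ok = m.spf_result == "pass" and aligned(m.mailfrom_domain, m.from_domain, tags.get("aspf", "r"))
    dkim_ok = m.dkim_result == "pass" and aligned(m.dkim_domain, m.from_domain, tags.get("adkim", "r"))
    # sp= governs subdomains of the domain that published the record
    policy = tags.get("sp", tags["p"]) if via_org else tags["p"]
    if spf_ok or dkim_ok:
        return {"result": "pass", "policy": policy, "action": "deliver"}
    # pct= asks receivers to enforce on only that share of failing mail; the rest
    # get the next less severe policy. A hash stands in for random selection here.
    pct = int(tags.get("pct", "100"))
    bucket = int(hashlib.sha256(m.message_id.encode()).hexdigest(), 16) % 100
    if bucket >= pct:
        policy = NOT_SAMPLED[policy]
    return {"result": "fail", "policy": policy, "action": POLICY_ACTION[policy]}


if __name__ == "__main__":
    # Envelope sender and From domain differ, nothing is signed: the spoof scenario above.
    print(evaluate(Message("woodgrovebank.com", "phish.example", "pass")))
    # Third-party bulk sender signing with the customer's DKIM key: DKIM carries alignment.
    print(evaluate(Message("contoso.com", "bulkemailprovider.com", "pass", "contoso.com", "pass")))
    # Subdomain that should never send mail, covered by sp=reject at the org domain.
    print(evaluate(Message("housewares.fabrikam.com", "x.example", "fail")))
```

Running the same failing message against p=none, p=quarantine and p=reject records reproduces the rollout described in steps 1 to 3: the result is identical, only the requested disposition changes.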
If you publish a DMARC reject policy (p=reject), no other customer in Microsoft 365 can
spoof your domain because messages won't be able to pass SPF or DKIM for your
domain when relaying a message outbound through the service. However, if you do
publish a DMARC reject policy but don't have all of your email authenticated through
Microsoft 365, some of it may be marked as spam for inbound email (as described
above), or it will be rejected if you don't publish SPF and try to relay it outbound
through the service. This happens, for example, if you forget to include some of the IP
addresses for servers and apps that send mail on behalf of your domain when you form
your DMARC TXT record.
Microsoft 365 is configured like this because some legitimate email may fail DMARC. For
example, a message might fail DMARC if it's sent to a mailing list that then relays the
message to all list participants. If Microsoft 365 rejected these messages, people could
lose legitimate email and have no way to retrieve it. Instead, these messages will still fail
DMARC but they'll be marked as spam and not rejected. If desired, users can still get
these messages in their inbox through these methods:
Admins can use the spoof intelligence insight or the Tenant Allow/Block List to
allow messages from the spoofed sender.
Admins can create an Exchange mail flow rule (also known as a transport rule) for all
users that allows messages from those particular senders.
Microsoft 365 currently uses ARC to verify authentication results when Microsoft is
the ARC sealer, and plans to add support for third-party ARC sealers in the future.
If you're a customer and your domain's primary MX record doesn't point to EOP, you
won't get the benefits of DMARC. For example, DMARC won't work if you point the MX
record to your on-premises mail server and then route email to EOP by using a
connector. In this scenario, the receiving domain is one of your accepted domains, but
EOP isn't the primary MX. For example, suppose contoso.com points its MX at itself and
uses EOP as a secondary MX record; contoso.com's MX records look like the following:
Console
All, or most, email is first routed to mail.contoso.com because it's the primary MX, and
then routed on to EOP. In some cases, you might not list EOP as an MX record at all and
simply use connectors to route your email. EOP doesn't have to be the first MX entry for
DMARC validation to happen, but making it the first entry guarantees that the validation
is done; otherwise you have to be certain that every on-premises (non-Microsoft 365)
server in the path performs DMARC checks itself. DMARC becomes eligible for
enforcement for a domain (not a server) when you publish the DMARC TXT record, but it's
up to the receiving server to actually enforce it. If EOP is the receiving server, then
EOP does the DMARC enforcement.
The Anti-spam message headers article describes the syntax and header fields used by
Microsoft 365 for DMARC checks.
Take the DMARC Training Series from M3AAWG (Messaging, Malware, Mobile
Anti-Abuse Working Group).
See also
How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing
Use DKIM to validate outbound email sent from your custom domain in Microsoft
365
Email authentication mechanisms like SPF, DKIM, and DMARC are used to verify the senders
of email for the safety of recipients, but some legitimate services modify messages
between the sender and the recipient. In Microsoft 365 Defender, ARC helps reduce SPF,
DKIM, and DMARC delivery failures that are caused by legitimate indirect mail flows.
Trusted ARC sealers let admins add a list of trusted intermediaries in the Microsoft
365 Defender portal. Microsoft then honors ARC signatures from these trusted
intermediaries, which prevents legitimate messages from failing the authentication
chain.
Note
By adding a trusted ARC sealer, Office 365 validates and trusts the authentication
results that the sealer provides when delivering mail to your tenant. Administrators
should add only legitimate services as trusted ARC sealers. Adding only the services the
organization expressly uses and knows lets messages that must first pass through such a
service pass email authentication checks, and prevents legitimate messages from being
sent to Junk due to authentication failures. Because a trusted sealer's results override
your own DMARC evaluation, treat the list as a spoofing allow-list: limit it to
intermediaries that actually relay your mail and review it periodically.
To add a new Trusted ARC sealer in the Microsoft 365 Defender portal:
2. If this is the first time you've added a trusted ARC sealer, click the Add button.
An ARC header that lists an 'oda' value of 1 indicates that the previous ARC chain was
verified, the previous ARC sealer is trusted, and its pass result can be used to
override the current DMARC failure.
See the email authentication methods at the end of this header-block for the oda result.
40.107.65.78) smtp.rcpttodomain=microsoft.com
smtp.mailfrom=sampledoamin.onmicrosoft.com; dmarc=bestguesspass action=none
[1,1,header.d=sampledoamin.onmicrosoft.com] dmarc=
[1,1,header.from=sampledoamin.onmicrosoft.com])
To check whether the ARC result was used to override a DMARC failure, look for
compauth result and a reason of code(130) in the header.
See the last entry in this header-block to find compauth and reason.
reason=130
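The two markers above (oda=1 in the ARC results and compauth=pass reason=130 in the composite result) are what a SOC analyst checks when a message that failed direct DMARC was still delivered. The following PowerShell function is an added example, not code from the Microsoft documentation: it unfolds a message's Authentication-Results and ARC-Authentication-Results headers and reports whether a trusted sealer's result overrode the DMARC failure. The two sets of sample headers are constructed to mirror the layout shown above and are not from a real message; the function name is this example's own.

```powershell
# Added example (not part of the Microsoft documentation): decide from a message's
# authentication headers whether a trusted ARC sealer's result overrode a DMARC
# failure. The markers it looks for (oda=1, compauth=pass reason=130) are the ones
# described above; the sample headers below are constructed to mirror that layout
# and are not a real message. The function name is this example's own.
function Test-ArcOverride {
    param([Parameter(Mandatory)][string[]]$Headers)

    # Unfold the header lines and collapse whitespace so each regex sees one line of text.
    $text = ($Headers -join ' ') -replace '\s+', ' '

    # Direct result of the receiving server's own DMARC check (first dmarc= occurrence).
    $dmarc = if ($text -match '\bdmarc=(\w+)') { $Matches[1] } else { $null }
    # ARC chain verdict and the oda flag from the ARC-Authentication-Results header.
    $arcPass = [bool]($text -match '\barc=pass\b')
    $oda = if ($text -match '\boda=(\d)') { [int]$Matches[1] } else { $null }
    # Composite authentication verdict and its reason code.
    $compResult = $null; $reason = $null
    if ($text -match '\bcompauth=(\w+) reason=(\d+)') {
        $compResult = $Matches[1]
        $reason = [int]$Matches[2]
    }

    [pscustomobject]@{
        DirectDmarc = $dmarc
        ArcPass     = $arcPass
        Oda         = $oda
        CompAuth    = $compResult
        Reason      = $reason
        # A trusted sealer override shows as oda=1 together with compauth=pass reason=130.
        ArcOverrode = ($arcPass -and $oda -eq 1 -and $compResult -eq 'pass' -and $reason -eq 130)
    }
}

# Constructed headers: the direct checks fail (the message was modified by a relay),
# but a trusted ARC sealer's earlier pass result is honored.
$viaTrustedRelay = @(
    'Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com;',
    ' dkim=fail (body hash did not verify) header.d=contoso.com;',
    ' dmarc=fail action=none header.from=contoso.com; compauth=pass reason=130',
    'ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass smtp.mailfrom=contoso.com;',
    ' dmarc=pass action=none header.from=contoso.com; dkim=pass header.d=contoso.com;',
    ' arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=contoso.com]',
    ' dkim=[1,1,header.d=contoso.com] dmarc=[1,1,header.from=contoso.com])'
)
# Constructed headers: same failures, but the relay is not a trusted sealer, so no override.
$viaUntrustedRelay = @(
    'Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com;',
    ' dkim=fail (body hash did not verify) header.d=contoso.com;',
    ' dmarc=fail action=oreject header.from=contoso.com; compauth=fail reason=000',
    'ARC-Authentication-Results: i=2; mx.microsoft.com 1; arc=fail (0 oda=0 ltdi=0)'
)

Test-ArcOverride -Headers $viaTrustedRelay   | Format-List
Test-ArcOverride -Headers $viaUntrustedRelay | Format-List
```

The first call reports DirectDmarc fail but ArcOverrode true; the second reports ArcOverrode false, so the message was judged on its direct results alone. Run it over the headers exported from Threat Explorer or a message trace when you need to explain why a DMARC-failing message reached an inbox.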
2. Connect-ExchangeOnline.
3. To add or update a domain into a trusted ARC sealer:
or
You must provide the -Identity Default parameter when running Set-ArcConfig. Each
trusted sealer value must match the value of the 'd' tag in the ARC-Seal header of the
messages that the sealer signs.
Get-ArcConfig
or
Get-ArcConfig -Organization {tenant name}
The output shows the same organization's configuration after a trusted ARC sealer has
been added.
Next steps: After you set up ARC for Microsoft 365 Defender for Office 365
After setup, check your ARC headers with the Message Header Analyzer .
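The steps above say a trusted sealer entry must match the d= tag of the intermediary's ARC-Seal header, and Set-ArcConfig takes the complete list. The following PowerShell is an added example, not code from the Microsoft documentation: it reads the sealer domain out of an ARC-Seal header and appends it to the tenant's trusted sealers without overwriting the entries that are already there. The ARC-Seal header, the domain fabrikam.com and the two function names are constructed for this example; Get-ArcConfig, Set-ArcConfig and the ArcTrustedSealers property are the Exchange Online cmdlets and output property named above.

```powershell
# Added example (not part of the Microsoft documentation): take the sealer domain
# from an intermediary's ARC-Seal header and add it to the tenant's trusted ARC
# sealers without dropping the domains that are already trusted. The ARC-Seal
# header and the domain fabrikam.com are constructed for the example, and the two
# function names are this example's own; Get-ArcConfig / Set-ArcConfig and the
# ArcTrustedSealers property are the Exchange Online cmdlets named above.
function Get-ArcSealerDomain {
    param([Parameter(Mandatory)][string]$ArcSealHeader)
    # The sealer's domain is the d= tag of the ARC-Seal header, which is what the
    # trusted-sealer entry has to match.
    if ($ArcSealHeader -match '(?:^|;)\s*d=([^;\s]+)') { return $Matches[1].ToLower() }
    throw "No d= tag found in the ARC-Seal header"
}

function Add-TrustedArcSealer {
    param([Parameter(Mandatory)][string[]]$Domain)
    # Set-ArcConfig replaces the whole list, so read the current entries first and
    # append only the ones that aren't there yet.
    $config  = Get-ArcConfig
    $current = @($config.ArcTrustedSealers | Where-Object { $_ })
    $toAdd   = @($Domain | ForEach-Object { $_.ToLower() } | Where-Object { $current -notcontains $_ })
    if ($toAdd.Count -eq 0) {
        Write-Host "Nothing to add: $($Domain -join ', ') already trusted."
        return $current
    }
    $merged = $current + $toAdd
    Set-ArcConfig -Identity Default -ArcTrustedSealers $merged
    return $merged
}

# Constructed ARC-Seal header from a relay service the organization knowingly uses.
$arcSeal = 'ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=fabrikam.com; cv=none; b=MIIB...'
$sealer = Get-ArcSealerDomain -ArcSealHeader $arcSeal    # fabrikam.com

Connect-ExchangeOnline
Add-TrustedArcSealer -Domain $sealer
Get-ArcConfig | Format-List ArcTrustedSealers
```

Reading the list before writing it is the point: a bare Set-ArcConfig -ArcTrustedSealers "fabrikam.com" would silently drop every sealer that was trusted before, and the messages relying on them would start landing in Junk again.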
Configuration analyzer in the Microsoft 365 Defender portal provides a central location
to find and fix security policies where the settings are below the Standard protection
and Strict protection profile settings in preset security policies.
Microsoft Defender for Office 365 policies: This includes organizations with
Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:
Anti-phishing policies in Microsoft Defender for Office 365, which include:
The same spoof settings that are available in the EOP anti-phishing policies.
Impersonation settings
Advanced phishing thresholds
Safe Links policies.
Safe Attachments policies.
The Standard and Strict policy setting values that are used as baselines are described in
Recommended settings for EOP and Microsoft Defender for Office 365 security.
You need to be assigned permissions in the Microsoft 365 Defender portal before
you can do the procedures in this article:
To use the configuration analyzer and make updates to security policies, you
need to be a member of the Organization Management or Security
Administrator role groups.
For read-only access to the configuration analyzer, you need to be a member of
the Global Reader or Security Reader role groups.
For more information, see Permissions in the Microsoft 365 Defender portal.
Note
Adding users to the corresponding Azure Active Directory role gives users
the required permissions in the Microsoft 365 Defender portal and
permissions for other features in Microsoft 365. For more information, see
About admin roles.
The View-Only Organization Management role group in Exchange Online
also gives read-only access to the feature.
The first section of the tab displays the number of settings in each type of policy that
need improvement as compared to Standard or Strict protection. The types of policies
are:
Anti-spam
Anti-phishing
Anti-malware
Safe Attachments (if your subscription includes Microsoft Defender for Office 365)
Safe Links (if your subscription includes Microsoft Defender for Office 365)
If a policy type and number isn't shown, then all of your policies of that type meet the
recommended settings of Standard or Strict protection.
The rest of the tab is the table of settings that need to be brought up to the level of
Standard or Strict protection. When you select a row in the table, the following actions
are available:
Apply recommendation
View policy
Refresh
If you select a row and click Apply recommendation, a confirmation dialog (with the
option to not show the dialog again) appears. If you click OK, the following things
happen:
If you select a row and click View policy you're taken to the details flyout of the affected
policy in the Microsoft 365 Defender portal where you can manually update the setting.
After you automatically or manually update the setting, click Refresh to see the reduced
number of recommendations and the removal of the updated row from the results.
Last modified
Modified by
Setting Name
Policy: The name of the affected policy.
Type: Anti-spam, Anti-phishing, Anti-malware, Safe Links, or Safe Attachments.
Configuration change: The old value and the new value of the setting
Configuration drift: The value Increase or Decrease that indicates the setting
increased or decreased security compared to the recommended Standard or Strict
setting.
To filter the results, click Filter. In the Filters flyout that appears, you can select from the
following filters:
Start time and End time (date): You can go back as far as 90 days from today.
Standard protection or Strict protection
To filter the results by a specific Modified by, Setting name, or Type value, use the
Search box.
Preset security policies in EOP and
Microsoft Defender for Office 365
Article • 12/22/2022 • 24 minutes to read
Preset security policies provide a centralized location for applying all of the
recommended spam, malware, and phishing policies to users at once. The policy
settings are not configurable. Instead, they are set by us and are based on our
observations and experiences in the datacenters for a balance between keeping harmful
content away from users and avoiding unnecessary disruptions.
The rest of this article describes preset security policies and how to configure them.
Profiles
Policies
Policy settings
In addition, the order of precedence is important if multiple preset security policies and
other policies apply to the same person.
Standard protection: A baseline protection profile that's suitable for most users.
Strict protection: A more aggressive protection profile for selected users (high
value targets or priority users).
For Standard protection and Strict protection, you use rules with conditions and
exceptions to determine the internal recipients that the policy applies to (recipient
conditions).
You can only use a condition or exception once, but you can specify multiple
values for the condition or exception. Multiple values of the same condition or
exception use OR logic (for example, <recipient1> or <recipient2>). Different
conditions or exceptions use AND logic (for example, <recipient1> and <member
of group 1>).
Important
Different condition types aren't additive; they're inclusive. The policy is applied
only to recipients that match all of the specified recipient filters. For example, if
you configure the conditions Users: romain@contoso.com and Groups: Executives, the
policy is applied to romain@contoso.com only if he's also a member of the Executives
group. Likewise, if you use the same recipient filter as an exception to the policy,
the policy is not applied to romain@contoso.com only if he's also a member of the
Executives group. If he's not a member of the group, then the policy still applies
to him.
Built-in protection (Defender for Office 365 only): A profile that enables Safe Links
and Safe Attachments protection only. This profile effectively provides default
policies for Safe Links and Safe Attachments, which never had default policies.
For Built-in protection, the preset security policy is on by default for all Defender
for Office 365 customers. Although we don't recommend it, you can also configure
exceptions based on Users, Groups, and Domains so the protection isn't applied
to specific users.
Until you assign the policies to users, the Standard and Strict preset security policies are
assigned to no one. In contrast, the Built-in protection preset security policy is assigned
to all recipients by default, but you can configure exceptions.
Exchange Online Protection (EOP) policies: These policies are in all Microsoft 365
organizations with Exchange Online mailboxes and standalone EOP organizations
without Exchange Online mailboxes:
Anti-spam policies named Standard Preset Security Policy and Strict Preset
Security Policy.
Anti-malware policies named Standard Preset Security Policy and Strict Preset
Security Policy.
Anti-phishing policies (spoofing protection) named Standard Preset Security
Policy and Strict Preset Security Policy (spoof settings).
Note
Outbound spam policies are not part of preset security policies. The default
outbound spam policy automatically protects members of preset security
policies. Or, you can create custom outbound spam policies to customize the
protection for members of preset security policies. For more information, see
Configure outbound spam filtering in EOP.
Microsoft Defender for Office 365 policies: These policies are in organizations
with Microsoft 365 E5 or Defender for Office 365 add-on subscriptions:
Anti-phishing policies in Defender for Office 365 named Standard Preset
Security Policy and Strict Preset Security Policy, which include:
The same spoof settings that are available in the EOP anti-phishing policies.
Impersonation settings
Advanced phishing thresholds
Safe Links policies named Standard Preset Security Policy, Strict Preset Security
Policy, and Built-in Protection Policy.
Safe Attachments policies named Standard Preset Security Policy, Strict Preset
Security Policy, and Built-in Protection Policy.
You can apply EOP protections to different users than Defender for Office 365
protections, or you can apply EOP and Defender for Office 365 to the same recipients.
Note
In Defender for Office 365 protections, you need to identify the senders for user
impersonation protection and the internal or external domains for domain
impersonation protection.
All domains that you own (accepted domains) automatically receive domain
impersonation protection in preset security policies.
The order of precedence is: the settings of the Strict preset security policy override
the settings of the Standard preset security policy, which override the settings of any
custom policies, which override the settings of the Built-in protection preset security
policy for Safe Links and Safe Attachments and the default policies for anti-spam,
anti-malware, and anti-phishing.
For example, a security setting exists in Standard protection and an admin specifies a
user for Standard protection. The Standard protection setting is applied to the user
instead of what's configured for that setting in a custom policy or in the default policy
for the same user.
You might want to apply the Standard or Strict preset security policies to a subset of
users, and apply custom policies to other users in your organization to meet specific
needs. To meet this requirement, do the following steps:
Configure the users who should get the settings of the Standard preset security
policy and custom policies as exceptions in the Strict preset security policy.
Configure the users who should get the settings of custom policies as exceptions
in the Standard preset security policy.
Built-in protection does not affect recipients in existing Safe Links or Safe Attachments
policies. If you've already configured Standard protection, Strict protection or custom
Safe Links or Safe Attachments policies, those policies are always applied before Built-in
protection, so there's no impact to the recipients who are already defined in those
existing preset or custom policies.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To configure preset security policies, you need to be a member of the
Organization Management or Security Administrator role groups.
For read-only access to preset security policies, you need to be a member of the
Global Reader role group.
For more information, see Permissions in Exchange Online.
Note: Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions and permissions
for other features in Microsoft 365. For more information, see About admin roles.
2. On the Preset security policies page, click Manage in the Standard protection or
Strict protection sections.
3. The Apply Standard protection or Apply Strict protection wizard starts in a flyout.
On the Apply Exchange Online Protection page, identify the internal recipients
that the EOP protections apply to (recipient conditions):
All recipients
Specific recipients:
Users
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains
Click in the appropriate box, start typing a value, and select the value that
you want from the results. Repeat this process as many times as necessary. To
remove an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias,
email address, account name, etc.), but the corresponding display name is
shown in the results. For users, enter an asterisk (*) by itself to see all
available values.
None
Exclude these recipients: To add exceptions for the internal recipients that
the policy applies to (recipient exceptions), select this option and configure
the exceptions. The settings and behavior are exactly like the conditions.
Note
In organizations without Defender for Office 365, clicking Next takes you to
the Review page. The remaining steps/pages before the Review page are
available only in organizations with Defender for Office 365.
4. On the Apply Defender for Office 365 protection page, identify the internal
recipients that the Defender for Office 365 protections apply to (recipient
conditions).
The settings and behavior are exactly like the EOP protections apply to page in
the previous step.
You can also select Previously selected recipients to use the same recipients that
you selected for EOP protection on the previous page.
6. On the Add email addresses to flag when impersonated by attackers page, add
internal and external senders who are protected by user impersonation protection.
Note
Each entry consists of a display name and an email address. Enter each value in the
boxes and then click Add. Repeat this step as many times as necessary.
You can specify a maximum of 350 users, and you can't specify the same user in
the user impersonation protection settings in multiple policies.
Note
All domains that you own (accepted domains) automatically receive domain
impersonation protection in preset security policies.
Enter the domain in the box, and then click Add. Repeat this step as many times as
necessary.
To remove an existing entry from the list, select the entry, and then click the remove icon next to it.
The maximum number of domains that you can specify for domain impersonation
protection in all anti-phishing policies is 50.
8. On the Add trusted email addresses and domains to not flag as impersonation
page, enter the sender email addresses and domains that you want excluded from
impersonation protection. Messages from these senders will never be flagged as
an impersonation attack, but the senders are still subject to scanning by other
filters in EOP and Defender for Office 365.
Enter the email address or domain in the box, and then click Add. Repeat this step
as many times as necessary.
To remove an existing entry from the list, select the entry, and then click the remove icon next to it.
9. On the Review and confirm this policy page, verify your selections, and then click
Confirm.
To disable the Standard protection or Strict protection preset security policies while still
preserving the existing conditions and exceptions, slide the toggle to Disabled . To
enable the policies, slide the toggle to Enabled .
2. On the Preset security policies page, select Add exclusions (not recommended) in
the Built-in protection section.
3. On the Exclude from Built-in protection flyout that appears, identify the internal
recipients that are excluded from the built-in Safe Links and Safe Attachments
protection:
Users
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains
Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.
When you're finished, click Save.
For example, for email that's detected as spam (not high confidence spam) verify that
the message is delivered to the Junk Email folder for Standard protection users, and
quarantined for Strict protection users.
Or, for bulk mail, verify that the BCL value 6 or higher delivers the message to the Junk
Email folder for Standard protection users, and the BCL value 4 or higher quarantines
the message for Strict protection users.
Rules: Separate rules for the Standard preset security policy, the Strict preset
security policy, and the Built-in protection preset security policy define the
recipient conditions and exceptions for the policies (identify the recipients that the
protections of the policy apply to).
For the Standard and Strict preset security policies, these rules are created the first
time you turn on the preset security policy in the Microsoft 365 Defender portal. If
you've never turned on the preset security policy, the associated rules don't exist.
Subsequently turning off the preset security policy does not delete the associated
rules.
The Built-in protection preset security policy has a single rule that controls
exceptions to the default Safe Links and Safe Attachments protection of the policy.
The Standard and Strict preset security policies have the following rules:
Rules for Exchange Online Protection (EOP) protections: The rule for the
Standard Preset security policy and the rule for the Strict preset security policy
controls who the EOP protections in the policy (anti-malware, anti-spam, and
anti-phishing) apply to (the recipient conditions and exceptions for EOP
protections).
Rules for Defender for Office 365 protections: The rule for the Standard Preset
security policy and the rule for the Strict preset security policy controls who the
Defender for Office 365 protections in the policy (Safe Links and Safe
Attachments) apply to (the recipient conditions and exceptions for Defender for
Office 365 protections).
The rules for Standard and Strict preset security policies also allow you to turn on
or turn off the preset security policy by enabling or disabling the rules that are
associated with the policies.
The rules for preset security policies are not available to the regular rule cmdlets
that work for individual security policies (for example, Get-AntiPhishRule). Instead,
the following cmdlets are required:
Built-in protection preset security policy: *-ATPBuiltInProtectionRule cmdlets.
Standard and strict preset security policies: *-EOPProtectionPolicyRule and *-
ATPProtectionPolicyRule cmdlets.
The following sections describe how to use these cmdlets in supported scenarios.
Warning
Do not attempt to create, modify, or remove the individual security policies that are
associated with preset security policies. The only supported method for creating
the individual security policies for Standard or Strict preset security policies is to
turn on the preset security policy in the Microsoft 365 Defender portal for the first
time.
Built-in protection preset security policy: The associated policies are named Built-
In Protection Policy. The IsBuiltInProtection property value is True for these policies.
To view the individual security policies for the Built-in protection preset security
policy, run the following command:
PowerShell
Standard preset security policy: The associated policies are named Standard
Preset Security Policy<13-digit number> . For example, Standard Preset Security
Policy1622650008019. The RecommendedPolicyType property value is Standard.
To view the individual security policies for the Standard preset security policy in
organizations without Defender for Office 365, run the following command:
PowerShell
To view the individual security policies for the Standard preset security policy in
organizations with Defender for Office 365, run the following command:
PowerShell
Strict preset security policy: The associated policies are named Strict Preset
Security Policy<13-digit number> . For example, Strict Preset Security
To view the individual security policies for the Strict preset security policy in
organizations without Defender for Office 365, run the following
command:
PowerShell
PowerShell
Built-in protection preset security policy: The associated rule is named ATP Built-
In Protection Rule.
To view the rule that's associated with the Built-in protection preset security policy,
run the following command:
PowerShell
Get-ATPBuiltInProtectionRule
Standard preset security policy: The associated rules are named Standard Preset
Security Policy.
Use the following commands to view the rules that are associated with the
Standard preset security policy:
To view the rule that's associated with EOP protections in the Standard preset
security policy, run the following command:
PowerShell
To view the rule that's associated with Defender for Office 365 protections in the
Standard preset security policy, run the following command:
PowerShell
To view both rules at the same time, run the following command:
PowerShell
Strict preset security policy: The associated rules are named Strict Preset Security
Policy.
Use the following commands to view the rules that are associated with the Strict
preset security policy:
To view the rule that's associated with EOP protections in the Strict preset
security policy, run the following command:
PowerShell
To view the rule that's associated with Defender for Office 365 protections in the
Strict preset security policy, run the following command:
PowerShell
To view both rules at the same time, run the following command:
PowerShell
Depending on whether your organization has Defender for Office 365, you might need
to enable or disable one rule (the rule for EOP protections) or two rules (one rule for
EOP protections, and one rule for Defender for Office 365 protections) to turn on or turn
off the preset security policy.
In organizations without Defender for Office 365, run the following command
to determine whether the rule for the Standard preset policy is currently
enabled or disabled:
PowerShell
Run the following command to turn off the Standard preset security policy if
it's turned on:
PowerShell
Run the following command to turn on the Standard preset security policy if
it's turned off:
PowerShell
In organizations with Defender for Office 365, run the following command to
determine whether the rules for the Standard preset policy are currently
enabled or disabled:
PowerShell
Run the following command to turn off the Standard preset security policy if
it's turned on:
PowerShell
Run the following command to turn on the Standard preset security policy if
it's turned off:
PowerShell
In organizations without Defender for Office 365, run the following command
to determine whether the rule for the Strict preset policy is currently enabled or
disabled:
PowerShell
Run the following command to turn off the Strict preset security policy if it's
turned on:
PowerShell
Run the following command to turn on the Strict preset security policy if it's
turned off:
PowerShell
In organizations with Defender for Office 365, run the following command to
determine whether the rules for the Strict preset policy are currently enabled
or disabled:
PowerShell
Run the following command to turn off the Strict preset security policy if it's
turned on:
PowerShell
Run the following command to turn on the Strict preset security policy if it's
turned off:
PowerShell
Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security
Policy"; Enable-ATPProtectionPolicyRule -Identity "Strict Preset
Security Policy"
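The enable/disable commands above come in pairs because a profile is only fully on when both its EOP rule and its Defender for Office 365 rule are enabled. The following PowerShell is an added example, not code from the Microsoft documentation: it reports the state of both rules for each profile (treating a rule that doesn't exist yet as "Not present", which is what you see before the profile has ever been turned on in the portal or in an organization without Defender for Office 365) and toggles a profile while keeping both rules in step. The two function names are this example's own; the cmdlets and rule names are the ones documented above.

```powershell
# Added example (not part of the Microsoft documentation): report the state of the
# rules behind the Standard and Strict preset security policies and turn a profile
# on or off while keeping its EOP rule and its Defender for Office 365 rule in step.
# The function names are this example's own; the cmdlets and the rule names are the
# ones documented above.
function Get-PresetPolicyState {
    param([Parameter(Mandatory)][ValidateSet('Standard', 'Strict')][string]$Profile)
    $name = "$Profile Preset Security Policy"
    # Neither rule exists until the profile has been turned on in the portal once;
    # the ATP rule also never exists in organizations without Defender for Office 365.
    $eop = Get-EOPProtectionPolicyRule -Identity $name -ErrorAction SilentlyContinue
    $atp = Get-ATPProtectionPolicyRule -Identity $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Profile = $Profile
        EopRule = if ($eop) { "$($eop.State)" } else { 'Not present' }
        AtpRule = if ($atp) { "$($atp.State)" } else { 'Not present' }
    }
}

function Set-PresetPolicyEnabled {
    param(
        [Parameter(Mandatory)][ValidateSet('Standard', 'Strict')][string]$Profile,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $name = "$Profile Preset Security Policy"
    $before = Get-PresetPolicyState -Profile $Profile
    if ($before.EopRule -eq 'Not present') {
        throw "The $Profile preset security policy has never been turned on in the Microsoft 365 Defender portal, so its rules don't exist yet."
    }
    if ($Enabled) { Enable-EOPProtectionPolicyRule -Identity $name } else { Disable-EOPProtectionPolicyRule -Identity $name }
    # Toggle the Defender for Office 365 rule too, so the profile is never half enabled.
    if ($before.AtpRule -ne 'Not present') {
        if ($Enabled) { Enable-ATPProtectionPolicyRule -Identity $name } else { Disable-ATPProtectionPolicyRule -Identity $name }
    }
    Get-PresetPolicyState -Profile $Profile
}

Connect-ExchangeOnline
'Standard', 'Strict' | ForEach-Object { Get-PresetPolicyState -Profile $_ } | Format-Table -AutoSize
Set-PresetPolicyEnabled -Profile Strict -Enabled $true
```

Running the state report before and after a change is the quickest way to catch the common mistake of enabling the EOP rule but leaving the Defender rule disabled (or the reverse), which leaves the targeted users with half of the profile's protections.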
Important
Different condition and exception types aren't additive; they're inclusive. For
example, a recipient filter with the following values:
Users: romain@contoso.com
Groups: Executives
applies the policy to romain@contoso.com only if he's also a member of the Executives
group. Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of the Executives
group. If he's not a member of the group, then the policy still applies to him.
For the Built-in protection preset security policy, you can only specify recipient
exceptions. If all exception parameter values are empty ( $null ), there are no exceptions
to the policy.
For the Standard and Strict preset security policies, you can specify recipient conditions
and exceptions for EOP protections and Defender for Office 365 protections. If all of the
condition and exception parameter values are empty ( $null ), there are no recipient
conditions or exceptions to the Standard or Strict preset security policies.
PowerShell
This example removes all recipient exceptions from the Built-in protection preset
security policy.
PowerShell
PowerShell
This example configures exceptions from the EOP protections in the Standard
preset security policy for members of the distribution group named Executives.
PowerShell
This example configures exceptions from the Defender for Office 365 protections
in the Strict preset security policy for the specified security operations (SecOps)
mailboxes.
PowerShell
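The three examples above (clearing the Built-in protection exceptions, exempting a group from the Standard EOP protections, and exempting SecOps mailboxes from the Strict Defender protections) are the usual ways these rules get edited. The following PowerShell is an added example, not code from the Microsoft documentation: it applies those three changes and then audits every preset policy rule for the AND pitfall described in the Important note above, flagging any rule that combines more than one exception type. The Executives group and the two secops mailboxes are placeholders, and the audit function name is this example's own; the cmdlets and parameter names are the documented ones (the ATP cmdlets exist only in organizations with Defender for Office 365).

```powershell
# Added example (not part of the Microsoft documentation): apply the three exception
# changes described above and then audit every preset policy rule for the AND pitfall
# (a recipient is excluded only if it matches every configured exception type).
# The SecOps addresses and the Executives group are placeholders; the audit function
# name is this example's own. The cmdlets and parameter names are the documented ones.
Connect-ExchangeOnline

# Standard profile, EOP protections: exempt members of the Executives distribution group.
Set-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" -ExceptIfSentToMemberOf "Executives"

# Strict profile, Defender for Office 365 protections: exempt the SecOps mailboxes.
Set-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" -ExceptIfSentTo "secops1@contoso.com", "secops2@contoso.com"

# Built-in protection: remove every exception so Safe Links / Safe Attachments cover everyone.
Set-ATPBuiltInProtectionRule -Identity "ATP Built-In Protection Rule" -ExceptIfSentTo $null -ExceptIfSentToMemberOf $null -ExceptIfRecipientDomainIs $null

function Test-PresetRuleExceptions {
    param([Parameter(Mandatory)]$Rule)
    $kinds = @()
    if ($Rule.ExceptIfSentTo)            { $kinds += 'ExceptIfSentTo' }
    if ($Rule.ExceptIfSentToMemberOf)    { $kinds += 'ExceptIfSentToMemberOf' }
    if ($Rule.ExceptIfRecipientDomainIs) { $kinds += 'ExceptIfRecipientDomainIs' }
    [pscustomobject]@{
        Rule           = $Rule.Name
        State          = "$($Rule.State)"
        ExceptionTypes = ($kinds -join ', ')
        # More than one exception type means the exceptions are ANDed, which is
        # rarely what an admin intends; flag it for review.
        Warning        = if ($kinds.Count -gt 1) { 'Exception types are ANDed: a recipient is excluded only if it matches ALL of them' } else { '' }
    }
}

@(Get-EOPProtectionPolicyRule; Get-ATPProtectionPolicyRule; Get-ATPBuiltInProtectionRule) |
    ForEach-Object { Test-PresetRuleExceptions -Rule $_ } | Format-Table -AutoSize
```

A rule that lists both ExceptIfSentTo and ExceptIfSentToMemberOf is the PowerShell equivalent of the romain@contoso.com example: the user escapes the policy only while he is also in the group, so the audit column tells you which rules to re-check before assuming an exception is in effect.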
Important
But if you're using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal,
and you need info about Safe Links or Safe Attachments in Outlook blocking
emails, see Advanced Outlook.com security for Microsoft 365 subscribers .
Microsoft Defender for Office 365 safeguards your organization against malicious
threats posed by email messages, links (URLs), and collaboration tools. Defender for
Office 365 includes:
Installation by Preset can set up everything for you: The easiest and the
recommended setup automates the roll-out of a secure environment (if automated
policies are possible in your organization). Abbreviated steps are available too: Just
the steps for preset policy setup, please!
Reports: View real-time reports to monitor Defender for Office 365 performance in
your organization.
You'll also see how Defender for Office 365 can help you define protection policies,
analyze threats to your organization, and respond to attacks.
This article spells out what makes up the two products, and the emphasis of each part of
Microsoft Defender for Office 365 using a familiar structure: Protect, Detect, Investigate,
and Respond.
The goal of this article is clarity and quick readability. So, don't miss it!
Getting Started
There are two methods to set up Microsoft Defender for Office 365 for your
subscription.
Note
Microsoft Defender for Office 365 comes in two different Plan types. You can tell if
you have Plan 1 if you have 'Real-time Detections', and Plan 2, if you have Threat
Explorer. The Plan you have influences the tools you will see, so be certain that
you're aware of your Plan as you learn.
With Microsoft Defender for Office 365, your organization's security team can configure
protection by defining policies in the Microsoft 365 Defender portal at
https://security.microsoft.com at Email & collaboration > Policies & rules > Threat
policies. Or, you can go directly to the Threat policies page by using
https://security.microsoft.com/threatpolicy .
Tip
For a quick list of policies to define, see Protect against threats.
Policy options are extremely flexible. For example, your organization's security team can
set fine-grained threat protection at the user, organization, recipient, and domain level.
It is important to review your policies regularly because new threats and challenges
emerge daily.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: Protects your
organization when users collaborate and share files, by identifying and blocking
malicious files in team sites and document libraries. To learn more, see Turn on
Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams.
Reports update in real-time, providing you with the latest insights. These reports also
provide recommendations and alert you to imminent threats. Predefined reports include
the following:
Attack simulation training allows you to run realistic attack scenarios in your
organization to identify vulnerabilities. Simulations of current types of attacks are
available, including spear phishing credential harvest and attachment attacks, and
password spray and brute force password attacks.
AIR can save your security operations team time and effort in mitigating threats
effectively and efficiently. To learn more, see AIR in Office 365.
Role: Global administrator (or Organization Management)
   You can assign this role in Azure Active Directory or in the Microsoft 365 Defender portal. For more information, see Permissions in the Microsoft 365 Defender portal.
Role: Security Administrator
   You can assign this role in Azure Active Directory or in the Microsoft 365 Defender portal. For more information, see Permissions in the Microsoft 365 Defender portal.
Role: Search and Purge
   This role is available only in the Microsoft 365 Defender portal or the Microsoft Purview compliance portal. For more information, see Permissions in the Microsoft 365 Defender portal and Permissions in the Microsoft Purview compliance portal.
If your subscription doesn't include Defender for Office 365, you can get Defender for
Office 365 Plan 1 or Plan 2 as an add-on to certain subscriptions. To learn more, take a
look at the following resources:
Microsoft Defender for Office 365 availability for a list of subscriptions that include
Defender for Office 365 plans.
Feature availability across Microsoft Defender for Office 365 plans for a list of
features included in Plan 1 and 2.
Get the right Microsoft Defender for Office 365 to compare plans and purchase
Defender for Office 365.
Microsoft Defender for Office 365 Service Description describes features and
availability across Defender for Office 365 plans.
See also
Microsoft 365 Defender
Automated investigation and response (AIR) in Microsoft 365 Defender
Protect against threats
Article • 12/22/2022 • 15 minutes to read
Applies to
Here's a quick-start guide that breaks the configuration of Defender for Office 365 into
chunks. If you're new to threat protection features in Office 365, not sure where to
begin, or if you learn best by doing, use this guidance as a checklist and a starting point.
Important
Initial recommended settings are included for each kind of policy; however, many
options are available, and you can adjust your settings to meet your specific
organization's needs. Allow approximately 30 minutes for your policies or changes
to work their way through your datacenter.
To skip manual configuration of most policies in Defender for Office 365, you can
use preset security policies at the Standard or Strict level. For more information, see
Preset security policies in EOP and Microsoft Defender for Office 365.
Requirements
Subscriptions
Threat protection features are included in all Microsoft or Office 365 subscriptions;
however, some subscriptions have advanced features. The table below lists the
protection features included in this article together with the minimum subscription
requirements.
Tip
Notice that, after the directions to turn on auditing, the steps begin with anti-malware,
anti-phishing, and anti-spam, which are marked as part of Office 365 Exchange Online
Protection (EOP). This can seem odd in a Defender for Office 365 article until you
remember that Defender for Office 365 contains, and builds on, EOP.
Protection from malicious URLs and files in email and Office documents (Safe Links and Safe Attachments): Microsoft Defender for Office 365
2. On the Anti-malware page, select the policy named Default (Default) by clicking
on the name.
3. In the policy details flyout that opens, click Edit protection settings, and then
configure the following settings:
For detailed instructions for configuring anti-malware policies, see Configure anti-malware policies in EOP.
For more information about the recommended settings for anti-phishing policies, see
EOP anti-phishing policy settings and Anti-phishing policy settings in Microsoft
Defender for Office 365.
The following procedure describes how to configure the default anti-phishing policy.
Settings that are only available in Defender for Office 365 are clearly marked.
2. On the Anti-phishing page, select the policy named Office365 AntiPhish Default
(Default) by clicking on the name.
3. In the policy details flyout that appears, configure the following settings:
   - Phishing threshold & protection section: Click Edit protection settings and configure the following settings in the flyout that opens:
     - Phishing email threshold*: Select 2 - Aggressive (Standard) or 3 - More Aggressive (Strict).
     - Impersonation section*: Configure the following values:
       - Select Enable users to protect, click the Manage (nn) sender(s) link that appears, and then add internal and external senders to protect from impersonation, such as your organization's board members, your CEO, CFO, and other senior leaders.
       - Select Enable domains to protect, and then configure the following settings that appear:
         - Select Include domains I own to protect internal senders in your accepted domains (visible by clicking View my domains) from impersonation.
         - To protect senders in other domains, select Include custom domains, click the Manage (nn) custom domain(s) link that appears, and then add other domains to protect from impersonation.
       - Add trusted senders and domains section*: Click Manage (nn) trusted sender(s) and domain(s) to configure sender and sender domain exceptions to impersonation protection if needed.
       - Mailbox intelligence settings*: Verify that Enable mailbox intelligence and Enable intelligence for impersonation protection are selected.
     - Spoof section: Verify Enable spoof intelligence is selected.
   - Actions section: Click Edit actions and configure the following settings in the flyout that opens:
     - Message actions section: Configure the following settings:
       - If message is detected as an impersonated user*: Select Quarantine the message. An Apply quarantine policy box appears where you select the quarantine policy that applies to messages that are quarantined by user impersonation protection.
       - If message is detected as an impersonated domain*: Select Quarantine the message. An Apply quarantine policy box appears where you select the quarantine policy that applies to messages that are quarantined by domain impersonation protection.
       - If mailbox intelligence detects an impersonated user*: Select Move message to the recipients' Junk Email folders (Standard) or Quarantine the message (Strict). If you select Quarantine the message, an Apply quarantine policy box appears where you select the quarantine policy that applies to messages that are quarantined by mailbox intelligence protection.
       - If message is detected as spoof: Select Move message to the recipients' Junk Email folders (Standard) or Quarantine the message (Strict). If you select Quarantine the message, an Apply quarantine policy box appears where you select the quarantine policy that applies to messages that are quarantined by spoof intelligence protection.
     - Safety tips & indicators section: Configure the following settings:
       - Show first contact safety tip: Select (turn on).
       - Show user impersonation safety tip*: Select (turn on).
       - Show domain impersonation safety tip*: Select (turn on).
       - Show user impersonation unusual characters safety tip*: Select (turn on).
       - Show (?) for unauthenticated senders for spoof: Select (turn on).
       - Show "via" tag: Select (turn on).
* This setting is available only in Defender for Office 365.
For detailed instructions for configuring anti-phishing policies, see Configure anti-phishing policies in EOP and Configure anti-phishing policies in Microsoft Defender for Office 365.
2. On the Anti-spam policies page, select the policy named Anti-spam inbound
policy (Default) from the list by clicking on the name.
3. In the policy details flyout that appears, configure the following settings:
   - Bulk email threshold & spam properties section: Click Edit spam threshold and properties. In the flyout that appears, configure the following settings:
     - Bulk email threshold: Set this value to 5 (Strict) or 6 (Standard).
     - Leave other settings at their default values (Off or None).
   - Actions section: Click Edit actions. In the flyout that appears, configure the following settings:
     - Retain spam in quarantine for this many days: Verify the value 30 days.
     - Enable spam safety tips: Verify this setting is selected (turned on).
     - Enable zero-hour auto purge (ZAP): Verify this setting is selected (turned on).
       - Enable for phishing messages: Verify this setting is selected (turned on). For more information, see Zero-hour auto purge (ZAP) for phishing.
       - Enable for spam messages: Verify this setting is selected (turned on). For more information, see Zero-hour auto purge (ZAP) for spam.
For detailed instructions for configuring anti-spam policies, see Configure anti-spam
policies in EOP.
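The anti-phishing and anti-spam procedures above, applied to the two default policies with Exchange Online PowerShell, as an added example that is not code from the Microsoft article. It assumes the ExchangeOnlineManagement module, an account that can edit threat policies, and constructed placeholder users and domains; it takes the threshold values from the procedure above (2 for Standard, 3 for Strict), whereas the recommended-settings tables later on this page list 3 and 4 for the same setting.

```powershell
# Added example, not from the Microsoft article: apply the Standard or Strict values from
# the anti-phishing and anti-spam procedures to the default policies.
# Assumptions: ExchangeOnlineManagement is installed; the signed-in account holds a role
# that can edit threat policies (for example Security Administrator); the users, domains
# and quarantine policy choices below are placeholders to replace with your own.
[CmdletBinding()]
param(
    [ValidateSet('Standard', 'Strict')]
    [string] $Level = 'Strict'
)

Connect-ExchangeOnline        # interactive sign-in; skip if a session is already open

# Constructed placeholders: senior leaders and partner domains to protect from impersonation.
$protectedUsers   = @('Jane Doe;jane.doe@contoso.example', 'Sam Lee;sam.lee@contoso.example')
$protectedDomains = @('partner.example')

$strict = ($Level -eq 'Strict')

# Per-level values from the procedure. The threshold follows the procedure on this page
# (2 Standard, 3 Strict); the recommended-settings tables later on the page give 3 and 4.
$phishThreshold   = if ($strict) { 3 } else { 2 }
$junkOrQuarantine = if ($strict) { 'Quarantine' } else { 'MoveToJmf' }   # mailbox intelligence and spoof verdicts
$bulkThreshold    = if ($strict) { 5 } else { 6 }
$quarantineTag    = 'DefaultFullAccessPolicy'   # built-in quarantine policy named on this page; example choice

# --- Anti-phishing: the default policy "Office365 AntiPhish Default" ---------------------
$antiPhish = @{
    Identity                            = 'Office365 AntiPhish Default'
    PhishThresholdLevel                 = $phishThreshold
    # Impersonation protection (Defender for Office 365 only)
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    EnableOrganizationDomainsProtection = $true          # "Include domains I own"
    EnableTargetedDomainsProtection     = $true          # "Include custom domains"
    TargetedDomainsToProtect            = $protectedDomains
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    EnableSpoofIntelligence             = $true
    # Actions and the quarantine policy applied to each quarantined verdict
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedUserQuarantineTag           = $quarantineTag
    TargetedDomainProtectionAction      = 'Quarantine'
    TargetedDomainQuarantineTag         = $quarantineTag
    MailboxIntelligenceProtectionAction = $junkOrQuarantine
    MailboxIntelligenceQuarantineTag    = $quarantineTag
    AuthenticationFailAction            = $junkOrQuarantine   # "If message is detected as spoof"
    SpoofQuarantineTag                  = $quarantineTag
    # Safety tips and indicators
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableUnauthenticatedSender         = $true
    EnableViaTag                        = $true
}
Set-AntiPhishPolicy @antiPhish

# --- Anti-spam: the default inbound policy "Default" -------------------------------------
$antiSpam = @{
    Identity                  = 'Default'
    BulkThreshold             = $bulkThreshold
    QuarantineRetentionPeriod = 30          # "Retain spam in quarantine for this many days"
    InlineSafetyTipsEnabled   = $true       # "Enable spam safety tips"
    PhishZapEnabled           = $true       # ZAP for phishing messages
    SpamZapEnabled            = $true       # ZAP for spam messages
}
Set-HostedContentFilterPolicy @antiSpam

# Read the values back so the change can be verified against the procedure.
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Format-List PhishThresholdLevel, EnableTargetedUserProtection, TargetedUsersToProtect,
                TargetedUserProtectionAction, MailboxIntelligenceProtectionAction,
                AuthenticationFailAction, EnableFirstContactSafetyTips, EnableViaTag
Get-HostedContentFilterPolicy -Identity 'Default' |
    Format-List BulkThreshold, QuarantineRetentionPeriod, InlineSafetyTipsEnabled,
                PhishZapEnabled, SpamZapEnabled
```

Run it with -Level Standard to get the Junk Email folder actions and the lower thresholds; the read-back at the end is what you compare against the procedure before closing the change.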
1. Open the Safe Attachments page in the Microsoft 365 Defender portal at
https://security.microsoft.com/safeattachmentv2.
2. On the Safe Attachments page, click Global settings, and then configure the
following settings on the flyout that appears:
   - Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams: Turn on this setting.
Important
4. In the Create Safe Attachments policy wizard that opens, configure the following
settings:
$true blocks all actions (except Delete) for detected files. People can't open,
For detailed instructions for configuring Safe Attachments policies and global settings
for Safe Attachments, see the following topics:
1. Open the Safe Links page in the Microsoft 365 Defender portal at
https://security.microsoft.com/safelinksv2 , and then click .
2. In the Create Safe Links policy wizard that opens, configure the following settings:
For detailed instructions for configuring Safe Links policies and global settings for Safe
Links, see Set up Safe Links policies in Microsoft Defender for Office 365.
3. The New alert policy wizard opens. On the Name page, configure the following
settings:
   - Name: Enter a unique and descriptive name. For example, you could type Malicious Files in Libraries.
   - Description: Enter an optional description.
   - Severity: Select Low, Medium or High.
   - Category: Select Threat management.
   - What do you want to alert on? section: Activity is > Detected malware in file.
   - How do you want the alert to be triggered section: Verify Every time an activity matches the rule is selected.
6. On the Review your settings page, review your settings, verify Yes, turn it on right
away is selected, and then click Finish.
To learn more about alert policies, see Alert policies in the Microsoft Purview compliance
portal.
Note
When you're finished configuring, use these links to start workload investigations:
- See how threat protection features are working for your organization by viewing reports: Email security reports; Reports for Microsoft Defender for Office 365; Threat Explorer
- Watch for new features and service updates: Standard and Targeted release options; Message Center; Service Descriptions
Exchange Online Protection overview
Article • 12/22/2022 • 6 minutes to read
Applies to
Exchange Online Protection (EOP) is the cloud-based filtering service that protects your
organization against spam, malware, and other email threats. EOP is included in all
Microsoft 365 organizations with Exchange Online mailboxes.
Note
For the steps to set up EOP security features and a comparison with the added security
that you get in Microsoft Defender for Office 365, see Protect against threats. The
recommended settings for EOP features are available in Recommended settings for EOP
and Microsoft Defender for Office 365 security.
The rest of this article explains how EOP works and the features that are available in
EOP.
2. Then the message is inspected for malware. If malware is found in the message or
the attachment(s), the message is delivered to quarantine. By default, only admins
can view and interact with malware-quarantined messages, but admins can create
and use quarantine policies to specify what users are allowed to do to quarantined
messages. To learn more about malware protection, see Anti-malware protection in
EOP.
3. The message continues through policy filtering, where it's evaluated against any
mail flow rules (also known as transport rules) that you've created. For example, a
rule can send a notification to a manager when a message arrives from a specific
sender.
4. The message passes through content filtering (anti-spam and anti-spoofing) where
harmful messages are identified as spam, high confidence spam, phishing, high
confidence phishing, or bulk (anti-spam policies) or spoofing (spoof settings in
anti-phishing policies). You can configure the action to take on the message based
on the filtering verdict (quarantine, move to the Junk Email folder, etc.), and what
users can do to the quarantined messages using quarantine policies. For more
information, see Configure anti-spam policies and Configure anti-phishing policies
in EOP.
A message that successfully passes all of these protection layers is delivered to the
recipients.
EOP datacenters
EOP runs on a worldwide network of datacenters that are designed to provide the best
availability. For example, if a datacenter becomes unavailable, email messages are
automatically routed to another datacenter without any interruption in service. Servers
in each datacenter accept messages on your behalf, providing a layer of separation
between your organization and the internet, thereby reducing load on your servers.
Through this highly available network, Microsoft can ensure that email reaches your
organization in a timely manner.
EOP performs load balancing between datacenters but only within a region. If you're
provisioned in one region, all your messages will be processed using the mail routing for
that region.
EOP features
This section provides a high-level overview of the main features that are available in
EOP.
For information about requirements, important limits, and feature availability across all
EOP subscription plans, see the Exchange Online Protection service description.
Notes:
EOP uses several URL block lists that help detect known malicious links within
messages.
EOP uses a vast list of domains that are known to send spam.
EOP uses multiple anti-malware engines to help automatically protect our
customers at all times.
EOP inspects the active payload in the message body and all message attachments
for malware.
For recommended values for protection policies, see Recommended settings for
EOP and Microsoft Defender for Office 365 security.
For quick instructions to configure protection policies, see Protect against threats.
Feature: Comments

Protection
- Preset security policies: Preset security policies in EOP and Microsoft Defender for Office 365; Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365
- Directory Based Edge Blocking (DBEB): Use Directory Based Edge Blocking to reject messages sent to invalid recipients

Quarantine and submissions
- Admin submission: Use Admin submission to submit suspected spam, phish, URLs, and files to Microsoft
- You can analyze the message headers of quarantined messages using the Message Header Analyzer.
- Quarantine policies

Mail flow
- Mail flow rules: Mail flow rules (transport rules) in Exchange Online

Monitoring
- Mail flow reports: Mail flow reports in the Exchange admin center
- Mail flow insights: Mail flow insights in the Exchange admin center

Service Level Agreements (SLAs) and support

Other features
- A geo-redundant global network of servers: EOP runs on a worldwide network of datacenters that are designed to help provide the best availability. For more information, see the EOP datacenters section earlier in this article.
- Message queuing when the on-premises server cannot accept mail: Messages in deferral remain in our queues for one day. Message retry attempts are based on the error we get back from the recipient's mail system. On average, messages are retried every 5 minutes. For more information, see EOP queued, deferred, and bounced messages FAQ.
- Office 365 Message Encryption available as an add-on: For more information, see Encryption in Office 365.
Recommended settings for EOP and Microsoft Defender
for Office 365 security
Article • 01/09/2023 • 24 minutes to read
Applies to
Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails
from reaching your employees' inboxes. But with new, more sophisticated attacks emerging every day, improved protections
are often required. Microsoft Defender for Office 365 Plan 1 or Plan 2 contains additional features that give admins more
layers of security, control, and investigation.
Although we empower security administrators to customize their security settings, there are two security levels in EOP and
Microsoft Defender for Office 365 that we recommend: Standard and Strict. Although customer environments and needs are
different, these levels of filtering will help prevent unwanted mail from reaching your employees' Inbox in most situations.
To automatically apply the Standard or Strict settings to users, see Preset security policies in EOP and Microsoft Defender for
Office 365.
This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users.
The tables contain the settings in the Microsoft 365 Defender portal and PowerShell (Exchange Online PowerShell or
standalone Exchange Online Protection PowerShell for organizations without Exchange Online mailboxes).
Note
The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can
help you (admins) find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an
assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at
https://www.powershellgallery.com/packages/ORCA/ .
In Microsoft 365 organizations, we recommend that you leave the Junk Email Filter in Outlook set to No automatic
filtering to prevent unnecessary conflicts (both positive and negative) with the spam filtering verdicts from EOP. For
more information, see the following articles:
Security feature name (PowerShell parameter): Default / Standard / Strict. Comment.
- Bulk email threshold (BulkThreshold)
- Increase spam score settings (IncreaseScoreWithImageLinks, IncreaseScoreWithNumericIps, IncreaseScoreWithRedirectToOtherPort, IncreaseScoreWithBizOrInfoUrls): Off / Off / Off. All of these settings are part of the Advanced Spam Filter (ASF). For more information, see the ASF settings in anti-spam policies section in this article.
- Mark as spam settings (MarkAsSpamEmptyMessages, MarkAsSpamEmbedTagsInHtml, MarkAsSpamJavaScriptInHtml, MarkAsSpamFormTagsInHtml, MarkAsSpamFramesInHtml, MarkAsSpamWebBugsInHtml, MarkAsSpamObjectTagsInHtml, MarkAsSpamSensitiveWordList, MarkAsSpamSpfRecordHardFail, MarkAsSpamFromAddressAuthFail, MarkAsSpamNdrBackscatter): Off / Off / Off. Most of these settings are part of ASF. For more information, see the ASF settings in anti-spam policies section in this article.
- EnableLanguageBlockList
- Test mode (TestModeAction): None / None / None. This setting is part of ASF. For more information, see the ASF settings in anti-spam policies section in this article.
- Quarantine policy: When you create a new anti-spam policy, a blank value means the default quarantine policy is used to define the historical capabilities for messages that were quarantined by that particular verdict (AdminOnlyAccessPolicy with no quarantine notifications for High confidence phishing; DefaultFullAccessPolicy with no quarantine notifications for everything else). Admins can create and select custom quarantine policies that define more restrictive or less restrictive capabilities for users in the default or custom anti-spam policies. For more information, see Quarantine policies.
- High confidence spam detection action (HighConfidenceSpamAction): Move message to Junk Email folder (MoveToJmf) / Quarantine message (Quarantine) / Quarantine message (Quarantine).
- Phishing detection action (PhishSpamAction): Move message to Junk Email folder* (MoveToJmf) / Quarantine message (Quarantine) / Quarantine message (Quarantine). * The default value is Move message to Junk Email folder in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is Quarantine message in new anti-spam policies that you create in the Microsoft 365 Defender portal.
- Enable for phishing messages (PhishZapEnabled)
- Allowed senders (AllowedSenders): None / None / None. Use the spoof intelligence insight and the Tenant Allow/Block List to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.
- Blocked senders (BlockedSenders): None / None / None.
- Blocked sender domains (BlockedSenderDomains)

ASF settings in anti-spam policies

Security feature name (PowerShell parameter): Default / Recommended Standard / Recommended Strict. Comment.
- IncreaseScoreWithImageLinks, IncreaseScoreWithNumericIps, IncreaseScoreWithRedirectToOtherPort, IncreaseScoreWithBizOrInfoUrls (the Increase spam score settings): Off / Off / Off.
- Empty messages (MarkAsSpamEmptyMessages): Off / Off / Off.
- MarkAsSpamEmbedTagsInHtml, MarkAsSpamJavaScriptInHtml, MarkAsSpamFormTagsInHtml, MarkAsSpamFramesInHtml, MarkAsSpamWebBugsInHtml, MarkAsSpamObjectTagsInHtml, MarkAsSpamSpfRecordHardFail, MarkAsSpamFromAddressAuthFail (Mark as spam settings): Off / Off / Off.
- Sensitive words (MarkAsSpamSensitiveWordList): Off / Off / Off.
- Backscatter (MarkAsSpamNdrBackscatter): Off / Off / Off.
- Test mode (TestModeAction): None / None / None. For ASF settings that support Test as an action, you can configure the test mode action to None, Add default X-Header text, or Send Bcc message (None, AddXHeader, or BccMessage). For more information, see Enable, disable, or test ASF settings.
To create and configure outbound spam policies, see Configure outbound spam filtering in EOP.
For more information about the default sending limits in the service, see Sending limits.
Note
Outbound spam policies are not part of Standard or Strict preset security policies. The Standard and Strict values
indicate our recommended values in the default outbound spam policy or custom outbound spam policies that you
create.
Security feature name (PowerShell parameter): Default / Recommended Standard / Recommended Strict. Comment.
- Restriction placed on users who reach the message limit (ActionWhenThresholdReached): Restrict the user from sending mail until the following day (BlockUserForToday) / Restrict the user from sending mail (BlockUser) / Restrict the user from sending mail (BlockUser).
- Automatic forwarding rules: Automatic / Automatic / Automatic.
- Send a copy of outbound messages that exceed these limits to these users and groups (BccSuspiciousOutboundMail): $false / $false / $false. This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.
- BccSuspiciousOutboundAdditionalRecipients: Blank / Blank / Blank.
Protection settings
- Common attachment filter notifications (When these file types are found): Quarantine the message / Quarantine the message / Quarantine the message.

Admin notifications
- Notify an admin about undelivered messages from internal senders (InternalSenderAdminAddress)
- Notify an admin about undelivered messages from external senders (ExternalSenderAdminAddress)
- From name: Blank / Blank / Blank.
- From address: Blank / Blank / Blank.
- Subject (notifications for messages from internal senders): Blank / Blank / Blank.
- Message (notifications for messages from internal senders): Blank / Blank / Blank.
- Subject (notifications for messages from external senders): Blank / Blank / Blank.
- Message (notifications for messages from external senders): Blank / Blank / Blank.
The spoof settings are inter-related, but the Show first contact safety tip setting has no dependency on spoof settings.

Actions

Security feature name (PowerShell parameter): Default / Standard / Strict. Comment.
- If message is detected as spoof (AuthenticationFailAction): Move message to the recipients' Junk Email folders (MoveToJmf) / Move message to the recipients' Junk Email folders (MoveToJmf) / Quarantine the message (Quarantine). This setting applies to spoofed senders that were automatically blocked as shown in the spoof intelligence insight or manually blocked in the Tenant Allow/Block List.
- Show first contact safety tip (EnableFirstContactSafetyTips)
- Show (?) for unauthenticated senders for spoof (EnableUnauthenticatedSender)
Important
The default anti-phishing policy in Microsoft Defender for Office 365 provides spoof protection and mailbox
intelligence for all recipients. However, the other available impersonation protection features and advanced
settings are not configured or enabled in the default policy. To enable all protection features, modify the default
anti-phishing policy or create additional anti-phishing policies.
Although there's no default Safe Attachments policy or Safe Links policy, the Built-in protection preset security
policy provides Safe Attachments protection and Safe Links protection to all recipients (users who aren't defined in
the Standard or Strict preset security policies or in custom Safe Attachments policies or Safe Links policies). For
more information, see Preset security policies in EOP and Microsoft Defender for Office 365.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protection and Safe Documents protection
have no dependencies on Safe Links policies.
If your subscription includes Microsoft Defender for Office 365 or if you've purchased Defender for Office 365 as an add-on,
set the following Standard or Strict configurations.
- Phishing email threshold (PhishThresholdLevel): 1 / 3 / 4.
For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for
Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.
- Add trusted senders and domains (ExcludedDomains)
- If message is detected as an impersonated user (TargetedUserProtectionAction): Don't apply any action (NoAction) / Quarantine the message (Quarantine) / Quarantine the message (Quarantine).
- If message is detected as an impersonated domain (TargetedDomainProtectionAction): Don't apply any action (NoAction) / Quarantine the message (Quarantine) / Quarantine the message (Quarantine).
- If mailbox intelligence detects an impersonated user (MailboxIntelligenceProtectionAction): Don't apply any action (NoAction) / Move message to the recipients' Junk Email folders (MoveToJmf) / Quarantine the message (Quarantine).
These are the same settings that are available in anti-spam policy settings in EOP.
Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments
protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe
Attachments policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.
Note
The global settings for Safe Attachments are set by the Built-in protection preset security policy, but not by the
Standard or Strict preset security policies. Either way, admins can modify these global Safe Attachments settings at any
time.
The Default column shows the values before the existence of the Built-in protection preset security policy. The Built-in
protection column shows the values that are set by the Built-in protection preset security policy, which are also our
recommended values.
To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe
Documents in Microsoft 365 E5.
EnableATPForSPOTeamsODB
AllowSafeDocsOpen
In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.
Note
As described earlier, there is no default Safe Attachments policy, but Safe Attachments protection is assigned to all
recipients by the Built-in protection preset security policy (users who aren't defined in any Safe Attachments policies).
The Default in custom column refers to the default values in new Safe Attachments policies that you create. The
remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security
policies.
Security feature name (PowerShell parameter): Default in custom / Built-in protection / Standard / Strict. Comment.
- Safe Attachments unknown malware response (Enable and Action): Off (-Enable $false and -Action Block) / Block (-Enable $true and -Action Block) / Block (-Enable $true and -Action Block) / Block (-Enable $true and -Action Block). When the Enable parameter is $false, the value of the Action parameter doesn't matter.
- Redirect attachment with detected malware, Enable redirect (Redirect and RedirectAddress): Not selected and no email address specified (RedirectAddress is blank, $null) / Not selected and no email address specified (RedirectAddress is blank, $null) / Selected and specify an email address / Selected and specify an email address. Redirect messages to a security admin for review. Note: This setting is not configured in the Standard, Strict, or Built-in protection preset security policies. The Standard and Strict values indicate our recommended values in new Safe Attachments policies that you create.
- ActionOnError
Although there's no default Safe Links policy, the Built-in protection preset security policy provides Safe Links protection to
all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Links policies). For
more information, see Preset security policies in EOP and Microsoft Defender for Office 365.
Note
The global settings for Safe Links are set by the Built-in protection preset security policy, but not by the Standard or
Strict preset security policies. Either way, admins can modify these global Safe Links settings at any time.
The Default column shows the values before the existence of the Built-in protection preset security policy. The Built-in
protection column shows the values that are set by the Built-in protection preset security policy, which are also our
recommended values.
To configure these settings, see Configure global settings for Safe Links in Defender for Office 365.
Security feature name (PowerShell parameter): Default / Built-in protection. Comment.
- Block the following URLs (ExcludedUrls): $null / $null. For more information, see "Block the following URLs" list for Safe Links. Note: You can now manage block URL entries in the Tenant Allow/Block List. The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.
In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for these settings.
Note
As described earlier, there's no default Safe Links policy, but Safe Links protection is assigned to all recipients by the
Built-in protection preset security policy (users who otherwise aren't included in any Safe Links policies).
The Default in custom column refers to the default values in new Safe Links policies that you create. The remaining
columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.
Security feature name (PowerShell parameter): Default in custom / Built-in protection / Standard / Strict. Comment.
- Action on potentially malicious URLs within Emails (EnableSafeLinksForEmail)
- Apply Safe Links to email messages sent within the organization (EnableForInternalSenders)
- ScanUrls
- DeliverMessageAfterScan
- EnableSafeLinksForTeams
- EnableSafeLinksForOffice
- Display the organization branding on notification and warning pages (EnableOrganizationBranding): Not selected ($false) / Not selected ($false) / Not selected ($false) / Not selected ($false). We have no specific recommendation for this setting. Before you turn on this setting, you need to follow the instructions in Customize the Microsoft 365 theme for your organization to upload your company logo.

Notification
- How would you like to notify your users?: Use the default notification text / Use the default notification text / Use the default notification text / Use the default notification text. We have no specific recommendation for this setting.
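The Safe Attachments and Safe Links tables above, turned into a pair of new policies plus the global Safe Attachments settings with Exchange Online PowerShell, as an added example that is not code from the Microsoft article. It assumes an open Exchange Online session, a Defender for Office 365 license, and constructed placeholder names for the domain, the review mailbox and the policies; TrackClicks and AllowClickThrough are existing cmdlet parameters that the tables above do not list.

```powershell
# Added example, not from the Microsoft article: create a Safe Attachments policy and a
# Safe Links policy carrying the Strict values from the tables, turn on the global Safe
# Attachments settings, and scope both policies to one accepted domain with a rule.
# Assumptions: Connect-ExchangeOnline has already been run; the tenant has Defender for
# Office 365; the domain, mailbox and policy names below are constructed placeholders.
$domain     = 'contoso.example'                 # constructed placeholder
$redirectTo = 'secops-review@contoso.example'   # constructed placeholder mailbox for review

# Global Safe Attachments settings (Built-in protection sets these; set explicitly here).
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true -AllowSafeDocsOpen $false

# --- Safe Attachments: Block unknown malware, redirect detected attachments for review ----
$saName = 'Strict Safe Attachments (example)'
if (-not (Get-SafeAttachmentPolicy -Identity $saName -ErrorAction SilentlyContinue)) {
    $saParams = @{
        Name            = $saName
        Enable          = $true        # with -Enable $false the Action value doesn't matter
        Action          = 'Block'
        Redirect        = $true        # recommended for new policies; not set by the presets
        RedirectAddress = $redirectTo
    }
    New-SafeAttachmentPolicy @saParams | Out-Null
    # The rule is what applies the policy to recipients: here everyone in one accepted domain.
    New-SafeAttachmentRule -Name $saName -SafeAttachmentPolicy $saName -RecipientDomainIs $domain | Out-Null
}

# --- Safe Links: rewrite and scan URLs in email, Teams and Office apps --------------------
$slName = 'Strict Safe Links (example)'
if (-not (Get-SafeLinksPolicy -Identity $slName -ErrorAction SilentlyContinue)) {
    $slParams = @{
        Name                       = $slName
        EnableSafeLinksForEmail    = $true
        EnableForInternalSenders   = $true   # also scan mail sent within the organization
        ScanUrls                   = $true   # real-time scan of suspicious links and file links
        DeliverMessageAfterScan    = $true   # hold delivery until the URL scan completes
        EnableSafeLinksForTeams    = $true
        EnableSafeLinksForOffice   = $true
        EnableOrganizationBranding = $false  # no recommendation on this page; needs an uploaded logo
        TrackClicks                = $true   # not in the table above; keeps click data for reporting
        AllowClickThrough          = $false  # not in the table above; no click-through to the original URL
    }
    New-SafeLinksPolicy @slParams | Out-Null
    New-SafeLinksRule -Name $slName -SafeLinksPolicy $slName -RecipientDomainIs $domain | Out-Null
}

# Read back the effective values for review against the tables.
Get-SafeAttachmentPolicy -Identity $saName | Format-List Enable, Action, Redirect, RedirectAddress
Get-SafeLinksPolicy -Identity $slName |
    Format-List EnableSafeLinksForEmail, EnableForInternalSenders, ScanUrls,
                DeliverMessageAfterScan, EnableSafeLinksForTeams, EnableSafeLinksForOffice
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB, EnableSafeDocs, AllowSafeDocsOpen
```

Recipients covered by these rules drop out of Built-in protection for Safe Attachments and Safe Links, so the read-back at the end is worth checking before widening the rule scope.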
Related articles
Are you looking for best practices for Exchange mail flow rules (also known as transport rules)? See Best practices for
configuring mail flow rules in Exchange Online.
Admins and users can submit false positives (good email marked as bad) and false negatives (bad email allowed) to
Microsoft for analysis. For more information, see Report messages and files to Microsoft.
Use these links for info on how to set up your EOP service, and configure Microsoft Defender for Office 365. Don't
forget the helpful directions in 'Protect Against Threats in Office 365'.
Security baselines for Windows can be found here: Where can I get the security baselines? for GPO/on-premises
options, and Use security baselines to configure Windows devices in Intune for Intune-based security. Finally, a
comparison between Microsoft Defender for Endpoint and Microsoft Intune security baselines is available in Compare
the Microsoft Defender for Endpoint and the Windows Intune security baselines.
Microsoft Defender for Office 365 permissions in the Microsoft 365 Defender portal
Article • 12/15/2022 • 6 minutes to read
Applies to
Global roles in Azure Active Directory (Azure AD) allow you to manage permissions and
access to capabilities in all of Microsoft 365, which also includes Microsoft Defender for
Office 365. But, if you need to limit permissions and capabilities to security features in
Defender for Office 365 only, you can assign Email & collaboration permissions in the
Microsoft 365 Defender portal.
To manage Defender for Office 365 permissions in the Microsoft 365 Defender portal,
go to Permissions & roles > expand Email & collaboration roles > select Roles or go
directly to https://security.microsoft.com/securitypermissions . You need to be a
Global administrator or a member of the Organization Management role group in
Defender for Office 365 permissions. Specifically, the Role Management role in
Defender for Office 365 allows users to view, create, and modify Defender for Office 365
role groups. By default, that role is assigned only to the Organization Management role
group (and by extension, global administrators).
7 Note
Some Defender for Office 365 features require additional permissions in Exchange
Online. For more information, see Permissions in Exchange Online.
In the Microsoft 365 Defender preview program, a different Microsoft Defender 365
RBAC model is also available. The permissions in this RBAC model are different
from the Defender for Office 365 permissions as described in this article. For more
information, see Microsoft 365 Defender role-based access control (RBAC).
For information about permissions in the Microsoft Purview compliance portal, see
Permissions in the Microsoft Purview compliance portal.
A role group is a set of roles that lets people do their jobs in the Microsoft 365
Defender portal.
Defender for Office 365 permissions in the Microsoft 365 Defender portal includes
default role groups for the most common tasks and functions that you'll need to assign.
Generally, we recommend simply adding individual users as members to the default role
groups.
Roles and role groups in the Microsoft 365
Defender portal
The following types of roles and role groups are available on the Permissions & roles
page at https://security.microsoft.com/securitypermissions in the Microsoft 365
Defender portal:
Azure AD roles: You can view the roles and assigned users, but you can't manage
them directly in the Microsoft 365 Defender portal. Azure AD roles are central roles
that assign permissions for all Microsoft 365 services.
Email & collaboration roles: You can view and manage these role groups directly
in the Microsoft 365 Defender portal. These permissions are specific to the
Microsoft 365 Defender portal and the Microsoft Purview compliance portal, and
don't cover all of the permissions that are needed in other Microsoft 365
workloads.
When you select a role, a details flyout that contains the description of the role and the
user assignments appears. But to manage those assignments, you need to click Manage
members in Azure AD in the details flyout.
For more information, see View and assign administrator roles in Azure Active Directory
and Manage access to Microsoft 365 Defender with Azure Active Directory global roles.
Role: Description
Global administrator: Access to all administrative features in all Microsoft 365 services. Only global administrators can assign other administrator roles. For more information, see Global Administrator / Company Administrator.
Compliance data administrator: Keep track of your organization's data across Microsoft 365, make sure it's protected, and get insights into any issues to help mitigate risks. For more information, see Compliance Data Administrator.
Compliance administrator: Help your organization stay compliant with any regulatory requirements, manage eDiscovery cases, and maintain data governance policies across Microsoft 365 locations, identities, and apps. For more information, see Compliance Administrator.
Security operator: View, investigate, and respond to active threats to your Microsoft 365 users, devices, and content. For more information, see Security Operator.
Security reader: View and investigate active threats to your Microsoft 365 users, devices, and content, but (unlike the Security operator) they do not have permissions to respond by taking action. For more information, see Security Reader.
Global reader: The read-only version of the Global administrator role. View all settings and administrative information across Microsoft 365. For more information, see Global Reader.
Attack simulation administrator: Create and manage all aspects of attack simulation creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see Attack Simulation Administrator.
Attack payload author: Create attack payloads but not actually launch or schedule them. For more information, see Attack Payload Author.
For complete information about these role groups, see Roles and role groups in the
Microsoft 365 Defender and Microsoft Purview compliance portals.
2. On the Permissions page, select the role group that you want to modify from the
list. You can click on the Name column header to sort the list by name, or you can
click Search to find the role group.
3. In the role group details flyout that appears, click Edit in the Members section.
4. In the Editing choose members page that appears, do one of the following steps:
If there are no role group members, click Choose members.
If there are existing role group members, click Edit
5. In the Choose members flyout that appears, do one of the following steps:
Click Add. In the list of users that appears, select one or more users. Or, you
can click Search to find and select users.
When you've selected the users that you want to add, click Add.
Click Remove. Select one or more of the existing members. Or, you can click
Search to find and select members.
When you've selected the users that you want to remove, click Remove.
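The same audit and membership change from PowerShell, covering both the Role Management note above and the portal steps just listed. This is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement module, an account that already holds the Role Management role, and hypothetical user addresses (soc.analyst@contoso.com).

```powershell
# Added example (not from the Microsoft article). Email & collaboration role
# groups are managed in Security & Compliance PowerShell, hence Connect-IPPSSession.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# 1. Who holds "Role Management"? Anyone listed here can grant themselves (or
#    others) every other Email & collaboration role, so this list should be short
#    and reviewed regularly.
Get-ManagementRoleAssignment -Role "Role Management" |
    Select-Object RoleAssignee, RoleAssigneeType

# 2. Inventory the role groups you intend to hand out to security staff.
foreach ($group in "Security Reader", "Security Operator", "Organization Management") {
    "== $group =="
    Get-RoleGroupMember -Identity $group | Select-Object Name, PrimarySmtpAddress
}

# 3. Add an analyst who needs to investigate AND take response actions. Security
#    Operator is the smallest built-in role group that allows that; Security
#    Reader is view-only and would be the choice for a triage-only analyst.
$analyst = "soc.analyst@contoso.com"   # hypothetical
Add-RoleGroupMember -Identity "Security Operator" -Member $analyst

# 4. Confirm the change landed in the intended group only. The second query
#    should return nothing; if it does, the analyst was over-privileged.
Get-RoleGroupMember -Identity "Security Operator" |
    Where-Object { $_.PrimarySmtpAddress -eq $analyst }
Get-RoleGroupMember -Identity "Organization Management" |
    Where-Object { $_.PrimarySmtpAddress -eq $analyst }

# To undo: Remove-RoleGroupMember -Identity "Security Operator" -Member $analyst
```

Adding people directly to the built-in role groups, as the article recommends, keeps the effective permissions legible: the group name tells you what the member can do, and step 4 is the check that nobody was dropped into Organization Management "for convenience".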
Applies to
If you already have an existing third-party protection service or device that sits in front
of Microsoft 365, you can use this guide to migrate your protection to Microsoft
Defender for Office 365 to get the benefits of a consolidated management experience,
potentially reduced cost (using products that you already pay for), and a mature product
with integrated security protection. For more information, see Microsoft Defender for
Office 365 .
Watch this short video to learn more about migrating to Defender for Office 365.
https://www.microsoft.com/en-us/videoplayer/embed/RWRwfH?postJsllMsg=true
This guide provides specific and actionable steps for your migration, and assumes the
following facts:
You already have Microsoft 365 mailboxes, but you're currently using a third-party
service or device for email protection. Mail from the internet flows through the
protection service before delivery into your Microsoft 365 organization, and
Microsoft 365 protection is as low as possible (it's never completely off; for
example, malware protection is always enforced).
You need to retire your existing third-party protection service, which means you'll
ultimately need to point the MX records for your email domains to Microsoft 365.
When you're done, mail from the internet will flow directly into Microsoft 365 and
will be protected exclusively by Exchange Online Protection (EOP) and Defender
for Office 365.
Eliminating your existing protection service in favor of Defender for Office 365 is a big
step that you shouldn't take lightly, nor should you rush to make the change. The
guidance in this migration guide will help you transition your protection in an orderly
manner with minimal disruption to your users.
The very high-level migration steps are illustrated in the following diagram. The actual
steps are listed in the section named The migration process later in this article.
You or your predecessors have likely spent a lot of time and effort customizing
your existing protection service for optimal mail delivery (in other words, blocking
what needs to be blocked, and allowing what needs to be allowed). It's almost a
guaranteed certainty that not every customization in your current protection
service is required in Defender for Office 365. It's also very possible that Defender
for Office 365 will introduce new issues (allows or blocks) that didn't happen or
weren't required in your current protection service.
Your help desk and security personnel need to know what to do in Defender for
Office 365. For example, if a user complains about a missing message, does your
help desk know where or how to look for it? They're likely familiar with the tools in
your existing protection service, but what about the tools in Defender for Office
365?
In contrast, if you follow the steps in this migration guide, you'll get the following
tangible benefits for your migration:
The more you familiarize yourself with how Defender for Office 365 will affect your
organization, the better the transition will be for users, help desk personnel, security
personnel, and management.
This migration guide gives you a plan for gradually "turning the dial" so you can
monitor and test how Defender for Office 365 affects your users and their email so you
can react quickly to any issues that you encounter.
Phase Description
Next step
Proceed to Phase 1: Prepare.
Migrate to Microsoft Defender for Office 365 - Phase 1: Prepare
Article • 12/21/2022 • 7 minutes to read
Applies to
Welcome to Phase 1: Prepare of your migration to Microsoft Defender for Office 365!
This migration phase includes the following steps. You should inventory the settings at
your existing protection service first, before you make any changes. Otherwise, you can
do the remaining steps in any order:
But, it's very important that you do not automatically or arbitrarily recreate all of your
existing customizations in Defender for Office 365. At best, you might introduce
settings that are no longer required, relevant, or functional. At worst, some of your
previous customizations might actually create security issues in Defender for Office 365.
Your testing and observation of the native capabilities and behavior of Defender for
Office 365 will ultimately determine the overrides and settings that you need. You might
find it helpful to categorize the settings from your existing protection service into the
following categories:
Connection or content filtering: You'll likely find that you don't need most of
these customizations in Defender for Office 365.
Business routing: The majority of the customizations that you need to recreate will
likely fall into this category. For example, you can recreate these settings in
Microsoft 365 as Exchange mail flow rules (also known as transport rules),
connectors, and exceptions to spoof intelligence.
Instead of moving old settings blindly into Microsoft 365, we recommend a waterfall
approach that involves a pilot phase with ever-increasing user membership, and
observation-based tuning based on balancing security considerations with
organizational business needs.
In the past, you weren't using the third-party protection service with Microsoft 365.
You might have used and configured some protection features in Microsoft 365
that are currently being ignored. But those settings might take effect as you "turn
the dial" to enable the protection features in Microsoft 365.
You might have accommodations in Microsoft 365 protection for false positives
(good mail marked as bad) or false negatives (bad mail allowed) that made it
through your existing protection service.
Review your existing protection features in Microsoft 365 and consider removing or
simplifying settings that are no longer required. A rule or policy setting that was
required years ago could put the organization at risk and create unintentional gaps in
protection.
Outbound and relay mail flow is out of the scope for this article. However, be
aware that you might need to do one or more of the following steps:
Verify that all of the domains that you use to send email have the proper SPF
records. For more information, see Set up SPF to help prevent spoofing.
We strongly recommend that you set up DKIM signing in Microsoft 365. For
more information, see Use DKIM to validate outbound email.
If you're not routing mail directly from Microsoft 365, you need to change that
routing by removing or changing the outbound connector.
Using Microsoft 365 to relay email from your on-premises email servers can be a
complex project in itself. A simple example is a small number of apps or devices
that send most of their messages to internal recipients and aren't used for mass
mailings. See this guide for details. More extensive environments will need to be
more thoughtful. Marketing email and messages that could be seen as spam by
recipients are not allowed.
Defender for Office 365 does not have a feature for aggregating DMARC reports.
Visit the Microsoft Intelligent Security Association (MISA) catalog to view third-
party vendors that offer DMARC reporting for Microsoft 365.
If you don't turn off message modification features in your existing protection service,
you can expect the following negative results in Microsoft 365:
DKIM will break. Not all senders rely on DKIM, but those that do will fail
authentication.
Spoof intelligence and the tuning step later in this guide will not work properly.
You'll probably get a high number of false positives (good mail marked as bad).
To recreate external sender identification in Microsoft 365, you have the following
options:
The Outlook external sender call-out feature, together with first contact safety
tips.
Mail flow rules (also known as transport rules). For more information, see
Organization-wide message disclaimers, signatures, footers, or headers in
Exchange Online.
Microsoft is working with the industry to support the Authenticated Received Chain
(ARC) standard in the near future. If you wish to leave any message modification
features enabled at your current mail gateway provider, then we recommend contacting
them about their plans to support this standard.
With our Standard security settings, we generally deliver these less risky types of
messages to the Junk Email folder. This behavior is similar to many consumer email
offerings, where users can check their Junk Email folder for missing messages, and
they can rescue those messages themselves. Or, if the user intentionally signed up
for a newsletter or marketing mail, they can choose to unsubscribe or block the
sender for their own mailbox.
However, many enterprise users are used to little (if any) mail in their Junk Email
folder. Instead, these enterprise users are used to checking a quarantine for their
missing messages. Quarantine introduces issues of quarantine notifications,
notification frequency, and the permissions that are required to view and release
messages.
Ultimately, it's your decision if you want to prevent delivery of email to the Junk
Email folder in favor of delivery to quarantine. But, one thing is certain: if the
experience in Defender for Office 365 is different than what your users are used to,
you need to notify them and provide basic training. Incorporate learnings from the
pilot and make sure that users are prepared for any new behavior for email
delivery.
Wanted bulk mail vs. unwanted bulk mail: Many protection systems allow users to
allow or block bulk email for themselves. These settings do not easily migrate to
Microsoft 365, so you should consider working with VIPs and their staff to recreate
their existing configurations in Microsoft 365.
Today, Microsoft 365 considers some bulk mail (for example, newsletters) as safe
based on the message source. Mail from these "safe" sources is currently not
marked as bulk (the bulk complaint level or BCL is 0 or 1), so it's difficult to globally
block mail from these sources. For most users, the solution is to ask them to
individually unsubscribe from these bulk messages or use Outlook to block the
sender. But, some users will not like blocking or unsubscribing from bulk messages
themselves.
Mail flow rules that filter bulk email can be helpful when VIP users do not wish to
manage this themselves. For more information, see Use mail flow rules to filter
bulk email.
Next step
Congratulations! You have completed the Prepare phase of your migration to Microsoft
Defender for Office 365!
Applies to:
Welcome to Phase 2: Setup of your migration to Microsoft Defender for Office 365!
This migration phase includes the following steps:
Exceptions for the SCL=-1 mail flow rule: You want pilot users to get the full effect
of Defender for Office 365 protection, so you need their incoming messages to be
scanned by Defender for Office 365. You do this by defining your pilot users in the
appropriate distribution groups in Microsoft 365, and configuring these groups as
exceptions to the SCL=-1 mail flow rule.
Testing of specific Defender for Office 365 protection features: Even for the pilot
users, you don't want to turn on everything at once. Using a staged approach for
the protection features that are in effect for your pilot users will make
troubleshooting and adjusting much easier. With this approach in mind, we
recommend the following distribution groups:
A Safe Attachments pilot group: For example, MDOPilot_SafeAttachments
A Safe Links pilot group: For example, MDOPilot_SafeLinks
A pilot group for Standard anti-spam and anti-phishing policy settings: For
example, MDOPilot_SpamPhish_Standard
A pilot group for Strict anti-spam and anti-phishing policy settings: For
example, MDOPilot_SpamPhish_Strict
For clarity, we'll use these specific group names throughout this article, but you're free
to use your own naming convention.
When you're ready to begin testing, add these groups as exceptions to the SCL=-1 mail
flow rule. As you create policies for the various protection features in Defender for
Office 365, you'll use these groups as conditions that define who the policy applies to.
Notes:
The terms Standard and Strict come from our recommended security settings,
which are also used in preset security policies. Ideally, we would tell you to define
your pilot users in the Standard and Strict preset security policies, but we can't do
that. Why? Because you can't customize the settings in preset security policies (in
particular, actions that are taken on messages). During your migration testing,
you'll want to see what Defender for Office 365 would do to messages, verify that's
what you want to happen, and possibly adjust the policy configurations to allow or
prevent those results.
So, instead of using preset security policies, you're going to manually create
custom policies with settings that are very similar to, but in some cases are
different than, the settings of Standard and Strict preset security policies.
If you want to experiment with settings that significantly differ from our Standard
or Strict recommended values, you should consider creating and using additional
and specific distribution groups for the pilot users in those scenarios. You can use
the Configuration Analyzer to see how secure your settings are. For instructions,
see Configuration analyzer for protection policies in EOP and Microsoft Defender
for Office 365.
For most organizations, the best approach is to start with policies that closely align
with our recommended Standard settings. After as much observation and feedback
as you're able to do in your available time frame, you can move to more aggressive
settings later. Impersonation protection and delivery to the Junk Email folder vs.
delivery to quarantine might require customization.
If you use customized policies, just make sure that they're applied before the
policies that contain our recommended settings for the migration. If a user is
identified in multiple policies of the same type (for example, anti-phishing), only
one policy of that type is applied to the user (based on the priority value of the
policy). For more information, see Order and precedence of email protection.
You can specify an Exchange Online mailbox to receive messages that users report as
malicious or not malicious. For instructions, see User reported message settings. This
mailbox can receive copies of messages that your users submitted to Microsoft, or the
mailbox can intercept messages without reporting them to Microsoft (your security
team can manually analyze and submit the messages themselves). However, the
interception approach does not allow the service to automatically tune and learn.
You should also confirm that all users in the pilot have a supported way to report
messages that received an incorrect verdict from Defender for Office 365. These options
include:
Don't underestimate the importance of this step. Data from user reported messages will
give you the feedback loop that you need to verify a good, consistent end-user
experience before and after the migration. This feedback helps you to make informed
policy configuration decisions, as well as provide data-backed reports to management
that the migration went smoothly.
Instead of relying on data that's backed by the experience of the entire organization,
more than one migration has resulted in emotional speculation based on a single
negative user experience. Furthermore, if you've been running phishing simulations, you
can use feedback from your users to inform you when they see something risky that
might require investigation.
If you're using some other mechanism to override the Microsoft filtering stack (for
example, an IP allow list) we recommend that you switch to using an SCL=-1 mail flow
rule as long as all inbound internet mail into Microsoft 365 comes from the third-party
protection service (no mail flows directly from the internet into Microsoft 365).
The SCL=-1 mail flow rule is important during the migration for the following reasons:
You can use Threat Explorer to see which features in the Microsoft stack would
have acted on messages without affecting the results from your existing protection
service.
You can gradually adjust who is protected by the Microsoft 365 filtering stack by
configuring exceptions to the SCL=-1 mail flow rule. The exceptions will be the
members of the pilot distribution groups that we recommend later in this article.
Before or during the cutover of your MX record to Microsoft 365, you'll disable this
rule to turn on the full protection of the Microsoft 365 protection stack for all
recipients in your organization.
For more information, see Use mail flow rules to set the spam confidence level (SCL) in
messages in Exchange Online.
Notes:
If you plan to allow internet mail to flow through your existing protection service
and directly into Microsoft 365 at the same time, you need to restrict the SCL=-1 mail
flow rule (mail that bypasses spam filtering) to mail that's gone through your
existing protection service only. You do not want unfiltered internet mail landing in
user mailboxes in Microsoft 365.
To correctly identify mail that's already been scanned by your existing protection
service, you can add a condition to the SCL=-1 mail flow rule. For example:
For cloud-based protection services: You can use a header and header value
that's unique to your organization. Messages that have the header are not
scanned by Microsoft 365. Messages without the header are scanned by
Microsoft 365.
For on-premises protection services or devices: You can use source IP
addresses. Messages from the source IP addresses are not scanned by Microsoft
365. Messages that aren't from the source IP addresses are scanned by
Microsoft 365.
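The SCL=-1 rule with both the scan-marker condition described above and the pilot-group exceptions from the Setup step, as an added PowerShell example (not code from the Microsoft article). It assumes Connect-ExchangeOnline has already run; the header name and value, the IP ranges and the group addresses are hypothetical and must be replaced with what your gateway actually stamps and the groups you created.

```powershell
# Added example (not from the Microsoft article).
Connect-ExchangeOnline

# Pilot distribution groups created in Phase 2 (hypothetical addresses).
$pilotGroups = @(
    "MDOPilot_SafeAttachments@contoso.com",
    "MDOPilot_SafeLinks@contoso.com",
    "MDOPilot_SpamPhish_Standard@contoso.com",
    "MDOPilot_SpamPhish_Strict@contoso.com"
)

# Variant A: cloud-based gateway that stamps a header you control.
# Only mail carrying the header skips Microsoft filtering; mail that reaches
# Microsoft 365 without it (for example, sent straight to the MX) is still
# filtered. Pilot recipients are excepted, so they always get full filtering.
New-TransportRule -Name "Bypass filtering for mail scanned by third-party gateway" `
    -HeaderContainsMessageHeader "X-ThirdPartyGateway-Scanned" `
    -HeaderContainsWords "contoso-marker-7f3a9c" `
    -ExceptIfSentToMemberOf $pilotGroups `
    -SetSCL -1 `
    -Comments "Migration bypass. Disable at MX cutover."

# Variant B: on-premises appliance with fixed public IPs. Use A or B, not both.
# New-TransportRule -Name "Bypass filtering for mail from on-prem gateway" `
#     -SenderIpRanges "203.0.113.10","203.0.113.11" `
#     -ExceptIfSentToMemberOf $pilotGroups `
#     -SetSCL -1

# Sanity check: every SCL=-1 rule must have a condition AND the exception list.
# A rule that sets SCL -1 with no condition bypasses filtering for everything.
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } |
    Format-List Name, State, Priority, HeaderContainsMessageHeader, HeaderContainsWords,
                SenderIpRanges, ExceptIfSentToMemberOf

# As you widen the pilot, add groups to the exception list rather than
# creating more rules. At MX cutover, disable (don't delete) the rule so it
# can be re-enabled if you need to roll back:
# Disable-TransportRule -Identity "Bypass filtering for mail scanned by third-party gateway"
```

Treat the header value in variant A as a shared secret: any message that arrives with it skips filtering, so the gateway should strip that header from inbound internet mail before adding its own copy, and the value should not be something guessable.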
Enhanced Filtering for Connectors is required by Defender for Office 365 to see where
internet messages actually came from. Enhanced Filtering for Connectors greatly
improves the accuracy of the Microsoft filtering stack (especially spoof intelligence, as
well as post-breach capabilities in Threat Explorer and Automated Investigation &
Response (AIR)).
To correctly enable Enhanced Filtering for Connectors, you need to add the public IP
addresses of all third-party services and/or on-premises email system hosts that
route inbound mail to Microsoft 365.
To confirm that Enhanced Filtering for Connectors is working, verify that incoming
messages contain one or both of the following headers:
X-MS-Exchange-SkipListedInternetSender
X-MS-Exchange-ExternalOriginalInternetSender
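Enabling Enhanced Filtering on the inbound connector and checking a received message for the two headers listed above, as an added example (not code from the Microsoft article). It assumes Connect-ExchangeOnline has run; the connector name and IP ranges are hypothetical, and the header block at the end is constructed for illustration, not captured from a real message.

```powershell
# Added example (not from the Microsoft article).
Connect-ExchangeOnline

# Skip ALL of the gateway's public IPs so the filtering stack evaluates the
# true internet source of each message (the hop before the gateway).
Set-InboundConnector -Identity "Inbound from ThirdPartyGateway" `
    -EFSkipIPs "203.0.113.10","203.0.113.11","198.51.100.0/24"

# Alternative when the gateway is always the last hop and its IPs change often:
# Set-InboundConnector -Identity "Inbound from ThirdPartyGateway" -EFSkipLastIP $true

# Confirm the connector configuration.
Get-InboundConnector -Identity "Inbound from ThirdPartyGateway" |
    Format-List Name, Enabled, EFSkipLastIP, EFSkipIPs, EFUsers

# Verify on a delivered message. Paste the raw Internet headers (Outlook: File >
# Properties, or open the .eml) into $RawHeaders.
function Test-EnhancedFilteringHeaders {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Long headers are folded across lines (CRLF + whitespace); unfold first.
    $unfolded = $RawHeaders -replace "`r?`n[ `t]+", " "
    $skip = [regex]::Match($unfolded, '(?im)^X-MS-Exchange-SkipListedInternetSender:\s*(.+)$')
    $orig = [regex]::Match($unfolded, '(?im)^X-MS-Exchange-ExternalOriginalInternetSender:\s*(.+)$')
    [pscustomobject]@{
        EnhancedFilteringActive        = ($skip.Success -or $orig.Success)
        SkipListedInternetSender       = if ($skip.Success) { $skip.Groups[1].Value.Trim() } else { $null }
        ExternalOriginalInternetSender = if ($orig.Success) { $orig.Groups[1].Value.Trim() } else { $null }
    }
}

# Constructed sample header block (not a real message).
$sample = @"
Received: from gateway.example.net (203.0.113.10) by
 SOMEHOST.outlook.office365.com with Microsoft SMTP Server
X-MS-Exchange-SkipListedInternetSender: ip=[203.0.113.10];domain=gateway.example.net
X-MS-Exchange-ExternalOriginalInternetSender: ip=[192.0.2.55];domain=mail.sender.example
Authentication-Results: spf=pass (sender IP is 192.0.2.55)
"@
Test-EnhancedFilteringHeaders -RawHeaders $sample
```

If a message from the gateway shows neither header, the sending IP is not covered by the skip list (or the wrong connector was edited), and spoof intelligence is still evaluating the gateway as the sender.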
Step 5: Create pilot protection policies
By creating production policies, even if they aren't applied to all users, you can test
post-breach features like Threat Explorer and test integrating Defender for Office 365
into your security response team's processes.
) Important
Minimal configuration.
Extremely low chance of false positives.
Similar behavior to anti-malware protection, which is always on and not affected
by the SCL=-1 mail flow rule.
For the recommended settings, see Recommended Safe Attachments policy settings.
Note that the Standard and Strict recommendations are the same. To create the policy,
see Set up Safe Attachments policies. Be sure to use the group
MDOPilot_SafeAttachments as the condition of the policy (who the policy applies to).
7 Note
The Built-in protection preset security policy gives Safe Attachments protection to
all recipients that aren't defined in any Safe Attachments policies. For more
information, see Preset security policies in EOP and Microsoft Defender for Office
365.
Create pilot Safe Links policies
7 Note
Create a Safe Links policy for your pilot users. Chances for false positives in Safe Links
are also pretty low, but you should consider testing the feature on a smaller number of
pilot users than Safe Attachments. Because the feature impacts the user experience, you
should consider a plan to educate users.
For the recommended settings, see Recommended Safe Links policy settings. Note that
the Standard and Strict recommendations are the same. To create the policy, see Set up
Safe Links policies. Be sure to use the group MDOPilot_SafeLinks as the condition of the
policy (who the policy applies to).
7 Note
The Built-in protection preset security policy gives Safe Links protection to all
recipients that aren't defined in any Safe Links policies. For more information, see
Preset security policies in EOP and Microsoft Defender for Office 365.
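Creating both pilot policies (Safe Attachments, above, and Safe Links) scoped to their pilot groups from PowerShell, as an added example that is not code from the Microsoft article. It assumes Connect-ExchangeOnline has run and that the groups MDOPilot_SafeAttachments and MDOPilot_SafeLinks exist at the hypothetical addresses shown; the quarantine policy name is the built-in AdminOnlyAccessPolicy.

```powershell
# Added example (not from the Microsoft article).
Connect-ExchangeOnline

# --- Safe Attachments: block the whole message when detonation finds malware,
#     and send it to an admin-only quarantine so users can't self-release it.
New-SafeAttachmentPolicy -Name "MDOPilot Safe Attachments" `
    -Enable $true `
    -Action Block `
    -Redirect $false `
    -QuarantineTag AdminOnlyAccessPolicy

New-SafeAttachmentRule -Name "MDOPilot Safe Attachments" `
    -SafeAttachmentPolicy "MDOPilot Safe Attachments" `
    -SentToMemberOf "MDOPilot_SafeAttachments@contoso.com" `
    -Priority 0

# --- Safe Links: rewrite and scan URLs in email (including internal mail),
#     Teams and Office apps; hold delivery until scanning finishes; track
#     clicks; don't let users click through to a blocked URL.
New-SafeLinksPolicy -Name "MDOPilot Safe Links" `
    -EnableSafeLinksForEmail $true `
    -EnableForInternalSenders $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -DisableUrlRewrite $false `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -EnableOrganizationBranding $false

New-SafeLinksRule -Name "MDOPilot Safe Links" `
    -SafeLinksPolicy "MDOPilot Safe Links" `
    -SentToMemberOf "MDOPilot_SafeLinks@contoso.com" `
    -Priority 0

# Verify scope. Recipients not matched by any rule fall back to the Built-in
# protection preset, so the pilot is additive, not a gap.
Get-SafeAttachmentRule | Format-Table Name, State, Priority, SentToMemberOf
Get-SafeLinksRule      | Format-Table Name, State, Priority, SentToMemberOf
```

The policy (settings) and the rule (who it applies to) are separate objects; widening the pilot later is a Set-SafeLinksRule / Set-SafeAttachmentRule change to SentToMemberOf, with no edit to the policy itself.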
For the recommended Standard and Strict settings, see Recommended anti-spam policy
settings. To create the policies, see Configure anti-spam policies.
A policy that uses the Standard settings, with the exception of impersonation
detection actions as described below. Use the group
MDOPilot_SpamPhish_Standard as the condition of the policy (who the policy
applies to).
A policy that uses the Strict settings, with the exception of impersonation detection
actions as described below. Use the group MDOPilot_SpamPhish_Strict as the
condition of the policy (who the policy applies to). This policy should have a higher
priority (lower number) than the policy with the Standard settings.
For spoof detections, the recommended Standard action is Move message to the
recipients' Junk Email folders, and the recommended Strict action is Quarantine the
message. Use the spoof intelligence insight to observe the results. Overrides are
explained in the next section. For more information, see Spoof intelligence insight in
EOP.
For impersonation detections, ignore the recommended Standard and Strict actions for
the pilot policies. Instead, use the value Don't apply any action for the following
settings:
Use the impersonation insight to observe the results. For more information, see
Impersonation insight in Defender for Office 365.
You'll tune spoofing protection (adjust allows and blocks) and turn on each
impersonation protection action to quarantine or move the messages to the Junk Email
folder (based on the Standard or Strict recommendations). You can observe the results
and adjust their settings as necessary.
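The Standard and Strict pilot anti-spam and anti-phishing policies described above, with impersonation set to observe-only and Strict given the higher priority, as an added PowerShell example (not code from the Microsoft article). It assumes Connect-ExchangeOnline has run and that the pilot groups exist at the hypothetical addresses shown; the spam thresholds and actions are my reading of the Standard and Strict recommendations at the time of the article and should be checked against the Recommended settings article before use; the protected user entry is a placeholder.

```powershell
# Added example (not from the Microsoft article).
Connect-ExchangeOnline

# --- Anti-spam (EOP). Standard sends spam and bulk to Junk; Strict quarantines.
New-HostedContentFilterPolicy -Name "MDOPilot Anti-spam Standard" `
    -SpamAction MoveToJmf -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine -HighConfidencePhishAction Quarantine `
    -BulkSpamAction MoveToJmf -BulkThreshold 6
New-HostedContentFilterRule -Name "MDOPilot Anti-spam Standard" `
    -HostedContentFilterPolicy "MDOPilot Anti-spam Standard" `
    -SentToMemberOf "MDOPilot_SpamPhish_Standard@contoso.com" -Priority 1

New-HostedContentFilterPolicy -Name "MDOPilot Anti-spam Strict" `
    -SpamAction Quarantine -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine -HighConfidencePhishAction Quarantine `
    -BulkSpamAction Quarantine -BulkThreshold 5
New-HostedContentFilterRule -Name "MDOPilot Anti-spam Strict" `
    -HostedContentFilterPolicy "MDOPilot Anti-spam Strict" `
    -SentToMemberOf "MDOPilot_SpamPhish_Strict@contoso.com" -Priority 0

# --- Anti-phishing (Defender for Office 365). Impersonation protection is
#     ON but takes no action during the pilot, so the impersonation insight
#     fills with data without touching mail. Spoof action differs per tier.
$impersonationObserveOnly = @{
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @("Chief Executive;ceo@contoso.com")  # placeholder
    TargetedUserProtectionAction        = 'NoAction'
    EnableTargetedDomainsProtection     = $true
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = 'NoAction'
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'NoAction'
    EnableSpoofIntelligence             = $true
    EnableFirstContactSafetyTips        = $true
}

New-AntiPhishPolicy -Name "MDOPilot Anti-phish Standard" @impersonationObserveOnly `
    -AuthenticationFailAction MoveToJmf -PhishThresholdLevel 3
New-AntiPhishRule -Name "MDOPilot Anti-phish Standard" `
    -AntiPhishPolicy "MDOPilot Anti-phish Standard" `
    -SentToMemberOf "MDOPilot_SpamPhish_Standard@contoso.com" -Priority 1

New-AntiPhishPolicy -Name "MDOPilot Anti-phish Strict" @impersonationObserveOnly `
    -AuthenticationFailAction Quarantine -PhishThresholdLevel 4
New-AntiPhishRule -Name "MDOPilot Anti-phish Strict" `
    -AntiPhishPolicy "MDOPilot Anti-phish Strict" `
    -SentToMemberOf "MDOPilot_SpamPhish_Strict@contoso.com" -Priority 0

# Precedence check: only one policy of each type applies to a recipient, so
# Strict (0) must sort above Standard (1) for users who are in both groups.
Get-HostedContentFilterRule | Sort-Object Priority | Format-Table Priority, Name, SentToMemberOf
Get-AntiPhishRule           | Sort-Object Priority | Format-Table Priority, Name, SentToMemberOf
```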
Anti-spoofing protection
Impersonation settings in anti-phishing policies
Configure anti-phishing policies in Defender for Office 365.
Next step
Congratulations! You have completed the Setup phase of your migration to Microsoft
Defender for Office 365!
Proceed to Phase 3: Onboard.
Migrate to Microsoft Defender for Office 365 - Phase 3: Onboard
Article • 12/21/2022 • 12 minutes to read
Applies to
Welcome to Phase 3: Onboard of your migration to Microsoft Defender for Office 365!
This migration phase includes the following steps:
Learn the new tools and integrate them into existing flows. For example:
Admin management of quarantined messages is important. For instructions, see
Manage quarantined messages and files as an admin.
Message trace allows you to see what happened to messages as they enter or
leave Microsoft 365. For more information, see Message trace in the modern
Exchange admin center in Exchange Online.
Identify risks that may have been let into the organization.
Tune and customize alerts for organizational processes.
Manage the incident queue and remediate potential risks.
If your organization has purchased Microsoft Defender for Office 365 Plan 2, your security
team should begin familiarizing itself with and using features such as Threat Explorer,
Advanced Hunting, and Incidents. For relevant training, see https://aka.ms/mdoninja .
If your security response team collects and analyzes unfiltered messages, you can
configure a SecOps mailbox to receive these unfiltered messages. For instructions, see
Configure SecOps mailboxes in the advanced delivery policy.
SIEM/SOAR
For more information about integrating with your SIEM/SOAR, see the following articles:
If your organization does not have a security response team or existing process flows,
you can use this time to familiarize yourself with basic hunting and response features in
Defender for Office 365. For more information, see Threat investigation and response.
RBAC roles
Permissions in Defender for Office 365 are based on role-based access control (RBAC) and
are explained in Permissions in the Microsoft 365 Defender portal. These are the
important points to keep in mind:
Azure AD roles give permissions to all workloads in Microsoft 365. For example, if
you add a user to the Security Administrator in the Azure portal, they have Security
Administrator permissions everywhere.
Email & collaboration roles in the Microsoft 365 Defender portal give permissions
to the Microsoft 365 Defender Portal and the Microsoft Purview compliance portal.
For example, if you add a user to Security Administrator in the Microsoft 365
Defender portal, they have Security Administrator access only in the Microsoft 365
Defender Portal and the Microsoft Purview compliance portal.
Many features in the Microsoft 365 Defender portal are built on Exchange Online
PowerShell cmdlets and therefore require membership in the corresponding role
groups in Exchange Online, which is what grants access to those cmdlets.
There are Email & collaboration roles in the Microsoft 365 Defender portal that
have no equivalent to Azure AD roles, and are important for security operations
(for example the Preview role and the Search and Purge role).
Typically, only a subset of security personnel will need additional rights to download
messages directly from user mailboxes. This requires an additional permission that
Security Reader does not have by default.
Note
This step is explicitly required if your current protection service provides link
wrapping, but you want to pilot Safe Links functionality. Double wrapping of links is
not supported.
Spoof intelligence can rescue email from domains without proper email authentication
records in DNS, but the feature sometimes needs assistance in distinguishing good
spoofing from bad spoofing. Focus on the following types of message sources:
Message sources that are outside of the IP address ranges defined in Enhanced
Filtering for Connectors.
Message sources that have the highest number of messages.
Message sources that have the highest impact on your organization.
Spoof intelligence will eventually tune itself after you configure user reported message
settings, so there is no need for perfection.
User impersonation protection: Quarantine the message for both Standard and
Strict.
Domain impersonation protection: Quarantine the message for both Standard and
Strict.
Mailbox intelligence protection: Move message to the recipients' Junk Email
folders for Standard; Quarantine the message for Strict.
The longer you monitor the impersonation protection results without acting on the
messages, the more data you'll have to identify allows or blocks that might be required.
Consider using a delay between turning on each protection that's significant enough to
allow for observation and adjustment.
Note
When you're ready, do the following steps to allow mailbox intelligence to act on
messages that are detected as impersonation attempts:
In the anti-phishing policy with the Standard protection settings, change the value
of If mailbox intelligence detects an impersonated user to Move message to
recipients' Junk Email folders.
In the anti-phishing policy with the Strict protection settings, change the value of If
mailbox intelligence detects an impersonated user to Quarantine the message.
To modify the policies, see Configure anti-phishing policies in Defender for Office 365.
After you've observed the results and made any adjustments, proceed to the next
section to quarantine messages detected by user impersonation.
Check the impersonation insight to see what's being blocked as user impersonation
attempts.
To modify the policies, see Configure anti-phishing policies in Defender for Office 365.
After you've observed the results and made any adjustments, proceed to the next
section to quarantine messages detected by domain impersonation.
Check the impersonation insight to see what's being blocked as domain impersonation
attempts.
To modify the policies, see Configure anti-phishing policies in Defender for Office 365.
Use the following features to monitor and iterate on the protection settings in Defender
for Office 365:
Quarantine
Threat Explorer
Email security reports
Defender for Office 365 reports
Mail flow insights
Mail flow reports
If your organization uses a third-party service for user reported messages, you can
integrate that data into your feedback loop.
Microsoft 365 generates alerts when high confidence phishing messages are
allowed by organizational policies. To identify these messages, you have the
following options:
Overrides in the Threat protection status report.
Filter in Threat Explorer to identify the messages.
Filter in Advanced Hunting to identify the messages.
1. Extend the pilot policies to the entire organization. Fundamentally, there are
different ways to do this:
Use preset security policies and divide your users between the Standard
protection profile and the Strict protection profile (make sure everyone is
covered). Preset security policies are applied before any custom policies that
you've created or any default policies. You can turn off your individual pilot
policies without deleting them.
The drawback to preset security policies is you can't change many of the
important settings after you've created them.
Change the scope of the policies that you created and adjusted during the
pilot to include all users (for example, all recipients in all domains).
Remember, if multiple policies of the same type (for example, anti-phishing
policies) apply to the same user (individually, by group membership, or email
domain), only the settings of the policy with the highest priority (lowest
priority number) are applied, and processing stops for that type of policy.
2. Turn off the SCL=-1 mail flow rule (you can turn it off without deleting it).
3. Verify that the previous changes have taken effect, and that Defender for Office
365 is now properly enabled for all users. At this point, all of the protection
features of Defender for Office 365 are now allowed to act on mail for all
recipients, but that mail has already been scanned by your existing protection
service.
You can pause at this stage for more large-scale data recording and tuning.
When you switch the MX record for your domain, it can take up to 48 hours
for the changes to propagate throughout the internet.
We recommend lowering the TTL value of your DNS records to enable faster
response and possible rollback (if required). You can revert to the original TTL
value after the switchover is complete and verified.
You should consider starting with changing domains that are used less
frequently. You can pause and monitor before moving to larger domains.
However, even if you do this, you still should make sure that all users and
domains are covered by policies, because secondary SMTP domains are
resolved to primary domains prior to the policy application.
Multiple MX records for a single domain will technically work, allowing you to
have split routing, provided that you have followed all the guidance in this
article. Specifically, you should make sure that policies are applied to all users,
that the SCL=-1 mail flow rule is applied only to mail that passes through your
existing protection service as described in Setup Step 3: Maintain or create
the SCL=-1 mail flow rule. However, this configuration introduces behavior
that makes troubleshooting much more difficult, and therefore we do not
typically recommend it, especially for extended periods of time.
Before you switch your MX records, verify that the following settings are not
enabled on the inbound connector from the protection service to Microsoft
365. Typically, the connector will have one or more of the following settings
configured:
… and require that the subject name on the certificate that the partner uses to
authenticate with Office 365 matches this domain name (RestrictDomainsToCertificate)
Reject email messages if they aren't sent from within this IP address range
(RestrictDomainsToIPAddresses)
If the connector type is Partner and either of these settings are turned on, all mail
delivery to your domains will fail after you switch your MX records. You need to
disable these settings before you continue. If the connector is an on-premises
connector that's used for hybrid, you don't need to modify the on-premises
connector. But, you can still check for the presence of a Partner connector.
If your current mail gateway is also providing recipient validation, you may
want to check that the domain is configured as Authoritative in Microsoft
365. This can prevent unnecessary bounce messages.
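The pre-cutover checks in this list, collected into one Exchange Online PowerShell script. This is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement module, Windows (for Resolve-DnsName), and the constructed domain contoso.com and rule name 'Bypass spam filtering for gateway mail'.

```powershell
# Added example, not part of the Microsoft article: checks to run before switching MX records.
# Assumes ExchangeOnlineManagement, Windows (Resolve-DnsName), the constructed domain
# contoso.com and the constructed SCL=-1 rule name 'Bypass spam filtering for gateway mail'.
Connect-ExchangeOnline

$domain  = 'contoso.com'
$sclRule = 'Bypass spam filtering for gateway mail'

# 1. Partner inbound connectors that restrict by certificate subject or source IP.
#    If either setting is $true, delivery fails once the MX points directly at Microsoft 365.
$risky = Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'Partner' -and
                   ($_.RestrictDomainsToCertificate -or $_.RestrictDomainsToIPAddresses) }
$risky | Select-Object Name, Enabled, RestrictDomainsToCertificate, RestrictDomainsToIPAddresses
# To clear the settings on one connector after reviewing it:
# Set-InboundConnector -Identity $risky[0].Name -RestrictDomainsToCertificate $false -RestrictDomainsToIPAddresses $false

# 2. The domain should be Authoritative so that recipient validation happens in Microsoft 365
#    and unknown recipients are rejected at SMTP time instead of producing bounce messages.
Get-AcceptedDomain -Identity $domain | Select-Object Name, DomainType

# 3. The SCL=-1 rule must be scoped to the gateway's IP ranges only. It is turned off,
#    not deleted, once the cutover has been verified.
Get-TransportRule -Identity $sclRule | Select-Object Name, State, Priority, SenderIpRanges, SetSCL

# 4. Current MX record and its TTL; lower the TTL ahead of the switch for faster rollback.
Resolve-DnsName -Name $domain -Type MX | Select-Object Name, NameExchange, Preference, TTL

# After the switch has been verified:
# Disable-TransportRule -Identity $sclRule -Confirm:$false
```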
When you're ready, switch the MX record for your domains. You can migrate all of your
domains at once. Or, you can migrate less frequently used domains first, and then
migrate the rest later.
Feel free to pause and evaluate here at any point. But, remember: once you turn off the
SCL=-1 mail flow rule, users might have two different experiences for checking false
positives. The sooner you can provide a single, consistent experience, the happier your
users and help desk teams will be when they have to troubleshoot a missing message.
Next steps
Congratulations! You have completed your migration to Microsoft Defender for Office
365! Because you followed the steps in this migration guide, the first few days where
mail is delivered directly into Microsoft 365 should be much smoother.
Now you begin the normal operation and maintenance of Defender for Office 365.
Monitor and watch for issues that are similar to what you experienced during the pilot,
but on a larger scale. The spoof intelligence insight and the impersonation insight will
be most helpful, but consider making the following activities a regular occurrence:
This article gives an overview of the requirements and tasks for successfully operating Microsoft
Defender for Office 365 in your organization. These tasks help ensure that your security operations
center (SOC) provides a high-quality, reliable approach to protect, detect, and respond to email and
collaboration-related security threats.
The rest of this guide describes the required activities for SecOps personnel. The activities are
grouped into prescriptive daily, weekly, monthly, and ad-hoc tasks.
A companion article to this guide provides an overview to manage incidents and alerts from
Defender for Office 365 on the Incidents page in the Microsoft 365 Defender portal.
The Microsoft 365 Defender Security Operations Guide contains additional information that you can
use for planning and development.
Daily activities
Alerts.
Automated investigation and response (AIR).
For more information about the Incidents queue, see Prioritize incidents in Microsoft 365 Defender.
Your triage plan for monitoring the Incidents queue should use the following order of precedence
for incidents:
Incident queue management and the responsible personas are described in the following table:
Activity | Cadence | Description | Persona
Triage incidents in the Incidents queue at https://security.microsoft.com/incidents-queue . | Daily | Verify that all Medium and High severity incidents from Defender for Office 365 are triaged. | Security Operations Team
Investigate and take Response actions on incidents. | Daily | Investigate all incidents and actively take the recommended or manual response actions. | Security Operations Team
Classify incidents. | Daily | Classify incidents as true or false. For true alerts, specify the threat type. This classification helps your security team see threat patterns and defend your organization from them. | Security Operations Team
For more information, see the Manage false positive and false negative detections section later in
this article.
False positive and false negative management and the responsible personas are described in the
following table:
Activity | Cadence | Description | Persona
Submit false positives and false negatives to Microsoft at https://security.microsoft.com/reportsubmission . | Daily | Provide signals to Microsoft by reporting incorrect email, URL, and file detections. | Security Operations Team
… | … | … Microsoft: What caused the false positive or false negative. The state of your Defender for Office 365 configuration at the time of the submission. Whether you need to make changes to your Defender for Office 365 configuration. | Security Administration
Add block entries in the Tenant Allow/Block List at https://security.microsoft.com/tenantAllowBlockList . | Daily | Use the Tenant Allow/Block List to add block entries for false negative URL, file, or sender detections as needed. | Security Operations Team
Release false positive from quarantine. | Daily | After the recipient confirms that the message was incorrectly … | Security Operations Team
Review email campaigns. | Daily | Review email campaigns that targeted your organization at https://security.microsoft.com/campaigns . Focus on campaigns that resulted in messages being delivered to recipients. | Security Operations Team
Weekly activities
Activity | Cadence | Description | Persona
Review threats in Threat analytics at https://security.microsoft.com/threatanalytics3 . | Weekly | Threat analytics provides detailed analysis, including the following items: IOCs; hunting queries about active threat actors and their campaigns; popular and new attack techniques; critical vulnerabilities; common attack surfaces; prevalent malware. | Security Operations Team; Threat hunting team
Review the Top targeted users tab in Threat Explorer at https://security.microsoft.com/threatexplorer . | Weekly | Use the information to decide if you need to adjust policies or protections for these users. Add the affected users to Priority accounts to gain the following benefits: better visibility in reports; filtering in incidents and alerts. | Security Administration; Security Operations Team
Use Campaign Views at https://security.microsoft.com/campaigns to review malware and phishing attacks that affect you. | Weekly | Learn about the attacks and techniques and what Defender for Office 365 was able to identify and block. | Security Operations Team
Ad-hoc activities
Activity | Cadence | Description | Persona
Investigate and remove bad email in Threat Explorer at https://security.microsoft.com/threatexplorer based on user requests. | Ad-hoc | Use the Trigger investigation action in Threat Explorer to start an automated investigation and response playbook on any email from the last 30 days. Manually triggering an investigation saves time and effort by centrally including: a root investigation; steps to identify and correlate threats; recommended actions to mitigate those threats. Message actions available: Move to Inbox, Move to Junk, Move to Deleted items, Soft delete, Hard delete. | Security Operations Team
Proactively hunt for threats. Regular, proactive hunting for threats at https://security.microsoft.com/threatexplorer and https://security.microsoft.com/v2/advanced-hunting . | Ad-hoc | Search for threats using Threat Explorer and Advanced hunting. | Security Operations Team; Threat hunting team
… | Ad-hoc | … Or you can use the PowerShell-based ORCA tool . | …
… | Ad-hoc | Actively investigate, remove, or fine tune overrides to avoid delivery of email that was determined to be malicious. | …
Review who's defined as a priority account at https://security.microsoft.com/securitysettings/userTags . | Ad-hoc | Keep the membership of priority accounts current with organizational changes to get the following benefits for those users: better visibility in reports; filtering in incidents and alerts; tailored heuristics for executive mail flow patterns (priority account protection). | Security Operations Team
Appendix
The content is structured for different knowledge levels (Fundamentals, Intermediate, and
Advanced) with multiple modules per level.
Short videos for specific tasks are also available in the Microsoft Defender for Office 365 YouTube
channel .
Note
Privileged Identity Management (PIM) in Azure AD is also a way to assign required permissions
to SecOps personnel. For more information, see Privileged Identity Management (PIM) and
why to use it with Microsoft Defender for Office 365.
The following permissions (roles and role groups) are available in Defender for Office 365 and can
be used to grant access to security team members:
Azure AD roles: Centralized roles that assign permissions for all Microsoft 365 services,
including Defender for Office 365. You can view the Azure AD roles and assigned users in the
Microsoft 365 Defender portal, but you can't manage them directly there. Instead, you
manage Azure AD roles and members at
https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators .
The most frequent roles used by security teams are:
Security administrator
Security operator
Security reader
Email & collaboration roles: Roles and role groups that grant permission specific to Microsoft
Defender for Office 365. The following roles are not available in Azure AD, but can be
important for security teams:
Preview role: Assign this role to team members who need to preview or download email
messages as part of investigation activities. Allows users to preview and download email
messages in cloud mailboxes using the email entity page.
To assign this role to a new or existing role group, see Modify Email & collaboration role
membership in the Microsoft 365 Defender portal.
Search and Purge role: Approve the deletion of malicious messages as recommended by
AIR or take manual action on messages in hunting experiences like Threat Explorer.
To assign this role to a new or existing role group, see Modify Email & collaboration role
membership in the Microsoft 365 Defender portal.
Tenant AllowBlockList Manager: Manage allow and block entries in the Tenant Allow/Block
List. Blocking URLs, files (using file hash) or senders is a useful response action to take when
investigating malicious email that was delivered.
By default, this role is assigned only to the Security Operator role group. But, members of
the Security Administrators and Organization management role groups can also manage
entries in the Tenant Allow/Block List.
SIEM/SOAR integration
Defender for Office 365 exposes most of its data through a set of programmatic APIs. These APIs
help you automate workflows and make full use of Defender for Office 365 capabilities. Data is
available through the Microsoft 365 Defender APIs and can be used to integrate Defender for Office
365 into existing SIEM/SOAR solutions.
Incident API: Defender for Office 365 alerts and automated investigations are active parts of
incidents in Microsoft 365 Defender. Security teams can focus on what's critical by grouping
the full attack scope and all impacted assets together.
Event streaming API: Allows shipping of real-time events and alerts into a single data stream
as they happen. Supported Defender for Office 365 event types include:
EmailEvents
EmailUrlInfo
EmailAttachmentInfo
EmailPostDeliveryEvents
The events contain data from processing all email (including intra-org messages) in the last 30
days.
Threat Assessment API: Can be used to report spam, phishing URLs, or malware attachments
directly to Microsoft.
To connect Defender for Office 365 incidents and raw data with Microsoft Sentinel, you can use the
Microsoft 365 Defender (M365D) connector.
You can use this simple "Hello World" example to test API access to Microsoft Defender APIs: Hello
World for Microsoft 365 Defender REST API.
For more information about SIEM tool integration, see Integrate your SIEM tools with Microsoft 365
Defender.
Organizations have multiple options for configuring user reported messages. Depending on the
configuration, security teams might have more active involvement when users submit false positives
or false negatives to Microsoft:
User reported messages are sent to Microsoft for analysis when the user reported
message settings are configured with either of the following settings:
Send the reported messages to: Microsoft only.
Send the reported messages to: Microsoft and my reporting mailbox.
Security team members should do ad hoc admin submissions when the operations teams
discover false positives or false negatives that were not reported by users.
When user reported messages are configured to send messages only to the organization's
mailbox, security teams should actively send user-reported false positives and false negatives
to Microsoft via admin submissions.
Whenever a user reports a message as phishing, Defender for Office 365 generates an alert and the
alert will trigger an AIR playbook. Incident logic will correlate this information to other alerts and
events where possible. This consolidation of information helps security teams triage, investigate,
and respond to user reported messages.
User reported messages and admin submissions are handled by the submission pipeline by
Microsoft, which follows a tightly integrated process. This process includes:
Noise reduction.
Automated triage.
Grading by security analysts and human-partnered machine learning-based solutions.
For more information, see Reporting an email in Defender for Office 365 - Microsoft Tech
Community .
Security team members can do submissions from multiple locations in the Microsoft 365 Defender
portal at https://security.microsoft.com :
Admin submission: Use the Submissions portal to submit suspected spam, phishing, URLs, and
files to Microsoft.
Directly from Threat Explorer using one of the following message actions:
Report clean
Report phishing
Report malware
Report spam
You can select up to 10 messages to perform a bulk submission. Admin submissions created
this way are also visible in the Submissions portal.
For the short-term mitigation of false negatives, security teams can directly manage block entries
for files, URLs, and domains or email addresses in the Tenant Allow/Block List.
For the short-term mitigation of false positives, security teams can't directly manage allow entries
for domains and email addresses in the Tenant Allow/Block List. Instead, they need to use admin
submissions to report the email message as a false positive. For instructions, see Use the Microsoft
365 Defender portal to create allow entries for domains and email addresses in the Submissions
portal.
Quarantine in Defender for Office 365 holds potentially dangerous or unwanted messages and files.
Security teams can view, release, and delete all types of quarantined messages for all users. This
capability enables security teams to respond effectively when a false positive message or file is
quarantined.
Designate the reporting mailbox where user reported messages are sent on the User reported page
in the Microsoft 365 Defender portal at
https://security.microsoft.com/securitysettings/userSubmission . For more information, see user
reported message settings.
Note
When a user reported message arrives in the reporting mailbox, Defender for Office 365
automatically generates the alert named Email reported by user as malware or phish. This alert
launches an AIR playbook. The playbook performs a series of automated investigations steps:
Email reported by user as malware or phish alerts, automated investigations and their
recommended actions are automatically correlated to incidents in Microsoft 365 Defender. This
correlation further simplifies the triage and response process for security teams. If multiple users
report the same or similar messages, all of the users and messages are correlated into the same
incident.
Data from alerts and investigations in Defender for Office 365 is automatically compared to alerts
and investigations in the other Microsoft 365 Defender products:
If a relationship is discovered, the system creates an incident that gives visibility for the entire
attack.
Configure your Microsoft 365 tenant for increased security
Article • 12/22/2022 • 8 minutes to read
This topic will walk you through the manual configuration of tenant-wide settings that
affect the security of your Microsoft 365 environment. Use these recommendations as a
starting point.
Keep in mind that some areas come with default policy configurations. Some areas do
not include default policies or rules.
For example, the recommended setup of Microsoft Defender for Office 365 (plan 1 and
plan 2) is described by this handy step-by-step guide, right here: 'Ensuring you always
have the optimal security'. But, even so, some admins opt for a more hands-on
approach to this product.
To automate your setup of Microsoft Defender for Office 365 visit the Standard and
Strict policies under Email & collaboration > Policies & rules > Threat policies to tune
threat management settings for a more secure environment.
Area | Includes a default policy | Recommendation
Anti-malware protection | … | … More information: Recommended anti-malware policy settings; Configure anti-malware policies
Safe Attachments in Defender for Office 365 | No | Configure the global settings for Safe Attachments and create a Safe Attachments policy as described here: Configure Safe Attachments settings in Microsoft Defender for Office 365.
Safe Links in Microsoft Defender for Office 365 | No | Create a Safe Links policy as described here: Configure Safe Links settings in Microsoft Defender for Office 365.
Anti-spam (mail filtering) | Yes | Configure the default anti-spam policy as described here: Configure anti-spam protection settings in EOP.
Email Authentication | Yes | Email authentication uses DNS records to add verifiable information to email messages about the message source and sender. Microsoft 365 automatically configures email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also configure email authentication for custom domains. Three authentication methods are used:
  Sender Policy Framework (or SPF). For setup, see Set up SPF in Microsoft 365 to help prevent spoofing.
  DomainKeys Identified Mail (DKIM). See Use DKIM to validate outbound email sent from your custom domain. After you've configured DKIM, enable it in the Microsoft 365 Defender portal.
  Domain-based Message Authentication, Reporting, and Conformance (DMARC). For DMARC setup, see Use DMARC to validate email in Microsoft 365.
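A script that checks the three records described in the Email Authentication row and enables DKIM signing only once its CNAMEs resolve. This is an added example, not code from the Microsoft article; it assumes Windows (Resolve-DnsName), the ExchangeOnlineManagement module, and the constructed domain contoso.com.

```powershell
# Added example, not part of the Microsoft article: verify SPF, DKIM and DMARC DNS records for a
# custom domain and enable DKIM signing. Assumes Windows (Resolve-DnsName), the
# ExchangeOnlineManagement module, and the constructed domain contoso.com.
$domain = 'contoso.com'

function Get-TxtRecord([string]$Name, [string]$Prefix) {
    # Returns the first TXT string at $Name that starts with $Prefix, or $null if none exists.
    (Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue).Strings |
        Where-Object { $_ -like "$Prefix*" } | Select-Object -First 1
}

# SPF: a single TXT record at the apex. Microsoft 365 is authorized to send for the domain
# through the include:spf.protection.outlook.com mechanism.
$spf = Get-TxtRecord -Name $domain -Prefix 'v=spf1'
if ($spf -and $spf -match 'include:spf\.protection\.outlook\.com') { "SPF: $spf" }
else { "SPF: record missing, or include:spf.protection.outlook.com not present" }

# DKIM: Microsoft 365 publishes two tenant-specific CNAME targets per domain. Both
# selector CNAMEs must resolve in public DNS before signing is switched on, otherwise
# receivers cannot fetch the public key and signatures fail verification.
Connect-ExchangeOnline
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }
$expected = @{ selector1 = $dkim.Selector1CNAME; selector2 = $dkim.Selector2CNAME }
$ready = $true
foreach ($selector in $expected.Keys) {
    $name   = "${selector}._domainkey.${domain}"
    $target = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue).NameHost
    "$name -> $target (expected $($expected[$selector]))"
    if ($target -ne $expected[$selector]) { $ready = $false }
}
if ($ready -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
} elseif (-not $ready) {
    'DKIM: publish the CNAME records above before enabling signing'
}

# DMARC: TXT record at _dmarc.<domain>. Start with p=none plus aggregate (rua) reports to
# find legitimate senders that fail SPF/DKIM, then tighten to quarantine or reject.
$dmarc = Get-TxtRecord -Name "_dmarc.$domain" -Prefix 'v=DMARC1'
if ($dmarc) { "DMARC: $dmarc" } else { 'DMARC: record missing' }
```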
1. Browse to security.microsoft.com .
2. Click Reports on the menu.
a. Here you can view information about security trends and track the protection
status of your identities, data, devices, apps, and infrastructure.
The data in these reports will become richer as your organization uses Office 365
services, keep that in mind if you are in pilot or testing. For now, be familiar with what
you can monitor and take action on.
Inside each report, you'll see cards for the specific areas monitored.
Dashboard | Description
Security reports | Identities and device security reports such as users and devices with malware detections, device compliance, and users at risk.
Defender for Office 365 reports | The reports are available only in Defender for Office 365. For more information, see View Defender for Office 365 reports in the Microsoft 365 Defender portal.
Mail flow reports and insights | These reports and insights are available in the Exchange admin center (EAC). For more information, see Mail flow reports and Mail flow insights.
Threat Explorer (or real-time detections) | If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.
Configure additional Exchange Online tenant-
wide settings
Here are a couple of additional settings that are recommended.
Area | Recommendation
Mail flow rules (also known as transport rules) | Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see Use mail flow rules to inspect message attachments in Exchange Online. See these additional topics: …
… | … More information: How modern authentication works for Office 2013 and Office 2016 client apps
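The mail flow rules recommended above, created with Exchange Online PowerShell. This is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement module, and the rule names and rejection text are constructed.

```powershell
# Added example, not part of the Microsoft article: mail flow rules that block executable
# attachments and macro-enabled Office attachments. Assumes the ExchangeOnlineManagement
# module; rule names and rejection text are constructed.
Connect-ExchangeOnline

# AttachmentHasExecutableContent inspects the file content (true file type), not the
# extension, so an .exe renamed to .txt is still caught.
$execRule = @{
    Name                            = 'Block executable attachments'
    AttachmentHasExecutableContent  = $true
    RejectMessageReasonText         = 'Executable attachments are not accepted. Share the file through OneDrive or SharePoint instead.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    Mode                            = 'Enforce'
    Priority                        = 0
}
New-TransportRule @execRule

# Macro-enabled Office formats are matched by extension. Legacy .doc/.xls/.ppt files can
# also carry macros but are not covered by this condition.
$macroRule = @{
    Name                            = 'Block macro-enabled Office attachments'
    AttachmentExtensionMatchesWords = @('docm','dotm','xlsm','xltm','xlam','pptm','potm','ppam','ppsm','sldm')
    RejectMessageReasonText         = 'Macro-enabled Office files are not accepted.'
    RejectMessageEnhancedStatusCode = '5.7.1'
    Mode                            = 'Enforce'
    Priority                        = 1
}
New-TransportRule @macroRule

# Verify. To measure impact before blocking, create the rules with Mode = 'Audit' first and
# review the mail flow reports, then switch to Enforce.
Get-TransportRule | Where-Object { $_.Name -like 'Block *' } |
    Format-List Name, State, Mode, Priority
```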
SharePoint team sites configured at the baseline level allow sharing files with external
users by using anonymous access links. This approach is recommended instead of
sending files in email.
To support the goals for baseline protection, configure tenant-wide sharing policies as
recommended here. Sharing settings for individual sites can be more restrictive than this
tenant-wide policy, but not more permissive.
SharePoint admin center and OneDrive for Business admin center include the same
settings. The settings in either admin center apply to both.
For secure environments, be sure to disable authentication for apps that do not support
modern authentication. You can do this in Azure Active Directory with a control that is
coming soon.
In the meantime, use one of the following methods to accomplish this for SharePoint
Online and OneDrive for Business:
Use PowerShell, see Block apps that do not use modern authentication.
Configure this in the SharePoint admin center on the Device access page: under
"Control access from apps that don't use modern authentication", choose Block.
Or, use Microsoft Defender for Cloud Apps to obtain deeper visibility even after access
is granted, comprehensive controls, and improved protection for all your cloud
applications, including Office 365.
Because this solution recommends the EMS E5 plan, we recommend you start with
Defender for Cloud Apps so you can use this with other SaaS applications in your
environment. Start with default policies and settings.
More information:
Additional resources
These articles and guides provide additional prescriptive information for securing your
Microsoft 365 environment:
Microsoft security guidance for political campaigns, nonprofits, and other agile
organizations (you can use these recommendations in any environment, especially
cloud-only environments)
Not all user accounts have access to the same company information. Some accounts
have access to sensitive information, such as financial data, product development
information, partner access to critical build systems, and more. If compromised,
accounts that have access to highly confidential information pose a serious threat. We
call these types of accounts priority accounts. Priority accounts include (but aren't limited
to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more.
For attackers, ordinary phishing attacks that cast a random net for ordinary or unknown
users are inefficient. On the other hand, spear phishing or whaling attacks that target
priority accounts are very rewarding for attackers. So, priority accounts require stronger
than ordinary protection to help prevent account compromise.
Microsoft 365 and Microsoft Defender for Office 365 contain several key features that
provide additional layers of security for your priority accounts. This article describes
these capabilities and how to use them.
Train users
Note
For information about securing privileged accounts (admin accounts), see this topic.
For instructions, see Step 1. Increase sign-in security for remote workers with MFA.
Although this article is about remote workers, the same concepts apply to priority users.
Note: We strongly recommend that you globally disable legacy authentication protocols
for all priority users as described in the previous article. If your business requirements
prevent you from doing so, Exchange Online offers the following controls to help limit
the scope of legacy authentication protocols:
You can use authentication policies and Client Access Rules in Exchange Online to
block or allow Basic authentication and legacy authentication protocols like POP3,
IMAP4, and authenticated SMTP for specific users.
You can disable POP3 and IMAP4 access on individual mailboxes. You can disable
authenticated SMTP at the organizational level and enable it on specific mailboxes
that still require it. For instructions, see the following articles:
Enable or Disable POP3 or IMAP4 access for a user
Enable or disable authenticated client SMTP submission (SMTP AUTH)
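The controls listed above (authentication policies, per-mailbox POP3/IMAP4, and organization-wide SMTP AUTH with per-mailbox exceptions) applied to priority accounts in one script. This is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement module and the constructed mailboxes ceo@contoso.com, cfo@contoso.com and scanner@contoso.com.

```powershell
# Added example, not part of the Microsoft article: limit legacy authentication for priority
# accounts in Exchange Online. Assumes the ExchangeOnlineManagement module and the constructed
# mailboxes ceo@contoso.com, cfo@contoso.com (priority) and scanner@contoso.com (a device that
# still needs SMTP AUTH).
Connect-ExchangeOnline

$priorityAccounts = 'ceo@contoso.com', 'cfo@contoso.com'

# 1. Authentication policy: a policy created with no protocol switches blocks Basic
#    authentication for every protocol. Assign it to the priority accounts.
New-AuthenticationPolicy -Name 'Block Basic Auth (priority accounts)'
foreach ($account in $priorityAccounts) {
    Set-User -Identity $account -AuthenticationPolicy 'Block Basic Auth (priority accounts)'
}

# 2. Disable POP3 and IMAP4 on each priority mailbox.
foreach ($account in $priorityAccounts) {
    Set-CASMailbox -Identity $account -PopEnabled $false -ImapEnabled $false
}

# 3. Disable authenticated SMTP (SMTP AUTH) for the whole organization, then re-enable it
#    only on the mailbox that still needs it. $null on a mailbox means "follow the
#    organization-wide setting", so priority accounts get no explicit per-mailbox override.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity 'scanner@contoso.com' -SmtpClientAuthenticationDisabled $false
foreach ($account in $priorityAccounts) {
    Set-CASMailbox -Identity $account -SmtpClientAuthenticationDisabled $null
}

# 4. Verify the effective settings.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
foreach ($account in $priorityAccounts + 'scanner@contoso.com') {
    Get-CASMailbox -Identity $account |
        Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
    Get-User -Identity $account | Select-Object Name, AuthenticationPolicy
}
```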
It's also worth noting that Basic authentication is in the process of being deprecated in
Exchange Online for Exchange Web Services (EWS), Exchange ActiveSync, POP3, IMAP4,
and remote PowerShell. For details, see this blog post.
For example, instead of delivering messages that were classified as spam to the Junk
Email folder, you should quarantine those same messages if they're intended for priority
accounts.
You can implement this stringent approach for priority accounts by using the Strict
profile in preset security policies.
Preset security policies are a convenient and central location to apply our recommended
Strict policy settings for all of the protections in EOP and Defender for Office 365. For
more information, see Preset security policies in EOP and Microsoft Defender for Office
365.
For details about how the Strict policy settings differ from the default and Standard
policy settings, see Recommended settings for EOP and Microsoft Defender for Office
365 security.
Priority account is a built-in user tag (known as a system tag) that you can use to
identify incidents and alerts that involve priority accounts. For more information
about priority accounts, see Manage and monitor priority accounts.
You can also create custom tags to further identify and classify your priority accounts.
For more information, see User tags. You can manage priority accounts (system tags) in
the same interface as custom user tags.
Monitor priority accounts in alerts, reports, and
detections
After you secure and tag your priority users, you can use the available reports, alerts,
and investigations in EOP and Defender for Office 365 to quickly identify incidents or
detections that involve priority accounts. The features that support user tags are
described in the following table.
Alerts: The user tags of affected users are visible and available as filters on the Alerts page in the Microsoft 365 Defender portal. For more information, see Viewing alerts.
Explorer / Real-time detections: In Explorer (Defender for Office 365 Plan 2) or Real-time detections (Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see Tags in Explorer.
Campaign Views: User tags are one of many filterable properties in Campaign Views in Microsoft Defender for Office 365 Plan 2. For more information, see Campaign Views.
Threat protection status report: In virtually all of the views and detail tables in the Threat protection status report, you can filter the results by priority accounts. For more information, see Threat protection status report.
Email issues for priority accounts report: The Email issues for priority accounts report in the Exchange admin center (EAC) contains information about undelivered and delayed messages for priority accounts. For more information, see Email issues for priority accounts report.
Train users
Training users with priority accounts can help save those users and your security
operations team much time and frustration. Savvy users are less likely to open
attachments or click links in questionable email messages, and they are more likely to
avoid suspicious websites.
Microsoft 365 provides the following resources to help inform users in your
organization:
Microsoft 365 (Customizable learning pathways): These resources can help you put together training for users in your organization.
Microsoft 365 security (Learning module: Secure your organization with built-in, intelligent security from Microsoft 365): This module enables you to describe how Microsoft 365 security features work together and to articulate the benefits of these security features.
Multi-factor authentication (Two-step verification: What is the additional verification page?): This article helps end users understand what multi-factor authentication is and why it's being used at your organization.
Attack simulation training (Get started using Attack simulation training): Attack simulation training in Microsoft Defender for Office 365 Plan 2 allows admins to configure, launch, and track simulated phishing attacks against specific groups of users.
In addition, Microsoft recommends that users take the actions described in this article:
Protect your account and devices from hackers and malware. These actions include:
See also
Announcing Priority Account Protection in Microsoft Defender for Office 365
Anti-malware protection in EOP
Article • 12/22/2022 • 8 minutes to read
Viruses that infect other programs and data, and spread through your computer or
network looking for programs to infect.
Spyware that gathers your personal information, such as sign-in information and
personal data, and sends it back to its author.
Ransomware that encrypts your data and demands payment to decrypt it. Anti-
malware software doesn't help you decrypt encrypted files, but it can detect the
malware payload that's associated with the ransomware.
EOP offers multi-layered malware protection that's designed to catch all known malware
in Windows, Linux, and Mac that travels into or out of your organization. The following
options help provide anti-malware protection:
In EOP, messages that are found to contain malware in any attachments are
quarantined. Whether the recipients can view or otherwise interact with the quarantined
messages is controlled by quarantine policies. By default, messages that were
quarantined due to malware can only be viewed and released by admins. For more
information, see the following topics:
Quarantine policies
Manage quarantined messages and files as an admin in EOP.
For more information about anti-malware protection, see the Anti-malware protection
FAQ.
Anti-malware policies
Anti-malware policies control the settings and notification options for malware
detections. The important settings in anti-malware policies are:
Recipient filters: For custom anti-malware policies, you can specify recipient
conditions and exceptions that determine who the policy applies to. You can use
these properties for conditions and exceptions:
Users
Groups
Domains
You can only use a condition or exception once, but the condition or exception can
contain multiple values. Multiple values of the same condition or exception use OR
logic (for example, <recipient1> or <recipient2>). Different conditions or
exceptions use AND logic (for example, <recipient1> and <member of group 1>).
Important
Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.
Enable the common attachments filter: There are certain types of files that you
really shouldn't send via email (for example, executable files). Why bother scanning
these types of files for malware, when you should probably block them all,
anyway? That's where the common attachments filter comes in. The file types that
you specify are automatically treated as malware.
The default file types: ace, apk, app, appx, ani, arj, bat, cab, cmd, com, deb,
dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib,
library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg,
rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z.
Additional predefined file types that you can select from in the Microsoft 365
Defender portal*: 7z, 7zip, a, accdb, accde, action, ade, adp, appxbundle,
asf, asp, aspx, avi, bin, bundle, bz, bz2, bzip2, cab, caction, cer, chm,
command, cpl, crt, csh, css, der, dgz, dmg, doc, docx, dot, dotm, dtox,
dylib, font, gz, gzip, hlp, htm, html, imp, inf, ins, ipa, isp, its, jnlp,
js, jse, ksh, lqy, mad, maf, mag, mam, maq, mar, mas, mat, mav, maw, mda,
mdb, mde, mdt, mdw, mdz, mht, mhtml, mscompress, msh, msh1, msh1xml, msh2,
msh2xml, mshxml, msixbundle, o, obj, odp, ods, odt, one, onenote, ops,
package, pages, pbix, pdb, pdf, php, pkg, plugin, pps, ppsm, ppsx, ppt,
pptm, pptx, prf, prg, ps1, ps1xml, ps2, ps2xml, psc1, psc2, pst, pub, py,
rar, rpm, rtf, scpt, service, sh, shb, shtm, shx, so, tar, tarz, terminal,
tgz, tool, url, vhd, vsd, vsdm, vsdx, vsmacros, vss, vssx, vst, vstm, vstx,
vsw, workflow, ws, xhtml, xla, xlam, xls, xlsb, xlsm, xlsx, xlt, xltm,
xltx, zi, zip, zipx.
* You can enter any text value in the Defender portal or using the FileTypes
parameter in the New-MalwareFilterPolicy or Set-MalwareFilterPolicy cmdlets in
Exchange Online PowerShell.
The common attachments filter uses best effort true-typing to detect the file type
regardless of the filename extension. If true-typing fails or isn't supported for the
specified file type, then simple extension matching is used.
When these file types are found: When files are detected by the common
attachments filter, you can choose to Reject the message with a non-delivery
report (NDR) or Quarantine the message.
Zero-hour auto purge (ZAP) for malware: ZAP for malware quarantines messages
that are found to contain malware after they've been delivered to Exchange Online
mailboxes. By default, ZAP for malware is turned on, and we recommend that you
leave it on.
Quarantine policy: Select the quarantine policy that applies to messages that are
quarantined as malware. Quarantine policies define what users are able to do to
quarantined messages, and whether users receive quarantine notifications. By
default, recipients don't receive notifications for messages that were quarantined
as malware. For more information, see Quarantine policies.
Admin notifications: You can specify an additional recipient (an admin) to receive
notifications for malware detected in messages from internal or external senders.
You can customize the From address, subject, and message text for internal and
external notifications.
Note
Admin notifications are sent only for attachments that are classified as
malware.
Priority: If you create multiple custom anti-malware policies, you can specify the
order that they're applied. No two policies can have the same priority, and policy
processing stops after the first policy is applied.
For more information about the order of precedence and how multiple policies are
evaluated and applied, see Order and precedence of email protection.
The malware filter policy: Specifies the recipient notification, sender and admin
notification, ZAP, and the common attachments filter settings.
The malware filter rule: Specifies the priority and recipient filters (who the policy
applies to) for a malware filter policy.
The difference between these two elements isn't obvious when you manage anti-
malware policies in the Microsoft 365 Defender portal:
When you create an anti-malware policy, you're actually creating a malware filter
rule and the associated malware filter policy at the same time using the same
name for both.
When you modify an anti-malware policy, settings related to the name, priority,
enabled or disabled, and recipient filters modify the malware filter rule. Other
settings (recipient notification, sender and admin notification, ZAP, and the
common attachments filter) modify the associated malware filter policy.
When you remove an anti-malware policy, the malware filter rule and the
associated malware filter policy are removed.
In PowerShell, you create the malware filter policy first, then you create the
malware filter rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the malware filter policy and the malware
filter rule separately.
When you remove a malware filter policy from PowerShell, the corresponding
malware filter rule isn't automatically removed, and vice versa.
The policy is applied to all recipients in the organization, even though there's no
malware filter rule (recipient filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is
always applied last). Any custom anti-malware policies that you create always have
a higher priority than the policy named Default.
The policy is the default policy (the IsDefault property has the value True ), and
you can't delete the default policy.
Configure anti-malware policies in EOP
Article • 01/09/2023 • 18 minutes to read
Admins can view, edit, and configure (but not delete) the default anti-malware policy to
meet the needs of their organizations. For greater granularity, you can also create
custom anti-malware policies that apply to specific users, groups, or domains in your
organization. Custom policies always take precedence over the default policy, but you
can change the priority (running order) of your custom policies.
You can configure anti-malware policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes
in Exchange Online; standalone EOP PowerShell for organizations without Exchange
Online mailboxes).
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add, modify, and delete anti-malware policies, you need to be a member of
the Organization Management or Security Administrator role groups.
For read-only access to anti-malware policies, you need to be a member of the
Global Reader or Security Reader role groups.
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
For our recommended settings for anti-malware policies, see EOP anti-malware
policy settings.
3. The policy wizard opens. On the Name your policy page, configure these settings:
Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.
Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).
Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.
Important
Users: romain@contoso.com
Groups: Executives
Enable the common attachments filter: If you select this option, messages
with the specified attachments are treated as malware and are automatically
quarantined. You can modify the list by clicking Customize file types and
selecting or deselecting values in the list.
When these types are found: Select one of the following values:
Reject the message with a non-delivery report (NDR)
Quarantine the message (this is the default value)
Enable zero-hour auto purge for malware: If you select this option, ZAP
quarantines malware messages that have already been delivered. For more
information, see Zero-hour auto purge (ZAP) in Exchange Online.
Quarantine policy: Select the quarantine policy that applies to messages that
are quarantined as malware. Quarantine policies define what users are able to
do to quarantined messages, and whether users receive quarantine
notifications. For more information, see Quarantine policies.
Note
Admin notifications are sent only for attachments that are classified as
malware.
Use customized notification text: If you select this option, use the From
name and From address boxes to specify the sender's name and email
address for admin notification messages.
6. On the Review page, review your settings. You can select Edit in each section to
modify the settings within the section. Or you can click Back or select the specific
page in the wizard.
2. On the Anti-malware page, the following properties are displayed in the list of
anti-malware policies:
Name
Status
Priority
3. When you select a policy by clicking on the name, the policy settings are displayed
in a flyout.
2. On the Anti-malware page, select a policy from the list by clicking on the name.
3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the
previous Use the Microsoft 365 Defender portal to create anti-malware policies
section in this article.
For the default anti-malware policy, the Users, groups, and domains section isn't
available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy or set the policy priority order, see the following sections.
2. On the Anti-malware page, select a custom policy from the list by clicking on the
name.
3. At the top of the policy details flyout that appears, you'll see one of the following
values:
Back on the main policy page, the Status value of the policy will be On or Off.
To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.
Notes:
In the Microsoft 365 Defender portal, you can only change the priority of the anti-
malware policy after you create it. In PowerShell, you can override the default
priority when you create the malware filter rule (which can affect the priority of
existing rules).
Anti-malware policies are processed in the order that they're displayed (the first
policy has the Priority value 0). The default anti-malware policy has the priority
value Lowest, and you can't change it.
2. On the Anti-malware page, select a custom policy from the list by clicking on the
name.
3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:
The policy with the Priority value 0 has only the Decrease priority option
available.
The policy with the lowest Priority value (for example, 3) has only the
Increase priority option available.
If you have three or more policies, the policies between the highest and
lowest priority values have both the Increase priority and Decrease priority
options available.
2. On the Anti-malware page, select a custom policy from the list by clicking on the
name.
3. At the top of the policy details flyout that appears, click More actions >
Delete policy.
4. In the confirmation dialog that appears, click Yes.
Notes:
You can create a new malware filter rule and assign an existing, unassociated
malware filter policy to it. A malware filter rule can't be associated with more than
one malware filter policy.
There are two settings that you can configure on new anti-malware policies in
PowerShell that aren't available in the Microsoft 365 Defender portal until after you
create the policy:
Create the new policy as disabled (Enabled $false on the New-MalwareFilterRule cmdlet).
Set the priority of the policy during creation (Priority <Number> on the
New-MalwareFilterRule cmdlet).
A new malware filter policy that you create in PowerShell isn't visible in the
Microsoft 365 Defender portal until you assign the policy to a malware filter rule.
PowerShell
This example creates a new malware filter policy named Contoso Malware Filter Policy
with these settings:
PowerShell
PowerShell
This example creates a new malware filter rule named Contoso Recipients with these
settings:
The malware filter policy named Contoso Malware Filter Policy is associated with
the rule.
The rule applies to recipients in the contoso.com domain.
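The two-step policy-then-rule procedure above, as an added example that is not the article's own code: it creates the malware filter policy with the common attachments filter, ZAP, an admin-only quarantine policy and admin notifications, then the malware filter rule scoped to a domain with a group exception, created disabled and at priority 0. The admin address, group, domain and extra file types are placeholders; it assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example; not the article's own code. Creates the two objects behind a custom
# anti-malware policy in Exchange Online PowerShell: the malware filter policy (settings)
# and the malware filter rule (scope, priority, enabled state). Policy and rule names
# follow the article; the admin address, group, domain and extra file types are
# placeholders. Assumes Connect-ExchangeOnline has already been run.

$PolicyName = 'Contoso Malware Filter Policy'
$RuleName   = 'Contoso Recipients'
$AdminAddr  = 'secops@contoso.com'   # placeholder admin notification mailbox

# Step 1: the policy. FileTypes replaces the entire common attachments list, so start
# from the Default policy's current list and append, rather than passing only the extras.
$fileTypes = (Get-MalwareFilterPolicy -Identity Default).FileTypes + @('one', 'ps1', 'js')

$policyParams = @{
    Name                                   = $PolicyName
    EnableFileFilter                       = $true
    FileTypes                              = $fileTypes
    FileTypeAction                         = 'Quarantine'   # or 'Reject' to NDR the sender
    ZapEnabled                             = $true          # keep ZAP for malware on
    QuarantineTag                          = 'AdminOnlyAccessPolicy'  # built-in: admins only
    EnableInternalSenderAdminNotifications = $true
    InternalSenderAdminAddress             = $AdminAddr
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = $AdminAddr
    CustomNotifications                    = $true
    CustomFromName                         = 'Contoso Security'
    CustomFromAddress                      = $AdminAddr
}
New-MalwareFilterPolicy @policyParams | Out-Null

# Step 2: the rule. Conditions use AND logic across properties and OR within one
# property; exceptions work the same way. Created disabled so it can be reviewed first,
# and with the PowerShell-only Priority parameter so it is evaluated before other
# custom rules (rules currently at 0 and below in the list are renumbered +1).
$ruleParams = @{
    Name                   = $RuleName
    MalwareFilterPolicy    = $PolicyName
    RecipientDomainIs      = 'contoso.com'
    ExceptIfSentToMemberOf = 'Executives'   # placeholder group handled by another rule
    Priority               = 0
    Enabled                = $false
}
New-MalwareFilterRule @ruleParams | Out-Null

# Step 3: verify the policy settings and the rule order, then enable the rule.
Get-MalwareFilterPolicy -Identity $PolicyName |
    Format-List Name, IsDefault, EnableFileFilter, FileTypeAction, ZapEnabled, QuarantineTag, InternalSenderAdminAddress, ExternalSenderAdminAddress

Enable-MalwareFilterRule -Identity $RuleName

# Priority 0 is processed first; processing stops at the first matching rule, and the
# Default policy (no rule, priority Lowest) catches everything that matched nothing.
Get-MalwareFilterRule | Sort-Object Priority |
    Format-Table Name, Priority, State, MalwareFilterPolicy -AutoSize

# Re-ordering later: moving this rule to 2 renumbers rules currently at 2 and below (+1).
# Set-MalwareFilterRule -Identity $RuleName -Priority 2
```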
PowerShell
Get-MalwareFilterPolicy
To return detailed information about a specific malware filter policy, use this syntax:
PowerShell
This example returns all the property values for the malware filter policy named
Executives.
PowerShell
This example returns only the specified properties for the same policy.
PowerShell
PowerShell
Get-MalwareFilterRule
To filter the list by enabled or disabled rules, run the following commands:
PowerShell
PowerShell
To return detailed information about a specific malware filter rule, use this syntax:
PowerShell
This example returns all the property values for the malware filter rule named Executives.
PowerShell
This example returns only the specified properties for the same rule.
PowerShell
The MakeDefault switch that turns the specified policy into the default policy
(applied to everyone, unmodifiable Lowest priority, and you can't delete it) is only
available when you modify a malware filter policy in PowerShell.
You can't rename a malware filter policy (the Set-MalwareFilterPolicy cmdlet has
no Name parameter). When you rename an anti-malware policy in the Microsoft
365 Defender portal, you're only renaming the malware filter rule.
PowerShell
For detailed instructions to specify the quarantine policy to use in a malware filter
policy, see Use PowerShell to specify the quarantine policy in anti-malware
policies.
Otherwise, no additional settings are available when you modify a malware filter rule in
PowerShell. The same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create a malware filter rule section earlier in this article.
PowerShell
PowerShell
This example disables the malware filter rule named Marketing Department.
PowerShell
PowerShell
To set the priority of a malware filter rule in PowerShell, use the following syntax:
PowerShell
This example sets the priority of the rule named Marketing Department to 2. All existing
rules with a Priority number of 2 or greater are moved down one place (their priority
numbers are increased by 1).
PowerShell
Notes:
To set the priority of a new rule when you create it, use the Priority parameter on
the New-MalwareFilterRule cmdlet instead.
The default malware filter policy doesn't have a corresponding malware filter rule,
and it always has the unmodifiable priority value Lowest.
PowerShell
This example removes the malware filter policy named Marketing Department.
PowerShell
PowerShell
This example removes the malware filter rule named Marketing Department.
PowerShell
The EICAR.TXT file is not a virus. The European Institute for Computer Antivirus
Research (EICAR) developed this file to safely test anti-virus installations and
settings.
1. Open Notepad and paste the following text into an empty file:
Text
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Be sure that these are the only text characters in the file. The file size should be 68
bytes.
3. Send an email message that contains the EICAR.TXT file as an attachment, using an
email client that won't automatically block the file, and using an email service that
doesn't automatically block outbound spam. Use your anti-malware policy settings
to determine the following scenarios to test:
4. Verify that the message was quarantined, and verify the admin notification results
based on your anti-malware policy settings. For example, the admin email address
that you specified is notified for internal or external message senders, with the
default or customized notification messages.
5. Delete the EICAR.TXT file after your testing is complete (so other users aren't
unnecessarily alarmed by it).
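The test procedure above, as an added example that is not part of the article: writes the EICAR string as an exact 68-byte ASCII file (avoiding the BOM and trailing newline that editors add, which change the size), and after you have sent it as an attachment, lists the resulting entries in the malware quarantine. The output path and recipient address are placeholders; the quarantine check assumes an admin Connect-ExchangeOnline session.

```powershell
# Added example; not from the article. Writes the EICAR test string as an exact 68-byte
# ASCII file and, once you have emailed it, lists matching entries in the malware
# quarantine. Path and recipient address are placeholders. Local antivirus may quarantine
# the file the moment it is written; that is expected EICAR behavior.

function New-EicarTestFile {
    param([string]$Path = (Join-Path $env:TEMP 'EICAR.TXT'))

    # Single quotes keep PowerShell from expanding the two '$' in the string.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    # WriteAllBytes avoids the pitfalls of Set-Content/Out-File: no UTF-8 BOM, no UTF-16,
    # no trailing newline. Any of those changes the size and can defeat the signature.
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($eicar)
    [System.IO.File]::WriteAllBytes($Path, $bytes)

    $size = (Get-Item -LiteralPath $Path -ErrorAction Stop).Length
    if ($size -ne 68) { throw "Expected a 68-byte file, got $size bytes" }
    return $Path
}

function Test-EicarQuarantine {
    param(
        [Parameter(Mandatory)][string]$RecipientAddress,
        [int]$LookbackHours = 2
    )

    # Malware quarantine entries are admin-only by default, so run this as an admin
    # (with an existing Connect-ExchangeOnline session), not as the recipient.
    $since = (Get-Date).AddHours(-$LookbackHours)
    Get-QuarantineMessage -QuarantineTypes Malware -RecipientAddress $RecipientAddress `
        -StartReceivedDate $since |
        Select-Object ReceivedTime, SenderAddress, Subject, Type, ReleaseStatus |
        Format-Table -AutoSize
}

$file = New-EicarTestFile
Write-Host "EICAR test file written to $file (68 bytes)."
Write-Host "Attach it to a message sent to a mailbox covered by the policy, then run:"
Write-Host "  Test-EicarQuarantine -RecipientAddress user@contoso.com   # placeholder"
```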
Built-in virus protection in SharePoint
Online, OneDrive, and Microsoft Teams
Article • 12/10/2022 • 3 minutes to read
Microsoft 365 uses a common virus detection engine for scanning files that users
upload to SharePoint Online, OneDrive, and Microsoft Teams. This protection is included
with all subscriptions that include SharePoint Online, OneDrive, and Microsoft Teams.
Important
The built-in anti-virus capabilities are a way to help contain viruses. They aren't
intended as a single point of defense against malware for your environment. We
encourage all customers to investigate and implement anti-malware protection at
various layers and apply best practices for securing their enterprise infrastructure.
1. In a web browser, a user tries to download a file from SharePoint Online that
happens to be infected.
2. The user is shown a warning that a virus has been detected in the file. The user is
given the option to proceed with the download and attempt to clean it using anti-
virus software on their device.
To change this behavior so users can't download infected files, even from the anti-virus
warning window, admins can use the DisallowInfectedFileDownload parameter on the
Set-SPOTenant cmdlet in SharePoint Online PowerShell. The value $true for the
DisallowInfectedFileDownload parameter completely blocks access to detected/blocked
files for users.
For instructions, see Use SharePoint Online PowerShell to prevent users from
downloading malicious files.
For more information about the infected file, admins can use the Get-SPOMalwareFile
cmdlet to see the type of malware that was detected and the status of the infection.
What happens when the OneDrive sync client
tries to sync an infected file?
When a malicious file is uploaded to OneDrive, it will be synced to the local machine
before it's marked as malware. After it's marked as malware, the user can't open the
synced file anymore from their local machine.
Related articles
Malware and ransomware protection in Microsoft 365
For more information about anti-virus in SharePoint Online, OneDrive, and Microsoft
Teams, see Protect against threats and Turn on Safe Attachments for SharePoint,
OneDrive, and Microsoft Teams.
Anti-malware protection FAQ
FAQ
This article provides frequently asked questions and answers about anti-malware
protection for Microsoft 365 organizations with mailboxes in Exchange Online, or
standalone Exchange Online Protection (EOP) organizations without Exchange Online
mailboxes.
For questions and answers about the quarantine, see Quarantine FAQ.
For questions and answers about anti-spam protection, see Anti-spam protection FAQ.
For questions and answers about anti-spoofing protection, see Anti-spoofing protection
FAQ.
A standalone EOP subscription scans messages as they enter or leave your on-premises
email organization. Messages sent between internal users aren't scanned for malware.
However, you can use the built-in anti-malware scanning features of Exchange Server.
For more information, see Anti-malware protection in Exchange Server.
Do all anti-malware engines used by the
service have heuristic scanning enabled?
Yes. Heuristic scanning scans for both known (signature match) and unknown
(suspicious) malware.
After a zero-day virus sample is captured and analyzed by our anti-malware engines, a
definition and unique signature is created to detect the malware.
When a definition or signature exists for the malware, it's no longer considered zero-
day.
You can also create an Exchange mail flow rule (also known as a transport rule) that
blocks any email attachment that has executable content.
Follow the steps in How to reduce malware threats through file attachment blocking in
Exchange Online Protection to block the file types listed in Supported file types for
mail flow rule content inspection in Exchange Online.
For increased protection, we also recommend using the Any attachment file extension
includes these words condition in mail flow rules to block some or all of the following
extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf,
ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr,
sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh.
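The two mail flow rules described above, as an added example that is not part of the FAQ: one on executable content (true type, so a renamed executable is still caught) and one on the extension list, both created in audit mode so matches can be reviewed before the reject action is enforced. Rule names, the reject text and the exception group are placeholders; it assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example; not from the FAQ. Two mail flow (transport) rules for executable
# attachments, deployed in audit mode first and enforced afterwards. The extension list
# is the one from the FAQ; rule names, the reject text and the exception group are
# placeholders. Assumes an existing Connect-ExchangeOnline session.

$riskyExtensions = @(
    'ade','adp','ani','bas','bat','chm','cmd','com','cpl','crt','hlp','ht','hta','inf',
    'ins','isp','job','js','jse','lnk','mda','mdb','mde','mdz','msc','msi','msp','mst',
    'pcd','reg','scr','sct','shs','url','vb','vbe','vbs','wsc','wsf','wsh'
)
$rejectText = 'Blocked: executable attachments are not accepted. Share the file through OneDrive instead.'

# Rule 1: inspects attachment content (true type), so a renamed .exe is still caught.
$execRule = @{
    Name                            = 'Block executable attachment content'
    AttachmentHasExecutableContent  = $true
    RejectMessageReasonText         = $rejectText
    RejectMessageEnhancedStatusCode = '5.7.1'
    Mode                            = 'Audit'      # log matches only; no reject yet
    Priority                        = 0
}
New-TransportRule @execRule | Out-Null

# Rule 2: extension match as a backstop for script and shortcut types that are not
# executables in the true-type sense (.js, .vbs, .lnk, .url, ...).
$extRule = @{
    Name                            = 'Block risky attachment extensions'
    AttachmentExtensionMatchesWords = $riskyExtensions
    ExceptIfSentToMemberOf          = 'attachment-exceptions@contoso.com'  # placeholder
    RejectMessageReasonText         = $rejectText
    RejectMessageEnhancedStatusCode = '5.7.1'
    Mode                            = 'Audit'
    Priority                        = 1
}
New-TransportRule @extRule | Out-Null

# Review what the rules would have rejected (mail flow reports / message trace in the
# portal) for a few days, then switch both rules to Enforce.
Get-TransportRule | Sort-Object Priority | Format-Table Name, State, Mode, Priority -AutoSize
# Set-TransportRule -Identity 'Block executable attachment content' -Mode Enforce
# Set-TransportRule -Identity 'Block risky attachment extensions' -Mode Enforce
```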
We often work with our legal and digital crime units to take the following actions:
Anti-malware protection
Anti-spam protection in EOP
Article • 12/22/2022 • 8 minutes to read
Note
This topic is intended for admins. For end-user topics, see Overview of the Junk
Email Filter and Learn about junk email and phishing.
As email use has grown, so has email abuse. Unmonitored junk email can clog inboxes
and networks, impact user satisfaction, and hamper the effectiveness of legitimate email
communications. That's why Microsoft continues to invest in anti-spam technologies.
Simply put, it starts by containing and filtering junk email.
Tip
The following anti-spam technologies are useful when you want to allow or block
messages based on the message envelope (for example, the sender's domain or
the source IP address of the message). To allow or block messages based on
payload (for example, URLs in the message or attached files), use the Tenant
Allow/Block List portal.
Connection filtering: Identifies good and bad email source servers early in the
inbound email connection via the IP Allow List, IP Block List, and the safe list (a
dynamic but non-editable list of trusted senders maintained by Microsoft). You
configure these settings in the connection filter policy. Learn more at Configure
connection filtering.
Spam filtering (content filtering): EOP uses the spam filtering verdicts Spam, High
confidence spam, Bulk email, Phishing email and High confidence phishing email
to classify messages. You can configure the actions to take based on these verdicts,
and you can configure what users are allowed to do to quarantined messages and
whether users receive quarantine notifications by using quarantine policies. For
more information, see Configure anti-spam policies in Microsoft 365.
Note
Outbound spam filtering: EOP also checks to make sure that your users don't send
spam, either in outbound message content or by exceeding outbound message
limits. For more information, see Configure outbound spam filtering in Microsoft
365.
Examine the anti-spam message headers: These values will tell you why a
message was marked as spam, or why it skipped spam filtering. For more
information, see Anti-spam message headers.
Point your MX record to Microsoft 365: In order for EOP to provide the best
protection, we always recommend that you have email delivered to Microsoft 365
first. For instructions, see Create DNS records at any DNS hosting provider for
Microsoft 365.
If the MX record points to some other location (for example, a third-party anti-
spam solution or appliance), it's difficult for EOP to provide accurate spam filtering.
In this scenario, you need to configure Enhanced Filtering for connectors (also
known as skip listing). For instructions, see Enhanced Filtering for Connectors in
Exchange Online.
Use email authentication: If you own an email domain, you can use DNS to help
ensure that messages from senders in that domain are legitimate. To help prevent
spam and unwanted spoofing in EOP, use all of the following email authentication
methods:
SPF: Sender Policy Framework verifies the source IP address of the message
against the owner of the sending domain. For a quick introduction to SPF and
to get it configured quickly, see Set up SPF to help prevent spoofing. For a more
in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting
or non-standard deployments such as hybrid deployments, start with How
Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing.
DKIM: DomainKeys Identified Mail adds a digital signature to the message
header of messages sent from your domain. For information, see Use DKIM to
validate outbound email sent from your custom domain in Microsoft 365.
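A quick DNS sanity check for the SPF and DKIM records the two bullets above describe, as an added example that is not part of the Microsoft article. It uses Resolve-DnsName from the Windows DnsClient module and needs network access; contoso.com is a placeholder domain, and the selector names selector1 and selector2 are the DKIM selectors Microsoft 365 publishes for a custom domain. The SPF checks (a single record, routed through spf.protection.outlook.com, a -all or ~all terminator, and the 10-lookup limit counted at one level only) are the ones a practitioner normally verifies before relying on SPF in EOP.

```powershell
# Added example (not from the Microsoft article): verify a domain's SPF TXT record and the
# selector1/selector2 DKIM CNAMEs used by Microsoft 365. Requires Resolve-DnsName (Windows).

function Test-M365EmailAuthDns {
    param([Parameter(Mandatory)] [string] $Domain)

    # --- SPF: exactly one v=spf1 TXT record, routed through EOP, with a non-permissive "all" ---
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf = @($txt | ForEach-Object { -join $_.Strings } | Where-Object { $_ -match '^v=spf1\b' })

    $spfFindings = [System.Collections.Generic.List[string]]::new()
    if ($spf.Count -eq 0) { $spfFindings.Add('no SPF record') }
    if ($spf.Count -gt 1) { $spfFindings.Add("$($spf.Count) SPF records (receivers treat this as a permanent error)") }
    if ($spf.Count -ge 1) {
        $record = $spf[0]
        if ($record -notmatch 'include:spf\.protection\.outlook\.com') { $spfFindings.Add('does not include spf.protection.outlook.com') }
        if ($record -match '\+all\b')         { $spfFindings.Add('+all allows any sender to pass SPF') }
        elseif ($record -notmatch '[-~]all\b') { $spfFindings.Add('no -all or ~all terminator') }
        # Mechanisms that cost a DNS lookup; the limit is 10 (counted here at one level only, so a lower bound).
        $lookups = ([regex]::Matches($record, '(?i)\b(include:|a\b|mx\b|ptr\b|exists:|redirect=)')).Count
        if ($lookups -gt 10) { $spfFindings.Add("$lookups lookup mechanisms, over the limit of 10") }
    }

    # --- DKIM: both selector CNAMEs must resolve to the tenant's onmicrosoft.com names ---
    $dkim = foreach ($selector in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Selector = $selector
            Target   = $cname.NameHost
            Ok       = [bool]($cname.NameHost -like '*.onmicrosoft.com')
        }
    }

    [pscustomobject]@{
        Domain      = $Domain
        SpfRecord   = ($spf -join ' | ')
        SpfOk       = ($spfFindings.Count -eq 0)
        SpfFindings = $spfFindings
        Dkim        = $dkim
        DkimOk      = -not ($dkim.Ok -contains $false)
    }
}

$result = Test-M365EmailAuthDns -Domain 'contoso.com'
$result | Format-List Domain, SpfRecord, SpfOk, SpfFindings, DkimOk
$result.Dkim | Format-Table Selector, Target, Ok -AutoSize
```

If DkimOk is false for a domain that does sign, compare the CNAME targets with the output of Get-DkimSigningConfig in Exchange Online PowerShell; a selector that resolves but points at the wrong tenant name fails DKIM just as surely as a missing one.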
Verify your bulk email settings: The bulk complaint level (BCL) threshold that you
configure in anti-spam policies determines whether bulk email (also known as gray
mail) is marked as spam. The PowerShell-only setting MarkAsSpamBulkMail that's
on by default also contributes to the results. For more information, see Configure
anti-spam policies in Microsoft 365.
Use the available blocked sender lists: For information, see Create blocked sender
lists.
Unsubscribe from bulk email: If the message was something that the user signed
up for (newsletters, product announcements, etc.) and contains an unsubscribe link
from a reputable source, consider asking them to simply unsubscribe.
Standalone EOP: create mail flow rules in on-premises Exchange for EOP spam
filtering verdicts: In hybrid environments where EOP protects on-premises
Exchange mailboxes, you need to configure mail flow rules (also known as
transport rules) in on-premises Exchange. These mail flow rules translate the EOP
spam filtering verdict so the junk email rule in the mailbox can move the message
to the Junk Email folder. For details, see Configure EOP to deliver spam to the Junk
Email folder in hybrid environments.
Verify the Outlook 'Safe Lists Only' setting is disabled: When this setting is
enabled, only messages from senders in the user's Safe Senders list or Safe
Recipients list are delivered to the Inbox; email from everyone else is
automatically moved to the Junk Email folder.
For more information about these settings, see Configure junk email settings on
Exchange Online mailboxes in Microsoft 365.
Use the available safe sender lists: For information, see Create safe sender lists.
Verify users are within the sending and receiving limits as described in Receiving
and sending limits in the Exchange Online service description.
Standalone EOP: use directory synchronization: If you use standalone EOP to help
protect your on-premises Exchange organization, you should sync user settings
with the service by using directory synchronization. Doing this ensures that your
users' Safe Senders lists are respected by EOP. For more information, see Use
directory synchronization to manage mail users.
Anti-spam legislation
At Microsoft, we believe that the development of new technologies and self-regulation
requires the support of effective government policy and legal frameworks. The
worldwide spam proliferation has spurred numerous legislative bodies to regulate
commercial email. Many countries now have spam-fighting laws in place. The United
States has both federal and state laws governing spam, and this complementary
approach is helping to curtail spam while enabling legitimate e-commerce to prosper.
The CAN-SPAM Act expands the tools available for curbing fraudulent and deceptive
email messages.
Configure anti-spam policies in EOP
Article • 12/21/2022 • 29 minutes to read
Admins can view, edit, and configure (but not delete) the default anti-spam policy. For
greater granularity, you can also create custom anti-spam policies that apply to specific
users, groups, or domains in your organization. Custom policies always take precedence
over the default policy, but you can change the priority (running order) of your custom
policies.
You can configure anti-spam policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes
in Exchange Online; standalone EOP PowerShell for organizations without Exchange
Online mailboxes).
The spam filter policy: Specifies the actions for spam filtering verdicts and the
notification options.
The spam filter rule: Specifies the priority and recipient filters (who the policy
applies to) for a spam filter policy.
The difference between these two elements isn't obvious when you manage anti-spam
polices in the Microsoft 365 Defender portal:
When you create an anti-spam policy, you're actually creating a spam filter rule
and the associated spam filter policy at the same time using the same name for
both.
When you modify an anti-spam policy, settings related to the name, priority,
enabled or disabled, and recipient filters modify the spam filter rule. All other
settings modify the associated spam filter policy.
When you remove an anti-spam policy, the spam filter rule and the associated
spam filter policy are removed.
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy
and the rule separately. For more information, see the Use Exchange Online PowerShell
or standalone EOP PowerShell to configure anti-spam policies section later in this article.
Every organization has a built-in anti-spam policy named Default that has these
properties:
The policy is applied to all recipients in the organization, even though there's no
spam filter rule (recipient filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is
always applied last). Any custom policies that you create always have a higher
priority.
The policy is the default policy (the IsDefault property has the value True ), and
you can't delete the default policy.
To increase the effectiveness of spam filtering, you can create custom anti-spam policies
with stricter settings that are applied to specific users or groups of users.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add, modify, and delete anti-spam policies, you need to be a member of the
Organization Management or Security Administrator role groups.
For read-only access to anti-spam policies, you need to be a member of the
Global Reader or Security Reader role groups.
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
For our recommended settings for anti-spam policies, see EOP anti-spam policy
settings.
You can't completely turn off spam filtering, but you can use a mail flow rule (also
known as a transport rule) to bypass most spam filtering on incoming message (for
example, if you route email through a third-party protection service or device
before delivery to Microsoft 365). For more information, see Use mail flow rules to
set the spam confidence level (SCL) in messages.
High confidence phishing messages are still filtered. Other features in EOP are
not affected (for example, messages are always scanned for malware).
If you need to bypass spam filtering for SecOps mailboxes or phishing
simulations, don't use mail flow rules. For more information, see Configure the
delivery of third-party phishing simulations to users and unfiltered messages to
SecOps mailboxes.
2. On the Anti-spam policies page, click Create policy and then select Inbound
from the drop down list.
3. The policy wizard opens. On the Name your policy page, configure these settings:
4. On the Users, groups, and domains page that appears, identify the internal
recipients that the policy applies to (recipient conditions):
Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.
Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).
Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.
) Important
Different types of conditions are combined with AND, so the policy applies only to
recipients that match all of them. For example, suppose you configure these
recipient conditions:
Users: romain@contoso.com
Groups: Executives
The policy is applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy is not
applied to him.
Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.
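The matching rules for recipient conditions and exceptions, written out as an added example that is not part of the Microsoft article: values inside one condition type are ORed, different condition types are ANDed, and an exception is evaluated the same way before it removes a recipient from scope. The recipients, group and domain are constructed; the functions model the behaviour the article describes rather than calling Exchange Online.

```powershell
# Added example (not from the Microsoft article): how a spam filter rule's recipient
# conditions and exceptions combine. Recipient data below is constructed.

function Test-RecipientFilter {
    param(
        [Parameter(Mandatory)] [hashtable] $Filter,      # any of: Users, Groups, Domains
        [Parameter(Mandatory)] [hashtable] $Recipient    # Email, Groups
    )
    $domain = ($Recipient.Email -split '@')[1]
    $checks = @()
    # Each configured condition type must match; inside one type, any listed value matches (OR).
    if ($Filter.Users)   { $checks += [bool]($Recipient.Email -in $Filter.Users) }
    if ($Filter.Groups)  { $checks += [bool]($Recipient.Groups | Where-Object { $_ -in $Filter.Groups }) }
    if ($Filter.Domains) { $checks += [bool]($domain -in $Filter.Domains) }
    if ($checks.Count -eq 0) { return $false }           # an empty filter matches no one
    return -not ($checks -contains $false)               # AND across condition types
}

function Test-PolicyApplies {
    param(
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [hashtable] $Exceptions = @{},
        [Parameter(Mandatory)] [hashtable] $Recipient
    )
    $included = Test-RecipientFilter -Filter $Conditions -Recipient $Recipient
    # An exception removes the recipient only when *all* of its condition types match too.
    $excluded = ($Exceptions.Count -gt 0) -and (Test-RecipientFilter -Filter $Exceptions -Recipient $Recipient)
    return $included -and -not $excluded
}

# The article's example: Users = romain@contoso.com AND Groups = Executives.
$conditions    = @{ Users = @('romain@contoso.com'); Groups = @('Executives') }
$romainExec    = @{ Email = 'romain@contoso.com'; Groups = @('Executives', 'Sales') }
$romainNotExec = @{ Email = 'romain@contoso.com'; Groups = @('Sales') }

Test-PolicyApplies -Conditions $conditions -Recipient $romainExec      # user listed and in Executives
Test-PolicyApplies -Conditions $conditions -Recipient $romainNotExec   # user listed but group condition fails

# The same filter as an exception on a domain-wide policy: Romain is excluded only while he is
# also in Executives; otherwise the domain-wide policy still applies to him.
$domainWide = @{ Domains = @('contoso.com') }
Test-PolicyApplies -Conditions $domainWide -Exceptions $conditions -Recipient $romainExec
Test-PolicyApplies -Conditions $domainWide -Exceptions $conditions -Recipient $romainNotExec
```

When a policy seems not to apply to someone, check which condition type is failing rather than adding the user to a second, broader condition: a second value in the same type widens the match, a value in a different type narrows it.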
5. On the Bulk email threshold & spam properties page that appears, configure the
following settings:
Bulk email threshold: Specifies the bulk complaint level (BCL) of a message
that triggers the specified action for the Bulk spam filtering verdict that you
configure on the next page. A higher value indicates the message is less
desirable (more likely to resemble spam). The default value is 7. For more
information, see Bulk complaint level (BCL) in EOP and What's the difference
between junk email and bulk email?.
Increase spam score, Mark as spam* and Test mode: Advanced Spam Filter
(ASF) settings that are turned off by default.
For details about these settings, see Advanced Spam Filter settings in EOP.
* The Contains specific languages and From these countries settings are not
part of ASF.
Contains specific languages: Click the box and select On or Off from the
drop down list. If you turn it on, a box appears. Start typing the name of a
language in the box. A filtered list of supported languages will appear. When
you find the language that you're looking for, select it. Repeat this step as
many times as necessary. To remove an existing value, click remove next to
the value.
From these countries*: Click the box and select On or Off from the drop
down list. If you turn it on, a box appears. Start typing the name of a country
in the box. A filtered list of supported countries will appear. When you find
the country that you're looking for, select it. Repeat this step as many times
as necessary. To remove an existing value, click remove next to the value.
The available actions for spam filtering verdicts are described in the following
table.
A check mark ( ✔ ) indicates the action is available (not all actions are
available for all verdicts).
An asterisk ( * ) after the check mark indicates the default action for the
spam filtering verdict.
Verdict columns: Spam, High confidence spam, Phishing, High confidence phishing (4),
Bulk.
Action rows: Move message to Junk Email folder (1), Add X-header (2), Prepend
subject line with text, Redirect message to email address, Quarantine message (3),
No action ✔.
1. EOP now uses its own mail flow delivery agent to route messages to the
Junk Email folder instead of using the junk email rule in the mailbox. The
Enabled parameter on the Set-MailboxJunkEmailConfiguration cmdlet
no longer has any effect on mail flow. For more information, see
Configure junk email settings on Exchange Online mailboxes.
2. You can use this value as a condition in mail flow rules to filter or route
the message.
3. A blank Select a policy value means the default quarantine policy for
that particular verdict is used. When you later edit the anti-spam policy or
view the settings, the default quarantine policy name is shown. For more
information about default quarantine policies that are used for the spam
filter verdicts, see this table.
4. For High confidence phishing, the action Move message to Junk Email
folder has effectively been deprecated. Although you might be able to
select Move message to Junk Email folder, high confidence phishing
messages are always quarantined (equivalent to selecting Quarantine
message).
Users can't release their own messages that were quarantined as high
confidence phishing. At best, admins can configure the quarantine policy
so users can request the release of their quarantined high confidence
phishing messages.
Retain spam in quarantine for this many days: Specifies how long to keep
the message in quarantine if you selected Quarantine message as the action
for a spam filtering verdict. After the time period expires, the message is
deleted, and is not recoverable. A valid value is from 1 to 30 days.
7 Note
The default value is 15 days in the default anti-spam policy and in new
anti-spam policies that you create in PowerShell. The default value is 30
days in new anti-spam policies that you create in the Microsoft 365
Defender portal.
This setting also controls how long messages that were quarantined by
anti-phishing policies are retained. For more information, see
Quarantined messages in EOP and Defender for Office 365.
Add this X-header text: This box is required and available only if you selected
Add X-header as the action for a spam filtering verdict. The value you specify
is the header field name that's added to the message header. The header
field value is always This message appears to be spam .
The maximum length is 255 characters, and the value can't contain spaces or
colons (:).
If you enter a value that contains spaces or colons (:), the value you enter is
ignored, and the default X-header is added to the message ( X-This-Is-Spam:
This message appears to be spam. ).
Prepend subject line with this text: This box is required and available only if
you selected Prepend subject line with text as the action for a spam filtering
verdict. Enter the text to add to the beginning of the message's subject line.
Redirect to this email address: This box is required and available only if you
selected the Redirect message to email address as the action for a spam
filtering verdict. Enter the email address where you want to deliver the
message. You can enter multiple values separated by semicolons (;).
Enable safety Tips: By default, Safety Tips are enabled, but you can disable
them by clearing the checkbox.
Enable zero-hour auto purge (ZAP): ZAP detects and takes action on
messages that have already been delivered to Exchange Online mailboxes.
For more information, see Zero-hour auto purge - protection against spam
and malware.
ZAP is turned on by default. When ZAP is turned on, the following settings
are available:
Enable ZAP for phishing messages: By default, ZAP is enabled for
phishing detections, but you can disable it by clearing the checkbox.
Enable ZAP for spam messages: By default, ZAP is enabled for spam
detections, but you can disable it by clearing the checkbox.
7. On the Allow & block list flyout that appears, you are able to configure message
senders by email address or email domain that are allowed to skip spam filtering.
In the Allowed section, you can configure allowed senders and allowed domains.
In the Blocked section, you can add blocked senders and blocked domains.
) Important
Think very carefully before you add domains to the allowed domains list. For
more information, see Create safe sender lists in EOP
There will be times when our filters miss a message, you don't agree with
the filtering verdict, or it takes time for our systems to catch up. In these
cases, the allow list and block list are available to override the current filtering
verdicts. But you should use these lists sparingly and temporarily: long lists
become unmanageable, and the filtering stack should be doing the work it's
supposed to do. If you're going to keep an allowed domain for an
extended period of time, tell the sender to verify that their domain is
authenticated (SPF and DKIM) and that its DMARC policy is set to reject.
The steps to add entries to any of the lists are the same:
a. Click the link for the list that you want to configure:
Back on the main flyout, the senders or domains that you added are listed on
the page. To remove an entry from this page, do the following steps:
i. Select one or more entries from the list. You can also use the Search box to
find values in the list.
ii. After you select at least one entry, the delete icon appears.
iii. Click the delete icon to remove the selected entries.
Back on the Allow & block list page, click Next when you're ready to continue.
8. On the Review page that appears, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.
2. On the Anti-spam policies page, look for one of the following values:
Name
Status
Priority
Type
3. When you select an anti-spam policy by clicking on the name, the policy settings
are displayed in a flyout.
Use the Microsoft 365 Defender portal to
modify anti-spam policies
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-spam in the
Policies section. To go directly to the Anti-spam policies page, use
https://security.microsoft.com/antispam .
2. On the Anti-spam policies page, select an anti-spam policy from the list by
clicking on the name:
A custom policy that you created where the value in the Type column is
Custom anti-spam policy.
The default policy named Anti-spam inbound policy (Default).
3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the
previous Use the Microsoft 365 Defender portal to create anti-spam policies
section in this article.
For the default anti-spam policy, the Applied to section isn't available (the policy
applies to everyone), and you can't rename the policy.
To enable or disable a policy or set the policy priority order, see the following sections.
2. On the Anti-spam policies page, select a policy with the Type value of Custom
anti-spam policy from the list by clicking on the name.
3. At the top of the policy details flyout that appears, you'll see one of the following
values:
Back on the main policy page, the Status value of the policy will be On or Off.
To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.
Notes:
In the Microsoft 365 Defender portal, you can only change the priority of the anti-
spam policy after you create it. In PowerShell, you can override the default priority
when you create the spam filter rule (which can affect the priority of existing rules).
Anti-spam policies are processed in the order that they're displayed (the first policy
has the Priority value 0). The default anti-spam policy has the priority value
Lowest, and you can't change it.
2. On the Anti-spam policies page, select a policy with the Type value of
Custom anti-spam policy from the list by clicking on the name.
3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:
The anti-spam policy with the Priority value 0 has only the Decrease priority
option available.
The anti-spam policy with the lowest Priority value (for example, 3) has only
the Increase priority option available.
If you have three or more anti-spam policies, the policies between the
highest and lowest priority values have both the Increase priority and
Decrease priority options available.
2. On the Anti-spam policies page, select a policy with the Type value of Custom
anti-spam policy from the list by clicking on the name. At the top of the policy
details flyout that appears, click More actions > Delete policy.
In PowerShell, you create the spam filter policy first, then you create the spam filter
rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the spam filter policy and the spam filter
rule separately.
When you remove a spam filter policy from PowerShell, the corresponding spam
filter rule isn't automatically removed, and vice versa.
Notes:
You can create a new spam filter rule and assign an existing, unassociated spam
filter policy to it. A spam filter rule can't be associated with more than one spam
filter policy.
You can configure the following settings on new spam filter policies in PowerShell
that aren't available in the Microsoft 365 Defender portal until after you create the
policy:
Create the new policy as disabled (Enabled $false on the New-
HostedContentFilterRule cmdlet).
Set the priority of the policy during creation (Priority <Number>) on the New-
HostedContentFilterRule cmdlet).
A new spam filter policy that you create in PowerShell isn't visible in the Microsoft
365 Defender portal until you assign the policy to a spam filter rule.
This example creates a spam filter policy named Contoso Executives with the following
settings:
Quarantine messages when the spam filtering verdict is spam or high confidence
spam, and use the default quarantine policy for the quarantined messages (we
aren't using the SpamQuarantineTag or HighConfidenceSpamQuarantineTag
parameters).
BCL 7, 8, or 9 triggers the action for a bulk email spam filtering verdict.
7 Note
For detailed instructions to specify the quarantine policy to use in a spam filter
policy, see Use PowerShell to specify the quarantine policy in anti-spam policies.
This example creates a new spam filter rule named Contoso Executives with these
settings:
The spam filter policy named Contoso Executives is associated with the rule.
The rule applies to members of the group named Contoso Executives Group.
PowerShell
New-HostedContentFilterRule -Name "Contoso Executives" -HostedContentFilterPolicy "Contoso Executives" -SentToMemberOf "Contoso Executives Group"
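Step 1 and Step 2 as one script, followed by the checks a practitioner runs before the rule goes live, as an added example that is not the article's own listing. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) and a group named "Contoso Executives Group"; creating the rule disabled and enabling it after review is this example's choice, not something the article prescribes.

```powershell
# Added example (not from the Microsoft article): create the "Contoso Executives" spam filter
# policy and rule from PowerShell, verify both, then enable the rule.

$policyName = 'Contoso Executives'

# Step 1: the policy holds the verdict actions. Quarantine spam and high confidence spam with
# the default quarantine policies (no SpamQuarantineTag / HighConfidenceSpamQuarantineTag),
# and let BCL 7, 8 or 9 trigger the Bulk verdict action.
New-HostedContentFilterPolicy -Name $policyName `
    -SpamAction Quarantine `
    -HighConfidenceSpamAction Quarantine `
    -BulkThreshold 7

# Step 2: the rule binds the policy to recipients. Created disabled so the scope can be reviewed
# first; the policy only becomes visible in the portal once a rule references it.
New-HostedContentFilterRule -Name $policyName `
    -HostedContentFilterPolicy $policyName `
    -SentToMemberOf 'Contoso Executives Group' `
    -Enabled $false

# Verify the policy actions and the rule's scope, state and priority.
Get-HostedContentFilterPolicy -Identity $policyName |
    Format-List Name, SpamAction, HighConfidenceSpamAction, BulkThreshold, BulkSpamAction, QuarantineRetentionPeriod
Get-HostedContentFilterRule -Identity $policyName |
    Format-List Name, HostedContentFilterPolicy, SentToMemberOf, State, Priority

# Enable only once the recipient scope is what you expect.
Enable-HostedContentFilterRule -Identity $policyName
```

Note that QuarantineRetentionPeriod comes back as 15 for a policy created this way, not the 30 that a policy created in the portal gets; set it explicitly if the two must match.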
PowerShell
Get-HostedContentFilterPolicy
To return detailed information about a specific spam filter policy, use this syntax:
This example returns all the property values for the spam filter policy named Executives.
To return a summary list of all spam filter rules, run this command:
PowerShell
Get-HostedContentFilterRule
To filter the list by enabled or disabled rules, run the following commands:
To return detailed information about a specific spam filter rule, use this syntax:
This example returns all the property values for the spam filter rule named Contoso
Executives.
The MakeDefault switch that turns the specified policy into the default policy
(applied to everyone, always Lowest priority, and you can't delete it) is only
available when you modify a spam filter policy in PowerShell.
You can't rename a spam filter policy (the Set-HostedContentFilterPolicy cmdlet
has no Name parameter). When you rename an anti-spam policy in the Microsoft
365 Defender portal, you're only renaming the spam filter rule.
7 Note
For detailed instructions to specify the quarantine policy to use in a spam filter
policy, see Use PowerShell to specify the quarantine policy in anti-spam policies.
Otherwise, no additional settings are available when you modify a spam filter rule in
PowerShell. The same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create a spam filter rule section earlier in this article.
This example renames the existing spam filter rule named {Fabrikam Spam Filter} .
PowerShell
<Enable-HostedContentFilterRule | Disable-HostedContentFilterRule> -Identity "<RuleName>"
This example disables the spam filter rule named Marketing Department.
To set the priority of a spam filter rule in PowerShell, use the following syntax:
This example sets the priority of the rule named Marketing Department to 2. All existing
rules that currently have priority number 2 or greater move down one place (their priority
numbers are increased by 1).
Notes:
To set the priority of a new rule when you create it, use the Priority parameter on
the New-HostedContentFilterRule cmdlet instead.
The default spam filter policy doesn't have a corresponding spam filter rule, and it
always has the unmodifiable priority value Lowest.
This example removes the spam filter policy named Marketing Department.
This example removes the spam filter rule named Marketing Department.
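The modify, enable/disable, priority and remove operations from the sections above, run in sequence as an added example that is not the article's own listing. It assumes an Exchange Online PowerShell session and an existing rule and policy both named "Marketing Department"; the specific actions and retention period chosen are placeholders.

```powershell
# Added example (not from the Microsoft article): change, reprioritize, rename and finally
# remove the "Marketing Department" spam filter rule and policy.

$name = 'Marketing Department'

# Policy: verdict actions and retention live here. Send spam to Junk Email, quarantine bulk
# mail, keep quarantined mail for 20 days. The policy itself cannot be renamed.
Set-HostedContentFilterPolicy -Identity $name `
    -SpamAction MoveToJmf `
    -BulkSpamAction Quarantine `
    -QuarantineRetentionPeriod 20

# Rule: scope, state and priority live here. Disable it while the change is reviewed.
Disable-HostedContentFilterRule -Identity $name

# Priority 0 is processed first. Moving this rule to 2 pushes the rules currently numbered
# 2 or higher down by one; the Default policy is always last and has no rule at all.
Set-HostedContentFilterRule -Identity $name -Priority 2
Get-HostedContentFilterRule | Sort-Object Priority |
    Format-Table Priority, Name, State, HostedContentFilterPolicy -AutoSize

# Renaming in PowerShell renames only the rule, which is also all the portal does.
Set-HostedContentFilterRule -Identity $name -Name "$name (pilot)"
$ruleName = "$name (pilot)"
Enable-HostedContentFilterRule -Identity $ruleName

# Removal is two steps because the rule and the policy are separate objects. Remove the rule
# first so no rule is left pointing at a policy that no longer exists.
Remove-HostedContentFilterRule -Identity $ruleName -Confirm:$false
Remove-HostedContentFilterPolicy -Identity $name -Confirm:$false
```

After the removal, run Get-HostedContentFilterRule once more: a rule whose HostedContentFilterPolicy no longer exists is the symptom of deleting the policy first.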
7 Note
These steps will only work if the email organization that you're sending the GTUBE
message from doesn't scan for outbound spam. If it does, you can't send the test
message.
Generic Test for Unsolicited Bulk Email (GTUBE) is a text string that you include in a test
message to verify your organization's anti-spam settings. A GTUBE message is similar to
the European Institute for Computer Antivirus Research (EICAR) text file for testing
malware settings.
Include the following GTUBE text in an email message on a single line, without any
spaces or line breaks:
text
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
In all Microsoft 365 organizations, the Advanced Spam Filter (ASF) settings in anti-spam
policies in EOP allow admins to mark messages as spam based on specific message
properties. ASF specifically targets these properties because they're commonly found in
spam. Depending on the property, ASF detections will either mark the message as Spam
or High confidence spam.
7 Note
Periodic quarantine notifications from spam and high confidence spam filter
verdicts.
The presence of filtered messages in quarantine.
The specific X-CustomSpam: X-header fields that are added to messages as
described in this article.
The following sections describe the ASF settings and options that are available in anti-
spam policies in the Microsoft 365 Defender portal, and in Exchange Online PowerShell
or standalone EOP PowerShell (New-HostedContentFilterPolicy and Set-
HostedContentFilterPolicy). For more information, see Configure anti-spam policies in
EOP.
Off: The ASF setting is disabled. This is the default value, and we recommend that
you don't change it.
Test: ASF adds the corresponding X-header field to the message. What happens to
the message is determined by the Test mode (TestModeAction) value:
None: Message delivery is unaffected by the ASF detection. The message is still
subject to other types of filtering and rules in EOP.
Add default X-header text (AddXHeader): The X-header value X-CustomSpam:
This message was filtered by the custom spam filter option is added to the
message. You can use this value in Inbox rules or mail flow rules (also known as
transport rules) to affect the delivery of the message.
Send Bcc message (BccMessage): The specified email addresses (the
TestModeBccToRecipients parameter value in PowerShell) are added to the Bcc
field of the message, and the message is delivered to the additional Bcc
recipients. In the Microsoft 365 Defender portal, you separate multiple email
addresses by semicolons (;). In PowerShell, you separate multiple email
addresses by commas.
Notes:
Test mode is not available for the following ASF settings:
Conditional Sender ID filtering: hard fail (MarkAsSpamFromAddressAuthFail)
NDR backscatter(MarkAsSpamNdrBackscatter)
SPF record: hard fail (MarkAsSpamSpfRecordHardFail)
The same test mode action is applied to all ASF settings that are set to Test. You
can't configure different test mode actions for different ASF settings.
Anti-spam policy setting | Description | X-header added
Image links to remote websites (IncreaseScoreWithImageLinks) | Messages that contain <Img> HTML tag links to remote sites (for example, using http) are marked as spam. | X-CustomSpam: Image links to remote sites
Embedded tags in HTML (MarkAsSpamEmbedTagsInHtml) | Messages that contain <embed> HTML tags are marked as high confidence spam. This tag allows the embedding of different kinds of documents in an HTML document (for example, sounds, videos, or pictures). | X-CustomSpam: Embed tag in html
Form tags in HTML (MarkAsSpamFormTagsInHtml) | Messages that contain <form> HTML tags are marked as high confidence spam. This tag is used to create website forms. Email advertisements often include this tag to solicit information from the recipient. | X-CustomSpam: Form tag in html
Object tags in HTML (MarkAsSpamObjectTagsInHtml) | Messages that contain <object> HTML tags are marked as high confidence spam. This tag allows plug-ins or applications to run in an HTML window. | X-CustomSpam: Object tag in html
SPF record: hard fail (MarkAsSpamSpfRecordHardFail) | Messages sent from an IP address that isn't specified in the Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. Test mode is not available for this setting. | X-CustomSpam: SPF Record Fail
The following Mark as spam ASF settings set the SCL of detected messages to 6, which
corresponds to a Spam filter verdict and the corresponding action in anti-spam policies.
Anti-spam policy setting | Description | X-header added
Sender ID filtering hard fail (MarkAsSpamFromAddressAuthFail) | Messages that hard fail a conditional Sender ID check are marked as spam. This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. | X-CustomSpam: SPF From Record Fail
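Putting the Test mode options and the settings table above into practice, as an added example that is not part of the Microsoft article: two ASF settings are switched to Test on an existing policy with BccMessage as the test mode action, the current ASF state of every policy is reviewed, and a mail flow rule keyed on the X-CustomSpam header (which the article says you can use in mail flow rules) tags the subject of tagged messages. It assumes an Exchange Online PowerShell session; the policy name "Contoso Executives", the mailbox secops@contoso.com and the rule name are placeholders.

```powershell
# Added example (not from the Microsoft article): pilot ASF settings in Test mode and act on
# the X-CustomSpam header they add.

$policy = 'Contoso Executives'

# Test: a matching message gets its X-CustomSpam header but is otherwise delivered as usual;
# BccMessage additionally copies it to the listed recipients so SecOps can judge the hit rate.
# One TestModeAction applies to every setting that is in Test mode.
Set-HostedContentFilterPolicy -Identity $policy `
    -IncreaseScoreWithImageLinks Test `
    -MarkAsSpamEmbedTagsInHtml Test `
    -TestModeAction BccMessage `
    -TestModeBccToRecipients 'secops@contoso.com'

# Settings with no Test value go straight from Off to On (or stay Off); for example:
# Set-HostedContentFilterPolicy -Identity $policy -MarkAsSpamSpfRecordHardFail On

# Review which ASF settings are On or in Test across all policies before promoting any to On.
Get-HostedContentFilterPolicy |
    Format-List Name, TestModeAction, TestModeBccToRecipients, `
        IncreaseScoreWithImageLinks, MarkAsSpamEmbedTagsInHtml, MarkAsSpamFormTagsInHtml, `
        MarkAsSpamObjectTagsInHtml, MarkAsSpamSpfRecordHardFail, MarkAsSpamFromAddressAuthFail

# Mail flow rule keyed on the ASF header: tag the subject so pilot users can spot test-mode hits.
New-TransportRule -Name 'ASF test-mode tag' `
    -HeaderContainsMessageHeader 'X-CustomSpam' `
    -HeaderContainsWords 'Image links to remote sites', 'Embed tag in html' `
    -PrependSubject '[ASF test] '
```

Keep the Bcc mailbox out of the anti-spam policy's own scope, or the copies it receives will be evaluated by the same settings that produced them.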
Junk email is spam: unsolicited and universally unwanted messages (when
identified correctly). By default, EOP rejects spam based on the reputation of the
source email server. If a message passes source IP inspection, it's sent to spam
filtering. If the message is classified as spam by spam filtering, the message is (by
default) delivered to the intended recipients and moved to their Junk Email folder.
You can configure the actions to take on spam filtering verdicts. For instructions,
see Configure anti-spam policies in EOP.
If you disagree with the spam filtering verdict, you can report messages that you
consider to be spam or non-spam to Microsoft in several ways, as described in
Report messages and files to Microsoft.
Bulk email (also known as gray mail) is more difficult to classify. Whereas spam is
a constant threat, bulk email is often one-time advertisements or marketing
messages. Some users want bulk email messages (and in fact, they have
deliberately signed up to receive them), while other users consider bulk email to be
spam. For example, some users want to receive advertising messages from the
Contoso Corporation or invitations to an upcoming conference on cyber security,
while other users consider these same messages to be spam.
For more information about how bulk email is identified, see Bulk complaint level
(BCL) in EOP.
Anti-spam policies have a default BCL threshold that's used to identify bulk email as
spam. Admins can increase or decrease the threshold. For more information, see the
following topics:
Another option that's easy to overlook: if a user complains about receiving bulk email,
but the messages are from reputable senders that pass spam filtering in EOP, have the
user check for an unsubscribe option in the bulk email message.
For example, if Contoso has set their current bulk threshold to 7 in anti-spam policies,
Contoso recipients will receive email from all senders with BCL < 7 in their Inbox.
Admins can run the following query to get a list of all bulk senders in the organization:
Console
EmailEvents
This query allows admins to identify wanted and unwanted senders. If a bulk sender has
a BCL score that doesn't meet the bulk threshold, admins can submit the sender's
messages to Microsoft for analysis, which adds the sender as an allow entry to the
Tenant Allow/Block List.
Organizations without Defender for Office 365 Plan 2 can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free. Use the 90-day Defender for Office 365 evaluation at https://security.microsoft.com/atpEvaluation. Learn about who can sign up and trial terms here.
You can also use the Threat protection status report to identify wanted and unwanted bulk senders:
1. In the Threat protection status report, select View data by Email > Spam. To go
directly to the report, open one of the following URLs:
EOP: https://security.microsoft.com/reports/TPSAggregateReport
Defender for Office 365:
https://security.microsoft.com/reports/TPSAggregateReportATP
2. Filter for Bulk email, select an email to investigate and click on email entity to learn
more about the sender. Email entity is available only for Defender for Office 365
Plan 2 customers.
3. Once you have identified wanted and unwanted senders, adjust the bulk threshold to your desired level. If there are bulk senders with a BCL score that doesn't fit within your bulk threshold, submit the messages to Microsoft for analysis, which adds the sender as an allow entry to the Tenant Allow/Block List.
Admins can follow the recommended bulk threshold values or choose a bulk threshold
value that suits the needs of their organization.
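The following is an added example, not code from the article: it carries out step 3 above with Exchange Online PowerShell, listing the current bulk threshold and bulk action of every anti-spam policy and then changing the threshold on one policy. It assumes an existing Connect-ExchangeOnline session; the policy name 'Default' and the new value 6 are assumptions.

```powershell
# Added example (not from the article). Requires Connect-ExchangeOnline.
# Anti-spam policies are managed with the Get-/Set-HostedContentFilterPolicy cmdlets.

function Get-BulkThresholdReport {
    # One row per anti-spam policy: the BCL threshold at which a message is
    # treated as bulk and the action applied to it (Junk Email folder by default).
    Get-HostedContentFilterPolicy |
        Select-Object Name, IsDefault, MarkAsSpamBulkMail, BulkThreshold, BulkSpamAction
}

function Set-BulkThreshold {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        # Valid thresholds are 1 through 9; lower values treat more mail as bulk.
        [Parameter(Mandatory)] [ValidateRange(1, 9)] [int] $Threshold
    )
    $before = (Get-HostedContentFilterPolicy -Identity $PolicyName).BulkThreshold
    Set-HostedContentFilterPolicy -Identity $PolicyName -BulkThreshold $Threshold
    $after = Get-HostedContentFilterPolicy -Identity $PolicyName

    [pscustomobject]@{
        Policy         = $after.Name
        OldThreshold   = $before
        NewThreshold   = $after.BulkThreshold
        # Messages with a BCL below the threshold reach the Inbox; at or above it,
        # BulkSpamAction applies (as long as MarkAsSpamBulkMail is On).
        BulkSpamAction = $after.BulkSpamAction
        BulkFilterOn   = $after.MarkAsSpamBulkMail
    }
}

# Review every policy first, then lower the threshold on the assumed policy so
# that senders with BCL 6 are also treated as bulk.
Get-BulkThresholdReport | Format-Table -AutoSize
Set-BulkThreshold -PolicyName 'Default' -Threshold 6
```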
Spam confidence level (SCL) in EOP
Article • 12/10/2022 • 2 minutes to read
What the SCL means and the default actions that are taken on messages are described
in the following table. For more information about actions you can take on messages
based on the spam filtering verdict, see Configure anti-spam policies in EOP.
SCL | Definition | Default action
-1 | The message skipped spam filtering. For example, the message is from a safe sender, was sent to a safe recipient, or is from an email source server on the IP Allow List. For more information, see Create safe sender lists in EOP. | Deliver the message to the recipients' inbox.
0, 1 | Spam filtering determined the message was not spam. | Deliver the message to the recipients' inbox.
8, 9 | Spam filtering marked the message as High confidence spam. | Deliver the message to the recipients' Junk Email folder.
You can use mail flow rules (also known as transport rules) to stamp the SCL on
messages. If you use a mail flow rule to set the SCL, the values 5 or 6 trigger the spam
filtering action for Spam, and the values 7, 8, or 9 trigger the spam filtering action for
High confidence spam. For more information, see Use mail flow rules to set the spam
confidence level (SCL) in messages.
Similar to the SCL, the bulk complaint level (BCL) identifies bad bulk email (also known as gray mail). A higher BCL indicates a bulk mail message is more likely to generate complaints (and is therefore more likely to be spam). You configure the BCL threshold in anti-spam policies. For more information, see Configure anti-spam policies in EOP, Bulk complaint level (BCL) in EOP, and What's the difference between junk email and bulk email?
Bulk complaint level (BCL) in EOP
Article • 12/10/2022 • 2 minutes to read
Bulk mailers vary in their sending patterns, content creation, and recipient acquisition
practices. Good bulk mailers send desired messages with relevant content to their
subscribers. These messages generate few complaints from recipients. Other bulk
mailers send unsolicited messages that closely resemble spam and generate many
complaints from recipients. Messages from a bulk mailer are known as bulk mail or gray
mail.
Spam filtering marks messages as Bulk email based on the BCL threshold (the default
value or a value you specify) and takes the specified action on the message (the default
action is deliver the message to the recipient's Junk Email folder). For more information,
see Configure anti-spam policies and What's the difference between junk email and bulk
email?
BCL | Description
4, 5, 6, 7* | The message is from a bulk sender that generates a mixed number of complaints.
8, 9 | The message is from a bulk sender that generates a high number of complaints.
* This is the default threshold value that's used in anti-spam policies.
Backscatter in EOP
Article • 12/10/2022 • 2 minutes to read
Backscatter is non-delivery reports (also known as NDRs or bounce messages) that you
receive for messages that you didn't send. Backscatter is caused by spammers forging
(spoofing) the From address (also known as the 5322.From or P2 address) in their
messages. Spammers will often use real email addresses as the From address to lend
credibility to their messages. When spam is sent to a non-existent recipient, the
destination email server is essentially tricked into returning the undeliverable message in
an NDR to the forged sender in the From address.
Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
But, there are also specific anti-spam settings that admins can configure on individual
mailboxes in Exchange Online:
Note
EOP now uses its own mail flow delivery agent to route messages to the Junk Email folder instead of using the junk email rule. The Enabled parameter on the Set-MailboxJunkEmailConfiguration cmdlet no longer has any effect on mail flow. EOP routes messages based on the actions set in anti-spam policies. The user's Safe Senders list and Blocked Senders list will continue to work as usual.
Move messages to the Junk Email folder based on anti-spam policies: When an
anti-spam policy is configured with the action Move message to Junk Email folder
for a spam filtering verdict, the message is moved to the Junk Email folder after the
message is delivered to the mailbox. For more information about spam filtering
verdicts in anti-spam policies, see Configure anti-spam policies in EOP. Similarly, if
zero-hour auto purge (ZAP) determines a delivered message is spam or phish, the
message is moved to the Junk Email folder for Move message to Junk Email
folder spam filtering verdict actions. For more information about ZAP, see Zero-hour auto purge (ZAP) in Exchange Online.
Junk email settings that users configure for themselves in Outlook or Outlook
on the web: The safelist collection is the Safe Senders list, the Safe Recipients list,
and the Blocked Senders list on each mailbox. The entries in these lists determine
whether the message is moved to the Inbox or the Junk Email folder. Users can
configure the safelist collection for their own mailbox in Outlook or Outlook on the
web (formerly known as Outlook Web App). Admins can configure the safelist
collection on any user's mailbox.
EOP is able to move messages to the Junk Email folder based on the spam filtering
verdict action Move message to Junk Email folder or the Blocked Senders list on the
mailbox, and prevent messages from being delivered to the Junk Email folder (based on
the Safe Senders list on the mailbox).
Admins can use Exchange Online PowerShell to configure entries in the safelist
collection on mailboxes (the Safe Senders list, the Safe Recipients list, and the Blocked
Senders list).
Note
Messages from senders that users have added to their own Safe Senders lists will
skip content filtering as part of EOP (the SCL is -1). To prevent users from adding
entries to their Safe Senders list in Outlook, use Group Policy as mentioned in the
About junk email settings in Outlook section later in this article. Policy filtering,
Content filtering and Defender for Office 365 checks will still be applied to the
messages.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article. Specifically, you need the Mail Recipients role (which is
assigned to the Organization Management, Recipient Management, and Custom
Mail Recipients role groups by default) or the User Options role (which is assigned
to the Organization Management and Help Desk role groups by default). To add
users to role groups in Exchange Online, see Modify role groups in Exchange
Online. Note that users with default permissions can do these same procedures on
their own mailbox, as long as they have access to Exchange Online PowerShell.
Safe senders for shared mailboxes are not synchronized to Azure AD and EOP by
design.
PowerShell
Set-MailboxJunkEmailConfiguration <MailboxIdentity> -BlockedSendersAndDomains <EmailAddressesOrDomains | $null> -ContactsTrusted <$true | $false> -TrustedListsOnly <$true | $false> -TrustedSendersAndDomains <EmailAddresses | $null>
To enter multiple values and overwrite any existing entries for the BlockedSendersAndDomains and TrustedSendersAndDomains parameters, use the following syntax: "<Value1>","<Value2>".... To add or remove one or more values without affecting other existing entries, use the following syntax: @{Add="<Value1>","<Value2>"...; Remove="<Value3>","<Value4>"...}.
This example configures the following settings for the safelist collection on Ori Epstein's
mailbox:
PowerShell
This example removes the domain contoso.com from the Blocked Senders list in all user
mailboxes in the organization.
PowerShell
Note
If the user has never opened their mailbox, you might receive an error when you run the previous commands. To suppress this error for bulk operations, add -ErrorAction SilentlyContinue to the Set-MailboxJunkEmailConfiguration command.
The Outlook Junk Email Filter has additional safelist collection settings (for example, Automatically add people I email to the Safe Senders list). For more information, see Use Junk Email Filters to control which messages you see.
Replace <MailboxIdentity> with the name, alias, or email address of the mailbox,
and run the following command to verify the property values:
PowerShell
(Get-MailboxJunkEmailConfiguration -Identity <MailboxIdentity>).BlockedSendersAndDomains
When the Outlook Junk Email Filter is set to the default value No automatic filtering in Home > Junk > Junk E-Mail Options > Options, Outlook doesn't attempt to classify messages as spam, but still uses the safelist collection (the Safe Senders list, Safe Recipients list, and Blocked Senders list) to move messages to the Junk Email folder after delivery. For more information about these settings, see Overview of the Junk Email Filter.
Note
In Microsoft 365 organizations, we recommend that you leave the Junk Email Filter
in Outlook set to No automatic filtering to prevent unnecessary conflicts (both
positive and negative) with the spam filtering verdicts from EOP.
When the Outlook Junk Email Filter is set to Low or High, the Outlook Junk Email Filter uses its own SmartScreen filter technology to identify and move spam to the Junk Email folder. This spam classification is separate from the spam confidence level (SCL) that's determined by EOP. In fact, Outlook ignores the SCL from EOP (unless EOP marked the message to skip spam filtering) and uses its own criteria to determine whether the message is spam. Of course, it's possible that the spam verdict from EOP and Outlook might be the same. For more information about these settings, see Change the level of protection in the Junk Email Filter.
Note
In November 2016, Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook. The existing SmartScreen spam definitions were left in place, but their effectiveness will likely degrade over time. For more information, see Deprecating support for SmartScreen in Outlook and Exchange.
So, the Outlook Junk Email Filter is able to use the mailbox's safelist collection and its
own spam classification to move messages to the Junk Email folder.
Outlook and Outlook on the web both support the safelist collection. The safelist
collection is saved in the Exchange Online mailbox, so changes to the safelist collection
in Outlook appear in Outlook on the web, and vice-versa.
The safelist collection in the user's mailbox has a limit of 510 KB, which includes all lists, plus additional junk email filter settings. If a user exceeds this limit, they will receive an Outlook error that looks like this:
Cannot/Unable add to the server Junk E-mail lists. You are over the size allowed on the server. The Junk E-mail filter on the server will be disabled until your Junk E-mail lists have been reduced to the size allowed by the server.
For more information about this limit and how to change it, see KB2669081.
The synchronized safelist collection in EOP has the following synchronization limits:
1024 total entries in the Safe Senders list, the Safe Recipients list, and external
contacts if Trust email from my contacts is enabled.
500 total entries in the Blocked Senders list and Blocked Domains list.
When the 1024 entry limit is reached, the following things happen:
The list stops accepting entries in PowerShell and Outlook on the web, but no
error is displayed.
Outlook users can continue to add more than 1024 entries until they reach the
Outlook limit of 510 KB. Outlook can use these additional entries, as long as an
EOP filter doesn't block the message before delivery to the mailbox (mail flow
rules, anti-spoofing, etc.).
The first 1024 entries are used, and relevant information is stamped in the message
headers.
Entries over 1024 that weren't synchronized to Azure AD are processed by Outlook
(not Outlook on the web), and no information is stamped in the message headers.
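The following added example (not the article's own code) applies the Set-MailboxJunkEmailConfiguration syntax from the safelist collection section above and the synchronization limits just described: it removes one domain from the Blocked Senders list of every user mailbox using the @{Remove=...} form with -ErrorAction SilentlyContinue, then reports which mailboxes have reached the 1024 or 500 entry limits. It assumes an existing Connect-ExchangeOnline session; contoso.com is the article's example domain.

```powershell
# Added example (not from the article). Requires Connect-ExchangeOnline.

# Remove one domain from the Blocked Senders list of every user mailbox.
# @{Remove=...} leaves the other entries intact; -ErrorAction SilentlyContinue
# suppresses the error returned for mailboxes that have never been opened.
function Remove-BlockedDomainFromAllMailboxes {
    param([Parameter(Mandatory)] [string] $Domain)

    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        ForEach-Object {
            Set-MailboxJunkEmailConfiguration -Identity $_.Identity `
                -BlockedSendersAndDomains @{Remove = $Domain} `
                -ErrorAction SilentlyContinue
        }
}

# Report each mailbox's safelist collection against the EOP synchronization
# limits: 1024 Safe Senders + Safe Recipients (plus contacts when Trust email
# from my contacts is on) and 500 Blocked Senders. Entries beyond the limit are
# still accepted by Outlook but never reach EOP, so they are not stamped in
# message headers and do not influence filtering before delivery.
function Get-SafelistSyncReport {
    param([int] $TrustedLimit = 1024, [int] $BlockedLimit = 500)

    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        ForEach-Object {
            $cfg = Get-MailboxJunkEmailConfiguration -Identity $_.Identity -ErrorAction SilentlyContinue
            if (-not $cfg) { return }   # never-opened mailbox: nothing to report

            # Measure-Object returns Count 0 for empty or null lists.
            $trusted = ($cfg.TrustedSendersAndDomains    | Measure-Object).Count +
                       ($cfg.TrustedRecipientsAndDomains | Measure-Object).Count
            $blocked = ($cfg.BlockedSendersAndDomains    | Measure-Object).Count

            [pscustomobject]@{
                Mailbox         = $_.PrimarySmtpAddress
                TrustedEntries  = $trusted
                BlockedEntries  = $blocked
                ContactsTrusted = $cfg.ContactsTrusted   # contacts also count toward the 1024 limit
                AtTrustedLimit  = $trusted -ge $TrustedLimit
                AtBlockedLimit  = $blocked -ge $BlockedLimit
            }
        }
}

Remove-BlockedDomainFromAllMailboxes -Domain 'contoso.com'
# Show mailboxes at a limit, or close to the 1024 limit when contacts add to it.
Get-SafelistSyncReport |
    Where-Object { $_.AtTrustedLimit -or $_.AtBlockedLimit -or ($_.ContactsTrusted -and $_.TrustedEntries -ge 900) } |
    Format-Table -AutoSize
```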
As you can see, enabling the Trust email from my contacts setting reduces the number
of Safe Senders and Safe Recipients that can be synchronized. If this is a concern, then
we recommend using Group Policy to turn this feature off:
This topic provides frequently asked questions and answers about anti-spam protection
for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone
Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.
For questions and answers about the quarantine, see Quarantine FAQ.
For questions and answers about anti-malware protection, see Anti-malware protection
FAQ.
For questions and answers about anti-spoofing protection, see Anti-spoofing protection
FAQ.
For outbound messages: The message is either routed through the high-risk delivery
pool or is returned to the sender in a non-delivery report (also known as an NDR or
bounce message). For more information about outbound spam protection, see
Outbound spam controls.
Note
If you receive a message that may be a zero-day spam variant, in order to help us
improve the service, please submit the message to Microsoft using one of the
methods described in Report messages and files to Microsoft.
Recommended settings for EOP and Microsoft Defender for Office 365 security
Standalone EOP customers: Reporting and message trace in Exchange Online Protection
Inbound: Change your MX records to point to the third-party provider, and then
redirect the messages to EOP for additional processing. For more information, see
Enhanced Filtering for connectors in Exchange Online.
Outbound: Configure smart host routing from Microsoft 365 to the destination
third-party provider.
For example, if the sender is user@fabrikam, the domain fabrikam resolves to the
IP address 192.0.43.10.
If a sending domain has no A-record and no MX record in DNS, the service will
route the message through its higher risk delivery pool regardless of whether or
not the content of the message is spam. For more information about the higher
risk delivery pool, see High-risk delivery pool for outbound messages.
For example, if the email source IP address is 192.0.43.10, the reverse DNS entry would be 43-10.any.icann.org.
The HELO/EHLO command should be configured to match the reverse DNS of the
sending IP address so that the domain remains the same across the various parts
of the message headers.
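The following added example (not from the article) checks the three properties described above from the sending side: the sending domain has an A or MX record, the sending IP has a reverse DNS (PTR) record that resolves back to the same IP, and the HELO/EHLO name matches that PTR name. It uses Resolve-DnsName from the Windows DnsClient module against live DNS; the IP 192.0.43.10 and the name 43-10.any.icann.org are the article's values, while the domain fabrikam.com is an assumption.

```powershell
# Added example (not from the article). Uses Resolve-DnsName (Windows DnsClient
# module) against live DNS. The IP and PTR name are the article's values; the
# domain fabrikam.com and the HELO name passed in are assumptions.

function Test-SendingInfrastructureDns {
    param(
        [Parameter(Mandatory)] [string] $SendingDomain,
        [Parameter(Mandatory)] [string] $SendingIp,
        [Parameter(Mandatory)] [string] $HeloName
    )
    # A sending domain with neither an A nor an MX record is routed through
    # the higher risk delivery pool regardless of message content.
    $a  = Resolve-DnsName -Name $SendingDomain -Type A  -ErrorAction SilentlyContinue |
              Where-Object Type -eq 'A'
    $mx = Resolve-DnsName -Name $SendingDomain -Type MX -ErrorAction SilentlyContinue |
              Where-Object Type -eq 'MX'

    # Resolve-DnsName accepts a bare IP for PTR queries and builds the
    # in-addr.arpa name itself. Use the first PTR if several exist.
    $ptr = Resolve-DnsName -Name $SendingIp -Type PTR -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'PTR' | Select-Object -First 1
    $ptrName = if ($ptr) { $ptr.NameHost.TrimEnd('.') } else { $null }

    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    $forwardConfirmed = $false
    if ($ptrName) {
        $fwd = Resolve-DnsName -Name $ptrName -Type A -ErrorAction SilentlyContinue |
                   Where-Object Type -eq 'A'
        $forwardConfirmed = @($fwd.IPAddress) -contains $SendingIp
    }

    [pscustomobject]@{
        SendingDomain    = $SendingDomain
        HasAOrMxRecord   = [bool]($a -or $mx)
        SendingIp        = $SendingIp
        ReverseDns       = $ptrName
        ForwardConfirmed = $forwardConfirmed
        # HELO/EHLO should announce the same name the PTR record gives, so the
        # domain stays consistent across the message headers.
        HeloMatchesPtr   = [bool]($ptrName -and ($HeloName.TrimEnd('.') -ieq $ptrName))
    }
}

Test-SendingInfrastructureDns -SendingDomain 'fabrikam.com' `
    -SendingIp '192.0.43.10' -HeloName '43-10.any.icann.org' | Format-List
```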
SPF records are a mechanism for validating that mail sent from a domain really is
coming from that domain and is not spoofed. For more information about SPF
records, see the following links:
Domains FAQ
This identifies the owners of the domain and how to contact them by entering the
stable parent company, point of contact, and name servers.
For bulk mailers, the From: name should reflect who is sending the message,
while the subject line of the message should be a brief summary on what the
message is about.
The message body should have a clear indication of the offering, service, or
product. For example, if a sender is sending out a bulk mailing for the Contoso
company, the following is what the email From and Subject should resemble:
From: marketing@contoso.com
From: user@hotmail.com
Subject: Catalogs
If sending bulk email, list acquisition should be performed using double opt-in.
If you are a bulk mailer, double opt-in is an industry best practice.
Double opt-in is the practice of requiring a user to take two actions to sign up for
marketing mail:
1. Once when the user clicks on a previously unchecked check box where they
opt-in to receive further offers or email messages from the marketer.
2. A second time when the marketer sends a confirmation email to the user's
provided email address asking them to click on a time-sensitive link that will
complete their confirmation.
Using double opt-in builds a good reputation for bulk email senders.
Bulk senders should create transparent content for which they can be held
accountable:
1. Verbiage requesting that recipients add the sender to the address book
should clearly state that such action is not a guarantee of delivery.
2. When constructing redirects in the body of the message, use a consistent link
style.
4. When employing tracking pixels (web bugs or beacons), clearly state their
presence in your public privacy or P3P settings.
If you receive an NDR indicating that an email address is no longer in use, remove
the non-existent email alias from your list. Email addresses change over time, and
people sometimes discard them.
Hotmail uses a program called Smart Network Data Services that allows senders to
check complaints submitted by end users. The SNDS is the primary portal for
troubleshooting delivery problems to Hotmail.
If you use a third-party protection service or device to scan email before it's delivered to
Microsoft 365, you should also enable Enhanced Filtering for Connectors (also known as
skip listing) so detection, reporting, and investigation features in Microsoft 365 are able
to correctly identify messages sources. For more information, see Enhanced Filtering for
Connectors.
If you need to bypass spam filtering for SecOps mailboxes or phishing simulations, don't
use mail flow rules. For more information, see Configure the delivery of third-party
phishing simulations to users and unfiltered messages to SecOps mailboxes.
Mail flow rules (transport rules) in Exchange Online
Article • 09/09/2022 • 9 minutes to read
Important
Effective from December 2022, the classic Exchange Admin Center will be deprecated for worldwide customers. Microsoft recommends using the new Exchange Admin Center, if not already doing so.
While most of the features have been migrated to new EAC, some have been migrated to other admin centers and remaining ones will soon be migrated to New EAC. Find features that are not yet there in new EAC at Other Features or use Global Search that will help you navigate across new EAC.
Mail flow rules are similar to the Inbox rules that are available in Outlook and Outlook
on the web (formerly known as Outlook Web App). The main difference is mail flow rules
take action on messages while they're in transit, not after the message is delivered to
the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions,
which provides you with the flexibility to implement many types of messaging policies.
This article explains the components of mail flow rules, and how they work.
For steps to create, copy, and manage mail flow rules, see Manage mail flow rules. For
each rule, you have the option of enforcing it, testing it, or testing it and notifying the
sender. To learn more about the testing options, see Test mail flow rules in Exchange
Online and Policy Tips (policy tips aren't available in standalone EOP).
For summary and detail reports about messages that matched mail flow rules, see Use
mail protection reports to view data about malware, spam, and rule detections.
To implement specific messaging policies by using mail flow rules, see Mail flow rule
procedures in Exchange Online.
Conditions: Identify the messages that you want to apply the actions to. Some
conditions examine message header fields (for example, the To, From, or Cc fields).
Other conditions examine message properties (for example, the message subject,
body, attachments, message size, or message classification). Most conditions
require you to specify a comparison operator (for example, equals, doesn't equal,
or contains) and a value to match. If there are no conditions or exceptions, the rule
is applied to all messages.
For more information about mail flow rule conditions in Exchange Online, see Mail
flow rule conditions and exceptions (predicates) in Exchange Online.
Exceptions: Optionally identify the messages that the actions shouldn't apply to.
The same message identifiers that are available in conditions are also available in
exceptions. Exceptions override conditions and prevent the rule actions from being
applied to a message, even if the message matches all of the configured
conditions.
Actions: Specify what to do to messages that match the conditions in the rule, and
don't match any of the exceptions. There are many actions available, such as
rejecting, deleting, or redirecting messages, adding additional recipients, adding
prefixes in the message subject, or inserting disclaimers in the message body.
For more information about mail flow rule actions that are available in Exchange
Online, see Mail flow rule actions in Exchange Online.
For more information, see the Mail flow rule properties section in this article.
Component | Logic | Comments
Multiple conditions | AND | A message must match all the conditions in the rule. If you need to match one condition or another, use separate rules for each condition. For example, if you want to add the same disclaimer to messages with attachments and messages that contain specific text, create one rule for each condition. In the EAC, you can easily copy a rule.
One condition with multiple values | OR | Some conditions allow you to specify more than one value. The message must match any one (not all) of the specified values. For example, if an email message has the subject Stock price information, and the The subject includes any of these words condition is configured to match the words Contoso or stock, the condition is satisfied because the subject contains at least one of the specified values.
Multiple exceptions | OR | If a message matches any one of the exceptions, the actions are not applied to the message. The message doesn't have to match all the exceptions.
Multiple actions | AND | Messages that match a rule's conditions get all the actions that are specified in the rule. For example, if the actions Prepend the subject of the message with and Add recipients to the Bcc box are selected, both actions are applied to the message. Keep in mind that some actions (for example, the Delete the message without notifying anyone action) prevent subsequent rules from being applied to a message. Other actions (for example, the Forward the message) don't allow additional actions. You can also set an action on a rule so that when that rule is applied, subsequent rules are not applied to the message.
Property name in the EAC | Parameter name in PowerShell | Description
Priority | Priority | Indicates the order that the rules are applied to messages. The default priority is based on when the rule is created (older rules have a higher priority than newer rules, and higher priority rules are processed before lower priority rules). You change the rule priority in the EAC by moving the rule up or down in the list of rules. In PowerShell, you set the priority number (0 is the highest priority).
Audit this rule with severity level | SetAuditSeverity | Sets the severity level of the incident report and the corresponding entry that's written to the message tracking log when messages violate DLP policies. Valid values are DoNotAudit, Low, Medium, and High.
Mode | Mode | You can specify whether you want the rule to start processing messages immediately, or whether you want to test rules without affecting the delivery of the message (with or without Data Loss Prevention or DLP Policy Tips). Policy Tips present a brief note in Outlook or Outlook on the web that provides information about possible policy violations to the person that's creating the message. For more information, see Policy Tips.
Deactivate this rule on the following date | |
On check box selected or not selected | New rules: Enabled parameter on the New-TransportRule cmdlet. | You can create a disabled rule, and enable it when you're ready to test it. Or, you can disable a rule without deleting it to preserve the settings.
Defer the message if rule processing doesn't complete | RuleErrorAction | You can specify how the message should be handled if the rule processing can't be completed. By default, the rule will be ignored, but you can choose to resubmit the message for processing.
Match sender address in message | SenderAddressLocation | If the rule uses conditions or exceptions that examine the sender's email address, you can look for the value in the message header, the message envelope, or both.
Stop processing more rules | StopRuleProcessing | This is an action for the rule, but it looks like a property in the EAC. You can choose to stop applying additional rules to a message after a rule processes a message.
Comments | Comments | You can enter descriptive comments about the rule.
Each rule also offers the option of stopping processing more rules when the rule is
matched. This setting is important for messages that match the conditions in multiple
mail flow rules (which rule do you want applied to the message? All? Just one?).
Differences in processing based on message type
There are several types of messages that pass through an organization. The following
table shows which messages types can be processed by mail flow rules.
Type of message | Can a rule be applied?
Message Encryption: Messages encrypted by Message Encryption in Microsoft 365 or Office 365. For more information, see Encryption. | Rules can always access envelope headers and process messages based on conditions that inspect those headers. For a rule to inspect or modify the contents of an encrypted message, you need to verify that transport decryption is enabled (Mandatory or Optional; the default is Optional). For more information, see Enable or disable transport decryption.
S/MIME encrypted messages | Rules can only access envelope headers and process messages based on conditions that inspect those headers. Rules with conditions that require inspection of the message's content, or actions that modify the message's content, can't be processed.
RMS protected messages: Messages that had an Active Directory Rights Management Services (AD RMS) or Azure Rights Management (RMS) policy applied. | Rules can always access envelope headers and process messages based on conditions that inspect those headers. For a rule to inspect or modify the contents of an RMS protected message, you need to verify that transport decryption is enabled (Mandatory or Optional; the default is Optional). For more information, see Enable or disable transport decryption.
Conditions and exceptions in mail flow rules (also known as transport rules) identify the messages that the
rule is applied to or not applied to. For example, if the rule adds a disclaimer to messages, you can configure
the rule to only apply to messages that contain specific words, messages sent by specific users, or to all
messages except those sent by the members of a specific distribution group. Collectively, the conditions and
exceptions in mail flow rules are also known as predicates, because for every condition, there's a
corresponding exception that uses the exact same settings and syntax. The only difference is conditions
specify messages to include, while exceptions specify messages to exclude.
Most conditions and exceptions have one property that requires one or more values. For example, the The
sender is condition requires the sender of the message. Some conditions have two properties. For example,
the A message header includes any of these words condition requires one property to specify the message
header field, and a second property to specify the text to look for in the header field. Some conditions or
exceptions don't have any properties. For example, the Any attachment has executable content condition
simply looks for attachments in messages that have executable content.
For more information about mail flow rules in Exchange Online, including how multiple
conditions/exceptions or multi-valued conditions/exceptions are handled, see Mail flow rules (transport
rules) in Exchange Online.
Senders
Recipients
Attachments
Any recipients
Message sensitive information types, To and Cc values, size, and character sets
Message properties
Message headers
Notes:
After you select a condition or exception in the Exchange admin center (EAC), the value that's ultimately
shown in the Apply this rule if or Except if field is often different (shorter) than the click path value you
selected. Also, when you create new rules based on a template (a filtered list of scenarios), you can
often select a short condition name instead of following the complete click path. The short names and
full click path values are shown in the EAC column in the tables.
If you select [Apply to all messages] in the EAC, you can't specify any other conditions. The equivalent
in PowerShell is to create a rule without specifying any condition parameters.
The settings and properties are the same in conditions and exceptions, so the output of the Get-TransportRulePredicate cmdlet doesn't list exceptions separately. Also, the names of some of the predicates that are returned by this cmdlet are different than the corresponding parameter names, and a predicate might require multiple parameters.
Senders
For conditions and exceptions that examine the sender's address, you can specify where the rule looks for the sender's address.
In the EAC, in the Properties of this rule section, click Match sender address in message. Note that you
might need to click More options to see this setting. In PowerShell, the parameter is SenderAddressLocation.
The available values are:
Header: Only examine senders in the message headers (for example, the From, Sender, or Reply-To
fields). This is the default value.
Envelope: Only examine senders from the message envelope (the MAIL FROM value that was used in
the SMTP transmission, which is typically stored in the Return-Path field). Note that message envelope
searching is only available for the following conditions (and the corresponding exceptions):
The sender is (From)
The sender is a member of (FromMemberOf)
The sender address includes (FromAddressContainsWords)
The sender address matches (FromAddressMatchesPatterns)
The sender's domain is (SenderDomainIs)
Header or envelope (HeaderOrEnvelope): Examine senders in both the message header and the message envelope.
Condition or exception in the EAC: Sender's IP address is in the range (The sender > IP address is in any of these ranges or exactly matches)
Condition and exception parameters in Exchange Online PowerShell: SenderIPRanges, ExceptIfSenderIPRanges
Property type: IPAddressRanges
Description: Messages where the sender's IP address matches the specified IP address, or falls within the specified IP address range.
Recipients
For conditions and exceptions that examine the recipient's address, you can specify where the rule looks for the recipient's address by using the RecipientAddressType parameter in PowerShell. Valid values are:
Condition or exception in the EAC: A recipient's domain is (The recipient > domain is)
Condition and exception parameters in Exchange Online PowerShell: RecipientDomainIs, ExceptIfRecipientDomainIs
Property type: DomainName
Description: Messages where the domain of a recipient's email address matches the specified value. If you need to find recipient domains that contain the specified domain (for example, any subdomain of a domain), use The recipient address matches (RecipientAddressMatchesPatterns) condition, and specify the domain by using the syntax '\.domain\.com$'.
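The sender and recipient conditions above, as an added example that is not part of the article: partner.example, the IP range 203.0.113.0/24, contoso.com and the rule names are constructed placeholders.

```powershell
# Added example, not the article's own code. Domain names, the IP range and
# the rule names are constructed placeholders.

# Rule 1: SenderDomainIs is one of the conditions that supports envelope
# matching, so with SenderAddressLocation Envelope the domain is read from the
# SMTP MAIL FROM value, not from the From header. Mail that claims the
# partner's envelope domain but does not come from the partner's published
# relay range is quarantined for review.
New-TransportRule -Name "Quarantine partner envelope domain from unexpected IP (example)" `
    -SenderAddressLocation Envelope `
    -SenderDomainIs "partner.example" `
    -ExceptIfSenderIpRanges "203.0.113.0/24" `
    -Quarantine $true

# Rule 2: RecipientDomainIs matches the domain exactly and would miss
# sales.contoso.com. The regex form from the table matches every subdomain.
New-TransportRule -Name "Stamp mail to any contoso.com subdomain (example)" `
    -RecipientAddressMatchesPatterns '\.contoso\.com$' `
    -SetHeaderName "X-Example-Recipient-Scope" `
    -SetHeaderValue "contoso-subdomain"

# Verify where the first rule looks for the sender address and what it checks.
Get-TransportRule -Identity "Quarantine partner envelope domain from unexpected IP (example)" |
    Format-List Name, SenderAddressLocation, SenderDomainIs, ExceptIfSenderIpRanges, Quarantine
```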
7 Note
The search for words or text patterns in the subject or other header fields in the message occurs after
the message has been decoded from the MIME content transfer encoding method that was used to
transmit the binary message between SMTP servers in ASCII text. You can't use conditions or exceptions
to search for the raw (typically, Base64) encoded values of the subject or other header fields in
messages.
Attachments
For more information about how mail flow rules inspect message attachments, see Use mail flow rules to
inspect message attachments in Exchange Online.
Any recipients
The conditions and exceptions in this section provide a unique capability that affects all recipients when the
message contains at least one of the specified recipients. For example, let's say you have a rule that rejects messages. If you use a recipient condition from the Recipients section, the message is only rejected for those specified recipients. For example, if the rule finds the specified recipient in a message that also contains five other recipients, the message is rejected for that one recipient and is delivered to the five other recipients.
If you add a recipient condition from this section, that same message is rejected for the detected recipient
and the five other recipients.
Conversely, a recipient exception from this section prevents the rule action from being applied to all
recipients of the message, not just for the detected recipients.
7 Note
These conditions don't consider messages that are sent to recipient proxy addresses. They only match
messages that are sent to the recipient's primary email address.
These conditions are applied to all recipients in the current fork of the message only. If the message was bifurcated by any other action (for example, anti-malware or an earlier mail flow rule), the action will be applied on the matching fork only.
Notes:
The recipient conditions in this section do not consider messages that are sent to recipient proxy
addresses. They only match messages that are sent to the recipient's primary email address.
For more information about using Microsoft 365 groups with the recipient conditions in this section,
see the Addresses entry in the Property types section.
Note: This condition/exception isn't available in standalone EOP environments.
Condition or exception in the EAC: The manager of the sender or recipient is (The sender and the recipient > the manager of the sender or recipient is this person)
Condition and exception parameters in Exchange Online PowerShell: ManagerForEvaluatedUser and ManagerAddress; ExceptIfManagerForEvaluatedUser and ExceptIfManagerAddress
Property type: First property: EvaluatedUser. Second property: Addresses
Description: Messages where either a specified user is the manager of the sender, or a specified user is the manager of a recipient.

Condition or exception in the EAC: The sender's and any recipient's property compares as (The sender and the recipient > the sender and recipient property compares as)
Condition and exception parameters in Exchange Online PowerShell: ADAttributeComparisonAttribute and ADComparisonOperator; ExceptIfADAttributeComparisonAttribute and ExceptIfADComparisonOperator
Property type: First property: ADAttribute. Second property: Evaluation
Description: Messages where the specified Active Directory attribute for the sender and recipient either match or don't match.
Message properties
The message properties > don't include any classification
The message properties > include the importance level
Message headers
Condition or exception in the EAC: A message header includes (A message header > includes any of these words)
Condition and exception parameters in Exchange Online PowerShell: HeaderContainsMessageHeader and HeaderContainsWords; ExceptIfHeaderContainsMessageHeader and ExceptIfHeaderContainsWords
Property type: First property: MessageHeaderField. Second property: Words
Description: Messages that contain the specified header field, and the value of that header field contains the specified words. The name of the header field and the value of the header field are always used together.

Condition or exception in the EAC: A message header matches (A message header > matches these text patterns)
Condition and exception parameters in Exchange Online PowerShell: HeaderMatchesMessageHeader and HeaderMatchesPatterns; ExceptIfHeaderMatchesMessageHeader and ExceptIfHeaderMatchesPatterns
Property type: First property: MessageHeaderField. Second property: Patterns
Description: Messages that contain the specified header field, and the value of that header field contains the specified regular expressions. The name of the header field and the value of the header field are always used together.
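The two header conditions, as an added example that is not from the article: the rule names, the recipient address and the X-Example-Scanner header are constructed; Authentication-Results is the standard header that Exchange Online stamps with the DMARC verdict.

```powershell
# Added example, not the article's own code. Rule names, the recipient
# address and the X-Example-Scanner header are constructed placeholders.

# Header name and value are always paired. The pattern is evaluated against
# the decoded header value, so it is written against plain text; a rule can't
# match the raw Base64-encoded form of a header.
New-TransportRule -Name "Quarantine DMARC failures sent to the CEO (example)" `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns 'dmarc=fail' `
    -SentTo "ceo@contoso.com" `
    -Quarantine $true

# Word matching is case-insensitive and whole-word only: "suspicious" does not
# match "unsuspicious", so the verdicts are listed explicitly.
New-TransportRule -Name "Tag mail with an X-Example-Scanner verdict (example)" `
    -HeaderContainsMessageHeader "X-Example-Scanner" `
    -HeaderContainsWords "suspicious", "malicious" `
    -PrependSubject "[Scanner] "

# Confirm that the header name and its words/patterns were stored together.
Get-TransportRule -Identity "Quarantine DMARC failures sent to the CEO (example)" |
    Format-List Name, HeaderMatchesMessageHeader, HeaderMatchesPatterns, SentTo
Get-TransportRule -Identity "Tag mail with an X-Example-Scanner verdict (example)" |
    Format-List Name, HeaderContainsMessageHeader, HeaderContainsWords
```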
Property types
The property types that are used in conditions and exceptions are described in the following table.
7 Note
Property type: ADAttribute
Valid values: Select from a predefined list of Active Directory attributes
Description: You can check against any of the following Active Directory attributes:
City
Company
Country
CustomAttribute1 - CustomAttribute15
Department
DisplayName
Email
FaxNumber
FirstName
HomePhoneNumber
Initials
LastName
Manager
MobileNumber
Notes
Office
OtherFaxNumber
OtherHomePhoneNumber
OtherPhoneNumber
PagerNumber
PhoneNumber
POBox
State
Street
Title
UserLogonName
ZipCode
In the EAC, to specify multiple words or text patterns for the same attribute, separate the values with commas. For example, the value San Francisco,Palo Alto for the City attribute looks for "City equals San Francisco" or "City equals Palo Alto".
When you specify multiple attributes, or multiple values for the same attribute, the or operator is used. Don't use values with leading or trailing spaces.
Note that the Country attribute requires the two-letter ISO 3166-1 country code value (for example, DE for Germany). For more information, see Country Codes - ISO 3166.
Property type: Addresses
Valid values: Exchange Online recipients
Description: Depending on the nature of the condition or exception, you might be able to specify any mail-enabled object in the organization (for example, recipient-related conditions), or you might be limited to a specific object type (for example, groups for group membership conditions). And, the condition or exception might require one value, or allow multiple values.
In Exchange Online PowerShell, separate multiple values by commas.
The recipient picker in the EAC doesn't allow you to select Microsoft 365 groups from the list of recipients. But, you can enter the email address of a Microsoft 365 group in the box next to Check names, and then validate the email address by clicking Check names, which will add the group to the add box.
Property type: CharacterSets
Valid values: Array of character set names
Description: One or more content character sets that exist in a message. For example:
Arabic/iso-8859-6
Chinese/big5
Chinese/euc-cn
Chinese/euc-tw
Chinese/gb2312
Chinese/iso-2022-cn
Cyrillic/iso-8859-5
Cyrillic/koi8-r
Cyrillic/windows-1251
Greek/iso-8859-7
Hebrew/iso-8859-8
Japanese/euc-jp
Japanese/iso-2022-jp
Japanese/shift-jis
Korean/euc-kr
Korean/johab
Korean/ks_c_5601-1987
Turkish/windows-1254
Turkish/iso-8859-9
Vietnamese/tcvn
Property type: EvaluatedUser
Valid values: Single value of Sender or Recipient
Description: Specifies whether the rule is looking for the manager of the sender or the manager of the recipient.

Property type: Evaluation
Valid values: Single value of Equal or Not equal (NotEqual)
Description: When comparing the Active Directory attribute of the sender and recipients, this specifies whether the values should match, or not match.

Property type: Importance
Valid values: Single value of Low, Normal, or High
Description: The Importance level that was assigned to the message by the sender in Outlook or Outlook on the web.
Property type: IPAddressRanges
Valid values: Array of IP addresses or address ranges
Description: You enter the IPv4 addresses using the following syntax:
Single IP address: For example, 192.168.1.1.
IP address range: For example, 192.168.0.1-192.168.0.254.
Classless InterDomain Routing (CIDR) IP address range: For example, 192.168.0.1/25.
Property type: ManagementRelationship
Valid values: Single value of Manager or Direct report (DirectReport)
Description: Specifies the relationship between the sender and any of the recipients. The rule checks the Manager attribute in Active Directory to see if the sender is the manager of a recipient, or if the sender is managed by a recipient.
Property type: MessageClassification
Valid values: Single message classification
Description: In the EAC, you select from the list of message classifications that you've created.
In Exchange Online PowerShell, you use the Get-MessageClassification cmdlet to identify the message classification. For example, use the following command to search for messages with the Company Internal classification and prepend the message subject with the value CompanyInternal:
New-TransportRule "Rule Name" -HasClassification @(Get-MessageClassification "Company Internal").Identity -PrependSubject "CompanyInternal"
Property type: MessageHeaderField
Valid values: Single string
Description: Specifies the name of the header field. The name of the header field is always paired with the value in the header field (word or text pattern match). The message header is a collection of required and optional header fields in the message. Examples of header fields are To, From, Received, and Content-Type. Official header fields are defined in RFC 5322. Unofficial header fields start with X- and are known as X-headers.
Property type: MessageType
Valid values: Single message type value
Description: Specifies one of the following message types:
Automatic reply (OOF)
Auto-forward (AutoForward)
Encrypted
Calendaring
Permission controlled (PermissionControlled)
Voicemail
Signed
Approval request (ApprovalRequest)
Read receipt (ReadReceipt)
Property type: Patterns
Valid values: Array of regular expressions
Description: Specifies one or more regular expressions that are used to identify text patterns in values. For more information, see Regular Expression Syntax.

Property type: SCLValue
Valid values: One of the following values:
Bypass spam filtering (-1)
Integers 0 through 9
Description: Specifies the spam confidence level (SCL) that's assigned to a message. A higher SCL value indicates that a message is more likely to be spam.

Property type: SensitiveInformationTypes
Valid values: Array of sensitive information types
Description: Specifies one or more sensitive information types that are defined in your organization. For a list of built-in sensitive information types, see Sensitive information types in Exchange Server.
Property type: Size
Valid values: Single size value
Description: Specifies the size of an attachment or the whole message.
In the EAC, you can only specify the size in kilobytes (KB). In Exchange Online PowerShell, qualify the value with one of the following units:
B (bytes)
KB (kilobytes)
MB (megabytes)
GB (gigabytes)
Property type: SupervisionList
Valid values: Single value of Allow or Block
Description: Supervision policies were a feature in Live@edu that allowed you to control who could send mail to and receive mail from users in your organization (for example, the closed campus and anti-bullying policies). In Microsoft 365 and Office 365, you can't configure supervision list entries on mailboxes.
Property type: UserScopeFrom
Valid values: Single value of Inside the organization (InOrganization) or Outside the organization (NotInOrganization)
Description: A sender is considered to be inside the organization if either of the following conditions is true:
The sender is a mailbox, mail user, group, or mail-enabled public folder that exists inside the organization.
The sender's email address is in an accepted domain that's configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection. For more information about accepted domains, see Manage accepted domains in Exchange Online.

Property type: UserScopeTo
Valid values: One of the following values:
Inside the organization (InOrganization)
Outside the organization (NotInOrganization)
Description: A recipient is considered to be inside the organization if either of the following conditions is true:
The recipient is a mailbox, mail user, group, or mail-enabled public folder that exists inside the organization.
The recipient's email address is in an accepted domain that's configured as an authoritative domain or an internal relay domain, and the message was sent or received over an authenticated connection.
Property type: Words
Valid values: Array of strings
Description: Specifies one or more words to look for. The words aren't case-sensitive, and can be surrounded by spaces and punctuation marks. Wildcards and partial matches aren't supported. For example, "contoso" matches "Contoso".
However, if the text is surrounded by other characters, it isn't considered a match. For example, "contoso" doesn't match the following values:
Acontoso
Contosoa
Acontosob
New-TransportRule
Mail flow rule actions in Exchange Online
Article • 01/12/2023 • 17 minutes to read
Actions typically require additional properties. For example, when the rule redirects a message, you
need to specify where to redirect the message. Some actions have multiple properties that are
available or required. For example, when the rule adds a header field to the message header, you
need to specify both the name and value of the header. When the rule adds a disclaimer to
messages, you need to specify the disclaimer text, but you can also specify where to insert the text,
or what to do if the disclaimer can't be added to the message. Typically, you can configure
multiple actions in a rule, but some actions are exclusive. For example, one rule can't reject and
redirect the same message.
For more information about mail flow rules, including how multiple actions are handled, see Mail
flow rules (transport rules) in Exchange Online.
For more information about conditions and exceptions in mail flow rules, see Mail flow rule
conditions and exceptions (predicates) in Exchange Online.
For more information about actions in mail flow rules in Exchange Server, see Mail flow rule actions in Exchange Server.
Notes:
After you select an action in the Exchange admin center (EAC), the value that's ultimately
shown in the Do the following field is often different from the click path you selected. Also,
when you create new rules, you can sometimes (depending on the selections you make)
select a short action name from a template (a filtered list of actions) instead of following the
complete click path. The short names and full click path values are shown in the EAC column
in the table.
The names of some of the actions that are returned by the Get-TransportRuleAction cmdlet
are different than the corresponding parameter names, and multiple parameters might be
required for an action.
Action in the EAC | Action parameter in PowerShell | Property | Description
Redirect the message to > hosted quarantine
Block the message > delete the message without notifying anyone
Modify the message properties > remove a message header
Modify the message properties > set a message header
Modify the message properties > set the spam confidence level (SCL)
Modify the message security > Message Encryption and rights protection
Modify the message security > Message Encryption and rights protection
Action in the EAC: Generate incident report and send it to
Action parameter in PowerShell: GenerateIncidentReport and IncidentReportContent
Property: First property: Addresses. Second property: IncidentReportContent
Description: Sends an incident report that contains the specified content to the specified recipients. An incident report is generated for messages that match data loss prevention (DLP) policies in your organization.

Action in the EAC: Notify the recipient with a message
Action parameter in PowerShell: GenerateNotification
Property: NotificationMessageText
Description: Specifies the text, HTML tags, and message keywords to include in the notification message that's sent to the message's recipients. For example, you can notify recipients that the message was rejected by the rule, or marked as spam and delivered to their Junk Email folder.

More options > Properties of this rule section > Stop processing more rules
Property values
The property values that are used for actions in mail flow rules are described in the following table.
Property: AuditSeverityLevel
Valid values: One of the following values:
Uncheck Audit this rule with severity level, or select Audit this rule with severity level with the value Not specified (DoNotAudit)
Low
Medium
High
Description: The values Low, Medium, or High specify the severity level that's assigned to the incident report and to the corresponding entry in the message tracking log.
The other value prevents an incident report from being generated, and prevents the corresponding entry from being written to the message tracking log.

Property: DSNEnhancedStatusCode
Valid values: Single DSN code value:
5.7.1
5.7.900 through 5.7.999
Description: Specifies the DSN code that's used. You can create custom DSNs by using the New-SystemMessage cmdlet.
Property: IncidentReportContent
Valid values: One or more of the following values:
Sender
Recipients
Subject
Cc'd recipients (Cc)
Bcc'd recipients (Bcc)
Severity
Sender override information (Override)
Matching rules (RuleDetections)
False positive reports (FalsePositive)
Detected data classifications (DataClassifications)
Matching content (IdMatch)
Original mail (AttachOriginalMail)
Description: Specifies the original message properties to include in the incident report. You can choose to include any combination of these properties. In addition to the properties you specify, the message ID is always included. The available properties are:
Sender: The sender of the original message.
Recipients, Cc'd recipients, and Bcc'd recipients: All recipients of the message, or only the recipients in the Cc or Bcc fields. For each property, only the first 10 recipients are included in the incident report.
Subject: The Subject field of the original message.
Severity: The audit severity of the rule that was triggered. If a message is processed by more than one rule, the highest severity is included in any incident reports.
Sender override information: The override if the sender chose to override a Policy Tip. If the sender provided a justification, the first 100 characters of the justification are also included.
Matching rules: The list of rules that the message triggered.
False positive reports: The false positive if the sender marked the message as a false positive for a Policy Tip.
Detected data classifications: The list of sensitive information types detected in the message.
Matching content: The sensitive information type detected, the exact matched content from the message, and the 150 characters before and after the matched sensitive information.
Original mail: The entire message that triggered the rule is attached to the incident report.
Property: MessageClassification
Valid values: Single message classification object
Description: In the EAC, you select from the list of available message classifications.
In PowerShell, use the Get-MessageClassification cmdlet to see the message classification objects that are available.

Property: NotificationMessageText
Valid values: Any combination of plain text, HTML tags, and keywords
Description: Specifies the text to use in a recipient notification message.
In addition to plain text and HTML tags, you can specify the following keywords that use values from the original message:
%%From%%
%%To%%
%%Cc%%
%%Subject%%
%%Headers%%
%%MessageDate%%
Property: NotifySenderType
Valid values: One of the following values:
Notify the sender, but allow them to send (NotifyOnly)
Block the message (RejectMessage)
Block the message unless it's a false positive (RejectUnlessFalsePositiveOverride)
Block the message, but allow the sender to override and send (RejectUnlessSilentOverride)
Block the message, but allow the sender to override with a business justification and send (RejectUnlessExplicitOverride)
Description: Specifies the type of Policy Tip that the sender receives if the message violates a DLP policy. The settings are described in the following list:
Notify the sender, but allow them to send: The sender is notified, but the message is delivered normally.
Block the message: The message is rejected, and the sender is notified.
Block the message unless it's a false positive: The message is rejected unless it's marked as a false positive by the sender.
Block the message, but allow the sender to override and send: The message is rejected unless the sender has chosen to override the policy restriction.
Block the message, but allow the sender to override with a business justification and send: This is similar to the Block the message, but allow the sender to override and send type, but the sender also provides a justification for overriding the policy restriction.

Property: RMSTemplate
Valid values: Single Azure RMS template object
Description: Specifies the Azure Rights Management (Azure RMS) template that's applied to the message.
In the EAC, you select the RMS template from a list.

Property: SCLValue
Valid values: One of the following values:
Bypass spam filtering (-1)
Integers 0 through 9
Description: Specifies the spam confidence level (SCL) that's assigned to the message. A higher SCL value indicates that a message is more likely to be spam.
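The action property values above (a custom DSN code, audit severity, SCL and the notification keywords) put to use in an added example that is not from the article: the rule names, the DSN text, bulk-sender.example and the "Company Internal" classification are constructed or assumed to exist in the tenant.

```powershell
# Added example, not the article's own code. Rule names, the DSN text, the
# sender domain and the "Company Internal" classification are constructed or
# assumed to already exist in the tenant.

# 5.7.900 through 5.7.999 are the codes reserved for custom DSNs; the text is
# registered with New-SystemMessage before a rule references the code.
New-SystemMessage -DsnCode 5.7.900 -Internal $true -Language En `
    -Text "Messages classified Company Internal can't be sent to external recipients."

# Reject classified mail leaving the organization with that DSN, record the
# match at High audit severity, and stop evaluating lower-priority rules.
New-TransportRule -Name "Reject Company Internal mail to external recipients (example)" `
    -HasClassification (Get-MessageClassification "Company Internal").Identity `
    -SentToScope NotInOrganization `
    -RejectMessageEnhancedStatusCode "5.7.900" `
    -RejectMessageReasonText "Company Internal message blocked by policy" `
    -SetAuditSeverity High `
    -StopRuleProcessing $true

# Lower the trust in mail from a constructed bulk-sender domain and tell the
# recipients why, using the keywords that NotificationMessageText expands from
# the original message.
New-TransportRule -Name "Notify recipients about bulk-sender mail (example)" `
    -SenderDomainIs "bulk-sender.example" `
    -SetSCL 6 `
    -GenerateNotification ("The message '%%Subject%%' from %%From%% received on %%MessageDate%% " +
        "was assigned SCL 6 by a mail flow rule and may be delivered to your Junk Email folder.")

# Verify the action values that were stored on each rule.
Get-TransportRule -Identity "Reject Company Internal mail to external recipients (example)" |
    Format-List Name, RejectMessageEnhancedStatusCode, RejectMessageReasonText, SetAuditSeverity, StopRuleProcessing
Get-TransportRule -Identity "Notify recipients about bulk-sender mail (example)" |
    Format-List Name, SetSCL, GenerateNotification
```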
This article shows you how to create, copy, adjust the order, enable or disable, delete, or
import or export rules, and how to monitor rule usage.
Tip
To make sure your rules work the way you expect, be sure to thoroughly test each
rule and interactions between rules.
Interested in scenarios where these procedures are used? See Mail flow rule procedures in Exchange Online.
For information about how to access the Exchange admin center (EAC), see
Exchange admin center in Exchange Online. To connect to Exchange Online
PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone
EOP PowerShell, see Connect to standalone Exchange Online Protection
PowerShell.
You need to be assigned permissions before you can perform these procedures. To
see what permissions you need, see the "Mail flow" entry in Feature permissions in
Exchange Online.
For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .
7 Note
After you create or modify a mail flow rule, it can take up to 30 minutes or more in
some cases for the new or updated rule to be applied to email.
7 Note
Each DLP policy is a collection of mail flow rules. After you create the DLP policy, you
can fine-tune the rules using the procedures below.
a. In Apply this rule if..., select the condition you want from the list of available
conditions.
Some conditions require you to specify values. For example, if you select the The sender is... condition, you must specify a sender address. If you're adding a word or phrase, note that trailing spaces are not allowed.
If the condition you want isn't listed, or if you need to add exceptions,
select More options. Additional conditions and exceptions will be listed.
If you don't want to specify a condition, and want this rule to apply to
every message in your organization, select [Apply to all messages]
condition.
b. In Do the following..., select the action you want the rule to take on messages
matching the criteria from the list of available actions.
Some of the actions will require you to specify values. For example, if you select the Forward the message for approval to... action, you will need to select a recipient in your organization.
If the action you want isn't listed, select More options. Additional actions will be listed.
c. Specify how rule match data for this rule is displayed in the Data Loss
Prevention (DLP) reports and the Mail protection reports.
Under Audit this rule with severity level, select a level to specify the severity
level for this rule. The activity reports for mail flow rules group rule matches by
severity level. Severity level is just a filter to make the reports easier to use. The
severity level has no impact on the priority in which the rule is processed.
7 Note
If you clear the Audit this rule with severity level checkbox, rule matches
will not show up in the rule reports.
d. Set the mode for the rule. You can use one of the two test modes to test the
rule without impacting mail flow. In both test modes, when the conditions are
met, an entry is added to the message trace.
4. If you are satisfied with the rule, go to step 5. If you want to add more conditions
or actions, or if you want to specify exceptions or set additional properties, click
More options. After you click More options, complete the following fields to
create your rule:
a. To add more conditions, click Add condition. If you have more than one
condition, you can remove any one of them by clicking Remove X next to it.
Note that there are a larger variety of conditions available once you click More
options.
b. To add more actions, click Add action. If you have more than one action, you
can remove any one of them by clicking Remove X next to it. Note that there
are a larger variety of actions available once you click More options.
c. To specify exceptions, click Add exception, then select exceptions using the
Except if... dropdown. You can remove any exceptions from the rule by clicking
the Remove X next to it.
d. If you want this rule to take effect after a certain date, click Activate this rule on
the following date: and specify a date. Note that the rule will still be enabled
prior to that date, but it won't be processed.
Similarly, you can have the rule stop processing at a certain date. To do so, click
Deactivate this rule on the following date: and specify a date. Note that the
rule will remain enabled, but it won't be processed.
e. You can choose to avoid applying additional rules once this rule processes a
message. To do so, click Stop processing more rules. If you select this, and a
message is processed by this rule, no subsequent rules are processed for that
message.
f. You can specify how the message should be handled if the rule processing can't
be completed. By default, the rule will be ignored and the message will be
processed regularly, but you can choose to resubmit the message for
processing. To do so, check the Defer the message if rule processing doesn't
complete check box.
g. If your rule analyzes the sender address, it only examines the message headers
by default. However, you can configure your rule to also examine the SMTP
message envelope. To specify what's examined, click one of the following values
for Match sender address in message:
PowerShell
The rule parameters and action used in the above procedure are for illustration only.
Review all the available mail flow rule conditions and actions to determine which ones
meet your requirements.
In the EAC, verify that the new mail flow rule you created is listed in the Rules list.
From Exchange Online PowerShell, verify that you created the new mail flow rule
successfully by running the following command (the example below verifies the
rule created in Exchange Online PowerShell example above):
PowerShell
7 Note
After you create or modify a mail flow rule, it can take up to 30 minutes or more in some cases for the new or updated rule to be applied to email.
PowerShell
Get-TransportRule
To view the properties of a specific mail flow rule, you provide the name of that rule or
its GUID. It is usually helpful to send the output to the Format-List cmdlet to format the
properties. The following example returns all the properties of the mail flow rule named
Sender is a member of Marketing:
PowerShell
To modify the properties of an existing rule, use the Set-TransportRule cmdlet. This
cmdlet allows you to change any property, condition, action or exception associated
with a rule. The following example adds an exception to the rule "Sender is a member of
marketing" so that it won't apply to messages sent by the user Kelly Rollin:
PowerShell
From the rules list in the EAC, click the rule you modified in the Rules list and view
the details pane.
From Exchange Online PowerShell, verify that you modified the mail flow rule
successfully by running the following command to list the properties you modified
along with the name of the rule (the example below verifies the rule modified in
Exchange Online PowerShell example above):
PowerShell
Audit severity | SetAuditSeverity | Enables you to select a severity level for the audit
Rule modes | Mode | Enables you to set the mode for the rule
Set the priority of a mail flow rule
The rule at the top of the list is processed first. This rule has a Priority of 0.
PowerShell
From the rules list in the EAC, look at the order of the rules.
From Exchange Online PowerShell, verify the priority of the rules (the example
below verifies the rule modified in Exchange Online PowerShell example above):
PowerShell
PowerShell
The following example enables the mail flow rule "Sender is a member of marketing":
PowerShell
In the EAC, view the list of rules in the Rules list and check the status of the check
box in the ON column.
From Exchange Online PowerShell, run the following command which will return a
list of all rules in your organization along with their status:
PowerShell
PowerShell
In the EAC, view the rules in the Rules list and verify that the rule you removed is
no longer shown.
From Exchange Online PowerShell, run the following command and verify that the
rule you remove is no longer listed:
PowerShell
Get-TransportRule
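The create, view, modify, prioritize, enable and remove procedure above, carried through in Exchange Online PowerShell as an added example that is not the article's own (missing) command blocks: the group address, Kelly Rollin's address and the disclaimer text are constructed.

```powershell
# Added example, not the article's own code. The group address, Kelly Rollin's
# address and the disclaimer text are constructed placeholders.

# Create the rule the article refers to as "Sender is a member of Marketing".
New-TransportRule -Name "Sender is a member of Marketing" `
    -FromMemberOf "marketing@contoso.com" `
    -SetAuditSeverity Low `
    -ApplyHtmlDisclaimerText "<p>Sent by the Marketing team.</p>" `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# View all properties of that one rule; Format-List keeps the long values readable.
Get-TransportRule -Identity "Sender is a member of Marketing" | Format-List

# Add the exception for Kelly Rollin and verify only the property that changed.
Set-TransportRule -Identity "Sender is a member of Marketing" -ExceptIfFrom "kelly.rollin@contoso.com"
Get-TransportRule -Identity "Sender is a member of Marketing" | Format-List Name, ExceptIfFrom

# Priority 0 is processed first; the other rules are renumbered to make room.
Set-TransportRule -Identity "Sender is a member of Marketing" -Priority 0
Get-TransportRule | Format-Table Name, Priority -AutoSize

# Disable while editing, enable afterwards; State shows Enabled or Disabled.
Disable-TransportRule -Identity "Sender is a member of Marketing" -Confirm:$false
Enable-TransportRule -Identity "Sender is a member of Marketing"
Get-TransportRule | Format-Table Name, State, Mode, Priority -AutoSize

# Remove the rule and confirm it is no longer listed.
Remove-TransportRule -Identity "Sender is a member of Marketing" -Confirm:$false
Get-TransportRule | Format-Table Name, State -AutoSize
```

Allow up to 30 minutes after each change before expecting it to affect mail flow, as the note above says.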
7 Note
While most data is in the report within 24 hours, some data may take as long as 5
days to appear.
For information about how to export a mail flow rule collection to an XML file, see
Export-TransportRuleCollection.
Restrict a rule to messages either coming into or going out of the organization:
By default, a new rule applies to messages that are sent by and received by people
in your organization. So if you want the rule to apply only one way, be sure to
specify that in the conditions for the rule. For examples, see Use mail flow rules for
attachment blocking scenarios in Exchange Online
Restrict a rule based on the sender's or receiver's domain: By default, a new rule
applies to messages sent from or received by any domain. Sometimes you want a
rule to apply to all domains except for one, or to just one domain. See Create
blocked sender lists in EOP.
For a complete list of all the conditions and exceptions that are available for mail flow
rules, see Mail flow rule conditions and exceptions (predicates) in Exchange Online.
If you use two rules like this, be sure that the conditions are identical. For example:
To stop rule processing after a rule is triggered, in the rule, select the Stop processing
more rules check box.
Expression Matches
For an example that shows a text file with regular expressions and the Exchange module
Windows PowerShell commands to use, see Use mail flow rules to route email based on
a list of words, phrases, or patterns in Exchange Online.
To learn how to specify patterns using regular expressions, see Regular Expression
Reference.
Test mail flow rules in Exchange Online
Article • 12/29/2021 • 5 minutes to read
Important
Wait at least 30 minutes after creating a rule before you test it. If you test
immediately after you create the rule, you may get inconsistent behavior.
You can evaluate the conditions for a rule without taking any actions that affect mail
flow by choosing a test mode. You can set up a rule so that you get an email notification
any time the rule is matched, or you can look at the message trace for messages that
might match the rule. There are two test modes:
Test without Policy Tips: Use this mode together with an incident report action so
that you receive an email message each time a message matches the rule.
Test with Policy Tips: This mode is only available if you're using Data loss
prevention (DLP), which is available with some Exchange Online and Exchange
Online Protection (EOP) subscription plans. With this mode, a message is sent to the
sender when a message they are sending matches a policy, but no mail flow
actions are taken.
Here's what you'll see when a rule is matched if you include the incident report action:
Use a test mode with an incident report action
1. In the Exchange admin center (EAC), go to Mail flow > Rules.
2. Create a new rule, or select an existing rule, and then select Edit.
3. Scroll down to the Choose a mode for this rule section, and then select Test
without Policy Tips or Test with Policy Tips.
a. Select Add action, or, if this isn't visible, select More options, and then select
Add action.
d. Select Include message properties, and then select any message properties that
you want included in the email you receive. If you don't select any, you will still
get an email when the rule is matched.
5. Select Save.
If you don't have access to multiple accounts in your organization, you can test in a
trial account or create a few temporary fake users in your organization.
Because a web browser typically doesn't let you have simultaneous open sessions
on the same computer signed in to multiple accounts, you can use Internet
Explorer InPrivate Browsing, or a different computer, device, or web browser for
each user.
2. Find the messages that you want to trace by using criteria such as the sender and
the date sent. For help specifying criteria, see Run a Message Trace and View
Results.
3. After locating the message you want to trace, double-click it to view details about
the message.
4. Look in the Event column for Transport rule. The Action column shows the specific
action taken.
3. Select Enforce.
4. If you used an action to generate an incident report, select the action and then
select Remove.
5. Select Save.
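The test-mode workflow above (create the rule in a test mode with an incident report, check the trace, then enforce and drop the report) as an added PowerShell example; this is not code from the original article. The rule name, the report mailbox and the condition are placeholders, and clearing the incident report with $null is an assumption about the cmdlet's behaviour.

```powershell
# Added example (not part of the original article): create a rule in a test mode with an
# incident report, then switch it to Enforce and drop the report once testing is done.
# Rule name, report mailbox and condition are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

$ruleName = 'Test - Block attachments over 10 MB'      # placeholder
$reportTo = 'secops-reports@contoso.example'           # placeholder mailbox for incident reports

# Mode Audit = "Test without Policy Tips"; AuditAndNotify = "Test with Policy Tips" (needs DLP).
# In a test mode the action (here RejectMessageReasonText) is evaluated but NOT applied, so
# mail flow is unaffected while the incident reports show what the rule would have matched.
New-TransportRule -Name $ruleName `
    -Mode Audit `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText 'Attachments larger than 10 MB are not allowed.' `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections, AttachOriginalMail

# Wait at least 30 minutes (as the article advises) and send test messages; in the message
# trace, look for Event = "Transport rule" to see which action WOULD have been taken.

# Promote to production: enforce the action and remove the incident report action.
# (Passing $null to clear the report settings is an assumption, not taken from the article.)
Set-TransportRule -Identity $ruleName -Mode Enforce `
    -GenerateIncidentReport $null -IncidentReportContent $null

Get-TransportRule -Identity $ruleName | Format-List Name, Mode, GenerateIncidentReport
```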
Troubleshooting suggestions
Here are some common problems and resolutions:
Occasionally it takes longer than 15 minutes for a new mail flow rule to be available.
Wait a few hours, and then test again. Also check whether another rule might be
interfering. Try changing this rule to priority 0 by moving it to the top of the list.
Disclaimer is added to original message and all replies, instead of just the
original message.
To avoid this, you can add an exception to your disclaimer rule to look for a unique
phrase in the disclaimer.
My rule has two conditions, and I want the action to happen when either of the
conditions is met, but it only is matched when both conditions are met.
You need to create two rules, one for each condition. You can easily copy the rule
by selecting Copy and then remove one condition from the original and the other
condition from the copy.
I'm working with distribution groups, and The sender is (SentTo) doesn't seem
to be working.
To view a rules report, in the Microsoft 365 admin center, select Reports.
Note
While most data is in the report within 24 hours, some data may take as long as 5
days to appear.
To learn more, see View mail protection reports.
To learn about concepts and objectives for mail flow rules, see Mail flow rules (transport
rules) in Exchange Online.
Use mail flow rules to block messages with executable attachments: Learn how to use
mail flow rules to block messages that contain executable attachments.
Use mail flow rules to inspect message attachments: Learn how to use mail flow rule
conditions that allow you to inspect the content of message attachments.
Use mail flow rules to set the spam confidence level (SCL) in messages: Learn how to use
mail flow rules to mark specific messages as spam before they're even scanned by spam
filtering, or mark messages so they'll skip spam filtering.
Use mail flow rules to filter bulk email: Examples describing how to mark messages that
contain specific bulk indicator content as spam.
Use mail flow rules to see what users are reporting to Microsoft: Receive copies of
messages that users report as junk, not junk or phishing to Microsoft.
Use mail flow rules so messages can bypass Clutter: Information to help you make sure
messages are sent to an inbox instead of the Clutter folder.
Use mail flow rules to route email based on a list of words, phrases, or patterns:
Information to help you comply with your organization's email policies.
Use mail flow rules to automatically add meetings to calendars in Exchange Online: Use
the Direct to Calendar feature in Exchange Online to add meetings directly to calendars
in Exchange Online.
Define rules to encrypt email messages in Exchange Online: Learn how to use mail flow
rules to encrypt messages using Microsoft Purview Message Encryption.
Use mail protection reports to view data about malware, spam, and rule detections
Common attachment blocking scenarios for mail flow rules in Exchange Online
Article • 03/18/2022 • 3 minutes to read
Notes:
For additional examples showing how to block specific attachments by using mail
flow rules, see Use mail flow rules to inspect message attachments in Exchange
Online.
Anti-malware policies in EOP allow you to block specific file types by turning on and
configuring the common attachment types filter. For instructions, see Configure
anti-malware policies in EOP.
To get started using mail flow rules to block certain message types, do the following
steps:
1. Open the Exchange admin center (EAC). For more information, see Exchange
admin center in Exchange Online.
2. Go to Mail flow > Rules.
3. Click New and then select Create a new rule.
4. In the Name box, specify a name for the rule, and then click More options.
5. Select the conditions and actions you want.
Note
In the EAC, the smallest attachment size that you can enter is 1 kilobyte, which
should detect most attachments. However, if you want to detect every possible
attachment of any size, you need to use PowerShell to adjust the attachment size to
1 byte after you create the rule in the EAC. To connect to PowerShell, see Connect
to Exchange Online PowerShell or Connect to standalone Exchange Online
Protection PowerShell.
Embedded images are treated as attachments (for example, messages with a
picture in the signature). For this reason, we do not recommend using a very small
value for the attachment size since unexpected messages will be blocked.
In this example, all messages sent to or from the organization with attachments greater
than 10 Megabytes are blocked.
If all you want to do is block the message, you might want to stop rule processing once
this rule is matched. Scroll down the rule dialog box, and select the Stop processing
more rules check box.
You can include placeholders in the notification message so that it includes information
about the original message. The placeholders must be enclosed in two percent signs
(%%), and when the notification message is sent, the placeholders are replaced with
information from the original message. You can also use basic HTML such as <br>, <b>,
<i>, and <img> in the message.
%%Headers%%: Headers from the original message. This is similar to the list of headers in
a delivery status notification (DSN) generated for the original message.
In this example, all messages that contain attachments and are sent to people inside
your organization are blocked, and the recipient is notified.
The first rule adds the word "undeliverable" to the beginning of the subject of any
messages with attachments.
The second rule blocks the message and sends a notification message to the
sender using the new subject of the original message.
Important
The two rules must have identical conditions. Rules are processed in order, so the
first rule adds the word "undeliverable", and the second rule blocks the message
and notifies the recipient.
Here's what the first rule would look like if you want to add "undeliverable" to the
subject:
And the second rule does the blocking and notification (the same rule from Example 2):
Example 4: Apply a rule with a time limit
If you have a malware outbreak, you might want to apply a rule with a time limit so that
you temporarily block attachments. For example, the following rule has both a start and
stop day and time:
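The four EAC examples in this article (size-based block with stop processing, the two-rule "undeliverable" pattern with identical conditions and %%placeholders%%, and the time-limited outbreak rule) as one added Exchange Online PowerShell example; this is not code from the original article. Rule names, notification wording and the activation dates are placeholders; the 10 MB limit, the placeholders and the "undeliverable" tag are the article's.

```powershell
# Added example (not part of the original article): PowerShell equivalents of the four EAC
# examples above. Rule names, notification text and activation dates are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

# Example 1: block messages in either direction with attachments over 10 MB and stop
# processing further rules once this one matches.
New-TransportRule -Name 'Block attachments over 10 MB' `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText 'Attachments larger than 10 MB are not allowed.' `
    -StopRuleProcessing $true

# Examples 2 and 3: two rules that MUST share identical conditions. Rules run in priority
# order, so the first rewrites the subject and the second (which sees the rewritten subject)
# blocks the message and notifies the recipient. 1KB is the EAC minimum; PowerShell accepts
# 1 (byte), but embedded images such as signature pictures count as attachments, so very
# small values block unexpected messages.
$sameConditions = @{ SentToScope = 'InOrganization'; AttachmentSizeOver = 1KB }

New-TransportRule -Name 'Internal attachments - tag subject' @sameConditions `
    -PrependSubject 'undeliverable: ' `
    -Priority 0

# Placeholders are replaced from the original message; basic HTML such as <br> is allowed.
$notice = 'This message was blocked because it contained an attachment.<br>' +
          'From: %%From%%<br>Subject: %%Subject%%<br><br>Original headers:<br>%%Headers%%'
New-TransportRule -Name 'Internal attachments - block and notify' @sameConditions `
    -DeleteMessage $true `
    -GenerateNotification $notice `
    -Priority 1

# Example 4: outbreak response, active only between a start and an end date/time.
$start = Get-Date '2023-01-10T08:00:00'   # placeholder start
$end   = Get-Date '2023-01-17T08:00:00'   # placeholder end
New-TransportRule -Name 'Outbreak - temporarily block all attachments' `
    -AttachmentSizeOver 1KB `
    -RejectMessageReasonText 'Attachments are temporarily blocked while an outbreak is contained.' `
    -ActivationDate $start `
    -ExpiryDate $end

Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, ActivationDate, ExpiryDate
```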
See also
Mail flow rules (transport rules) in Exchange Online
Use mail flow rules to block messages with executable attachments in Exchange Online
Article • 12/16/2022 • 3 minutes to read
To further enhance protection, you can use mail flow rules (also known as transport
rules) to identify and block messages that contain executable attachments as described
in this article.
For example, following a malware outbreak, a company could apply this rule with a time
limit so that affected users can get back to sending attachments after a specified length
of time.
To open the EAC in Exchange Online, see Exchange admin center in Exchange
Online. To open the EAC in standalone EOP, see Exchange admin center in
standalone EOP.
For more information about mail flow rules in Exchange Online and standalone
EOP, see the following topics:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online
3. In the New rule page that opens, configure the following settings:
Apply this rule if: Select Any attachment > has executable content.
Do the following: Select Block the message and then choose the action you
want:
reject the message with the enhanced status code of: In the Enter
enhanced status code dialog that appears, enter the enhanced status
code that you want to appear in the NDR. Valid values are 5.7.1 or a value
from 5.7.900 to 5.7.999. The default rejection text is: Delivery not
authorized, message refused.
4. When you're finished, click Save. Your attachment blocking rule is now in force.
Notes:
This example creates a new rule named Block Executable Attachments that silently
deletes messages that contain executable attachments.
PowerShell
In the EAC, go to Mail flow > Rules > select the rule > click Edit , and verify the
settings.
PowerShell
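The "Block Executable Attachments" rule described above, created and then verified from Exchange Online PowerShell, as an added example that is not code from the original article. The commented reject variant uses the enhanced status code and default rejection text the article lists.

```powershell
# Added example (not part of the original article): the "Block Executable Attachments" rule
# described in the text, created and then verified from Exchange Online PowerShell.
Connect-ExchangeOnline -ShowBanner:$false

# "Any attachment > has executable content" = AttachmentHasExecutableContent; the action
# silently deletes the message (no NDR to the sender).
New-TransportRule -Name 'Block Executable Attachments' `
    -AttachmentHasExecutableContent $true `
    -DeleteMessage $true

# Alternative action: reject with an NDR instead of deleting. Valid enhanced status codes are
# 5.7.1 or 5.7.900 to 5.7.999; the text below is the article's default rejection text.
# New-TransportRule -Name 'Reject Executable Attachments' `
#     -AttachmentHasExecutableContent $true `
#     -RejectMessageEnhancedStatusCode 5.7.1 `
#     -RejectMessageReasonText 'Delivery not authorized, message refused.'

# Verify the settings (the EAC equivalent is Mail flow > Rules > select the rule > Edit).
Get-TransportRule -Identity 'Block Executable Attachments' |
    Format-List Name, State, Mode, Priority, AttachmentHasExecutableContent, DeleteMessage
```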
Search for files with text that matches a pattern you specify, and add a disclaimer
to the end of the message.
Inspect content within attachments and, if there are any keywords you specify,
redirect the message to a moderator for approval before it's delivered.
Check for messages with attachments that can't be inspected and then block the
entire message from being sent.
Check for attachments that exceed a certain size and then notify the sender of the
issue, if you choose to prevent the message from being delivered.
Check whether the properties of an attached Office document match the values
that you specify. With this condition, you can integrate the requirements of your
mail flow rules and DLP policies with a third-party classification system, such as
SharePoint or the Windows Server File Classification Infrastructure (FCI).
Create notifications that alert users if they send a message that has matched a mail
flow rule.
Block all messages containing attachments. For examples, see Use mail flow rules
for attachment blocking scenarios in Exchange Online.
Note
Exchange Online admins can create mail flow rules in the Exchange admin center (EAC)
at Mail flow > Rules. You need permissions to do this procedure. After you start to
create a new rule, you can see the full list of attachment-related conditions by clicking
More options > Any attachment under Apply this rule if. The attachment-related
options are shown in the following diagram.
For more information about mail flow rules, including the full range of conditions and
actions that you can choose, see Mail flow rules (transport rules) in Exchange Online.
Exchange Online Protection (EOP) and hybrid customers can benefit from the mail flow
rules best practices provided in Best Practices for Configuring EOP. If you're ready to
start creating rules, see Manage mail flow rules in Exchange Online.
To start using these conditions when inspecting messages, you need to add them to a
mail flow rule. Learn about creating or changing rules at Manage mail flow rules in
Exchange Online.
Condition name in the EAC | Condition name in Exchange Online PowerShell | Description
--- | --- | ---
Any attachment > content includes any of these words | AttachmentContainsWords | Matches messages whose attachment content (supported file types only) contains any of the specified words.
Any attachment > content matches these text patterns | AttachmentMatchesPatterns | Matches messages whose attachment content (supported file types only) matches any of the specified regular expressions.
Any attachment's content can't be inspected (also shown as Any attachment > content can't be inspected) | AttachmentIsUnsupported | Mail flow rules can only inspect the content of supported file types. If the mail flow rule finds an attachment that isn't supported, the AttachmentIsUnsupported condition is triggered. The supported file types are described in the next section.
Note
Learn more about property types for these conditions at Mail flow rule
conditions and exceptions (predicates) in Exchange Online.
Category | File extensions | Notes
--- | --- | ---
Microsoft Office | .doc, .docm, .docx, .dot, .dotm, .dotx, .obd, .obt, .one, .pot, .potm, .potx, .ppa, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .xlb, .xlc, .xls, .xlsb, .xlsm, .xlsx, .xlt | The contents of any embedded parts contained within these file types are also inspected. However, any objects that aren't embedded (for example, linked documents) aren't inspected. Content within the custom properties is also scanned.
OpenDocument | .odp, .ods, .odt | No parts of .odf files are processed. For example, if the .odf file contains an embedded document, the contents of that embedded document aren't inspected.
Text | .asm, .bat, .c, .cmd, .cpp, .cs, .csv, .cxx, .def, .dic, .h, .hpp, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .java, .js, .lnk, .log, .m3u, messagestorage, .mpx, .php, .pl, .pos, .txt, .vcf, .vcs | Other files that are text based are also scanned. This list is representative.
Note
If you want to block certain files by using the AttachmentNameMatchesPatterns or
AttachmentExtensionMatchesWords condition, be aware that these conditions inspect the
actual file name extension, not the file properties. This is different from the file
content inspection performed by the other conditions mentioned earlier.
If you need to block a file based on detection of its system file properties (for
example, when the file has been renamed), use the "common attachment filter" feature
of the anti-malware policy instead.
Condition name in the EAC | Condition name in Exchange Online PowerShell | Description
--- | --- | ---
Any attachment > file name matches these text patterns | AttachmentNameMatchesPatterns | Matches the attachment's file name (not its content) against the specified regular expressions.
Any attachment > file extension includes these words | AttachmentExtensionMatchesWords | Matches the attachment's actual file name extension (not its content or file properties) against the specified words.
Any attachment > didn't complete scanning | AttachmentProcessingLimitExceeded | Triggered when the rules engine couldn't finish scanning the attachment.
Any attachment > has executable content | AttachmentHasExecutableContent | Matches attachments whose content is one of the executable file types listed below.
Note
Learn more about property types for these conditions at Mail flow rule
conditions and exceptions (predicates) in Exchange Online.
Type of file | Native extension
--- | ---
32-bit Windows executable file with a dynamic link library extension | .dll
European Institute for Computer Antivirus Research standard antivirus test file | .com
Important
.rar (self-extracting archive files created with the WinRAR archiver), .jar (Java archive
files), and .obj (compiled source code, 3D object, or sequence files) files are not
considered to be executable file types. To block these files, you can use mail flow
rules that look for files with these extensions as described earlier in this article, or
you can configure an antimalware policy that blocks these file types (the common
attachment types filter). For more information, see Configure anti-malware policies
in EOP.
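The attachment conditions discussed in this article (extension matching for types the executable check does not cover, uninspectable content, and keyword hits inside supported attachments routed to a moderator) as one added PowerShell example; this is not code from the original article. Rule names, the moderator mailbox and the keyword list are placeholders; .rar, .jar and .obj are the extensions the Important note above calls out.

```powershell
# Added example (not part of the original article): three rules built on the attachment
# conditions described above. Rule names, moderator address and keywords are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Extension-based block for the archive/object types that "has executable content" does
#    not classify as executable. This matches the file NAME extension only (not content or
#    file properties), so a renamed file gets past it; the anti-malware policy's common
#    attachment types filter is the backstop for that case.
New-TransportRule -Name 'Block .rar .jar .obj by extension' `
    -AttachmentExtensionMatchesWords 'rar','jar','obj' `
    -RejectMessageReasonText 'Archive and object files are not accepted as attachments.'

# 2. Content that can't be inspected (file type outside the supported list): hold the message
#    for a moderator instead of letting it through uninspected.
New-TransportRule -Name 'Moderate uninspectable attachments' `
    -AttachmentIsUnsupported $true `
    -ModerateMessageByUser 'mail-moderator@contoso.example'

# 3. Keyword hits inside supported attachment types (Office, OpenDocument, text): moderator
#    approval before delivery, as the inspection article describes.
New-TransportRule -Name 'Moderate attachments with restricted keywords' `
    -AttachmentContainsWords 'Project Falcon','Internal Only' `
    -ModerateMessageByUser 'mail-moderator@contoso.example'

Get-TransportRule |
    Where-Object { $_.Name -like 'Block .rar*' -or $_.Name -like 'Moderate *' } |
    Format-Table Name, State, Priority -AutoSize
```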
To help you manage important business information in email, you can include any of the
attachment-related conditions along with the rules of a data loss prevention (DLP)
policy.
DLP policies and attachment-related conditions can help you enforce your business
needs by defining those needs as mail flow rule conditions, exceptions, and actions.
When you include the sensitive information inspection in a DLP policy, any attachments
to messages are scanned for that information only. However, attachment-related
conditions such as size or file type aren't included until you add the conditions listed in
this article. DLP isn't available with all versions of Exchange; learn more at Data loss
prevention.
If you want to mark specific messages as spam before they're even scanned by spam
filtering, or mark messages so they'll skip spam filtering, you can create mail flow rules
(also known as transport rules) to identify the messages and set the spam confidence
level (SCL). For more information about the SCL, see Spam confidence level (SCL) in EOP.
To open the EAC in Exchange Online, see Exchange admin center in Exchange
Online. To open the EAC in standalone EOP, see Exchange admin center in
standalone EOP.
For more information about mail flow rules in Exchange Online and standalone
EOP, see the following topics:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online
3. In the New rule page that opens, configure the following settings:
Apply this rule if: Select one or more conditions to identify messages. For
more information, see Mail flow rule conditions and exceptions (predicates)
in Exchange Online.
Do the following: Select Modify the message properties > set the spam
confidence level (SCL). In the Specify SCL dialog that appears, configure one
of the following values:
Bypass spam filtering: The messages will skip spam filtering. High confidence
phishing messages are still filtered. Other features in EOP are not affected (for
example, messages are always scanned for malware).
Caution
Be very careful about allowing messages to skip spam filtering. The mail
flow rule should use more conditions than just the sender's email
address or domain. For more information, see Create safe sender lists in
EOP.
4. Specify any additional properties that you want for the rule. When you're finished,
click Save.
If you want more options to filter bulk mail, you can create mail flow rules (also known
as transport rules) to search for text patterns or phrases that are frequently found in
bulk mail, and mark those messages as spam. For more information about bulk mail, see
What's the difference between junk email and bulk email? and Bulk complaint level
(BCL) in EOP.
This topic explains how to create these mail flow rules in the Exchange admin center (EAC)
and PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with
mailboxes in Exchange Online; standalone EOP PowerShell for organizations without
Exchange Online mailboxes).
To open the EAC in Exchange Online, see Exchange admin center in Exchange
Online. To open the EAC in standalone EOP, see Exchange admin center in
standalone EOP.
For more information about mail flow rules in Exchange Online and standalone
EOP, see the following topics:
Mail flow rules (transport rules) in Exchange Online
Mail flow rule conditions and exceptions (predicates) in Exchange Online
Mail flow rule actions in Exchange Online
The list of words and text patterns that are used to identify bulk mail in the
examples aren't exhaustive; you can add and remove entries as necessary.
However, they are a good starting point.
The search for words or text patterns in the subject or other header fields in the
message occurs after the message has been decoded from the MIME content
transfer encoding method that was used to transmit the binary message between
SMTP servers in ASCII text. You can't use conditions or exceptions to search for the
raw (typically, Base64) encoded values of the subject or other header fields in
messages.
The following procedures mark a bulk message as spam for your entire
organization. However, you can add another condition to apply these rules only to
specific recipients, so you can use aggressive filtering on a few, highly targeted
users, while the rest of your users (who mostly get the bulk email they signed up
for) aren't impacted.
3. In the New rule page that opens, configure the following settings:
Apply this rule if: Configure one of the following settings to look for content
in messages using regular expressions (RegEx) or words or phrases:
The subject or body > subject or body matches these text patterns: In
the Specify words or phrases dialog that appears, enter one of the
following values, click Add , and repeat until you've entered all the
values.
If you are unable to view the content of this email\, please
please
If you are unable to view the content of this email\, please click
here
To ensure you receive (your daily deals|our e-?mails)\, add
unsubscribe)
To edit an entry, select it and click Edit . To remove an entry, select it and
click Remove .
The subject or body > subject or body includes any of these words: In
the Specify words or phrases dialog that appears, enter one of the
following values, click Add , and repeat until you've entered all the
values.
to change your preferences or unsubscribe
This is an advertisement
you would like to unsubscribe or change your
To edit an entry, select it and click Edit . To remove an entry, select it and
click Remove .
Do the following: Select Modify the message properties > set the spam
confidence level (SCL). In the Specify SCL dialog that appears, configure one
of the following settings:
To mark messages as Spam, select 6. The action that you've configured for
Spam filtering verdicts in your anti-spam policies is applied to the
messages (the default value is Move message to Junk Email folder).
For more information about SCL values, see Spam confidence level (SCL) in EOP.
PowerShell
This example creates a new rule named "Bulk email filtering - RegEx" that uses the same
list of regular expressions from earlier in the topic to set messages as Spam.
PowerShell
This example creates a new rule named "Bulk email filtering - Words" that uses the same
list of words from earlier in the topic to set messages as High confidence spam.
PowerShell
In the EAC, go to Mail flow > Rules > select the rule > click Edit , and verify the
settings.
In PowerShell, replace <Rule Name> with the name of the rule, and run the
following command to verify the settings:
PowerShell
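The two bulk-mail rules described above ("Bulk email filtering - RegEx" marking matches as Spam, "Bulk email filtering - Words" marking matches as High confidence spam), built from the patterns and words listed in the procedure and then verified, as an added PowerShell example that is not code from the original article. The SCL values follow the SCL action described earlier (6 = Spam, 9 = High confidence spam); the recipient addresses in the commented scoping line are placeholders.

```powershell
# Added example (not part of the original article): the two bulk-mail rules described in the
# text, then a verification query. Rule names are the article's; recipients are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

# Regular expressions. Matching runs on the DECODED subject/body, not the raw (Base64)
# MIME encoding. Single quotes keep the backslashes literal for the rule engine.
$bulkPatterns = @(
    'If you are unable to view the content of this email\, please click here',
    'To ensure you receive (your daily deals|our e-?mails)\, add'
)
New-TransportRule -Name 'Bulk email filtering - RegEx' `
    -SubjectOrBodyMatchesPatterns $bulkPatterns `
    -SetSCL 6

# Plain words/phrases: mark as High confidence spam.
$bulkWords = @(
    'to change your preferences or unsubscribe',
    'This is an advertisement',
    'you would like to unsubscribe or change your'
)
New-TransportRule -Name 'Bulk email filtering - Words' `
    -SubjectOrBodyContainsWords $bulkWords `
    -SetSCL 9

# Optional: limit the aggressive rule to a few highly targeted users, as the article suggests,
# so everyone else keeps receiving the bulk mail they signed up for. Placeholder recipients.
# Set-TransportRule -Identity 'Bulk email filtering - Words' -SentTo 'ceo@contoso.example','cfo@contoso.example'

# Verify both rules.
Get-TransportRule |
    Where-Object { $_.Name -like 'Bulk email filtering - *' } |
    Format-List Name, State, SetSCL, SubjectOrBodyMatchesPatterns, SubjectOrBodyContainsWords
```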
You can create a mail flow rule (also known as a transport rule) that looks for messages
that users report to Microsoft, and you can configure Bcc recipients to receive copies of
these reported messages.
You can create the mail flow rule in the Exchange admin center (EAC) and PowerShell
(Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in
Exchange Online; standalone EOP PowerShell for organizations without Exchange Online
mailboxes).
To open the EAC in Exchange Online, see Exchange admin center in Exchange
Online. To open the EAC in standalone EOP, see Exchange admin center in
standalone EOP.
3. In the New rule page that opens, configure the following settings:
Name: Enter a unique, descriptive name for the rule. For example, Bcc
Messages Reported to Microsoft.
Apply this rule if: Select The recipient > address includes any of these
words: In the Specify words or phrases dialog that appears, enter one of the
following values, click Add , and repeat until you've entered all the values.
junk@office365.microsoft.com
abuse@messaging.microsoft.com
phish@office365.microsoft.com
not_junk@office365.microsoft.com
To edit an entry, select it and click Edit . To remove an entry, select it and
click Remove .
Do the following: Select Add recipients > to the Bcc box. In the dialog that
appears, find and select the recipients that you want to add. When you're
finished, click OK.
4. You can make additional selections to audit the rule, test the rule, activate the rule
during a specific time period, and other settings. We recommend testing the rule
before you enforce it.
PowerShell
In the EAC, go to Mail flow > Rules > select the rule > click Edit , and verify the
settings.
PowerShell
Send a test message to one of the reporting email addresses and verify the results.
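The "Bcc Messages Reported to Microsoft" rule described above, created in a test mode first and then enforced, as an added PowerShell example that is not code from the original article. The four reporting addresses are the article's; the Bcc mailbox is a placeholder.

```powershell
# Added example (not part of the original article): the "Bcc Messages Reported to Microsoft"
# rule from the text. Reporting addresses are the article's; the Bcc mailbox is a placeholder.
Connect-ExchangeOnline -ShowBanner:$false

$reportingAddresses = @(
    'junk@office365.microsoft.com',
    'abuse@messaging.microsoft.com',
    'phish@office365.microsoft.com',
    'not_junk@office365.microsoft.com'
)

# "The recipient > address includes any of these words" = RecipientAddressContainsWords.
# Start in Audit mode (the Bcc action is evaluated but not applied) so the match logic can be
# checked in the message trace before copies of user-reported mail are sent anywhere.
New-TransportRule -Name 'Bcc Messages Reported to Microsoft' `
    -RecipientAddressContainsWords $reportingAddresses `
    -BlindCopyTo 'secops-abuse@contoso.example' `
    -Mode Audit

# Verify the settings, then switch to Enforce once the trace shows the expected matches.
Get-TransportRule -Identity 'Bcc Messages Reported to Microsoft' |
    Format-List Name, Mode, RecipientAddressContainsWords, BlindCopyTo
Set-TransportRule -Identity 'Bcc Messages Reported to Microsoft' -Mode Enforce
```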
Configure connection filtering
Article • 12/10/2022 • 11 minutes to read
IP Allow List: Skip spam filtering for all incoming messages from the source email
servers that you specify by IP address or IP address range. For scenarios where
spam filtering might still occur on messages from these sources, see the Scenarios
where messages from sources in the IP Allow List are still filtered section later in
this article. For more information about how the IP Allow List should fit into your
overall safe senders strategy, see Create safe sender lists in EOP.
IP Block List: Block all incoming messages from the source email servers that you
specify by IP address or IP address range. The incoming messages are rejected, are
not marked as spam, and no additional filtering occurs. For more information
about how the IP Block List should fit into your overall blocked senders strategy,
see Create block sender lists in EOP.
Safe list: The safe list is a dynamic allow list in the Microsoft datacenter that
requires no customer configuration. Microsoft identifies these trusted email
sources from subscriptions to various third-party lists. You enable or disable the
use of the safe list; you can't configure the source email servers on the safe list.
Spam filtering is skipped on incoming messages from the email servers on the safe
list.
This article describes how to configure the default connection filter policy in the
Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for
Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP
PowerShell for organizations without Exchange Online mailboxes). For more information
about how connection filtering fits into your organization's overall anti-spam settings,
see Anti-spam protection.
Note
The IP Allow List, safe list, and the IP Block List are one part of your overall strategy
to allow or block email in your organization. For more information, see Create safe
sender lists and Create blocked sender lists.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To modify the default connection filter policy, you need to be a member of the
Organization Management or Security Administrator role groups.
For read-only access to the default connection filter policy, you need to be a
member of the Global Reader or Security Reader role groups.
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
To find the source IP addresses of the email servers (senders) that you want to
allow or block, you can check the connecting IP (CIP) header field in the message
header. To view a message header in various email clients, see View internet
message headers in Outlook .
The IP Allow List takes precedence over the IP Block List (an address on both lists is
not blocked).
The IP Allow List and the IP Block List each support a maximum of 1273 entries,
where an entry is a single IP address, an IP address range, or a Classless
InterDomain Routing (CIDR) IP.
2. On the Anti-spam policies page, select Connection filter policy (Default) from the
list by clicking on the name of the policy.
3. In the policy details flyout that appears, configure any of the following settings:
Description section: Click Edit name and description. In the Edit name and
description flyout that appears, enter optional descriptive text in the
Description box.
Connection filtering section: Click Edit connection filter policy. In the flyout
that appears, configure the following settings:
To add an IP address or address range, click in the box, type the value, and then click
Add. To remove an entry, select the entry in Allowed IP Address and then click
Remove. When you're finished, click Save.
Turn on safe list: Enable or disable the use of the safe list to identify known,
good senders that will skip spam filtering. To use the safe list, select the check
box.
2. On the Anti-spam policies page, the following properties are displayed in the list
of policies:
Name: This value is Connection filter policy (Default) for the default
connection filter policy.
Status: This value is Always on for the default connection filter policy.
Priority: This value is Lowest for the default connection filter policy.
Type: This value is blank for the default connection filter policy.
3. When you select the default connection filter policy, the policy settings are
displayed in a flyout.
PowerShell
Notes:
IPAddressOrRange3","IPAddressOrRange4",...,"IPAddressOrRangeN"} .
To empty the IP Allow List or IP Block List, use the value $null .
This example configures the IP Allow List and the IP Block List with the specified IP
addresses and address ranges.
PowerShell
This example adds and removes the specified IP addresses and address ranges from the
IP Allow List.
PowerShell
PowerShell
Now that you're fully aware of the potential issues, you can create a mail flow rule with
the following settings (at a minimum) to ensure that messages from these IP addresses
will skip spam filtering:
Rule condition: Apply this rule if > The sender > IP address is in any of these
ranges or exactly matches > (enter your CIDR IP with a /1 to /23 network mask).
Rule action: Modify the message properties > Set the spam confidence level
(SCL) > Bypass spam filtering.
You can audit the rule, test the rule, activate the rule during a specific time period, and
other selections. We recommend testing the rule for a period before you enforce it. For
more information, see Manage mail flow rules in Exchange Online.
For example, the source email server 192.168.1.25 sends email from the domains
contoso.com, fabrikam.com, and tailspintoys.com, but you only want to skip spam
filtering for messages from senders in fabrikam.com. To do this, use the following steps:
2. Configure a mail flow rule with the following settings (at a minimum):
Rule condition: Apply this rule if > The sender > IP address is in any of
these ranges or exactly matches > 192.168.1.25 (the same IP address or
address range that you added to the IP Allow List in the previous step).
Rule action: Modify the message properties > Set the spam confidence
level (SCL) > 0.
Rule exception: The sender > domain is > fabrikam.com (only the domain or
domains that you want to skip spam filtering).
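The PowerShell configuration of the default connection filter policy described earlier (replacing, adding and removing IP Allow List and IP Block List entries, enabling the safe list) together with the "only one domain from an allowed IP" rule just described, as one added example; this is not code from the original article. 192.168.1.25 and fabrikam.com are the article's sample values; every other address and the rule names are placeholders.

```powershell
# Added example (not part of the original article): configure the default connection filter
# policy from PowerShell, then add the "one domain only from an allowed IP" rule described
# above. 192.168.1.25 and fabrikam.com are the article's values; other addresses are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

# Replace both lists outright. Entries are single IPs, ranges or CIDR blocks; a /1 to /23 block
# is too large for the IP Allow List and needs the mail flow rule approach shown further down.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList '192.168.1.25','192.168.1.0/24' `
    -IPBlockList '192.168.2.0/24'

# Add and remove individual entries without retyping the list, and turn on the
# Microsoft-maintained safe list. Use $null to empty a list entirely.
Set-HostedConnectionFilterPolicy -Identity Default `
    -IPAllowList @{Add='192.168.3.10'; Remove='192.168.1.0/24'} `
    -EnableSafeList $true

# Scenario from the article: 192.168.1.25 relays contoso.com, fabrikam.com and tailspintoys.com,
# but only fabrikam.com should skip spam filtering. The IP Allow List entry above already
# bypasses filtering for everything from that IP, so this rule sends every OTHER sender domain
# from the same IP back through normal filtering by setting SCL 0; fabrikam.com is excepted.
New-TransportRule -Name 'Allow 192.168.1.25 for fabrikam.com only' `
    -SenderIpRanges '192.168.1.25' `
    -SetSCL 0 `
    -ExceptIfSenderDomainIs 'fabrikam.com'

# Range the IP Allow List can't hold (/1 to /23): bypass via a rule instead, using the SCL -1
# ("Bypass spam filtering") action. Placeholder range; add more conditions than the IP alone
# where possible, as the article's Caution advises.
# New-TransportRule -Name 'Bypass filtering for partner range' -SenderIpRanges '203.0.112.0/23' -SetSCL -1

Get-HostedConnectionFilterPolicy -Identity Default |
    Format-List IPAllowList, IPBlockList, EnableSafeList
```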
If you encounter either of these scenarios, you can create a mail flow rule with the
following settings (at a minimum) to ensure that messages from the problematic IP
addresses will skip spam filtering:
Rule condition: Apply this rule if > The sender > IP address is in any of these
ranges or exactly matches > (your IP address or addresses).
Rule action: Modify the message properties > Set the spam confidence level
(SCL) > Bypass spam filtering.
Outbound spam protection in EOP
Article • 12/10/2022 • 4 minutes to read
This article describes the controls and notifications that are designed to help prevent
outbound spam, and what you can do if you need to send mass mailings.
Review spam complaints from third-party email providers: Many email services
like Outlook.com, Yahoo, and AOL provide a feedback loop where if any user in
their service marks an email from Microsoft 365 as spam, the message is packaged
up and sent back to us for review. To learn more about sender support for
Outlook.com, go to
https://sendersupport.olc.protection.outlook.com/pm/services.aspx .
Monitoring our source IP address reputation: Microsoft 365 queries various third-
party IP block lists. An alert is generated if any of the IP addresses that we use for
outbound email appear on these lists. This monitoring allows us to react quickly
when spam has caused our reputation to degrade. When an alert is generated, we
have internal documentation that outlines how to get our IP addresses removed
(delisted) from block lists.
Disable accounts that send too much spam*: Even though we segregate
outbound spam into the high-risk delivery pool, we can't allow an account (often, a
compromised account) to send spam indefinitely. We monitor accounts that are
sending spam, and when they exceed an undisclosed limit, the account is blocked
from sending email. There are different thresholds for individual users and the
entire tenant.
Disabling accounts that send too much email too quickly*: In addition to the
limits that look for messages marked as spam, there are also limits that block
accounts when they reach an overall outbound message limit, regardless of the spam
filtering verdict on the outbound messages. A compromised account could send
zero-day (previously unrecognized) spam that is missed by the spam filter. Because
it can be difficult to identify a legitimate mass mailing campaign vs. a spam
campaign, these limits help to minimize any potential damage.
* We don't advertise the exact limits so spammers can't game the system, and so we can
increase or decrease the limits as necessary. The limits are high enough to prevent an
average business user from ever exceeding them, and low enough to help contain the
damage caused by a spammer.
As described in the Exchange Online Service Description, using EOP to send bulk email
is not a supported use of the service, and is only permitted on a "best-effort" basis. For
customers who do want to send bulk email, we recommend the following solutions:
Send bulk email through on-premises email servers: Customers maintain their
own email infrastructure for mass mailings.
Use a third-party bulk email provider: There are several third-party bulk email
solution providers that you can use to send mass mailings. These companies have
a vested interest in working with customers to ensure good email sending
practices.
The Messaging, Mobile, Malware Anti-Abuse Working Group (MAAWG) publishes its
membership roster at https://www.maawg.org/about/roster . Several bulk email
providers are on the list, and are known to be responsible internet citizens.
Configure outbound spam filtering in
EOP
Article • 12/14/2022 • 22 minutes to read
EOP uses outbound spam policies as part of your organization's overall defense against
spam. For more information, see Anti-spam protection.
Admins can view, edit, and configure (but not delete) the default outbound spam policy.
For greater granularity, you can also create custom outbound spam policies that apply
to specific users, groups, or domains in your organization. Custom policies always take
precedence over the default policy, but you can change the priority (running order) of
your custom policies.
You can configure outbound spam policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with
mailboxes in Exchange Online; standalone EOP PowerShell for organizations without
Exchange Online mailboxes).
The outbound spam filter policy: Specifies the actions for outbound spam filtering
verdicts and the notification options.
The outbound spam filter rule: Specifies the priority and sender filters (who the
policy applies to) for an outbound spam filter policy.
The difference between these two elements isn't obvious when you manage outbound
spam policies in the Microsoft 365 Defender portal:
When you create a policy, you're actually creating an outbound spam filter rule and
the associated outbound spam filter policy at the same time using the same name
for both.
When you modify a policy, settings related to the name, priority, enabled or
disabled, and sender filters modify the outbound spam filter rule. All other settings
modify the associated outbound spam filter policy.
When you remove a policy, the outbound spam filter rule and the associated
outbound spam filter policy are removed.
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy
and the rule separately. For more information, see the Use Exchange Online PowerShell
or standalone EOP PowerShell to configure outbound spam policies section later in this
article.
Every organization has a built-in outbound spam policy named Default that has these
properties:
The policy is applied to all senders in the organization, even though there's no
outbound spam filter rule (sender filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is
always applied last). Any custom policies that you create always have a higher
priority than the policy named Default.
The policy is the default policy (the IsDefault property has the value True ), and
you can't delete the default policy.
To increase the effectiveness of outbound spam filtering, you can create custom
outbound spam policies with stricter settings that are applied to specific users or groups
of users.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add, modify, and delete outbound spam policies, you need to be a member
of the Organization Management or Security Administrator role groups.
For read-only access to outbound spam policies, you need to be a member of
the Global Reader or Security Reader role groups.
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
For our recommended settings for outbound spam policies, see EOP outbound
spam filter policy settings.
The default alert policies named Email sending limit exceeded, Suspicious email
sending patterns detected, and User restricted from sending email already send
email notifications to members of the TenantAdmins (Global admins) group about
unusual outbound email activity and blocked users due to outbound spam. For
more information, see Verify the alert settings for restricted users. We recommend
that you use these alert policies instead of the notification options in outbound
spam policies.
2. On the Anti-spam policies page, click Create policy and then select Outbound
from the drop down list.
3. The policy wizard opens. On the Name your policy page, configure these settings:
4. On the Users, groups, and domains page that appears, identify the internal
senders that the policy applies to (recipient conditions):
Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.
Multiple values in the same condition use OR logic (for example, <sender1> or
<sender2>). Different conditions use AND logic (for example, <sender1> and
<member of group 1>).
Exclude these users, groups, and domains: To add exceptions for the internal
senders that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.
Important
Multiple different types of conditions or exceptions are not additive; they're
inclusive. The policy is applied only to those recipients that match all of the
specified recipient filters. For example, you configure a recipient filter
condition in the policy with the following values:
Users: romain@contoso.com
Groups: Executives
Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.
5. On the Protection settings page that opens, configure the following settings:
Message limits: The settings in this section configure the limits for outbound
email messages from Exchange Online mailboxes:
Set an external message limit: The maximum number of external
recipients per hour.
Set an internal message limit: The maximum number of internal recipients
per hour.
Set a daily message limit: The maximum total number of recipients per
day.
A valid value is 0 to 10000. The default value is 0, which means the service
defaults are used. For more information, see Sending limits.
Enter a value in the box, or use the increase/decrease arrows on the box.
Restriction placed on users who reach the message limit: Select an action
from the drop down list when any of the limits in the Protection settings
section are exceeded.
For all actions, the senders specified in the User restricted from sending
email alert policy (and in the now redundant Notify these users and groups
if a sender is blocked due to sending outbound spam setting later on this
page) receive email notifications.
Restrict the user from sending mail until the following day: This is the
default value. Email notifications are sent, and the user will be unable to
send any more messages until the following day, based on UTC time.
There is no way for the admin to override this block.
The alert policy named User restricted from sending email notifies
admins (via email and on the Incidents & alerts > View alerts page).
Any recipients specified in the Notify specific people if a sender is
blocked due to sending outbound spam setting in the policy are also
notified.
The user will be unable to send any more messages until the following
day, based on UTC time. There is no way for the admin to override this
block.
Restrict the user from sending mail: Email notifications are sent, the user
is added to Restricted users
https://security.microsoft.com/restrictedusers in the Microsoft 365
Defender portal, and the user can't send email until they're removed from
Restricted users by an admin. After an admin removes the user from the
list, the user won't be restricted again for that day. For instructions, see
Removing a user from the Restricted Users portal after sending spam
email.
No action, alert only: Email notifications are sent.
Forwarding rules: Use the settings in this section to control automatic email
forwarding by Exchange Online mailboxes to external senders. For more
information, see Control automatic external email forwarding in Microsoft
365.
Note
Select one of the following actions from the Automatic forwarding rules
drop down list:
Automatic - System-controlled: Allows outbound spam filtering to control
automatic external email forwarding. This is the default value.
On: Automatic external email forwarding is not disabled by the policy.
Off: All automatic external email forwarding is disabled by the policy.
Note
To enable this setting, select the check box. In the box that appears, click in
the box, enter a valid email address, and then press Enter or select the
complete value that's displayed below the box.
Important
The default alert policy named User restricted from sending email
already sends email notifications to members of the TenantAdmins
(Global admins) group when users are blocked due to exceeding the
limits in the Recipient Limits section. We strongly recommend that
you use the alert policy rather than this setting in the outbound
spam policy to notify admins and other users. For instructions, see
Verify the alert settings for restricted users.
2. On the Anti-spam policies page, look for one of the following values:
Name
Status
Priority
Type
3. When you select an outbound spam policy by clicking on the name, the policy
settings are displayed in a flyout.
2. On the Anti-spam policies page, select an outbound spam policy from the list by
clicking on the name:
A custom policy that you created where the value in the Type column is
Custom outbound spam policy.
The default policy named Anti-spam outbound policy (Default).
3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the
previous Use the Microsoft 365 Defender portal to create outbound spam policies
section in this article.
For the default outbound spam policy, the Applied to section isn't available (the
policy applies to everyone), and you can't rename the policy.
To enable or disable a policy, set the policy priority order, or configure the end-user
notifications, see the following sections.
1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Anti-spam in the Policies section.
2. On the Anti-spam policies page, select a policy with the Type value of Custom
outbound spam policy from the list by clicking on the name.
3. At the top of the policy details flyout that appears, you'll see one of the following
values:
Back on the main policy page, the Status value of the policy will be On or Off.
Notes:
In the Microsoft 365 Defender portal, you can only change the priority of the
outbound spam policy after you create it. In PowerShell, you can override the
default priority when you create the spam filter rule (which can affect the priority
of existing rules).
Outbound spam policies are processed in the order that they're displayed (the first
policy has the Priority value 0). The default outbound spam policy has the priority
value Lowest, and you can't change it.
1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Anti-spam in the Policies section.
2. On the Anti-spam policies page, select a policy with the Type value of
Custom outbound spam policy from the list by clicking on the name.
3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:
The outbound spam policy with the Priority value 0 has only the Decrease
priority option available.
The outbound spam policy with the lowest Priority value (for example, 3) has
only the Increase priority option available.
If you have three or more outbound spam policies, the policies between the
highest and lowest priority values have both the Increase priority and
Decrease priority options available.
2. On the Anti-spam policies page, select a policy with the Type value of Custom
outbound spam policy from the list by clicking on the name. At the top of the
policy details flyout that appears, click More actions > Delete policy.
In PowerShell, you create the outbound spam filter policy first, then you create the
outbound spam filter rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the outbound spam filter policy and the
outbound spam filter rule separately.
When you remove an outbound spam filter policy from PowerShell, the
corresponding outbound spam filter rule isn't automatically removed, and vice
versa.
2. Create the outbound spam filter rule that specifies the outbound spam filter policy
that the rule applies to.
Notes:
You can create a new outbound spam filter rule and assign an existing,
unassociated outbound spam filter policy to it. An outbound spam filter rule
can't be associated with more than one outbound spam filter policy.
You can configure the following settings on new outbound spam filter
policies in PowerShell that aren't available in the Microsoft 365 Defender
portal until after you create the policy:
Create the new policy as disabled (Enabled $false on the
New-HostedOutboundSpamFilterRule cmdlet).
Set the priority of the policy during creation (Priority <Number> on the
New-HostedOutboundSpamFilterRule cmdlet).
A new outbound spam filter policy that you create in PowerShell isn't visible
in the Microsoft 365 Defender portal until you assign the policy to an
outbound spam filter rule.
PowerShell
This example creates a new outbound spam filter policy named Contoso Executives with
the following settings:
The recipient rate limits are restricted to smaller values than the defaults. For more
information, see Sending limits across Microsoft 365 options.
After one of the limits is reached, the user is prevented from sending messages.
PowerShell
This example creates a new outbound spam filter rule named Contoso Executives with
these settings:
The outbound spam filter policy named Contoso Executives is associated with the
rule.
The rule applies to members of the group named Contoso Executives Group.
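The two creation steps above, policy first and then the rule that names it, as an added example (not the article's own code blocks). It assumes a Connect-ExchangeOnline session; the names Contoso Executives and Contoso Executives Group are the article's, while the numeric limits are constructed values within the 0 to 10000 range the article gives.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has been
# run. Policy and group names are the article's; the limit values are
# constructed and should be chosen to fit your own tenant.

# Step 1: the policy holds the actions. Limits are lower than the service
# defaults, the user is blocked (added to Restricted users) when a limit is
# reached, and automatic external forwarding is turned off for these senders.
New-HostedOutboundSpamFilterPolicy -Name "Contoso Executives" `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 8000 `
    -ActionWhenThresholdReached BlockUser `
    -AutoForwardingMode Off

# Step 2: the rule holds the priority and the sender filter, and names the
# policy it applies. Priority 0 puts it first; rules already at that priority
# or lower move down by one, which is why the article notes that setting a
# priority at creation can affect existing rules.
New-HostedOutboundSpamFilterRule -Name "Contoso Executives" `
    -HostedOutboundSpamFilterPolicy "Contoso Executives" `
    -FromMemberOf "Contoso Executives Group" `
    -Priority 0

# Check: the rule points at the policy, is enabled, and sits at the top of the
# processing order. The policy becomes visible in the portal only now that a
# rule references it.
Get-HostedOutboundSpamFilterRule -Identity "Contoso Executives" |
    Format-List Name, State, Priority, HostedOutboundSpamFilterPolicy, FromMemberOf
Get-HostedOutboundSpamFilterPolicy -Identity "Contoso Executives" |
    Format-List Name, RecipientLimit*, ActionWhenThresholdReached, AutoForwardingMode
```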
PowerShell
PowerShell
Get-HostedOutboundSpamFilterPolicy
To return detailed information about a specific outbound spam filter policy, use this
syntax:
PowerShell
This example returns all the property values for the outbound spam filter policy named
Executives.
PowerShell
PowerShell
To return a summary list of all outbound spam filter rules, run this command:
PowerShell
Get-HostedOutboundSpamFilterRule
To filter the list by enabled or disabled rules, run the following commands:
PowerShell
PowerShell
To return detailed information about a specific outbound spam filter rule, use this
syntax:
PowerShell
This example returns all the property values for the outbound spam filter rule named
Contoso Executives.
PowerShell
Note
PowerShell
Otherwise, no additional settings are available when you modify an outbound spam
filter rule in PowerShell. The same settings are available when you create a rule as
described in the Step 2: Use PowerShell to create an outbound spam filter rule section
earlier in this article.
PowerShell
To enable or disable an outbound spam filter rule in PowerShell, use this syntax:
PowerShell
<Enable-HostedOutboundSpamFilterRule | Disable-HostedOutboundSpamFilterRule>
-Identity "<RuleName>"
This example disables the outbound spam filter rule named Marketing Department.
PowerShell
PowerShell
PowerShell
This example sets the priority of the rule named Marketing Department to 2. All existing
rules that have a priority less than or equal to 2 are decreased by 1 (their priority
numbers are increased by 1).
PowerShell
Notes:
To set the priority of a new rule when you create it, use the Priority parameter on
the New-HostedOutboundSpamFilterRule cmdlet instead.
The outbound default spam filter policy doesn't have a corresponding spam filter
rule, and it always has the unmodifiable priority value Lowest.
PowerShell
This example removes the outbound spam filter policy named Marketing Department.
PowerShell
PowerShell
This example removes the outbound spam filter rule named Marketing Department.
PowerShell
Note
You can use outbound spam filter policies to control automatic forwarding to external
recipients. Three settings are available:
Automatic - System-controlled: This is the default setting. This setting is now the
same as Off. When this setting was originally introduced, it was equivalent to On.
Over time, thanks to the principles of secure by default, this setting was gradually
changed to Off for all customers. For more information, see this blog post .
On: Automatic external forwarding is allowed and not restricted.
Off: Automatic external forwarding is disabled and will result in a non-delivery
report (also known as an NDR or bounce message) to the sender.
For instructions on how to configure these settings, see Configure outbound spam
filtering in EOP.
Note
When one setting allows external forwarding, but another setting blocks external
forwarding, the block typically wins. Examples are described in the following table:
Scenario Result
You can use this behavior (for example) to allow automatic forwarding in outbound
spam filter policies, but use remote domains to control the external domains that users
can forward messages to.
The following information is required to create the mail flow rule in the Exchange admin
center (EAC):
Apply this rule if (condition): A message header > matches these text patterns.
Note you might need to click More options to see this option.
Header name: X-MS-Exchange-Inbox-Rules-Loop
Header value: .
(Optional) Do the following (action): You can configure an optional action. For
example, you can use the action Modify the message properties > set a message
header, with the header name X-Forwarded and the value True. But, configuring
an action is not required.
Set Audit this rule with severity level to the value Low, Medium, or High. This
setting allows you to use the Exchange transport rule report to get details of users
that are forwarding.
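The same mail flow rule created with Exchange Online PowerShell, as an added example that is not from the article. The header name X-MS-Exchange-Inbox-Rules-Loop, the pattern ".", the optional X-Forwarded header and the audit severity are the article's values; the rule name and comment are constructed, and a Connect-ExchangeOnline session is assumed.

```powershell
# Added example (not the article's code). Assumes Connect-ExchangeOnline has
# been run. Header names, pattern and severity come from the article; the rule
# name and comment are constructed.

# Matches any message that carries the X-MS-Exchange-Inbox-Rules-Loop header,
# which Exchange stamps on messages forwarded by inbox rules. The "." pattern
# is a regular expression that matches any non-empty header value.
New-TransportRule -Name "Audit inbox-rule forwarding" `
    -HeaderMatchesMessageHeader "X-MS-Exchange-Inbox-Rules-Loop" `
    -HeaderMatchesPatterns "." `
    -SetHeaderName "X-Forwarded" `
    -SetHeaderValue "True" `
    -SetAuditSeverity Low `
    -Comments "Constructed example: tag forwarded messages for the transport rule report"

# The rule only records forwarding. The block itself is the outbound spam
# policy setting described earlier; shown here for the default policy.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Confirm both settings as stored.
Get-TransportRule -Identity "Audit inbox-rule forwarding" |
    Format-List Name, State, HeaderMatchesMessageHeader, HeaderMatchesPatterns, SetAuditSeverity
Get-HostedOutboundSpamFilterPolicy -Identity Default | Format-List Name, AutoForwardingMode
```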
5.7.520 Access denied, Your organization does not allow external forwarding. Please
contact your administrator for further assistance. AS(7555)
Outbound delivery pools
Article • 12/10/2022 • 4 minutes to read
Email servers in the Microsoft 365 datacenters might be temporarily guilty of sending
spam. For example, a malware or malicious spam attack in an on-premises email
organization that sends outbound mail through Microsoft 365, or compromised
Microsoft 365 accounts. Attackers also try to avoid detection by relaying messages
through Microsoft 365 forwarding.
These scenarios can result in the IP address of the affected Microsoft 365 datacenter
servers appearing on third-party blocklists. Destination email organizations that use
these blocklists will reject email from those Microsoft 365 message sources.
The high risk delivery pool is a separate IP address pool for outbound email that's only
used to send "low quality" messages (for example, spam and backscatter). Using the high
risk delivery pool helps prevent the normal IP address pool for outbound email from
sending spam. The normal IP address pool for outbound email maintains its reputation
by sending "high quality" messages, which reduces the likelihood that these IP addresses
will appear on IP blocklists.
The very real possibility that IP addresses in the high-risk delivery pool will be placed on
IP blocklists remains, but this is by design. Delivery to the intended recipients isn't
guaranteed, because many email organizations won't accept messages from the high
risk delivery pool.
Note
Messages where the source email domain has no A record and no MX record
defined in public DNS are always routed through the high-risk delivery pool,
regardless of their spam or sending limit disposition.
Messages that exceed the following limits are blocked, so they aren't sent through
the high-risk delivery pool:
Bounce messages
The outbound high-risk delivery pool manages the delivery for all non-delivery reports
(also known as NDRs, bounce messages, delivery status notifications, or DSNs).
A spoofing campaign that affects one of the customers using the service.
A directory harvest attack.
A spam attack.
A rogue email server.
All of these issues can result in a sudden increase in the number of NDRs being
processed by the service. Many times, these NDRs appear to be spam to other email
servers and services (also known as backscatter).
Relay pool
Messages that are forwarded or relayed via Microsoft 365 in certain scenarios will be
sent using a special relay pool, because the destination should not consider Microsoft
365 as the actual sender. It's important for us to isolate this email traffic, because there
are legitimate and invalid scenarios for auto forwarding or relaying email out of
Microsoft 365. Similar to the high-risk delivery pool, a separate IP address pool is used
for relayed mail. This address pool is not published because it can change often, and it's
not part of the published SPF record for Microsoft 365.
Microsoft 365 needs to verify that the original sender is legitimate so we can confidently
deliver the forwarded message.
The forwarded or relayed message should meet one of the following criteria to avoid
using the relay pool:
You can tell that a message was sent via the relay pool by looking at the outbound
server IP (the relay pool will be in the 40.95.0.0/16 range), or by looking at the outbound
server name (will have "rly" in the name).
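A small helper that applies the two relay-pool indicators above (outbound server IP in 40.95.0.0/16, or "rly" in the server name) to a Received: header line, as an added example that is not from the article. The function name and the sample header lines are constructed; the range and the "rly" marker are the article's.

```powershell
# Added example (not from the article). Test-RelayPoolHop is a constructed
# helper name; the 40.95.0.0/16 range and the "rly" host-name marker are the
# two indicators the article gives. The sample headers below are constructed.

function Test-RelayPoolHop {
    param([Parameter(Mandatory)][string]$ReceivedHeader)

    $result = [ordered]@{
        ServerName   = $null
        ServerIp     = $null
        InRelayRange = $false
        RlyInName    = $false
        ViaRelayPool = $false
    }

    # Received: headers written by Exchange Online take the form
    # "from <server-name> (<ip>) by ...". Capture both parts.
    if ($ReceivedHeader -match 'from\s+(?<host>[^\s(]+)\s*\((?<ip>\d{1,3}(?:\.\d{1,3}){3})\)') {
        $result.ServerName = $Matches.host
        $result.ServerIp   = $Matches.ip

        # Indicator 1: "rly" in the server name (-match is case-insensitive).
        $result.RlyInName = [bool]($Matches.host -match 'rly')

        # Indicator 2: address inside 40.95.0.0/16. A /16 fixes the first two
        # octets, so comparing them is the same as masking with 255.255.0.0.
        $octets = $Matches.ip.Split('.') | ForEach-Object { [int]$_ }
        $result.InRelayRange = ($octets[0] -eq 40 -and $octets[1] -eq 95)
    }

    $result.ViaRelayPool = $result.InRelayRange -or $result.RlyInName
    return [pscustomobject]$result
}

# Constructed sample hops, not headers from a real message. The first carries
# both relay-pool indicators; the second is an ordinary outbound hop.
$samples = @(
    'from NAM02-RLY-obe.outbound.protection.outlook.com (40.95.12.34) by mx.example.net with ESMTP',
    'from NAM02-BN1-obe.outbound.protection.outlook.com (40.107.66.10) by mx.example.net with ESMTP'
)
$samples | ForEach-Object { Test-RelayPoolHop -ReceivedHeader $_ } | Format-Table -AutoSize
```

Run it against the Received: headers of a message that arrived at an external mailbox to see whether the forwarding hop left the relay pool rather than the normal outbound pool.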
In cases where we can authenticate the sender, we use Sender Rewriting Scheme (SRS)
to help the recipient email system know that the forwarded message is from a trusted
source. You can read more about how that works and what you can do to help make
sure the sending domain passes authentication in Sender Rewriting Scheme (SRS) in
Office 365.
For DKIM to work, make sure you enable DKIM for the sending domain. For example,
fabrikam.com is part of contoso.com and is defined in the accepted domains of the
organization. If the message sender is sender@fabrikam.com, DKIM needs to be
enabled for fabrikam.com. You can read how to enable it in Use DKIM to validate
outbound email sent from your custom domain.
To add a custom domain, follow the steps in Add a domain to Microsoft 365.
If the MX record for your domain points to a third party service or an on-premises email
server, you should use Enhanced Filtering for Connectors. Enhanced Filtering ensures
SPF validation is correct for inbound mail and will avoid sending email through the relay
pool.
Anti-phishing protection in Microsoft
365
Article • 12/10/2022 • 3 minutes to read
Phishing is an email attack that tries to steal sensitive information in messages that
appear to be from legitimate or trusted senders. There are specific categories of
phishing. For example:
Spear phishing uses focused, customized content that's specifically tailored to the
targeted recipients (typically, after reconnaissance on the recipients by the
attacker).
Business email compromise (BEC) uses forged trusted senders (financial officers,
customers, trusted partners, etc.) to trick recipients into approving payments,
transferring funds, or revealing customer data. Learn more by watching this
video .
Ransomware that encrypts your data and demands payment to decrypt it almost
always starts out in phishing messages. Anti-phishing protection can't help you
decrypt encrypted files, but it can help detect the initial phishing messages that are
associated with the ransomware campaign. For more information about recovering
from a ransomware attack, see Recover from a ransomware attack in Microsoft
365.
With the growing complexity of attacks, it's even difficult for trained users to identify
sophisticated phishing messages. Fortunately, Exchange Online Protection (EOP) and the
additional features in Microsoft Defender for Office 365 can help.
Spoof intelligence: Use the spoof intelligence insight to review detected spoofed
senders in messages from external and internal domains, and manually allow or
block those detected senders. For more information, see Spoof intelligence insight
in EOP.
Allow or block spoofed senders in the Tenant Allow/Block List: When you
override the verdict in the spoof intelligence insight, the spoofed sender becomes
a manual allow or block entry that only appears on the Spoofed senders tab in the
Tenant Allow/Block List. You can also manually create allow or block entries for
spoof senders before they're detected by spoof intelligence. For more information,
see Manage the Tenant Allow/Block List in EOP.
Automatically created
default policy
Spoof settings
Impersonation settings
Advanced phishing
thresholds
* In the default policy, the policy name and description are read-only (the description is
blank), and you can't specify who the policy applies to (the default policy applies to all
recipients).
The rest of this article describes the settings that are available in anti-phishing policies in
EOP and Defender for Office 365.
Name: You can't rename the default anti-phishing policy. After you create a
custom anti-phishing policy, you can't rename the policy in the Microsoft 365
Defender portal.
Description: You can't add a description to the default anti-phishing policy, but you
can add and change the description for custom policies that you create.
Users, groups, and domains: Identifies internal recipients that the anti-phishing
policy applies to. This value is required in custom policies, and not available in the
default policy (the default policy applies to all recipients).
You can only use a condition or exception once, but you can specify multiple
values for the condition or exception. Multiple values of the same condition or
exception use OR logic (for example, <recipient1> or <recipient2>). Different
conditions or exceptions use AND logic (for example, <recipient1> and <member
of group 1>).
Users: One or more mailboxes, mail users, or mail contacts in your organization.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Exclude these users, groups, and domains: Exceptions for the policy. The
settings and behavior are exactly like the conditions:
Users
Groups
Domains
Note
At least one selection in the Users, groups, and domains settings is required
in custom anti-phishing policies to identify the message recipients that the
policy applies to. Anti-phishing policies in Defender for Office 365 also have
impersonation settings where you can specify individual sender email
addresses or sender domains that will receive impersonation protection as
described later in this article.
Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.
Spoof settings
Spoofing is when the From address in an email message (the sender address that's
shown in email clients) doesn't match the domain of the email source. For more
information about spoofing, see Anti-spoofing protection in Microsoft 365.
The following spoof settings are available in anti-phishing policies in EOP and Defender
for Office 365:
When spoof intelligence is enabled, the spoof intelligence insight shows spoofed
senders that were automatically detected and allowed or blocked by spoof
intelligence. You can manually override the spoof intelligence verdict to allow or
block the detected spoofed senders from within the insight. But when you do, the
spoofed sender disappears from the spoof intelligence insight, and is now visible
only on the Spoofed senders tab in the Tenant Allow/Block List. You can also
manually create allow or block entries for spoofed senders in the Tenant
Allow/Block List. For more information, see the following articles:
Spoof intelligence insight in EOP
Manage the Tenant Allow/Block List in EOP
Note
Anti-spoofing protection is enabled by default in the default anti-phishing
policy and in any new custom anti-phishing policies that you create.
You don't need to disable anti-spoofing protection if your MX record
doesn't point to Microsoft 365; you enable Enhanced Filtering for
Connectors instead. For instructions, see Enhanced Filtering for
Connectors in Exchange Online.
Disabling anti-spoofing protection only disables implicit spoofing
protection from composite authentication checks. If the sender fails
explicit DMARC checks where the policy is set to quarantine or reject, the
message is still quarantined or rejected.
Move messages to the recipients' Junk Email folders: This is the default value.
The message is delivered to the mailbox and moved to the Junk Email folder.
For more information, see Configure junk email settings on Exchange Online
mailboxes in Microsoft 365.
If you select Quarantine the message, you can also select the quarantine policy
that applies to messages that were quarantined by spoof intelligence
protection. Quarantine policies define what users are able to do to quarantined
messages, and whether users receive quarantine notifications. For more
information, see Quarantine policies.
Show (?) for unauthenticated senders for spoof: Adds a question mark to the
sender's photo in the From box if the message does not pass SPF or DKIM checks
and the message does not pass DMARC or composite authentication. When this
setting is turned off, the question mark isn't added to the sender's photo.
Show "via" tag: Adds the via tag (chris@contoso.com via fabrikam.com) in the
From box if the domain in the From address (the message sender that's displayed
in email clients) is different from the domain in the DKIM signature or the MAIL
FROM address. For more information about these addresses, see An overview of
email message standards.
To prevent the question mark or via tag from being added to messages from specific
senders, you have the following options:
Allow the spoofed sender in the spoof intelligence insight or manually in the
Tenant Allow/Block List. Allowing the spoofed sender will prevent the via tag from
appearing in messages from the sender, even if the Show "via" tag setting is
turned on in the policy.
Configure email authentication for the sender domain.
For the question mark in the sender's photo, SPF or DKIM are the most
important.
For the via tag, confirm the domain in the DKIM signature or the MAIL FROM
address matches (or is a subdomain of) the domain in the From address.
For more information, see Identify suspicious messages in Outlook.com and Outlook on
the web.
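The alignment condition just described decides whether the via tag appears: the tag is suppressed when either the DKIM signing domain or the MAIL FROM domain matches, or is a subdomain of, the domain in the From address. The following PowerShell is an added example, not code from the article or from Microsoft; it models only that one rule, assumes the caller has already extracted the three domains from the message headers, and the sample messages are constructed. The last sample shows why a plain suffix comparison is not enough: notcontoso.com ends with contoso.com but is not a subdomain of it.

```powershell
# Added example (not from the article): a minimal model of the From/DKIM/MAIL FROM
# alignment rule behind the "via" tag. Assumes the three domains were already
# parsed out of the message; it does not inspect real headers.

function Test-DomainAligned {
    param([string]$Candidate, [string]$FromDomain)
    # A missing DKIM signature (empty string) can never align.
    if ([string]::IsNullOrEmpty($Candidate)) { return $false }
    $c = $Candidate.ToLowerInvariant()
    $f = $FromDomain.ToLowerInvariant()
    # Exact match, or Candidate is a subdomain of the From domain. The leading dot
    # prevents "notcontoso.com" from aligning with "contoso.com".
    return ($c -eq $f) -or $c.EndsWith(".$f")
}

function Get-ViaTagDecision {
    param(
        [Parameter(Mandatory)][string]$FromDomain,
        [string]$DkimDomain = '',
        [Parameter(Mandatory)][string]$MailFromDomain
    )
    $aligned = (Test-DomainAligned -Candidate $DkimDomain -FromDomain $FromDomain) -or
               (Test-DomainAligned -Candidate $MailFromDomain -FromDomain $FromDomain)
    [pscustomobject]@{
        FromDomain     = $FromDomain
        DkimDomain     = $DkimDomain
        MailFromDomain = $MailFromDomain
        ShowViaTag     = -not $aligned
    }
}

# Constructed sample messages (not captured traffic).
$samples = @(
    @{ FromDomain = 'contoso.com'; DkimDomain = 'contoso.com';    MailFromDomain = 'bounce.fabrikam.com' }  # DKIM aligned: no tag
    @{ FromDomain = 'contoso.com'; DkimDomain = '';               MailFromDomain = 'mail.contoso.com' }     # MAIL FROM subdomain: no tag
    @{ FromDomain = 'contoso.com'; DkimDomain = 'fabrikam.com';   MailFromDomain = 'fabrikam.com' }         # neither aligned: via tag shown
    @{ FromDomain = 'contoso.com'; DkimDomain = 'notcontoso.com'; MailFromDomain = 'notcontoso.com' }       # suffix trap: via tag shown
)

foreach ($s in $samples) { Get-ViaTagDecision @s } | Format-Table -AutoSize
```

When troubleshooting a legitimate third-party sender that keeps getting the tag, the fix is on the sending side (a DKIM signature or MAIL FROM under the From domain), which is what the article's second option above describes; allowing the spoofed sender in the Tenant Allow/Block List suppresses the tag without fixing the authentication gap.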
This capability adds an extra layer of security protection against potential impersonation
attacks, so we recommend that you turn it on.
The first contact safety tip also replaces the need to create mail flow rules (also known
as transport rules) that add the header named X-MS-Exchange-
EnableFirstContactSafetyTip with the value Enable to messages (although this
capability is still available).
Note
If the message has multiple recipients, whether the tip is shown and to whom is
based on a majority model. If the majority of recipients have never or don't often
receive messages from the sender, then the affected recipients will receive the
Some people who received this message... tip. If you're concerned that this
behavior exposes the communication habits of one recipient to another, you
should not enable the first contact safety tip and continue to use mail flow rules
instead.
Note
The default anti-phishing policy in Defender for Office 365 provides spoof
protection and mailbox intelligence for all recipients. However, the other available
impersonation protection features and advanced settings are not configured or
enabled in the default policy. To enable all protection features, modify the default
anti-phishing policy or create additional anti-phishing policies.
Note
Impersonation protection looks for domains that are similar. For example, if your
domain is contoso.com, we check for different top-level domains (.com, .biz, etc.) as
impersonation attempts, but also domains that are even somewhat similar. For
example, contosososo.com or contoabcdef.com might be seen as impersonation
attempts of contoso.com.
An impersonated domain might otherwise be considered legitimate (registered domain,
configured email authentication records, etc.), except its intent is to deceive recipients.
Enable users to protect: Prevents the specified internal or external email addresses
from being impersonated as message senders. For example, you receive an email
message from the Vice President of your company asking you to send her some
internal company information. Would you do it? Many people would send the
reply without thinking.
You can use protected users to add internal and external sender email addresses to
protect from impersonation. This list of senders that are protected from user
impersonation is different from the list of recipients that the policy applies to (all
recipients for the default policy; specific recipients as configured in the Users,
groups, and domains setting in the Common policy settings section).
Note
When you add internal or external email addresses to the Users to protect list,
messages from those senders are subject to impersonation protection checks. The
message is checked for impersonation if the message is sent to a recipient that the
policy applies to (all recipients for the default policy; Users, groups, and domains
recipients in custom policies). If impersonation is detected in the sender's email
address, the impersonation protections actions for users are applied to the
message (what to do with the message, whether to show impersonated users
safety tips, etc.).
Enable domains to protect: Prevents the specified domains from being
impersonated in the message sender's domain. For example, all domains that you
own (accepted domains) or specific custom domains (domains you own or partner
domains). This list of sender domains that are protected from impersonation is
different from the list of recipients that the policy applies to (all recipients for the
default policy; specific recipients as configured in the Users, groups, and domains
setting in the Common policy settings section).
Note
When you add domains to the Enable domains to protect list, messages from
senders in those domains are subject to impersonation protection checks. The
message is checked for impersonation if the message is sent to a recipient that the
policy applies to (all recipients for the default policy; Users, groups, and domains
recipients in custom policies). If impersonation is detected in the sender's domain,
the impersonation protection actions for domains are applied to the message
(what to do with the message, whether to show impersonated users safety tips,
etc.).
Redirect message to other email addresses: Sends the message to the specified
recipients instead of the intended recipients.
Move messages to the recipients' Junk Email folders: The message is delivered
to the mailbox and moved to the Junk Email folder. For more information, see
Configure junk email settings on Exchange Online mailboxes in Microsoft 365.
If you select Quarantine the message, you can also select the quarantine policy
that applies to messages that are quarantined by user impersonation or domain
impersonation protection. Quarantine policies define what users are able to do
to quarantined messages. For more information, see Quarantine policies.
Deliver the message and add other addresses to the Bcc line: Deliver the
message to the intended recipients and silently deliver the message to the
specified recipients.
Delete the message before it's delivered: Silently deletes the entire message,
including all attachments.
Impersonation safety tips: Turn on or turn off the following impersonation safety
tips that appear on messages that fail impersonation checks:
Show tip for impersonated users: The From address contains an Enable users
to protect user. Available only if Enable users to protect is turned on and
configured.
Show tip for impersonated domains: The From address contains an Enable
domains to protect domain. Available only if Enable domains to protect is
turned on and configured.
Show tip for unusual characters: The From address contains unusual character
sets (for example, mathematical symbols and text or a mix of uppercase and
lowercase letters) in an Enable users to protect sender or an Enable domains to
protect sender domain. Available only if Enable users to protect or Enable
domains to protect is turned on and configured.
Note
Mailbox intelligence protection does not work if the sender and recipient have
previously communicated via email. If the sender and recipient have never
communicated via email, the message will be identified as an impersonation
attempt by mailbox intelligence.
Note
If Microsoft 365 system messages from the following senders are identified
as impersonation attempts, you can add the senders to the trusted senders
list:
noreply@email.teams.microsoft.com
noreply@emeaemail.teams.microsoft.com
no-reply@sharepointonline.com
1 - Standard: This is the default value. The severity of the action that's taken on the
message depends on the degree of confidence that the message is phishing (low,
medium, high, or very high confidence). For example, messages that are identified
as phishing with a very high degree of confidence have the most severe actions
applied, while messages that are identified as phishing with a low degree of
confidence have less severe actions applied.
2 - Aggressive: Messages that are identified as phishing with a high degree of
confidence are treated as if they were identified with a very high degree of
confidence.
3 - More aggressive: Messages that are identified as phishing with a medium or
high degree of confidence are treated as if they were identified with a very high
degree of confidence.
4 - Most aggressive: Messages that are identified as phishing with a low, medium,
or high degree of confidence are treated as if they were identified with a very high
degree of confidence.
The chance of false positives (good messages marked as bad) increases as you increase
this setting. For information about the recommended settings, see anti-phishing policy
in Microsoft Defender for Office 365 settings.
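The impersonation settings, mailbox intelligence and phishing email threshold described above can all be set in one New-AntiPhishPolicy call in Exchange Online PowerShell. This is an added example, not code from the article or from Microsoft: the policy name, the protected users and domains, and the group address are constructed placeholders, and AdminOnlyAccessPolicy is the built-in quarantine policy name. It assumes the ExchangeOnlineManagement module is installed and that the tenant has Defender for Office 365 (the impersonation parameters are not available in EOP-only organizations).

```powershell
# Added example (not from the article). Requires the ExchangeOnlineManagement module
# and a Defender for Office 365 license; all names below are constructed placeholders.
Connect-ExchangeOnline

$policyName = 'Executive Impersonation Protection'   # constructed placeholder

# Protected senders use the "Display Name;email address" format. Threshold 3 treats
# medium- and high-confidence phish as very high confidence, at the cost of more
# false positives, so start at 1 or 2 for a broad policy and raise it only for
# the recipients most likely to be targeted.
New-AntiPhishPolicy -Name $policyName `
    -AdminDisplayName 'Impersonation and threshold settings for executives' `
    -PhishThresholdLevel 3 `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect 'Jane Doe;jane.doe@contoso.com', 'Ravi Patel;ravi.patel@contoso.com' `
    -TargetedUserProtectionAction Quarantine `
    -TargetedUserQuarantineTag 'AdminOnlyAccessPolicy' `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect 'fabrikam.com' `
    -TargetedDomainProtectionAction Quarantine `
    -TargetedDomainQuarantineTag 'AdminOnlyAccessPolicy' `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true

# The policy is invisible in the Microsoft 365 Defender portal until a rule binds
# it to recipients; the rule also carries the recipient conditions (constructed group).
New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName `
    -SentToMemberOf 'Executives@contoso.com'

# Read back the impersonation-related properties to confirm what was stored.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, PhishThresholdLevel,
                EnableTargetedUserProtection, TargetedUsersToProtect, TargetedUserProtectionAction,
                EnableOrganizationDomainsProtection, TargetedDomainsToProtect, TargetedDomainProtectionAction,
                EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction
```

Protected senders and the recipients the rule applies to are independent lists, as the article stresses: the senders above are who may be impersonated, the SentToMemberOf group is who receives the protection.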
Configure anti-phishing policies in EOP
Article • 12/14/2022 • 19 minutes to read
Admins can view, edit, and configure (but not delete) the default anti-phishing policy.
For greater granularity, you can also create custom anti-phishing policies that apply to
specific users, groups, or domains in your organization. Custom policies always take
precedence over the default policy, but you can change the priority (running order) of
your custom policies.
For information about creating and modifying the more advanced anti-phishing policies
that are available in Microsoft Defender for Office 365, see Configure anti-phishing
policies in Microsoft Defender for Office 365.
The anti-phish policy: Specifies the phishing protections to enable or disable, and
the actions to apply.
The anti-phish rule: Specifies the priority and recipient filters (who the policy
applies to) for an anti-phish policy.
The difference between these two elements isn't obvious when you manage anti-
phishing policies in the Microsoft 365 Defender portal:
When you create an anti-phishing policy, you're actually creating an anti-phish rule
and the associated anti-phish policy at the same time using the same name for
both.
When you modify an anti-phishing policy, settings related to the name, priority,
enabled or disabled, and recipient filters modify the anti-phish rule. All other
settings modify the associated anti-phish policy.
When you remove an anti-phishing policy, the anti-phish rule and the associated
anti-phish policy are removed.
In Exchange Online PowerShell, you manage the policy and the rule separately. For more
information, see the Use Exchange Online PowerShell to configure anti-phishing policies
section later in this article.
Every organization has a built-in anti-phishing policy named Office365 AntiPhish Default
that has these properties:
The policy is applied to all recipients in the organization, even though there's no
anti-phish rule (recipient filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is
always applied last). Any custom policies that you create always have a higher
priority.
The policy is the default policy (the IsDefault property has the value True), and
you can't delete the default policy.
To increase the effectiveness of anti-phishing protection, you can create custom anti-
phishing policies with stricter settings that are applied to specific users or groups of
users.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add, modify, and delete anti-phishing policies, you need to be a member of
the Organization Management or Security Administrator role groups.
For read-only access to anti-phishing policies, you need to be a member of the
Global Reader or Security Reader role groups*.
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
*The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
For our recommended settings for anti-phishing policies, see EOP anti-phishing
policy settings.
For information about where anti-phishing policies are applied in the filtering
pipeline, see Order and precedence of email protection.
3. The policy wizard opens. On the Policy name page, configure these settings:
4. On the Users, groups, and domains page that appears, identify the internal
recipients that the policy applies to (recipient conditions):
Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your
organization.
Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.
Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).
Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.
Important
Users: romain@contoso.com
Groups: Executives
Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.
When you're finished, click Next.
5. On the Phishing threshold & protection page that appears, use the Enable spoof
intelligence check box to turn spoof intelligence on or off. The default value is on
(selected), and we recommend that you leave it on. You configure the action to
take on blocked spoofed messages on the next page.
Note
You don't need to turn off anti-spoofing protection if your MX record doesn't
point to Microsoft 365; you enable Enhanced Filtering for Connectors instead.
For instructions, see Enhanced Filtering for Connectors in Exchange Online.
To turn on a setting, select the check box. To turn it off, clear the check box.
* This setting is available only if you selected Enable spoof intelligence on the
previous page. For more information, see Unauthenticated sender indicators.
7. On the Review page that appears, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.
2. On the Anti-phishing page, the following properties are displayed in the list of
policies:
Name
Status
Priority
Last modified
3. When you select a policy by clicking on the name, the policy settings are displayed
in a flyout.
Use the Microsoft 365 Defender portal to modify anti-phishing policies
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the
Policies section. To go directly to the Anti-phishing page, use
https://security.microsoft.com/antiphishing .
2. On the Anti-phishing page, select a policy from the list by clicking on the name.
3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the Use
the Microsoft 365 Defender portal to create anti-phishing policies section earlier in
this article.
For the default anti-phishing policy, the Users, groups, and domains section isn't
available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy or set the policy priority order, see the following sections.
2. On the Anti-phishing page, select a custom policy from the list by clicking on the
name.
3. At the top of the policy details flyout that appears, you'll see one of the following
values:
Back on the main policy page, the Status value of the policy will be On or Off.
Set the priority of custom anti-phishing policies
By default, anti-phishing policies are given a priority that's based on the order they were
created in (newer policies are lower priority than older policies). A lower priority number
indicates a higher priority for the policy (0 is the highest), and policies are processed in
priority order (higher priority policies are processed before lower priority policies). No
two policies can have the same priority, and policy processing stops after the first policy
is applied.
To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.
Notes:
In the Microsoft 365 Defender portal, you can only change the priority of the anti-
phishing policy after you create it. In PowerShell, you can override the default
priority when you create the anti-phish rule (which can affect the priority of
existing rules).
Anti-phishing policies are processed in the order that they're displayed (the first
policy has the Priority value 0). The default anti-phishing policy has the priority
value Lowest, and you can't change it.
2. On the Anti-phishing page, select a custom policy from the list by clicking on the
name.
3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:
The policy with the Priority value 0 has only the Decrease priority option
available.
The policy with the lowest Priority value (for example, 3) has only the
Increase priority option available.
If you have three or more policies, the policies between the highest and
lowest priority values have both the Increase priority and Decrease priority
options available.
Click Increase priority or Decrease priority to change the Priority value.
2. On the Anti-phishing page, select a custom policy from the list by clicking on the
name.
3. At the top of the policy details flyout that appears, click More actions >
Delete policy.
In Exchange Online PowerShell, the difference between anti-phish policies and anti-
phish rules is apparent. You manage anti-phish policies by using the *-AntiPhishPolicy
cmdlets, and you manage anti-phish rules by using the *-AntiPhishRule cmdlets.
In PowerShell, you create the anti-phish policy first, then you create the anti-phish
rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the anti-phish policy and the anti-phish
rule separately.
When you remove an anti-phish policy from PowerShell, the corresponding anti-
phish rule isn't automatically removed, and vice versa.
Note
Notes:
You can create a new anti-phish rule and assign an existing, unassociated anti-
phish policy to it. An anti-phish rule can't be associated with more than one anti-
phish policy.
You can configure the following settings on new anti-phish policies in PowerShell
that aren't available in the Microsoft 365 Defender portal until after you create the
policy:
Create the new policy as disabled (Enabled $false on the New-AntiPhishRule
cmdlet).
Set the priority of the policy during creation (Priority <Number> on the New-
AntiPhishRule cmdlet).
A new anti-phish policy that you create in PowerShell isn't visible in the Microsoft
365 Defender portal until you assign the policy to an anti-phish rule.
PowerShell
This example creates an anti-phish policy named Research Quarantine with the following
settings:
PowerShell
Note
PowerShell
This example creates an anti-phish rule named Research Department with the following
conditions:
The rule is associated with the anti-phish policy named Research Quarantine.
The rule applies to members of the group named Research Department.
Because we aren't using the Priority parameter, the default priority is used.
PowerShell
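The two-step workflow described above (create the policy, then the rule that binds it to recipients) as a complete PowerShell example. This is added here and is not the article's own sample: the policy name Research Quarantine, the rule and group name Research Department, and the Executives exception come from the article's description, while the group email addresses, the quarantine policy choice and the spoof settings chosen for the policy are constructed. It assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not from the article). Policy and rule names follow the article's
# description; group addresses and the spoof settings are constructed placeholders.
Connect-ExchangeOnline

# Step 1: the policy holds the protection settings. Only EOP spoof and safety-tip
# settings are used here, so this runs in an EOP-only organization too.
New-AntiPhishPolicy -Name 'Research Quarantine' `
    -AdminDisplayName 'Research department: quarantine messages blocked by spoof intelligence' `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -SpoofQuarantineTag 'AdminOnlyAccessPolicy' `
    -EnableUnauthenticatedSender $true `
    -EnableViaTag $true `
    -EnableFirstContactSafetyTips $true

# Step 2: the rule binds the policy to recipients. Multiple values in one condition
# are ORed; different conditions and exceptions are ANDed, so this rule matches a
# member of Research Department who is not also a member of Executives. No Priority
# parameter, so the default priority (after the existing custom rules) is used.
New-AntiPhishRule -Name 'Research Department' `
    -AntiPhishPolicy 'Research Quarantine' `
    -SentToMemberOf 'ResearchDepartment@contoso.com' `
    -ExceptIfSentToMemberOf 'Executives@contoso.com' `
    -Enabled $true

# Legacy equivalent of the first contact safety tip: a mail flow rule that stamps
# the header the article names. Still supported, but redundant with the policy
# setting above; shown so the two mechanisms can be compared.
New-TransportRule -Name 'First contact safety tip (legacy)' `
    -SentToMemberOf 'ResearchDepartment@contoso.com' `
    -SetHeaderName 'X-MS-Exchange-EnableFirstContactSafetyTip' `
    -SetHeaderValue 'Enable'

# Confirm the rule references the policy and shows the expected conditions.
Get-AntiPhishRule -Identity 'Research Department' |
    Format-List Name, AntiPhishPolicy, SentToMemberOf, ExceptIfSentToMemberOf, Priority, State
```

If the policy is created but the rule step fails, the policy exists yet applies to nobody and does not appear in the portal; Get-AntiPhishPolicy is the only way to find it until a rule references it.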
PowerShell
This example returns a summary list of all anti-phish policies along with the specified
properties.
PowerShell
This example returns all the property values for the anti-phish policy named Executives.
PowerShell
PowerShell
This example returns a summary list of all anti-phish rules along with the specified
properties.
PowerShell
To filter the list by enabled or disabled rules, run the following commands:
PowerShell
PowerShell
This example returns all the property values for the anti-phish rule named Contoso
Executives.
PowerShell
The MakeDefault switch that turns the specified policy into the default policy
(applied to everyone, always Lowest priority, and you can't delete it) is only
available when you modify an anti-phish policy in PowerShell.
You can't rename an anti-phish policy (the Set-AntiPhishPolicy cmdlet has no
Name parameter). When you rename an anti-phishing policy in the Microsoft 365
Defender portal, you're only renaming the anti-phish rule.
PowerShell
Note
Otherwise, the same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create an anti-phish rule section earlier in this article.
PowerShell
PowerShell
PowerShell
PowerShell
For detailed syntax and parameter information, see Enable-AntiPhishRule and Disable-
AntiPhishRule.
To set the priority of an anti-phish rule in PowerShell, use the following syntax:
PowerShell
This example sets the priority of the rule named Marketing Department to 2. All existing
rules that have a priority less than or equal to 2 are decreased by 1 (their priority
numbers are increased by 1).
PowerShell
Notes:
To set the priority of a new rule when you create it, use the Priority parameter on
the New-AntiPhishRule cmdlet instead.
The default anti-phish policy doesn't have a corresponding anti-phish rule, and it
always has the unmodifiable priority value Lowest.
PowerShell
PowerShell
PowerShell
PowerShell
In Exchange Online PowerShell, replace <Name> with the name of the policy or
rule, run the following command, and verify the settings:
PowerShell
PowerShell
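The view, filter, priority, enable/disable, remove and verify operations described in the sections above, collected into one PowerShell session. This is an added example, not the article's own code: Marketing Department, Research Department and Research Quarantine are names the article uses in its descriptions; the rest is constructed. It assumes the rules and policies named already exist in the tenant.

```powershell
# Added example (not from the article): routine management of anti-phish rules
# and policies. Names follow the article's descriptions; assumes they exist.
Connect-ExchangeOnline

# Summary of policies. The default policy has IsDefault = True and no rule of its own.
Get-AntiPhishPolicy | Format-Table Name, IsDefault, Enabled, PhishThresholdLevel -AutoSize

# Rules in processing order: priority 0 runs first, and processing stops at the first
# rule that matches a recipient.
Get-AntiPhishRule | Sort-Object Priority |
    Format-Table Name, Priority, State, AntiPhishPolicy -AutoSize

# Only enabled, or only disabled, rules.
Get-AntiPhishRule -State Enabled  | Format-Table Name, Priority -AutoSize
Get-AntiPhishRule -State Disabled | Format-Table Name, Priority -AutoSize

# Move a rule to priority 2. Existing rules are renumbered so that no two share a
# priority; re-list afterwards to see where the others landed.
Set-AntiPhishRule -Identity 'Marketing Department' -Priority 2
Get-AntiPhishRule | Sort-Object Priority | Format-Table Name, Priority -AutoSize

# Disable a rule without deleting it (the policy settings are preserved), then re-enable.
Disable-AntiPhishRule -Identity 'Marketing Department'
Enable-AntiPhishRule  -Identity 'Marketing Department'

# Removing a policy does not remove its rule, and vice versa, so remove both
# explicitly. Remove the rule first so no rule is left pointing at a missing policy.
Remove-AntiPhishRule   -Identity 'Research Department' -Confirm:$false
Remove-AntiPhishPolicy -Identity 'Research Quarantine' -Confirm:$false

# Verify: read the rule, then the policy it references, in one pass.
$rule = Get-AntiPhishRule -Identity 'Marketing Department'
$rule | Format-List Name, Priority, State, AntiPhishPolicy, SentToMemberOf, ExceptIfSentToMemberOf
Get-AntiPhishPolicy -Identity $rule.AntiPhishPolicy |
    Format-List Name, EnableSpoofIntelligence, AuthenticationFailAction,
                EnableUnauthenticatedSender, EnableViaTag, EnableFirstContactSafetyTips
```

Because the portal renames only the rule, a rule and its policy can end up with different names; the AntiPhishPolicy property on the rule, not the rule's name, is what to follow when verifying which settings a recipient actually gets.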
Anti-phishing policies in Microsoft Defender for Office 365 can help protect your
organization from malicious impersonation-based phishing attacks and other types of
phishing attacks. For more information about the differences between anti-phishing
policies in Exchange Online Protection (EOP) and anti-phishing policies in Microsoft
Defender for Office 365, see Anti-phishing protection.
Admins can view, edit, and configure (but not delete) the default anti-phishing policy.
For greater granularity, you can also create custom anti-phishing policies that apply to
specific users, groups, or domains in your organization. Custom policies always take
precedence over the default policy, but you can change the priority (running order) of
your custom policies.
You can configure anti-phishing policies in Defender for Office 365 in the Microsoft 365
Defender portal or in Exchange Online PowerShell.
For information about configuring the more limited anti-phishing policies that are
available in Exchange Online Protection (that is, organizations without Defender for
Office 365), see Configure anti-phishing policies in EOP.
The anti-phish policy: Specifies the phishing protections to enable or disable, and
the actions to apply.
The anti-phish rule: Specifies the priority and recipient filters (who the policy
applies to) for an anti-phish policy.
The difference between these two elements isn't obvious when you manage anti-
phishing policies in the Microsoft 365 Defender portal:
When you create a policy, you're actually creating an anti-phish rule and the
associated anti-phish policy at the same time using the same name for both.
When you modify a policy, settings related to the name, priority, enabled or
disabled, and recipient filters modify the anti-phish rule. All other settings modify
the associated anti-phish policy.
When you remove a policy, the anti-phish rule and the associated anti-phish policy
are removed.
In Exchange Online PowerShell, you manage the policy and the rule separately. For more
information, see the Use Exchange Online PowerShell to configure anti-phishing policies
section later in this article.
Every Defender for Office 365 organization has a built-in anti-phishing policy named
Office365 AntiPhish Default that has these properties:
The policy is applied to all recipients in the organization, even though there's no
anti-phish rule (recipient filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is
always applied last). Any custom policies that you create always have a higher
priority.
The policy is the default policy (the IsDefault property has the value True), and
you can't delete the default policy.
To increase the effectiveness of anti-phishing protection in Defender for Office 365, you
can create custom anti-phishing policies with stricter settings that are applied to specific
users or groups of users.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add, modify, and delete anti-phishing policies, you need to be a member of
the Organization Management or Security Administrator role groups.
For read-only access to anti-phishing policies, you need to be a member of the
Global Reader or Security Reader role groups*.
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
*The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
For our recommended settings for anti-phishing policies in Defender for Office
365, see Anti-phishing policy in Defender for Office 365 settings.
For information about where anti-phishing policies are applied in the filtering
pipeline, see Order and precedence of email protection.
3. The policy wizard opens. On the Policy name page, configure these settings:
4. On the Users, groups, and domains page that appears, identify the internal
recipients that the policy applies to (recipient conditions):
Users: The specified mailboxes, mail users, or mail contacts.
Groups:
Members of the specified distribution groups or mail-enabled security
groups (dynamic distribution groups are not supported).
The specified Microsoft 365 Groups.
Domains: All recipients in the specified accepted domains in your
organization.
Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.
Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).
Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.
Important
Users: romain@contoso.com
Groups: Executives
Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.
When you're finished, click Next.
5. On the Phishing threshold & protection page that appears, configure the
following settings:
Phishing email threshold: Use the slider to select one of the following values:
1 - Standard (This is the default value.)
2 - Aggressive
3 - More aggressive
4 - Most aggressive
Impersonation: These settings are a condition for the policy that identifies
specific senders to look for (individually or by domain) in the From address of
inbound messages. For more information, see Impersonation settings in anti-
phishing policies in Microsoft Defender for Office 365.
Note
Enable users to protect: The default value is off (not selected). To turn it
on, select the check box, and then click the Manage (nn) sender(s) link
that appears.
Back on the Manage senders for impersonation flyout, you can remove
entries by selecting one or more entries from the list. You can search for
entries using the Search box.
After you select at least one entry, the Remove selected users icon
appears, which you can use to remove the selected entries.
Enable domains to protect: The default value is off (not selected). To turn
it on, select the check box, and then configure one or both of the
following settings that appear:
Include the domains I own: To turn this setting on, select the check
box. To view the domains that you own, click View my domains.
Include custom domains: To turn this setting on, select the check box,
and then click the Manage (nn) custom domain(s) link that appears. In
the Manage custom domains for impersonation protection flyout that
appears, click Add domains.
In the Add custom domains flyout that appears, click in the Domain
box, enter a value, and then press Enter or select the value that's
displayed below the box. Repeat this step as many times as necessary.
To remove an existing value, click remove next to the value.
After you select at least one entry, the Delete icon appears, which you
can use to remove the selected entries.
Senders: Verify the Sender tab is selected and click . In the Add trusted
senders flyout that appears, enter an email address in the box and then
click Add. Repeat this step as many times as necessary. To remove an
existing entry, click for the entry.
In the Add trusted domains flyout that appears, click in the Domain box,
enter a value, and then press Enter or select the value that's displayed
below the box. Repeat this step as many times as necessary. To remove an
existing value, click remove next to the value.
Back on the Manage custom domains for impersonation flyout, you can
remove entries from the Sender and Domain tabs by selecting one or more
entries from the list. You can search for entries using the Search box.
After you select at least one entry, the Delete icon appears, which you can
use to remove the selected entries.
We recommend that you turn this setting on by selecting the check box.
To turn this setting off, clear the check box.
Spoof: In this section, use the Enable spoof intelligence check box to turn
spoof intelligence on or off. The default value is on (selected), and we
recommend that you leave it on. You specify the action to take on messages
from blocked spoofed senders in the If message is detected as spoof setting
on the next page.
Deliver the message and add other addresses to the Bcc line
To turn on a setting, select the check box. To turn it off, clear the check box.
2. On the Anti-phishing page, the following properties are displayed in the list of
anti-phishing policies:
Name
Status
Priority
Last modified
3. When you select a policy by clicking on the name, the policy settings are displayed
in a flyout.
2. On the Anti-phishing page, select a policy from the list by clicking on the name.
3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the Use
the Microsoft 365 Defender portal to create anti-phishing policies section earlier in
this article.
For the default anti-phishing policy, the Users, groups, and domains section isn't
available (the policy applies to everyone), and you can't rename the policy.
To enable or disable a policy or set the policy priority order, see the following sections.
2. On the Anti-phishing page, select a custom policy from the list by clicking on the
name.
3. At the top of the policy details flyout that appears, you'll see one of the following
values:
Back on the main policy page, the Status value of the policy will be On or Off.
To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.
Notes:
In the Microsoft 365 Defender portal, you can only change the priority of the anti-
phishing policy after you create it. In PowerShell, you can override the default
priority when you create the anti-phish rule (which can affect the priority of
existing rules).
Anti-phishing policies are processed in the order that they're displayed (the first
policy has the Priority value 0). The default anti-phishing policy has the priority
value Lowest, and you can't change it.
2. On the Anti-phishing page, select a custom policy from the list by clicking on the
name.
3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:
The policy with the Priority value 0 has only the Decrease priority option
available.
The policy with the lowest Priority value (for example, 3) has only the
Increase priority option available.
If you have three or more policies, the policies between the highest and
lowest priority values have both the Increase priority and Decrease priority
options available.
3. At the top of the policy details flyout that appears, click More actions >
Delete policy.
In Exchange Online PowerShell, the difference between anti-phish policies and anti-
phish rules is apparent. You manage anti-phish policies by using the *-AntiPhishPolicy
cmdlets, and you manage anti-phish rules by using the *-AntiPhishRule cmdlets.
In PowerShell, you create the anti-phish policy first, then you create the anti-phish
rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the anti-phish policy and the anti-phish
rule separately.
When you remove an anti-phish policy from PowerShell, the corresponding anti-
phish rule isn't automatically removed, and vice versa.
Notes:
You can create a new anti-phish rule and assign an existing, unassociated anti-
phish policy to it. An anti-phish rule can't be associated with more than one anti-
phish policy.
You can configure the following settings on new anti-phish policies in PowerShell
that aren't available in the Microsoft 365 Defender portal until after you create the
policy:
Create the new policy as disabled (Enabled $false on the New-AntiPhishRule
cmdlet).
Set the priority of the policy during creation (Priority <Number> on the New-
AntiPhishRule cmdlet).
A new anti-phish policy that you create in PowerShell isn't visible in the Microsoft
365 Defender portal until you assign the policy to an anti-phish rule.
This example creates an anti-phish policy named Research Quarantine with the following
settings:
The policy is enabled (we aren't using the Enabled parameter, and the default value
is $true ).
The description is: Research department policy.
Changes the default action for spoofing detections to Quarantine, and uses the
default quarantine policy for the quarantined messages (we aren't using the
SpoofQuarantineTag parameter).
Enables organization domains protection for all accepted domains, and targeted
domains protection for fabrikam.com.
Specifies Quarantine as the action for domain impersonation detections, and uses
the default quarantine policy for the quarantined messages (we aren't using the
TargetedDomainQuarantineTag parameter).
Specifies Mai Fujito (mfujito@fabrikam.com) as the user to protect from
impersonation.
Specifies Quarantine as the action for user impersonation detections, and uses the
default quarantine policy for the quarantined messages (we aren't using the
TargetedUserQuarantineTag parameter).
Enables mailbox intelligence (EnableMailboxIntelligence), allows mailbox
intelligence protection to take action on messages
(EnableMailboxIntelligenceProtection), specifies Quarantine as the action for
detected messages, and uses the default quarantine policy for the quarantined
messages (we aren't using the MailboxIntelligenceQuarantineTag parameter).
Enables all safety tips.
This example creates an anti-phish rule named Research Department with the following
conditions:
The rule is associated with the anti-phish policy named Research Quarantine.
The rule applies to members of the group named Research Department.
Because we aren't using the Priority parameter, the default priority is used.
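The two steps above, as an added example that is not the article's own code: it creates the Research Quarantine policy, binds it with the Research Department rule, verifies the binding, and only then enables the rule. It assumes a connected Exchange Online PowerShell session (Connect-ExchangeOnline) and an existing group named Research Department; parameters the article doesn't name are the cmdlets' documented parameters.

```powershell
# Added example, not the article's own code. Assumes Connect-ExchangeOnline has
# already been run and that the "Research Department" group exists.

$policyName = 'Research Quarantine'
$ruleName   = 'Research Department'

# Step 1: the policy holds the detection settings. A policy created here is not
# visible in the Defender portal until a rule binds it, so check before creating.
if (-not (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    $policyParams = @{
        Name                                = $policyName
        AdminDisplayName                    = 'Research department policy'
        # Spoof detections: quarantine, using the default quarantine policy
        # (so no SpoofQuarantineTag).
        AuthenticationFailAction            = 'Quarantine'
        # Domain impersonation: all accepted domains plus fabrikam.com.
        EnableOrganizationDomainsProtection = $true
        EnableTargetedDomainsProtection     = $true
        TargetedDomainsToProtect            = 'fabrikam.com'
        TargetedDomainProtectionAction      = 'Quarantine'
        # User impersonation: entries take the form "DisplayName;EmailAddress".
        EnableTargetedUserProtection        = $true
        TargetedUsersToProtect              = 'Mai Fujito;mfujito@fabrikam.com'
        TargetedUserProtectionAction        = 'Quarantine'
        # Mailbox intelligence, allowed to act on its detections.
        EnableMailboxIntelligence           = $true
        EnableMailboxIntelligenceProtection = $true
        MailboxIntelligenceProtectionAction = 'Quarantine'
        # All safety tips.
        EnableSimilarUsersSafetyTips        = $true
        EnableSimilarDomainsSafetyTips      = $true
        EnableUnusualCharactersSafetyTips   = $true
    }
    New-AntiPhishPolicy @policyParams | Out-Null
}

# Step 2: the rule decides who the policy applies to. Creating it disabled is a
# PowerShell-only option; it lets you review the result before it takes effect.
if (-not (Get-AntiPhishRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-AntiPhishRule -Name $ruleName -AntiPhishPolicy $policyName `
        -SentToMemberOf 'Research Department' -Enabled $false | Out-Null
}

# Step 3: read both objects back and confirm the rule points at the right policy.
$rule   = Get-AntiPhishRule -Identity $ruleName
$policy = Get-AntiPhishPolicy -Identity $rule.AntiPhishPolicy
if ($policy.Name -ne $policyName) {
    throw "Rule '$ruleName' is bound to '$($rule.AntiPhishPolicy)', not '$policyName'"
}
$policyProps = 'Name', 'AuthenticationFailAction', 'TargetedDomainsToProtect',
               'TargetedDomainProtectionAction', 'TargetedUsersToProtect',
               'TargetedUserProtectionAction', 'MailboxIntelligenceProtectionAction'
$policy | Format-List $policyProps
$rule   | Format-List Name, State, Priority, AntiPhishPolicy, SentToMemberOf

# Step 4: only now put the rule into effect.
Enable-AntiPhishRule -Identity $ruleName
```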
This example returns a summary list of all anti-phish policies along with the specified
properties.
This example returns all the property values for the anti-phish policy named Executives.
This example returns a summary list of all anti-phish rules along with the specified
properties.
To filter the list by enabled or disabled rules, run the following commands:
PowerShell
Get-AntiPhishRule -State Disabled | Format-Table Name,Priority
This example returns all the property values for the anti-phish rule named Contoso
Executives.
The MakeDefault switch that turns the specified policy into the default policy
(applied to everyone, always Lowest priority, and you can't delete it) is only
available when you modify an anti-phish policy in PowerShell.
Otherwise, no additional settings are available when you modify an anti-phish rule in
PowerShell. The same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create an anti-phish rule section earlier in this article.
For detailed syntax and parameter information, see Enable-AntiPhishRule and Disable-
AntiPhishRule.
To set the priority of an anti-phish rule in PowerShell, use the following syntax:
This example sets the priority of the rule named Marketing Department to 2. All existing
rules that have a priority less than or equal to 2 are decreased by 1 (their priority
numbers are increased by 1).
Notes:
To set the priority of a new rule when you create it, use the Priority parameter on
the New-AntiPhishRule cmdlet instead.
The default anti-phish policy doesn't have a corresponding anti-phish rule, and it
always has the unmodifiable priority value Lowest.
In Exchange Online PowerShell, replace <Name> with the name of the policy or
rule, and run the following command to verify the settings:
PowerShell
Get-AntiPhishPolicy -Identity "<Name>"
When it comes to protecting its users, Microsoft takes the threat of phishing seriously.
Spoofing is a common technique that's used by attackers. Spoofed messages appear to
originate from someone or somewhere other than the actual source. This technique is
often used in phishing campaigns that are designed to obtain user credentials. The anti-
spoofing technology in EOP specifically examines forgery of the From header in the
message body (used to display the message sender in email clients). When EOP has high
confidence that the From header is forged, the message is identified as spoofed.
EOP analyzes and blocks messages that can't be authenticated by the combination
of standard email authentication methods and sender reputation techniques.
Spoof intelligence insight: Review spoofed messages from senders in internal and
external domains during the last 7 days, and allow or block those senders. For
more information, see Spoof intelligence insight in EOP.
Allow or block spoofed senders in the Tenant Allow/Block List: When you
override the verdict in the spoof intelligence insight, the spoofed sender becomes
a manual allow or block entry that only appears on the Spoofed senders tab in the
Tenant Allow/Block List. You can also manually create allow or block entries for
spoof senders before they're detected by spoof intelligence. For more information,
see Manage the Tenant Allow/Block List in EOP.
Anti-phishing policies: In EOP and Microsoft Defender for Office 365, anti-
phishing policies contain the following anti-spoofing settings:
Turn spoof intelligence on or off.
Turn unauthenticated sender indicators in Outlook on or off.
Specify the action for blocked spoofed senders.
Spoof detections report: For more information, see Spoof Detections report.
Note: Defender for Office 365 organizations can also use Real-time detections
(Plan 1) or Threat Explorer (Plan 2) to view information about phishing attempts.
For more information, see Microsoft 365 threat investigation and response.
Spoofed messages deceive users: A spoofed message might trick the recipient
into clicking a link and giving up their credentials, downloading malware, or
replying to a message with sensitive content (known as a business email
compromise or BEC).
The following message is an example of phishing that uses the spoofed sender
msoutlook94@service.outlook.com:
This message didn't come from service.outlook.com, but the attacker spoofed the
From header field to make it look like it did. This was an attempt to trick the
recipient into clicking the change your password link and giving up their
credentials.
The following message is an example of BEC that uses the spoofed email domain
contoso.com:
The message looks legitimate, but the sender is spoofed.
Users confuse real messages for fake ones: Even users who know about phishing
might have difficulty seeing the differences between real messages and spoofed
messages.
The following message is an example of a real password reset message from the
Microsoft Security account:
The message really did come from Microsoft, but users have been conditioned to
be suspicious. Because it's difficult to tell the difference between a real password
reset message and a fake one, users might ignore the message, report it as spam, or
unnecessarily report the message to Microsoft as phishing.
From: chris@contoso.com
To: michelle@contoso.com
The sender and the recipient are in subdomains of the same domain:
From: laura@marketing.fabrikam.com
To: julia@engineering.fabrikam.com
The sender and recipient are in different domains that belong to the same
organization (that is, both domains are configured as accepted domains in the
same organization):
Messages that fail composite authentication due to intra-org spoofing contain the
following header values:
X-Forefront-Antispam-Report: ...CAT:SPOOF;...SFTY:9.11
SFTY is the safety level of the message. 9 indicates phishing, .11 indicates intra-
org spoofing.
Cross-domain spoofing: The sender and recipient domains are different, and have
no relationship to each other (also known as external domains). For example:
From: chris@contoso.com
To: michelle@tailspintoys.com
X-Forefront-Antispam-Report: ...CAT:SPOOF;...SFTY:9.22
SFTY is the safety level of the message. 9 indicates phishing, .22 indicates cross-
domain spoofing.
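An added example, not part of the original article, that reads the CAT and SFTY values described above out of an X-Forefront-Antispam-Report header value and reports which kind of spoof EOP flagged next to what the From and To domains themselves suggest. The header strings and the third pair of addresses are constructed for illustration, and the -AcceptedDomains input is an assumed helper parameter standing in for your organization's accepted-domain list.

```powershell
# Added example, not from the original article. Sample headers and addresses
# below are constructed; the CAT/SFTY codes are the ones the article documents.

function Get-DomainRelationship {
    param([string] $From, [string] $To, [string[]] $AcceptedDomains)
    $fromDomain = ($From -split '@')[-1].ToLowerInvariant()
    $toDomain   = ($To   -split '@')[-1].ToLowerInvariant()
    if ($fromDomain -eq $toDomain) { return 'SameDomain' }
    # Compare the last two labels (fabrikam.com in marketing.fabrikam.com). Good
    # enough for the article's examples; a real audit should key off accepted domains.
    $fromParent = (($fromDomain -split '\.')[-2..-1]) -join '.'
    $toParent   = (($toDomain   -split '\.')[-2..-1]) -join '.'
    if ($fromParent -eq $toParent) { return 'SameParentDomain' }
    if (($AcceptedDomains -contains $fromDomain) -and ($AcceptedDomains -contains $toDomain)) {
        return 'BothAcceptedDomains'
    }
    return 'Unrelated'
}

function Get-SpoofVerdict {
    param(
        [Parameter(Mandatory)] [string] $AntispamReport,  # X-Forefront-Antispam-Report value
        [Parameter(Mandatory)] [string] $From,            # 5322.From address
        [Parameter(Mandatory)] [string] $To,              # recipient address
        [string[]] $AcceptedDomains = @()                 # assumed input: your accepted domains
    )
    # The header is a ;-separated list of KEY:VALUE fields; pull out CAT and SFTY.
    $cat  = if ($AntispamReport -match '(?:^|;)CAT:([A-Za-z]+)')       { $Matches[1] } else { '' }
    $sfty = if ($AntispamReport -match '(?:^|;)SFTY:([0-9]+\.[0-9]+)') { $Matches[1] } else { '' }

    # SFTY 9.xx means phishing; .11 is intra-org spoofing, .22 is cross-domain spoofing.
    $headerVerdict = switch ($sfty) {
        '9.11'  { 'IntraOrgSpoof' }
        '9.22'  { 'CrossDomainSpoof' }
        default { if ($cat -eq 'SPOOF') { 'SpoofOtherSafetyLevel' } else { 'NoSpoofVerdict' } }
    }

    [pscustomobject]@{
        From               = $From
        To                 = $To
        Category           = $cat
        SafetyLevel        = $sfty
        HeaderVerdict      = $headerVerdict
        DomainRelationship = Get-DomainRelationship -From $From -To $To -AcceptedDomains $AcceptedDomains
    }
}

# Constructed samples: the intra-org cases and the cross-domain case from the article.
$accepted = 'contoso.com', 'fabrikam.com'
$samples = @(
    @{ AntispamReport = 'CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:5;SFV:SPM;CAT:SPOOF;DIR:INB;SFTY:9.11'
       From = 'chris@contoso.com';            To = 'michelle@contoso.com' }
    @{ AntispamReport = 'CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:5;SFV:SPM;CAT:SPOOF;DIR:INB;SFTY:9.11'
       From = 'laura@marketing.fabrikam.com'; To = 'julia@engineering.fabrikam.com' }
    @{ AntispamReport = 'CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:5;SFV:SPM;CAT:SPOOF;DIR:INB;SFTY:9.11'
       From = 'sam@contoso.com';              To = 'lee@fabrikam.com' }
    @{ AntispamReport = 'CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:5;SFV:SPM;CAT:SPOOF;DIR:INB;SFTY:9.22'
       From = 'chris@contoso.com';            To = 'michelle@tailspintoys.com' }
    @{ AntispamReport = 'CIP:198.51.100.7;CTRY:XX;LANG:en;SCL:1;SFV:NSPM;CAT:NONE;DIR:INB'
       From = 'newsletter@example.com';       To = 'michelle@contoso.com' }
)
foreach ($s in $samples) { Get-SpoofVerdict @s -AcceptedDomains $accepted } | Format-Table -AutoSize
```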
Note
For more information about DMARC, see Use DMARC to validate email in Microsoft 365.
Subject: Great viewing of blue jays at the top of Mt. Rainier this week
Anyone want to check out the viewing this week from Mt. Rainier?
The mailing list server receives the message, modifies its content, and replays it to the
members of the list. The replayed message has the same From address
(glaureano@contoso.com), but a tag is added to the subject line, and a footer is added
to the bottom of the message. This type of modification is common in mailing lists, and
may result in false positives for spoofing.
Subject: [BIRDWATCHERS] Great viewing of blue jays at the top of Mt. Rainier this
week
Anyone want to check out the viewing this week from Mt. Rainier?
This message was sent to the Birdwatchers Discussion List. You can unsubscribe at
any time.
To help mailing list messages pass anti-spoofing checks, do the following steps based on
whether you control the mailing list:
Check the FAQ at DMARC.org: I operate a mailing list and I want to interoperate
with DMARC, what should I do? .
Read the instructions at this blog post: A tip for mailing list operators to
interoperate with DMARC to avoid failures.
Consider installing updates on your mailing list server to support ARC, see
http://arc-spec.org .
Ask the maintainer of the mailing list to configure email authentication for the
domain that the mailing list is relaying from.
When enough senders reply back to domain owners that they should set up
email authentication records, it spurs them into taking action. While Microsoft
also works with domain owners to publish the required records, it helps even
more when individual users request it.
Create inbox rules in your email client to move messages to the Inbox. You can
also ask your admins to configure overrides as described in Spoof intelligence
insight in EOP and Manage the Tenant Allow/Block List.
Use the Tenant Allow/Block List to create an override for the mailing list to treat
it as legitimate. For more information, see Create allow entries for spoofed
senders.
If all else fails, you can report the message as a false positive to Microsoft. For more
information, see Report messages and files to Microsoft.
Senders in an individual user's (or admin's) Safe Senders list will bypass parts of the
filtering stack, including spoof protection. For more information, see Outlook Safe
Senders.
Admins should avoid (when possible) using allowed sender lists or allowed domain lists.
These senders bypass all spam, spoofing, and phishing protection, and also sender
authentication (SPF, DKIM, DMARC). For more information, see Use allowed sender lists
or allowed domain lists.
Anti-spoofing protection FAQ
This article provides frequently asked questions and answers about anti-spoofing
protection for Microsoft 365 organizations with mailboxes in Exchange Online, or
standalone Exchange Online Protection (EOP) organizations without Exchange Online
mailboxes.
For questions and answers about anti-spam protection, see Anti-spam protection FAQ.
For questions and answers about anti-malware protection, see Anti-malware protection
FAQ.
Microsoft itself first adopted the new email authentication requirements several weeks
before deploying them to customers. While there was disruption at first, it gradually
declined.
We recommend that you disable this feature as it provides almost no additional benefit
for detecting spam or phishing messages, and would instead generate mostly false
positives. For more information, see Advanced Spam Filter (ASF) settings in EOP.
Phishing attacks are a constant threat to any email organization. In addition to using
spoofed (forged) sender email addresses, attackers often use values in the From address
that violate internet standards. To help prevent this type of phishing, Exchange Online
Protection (EOP) and Outlook.com now require inbound messages to include an RFC-
compliant From address as described in this article. This enforcement was enabled in
November 2017.
Notes:
If you regularly receive email from organizations that have malformed From
addresses as described in this article, encourage these organizations to update
their email servers to comply with modern security standards.
The related Sender field (used by Send on Behalf and mailing lists) isn't affected by
these requirements. For more information, see the following blog post: What do
we mean when we refer to the 'sender' of an email?.
The 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or
envelope sender) is the email address that's used in the SMTP transmission of the
message. This email address is typically recorded in the Return-Path header field in
the message header (although it's possible for the sender to designate a different
Return-Path email address).
The 5322.From (also known as the From address or P2 sender) is the email address
in the From header field, and is the sender's email address that's displayed in email
clients. The From address is the focus of the requirements in this article.
The From address is defined in detail across several RFCs (for example, RFC 5322
sections 3.2.3, 3.4, and 3.4.1, and RFC 3696 ). There are many variations on addressing
and what's considered valid or invalid. To keep it simple, we recommend the following
format and definitions:
From: "Display Name" <EmailAddress>
Display Name: An optional phrase that describes the owner of the email address.
We recommend that you always enclose the display name in double quotation
marks (") as shown. If the display name contains a comma, you must enclose the
string in double quotation marks per RFC 5322.
If the From address includes a display name, the EmailAddress value must be
enclosed in angle brackets (< >) as shown.
Microsoft strongly recommends that you insert a space between the display
name and the email address.
From: sender@contoso.com
From: <sender@contoso.com>
From: < sender@contoso.com > (Not recommended because there are spaces
between the angle brackets and the email address.)
No From address: Some automated messages don't include a From address. In the
past, when Microsoft 365 or Outlook.com received a message without a From
address, the service added the following default From: address to make the
message deliverable:
From: <>
From: Microsoft 365 sender@contoso.com (The display name is present, but the
email address isn't enclosed in angle brackets.)
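An added example, not from the original article, that checks a From header value against the format recommended above: the requirements (an address must be present, a display name requires angle brackets, a comma in the display name requires quotes) make a value non-compliant, while the recommendations (quoted display name, a space before the bracket, no spaces inside it) only produce warnings. The sample values are the article's own examples plus two constructed ones marked in the code.

```powershell
# Added example, not from the original article.

function Test-FromAddressFormat {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string] $FromValue)

    $emailPattern = '[^\s@<>"]+@[^\s@<>"]+\.[^\s@<>"]+'
    # Accept either the bare header value or the full "From: ..." line.
    $value    = ($FromValue -replace '^\s*From:\s*', '').Trim()
    $warnings = @()
    $result   = [ordered]@{ Value = $FromValue; Compliant = $true; Problem = ''; Warnings = '' }

    if ($value -eq '' -or $value -eq '<>') {
        $result.Compliant = $false
        $result.Problem   = 'No email address present'
    }
    elseif ($value -match "^$emailPattern$") {
        # Bare address with no display name: valid as-is.
    }
    elseif ($value -match '^(?<name>.*?)<(?<inner>[^<>]*)>$') {
        $name  = $Matches['name']
        $inner = $Matches['inner']
        if ($inner -ne $inner.Trim()) {
            $warnings += 'spaces between the angle brackets and the email address (not recommended)'
        }
        if ($inner.Trim() -notmatch "^$emailPattern$") {
            $result.Compliant = $false
            $result.Problem   = 'No valid email address between the angle brackets'
        }
        elseif ($name -ne '') {
            if ($name -notmatch '\s$') {
                $warnings += 'no space between the display name and the angle bracket (recommended)'
            }
            $display = $name.Trim()
            if ($display -notmatch '^".*"$') {
                if ($display -match ',') {
                    # RFC 5322: a comma in an unquoted display name is not allowed.
                    $result.Compliant = $false
                    $result.Problem   = 'Display name contains a comma but is not in double quotation marks'
                } else {
                    $warnings += 'display name is not enclosed in double quotation marks (recommended)'
                }
            }
        }
    }
    else {
        # Text before the address but no angle brackets, e.g. "Microsoft 365 sender@contoso.com".
        $result.Compliant = $false
        $result.Problem   = 'Display name present but the email address is not enclosed in angle brackets'
    }

    $result.Warnings = $warnings -join '; '
    [pscustomobject]$result
}

# The article's examples plus two constructed values ("Sender, Example").
@(
    'From: sender@contoso.com'
    'From: <sender@contoso.com>'
    'From: < sender@contoso.com >'
    'From: "Microsoft 365" <sender@contoso.com>'
    'From: "Sender, Example" <sender.example@contoso.com>'   # constructed
    'From: Sender, Example <sender.example@contoso.com>'     # constructed
    'From: Microsoft 365 sender@contoso.com'
    'From: <>'
) | ForEach-Object { Test-FromAddressFormat $_ } | Format-Table -AutoSize -Wrap
```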
Choose an email domain that can't receive email. For example, if your primary
domain is contoso.com, you might choose noreply.contoso.com.
For example:
text
noreply.contoso.com IN MX .
For more information about setting up MX records, see Create DNS records at any DNS
hosting provider for Microsoft 365.
For more information about publishing a null MX, see RFC 7505 .
You can't override the From address requirements for outbound email that you send
from Microsoft 365. In addition, Outlook.com will not allow overrides of any kind, even
through support.
Safe Attachments in Microsoft Defender for Office 365 provides an additional layer of
protection for email attachments that have already been scanned by anti-malware
protection in Exchange Online Protection (EOP). Specifically, Safe Attachments uses a
virtual environment to check attachments in email messages before they're delivered to
recipients (a process known as detonation).
The following table describes scenarios for Safe Attachments in Microsoft 365 and Office
365 organizations that include Microsoft Defender for Office 365 (in other words, lack of
licensing is never an issue in the examples).
Scenario: Pat's Microsoft 365 E5 organization has no Safe Attachments policies
configured.
Result: Pat is protected by Safe Attachments due to the Built-in protection preset
security policy that applies to all recipients who are not otherwise defined in Safe
Attachments policies.
Scenario: Lee's organization has a Safe Attachments policy that applies only to finance
employees. Lee is a member of the sales department.
Result: Lee and the rest of the sales department are protected by Safe Attachments due
to the Built-in protection preset security policy that applies to all recipients who are
not otherwise defined in Safe Attachments policies.
Scenario: Yesterday, an admin in Jean's organization created a Safe Attachments policy
that
Result: Jean is protected by Safe Attachments due to that custom Safe Attachments
policy.
Safe Attachments scanning takes place in the same region where your Microsoft 365
data resides. For more information about datacenter geography, see Where is your data
located?
Note
The following features are located in the global settings of Safe Attachments
policies in the Microsoft 365 Defender portal. But, these settings are enabled or
disabled globally, and don't require Safe Attachments policies:
Recipient filters: You need to specify the recipient conditions and exceptions that
determine who the policy applies to. You can use these properties for conditions
and exceptions:
Users
Groups
Domains
You can only use a condition or exception once, but the condition or exception can
contain multiple values. Multiple values of the same condition or exception use OR
logic (for example, <recipient1> or <recipient2>). Different conditions or
exceptions use AND logic (for example, <recipient1> and <member of group 1>).
Important
For example, if a recipient filter condition in the policy specifies the user
romain@contoso.com and the group Executives, the policy is applied to
romain@contoso.com only if he's also a member of the Executives group.
Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.
Safe Attachments unknown malware response: This setting controls the action for
Safe Attachments malware scanning in email messages. The available options are
described in the following table:
(Effect, continued) Delivery of safe messages might be delayed due to Safe Attachments
scanning.
Option: Block
Effect: Prevents messages with detected malware attachments from being delivered.
Messages are quarantined. By default, only admins (not users) can review, release, or
delete the messages.* Automatically blocks future instances of the messages and
attachments. Delivery of safe messages might be delayed due to Safe Attachments
scanning.
Use when you want to: Protects your organization from repeated attacks using the same
malware attachments. This is the default value, and the recommended value in Standard
and Strict preset security policies.
Option: Replace
Effect: Note: This action will be deprecated. For more information, see MC424901.
Removes detected malware attachments. Notifies recipients that attachments have been
removed. Messages that contain malicious attachments are quarantined. By default, only
admins (not users) can review, release, or delete the messages.* Delivery of safe
messages might be delayed due to Safe Attachments scanning.
Use when you want to: Raise visibility to recipients that attachments were removed
because of detected malware.
Option: Dynamic Delivery
Effect: Delivers messages immediately, but replaces attachments with placeholders until
Safe Attachments scanning is complete. Messages that contain malicious attachments are
quarantined. By default, only admins (not users) can review, release, or delete the
messages.*
Use when you want to: Avoid message delays while protecting recipients from malicious
files.
* Quarantine policy: Admins can create and assign quarantine policies in Safe
Attachments policies that define what users are allowed to do to quarantined
messages. For more information, see Quarantine policies.
Note
Redirection will soon be available only for the Monitor action. For more
information, see MC424899 .
Priority: If you create multiple policies, you can specify the order that they're
applied. No two policies can have the same priority, and policy processing stops
after the first policy is applied.
For more information about the order of precedence and how multiple policies are
evaluated and applied, see Order and precedence of email protection.
The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email
delivery delays that might be caused by Safe Attachments scanning. The body of the
email message is delivered to the recipient with a placeholder for each attachment. The
placeholder remains until the attachment is found to be safe, and then the attachment
becomes available to open or download.
Most PDFs and Office documents can be previewed in safe mode while Safe
Attachments scanning is underway. If an attachment is not compatible with the Dynamic
Delivery previewer, the recipients will see a placeholder for the attachment until Safe
Attachments scanning is complete.
If you're using a mobile device, and PDFs aren't rendering in the Dynamic Delivery
previewer on your mobile device, try opening the message in Outlook on the web
(formerly known as Outlook Web App) using your mobile browser.
Here are some considerations for Dynamic Delivery and forwarded messages:
If the forwarded recipient is protected by a Safe Attachments policy that uses the
Dynamic Delivery option, then the recipient sees the placeholder, with the ability to
preview compatible files.
If the forwarded recipient is not protected by a Safe Attachments policy, the
message and attachments will be delivered without any Safe Attachments scanning
or attachment placeholders.
There are scenarios where Dynamic Delivery is unable to replace attachments in
messages. These scenarios include:
Important
This article is intended for business customers who have Microsoft Defender for
Office 365. If you're a home user looking for information about attachment
scanning in Outlook, see Advanced Outlook.com security .
Safe Attachments is a feature in Microsoft Defender for Office 365 that uses a virtual
environment to check attachments in inbound email messages after they've been
scanned by anti-malware protection in Exchange Online Protection (EOP), but before
delivery to recipients. For more information, see Safe Attachments in Microsoft Defender
for Office 365.
Although there's no default Safe Attachments policy, the Built-in protection preset
security policy provides Safe Attachments protection to all recipients (users who aren't
defined in the Standard or Strict preset security policies or custom Safe Attachments
policies). For more information, see Preset security policies in EOP and Microsoft
Defender for Office 365. You can also use the procedures in this article to create Safe
Attachments policies that apply to specific users, groups, or domains.
You can configure Safe Attachments policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with
mailboxes in Exchange Online; standalone EOP PowerShell for organizations without
Exchange Online mailboxes, but with Defender for Office 365 add-on subscriptions).
The difference between these two elements isn't obvious when you manage Safe
Attachments policies in the Microsoft 365 Defender portal:
When you create a Safe Attachments policy, you're actually creating a safe
attachment rule and the associated safe attachment policy at the same time using
the same name for both.
When you modify a Safe Attachments policy, settings related to the name, priority,
enabled or disabled, and recipient filters modify the safe attachment rule. All other
settings modify the associated safe attachment policy.
When you remove a Safe Attachments policy, the safe attachment rule and the
associated safe attachment policy are removed.
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy
and the rule separately. For more information, see the Use Exchange Online PowerShell
or standalone EOP PowerShell to configure Safe Attachments policies section later in
this article.
Note
In the global settings area of Safe Attachments settings, you configure features that
are not dependent on Safe Attachments policies. For instructions see Turn on Safe
Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents
in Microsoft 365 E5.
You need permissions before you can do the procedures in this article:
To create, modify, and delete Safe Attachments policies, you need to be a
member of the Organization Management or Security Administrator role
groups in the Microsoft 365 Defender portal and a member of the Organization
Management role group in Exchange Online.
For read-only access to Safe Attachments policies, you need to be a member of
the Global Reader or Security Reader role groups in the Microsoft 365
Defender portal.
For more information, see Permissions in the Microsoft 365 Defender portal and
Permissions in Exchange Online.
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions in the Microsoft 365
Defender portal and permissions for other features in Microsoft 365. For more
information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
For our recommended settings for Safe Attachments policies, see Safe
Attachments settings.
3. The policy wizard opens. On the Name your policy page, configure the following
settings:
4. On the Users and domains page that appears, identify the internal recipients that
the policy applies to (recipient conditions):
Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.
Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).
Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.
Important
Users: romain@contoso.com
Groups: Executives
Quarantine policy: Select the quarantine policy that applies to messages that
are quarantined by Safe Attachments (Block, Replace, or Dynamic Delivery).
Quarantine policies define what users are able to do to quarantined
messages, and whether users receive quarantine notifications. For more
information, see Quarantine policies.
Note
Redirection will soon be available only for the Monitor action. For more
information, see MC424899.
Apply the Safe Attachments detection response if scanning can't complete
(timeout or errors): The action specified by Safe Attachments unknown
malware response is taken on messages even when Safe Attachments
scanning can't complete. If you selected this option, always select Enable
redirect and specify an email address to send messages that contain malware
attachments. Otherwise, messages might be lost.
6. On the Review page that appears, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.
2. On the Safe Attachments page, the following properties are displayed in the list of
policies:
Name
Status
Priority
3. When you select a policy by clicking on the name, the policy settings are displayed
in a flyout.
3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the Use
the Microsoft 365 Defender portal to create Safe Attachments policies section
earlier in this article.
To enable or disable a policy or set the policy priority order, see the following sections.
2. On the Safe Attachments page, select a policy from the list by clicking on the
name.
3. At the top of the policy details flyout that appears, you'll see one of the following
values:
Back on the main policy page, the Status value of the policy will be On or Off.
For more information about the order of precedence and how multiple policies are
evaluated and applied, see Order and precedence of email protection.
Safe Attachments policies are displayed in the order they're processed (the first policy
has the Priority value 0).
Note: In the Microsoft 365 Defender portal, you can only change the priority of the Safe
Attachments policy after you create it. In PowerShell, you can override the default
priority when you create the safe attachment rule (which can affect the priority of
existing rules).
To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.
1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Safe Attachments in the Policies section.
2. On the Safe Attachments page, select a policy from the list by clicking on the
name.
3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of policies:
The policy with the Priority value 0 has only the Decrease priority option
available.
The policy with the lowest Priority value (for example, 3) has only the
Increase priority option available.
If you have three or more policies, the policies between the highest and
lowest priority values have both the Increase priority and Decrease priority
options available.
3. At the top of the policy details flyout that appears, click More actions >
Delete policy.
In PowerShell, the difference between safe attachment policies and safe attachment
rules is apparent. You manage safe attachment policies by using the
*-SafeAttachmentPolicy cmdlets, and you manage safe attachment rules by using the
*-SafeAttachmentRule cmdlets.
In PowerShell, you create the safe attachment policy first, then you create the safe
attachment rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the safe attachment policy and the safe
attachment rule separately.
When you remove a safe attachment policy from PowerShell, the corresponding
safe attachment rule isn't automatically removed, and vice versa.
Notes:
You can create a new safe attachment rule and assign an existing, unassociated
safe attachment policy to it. A safe attachment rule can't be associated with more
than one safe attachment policy.
You can configure the following settings on new safe attachment policies in
PowerShell that aren't available in the Microsoft 365 Defender portal until after you
create the policy:
Create the new policy as disabled (Enabled $false on the New-SafeAttachmentRule
cmdlet).
Set the priority of the policy during creation (Priority <Number> on the
New-SafeAttachmentRule cmdlet).
A new safe attachment policy that you create in PowerShell isn't visible in the
Microsoft 365 Defender portal until you assign the policy to a safe attachment rule.
This example creates a safe attachment policy named Contoso All with the following
values:
Block messages that are found to contain malware by Safe Documents scanning
(we aren't using the Action parameter, and the default value is Block).
The default quarantine policy is used (AdminOnlyAccessPolicy), because we aren't
using the QuarantineTag parameter.
Redirection is enabled, and messages that are found to contain malware are sent
to sec-ops@contoso.com for analysis and investigation.
If Safe Attachments scanning isn't available or encounters errors, don't deliver the
message (we aren't using the ActionOnError parameter, and the default value is
$true).
This example creates a safe attachment rule named Contoso All with the following
conditions:
The rule is associated with the safe attachment policy named Contoso All.
The rule applies to all recipients in the contoso.com domain.
Because we aren't using the Priority parameter, the default priority is used.
The rule is enabled (we aren't using the Enabled parameter, and the default value is
$true).
PowerShell
Get-SafeAttachmentPolicy
This example returns detailed information for the safe attachment policy named
Contoso Executives.
PowerShell
Get-SafeAttachmentRule
To filter the list by enabled or disabled rules, run the following commands:
This example returns detailed information for the safe attachment rule named Contoso
Executives.
PowerShell
Get-SafeAttachmentRule -Identity "Contoso Executives" | Format-List
Otherwise, the same settings are available when you create a safe attachment policy as
described in the Step 1: Use PowerShell to create a safe attachment policy section earlier
in this article.
Note
Otherwise, the same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create a safe attachment rule section earlier in this article.
This example disables the safe attachment rule named Marketing Department.
To set the priority of a safe attachment rule in PowerShell, use the following syntax:
This example sets the priority of the rule named Marketing Department to 2. All existing
rules that have a priority less than or equal to 2 are decreased by 1 (their priority
numbers are increased by 1).
Note: To set the priority of a new rule when you create it, use the Priority parameter on
the New-SafeAttachmentRule cmdlet instead.
This example removes the safe attachment policy named Marketing Department.
This example removes the safe attachment rule named Marketing Department.
To verify that Safe Attachments is scanning messages, check the available Defender for
Office 365 reports. For more information, see View reports for Defender for Office 365
and Use Explorer in the Microsoft 365 Defender portal.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
Article • 12/09/2022 • 2 minutes to read
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in Microsoft Defender
for Office 365 provides an additional layer of protection for files that have already been
scanned asynchronously by the common virus detection engine in Microsoft 365. Safe
Attachments for SharePoint, OneDrive, and Microsoft Teams helps detect and block
existing files that are identified as malicious in team sites and document libraries.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is not enabled by
default. To turn it on, see Turn on Safe Attachments for SharePoint, OneDrive, and
Microsoft Teams.
Although the blocked file is still listed in the document library and in web, mobile, or
desktop applications, people can't open, copy, move, or share the file. But they can
delete the blocked file.
By default, people can download a blocked file. Here's what downloading a blocked file
looks like on a mobile device:
SharePoint Online admins can prevent people from downloading malicious files. For
instructions, see Use SharePoint Online PowerShell to prevent users from downloading
malicious files.
To learn more about the user experience when a file has been detected as malicious, see
What to do when a malicious file is found in SharePoint Online, OneDrive, or Microsoft
Teams .
When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and
Microsoft Teams, the file is also available in quarantine, but only to admins. For more
information, see Manage quarantined files in Defender for Office 365.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is part of your
organization's overall threat protection strategy, which includes anti-spam and
anti-malware protection in Exchange Online Protection (EOP), as well as Safe Links
and Safe Attachments in Microsoft Defender for Office 365. To learn more, see
Protect against threats in Office 365.
Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
Article • 12/09/2022 • 5 minutes to read
Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
protects your organization from inadvertently sharing malicious files. For more
information, see Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
This article contains the steps for enabling and configuring Safe Attachments for
SharePoint, OneDrive, and Microsoft Teams.
To turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, you
need to be a member of the Organization Management or Security Administrator
role groups in the Microsoft 365 Defender portal. For more information, see
Permissions in the Microsoft 365 Defender portal.
3. In the Global settings flyout that appears, go to the Protect files in SharePoint,
OneDrive, and Microsoft Teams section.
Move the Turn on Defender for Office 365 for SharePoint, OneDrive, and
Microsoft Teams toggle to the right to turn on Safe Attachments for
SharePoint, OneDrive, and Microsoft Teams.
* If users go to Manage access, the Share option is still available.
Notes:
3. The New alert policy wizard opens in a flyout. On the Name your alert page,
configure the following settings:
Name: Type a unique and descriptive name. For example, Malicious Files in
Libraries.
Description: Type an optional description. For example, Notifies admins when
malicious files are detected in SharePoint Online, OneDrive, or Microsoft
Teams.
Severity: Select Low, Medium, or High from the drop-down list.
Category: Select Threat management from the drop-down list.
What do you want to alert on? section > Activity is > Select Detected
malware in file from the drop-down list.
How do you want the alert to be triggered? section: Leave the default value
Every time an activity matches the rule selected.
Verify Send email notifications is selected. In the Email recipients box, select
one or more global administrators, security administrators, or security readers
who should receive notification when a malicious file is detected.
Daily notification limit: Leave the default value No limit selected.
6. On the Review your settings page, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.
In the Do you want to turn the policy on right away? section, leave the default
value Yes, turn it on right away selected.
Note: The default Severity value is Low. To specify Medium or High, include the Severity
parameter and value in the command.
In the Microsoft 365 Defender portal, go to Policies & rules > Threat Policies >
Policies section > Safe Attachments, select Global settings, and verify the value
of the Turn on Defender for Office 365 for SharePoint, OneDrive, and
Microsoft Teams setting.
To verify that you've successfully blocked people from downloading malicious files,
open SharePoint Online PowerShell, and run the following command to verify the
property value:
To verify that you've successfully configured an alert policy for detected files, use
any of the following steps:
In the Microsoft 365 Defender portal, go to Policies & rules > Alert policy >
select the alert policy, and verify the settings.
Use the Threat protection status report to view information about detected files in
SharePoint, OneDrive, and Microsoft Teams. Specifically, you can use the View data
by: Content > Malware view.
Safe Documents in Microsoft 365 A5 or E5 Security
Article • 12/06/2022 • 5 minutes to read
Safe Documents is a premium feature that uses the cloud backend of Microsoft
Defender for Endpoint to scan opened Office documents in Protected View or
Application Guard for Office .
Users don't need Defender for Endpoint installed on their local devices to get Safe
Documents protection. Users get Safe Documents protection if all of the following
requirements are met:
Licenses from a required licensing plan are assigned to the users. Safe Documents
is controlled by the Office 365 SafeDocs (or SAFEDOCS or
bf6f5520-59e3-4f82-974b-7dbbc4fd27c7) service plan (also known as a service). This
service plan is available in the following licensing plans (also known as license
plans, Microsoft 365 plans, or products):
Microsoft 365 A5 for Faculty
Microsoft 365 A5 for Students
Microsoft 365 E5 Security
Safe Documents is not included in Microsoft Defender for Office 365 licensing
plans.
For more information, see Product names and service plan identifiers for licensing.
They're using Microsoft 365 Apps for enterprise (formerly known as Office 365
ProPlus) version 2004 or later.
What do you need to know before you begin?
You open the Microsoft 365 Defender portal at https://security.microsoft.com . To
go directly to the Safe Attachments page, use
https://security.microsoft.com/safeattachmentv2 .
You need permissions in Exchange Online before you can do the procedures in
this article:
To configure Safe Documents settings, you need to be a member of the
Organization Management or Security Administrator role groups.
For read-only access to Safe Documents settings, you need to be a member of
the Global Reader or Security Reader role groups.
Note
Files sent by Safe Documents are not retained in Defender for Endpoint beyond the time
needed for analysis (typically, less than 24 hours).
3. In the Global settings flyout that appears, configure the following settings:
Turn on Safe Documents for Office clients: Move the toggle to the right to
turn on the feature.
Allow people to click through Protected View even if Safe Documents
identified the file as malicious: We recommend that you leave this option
turned off (leave the toggle to the left).
The EnableSafeDocs parameter enables or disables Safe Documents for the entire
organization.
The AllowSafeDocsOpen parameter allows or prevents users from leaving Protected
View (that is, opening the document) if the document has been identified as
malicious.
This example enables Safe Documents for the entire organization, and prevents users
from opening documents that have been identified as malicious from Protected View.
1. Turn on Safe Documents in the Microsoft 365 Defender portal or Exchange Online
PowerShell as previously described in this article.
2. Use Azure AD PowerShell to disable Safe Documents for specific users as described
in Disable specific Microsoft 365 services for specific users for a specific licensing
plan.
To learn more, see Onboard to the Microsoft Defender for Endpoint service. If you need
additional help, refer to Troubleshoot Microsoft Defender for Endpoint onboarding
issues.
In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies &
Rules > Threat policies > Safe Attachments in the Policies section > Global
settings, and verify the Turn on Safe Documents for Office clients and Allow
people to click through Protected View even if Safe Documents identifies the file
as malicious settings.
Run the following command in Exchange Online PowerShell and verify the
property values:
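The tenant-wide setting, the verification of its property values, and the per-user opt-out via the SAFEDOCS service plan described earlier, as one added example that is not code from the Microsoft article. It assumes an Exchange Online session and, for the per-user step, the MSOnline (Azure AD) module connected with Connect-MsolService; the AccountSkuId is a placeholder because the article does not give one.

```powershell
# Added example, not from the Microsoft article. Assumes Connect-ExchangeOnline and,
# for the per-user step, Connect-MsolService have already been run.
# 'contoso:PLACEHOLDER_SKU' stands in for your tenant's real AccountSkuId.

# Tenant-wide: turn Safe Documents on and keep users from leaving Protected
# View when Defender for Endpoint flagged the file (the recommended pair).
Set-AtpPolicyForO365 -EnableSafeDocs $true -AllowSafeDocsOpen $false

# Read the two values back; Recommended is true only for the combination above.
function Test-SafeDocumentsConfig {
    $atp = Get-AtpPolicyForO365
    [pscustomobject]@{
        EnableSafeDocs    = $atp.EnableSafeDocs
        AllowSafeDocsOpen = $atp.AllowSafeDocsOpen
        Recommended       = ($atp.EnableSafeDocs -and -not $atp.AllowSafeDocsOpen)
    }
}
Test-SafeDocumentsConfig

# Per-user opt-out: Safe Documents follows the SAFEDOCS service plan, so a user
# whose plan is disabled is excluded although the tenant setting stays on.
function Disable-SafeDocsForUser {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AccountSkuId
    )
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $lic  = $user.Licenses | Where-Object AccountSkuId -eq $AccountSkuId
    if (-not $lic) { throw "$UserPrincipalName does not hold $AccountSkuId" }

    # Keep every plan that is already disabled and add SAFEDOCS to the set;
    # passing only SAFEDOCS would silently re-enable the others.
    $disabled = @($lic.ServiceStatus |
        Where-Object { $_.ProvisioningStatus -eq 'Disabled' } |
        ForEach-Object { $_.ServicePlan.ServiceName })
    if ($disabled -notcontains 'SAFEDOCS') { $disabled += 'SAFEDOCS' }

    $opts = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans $disabled
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -LicenseOptions $opts
}

Disable-SafeDocsForUser -UserPrincipalName 'romain@contoso.com' `
                        -AccountSkuId 'contoso:PLACEHOLDER_SKU'
```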
The following files are available to test Safe Documents protection. These files are
similar to the EICAR.TXT file for testing anti-malware and anti-virus solutions. The
files are not harmful, but they will trigger Safe Documents protection.
SafeDocsDemo.docx
SafeDocsDemo.pptx
SafeDocsDemo.xlsx
Safe Links in Microsoft Defender for Office 365
Article • 12/22/2022 • 21 minutes to read
Important
This article is intended for business customers who have Microsoft Defender for
Office 365. If you're using Outlook.com, Microsoft 365 Family, or Microsoft 365
Personal, and you're looking for information about Safelinks in Outlook, see
Advanced Outlook.com security .
Safe Links is a feature in Defender for Office 365 that provides URL scanning and
rewriting of inbound email messages in mail flow, and time-of-click verification of URLs
and links in email messages and other locations. Safe Links scanning occurs in addition
to the regular anti-spam and anti-malware protection for inbound email messages in
Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from
malicious links that are used in phishing and other attacks.
Watch this short video on how to protect against malicious links with Safe Links in
Microsoft Defender for Office 365.
https://www.microsoft.com/en-us/videoplayer/embed/RWGzjb?postJsllMsg=true
Note
Although there's no default Safe Links policy, the Built-in protection preset security
policy provides Safe Links protection in e-mail messages, Microsoft Teams, and files
in supported Office apps to all recipients who are licensed for Defender for Office
365 (users who aren't defined in the Standard or Strict preset security policies or in
custom Safe Links policies). For more information, see Preset security policies in
EOP and Microsoft Defender for Office 365. You can also create Safe Links policies
that apply to specific users, groups, or domains. For instructions, see Set up Safe
Links policies in Microsoft Defender for Office 365.
Email messages: Safe Links protection for links in email messages is controlled by
Safe Links policies.
For more information about Safe Links protection for email messages, see the Safe
Links settings for email messages section later in this article.
Note
Using another service to wrap links before Defender for Office 365 might
invalidate the ability of Safe Links to process links, including wrapping,
detonating, or otherwise validating the "maliciousness" of the link.
Microsoft Teams: Safe Links protection for links in Teams conversations, group
chats, or from channels is controlled by Safe Links policies.
For more information about Safe Links protection in Teams, see the Safe Links
settings for Microsoft Teams section later in this article.
Note
Office apps: Safe Links protection for supported Office desktop, mobile, and web
apps is controlled by Safe Links policies.
For more information about Safe Links protection in Office apps, see the Safe Links
settings for Office apps section later in this article.
This article includes detailed descriptions of the following types of Safe Links settings:
Settings in Safe Links policies: These settings apply only to the users who are
included in the specific policies, and the settings might be different between
policies. These settings include:
Safe Links settings for email messages
Safe Links settings for Microsoft Teams
Safe Links settings for Office apps
"Do not rewrite the following URLs" lists in Safe Links policies
Global Safe Links settings: These settings are configured globally, not in Safe Links
policies. These settings include:
"Block the following URLs" list for Safe Links
Note
The Global settings menu and the Block the following URLs list for Safe Links
are in the process of being deprecated. Use block entries for URLs in the
Tenant Allow/Block List instead.
The following table describes scenarios for Safe Links in Microsoft 365 and Office 365
organizations that include Defender for Office 365 (note that lack of licensing is never
an issue in the examples).
Scenario: In Pat's organization, admins have created a Safe Links policy that applies to
Pat, but Safe Links protection for Office apps is turned off. Pat opens a Word document
and clicks a URL in the file.
Result: Pat is not protected by Safe Links. Although Pat is included in an active Safe
Links policy, Safe Links protection for Office apps is turned off in that policy, so the
protection can't be applied.
Scenario: Jamie and Julia both work for contoso.com. A long time ago, admins configured
Safe Links policies that apply to both Jamie and Julia. Jamie sends an email to Julia, not
knowing that the email contains a malicious URL.
Result: Julia is protected by Safe Links if the Safe Links policy that applies to her is
configured to apply to messages between internal recipients. For more information, see
the Safe Links settings for email messages section later in this article.
Users
Groups
Domains
You can only use a condition or exception once, but the condition or exception can
contain multiple values. Multiple values of the same condition or exception use OR logic
(for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND
logic (for example, <recipient1> and <member of group 1>).
Important
Users: romain@contoso.com
Groups: Executives
Likewise, if you use the same recipient filter as an exception to the policy, the policy
is not applied to romain@contoso.com only if he's also a member of the Executives
group. If he's not a member of the group, then the policy still applies to him.
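A small model of the condition and exception logic just described, added here as an example (not code from the Microsoft article) for checking a planned scope before you create a rule. The recipient objects and group memberships are constructed test data; the service itself does the real evaluation.

```powershell
# Added example, not from the Microsoft article: models how recipient conditions
# and exceptions combine in a Safe Links (or Safe Attachments) rule.
function Test-RecipientScope {
    param(
        [Parameter(Mandatory)][hashtable]$Recipient,   # Email, Groups, Domain
        [hashtable]$Conditions = @{},
        [hashtable]$Exceptions = @{}
    )
    # Evaluate one block of filters. Within a condition type the values use OR;
    # across condition types they use AND. An empty block matches nothing.
    function Test-Block([hashtable]$Block) {
        if ($Block.Count -eq 0) { return $false }
        foreach ($type in $Block.Keys) {
            $values = @($Block[$type])
            $hit = switch ($type) {
                'Users'   { $values -contains $Recipient.Email }
                'Groups'  { [bool]($values | Where-Object { $Recipient.Groups -contains $_ }) }
                'Domains' { $values -contains $Recipient.Domain }
                default   { throw "Unknown condition type '$type'" }
            }
            if (-not $hit) { return $false }   # AND across types: one miss ends it
        }
        return $true
    }
    $inScope  = Test-Block $Conditions
    $excepted = Test-Block $Exceptions
    [pscustomobject]@{
        Recipient         = $Recipient.Email
        MatchesConditions = $inScope
        MatchesExceptions = $excepted
        PolicyApplies     = ($inScope -and -not $excepted)
    }
}

# The article's filter: Users = romain@contoso.com AND Groups = Executives.
$filter     = @{ Users = 'romain@contoso.com'; Groups = 'Executives' }
$romainExec = @{ Email = 'romain@contoso.com'; Groups = @('Executives'); Domain = 'contoso.com' }
$romainOnly = @{ Email = 'romain@contoso.com'; Groups = @();             Domain = 'contoso.com' }

# As conditions: Romain is in scope only while he is also a member of Executives.
Test-RecipientScope -Recipient $romainExec -Conditions $filter
Test-RecipientScope -Recipient $romainOnly -Conditions $filter

# As exceptions to a domain-wide policy: he is excluded only when both hold,
# so without the group membership the policy still applies to him.
Test-RecipientScope -Recipient $romainOnly -Conditions @{ Domains = 'contoso.com' } -Exceptions $filter
```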
After Safe Links rewrites a URL, the URL remains rewritten even if the message is
manually forwarded or replied to (both to internal and external recipients). Additional
links that are added to the forwarded or replied-to message are not rewritten.
In the case of automatic forwarding by Inbox rules or SMTP forwarding, the URL will not
be rewritten in the message that's intended for the final recipient unless one of the
following statements is true:
As long as Safe Links protection is turned on, URLs are scanned prior to message
delivery, regardless of whether the URLs are rewritten or not. In supported versions of
Outlook (Outlook for Desktop version 16.0.12513 or later), unwrapped URLs are checked
by a client-side API call to Safe Links at the time of click.
The settings in Safe Links policies that apply to email messages are described in the
following list:
On: Safe Links checks a list of known, malicious links when users click links in
email: Turn on or turn off Safe Links scanning in email messages. The
recommended value is selected (on), and results in the following actions:
Safe Links scanning is turned on in Outlook (C2R) on Windows.
URLs are rewritten and users are routed through Safe Links protection when
they click URLs in messages.
When clicked, URLs are checked against a list of known malicious URLs and the
"Block the following URLs" list.
URLs that don't have a valid reputation are detonated asynchronously in the
background.
The following settings are available only if Safe Links scanning in email messages is
turned on:
Apply Safe Links to email messages sent within the organization: Turn on or
turn off Safe Links scanning on messages sent between internal senders and
internal recipients within the same Exchange Online organization. The
recommended value is selected (on).
Apply real-time URL scanning for suspicious links and links that point to files:
Turns on real-time scanning of links, including links in email messages that
point to downloadable content. The recommended value is selected (on).
Wait for URL scanning to complete before delivering the message:
Selected (on): Messages that contain URLs are held until scanning is
finished. Messages are delivered only after the URLs are confirmed to be
safe. This is the recommended value.
Not selected (off): If URL scanning can't complete, deliver the message
anyway.
Do not rewrite URLs, do checks via SafeLinks API only: If this setting is selected
(on), no URL wrapping takes place. In supported versions of Outlook (Outlook
for Desktop version 16.0.12513 or later), Safe Links is called exclusively via APIs
at the time of URL click.
For more information about the recommended values for Standard and Strict
policy settings for Safe Links policies, see Safe Links policy settings.
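The email settings listed above, expressed as a Safe Links policy and rule created with their recommended values and then checked for drift, as an added example that is not code from the Microsoft article. It assumes an Exchange Online session and that the New-SafeLinksPolicy parameters and the properties of Get-SafeLinksPolicy map to the portal settings as commented; the policy name is constructed.

```powershell
# Added example, not from the Microsoft article. Assumes Connect-ExchangeOnline
# has already been run.
$name   = 'Contoso Safe Links'   # constructed policy/rule name
$domain = 'contoso.com'

# Recommended values from the list above; each parameter is assumed to be the
# PowerShell counterpart of the portal setting named in its comment.
$settings = @{
    EnableSafeLinksForEmail  = $true    # On: check links when users click them in email
    EnableForInternalSenders = $true    # Apply Safe Links to email sent within the organization
    ScanUrls                 = $true    # Real-time scanning of suspicious links and links to files
    DeliverMessageAfterScan  = $true    # Wait for URL scanning to complete before delivering
    DisableUrlRewrite        = $false   # Keep rewriting; API-only checks need supported Outlook
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    TrackClicks              = $true    # Keep click data for investigation
    AllowClickThrough        = $false   # Do not let users click through the warning page
}

if (-not (Get-SafeLinksPolicy -Identity $name -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $name @settings | Out-Null
}
if (-not (Get-SafeLinksRule -Identity $name -ErrorAction SilentlyContinue)) {
    New-SafeLinksRule -Name $name -SafeLinksPolicy $name -RecipientDomainIs $domain | Out-Null
}

# Compare the stored policy with the recommended values; every mismatch is
# reported by setting name so drift from the baseline is visible at a glance.
function Test-SafeLinksBaseline {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][hashtable]$Expected
    )
    $policy = Get-SafeLinksPolicy -Identity $PolicyName
    $drift = foreach ($key in $Expected.Keys) {
        if ([bool]$policy.$key -ne [bool]$Expected[$key]) {
            '{0}: expected {1}, found {2}' -f $key, $Expected[$key], $policy.$key
        }
    }
    [pscustomobject]@{
        Policy    = $PolicyName
        Compliant = (-not $drift)
        Drift     = @($drift | Where-Object { $_ })
    }
}

Test-SafeLinksBaseline -PolicyName $name -Expected $settings | Format-List
```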
1. All email goes through EOP, where internet protocol (IP) and envelope filters,
signature-based malware protection, and anti-spam and anti-malware filters are applied
before the message is delivered to the recipient's mailbox.
2. The user opens the message in their mailbox and clicks on a URL in the message.
3. Safe Links immediately checks the URL before opening the website:
If the URL points to a downloadable file, and the Apply real-time URL
scanning for suspicious links and links that point to files setting is turned on
in the policy that applies to the user, the downloadable file is checked.
Note
When you turn on or turn off Safe Links protection for Teams, it might take up to
24 hours for the change to take effect.
Currently, Safe Links protection for Microsoft Teams is not available in Microsoft
365 GCC High or Microsoft 365 DoD.
After you turn on Safe Links protection for Microsoft Teams, URLs in Teams are checked
against a list of known malicious links when the protected user clicks the link (time-of-
click protection). URLs are not rewritten. If a link is found to be malicious, users will have
the following experiences:
If the link was clicked in a Teams conversation, group chat, or from channels, the
warning page as shown in the screenshot below will appear in the default web
browser.
If the link was clicked from a pinned tab, the warning page will appear in the Teams
interface within that tab. The option to open the link in a web browser is disabled
for security reasons.
Depending on how the Let users click through to the original URL setting in the
policy is configured, the user will or will not be allowed to click through to the
original URL (Continue anyway (not recommended) in the screenshot). We
recommend that you don't select the Let users click through to the original URL
setting so users can't click through to the original URL.
If the user who sent the link isn't protected by a Safe Links policy where Teams
protection is turned on, the user is free to click through to the original URL on their
computer or device.
Clicking the Go Back button on the warning page will return the user to their original
context or URL location. However, clicking on the original link again will cause Safe Links
to rescan the URL, so the warning page will reappear.
2. Microsoft 365 verifies that the user's organization includes Microsoft Defender for
Office 365, and that the user is included in an active Safe Links policy where
protection for Microsoft Teams is turned on.
3. URLs are validated at the time of click for the user in chats, group chats, channels,
and tabs.
Safe Links protection for Office apps has the following client requirements:
Office apps are configured to use modern authentication. For more information,
see How modern authentication works for Office 2013, Office 2016, and Office
2019 client apps.
Users are signed in using their work or school accounts. For more information, see
Sign in to Office .
For more information about the recommended values for Standard and Strict policy
settings, see Global settings for Safe Links.
1. A user signs in using their work or school account in an organization that includes
Microsoft 365 Apps or Microsoft 365 Business Premium.
2. The user opens an Office document in a supported Office app and clicks a link in it.
3. Safe Links immediately checks the URL before opening the target website:
If the URL is in the Block the following URLs list, a blocked URL warning page
opens.
If the URL points to a downloadable file, and the Safe Links policy that applies
to the user is configured to scan links to downloadable content (Apply real-
time URL scanning for suspicious links and links that point to files), the
downloadable file is checked.
If Safe Links scanning is unable to complete, Safe Links protection does not
trigger. In Office desktop clients, the user will be warned before they proceed
to the destination website.
Note
It may take several seconds at the beginning of each session to verify that Safe
Links for Office apps is available to the user.
Track user clicks: Turn on or turn off storing Safe Links click data for URLs clicked.
We recommend that you leave this setting selected (on).
In Safe Links for Office apps, this setting applies to the desktop versions Word,
Excel, PowerPoint, and Visio.
Let users click through to the original URL: Controls whether users can click
through the warning page to the original URL. The recommended value is not
selected (off).
In Safe Links for Office apps, this setting applies to the original URL in the
desktop versions Word, Excel, PowerPoint, and Visio.
For more information about the order of precedence and how multiple policies are
evaluated and applied, see Order of precedence for preset security policies and other
policies and Order and precedence of email protection.
Note
The Block the following URLs list for Safe Links is in the process of being
deprecated. Use block entries for URLs in the Tenant Allow/Block List instead.
Messages containing the blocked URL are quarantined.
The Block the following URLs list defines the links that are always blocked by Safe Links
scanning in the following locations:
Email messages.
Documents in Office apps in Windows and Mac.
Documents in Office for iOS and Android.
When a user in an active Safe Links policy clicks a blocked link in a supported app,
they're taken to the Blocked URL warning page.
You configure the list of URLs in the global settings for Safe Links. For instructions, see
Configure the "Block the following URLs" list.
Notes:
For a truly universal list of URLs that are blocked everywhere, see Manage the
Tenant Allow/Block List.
Limits for the Block the following URLs list:
The maximum number of entries is 500.
The maximum length of an entry is 128 characters.
All of the entries can't exceed 10,000 characters.
Don't include a forward slash (/) at the end of the URL. For example, use
https://www.contoso.com, not https://www.contoso.com/.
A domain-only URL (for example contoso.com or tailspintoys.com) blocks any
URL that contains the domain.
You can block a subdomain without blocking the full domain. For example,
toys.contoso.com* blocks any URL that contains the subdomain, but it doesn't
block URLs that contain the full domain contoso.com.
You can include up to three wildcards (*) per URL entry.
Value                      Result
*contoso.com*
https://toys.contoso.com*  Blocks a subdomain (toys in this example) but allows clicks to other domain URLs (like https://contoso.com or https://home.contoso.com).
Note
Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped
by Safe Links during mail flow but might still be blocked at time of click. Use allow
URL entries in the Tenant Allow/Block List to override the Safe Links URL verdict.
Each Safe Links policy contains a Do not rewrite the following URLs list that you can
use to specify URLs that are not rewritten by Safe Links scanning. In other words, the list
allows users who are included in the policy to access the specified URLs that would
otherwise be blocked by Safe Links. You can configure different lists in different Safe
Links policies. Policy processing stops after the first (likely, the highest priority) policy is
applied to the user. So, only one Do not rewrite the following URLs list is applied to a
user who is included in multiple active Safe Links policies.
To add entries to the list in new or existing Safe Links policies, see Create Safe Links
policies or Modify Safe Links policies.
Notes:
The following clients don't recognize the Do not rewrite the following URLs lists in
Safe Links policies. Users included in the policies can be blocked from accessing
the URLs based on the results of Safe Links scanning in these clients:
Microsoft Teams
Office web apps
For a truly universal list of URLs that are allowed everywhere, see Manage the
Tenant Allow/Block List. However, note that URLs added there will not be excluded
from Safe Links rewriting, as that must be done in a Safe Links policy.
Consider adding commonly used internal URLs to the list to improve the user
experience. For example, if you have on-premises services, such as Skype for
Business or SharePoint, you can add those URLs to exclude them from scanning.
If you already have Do not rewrite the following URLs entries in your Safe Links
policies, be sure to review the lists and add wildcards as required. For example,
your list has an entry like https://contoso.com/a and you later decide to include
subpaths like https://contoso.com/a/b. Instead of adding a new entry, add a
wildcard to the existing entry so it becomes https://contoso.com/a/*.
You can include up to three wildcards (*) per URL entry. Wildcards explicitly
include prefixes or subdomains. For example, the entry contoso.com is not the
same as *.contoso.com/*, because *.contoso.com/* allows people to visit
subdomains and paths in the specified domain.
If a URL uses automatic redirection for HTTP to HTTPS (for example, 302
redirection for http://www.contoso.com to https://www.contoso.com), and you try
to enter both HTTP and HTTPS entries for the same URL to the list, you might
notice that the second URL entry replaces the first URL entry. This behavior does
not occur if the HTTP and HTTPS versions of the URL are completely separate.
Do not specify http:// or https:// (that is, contoso.com) in order to exclude both
HTTP and HTTPS versions.
*.contoso.com does not cover contoso.com, so you need to exclude both to cover
the main domain contoso.com and any child domains, with or without an ending
path (for example, both contoso.com and contoso.com/vdir1 are covered).
Entry syntax for the "Do not rewrite the following URLs" list
Examples of the values that you can enter and their results are described in the
following table:
Value Result
Note that several warning pages have been updated. If you're not already seeing the
updated pages, you will soon. The updated pages include a new color scheme, more
detail, and the ability to proceed to a site despite the given warning and
recommendations.
Scan in progress notification
The clicked URL is being scanned by Safe Links. You might need to wait a few moments
before trying the link again.
There are several reasons why an admin would manually block specific URLs. If you think
the site should not be blocked, contact your admin.
Error warning
Some kind of error has occurred, and the URL can't be opened.
Set up Safe Links policies in Microsoft Defender for Office 365
Article • 12/14/2022 • 23 minutes to read
Important
This article is intended for business customers who have Microsoft Defender for
Office 365. If you are a home user looking for information about Safelinks in
Outlook, see Advanced Outlook.com security.
Safe Links in Microsoft Defender for Office 365 provides URL scanning of inbound email
messages in mail flow, and time of click verification of URLs and links in email messages
and in other locations. For more information, see Safe Links in Microsoft Defender for
Office 365.
Although there's no default Safe Links policy, the Built-in protection preset security
policy provides Safe Links protection to all recipients (users who aren't defined in the
Standard or Strict preset security policies or in custom Safe Links policies). For more
information, see Preset security policies in EOP and Microsoft Defender for Office 365.
You can also use the procedures in this article to create Safe Links policies that apply to
specific users, groups, or domains.
Note
You configure the "Block the following URLs" list in the global settings for Safe
Links protection outside of Safe Links policies. For instructions, see Configure
global settings for Safe Links in Microsoft Defender for Office 365.
Admins should consider the different configuration settings for Safe Links. One of
the available options is to include user identifiable information in Safe Links. This
feature enables security operations (SecOps) teams to investigate potential user
compromise, take corrective action, and limit costly breaches.
You can configure Safe Links policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with
mailboxes in Exchange Online; standalone EOP PowerShell for organizations without
Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on
subscriptions).
The safe links policy: Turn on Safe Links protection, turn on real-time URL
scanning, specify whether to wait for real-time scanning to complete before
delivering the message, turn on scanning for internal messages, specify whether to
track user clicks on URLs, and specify whether to allow users to click through to the
original URL.
The safe links rule: Specifies the priority and recipient filters (who the policy
applies to).
The difference between these two elements isn't obvious when you manage Safe Links
policies in the Microsoft 365 Defender portal:
When you create a Safe Links policy, you're actually creating a safe links rule and
the associated safe links policy at the same time using the same name for both.
When you modify a Safe Links policy, settings related to the name, priority,
enabled or disabled, and recipient filters modify the safe links rule. All other
settings modify the associated safe links policy.
When you remove a Safe Links policy, the safe links rule and the associated safe
links policy are removed.
In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy
and the rule separately. For more information, see the Use Exchange Online PowerShell
or standalone EOP PowerShell to configure Safe Links policies section later in this article.
You need to be assigned permissions before you can do the procedures in this
article:
To create, modify, and delete Safe Links policies, you need to be a member of
the Organization Management or Security Administrator role groups in the
Microsoft 365 Defender portal and a member of the Organization
Management role group in Exchange Online.
For read-only access to Safe Links policies, you need to be a member of the
Global Reader or Security Reader role groups.
For more information, see Permissions in the Microsoft 365 Defender portal and
Permissions in Exchange Online.
Note
Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions in the
Microsoft 365 Defender portal and permissions for other features in
Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also gives
read-only access to the feature.
For our recommended settings for Safe Links policies, see Safe Links policy
settings.
New features are continually being added to Microsoft Defender for Office 365. As
new features are added, you may need to make adjustments to your existing Safe
Links policies.
3. The New Safe Links policy wizard opens. On the Name your policy page,
configure the following settings:
4. On the Users and domains page that appears, identify the internal recipients that
the policy applies to (recipient conditions):
Click in the appropriate box, start typing a value, and select the value that you
want from the results. Repeat this process as many times as necessary. To remove
an existing value, click remove next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email
address, account name, etc.), but the corresponding display name is shown in the
results. For users, enter an asterisk (*) by itself to see all available values.
Multiple values in the same condition use OR logic (for example, <recipient1> or
<recipient2>). Different conditions use AND logic (for example, <recipient1> and
<member of group 1>).
Exclude these users, groups, and domains: To add exceptions for the internal
recipients that the policy applies to (recipient exceptions), select this option
and configure the exceptions. The settings and behavior are exactly like the
conditions.
Important
Users: romain@contoso.com
Groups: Executives
Likewise, if you use the same recipient filter as an exception to the policy, the
policy is not applied to romain@contoso.com only if he's also a member of
the Executives group. If he's not a member of the group, then the policy still
applies to him.
5. On the URL & click protection settings page that appears, configure the following
settings:
Action on potentially malicious URLs within Emails (Email & Time of Click)
section:
On: Safe Links checks a list of known, malicious links when users click
links in email: Select this option to turn on Safe Links protection for links
in email messages. If you select this option, the following settings are
available:
Apply real-time URL scanning for suspicious links and links that point
to files (Email): Select this option to turn on real-time scanning of links
in email messages from external senders. If you select this option, the
following setting is available:
Wait for URL scanning to complete before delivering the message
(Email): Select this option to wait for real-time URL scanning to
complete before delivering the message from external senders. The
recommended setting is On.
Do not rewrite URLs, do checks via SafeLinks API only (Time of Click):
Select this option to prevent URL wrapping and skip reputation check
during mail flow. Safe Links is called exclusively via APIs at the time of
URL click by Outlook clients that support it.
Do not rewrite the following URLs in email section: Click Manage (nn)
URLs to allow access to specific URLs that would otherwise be blocked
by Safe Links.
Note
Entries in the "Do not rewrite the following URLs" list are not
scanned or wrapped by Safe Links during mail flow. Use URL allow
entries in the Tenant Allow/Block List to override the Safe Links
URL verdict.
a. In the Manage URLs to not rewrite flyout that appears, click Add URLs.
b. In the Add URLs flyout that appears, type the URL or value that you want,
select the entry that appears below the box, and then click Save. Repeat
this step as many times as necessary.
For entry syntax, see Entry syntax for the "Do not rewrite the following
URLs" list.
To remove entries from the list, you can use the Search box to find the
entry.
To select multiple entries one at a time, click the blank area to the left of
the value.
To select all entries at once, click the blank area to the left of the URLs
column header.
With one or more entries selected, click the icons that appear.
6. On the Notification page that appears, select one of the following values for How
would you like to notify your users?:
7. On the Review page that appears, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.
2. On the Safe Links page, the following properties are displayed in the list of Safe
Links policies:
Name
Status
Priority
3. When you select a policy by clicking on the name, the policy settings are displayed
in a flyout.
Use the Microsoft 365 Defender portal to modify Safe Links policies
1. In the Microsoft 365 Defender portal, go to Policies & rules > Threat Policies >
Policies section > Safe Links.
2. On the Safe Links page, select a policy from the list by clicking on the name.
3. In the policy details flyout that appears, select Edit in each section to modify the
settings within the section. For more information about the settings, see the
previous Use the Microsoft 365 Defender portal to create Safe Links policies
section in this article.
To enable or disable a policy or set the policy priority order, see the following sections.
2. On the Safe Links page, select a policy from the list by clicking on the name.
3. At the top of the policy details flyout that appears, you'll see one of the following
values:
Back on the main policy page, the Status value of the policy will be On or Off.
To change the priority of a policy, you click Increase priority or Decrease priority in the
properties of the policy (you can't directly modify the Priority number in the Microsoft
365 Defender portal). Changing the priority of a policy only makes sense if you have
multiple policies.
Note:
In the Microsoft 365 Defender portal, you can only change the priority of the Safe
Links policy after you create it. In PowerShell, you can override the default priority
when you create the safe links rule (which can affect the priority of existing rules).
Safe Links policies are processed in the order that they're displayed (the first policy
has the Priority value 0). For more information about the order of precedence and
how multiple policies are evaluated and applied, see Order and precedence of
email protection.
2. On the Safe Links page, select a policy from the list by clicking on the name.
3. At the top of the policy details flyout that appears, you'll see Increase priority or
Decrease priority based on the current priority value and the number of custom
policies:
The policy with the Priority value 0 has only the Decrease priority option
available.
The policy with the lowest Priority value (for example, 3) has only the
Increase priority option available.
If you have three or more policies, the policies between the highest and
lowest priority values have both the Increase priority and Decrease priority
options available.
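The recipient-matching and priority rules described above (OR within a condition, AND across conditions, exceptions with the same logic, first matching policy in priority order wins), modelled as an added PowerShell example that is not code from the article. The rules and group memberships are constructed sample data, and the property names are assumed to follow Get-SafeLinksRule output so that real rules could replace $sampleRules.

```powershell
# Added example, not from the original article. Models how Safe Links rules pick a policy for a
# recipient: enabled rules are checked in priority order (0 first), values within one condition
# are OR-ed, different conditions are AND-ed, exceptions use the same logic, and the first
# matching rule wins. $sampleRules is constructed data; the property names are assumed to
# match Get-SafeLinksRule output.

function Test-SafeLinksRecipientCondition {
    param(
        [string]$Address,
        [string[]]$Groups,
        [string[]]$SentTo,
        [string[]]$SentToMemberOf,
        [string[]]$RecipientDomainIs
    )
    $checks = @()
    if ($SentTo)            { $checks += ($SentTo -contains $Address) }
    if ($SentToMemberOf)    { $checks += (@($SentToMemberOf | Where-Object { $Groups -contains $_ }).Count -gt 0) }
    if ($RecipientDomainIs) { $checks += ($RecipientDomainIs -contains $Address.Split('@')[-1]) }
    if ($checks.Count -eq 0) { return $false }   # nothing configured: no match (e.g. empty exception block)
    return -not ($checks -contains $false)        # AND across the configured conditions
}

function Get-ApplicableSafeLinksRule {
    param(
        [Parameter(Mandatory)][object[]]$Rules,
        [Parameter(Mandatory)][string]$Address,
        [string[]]$Groups = @()
    )
    foreach ($rule in ($Rules | Where-Object { $_.State -eq 'Enabled' } | Sort-Object Priority)) {
        $included = Test-SafeLinksRecipientCondition -Address $Address -Groups $Groups `
            -SentTo $rule.SentTo -SentToMemberOf $rule.SentToMemberOf -RecipientDomainIs $rule.RecipientDomainIs
        $excepted = Test-SafeLinksRecipientCondition -Address $Address -Groups $Groups `
            -SentTo $rule.ExceptIfSentTo -SentToMemberOf $rule.ExceptIfSentToMemberOf `
            -RecipientDomainIs $rule.ExceptIfRecipientDomainIs
        if ($included -and -not $excepted) { return $rule }
    }
    return $null   # no custom rule matched: the Built-in protection preset applies
}

# Constructed sample rules (same shape as Get-SafeLinksRule output).
$sampleRules = @(
    [pscustomobject]@{
        Name = 'Contoso Executives'; State = 'Enabled'; Priority = 0
        SentTo = @('romain@contoso.com'); SentToMemberOf = @('Executives'); RecipientDomainIs = $null
        ExceptIfSentTo = $null; ExceptIfSentToMemberOf = $null; ExceptIfRecipientDomainIs = $null
    },
    [pscustomobject]@{
        Name = 'Contoso All'; State = 'Enabled'; Priority = 1
        SentTo = $null; SentToMemberOf = $null; RecipientDomainIs = @('contoso.com')
        ExceptIfSentTo = $null; ExceptIfSentToMemberOf = @('Contractors'); ExceptIfRecipientDomainIs = $null
    }
)

# Walk through the cases from the Important note above plus an exception case.
foreach ($case in @(
    @{ Address = 'romain@contoso.com'; Groups = @('Executives') },   # user AND group: Executives rule
    @{ Address = 'romain@contoso.com'; Groups = @() },               # group missing: falls to Contoso All
    @{ Address = 'alice@contoso.com';  Groups = @('Contractors') }   # excepted: Built-in protection
)) {
    $hit  = Get-ApplicableSafeLinksRule -Rules $sampleRules -Address $case.Address -Groups $case.Groups
    $name = if ($hit) { $hit.Name } else { '(none; Built-in protection applies)' }
    '{0,-20} groups={1,-12} -> {2}' -f $case.Address, ($case.Groups -join ','), $name
}
```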
2. On the Safe Links page, select a policy from the list by clicking on the name. At the
top of the policy details flyout that appears, click More actions > Delete
policy.
In PowerShell, the difference between safe links policies and safe links rules is apparent.
You manage safe links policies by using the *-SafeLinksPolicy cmdlets, and you manage
safe links rules by using the *-SafeLinksRule cmdlets.
In PowerShell, you create the safe links policy first, then you create the safe links
rule that identifies the policy that the rule applies to.
In PowerShell, you modify the settings in the safe links policy and the safe links
rule separately.
When you remove a safe links policy from PowerShell, the corresponding safe links
rule isn't automatically removed, and vice versa.
Note
You can create a new safe links rule and assign an existing, unassociated safe
links policy to it. A safe links rule can't be associated with more than one safe
links policy.
You can configure the following settings on new safe links policies in
PowerShell that aren't available in the Microsoft 365 Defender portal until
after you create the policy:
Create the new policy as disabled (Enabled $false on the New-SafeLinksRule cmdlet).
Set the priority of the policy during creation (Priority <Number> on the
New-SafeLinksRule cmdlet).
A new safe links policy that you create in PowerShell isn't visible in the
Microsoft 365 Defender portal until you assign the policy to a safe links rule.
PowerShell
Note
For details about the entry syntax to use for the DoNotRewriteUrls parameter,
see Entry syntax for the "Do not rewrite the following URLs" list.
For additional syntax that you can use for the DoNotRewriteUrls parameter
when you modify existing safe links policies by using the Set-SafeLinksPolicy
cmdlet, see the Use PowerShell to modify safe links policies section later in
this article.
This example creates a safe links policy named Contoso All with the following values:
PowerShell
PowerShell
This example creates a safe links rule named Contoso All with the following conditions:
The rule is associated with the safe links policy named Contoso All.
The rule applies to all recipients in the contoso.com domain.
Because we aren't using the Priority parameter, the default priority is used.
The rule is enabled (we aren't using the Enabled parameter, and the default value is
$true ).
PowerShell
This example creates a safe links rule that's similar to the previous example, but in this
example, the rule applies to recipients in all accepted domains in the organization.
PowerShell
This example creates a safe links rule that's similar to the previous examples, but in this
example, the rule applies to recipients in the domains specified in a .csv file.
PowerShell
$SLDomains = $Data.Domains
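The two-step procedure above (policy first, then the rule that binds it to recipients) as one added run that includes a read-back check; this is example code, not the article's own. It assumes an Exchange Online PowerShell session with the role membership listed earlier; the policy name "Contoso All", the domain contoso.com and the CSV path are placeholders.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline has already been
# run with the required role membership. 'Contoso All', contoso.com and the CSV path are placeholders.
$PolicyName = 'Contoso All'

# Step 1: the policy holds the protection settings. The values follow the recommended settings
# referenced in the article: email scanning on, wait for the scan, internal messages included,
# clicks tracked, no click-through.
New-SafeLinksPolicy -Name $PolicyName `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false | Out-Null

# Step 2: the rule names the policy and the recipients it applies to. Without -Priority the rule
# takes the default (lowest) priority; without -Enabled it is created enabled.
New-SafeLinksRule -Name $PolicyName -SafeLinksPolicy $PolicyName -RecipientDomainIs 'contoso.com' | Out-Null

# Variant of step 2 for domains kept in a CSV with a "Domains" column (placeholder path):
#   $Data = Import-Csv -Path 'C:\Data\SafeLinksDomains.csv'
#   New-SafeLinksRule -Name 'Contoso CSV' -SafeLinksPolicy $PolicyName -RecipientDomainIs $Data.Domains

# Verify: the rule must reference the policy and be enabled, and the policy must deny click-through
# and hold delivery until scanning completes. A policy with no rule is not visible in the portal.
$rule   = Get-SafeLinksRule   -Identity $PolicyName
$policy = Get-SafeLinksPolicy -Identity $PolicyName
$ok = ($rule.SafeLinksPolicy -eq $PolicyName) -and ($rule.State -eq 'Enabled') -and
      (-not $policy.AllowClickThrough) -and $policy.DeliverMessageAfterScan
[pscustomobject]@{
    Rule                    = $rule.Name
    State                   = $rule.State
    Priority                = $rule.Priority
    Policy                  = $rule.SafeLinksPolicy
    AllowClickThrough       = $policy.AllowClickThrough
    DeliverMessageAfterScan = $policy.DeliverMessageAfterScan
    ConfiguredAsIntended    = $ok
} | Format-List
```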
PowerShell
PowerShell
This example returns detailed information for the safe links policy named Contoso
Executives.
PowerShell
PowerShell
PowerShell
To filter the list by enabled or disabled rules, run the following commands:
PowerShell
PowerShell
This example returns detailed information for the safe links rule named Contoso
Executives.
PowerShell
The only additional consideration for modifying safe links policies in PowerShell is the
available syntax for the DoNotRewriteUrls parameter (the "Do not rewrite the following
URLs" list):
To add values that will replace any existing entries, use the following syntax:
"Entry1","Entry2",..."EntryN".
To add or remove values without affecting other existing entries, use the following
syntax: @{Add="Entry1","Entry2"...; Remove="Entry3","Entry4"...}
Otherwise, the same settings are available when you create a safe links policy as
described in the Step 1: Use PowerShell to create a safe links policy section earlier in this
article.
To modify a safe links policy, use this syntax:
PowerShell
Otherwise, the same settings are available when you create a rule as described in the
Step 2: Use PowerShell to create a safe links rule section earlier in this article.
PowerShell
This example adds all accepted domains in the organization as a condition to the safe
links rule named Contoso All.
PowerShell
This example adds the domains from the specified .csv as a condition to the safe links
rule named Contoso All.
PowerShell
$SLDomains = $Data.Domains
PowerShell
This example disables the safe links rule named Marketing Department.
PowerShell
PowerShell
For detailed syntax and parameter information, see Enable-SafeLinksRule and
Disable-SafeLinksRule.
To set the priority of a safe links rule in PowerShell, use the following syntax:
PowerShell
This example sets the priority of the rule named Marketing Department to 2. All existing
rules that have a priority less than or equal to 2 are decreased by 1 (their priority
numbers are increased by 1).
PowerShell
Note
To set the priority of a new rule when you create it, use the Priority parameter on
the New-SafeLinksRule cmdlet instead.
PowerShell
This example removes the safe links policy named Marketing Department.
PowerShell
PowerShell
This example removes the safe links rule named Marketing Department.
PowerShell
To verify that Safe Links is scanning messages, check the available Microsoft Defender
for Office 365 reports. For more information, see View reports for Defender for Office
365 and Use Explorer in the Microsoft 365 Defender portal.
PowerShell
PowerShell
Important
The Global settings menu and the Block the following URLs list for Safe Links are
in the process of being deprecated. Use block entries for URLs in the Tenant
Allow/Block List instead.
This article is intended for business customers who have Microsoft Defender for
Office 365. If you are a home user looking for information about Safelinks in
Outlook, see Advanced Outlook.com security.
Safe Links is a feature in Microsoft Defender for Office 365 that provides URL scanning
of inbound email messages in mail flow, and time of click verification of URLs and links
in email messages and in other locations. For more information, see Safe Links in
Microsoft Defender for Office 365.
You configure most Safe Links settings in Safe Links policies, including Safe Links
settings for supported Office Apps. For instructions, see Set up Safe Links policies in
Microsoft Defender for Office 365.
But, Safe Links also uses the following global settings that you configure outside of the
Safe Links policies themselves:
The Block the following URLs list. This setting applies to all users who are included
in any active Safe Links policies. For more information, see "Block the following
URLs" list for Safe Links.
You can configure the global Safe Links settings in the Microsoft 365 Defender portal or
in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with
mailboxes in Exchange Online; standalone EOP PowerShell for organizations without
Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on
subscriptions).
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To configure the global settings for Safe Links, you need to be a member of the
Organization Management or Security Administrator role groups.
For read-only access to the global settings for Safe Links, you need to be a
member of the Global Reader or Security Reader role groups.
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
For our recommended values for the global settings for Safe Links, see Safe Links
settings.
Allow up to 30 minutes for a new or updated policy to be applied.
New features are continually being added to Microsoft Defender for Office 365. As
new features are added, you may need to make adjustments to your existing Safe
Links policies.
Note
You can now manage block URL entries in the Tenant Allow/Block List. The "Block
the following URLs" list is in the process of being deprecated. We'll attempt to
migrate existing entries from the "Block the following URLs" list to block URL
entries in the Tenant Allow/Block List. Messages containing the blocked URL will be
quarantined.
The Block the following URLs list identifies the links that should always be blocked by
Safe Links scanning in supported apps. For more information, see "Block the following
URLs" list for Safe Links.
2. On the Safe Links page, click Global settings. In the Safe Links policy for your
organization flyout that appears, go to the Block the following URLs box.
3. Configure one or more entries as described in Entry syntax for the "Block the
following URLs" list.
To add values that will replace any existing entries, use the following syntax in
Exchange Online PowerShell or Exchange Online Protection PowerShell:
PowerShell
PowerShell
Set-AtpPolicyForO365 -BlockUrls "fabrikam.com","https://research.tailspintoys.com*"
To add or remove values without affecting other existing entries, use the following
syntax:
PowerShell
This example adds a new entry for adatum.com, and removes the entry for
fabrikam.com.
PowerShell
PowerShell
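An added PowerShell example (not the article's own code) that ties the "Block the following URLs" entry limits described earlier (500 entries, 128 characters each, 10,000 characters in total, no trailing slash, at most three wildcards) to the add/remove syntax shown above: it lints the proposed entries, applies the change with the hashtable form, and reads the list back. It assumes an Exchange Online PowerShell session; adatum.com and fabrikam.com are placeholder values, and the same @{Add=...; Remove=...} form applies to the DoNotRewriteUrls parameter of Set-SafeLinksPolicy.

```powershell
# Added example, not from the original article. Validates proposed URL entries against the
# documented list limits, then applies an add/remove change with the hashtable syntax.
# Assumes an Exchange Online PowerShell session; adatum.com and fabrikam.com are placeholders.

function Get-SafeLinksUrlEntryProblem {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Entries,
        [int]$MaxEntries = 500,
        [int]$MaxEntryLength = 128,
        [int]$MaxTotalLength = 10000,
        [int]$MaxWildcards = 3
    )
    $problems = New-Object System.Collections.Generic.List[string]
    if ($Entries.Count -gt $MaxEntries) {
        $problems.Add("too many entries: $($Entries.Count) (limit $MaxEntries)")
    }
    $total = 0
    foreach ($entry in $Entries) {
        $total += $entry.Length
        if ($entry.Length -gt $MaxEntryLength) {
            $problems.Add("'$entry' is longer than $MaxEntryLength characters")
        }
        if ($entry.EndsWith('/')) {
            $problems.Add("'$entry' ends with '/'; drop the trailing slash")
        }
        $wildcards = [regex]::Matches($entry, '\*').Count
        if ($wildcards -gt $MaxWildcards) {
            $problems.Add("'$entry' uses $wildcards wildcards (limit $MaxWildcards)")
        }
    }
    if ($total -gt $MaxTotalLength) {
        $problems.Add("combined length $total exceeds $MaxTotalLength characters")
    }
    # Unary comma keeps the list intact (an empty list instead of $null when there are no problems).
    return ,$problems
}

# Proposed change: add adatum.com, remove fabrikam.com (placeholder values).
$toAdd    = @('adatum.com')
$toRemove = @('fabrikam.com')

$problems = Get-SafeLinksUrlEntryProblem -Entries $toAdd
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the entries above before changing the Block the following URLs list.'
}

# The hashtable form touches only the named entries; a plain array would replace the whole list.
# The same @{Add=...; Remove=...} syntax works for Set-SafeLinksPolicy -DoNotRewriteUrls.
Set-AtpPolicyForO365 -BlockUrls @{ Add = $toAdd; Remove = $toRemove }

# Read the list back and confirm the resulting list still fits the documented limits.
$current  = @((Get-AtpPolicyForO365).BlockUrls)
$problems = Get-SafeLinksUrlEntryProblem -Entries $current
if ($problems.Count -eq 0) {
    "Block list now has $($current.Count) entries and is within the documented limits."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```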
ZAP doesn't work in standalone Exchange Online Protection (EOP) environments that
protect on-premises Exchange mailboxes.
The ZAP action is seamless for the user; they aren't notified if a message is detected and
moved.
Safe sender lists, mail flow rules (also known as transport rules), Inbox rules, or
additional filters take precedence over ZAP. Similar to what happens in mail flow, this
means that even if the service determines the delivered message needs ZAP, the
message is not acted on because of the safe senders configuration. This is another
reason to be careful about configuring messages to bypass filtering.
Watch this short video to learn how ZAP in Microsoft Defender for Office 365
automatically detects and neutralizes threats in email.
https://www.microsoft.com/en-us/videoplayer/embed/RWGrLg?postJsllMsg=true
ZAP for malware is enabled by default in anti-malware policies. For more information,
see Configure anti-malware policies in EOP.
Add X-Header, Prepend subject line with text, Redirect message to email
address, Delete message: ZAP takes no action on the message.
Move message to Junk Email: ZAP moves the message to the Junk Email folder.
For more information, see Configure junk email settings on Exchange Online
mailboxes in Microsoft 365.
By default, ZAP for phishing is enabled in anti-spam policies, and the default action for
the Phishing email filtering verdict is Quarantine message, which means ZAP for
phishing quarantines the message by default.
For more information about configuring spam filtering verdicts, see Configure anti-spam
policies in Microsoft 365.
ZAP for high confidence phish is enabled by default. For more information, see Secure
by Default in Office 365.
Add X-Header, Prepend subject line with text, Redirect message to email
address, Delete message: ZAP takes no action on the message.
Move message to Junk Email: ZAP moves the message to the Junk Email folder.
For more information, see Configure junk email settings on Exchange Online
mailboxes in Microsoft 365.
By default, spam ZAP is enabled in anti-spam policies, and the default action for the
Spam filtering verdict is Move message to Junk Email folder, which means spam ZAP
moves unread messages to the Junk Email folder by default.
For more information about configuring spam filtering verdicts, see Configure anti-spam
policies in Microsoft 365.
Number of messages: Use the Mailflow view in the Mailflow status report to see
the number of ZAP-affected messages for the specified date range.
Message details: Use Threat Explorer (and real-time detections) to filter All email
events by the value ZAP for the Additional action column.
Note
ZAP is not logged in the Exchange mailbox audit logs as a system action.
For more information about holds in Exchange Online, see In-Place Hold and Litigation
Hold in Exchange Online.
Manage your allows and blocks in the Tenant Allow/Block List
Article • 01/18/2023 • 6 minutes to read
The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to
manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is
used during mail flow for incoming messages from external senders. Note that it doesn't
apply to messages within the organization.
The Tenant Allow/Block list is available in the Microsoft 365 Defender portal at
https://security.microsoft.com > Policies & rules > Threat Policies > Tenant
Allow/Block Lists in the Rules section. To go directly to the Tenant Allow/Block Lists
page, use https://security.microsoft.com/tenantAllowBlockList .
For entry creation and configuration instructions, see the following topics:
Domains and email addresses and spoofed senders: Allow or block emails using
the Tenant Allow/Block List
Files: Allow or block files using the Tenant Allow/Block List
URLs: Allow or block URLs using the Tenant Allow/Block List.
These articles contain procedures in the Microsoft 365 Defender Portal and in
PowerShell.
Note
To allow phishing URLs that are part of third-party attack simulation training, use
the advanced delivery configuration to specify the URLs. Don't use the Tenant
Allow/Block List.
Note
In the Tenant Allow/Block List, block entries take precedence over allow entries.
Note
To block only spam from a specific sender, add the email address or domain
to the block list in anti-spam policies. To block all email from the sender, use
Domains and email addresses in the Tenant Allow/Block List.
Files: Email messages that contain these blocked files are marked as malware and
moved to quarantine.
URLs: Email messages that contain these blocked URLs are blocked as high
confidence phishing. Messages containing the blocked URLs are quarantined.
In the Tenant Allow/Block List, you can also directly create block entries for the following
types of items:
Spoofed senders: If you manually override an existing allow verdict from spoof
intelligence, the blocked spoofed sender becomes a manual block entry that
appears only on the Spoofed senders tab in the Tenant Allow/Block List.
By default, block entries for domains and email addresses, files, and URLs expire after
30 days, but you can set them to expire after up to 90 days or to never expire. Block
entries for spoofed senders never expire.
Domains and email addresses, files, and URLs: You can't create allow entries
directly in the Tenant Allow/Block List. Instead you use the Submissions portal at
https://security.microsoft.com/reportsubmission to report the email, email
attachment, or URL to Microsoft as Should not have been blocked (False
positive).
Spoofed senders:
If spoof intelligence has already blocked the message as spoofing, use the
Submissions portal at https://security.microsoft.com/reportsubmission to
report the email to Microsoft as Should not have been blocked (False positive).
You can proactively create an allow entry for a spoofed sender on the Spoofed
sender tab in the Tenant Allow/Block List before spoof intelligence identifies
and blocks the message as spoofing.
The following list describes what happens in the Tenant Allow/Block List when you
report something to Microsoft as a false positive in the Submissions portal:
Email attachments and URLs: An allow entry is created and it appears on the Files
or URLs tab in the Tenant Allow/Block List.
Email: If a message was blocked by the Microsoft 365 filtering stack, an allow entry
might be created in the Tenant Allow/Block List:
If the message was blocked by spoof intelligence, an allow entry for the sender
is created, and it appears on the Spoofed senders tab in the Tenant Allow/Block
List.
If the message was blocked for other reasons, an allow entry for the sender is
created, and it appears on the Domains & addresses tab in the Tenant Allow/Block
List.
If the message was not blocked, and an allow entry for the sender is not
created, it won't show on the Spoofed senders tab or the Domains & addresses
tab.
By default, allow entries for domains and email addresses, files and URLs expire after 30
days, which is also the maximum. Allow entries for spoofed senders never expire.
Note
Microsoft doesn't let you create allow entries directly, because doing so leads to
allow entries that aren't needed, which exposes the customer's tenant to malicious
email that the system would otherwise have filtered.
Microsoft manages the allow creation process from Submission by creating allows
for those entities (domains or email addresses, spoofed senders, URLs, files) which
were determined to be malicious by filters during mail flow. For example, if the
sender and a URL in the message were determined to be bad, an allow entry is
created for the sender, and an allow entry is created for the URL.
When that entity (domain or email address, URL, file) is encountered again, all
filters associated with that entity are skipped.
During mail flow, if messages from the domain or email address pass other checks
in the filtering stack, the messages will be delivered. For example, if email
authentication passes, a message from a sender in the allow entry will be delivered.
We recommend letting entries automatically expire after 30 days to see if the system has
learned about the allow or block. If not, you should make another entry to give the
system another 30 days to learn.
With allow expiry management, if Microsoft has not learned from the allow entry,
Microsoft will automatically extend the expiry time of allow entries that will soon expire
by another 30 days. This extension helps to prevent legitimate email from going to junk
or quarantine again. If Microsoft does not learn within 90 calendar days from the date of
the original creation of the allow entry, Microsoft will remove the allow entry.
If Microsoft has learned from the allow entry, the entry will be removed, and you'll get
an alert informing you about it.
Allow or block email using the Tenant Allow/Block List
Article • 01/18/2023 • 19 minutes to read
This article describes how to create and manage allow and block entries for domains
and email addresses (including spoofed senders) that are available in the Tenant
Allow/Block List. For more information about the Tenant Allow/Block List, see Manage
your allows and blocks in the Tenant Allow/Block List.
You manage allow and block entries for email in the Microsoft 365 Defender Portal or in
Exchange Online PowerShell.
For domains and email addresses, the maximum number of allow entries is 500,
and the maximum number of block entries is 500 (1000 domain and email address
entries total).
For details about the syntax for spoofed sender entries, see the Domain pair syntax
for spoofed sender entries section later in this article.
An entry should be active within 30 minutes, but it might take up to 24 hours for
the entry to be active.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add and remove values from the Tenant Allow/Block List, you need to be a
member of one of the following role groups:
Organization Management or Security Administrator role group (Security
admin role)
Security Operator role group (Tenant AllowBlockList Manager).
For read-only access to the Tenant Allow/Block List, you need to be a member
of one of the following role groups:
Global Reader role group
Security Reader role group
View-Only configuration role group
Note
Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions and
permissions for other features in Microsoft 365. For more information, see
About admin roles.
The View-Only Organization Management role group in Exchange Online
also gives read-only access to the feature.
To create block entries for spoofed senders, see the Use the Microsoft 365 Defender
portal to view allow or block entries for spoofed senders in the Tenant Allow/Block List
section later in this article.
Use the Microsoft 365 Defender portal to create block entries for domains and email addresses in the Submissions portal
When you use the Submissions portal at
https://security.microsoft.com/reportsubmission to report email messages as Should
have been blocked (False negative), you can select Block all emails from this recipient
to add a block entry for the sender on the Domains & addresses tab in the Tenant
Allow/Block List.
Use the Microsoft 365 Defender portal to create block entries for domains and email addresses in the Tenant Allow/Block List
You can create block entries for domains and email addresses directly in the Tenant
Allow/Block List.
Email messages from these senders are marked as high confidence spam (SCL = 9). What
happens to the messages is determined by the anti-spam policy that detected the
message for the recipient. In the default anti-spam policy and new custom policies,
messages that are marked as high confidence spam are delivered to the Junk Email
folder by default. In Standard and Strict preset security policies, high confidence spam
messages are quarantined.
Note
Users in the organization can't send email to these blocked domains and addresses.
They'll receive the following non-delivery report (also known as an NDR or bounce
message): 550 5.7.703 Your message can't be delivered because one or more
recipients are blocked by your organization's tenant recipient block policy.
The entire message is blocked for all recipients of the message, even if only one
recipient email address or domain is defined in a block entry.
2. On the Tenant Allow/Block List page, verify that the Domains & addresses tab is
selected.
4. In the Block domains & addresses flyout that appears, configure the following
settings:
Domains & addresses: Enter one email address or domain per line, up to a
maximum of 20.
Remove block entry after: The default value is 30 days, but you can select
from the following values:
1 day
7 days
30 days
Never expire
Specific date: The maximum value is 90 days from today.
PowerShell
This example adds a block entry for the specified email address that expires on a specific
date.
PowerShell
Note
Microsoft doesn't let you create allow entries directly, because doing so leads to
allow entries that aren't needed, which exposes your organization to malicious email
that the system would otherwise have filtered.
Microsoft manages the allow creation process from Submission by creating allows
for those entities (domains or email addresses, spoofed senders, URLs, files) which
were determined to be malicious by filters during mail flow. For example, if the
sender and a URL in the message were determined to be bad, an allow entry is
created for the sender, and an allow entry is created for the URL.
When that entity (domain or email address, URL, file) is encountered again, all
filters associated with that entity are skipped.
During mail flow, if messages from the domain or email address pass other checks
in the filtering stack, the messages will be delivered. For example, if email
authentication passes, a message from a sender in the allow entry will be delivered.
2. Verify the Domains & addresses tab is selected. The following columns are
available:
Click Search, enter all or part of a value, and then press ENTER to find a specific
value. When you're finished, click Clear search.
Click Filter to filter the results. The following values are available in the Filter
flyout that appears:
When you're finished, click Apply. To clear existing filters, click Clear filters in
the Filter flyout.
PowerShell
This example returns all allow and block entries for domains and email addresses.
PowerShell
Get-TenantAllowBlockListItems -ListType Sender
This example filters the results for block entries for domains and email addresses.
PowerShell
3. On the Domains & addresses tab, select the check box of the entry that you want
to modify, and then click the Edit button that appears.
4. The following settings are available in the Edit domain & addresses flyout that
appears:
Remove block entry after: You can extend block entries for a maximum of 90
days after the creation date or set them to Never expire.
Optional note
Note that with allow expiry management, if Microsoft has not learned from the allow,
Microsoft will automatically extend the expiry time of allows, which are going to expire
soon, by 30 days to prevent legitimate email from going to junk or quarantine again. If
Microsoft does not learn within 90 calendar days from the date of allow creation,
Microsoft will remove the allow.
If Microsoft has learned from the allow, the allow will be removed and you will get an
alert informing you about it.
Note
For allow entries only, if you select the entry by clicking anywhere in the row other
than the check box, you can select View submission in the details flyout that
appears to go to the Submissions page at
https://security.microsoft.com/reportsubmission .
PowerShell
This example changes the expiration date of the specified block entry for domains and
email addresses.
PowerShell
Select the check box of the entry that you want to remove, and then click the
Delete icon that appears.
Select the entry that you want to remove by clicking anywhere in the row
other than the check box. In the details flyout that appears, click Delete.
Note
You can select multiple entries by selecting each check box, or select all entries by
selecting the check box next to the Value column header.
PowerShell
This example removes the specified block entry for domains and email addresses from
the Tenant Allow/Block List.
PowerShell
Note
Allow entries for spoofed senders take care of intra-org, cross-org, and DMARC
spoofing.
Only the combination of the spoofed user and the sending infrastructure as defined
in the domain pair is allowed to spoof.
When you configure an allow entry for a domain pair, messages from that domain
pair no longer appear in the spoof intelligence insight.
Use the Microsoft 365 Defender portal to create allow entries for spoofed senders in the Submissions portal
Submitting messages that were blocked by spoof intelligence to Microsoft in the
Submissions portal at https://security.microsoft.com/reportsubmission adds the
sender as an allow entry for the sender on the Spoofed senders tab in Tenant
Allow/Block List.
Note
When you override the verdict in the spoof intelligence insight, the spoofed sender
becomes a manual allow or block entry that only appears on the Spoofed senders
tab in the Tenant Allow/Block List.
If the sender has not been blocked by spoof intelligence, submitting the email
message to Microsoft won't create an allow entry in the Tenant Allow/Block List.
Use the Microsoft 365 Defender portal to create allow entries for spoofed senders in the Tenant Allow/Block List
In the Tenant Allow/Block List, you can create allow entries for spoofed senders before
they're detected and blocked by spoof intelligence.
2. On the Tenant Allow/Block List page, select the Spoofed senders tab, and then
click Add.
3. In the Add new domain pairs flyout that appears, configure the following settings:
Add domain pairs with wildcards: Enter domain pair per line, up to a
maximum of 20. For details about the syntax for spoofed sender entries, see
the Domain pair syntax for spoofed sender entries section later in this article.
PowerShell
This example creates an allow entry for the sender bob@contoso.com from the source
contoso.com.
PowerShell
Note
Only the combination of the spoofed user and the sending infrastructure as defined
in the domain pair is blocked from spoofing.
When you configure a block entry for a domain pair, messages from that domain
pair no longer appear in the spoof intelligence insight.
The instructions to report the message are nearly identical to the steps in Use the
Microsoft 365 Defender portal to create allow entries for domains and email addresses
in the Submissions portal.
The only difference is: for the Action value in Step 4, choose Block instead of Allow.
PowerShell
This example creates a block entry for the sender laura@adatum.com from the source
172.17.17.17/24.
PowerShell
New-TenantAllowBlockListSpoofItems -Identity Default -Action Block -SendingInfrastructure 172.17.17.17/24 -SpoofedUser laura@adatum.com -SpoofType External
2. Verify the Spoofed senders tab is selected. The following columns are available:
Spoofed user
Sending infrastructure
Spoof type: The value Internal or External.
Action: The value Block or Allow.
Click Search, enter all or part of a value, and then press ENTER to find a specific
value. When you're finished, click Clear search.
Click Filter to filter the results. The following values are available in the Filter
flyout that appears:
When you're finished, click Apply. To clear existing filters, click Clear filters in
the Filter flyout.
This example returns all spoofed sender entries in the Tenant Allow/Block List.
PowerShell
Get-TenantAllowBlockListSpoofItems
This example returns all allow spoofed sender entries that are internal.
PowerShell
This example returns all blocked spoofed sender entries that are external.
PowerShell
3. On the Spoofed senders tab, select the entry that you want to modify, and then
click the Edit button that appears.
4. In the Edit spoofed sender flyout that appears, choose Allow or Block.
PowerShell
PowerShell
3. On the Spoofed senders tab, select the entry that you want to remove, and then
click the Delete icon that appears.
Note
You can select multiple entries by selecting each check box, or selecting all entries
by selecting the check box next to the Spoofed user column header.
Use PowerShell to remove allow or block entries for spoofed senders from the Tenant Allow/Block List
PowerShell
PowerShell
This example removes the specified spoofed sender. You get the Ids parameter value
from the Identity property in the output of the Get-TenantAllowBlockListSpoofItems
command.
Spoofed user: This value is the email address of the spoofed user that's displayed
in the From box in email clients. This address is also known as the 5322.From
address. Valid values include:
An individual email address (for example, chris@contoso.com).
An email domain (for example, contoso.com).
The wildcard character (for example, *).
Sending infrastructure: This value indicates the source of messages from the
spoofed user. Valid values include:
The domain found in a reverse DNS lookup (PTR record) of the source email
server's IP address (for example, fabrikam.com).
If the source IP address has no PTR record, then the sending infrastructure is
identified as <source IP>/24 (for example, 192.168.100.100/24).
A verified DKIM domain.
Here are some examples of valid domain pairs to identify spoofed senders:
contoso.com, 192.168.100.100/24
chris@contoso.com, fabrikam.com
*, contoso.net
Adding a domain pair only allows or blocks the combination of the spoofed user and the
sending infrastructure. It does not allow email from the spoofed user from any source,
nor does it allow email from the sending infrastructure source for any spoofed user.
For example, you add an allow entry for the following domain pair:
Domain: gmail.com
Sending infrastructure: tms.mx.com
Only messages from that domain and sending infrastructure pair are allowed to spoof.
Other senders attempting to spoof gmail.com aren't allowed. Messages from senders in
other domains originating from tms.mx.com are checked by spoof intelligence.
Note
You can specify wildcards in the sending infrastructure or in the spoofed user, but
not in both at the same time. For example, *, * is not permitted.
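The domain pair rules above, worked through in an added PowerShell example (not Microsoft's code): a checker that applies the syntax rules and a matcher that shows an entry applies only to the exact spoofed user and sending infrastructure combination. All entries, addresses, and sources in it are constructed.

```powershell
# Added example, not Microsoft's code: checks spoofed-sender domain pairs against the
# syntax rules above and shows that an entry matches only the exact combination of
# spoofed user and sending infrastructure. All entries and messages are constructed.

function Test-SpoofedSenderPair {
    param([Parameter(Mandatory)][string]$Pair)   # "spoofed user, sending infrastructure"

    $parts = @(($Pair -split ',') | ForEach-Object { $_.Trim() })
    $result = [ordered]@{ Pair = $Pair; Valid = $false; Reason = '' }
    if ($parts.Count -ne 2 -or $parts -contains '') {
        $result.Reason = 'expected exactly two comma-separated values'
        return [pscustomobject]$result
    }
    $user, $infra = $parts

    # A wildcard is permitted in either value, but not in both ("*, *" is rejected).
    if ($user -eq '*' -and $infra -eq '*') {
        $result.Reason = 'wildcard not allowed in both values'
        return [pscustomobject]$result
    }
    $domainRx = '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'           # PTR domain or verified DKIM domain
    $addrRx   = '^[^@\s,]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'   # individual email address
    $ipRx     = '^(\d{1,3}\.){3}\d{1,3}/24$'                 # "<source IP>/24" when there is no PTR record

    if (-not ($user -eq '*' -or $user -match $addrRx -or $user -match $domainRx)) {
        $result.Reason = "spoofed user '$user' is not an address, a domain, or *"
    } elseif (-not ($infra -eq '*' -or $infra -match $domainRx -or $infra -match $ipRx)) {
        $result.Reason = "sending infrastructure '$infra' is not a domain, an IP/24, or *"
    } else {
        $result.Valid = $true
    }
    return [pscustomobject]$result
}

function Test-SpoofedSenderMatch {
    param(
        [Parameter(Mandatory)][string]$Pair,                  # a valid entry, e.g. "gmail.com, tms.mx.com"
        [Parameter(Mandatory)][string]$FromAddress,           # the message's 5322.From address
        [Parameter(Mandatory)][string]$SendingInfrastructure  # its PTR domain, DKIM domain, or IP/24
    )
    $user, $infra = @(($Pair -split ',') | ForEach-Object { $_.Trim() })
    $fromDomain = $FromAddress.Split('@')[-1]
    # String comparisons in PowerShell are case-insensitive, which is what we want for domains.
    $userMatch  = ($user -eq '*') -or ($user -eq $FromAddress) -or ($user -eq $fromDomain)
    $infraMatch = ($infra -eq '*') -or ($infra -eq $SendingInfrastructure)
    return ($userMatch -and $infraMatch)
}

# Constructed entries, one per line as they would be typed into the "Add domain pairs" flyout.
$entries = @(
    'contoso.com, 192.168.100.100/24',
    'chris@contoso.com, fabrikam.com',
    '*, contoso.net',
    'gmail.com, tms.mx.com',
    '*, *',                       # rejected: wildcard on both sides
    'conto so.com, fabrikam.com'  # rejected: not a domain
)
$entries | ForEach-Object { Test-SpoofedSenderPair -Pair $_ } | Format-Table -AutoSize

# The gmail.com / tms.mx.com allow entry from the text: only that combination is allowed to spoof.
$cases = @(
    @{ From = 'alice@gmail.com'; Infra = 'tms.mx.com' },      # both values match
    @{ From = 'alice@gmail.com'; Infra = 'smtp.other.test' }, # same spoofed domain, different source
    @{ From = 'bob@contoso.com'; Infra = 'tms.mx.com' }       # same source, different spoofed domain
)
foreach ($c in $cases) {
    $hit = Test-SpoofedSenderMatch -Pair 'gmail.com, tms.mx.com' -FromAddress $c.From -SendingInfrastructure $c.Infra
    $verdict = if ($hit) { 'matches the allow entry' } else { 'no match, left to spoof intelligence' }
    '{0} via {1}: {2}' -f $c.From, $c.Infra, $verdict
}
```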
Instead, the domain or sender is added to the Trusted senders and domains section in
the anti-phishing policy that detected the message.
The instructions to report the message are identical to the steps in Use the Microsoft
365 Defender portal to create allow entries for domains and email addresses in the
Submissions portal.
Note
Currently, Graph Impersonation isn't covered by the Tenant Allow/Block List.
Related articles
Use the Submissions portal to submit suspected spam, phish, URLs, legitimate
email getting blocked, and email attachments to Microsoft
Report false positives and false negatives
Manage your allows and blocks in the Tenant Allow/Block List
Allow or block files in the Tenant Allow/Block List
Allow or block URLs in the Tenant Allow/Block List
Allow or block files using the Tenant Allow/Block List
Article • 01/18/2023 • 8 minutes to read
This article describes how to manage file allow and block entries that are available in the
Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see
Manage your allows and blocks in the Tenant Allow/Block List.
You manage allow and block entries for files in the Microsoft 365 Defender Portal or in
Exchange Online PowerShell.
You specify files by using the SHA256 hash value of the file. To find the SHA256
hash value of a file in Windows, run the following command in a Command
Prompt:
DOS
An example value is
768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a . Perceptual
hash (pHash) values are not supported.
For files, the maximum number of allow entries is 500, and the maximum number
of block entries is 500 (1000 file entries total).
An entry should be active within 30 minutes, but it might take up to 24 hours for
the entry to be active.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add and remove values from the Tenant Allow/Block List, you need to be a
member of one of the following role groups:
Organization Management or Security Administrator role group (Security
admin role)
Security Operator role group (Tenant AllowBlockList Manager).
For read-only access to the Tenant Allow/Block List, you need to be a member
of one of the following role groups:
Global Reader role group
Security Reader role group
View-Only configuration role group
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
Email messages that contain these blocked files are blocked as malware.
4. In the Block files flyout that appears, configure the following settings:
Add file hashes: Enter one SHA256 hash value per line, up to a maximum of
20.
Remove block entry after: The default value is 30 days, but you can select
from the following values:
1 day
7 days
30 days
Never expire
Specific date: The maximum value is 90 days from today.
PowerShell
This example adds a block entry for the specified files that never expires.
PowerShell
Important
Because Microsoft manages allow entries for you, unneeded allow entries for files
will be removed. This behavior protects your organization and helps prevent
misconfigured allow entries. If you disagree with the verdict, you might need to
open a support case to help determine why a file is still considered bad.
Use the Microsoft 365 Defender portal to view allow or block entries for files in the Tenant Allow/Block List
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section.
Or, to go directly to the Tenant Allow/Block Lists page, use
https://security.microsoft.com/tenantAllowBlockList .
Click Search, enter all or part of a value, and then press ENTER to find a specific
value. When you're finished, click Clear search.
Click Filter to filter the results. The following values are available in the Filter
flyout that appears:
When you're finished, click Apply. To clear existing filters, click Clear filters in
the Filter flyout.
PowerShell
Get-TenantAllowBlockListItems -ListType FileHash [-Allow] [-Block] [-Entry <FileHashValue>] [<-ExpirationDate <Date> | -NoExpiration>]
PowerShell
This example returns information for the specified file hash value.
PowerShell
PowerShell
4. The following settings are available in the Edit file flyout that appears:
Remove block entry after: You can extend block entries for a maximum of 90
days after the creation date or set them to Never expire.
Optional note
Note
For allow entries only, if you select the entry by clicking anywhere in the row other
than the check box, you can select View submission in the details flyout that
appears to go to the Submissions page at
https://security.microsoft.com/reportsubmission .
PowerShell
This example changes the expiration date of the specified file block entry.
PowerShell
Select the check box of the entry that you want to remove, and then click the
Delete icon that appears.
Select the entry that you want to remove by clicking anywhere in the row
other than the check box. In the details flyout that appears, click Delete.
Note
You can select multiple entries by selecting each check box, or select all entries by
selecting the check box next to the Value column header.
PowerShell
This example removes the specified file block from the Tenant Allow/Block List.
PowerShell
This article describes how to create and manage URL allow and block entries that are
available in the Tenant Allow/Block List. For more information about the Tenant
Allow/Block List, see Manage your allows and blocks in the Tenant Allow/Block List.
You manage allow and block entries for URLs in the Microsoft 365 Defender Portal or in
Exchange Online PowerShell. Messages containing the blocked URLs are quarantined.
Note
To allow phishing URLs that are part of third-party attack simulation training, use
the advanced delivery configuration to specify the URLs. Don't use the Tenant
Allow/Block List.
For URLs, the maximum number of allow entries is 500, and the maximum number
of block entries is 500 (1000 URL entries total).
An entry should be active within 30 minutes, but it might take up to 24 hours for
the entry to be active.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To add and remove values from the Tenant Allow/Block List, you need to be a
member of one of the following role groups:
Organization Management or Security Administrator role group (Security
admin role)
Security Operator role group (Tenant AllowBlockList Manager).
For read-only access to the Tenant Allow/Block List, you need to be a member
of one of the following role groups:
Global Reader role group
Security Reader role group
View-Only configuration role group
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
Email messages that contain these blocked URLs are blocked as high confidence
phishing.
4. In the Block URLs flyout that appears, configure the following settings:
Add URLs with wildcards: Enter one URL per line, up to a maximum of 20. For
details about the syntax for URL entries, see the URL syntax for the Tenant
Allow/Block List section later in this article.
Remove block entry after: The default value is 30 days, but you can select
from the following values:
Never expire
1 day
7 days
30 days
Specific date: The maximum value is 90 days from today.
PowerShell
This example adds a block entry for the URL contoso.com and all subdomains (for
example, contoso.com and xyz.abc.contoso.com). Because we didn't use the
ExpirationDate or NoExpiration parameters, the entry expires after 30 days.
PowerShell
Important
Because Microsoft manages allow entries for you, unneeded URL allow entries will
be removed. This behavior protects your organization and helps prevent
misconfigured allow entries. If you disagree with the verdict, you might need to
open a support case to help determine why a URL is still considered bad.
Use the Microsoft 365 Defender portal to view allow or block entries for URLs in the Tenant Allow/Block List
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Policies & rules > Threat Policies > Tenant Allow/Block Lists in the Rules section.
Or, to go directly to the Tenant Allow/Block Lists page, use
https://security.microsoft.com/tenantAllowBlockList .
Click Search, enter all or part of a value, and then press ENTER to find a specific
value. When you're finished, click Clear search.
Click Filter to filter the results. The following values are available in the Filter
flyout that appears:
When you're finished, click Apply. To clear existing filters, click Clear filters in
the Filter flyout.
PowerShell
Get-TenantAllowBlockListItems -ListType Url [-Allow] [-Block] [-Entry <URLValue>] [<-ExpirationDate <Date> | -NoExpiration>]
PowerShell
PowerShell
3. On the URLs tab, select the check box of the entry that you want to modify, and
then click the Edit button that appears.
4. The following values are available in the Edit URL flyout that appears:
Remove block entry after: You can extend block entries for a maximum of 90
days after the creation date or set them to Never expire.
Optional note
Note
For allow entries only, if you select the entry by clicking anywhere in the row other
than the check box, you can select View submission in the details flyout that
appears to go to the Submissions page at
https://security.microsoft.com/reportsubmission .
PowerShell
This example changes the expiration date of the block entry for the specified URL.
PowerShell
Select the check box of the entry that you want to remove, and then click the
Delete icon that appears.
Select the entry that you want to remove by clicking anywhere in the row
other than the check box. In the details flyout that appears, click Delete.
Note
You can select multiple entries by selecting each check box, or select all entries by
selecting the check box next to the Value column header.
PowerShell
This example removes the block entry for the specified URL from the Tenant Allow/Block
List.
PowerShell
*.com* is invalid (not a resolvable domain and the right wildcard does not
follow a forward slash).
Scenario: No wildcards
Entry: contoso.com
Allow match: contoso.com
Block match:
contoso.com
contoso.com/a
payroll.contoso.com
test.com/contoso.com
test.com/q=contoso.com
www.contoso.com
www.contoso.com/q=a@contoso.com
Note
Entry: *.contoso.com
Block match:
www.contoso.com
xyz.abc.contoso.com
Note
Entry: *.contoso.com/*
Block match:
abc.contoso.com/ab
abc.xyz.contoso.com/a/b/c
www.contoso.com/a
www.contoso.com/b/a/c
xyz.contoso.com/ba
Entry: ~contoso.com~
Scenario: IP address
Entry: 1.2.3.4
Non-descriptive wildcards:
*
*.*
Middle wildcards:
conto*so.com
conto~so.com
Double wildcards
contoso.com/**
contoso.com/*/*
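The URL entry syntax and the block-match scenarios above, as an added PowerShell example (not Microsoft's code): a validator for the wildcard rules the text lists, and a matcher modelled on the "Block match" lists shown for the no-wildcard, `*.domain` and `*.domain/*` scenarios. The service's actual matching logic isn't published, so the matcher is an assumption that reproduces those listed results; the URLs it runs over are constructed test input.

```powershell
# Added example, not Microsoft's code: validates URL entries using the wildcard rules listed
# above, then checks URLs against block entries the way the "Block match" scenarios show
# (the real service's matcher isn't published, so the matching is modelled on those lists).

function Test-UrlEntry {
    param([Parameter(Mandatory)][string]$Entry)
    $reason = $null
    $core = $Entry
    if ($Entry -in @('*', '*.*')) {
        $reason = 'non-descriptive wildcard'
    } else {
        # Only a leading "*." and a trailing "/*" are permitted, plus the "~value~" form.
        if ($core.StartsWith('*.')) { $core = $core.Substring(2) }
        if ($core.EndsWith('/*'))   { $core = $core.Substring(0, $core.Length - 2) }
        if ($core -match '^~(.+)~$') { $core = $Matches[1] }
        if ($core -match '[*~]') {
            # Catches middle wildcards (conto*so.com), double wildcards (contoso.com/**, contoso.com/*/*)
            # and a right wildcard that doesn't follow a slash (*.com*).
            $reason = 'wildcards are only allowed as a leading *. or a trailing /*'
        } else {
            $hostPart = ($core -split '/')[0]
            $isIp     = $hostPart -match '^(\d{1,3}\.){3}\d{1,3}$'
            $isDomain = $hostPart -match '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'
            if (-not ($isIp -or $isDomain)) { $reason = 'not a resolvable domain or IP address' }
        }
    }
    [pscustomobject]@{ Entry = $Entry; Valid = ($null -eq $reason); Reason = $reason }
}

function Test-UrlBlockMatch {
    param([Parameter(Mandatory)][string]$Entry, [Parameter(Mandatory)][string]$Url)
    $u = $Url -replace '^[A-Za-z]+://', ''          # compare without the scheme (assumption)
    $hostPart = ($u -split '/')[0]
    $pathPart = if ($u.Contains('/')) { $u.Substring($u.IndexOf('/')) } else { '' }
    switch -Regex ($Entry) {
        '^\*\.(.+)/\*$' { return (($hostPart -like "*.$($Matches[1])") -and ($pathPart.Length -gt 1)) }
        '^\*\.(.+)$'    { return ($hostPart -like "*.$($Matches[1])") }
        default         { return ($u -like "*$Entry*") }  # no wildcards: the value may appear anywhere in the URL
    }
}

# Entries taken from the scenarios above plus the invalid forms the text lists.
$entries = 'contoso.com', '*.contoso.com', '*.contoso.com/*', '~contoso.com~', '1.2.3.4',
           '*.com*', '*', '*.*', 'conto*so.com', 'conto~so.com', 'contoso.com/**', 'contoso.com/*/*'
$entries | ForEach-Object { Test-UrlEntry -Entry $_ } | Format-Table -AutoSize

# URLs from the scenario lists (constructed test input); each is checked against three block entries.
$urls = 'contoso.com', 'payroll.contoso.com', 'test.com/q=contoso.com',
        'www.contoso.com/q=a@contoso.com', 'xyz.abc.contoso.com', 'abc.xyz.contoso.com/a/b/c', 'fabrikam.com'
foreach ($url in $urls) {
    $hits = foreach ($e in 'contoso.com', '*.contoso.com', '*.contoso.com/*') {
        if (Test-UrlBlockMatch -Entry $e -Url $url) { $e }
    }
    '{0,-35} blocked by: {1}' -f $url, $(if ($hits) { $hits -join ', ' } else { '(none)' })
}
```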
Related articles
Use the Submissions portal to submit suspected spam, phish, URLs, legitimate
email getting blocked, and email attachments to Microsoft
Report false positives and false negatives
Manage your allows and blocks in the Tenant Allow/Block List
Allow or block files in the Tenant Allow/Block List
Allow or block emails in the Tenant Allow/Block List
Create blocked sender lists in EOP
Article • 12/10/2022 • 5 minutes to read
The available blocked sender lists are described in the following list in order from most
recommended to least recommended:
1. Block entries for domains and email addresses (including spoofed senders) in the
Tenant Allow/Block List.
2. Outlook Blocked Senders (the Blocked Senders list that's stored in each mailbox).
3. Blocked sender lists or blocked domain lists (anti-spam policies).
4. Mail flow rules (also known as transport rules).
5. The IP Block List (connection filtering).
Note
Always submit messages in your blocked sender lists to Microsoft for analysis. For
instructions, see Report questionable email to Microsoft. If the messages or
message sources are determined to be harmful, Microsoft can automatically block
the messages, and you won't need to manually maintain the entry in blocked
sender lists.
Instead of blocking email, you also have several options to allow email from specific
sources using safe sender lists. For more information, see Create safe sender lists.
The 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or
envelope sender) is the email address that's used in the SMTP transmission of the
message. This email address is typically recorded in the Return-Path header field in
the message header (although it's possible for the sender to designate a different
Return-Path email address). If the message can't be delivered, it's the recipient for
the non-delivery report (also known as an NDR or bounce message).
The 5322.From (also known as the From address or P2 sender) is the email address
in the From header field, and is the sender's email address that's displayed in email
clients.
Frequently, the 5321.MailFrom and 5322.From addresses are the same (person-to-person
communication). However, when email is sent on behalf of someone else, the addresses
can be different.
Blocked sender lists and blocked domain lists in anti-spam policies in EOP inspect only
the 5322.From addresses. This behavior is similar to Outlook Blocked Senders that use
the 5322.From address.
Email messages from these senders are marked as high confidence spam (SCL = 9). What
happens to the messages is determined by the anti-spam policy that detected the
message for the recipient. In the default anti-spam policy and new custom policies,
messages that are marked as high confidence spam are delivered to the Junk Email
folder by default. In Standard and Strict preset security policies, high confidence spam
messages are quarantined.
As an added benefit, users in the organization can't send email to these blocked
domains and addresses. They'll receive the following non-delivery report (also known as
an NDR or bounce message): 5.7.1 Your message can't be delivered because one or
more recipients are blocked by your organization's tenant allow/block list policy.
The entire message is blocked to all recipients if email is sent to any of the entries in the
list.
Only if you can't use the Tenant Allow/Block List for some reason should you consider
using a different method to block senders.
When messages are successfully blocked due to a user's Blocked Senders list, the X-Forefront-Antispam-Report header field will contain the value SFV:BLK.
Note
Regardless of the conditions or exceptions that you use to identify the messages, you
configure the action to set the spam confidence level (SCL) of the message to 9, which
marks the message as High confidence spam. For more information, see Use mail flow
rules to set the SCL in messages.
Important
It's easy to create rules that are overly aggressive, so it's important that you identify
only the messages you want to block using very specific criteria. Also, be sure to
monitor the usage of the rule to ensure everything works as expected.
You should especially avoid adding IP address ranges that belong to consumer services
(for example, outlook.com) or shared infrastructures, and also ensure that you review
the list of blocked IP addresses as part of regular maintenance.
Create safe sender lists in EOP
Article • 01/05/2023 • 10 minutes to read
The available safe sender lists are described in the following list in order from most
recommended to least recommended:
1. Allow entries for domains and email addresses (including spoofed senders) in the
Tenant Allow/Block List.
2. Mail flow rules (also known as transport rules).
3. Outlook Safe Senders (the Safe Senders list that's stored in each mailbox that
affects only that mailbox).
4. IP Allow List (connection filtering).
5. Allowed sender lists or allowed domain lists (anti-spam policies).
Important
Messages that are identified as malware or high confidence phishing are always
quarantined, regardless of the safe sender list option that you use. For more
information, see Secure by default in Office 365.
Be careful to closely monitor any exceptions that you make to spam filtering using
safe sender lists.
Always submit messages in your safe sender lists to Microsoft for analysis. For
instructions, see Report good email to Microsoft. If the messages or message
sources are determined to be benign, Microsoft can automatically allow the
messages, and you won't need to manually maintain the entry in safe sender lists.
Instead of allowing email, you also have several options to block email from specific
sources using blocked sender lists. For more information, see Create block sender
lists in EOP.
Only if you can't use the Tenant Allow/Block List for some reason should you consider
using a different method to allow senders.
Note
You can't use message headers and mail flow rules to designate an internal sender
as a safe sender. The procedures in this section work for external senders only.
Mail flow rules in Exchange Online and standalone EOP use conditions and exceptions
to identify messages, and actions to specify what should be done to those messages.
For more information, see Mail flow rules (transport rules) in Exchange Online.
The following example assumes you need email from contoso.com to skip spam
filtering. To do this, configure the following settings:
Mail flow rule condition: The message headers > includes any of these
words:
Header name: Authentication-Results
Header value: dmarc=pass or dmarc=bestguesspass (add both values).
This condition checks the email authentication status of the sending email
domain to ensure that the sending domain is not being spoofed. For more
information about email authentication, see SPF, DKIM, and DMARC.
Use this setting if the sending domain does not use email authentication. Be
as restrictive as possible when it comes to the source IP addresses in the IP
Allow List. We recommend an IP address range of /24 or less (less is better).
Do not use IP address ranges that belong to consumer services (for example,
outlook.com) or shared infrastructures.
Important
Never configure mail flow rules with only the sender domain as the
condition to skip spam filtering. Doing so will significantly increase the
likelihood that attackers can spoof the sending domain (or impersonate
the full email address), skip all spam filtering, and skip sender
authentication checks so the message will arrive in the recipient's Inbox.
3. Optional conditions:
The sender > is internal/external > Outside the organization: This condition
is implicit, but it's OK to use it to account for on-premises email servers that
might not be correctly configured.
The subject or body > subject or body includes any of these words >
<keywords>: If you can further restrict the messages by keywords or phrases
in the subject line or message body, you can use those words as a condition.
4. Action: Configure both of the following actions in the rule:
a. Modify the message properties > set the spam confidence level (SCL) >
Bypass spam filtering.
If you have more than one domain in the rule, you can customize the header
text as appropriate.
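The "skip filtering for contoso.com" rule described above, created with New-TransportRule in an Exchange Online PowerShell session, as an added example that is not part of the Microsoft article. The rule names and the X-ETR header name are assumptions; the conditions and actions are the ones the steps above list.

```powershell
# Added example, not from the Microsoft article. Requires an Exchange Online
# PowerShell session (Connect-ExchangeOnline) and a role that can manage mail flow rules.

# The rule the Important note warns against: sender domain as the ONLY condition.
# A spoofed contoso.com From address satisfies it and skips filtering and sender
# authentication entirely. Kept commented out so it is not created by accident.
# New-TransportRule -Name 'Skip filtering for contoso.com (UNSAFE)' `
#     -SenderDomainIs 'contoso.com' -SetSCL -1

# The recommended rule: the domain AND a DMARC pass recorded by EOP in the
# Authentication-Results header, so only authenticated contoso.com mail qualifies.
$ruleParams = @{
    Name                        = 'Skip filtering for authenticated contoso.com mail'
    SenderDomainIs              = 'contoso.com'
    HeaderContainsMessageHeader = 'Authentication-Results'
    HeaderContainsWords         = @('dmarc=pass', 'dmarc=bestguesspass')  # add both values
    FromScope                   = 'NotInOrganization'  # optional condition from step 3
    SetSCL                      = -1                   # "Bypass spam filtering" (step 4a)
    SetHeaderName               = 'X-ETR'              # assumed name for the "set a message header" action
    SetHeaderValue              = 'Bypass spam filtering for authenticated sender contoso.com'
    Mode                        = 'Audit'              # observe in message trace first, enforce later
    Comments                    = 'Skips filtering only when DMARC passes for contoso.com.'
}
New-TransportRule @ruleParams

# Confirm that both conditions actually landed on the rule before you enforce it
Get-TransportRule -Identity $ruleParams.Name |
    Format-List Name, State, Mode, SenderDomainIs, HeaderContainsMessageHeader,
                HeaderContainsWords, FromScope, SetSCL, SetHeaderName, SetHeaderValue

# Once the audit results look right:
# Set-TransportRule -Identity $ruleParams.Name -Mode Enforce
```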
When a message skips spam filtering due to a mail flow rule, the value SFV:SKN is
stamped in the X-Forefront-Antispam-Report header. If the message is from a source
that's on the IP Allow List, the value IPV:CAL is also added. These values can help you
with troubleshooting.
Caution
This method creates a high risk of attackers successfully delivering email to the
Inbox that would otherwise be filtered; however, if a message from an entry in the
user's Safe Senders or Safe Domains lists is determined to be malware or high
confidence phishing, the message will be filtered.
Instead of an organizational setting, users or admins can add the sender email
addresses to the Safe Senders list in the mailbox. For instructions, see Configure junk
email settings on Exchange Online mailboxes in Office 365. Safe Senders list entries in
the mailbox affect that mailbox only.
This method is not desirable in most situations since senders will bypass parts of the
filtering stack. Although you trust the sender, the sender can still be compromised and
send malicious content. You should let our filters check every message and then report
the false positive/negative to Microsoft if we got it wrong. Bypassing the filtering stack
also interferes with zero-hour auto purge (ZAP).
When messages skip spam filtering due to entries in a user's Safe Senders list, the X-Forefront-Antispam-Report header field will contain the value SFV:SFE, which indicates
that filtering for spam, spoof, and phishing (not high confidence phishing) was
bypassed.
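A small troubleshooting helper for the header values this article mentions (SFV:BLK, SFV:SKN, SFV:SFE, IPV:CAL, and SCL 9 and -1), written as an added example that is not code from the Microsoft article. The two header blocks at the bottom are constructed samples, not real messages, and any value the article does not describe is reported as not covered.

```powershell
# Added example, not from the Microsoft article: parse X-Forefront-Antispam-Report
# and explain the fields that the blocked/safe sender guidance above refers to.
function Get-AntispamReportVerdict {
    param(
        [Parameter(Mandatory)]
        [string]$RawHeaders   # for a saved message: Get-Content .\message.eml -Raw
    )

    # Unfold RFC 5322 continuation lines so the whole report sits on one line
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $line = ($unfolded -split "`r?`n") |
        Where-Object { $_ -like 'X-Forefront-Antispam-Report:*' } |
        Select-Object -First 1
    if (-not $line) { return $null }

    # The report is a ';'-separated list of KEY:VALUE pairs
    $fields = @{}
    foreach ($pair in (($line -replace '^X-Forefront-Antispam-Report:', '') -split ';')) {
        if ($pair -match '^\s*([A-Za-z]+):(.*)$') { $fields[$matches[1]] = $matches[2].Trim() }
    }

    $sfv = if ($fields.ContainsKey('SFV')) { $fields['SFV'] } else { '' }
    $ipv = if ($fields.ContainsKey('IPV')) { $fields['IPV'] } else { '' }
    $scl = if ($fields.ContainsKey('SCL')) { $fields['SCL'] } else { '' }

    # Meanings as stated in the article; everything else is flagged as not covered
    $sfvMeaning = switch ($sfv) {
        'BLK'   { "Blocked by the user's Outlook Blocked Senders list" }
        'SKN'   { 'Skipped spam filtering because a mail flow rule set the SCL to -1' }
        'SFE'   { "Skipped spam, spoof and phishing filtering (not high confidence phishing) because of the user's Safe Senders list" }
        default { "SFV:$sfv is not covered in this article" }
    }
    $ipvMeaning = switch ($ipv) {
        'CAL'   { 'Source IP is on the IP Allow List of the connection filter policy' }
        default { "IPV:$ipv is not covered in this article" }
    }
    $sclMeaning = switch ($scl) {
        '9'     { 'High confidence spam (blocked sender list or blocking mail flow rule)' }
        '-1'    { 'Spam filtering bypassed' }
        default { "SCL:$scl is not covered in this article" }
    }

    [pscustomobject]@{
        SCL = $scl; SCLMeaning = $sclMeaning
        SFV = $sfv; SFVMeaning = $sfvMeaning
        IPV = $ipv; IPVMeaning = $ipvMeaning
    }
}

# Constructed sample 1: mail that skipped filtering via a mail flow rule, from an IP Allow List source
$skipped = @"
From: billing@contoso.com
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;
 SFV:SKN;H:mail.contoso.com;PTR:mail.contoso.com;CAT:NONE;SFS:;DIR:INB
Subject: Invoice 1234
"@

# Constructed sample 2: mail stopped by the recipient's Blocked Senders list
$blocked = @"
From: promo@example.net
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:BLK;
 H:mx.example.net;PTR:mx.example.net;CAT:SPM;SFS:;DIR:INB
"@

Get-AntispamReportVerdict -RawHeaders $skipped | Format-List
Get-AntispamReportVerdict -RawHeaders $blocked | Format-List
```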
Notes:
In Exchange Online, whether entries in the Safe Senders list work or don't work
depends on the verdict and action in the policy that identified the message:
Move messages to Junk Email folder: Domain entries and sender email address
entries are honored. Messages from those senders are not moved to the Junk
Email folder.
Quarantine: Domain entries are not honored (messages from those senders are
quarantined). Email address entries are honored (messages from those senders
are not quarantined) if either of the following statements are true:
The message is not identified as malware or high confidence phishing
(malware and high confidence phishing messages are quarantined).
The email address is not also in a block entry in the Tenant Allow/Block List
(messages from those senders will be quarantined).
Entries for blocked senders and blocked domains are honored (messages from
those senders are moved to the Junk Email folder). Safe mailing list settings are
ignored.
Caution
Without additional verification like mail flow rules, email from sources in the IP
Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC)
checks. This result creates a high risk of attackers successfully delivering email to
the Inbox that would otherwise be filtered; however, if a message from an entry in
the IP Allow List is determined to be malware or high confidence phishing, the
message will be filtered.
The next best option is to add the source email server or servers to the IP Allow List in
the connection filter policy. For details, see Configure connection filtering in EOP.
Notes:
It's important that you keep the number of allowed IP addresses to a minimum, so
avoid using entire IP address ranges whenever possible.
Do not use IP address ranges that belong to consumer services (for example,
outlook.com) or shared infrastructures.
Regularly review the entries in the IP Allow List and remove the entries that you no
longer need.
Caution
This method creates a high risk of attackers successfully delivering email to the
Inbox that would otherwise be filtered; however, if a message from an entry in the
allowed senders or allowed domains lists is determined to be malware or high
confidence phishing, the message will be filtered.
Do not use popular domains (for example, microsoft.com) in allowed domain lists.
The least desirable option is to use the allowed sender list or allowed domain list in anti-
spam policies. You should avoid this option if at all possible, because senders bypass all
spam, spoof, and phishing protection (except high confidence phishing) and sender
authentication (SPF, DKIM, DMARC). This method is best used for temporary testing
only. For the detailed steps, see the Configure anti-spam policies in EOP topic.
The maximum limit for these lists is approximately 1000 entries, although you can enter
only 30 entries in the portal. You must use PowerShell to add more than 30 entries.
Note
The 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or
envelope sender) is the email address that's used in the SMTP transmission of the
message. This email address is typically recorded in the Return-Path header field in
the message header (although it's possible for the sender to designate a different
Return-Path email address). If the message can't be delivered, it's the recipient for
the non-delivery report (also known as an NDR or bounce message).
The 5322.From (also known as the From address or P2 sender) is the email address
in the From header field, and is the sender's email address that's displayed in email
clients.
Frequently, the 5321.MailFrom and 5322.From addresses are the same (person-to-person
communication). However, when email is sent on behalf of someone else, the addresses
can be different. This happens most often for bulk email messages.
For example, suppose that Blue Yonder Airlines has hired Margie's Travel to send
advertising email messages. The message you receive in your Inbox has the following
properties:
The 5321.MailFrom address is blueyonder.airlines@margiestravel.com.
The 5322.From address is blueyonder@news.blueyonderairlines.com.
Safe sender lists and safe domain lists in anti-spam policies in EOP inspect only the
5322.From addresses. This behavior is similar to Outlook Safe Senders that use the
5322.From address.
To prevent this message from being filtered, you can take the following steps:
Add blueyonder@news.blueyonderairlines.com (the 5322.From address) as an
Outlook Safe Sender.
Use a mail flow rule with a condition that looks for messages from
blueyonder@news.blueyonderairlines.com (the 5322.From address),
blueyonder.airlines@margiestravel.com (the 5321.MailFrom address), or both.
Get started using Attack simulation training in Defender for Office 365
Article • 12/09/2022 • 6 minutes to read
Applies to: Microsoft Defender for Office 365 plan 2
If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2,
which includes Threat Investigation and Response capabilities, you can use Attack
simulation training in the Microsoft 365 Defender portal to run realistic attack scenarios
in your organization. These simulated attacks can help you identify and find vulnerable
users before a real attack impacts your bottom line. Read this article to learn more.
Watch this short video to learn more about Attack simulation training.
Note
Attack simulation training replaces the old Attack Simulator v1 experience that was
available in the Security & Compliance Center at Threat management > Attack
simulator or https://protection.office.com/attacksimulator .
For more information about the availability of Attack simulation training across
different Microsoft 365 subscriptions, see Microsoft Defender for Office 365 service
description.
You need to be assigned permissions in Azure Active Directory before you can do
the procedures in this article. Specifically, you need to be a member of one of the
following roles:
Global Administrator
Security Administrator
Attack Simulation Administrators*: Create and manage all aspects of attack
simulation campaigns.
Attack Payload Author*: Create attack payloads that an admin can initiate later.
* Adding users to this role in the Microsoft 365 Defender portal is currently
unsupported.
For more information, see Permissions in the Microsoft 365 Defender portal or
About admin roles.
Attack simulation and training related data is stored with other customer data for
Microsoft 365 services. For more information, see Microsoft 365 data locations.
Attack simulation is available in the following regions: NAM, APC, EUR, IND, CAN,
AUS, FRA, GBR, JPN, KOR, BRA, LAM, CHE, NOR, ZAF, ARE and DEU.
Note
NOR, ZAF, ARE and DEU are the latest additions. All features except reported
email telemetry will be available in these regions. We are working to enable
this and will notify our customers as soon as reported email telemetry
becomes available.
Simulations
Phishing is a generic term for email attacks that try to steal sensitive information in
messages that appear to be from legitimate or trusted senders. Phishing is a part of a
subset of techniques we classify as social engineering.
Credential harvest: An attacker sends the recipient a message that contains a URL.
When the recipient clicks on the URL, they're taken to a website that typically
shows a dialog box that asks the user for their username and password. Typically,
the destination page is themed to represent a well-known website in order to build
trust in the user.
Link to malware: An attacker sends the recipient a message that contains a link to
an attachment on a well-known file sharing site (for example, SharePoint Online or
Dropbox). When the recipient clicks on the URL, the attachment opens and
arbitrary code (for example, a macro) is run on the user's device to help the
attacker install additional code or further entrench themselves.
OAuth Consent Grant: An attacker creates a malicious Azure Application that seeks
to gain access to data. The application sends an email request that contains a URL.
When the recipient clicks on the URL, the consent grant mechanism of the
application asks for access to the data (for example, the user's Inbox).
The URLs that are used by Attack simulation training are described in the following list:
Note
Check the availability of the simulated phishing URL in your supported web
browsers before you use the URL in a phishing campaign. While we work with many
URL reputation vendors to always allow these simulation URLs, we don't always
have full coverage (for example, Google Safe Browsing). Most vendors provide
guidance that allows you to always allow specific URLs (for example,
https://support.google.com/chrome/a/answer/7532419 ).
Create a simulation
For step by step instructions on how to create and send a new simulation, see Simulate
a phishing attack.
Create a payload
For step by step instructions on how to create a payload for use within a simulation, see
Create a custom payload for Attack simulation training.
Gaining insights
For step by step instructions on how to gain insights with reporting, see Gain insights
through Attack simulation training.
Note
Attack Simulator uses Safe Links in Defender for Office 365 to securely track click
data for the URL in the payload message that's sent to targeted recipients of a
phishing campaign, even if the Track user clicks setting in Safe Links policies is
turned off.
Simulate a phishing attack with Attack simulation training in Defender for Office 365
Article • 12/06/2022 • 22 minutes to read
Applies to: Microsoft Defender for Office 365 plan 2
Attack simulation training in Microsoft Defender for Office 365 Plan 2 or Microsoft 365
E5 lets you run benign cyberattack simulations in your organization. These simulations
test your security policies and practices, as well as train your employees to increase their
awareness and decrease their susceptibility to attacks. This article walks you through
creating a simulated phishing attack using Attack simulation training.
For getting started information about Attack simulation training, see Get started using
Attack simulation training.
3. The simulation creation wizard opens. The rest of this article describes the pages
and the settings they contain.
Note
At any point during the simulation creation wizard, you can click Save and close to
save your progress and continue configuring the simulation later. The incomplete
simulation has the Status value Draft on the Simulations tab. You can pick up
where you left off by selecting the simulation and clicking Edit simulation.
If you click the View details link in the description, a details flyout opens that describes
the technique and the simulation steps that result from the technique.
You can also view the login page that's used in the payload, select a different login page
to use, or create a new login page to use.
Payload
The following details are shown for each payload:
Payload name
Language: The language of the payload content. Microsoft's payload catalog
(global) provides payloads in more than 10 languages, which can also be filtered.
Click rate: How many people have clicked on this payload.
Predicted compromise rate: Historical data across Microsoft 365 that predicts the
percentage of people who will be compromised by this payload (users
compromised / total number of users who receive the payload).
Simulations launched: The number of times this payload was used in other
simulations.
In the Search box, you can type part of the payload name and press Enter to filter the
results.
Language: The available values are: English, Spanish, German, Japanese, French,
Portuguese, Dutch, Italian, Swedish, Chinese (Simplified), Norwegian Bokmål,
Polish, Russian, Finnish, Korean, Turkish, Hungarian, Hebrew, Thai, Arabic,
Vietnamese, Slovak, Greek, Indonesian, Romanian, Slovenian, Croatian, Catalan,
or Other.
Add tag(s)
Filter by theme: The available values are: Account activation, Account verification,
Billing, Clean up mail, Document received, Expense, Fax, Finance report,
Incoming messages, Invoice, Items received, Login alert, Mail received, Password,
Payment, Payroll, Personalized offer, Quarantine, Remote work, Review message,
Security update, Service suspended, Signature required, Upgrade mailbox
storage, Verify mailbox, Voicemail, and Other.
Filter by brand: The available values are: American Express, Capital One, DHL,
DocuSign, Dropbox, Facebook, First American, Microsoft, Netflix, Scotiabank,
SendGrid, Stewart Title, Tesco, Wells Fargo, Syrinx Cloud, and Other.
Filter by industry: The available values are: Banking, Business services, Consumer
services, Education, Energy, Construction, Consulting, Financial services,
Government, Hospitality, Insurance, Legal, Courier services, IT, Healthcare,
Manufacturing, Retail, Telecom, Real estate, and Other.
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
If you select a payload from the list by selecting the check box, a Send a test button
appears on the main page where you can send a copy of the payload email to yourself
(the currently logged in user) for inspection.
To create your own payload, click Create a payload. For more information, see Create
custom payloads for Attack simulation training.
If you select a payload from the list by clicking anywhere in the row other than the check
box, details about the payload are shown in a flyout:
The Payload tab contains an example and other details about the payload.
The Login page tab is available only in Credential Harvest or Link in attachment
payloads and is described in the next section.
The Simulations launched tab contains the Simulation name, Click rate,
Compromised rate, and Action.
Login page
Note
The Login page tab is available only in Credential Harvest or Link in attachment
payloads.
Select the payload from the list by clicking anywhere in the row other than the check
box to open the details flyout.
The Login page tab in the payload details flyout shows the login page that's currently
selected for the payload.
To view the complete login page, use the Page 1 and Page 2 links at the bottom of the
page for two-page login pages.
To change the login page that's used in the payload, click Change login page.
On the Select login page flyout that appears, the following information is shown for
each login page:
Name
Language
Source: For built-in login pages, the value is Global. For custom login pages, the
value is Tenant.
Status: Ready or Draft.
Created by: For built-in login pages, the value is Microsoft. For custom login
pages, the value is the UPN of the user who created the login page.
Last modified
Actions: Click Preview to preview the login page.
To find a login page in the list, use the Search box to find the name of the login
page.
To create a new login page, click the Create new icon (Create new) to start the create end
user login page wizard. The steps are the same as for Login pages on the Simulated
content library tab in Attack simulation training. For instructions, see Create login pages.
Back on the Select login page, verify the new login page you created is selected, and
then click Save.
When you're finished on the Select a payload and login page, click Next.
Note
This page is available only if you selected OAuth Consent Grant on the Select
technique page. Otherwise, you're taken to the Target users page.
App name
App logo: Click Browse to select a .png, .jpeg, or .gif file to use. To remove a file
after you've selected it, click Remove.
Target users
On the Target users page, select who will receive the simulation. Configure one of the
following settings:
Include all users in your organization: The affected users are shown in lists of 10.
You can use the Next and Previous buttons directly below the list of users to scroll
through the list. You can also use the Search icon on the page to find affected
users.
Include only specific users and groups: Choose one of the following options:
Add users: In the Add users flyout that appears, you can find users and
groups based on the following criteria:
Search for users or groups: In the box, you can type part of the Name or Email
address of the user or group and then press Enter. You can select some or all of
the results. When you're finished, click Add x users.
Note
Clicking the Add filters button to return to the Filter users by categories
options will clear any users or groups that you selected in the search
results.
Filter users by categories: Select from none, some, or all of the following
options:
User tags: User tags are identifiers for specific groups of users (for example,
Priority accounts). For more information, see User tags in Microsoft Defender
for Office 365.
After you identify your criteria, the affected users are shown in the User list
section that appears, where you can select some or all of the discovered
recipients.
When you're finished, click Apply(x), and then click Add x users.
Back on the main Target users page, you can use the Search box to find
affected users. You can also click Delete to remove specific users.
Import: In the dialog that opens, specify a CSV file that contains one email
address per line.
After you find and select the CSV file, the list of users is imported and shown on the
Targeted users page. You can use the Search box to find affected users. You can
also click Delete to remove specific users.
Assign training
On the Assign training page, you can assign trainings for the simulation. We
recommend that you assign training for each simulation, as employees who go through
training are less susceptible to similar attacks. The following settings are available:
Training assignment
Note
The Training assignment page is available only if you selected Microsoft training
experience > Select training courses and modules myself on the previous page.
On the Training assignment page, select the trainings that you want to add to the
simulation by clicking Add trainings.
On the Add training flyout that appears, you can select the trainings to use on the
following tabs that are available:
All trainings tab: Shows all built-in trainings that are available.
In the Search box, you can type part of the training name and press Enter to
filter the results on the current tab.
Select all trainings that you want to include from the current tab, and then click
Add.
Back on the main Training assignment page, the trainings that you selected are shown.
The following information is shown for each training:
Training name
Source
Duration (mins)
For each training in the list, you need to select who gets the training by selecting values
in the Assign to column:
All users
Clicked payload
Compromised
Landing page
On the Landing page page, you configure the web page that users are taken to if they
open the payload in the simulation.
Use Microsoft default landing page: This is the default value that has the
following associated options to configure:
Select landing page layout: Select one of the available templates.
Add logo: Click Browse to find and select a .png, .jpeg, or .gif file. The logo
size should be a maximum of 210 x 70 to avoid distortion. To remove the
logo, click Remove.
Add payload indicators to email: This setting is not available if you
previously selected Malware attachment or Link to malware on the Select
technique page.
You can preview the results by clicking the Open preview panel button at the
bottom of the page.
Use a custom URL: This setting is not available if you previously selected
Malware attachment or Link to malware on the Select technique page.
If you select Use a custom URL, you need to add the URL in the Enter the
custom landing page URL box that appears. No other options are available on
the page.
Create your own landing page: This value has the following associated options
to configure:
Use from default: Select an available template to start with. You can
modify the text and layout in the editing area. To reset the landing
page back to the default text and layout of the template, click Reset to
default.
Code: You can view and modify the HTML code directly.
You can preview the results by clicking the Open preview panel button in the
middle of the page.
Note
Certain trademarks, logos, symbols, insignias and other source identifiers receive
heightened protection under local, state and federal statutes and laws.
Unauthorized use of such indicators can subject the users to penalties, including
criminal fines. Though not an extensive list, this includes the Presidential, Vice
Presidential, and Congressional seals, the CIA, the FBI, Social Security, Medicare and
Medicaid, the United States Internal Revenue Service, and the Olympics. Beyond
these categories of trademarks, use and modification of any third-party trademark
carries an inherent amount of risk. Using your own trademarks and logos in a
payload would be less risky, particularly where your organization permits the use. If
you have any further questions about what is or is not appropriate to use when
creating or configuring a payload, you should consult with your legal advisors.
Do not deliver notifications: Click Proceed in the alert dialog that appears. If you
select this option, you're taken to the Launch details page when you click Next.
Select default language: The available values are: English, Spanish, German,
Japanese, French, Portuguese, Dutch, Italian, Swedish, Chinese (Simplified),
Norwegian Bokmål, Polish, Russian, Finnish, Korean, Turkish, Hungarian,
Hebrew, Thai, Arabic, Vietnamese, Slovak, Greek, Indonesian, Romanian,
Slovenian, Croatian, Catalan, or Other.
Preview tab: View the notification message as users will see it.
To view the message in different languages, use the Select language
box.
Use the Select payload to preview box to select the notification
message for simulations that contain multiple payloads.
You're taken to the Launch details page when you click Next.
Customized end user notifications: When you click Next, you're taken to the
Training assignment notification page as described in the next sections.
This page shows the following notifications and their configured languages:
These notifications are also available in End user notifications on the Simulation
content library tab in Attack simulation training at
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary .
Microsoft default training assignment notification is available on the Global
notifications tab. Custom training assignment notifications are available on the
Tenant notifications tab. For more information, see End-user notifications for
Attack simulation training.
You can select an existing training assignment notification or create a new notification to
use:
To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to the
notification.
To search for an existing notification, use the Search box to search for the
name.
Select the notification that you want to use, and then click Next.
Note
On the Define details page, be sure to select the value Training assignment
notification for Select notification type.
When you're finished, you're taken back to the Training assignment notification page
where the notification that you just created now appears in the list.
Select the notification that you want to use, and then click Next.
Set frequency for reminder notification: Select Weekly (default) or Twice a week.
Select a reminder notification: This section shows the following notifications and
their configured languages:
To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to
the notification.
To search for an existing notification, use the Search box to search for the
name.
Select the notification that you want to use, and then click Next.
If you clicked Create new on the Training reminder notification page, a notification
creation wizard opens.
Note
On the Define details page, be sure to select the value Training reminder
notification for Select notification type.
When you're finished, you're taken back to the Training reminder notification page
where the notification that you just created now appears in the list.
Select the notification that you want to use, and then click Next.
Do not deliver: If you select this option, you're taken to the Launch details page
when you click Next.
Deliver after the user reports a phish and campaign ends or Deliver
immediately after the user reports a phish: These sections show the following
notifications and their configured languages in the Select a positive
reinforcement notification section that appears:
To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to
the notification.
To search for an existing notification, use the Search box to search for the
name.
Select the notification that you want to use, and then click Next.
Note
On the Define details page, be sure to select the value Positive reinforcement
notification for Select notification type.
When you're finished, you're taken back to the Positive reinforcement notification page
where the notification that you just created now appears in the list.
Select the notification that you want to use, and then click Next.
Launch details
On the Launch details page, you choose when to launch the simulation and when to
end the simulation. We'll stop capturing interaction with this simulation after the end
date you specify.
Enable region aware time zone delivery: Deliver simulated attack messages to
your employees during their working hours based on their region.
Display the drive-by technique interstitial data gathered page: This setting is
available only if you selected Drive-by URL on the Select technique page. You can
show the overlay that appears for drive-by URL technique attacks. To hide the
overlay and go directly to the landing page, don't select this option.
Review simulation
On the Review simulation page, you can review the details of your simulation.
Click the Send a test button to send a copy of the payload email to yourself (the
currently logged in user) for inspection.
You can select Edit in each section to modify the settings within the section. Or you can
click Back or select the specific page in the wizard.
Applies to
Microsoft Defender for Office 365 plan 2
In Attack simulation training, a payload is the phishing email message and the link or
attachment content that are presented to users in simulations. Attack simulation
training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 offers a robust
built-in payload catalog for the available social engineering techniques. However, you
might want to create custom payloads that will work better for your organization.
To see the available payloads, open the Microsoft 365 Defender portal at
https://security.microsoft.com , go to Email & collaboration > Attack simulation
training > Simulation content library tab > and then select Payloads. To go directly to
the Simulation content library tab where you can select Payloads, use
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary .
Payload name
Type: Currently, this value is always Social engineering.
Language: If the payload contains multiple translations, the first two languages are
shown directly. To see the remaining languages, hover over the numeric icon (for
example, +10).
Source: For built-in payloads, the value is Global. For custom payloads, the value is
Tenant.
Simulations launched: The number of launched simulations that use the payload.
Compromised rate (%): For built-in payloads, this value is the predicted average
compromise rate for Attack simulation training simulations that use the same type
of payload across all other Microsoft 365 organizations.
Created by: For built-in payloads, the value is Microsoft. For custom payloads, the
value is the UPN of the user who created the payload.
Last modified
Technique: One of the available social engineering techniques:
Credential harvest
Malware attachment
Link in attachment
Link to malware
Drive-by URL
OAuth consent grant
Status: The value is Ready or Draft. On the Global payloads tab, the value is always
Ready.
To find a payload in the list, use the Search box to find the name of the payload.
To remove one or more columns that are displayed, click Customize columns. By
default, the only column that's not shown is Platform, and that value is currently always
Email.
When you select a payload from the list, a details flyout appears with the following
information:
Overview tab: View the payload as users will see it. Payload properties are also
visible:
Payload description
From name
From email
Email subject
Source: For built-in payloads, the value is Global. For custom payloads, the
value is Tenant.
Theme
Brand
Industry
Controversial
Current event
Tags
Create payloads
Note
Certain trademarks, logos, symbols, insignias and other source identifiers receive
heightened protection under local, state and federal statutes and laws.
Unauthorized use of such indicators can subject the users to penalties, including
criminal fines. Though not an extensive list, this includes the Presidential, Vice
Presidential, and Congressional seals, the CIA, the FBI, Social Security, Medicare and
Medicaid, the United States Internal Revenue Service, and the Olympics. Beyond
these categories of trademarks, use and modification of any third-party trademark
carries an inherent amount of risk. Using your own trademarks and logos in a
payload would be less risky, particularly where your organization permits the use. If
you have any further questions about what is or is not appropriate to use when
creating or configuring a payload, you should consult with your legal advisors.
Click Create a payload on the Tenant payloads tab in Payloads to start the
create payload wizard.
Note
Create a payload is also available on the Select payload and login page
step of the simulation creation wizard. For more information, see Create a
simulation: Select a payload and login page.
At any point during the creation wizard, you can click Save and close to save
your progress and continue configuring the payload later. You can pick up
where you left off by selecting the payload on the Tenant payloads tab in
Payloads, and then clicking Edit payload. The partially completed payload
will have the Status value Draft.
2. On the Select type page, the only value that you can currently select is Email.
Click Next.
3. On the Select technique page, the available options are the same as on the Select
technique page in the simulation creation wizard:
Credential harvest
Malware attachment
Link in attachment
Link to malware
Drive-by URL
OAuth Consent Grant
For more information, see Simulate a phishing attack with Attack simulation
training in Defender for Office 365.
5. On the Configure payload page, it's time to build your payload. Many of the
available settings are determined by the selection you made on the Select
technique page (for example, links vs. attachments).
Link for attachment section: This section is available only if you selected Link
to malware on the Select technique page. In the Select a URL you want to
be your malware attachment link box, select one of the available URLs (the
same URLs that are described for the Phishing link section).
Phishing link section: This section is available only if you selected Credential
harvest, Link in attachment, Drive-by URL, or OAuth Consent Grant on the
Select technique page.
For Credential harvest, Drive-by URL, or OAuth Consent Grant, the name of
the box is Select a URL you want to be your phishing link. Later, you'll
embed the URL in the body of the message.
For Link in attachment, the name of the box is Select a URL in this
attachment that you want to be your phishing link. Later, you'll embed the
URL in the attachment.
Attachment content section: This section is available only if you selected Link
in attachment on the Select technique page.
A rich text editor is available for you to create the content in your file
attachment payload.
Use the Phishing link control to add the previously selected phishing URL
into the attachment.
Add tag(s)
Theme: The available values are: Account Activation, Account Verification,
Billing, Clean up Mail, Document Received, Expense, Fax, Finance Report,
Incoming Messages, Invoice, Item Received, Login Alert, Mail Received,
Other, Password, Payment, Payroll, Personalized Offer, Quarantine,
Remote Work, Review Message, Security Update, Service Suspended,
Signature Required, Upgrade Mailbox Storage, Verify mailbox, or
Voicemail.
Brand: The available values are: American Express, Capital One, DHL,
DocuSign, Dropbox, Facebook, First American, Microsoft, Netflix,
Scotiabank, SendGrid, Stewart Title, Tesco, Wells Fargo, Syrinx Cloud, or
Other.
Language section: Select the language for the payload. The available values
are: English, Spanish, German, Japanese, French, Portuguese, Dutch, Italian,
Swedish, Chinese (Simplified), Norwegian Bokmål, Polish, Russian, Finnish,
Korean, Turkish, Hungarian, Hebrew, Thai, Arabic, Vietnamese, Slovak,
Greek, Indonesian, Romanian, Slovenian, Croatian, Catalan, or Other.
You can click Import email and then Choose file to import an existing
plain text message file.
On the Text tab, a rich text editor is available for you to create your email
message payload.
Use the Dynamic tag control to personalize the email message for each
user by inserting the available tags:
Insert user name: The value that's added in the message body is
${userName} .
Insert first name: The value that's added in the message body is
${firstName} .
Insert last name: The value that's added in the message body is
${lastName} .
Insert UPN: The value that's added in the message body is ${upn} .
Insert email: The value that's added in the message body is
${emailAddress} .
The value that's added in the message body (visible on the Code tab) is <a
href="${phishingUrl}" target="_blank">Name value you specified</a> .
On the Code tab, you can view and modify the HTML code directly.
Formatting and other controls like Dynamic tag and Phishing link or
Malware attachment link aren't available.
The Replace all links in the email message with the phishing link toggle
is available only if you selected Credential harvest, Link to malware,
Drive-by URL, or OAuth Consent Grant on the Select technique page.
This toggle can save time by replacing all links in the message with the
previously selected Phishing link or Link for attachment URL. To do this,
toggle the setting to on .
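As an added example (not Microsoft's code and not part of the original article), the script below performs the checks a reviewer wants on the Code tab before launching: it renders the dynamic tags listed above for a constructed sample recipient, applies the same "replace every link with the phishing link" behaviour as the toggle, and flags unrendered ${...} tags and stray links that would send trainees to a live site instead of the tracked simulation URL. The sample HTML, the recipient values and the substitution semantics are assumptions; the portal's own rendering engine is not documented here.

```python
import re
from html.parser import HTMLParser

# Dynamic tags the Text tab can insert (as listed on the page).
KNOWN_TAGS = {"userName", "firstName", "lastName", "upn", "emailAddress"}
# Placeholder the Phishing link control writes into href (as shown on the Code tab).
PHISHING_URL_TAG = "${phishingUrl}"

TAG_RE = re.compile(r"\$\{(\w+)\}")
HREF_RE = re.compile(r"""(<a\b[^>]*?\bhref=)(["'])[^"']*\2""", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collects every href value of an <a> element, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v is not None)


def collect_hrefs(html):
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs


def replace_all_links(html, phishing_url=PHISHING_URL_TAG):
    """Point every <a href> at the phishing link, like the 'Replace all links' toggle.
    Works on the raw Code-tab HTML so attributes other than href are untouched."""
    return HREF_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{phishing_url}{m.group(2)}", html)


def lint_payload(html, phishing_url=PHISHING_URL_TAG):
    """Pre-launch checks: tags that would be delivered literally, links that would
    bypass the tracked simulation URL, and whether a phishing link is present at all."""
    hrefs = collect_hrefs(html)
    allowed = KNOWN_TAGS | {"phishingUrl"}
    unknown = sorted({t for t in TAG_RE.findall(html) if t not in allowed})
    return {
        "unknown_tags": unknown,
        "stray_links": [h for h in hrefs if h != phishing_url],
        "has_phishing_link": phishing_url in hrefs,
    }


def render_for_user(html, user, phishing_url):
    """Substitute dynamic tags for one recipient. Assumed semantics: known tags are
    replaced, unknown ones are left as-is (which is exactly what lint_payload flags)."""
    values = dict(user)
    values["phishingUrl"] = phishing_url
    return TAG_RE.sub(lambda m: values.get(m.group(1), m.group(0)), html)


# Constructed sample: the kind of HTML the Code tab shows for a custom payload.
# The second link and the ${itTeam} tag are deliberate mistakes for the lint to catch.
SAMPLE_HTML = """<p>Hello ${firstName} ${lastName},</p>
<p>The password for ${upn} expires today.</p>
<p><a href="${phishingUrl}" target="_blank">Keep my password</a></p>
<p>Questions? Visit the <a href="https://intranet.example.test/help">help desk</a>.</p>
<p>Regards, ${itTeam}</p>"""

# Constructed sample recipient (hypothetical values).
SAMPLE_USER = {"userName": "jdoe", "firstName": "Jane", "lastName": "Doe",
               "upn": "jdoe@contoso.example", "emailAddress": "jdoe@contoso.example"}


if __name__ == "__main__":
    print("before toggle:", lint_payload(SAMPLE_HTML))
    fixed = replace_all_links(SAMPLE_HTML)
    print("after toggle:", lint_payload(fixed))
    print(render_for_user(fixed, SAMPLE_USER, "https://sim.example.test/l?u=1"))
```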
6. The Add indicators page is available only if you selected Credential harvest, Link
in attachment, Drive-by URL, or OAuth Consent Grant on the Select technique
page.
On the Add indicators page, click Add indicator. In the flyout that appears,
configure the following settings:
Select an indicator you would like to use and Where do you want to place
this indicator on the payload?:
These values are interrelated. Where you can place the indicator depends on
the type of indicator. The available values are described in the following
table:
Table: the available indicator types and the locations (Message subject or Message body) where each can be placed.
This list is curated to contain the most common clues that appear in phishing
messages.
If you select the email message subject or the message body as the location
for the indicator, a Select text button appears. Click this button to select the
text in the message subject or message body where you want the indicator to
appear. When you're finished, click Select.
Indicator description: You can accept the default description for the
indicator or you can customize it.
Indicator preview: To see what the current indicator looks like, click
anywhere within the section.
Back on the Add indicators page, you can review the indicators you selected:
To edit an existing indicator, select it from the list and then click Edit
indicator.
To delete an existing indicator, select it from the list and then click Delete.
To move indicators up or down in the list, select the indicator from the list,
and then click Move up or Move down.
7. On the Review payload page, you can review the details of your payload.
Click the Send a test button to send a copy of the payload email to yourself
(the currently logged in user) for inspection.
Click the Preview indicator button to open the payload in a preview flyout. The
preview includes all payload indicators that you've created.
On the main Review payload page, you can select Edit in each section to modify
the settings within the section. Or you can click Back or select the specific page in
the wizard.
When you're finished, click Submit. On the confirmation page that appears, click
Done.
Modify payloads
You can't modify built-in payloads on the Global payloads tab. You can only modify
custom payloads on the Tenant payloads tab.
To modify an existing payload on the Tenant payloads tab, do one of the following
steps:
Select the payload from the list by clicking the check box. Click the Edit payload
icon that appears.
Select the payload from the list by clicking anywhere in the row except the check
box. In the details flyout that opens, click Edit payload.
The payload wizard opens with the settings and values of the selected payload. The
steps are the same as described in the Create payloads section.
Copy payloads
To copy an existing payload on the Tenant payloads or Global payloads tabs, select the
payload from the list by clicking the check box, and then click the Copy payload icon
that appears.
The create payload wizard opens with the settings and values of the selected payload.
The steps are the same as described in the Create payloads section.
Note
When you copy a built-in payload on the Global payloads tab, be sure to change
the Name value. If you don't, the payload will appear on the Tenant payloads page
with the same name as the built-in payload.
Send a test
On the Tenant payloads or Global payloads tabs, you can send a copy of the payload
email to yourself (the currently logged in user) for inspection.
Select the payload from the list by clicking the check box, and then click the Send a
test button that appears.
Related links
Get started using Attack simulation training
Applies to
Microsoft Defender for Office 365 plan 2
For getting started information about Attack simulation training, see Get started using
Attack simulation training.
3. The creation wizard opens. The rest of this article describes the pages and the
settings they contain.
Note
At any point during the simulation creation wizard, you can click Save and close to
save your progress and continue configuring the simulation later. The incomplete
simulation has the Status value Draft on the Simulations tab. You can pick up
where you left off by selecting the simulation and clicking Edit simulation.
Name and describe the simulation.
If you click the View details link in the description, a details flyout opens that describes
the technique and the simulation steps that result from the technique.
You can also view the login page that's used in the payload, select a different login page
to use, or create a new login page to use.
Payload
On the Select payloads page, select one of the following options:
Manually select
Randomize
If you select Randomize, there's nothing to configure on this page, so click Next to
continue.
If you select Manually select, you need to select one or more payloads from the list. The
following details are shown for each payload:
Payload name
Technique: You need to select at least one payload per technique that you selected
on the previous page.
Language: The available values are: English, Spanish, German, Japanese, French,
Portuguese, Dutch, Italian, Swedish, Chinese (Simplified), Norwegian Bokmål,
Polish, Russian, Finnish, Korean, Turkish, Hungarian, Hebrew, Thai, Arabic,
Vietnamese, Slovak, Greek, Indonesian, Romanian, Slovenian, Croatian, Catalan,
or Other.
Click rate: How many people have clicked on this payload.
Predicted compromise rate: Historical data across Microsoft 365 that predicts the
percentage of people who will be compromised by this payload (users
compromised / total number of users who receive the payload).
Simulations launched counts the number of times this payload was used in other
simulations.
In the Search box, you can type part of the payload name and press Enter to filter the
results.
Language
Add tag(s)
Filter by theme: The available values are: Account activation, Account verification,
Billing, Clean up mail, Document received, Expense, Fax, Finance report,
Incoming messages, Invoice, Items received, Login alert, Mail received, Password,
Payment, Payroll, Personalized offer, Quarantine, Remote work, Review message,
Security update, Service suspended, Signature required, Upgrade mailbox
storage, Verify mailbox, Voicemail, and Other.
Filter by brand: The available values are: American Express, Capital One, DHL,
DocuSign, Dropbox, Facebook, First American, Microsoft, Netflix, Scotiabank,
SendGrid, Stewart Title, Tesco, Wells Fargo, Syrinx Cloud, and Other.
Filter by industry: The available values are: Banking, Business services, Consumer
services, Education, Energy, Construction, Consulting, Financial services,
Government, Hospitality, Insurance, Legal, Courier services, IT, Healthcare,
Manufacturing, Retail, Telecom, Real estate, and Other.
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
If you select a payload from the list by clicking anywhere in the row other than the check
box, details about the payload are shown in a flyout:
The Payload tab contains an example and other details about the payload.
The Login page tab is available only in Credential Harvest or Link in attachment
payloads and is described in the next section.
The Simulations launched tab contains the Simulation name, Click rate,
Compromised rate, and Action.
Login page
Note
The Login page tab is available only in Credential Harvest or Link in attachment
payloads.
Select the payload from the list by clicking anywhere in the row other than the check
box to open the details flyout.
The Login page tab in the payload details flyout shows the login page that's currently
selected for the payload.
To view the complete login page, use the Page 1 and Page 2 links at the bottom of the
page for two-page login pages.
To change the login page that's used in the payload, click Change login page.
On the Select login page flyout that appears, the following information is shown for
each login page:
Name
Language
Source: For built-in login pages, the value is Global. For custom login pages, the
value is Tenant.
Status: Ready or Draft.
Created by: For built-in login pages, the value is Microsoft. For custom login
pages, the value is the UPN of the user who created the login page.
Last modified
Actions: Click Preview to preview the login page.
To find a login page in the list, use the Search box to find the name of the login
page.
To create a new login page, click the Create new icon to start the create end
user login page wizard. The steps are the same as at Login pages at Attack simulation
training > Simulation content library tab. For instructions, see Create login pages.
Back on the Select login page, verify the new login page you created is selected, and
then click Save.
When you're finished on the Select a payload and login page, click Next.
Note
This page is available only if you selected OAuth Consent Grant on the Select
social engineering techniques page. Otherwise, you're taken to the Target users
page.
App name
App logo: Click Browse to select a .png, .jpeg, or .gif file to use. To remove a file
after you've selected it, click Remove.
When you're finished on the Configure OAuth payload page, click Next.
Target users
On the Target users page, select who will receive the simulation. Configure one of the
following settings:
Include all users in your organization: The affected users are shown in lists of 10.
You can use the Next and Previous buttons directly below the list of users to scroll
through the list. You can also use the Search icon on the page to find affected
users.
Include only specific users and groups: Choose one of the following options:
Add users: In the Add users flyout that appears, you can find users and
groups based on the following criteria:
Users or groups: In the Search for users and groups box, you can type
part of the Name or Email address of the user or group, and then press
Enter. You can select some or all of the results. When you're finished, click
Add x users.
Note
Clicking the Add filters button to return to the Filter users by categories
options will clear any users or groups that you selected in the search
results.
Filter users by categories: Select from none, some, or all of the following
options:
Suggested user groups: Select from the following values:
All suggested user groups
Users not targeted by a simulation in the last three months
Repeat offenders
Department: Use the following options:
Search: In the Search by Department box, you can type part of the
Department value, and then press Enter. You can select some or all of
the results.
Select All Department
Select existing Department values.
Title: Use the following options:
Search: In the Search by Title box, you can type part of the Title
value, and then press Enter. You can select some or all of the results.
Select All Title
Select existing Title values.
After you identify your criteria, the affected users are shown in the User list
section that appears, where you can select some or all of the discovered
recipients.
When you're finished, click Apply(x), and then click Add x users.
Back on the main Target users page, you can use the Search box to find
affected users. You can also click Delete to remove specific users.
Import: In the dialog that opens, specify a CSV file that contains one email
address per line.
After you find and select the CSV file, the list of users is imported and shown on
the Targeted users page. You can use the Search box to find affected users. You
can also click Delete to remove specific users.
Assign training
On the Assign training page, you can assign trainings for the simulation. We
recommend that you assign training for each simulation, as employees who go through
training are less susceptible to similar attacks. The following settings are available:
Training assignment
Note
The Training assignment page is available only if you selected Microsoft training
experience > Select training courses and modules myself on the previous page.
On the Training assignment page, select the trainings that you want to add to the
simulation by clicking Add trainings.
On the Add training flyout that appears, you can select the trainings to use on the
following tabs that are available:
All trainings tab: Shows all built-in trainings that are available.
In the Search box, you can type part of the training name and press Enter to
filter the results on the current tab.
Select all trainings that you want to include from the current tab, and then click
Add.
Back on the main Training assignment page, the trainings that you selected are shown.
The following information is shown for each training:
Training name
Source
Duration (mins)
For each training in the list, select one or more of the following values in the Assign to
column to configure who gets the training:
All users
Clicked payload
Compromised
Landing page
On the Landing page page, you configure the web page that users are taken to if they
open the payload in the simulation.
Select landing page preference: The available values depend on your previous
payload selections on the Select a payload and login page page as described in
the following table:
Table: the Select landing page preference values (Use Microsoft default landing page, Create your own landing page, Use a custom URL) that are available for each payload selection.
Note: The Use a custom URL value is not available if you previously selected
Malware attachment or Link to malware on the Select social engineering
techniques page.
The available Select landing page preference values and their associated settings
are described in the following list:
Use Microsoft default landing page. This is the default value, and results in one
Microsoft default template, logo, and payload indicator action that's applicable
to all payloads.
You need to configure the following additional settings on the Landing page
page:
Select landing page layout: Select one of the 5 available landing page
templates.
Add logo: Click Browse to find and select a .png, .jpeg, or .gif file to add to
all payloads that are selected by Microsoft. The logo size should be a
maximum of 210 x 70 to avoid distortion. To remove the logo, click Remove.
Select Add payload indicators to email to help users learn how to identify
phishing messages.
You can preview the results by clicking the Open preview panel button in the
middle of the page. In the preview flyout that appears, you can use Select
payload to preview to see what each payload looks like.
Create your own landing page: This value results in a single payload indicator
action that's applied to the selected payloads.
You need to configure the following additional settings on the Landing page
page:
Use from default: Select one of the 5 available landing page templates
to start with. You can modify the text and layout in the editing area. To
reset the landing page back to the default text and layout of the
template, click Reset to default.
Training link: In the Name training URL dialog that appears, enter a
link title for the training link, and then click Confirm to add the link to
the landing page.
Code: You can view and modify the HTML code directly.
You can preview the results by clicking the Open preview panel button in the
middle of the page. In the preview flyout that appears, you can use Select
payload to preview to see what each payload looks like.
Use a custom URL: Add the URL in the Enter the custom landing page URL box
that appears. No other options are available on the page.
Do not deliver notifications: Click Proceed in the alert dialog that appears. If you
select this option, you're taken to the Simulation schedule page when you click
Next.
Select default language: The available values are: Chinese (Simplified), Chinese
(Traditional), English, French, German, Italian, Japanese, Korean, Portuguese,
Russian, Spanish, and Dutch.
Preview tab: View the notification message as users will see it.
To view the message in different languages, use the Select language
box.
Use the Select payload to preview box to select the notification
message for simulations that contain multiple payloads.
Details tab: View details about the notification:
Notification description
Source: For built-in notifications, the value is Global. For custom
notifications, the value is Tenant.
Notification type: One of the following types, based on the notification
you originally selected:
Positive reinforcement notification
Training assignment notification
Training reminder notification
Modified by
Last modified
You're taken to the Simulation schedule page when you click Next.
Customized end user notifications: When you click Next, you're taken to the
Training assignment notification page as described in the next sections.
This page shows the following notifications and their configured languages:
These notifications are also available in End user notifications on the Simulation
content library tab in Attack simulation training at
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary .
Microsoft default training assignment notification is available on the Global
notifications tab. Custom training assignment notifications are available on the
Tenant notifications tab. For more information, see End-user notifications for
Attack simulation training.
You can select an existing training assignment notification or create a new notification to
use:
To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to the
notification.
To search for an existing notification, use the Search box to search for the
name.
Select the notification that you want to use, and then click Next.
Note
On the Define details page, be sure to select the value Training assignment
notification for Select notification type.
When you're finished, you're taken back to the Training assignment notification page
where the notification that you just created now appears in the list.
Select the notification that you want to use, and then click Next.
Set frequency for reminder notification: Select Weekly (default) or Twice a week.
Select a reminder notification: This section shows the following notifications and
their configured languages:
To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to
the notification.
To search for an existing notification, use the Search box to search for the
name.
Select the notification that you want to use, and then click Next.
If you clicked Create new on the Training reminder notification page, a notification
creation wizard opens.
Note
On the Define details page, be sure to select the value Training reminder
notification for Select notification type.
When you're finished, you're taken back to the Training reminder notification page
where the notification that you just created now appears in the list.
Select the notification that you want to use, and then click Next.
Deliver after the user reports a phish and campaign ends or Deliver
immediately after the user reports a phish: These sections show the following
notifications and their configured languages in the Select a positive
reinforcement notification section that appears:
To select an existing notification, click in the blank area next to the notification
name. If you click on the notification name, the notification is selected and a
preview flyout appears. To deselect the notification, clear the check box next to
the notification.
To search for an existing notification, use the Search box to search for the
name.
Select the notification that you want to use, and then click Next.
Note
On the Define details page, be sure to select the value Positive reinforcement
notification for Select notification type.
When you're finished, you're taken back to the Positive reinforcement notification page
where the notification that you just created now appears in the list.
Select the notification that you want to use, and then click Next.
Simulation schedule
On the Simulation schedule page, select one of the following values:
Randomized: You still need to select the schedule on the next page, but the
simulations will launch at random times within that schedule.
Fixed
Schedule details
What you see on the Schedule details page depends on whether you selected
Randomized or Fixed on the previous page.
Launch details
On the Launch details page, configure the following additional settings for the
automation:
Target all selected users in every simulation run: By default, this setting is not
selected.
Target repeat offenders: By default, this setting is not selected. If you select it,
configure the following setting that appears:
Enter the maximum number of times a user can be targeted within this
automation: Enter a value from 1 to 10.
Send simulation email based upon the user's current time zone setting from
Outlook web app: By default, this setting is not selected.
Display the drive-by technique interstitial data gathered page: This setting is
available only if you selected Drive-by URL on the Select social engineering
techniques page. You can show the overlay that comes up for drive-by URL
technique attacks. By default, the setting is on. To hide the overlay and go
directly to the landing page, turn this setting off.
If you select Target All Selected Users In Every Run, all targeted users will be part of
every simulation that's created by the simulation automation.
How does the Randomize option on the Simulation schedule page work?
The Randomize launch option optimally selects a day within the start date and end
date range to launch simulations.
Applies to
Microsoft Defender for Office 365 plan 2
In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365
Plan 2, payload automations (also known as payload harvesting) collect information
from real-world phishing attack messages that were reported by users in your
organization. Although the number of these messages is likely low in your
organization, you can specify the conditions to look for in phishing attacks (for example,
recipients, social engineering technique, sender information, etc.). Attack simulation
training will then mimic the messages and payloads used in the attack to automatically
launch harmless simulations to targeted users.
To see the available payload automations, open the Microsoft 365 Defender portal at
https://security.microsoft.com, go to Email & collaboration > Attack simulation
training > Automations tab > and then select Payload automations. To go directly to
the Automations tab where you can select Payload automations, use
https://security.microsoft.com/attacksimulator?viewid=automations.
Automation name
Type: The value is Payload.
Items collected
Last modified
Status: The value is Ready or Draft.
When you select a payload automation from the list, a details flyout appears with the
following information:
Note
At any point during the creation wizard, you can click Save and close to save
your progress and continue configuring the payload automation later. You can
pick up where you left off by selecting the payload automation in Payload
automations, and then clicking Edit automation. The partially-completed
payload automation will have the Status value Draft.
Click Add condition and select from one of the following conditions:
You can use each condition only once. Multiple conditions use AND logic
(<Condition1> and <Condition2>).
4. On the Review automation page, you can review the details of your payload
automation.
You can select Edit in each section to modify the settings within the section. Or you
can click Back or select the specific page in the wizard.
5. On the New automation created page, you can use the links to turn on the
automation or go to the Simulations page.
To turn on a payload automation, select it from the list by clicking the check box. Click
the Turn on icon that appears, and then click Confirm in the dialog.
To turn off a payload automation, select it from the list by clicking the check box. Click
the Turn off icon that appears, and then click Confirm in the dialog.
Select the payload automation from the list by clicking the check box. Click the
Edit automation icon that appears.
Select the payload automation from the list by clicking anywhere in the row except
the check box. In the details flyout that opens, on the General tab, click Edit in the
Name, Description, or Run conditions sections.
The payload automation wizard opens with the settings and values of the selected
payload automation. The steps are the same as described in the Create payload
automations section.
Related links
Get started using Attack simulation training
Applies to
In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365
Plan 2, end-user notifications are email messages that are sent to users as a result of
simulations or simulation automations. The following types of end-user notifications are
available:
To see the available end-user notifications, open the Microsoft 365 Defender portal at
https://security.microsoft.com, go to Email & collaboration > Attack simulation
training > Simulation content library tab > and then select End user notifications. To
go directly to the Simulation content library tab where you can select End user
notifications, use https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.
To find a notification in the list, use the Search box to find the name of the
notification.
To group the notifications by type, click Group and then select Notification type. To
ungroup the notifications, select None.
On the Tenant notifications tab only, click to filter the notifications by one or more
languages.
To remove one or more columns that are displayed, click Customize columns.
When you select a notification from the list, a details flyout appears with the following
information:
Preview tab: View the notification message as users will see it. To view the message
in different languages, use the Select language box.
Details tab: View details about the notification:
Notification description
Source: For built-in notifications, the value is Global. For custom notifications,
the value is Tenant.
Notification type
Modified by
Last modified
Simulations
Simulation names
Simulation status
End by
On the details flyout from the Tenant notifications tab only, click Edit notification to
modify the notification.
2. On the Tenant notifications tab, click Create new to start the end user
notification wizard.
Note
At any point during the creation wizard, you can click Save and close to save
your progress and continue configuring the notification later. You can pick up
where you left off by selecting the notification on the Tenant notifications tab
in End user notifications, and then clicking Edit automation. The partially-completed
notification will have the Status value Draft.
4. On the Define content page, the only setting that's available is the Add content in
business language button. When you click it, an Add content in default language
flyout appears that contains the following settings:
You can preview the results by clicking the Preview email button at the top of the
page.
You're taken back to the Define content page where the notification that you just
created is summarized with the following information:
Language
Subject
Category
Actions: The following icons are available:
Edit
View
Delete: If there's only one language version of the notification, you can't
delete it.
You can repeat these steps as many times as necessary to create translated versions
of the notification in the 12 supported languages.
5. On the Review notification page, you can review the details of your notification.
You can select Edit in each section to modify the settings within the section. Or you
can click Back or select the specific page in the wizard.
On the New simulation notification created page, you can use the links to create a
new notification, launch a simulation, or view all notifications.
Back on the Tenant notifications tab in End user notifications, the notification that you
created is now listed.
To modify an existing custom notification on the Tenant notifications tab, do one of the
following steps:
Select the notification from the list by clicking the check box. Click the Edit icon
that appears.
Click ⋮ (Actions) between the Notifications and Language values of the notification
in the list, and then select Edit.
Select the notification from the list by clicking anywhere in the row except the
check box. In the details flyout that opens, click Edit notification.
The end-user notification wizard opens with the settings and values of the selected
notification. The steps are the same as described in the Create end-user notifications
section.
Select the notification from the list by clicking the check box, and then click the
Create a copy icon that appears.
Click ⋮ (Actions) between the Notifications and Language values of the notification
in the list, and then select Create a copy.
When you copy a custom notification on the Tenant notifications tab, a copy of the
notification named "<OriginalName> - Copy" is available in the list.
When you copy a built-in notification on the Global notifications tab, a Create copy
dialog appears. The dialog confirms that a copy of the notification has been created
and is available on the Tenant notifications tab. If you click Go to Tenant notification,
you're taken to the Tenant notifications tab, where the copied built-in notification,
named "<OriginalName> - Copy", is available in the list. If you click Stay here in the
dialog, you return to the Global notifications tab.
Note
The Use from default control on the Add content in default language flyout in the
notification wizard allows you to copy the contents of a built-in notification.
Remove notifications
You can't remove built-in notifications from the Global notifications tab. You can only
remove custom notifications on the Tenant notifications tab.
To remove an existing custom notification from the Tenant notifications tab, do one of
the following steps:
Select the notification from the list by clicking the check box, and then click the
Delete icon that appears.
Click ⋮ (Actions) between the Notifications and Language values of the notification
in the list, and then select Delete.
Related links
Get started using Attack simulation training
Create a phishing attack simulation
Applies to
Microsoft Defender for Office 365 plan 2
In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365
Plan 2, login pages are displayed to users in simulations that use the Credential harvest
and Link in attachment social engineering techniques.
To see the available login pages, open the Microsoft 365 Defender portal at
https://security.microsoft.com, go to Email & collaboration > Attack simulation
training > Simulation content library tab > and then select Login pages. To go directly
to the Simulation content library tab where you can select Login pages, use
https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary.
Global login pages: Contains the built-in, non-modifiable login pages. There are
four built-in login pages localized into 12+ languages:
GitHub login page
LinkedIn login page
Microsoft login page
Non-branded login page
Tenant login pages: Contains the custom login pages that you've created.
Name
Language
Source: For built-in login pages, the value is Global. For custom login pages, the
value is Tenant.
Status: Ready or Draft.
Created by: For built-in login pages, the value is Microsoft. For custom login
pages, the value is the UPN of the user who created the login page.
Last modified
To find a login page in the list, use the Search box to find the name of the login
page.
When you select a login page from the list, a details flyout appears with the following
information:
Edit is available only for custom login pages on the Tenant login pages tab.
Mark as default to make this login page the default selection in Credential
harvest or Link in attachment payloads or payload automations. If the login page
is already the default, Mark as default isn't available.
Preview tab: View the login page as users will see it. Page 1 and Page 2 links are
available at the bottom of the page for two-page login pages.
Details tab: View details about the login page:
Description
Status: Ready or Draft.
Login page source: For built-in login pages, the value is Global. For custom
login pages, the value is Tenant.
Modified by
Language
Last modified
Click Create new to start the create end user login page wizard.
Note
Create new is also available during the payload selection step of creating a
simulation or simulation automation. For more information, see Create a
simulation: Select a payload and login page and Create a simulation
automation: Select a payload and login page.
At any point during the creation wizard, you can click Save and close to save
your progress and continue configuring the login page later. You can pick up
where you left off by selecting the login page on the Tenant login pages tab
in Login pages, and then clicking Edit. The partially-completed login page
will have the Status value Draft.
2. On the Define details for login page page, configure the following settings:
Make this the default login page: If you select this option, the login page will
be the default selection in Credential harvest or Link in attachment payloads
or payload automations.
Create a two-page login: If you don't select this option, the login page is one
page. If you select this option, Page 1 and Page 2 tabs appear for you to
configure separately.
On the Text tab, a rich text editor is available for you to create your login
page.
Use the Dynamic tag control to customize the login page by inserting
the available tags:
Insert user name: The value that's added in the message body is
${userName}.
Use the Use from default control to select a built-in login page to start
with as a template.
On the Code tab, you can view and modify the HTML code directly.
Formatting and other controls like Dynamic tag and Use from default or
Add compromise button aren't available.
Use the Preview login page button at the top of the page to review the login
page.
4. On the Review login page page, you can review the details of your login page.
You can select Edit in each section to modify the settings within the section. Or you
can click Back or select the specific page in the wizard.
5. On the New login page <Name> created page, you can use the links to create a
new login page, launch a simulation, or view all login pages.
Back on the Tenant login pages tab in Login pages, the login page that you created is
now listed.
To modify an existing custom login page on the Tenant login pages tab, do one of the
following steps:
Select the login page from the list by clicking the check box. Click the Edit icon
that appears.
Click ⋮ (Actions) between the Name and Language values of the login page in the
list, and then select Edit.
Select the login page from the list by clicking the name. In the details flyout that
opens, click Edit.
The login page wizard opens with the settings and values of the selected login page.
The steps are the same as described in the Create login pages section.
Copy login pages
To copy an existing login page on the Tenant login pages or Global login pages tabs,
do one of the following steps:
Select the login page from the list by clicking the check box, and then click the
Create a copy icon that appears.
Click ⋮ (Actions) between the Name and Language values of the login page in the
list, and then select Create a copy.
The login page wizard opens with the settings and values of the selected login page.
The steps are the same as described in the Create login pages section.
Note
When you copy a built-in login page on the Global login pages tab, be sure to
change the Name value. This step ensures the copy is saved as a custom login page
on the Tenant login pages tab.
The Use from default control on the Configure login page page in the login page
wizard allows you to copy the contents of a built-in login page.
To remove an existing custom login page from the Tenant login pages tab, do one of
the following steps:
Select the login page from the list by clicking the check box, and then click the
Delete icon that appears.
Click ⋮ (Actions) between the Name and Language values of the login page in the
list, and then select Delete.
Select the login page from the list by clicking the check box. Click the Mark as
default icon that appears.
Click ⋮ (Actions) between the Name and Language values of the login page in the
list, and then select Mark as default.
Select the login page from the list by clicking the name. In the details flyout that
opens, click Mark as default.
Select Make this the default login page on the Configure login page page in the
wizard when you create or modify a login page.
Note
The previous procedures are not available if the login page is already the default.
The default login page is also marked in the list, although you might need to widen
the Name column to see it:
Related links
Get started using Attack simulation training
Applies to
Microsoft Defender for Office 365 plan 2
In Attack simulation training in Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5,
Microsoft provides insights and reports from the results of simulations and the
corresponding trainings. This information keeps you informed on the threat readiness
progress of your users, as well as recommended next steps to better prepare your users
for future attacks.
Insights and reports are available in the following locations in Attack simulation training
in the Microsoft 365 Defender portal:
For getting started information about Attack simulation training, see Get started using
Attack simulation training.
Selecting Launch a simulation starts the simulation creation wizard. For more
information, see Simulate a phishing attack in Defender for Office 365.
Predicted compromise rate: Historical data across Microsoft 365 that predicts the
percentage of people who will be compromised by this simulation (users
compromised / total number of users who receive the simulation).
Actual compromise rate: The actual percentage of people who were compromised
by the simulation (actual users compromised / total number of users in your
organization who received the simulation).
If you hover over a data point in the chart, the actual percentage values are shown.
users less susceptible to phishing: The difference between the actual number of
users compromised by the simulated attack and the predicted compromise rate.
This number of users is less likely to be compromised by similar attacks in the
future.
x% better than predicted rate: Indicates how users did overall in contrast with the
predicted compromise rate.
To see a more detailed report, click View simulations and training efficacy report. This
report is explained later in this article.
Selecting Launch simulation for non-simulated users starts the simulation creation
wizard where the users who didn't receive the simulation are automatically selected on
the Target user page. For more information, see Simulate a phishing attack in Defender
for Office 365.
Selecting View simulation coverage report takes you to the User coverage tab for the
Attack simulation report.
Completed
In progress
Incomplete
You can hover over a section in the chart to see the actual number of users in each
category.
Selecting View training completion report takes you to the Training completion tab for
the Attack simulation report.
All
Malware attachment
Link to malware
Credential harvest
Link in attachments
Drive-by URL
Selecting View repeat offender report takes you to the Repeat offenders tab for the
Attack simulation report.
Recommendations card
The Recommendations card on the Overview tab suggests different types of
simulations to run.
Selecting Launch now starts the simulation creation wizard with the specified simulation
type automatically selected on the Select technique page. For more information, see
Simulate a phishing attack in Defender for Office 365.
The chart shows the Predicted compromise rate and Actual compromised rate. If you
hover over a section in the chart, the actual percentage values are shown.
The details table below the chart shows the following information:
Simulation name
Simulation technique
Simulation tactics
Predicted compromised rate
Actual compromised rate
Total users targeted
Count of clicked users
Click Customize columns to remove the columns that are shown. When you're finished,
click Apply.
Use the Search box to filter the results by Simulation name or Simulation Technique.
Wildcards aren't supported.
If you click the Export report button, report generation progress is shown as a
percentage complete. In the dialog that opens, you can choose to open the .csv file,
save the .csv file, and remember the selection.
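To make the rate definitions given earlier in this article concrete, here is an added PowerShell example (not code from the article or from Microsoft) that recomputes the efficacy figures from an exported efficacy report. The column names follow the details table listed above; the exact export header names, the percentage text format ("12.0%"), the interpretation of "x% better than predicted" as a relative improvement over the predicted rate, and the sample rows are all assumptions constructed for the example.

```powershell
# Added example (not from the article or Microsoft): recompute the efficacy
# metrics from an exported simulations and training efficacy report (.csv).
# Header names and the "12.0%" rate format are assumptions; adjust them to
# match your export. The rows below are constructed sample data.

$SampleExport = @'
"Simulation name","Simulation technique","Simulation tactics","Predicted compromised rate","Actual compromised rate","Total users targeted","Count of clicked users"
"Q1 Payroll update","Credential harvest","Urgency","12.0%","4.5%","400","37"
"Q1 Invoice","Malware attachment","Authority","8.0%","9.0%","200","25"
"Q2 HR survey","Drive-by URL","Curiosity","10.0%","0.0%","150","6"
'@

function ConvertTo-Rate {
    param([Parameter(Mandatory)] [string] $Text)
    # "12.0%" -> 0.12; a bare "0.12" is accepted as already being a fraction
    $t = $Text.Trim()
    if ($t.EndsWith('%')) { return [double]$t.TrimEnd('%') / 100 }
    return [double]$t
}

function Get-SimulationEfficacy {
    param([Parameter(Mandatory)] [string] $Csv)

    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $predicted = ConvertTo-Rate $row.'Predicted compromised rate'
        $actual    = ConvertTo-Rate $row.'Actual compromised rate'
        $targeted  = [int]$row.'Total users targeted'

        # "users less susceptible to phishing": predicted compromised users
        # (predicted rate applied to the targeted users) minus actual compromised users
        $predictedUsers  = [math]::Round($predicted * $targeted)
        $actualUsers     = [math]::Round($actual * $targeted)
        $lessSusceptible = $predictedUsers - $actualUsers

        # "x% better than predicted rate": assumed here to be the relative
        # improvement over the predicted rate; negative means worse than predicted
        $betterPct = if ($predicted -gt 0) {
            [math]::Round(($predicted - $actual) / $predicted * 100, 1)
        } else { $null }

        [pscustomobject]@{
            Simulation             = $row.'Simulation name'
            Technique              = $row.'Simulation technique'
            PredictedRate          = $predicted
            ActualRate             = $actual
            Targeted               = $targeted
            LessSusceptible        = $lessSusceptible
            BetterThanPredictedPct = $betterPct
            WorseThanPredicted     = ($actual -gt $predicted)   # candidates for follow-up training
        }
    }
}

Get-SimulationEfficacy -Csv $SampleExport | Format-Table -AutoSize
```

For the constructed rows this yields 30 users less susceptible and 62.5% better than predicted for the payroll simulation, a negative figure for the invoice simulation (actual 9.0% against predicted 8.0%, so it is flagged), and 15 users and 100% for the HR survey. Replace `$SampleExport` with `Get-Content -Raw` on a real export to run it against your own data.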
On the User coverage tab, the chart shows the Simulated users and Non-simulated
users. If you hover over a data point in the chart, the actual values are shown.
The details table below the chart shows the following information:
Username
Email address
Included in simulation
Date of last simulation
Last simulation result
Count of clicked
Count of compromised
Click Customize columns to remove the columns that are shown. When you're finished,
click Apply.
Use the Search box to filter the results by Username or Email address. Wildcards aren't
supported.
If you click the Export report button, report generation progress is shown as a
percentage complete. In the dialog that opens, you can choose to open the .csv file,
save the .csv file, and remember the selection.
On the Training completion tab, the chart shows the number of Completed, In
progress, and Incomplete simulations. If you hover over a section in the chart, the actual
values are shown.
The details table below the chart shows the following information:
Username
Email address
Included in simulation
Date of last simulation
Last simulation result
Name of most recent training completed
Date completed
All trainings
Click Customize columns to remove the columns that are shown. When you're finished,
click Apply.
Click Filter to filter the chart and details table by one or more of the following values:
Completed
In progress
All
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
Use the Search box to filter the results by Username or Email address. Wildcards aren't
supported.
If you click the Export report button, report generation progress is shown as a
percentage complete. In the dialog that opens, you can choose to open the .csv file,
save the .csv file, and remember the selection.
Repeat offenders tab for the Attack simulation report
On the Repeat offenders tab, the chart organizes repeat offender data by simulation
type:
All
Credential harvest
Malware attachment
Link in attachment
Link to malware
Drive-by URL
If you hover over a data point in the chart, the actual values are shown.
The details table below the chart shows the following information:
User
Repeat count
Simulation types
Simulations
Click Customize columns to remove the columns that are shown. When you're finished,
click Apply.
Click Filter to filter the chart and details table by some or all of the simulation type
values:
Credential harvest
Malware attachment
Link in attachment
Link to malware
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
Use the Search box to filter the results by any of the column values. Wildcards aren't
supported.
If you click the Export report button, report generation progress is shown as a
percentage complete. In the dialog that opens, you can choose to open the .csv file,
save the .csv file, and remember the selection.
When you select a simulation from the list, a details page opens. This page contains the
configuration settings of the simulation that you would expect to see (status, launch
date, payload used, etc.).
The rest of this section describes the insights and reports that are available on the
simulation details page.
If you hover over a section in the chart, the actual numbers for each category are shown.
SuccessfullyDeliveredEmail
Links:
CredSupplied: After clicking on the link, how many users supplied their
credentials.
Attachments:
Related Links
Get started using Attack simulation training
Applies to
Attack simulation training enables Microsoft 365 E5 or Microsoft Defender for Office 365
Plan 2 organizations to measure and manage social engineering risk by allowing the
creation and management of phishing simulations that are powered by real-world,
de-weaponized phishing payloads. Hyper-targeted training, delivered in partnership with
Terranova Security, helps improve knowledge and change employee behavior.
For more information about getting started with Attack simulation training, see Get
started using Attack simulation training.
While the whole simulation creation and scheduling experience has been designed to be
free-flowing and frictionless, running simulations at an enterprise scale often requires
planning. This article helps address specific challenges that we see as our customers run
simulations in their own environments.
As part of the planning phase, be sure to check the availability of the URL in your
supported web browsers before you use the URL in a phishing campaign. If the URLs are
blocked by Google Safe Browsing, follow this guidance from Google to allow access
to the URLs.
Refer to Get started using Attack simulation training for the list of URLs that are
currently used by Attack simulation training.
Firewalls
Web Application Firewall (WAF) solutions
Third-party filter drivers (for example, kernel mode filters)
While we have seen few customers being blocked at this layer, it does happen. If you
encounter problems, consider configuring the following URLs to bypass scanning by
your security devices or filters as required:
The simulated phishing URLs as described in Get started using Attack simulation
training.
https://security.microsoft.com/attacksimulator
https://security.microsoft.com/attacksimulationreport
https://security.microsoft.com/trainingassignments
Simulation messages not delivered to all targeted users
It's possible that the number of users who actually receive the simulation email
messages is less than the number of users who were targeted by the simulation. The
following types of users will be excluded as part of target validation:
Only valid, non-guest users with a valid mailbox will be included in simulations. If you
use distribution groups or mail-enabled security groups to target users, you can use the
Get-DistributionGroupMember cmdlet in Exchange Online PowerShell to view and
validate distribution group members.
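As an added example (not code from the article or from Microsoft), the following Exchange Online PowerShell script expands a distribution group, including nested groups, and reports which members would survive target validation as non-guest users with a mailbox. It assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline has already been run; the group address and the output path are placeholders, and treating only the UserMailbox recipient type as eligible is this example's conservative assumption, not a statement of the product's exact rules.

```powershell
# Added example (not from the article or Microsoft): expand a distribution group
# and report which members are eligible simulation targets (non-guest users with
# a mailbox). Assumes Connect-ExchangeOnline has been run. The group address and
# output path are placeholders.

function Get-SimulationEligibleMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        [hashtable] $Visited = @{}     # tracks expanded groups to stop nested-group loops
    )

    $key = $GroupIdentity.ToLowerInvariant()
    if ($Visited.ContainsKey($key)) { return }
    $Visited[$key] = $true

    foreach ($member in Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited) {
        $type = "$($member.RecipientTypeDetails)"
        $smtp = "$($member.PrimarySmtpAddress)"

        switch -Wildcard ($type) {
            'UserMailbox' {
                # Assumption: only a user with a cloud mailbox counts as eligible;
                # shared and room mailboxes fall through to the default case below.
                [pscustomobject]@{ Group = $GroupIdentity; Member = $smtp; Type = $type; Eligible = $true }
                break
            }
            'DynamicDistributionGroup' {
                # Membership is computed from a filter that Get-DistributionGroupMember
                # cannot expand, so flag it for manual review instead of recursing.
                [pscustomobject]@{ Group = $GroupIdentity; Member = $smtp; Type = $type; Eligible = $false }
                break
            }
            '*Group' {
                # Nested distribution or mail-enabled security group: expand it as well
                Get-SimulationEligibleMembers -GroupIdentity $smtp -Visited $Visited
                break
            }
            default {
                # Guests (GuestMailUser), mail users, contacts, shared/room mailboxes and
                # similar: listed so the gap between "targeted" and "delivered" is explainable
                [pscustomobject]@{ Group = $GroupIdentity; Member = $smtp; Type = $type; Eligible = $false }
            }
        }
    }
}

# Usage: expand the group, show the breakdown, and write the eligible addresses
# one per line, which is the layout the CSV targeting option accepts.
$members = @(Get-SimulationEligibleMembers -GroupIdentity 'phishsim-wave1@contoso.example')   # placeholder group
$members | Format-Table Group, Member, Type, Eligible -AutoSize

$eligible = @($members | Where-Object { $_.Eligible })
$eligible | Select-Object -ExpandProperty Member | Sort-Object -Unique |
    Set-Content -Path '.\simulation-targets.csv'   # placeholder path

"Members resolved: $($members.Count); eligible for simulation: $($eligible.Count)"
```

Comparing the eligible count with the number of users the simulation actually reports as targeted is a quick way to explain a delivery shortfall before opening a support case.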
Audit log search is required by Attack simulation training so events can be captured,
recorded, and read back. Turning off audit log search has the following consequences
for Attack simulation training:
Reporting data is not available across all reports. The reports will appear empty.
Training assignments are blocked, because data is not available.
To turn on audit log search, see Turn audit log search on or off.
Note
Empty activity details can also be caused by no E5 licenses being assigned to users.
Verify at least one E5 license is assigned to an active user to ensure that reporting
events are captured and recorded.
Simulation reports are not updated immediately
Detailed simulation reports are not updated immediately after you launch a campaign.
Don't worry; this behavior is expected.
Every simulation campaign has a lifecycle. When first created, the simulation is in the
Scheduled state. When the simulation starts, it transitions to the In progress state.
When completed, the simulation transitions to the Completed state.
While a simulation is in the Scheduled state, the simulation reports will be mostly
empty. During this stage, the simulation engine is resolving the target user email
addresses, expanding distribution groups, removing guest users from the list, etc.:
Once the simulation enters the In progress stage, you will notice information starting to
trickle into the reporting:
It can take up to 30 minutes for the individual simulation reports to update after the
transition to the In progress state. The report data continues to build until the
simulation reaches the Completed state. Reporting updates occur at the following
intervals:
Note
You can use the Export option on the various reporting pages to extract data.
If messages that users reported as phishing aren't captured in Attack simulation training
simulation reports, there might be an Exchange mail flow rule (also known as a transport
rule) that's blocking the delivery of the reported messages to Microsoft. Verify that any
mail flow rules aren't blocking delivery to the following email addresses:
junk@office365.microsoft.com
abuse@messaging.microsoft.com
phish@office365.microsoft.com
not_junk@office365.microsoft.com
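To check this from Exchange Online PowerShell, here is an added example (not part of the article) that scans every mail flow rule's human-readable Description for the four reporting addresses, their domains and parent domains, and flags rules whose action deletes, rejects, quarantines or redirects the message. It assumes Connect-ExchangeOnline has been run; the property names are those exposed by Get-TransportRule.

```powershell
# The addresses Attack simulation training needs to reach (from the article)
$ReportingAddresses = @(
    'junk@office365.microsoft.com',
    'abuse@messaging.microsoft.com',
    'phish@office365.microsoft.com',
    'not_junk@office365.microsoft.com'
)

function Find-ReportingBlockingRules {
    param([string[]] $Addresses = $ReportingAddresses)

    # Every string a rule description might contain if it targets one of the
    # addresses: the full address, its domain, and each parent domain
    # (for example office365.microsoft.com and microsoft.com).
    $needles = foreach ($a in $Addresses) {
        $a
        $labels = ($a -split '@')[1] -split '\.'
        for ($i = 0; $i -lt $labels.Count - 1; $i++) {
            $labels[$i..($labels.Count - 1)] -join '.'
        }
    }
    $needles = $needles | Select-Object -Unique

    foreach ($rule in (Get-TransportRule -ResultSize Unlimited)) {
        $desc = [string] $rule.Description
        $hits = @($needles | Where-Object {
            $desc.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        })
        if ($hits.Count -eq 0) { continue }

        # Actions that stop or divert delivery; other matching rules are still
        # listed so they can be reviewed by hand
        $blocking = [bool] $rule.DeleteMessage -or
                    -not [string]::IsNullOrEmpty($rule.RejectMessageReasonText) -or
                    [bool] $rule.Quarantine -or
                    ($null -ne $rule.RedirectMessageTo)

        [pscustomobject]@{
            Rule     = $rule.Name
            State    = [string] $rule.State
            Priority = $rule.Priority
            Matches  = $hits -join ', '
            Blocking = $blocking
        }
    }
}

# Blocking rules first; a rule that matches only a parent domain (microsoft.com)
# may be legitimate, so read the Matches column before changing anything
Find-ReportingBlockingRules | Sort-Object Blocking -Descending | Format-Table -AutoSize
```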
Include all users (currently available to organizations with less than 40,000 users).
Choose specific users.
Select users from a CSV file (one email address per line).
Azure AD group-based targeting.
We've found that campaigns where the targeted users are identified by Azure AD
groups are generally easier to manage.
Managing a large CSV file or adding many individual recipients can be cumbersome.
Using Azure AD groups will simplify the overall management of the simulation.
That being said, you can create your own payload in the language of your choice using
the custom payload authoring experience. We also strongly recommend that you
harvest existing payloads that were used to target users in a specific geography. In other
words, let the attackers localize the content for you.
Note that the configuration change might take up to 30 minutes to synchronize across
all services.
At 7:00 AM in the Pacific time zone (UTC-8), an admin creates and schedules a
campaign to start at 9:00 AM on the same day.
UserA is in the Eastern time zone (UTC-5).
UserB is also in the Pacific time zone.
At 9:00 AM on the same day, the simulation message is sent to UserB. With region-
aware delivery, the message is not sent to UserA on the same day, because 9:00 AM
Pacific time is 12:00 PM Eastern time. Instead, the message is sent to UserA at 9:00 AM
Eastern time on the following day.
So, on the initial run of a campaign with region-aware delivery enabled, it might appear
that the simulation message was sent only to users in a specific time zone. But, as time
passes and more users come into scope, the targeted users will increase.
To keep your organization secure by default, Exchange Online Protection (EOP) does not
allow safe lists or filtering bypass for messages that are identified as malware or high
confidence phishing. But, there are specific scenarios that require the delivery of
unfiltered messages. For example:
You use the advanced delivery policy in Microsoft 365 to prevent inbound messages in
these specific scenarios from being filtered*. The advanced delivery policy ensures that
messages in these scenarios achieve the following results:
Filters in EOP and Microsoft Defender for Office 365 take no action on these
messages.*
Zero-hour Purge (ZAP) for spam and phishing takes no action on these messages.**
Default system alerts aren't triggered for these scenarios.
AIR and clustering in Defender for Office 365 ignore these messages.
Specifically for third-party phishing simulations:
Admin submissions generate an automatic response saying that the message is
part of a phishing simulation campaign and isn't a real threat. Alerts and AIR will
not be triggered. The admin submissions experience will show these messages
as a simulated threat.
When a user reports a phishing simulation message using the built-in Report
button in Outlook on the web or the Microsoft Report Message or Report
Phishing add-ins, the system will not generate an alert, investigation, or
incident. The links or files will not be detonated, but the message will appear on
the User reported tab of the Submissions page.
Safe Links in Defender for Office 365 doesn't block or detonate the specifically
identified URLs in these messages at time of click. URLs are still wrapped, but
they aren't blocked.
Safe Attachments in Defender for Office 365 doesn't detonate attachments in
these messages.
* You can't bypass malware filtering.
** You can bypass ZAP for malware by creating an anti-malware policy for the SecOps
mailbox where ZAP for malware is turned off. For instructions, see Configure anti-
malware policies in EOP.
Messages that are identified by the advanced delivery policy aren't security threats, so
the messages are marked with system overrides. Admin experiences will show these
messages as due to either a Phishing simulation system override or a SecOps mailbox
system override. Admins can filter and analyze on these system overrides in the
following experiences:
Threat Explorer/Real-time detections in Defender for Office 365 plan 2: Admin can
filter on System override source and select either Phishing simulation or SecOps
Mailbox.
The Email entity Page in Threat Explorer/Real-time detections: Admin can view a
message that was allowed by organization policy by either SecOps mailbox or
Phishing simulation under Tenant override in the Override(s) section.
The Threat protection status report: Admins can select View data by System
override in the drop-down menu to see messages allowed due to a phishing
simulation system override. To see messages allowed by the SecOps mailbox
override, select Chart breakdown by delivery location in the Chart breakdown
by reason drop-down menu.
Advanced hunting in Microsoft Defender for Endpoint: Phishing simulation and
SecOps mailbox system overrides will show as options within OrgLevelPolicy in
EmailEvents.
Campaign Views: Admin can filter on System override source and select either
Phishing simulation or SecOps Mailbox.
You need to be assigned permissions before you can do the procedures in this
article:
To create, modify, or remove configured settings in the advanced delivery
policy, you need to be a member of the Security Administrator role group in
the Microsoft 365 Defender portal and a member of the Organization
Management role group in Exchange Online.
For read-only access to the advanced delivery policy, you need to be a member
of the Global Reader or Security Reader role groups.
For more information, see Permissions in the Microsoft 365 Defender portal and
Permissions in Exchange Online.
Note
Adding users to the corresponding Azure Active Directory role gives users the
required permissions in the Microsoft 365 Defender portal and permissions
for other features in Microsoft 365. For more information, see About admin
roles.
Click Edit.
If there are no configured SecOps mailboxes, click Add.
3. In the Edit SecOps mailboxes flyout that opens, enter an existing Exchange Online
mailbox that you want to designate as SecOps mailbox by doing one of the
following steps:
Click in the box, let the list of mailboxes resolve, and then select the mailbox.
Click in the box, start typing an identifier for the mailbox (name, display name,
alias, email address, account name, etc.), and select the mailbox (display
name) from the results.
Repeat this step as many times as necessary. Distribution groups are not
allowed.
The SecOps mailbox entries that you configured are displayed on the SecOps mailbox
tab.
2. On the Advanced delivery page, verify that the SecOps mailbox tab is selected,
and then click Edit.
3. In the Edit SecOps mailboxes flyout that opens, you add or remove mailboxes as
described in the previous section.
To remove all mailboxes, click remove next to each value until there are no more
mailboxes selected.
4. When you're finished, click Save and then click Close.
The SecOps mailbox entries that you configured are displayed on the SecOps mailbox
tab. If you removed all SecOps mailbox entries, the list will be empty.
2. On the Advanced delivery page, select the Phishing simulation tab, and then do
one of the following steps:
Click Edit.
If there are no configured phishing simulations, click Add.
3. In the Edit third-party phishing simulation flyout that opens, configure the
following settings:
Domain: Expand this setting and enter at least one email address domain (for
example, contoso.com) by clicking in the box, entering a value, and then
pressing Enter or selecting the value that's displayed below the box. Repeat
this step as many times as necessary. You can add up to 20 entries.
Note
Use the domain from the 5321.MailFrom address (also known as the
MAIL FROM address, P1 sender, or envelope sender) that's used in the
SMTP transmission of the message or a DomainKeys Identified Mail
(DKIM) domain as specified by your phishing simulation vendor.
Sending IP: Expand this setting and enter at least one valid IPv4 address by
clicking in the box, entering a value, and then pressing Enter or selecting the
value that's displayed below the box. Repeat this step as many times as
necessary. You can add up to 10 entries. Valid values are:
Single IP: For example, 192.168.1.1.
IP range: For example, 192.168.0.1-192.168.0.254.
CIDR IP: For example, 192.168.0.1/25.
Simulation URLs to allow: Expand this setting and optionally enter specific
URLs that are part of your phishing simulation campaign that should not be
blocked or detonated by clicking in the box, entering a value, and then
pressing Enter or selecting the value that's displayed below the box. You can
add up to 30 entries. For the URL syntax format, see URL syntax for the
Tenant Allow/Block List. These URLs are wrapped at the time of click, but they
aren't blocked.
Note
You can optionally include Simulation URLs to allow to ensure that URLs in
simulation messages are not blocked.
There must be a match on at least one Domain and one Sending IP, but no
association between values is maintained.
The third-party phishing simulation entries that you configured are displayed on the
Phishing simulation tab.
2. On the Advanced delivery page, select the Phishing simulation tab, and then click
Edit.
3. In the Edit third-party phishing simulation flyout that opens, you add or remove
entries for Domain, Sending IP, and Simulation URLs as described in the previous
section.
To remove all entries, click remove next to each value until there are no more
domains, IPs, or URLs selected.
False positives under review: You might want to temporarily allow certain
messages that are still being analyzed by Microsoft via admin submissions to
report known good messages that are incorrectly being marked as bad to
Microsoft (false positives). As with all overrides, we highly recommend that
these allowances be temporary.
You create the policy first, then you create the rule that identifies the policy that
the rule applies to.
When you remove a policy from PowerShell, the corresponding rule is also
removed.
When you remove a rule from PowerShell, the corresponding policy is not
removed. You need to remove the corresponding policy manually.
PowerShell
Note
Regardless of the Name value you specify, the policy name will be
SecOpsOverridePolicy, so you might as well use that value.
PowerShell
PowerShell
Note
Regardless of the Name value you specify, the rule name will be
SecOpsOverrideRule<GUID> where <GUID> is a unique GUID value (for example,
6fed4b63-3563-495d-a481-b24a311f8329).
PowerShell
Get-SecOpsOverridePolicy
PowerShell
Get-SecOpsOverrideRule
Although the previous command should return only one rule, any rules that are pending
deletion might also be included in the results.
This example identifies the valid rule (one) and any invalid rules.
PowerShell
After you identify the invalid rules, you can remove them by using the Remove-
SecOpsOverrideRule cmdlet as described later in this article.
PowerShell
PowerShell
Note
If an associated, valid SecOps override rule exists, the email addresses in the rule
will also be updated.
PowerShell
PowerShell
PowerShell
3. Optionally, identify the phishing simulation URLs that should be allowed (that is,
not blocked or scanned).
PowerShell
Note: Regardless of the Name value you specify, the policy name will be
PhishSimOverridePolicy, so you might as well use that value.
Regardless of the Name value you specify, the rule name will be
PhishSimOverrideRule<GUID> where <GUID> is a unique GUID value (for example,
a0eae53e-d755-4a42-9320-b9c6b55c5011).
This example creates the phishing simulation override rule with the specified settings.
PowerShell
PowerShell
For details about the URL syntax, see URL syntax for the Tenant Allow/Block List.
This example adds a URL allow entry for the specified third-party phishing simulation
URL with no expiration.
PowerShell
PowerShell
Get-PhishSimOverridePolicy
PowerShell
Get-PhishSimOverrideRule
Although the previous command should return only one rule, any rules that are pending
deletion might also be included in the results.
This example identifies the valid rule (one) and any invalid rules.
PowerShell
After you identify the invalid rules, you can remove them by using the Remove-
PhishSimOverrideRule cmdlet as described later in this article.
PowerShell
PowerShell
PowerShell
This example modifies the specified phishing simulation override rule with the following
settings:
PowerShell
PowerShell
You identify the entry to modify by its URL values (the Entries parameter) or the Identity
value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).
PowerShell
PowerShell
PowerShell
PowerShell
You identify the entry to modify by its URL values (the Entries parameter) or the Identity
value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).
PowerShell
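The following is an added, end-to-end example (not the article's own code) that covers both PowerShell procedures above: it creates the SecOps mailbox override and the third-party phishing simulation override (policy first, then rule), adds the simulation URL allow entry to the Tenant Allow/Block List, and then checks that each policy has exactly one valid rule. The mailbox, domain, IP range and URL are placeholders; the cmdlet and parameter names are those of the Exchange Online PowerShell module as I know them, and the assumption that a valid rule shows Mode = Enforce should be confirmed against Get-Help in your module version.

```powershell
# Placeholders: replace with your own values
$SecOpsMailbox = 'secops@contoso.com'          # existing Exchange Online mailbox
$SimDomain     = 'phishsim.example.com'        # vendor's MAIL FROM or DKIM domain
$SimIpRange    = '192.0.2.1-192.0.2.254'       # vendor's sending IPs (documentation range)
$SimUrlEntry   = '*.phishsim.example.com'      # TABL URL syntax, wrapped but not blocked

# --- SecOps mailbox override --------------------------------------------------
# The policy is created first and the rule binds to it. The service fixes the
# resulting names (SecOpsOverridePolicy / SecOpsOverrideRule<GUID>) whatever -Name is.
if (-not (Get-SecOpsOverridePolicy -ErrorAction SilentlyContinue)) {
    New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SendToOrganizationMailbox $SecOpsMailbox
    New-SecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy
}

# --- Third-party phishing simulation override ---------------------------------
# At least one Domain and one Sending IP are required; no pairing between them is kept.
if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
    New-PhishSimOverridePolicy -Name PhishSimOverridePolicy
    New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy `
        -Domains $SimDomain -SenderIpRanges $SimIpRange
}

# Simulation URLs to allow are stored in the Tenant Allow/Block List with the
# AdvancedDelivery sub-type; Safe Links still wraps them but does not block them.
New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery `
    -Entries $SimUrlEntry -NoExpiration

# --- Verification ---------------------------------------------------------------
# Get-*OverrideRule can also return rules that are pending deletion. A valid rule
# is assumed to show Mode = Enforce; anything else is left over from a removed
# policy and should be deleted with Remove-SecOpsOverrideRule / Remove-PhishSimOverrideRule.
function Test-OverrideRules {
    $secops = @(Get-SecOpsOverrideRule)
    $phish  = @(Get-PhishSimOverrideRule)
    [pscustomobject]@{
        SecOpsValidCount     = @($secops | Where-Object { $_.Mode -eq 'Enforce' }).Count
        SecOpsInvalidRules   = @($secops | Where-Object { $_.Mode -ne 'Enforce' } | ForEach-Object Name)
        PhishSimValidCount   = @($phish  | Where-Object { $_.Mode -eq 'Enforce' }).Count
        PhishSimInvalidRules = @($phish  | Where-Object { $_.Mode -ne 'Enforce' } | ForEach-Object Name)
        SimulationUrlAllows  = @(Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery |
                                 ForEach-Object Value)
    }
}

Test-OverrideRules | Format-List
```

Each valid count should be exactly 1; a non-empty invalid list is the cleanup case the article describes.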
User tags are identifiers for specific groups of users in Microsoft Defender for Office 365.
There are two types of user tags:
System tags: Currently, Priority accounts is the only type of system tag.
Custom tags: You create these user tags yourself.
If your organization has Defender for Office 365 Plan 2 (included in your subscription or
as an add-on), you can create custom user tags in addition to using the priority
accounts tag.
Note
After you apply system tags or custom tags to users, you can use those tags as filters in
alerts, reports, and investigations:
Alerts
Custom alert policies
Threat Explorer and real-time detections
Compromised user report
Email entity page
Threat protection status report
Top senders and recipients report
Attack simulation
Campaign Views
Admin submissions and user reported messages
Quarantine
For priority accounts, you can use the Email issues for priority accounts report in
the Exchange admin center (EAC).
This article explains how to configure user tags in the Microsoft 365 Defender portal.
There are no cmdlets in Microsoft 365 Defender portal to manage user tags.
To see how user tags are part of the strategy to help protect high-impact user accounts,
see Security recommendations for priority accounts in Microsoft 365.
You need to be assigned permissions in the Microsoft 365 Defender portal before
you can do the procedures in this article:
To create, modify, and delete custom user tags, you need to be a member of the
Organization Management or Security Administrator role groups.
To add and remove members from the Priority Account system tag, you need to
be a member of the Security Administrator and Exchange Admin role groups.
To add and remove members from existing custom user tags, you need to be a
member of the Organization Management or Security Administrator role
groups.
For read-only access to user tags, you need to be a member of the Global
Reader, Security Operator, or Security Reader role groups.
For more information, see Permissions in the Microsoft 365 Defender portal.
Note
User tag management is controlled by the Tag Reader and Tag Manager
roles.
You can also manage and monitor priority accounts in the Microsoft 365 admin
center. For instructions, see Manage and monitor priority accounts.
For information about securing privileged accounts (admin accounts), see this topic.
3. The Create tag wizard opens in a new flyout. On the Define tag page, configure
the following settings:
Name: Enter a unique, descriptive name for the tag. This is the value that
you'll see and use. Note that you can't rename a tag after you create it.
Description: Enter an optional description for the tag.
Click Add members. In the flyout that appears, do any of the following
steps to add individual users or groups:
Click in the box and scroll through the list to select a user or group.
Click in the box and start typing to filter the list and select a user or group.
To add additional values, click in an empty area in the box.
To remove individual entries, click next to the entry in the box.
To remove all entries, click on the Selected nn users and nn groups
item below the box.
Back on the Assign members page, you can also remove entries by clicking
next to the entry.
Click Import to select a text file that contains the email addresses of the users
or groups. Be sure the text file contains one entry per line.
2. On the User tags page, the following properties are displayed in the list of user
tags:
Tag: The name of the user tag. Note that this includes the built-in Priority
account system tag.
Applied to: The number of members
Last modified
Created on
3. When you select a user tag by clicking on the name, the details are displayed in a
flyout.
2. On the User tags page, select the user tag from the list, and then click Edit tag.
3. In the details flyout that appears, the same wizard and settings are available as
described in the Use the Microsoft 365 Defender portal to create user tags section
earlier in this article.
Notes:
The Define tag page is not available for the built-in Priority account system
tag, so you can't rename this tag or change the description.
You can't rename a custom tag, but you can change the description.
Note
2. On the User tags page, select the user tag from the list, and then click Delete
tag.
3. Read the warning in the confirmation dialog that appears, and then click Yes,
remove.
More information
Configure and review priority accounts in Microsoft Defender for Office 365
Configure and review Priority accounts in Microsoft Defender for Office 365
Article • 12/22/2022 • 3 minutes to read
In every organization, there are people who are critical, like executives, leaders,
managers, or other users who have access to sensitive, proprietary, or high priority
information. You can tag these users within Microsoft Defender for Office 365 as priority
accounts, allowing security teams to prioritize their focus on these critical individuals.
With differentiated protection for priority accounts, users tagged as priority accounts
will receive a higher level of protection against threats.
Priority accounts are targeted by attackers more often and are generally attacked with
more sophisticated techniques. Differentiated protection for priority accounts focuses
on this specific user set and provides a higher level of protection using enhanced machine
learning models. This differentiation in learning and message handling provides the
highest level of protection for these accounts and helps maintain a low false positive
rate, as a high rate of false positives can also have a negative impact on these users.
Note
If you want to use Exchange Online PowerShell to turn on priority account protection,
do the following steps:
PowerShell
2. To verify that priority account protection is turned on, run the following command
to verify the EnablePriorityAccountProtection property value:
PowerShell
Get-EmailTenantSettings | Format-List Identity,EnablePriorityAccountProtection
The value True means priority account protection is turned on. The value False
means priority account protection is turned off.
For more information, see User tags in Microsoft Defender for Office 365.
Review differentiated protection from priority
account protection
The effects of priority account protection are visible in the following features:
Alerts
Custom alert policies
Threat Explorer and real-time detections
Compromised user report
Email entity page
Threat protection status report
Top senders and recipients report
Attack simulation
Campaign Views
Admin submissions and user reported messages
Quarantine
2. The default view is View data by Overview. Click on this value to change the view
by selecting one of the following values:
3. Click Filter.
4. On the Filters flyout that opens, in the Priority accounts section, select Yes, No or
both values.
Threat Explorer
Context filter within Threat Explorer helps search for emails where priority account
protection was involved in the detection of the message. This allows security operations
teams to be able to see the value provided by this protection. You can still filter
messages by priority account tag to find all messages for the specific set of users.
2. Select Context from the dropdown, and then select the checkbox next to Priority
account protection.
Email entity page
The email entity page is available in Threat Explorer. Select the subject of an email
you're investigating. A gold bar will display at the top of the email flyout for that mail.
Select to view the new page.
The tabs along the top of the entity page will allow you to investigate email efficiently.
Click the Analysis tab. Priority account protection is now listed under Threat detection
details.
More information
User tags in Microsoft Defender for Office 365
Manage and monitor priority accounts
The Email entity page
Article • 12/09/2022 • 14 minutes to read
Admins of Microsoft Defender for Office 365 E5, and Defender for Office P1 and P2 have
a 360-degree view of email using the Email entity page. This go-to email page was
created to enhance information delivered throughout Microsoft Defender for Office 365
and Microsoft 365 Defender.
See email details in the experiences below, including previewing and downloading the
email, the email headers with the option to copy, Detection details, Threats detected,
Latest and Original delivery locations, Delivery actions, and IDs like Alert ID, Network
Message ID and more.
Threat Explorer
Advanced Hunting
Alerts
Quarantine
Submissions
Reporting
Action Center
One way to get to the email entity page is Threat Explorer, but the steps remain the
same from wherever you find email details. Navigate to the Microsoft 365 Defender
portal at https://security.microsoft.com , Email & collaboration > Explorer. Or, to go
directly to the Explorer page, use https://security.microsoft.com/threatexplorer .
Note
The permissions needed to view and use this page are the same as to view
Explorer. The admin must be a member of Global admin or global reader, or
Security admin or Security Reader. For more information, see Permissions in the
Microsoft 365 Defender portal.
How to read the email entity page
The structure is designed to be easy to read and navigate through at a glance. Various
tabs along the top of the page allow you to investigate in more detail. Here's how the
layout works:
1. The most essential fields are on the left side of the fly-out. These details are 'sticky',
meaning they're anchored to the left no matter the tab you navigate to in the rest
of the fly-out.
2. On the top-right corner are the actions that can be taken on an email. Any actions
that can be taken through Explorer will also be available through email entity
page.
3. Deeper analysis can be done by sorting through the rest of the page. Check the
email detection details, email authentication status, and header. This area should
be looked at on a case-by-case basis, but the info in these tabs is available for any
email.
1. Timeline: The timeline view for an email (per Explorer timeline) shows the original
delivery to post-delivery events that happen on an email. For emails that have no
post-delivery actions, the view shows the original delivery row in timeline view.
Events like: Zero-hour auto purge (ZAP), Remediations, User and Admin
submissions, Quarantine information, URL clicks and more, from sources like:
system, admin, and user, show up here, in the order in which they occurred.
2. Analysis: Analysis shows fields that help admins analyze an email in depth. For
cases where admins need to understand more about detection, sender / recipient,
and email authentication details, they should use the Analysis tab. Links for
Attachments and URLs are also found on this page, under 'Related Entities'. Both
attachments and identified threats are numbered here, and clicking will take you
straight to the Attachments and URL pages. This tab also has a View header option
to show the email header. Admins can compare any detail from email headers, side
by side with information on the main panel, for clarity.
3. Attachments: This examines attachments found in the email with other details
found on attachments. The number of attachments shown is currently limited to
10. Notice that detonation details for attachments found to be malicious are also
shown here.
4. URLs: This tab lists URLs found in the email with other details about the URLs. The
number of URLs is limited to 10 right now, but these 10 are prioritized to show
malicious URLs first. Prioritization saves you time and guess-work. The URLs that
were found to be malicious and detonated will also be shown here.
5. Similar emails: This tab lists all emails similar to the network message id + recipient
combination specific to this email. Similarity is based on the body of the message,
only. The determinations made on mails to categorize them as 'similar' don't
include a consideration of attachments.
Warning
Previewing and downloading emails requires a special role called Preview. You can
add this role in the Microsoft 365 Defender portal as described in Email &
collaboration roles in the Microsoft 365 Defender portal. You might need to
create a new Email & collaboration role group there and add the Preview role to
that new role group or add the Preview role to a role group that allows admins in
your organization to work in Explorer.
Detonation details
These details are specific to email attachments and URLs. Users can see these details by
going to Explorer and applying the detection technology filter set to file detonation or
URL detonation. Emails filtered for file detonation will contain a malicious file with
detonation details, and those filtered for URLs contain a malicious URL and its
detonation details.
Users will see enriched detonation details for known malicious attachments or URLs
found in their emails, which got detonated for their specific tenant. It will include the
Detonation chain, Detonation summary, Screenshot, and Observed behavior details to
help customers understand why the attachment or URL was deemed malicious and
detonated.
1. Detonation chain. A single file or URL detonation can trigger multiple detonations.
The Detonation chain tracks the path of detonations, including the original
malicious file or URL that caused the verdict, and all other files or URLs affected by
the detonation. These URLs or attached files may not be directly present in the
email, but including that analysis is important to determining why the file or URL
was found to be malicious.
Note
This may show just the top level item if none of the entities linked to it were
found to be problematic, or were detonated.
2. Detonation Summary gives a basic summary of the detonation: Analysis time (the
time when detonation occurred), OS and application (the operating system and
application in which the detonation occurred), file size, and verdict reason.
4. Behavior Details are an export that shows behavior details like exact events that
took place during detonation, and observables that contain URLs, IPs, domains,
and files that were found during detonation (and can either be problematic or
benign). Be aware, there may be no behavior details for:
Container files like .zip or .rar that are holding other files.
Latest delivery location: The latest delivery location is the location where an email landed
after system actions like ZAP, or admin actions like Move to Deleted Items, finish. Latest
delivery location isn't intended to inform admins of the message's current location. For
example, if a user deletes a message, or moves it to archive, the delivery location won't
be updated. However, if a system action has taken place and updated the location (like a
ZAP resulting in an email moving to quarantine) this would update the Latest delivery
location to quarantine.
Email details: Details required for a deeper understanding of email available in the
Analysis tab.
Exchange transport rules (also known as mail flow rules or ETRs): These rules are
applied to a message at the transport layer and take precedence over phish and
spam verdicts. Mail flow rules are created and modified in the Exchange admin
center at https://admin.exchange.microsoft.com/#/transportrules , but if any mail
flow rule applies to a message, the rule name and GUID will be shown here, which is
valuable information for tracking purposes.
Primary Override: Source: Primary override and source refer to the tenant or user
setting which impacted the delivery of the email, overriding the delivery location
given by the system (as per the threat and detection technology). As an example,
this could be an email blocked due to a tenant configured transport rule or an
email allowed due to an end-user setting for Safe Senders.
All Overrides: All Overrides refer to the list of overrides (tenant or user settings)
that were applied to the email, which may or may not have impacted the delivery of
an email. As an example, if a tenant configured transport rule, as well as a tenant
configured policy setting (for example, from the Tenant Allow Block lists), is applied
to an email, then both will be listed in this field. You can check the primary override
field to determine the setting that impacted the delivery of the email.
Bulk Complaint Level (BCL): The bulk complaint level (BCL) of the message. A
higher BCL indicates a bulk mail message is more likely to generate complaints
(the natural result if the email is likely to be spam).
Spam Confidence Level (SCL): The spam confidence level (SCL) of the message. A
higher value indicates the message is more likely to be spam.
Client type: Indicates the Client type from which the email was sent like REST.
Distribution list: Shows the distribution list, if the recipient received the email as a
member of the list. It shows the top level distribution list if there are nested
distribution lists involved.
To, Cc: Indicates the addresses that are listed in To, Cc fields of an email. The
information in these fields is restricted to 5000 characters.
Domain Created Date: Specifies the date of creation of the sending domain. A
newly created domain is something you could be cautious of if other signals
indicate some suspicious behavior.
Email Authentication: Email authentication methods used by Microsoft 365 include SPF,
DKIM, and DMARC.
Sender Policy Framework (SPF): Describes results for SPF check for the message.
Possible values can be:
Pass (IP address): The SPF check for the message passed and includes the
sender's IP address. The client is authorized to send or relay email on behalf of
the sender's domain.
Fail (IP address): The SPF check for the message failed, and includes the sender's
IP address. This is sometimes called hard fail.
Softfail (reason): The SPF record designated the host as not being allowed to
send but is in transition.
Neutral: The SPF record explicitly states that it does not assert whether the IP
address is authorized to send.
None: The domain doesn't have an SPF record, or the SPF record doesn't
evaluate to a result.
Temperror: A temporary error has occurred. For example, a DNS error. The same
check later might succeed.
Permerror: A permanent error has occurred. For example, the domain has a
badly formatted SPF record.
You can select Take actions from the top right corner of the entity page to open the Action wizard, where you select the specific action you need.
In the Action wizard you can take email actions, make email submissions, block the sender and sender domain, start investigative actions, and use two-step approval (add to remediation) in the same side pane. This follows a consistent flow for ease of use. The Action wizard uses the same system as Explorer actions (for example, for Delete, Submissions, and Investigation actions). You can see and track these actions in the Unified action center (for deleted emails), in the Submission portal (for submissions), and on the Tenant Allow/Block Lists page (for TABL blocks).
Tenant-level block URL and block attachment actions are also being added to the respective Email entity URL and Attachments tabs. Upon approval, all Tenant Allow and Block Lists (TABL) block URL and block attachment entries can be tracked on the TABL/URL and TABL/file pages.
Note
To view all the components, click on the Open email entity link to open the full
email entity page.
Email details: Contains information about email properties like sender name,
sender address, time received, authentication details, and other several other
details.
URLs: By default, you will see 3 URLs and their corresponding threats. You can
always select View all URLs to expand and see all URLs and export them.
Attachments: By default, you will see 3 attachments. You can always select View all
attachments to expand and see all attachments.
In addition to the above sections, you will also see sections specific to a few experiences that are integrated with the summary panel:
Submissions:
Submission details: Contains information about the specific submissions such as:
Date submitted
Subject
Submission type
Reason for submitting
Submission ID
Submitted by
Result details: Messages that are submitted are reviewed. You can see the result
of your submission as well as any recommended next steps.
Quarantine:
Office 365 Threat Investigation and Response capabilities enable your organization's
security team to discover and take action against cybersecurity threats. Office 365 Threat
Investigation and Response capabilities include Threat Tracker features, including
Noteworthy trackers. Read this article to get an overview of these new features and next
steps.
Important
Office 365 Threat Intelligence is now Microsoft Defender for Office 365 Plan 2,
along with additional threat protection capabilities. To learn more, see Microsoft
Defender for Office 365 plans and pricing and the Microsoft Defender for
Office 365 Service Description.
Trackers are just a few of the many great features you get with Microsoft Defender for
Office 365 Plan 2. Threat Trackers include Noteworthy trackers, Trending trackers,
Tracked queries, and Saved queries.
To view and use your Threat Trackers for your organization, open the Microsoft 365
Defender portal at https://security.microsoft.com , and go to Email & collaboration >
Threat tracker. To go directly to the Threat tracker page, use
https://security.microsoft.com/threattrackerv2 .
Noteworthy trackers
Noteworthy trackers are where you'll find big and smaller threats and risks that we think
you should know about. Noteworthy trackers help you find whether these issues exist in
your Microsoft 365 environment, plus link to articles (like this one) that give you more
details on what is happening, and how they'll impact your organization's use of Office
365. Whether it's a big new threat (e.g. Wannacry, Petya) or an existing threat that might
create some new challenges (like our other inaugural Noteworthy item - Nemucod), this
is where you'll find important new items you and your security team should review and
examine periodically.
Typically Noteworthy trackers will be posted for just a couple of weeks when we identify
new threats and think you might need the extra visibility that this feature provides. Once
the biggest risk for a threat has passed, we'll remove that Noteworthy item. This way, we
can keep the list fresh and up to date with other relevant new items.
Trending trackers
Trending trackers (formerly called Campaigns) highlight new threats received in your
organization's email in the past week. The Trending trackers view provides dynamic
assessments of email threats impacting your organization's Office 365 environment. This
view shows tenant level malware trends, identifying malware families on the rise, flat, or
declining, giving admins greater insight into which threats require further attention.
Trending trackers give you an idea of new threats you should review to ensure your
broader corporate environment is prepared against attacks.
Tracked queries
Tracked queries use your saved queries to periodically assess Microsoft 365 activity
in your organization. This gives you event trending, with more to come in the coming
months. Tracked queries run automatically, giving you up-to-date information without
having to remember to re-run your queries.
Saved queries
Saved queries are also found in the Trackers section. You can use Saved queries to store
the common Explorer searches that you want to get back to quicker and repeatedly,
without having to re-create the search every time.
You can always save a Noteworthy tracker query or any of your own Explorer queries
using the Save query button at the top of the Explorer page. Anything saved there will
show up in the Saved queries list on the Tracker page.
Trackers and Explorer
Whether you're reviewing email, content, or Office activities (coming soon), Explorer and
Trackers work together to help you investigate and track security risks and threats. All
together, Trackers provide you with information to protect your users by highlighting
new, notable, and frequently searched issues - ensuring your business is better
protected as it moves to the cloud.
And remember that you can always provide us feedback on this or other Microsoft 365
security features by clicking on the Feedback button in the lower-right corner.
In today's threat-riddled world, running only traditional anti-malware scans means you
are not protected well enough against attacks. Today's more sophisticated attackers use
commonly available tools to create new, obfuscated, or delayed attacks that won't be
recognized by traditional signature-based anti-malware engines. The Safe Attachments
feature takes email attachments and detonates them in a virtual environment to
determine whether they're safe or malicious. This detonation process opens each file in
a virtual computer environment, then watches what happens after the file is opened.
Whether it's a PDF, a compressed file, or an Office document, malicious code can be hidden in a file, activating only once the victim opens it on their computer. By detonating and analyzing the file in the email flow, Defender for Office 365 finds these threats based on behaviors, file reputation, and a number of heuristic rules.
The new Noteworthy threat filter highlights items that were recently detected through
Safe Attachments. These detections represent items that are new malicious files, not
previously found by Microsoft 365 in either your email flow or other customers' email.
Pay attention to the items in the Noteworthy Threat Tracker, see who was targeted by
them, and review the detonation details shown on the Advanced Analysis tab (found by
clicking on the subject of the email in Explorer). Note you'll only find this tab on emails
detected by the Safe Attachments capability - this Noteworthy tracker includes that
filter, but you can also use that filter for other searches in Explorer.
Next steps
If your organization doesn't already have these Office 365 Threat Investigation and
Response capabilities, see How do we get Office 365 Threat Investigation and
Response capabilities?.
Make sure that your security team has the correct roles and permissions assigned.
You must be a global administrator, or have the Security Administrator or Search
and Purge role assigned in the Microsoft 365 Defender portal. See Permissions in
the Microsoft 365 Defender portal.
Watch for the new Trackers to show up in your Microsoft 365 environment. When
available, you'll find your Trackers on the Threat tracker page in the Microsoft 365
Defender portal at https://security.microsoft.com/threattracker .
If you haven't already done so, learn more about and configure Microsoft
Defender for Office 365 for your organization, including Safe links and Safe
Attachments.
Alert policies in Microsoft 365
Article • 12/22/2022 • 36 minutes to read
You can use alert policies and the alert dashboard in the Microsoft Purview compliance
portal or the Microsoft 365 Defender portal to create alert policies and then view the
alerts generated when users perform activities that match the conditions of an alert
policy. There are several default alert policies that help you monitor activities such as
assigning admin privileges in Exchange Online, malware attacks, phishing campaigns,
and unusual levels of file deletions and external sharing.
Tip
Go to the Default alert policies section in this article for a list and description of
the available alert policies.
Alert policies let you categorize the alerts that are triggered by a policy, apply the policy
to all users in your organization, set a threshold level for when an alert is triggered, and
decide whether to receive email notifications when alerts are triggered. There's also a
Alerts page where you can view and filter alerts, set an alert status to help you manage
alerts, and then dismiss alerts after you've addressed or resolved the underlying
incident.
Note
Alert policies are available for organizations with a Microsoft 365 Enterprise, Office
365 Enterprise, or Office 365 US Government E1/F1/G1, E3/F3/G3, or E5/G5
subscription. Advanced functionality is only available for organizations with an
E5/G5 subscription, or for organizations that have an E1/F1/G1 or E3/F3/G3
subscription and a Microsoft Defender for Office 365 P2 or a Microsoft 365 E5
Compliance or an E5 eDiscovery and Audit add-on subscription. The functionality
that requires an E5/G5 or add-on subscription is highlighted in this topic. Also note
that alert policies are available in Office 365 GCC, GCC High, and DoD US
government environments.
Tip
If you're not an E5 customer, you can try all the premium features in Microsoft
Purview for free. Use the 90-day Purview solutions trial to explore how robust
Purview capabilities can help your organization manage data security and
compliance needs. Start now at the Microsoft Purview compliance portal trials
hub . Learn details about signing up and trial terms.
To create alert policies, you have to be assigned the Manage Alerts role or the
Organization Configuration role in the compliance portal or the Defender portal.
2. A user performs an activity that matches the conditions of an alert policy. In the
case of malware attacks, infected email messages sent to users in your
organization trigger an alert.
3. Microsoft 365 generates an alert that's displayed on the Alerts page in the compliance portal or Defender portal. Also, if email notifications are enabled for the alert policy, Microsoft sends a notification to a list of recipients. The alerts that an admin or other users can see on the Alerts page are determined by the roles assigned to the user. For more information, see RBAC permissions required to view alerts.
Go to the compliance portal , and then select Policies > Alert > Alert policies.
Go to the Microsoft 365 Defender portal and under Email & collaboration select
Policies & rules > Alert policy. Alternatively, you can go directly to
https://security.microsoft.com/alertpolicies .
Note
You have to be assigned the View-Only Manage Alerts role to view alert policies in
the Microsoft Purview compliance portal or the Microsoft 365 Defender portal. You
have to be assigned the Manage Alerts role to create and edit alert policies. For
more information, see Permissions in the Microsoft Purview compliance portal.
Activity the alert is tracking. You create a policy to track an activity or, in some cases, a few related activities, such as sharing a file with an external user, assigning access permissions, or creating an anonymous link. When a user performs the activity defined by the policy, an alert is triggered based on the alert threshold settings.
Note
The activities that you can track depend on your organization's Office 365 Enterprise or Office 365 US Government plan. In general, activities related to malware campaigns and phishing attacks require an E5/G5 subscription or an E1/F1/G1 or E3/F3/G3 subscription with a Defender for Office 365 Plan 2 add-on subscription.
Activity conditions. For most activities, you can define additional conditions that
must be met to trigger an alert. Common conditions include IP addresses (so that
an alert is triggered when the user performs the activity on a computer with a
specific IP address or within an IP address range), whether an alert is triggered if a
specific user or users perform that activity, and whether the activity is performed
on a specific file name or URL. You can also configure a condition that triggers an
alert when the activity is performed by any user in your organization. The available
conditions are dependent on the selected activity.
You can also define user tags as a condition of an alert policy. Alerts triggered by the policy then include the context of the impacted user. You can use system user tags or custom user tags. For more information, see User tags in Microsoft Defender for Office 365.
When the alert is triggered. You can configure a setting that defines how often an
activity can occur before an alert is triggered. This allows you to set up a policy to
generate an alert every time an activity matches the policy conditions, when a
certain threshold is exceeded, or when the occurrence of the activity the alert is
tracking becomes unusual for your organization.
If you select the setting based on unusual activity, Microsoft establishes a baseline
value that defines the normal frequency for the selected activity. It takes up to
seven days to establish this baseline, during which alerts won't be generated. After
the baseline is established, an alert is triggered when the frequency of the activity
tracked by the alert policy greatly exceeds the baseline value. For auditing-related
activities (such as file and folder activities), you can establish a baseline based on a
single user or based on all users in your organization; for malware-related
activities, you can establish a baseline based on a single malware family, a single
recipient, or all messages in your organization.
Alert category. To help with tracking and managing the alerts generated by a
policy, you can assign one of the following categories to a policy.
Data loss prevention
Information governance
Mail flow
Permissions
Threat management
Others
When an activity occurs that matches the conditions of the alert policy, the alert
that's generated is tagged with the category defined in this setting. This allows you
to track and manage alerts that have the same category setting on the Alerts page
in the Microsoft Purview portal because you can sort and filter alerts based on
category.
Alert severity. Similar to the alert category, you assign a severity attribute (Low,
Medium, High, or Informational) to alert policies. Like the alert category, when an
activity occurs that matches the conditions of the alert policy, the alert that's
generated is tagged with the same severity level that's set for the alert policy.
Again, this allows you to track and manage alerts that have the same severity
setting on the Alerts page. For example, you can filter the list of alerts so that only
alerts with a High severity are displayed.
Email notifications. You can set up the policy so that email notifications are sent
(or not sent) to a list of users when an alert is triggered. You can also set a daily
notification limit so that once the maximum number of notifications has been
reached, no more notifications are sent for the alert during that day. In addition to
email notifications, you or other administrators can view the alerts that are
triggered by a policy on the Alerts page. Consider enabling email notifications for
alert policies of a specific category or that have a higher severity setting.
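The settings described above map directly onto the New-ProtectionAlert cmdlet in Security & Compliance PowerShell, which is also the route for recreating a default policy that is being deprecated. The following is an added example, not code from the Microsoft documentation. It assumes the ExchangeOnlineManagement module, an account holding the Manage Alerts role, and placeholder names (the policy name and secops@contoso.com); FileDeleted is used as the tracked audit log operation, and DataGovernance is the cmdlet's name for the Information governance category shown in the portal.

```powershell
# Added example: a custom alert policy that uses the activity, threshold,
# category, severity and notification settings described in the article.
# Not part of the Microsoft documentation; names and addresses are placeholders.

Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

$policyName = 'Mass file deletion by a single user'
$notify     = 'secops@contoso.com'

# ThreatType Activity + Operation selects an audit log operation (here FileDeleted).
# SimpleAggregation raises the alert when Threshold events occur within TimeWindow
# minutes. Use AggregationType AnomalousAggregation instead for the "unusual
# activity" setting: no Threshold/TimeWindow, and no alerts for up to seven days
# while the baseline is established.
New-ProtectionAlert -Name $policyName `
    -Description 'More than 50 files deleted by one user inside an hour' `
    -Category DataGovernance `
    -Severity High `
    -ThreatType Activity `
    -Operation FileDeleted `
    -AggregationType SimpleAggregation `
    -Threshold 50 `
    -TimeWindow 60 `
    -NotifyUser $notify `
    -NotificationEnabled $true `
    -NotifyUserThrottleThreshold 5 `
    -NotifyUserThrottleWindow 1440   # daily notification limit: 5 emails per 24 hours

# Confirm the stored settings
Get-ProtectionAlert -Identity $policyName |
    Format-List Name, Category, Severity, Operation, AggregationType, Threshold, TimeWindow, NotifyUser, NotificationEnabled

# Suppressing email is a separate switch from the policy itself: with
# NotificationEnabled off the policy still generates alerts on the Alerts page.
Set-ProtectionAlert -Identity $policyName -NotificationEnabled $false
```

The Filter parameter of New-ProtectionAlert adds the activity conditions (IP address, specific users, file name or URL) mentioned above; its property syntax depends on the selected activity, so check the cmdlet's help for the activity you track before relying on it.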
The following tables list and describe the available default alert policies and the
category each policy is assigned to. The category is used to determine which alerts a
user can view on the Alerts page. For more information, see RBAC permissions required
to view alerts.
The tables also indicate the Office 365 Enterprise and Office 365 US Government plan
required for each one. Some default alert policies are available if your organization has
the appropriate add-on subscription in addition to an E1/F1/G1 or E3/F3/G3
subscription.
Note
The unusual activity monitored by some of the built-in policies is based on the
same process as the alert threshold setting that was previously described. Microsoft
establishes a baseline value that defines the normal frequency for "usual" activity.
Alerts are then triggered when the frequency of activities tracked by the built-in
alert policy greatly exceeds the baseline value.
Note
The alert policies in this section are in the process of being deprecated based on
customer feedback as false positives. To retain the functionality of these alert
policies, you can create custom alert policies with the same settings.
A content search is started
The results of a content search are exported
A content search report is exported
Columns: Name; Description; Severity; Automated investigation; Enterprise subscription

Name: Email messages containing malware removed after delivery
Description: Note: This alert policy has been replaced by Email messages containing malicious file removed after delivery. This alert policy will eventually go away, so we recommend disabling this alert policy and using Email messages containing malicious file removed after delivery instead. For more information, see New alert policies in Microsoft Defender for Office 365.
Severity: Informational
Automated investigation: Yes
Enterprise subscription: E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription

Name: Email messages containing phish URLs removed after delivery
Description: Note: This alert policy has been replaced by Email messages containing malicious URL removed after delivery. This alert policy will eventually go away, so we recommend disabling this alert policy and using Email messages containing malicious URL removed after delivery instead. For more information, see New alert policies in Microsoft Defender for Office 365.
Severity: Informational
Automated investigation: Yes
Enterprise subscription: E5/G5 or Defender for Office 365 P2 add-on subscription

Name: Remediation action taken by admin on emails or URL or sender
Description: Note: This alert policy has been replaced by the Administrative action submitted by an Administrator alert policy. This alert policy will eventually go away, so we recommend disabling this alert policy and using Administrative action submitted by an Administrator instead.
Severity: Informational
Automated investigation: Yes
Enterprise subscription: E5/G5 or Defender for Office 365 P2 add-on subscription
* This alert policy is in the process of being deprecated based on customer feedback as
a false positive. To retain the functionality of this alert policy, you can create a custom
alert policy with the same settings.
** This alert policy is part of the replacement functionality for the Phish delivered due to
tenant or user override and User impersonation phish delivered to inbox/folder alert
policies that were removed based on user feedback. For more information about anti-
phishing in Office 365, see Anti-phishing policies.
View alerts
When an activity performed by users in your organization matches the settings of an
alert policy, an alert is generated and displayed on the Alerts page in the Microsoft
Purview portal or the Defender portal. Depending on the settings of an alert policy, an
email notification is also sent to a list of specified users when an alert is triggered. For
each alert, the dashboard on the Alerts page displays the name of the corresponding
alert policy, the severity and category for the alert (defined in the alert policy), and the
number of times an activity has occurred that resulted in the alert being generated. This
value is based on the threshold setting of the alert policy. The dashboard also shows the
status for each alert. For more information about using the status property to manage
alerts, see Managing alerts.
To view alerts:
Status: Show alerts that are assigned a particular status. The default status is
Active. You or other administrators can change the status value.
Policy: Show alerts that match the setting of one or more alert policies. Or you can
display all alerts for all alert policies.
Time range: Show alerts that were generated within a specific date and time range.
Severity: Show alerts that are assigned a specific severity.
Category: Show alerts from one or more alert categories.
Tags: Show alerts from one or more user tags. Tags are reflected based on tagged mailboxes or users that appear in the alerts. See User tags in Defender for Office 365 to learn more.
Source: Use this filter to show alerts triggered by alert policies in the Microsoft
Purview portal or alerts triggered by Microsoft Defender for Cloud Apps policies,
or both. For more information about Defender for Cloud Apps alerts, see the View
Defender for Cloud Apps alerts section in this article.
Important
Filtering and sorting by user tags is currently in Public Preview, and might be
substantially modified before it's generally available. Microsoft makes no
warranties, express or implied, with respect to the information provided about it.
Alert aggregation
When multiple events that match the conditions of an alert policy occur within a short period of time, they are added to an existing alert by a process called alert aggregation. When an event triggers an alert, the alert is generated and displayed on the Alerts page and a notification is sent. If the same event occurs within the aggregation interval, Microsoft 365 adds details about the new event to the existing alert instead of triggering a new alert. The goal of alert aggregation is to reduce alert "fatigue" and let you focus on and take action against fewer alerts for the same event.
The length of the aggregation interval depends on your Office 365 or Microsoft 365
subscription.
Subscription   Aggregation interval
When events that match the same alert policy occur within the aggregation interval, details about the subsequent event are added to the original alert. For all events, information about aggregated events is displayed in the details field, and the number of times an event occurred within the aggregation interval is displayed in the activity/hit count field. You can view more information about all aggregated event instances by viewing the activity list.
The following screenshot shows an alert with four aggregated events. The activity list
contains information about the four email messages relevant to the alert.
Keep the following things in mind about alert aggregation:
Alerts triggered by the A potentially malicious URL click was detected default
alert policy are not aggregated. This is because alerts triggered by this policy are
unique to each user and email message.
At this time, the Hit count alert property doesn't indicate the number of
aggregated events for all alert policies. For alerts triggered by these alert policies,
you can view the aggregated events by clicking View message list or View activity
on the alert. We're working to make the number of aggregated events listed in the
Hit count alert property available for all alert policies.
Members of the Records Management role group can view only the alerts that are
generated by alert policies that are assigned the Information governance
category.
Members of the Compliance Administrator role group can't view alerts that are
generated by alert policies that are assigned the Threat management category.
Members of the eDiscovery Manager role group can't view any alerts because
none of the assigned roles provide permission to view alerts from any alert
category.
This design (based on RBAC permissions) lets you determine which alerts can be viewed
(and managed) by users in specific job roles in your organization.
The following table lists the roles that are required to view alerts from the six different
alert categories. A check mark indicates that a user who is assigned that role can view
alerts from the corresponding alert category listed in the title row.
To see which category a default alert policy is assigned to, see the tables in Default alert
policies.
Columns: Role; Information governance; Data loss prevention; Mail flow; Permissions; Threat management; Others
Compliance Administrator: ✔ ✔ ✔ ✔
DLP Compliance Management: ✔
Information Protection Admin: ✔
Information Protection Analyst: ✔
Information Protection Investigator: ✔
Manage Alerts: ✔
Organization Configuration: ✔
Privacy Management:
Quarantine:
Record Management: ✔
Retention Management: ✔
Role Management: ✔
Security Administrator: ✔ ✔ ✔ ✔
Security Reader: ✔ ✔ ✔ ✔
Transport Hygiene:
View-Only DLP Compliance Management: ✔
View-Only Configuration:
View-Only Manage Alerts: ✔
View-Only Recipients: ✔
View-Only Record Management: ✔
View-Only Retention Management: ✔
Tip
To view the roles that are assigned to each of the default role groups, run the
following commands in Security & Compliance PowerShell:
PowerShell
$RoleGroups = Get-RoleGroup
$RoleGroups | ForEach-Object { "`n$($_.Name)"; ('-' * 25); $_.Roles }
You can also view the roles assigned to a role group in the compliance portal or the
Microsoft 365 Defender portal. Go to the Permissions page, and select a role
group. The assigned roles are listed on the flyout page.
Manage alerts
After alerts have been generated and displayed on the Alerts page in the Microsoft
Purview portal, you can triage, investigate, and resolve them. The same RBAC
permissions that give users access to alerts also give them the ability to manage alerts.
Assign a status to alerts: You can assign one of the following statuses to alerts:
Active (the default value), Investigating, Resolved, or Dismissed. Then, you can
filter on this setting to display alerts with the same status setting. This status
setting can help track the process of managing alerts.
View alert details: You can select an alert to display a flyout page with details
about the alert. The detailed information depends on the corresponding alert
policy, but it typically includes the following information:
The name of the actual operation that triggered the alert, such as a cmdlet or an
audit log operation.
A description of the activity that triggered the alert.
The user (or list of users) who triggered the alert. This is included only for alert
policies that are set up to track a single user or a single activity.
The number of times the activity tracked by the alert was performed. This number may not match the actual number of related alerts listed on the Alerts page because more alerts may have been triggered.
A link to an activity list that includes an item for each activity that was
performed that triggered the alert. Each entry in this list identifies when the
activity occurred, the name of the actual operation (such as "FileDeleted"), the
user who performed the activity, the object (such as a file, an eDiscovery case, or
a mailbox) that the activity was performed on, and the IP address of the user's
computer. For malware-related alerts, this links to a message list.
The name (and link) of the corresponding alert policy.
Suppress email notifications: You can turn off (or suppress) email notifications
from the flyout page for an alert. When you suppress email notifications, Microsoft
won't send notifications when activities or events that match the conditions of the
alert policy occur. But alerts will be triggered when activities performed by users
match the conditions of the alert policy. You can also turn off email notifications by
editing the alert policy.
Resolve alerts: You can mark an alert as resolved on the flyout page for an alert
(which sets the status of the alert to Resolved). Unless you change the filter,
resolved alerts aren't displayed on the Alerts page.
Organizations that have Microsoft Defender for Cloud Apps as part of an Enterprise
Mobility + Security E5 subscription or as a standalone service can also view Defender for
Cloud Apps alerts that are related to Microsoft 365 apps and services in the compliance
portal or the Microsoft 365 Defender portal.
To display only Defender for Cloud Apps alerts in the Microsoft Purview portal or the
Defender portal, use the Source filter and select Defender for Cloud Apps.
Similar to an alert triggered by an alert policy in the Microsoft Purview portal, you can
select a Defender for Cloud Apps alert to display a flyout page with details about the
alert. The alert includes a link to view the details and manage the alert in the Defender
for Cloud Apps portal and a link to the corresponding Defender for Cloud Apps policy
that triggered the alert. See Monitor alerts in Defender for Cloud Apps.
Important
Changing the status of a Defender for Cloud Apps alert in the Microsoft Purview
portal won't update the resolution status for the same alert in the Defender for
Cloud Apps portal. For example, if you mark the status of the alert as Resolved in
the Microsoft Purview portal, the status of the alert in the Defender for Cloud Apps
portal is unchanged. To resolve or dismiss a Defender for Cloud Apps alert, manage
the alert in the Defender for Cloud Apps portal.
Search for role group changes or admin
audit logs in Exchange Online
Article • 06/09/2022 • 8 minutes to read
Run an administrator role group report in the Exchange admin center (EAC).
Use PowerShell to search for admin audit log entries and send the results to a
recipient.
These options can be helpful when you're trying to track the cause of unexpected
behavior, to identify a malicious administrator, or to verify that compliance requirements
are being met. Both of these options are described in this article.
Tip
You can also use the EAC to view entries in the admin audit log. For more
information, see View the admin audit log.
You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "View-only administrator
audit logging" entry in the Feature permissions in Exchange Online topic.
To open the Exchange admin center (EAC), see Exchange admin center in Exchange
Online.
To connect to Exchange Online PowerShell, see Connect to Exchange Online
PowerShell. To connect to standalone Exchange Online Protection PowerShell, see
Connect to Exchange Online Protection PowerShell.
For information about keyboard shortcuts that may apply to the procedures in this
topic, see Keyboard shortcuts for the Exchange admin center.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection.
1. In the EAC, go to Compliance management > Auditing, and then choose Run an
administrator role group report.
2. In the Search for changes to administrator role groups page that opens,
configure the following settings:
Start date and End date: Enter a date range. By default, the report searches
for changes made to administrator role groups in the past two weeks.
Select role groups: By default, all role groups are searched. To filter the
results by specific role groups, click Select role groups. In the dialog that
appears, select a role group and click add ->. Repeat this step as many times
as necessary, and then click OK when you're finished.
If any changes are found using the specified criteria, they will appear in the results pane.
Click a role group in the search results to see the changes in the details pane.
To determine if a user was added or removed, you have to compare two separate entries
in the report. For example, let's look at the following log entries for the HelpDesk role
group:
1/27/2021 4:43 PM - Administrator
2/06/2018 10:09 AM - Administrator
2/19/2021 2:12 PM - Administrator
In this example, the Administrator user account made the following changes:
Note
In standalone EOP, you can't export the admin audit log from the EAC. But you can
use PowerShell to search for audit log entries and send results to a recipient.
If you're going to use Outlook on the web (formerly known as Outlook Web App)
to view the exported entries, you need to enable .xml attachments in Outlook on
the web. For details, see Configure Outlook on the web to allow XML
attachments.
Exporting the admin audit log writes the information to an XML file and sends it to you
as an attachment in an email message. The maximum size of the XML file is 10
megabytes (MB).
1. In the EAC, select Compliance management > Auditing, and then click Export the
admin audit log.
2. Select a date range using the Start date and End date fields.
3. In the Send the auditing report to field, click Select users and then select the
recipient you want to send the report to.
4. Click Export.
If any log entries are found using the criteria you specified, an XML file will be created
and sent as an email attachment to the recipient you specified.
To search the audit log for criteria you specify, use the following syntax.
PowerShell
Note
This example performs a search for all audit log entries with the following criteria:
PowerShell
This example searches for changes made to a specific mailbox. This is useful if you're
troubleshooting or you need to provide information for an investigation. The following
criteria are used:
PowerShell
If your searches return many log entries, we recommend that you use the procedure
provided in Use PowerShell to search for audit log entries and send results to a recipient
later in this article. The procedure in that section sends an XML file as an email
attachment to the recipients you specify, enabling you to more easily extract the data
you're interested in.
To view the contents of the CmdletParameters and ModifiedProperties fields, use the
following steps. Or, you can use the procedure in Use PowerShell to search for audit log
entries and send results to a recipient later in this article to create an XML file.
PowerShell arrays
PowerShell variables
1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet,
and store the results in a variable using the following command.
PowerShell
$Results = Search-AdminAuditLog <search criteria>
2. Each audit log entry is stored as an array element in the variable $Results . You can
select an array element by specifying its array element index. Array element
indexes start at zero (0) for the first array element. For example, to retrieve the 5th
array element, which has an index of 4, use the following command.
PowerShell
$Results[4]
3. The previous command returns the log entry stored in array element 4. To see the
contents of the CmdletParameters and ModifiedProperties fields for this log
entry, use the following commands.
PowerShell
$Results[4].CmdletParameters
$Results[4].ModifiedProperties
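Putting steps 1 to 3 together, here is an added example (not code from the article) that searches for role group membership changes and flattens the CmdletParameters and ModifiedProperties collections into one row per entry. It assumes an existing Exchange Online PowerShell session; the cmdlet filter, the date window and the CSV path are my choices, and the flattening reads whatever properties each element exposes rather than assuming their names.

```powershell
# Added example, not from the article. Assumes Connect-ExchangeOnline has already run.
# The cmdlet filter, date window and CSV path are constructed choices for this walkthrough.

function ConvertTo-FlatString {
    # Each CmdletParameters / ModifiedProperties element is an object with a few
    # properties (name, value, ...). Rather than assume the property names, emit every
    # property of every element as name=value pairs.
    param([object[]]$Items)
    ($Items | ForEach-Object {
        ($_.PSObject.Properties | ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join ','
    }) -join '; '
}

# Step 1: run the search and keep the array of entries.
$Criteria = @{
    Cmdlets    = 'Add-RoleGroupMember', 'Remove-RoleGroupMember', 'Update-RoleGroupMember'
    StartDate  = (Get-Date).AddDays(-14)   # same two-week window the EAC report defaults to
    EndDate    = Get-Date
    ResultSize = 5000
}
$Results = Search-AdminAuditLog @Criteria

# Steps 2-3, for every element instead of just $Results[4]: one row per entry with the
# nested fields expanded so the output can be read as a table or exported.
$Rows = foreach ($Entry in $Results) {
    [pscustomobject]@{
        RunDate    = $Entry.RunDate
        Caller     = $Entry.Caller          # the admin who ran the cmdlet
        Cmdlet     = $Entry.CmdletName
        RoleGroup  = $Entry.ObjectModified  # the role group that was changed
        Succeeded  = $Entry.Succeeded
        Parameters = ConvertTo-FlatString -Items $Entry.CmdletParameters
        Modified   = ConvertTo-FlatString -Items $Entry.ModifiedProperties
    }
}

$Rows | Sort-Object RunDate | Format-Table -AutoSize -Wrap
# Keep a copy for the investigation record (constructed path).
$Rows | Export-Csv -Path '.\RoleGroupChanges.csv' -NoTypeInformation
```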
Note
If you're going to use Outlook on the web (formerly known as Outlook Web App)
to view the exported entries, you need to enable .xml attachments in Outlook on
the web. For details, see Configure Outlook on the web to allow XML
attachments.
You can use Exchange Online PowerShell or standalone Exchange Online Protection
PowerShell to search for audit log entries that meet the criteria you specify, and then
send those results to a recipient you specify as an XML file attachment. The results are
sent to the recipient within 15 minutes. For a list of search criteria, see
Search-AdminAuditLog cmdlet criteria.
To search the audit log for criteria you specify, use the following syntax.
PowerShell
This example performs a search for all audit log entries with the following criteria:
The command sends the results to the davids@contoso.com SMTP address with
"Mailbox limit changes" included in the subject line of the message.
PowerShell
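As an added example (not the article's own command), the following asks Exchange Online to run the search in the background and email the XML results, then parses a saved copy of that attachment. It assumes an existing Exchange Online PowerShell session; the Set-Mailbox quota parameters used as the filter, the file path, and the XML element and attribute names (taken from the admin audit log structure as I recall it) are assumptions to check against a real export.

```powershell
# Added example, not from the article. Assumes Connect-ExchangeOnline has already run.
# Recipient and subject text are the article's; the quota parameters are an assumed filter.

$Search = @{
    Name                 = 'Mailbox limit changes'      # included in the email subject
    Cmdlets              = 'Set-Mailbox'
    Parameters           = 'ProhibitSendQuota', 'ProhibitSendReceiveQuota', 'IssueWarningQuota'
    StartDate            = (Get-Date).AddDays(-30)
    EndDate              = Get-Date
    StatusMailRecipients = 'davids@contoso.com'
}
New-AdminAuditLogSearch @Search

# Once the attachment arrives (the article says within 15 minutes), save the XML file
# and read it here. Element/attribute names follow the admin audit log structure as
# recalled; verify them against an actual export. The path is a constructed placeholder.
function Get-AuditEntriesFromXml {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$Doc = Get-Content -Path $Path -Raw
    foreach ($Event in $Doc.SearchResults.Event) {
        $Params = ($Event.CmdletParameters.Parameter |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
        $Props = ($Event.ModifiedProperties.Property |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
        [pscustomobject]@{
            RunDate   = $Event.RunDate
            Caller    = $Event.Caller
            Cmdlet    = $Event.Cmdlet
            Object    = $Event.ObjectModified
            Succeeded = $Event.Succeeded
            Params    = $Params
            Modified  = $Props
        }
    }
}

Get-AuditEntriesFromXml -Path '.\SearchResult.xml' |
    Sort-Object RunDate | Format-Table -AutoSize -Wrap
```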
For more information about the format of the XML file, see admin audit log structure.
Alerts are created when malicious or suspicious activity affects an entity (for example,
email, users, or mailboxes). Alerts provide valuable insights about in-progress or
completed attacks. However, an ongoing attack can affect multiple entities, which
results in multiple alerts from different sources. Some built-in alerts will automatically
trigger AIR playbooks. These playbooks do a series of investigation steps to look for
other impacted entities or suspicious activity.
Defender for Office 365 alerts, investigations, and their data are automatically
correlated. When a relationship is determined, an incident is created by the system to
give security teams visibility for the entire attack.
We strongly recommend that SecOps teams manage incidents and alerts from Defender
for Office 365 in the Incidents queue at https://security.microsoft.com/incidents-queue.
This approach has the following benefits:
You can take incidents directly from the queue or assign them to someone.
Comments and comment history can help track progress.
If the attack impacts other workloads that are protected by Microsoft Defender*,
the related alerts, investigations, and their data are also correlated to the same
incident.
*Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft
Defender for Cloud Apps.
Complex correlation logic isn't required, because the logic is provided by the
system.
If the correlation logic doesn't fully meet your needs, you can add alerts to existing
incidents or create new incidents.
Related Defender for Office 365 alerts, AIR investigations, and pending actions
from investigations are automatically added to incidents.
If the AIR investigation finds no threat, the related alerts are automatically resolved
by the system. If all alerts within an incident are resolved, the incident status also
changes to Resolved.
Security team members can take response actions directly from the incidents. For
example, they can soft-delete email in mailboxes or remove suspicious Inbox rules
from mailboxes.
Recommended email actions are created only when the latest delivery location of a
malicious email is a cloud mailbox.
Pending email actions are updated based on the latest delivery location. If the
email was already remediated by a manual action, the status will reflect that.
Recommended actions are created only for email and email clusters that are
determined to be the most critical threats:
Malware
High confidence phishing
Malicious URLs
Malicious files
Note
Incidents don't just represent static events. They also represent attack stories that
happen over time. As the attack progresses, new Defender for Office 365 alerts, AIR
investigations, and their data are continuously added to the existing incident.
Manage incidents on the Incidents page in the Microsoft 365 Defender portal at
https://security.microsoft.com/incidents-queue:
Manage incidents on the Incidents page in Microsoft Sentinel at
https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel:
Response actions to take
Security teams can take a wide variety of response actions on email using Defender for
Office 365 tools:
You can delete messages, but you can also take the following actions on email:
Move to Inbox
Move to Junk
Move to Deleted Items
Soft delete
Hard delete.
You can start an AIR playbook manually on any email message using the Trigger
investigation action in Threat Explorer.
You can report false positive or false negative detections directly to Microsoft
using Threat Explorer or admin submissions.
You can block undetected malicious files, URLs, or senders using the Tenant
Allow/Block List.
Defender for Office 365 actions are seamlessly integrated into hunting experiences, and
the history of actions is visible on the History tab in the unified Action center at
https://security.microsoft.com/action-center/history.
The most effective way to take action is to use the built-in integration with Incidents in
Microsoft 365 Defender. You can simply approve the actions that were recommended by
AIR in Defender for Office 365 on the Evidence and response tab of an Incident in
Microsoft 365 Defender. This method of taking action is recommended for the
following reasons:
You take action on email based on the result of a manual investigation or hunting
activity. Threat Explorer allows security team members to take action on any email
messages that might still exist in cloud mailboxes. They can take action on intra-org
messages that were sent between users in your organization. Threat Explorer data is
available for the last 30 days.
Threat investigation and response
Article • 12/22/2022 • 5 minutes to read
Threat investigation and response capabilities in Microsoft Defender for Office 365 help
security analysts and administrators protect their organization's Microsoft 365 for
business users by:
Threat investigation and response capabilities provide insights into threats and related
response actions that are available in the Microsoft 365 Defender portal. These insights
can help your organization's security team protect users from email- or file-based
attacks. The capabilities help monitor signals and gather data from multiple sources,
such as user activity, authentication, email, compromised PCs, and security incidents.
Business decision makers and your security operations team can use this information to
understand and respond to threats against your organization and protect your
intellectual property.
Explorer
Use Explorer (and real-time detections) to analyze threats, see the volume of attacks
over time, and analyze data by threat families, attacker infrastructure, and more. Explorer
(also referred to as Threat Explorer) is the starting place for any security analyst's
investigation workflow.
To view and use this report in the Microsoft 365 Defender portal at
https://security.microsoft.com, go to Email & collaboration > Explorer. Or, to go
directly to the Explorer page, use https://security.microsoft.com/threatexplorer.
When you turn on this feature, you'll be able to incorporate data from Microsoft
Defender for Office 365 into Microsoft 365 Defender to conduct a comprehensive
security investigation across Office 365 mailboxes and Windows devices.
Note
You'll need to have the appropriate license to enable this feature.
To receive contextual device integration in Office 365 Threat Intelligence, you'll need to
enable the Defender for Endpoint settings in the Security & Compliance dashboard.
Incidents
Use the Incidents list (this is also called Investigations) to see a list of in-flight security
incidents. Incidents are used to track threats such as suspicious email messages, and to
conduct further investigation and remediation.
To view the list of current incidents for your organization in the Microsoft 365 Defender
portal at https://security.microsoft.com, go to Incidents & alerts > Incidents. Or, to go
directly to the Incidents page, use https://security.microsoft.com/incidents.
To view and use this feature in the Microsoft 365 Defender portal at
https://security.microsoft.com, go to Email & collaboration > Attack simulation
training. Or, to go directly to the Attack simulation training page, use
https://security.microsoft.com/attacksimulator?viewid=overview.
Tip
The Search and Purge role must be assigned in the Email &
collaboration roles in the Microsoft 365 Defender portal
(https://security.microsoft.com).
Activity: Integrate Microsoft Defender for Office 365 Plan 2 with Microsoft Defender for Endpoint
Roles and permissions: Either the Global Administrator or the Security Administrator role assigned in either Azure Active Directory (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com).

Activity: Integrate Microsoft Defender for Office 365 Plan 2 with a SIEM server
Roles and permissions: Either the Global Administrator or the Security Administrator role assigned in either Azure Active Directory (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com), plus an appropriate role assigned in additional applications (such as Microsoft Defender Security Center or your SIEM server).
Next steps
Learn about Threat Trackers - New and Noteworthy
Find and investigate malicious email that was delivered (Office 365 Threat
Investigation and Response)
Integrate Office 365 Threat Investigation and Response with Microsoft Defender
for Endpoint
Simulate a phishing attack
Investigate malicious email that was
delivered in Microsoft 365
Article • 12/09/2022 • 11 minutes to read
Microsoft Defender for Office 365 enables you to investigate activities that put people in
your organization at risk, and to take action to protect your organization. For example, if
you are part of your organization's security team, you can find and investigate
suspicious email messages that were delivered. You can do this by using Threat Explorer
(or real-time detections).
Note
Your organization has Microsoft Defender for Office 365 and licenses are assigned
to users.
You are a global administrator, or you have either the Security Administrator or the
Search and Purge role assigned in the Microsoft 365 Defender portal. For more
information, see Permissions in the Microsoft 365 Defender portal. For some
actions, you must also have the Preview role assigned.
Activity: Use Threat Explorer (and Real-time detections) to view headers for email messages as well as preview and download quarantined email messages
Roles and permissions: Global Administrator, Security Administrator, or Security Reader
Preview role needed? No

Activity: Use Threat Explorer to view headers, preview email (only in the email entity page) and download email messages delivered to mailboxes
Roles and permissions: Global Administrator, Security Administrator, or Security Reader, plus Preview
Preview role needed? Yes
Note
Preview is a role, not a role group. The Preview role must be added to an existing
role group or a new role group in the Microsoft 365 Defender portal. For more
information, see Permissions in the Microsoft 365 Defender portal.
The Global Administrator role is assigned in the Microsoft 365 admin center at
https://admin.microsoft.com. The Security Administrator and Security Reader
roles are assigned in the Microsoft 365 Defender portal.
Note
Default searches in Explorer don't currently include delivered items that were
removed from the cloud mailbox by zero-hour auto purge (ZAP). This limitation
applies to all views (for example, the Email > Malware or Email > Phish views). To
include items removed by ZAP, you need to add a Delivery action set to include
Removed by ZAP. If you include all options, you'll see all delivery action results,
including items removed by ZAP.
On the Explorer page, the Additional actions column shows admins the outcome
of processing an email. The Additional actions column can be accessed in the
same place as Delivery action and Delivery location. Special actions might be
updated at the end of Threat Explorer's email timeline, which is a new feature
aimed at making the hunting experience better for admins.
2. In the View menu, choose Email > All email from the drop down list.
The Malware view is currently the default, and captures emails where a malware
threat is detected. The Phish view operates in the same way, for Phish.
However, the All email view lists every message received by the organization, whether
threats were detected or not. As you can imagine, this is a lot of data, which is why
this view shows a placeholder that asks for a filter to be applied. (This view is only
available for Defender for Office 365 P2 customers.)
The Submissions view shows all messages submitted by admins or users that were
reported to Microsoft.
3. Search and filter in Threat Explorer: Filters appear at the top of the page in the
search bar to help admins in their investigations. Notice that multiple filters can be
applied at the same time, and multiple comma-separated values added to a filter
to narrow down the search. Remember:
4. Advanced filters: With these filters, you can build complex queries and filter your
data set. Clicking on Advanced Filters opens a flyout with options.
Adding a time filter to the start date and end date helps your security team to drill
down quickly. The shortest allowed time duration is 30 minutes. If you can narrow
the suspicious action by time-frame (e.g., it happened 3 hours ago), this will limit
the context and help pinpoint the problem.
5. Fields in Threat Explorer: Threat Explorer exposes a lot more security-related mail
information such as Delivery action, Delivery location, Special action, Directionality,
Overrides, and URL threat. It also allows your organization's security team to
investigate with a higher certainty.
Delivery action is the action taken on an email due to existing policies or
detections. Here are the possible actions an email can take:
Delivered – email was delivered to inbox or folder of a user and the user can
directly access it.
Junked (Delivered to junk) – email was sent to either the user's Junk folder or
Deleted folder, and the user has access to email messages in their Junk or
Deleted folder.
Blocked – any email messages that are quarantined, that failed, or were
dropped.
Replaced – any email where malicious attachments are replaced by .txt files
that state the attachment was malicious.
Delivery location: The Delivery location filter is available in order to help admins
understand where suspected malicious mail ended up and what actions were
taken on it. The resulting data can be exported to a spreadsheet. Possible delivery
locations are:
Directionality: This option allows your security operations team to filter by the
'direction' a mail comes from, or is going. Directionality values are Inbound,
Outbound, and Intra-org (corresponding to mail coming into your org from
outside, being sent out of your org, or being sent internally within your org,
respectively). This information can help security operations teams spot spoofing
and impersonation, because a mismatch between the Directionality value (for example,
Inbound) and the domain of the sender (which appears to be an internal domain)
will be evident! The Directionality value is separate from, and can differ from, the
Message Trace. Results can be exported to a spreadsheet.
Overrides: This filter takes information that appears on the mail's details tab and
uses it to expose where organizational, or user policies, for allowing and blocking
mails have been overridden. The most important thing about this filter is that it
helps your organization's security team see how many suspicious emails were
delivered due to configuration. This gives them an opportunity to modify allows
and blocks as needed. The result set of this filter can be exported to a spreadsheet.
Allowed by Org Policy: Mail was allowed into the mailbox as directed by the organization policy.
Blocked by Org Policy: Mail was blocked from delivery to the mailbox as directed by the organization policy.
File extension blocked by Org Policy: File was blocked from delivery to the mailbox as directed by the organization policy.
Allowed by User Policy: Mail was allowed into the mailbox as directed by the user policy.
Blocked by User Policy: Mail was blocked from delivery to the mailbox as directed by the user policy.
URL threat: The URL threat field has been included on the details tab of an email to
indicate the threat presented by a URL. Threats presented by a URL can include
Malware, Phish, or Spam, and a URL with no threat will say None in the threats
section.
6. Email timeline view: Your security operations team might need to deep-dive into
email details to investigate further. The email timeline allows admins to view
actions taken on an email from delivery to post-delivery. To view an email timeline,
click on the subject of an email message, and then click Email timeline. (It appears
among other headings on the panel like Summary or Details.) These results can be
exported to spreadsheet.
Email timeline will open to a table that shows all delivery and post-delivery events
for the email. If there are no further actions on the email, you should see a single
event for the original delivery that states a result, such as Blocked, with a verdict
like Phish. Admins can export the entire email timeline, including all details on the
tab and email (such as, Subject, Sender, Recipient, Network, and Message ID). The
email timeline cuts down on randomization because there is less time spent
checking different locations to try to understand events that happened since the
email arrived. When multiple events happen at, or close to, the same time on an
email, those events show up in a timeline view.
7. Preview / download: Threat Explorer gives your security operations team the
details they need to investigate suspicious email. Your security operations team
can either:
Delivery action is the action taken on an email due to existing policies or detections.
Here are the possible actions an email can take:
Delivered – email was delivered to inbox or folder of a user and the user can
directly access it.
Junked – email was sent to either user's junk folder or deleted folder, and the user
has access to email messages in their Junk or Deleted folder.
Blocked – any email messages that are quarantined, that failed, or were dropped.
Replaced – any email where malicious attachments are replaced by .txt files that
state the attachment was malicious.
Delivery location shows the results of policies and detections that run post-delivery. It's
linked to a Delivery Action. This field was added to give insight into the action taken
when a problem mail is found. Here are the possible values of delivery location:
Inbox or folder – The email is in the inbox or a folder (according to your email
rules).
On-prem or external – The mailbox doesn't exist in the cloud but is on-premises.
Junk folder – The email is in a user's Junk folder.
Deleted items folder – The email is in a user's Deleted items folder.
Quarantine – The email is in quarantine, and not in a user's mailbox.
Failed – The email failed to reach the mailbox.
Dropped – The email gets lost somewhere in the mail flow.
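The Directionality, Delivery action and Delivery location fields described above lend themselves to a quick triage pass over a Threat Explorer spreadsheet export; the following is an added example, not from the article. The column names, the accepted domains and the sample rows are constructed to match the field values the text describes, so align them with your own export's headers.

```powershell
# Added example, not from the article. The CSV columns, the accepted-domain list and
# every row below are constructed; substitute your own Threat Explorer export.

$AcceptedDomains = 'contoso.com', 'contoso.onmicrosoft.com'   # assumed org domains

$SampleCsv = @'
Subject,Sender,Recipient,Directionality,Delivery action,Delivery location,Overrides
"Invoice 4471","ceo@contoso.com","ap@contoso.com","Inbound","Delivered","Inbox or folder","Allowed by User Policy"
"Team lunch","hr@contoso.com","all@contoso.com","Intra-org","Delivered","Inbox or folder",""
"Password reset","it-support@contoso-help.net","jane@contoso.com","Inbound","Junked","Junk folder",""
"Wire request","ceo@contoso.com","cfo@contoso.com","Inbound","Delivered","Inbox or folder","Allowed by Org Policy"
"Newsletter","news@vendor.example","bob@contoso.com","Inbound","Blocked","Quarantine",""
'@
$Rows = $SampleCsv | ConvertFrom-Csv

function Find-DirectionalityMismatch {
    # Flags messages whose Directionality is Inbound although the sender domain is one
    # of ours: the spoofing/impersonation mismatch the article describes. Messages that
    # reached the Inbox because of an allow override are ranked first.
    param(
        [Parameter(Mandatory)][object[]]$Messages,
        [Parameter(Mandatory)][string[]]$AcceptedDomains
    )
    foreach ($m in $Messages) {
        $SenderDomain  = ($m.Sender -split '@')[-1].ToLowerInvariant()
        $LooksInternal = $AcceptedDomains -contains $SenderDomain
        if ($m.Directionality -ne 'Inbound' -or -not $LooksInternal) { continue }

        $Priority = 'Medium'
        if ($m.'Delivery action' -eq 'Delivered' -and $m.Overrides -like 'Allowed by *') {
            $Priority = 'High'   # user can open it, and a policy allow let it through
        }
        [pscustomobject]@{
            Priority         = $Priority
            Subject          = $m.Subject
            Sender           = $m.Sender
            Recipient        = $m.Recipient
            DeliveryAction   = $m.'Delivery action'
            DeliveryLocation = $m.'Delivery location'
            Override         = $m.Overrides
        }
    }
}

$Findings = Find-DirectionalityMismatch -Messages $Rows -AcceptedDomains $AcceptedDomains
$Findings | Sort-Object Priority | Format-Table -AutoSize
```

With the constructed rows, the two "ceo@contoso.com" messages are flagged as High and the intra-org and external-sender rows are ignored, which is the pattern to review against your allow entries.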
View the timeline of your email
Email Timeline is a field in Threat Explorer that makes hunting easier for your security
operations team. When multiple events happen at or close to the same time on an
email, those events show up in a timeline view. Some events that happen post-delivery
to email are captured in the Special actions column. Combining information from the
timeline of an email message with any special actions that were taken post-delivery
gives admins insight into policies and threat handling (such as where the mail was
routed, and, in some cases, what the final assessment was).
Important
Related topics
Remediate malicious email delivered in Office 365
In addition, admins in Microsoft 365 organizations with Microsoft Defender for Endpoint
also have several methods for reporting files.
Method: The built-in Report button
Submission type: User
Comments: Currently, this method is available only in Outlook on the web (formerly known as Outlook Web App or OWA).

Method: The Microsoft Report Message and Report Phishing add-ins
Submission type: User
Comments: These free add-ins work in Outlook on all available platforms. For installation instructions, see Enable the Report Message or the Report Phishing add-ins.

Method: The Submissions page in the Microsoft 365 Defender portal
Submission type: Admin
Comments: Admins use this method to submit good (false positive) and bad (false negative) entities, including user-reported messages, to Microsoft for further analysis. Tabs include Email, Email attachments, URLs, and Files. Note that Files is only available to users with a Microsoft Defender for Endpoint P2 license, Microsoft Defender for Office P2 license, and Microsoft 365 Defender E5 license. The Submissions page is available to organizations who have Exchange Online mailboxes as part of a Microsoft 365 subscription (not available in standalone EOP).
User reported message settings allow admins to configure whether user reported
messages go to a specified reporting mailbox, to Microsoft, or both. Depending on your
subscription, user reported messages are available in the following locations in the
Microsoft 365 Defender portal:
Admins can use mail flow rules (also known as transport rules) to notify a specified email
address when users report messages to Microsoft for analysis. For more information, see
Use mail flow rules to see what users are reporting to Microsoft.
Admins can also submit email attachments and other suspected files to Microsoft for
analysis using the sample submission portal at
https://www.microsoft.com/wdsi/filesubmission. For more information, see Submit
files for analysis.
Tip
Information is blocked from going outside the organization when data isn't
supposed to leave the tenant boundary for compliance purposes (for example, in
U.S. Government organizations: Microsoft 365 GCC, GCC High, and DoD). Reporting
a message or file to Microsoft from one of these organizations will have the
following message in the result details:
Further investigation needed. Your tenant doesn't allow data to leave the
environment, so nothing was found during the initial scan. You'll need to contact
Microsoft support to have this item reviewed.
Note
When you report an email entity to Microsoft, everything associated with the email
is copied to include it in the continual algorithm reviews. This copy includes the
email content, email headers, and related data about email routing. Any message
attachments are also included.
Microsoft treats your feedback as your organization's permission to analyze all the
information to fine tune the message hygiene algorithms. Your message is held in
secured and audited data centers in the USA. The submission is deleted as soon as
it's no longer required. Microsoft personnel might read your submitted messages
and attachments, which is normally not permitted for email in Microsoft 365.
However, your email is still treated as confidential between you and Microsoft, and
your email or attachments aren't shared with any other party as part of the review
process.
Use the Submissions portal to submit
suspected spam, phish, URLs, legitimate
email getting blocked, and email
attachments to Microsoft
Article • 01/12/2023 • 21 minutes to read
In Microsoft 365 organizations with Exchange Online mailboxes, admins can use the
Submissions portal in the Microsoft 365 Defender portal to submit email messages,
URLs, and attachments to Microsoft for scanning.
When you submit an email message for analysis, you will get:
Important
Payload reputation/detonation and grader analysis are not done in all tenants.
Information is blocked from going outside the organization when data is not
supposed to leave the tenant boundary for compliance purposes.
For other ways to submit email messages, URLs, and attachments to Microsoft, see
Report messages and files to Microsoft.
To submit messages and files to Microsoft, you need to have one of the following
roles:
Note that one of these roles is required to View user reported messages as
described later in this article.
Admins can submit messages as old as 30 days if they're still available in the mailbox
and not purged by the user or another admin.
For more information about how users can submit messages and files to Microsoft,
see Report messages and files to Microsoft.
4. In the Submit to Microsoft for analysis flyout that appears, enter the following
information:
Select the submission type: Verify the value Email is selected.
Add the network message ID or upload the email file: Select one of the
following options:
Add the email network message ID: This is a GUID value that's available in
the X-MS-Exchange-Organization-Network-Message-Id header in the
message or in the X-MS-Office365-Filtering-Correlation-Id header in
quarantined messages.
Upload the email file (.msg or .eml): Click Browse files. In the dialog that
opens, find and select the .eml or .msg file, and then click Open.
Choose a recipient who had an issue: Specify the recipient that you would
like to run a policy check against. The policy check will determine if the email
bypassed scanning due to user or organization policies.
Select a reason for submitting to Microsoft: Verify Should not have been
blocked (False positive) is selected.
The email should have been categorized as: Select Phish, Malware, or
Spam. If you're not sure, use your best judgment.
Block all emails from this sender or domain: Select this option to create a
block entry for the sender in the Tenant Allow/Block List. For more
information about the Tenant Allow/Block List, see Manage your allows
and blocks in the Tenant Allow/Block List.
After you select this option, the following settings are available:
Remove block entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
90 days
Never expire
Specific date
Block entry note: Enter optional information about why you're blocking
this email.
Note
For messages that were incorrectly blocked by spoof intelligence, a block entry for
the domain pair is not created in the Tenant Allow/Block List.
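The two headers named above are the practical way to fill in the network message ID without retyping a GUID by hand. The following is an added example (not code from the Microsoft article) that reads a saved .eml file, looks for X-MS-Exchange-Organization-Network-Message-Id first and X-MS-Office365-Filtering-Correlation-Id second, and validates that the value is a GUID before it is used in a submission. The sample message and its GUID are constructed for the example.

```python
"""Extract the Network Message ID from a saved .eml file.

Added example, not from the Microsoft documentation. It reads the two headers the
article names: X-MS-Exchange-Organization-Network-Message-Id on delivered messages
and X-MS-Office365-Filtering-Correlation-Id on quarantined messages. The sample
message below is constructed for this example; the GUID in it is made up.
"""
from email import policy
from email.parser import BytesParser
from typing import Optional
import uuid

# Header names from the article; the first is preferred when both are present.
NMID_HEADERS = (
    "X-MS-Exchange-Organization-Network-Message-Id",
    "X-MS-Office365-Filtering-Correlation-Id",
)

# Constructed sample .eml (not a real message); headers trimmed to what matters.
SAMPLE_EML = b"""\
Received: from mail.example.net (203.0.113.10) by outlook.office365.com
 with Microsoft SMTP Server; Mon, 9 Jan 2023 10:15:02 +0000
X-MS-Exchange-Organization-Network-Message-Id: 5c0d3f5e-1f3b-4e41-9a7f-2b8e2b6f0c11
From: sender@example.net
To: user@contoso.example
Subject: Invoice attached
Message-ID: <abc123@example.net>
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
"""


def network_message_id(raw: bytes) -> Optional[str]:
    """Return the Network Message ID GUID from raw RFC 5322 bytes, or None.

    The value is validated as a GUID so that a truncated or malformed header
    is not pasted into the submission form by mistake.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for name in NMID_HEADERS:
        value = msg.get(name)
        if not value:
            continue
        candidate = str(value).strip().strip("<>")
        try:
            return str(uuid.UUID(candidate))
        except ValueError:
            continue  # header present but not a GUID; try the next header
    return None


def network_message_id_from_file(path: str) -> Optional[str]:
    """Convenience wrapper for an .eml file on disk."""
    with open(path, "rb") as fh:
        return network_message_id(fh.read())


if __name__ == "__main__":
    print(network_message_id(SAMPLE_EML))
```

The returned value is normalized to lowercase by `uuid.UUID`, which is fine for the submission form; a message without either header returns `None`, which usually means it was not delivered through Exchange Online and must be uploaded as an .eml or .msg file instead.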
4. On the Submit to Microsoft for analysis flyout that appears, enter the following
information:
Select the submission type: Verify the value Email attachment is selected.
File: Click Browse files to find and select the file to submit.
The email should have been categorized as: Select Phish or Malware. If
you're not sure, use your best judgment.
Block this file: Select this option to create a block entry for the file in
the Tenant Allow/Block List. For more information about the Tenant
Allow/Block List, see Manage your allows and blocks in the Tenant
Allow/Block List.
After you select this option, the following settings are available:
Remove block entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
90 days
Never expire
Specific date
Block entry note: Enter optional information about why you're blocking
this file.
appears.
The email should have been categorized as: Select Phish or Malware. If
you're not sure, use your best judgment.
Block this URL: Select this option to create a block entry for the URL in
the Tenant Allow/Block List. For more information about the Tenant
Allow/Block List, see Manage your allows and blocks in the Tenant
Allow/Block List.
After you select this option, the following settings are available:
Remove block entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
90 days
Never expire
Specific date
Block entry note: Enter optional information about why you're blocking
this URL.
4. On the Add new submission flyout that appears, enter the following information:
Select the submission type: You can choose the value Files or File hash.
This file should have been categorized as: Select Malware or Unwanted
Software.
Choose the priority: Select Low - bulk file or file hash submission or
Medium - standard submission or High - need immediate attention (3
allowed per org per day). If you're not sure, use your best judgment. This
option is only available if you choose the option Files in Select the
submission type.
Note for Microsoft: Enter optional information in case there is anything else
that needs to be added.
4. In the Submit to Microsoft for analysis flyout that appears, enter the following
information:
Add the network message ID or upload the email file: Select one of the
following options:
Add the email network message ID: This is a GUID value that's available in
the X-MS-Exchange-Organization-Network-Message-Id header in the
message or in the X-MS-Office365-Filtering-Correlation-Id header in
quarantined messages.
Upload the email file (.msg or .eml): Click Browse files. In the dialog that
opens, find and select the .eml or .msg file, and then click Open.
Choose a recipient who had an issue: Specify the recipient that you would
like to run a policy check against. The policy check will determine if the email
was blocked due to user or organization policies.
Select a reason for submitting to Microsoft: Select Should not have been
blocked (False positive), and then configure the following settings:
Allow emails with similar attributes (URL, sender, etc.): Turn on this
setting.
Remove allow entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
Specific date: The maximum value is 30 days from today.
Allow entry note: Enter optional information about why you're allowing
this email.
For spoofed senders, any value you enter here is not shown in the allow
entry on the Spoofed senders tab on the Tenant Allow/Block List.
After a few moments, the allow entry will appear on the Domains & addresses or
Spoofed senders tab on the Tenant Allow/Block List page.
Note
When you override the verdict in the spoof intelligence insight, the spoofed
sender becomes a manual allow or block entry that only appears on the
Spoofed senders tab in the Tenant Allow/Block List.
If the sender has not already been blocked, submitting the email message to
Microsoft won't create an allow entry in the Tenant Allow/Block List.
Allows are added during mail flow, based on which filters determined the
message to be malicious. For example, if the sender and a URL in the message
were determined to be bad, an allow entry is created for the sender, and an
allow entry is created for the URL.
When that entity (domain or email address, URL, file) is encountered again, all
filters associated with that entity are skipped. For an email, all other entities
are still evaluated by the filtering system before making a decision.
During mail flow, if messages from the domain or email address pass other
checks in the filtering stack, the messages will be delivered. For example, if
email authentication passes, a message from a sender in the allow entry will
be delivered.
4. On the Submit to Microsoft for analysis flyout that appears, enter the following
information:
Select the submission type: Verify the value Email attachment is selected.
File: Click Browse files to find and select the file to submit.
Select a reason for submitting to Microsoft: Select Should not have been
blocked (False positive), and then configure the following settings:
Remove allow entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
Specific date: The maximum value is 30 days from today.
Allow entry note: Enter optional information about why you're allowing
this file.
After a few moments, an allow entry will appear on the Files tab on the Tenant
Allow/Block List page.
Note
When the file is encountered again, it's not sent for Safe Attachments detonation
or file reputation checks, and all other file-based filters are skipped. During mail
flow, if messages containing the file pass other non-file checks in the filtering stack,
the messages will be delivered.
4. In the Submit to Microsoft for analysis flyout that appears, enter the following
information:
appears. You can also provide a top level domain (for example,
https://www.fabrikam.com/* ), and then select it in the box that appears.
Select a reason for submitting to Microsoft: Select Should not have been
blocked (False positive), and then configure the following settings:
Remove allow entry after: The default value is 30 days, but you can
select from the following values:
1 day
7 days
30 days
Specific date: The maximum value is 30 days from today.
Allow entry note: Enter optional information about why you're allowing
this URL.
After a few moments, an allow entry will appear on the URL tab on the Tenant
Allow/Block List page. For more information about the Tenant Allow/Block List, see
Manage your allows and blocks in the Tenant Allow/Block List.
Note
When the URL is detected again, it's not sent for Safe Links detonation or URL
reputation checks, and all other URL-based filters are skipped.
During mail flow, if messages containing the URL pass other non-URL checks
in the filtering stack, the messages will be delivered.
Report good files to Microsoft
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Submissions page at Actions & submissions > Submissions. To go directly to the
Submissions page, use https://security.microsoft.com/reportsubmission .
4. On the Add new submission flyout that appears, enter the following information:
Select the submission type: You can choose the value Files or File hash.
This file should have been categorized as: Verify the value Clean is selected.
Choose the priority: Select Low - bulk file or file hash submission or
Medium - standard submission or High - need immediate attention (3
allowed per org per day). If you're not sure, use your best judgment. This
option is only available if you choose the option Files in Select the
submission type.
Note for Microsoft: Enter optional information in case there is anything else
that needs to be added.
Click Customize columns to select the columns that you want to view. The
default values are marked with an asterisk (*):
Submission name*
Sender*
Recipient
Date submitted*
Reason for submitting*
Status*
Result*
Filter verdict
Delivery/Block reason
Submission ID
Network Message ID/Object ID
Direction
Sender IP
Bulk compliant level (BCL)
Destination
Policy action
Submitted by
Phish simulation
Tags*
Allow
To filter the entries, click Filter. The following values are available in the
Filter flyout that appears:
Date submitted: Start date and End date values.
Submission ID: A GUID value that's assigned to every submission.
Network Message ID
Sender
Recipient
Name
Submitted by
Reason for submitting: The values Not junk, Phish, Malware, and Spam.
Status: The values Pending and Completed.
Tags: The default value is All or select a user tag from the drop-down list.
When you're finished, click Apply. To clear existing filters, click Clear filters
in the Filter flyout.
To group the entries, click Group and select one of the following values
from the dropdown list:
None
Reason
Status
Result
Tags
To export the entries, click Export. In the dialog that appears, save the .csv
file.
2. On the Submissions page, verify that the Email attachments tab is selected.
Click Customize columns to select the columns that you want to view. The
default values are marked with an asterisk (*):
Attachment filename*
Date submitted*
Reason for submitting*
Status*
Result*
Filter verdict
Delivery/Block reason
Submission ID
Object ID
Policy action
Submitted by
Tags*
Allow
Click Customize columns to select the columns that you want to view. The
default values are marked with an asterisk (*):
URL*
Date submitted*
Reason for submitting*
Status*
Result*
Filter verdict
Delivery/Block reason
Submission ID
Object ID
Policy action
Submitted by
Tags*
Allow
When you're finished, click Apply. To clear existing filters, click Clear filters
in the Filter flyout.
To group the entries, click Group and select one of the following values
from the dropdown list:
None
Reason
Status
Result
Tags
To export the entries, click Export. In the dialog that appears, save the .csv
file.
Click Customize columns to select the columns that you want to view. The
default values are marked with an asterisk (*):
Submission name*
Submission ID*
Submitted by
Date submitted*
Submission Type
Reason for submitting*
Status*
Priority*
Customer comment
Researcher comment
To filter the entries, click Filter. The following values are available in the
Filter flyout that appears:
Date submitted: Start date and End date values.
Submitted as: The values Unknown, Clean, False positive, Experimental
false positive, Malware, Spyware, Unwanted Software, Pua false positive,
and Night watch unknown.
Status: The values New, Unassigned, Assigned, Pending, Resolved,
Closed, Downloading, Sample collection, Sample collection failure,
Rejected, and Review timed out.
Submission ID: A GUID value that's assigned to every submission.
Priority: The values Low, Medium, or High.
When you're finished, click Apply. To clear existing filters, click Clear filters
in the Filter flyout.
To group the entries, click Group and select one of the following values
from the dropdown list:
None
Submission Type
Reason for submitting
Status
Priority
To export the entries, click Export. In the dialog that appears, save the .csv
file.
If there was a failure in the sender's email authentication at the time of delivery.
Information about any policy hits that could have affected or overridden the
verdict of a message.
Current detonation results to see if the URLs or files contained in the message
were malicious or not.
Feedback from graders.
If an override was found, the result should be available in several minutes. If there wasn't
a problem in email authentication or delivery wasn't affected by an override, then the
feedback from graders could take up to a day.
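The first item in that list, a failure in the sender's email authentication at delivery time, can be checked by the analyst before the submission result comes back, because Exchange Online records the outcome in the Authentication-Results header of the delivered message. The following is an added example (not code from the Microsoft article) that parses that header into per-method verdicts (spf, dkim, dmarc and Microsoft's composite compauth) and lists the methods that failed. The sample header values are constructed for the example; the header layout follows RFC 8601 with Microsoft's compauth extension.

```python
"""Read the email-authentication outcome recorded at delivery time.

Added example, not part of the Microsoft article. Before submitting a message, an
analyst can inspect the Authentication-Results header that Exchange Online stamped
on it: a failure there is one of the things the submission result reports and is
often why a message was blocked or treated as spoof. The sample headers below
are constructed for this example.
"""
import re
from email import policy
from email.parser import BytesParser
from typing import Dict, List, Optional

# Methods Exchange Online records; compauth is Microsoft's composite verdict.
METHODS = ("spf", "dkim", "dmarc", "compauth")
# Results that count as an authentication failure for triage purposes.
FAILING_RESULTS = {"fail", "softfail", "permerror", "temperror"}

_COMMENT = re.compile(r"\([^)]*\)")

# Constructed header values (not from a real message).
SAMPLE_FAIL = ("spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.net; "
               "dkim=none (message not signed) header.d=none;"
               "dmarc=fail action=oreject header.from=example.net;"
               "compauth=fail reason=000")
SAMPLE_PASS = ("spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=example.net; "
               "dkim=pass (signature was verified) header.d=example.net;"
               "dmarc=pass action=none header.from=example.net;"
               "compauth=pass reason=100")


def parse_authentication_results(header: str) -> Dict[str, Dict[str, str]]:
    """Parse an Authentication-Results value into {method: {result, props...}}.

    'spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.net' becomes
    {'spf': {'result': 'fail', 'smtp.mailfrom': 'example.net'}}. Comments in
    parentheses are dropped and a leading authserv-id (if present) is skipped.
    """
    results: Dict[str, Dict[str, str]] = {}
    text = _COMMENT.sub(" ", header)
    for segment in text.split(";"):
        tokens = segment.split()
        if not tokens or "=" not in tokens[0]:
            continue  # empty segment or an authserv-id such as mx.example.org
        method, _, result = tokens[0].partition("=")
        method = method.lower()
        if method not in METHODS:
            continue
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, _, val = tok.partition("=")
                entry[key.lower()] = val
        results[method] = entry
    return results


def failed_methods(header: str) -> List[str]:
    """Return the methods whose recorded result is a failure, in METHODS order."""
    parsed = parse_authentication_results(header)
    return [m for m in METHODS
            if m in parsed and parsed[m]["result"] in FAILING_RESULTS]


def failed_methods_from_message(raw: bytes) -> Optional[List[str]]:
    """Same check on a raw .eml; None when the header is absent."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    header = msg.get("Authentication-Results")
    return None if header is None else failed_methods(str(header))


if __name__ == "__main__":
    print(failed_methods(SAMPLE_FAIL))  # spf, dmarc and compauth failed
```

If compauth fails while spf, dkim and dmarc all pass, the sender domain was most likely judged an implicit spoof, which is the case the article's spoof-intelligence notes cover; a message with no Authentication-Results header at all was not evaluated by Exchange Online and its outcome should not be inferred.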
Click Customize columns to select the columns that you want to view. The
default values are marked with an asterisk (*):
Email subject*
Reported by*
Date reported*
Sender*
Reported reason*
Original verdict*
Result*
Message reported ID
Network Message ID
Sender IP
Reported from
Phish simulation
Converted to admin submission
Tags*
Marked as*
Marked by
Date marked
To filter the entries, click Filter. The following values are available in the
Filter flyout that appears:
Date reported: Start date and End date.
Reported by
Email subject
Message reported ID
Network Message ID
Sender
Reported reason: The values Not junk, Phish, or Spam.
Reported from: The values Microsoft add-in or Third party add-in.
Phish simulation: The values Yes or No.
Converted to admin submission: The values Yes or No.
Tags: The default value is All or select a user tag from the drop-down list.
When you're finished, click Apply. To clear existing filters, click Clear filters
in the Filter flyout.
To group the entries, click Group and select one of the following values
from the dropdown list:
None
Reason
Sender
Reported by
Original verdict
Result
Reported from
Phish simulation
Converted to admin submission
Tags
To export the entries, click Export. In the dialog that appears, save the .csv
file.
Note
User reported messages that are sent only to the reporting mailbox (not to
Microsoft) appear on the User reported tab on the Submissions page, but the
Result value for those entries is always blank (because the messages aren't
rescanned).
Report clean
Report phishing
Report malware
Report spam
Trigger investigation
If the message is reported to Microsoft, the Converted to admin submission value changes
from No to Yes. You can open the admin submission directly by clicking View the
converted admin submission in the More options menu on the submission flyout
of the message.
View associated alert for user and admin email
submissions
Important
The information in this section applies only to Defender for Office 365 Plan 2 or
higher.
Currently, user reported messages generate alerts only for messages that are
reported as phishing.
For each user reported phishing message and admin email submission, a corresponding
alert is generated.
To view the corresponding alert for a user reported phishing message, go to the User
reported tab at https://security.microsoft.com/reportsubmission?viewid=user , and
then double-click the message to open the submission flyout. Click More options
and then select View alert.
To view the corresponding alert for admin email submissions, go to the Emails tab at
https://security.microsoft.com/reportsubmission?viewid=email , and then double-click
the message to open the submission flyout. Select View alert on the Open email entity
option.
Enable the Microsoft Report Message or
the Report Phishing add-ins
Article • 12/15/2022 • 9 minutes to read
Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan
2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365
Defender portal trials hub . Learn about who can sign up and trial terms here.
Applies to
Note
The Microsoft Report Message and Report Phishing add-ins for Outlook and Outlook on
the web (formerly known as Outlook Web App or OWA) make it easy to report false
positives (good email marked as bad) or false negatives (bad email allowed) to
Microsoft and its affiliates for analysis.
Microsoft uses these user reported messages to improve the effectiveness of email
protection technologies. For example, suppose that people are reporting many
messages using the Report Phishing add-in. This information surfaces in the Security
Dashboard and other reports. Your organization's security team can use this information
as an indication that anti-phishing policies might need to be updated.
You can install either the Report Message or the Report Phishing add-in. If you want
your users to report both spam and phishing messages, deploy the Report Message
add-in in your organization.
The Report Message add-in provides the option to report both spam and phishing
messages. Admins can enable the Report Message add-in for the organization, and
individual users can install it for themselves.
The Report Phishing add-in provides the option to report only phishing messages.
Admins can enable the Report Phishing add-in for the organization, and individual users
can install it for themselves.
If you're an individual user, you can enable both the add-ins for yourself.
After the add-in is installed and enabled, users will see the following icons:
The Report Message icon in the Simplified Ribbon: Click More commands >
Protection section > Report Message.
The Report Phishing icon in the Simplified Ribbon: Click More commands >
Protection section > Report Phishing.
The add-ins are not available for shared, group, or delegated mailboxes (Report
message will be greyed out).
Your existing web browser should work with the Report Message and Report
Phishing add-ins. But, if you notice an add-in isn't available or not working as
expected, try a different browser.
Admins need to be a member of the Global admins role group. For more
information, see Permissions in the Microsoft 365 Defender portal.
For more information on how to report a message using the Report Message
feature, see Report false positives and false negatives in Outlook.
Organizations that have a URL filtering or security solution (such as a proxy and/or
firewall) in place must allow HTTPS access to the ipagave.azurewebsites.net and
outlook.office.com endpoints.
Important
Admin instructions
Install and configure the Report Message or Report Phishing add-ins for the
organization.
Note
3. In the Microsoft 365 Apps page that opens, enter Report Message in the
Search box.
In the search results, click Get it now in the Report Message entry or the Report
Phishing entry.
Note
Although the screenshots in the remaining steps show the Report Message
add-in, the steps are identical for the Report Phishing add-in.
4. The Deploy New App wizard opens. On the Add users page, configure the
following settings:
Is this a test deployment?: Leave the toggle at No, or set the toggle to
Yes.
5. On the Accept permissions requests page, read the app permissions and
capabilities information carefully before you click Next.
6. On the Review and finish deployment page, review your settings. Click Back to
make changes.
7. A progress indicator appears on the Review and finish deployment page. If
deployment of the add-in is successful, the page title changes to Deployment
completed.
If you click View this deployment, the page closes and you're taken to the details
of the add-in as described in the next section.
Note
2. In the Deploy a new add-in flyout that opens, click Next, and then select Upload
custom apps.
3. Select I have a URL for the manifest file. Use the following URLs:
Report Message:
https://ipagave.azurewebsites.net/ReportMessageManifest/ReportMessageAzure.xml
Report Phishing:
https://ipagave.azurewebsites.net/ReportPhishingManifest/ReportPhishingAzure.xml
4. Choose which users will have access to the add-in, select a deployment method,
and then select Deploy.
Note
Although the screenshots in the remaining steps show the Report Message
add-in, the steps are identical for the Report Phishing add-in.
2. On the Integrated apps page, select the Report Message add-in or the Report
Phishing add-in by doing one of the following steps:
In the Name column, click the icon or text for the add-in. This selection takes
you to the Overview tab in the details flyout as described in the next steps.
In the Name column, click ⋮ Edit row, and then select Edit users. This
selection takes you to the Users tab in the details flyout as described in the
next steps.
In the Name column, click ⋮ Edit row, and then select Check usage data.
This selection takes you to the Usage tab in the details flyout as described in
the next steps.
Overview tab:
Basic info section:
Status
Type: Add-in
Test deployment: Yes or No, depending on the option you selected
when you deployed the add-in or the selection you change on the
Users tab.
Description
Host product: Outlook
Actions section: Click Remove app to remove the app.
Assigned users section: Click Edit users to go to the Users tab.
Usage section: Click Check usage data to go to the Usage tab.
Users tab:
Is this a test deployment?: Leave the toggle at No, or set the toggle
to Yes.
Usage tab: The chart and details table show the number of active users over
time.
Filter the Date range to 7 days, 30 days (default), or 90 days.
In the Report column, click Download to download the information
filtered by Date range to the file named UsageData.csv.
When you're finished viewing the information on the tabs, click Close to close
the details flyout.
User instructions
Get the Report Message or Report Phishing add-ins for
yourself
1. Do one of the following steps:
Use one of the following URLs to go directly to the download page for the
add-in:
Report Message:
https://appsource.microsoft.com/product/office/WA104381180
Report Phishing:
https://appsource.microsoft.com/product/office/WA200002469
Note
Although the screenshots in the remaining steps show the Report Message
add-in, the steps are identical for the Report Phishing add-in.
4. When the installation is finished, you'll see the following Launch page:
Microsoft provides the following tools for users to report good and bad messages:
Built-in reporting in Outlook on the web (formerly known as Outlook Web App or
OWA).
The Microsoft Report Message or Report Phishing add-ins. The add-ins work on
virtually all Outlook platforms, including Outlook on the web. For more
information, see Enable the Microsoft Report Message or Report Phishing add-ins.
For more information about reporting messages to Microsoft, see Report messages and
files to Microsoft.
Note
Admins in Microsoft 365 organizations with Exchange Online mailboxes use the
Submissions page in the Microsoft 365 Defender portal to submit messages to
Microsoft. For instructions, see Use the Submissions portal to submit suspected
spam, phish, URLs, and files to Microsoft.
Note
The built-in Report button is available in Outlook on the web only if both of
the following settings are configured on the User reported page at
https://security.microsoft.com/securitysettings/userSubmission :
The toggle on the User reported page is On.
Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk"
options is selected.
Currently, the Report button in Outlook on the web does not honor the
Before a message is reported and After a message is reported settings
(notification pop-ups) in the user reported message settings.
Based on the user reported message settings in your organization, the messages are
sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken
on the reported messages in the mailbox:
Reported as junk: The messages are moved to the Junk Email folder.
Reported as phishing: The messages are deleted.
Based on the user reported message settings in your organization, the messages are
sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out
of Junk Email to the Inbox or another specified folder.
Note
Classic Ribbon: Click Report Message, and then select Junk or Phishing in
the dropdown list.
Simplified Ribbon: Click More commands > Protection section > Report
Message > select Junk or Phishing.
Based on the user reported message settings in your organization, the messages are
sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken
on the reported messages in the mailbox:
Reported as junk: The messages are moved to the Junk Email folder.
Reported as phishing: The messages are deleted.
Classic Ribbon: Click Report Message, and then select Not Junk in the
dropdown list.
Simplified Ribbon: Click More commands > Protection section > Report
Message > select Not Junk.
Based on the user reported message settings in your organization, the messages are
sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out
of Junk Email to the Inbox or another specified folder.
Use the User reported tab on the Submissions page in the Microsoft 365 Defender
portal at https://security.microsoft.com/reportsubmission . For more information,
see View user reported messages to Microsoft.
Create a mail flow rule (also known as a transport rule) to send copies of reported
messages to a recipient for review. For instructions, see Use mail flow rules to see
what users are reporting to Microsoft.
More information
Admins can watch this short video to learn how to use Microsoft Defender for Office
365 to easily investigate user reported messages. Admins can determine the contents of
a message and how to respond by applying the appropriate remediation action.
https://www.microsoft.com/en-us/videoplayer/embed/RWBHof?postJsllMsg=true
User reported message settings
Article • 01/10/2023 • 23 minutes to read
In Microsoft 365 organizations with Exchange Online mailboxes, you can identify a
reporting mailbox (formerly known as a custom mailbox or submissions mailbox) to hold
messages that users report as malicious or not malicious using supported reporting
tools in Outlook. For Microsoft reporting tools, you can decide whether to send user
reported messages to the reporting mailbox, to Microsoft, or to the reporting mailbox
and Microsoft. These selections were formerly part of the User submissions policy or User
submissions.
User reported message settings and the reporting mailbox work with the following
message reporting tools:
Note
Identify the reporting mailbox as a SecOps mailbox. For instructions, see Use the
Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced
delivery policy.
Create a custom anti-malware policy for the reporting mailbox with the following
settings:
Turn off Zero-hour auto purge (ZAP) for malware (Protection settings section >
Enable zero-hour auto purge for malware is not selected or -ZapEnabled
$false in PowerShell).
Turn off common attachments filtering (Protection settings section > Enable
the common attachments filter is not selected or -EnableFileFilter $false in
PowerShell).
Verify that the reporting mailbox is not included in the Standard or Strict preset
security policies. For instructions, see Preset security policies.
Exclude the reporting mailbox from the Built-in protection preset security
policy. For instructions, see Preset security policies.
Create a Safe Attachments policy for the mailbox where Safe Attachments
scanning, including Dynamic Delivery, is turned off (Settings > Safe
Attachments unknown malware response section > Off or -Enable $false in
PowerShell). For instructions, see Set up Safe Attachments policies in Microsoft
Defender for Office 365.
Create a Safe Links policy for the reporting mailbox where Safe Links scanning
in email is turned off (URL & click protection settings > On: Safe Links checks a
list of known, malicious links when users click links in email is not selected or
-EnableSafeLinksForEmail $false in PowerShell). For instructions, see Set up Safe
Links policies in Microsoft Defender for Office 365.
If you have data loss prevention (DLP), exclude the reporting mailbox from DLP.
For instructions, see Creating exceptions in DLP.
After you've verified that the reporting mailbox meets all of these requirements, use the
rest of the instructions in this article to identify the reporting mailbox and configure the
related settings for user reported messages.
To modify the settings for user reported messages, you need to be a member of
one of the following role groups:
Organization Management or Security Administrator in the Permissions in the
Microsoft 365 Defender portal.
You need access to Exchange Online PowerShell. If the account that you're trying
to use doesn't have access to Exchange Online PowerShell, you'll receive an error
that looks like this when specifying the submissions mailbox:
2. On the User reported page, what you see and can configure is determined entirely
by the toggle at the top of the page:
Users in your organization can see and use the built-in Report button
in Outlook on the web or the Microsoft Report Message or Report
Phishing add-ins in virtually all Outlook platforms to report messages.
You can configure user reported messages to go to the reporting
mailbox, to Microsoft, or both.
You decide whether users receive Before a message is reported and
After a message is reported pop-ups in Outlook.
You decide how to customize the feedback email that's sent to users
from Mark and notify on the Submissions page at
https://security.microsoft.com/reportsubmission .
You decide whether users can report messages from quarantine.
In the Add a mailbox to send reported messages to box that appears, enter the
email address of an existing Exchange Online mailbox to use as the reporting
mailbox that holds user reported messages from Microsoft reporting tools.
Distribution groups are not allowed.
In the Add a mailbox to send reported messages to box that appears, enter the
email address of an existing Exchange Online mailbox to use as the reporting
mailbox. Distribution groups are not allowed.
Important
In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD),
the only available selection in the Send the reported messages to section is
My reporting mailbox only. The other two options are grayed out.
If you select My reporting mailbox only, the Result value of messages entries
on the User reported tab on the Submissions page at
https://security.microsoft.com/reportsubmission?viewid=user will always
be empty, because the messages were not rescanned.
Note
Currently, users who report messages from Outlook on the web using the built-in
Report button don't get these before or after pop-up messages. The pop-ups work
for users who report messages using the Microsoft Report Message and Report
Phishing add-ins.
Show a pop-up message in Outlook to confirm that the user wants to report the
message in the Before a message is reported section: This setting controls
whether users see a pop-up before they report a message.
If this setting is selected, click Customize before message to enter the Title
and Message text in the Customize text before message is reported flyout that
opens. Use the variable %type% to include the submission type (junk, not junk,
phishing, etc.).
When you're finished, click Confirm to return to the User reported page.
Show a success pop-up message in Outlook after the user reports in the After a
message is reported section: This setting controls whether users see a pop-up
after they report a message.
If this setting is selected, click Customize after message to enter the Title and
Message text in the Customize text after message is reported flyout that opens.
Use the variable %type% to include the submission type (junk, not junk, phishing,
etc.).
Email sent to user after admin review section: The following settings are available:
Specify an Office 365 mailbox to send email notifications from: Select this
option and enter the sender's email address in the box that appears.
Replace the Microsoft logo with my company logo: Select this option to
replace the default Microsoft logo that's used in notifications. Before you do
this step, you need to follow the instructions in Customize the Microsoft 365
theme for your organization to upload your custom logo. This option is not
supported if your organization has a custom logo pointing to a URL instead of
an uploaded image file.
Customize email notification messages: Click this link to customize the email
notification that's sent after an admin reviews and marks a reported message. In
the Customize admin review email notifications flyout that appears, configure
the following settings on the Phishing, Junk and No threats found tabs:
Email body results text: Enter the custom text to use. You can use different
text for Phishing, Junk and No threats found.
Email footer text: Enter the custom message footer text to use. The same
text is used for Phishing, Junk and No threats found.
When you're finished, click Confirm to return to the User reported page.
When you're finished on the User reported page, click Save. To restore all settings on
the page to their immediately previous values, click Restore.
These user reported messages appear on the User reported tab of the
Submissions page at https://security.microsoft.com/reportsubmission?
viewid=user . The Result value for these entries is Not Submitted to Microsoft.
Messages sent to the reporting mailbox must include the original user reported
message as an uncompressed .EML or .MSG attachment. Don't forward the original
user reported message to the reporting mailbox.
Note
Messages that contain multiple attached messages will be discarded. We
support only one attached original message in a user reported message.
The message formatting requirements are described in the next section. This
formatting is optional, but if user reported messages don't follow the prescribed
format, they're always identified as phishing.
Let your organization report messages from quarantine in the Report from
quarantine section: Verify that this setting is selected to let users report messages
from quarantine. Otherwise, uncheck this setting.
When you're finished on the User reported page, click Save. To restore all settings on
the page to their immediately previous values, click Restore.
To specify the reason why the original, attached messages were reported, messages sent
to the reporting mailbox must meet the following criteria:
The user reported message should contain the following required headers:
1. X-Microsoft-Antispam-Message-Info
2. Message-Id
3. X-Ms-Exchange-Organization-Network-Message-Id
4. X-Ms-Exchange-Crosstenant-Id
Note
The Subject line (Envelope Title) of messages sent to the reporting mailbox must
start with one of the following prefix values:
1| or Junk:
2| or Not junk:
3| or Phishing:
For example:
3|This text in the Subject line is ignored by the system
Not Junk:This text in the Subject line is also ignored by the system
Messages that don't follow this format will not display properly on the
Submissions page at https://security.microsoft.com/reportsubmission .
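To check a message bound for the reporting mailbox against this format before it is sent (or to triage ones that were not displayed properly), here is an added Python example; it is not code from the original article or from Microsoft. It parses a raw message, classifies the Subject prefix, counts the attached messages, and verifies that the attached original carries the four required headers. The sample messages it builds are constructed test data: the addresses, header values and filenames are placeholders, not values from any real tenant.

```python
import email
from email import policy
from email.message import EmailMessage

# Headers that must be present on the attached original message (from the article).
REQUIRED_HEADERS = (
    "X-Microsoft-Antispam-Message-Info",
    "Message-Id",
    "X-Ms-Exchange-Organization-Network-Message-Id",
    "X-Ms-Exchange-Crosstenant-Id",
)

# Accepted Subject prefixes and the report reason each encodes; the word forms are
# matched case-insensitively, as the article's "Not Junk:" example implies.
SUBJECT_PREFIXES = (
    ("1|", "junk"), ("junk:", "junk"),
    ("2|", "not junk"), ("not junk:", "not junk"),
    ("3|", "phishing"), ("phishing:", "phishing"),
)


def report_reason(subject):
    """Return the reason encoded by the Subject prefix, or None if no prefix matches."""
    text = (subject or "").lstrip().lower()
    for prefix, reason in SUBJECT_PREFIXES:
        if text.startswith(prefix):
            return reason
    return None


def validate_report(raw_bytes):
    """Check a raw message bound for the reporting mailbox against the documented format.

    Returns {"ok": bool, "reason": str | None, "problems": [str, ...]}.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    problems = []

    reason = report_reason(msg["Subject"])
    if reason is None:
        problems.append("Subject does not start with 1|, 2|, 3|, Junk:, Not junk: or Phishing:")

    parsed = []   # message/rfc822 attachments we can inspect
    opaque = 0    # .eml/.msg attachments carried as opaque bytes (counted, not inspected)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "message/rfc822":
            parsed.append(part.get_content())
        elif name.endswith((".eml", ".msg")):
            opaque += 1
        # Anything else (for example a .zip) is not an accepted carrier for the original.

    count = len(parsed) + opaque
    if count == 0:
        problems.append("no uncompressed .EML or .MSG attachment found")
    elif count > 1:
        problems.append(f"{count} attached messages found; exactly one is accepted")

    for original in parsed:
        missing = [h for h in REQUIRED_HEADERS if h not in original]
        if missing:
            problems.append("attached message lacks required header(s): " + ", ".join(missing))

    return {"ok": not problems, "reason": reason, "problems": problems}


def constructed_original(with_required_headers=True):
    """Constructed stand-in for a user-reported message (sample data, not real mail)."""
    original = EmailMessage()
    original["From"] = "sender@example.invalid"
    original["To"] = "user@contoso.example"
    original["Subject"] = "Your account needs verification"
    if with_required_headers:
        # Placeholder values; the real ones are stamped by the service on delivery.
        original["Message-Id"] = "<constructed-0001@example.invalid>"
        original["X-Microsoft-Antispam-Message-Info"] = "constructed-placeholder"
        original["X-Ms-Exchange-Organization-Network-Message-Id"] = "00000000-0000-0000-0000-000000000001"
        original["X-Ms-Exchange-Crosstenant-Id"] = "00000000-0000-0000-0000-000000000002"
    original.set_content("Please verify your account.")
    return original


def constructed_report(subject, originals, add_zip=False):
    """Wrap originals as message/rfc822 attachments, the way a reporting tool would."""
    outer = EmailMessage()
    outer["From"] = "reporter@contoso.example"
    outer["To"] = "reportedmessages@contoso.example"
    outer["Subject"] = subject
    outer.set_content("User reported message attached.")
    for i, original in enumerate(originals):
        outer.add_attachment(original, filename=f"reported-{i}.eml")
    if add_zip:  # a compressed carrier, which the reporting mailbox does not accept
        outer.add_attachment(b"PK\x03\x04constructed", maintype="application",
                             subtype="zip", filename="reported.zip")
    return outer.as_bytes()


if __name__ == "__main__":
    print(validate_report(constructed_report("3|reported by user", [constructed_original()])))
```

A .msg attachment is counted but not inspected here, since parsing Outlook's compound file format needs a separate library; the header check runs on message/rfc822 parts, which is how most reporting tools attach the original.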
In Exchange Online PowerShell, the basic elements of the user reported message
settings are:
The report submission policy: Turns the Microsoft integrated reporting experience
on or off, turns sending reported messages to Microsoft on or off, turns sending
reported messages to the reporting mailbox on or off, and most other settings.
The report submission rule: Specifies the email address of the reporting mailbox
or a blank value when the reporting mailbox isn't used (report messages to
Microsoft only).
The difference between these two elements isn't obvious when you manage the user
reported message settings in the Microsoft 365 Defender portal:
You can delete the report submission rule and recreate it with a different name, but
the rule is always associated with the report submission policy whose name you
can't change. So, we recommend that you name the rule
DefaultReportSubmissionRule whenever you create or recreate the rule.
When you specify the email address of the reporting mailbox in the Microsoft 365
Defender portal, that value is primarily set in the report submission rule, but the
value is also copied into the related properties in the report submission policy. In
PowerShell, when you set the email address in the rule, the value isn't copied into
the related properties in the policy. For consistency with the Microsoft 365
Defender portal and for clarity, we recommend that you add or update the email
address in the policy and the rule.
PowerShell
Get-ReportSubmissionPolicy
PowerShell
Get-ReportSubmissionRule
To view both the policy and the rule at the same time, run the following commands:
PowerShell
Always create the report submission policy first, because you specify the report
submission policy in the report submission rule.
Other settings:
Before a message is reported section:
Show a pop-up message in Outlook to confirm if the user wants to report the
message is selected (-PreSubmitMessageEnabled $true | $false is available only
on Set-ReportSubmissionPolicy; the unconfigurable value on
New-ReportSubmissionPolicy is $true).
Customize before message link: Nothing is entered in the Title or Message
boxes in the flyout (-EnableCustomizedMsg $false is the default value).
Note
Report from quarantine section: Let your organization report messages from
quarantine is selected ( -DisableQuarantineReportingOption $false is the default
value).
PowerShell
New-ReportSubmissionPolicy
Because a reporting mailbox isn't used, the report submission rule is not needed or
created.
This example creates the report submission policy and the report submission rule with
the following settings:
values).
Add a mailbox to send reported messages to specifies the email address of the
reporting mailbox.
New-ReportSubmissionPolicy: -ReportJunkToCustomizedAddress $true
-ReportJunkAddresses <emailaddress> -ReportNotJunkToCustomizedAddress $true
-ReportNotJunkAddresses <emailaddress>.
New-ReportSubmissionRule: -SentTo <emailaddress> .
Note
You must use the same email address value in all parameters that identify
the reporting mailbox.
The remaining settings are the default values in "Other settings" as described in Use
PowerShell to configure the Microsoft integrated reporting experience with report to
Microsoft only.
PowerShell
$usersub = "reportedmessages@contoso.com"
Add a mailbox to send reported messages to specifies the email address of the
reporting mailbox.
New-ReportSubmissionPolicy: -ReportJunkToCustomizedAddress $true
-ReportJunkAddresses <emailaddress> -ReportNotJunkToCustomizedAddress $true
-ReportNotJunkAddresses <emailaddress> -
Note
You must use the same email address value in all parameters that identify
the reporting mailbox.
The remaining settings are the default values in "Other settings" as described in Use
PowerShell to configure the Microsoft integrated reporting experience with report to
Microsoft only.
PowerShell
$usersub = "userreportedmessages@fabrikam.com"
This example creates the report submission policy and the report submission rule with
the following settings:
Note
You must use the same email address value in all parameters that identify
the reporting mailbox.
Other settings:
Report from quarantine section: Let your organization report messages from
quarantine is selected ( -DisableQuarantineReportingOption $false is the default
value).
PowerShell
$usersub = "thirdpartyreporting@wingtiptoys.com"
Turning off the Microsoft integrated reporting experiences has the following
consequences:
The Report button in Outlook on the web and the Microsoft Report Message and
Report Phishing add-ins are unavailable in all Outlook platforms.
Third-party reporting tools still work, but reported messages do not appear on the
Submissions page in the Microsoft 365 Defender portal.
This example creates the report submission policy with the Microsoft integrated
reporting experience turned Off (-EnableReportToMicrosoft $false;
-EnableThirdPartyAddress $false -ReportJunkToCustomizedAddress $false -
PowerShell
Note
Currently, users who report messages from Outlook on the web using the
built-in Report button don't get these pop-up messages. The pop-ups work
for users who report messages using the Microsoft Report Message and
Report Phishing add-ins.
When you modify the existing settings in the report submission policy, you might need
to undo or nullify some important settings that you previously configured or didn't
configure. And, you might need to create or delete the report submission rule to allow
or prevent message reporting to a reporting mailbox.
The following examples show how to change the user reporting experience without
concern for the existing settings or values:
Change to Use built-in "Report" button with "Phishing", "Junk" and "Not Junk"
options and Send messages to > Microsoft only:
PowerShell
Get-ReportSubmissionRule | Remove-ReportSubmissionRule
Change to Use built-in "Report" button with "Phishing", "Junk" and "Not Junk"
options and Send messages to > Microsoft and my reporting mailbox (for
example, reportedmessages@contoso.com):
PowerShell
$usersub = "reportedmessages@contoso.com"
The following command is required only if you don't already have the report
submission rule:
PowerShell
Change to Use built-in "Report" button with "Phishing", "Junk" and "Not Junk"
options and Send messages to > Microsoft and my reporting mailbox (for
example, userreportedmessages@fabrikam.com):
PowerShell
$usersub = "userreportedmessages@fabrikam.com"
The following command is required only if you don't already have the report
submission rule:
PowerShell
PowerShell
$usersub = "thirdpartyreporting@wingtiptoys.com"
The following command is required only if you don't already have the report
submission rule:
PowerShell
PowerShell
The following command is required only if you don't already have the report
submission rule:
PowerShell
Get-ReportSubmissionRule | Remove-ReportSubmissionRule
The only meaningful setting that you can modify in the report submission rule is the
email address of the reporting mailbox (the SentTo parameter value). For example:
PowerShell
Note
If you change the email address of the reporting mailbox in the report submission
rule, be sure to change the corresponding values in the report submissions policy.
For example:
ThirdPartyReportAddresses
ReportJunkAddresses, ReportNotJunkAddresses, and ReportPhishAddresses
To temporarily disable sending email messages to the reporting mailbox without deleting
the report submission rule, use Disable-ReportSubmissionRule. For example:
PowerShell
PowerShell
To remove the report submission policy, run the following command in Exchange Online
PowerShell:
PowerShell
PowerShell
Get-ReportSubmissionRule | Remove-ReportSubmissionRule
To remove both the report submission policy and report submission rule in the same
command without prompts, run the following command:
PowerShell
Remove-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy; Get-ReportSubmissionRule | Remove-ReportSubmissionRule -Confirm:$false
Note
But what can you do if you receive a message with a suspicious attachment or have a
suspicious file on your system? Or what if you suspect that your computer or device was
infected by an email attachment that made it past our filters or a file you downloaded
from the internet? In these cases, you should submit the suspicious attachment or file to
Microsoft. Conversely, if an attachment in an email message or file was incorrectly
identified as malware or some other threat, you can submit that, too.
What do you need to know before you begin?
Messages with attachments that contain scripts or other malicious executables are
considered malware, and you can use the procedures in this article to report them.
Messages with links to malicious sites are considered spam. For more information
about reporting spam and non-spam, see Report messages and files to Microsoft.
Files that block you from accessing your system and demand money to open
them are considered ransomware.
After you've uploaded the file or files, note the Submission ID that's created for your
sample submission (for example, 7c6c214b-17d4-4703-860b-7f1e9da03f7f ).
After we receive the sample, we'll investigate. If we determine that the sample file is
malicious, we'll take corrective action to prevent the malware from going undetected.
If you continue receiving infected messages or attachments, then you should copy the
message headers from the email message, and contact Microsoft Customer Service and
Support for further assistance. Be sure to have your Submission ID ready as well.
You can also submit a file that you believe was incorrectly identified as malware to the
website. (Just select No for the question Do you believe this file contains malware?)
After we receive the sample, we'll investigate. If we determine that the sample file is
clean, we'll take corrective action to prevent the file from being detected as malware.
Admin review for reported messages
Article • 12/09/2022 • 3 minutes to read
In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender
for Office 365, admins can send templated messages back to end users after they review
reported messages. The templates can be customized for your organization and based
on your admin's verdict as well.
The feature is designed to give feedback to your users but doesn't change the verdicts
of messages in the system. To help Microsoft update and improve its filters, you need to
submit messages for analysis using Admin submission.
You will only be able to mark and notify users of review results if the message was
reported as a false positive or false negative.
2. On the User reported tab, find and select the message, select Mark as and notify,
and then select one of the following values from the dropdown list:
No threats found
Phishing
Junk
The reported message will be marked as either false positive or false negative, and an
email will be automatically sent from within the portal notifying the user who reported
the message.
2. On the User reported page, verify that the toggle at the top of the page is
On.
3. Find the Email sent to user after admin review section and configure one or more
of the following settings:
Specify an Office 365 mailbox to send email notifications from: Select this
option and enter the sender's email address in the box that appears.
Replace the Microsoft logo with my company logo: Select this option to
replace the default Microsoft logo that's used in notifications. Before you do
this step, you need to follow the instructions in Customize the Microsoft 365
theme for your organization to upload your custom logo. This option is not
supported if your organization has a custom logo pointing to a URL instead
of an uploaded image file.
Customize email notification messages: Click this link to customize the email
notification that's sent after an admin reviews and marks a reported message.
In the Customize admin review email notifications flyout that appears,
configure the following settings on the Phishing, Junk and No threats found
tabs:
Email body results text: Enter the custom text to use.
Footer tab: The following options are available:
Email footer text: Enter the custom message footer text to use.
4. When you're finished, click Save. To clear these values, click Restore on the User
reported page.
Errors during admin submissions
Article • 01/17/2023 • 2 minutes to read
This article explains the common error messages that you might receive as you try to
report emails, URLs, and email attachments to Microsoft.
You tried to submit an email message that wasn't filtered by Exchange Online
Protection (EOP) or Microsoft Defender for Office 365 at the time of delivery.
It's hard for us to determine why the message was missed or delivered when it
wasn't filtered by Microsoft's protection stack.
You tried to submit an email message that was filtered by EOP or Defender for
Office 365, but we're still in the process of collecting the required metadata
(descriptive data) about the message.
If you wait "a while" and submit the message again, the submission will be
successful.
Campaigns in Microsoft Defender for
Office 365
Article • 12/20/2022 • 13 minutes to read
Campaigns in the Microsoft 365 Defender portal identifies and categorizes coordinated
email attacks including phishing and malware. Campaigns can help you to:
Efficiently investigate and respond to phishing and malware attacks, delivered via
email.
Better understand the scope of the email attack targeting your organization.
Show value of Microsoft Defender for Office to decision makers in preventing
email threats.
Campaigns lets you see the big picture of an email attack faster and more completely
than any human could.
Watch this short video on how campaigns in Microsoft Defender for Office 365 help you
understand coordinated email attacks targeting your organization.
https://www.microsoft.com/en-us/videoplayer/embed/RWGBL8?postJsllMsg=true
What is a campaign?
A campaign is a coordinated email attack against one or many organizations. Email
attacks that steal credentials and company data are a large and lucrative industry. As
technologies increase in an effort to stop attacks, attackers modify their methods in an
effort to ensure continued success.
A campaign might be short-lived, or could span several days, weeks, or months with
active and inactive periods. A campaign might be launched against your specific
organization, or your organization might be part of a larger campaign across multiple
companies.
Campaigns overview
The main Campaigns page is a threat report with all campaigns targeting your
organization.
On the default Campaign tab, the Campaign type area shows a bar graph that shows
the number of recipients per day. By default, the graph shows both Phish and Malware
data.
Tip
If you don't see any campaign data, or very limited data, try changing the date
range or filters.
The table below the graph on the overview page shows the following information on
the Campaign tab:
Name
Sample subject: The subject line of one of the messages in the campaign. Note
that all messages in the campaign will not necessarily have the same subject.
Subtype: This value contains more details about the campaign. For example:
Phish: Where available, the brand that is being phished by this campaign. For
example, Microsoft , 365 , Unknown , Outlook , or DocuSign .
Malware: For example, HTML/PHISH or HTML/<MalwareFamilyName> .
When the detection is driven by Defender for Office 365 technology, the prefix ATP- is
added to the subtype value.
Inboxed: The number of users that received messages from this campaign in their
Inbox (not delivered to their Junk Email folder).
Clicked: The number of users that clicked on the URL or opened the attachment in
the phishing message.
Visited: How many users actually made it through to the payload website. If there
are Clicked values, but Safe Links blocked access to the website, this value will be
zero.
The Campaign origin tab shows the message sources on a map of the world.
The most basic filtering that you can do is the start date/time and the end date/time.
To further filter the view, you can do single property with multiple values filtering by
clicking the Campaign type button, making your selection, and then clicking Refresh.
The filterable campaign properties that are available in the Campaign type button are
described in the following list:
Basic:
Campaign type: Select Malware or Phish. Clearing the selections has the same
result as selecting both.
Campaign name
Campaign subtype
Sender
Recipients
Sender domain
Subject
Attachment filename
Malware family
Tags: Users or groups that have had the specified user tag applied (including
priority accounts). For more information about user tags, see User tags.
Delivery action
Additional action
Directionality
Detection technology
Original delivery location
Latest delivery location
System overrides
Advanced:
Internet message ID: Available in the Message-ID header field in the message
header. An example value is <08f1e0f6806a47b4ac103961109ae6ef@server.domain>
(note the angle brackets).
Network message ID: A GUID value that's available in the
X-MS-Exchange-Organization-Network-Message-Id header field in the message header.
Sender IP
Attachment SHA256: To find the SHA256 hash value of a file in Windows, run
the following command in a Command Prompt:
certutil.exe -hashfile "<Path>\<Filename>" SHA256
Cluster ID
Alert ID
Alert Policy ID
Campaign ID
ZAP URL signal
URLs:
URL domain
URL domain and path
URL
URL path
Click verdict
For more advanced filtering, including filtering by multiple properties, you can click the
Advanced filter button to build a query. The same campaign properties are available,
but with the following enhancements:
After you create a basic or advanced filter, you can save it by using Save query or Save
query as. Later, when you return to the Campaigns page, you can load a saved filter by
clicking Saved query settings.
To export the graph or the list of campaigns, click Export and select Export chart data
or Export campaign list.
If you have a Microsoft Defender for Endpoint subscription, you can click MDE Settings
to connect or disconnect the campaigns information with Microsoft Defender for
Endpoint. For more information, see Integrate Microsoft Defender for Office 365 with
Microsoft Defender for Endpoint.
Campaign details
When you click on the name of a campaign, the campaign details appear in a flyout.
Campaign information
At the top of the campaign details view, the following campaign information is available:
Campaign flow
In the middle of the campaign details view, important details about the campaign are
presented in a horizontal flow diagram (known as a Sankey diagram). These details will
help you to understand the elements of the campaign and the potential impact in your
organization.
Tip
The information that's displayed in the flow diagram is controlled by the date range
filter in the timeline as described in the previous section.
If you hover over a horizontal band in the diagram, you'll see the number of related
messages (for example, messages from a particular source IP, messages from the source
IP using the specified sender domain, etc.).
Sender IPs
Sender domains
Filter verdicts: Verdict values are related to the available phishing and spam
filtering verdicts as described in Anti-spam message headers. The available values
are described in the following table:
Value | Spam filter verdict | Description
Allowed | SFV:SKN | The message was marked as not spam and/or skipped filtering before being evaluated by spam filtering. For example, the message was marked as not spam by a mail flow rule (also known as a transport rule).
Allowed | SFV:SKI | The message skipped spam filtering for other reasons. For example, the sender and recipient appear to be in the same organization.
Blocked | SFV:SKS | The message was marked as spam before being evaluated by spam filtering. For example, by a mail flow rule.
Not Detected | SFV:NSPM | The message was marked as not spam by spam filtering.
Released | SFV:SKQ | The message skipped spam filtering because it was released from quarantine.
Tenant Allow* | SFV:SKA | The message skipped spam filtering because of the settings in an anti-spam policy. For example, the sender was in the allowed sender list or allowed domain list.
Tenant Block** | SFV:SKA | The message was blocked by spam filtering because of the settings in an anti-spam policy. For example, the sender was in the allowed sender list or allowed domain list.
User Allow* | SFV:SFE | The message skipped spam filtering because the sender was in a user's Safe Senders list.
User Block** | SFV:BLK | The message was blocked by spam filtering because the sender was in a user's Blocked Senders list.
ZAP | n/a | Zero-hour auto purge (ZAP) moved the delivered message to the Junk Email folder or quarantine. You configure the action in anti-spam policies.
* Review your anti-spam policies, because the allowed message would have likely
been blocked by the service.
** Review your anti-spam policies, because these messages should be quarantined,
not delivered.
Note
In all layers that contain more than 10 items, the top 10 items are shown, while the
rest are bundled together in Others.
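The layer counts behind the flow diagram can be reproduced from your own exported message list. The following Python is an added example and is not code from the article or from Microsoft: it reads the SFV code out of the X-Forefront-Antispam-Report header value (the header the linked Anti-spam message headers article describes), maps it onto the verdict categories in the table above, counts messages per sender IP, sender domain and verdict, and bundles everything past the top 10 into Others as the Note describes. The records, IP addresses and domains are constructed sample data, and the record field names (sender_ip, sender_domain, antispam_report, zapped) are this example's own, not an export format.

```python
from collections import Counter

# Filter verdict category per SFV code, following the table in this section. SFV:SKA is
# listed there under both Tenant Allow and Tenant Block, so the code alone is reported as
# "Tenant Allow/Block"; the anti-spam policy settings tell the two apart.
SFV_TO_VERDICT = {
    "SKN": "Allowed", "SKI": "Allowed", "SKS": "Blocked", "NSPM": "Not Detected",
    "SKQ": "Released", "SKA": "Tenant Allow/Block", "SFE": "User Allow", "BLK": "User Block",
}


def sfv_from_header(report_header):
    """Extract the SFV code from a value such as 'CIP:203.0.113.5;CTRY:XX;SFV:SKN;SCL:1'."""
    for field in report_header.split(";"):
        name, sep, value = field.strip().partition(":")
        if sep and name.upper() == "SFV":
            return value.strip().upper()
    return None


def filter_verdict(report_header, zapped=False):
    """Verdict label for one message as used in the flow; ZAP takes precedence when it fired."""
    if zapped:
        return "ZAP"
    code = sfv_from_header(report_header)
    return SFV_TO_VERDICT.get(code, f"Unknown ({code})")


def layer_counts(records, key, top_n=10):
    """Count messages per distinct value of `key`; keep the top_n, bundle the rest as Others."""
    ranked = Counter(r[key] for r in records).most_common()
    shown = ranked[:top_n]
    rest = sum(count for _, count in ranked[top_n:])
    if rest:
        shown.append(("Others", rest))
    return shown


def campaign_flow(records, top_n=10):
    """Per-layer counts for the Sender IPs, Sender domains and Filter verdicts layers."""
    enriched = [dict(r, verdict=filter_verdict(r["antispam_report"], r.get("zapped", False)))
                for r in records]
    return {
        "Sender IPs": layer_counts(enriched, "sender_ip", top_n),
        "Sender domains": layer_counts(enriched, "sender_domain", top_n),
        "Filter verdicts": layer_counts(enriched, "verdict", top_n),
    }


def constructed_records():
    """Constructed sample: 12 sender IPs (TEST-NET-3 addresses); IP n sends 13-n messages,
    so the Sender IPs layer has more than 10 items and exercises the Others bundling."""
    records = []
    for n in range(1, 13):
        sfv = "SKN" if n % 4 == 0 else "NSPM"
        for _ in range(13 - n):
            records.append({
                "sender_ip": f"203.0.113.{n}",
                "sender_domain": "example.invalid" if n <= 8 else "example.test",
                "antispam_report": f"CIP:203.0.113.{n};CTRY:XX;SFV:{sfv};SCL:1",
                "zapped": n == 12,
            })
    return records


if __name__ == "__main__":
    for layer, items in campaign_flow(constructed_records()).items():
        print(layer, items)
```

With the sample data the Sender IPs layer shows ten addresses plus an Others entry of 3, which is the behaviour the Note describes; the verdict layer reports the one ZAP'd message as ZAP rather than by its SFV code, mirroring the table's separate ZAP row.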
URL clicks
When a phishing message is delivered to a recipient's Inbox or Junk Email folder, there's
always a chance that the user will click on the payload URL. Not clicking on the URL is a
small measure of success, but you need to determine why the phishing message was
even delivered to the mailbox.
If a user clicked on the payload URL in the phishing message, the actions are displayed
in the URL clicks area of the diagram in the campaign details view.
Allowed
BlockPage: The recipient clicked on the payload URL, but their access to the
malicious website was blocked by a Safe Links policy in your organization.
BlockPageOverride: The recipient clicked on the payload URL in the message, Safe
Links tried to stop them, but they were allowed to override the block. Inspect your
Safe Links policies to see why users are allowed to override the Safe Links verdict
and continue to the malicious website.
PendingDetonationPage: Safe Attachments in Microsoft Defender for Office 365 is
in the process of opening and investigating the payload URL in a virtual computer
environment.
PendingDetonationPageOverride: The recipient was allowed to override the
payload detonation process and open the URL without waiting for the results.
Tabs
The tabs in the campaign details view allow you to further investigate the campaign.
Tip
The information that's displayed on the tabs is controlled by the date range filter in
the timeline as described in Campaign information section.
URL clicks: If users didn't click on the payload URL in the message, this section will
be blank. If a user was able to click on the URL, the following values will be
populated:
User*
URL*
Click time
Click verdict
Sender IPs
Sender IP*
Total count
Inboxed
Not Inboxed
SPF passed: The sender was authenticated by the Sender Policy Framework
(SPF). A sender that doesn't pass SPF validation indicates an unauthenticated
sender, or the message is spoofing a legitimate sender.
Senders
Sender: This is the actual sender address in the SMTP MAIL FROM command,
which is not necessarily the From: email address that users see in their email
clients.
Total count
Inboxed
Not Inboxed
DKIM passed: The sender was authenticated by Domain Keys Identified Mail
(DKIM). A sender that doesn't pass DKIM validation indicates an
unauthenticated sender, or the message is spoofing a legitimate sender.
DMARC passed: The sender was authenticated by Domain-based Message
Authentication, Reporting, and Conformance (DMARC). A sender that doesn't
pass DMARC validation indicates an unauthenticated sender, or the message is
spoofing a legitimate sender.
Attachments
Filename
SHA256
Malware family
Total count
URL
URL*
Total Count
* Clicking on this value opens a new flyout that contains more details about the
specified item (user, URL, etc.) on top of the campaign details view. To return to the
campaign details view, click Done in the new flyout.
Additional actions
The buttons at the bottom of the campaign details view allow you to investigate and
record details about the campaign:
Explore messages: Use the power of Threat Explorer to further investigate the
campaign:
All messages: Opens a new Threat Explorer search tab using the Campaign ID
value as the search filter.
Inboxed messages: Opens a new Threat Explorer search tab using the
Campaign ID and Delivery location: Inbox as the search filter.
Internal messages: Opens a new Threat Explorer search tab using the Campaign
ID and Directionality: Intra-org as the search filter.
Download threat report: Download the campaign details to a Word document (by
default, named CampaignReport.docx). Note that the download contains details
over the entire lifetime of the campaign (not just the filter dates you selected).
Threat Explorer and Real-time detections
Article • 12/22/2022 • 26 minutes to read
If your organization has Microsoft Defender for Office 365, and you have the necessary
permissions, you have either Explorer or Real-time detections (formerly Real-time
reports — see what's new!). Go to Threat management, and then choose Explorer or
Real-time detections.
With Microsoft Defender for Office 365 Plan 2, you see:
With Microsoft Defender for Office 365 Plan 1, you see:
Explorer or Real-time detections helps your security operations team investigate and
respond to threats efficiently. With this report, you can:
Note
The user tags feature is in Preview, isn't available to everyone, and is subject to
change. For information about the release schedule, check out the Microsoft 365
roadmap.
User tags identify specific groups of users in Microsoft Defender for Office 365. For
more information about tags, including licensing and configuration, see User tags.
In Threat Explorer, you can see information about user tags in the following experiences.
Filtering
You can use tags as a filter. Hunt just across priority accounts or specific user tags
scenarios. You can also exclude results that have certain tags. Combine this functionality
with other filters to narrow your scope of investigation.
Tags information is also shown in the URL clicks flyout. To view it, go to Phish or All
Email view and then to the URLs or URL Clicks tab. Select an individual URL flyout to
view additional details about clicks for that URL, including tags associated with that click.
After these updates, you'll see a single entry for each message, regardless of the
different post-delivery events that affect the message. Actions can include ZAP, manual
remediation (which means admin action), Dynamic Delivery, and so on.
In addition to showing malware and phishing threats, you see the spam verdict
associated with an email. Within the email, see all the threats associated with the email
along with the corresponding detection technologies. An email can have zero, one, or
multiple threats. You'll see the current threats in the Details section of the email flyout.
For multiple threats (such as malware and phishing), the Detection tech field shows the
threat-detection mapping, which is the detection technology that identified the threat.
The set of detection technologies now includes new detection methods, as well as
spam-detection technologies. You can use the same set of detection technologies to
filter the results across the different email views (Malware, Phish, All Email).
Note
Threats in URLs
You can now see the specific threat for a URL on the email flyout Details tab. The threat
can be malware, phish, spam, or none.
Updated timeline view (upcoming)
Timeline view identifies all delivery and post-delivery events. It includes information
about the threat identified at that point of time for a subset of these events. Timeline
view also provides information about any additional action taken (such as ZAP or
manual remediation), along with the result of that action. Timeline view information
includes:
Original delivery location will give more information about where an email was
delivered initially. Latest delivery location will state where an email landed after system
actions like ZAP or admin actions like Move to deleted items. Latest delivery location is
intended to tell admins the message's last-known location post-delivery or any
system/admin actions. It doesn't include any end-user actions on the email. For
example, if a user deleted a message or moved the message to archive/pst, the message
"delivery" location won't be updated. But if a system action updated the location (for
example, ZAP resulting in an email moving to quarantine), Latest delivery location
would show as "quarantine."
Note
There are a few cases where Delivery location and Delivery action may show as
"unknown":
Additional actions
Additional actions were applied after delivery of the email. They can include ZAP, manual
remediation (action taken by an Admin such as soft delete), Dynamic Delivery, and
reprocessed (for an email that was retroactively detected as good).
Note
As part of the pending changes, the "Removed by ZAP" value currently surfaced in
the Delivery Action filter is going away. You'll have a way to search for all email with
the ZAP attempt through Additional actions.
System overrides
System overrides enable you to make exceptions to the intended delivery location of a
message. You override the delivery location provided by the system, based on the
threats and other detections identified by the filtering stack. System overrides can be set
through tenant or user policy to deliver the message as suggested by the policy.
Overrides can identify unintentional delivery of malicious messages due to
configuration gaps, such as an overly broad Safe Sender policy set by a user. These
override values can be:
Allowed by user policy: A user creates policies at the mailbox level to allow
domains or senders.
Blocked by user policy: A user creates policies at the mailbox level to block
domains or senders.
Allowed by org policy: The organization's security teams set policies or Exchange
mail flow rules (also known as transport rules) to allow senders and domains for
users in their organization. This can be for a set of users or the entire organization.
Blocked by org policy: The organization's security teams set policies or mail flow
rules to block senders, domains, message languages, or source IPs for users in their
organization. This can be applied to a set of users or the entire organization.
File extension blocked by org policy: An organization's security team blocks a file
name extension through the anti-malware policy settings. These values will now be
displayed in email details to help with investigations. Secops teams can also use
the rich-filtering capability to filter on blocked file extensions.
Show the full clicked URL (including any query parameters that are part of the URL)
in the Clicks section of the URL flyout. Currently, the URL domain and path appear
in the title bar. We're extending that information to show the full URL.
Fixes across URL filters (URL versus URL domain versus URL domain and path): The
updates affect searching for messages that contain a URL/click verdict. We enabled
support for protocol-agnostic searches, so you can search for a URL without using
http . By default, the URL search maps to http, unless another value is explicitly
specified. For example:
Search with and without the http:// prefix in the URL, URL Domain, and URL
Domain and Path filter fields. The searches should show the same results.
Search for the https:// prefix in URL. When no value is specified, the http://
prefix is assumed.
/ is ignored at the beginning and end of the URL path, URL Domain, URL
domain and path fields. / at the end of the URL field is ignored.
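The URL filter rules just listed, as an added example that is not Microsoft's code: a Python projection of a URL onto the URL, URL Domain, and URL Domain and Path filter fields (no scheme means http://, leading and trailing / ignored, scheme irrelevant to the domain-style fields), run over a constructed set of click records keyed by Network Message ID. The record field names, the dropping of the query string from URL Domain and Path, and the exact-match comparison are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample of URL-click records, shaped loosely like the Clicks section of
# the URL flyout. Field names are assumptions for this example, not the export schema.
SAMPLE_CLICKS = [
    {"network_message_id": "nmid-0001", "url": "http://contoso.com/login", "verdict": "Blocked"},
    {"network_message_id": "nmid-0002", "url": "https://contoso.com/login", "verdict": "Blocked overridden"},
    {"network_message_id": "nmid-0003", "url": "http://contoso.com/login/", "verdict": "Allowed"},
    {"network_message_id": "nmid-0004", "url": "http://contoso.com/reset?u=bob", "verdict": "Pending verdict bypassed"},
    {"network_message_id": "nmid-0005", "url": "http://fabrikam.example/login", "verdict": "Allowed"},
]

FIELDS = ("URL", "URL Domain", "URL Domain and Path")


def normalize(field: str, value: str) -> str:
    """Project a URL, or a value typed into a filter box, onto one filter field.

    Rules taken from the article:
      * a value with no scheme is treated as http://
      * a trailing / on the URL field is ignored
      * a leading or trailing / on the domain-style fields is ignored
      * the scheme plays no part in URL Domain / URL Domain and Path
    """
    if field not in FIELDS:
        raise ValueError(f"unknown filter field: {field}")
    v = value.strip()
    if "://" not in v:
        # protocol-agnostic input: assume http, and ignore a leading / on the value
        v = "http://" + v.lstrip("/")
    parts = urlsplit(v)
    host = parts.netloc.lower()
    path = parts.path.strip("/")        # leading and trailing / are not significant
    if field == "URL":
        # scheme is significant here: https:// only matches when typed explicitly
        url = f"{parts.scheme.lower()}://{host}"
        if path:
            url += "/" + path
        if parts.query:
            url += "?" + parts.query    # query parameters are part of the full URL
        return url
    if field == "URL Domain":
        return host
    # URL Domain and Path: host plus path; query string dropped (assumption)
    return f"{host}/{path}" if path else host


def hunt(field: str, query: str, clicks=SAMPLE_CLICKS) -> list[str]:
    """Return the Network Message IDs of clicks whose URL equals the filter value
    after both sides are projected onto the chosen field (exact match assumed)."""
    wanted = normalize(field, query)
    return [c["network_message_id"] for c in clicks if normalize(field, c["url"]) == wanted]


if __name__ == "__main__":
    # Same results with and without the http:// prefix, and a trailing / is ignored
    print(hunt("URL", "contoso.com/login/"))          # ['nmid-0001', 'nmid-0003']
    print(hunt("URL", "https://contoso.com/login"))   # ['nmid-0002']
    print(hunt("URL Domain", "/contoso.com/"))        # all four contoso.com clicks
```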
To improve the hunting process, we've updated Threat Explorer and Real-time
detections to make the hunting experience more consistent. The changes are outlined
here:
Timezone improvements
Update in the refresh process
Chart drilldown to add to filters
In product information updates
Important
Filtering and sorting by user tags is currently in public preview. This functionality
may be substantially modified before it's commercially released. Microsoft makes
no warranties, express or implied, with respect to the information provided about it.
Timezone improvements
You'll see the time zone for the email records in the Portal as well as for Exported data. It
will be visible across experiences like Email Grid, Details flyout, Email Timeline, and
Similar Emails, so the time zone for the result set is clear.
From an experience standpoint, the user can apply and remove the different range of
filters (from the filter set and date) and select the refresh button to filter the results after
they've defined the query. The refresh button is also now emphasized on the screen.
We've also updated the related tooltips and in-product documentation.
Extended capabilities in Threat Explorer
You'll be able to export the list of targeted users, up to a limit of 3,000, along with the
number of attempts for offline analysis for each email view. In addition, selecting the
number of attempts (for example, 13 attempts in the image below) will open a filtered
view in Threat Explorer, so you can see more details across emails and threats for that
user.
You'll be able to see both the GUID and the name of the transport rules that were
applied to the message. You'll be able to search for the messages by using the name of
the transport rule. This is a "Contains" search, which means you can do partial searches
as well.
Important
ETR search and name availability depend on the specific role that's assigned to you.
You need to have one of the following roles/permissions to view the ETR names
and search. If you don't have any of these roles assigned to you, you can't see the
names of the transport rules or search for messages by using ETR names. However,
you could see the ETR label and GUID information in the Email Details. Other
record-viewing experiences in Email Grids, Email flyouts, Filters, and Export are not
affected.
Within the email grid, Details flyout, and Exported CSV, the ETRs are presented with
a Name/GUID as shown below.
Inbound connectors
Connectors are a collection of instructions that customize how your email flows to and
from your Microsoft 365 or Office 365 organization. They enable you to apply any
security restrictions or controls. Within Threat Explorer, you can now view the
connectors that are related to an email and search for emails by using connector names.
The search for connectors is "contains" in nature, which means partial keyword searches
should work as well. Within the Main grid view, the Details flyout, and the Exported CSV,
the connectors are shown in the Name/GUID format as shown here:
To review phish messages and search for impersonated users or domains, use the Email
> Phish view of Explorer.
3. EITHER select Impersonated domain, and then type a protected domain in the
textbox.
For example, search for protected domain names like contoso, contoso.com, or
contoso.com.au.
4. Select the Subject of any message under the Email tab > Details tab to see
additional impersonation information like Impersonated Domain / Detected
location.
OR
Select Impersonated user and type a protected user's email address in the textbox.
Tip
For best results, use full email addresses to search protected users. You will
find your protected user quicker and more successfully if you search for
firstname.lastname@contoso.com, for example, when investigating user
impersonation. When searching for a protected domain the search will take
the root domain (contoso.com, for example), and the domain name (contoso).
Searching for the root domain contoso.com will return both impersonations of
contoso.com and the domain name contoso.
5. Select the Subject of any message under Email tab > Details tab to see additional
impersonation information about the user or domain, and the Detected location.
Note
1. Select a built-in role group that only has the Preview role, such as Data Investigator
or eDiscovery Manager.
2. Select Copy role group.
3. Choose a name and description for your new role group and select Next.
4. Modify the roles by adding and removing roles as necessary but leaving the
Preview role.
5. Add members and then select Create role group.
Explorer and Real-time detections will also get new fields that provide a more complete
picture of where your email messages land. These changes make hunting easier for
Security Ops. But the main result is you can know the location of problem email
messages at a glance.
How is this done? Delivery status is now broken out into two columns:
Delivery action is the action taken on an email due to existing policies or detections.
Here are the possible actions for an email:
Delivered: Email was delivered to the inbox or folder of a user, and the user can access it.
Junked: Email was sent to the user's Junk or Deleted folder, and the user can access it.
Blocked: Emails that are quarantined, that failed, or were dropped. These mails are inaccessible to the user.
Replaced: Email had malicious attachments replaced by .txt files that state the attachment was malicious.
Delivery location shows the results of policies and detections that run post-delivery. It's
linked to Delivery action. These are the possible values:
Inbox or folder: The email is in the inbox or a folder (according to your email rules).
On-prem or external: The mailbox doesn't exist on cloud but is on-premises.
Junk folder: The email is in a user's Junk folder.
Deleted items folder: The email is in a user's Deleted items folder.
Quarantine: The email is in quarantine and not in a user's mailbox.
Failed: The email failed to reach the mailbox.
Dropped: The email got lost somewhere in the mail flow.
Email timeline
The Email timeline is a new Explorer feature that improves the hunting experience for
admins. It cuts the time spent checking different locations to try to understand the
event. When multiple events happen at or close to the same time an email arrives, those
events are displayed in a timeline view. Some events that happen to your email post-
delivery are captured in the Special action column. Admins can combine information
from the timeline with the special action taken on the mail post-delivery to get insight
into how their policies work, where the mail was finally routed, and, in some cases, what
the final assessment was.
For more information, see Investigate and remediate malicious email that was delivered
in Office 365.
Explorer > View Phish > Clicks > Top URLs or URL Top Clicks > select any record to
open the URL flyout.
When you select a URL in the list, you'll see a new Export button on the fly-out panel.
Use this button to move data to an Excel spreadsheet for easier reporting.
Follow this path to get to the same location in the Real-time detections report:
Explorer > Real-time detections > View Phish > URLs > Top URLs or Top Clicks >
Select any record to open the URL flyout > navigate to the Clicks tab.
Tip
The Network Message ID maps the click back to specific mails when you search on
the ID through Explorer or associated third-party tools. Such searches identify the
email associated with a click result. Having the correlated Network Message ID
makes for quicker and more powerful analysis.
Your detection technologies are now available as filters for the report.
4. Choose an option. Then select the Refresh button to apply that filter.
The report refreshes to show the results that malware detected in email, using the
technology option you selected. From here, you can conduct further analysis.
4. Select one or more options, such as Blocked and Block overridden, and then
select the Refresh button on the same line as the options to apply that filter. (Don't
refresh your browser window.)
The report refreshes to show two different URL tables on the URL tab under the
report:
Top URLs are the URLs in the messages that you filtered down to and the
email delivery action counts for each URL. In the Phish email view, this list
typically contains legitimate URLs. Attackers include a mix of good and bad
URLs in their messages to try to get them delivered, but they make the
malicious links look more interesting. The table of URLs is sorted by total
email count, but this column is hidden to simplify the view.
Top clicks are the Safe Links-wrapped URLs that were clicked, sorted by total
click count. This column also isn't displayed, to simplify the view. Total counts
by column indicate the Safe Links click verdict count for each clicked URL. In
the Phish email view, these are usually suspicious or malicious URLs. But the
view could include URLs that aren't threats but are in phish messages. URL
clicks on unwrapped links don't show up here.
The two URL tables show top URLs in phishing email messages by delivery action
and location. The tables show URL clicks that were blocked or visited despite a
warning, so you can see what potentially bad links were presented to users and that
the users clicked. From here, you can conduct further analysis. For example, below
the chart you can see the top URLs in email messages that were blocked in your
organization's environment.
Note
In the URL flyout dialog box, the filtering on email messages is removed to
show the full view of the URL's exposure in your environment. This lets you
filter for email messages you're concerned about in Explorer, find specific
URLs that are potential threats, and then expand your understanding of the
URL exposure in your environment (via the URL details dialog box) without
having to add URL filters to the Explorer view itself.
None: Unable to capture the verdict for the URL. The user might have clicked
through the URL.
Allowed: The user was allowed to navigate to the URL.
Blocked: The user was blocked from navigating to the URL.
Pending verdict: The user was presented with the detonation-pending page.
Blocked overridden: The user was blocked from navigating directly to the URL. But
the user overrode the block to navigate to the URL.
Pending verdict bypassed: The user was presented with the detonation page. But
the user overrode the message to access the URL.
Error: The user was presented with the error page, or an error occurred in
capturing the verdict.
Failure: An unknown exception occurred while capturing the verdict. The user
might have clicked through the URL.
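An added example, not part of the original article, that applies the Delivery action and Delivery location columns described earlier and the click verdicts listed above to a constructed Threat Explorer export. The column names, the sample rows, and the choice of which verdicts count as user overrides are assumptions made for this example.

```python
import csv
import io

# Constructed rows in the shape of a Threat Explorer export. The column names are
# assumptions for this example, not the portal's actual export schema.
SAMPLE_EXPORT = """\
Network Message ID,Threats,Delivery action,Delivery location,Click verdict
nmid-1001,Phish,Delivered,Inbox or folder,Blocked overridden
nmid-1002,Malware,Blocked,Quarantine,
nmid-1003,Phish,Delivered,Quarantine,Blocked
nmid-1004,,Delivered,Inbox or folder,Allowed
nmid-1005,"Malware, Phish",Delivered,Inbox or folder,Pending verdict bypassed
nmid-1006,Spam,Junked,Junk folder,None
"""

# Delivery locations from which the recipient can still open the message
USER_ACCESSIBLE = {"Inbox or folder", "Junk folder", "Deleted items folder", "On-prem or external"}
# Threats that warrant immediate follow-up while the message is still reachable
HIGH_SEVERITY = {"Malware", "Phish"}
# Safe Links verdicts where the user went past a block or the detonation-pending page
OVERRIDE_VERDICTS = {"Blocked overridden", "Pending verdict bypassed"}
# Verdicts where, per the article, the user might have clicked through anyway
UNCERTAIN_VERDICTS = {"None", "Failure"}


def load_export(text: str) -> list[dict]:
    """Parse the CSV text into one dict per message row."""
    return list(csv.DictReader(io.StringIO(text)))


def threats_of(row: dict) -> set[str]:
    """A message can carry zero, one or several threats; the column lists them comma-separated."""
    return {t.strip() for t in row["Threats"].split(",") if t.strip()}


def still_reachable(rows: list[dict]) -> list[str]:
    """Malware/phish messages whose latest delivery location the user can still open.
    Neither ZAP nor an admin action has moved them yet, so remediate these first."""
    return [r["Network Message ID"] for r in rows
            if threats_of(r) & HIGH_SEVERITY and r["Delivery location"] in USER_ACCESSIBLE]


def zapped_after_delivery(rows: list[dict]) -> list[str]:
    """Delivery action says Delivered but the location is Quarantine: a post-delivery
    system action such as ZAP moved the message, which the timeline view would show."""
    return [r["Network Message ID"] for r in rows
            if r["Delivery action"] == "Delivered" and r["Delivery location"] == "Quarantine"]


def overridden_clicks(rows: list[dict]) -> list[str]:
    """Clicks where the user overrode a Safe Links block or warning."""
    return [r["Network Message ID"] for r in rows if r["Click verdict"] in OVERRIDE_VERDICTS]


def uncertain_clicks(rows: list[dict]) -> list[str]:
    """Clicks with no usable verdict; the user may have reached the URL."""
    return [r["Network Message ID"] for r in rows if r["Click verdict"] in UNCERTAIN_VERDICTS]


def triage(text: str) -> dict:
    """Run all checks over an export and return the Network Message IDs per category."""
    rows = load_export(text)
    return {
        "still_reachable": still_reachable(rows),
        "zapped_after_delivery": zapped_after_delivery(rows),
        "overridden_clicks": overridden_clicks(rows),
        "uncertain_clicks": uncertain_clicks(rows),
    }


if __name__ == "__main__":
    for category, ids in triage(SAMPLE_EXPORT).items():
        print(f"{category}: {', '.join(ids) or '-'}")
```

The Network Message IDs returned can be pasted back into Explorer, as the article notes, to get from a click result to the message it came from.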
4. Select an option, such as Phish, and then select the Refresh button.
The report refreshes to show data about email messages that people in your
organization reported as a phishing attempt. You can use this information to conduct
further analysis, and, if necessary, adjust your anti-phishing policies in Microsoft
Defender for Office 365.
Note
Automated investigation and response can save your security operations team time and
effort spent investigating and mitigating cyberattacks. In addition to configuring alerts
that can trigger a security playbook, you can start an automated investigation and
response process from a view in Explorer. For details, see Example: A security
administrator triggers an investigation from Explorer.
To view and use Explorer or Real-time detections, you must have appropriate
permissions, such as those granted to a security administrator or security reader.
For the Microsoft 365 Defender portal, you must have one of the following roles
assigned:
Organization Management
Security Administrator (this can be assigned in the Azure Active Directory admin
center (https://aad.portal.azure.com))
Security Reader
For Exchange Online, you must have one of the following roles assigned in either
the Exchange admin center (EAC) or Exchange Online PowerShell:
Organization Management
View-Only Organization Management
View-Only Recipients
Compliance Management
To learn more about roles and permissions, see the following resources:
Other articles
Investigate emails with the Email Entity Page
Threat hunting in Threat Explorer for
Microsoft Defender for Office 365
Article • 12/22/2022 • 10 minutes to read
Note
This is part of a 3-article series on Threat Explorer (Explorer), email security, and
Explorer and Real-time detections (such as differences between the tools, and
permissions needed to operate them). The other two articles in this series are Email
security with Threat Explorer and Threat Explorer and Real-time detections.
If your organization has Microsoft Defender for Office 365, and you have the
permissions, you can use Explorer or Real-time detections to detect and remediate
threats.
Watch this short video to learn how to hunt and investigate email and collaboration-
based threats using Microsoft Defender for Office 365.
https://www.microsoft.com/en-us/videoplayer/embed/RWyPRU?postJsllMsg=true
Defender for Office 365 Plan 1 uses Real-time detections, which is a subset of the Threat
Explorer (also called Explorer) hunting tool in Plan 2. In this series of articles, most of the
examples were created using the full Threat Explorer. Admins should test any steps in
Real-time detections to see where they apply.
After you go to Explorer, by default, you'll arrive on the All email page, but use the tabs
to navigate to the available views. If you're hunting phish or digging into a threat
campaign, choose those views.
Once a security operations (Sec Ops) person selects the data they want to see, they can
further narrow down the data by applying filters such as Sender, Recipient, and Subject,
or select an appropriate date range to get the desired results. Remember to select
Refresh to complete your filtering actions.
Refining focus in Explorer or Real-time detection can be thought of in layers. The first is
View. The second can be thought of as a filtered focus. For example, you can retrace the
steps you took in finding a threat by recording your decisions like this: To find the issue
in Explorer, I chose the Malware View with a Recipient filter focus. This makes retracing
your steps easier.
Tip
If Sec Ops uses Tags to mark accounts they consider high valued targets, they can
make selections like Phish View with a Tags filter focus (include a date range if used).
This will show them any phishing attempts directed at their high value user targets
during a time-range (like dates when certain phishing attacks are happening a lot
for their industry).
With the new version of Threat Explorer, users can use the following new dropdown
options with four new operators on the filters:
Note that these filter conditions are available based on filter types and input types.
Use the Column options button to get the kind of information on the table that would
be most helpful:
In the same vein, make sure to test your display options. Different audiences will react
well to different presentations of the same data. For some viewers, the Email Origins
map can show that a threat is widespread or discreet more quickly than the Campaign
display option right next to it. Sec Ops can make use of these displays to best make
points that underscore the need for security and protection, or for later comparison, to
demonstrate the effectiveness of their actions.
Email investigation
When you see a suspicious email, click the name to expand the flyout on the right. Here,
the banner that lets Sec Ops see the email entity page is available.
The email entity page pulls together contents that can be found under Details,
Attachments, Devices, but includes more organized data. This includes things like
DMARC results, plain text display of the email header with a copy option, verdict
information on attachments that were securely detonated, and files those detonations
dropped (can include IP addresses that were contacted and screenshots of pages or
files). URLs and their verdicts are also listed with similar details reported.
When you reach this stage, the email entity page will be critical to the final step—
remediation.
Tip
To learn more about the rich email entity page (seen below on the Analysis tab),
including the results of detonated Attachments, findings for included URLs, and
safe Email preview, click here.
Email remediation
Once a Sec Ops person determines that an email is a threat, the next Explorer or Real-
time detection step is dealing with the threat and remediating it. This can be done by
returning to Threat Explorer, selecting the checkbox for the problem email, and using
the Actions button.
Here, the analyst can take actions like reporting the mail as Spam, Phishing, or Malware,
contacting recipients, or further investigations that can include triggering Automated
Investigation and Response (or AIR) playbooks (if you have Plan 2). Or, the mail can also
be reported as clean.
Alert ID
When navigating from an alert into Threat Explorer, the View will be filtered by Alert ID.
This also applies in Real-time detection. Messages relevant to the specific alert, and an
email total (a count) are shown. You will be able to see if a message was part of an alert,
as well as navigate from that message to the related alert.
Finally, alert ID is included in the URL, for example:
https://security.microsoft.com/viewalerts
Note
The user tags feature is in Preview and may not be available to everyone. Also,
Previews are subject to change. For information about the release schedule, check
out the Microsoft 365 roadmap.
User tags identify specific groups of users in Microsoft Defender for Office 365. For
more information about tags, including licensing and configuration, see User tags.
In Threat Explorer, you can see information about user tags in the following experiences.
Filtering
Tags can be used as filters. Hunt among priority accounts only, or use specific user tags
scenarios this way. You can also exclude results that have certain tags. Combine Tags
with other filters and date ranges to narrow your scope of investigation.
Tags information is also shown in the URL clicks flyout. To see it, go to Phish or All Email
view > URLs or URL Clicks tab. Select an individual URL flyout to see additional details
about clicks for that URL, including any Tags associated with that click.
Extended capabilities
Security operations people will be able to export the list of targeted users, up to a limit of
3,000, along with the number of attempts made, for offline analysis for each email view.
Also, selecting the number of attempts (for example, 13 attempts in the image below)
will open a filtered view in Threat Explorer, so you can see more details across emails,
and threats for that user.
Names and GUIDs of the transport rules applied to the message appear. Analysts will be
able to search for messages by using the name of the transport rule. This is a CONTAINS
search, which means you can do partial searches as well.
Important
Exchange transport rule search and name availability depend on the specific role
assigned to you. You need to have one of the following roles or permissions to view
the transport rule names and search. However, even without the roles or
permissions below, an analyst may see the transport rule label and GUID
information in the Email Details. Other record-viewing experiences in Email Grids,
Email flyouts, Filters, and Export are not affected.
Within the email grid, Details flyout, and Exported CSV, the ETRs are presented with
a Name/GUID as shown below.
Inbound connectors
Connectors are a collection of instructions that customize how your email flows to and
from your Microsoft 365 or Office 365 organization. They enable you to apply any
security restrictions or controls. In Threat Explorer, you can view the connectors that are
related to an email and search for emails using connector names.
The search for connectors is a CONTAINS query, which means partial keyword searches
can work:
To view and use Explorer or Real-time detections, you must have the following
permissions:
More information
Find and investigate malicious email that was delivered
View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams
Get an overview of the views in Threat Explorer (and Real-time detections)
Threat protection status report
Automated investigation and response in Microsoft Threat Protection
Investigate emails with the Email Entity Page
Email security with Threat Explorer in
Microsoft Defender for Office 365
Article • 12/22/2022 • 5 minutes to read
Note
This is part of a 3-article series on Threat Explorer (Explorer), email security, and
Explorer and Real-time detections (such as differences between the tools, and
permissions needed to operate them). The other two articles in this series are
Threat hunting in Threat Explorer and Threat Explorer and Real-time detections.
This article explains how to view and investigate malware and phishing attempts that are
detected in email by Microsoft 365 security features.
From here, start at the View, choose a particular frame of time to investigate (if
needed), and focus your filters, as per the Explorer walk-through.
2. In the View drop down list, verify that Email > Malware is selected.
3. Click Sender, and then choose Basic > Detection technology in the drop down list.
Your detection technologies are now available as filters for the report.
4. Choose an option, and then click Refresh to apply that filter (don't refresh your
browser window).
The report refreshes to show the results that malware detected in email, using the
technology option you selected. From here, you can conduct further analysis.
2. Verify that you're on the Email tab, and then from the list of reported messages,
select the one you'd like to report as clean.
4. Scroll down the list of options to go to the Start new submission section, and then
select Report clean. A flyout appears.
5. Toggle the slider to On. From the drop down list, specify the number of days you
want the message to be removed, add a note if needed, and then select Submit.
3. Click Sender, and then choose URLs > Click verdict in the drop down list.
4. In options that appear, select one or more options, such as Blocked and Block
overridden, and then click Refresh (don't refresh your browser window).
The report refreshes to show two different URL tables on the URLs tab under the
report:
Top URLs are the URLs in the messages that you filtered down to and the
email delivery action counts for each URL. In the Phish email view, this list
typically contains legitimate URLs. Attackers include a mix of good and bad
URLs in their messages to try to get them delivered, but they make the
malicious links look more interesting. The table of URLs is sorted by total
email count, but this column is hidden to simplify the view.
Top clicks are the Safe Links-wrapped URLs that were clicked, sorted by total
click count. This column also isn't displayed, to simplify the view. Total counts
by column indicate the Safe Links click verdict count for each clicked URL. In
the Phish email view, these are usually suspicious or malicious URLs. But the
view could include URLs that aren't threats but are in phish messages. URL
clicks on unwrapped links don't show up here.
The two URL tables show top URLs in phishing email messages by delivery action
and location. The tables show URL clicks that were blocked or visited despite a
warning, so you can see what potential bad links were presented to users and that
the users clicked. From here, you can conduct further analysis. For example, below
the chart you can see the top URLs in email messages that were blocked in your
organization's environment.
Note
In the URL flyout dialog box, the filtering on email messages is removed to
show the full view of the URL's exposure in your environment. This lets you
filter for email messages you're concerned about in Explorer, find specific
URLs that are potential threats, and then expand your understanding of the
URL exposure in your environment (via the URL details dialog box) without
having to add URL filters to the Explorer view itself.
None: Unable to capture the verdict for the URL. The user might have clicked
through the URL.
Allowed: The user was allowed to navigate to the URL.
Blocked: The user was blocked from navigating to the URL.
Pending verdict: The user was presented with the detonation-pending page.
Blocked overridden: The user was blocked from navigating directly to the URL. But
the user overrode the block to navigate to the URL.
Pending verdict bypassed: The user was presented with the detonation page. But
the user overrode the message to access the URL.
Error: The user was presented with the error page, or an error occurred in
capturing the verdict.
Failure: An unknown exception occurred while capturing the verdict. The user
might have clicked through the URL.
Note
Automated investigation and response can save your security operations team time and
effort spent investigating and mitigating cyberattacks. In addition to configuring alerts
that can trigger a security playbook, you can start an automated investigation and
response process from a view in Explorer. For details, see Example: A security
administrator triggers an investigation from Explorer.
Other articles
Investigate emails with the Email Entity Page
Explorer and Real-time detections
Article • 12/22/2022 • 6 minutes to read
Note
This is part of a 3-article series on Explorer (also known as Threat Explorer), email
security, and Explorer and Real-time detections basics (such as differences
between the tools, and permissions needed to operate them). The other two
articles in this series are Threat hunting in Explorer and Email security with
Explorer.
This article explains the difference between Explorer and real-time detections reporting,
updated experience with Explorer and real-time detections where you can toggle
between old and new experiences, and the licenses and permissions that are required.
If your organization has Microsoft Defender for Office 365, and you have the
permissions, you can use Explorer (also known as Threat Explorer) or Real-time
detections to detect and remediate threats.
Note
Toggling impacts only your account and does not impact anyone else within your
tenant.
Threat Explorer and Real-time detections are divided into the following views:
All email: Shows all email analyzed by Defender for Office 365 and contains both
good and malicious emails. This feature is only present in Threat Explorer and is
not available for Real-time detections. By default, it is set to show data for two
days, which can be expanded up to 30 days. This is also the default view for Threat
Explorer.
Malware view: Shows emails on which a malware threat was identified. This is the
default view for Real-time detections, and shows data for two days (can be
expanded to 30 days).
Filters
You can use the various filters to view the data by email or file attributes.
By default, a time filter covering the last two days is applied to the records.
If you apply multiple filters, they are combined in AND mode; use the advanced filter to change this to OR mode.
You can use commas to add multiple values for the same filter.
Charts
Charts provide a visual, aggregate view of data based on filters. You can use
different filters to view the data by different dimensions.
Note
You may see no results in chart view even if you are seeing an entry in the list
view. This happens if the filter does not produce any data. For example, if you
have applied the filter malware family, but the underlying data does not have
any malicious emails, then you may see the message no data available for this
scenario.
Results grid
Results grid shows the email results based on the filters you have applied.
Based on the configuration set in your tenant, data will be shown in UTC or local
timezone, with the timezone information available in the first column.
You can navigate to the individual email entity page from the list view by
clicking the Open in new window icon.
You can also customize your columns to add or remove columns to optimize
your view.
Note
You can toggle between the Chart View and the List View to maximize your
result set.
Detailed flyout
You can click on hyperlinks to get to the email summary panel (entries in
Subject column), recipient, or IP flyout.
The email summary panel replaces the legacy email flyout, and also provides a
path to access the email entity panel.
The individual entity flyouts (IP, recipient, and URL) show the same information, presented in a single tab-based view with sections that you can expand and collapse as needed.
For flyouts like URLs, you can click View all Email or View all Clicks to view the
full set of emails/clicks containing that URL, as well as export the result set.
Actions
From Threat Explorer, you can trigger remediation actions like Delete an email.
For more information on remediation, remediation limits, and tracking
remediation see Remediate malicious email.
Export
You can click Export chart data to export the chart details. Similarly, click Export
email list to export email details.
You can export up to 200K records for email list. However, for better system
performance and reduced download time, you should use various email filters.
In addition to these features, you will also get updated experiences like Top URLs, Top
clicks, Top targeted users, and Email origin. Top URLs, Top clicks, and Top targeted users
can be further filtered based on the filter that you apply within Explorer.
Security Operations teams need to assign licenses for all users who should be protected
by Defender for Office 365 and be aware that Explorer and Real-time detections show
detection data for licensed users.
To view and use Explorer or Real-time detections, you need the following permissions:
To learn more about roles and permissions, see the following articles:
More information
Threat Explorer collect email details on the email entity page
Find and investigate malicious email that was delivered
View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams
Threat protection status report
Automated investigation and response in Microsoft Threat Protection
Views in Threat Explorer and real-time detections
Article • 12/09/2022 • 6 minutes to read
Threat Explorer (and the real-time detections report) is a powerful, near real-time tool to
help Security Operations teams investigate and respond to threats in the Microsoft 365
Defender portal. Explorer (and the real-time detections report) displays information
about suspected malware and phish in email and files in Office 365, as well as other
security threats and risks to your organization.
If you have Microsoft Defender for Office 365 Plan 2, then you have Explorer.
If you have Microsoft Defender for Office 365 Plan 1, then you have real-time
detections.
When you first open Explorer (or the real-time detections report), the default view
shows email malware detections for the past 7 days. This report can also show Microsoft
Defender for Office 365 detections, such as malicious URLs detected by Safe Links, and
malicious files detected by Safe Attachments. This report can be modified to show data
for the past 30 days (with a Microsoft Defender for Office 365 P2 paid subscription). Trial
subscriptions will include data for the past seven days only.
Subscription | Utility | Days of data
Microsoft Defender for Office 365 P1 paid, testing a Defender for Office 365 P2 trial | Threat Explorer | 7
Note
We will soon be extending the Explorer (and Real-time detections) data retention
and search limit for trial tenants from 7 to 30 days. This change is being tracked as
part of roadmap item no. 70544, and is currently in a roll-out phase.
Use the View menu to change what information is displayed. Tooltips help you
determine which view to use.
Once you have selected a view, you can apply filters and set up queries to conduct
further analysis. The following sections provide a brief overview of the various views
available in Explorer (or real-time detections).
Click Sender to open your list of viewing options. Use this list to view data by sender,
recipients, sender domain, subject, detection technology, protection status, and more.
For example, to see what actions were taken on detected email messages, choose
Protection status in the list. Select an option, and then click the Refresh button to apply
that filter to your report.
Below the chart, view more details about specific messages. When you select an item in
the list, a fly-out pane opens, where you can learn more about the item you selected.
Click Sender to open your list of viewing options. Use this list to view data by sender,
recipients, sender domain, sender IP, URL domain, click verdict, and more.
For example, to see what actions were taken when people clicked on URLs that were
identified as phishing attempts, choose Click verdict in the list, select one or more
options, and then click the Refresh button.
Below the chart, view more details about specific messages, URL clicks, URLs, and email
origin.
When you select an item in the list, such as a URL that was detected, a fly-out pane
opens, where you can learn more about the item you selected.
Click Sender to open your list of viewing options. Use this list to view information by
sender, recipients, report type (the user's determination that the email was junk, not
junk, or phish), and more.
For example, to view information about email messages that were reported as phishing
attempts, click Sender > Report type, select Phish, and then click the Refresh button.
Below the chart, view more details about specific email messages, such as subject line,
the sender's IP address, the user that reported the message as junk, not junk, or phish,
and more.
Note
If you get an error that reads Too much data to display, add a filter and, if
necessary, narrow the date range you're viewing.
To apply a filter, choose Sender, select an item in the list, and then click the Refresh
button. In our example, we used Detection technology as a filter (there are several
options available). View information by sender, sender's domain, recipients, subject,
attachment filename, malware family, protection status (actions taken by your threat
protection features and policies in Office 365), detection technology (how the malware
was detected), and more.
Below the chart, view more details about specific email messages, such as subject line,
recipient, sender, status, and so on.
View information by malware family, detection technology (how the malware was
detected), and workload (OneDrive, SharePoint, or Teams).
Below the chart, view more details about specific files, such as attachment filename,
workload, file size, who last modified the file, and more.
Click-to-filter capabilities
With Explorer (and real-time detections), you can apply a filter in a click. Click an item in
the legend, and that item becomes a filter for the report. For example, clicking ATP
Detonation in this chart results in a view like this:
In this view, we are now looking at data for files that were detonated by Safe
Attachments. Below the chart, we can see details about specific email messages that had
attachments that were detected by Safe Attachments.
Selecting one or more items activates the Actions menu, which offers several choices
from which to choose for the selected item(s).
The ability to filter in a click and navigate to specific details can save you a lot of time in
investigating threats.
Important
Do not use wildcard characters, such as an asterisk or a question mark, in the query
bar for Explorer (or real-time detections). When you search on the Subject field for
email messages, Explorer (or real-time detections) will perform partial matching
and yield results similar to a wildcard search.
Impersonation insight in Defender for Office 365
Article • 12/22/2022 • 7 minutes to read
Impersonation is where the sender of an email message looks very similar to a real or expected sender email address. Attackers often use impersonated sender addresses in phishing and other attacks to gain the trust of the recipient. There are basically two types of impersonation: user impersonation, where the sender's display name or email address resembles a protected user, and domain impersonation, where the sender's domain resembles a protected domain.
Impersonation protection is part of the anti-phishing policy settings that are exclusive to
Microsoft Defender for Office 365. For more information about these settings, see
Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365.
You can use the impersonation insight in the Microsoft 365 Defender portal to quickly
identify messages from impersonated senders or sender domains that you've
configured for impersonation protection.
You need to be assigned permissions in the Microsoft 365 Defender portal before
you can do the procedures in this article:
Organization Management
Security Administrator
Security Reader
Global Reader
For more information, see Permissions in the Microsoft 365 Defender portal.
Note: Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions in the Microsoft
365 Defender portal and permissions for other features in Microsoft 365. For more
information, see About admin roles.
For domain impersonation, the insight shows the following information:
Sender domain: The impersonating domain, which is the domain that was used to send the email message.
Message count: The number of messages from the impersonating sender domain over the last 7 days.
Impersonation type: This value shows the detected location of the impersonation
(for example, Domain in address).
Impersonated domain(s): The impersonated domain, which should closely
resemble the domain that's configured for impersonation protection in the anti-
phishing policy.
Domain type: This value is Company domain for internal domains or Custom
domain for custom domains.
Policy: The anti-phishing policy that detected the impersonated domain.
Allowed to impersonate: One of the following values:
Yes: The domain was configured as trusted domain (an exception for
impersonation protection) in the anti-phishing policy. Messages from senders in
the impersonated domain were detected, but allowed.
No: The domain was configured for impersonation protection in the anti-
phishing policy. Messages from senders in the impersonated domain were
detected and acted upon based on the action for impersonated domains in the
anti-phishing policy.
To filter the results, enter a comma-separated list of values in the Filter sender box.
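Added example (not part of the original article): the following Exchange Online PowerShell audits the anti-phishing settings behind the insight's Domain type, Policy, and Allowed to impersonate columns, then enables domain impersonation protection for one custom domain with an explicit trusted-domain exception. The policy name 'Office365 AntiPhish Default' is the built-in default policy; the domains contoso-partner.example and newsletter.example are assumptions used for illustration.

```powershell
# Added example: list which domains each anti-phishing policy protects against
# impersonation and which domains/senders are exempt from that protection.
# Requires the ExchangeOnlineManagement module and Defender for Office 365.
Connect-ExchangeOnline -ShowBanner:$false

Get-AntiPhishPolicy | ForEach-Object {
    [pscustomobject]@{
        Policy                 = $_.Name
        ProtectOwnDomains      = $_.EnableOrganizationDomainsProtection   # Domain type: Company domain
        CustomDomainsProtected = ($_.TargetedDomainsToProtect -join ', ') # Domain type: Custom domain
        ProtectionEnabled      = $_.EnableTargetedDomainsProtection
        Action                 = $_.TargetedDomainProtectionAction
        # Entries here are what produce "Allowed to impersonate: Yes" in the insight.
        TrustedDomains         = ($_.ExcludedDomains -join ', ')
        TrustedSenders         = ($_.ExcludedSenders -join ', ')
    }
} | Format-Table -AutoSize

# Turn on domain impersonation protection for a partner domain, quarantine hits,
# and keep the exception list explicit so it can be reviewed against the insight.
$params = @{
    Identity                            = 'Office365 AntiPhish Default'   # built-in default policy
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('contoso-partner.example')    # assumed custom domain
    TargetedDomainProtectionAction      = 'Quarantine'
    ExcludedDomains                     = @('newsletter.example')         # assumed trusted domain
}
Set-AntiPhishPolicy @params
```

Every value in ExcludedDomains and ExcludedSenders is a standing bypass of impersonation protection; the first query gives you the list to reconcile against the "Allowed to impersonate: Yes" rows in the insight.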
Spoof intelligence insight in EOP
When a sender spoofs an email address, they appear to be a user in one of your organization's domains, or a user in an external domain that sends email to your organization. Attackers who spoof senders to send spam or phishing email need to be blocked. But there are scenarios where legitimate senders spoof, for example a third-party service that sends mail on behalf of your domain.
By allowing known senders to send spoofed messages from known locations, you can
reduce false positives (good email marked as bad). By monitoring the allowed spoofed
senders, you provide an additional layer of security to prevent unsafe messages from
arriving in your organization.
Likewise, you can review spoofed senders that were allowed by spoof intelligence and
manually block those senders from the spoof intelligence insight.
The rest of this article explains how to use the spoof intelligence insight in the Microsoft
365 Defender portal and in PowerShell (Exchange Online PowerShell for Microsoft 365
organizations with mailboxes in Exchange Online; standalone EOP PowerShell for
organizations without Exchange Online mailboxes).
Note
Only spoofed senders that were detected by spoof intelligence appear in the
spoof intelligence insight. When you override the allow or block verdict in the
insight, the spoofed sender becomes a manual allow or block entry that
appears only on the Spoofed senders tab in the Tenant Allow/Block List. You
can also manually create allow or block entries for spoofed senders before
they're detected by spoof intelligence. For more information, see Manage the
Tenant Allow/Block List in EOP.
The spoof intelligence insight and the Spoofed senders tab in the Tenant
Allow/Block list replace the functionality of the spoof intelligence policy that
was available on the anti-spam policy page in the Security & Compliance
Center.
The spoof intelligence insight shows 7 days worth of data. The Get-
SpoofIntelligenceInsight cmdlet shows 30 days worth of data.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To modify the spoof intelligence policy or enable or disable spoof intelligence,
you need to be a member of one of the following role groups:
Organization Management
Security Administrator and View-Only Configuration or View-Only
Organization Management.
For read-only access to the spoof intelligence policy, you need to be a member
of the Global Reader or Security Reader role groups.
Note
Adding users to the corresponding Azure Active Directory role in the
Microsoft 365 admin center gives users the required permissions and
permissions for other features in Microsoft 365. For more information, see
About admin roles.
The View-Only Organization Management role group in Exchange Online
also gives read-only access to the feature.
You enable and disable spoof intelligence in anti-phishing policies in EOP and
Microsoft Defender for Office 365. Spoof intelligence is enabled by default. For
more information, see Configure anti-phishing policies in EOP or Configure anti-
phishing policies in Microsoft Defender for Office 365.
For our recommended settings for spoof intelligence, see EOP anti-phishing policy
settings.
Open the spoof intelligence insight in the Microsoft 365 Defender portal
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to Email & Collaboration > Policies & Rules > Threat policies > Tenant Allow/Block Lists in the Rules section. To go directly to the Spoofed senders tab on the Tenant Allow/Block List page, use https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem .
2. On the Tenant Allow/Block Lists page, the spoof intelligence insight looks like this:
Insight mode: If spoof intelligence is enabled, the insight shows you how
many messages were detected by spoof intelligence during the past seven
days.
What if mode: If spoof intelligence is disabled, then the insight shows you
how many messages would have been detected by spoof intelligence during
the past seven days.
To view information about the spoof intelligence detections, click View spoofing activity
in the spoof intelligence insight.
Note
Remember, only spoofed senders that were detected by spoof intelligence appear
on this page. When you override the allow or block verdict in the insight, the
spoofed sender becomes a manual allow or block entry that appears only on the
Spoofed senders tab in the Tenant Allow/Block List.
On the Spoof intelligence insight page that appears after you click View spoofing
activity in the spoof intelligence insight, the page contains the following information:
Spoofed user: The domain of the spoofed user that's displayed in the From box in
email clients. The From address is also known as the 5322.From address.
Sending infrastructure: Also known as the infrastructure. The sending
infrastructure will be one of the following values:
The domain found in a reverse DNS lookup (PTR record) of the source email
server's IP address.
If the source IP address has no PTR record, then the sending infrastructure is
identified as <source IP>/24 (for example, 192.168.100.100/24).
A verified DKIM domain.
Message count: The number of messages from the combination of the spoofed
domain and the sending infrastructure to your organization within the last 7 days.
Last seen: The last date when a message was received from the sending
infrastructure that contains the spoofed domain.
Spoof type: One of the following values:
Internal: The spoofed sender is in a domain that belongs to your organization
(an accepted domain).
External: The spoofed sender is in an external domain.
Action: This value is Allowed or Blocked:
Allowed: The domain failed explicit email authentication checks SPF, DKIM, and
DMARC. However, the domain passed our implicit email authentication checks
(composite authentication). As a result, no anti-spoofing action was taken on
the message.
Blocked: Messages from the combination of the spoofed domain and sending
infrastructure are marked as bad by spoof intelligence. The action that's taken
on the spoofed messages is controlled by the default anti-phishing policy or
custom anti-phishing policies (the default value is Move message to Junk Email
folder). For more information, see Configure anti-phishing policies in Microsoft
Defender for Office 365.
Click the Filter button. In the Filter flyout that appears, you can filter the results by:
Spoof type
Action
Use the Search box to enter a comma-separated list of spoofed domain values or
sending infrastructure values to filter the results.
For example, consider an allow entry for the following spoofed domain and sending infrastructure pair:
Domain: gmail.com
Infrastructure: tms.mx.com
Only email from that domain/sending infrastructure pair is allowed to spoof. Other senders attempting to spoof gmail.com aren't automatically allowed, and messages from senders in other domains that originate from tms.mx.com are still checked by spoof intelligence and might be blocked.
To view the information in the spoof intelligence insight, run the following command:
PowerShell
Get-SpoofIntelligenceInsight
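The following Exchange Online PowerShell script is an added example and not part of the original article. It lists 30 days of spoof intelligence detections, triages the internal spoofs that were allowed, and then pins the gmail.com / tms.mx.com pair from the text as an explicit allow entry and a constructed contoso.com / 203.0.113.5/24 pair as a block entry in the Tenant Allow/Block List. The domain contoso.com and the /24 sending infrastructure are assumptions, and the output property names of Get-SpoofIntelligenceInsight are assumed to match the insight columns (SpoofedUser, SendingInfrastructure, MessageCount, LastSeen, SpoofType, Action).

```powershell
# Added example: review spoof intelligence detections, then override verdicts
# with Tenant Allow/Block List spoofed-sender entries.
# Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Pull the last 30 days of detections (the portal insight shows only 7).
$insight = Get-SpoofIntelligenceInsight

# 2. Triage. An Internal + Allowed row is one of your own domains being spoofed
#    by infrastructure that failed SPF/DKIM/DMARC but passed composite
#    authentication; confirm each one is a sender you actually expect.
$review = $insight |
    Where-Object { $_.SpoofType -eq 'Internal' -and $_.Action -eq 'Allowed' } |
    Sort-Object MessageCount -Descending
$review | Format-Table SpoofedUser, SendingInfrastructure, MessageCount, LastSeen -AutoSize

# 3. Allow the pair from the article. Only gmail.com mail that arrives via
#    tms.mx.com is allowed to spoof; other senders spoofing gmail.com, and other
#    domains sent via tms.mx.com, are still evaluated by spoof intelligence.
$allow = @{
    Identity              = 'Default'
    Action                = 'Allow'
    SpoofedUser           = 'gmail.com'
    SendingInfrastructure = 'tms.mx.com'
    SpoofType             = 'External'
}
New-TenantAllowBlockListSpoofItems @allow

# 4. Block an internal spoof that was allowed. When the source IP has no PTR
#    record the infrastructure is the IP/24 form shown in the insight.
$block = @{
    Identity              = 'Default'
    Action                = 'Block'
    SpoofedUser           = 'contoso.com'       # assumed accepted domain
    SendingInfrastructure = '203.0.113.5/24'    # assumed source with no PTR record
    SpoofType             = 'Internal'
}
New-TenantAllowBlockListSpoofItems @block

# 5. Verify. Overridden pairs now live on the Spoofed senders tab, not in the
#    insight. Each allow entry is a standing exception to anti-spoofing, so
#    review this list on a schedule.
Get-TenantAllowBlockListSpoofItems -Action Allow |
    Format-Table Identity, SpoofedUser, SendingInfrastructure, SpoofType -AutoSize

# 6. Flip an allow to a block later using the entry's Identity value.
$entry = Get-TenantAllowBlockListSpoofItems -Action Allow |
    Where-Object { $_.SpoofedUser -eq 'gmail.com' -and $_.SendingInfrastructure -eq 'tms.mx.com' }
if ($entry) {
    Set-TenantAllowBlockListSpoofItems -Identity Default -Ids $entry.Identity -Action Block
}
```

Because entries are keyed on the domain/infrastructure pair, a legitimate sender that moves to new sending infrastructure (a new relay, a new DKIM domain) shows up again in the insight rather than inheriting the old allow; treat that as a prompt to re-verify the sender rather than as a false positive.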
Check the Spoof Mail Report. You can use this report often to view and help
manage spoofed senders. For information, see Spoof Detections report.
Review your Sender Policy Framework (SPF) configuration. For a quick introduction
to SPF and to get it configured quickly, see Set up SPF in Microsoft 365 to help
prevent spoofing. For a more in-depth understanding of how Office 365 uses SPF,
or for troubleshooting or non-standard deployments such as hybrid deployments,
start with How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing.
Review your DomainKeys Identified Mail (DKIM) configuration. You should use
DKIM in addition to SPF and DMARC to help prevent attackers from sending
messages that look like they are coming from your domain. DKIM lets you add a
digital signature to email messages in the message header. For information, see
Use DKIM to validate outbound email sent from your custom domain in Office 365.
Important
Spoofed sender management in the Microsoft 365 Defender portal is now available
only on the Spoofed senders tab in the Tenant Allow/Block List. For current
procedures in the Microsoft 365 Defender portal, see Spoof intelligence insight in
EOP.
Use PowerShell to view allow or block entries for spoofed senders in the
Tenant Allow/Block List
Use PowerShell to create allow entries for spoofed senders
Use PowerShell to create block entries for spoofed senders
Use PowerShell to modify allow or block entries for spoofed senders in the
Tenant Allow/Block List
Use PowerShell to remove allow or block entries for spoofed senders from
the Tenant Allow/Block List
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To modify the spoof intelligence policy or enable or disable spoof intelligence,
you need to be a member of:
Organization Management
Security Administrator and View-Only Configuration or View-Only
Organization Management.
For read-only access to the spoof intelligence policy, you need to be a member
of the Global Reader or Security Reader role groups.
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions and permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
The options for spoof intelligence are described in Spoof settings in anti-phishing
policies.
You can enable, disable, and configure the spoof intelligence settings in anti-
phishing policies. For instructions based on your subscription, see one of the
following topics:
Configure anti-phishing policies in EOP.
Configure anti-phishing policies in Microsoft Defender for Office 365.
For our recommended settings for spoof intelligence, see EOP anti-phishing policy
settings.
PowerShell
Get-PhishFilterPolicy [-AllowedToSpoof <Yes | No | Partial>] [-ConfidenceLevel <Low | High>] [-DecisionBy <Admin | SpoofProtection>] [-Detailed] [-SpoofType <Internal | External>]
This example returns detailed information about all senders that are allowed to spoof
users in your domains.
PowerShell
To configure allowed and blocked senders in spoof intelligence, follow these steps:
1. Capture the current list of detected spoofed senders by writing the output of the
Get-PhishFilterPolicy cmdlet to a CSV file by running the following command:
PowerShell
2. Edit the CSV file. Each row contains the following columns:
Sender (domain in the source server's PTR record, IP/24 address, or verified DKIM domain)
SpoofedUser: One of the following values:
The internal user's email address.
The external user's email domain.
A blank value that indicates you want to block or allow any and all spoofed
messages from the specified Sender, regardless of the spoofed email
address.
AllowedToSpoof (Yes or No)
SpoofType (Internal or External)
Save the file, read the file, and store the contents as a variable named
$UpdateSpoofedSenders by running the following command:
PowerShell
PowerShell
PowerShell
In PowerShell, run the following command to export the list of all spoofed senders
to a CSV file:
PowerShell
The admin audit log records specific actions, based on Exchange Online PowerShell or
standalone Exchange Online Protection PowerShell cmdlets, done by admins and users
who have been assigned administrative privileges. Entries in the admin audit log provide
you with information about what cmdlet was run, which parameters were used, who ran
the cmdlet, and what objects were affected.
Notes:
Admin audit logging is enabled by default, and you can't disable it.
The admin audit log doesn't record actions based on cmdlets that begin with the verbs Get, Search, or Test.
When a change is made in your organization, it may take up to 15 minutes to
appear in audit log search results. If a change doesn't appear in the admin audit
log, wait a few minutes and run the search again.
Audit log entries are kept for 90 days. When an entry is older than 90 days, it's
deleted.
You need to be assigned permissions before you can perform this procedure or
procedures. To see what permissions you need, see the "View-only administrator
audit logging" entry in the Feature permissions in Exchange Online topic.
For information about keyboard shortcuts that may apply to the procedures in this
article, see Keyboard shortcuts for the Exchange admin center in Exchange Online.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at
Exchange Online or Exchange Online Protection .
2. In the Search for changes to administrator role groups page that opens, choose a
Start date and End date (the default range is the past two weeks), and then choose
Search. All configuration changes made during the specified time period are
displayed, and can be sorted, using the following information:
Date: The date and time that the configuration change was made. The date
and time are stored in Coordinated Universal Time (UTC) format.
Cmdlet: The name of the cmdlet that was used to make the configuration
change.
User: The name of the user account of the user who made the configuration
change.
PowerShell
Notes:
You can only use the Parameters parameter together with the Cmdlets parameter.
The ObjectIds parameter filters the results by the object that was modified by the
cmdlet. A valid value depends on how the object is represented in the audit log.
For example:
Name
Canonical distinguished name (for example, contoso.com/Users/Akia Al-Zuhairi)
You'll likely need to use other filtering parameters on this cmdlet to narrow down
the results and identify the types of objects that you're interested in.
The UserIds parameter filters the results by the user who made the change (who
ran the cmdlet).
For the StartDate and EndDate parameters, if you specify a date/time value without
a time zone, the value is in Coordinated Universal Time (UTC). To specify a
date/time value for this parameter, use either of the following options:
Specify the date/time value in UTC: For example, "2016-05-06 14:30:00z".
Specify the date/time value as a formula that converts the date/time in your
local time zone to UTC: For example, (Get-Date "5/6/2016 9:30
AM").ToUniversalTime() . For more information, see Get-Date.
The cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize
parameter to specify up to 250,000 log entries. Or, use the value Unlimited to
return all entries.
This example performs a search for all audit log entries with the following criteria:
PowerShell
To view the contents of the CmdletParameters and ModifiedProperties fields, use the
following steps.
1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet,
and store the results in a variable using the following command.
PowerShell
2. Each audit log entry is stored as an array element in the variable $Results . You can
select an array element by specifying its array element index. Array element
indexes start at zero (0) for the first array element. For example, to retrieve the 5th
array element, which has an index of 4, use the following command.
PowerShell
$Results[4]
3. The previous command returns the log entry stored in array element 4. To see the
contents of the CmdletParameters and ModifiedProperties fields for this log
entry, use the following commands.
PowerShell
$Results[4].CmdletParameters
$Results[4].ModifiedProperties
Field | Description
ObjectModified | The object that was modified by the cmdlet specified in the CmdletName field.
CmdletName | The name of the cmdlet that was run by the user in the Caller field.
CmdletParameters | The parameters that were specified when the cmdlet in the CmdletName field was run. Also stored in this field, but not visible in the default output, is the value specified with each parameter, if any.
ModifiedProperties | The properties that were modified on the object in the ObjectModified field. Also stored in this field, but not visible in the default output, are the old value of the property and the new value that was stored.
Caller | The user account of the user who ran the cmdlet in the CmdletName field.
Succeeded | Whether the cmdlet in the CmdletName field ran successfully. The value is either True or False.
Error | The error message generated if the cmdlet in the CmdletName field failed to complete successfully.
RunDate | The date and time when the cmdlet in the CmdletName field was run. The date and time are stored in Coordinated Universal Time (UTC) format.
OriginatingServer | The server on which the cmdlet specified in the CmdletName field was run.
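As an added example (not from the original article), this Exchange Online PowerShell script searches the admin audit log for the cmdlets that change spoof and impersonation settings, expands the CmdletParameters and ModifiedProperties fields described above, and flags the entries that widened an exception. The watched cmdlet list and the 14-day window are assumptions. Microsoft has since retired Search-AdminAuditLog; the same Exchange admin records are available from Search-UnifiedAuditLog -RecordType ExchangeAdmin.

```powershell
# Added example: who changed anti-spoofing / impersonation settings, and what
# the old and new values were. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline -ShowBanner:$false

# Cmdlets that alter spoof or impersonation posture. Get/Search/Test verbs are
# never logged, so only state-changing cmdlets are listed (assumed watch list).
$watched = @(
    'New-AntiPhishPolicy', 'Set-AntiPhishPolicy', 'Remove-AntiPhishPolicy',
    'New-TenantAllowBlockListSpoofItems', 'Set-TenantAllowBlockListSpoofItems',
    'Remove-TenantAllowBlockListSpoofItems',
    'Set-HostedContentFilterPolicy'
)

# Date/time values without a time zone are treated as UTC; convert explicitly.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-14)

$Results = Search-AdminAuditLog -Cmdlets $watched -StartDate $start -EndDate $end -ResultSize 5000

# Expand the two fields whose contents the default table output hides:
# CmdletParameters holds Name/Value pairs, ModifiedProperties holds
# Name/OldValue/NewValue.
$Results | ForEach-Object {
    $params  = ($_.CmdletParameters |
        ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    $changes = ($_.ModifiedProperties |
        ForEach-Object { "$($_.Name): '$($_.OldValue)' -> '$($_.NewValue)'" }) -join '; '
    [pscustomobject]@{
        RunDate   = $_.RunDate
        Caller    = $_.Caller
        Cmdlet    = $_.CmdletName
        Object    = $_.ObjectModified
        Succeeded = $_.Succeeded
        Params    = $params
        Changes   = $changes
    }
} | Sort-Object RunDate -Descending | Format-List

# Flag the changes that widen an exception: a new spoof allow entry, or a
# policy edit that touched the trusted domain / trusted sender lists.
$Results | Where-Object {
    ($_.CmdletName -eq 'New-TenantAllowBlockListSpoofItems' -and
        ($_.CmdletParameters | Where-Object { $_.Name -eq 'Action' -and $_.Value -eq 'Allow' })) -or
    ($_.CmdletName -eq 'Set-AntiPhishPolicy' -and
        ($_.ModifiedProperties | Where-Object { $_.Name -in 'ExcludedDomains', 'ExcludedSenders' }))
} | Select-Object RunDate, Caller, CmdletName, ObjectModified | Format-Table -AutoSize
```

Because entries are kept for only 90 days and can lag by up to 15 minutes, a scheduled run that exports the flagged rows to your SIEM is the practical way to keep a durable record of who opened which exception.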
Note
Some of the reports on the Email & collaboration reports page require Microsoft
Defender for Office 365. For information about these reports, see View Defender for
Office 365 reports in the Microsoft 365 Defender portal.
Reports that are related to mail flow are now in the Exchange admin center. For more
information about these reports, see Mail flow reports in the new Exchange admin
center.
Watch this short video to learn how you can use reports to understand the effectiveness of
Defender for Office 365 in your organization.
https://www.microsoft.com/en-us/videoplayer/embed/RWBkxB?postJsllMsg=true
Deprecated report and cmdlets | New report and cmdlets | Message Center ID | Date
URL trace (Get-URLTrace) | URL protection report (Get-SafeLinksAggregateReport, Get-SafeLinksDetailReport) | MC239999 | June 2021
Get-MailDetailReport | Get-MailTrafficATPReport, Get-MailDetailATPReport, Get-MailFlowStatusReport | |
Forwarding report (no cmdlets) | Auto-forwarded messages report in the EAC (no cmdlets) | MC250533 | June 2021
 | Get-MailDetailATPReport | |
Safe Attachments message disposition report (Get-AdvancedThreatProtectionTrafficReport, Get-MailDetailMalwareReport) | Threat protection status report: View data by Email > Malware (Get-MailTrafficATPReport, Get-MailDetailATPReport) | MC250531 | June 2021
Get-MailDetailMalwareReport | Get-MailTrafficATPReport, Get-MailDetailATPReport | |
Get-MailDetailSpamReport | Get-MailTrafficATPReport, Get-MailDetailATPReport | |
Get-AdvancedThreatProtectionDocumentDetail | Get-ContentMalwareMdoDetailReport | |
Get-MailDetailTransportRuleReport | Get-MailTrafficPolicyReport, Get-MailDetailTransportRuleReport | |
The Compromised users report shows the number of user accounts that were marked as
Suspicious or Restricted within the last 7 days. Accounts in either of these states are
problematic or even compromised. With frequent use, you can use the report to spot
spikes, and even trends, in suspicious or restricted accounts. For more information about
compromised users, see Responding to a compromised email account.
The aggregate view shows data for the last 90 days and the detail view shows data for the
last 30 days.
On the Compromised users page, the chart shows the following information for the
specified date range:
Restricted: The user account has been restricted from sending email due to highly
suspicious patterns.
Suspicious: The user account has sent suspicious email and is at risk of being
restricted from sending email.
The details table below the graph shows the following information:
Creation time
User ID
Action
Tags: For more information about user tags, see User tags.
You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
On the Compromised users page, the Create schedule, Request report, and
Export buttons are available.
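The report's value is in spotting spikes and in working the Restricted accounts first. The following is an added example (not Microsoft's code) that does both over a CSV export of the Compromised users details table; it assumes the columns the portal shows (Creation time, User ID, Action, Tags) and that multiple tags are separated by semicolons, and the sample rows are constructed.

```python
"""Spot spikes in the Compromised users report.

Added example, not Microsoft's code. It assumes a CSV export of the
Compromised users details table with the columns the portal shows
(Creation time, User ID, Action, Tags); the rows below are constructed.
"""
import csv
import io
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export: one account per day for a week, then a burst.
SAMPLE_EXPORT = """Creation time,User ID,Action,Tags
2023-01-09T08:12:00Z,alice@contoso.example,Suspicious,
2023-01-10T09:30:00Z,bob@contoso.example,Suspicious,Priority account
2023-01-11T14:05:00Z,carol@contoso.example,Restricted,
2023-01-12T10:45:00Z,dave@contoso.example,Suspicious,
2023-01-13T11:20:00Z,erin@contoso.example,Suspicious,
2023-01-14T07:55:00Z,frank@contoso.example,Restricted,Priority account
2023-01-14T08:10:00Z,grace@contoso.example,Restricted,
2023-01-14T08:12:00Z,heidi@contoso.example,Restricted,
2023-01-14T08:40:00Z,ivan@contoso.example,Suspicious,
2023-01-14T09:02:00Z,judy@contoso.example,Restricted,
"""

# The two account states the report tracks.
ACTIONS = ("Suspicious", "Restricted")


def parse_export(text):
    """Parse the CSV export into (day, user, action, tags) tuples.

    Day is the ISO date (UTC) taken from Creation time, so rows can be
    bucketed per day without further date handling. Tags are assumed to be
    semicolon-separated (an assumption about the export format).
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        action = row["Action"].strip()
        if action not in ACTIONS:
            raise ValueError(f"unexpected Action value: {action!r}")
        when = datetime.strptime(row["Creation time"].strip(), "%Y-%m-%dT%H:%M:%SZ")
        tags = [t.strip() for t in (row.get("Tags") or "").split(";") if t.strip()]
        rows.append((when.date().isoformat(), row["User ID"].strip(), action, tags))
    return rows


def daily_counts(rows):
    """Return {day: Counter({"Suspicious": n, "Restricted": m})}."""
    counts = defaultdict(Counter)
    for day, _user, action, _tags in rows:
        counts[day][action] += 1
    return dict(counts)


def spike_days(counts, min_delta=2):
    """Days whose total marked accounts exceed the median daily total by min_delta.

    The median is the baseline because a single bad day should not drag the
    baseline up with it. Returns ISO dates, oldest first.
    """
    totals = {day: sum(c.values()) for day, c in counts.items()}
    if not totals:
        return []
    baseline = statistics.median(totals.values())
    return sorted(day for day, n in totals.items() if n >= baseline + min_delta)


def restricted_accounts(rows, tag=None):
    """Accounts in the Restricted state, optionally only those carrying a user tag.

    Restricted accounts are already blocked from sending, so they are the
    first entries to work through; filtering on a tag orders the queue.
    """
    return sorted(
        user for _day, user, action, tags in rows
        if action == "Restricted" and (tag is None or tag in tags)
    )


if __name__ == "__main__":
    data = parse_export(SAMPLE_EXPORT)
    counts = daily_counts(data)
    for day in spike_days(counts):
        print("spike on", day, dict(counts[day]))
    print("restricted priority accounts:", restricted_accounts(data, "Priority account"))
```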
To view the report in the Microsoft 365 Defender portal, go to Reports > Email &
collaboration > Email & collaboration reports. On the Email & collaboration reports
page, find Exchange transport rule and then click View details. To go directly to the report,
open https://security.microsoft.com/reports/ETRRuleReport .
On the Exchange transport rule report page, the available charts and data are described in
the following sections.
Note
The Exchange transport rule report is now available in the EAC. For more information,
see Exchange transport rule report in the new EAC.
If you select Chart breakdown by Direction, the following charts are available:
View data by Exchange transport rules: The number of Inbound and Outbound
messages that were affected by mail flow rules.
View data by DLP Exchange transport rules: The number of Inbound and Outbound
messages that were affected by data loss prevention (DLP) mail flow rules.
The following information is shown in the details table below the graph:
Date
DLP policy (View data by DLP Exchange transport rules only)
Transport rule
Subject
Sender address
Recipient address
Severity
Direction
You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:
Date (UTC) Start date and End date.
Direction: Outbound and Inbound.
Severity: High severity, Medium severity, and Low severity
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
On the Exchange transport rule report page, the Create schedule, Request report,
and Export buttons are available.
If you select Chart breakdown by Severity, the following charts are available:
View data by Exchange transport rules: The number of High severity, Medium
severity, and Low severity messages. You set the severity level as an action in the rule
(Audit this rule with severity level or SetAuditSeverity). For more information, see
Mail flow rule actions in Exchange Online.
View data by DLP Exchange transport rules: The number of High severity, Medium
severity, and Low severity messages that were affected by DLP mail flow rules.
The following information is shown in the details table below the graph:
Date
DLP policy (View data by DLP Exchange transport rules only)
Transport rule
Subject
Sender address
Recipient address
Severity
Direction
You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
On the Exchange transport rule report page, the Create schedule, Request report,
and Export buttons are available.
Forwarding report
Note
This report is now available in the EAC. For more information, see Auto forwarded
messages report in the new EAC.
On the Mailflow status report page, the Type tab is selected by default. The chart shows
the following information for the specified date range:
Good mail: Email that's determined not to be spam or that's allowed by user or
organizational policies.
Total
Malware: Email that's blocked as malware by various filters.
Phishing email: Email that's blocked as phishing by various filters.
Spam: Email that's blocked as spam by various filters.
Edge protection: Email that's rejected at the edge/perimeter before being evaluated
by EOP or Defender for Office 365.
Rule messages: Email messages that were acted upon by mail flow rules (also known
as transport rules).
The details table below the graph shows the following information:
Direction
Type
24 hours
3 days
7 days
15 days
30 days
You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
Back on the Mailflow status report page, if you click Choose a category for more details,
you can select from the following values:
Phishing email: This selection takes you to the Threat protection status report.
Malware in email: This selection takes you to the Threat protection status report.
Spam detections: This selection takes you to the Spam Detections report.
Edge blocked spam: This selection takes you to the Spam Detections report.
On the Mailflow status report page, the Create schedule and Export buttons are
available.
If you click the Direction tab, the chart shows the following information for the specified
date range:
Inbound
Outbound
You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
Back on the Mailflow status report page, if you click Choose a category for more details,
you can select from the following values:
Phishing email: This selection takes you to the Threat protection status report.
Malware in email: This selection takes you to the Threat protection status report.
Spam detections: This selection takes you to the Spam Detections report.
Edge blocked spam: This selection takes you to the Spam Detections report.
On the Mailflow status report page, the Create schedule and Export buttons are
available.
The aggregate view and details table view allow for 90 days of filtering.
The information in the diagram is color-coded by EOP or Defender for Office 365
technologies.
If you hover over a horizontal band in the diagram, you'll see the number of related
messages.
*
If you click on this element, the diagram is expanded to show further details. For a
description of each element in the expanded nodes, see Detection technologies.
The details table below the diagram shows the following information:
Date
Total email
Edge filtered
Rule messages
Anti-malware engine, Safe Attachments, rule filtered
DMARC impersonation, spoof, phish filtered
Detonation detection
Anti-spam filtered
ZAP removed
Messages where no threats were detected
If you select a row in the details table, a further breakdown of the email counts is shown in
the details flyout that appears.
You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:
Date (UTC) Start date and End date.
Direction: Outbound and Inbound.
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
Back on the Mailflow status report page, you can click Show trends to see trend graphs in
the Mailflow trends flyout that appears.
Note
This report has been deprecated. The same information is available in the Threat
protection status report.
Note
This report has been deprecated. The same information is available in the Threat
protection status report.
The aggregate and detail views of the report allow for 90 days of filtering.
To view the report in the Microsoft 365 Defender portal, go to Reports > Email &
collaboration > Email & collaboration reports. On the Email & collaboration reports
page, find Spoof detections and then click View details. To go directly to the report, open
https://security.microsoft.com/reports/SpoofMailReport .
Pass
Fail
SoftPass
None
Other
When you hover over a day (data point) in the chart, you can see how many spoofed
messages were detected and why.
You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:
The details table below the graph shows the following information:
Date
Spoofed user
Sending infrastructure
Spoof type
Result
Result code
SPF
DKIM
DMARC
Message count
For more information about composite authentication result codes, see Anti-spam
message headers in Microsoft 365.
On the Spoof detections page, the Create schedule, Request report, and Export
buttons are available.
Submissions report
The Submissions report shows information about items that admins have reported to
Microsoft for analysis. For more information, see Use Admin Submission to submit
suspected spam, phish, URLs, and files to Microsoft.
Pending
Completed
You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:
The report provides the count of email messages with malicious content, such as files or
website addresses (URLs) that were blocked by the anti-malware engine, zero-hour auto
purge (ZAP), and Defender for Office 365 features like Safe Links, Safe Attachments, and
impersonation protection features in anti-phishing policies. You can use this information to
identify trends or determine whether organization policies need adjustment.
Note: It's important to understand that if a message is sent to five recipients we count it as
five different messages and not one message.
To view the report in the Microsoft 365 Defender portal, go to Reports > Email &
collaboration > Email & collaboration reports. On the Email & collaboration reports
page, find Threat protection status and then click View details. To go directly to the report,
open one of the following URLs:
Defender for Office 365:
https://security.microsoft.com/reports/TPSAggregateReportATP
EOP: https://security.microsoft.com/reports/TPSAggregateReport
By default, the chart shows data for the past 7 days. If you click Filter on the Threat
protection status report page, you can select a 90-day date range (trial subscriptions
might be limited to 30 days). The details table allows filtering for 30 days.
In the View data by Overview view, the following detection information is shown in the
chart:
Email malware
Email phish
Email spam
Content malware
No details table is available below the chart.
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
Note
Starting in May 2021, phishing detections in email were updated to include message
attachments that contain phishing URLs. This change might shift some of the
detection volume out of the View data by Email > Malware view and into the View
data by Email > Phish view. In other words, message attachments with phishing URLs
that were traditionally identified as malware now might be identified as phishing
instead.
In the View data by Email > Phish and Chart breakdown by Detection Technology view,
the following information is shown in the chart:
* Defender for Office 365 only
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.
View data by Email > Spam and Chart breakdown by
Detection Technology
In the View data by Email > Spam and Chart breakdown by Detection Technology view,
the following information is shown in the chart:
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.
Note
Starting in May 2021, malware detections in email were updated to include harmful
URLs in messages attachments. This change might shift some of the detection volume
out of the View data by Email > Phish view and into the View data by Email >
Malware view. In other words, harmful URLs in message attachments that were
traditionally identified as phishing now might be identified as malware instead.
In the View data by Email > Malware and Chart breakdown by Detection Technology
view, the following information is shown in the chart:
* Defender for Office 365 only
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery Status
Sender IP
Tags: For more information about user tags, see User tags.
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.
In the View data by Email > Phish, View data by Email > Spam, or View data by Email >
Malware views, selecting Chart breakdown by Policy type shows the following information
in the chart:
Anti-malware
Safe Attachments*
Anti-phish
Anti-spam
Mail flow rule (also known as a transport rule)
Others
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.
* Defender for Office 365 only
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.
In the View data by Email > Phish, View data by Email > Spam, or View data by Email >
Malware views, selecting Chart breakdown by Delivery status shows the following
information in the chart:
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
Detection technology: The same detection technology values from the chart.
Delivery status
Sender IP
Tags: For more information about user tags, see User tags.
* Defender for Office 365 only
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.
In the View data by Content > Malware view, the following information is shown in the
chart for Microsoft Defender for Office 365 organizations:
Anti-malware engine: Malicious files detected in SharePoint, OneDrive, and Microsoft
Teams by the built-in virus detection in Microsoft 365.
MDO detonation: Malicious files detected by Safe Attachments for SharePoint,
OneDrive, and Microsoft Teams.
File reputation: The message contains a file that was previously identified as
malicious in other Microsoft 365 organizations.
In the details table below the chart, the following information is available:
Date (UTC)
Attachment filename
Workload
Detection technology: The same detection technology values from the chart.
File size
Last modifying user
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
On the Threat protection status page, the Create schedule, Request report, and
Export buttons are available.
In the View data by System override and Chart breakdown by Reason view, the following
override reason information is shown in the chart:
On-premises skip
IP allow
Exchange transport rule (mail flow rule)
Organization allowed senders
Organization allowed domains
ZAP not enabled
User Safe Sender
User Safe Domain
Phishing simulation: For more information, see Configure the delivery of third-party
phishing simulations to users and unfiltered messages to SecOps mailboxes.
Third party filter
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
System override
Sender IP
Tags: For more information about user tags, see User tags.
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
In the View data by System override and Chart breakdown by Delivery location view, the
following override reason information is shown in the chart:
In the details table below the chart, the following information is available:
Date
Subject
Sender
Recipients
System override
Sender IP
Tags: For more information about user tags, see User tags.
* Defender for Office 365 only
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
To view the report in the Microsoft 365 Defender portal, go to Reports > Email &
collaboration > Email & collaboration reports. On the Email & collaboration reports
page, find Top malware and then click View details. To go directly to the report, open
https://security.microsoft.com/reports/TopMalware .
When you hover over a wedge in the pie chart, you can see the name of a kind of malware
and how many messages were detected as having that malware.
On the Top malware report page, a larger version of the pie chart is displayed. The details
table below the chart shows the following information:
Top malware
Count
If you click Filter, you can specify a date range with Start date and End date.
On the Top malware page, the Create schedule and Export buttons are available.
The Top senders and recipients report shows the top message senders in your organization,
as well as the top recipients for messages that were detected by EOP and Defender for
Office 365 protection features. By default, the report shows data for the last week, but
data is available for the last 90 days.
When you hover over a wedge in the pie chart, you can see the number of messages for
the sender or recipient.
On the Top senders and recipients page, a larger version of the pie chart is displayed. The
following charts are available:
Show data for Top mail senders (this is the default view)
Show data for Top mail recipients
Show data for Top spam recipients
Show data for Top malware recipients (EOP)
Show data for Top phishing recipients
Show data for Top malware recipients (MDO)
Show data for Top phish recipients (MDO)
When you hover over a wedge in the pie chart, you can see the message count for that
specific sender or recipient.
The details table below the graph shows the senders or recipients and message counts
based on the view you selected.
You can filter both the chart and the details table by clicking Filter and selecting Start date
and End date. Users can also filter by user tags.
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
On the Top senders and recipients page, the Export button is available.
Important
In order for the User reported messages report to work correctly, audit logging must
be turned on for your Microsoft 365 environment. This is typically done by someone
who has the Audit Logs role assigned in Exchange Online. For more information, see
Turn Microsoft 365 audit log search on or off.
The User reported messages report shows information about email messages that users
have reported as junk, phishing attempts, or good mail by using the built-in Report button
in Outlook on the web or the Microsoft Report Message or Report Phishing add-ins.
To view the report in the Microsoft 365 Defender portal, go to Reports > Email &
collaboration > Email & collaboration reports. On the Email & collaboration reports
page, find User reported messages and then click View details. To go directly to the
report, open https://security.microsoft.com/reports/userSubmissionReport . To go to
admin submissions in the Microsoft 365 Defender portal, click Go to Submissions.
You can filter both the chart and the details table by clicking Filter and selecting one or
more of the following values in the flyout that appears:
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
To group the entries, click Group and select one of the following values from the drop-down list:
None
Reason
Sender
Reported by
Rescan result
Phish simulation
The details table below the graph shows the following information:
Email subject
Reported by
Date reported
Sender
Reported reason
Rescan result
Tags: For more information about user tags, see User tags.
To submit a message to Microsoft for analysis, select the message entry from the table,
click Submit to Microsoft for analysis and then select one of the following values from the
drop-down list:
Report clean
Report phishing
Report malware
Report spam
Trigger investigation (Defender for Office 365)
On the User reported messages page, the Export button is available.
Organization Management
Security Administrator
Security Reader
Global Reader
For more information, see Permissions in the Microsoft 365 Defender portal.
Note: Adding users to the corresponding Azure Active Directory role in the Microsoft 365
admin center gives users the required permissions in the Microsoft 365 Defender portal
and permissions for other features in Microsoft 365. For more information, see About
admin roles.
Schedule report
Note
2. The Create scheduled report wizard opens. On the Name scheduled report page,
review or customize the Name value, and then click Next.
4. On the Recipients page, choose recipients for the report. The default value is your
email address, but you can add others.
5. On the Review page, review your selections. You can click the Back button or the Edit
link in the respective sections to make changes.
2. On the Manage schedules page, the following information is shown for each
scheduled report:
3. After you select the scheduled report, do any of the following actions in the details
flyout that opens:
Edit name: Click this button, change the name of the report in the flyout that
appears, and then click Save.
Delete schedule: Click this button, read the warning that appears (previous
reports will no longer be available for download), and then click Save.
Schedule details section: Click Edit preferences to change the following
settings:
Frequency: Weekly or Monthly
Start date
Expiry date
Recipients section: Click Edit recipients to add or remove recipients for the
scheduled report. When you're finished, click Save.
Request report
1. On the main page for the specific report, click Request report.
2. The Create on-demand report wizard opens. On the Name on-demand report page,
review or customize the Name value, and then click Next.
Start date: When generation of the report begins. The default value is one
month ago.
Expiry date: When generation of the report ends. The default value is today.
4. On the Recipients page, choose recipients for the report. The default value is your
email address, but you can add others.
5. On the Review page, review your selections. You can click the Back button or the Edit
link in the respective sections to make changes.
6. After the report has been successfully created, you're taken to the New on-demand
report created page, where you can click Create another report or Done.
The report is also available on the Reports for download page as described in the
next section.
Download reports
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Reports > expand Email & collaboration > select Reports for download.
2. On the Reports for download page, the following information is shown for each
available report:
Start date
Name
Report type
Last sent
Direction
Export report
On the main page for the specific report, click Export (if that link is available). An Export
conditions flyout appears where you can configure the following settings:
When you're finished configuring the filters, click Export. In the dialog that opens, you can
choose to open the file, save the file, or remember the selection.
Each exported .csv file is limited to 150,000 rows. If the data contains more than 150,000
rows, multiple .csv files are created.
Related topics
Anti-spam protection in EOP
Microsoft Defender for Office 365 organizations (for example, Microsoft 365 E5
subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for
Office 365 Plan 2 add-ons) contain a variety of security-related reports. If you have the
necessary permissions, you can view and download these reports in the Microsoft 365
Defender portal.
View reports
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to
Reports > Email & collaboration > Email & collaboration reports. To go directly
to the Email & collaboration reports page, use
https://security.microsoft.com/emailandcollabreport .
2. Choose the report you want to view, and then select View details.
Download reports
In the Microsoft 365 Defender portal at https://security.microsoft.com , go to Reports
> Email & collaboration > Reports for download. To go directly to the Reports for
download page, use https://security.microsoft.com/ReportsForDownload?viewid=custom.
Note
Email security reports that don't require Defender for Office 365 are described in
View email security reports in the Microsoft 365 Defender portal.
Reports that are related to mail flow are now in the Exchange admin center (EAC).
For more information about these reports, see Mail flow reports in the new
Exchange admin center.
Note
This report has been deprecated. The same information is available in the Threat
protection status report.
Note
This report has been deprecated. The same information is available in the Threat
protection status report.
Mail latency report
The Mail latency report shows you an aggregate view of the mail delivery and
detonation latency experienced within your organization. Mail delivery times in the
service are affected by a number of factors, and the absolute delivery time in seconds is
often not a good indicator of success or a problem. A slow delivery time on one day
might be considered an average delivery time on another day, or vice versa. The report
therefore qualifies message delivery based on statistical data about the observed delivery
times of other messages.
On the Email & collaboration reports page, find Mail latency report and then click View
details. To go directly to the report, use
https://security.microsoft.com/mailLatencyReport .
The following tabs are available on the Mail latency report page:
50th percentile: This is the midpoint of message delivery times: half of the messages
were delivered faster than this value and half slower. You can consider this value an
average delivery time. This tab is selected by default.
90th percentile: This indicates a high latency for message delivery. Only 10% of
messages took longer than this value to deliver.
99th percentile: This indicates the highest latency for message delivery.
Regardless of the tab you select, the chart shows messages organized into the following
categories:
Overall
Detonation
When you hover over a category in the chart, you can see a breakdown of the latency in
each category.
If you click Filter, you can filter both the chart and the details table by the following
values:
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
In the details table below the chart, the following information is available:
Date (UTC)
Latency
Message count
50th percentile
90th percentile
99th percentile
To view the report, open the Microsoft 365 Defender portal, go to Reports > Email &
collaboration > Email & collaboration reports. On the Email & collaboration reports
page, find URL protection report and then click View details. To go directly to the report,
open https://security.microsoft.com/reports/URLProtectionActionReport .
The available views on the URL protection report page are described in the following
sections.
Note
This is a protection trend report, meaning data represents trends in a larger dataset.
As a result, the data in the charts is not available in real time here, but the data in
the details table is, so you may see a slight discrepancy between the two. The
charts are refreshed once every four hours and contain data for the last 90 days.
The View data by URL click protection action view shows the number of URL clicks by
users in the organization and the results of the click:
Allowed: Clicks allowed.
Allowed by tenant admin: Clicks allowed in Safe Links policies.
Blocked: Clicks blocked.
Blocked by tenant admin: Clicks blocked in Safe Links policies.
Blocked and clicked through: Blocked clicks where users click through to the
blocked URL.
Blocked by tenant admin and clicked through: Admin has blocked the link, but
the user clicked through.
Clicked through during scan: Clicks where users click through the pending scan
page to the URL.
Pending scan: Clicks on URLs that are pending a scan verdict.
A click indicates that the user has clicked through the block page to the malicious
website (admins can disable click through in Safe Links policies).
If you click Filters, you can modify the report and the details table by selecting one or
more of the following values in the flyout that appears:
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
The details table below the chart provides the following near-real-time view of all clicks
that happened within the organization for the last 7 days:
Click time
User
URL
Action
App
On the main report page, the Create schedule, Request report, and Export
buttons are available.
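The click-through actions listed above are the ones to triage first, since each means a user went past a block page or a pending-scan page. The following is an added example (not Microsoft's code) that works through a CSV export of this view's details table; it assumes the columns the portal shows (Click time, User, URL, Action, App) and the Action values defined in the report, and the sample rows and hostnames are constructed placeholders.

```python
"""Triage Safe Links clicks from a URL protection report export.

Added example, not Microsoft's code. It assumes a CSV export of the
report's details table with the columns the portal shows (Click time,
User, URL, Action, App) and uses the Action values the report defines;
the rows below are constructed and the hostnames are placeholders.
"""
import csv
import io
from collections import Counter, defaultdict

# Action values from the "URL click protection action" view. The three
# click-through values mean a user went past a block or pending-scan page.
CLICK_THROUGH_ACTIONS = {
    "Blocked and clicked through",
    "Blocked by tenant admin and clicked through",
    "Clicked through during scan",
}
BLOCK_ACTIONS = {"Blocked", "Blocked by tenant admin"} | CLICK_THROUGH_ACTIONS
ALL_ACTIONS = BLOCK_ACTIONS | {"Allowed", "Allowed by tenant admin", "Pending scan"}

# Constructed sample export; hosts are placeholders, not real indicators.
SAMPLE_EXPORT = """Click time,User,URL,Action,App
2023-01-16T09:01:00Z,alice@contoso.example,https://portal.contoso.example/,Allowed,Email client
2023-01-16T09:04:00Z,bob@contoso.example,https://bad.example/invoice,Blocked,Email client
2023-01-16T09:05:00Z,bob@contoso.example,https://bad.example/invoice,Blocked and clicked through,Email client
2023-01-16T10:12:00Z,carol@contoso.example,https://bad.example/invoice,Blocked,Teams
2023-01-16T11:30:00Z,dave@contoso.example,https://new.example/doc,Pending scan,Office document
2023-01-16T11:31:00Z,dave@contoso.example,https://new.example/doc,Clicked through during scan,Office document
2023-01-17T08:00:00Z,erin@contoso.example,https://partner.example/,Allowed by tenant admin,Email client
2023-01-17T08:20:00Z,bob@contoso.example,https://bad.example/reset,Blocked by tenant admin and clicked through,Email client
"""


def parse_export(text):
    """Parse the CSV export into dicts, rejecting unknown Action values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        clean = {k: v.strip() for k, v in row.items()}
        if clean["Action"] not in ALL_ACTIONS:
            raise ValueError(f"unexpected Action value: {clean['Action']!r}")
        rows.append(clean)
    return rows


def action_summary(rows):
    """Count clicks per Action, which is what the chart in this view plots."""
    return Counter(r["Action"] for r in rows)


def click_throughs_by_user(rows):
    """Map each user to the URLs they clicked through to, in click order.

    These users reached a blocked or not-yet-scanned page. Admins can remove
    the click-through option in Safe Links policies; until then, these are
    the users to follow up with first.
    """
    result = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["Click time"]):
        if r["Action"] in CLICK_THROUGH_ACTIONS:
            result[r["User"]].append(r["URL"])
    return dict(result)


def blocked_urls_by_hits(rows):
    """Count blocked clicks per URL so the most-clicked blocked links surface first."""
    return Counter(r["URL"] for r in rows if r["Action"] in BLOCK_ACTIONS)


def click_throughs_by_app(rows):
    """Click-throughs split by app (Email client, Office document, Teams)."""
    return Counter(r["App"] for r in rows if r["Action"] in CLICK_THROUGH_ACTIONS)


if __name__ == "__main__":
    data = parse_export(SAMPLE_EXPORT)
    print(dict(action_summary(data)))
    for user, urls in click_throughs_by_user(data).items():
        print(user, "clicked through to", urls)
    print(blocked_urls_by_hits(data).most_common(3))
    print(dict(click_throughs_by_app(data)))
```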
View data by URL click by application
The View data by URL click by application view shows the number of URL clicks by
apps that support Safe Links:
Email client
Office document
Teams
If you click Filters, you can modify the report and the details table by selecting one or
more of the following values in the flyout that appears:
When you're finished configuring the filters, click Apply, Cancel, or Clear filters.
The details table below the chart provides the following near-real-time view of all clicks
that happened within the organization for the last 7 days:
Click time
User
URL
Action
App
On the main report page, the Create schedule, Request report, and Export
buttons are available.
Additional reports to view
In addition to the reports described in this article, several other reports are available, as
described in the following table:
Report | Topic
Explorer (Microsoft Defender for Office 365 Plan 2) or real-time detections (Microsoft Defender for Office 365 Plan 1) | Threat Explorer (and real-time detections)
Email security reports that don't require Defender for Office 365 | View email security reports in the Microsoft 365 Defender portal
Mail flow reports in the Exchange admin center (EAC) | Mail flow reports in the new Exchange admin center
Get-MailDetailATPReport
Get-SafeLinksDetailReport
Get-CompromisedUserDetailReport
Organization Management
Security Administrator
Security Reader
Global Reader
For more information, see Permissions in the Microsoft 365 Defender portal.
Note: Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions in the Microsoft 365 Defender
portal and permissions for other features in Microsoft 365. For more information, see
About admin roles.
Message trace follows email messages as they travel through your Exchange Online
organization. You can determine if a message was received, rejected, deferred, or
delivered by the service. It also shows what actions were taken on the message before it
reached its final status.
You can use the information from message trace to efficiently answer user questions
about what happened to messages, troubleshoot mail flow issues, and validate policy
changes.
Note
Message trace in the Microsoft 365 Defender portal is just a pass through to
Message trace in the Exchange admin center. For more information, see Message
trace in the modern Exchange admin center.
The maximum number of messages that are displayed in the results of a message
trace depends on the report type you selected (see the Choose report type section
for details). The Get-HistoricalSearch cmdlet in Exchange Online PowerShell or
standalone EOP PowerShell returns all messages in the results.
At this point, message trace in the EAC opens. For more information, see Message trace
in the modern Exchange admin center.
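The message trace and historical search described above can also be driven from Exchange Online PowerShell. The following is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange Online role that permits message trace. The addresses, report title and dates are constructed placeholders. The 10-day window for Get-MessageTrace is from my own knowledge of the service at the time of writing, not from the article.

```powershell
# Added example (not from the Microsoft article): message trace from PowerShell.
# Assumes the ExchangeOnlineManagement module; addresses and dates are constructed.
Connect-ExchangeOnline

$sender    = 'sender@contoso.example'     # constructed placeholder
$recipient = 'user@contoso.example'       # constructed placeholder
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date

# Get-MessageTrace covers the recent window (about the last 10 days at the time of
# writing); results are paged, so ask for a large page and sort by receive time.
$trace = Get-MessageTrace -SenderAddress $sender -RecipientAddress $recipient `
                          -StartDate $start -EndDate $end -PageSize 500

$trace | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status |
    Sort-Object Received | Format-Table -AutoSize

# Drill into the routing events of the newest message: this is where the actions taken
# on the message before it reached its final status (filtering, rules, delivery) appear.
$latest = $trace | Sort-Object Received -Descending | Select-Object -First 1
if ($latest) {
    Get-MessageTraceDetail -MessageTraceId $latest.MessageTraceId `
                           -RecipientAddress $latest.RecipientAddress |
        Select-Object Date, Event, Action, Detail | Format-Table -AutoSize -Wrap
}

# Messages older than the real-time window need a historical search. The report is
# built asynchronously; Get-HistoricalSearch shows its status and the download link.
$job = Start-HistoricalSearch -ReportTitle 'Trace for user@contoso.example' `
        -ReportType MessageTrace -StartDate (Get-Date).AddDays(-60) -EndDate $start `
        -RecipientAddress $recipient -NotifyAddress 'secops@contoso.example'

Get-HistoricalSearch -JobId $job.JobId | Select-Object ReportTitle, Status, Rows, FileUrl
```

Unlike the portal, the historical search result is a CSV that can be kept with the case file; re-run Get-HistoricalSearch until Status reads Done before downloading FileUrl.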
Responding to a Compromised Email
Account
Article • 01/17/2023 • 8 minutes to read
Using the stolen credentials, the attacker can access the user's Microsoft 365 mailbox,
SharePoint folders, or files in the user's OneDrive. One action commonly seen is the
attacker sending emails as the original user to recipients both inside and outside of the
organization. When the attacker emails data to external recipients, this is called data
exfiltration.
If a user reports any of the above symptoms, you should perform further investigation.
The Microsoft 365 Defender portal and the Azure portal offer tools to help you
investigate the activity of a user account that you suspect may be compromised.
Unified audit logs in the Microsoft 365 Defender portal: Review all the activities
for the suspected account by filtering the results for the date range spanning from
immediately before the suspicious activity occurred to the current date. Do not
filter on the activities during the search. For more information, see Search the audit
log in the compliance center.
Azure AD Sign-in logs and other risk reports in the Azure AD portal: Examine the
values in these columns:
Review IP address
sign-in locations
sign-in times
sign-in success or failure
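The two evidence sources above (unified audit log activity and Azure AD sign-ins) can be pulled with PowerShell so that the investigator can work from an exported copy. The following is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the caller holds the roles needed to read audit and sign-in data. The UPN, the date of the reported activity and the list of operations to highlight are constructed for the example.

```powershell
# Added example (not from the Microsoft article): collecting audit-log and sign-in
# evidence for a suspected compromised account. Assumes ExchangeOnlineManagement and
# Microsoft.Graph modules; UPN and dates are constructed placeholders.
$upn        = 'jane.doe@contoso.example'      # constructed placeholder
$suspectDay = Get-Date '2023-01-10'           # constructed: when the odd activity was reported
$start      = $suspectDay.AddDays(-1)         # from just before the activity...
$end        = Get-Date                        # ...to now, with no operation filter (per the article)

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# 1. Unified audit log: every recorded operation for the account in the window.
#    Large result sets are paged with a session id; loop until a short page comes back.
$sessionId = [guid]::NewGuid().ToString()
$audit = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $upn `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $audit += $page
} while ($page.Count -eq 5000)

# Overview of what the account did, most frequent operations first.
$audit | Group-Object Operations | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Operations worth reading in full in a mailbox-takeover case (constructed sample list):
# forwarding, inbox rules and delegation changes. AuditData is JSON; expand it.
$watch = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox', 'Add-MailboxPermission'
$audit | Where-Object { $_.Operations -in $watch } |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ClientIP,
        @{n='Parameters'; e={ ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }} |
    Format-Table -Wrap

# 2. Azure AD sign-in logs: IP address, location, time and success/failure per sign-in.
$since   = $start.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

$signIns | Select-Object CreatedDateTime, IpAddress,
        @{n='Location'; e={ "$($_.Location.City), $($_.Location.CountryOrRegion)" }},
        @{n='Result';   e={ if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure ($($_.Status.ErrorCode))" } }},
        ClientAppUsed, AppDisplayName |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# Successful sign-ins grouped by IP and country: the quickest signal of access from
# a place the user has never signed in from before.
$signIns | Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object IpAddress, { $_.Location.CountryOrRegion } |
    Select-Object Count, Name | Sort-Object Count -Descending
```

Keep the raw `$audit` and `$signIns` objects (for example with Export-Clixml) before any containment step; once the account is reset, the sign-in pattern that proved the compromise is harder to reconstruct from the portal views alone.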
You must do all of the following steps as soon as possible to regain access to the account and
make sure that the hijacker doesn't resume control of it. These steps help you remove any
back-door entries that the hijacker may have added to the account. After you do these
steps, we recommend that you run a virus scan to make sure that your computer isn't
compromised.
Important
Do not send the new password to the intended user through email as the
attacker still has access to the mailbox at this point.
Make sure that the password is strong and that it contains upper and
lowercase letters, at least one number, and at least one special character.
Don't reuse any of your last five passwords. Even though the password history
requirement lets you reuse a more recent password, you should select
something that the attacker can't guess.
If your on-premises identity is federated with Microsoft 365, you must change
your password on-premises, and then you must notify your administrator of
the compromise.
2. On the Active users page, find the user account in question, and select the user
(row) without selecting the checkbox.
4. If the value in the Email forwarding section is Applied, click Manage email
forwarding. In the Manage email forwarding flyout that appears, clear Forward all
email sent to this mailbox, and then click Save changes.
To unblock a mailbox from sending mail, follow the procedures in Removing a user from
the Restricted Users portal after sending spam email.
Important
You can block the suspected compromised account from signing-in until you
believe it is safe to re-enable access.
2. On the Active users page, find and select the user account, click , and then select
Edit sign-in status.
3. On the Block sign-in pane that appears, select Block this user from signing in, and
then click Save changes.
5. On the Mailboxes page, find and select the user. In the mailbox details flyout that
opens, do the following steps:
In the Email apps section, select Manage email apps settings. In the Manage
settings for email apps flyout that appears, block all of the available settings
by moving the toggle to the right :
Outlook on the web
Outlook desktop (MAPI)
Exchange Web Services
Mobile (Exchange ActiveSync)
IMAP
POP3
Note
Administrative role group membership can be restored after the account has been
secured.
ii. On the Editing Choose members flyout that appears, click Edit.
iv. In the flyout that appears, select the user account, and then click Remove.
3. Make sure that your contact information, such as telephone numbers and
addresses, is correct.
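The containment steps described above (reset the password, remove forwarding, block sign-in, block the email apps, and look for back doors such as delegates) can be scripted so that they run in one pass and in a safe order. The following is an added example, not code from the Microsoft article; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules and that the caller holds the Exchange and directory roles those cmdlets require. The UPN is a constructed placeholder, the New-RandomPassword helper is my own, and the inbox-rule and delegate checks go beyond the article's forwarding step (the article links to the Outlook rules topic under See also). Blocking sign-in before the reset is a deliberate ordering choice so that tokens the attacker already holds stop working.

```powershell
# Added example (not from the Microsoft article): containing a compromised account with
# Exchange Online and Microsoft Graph PowerShell. UPN is a constructed placeholder.
$upn = 'jane.doe@contoso.example'   # constructed placeholder

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'

function New-RandomPassword {
    # One character from each class guarantees the upper/lower/digit/special rule above;
    # the rest are drawn from all classes with the platform CSPRNG (Get-Random is not
    # cryptographic, so it is used only to shuffle the final order).
    param([int]$Length = 24)
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = {
        param([string]$s)
        $b = New-Object byte[] 4
        $rng.GetBytes($b)
        $s[[int]([BitConverter]::ToUInt32($b, 0) % $s.Length)]
    }
    $chars  = @(foreach ($s in $sets) { & $pick $s })
    $chars += @(1..($Length - $sets.Count) | ForEach-Object { & $pick $all })
    -join ($chars | Sort-Object { Get-Random })
}

# 1. Block sign-in, then revoke refresh tokens and sessions the attacker may hold.
Update-MgUser -UserId $upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $upn | Out-Null

# 2. Reset the password; force a change at next sign-in. Hand the value to the user
#    out of band (phone, in person), never by email to the still-exposed mailbox.
$newPassword = New-RandomPassword
Update-MgUser -UserId $upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
Write-Host "Temporary password (deliver out of band, not by email): $newPassword"

# 3. Clear mailbox-level forwarding, then remove inbox rules that forward, redirect or
#    delete mail, which is where attackers commonly hide a second forwarding path.
Set-Mailbox -Identity $upn -ForwardingAddress $null -ForwardingSmtpAddress $null `
            -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    ForEach-Object {
        Write-Host "Removing suspicious inbox rule: $($_.Name)"
        Remove-InboxRule -Mailbox $upn -Identity $_.Identity -Confirm:$false
    }

# 4. Block every email client protocol until the account is confirmed clean (the same
#    toggles as the Manage settings for email apps flyout).
Set-CASMailbox -Identity $upn -OWAEnabled $false -MAPIEnabled $false -EwsEnabled $false `
               -ActiveSyncEnabled $false -ImapEnabled $false -PopEnabled $false

# 5. List explicit (non-inherited) delegates so any the attacker added can be reviewed.
Get-MailboxPermission -Identity $upn |
    Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and -not $_.IsInherited } |
    Select-Object User, AccessRights

# 6. Verify the containment state before re-enabling anything.
Get-Mailbox -Identity $upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-CASMailbox -Identity $upn | Select-Object OWAEnabled, MAPIEnabled, EwsEnabled, ActiveSyncEnabled, ImapEnabled, PopEnabled
Get-MgUser -UserId $upn -Property AccountEnabled | Select-Object AccountEnabled
```

Re-enabling the account (Update-MgUser -AccountEnabled:$true and the matching Set-CASMailbox toggles) is deliberately left out of the script so that it only happens after the review in step 6 and after the user has been reached out of band.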
See also
Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in
Microsoft 365
Detect and Remediate Illicit Consent Grants
Internet Crime Complaint Center
Securities and Exchange Commission - "Phishing" Fraud
To report spam email directly to Microsoft and your admin, use the Report Message
add-in
Remediate malicious email delivered in
Office 365
Article • 12/09/2022 • 9 minutes to read
Remediation means taking a prescribed action against a threat. Malicious email sent to
your organization can be cleaned up either by the system, through zero-hour auto
purge (ZAP), or by security teams through remediation actions like move to inbox, move
to junk, move to deleted items, soft delete, or hard delete. Microsoft Defender for Office
365 Plan 2/E5 enables security teams to remediate threats in email and collaboration
functionality through manual and automated investigation.
Note
To remediate malicious email, security teams need the Search and Purge role
assigned to them. Role assignment is done through permissions in the Microsoft
365 Defender portal.
Because email actions create automated investigations in the backend, you need to
enable Automated Investigation. Go to Settings > Endpoints > Advanced features and
turn on Automated Investigation.
Manual and automated remediation
Manual hunting occurs when security teams identify threats manually by using the
search and filtering capabilities in Explorer. Manual email remediation can be triggered
through any email view (Malware, Phish, or All email) after you identify a set of emails
that need to be remediated.
Choose emails by hand: Use filters in various views. Select up to 100 emails to
remediate.
Query selection: Select an entire query by using the top select all button. The same
query is also shown in action center mail submission details. Customers can submit
maximum 200,000 emails from threat explorer.
Query selection with exclusion: Sometimes security operations teams may want to
remediate emails by selecting an entire query and excluding certain emails from
the query manually. To do so, an admin can use the Select all check box and scroll
down to exclude emails manually. The query can hold a maximum of 200,000
emails.
Once emails are selected through Explorer, you can start remediation by taking direct
action or by queuing up emails for an action:
Direct approval: When actions like move to inbox, move to junk, move to deleted
items, soft delete, or hard delete are selected by security personnel who have
appropriate permissions, and the next steps in remediation are followed, the
remediation process begins to execute the selected action.
Note
As the remediation is kicked off, it generates an alert and an investigation in parallel.
The alert shows up in the alerts queue with the name "Administrative action submitted by
an Administrator", indicating that security personnel took the action of remediating an
entity. It presents details such as the name of the person who performed the action, a
link to the supporting investigation, and the time. This is useful for knowing every
time a disruptive action such as remediation is performed on entities. All these actions
can be tracked under the Actions & Submissions > Action center > History tab
(public preview).
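The soft-delete and hard-delete actions described above are portal actions in Explorer. The same outcome can be produced with Security & Compliance PowerShell, which is useful when the message set is defined by a query rather than hand-picked in Explorer. The following is an added example, not code from the Microsoft article, and it is a substitute for the Explorer flow rather than that feature itself; it needs the same Search and Purge role the note above mentions and assumes the ExchangeOnlineManagement module. The search name, subject, sender and dates are constructed. The per-mailbox purge limit in the comment is from my own knowledge of the cmdlet, not from the article.

```powershell
# Added example (not from the Microsoft article): query-driven soft delete of delivered
# messages with Security & Compliance PowerShell. Search name, subject, sender and
# dates are constructed placeholders.
Connect-IPPSSession

$searchName = 'IR-phish-2023-01-10'   # constructed: name the search after the case
$query      = 'subject:"Invoice overdue" AND from:billing@bad-domain.example ' +
              'AND received>=2023-01-09 AND received<=2023-01-11'

# 1. Define the search across all mailboxes and start it.
New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# 2. Wait for the estimate; never purge on a query whose scope has not been checked.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
Write-Host "Items matched: $($search.Items)"

if ($search.Items -gt 0) {
    # 3. SoftDelete moves the items to the Recoverable Items folder, which mirrors the
    #    'soft delete' action in Explorer (users can still recover them); HardDelete
    #    marks them for permanent removal. A purge action removes at most 10 items per
    #    mailbox per run, so re-run it for mailboxes with more hits.
    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null

    # 4. Track the action; Results holds the per-mailbox purge counts as text.
    Get-ComplianceSearchAction -Identity "${searchName}_Purge" | Select-Object Name, Status, Results
}
```

Because this path does not go through Explorer, it does not raise the "Administrative action submitted by an Administrator" alert or create the admin action investigation described above; record the search name and purge results with the case instead.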
Manual actions pending approval using the two-step approval process (1. Add to
remediation by one security operation team member, 2. Reviewed and approved by
another security operation team member) are visible at Actions & Submissions > Action
center > Pending tab (https://security.microsoft.com/action-center/pending ). After
approval, they're visible at Actions & Submissions > Action center > History tab
(https://security.microsoft.com/action-center/history ).
Unified Action Center shows remediation actions for the past 30 days. Actions taken
through Explorer are listed by the name that the security operations team provided
when the remediation was created as well as approval Id, Investigation Id. Actions taken
through automated investigations have titles that begin with the related alert that
triggered the investigation, such as Zap email cluster.
Open any remediation item to view details about it, including its remediation name,
approval Id, Investigation Id, creation date, description, status, action source, action
type, decided by, status. It also opens a side pane with action details, email cluster
details, alert and Incident details.
Open Investigation page: this opens an admin investigation that contains fewer
details and tabs. It shows details such as the related alert, the entity selected for
remediation, the action taken, the remediation status, the entity count, logs, and the
approver of the action. This investigation keeps track of the investigation done
manually by the admin and contains details of the selections the admin made, hence it
is called an admin action investigation. There is no need to act on the investigation
and alert; they're already in the approved state.
Email count Displays the number of emails submitted through Threat Explorer.
These emails can be actionable or not actionable.
Action logs Show the details of remediation statuses like successful, failed, and
already in destination.
Actionable: Emails in the following cloud mailbox locations can be acted on and
moved:
Inbox
Junk
Deleted folder
Soft-deleted folder
Note
Currently, only a user with access to the mailbox can recover items from a
soft-deleted folder.
Unless you're remediating old messages after your organization's Explorer retention
period, it's advisable to retry remediating items if you see number inconsistencies. For
system delays, remediation updates are typically refreshed within a few hours.
If your organization's retention period for email in Explorer is 30 days and you're
remediating emails going back 29-30 days, mail submission counts may not always add
up. The emails might have started moving out of the retention period already.
If remediations are stuck in the "In progress" state for a while, it's likely due to system
delays. It could take up to a few hours to remediate. You might see variations in mail
submission counts, as some of the emails may not have been included in the query at the
start of remediation due to system delays. It is a good idea to retry remediating in such
cases.
Note
Only remediable emails are acted on during remediation. Nonremediable emails can't
be remediated by the Office 365 email system, as they aren't stored in cloud mailboxes.
Admins can take actions on emails in quarantine if necessary, but those emails will
expire out of quarantine if they're not manually purged. By default, emails quarantined
because of malicious content aren't accessible by users, so security personnel don't have
to take any action to get rid of threats in quarantine. If the emails are on-premises or
external, the user can be contacted to address the suspicious email. Or the admins can
use separate email server/security tools for removal. These emails can be identified by
applying the delivery location = on-prem external filter in Explorer. For failed or dropped
email, or email not accessible by users, there won't be any email to mitigate, since these
mails don't reach the mailbox.
Action logs: This shows the messages remediated, successful, failed, already in
destination.
As only remediable emails can be acted on, each email's cleanup is shown as
successful or failed. From the total remediable emails, successful and failed
mitigations are reported.
Success: The desired action on remediable emails was accomplished. For
example: An admin wants to remove emails from mailboxes, so the admin takes
the action of soft-deleting emails. If a remediable email isn't found in the
original folder after the action is taken, the status will show as successful.
Failure: The desired action on remediable emails failed. For example: An admin
wants to remove emails from mailboxes, so the admin takes the action of soft-
deleting emails. If a remediable email is still found in the mailbox after the
action is taken, status will show as failed.
Already in destination: The desired action was already taken on the email, or
the email already existed in the destination location. For example: An email was
soft deleted by the admin through Explorer on day one. Then similar emails
show up on day two, which are again soft deleted by the admin. While selecting
these emails, the admin ends up picking some emails from day one that are already
soft deleted. These emails will not be acted upon again; they will just show
as "already in destination", since no action was taken on them because they already
existed in the destination location.
New: An Already in destination column has been added in the Action Log. This
feature uses the latest delivery location in Threat Explorer to signal if the mail
has already been remediated. Already in destination will help security teams
understand the total number of messages that still need to be addressed.
Actions can only be taken on messages in Inbox, Junk, Deleted, and Soft Deleted folders
of Threat Explorer. Here's an example of how the new column works. A soft delete action
takes place on the message present in the Inbox, then the message will be handled
according to policies. The next time a soft delete is performed, this message will show
under the column 'Already in destination' signaling it doesn't need to be addressed
again.
Select any item in the action log to display remediation details. If the details say
"successful" or "not found in mailbox", that item was already removed from the mailbox.
Sometimes there's a system error during remediation. In those cases, it's a good idea to
retry the remediation action.
In case of remediating large batches of email, export the messages sent for remediation
via Mail Submission, and messages that were remediated via Action Logs. The export
limit is increased to 100,000 records.
Admins can take remediation actions like moving email messages to Junk, Inbox, or
Deleted items folder and delete actions like soft deleted or hard delete from Advanced
Hunting pages.
Remediation mitigates threats, addresses suspicious emails, and helps keep an
organization secure.
Automated investigation and response
(AIR) in Microsoft Defender for Office
365
Article • 12/22/2022 • 6 minutes to read
Microsoft Defender for Office 365 includes powerful automated investigation and
response (AIR) capabilities that can save your security operations team time and effort.
As alerts are triggered, it's up to your security operations team to review, prioritize, and
respond to those alerts. Keeping up with the volume of incoming alerts can be
overwhelming. Automating some of those tasks can help.
AIR enables your security operations team to operate more efficiently and effectively.
AIR capabilities include automated investigation processes in response to well-known
threats that exist today. Appropriate remediation actions await approval, enabling your
security operations team to respond effectively to detected threats. With AIR, your
security operations team can focus on higher-priority tasks without losing sight of
important alerts that are triggered.
This article also includes next steps, and resources to learn more.
2. While an automated investigation runs, it gathers data about the email in question
and entities related to that email. Such entities can include files, URLs, and
recipients. The investigation's scope can increase as new and related alerts are
triggered.
3. During and after an automated investigation, details and results are available to
view. Results might include recommended actions that can be taken to respond to
and remediate any existing threats that were found.
Note: If the investigation does not result in recommended actions, the automated
investigation will close, and the details of what was reviewed as part of the automated
investigation will still be available on the investigation page.
In Microsoft Defender for Office 365, no remediation actions are taken automatically.
Remediation actions are taken only upon approval by your organization's security team.
AIR capabilities save your security operations team time by identifying remediation
actions and providing the details needed to make an informed decision.
During and after each automated investigation, your security operations team can:
Tip
In addition, make sure to review your organization's alert policies, especially the default
policies in the Threat management category.
Alert | Severity | How the alert is generated
A potentially malicious URL click was detected | High | This alert is generated when any of the following occurs: a user protected by Safe Links in your organization clicks a malicious link; verdict changes for URLs are identified by Microsoft Defender for Office 365; users override Safe Links warning pages (based on your organization's Safe Links policy). For more information on events that trigger this alert, see Set up Safe Links policies.
An email message is reported by a user as malware or phish | Informational | This alert is generated when users in your organization report messages as phishing email using the Microsoft Report Message or Report Phishing add-ins.
Email messages containing malicious file removed after delivery | Informational | This alert is generated when any messages containing a malicious file are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP).
Email messages containing malware are removed after delivery | Informational | This alert is generated when any email messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP).
Email messages containing malicious URL removed after delivery | Informational | This alert is generated when any messages containing a malicious URL are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP).
Email messages containing phish URLs are removed after delivery | Informational | This alert is generated when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using ZAP.
Suspicious email sending patterns are detected | Medium | This alert is generated when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. The alert is an early warning for behavior that might indicate that the account is compromised, but not severe enough to restrict the user. Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to check whether the user account is compromised.
Admin triggered manual investigation of email | Informational | This alert is generated when an admin triggers the manual investigation of an email from Threat Explorer. This alert notifies your organization that the investigation was started.
Admin triggered user compromise investigation | Medium | This alert is generated when an admin triggers the manual user compromise investigation of either an email sender or recipient from Threat Explorer. This alert notifies your organization that the user compromise investigation was started.
Tip
To learn more about alert policies or edit the default settings, see Alert policies in
the Microsoft Purview compliance portal.
These roles can be assigned in Azure Active Directory or in the Microsoft 365
Defender portal.
To start an automated investigation, or to approve or reject actions, you need one of the
following roles, assigned in Azure Active Directory or in the Microsoft 365 Defender portal:
Global Administrator
Security Administrator
Security Operator
Security Reader
Required licenses
Microsoft Defender for Office 365 Plan 2 licenses should be assigned to:
Next steps
Get started using AIR
See details and results of an automated investigation
Review and approve pending actions
View pending or completed remediation actions
How automated investigation and
response works in Microsoft Defender
for Office 365
Article • 01/18/2023 • 4 minutes to read
As security alerts are triggered, it's up to your security operations team to look into
those alerts and take steps to protect your organization. Sometimes, security operations
teams can feel overwhelmed by the volume of alerts that are triggered. Automated
investigation and response (AIR) capabilities in Microsoft Defender for Office 365 can
help.
AIR enables your security operations team to operate more efficiently and effectively.
AIR capabilities include automated investigation processes in response to well-known
threats that exist today. Appropriate remediation actions await approval, enabling your
security operations team to respond to detected threats.
This article describes how AIR works through several examples. When you're ready to
get started using AIR, see Automatically investigate and respond to threats.
During the root investigation phase, various aspects of the email are assessed. These
aspects include:
After the root investigation is complete, the playbook provides a list of recommended
actions to take on the original email and entities associated with it.
During the hunting phase, risks and threats are assigned to various hunting steps.
Remediation is the final phase of the playbook. During this phase, remediation steps are
taken, based on the investigation and hunting phases.
For example, suppose that you are using the Malware view in Explorer. Using the tabs
below the chart, you select the Email tab. If you select one or more items in the list, the
+ Actions button activates.
For example, recently, an organization set up a way for their security operations team to
view user-reported phish alerts that were already processed by AIR. Their solution
integrates relevant alerts with the organization's SIEM server and their case-management
system. The solution greatly reduces the number of false positives so that
their security operations team can focus their time and effort on real threats. To learn
more about this custom solution, see Tech Community blog: Improve the Effectiveness
of your SOC with Microsoft Defender for Office 365 and the O365 Management API.
Next steps
Get started using AIR
View pending or completed remediation actions
Review and manage remediation actions
in Office 365
Article • 12/09/2022 • 3 minutes to read
These remediation actions are not taken unless and until your security operations team
approves them. We recommend reviewing and approving any pending actions as soon
as possible so that your automated investigations complete in a timely manner. You
need to be a member of the Search & purge role before taking any actions.
We've added additional checks for duplicate or overlapping investigations with the same
clusters approved multiple times. If the same investigation cluster is already approved in
the previous hour, the new duplicate remediation will not be processed again. This behavior
doesn't remove duplicate investigations or investigation evidence; it simply
de-duplicates approved actions to improve remediation processing speed. For the duplicate
approved cluster investigations, you won't see action details in the action center side
panel.
Incident queue
Investigation itself (accessed via Incident or from an alert)
Action center
Investigation and remediation investigations queue
Incident queue
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Incidents page at Incidents & alerts > Incidents. To go directly to the Incidents
page, use https://security.microsoft.com/incidents .
2. Filter on Pending action for the Automated investigation state (optional).
3. On the Incidents page, select an incident name to open its summary page.
4. Select the Evidence and Response tab.
5. Select an item in the list to open its flyout pane.
6. Review the information, and then take one of the following steps:
Action center
1. In the Microsoft 365 Defender portal at https://security.microsoft.com , go to the
Action center page by selecting Action center. To go directly to the Action center
page, use https://security.microsoft.com/action-center/pending .
2. On the Action center page, verify that the Pending tab is selected, and then review
the list of actions that are awaiting approval.
Select Open investigation page to view more details about the investigation.
Select Approve to initiate a pending action.
Select Reject to prevent a pending action from being taken.
Next steps
Use Threat Explorer
Admin /Manual Actions
How to report false positives/negatives in automated investigation and response
capabilities
See also
View details and results of an automated investigation in Office 365
How to report false positives/negatives
in automated investigation and
response capabilities
Article • 12/22/2022 • 2 minutes to read
If your organization is using Microsoft Defender for Endpoint in addition to Office 365,
and a file, IP address, URL, or domain is treated as malware on a device, even though it's
safe, you can create a custom indicator with an "Allow" action for your device.
Important
Make sure you have the necessary permissions before attempting to perform the
following tasks.
An email message was routed to a user's Junk Email folder | Move the message to the user's Deleted Items folder; move the message to the user's Inbox; or delete the message | Find and investigate malicious email that was delivered in Office 365
See also
Microsoft Defender for Office 365
Automated investigations in Microsoft Defender for Office 365
Details and results of an automated
investigation in Microsoft 365
Article • 12/22/2022 • 6 minutes to read
When an automated investigation occurs in Microsoft Defender for Office 365, details
about that investigation are available during and after the automated investigation
process. If you have the necessary permissions, you can view those details in the
Microsoft 365 Defender portal. Investigation details provide you with up-to-date status,
and the ability to approve any pending actions.
Tip
Check out the new, unified investigation page in the Microsoft 365 Defender portal.
To learn more, see (NEW!) Unified investigation page.
Investigation status
The investigation status indicates the progress of the analysis and actions. As the
investigation runs, status changes to indicate whether threats were found, and whether
actions have been approved.
Status | Description
Starting | The investigation has been triggered and is waiting to start running.
Running | The investigation process has started and is underway. This state also occurs when pending actions are approved.
No Threats Found | The investigation has finished and no threats (user account, email message, URL, or file) were identified. TIP: If you suspect something was missed (such as a false negative), you can take action using Threat Explorer.
Partially Investigated | The automated investigation found issues, but there are no specific remediation actions to resolve those issues. The Partially Investigated status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities: TIP: If you suspect something was missed (such as a false negative), you can investigate and take action using Threat Explorer.
Terminated By System | The investigation stopped. An investigation can stop for several reasons: the investigation's pending actions expired (pending actions time out after awaiting approval for one week); there are too many actions (for example, if there are too many users clicking on malicious URLs, it can exceed the investigation's ability to run all the analyzers, so the investigation halts). TIP: If an investigation halts before actions were taken, try using Threat Explorer to find and address threats.
Pending Action | The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox setting, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. View investigation details to see if other items are still pending completion.
Remediated | The investigation finished and all remediation actions were approved (noted as fully remediated). NOTE: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status doesn't change. View investigation details.
Partially Remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending.
Failed | At least one investigation analyzer ran into a problem where it couldn't complete properly. NOTE: If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. View the investigation details.
The email counts shown for the email clusters on the Email tab and the email
quantity value shown on cluster flyout are calculated at the time of investigation,
and don't change.
The email count shown at the bottom of the Email tab of the email cluster flyout
and the count of email messages shown in Explorer reflect email messages
received after the investigation's initial analysis.
Thus, an email cluster that shows an original quantity of 10 email messages would
show an email list total of 15 when five more email messages arrive between the
investigation analysis phase and when the admin reviews the investigation.
Likewise, old investigations might start showing higher counts than Explorer
queries show, because data in Microsoft Defender for Office 365 Plan 2 expires
after seven days for trials and after 30 days for paid licenses.
Showing both historical and current counts in different views is done to
indicate the email impact at the time of investigation and the current impact up
until the time that remediation is run.
In the context of email, you might see a volume anomaly threat surface as part of
the investigation. A volume anomaly indicates a spike in similar email messages
around the investigation event time compared to earlier timeframes. A spike in
email traffic together with certain characteristics (for example, subject and sender
domain, body similarity, and sender IP) is typical of the start of email campaigns or
attacks. However, bulk, spam, and legitimate email campaigns commonly share
these characteristics.
You don't have to approve every action. If you don't agree with the recommended
action or your organization doesn't choose certain types of actions, then you can
choose to Reject the actions or simply ignore them and take no action.
Approving and/or rejecting all actions lets the investigation fully close (status
becomes remediated), while leaving some actions incomplete results in the
investigation status changing to a partially remediated state.
Next steps
Review and approve pending actions
Remediation actions in Microsoft
Defender for Office 365
Article • 12/22/2022 • 3 minutes to read
Remediation actions
Threat protection features in Microsoft Defender for Office 365 include certain
remediation actions. Such remediation actions can include:
In Microsoft Defender for Office 365, remediation actions are not taken automatically.
Instead, remediation actions are taken only upon approval by your organization's
security operations team.
Category: Email. Threat/risk: Missed phish email reported by a user. Available actions: Automated investigation triggered by the user's report.
Category: User. Threat/risk: A user clicked a malicious URL (a user navigated to a page that was later found to be malicious, or a user bypassed a Safe Links warning page to get to a malicious page). Available actions: Automated investigation does not result in a specific pending action. Block URL (time-of-click). Use Threat Explorer to view data about URLs and click verdicts. If your organization is using Microsoft Defender for Endpoint, consider investigating the user to determine if their account is compromised.
Category: User. Threat/risk: Anomalous email sending (a user recently sent more email than during the previous 7-10 days). Available actions: Automated investigation does not result in a specific pending action. Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use the New users forwarding email insight in the EAC and the Outbound message report in the EAC to determine what's going on and take action.
Next steps
View details and results of an automated investigation in Microsoft Defender for
Office 365
View pending or completed remediation actions following an automated
investigation in Microsoft Defender for Office 365
Related articles
Learn about automated investigation in Microsoft Defender for Endpoint
Learn about capabilities in Microsoft 365 Defender
Review and manage remediation actions
in Office 365
Article • 12/09/2022 • 3 minutes to read
These remediation actions are not taken unless and until your security operations team
approves them. We recommend reviewing and approving any pending actions as soon
as possible so that your automated investigations complete in a timely manner. You
need to be a member of the Search & purge role before taking any actions.
We've added additional checks for duplicate or overlapping investigations with the same
clusters approved multiple times. If the same investigation cluster was already approved in
the previous hour, the new duplicate remediation will not be processed again. This behavior
doesn't remove duplicate investigations or investigation evidence; it simply de-duplicates
approved actions to improve remediation processing speed. For the duplicate
approved cluster investigations, you won't see action details in the Action center side
panel.
Incident queue
Investigation itself (accessed via Incident or from an alert)
Action center
Investigation and remediation investigations queue
Incident queue
1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the
Incidents page at Incidents & alerts > Incidents. To go directly to the Incidents
page, use https://security.microsoft.com/incidents.
2. Filter on Pending action for the Automated investigation state (optional).
3. On the Incidents page, select an incident name to open its summary page.
4. Select the Evidence and Response tab.
5. Select an item in the list to open its flyout pane.
6. Review the information, and then take one of the following steps:
Action center
1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the
Action center page by selecting Action center. To go directly to the Action center
page, use https://security.microsoft.com/action-center/pending.
2. On the Action center page, verify that the Pending tab is selected, and then review
the list of actions that are awaiting approval.
Select Open investigation page to view more details about the investigation.
Select Approve to initiate a pending action.
Select Reject to prevent a pending action from being taken.
Next steps
Use Threat Explorer
Admin /Manual Actions
How to report false positives/negatives in automated investigation and response
capabilities
See also
View details and results of an automated investigation in Office 365
Address compromised user accounts
with automated investigation and
response
Article • 12/22/2022 • 3 minutes to read
Microsoft Defender for Office 365 Plan 2 includes powerful automated investigation and
response (AIR) capabilities. Such capabilities can save your security operations team a
lot of time and effort dealing with threats. This article describes one of the facets of the
AIR capabilities, the compromised user security playbook.
The compromised user security playbook enables your organization's security team to:
Important
You must have appropriate permissions to perform the following tasks. See
Required permissions to use AIR capabilities.
Watch this short video to learn how you can detect and respond to user compromise in
Microsoft Defender for Office 365 using Automated Investigation and Response (AIR)
and compromised user alerts.
https://www.microsoft.com/en-us/videoplayer/embed/RWAl83?postJsllMsg=true
2. On the Alerts page, filter the results by time period and the policy named User
restricted from sending email.
3. If you select the entry by clicking on the name, a User restricted from sending
email page opens with additional details for you to review. Next to the Manage
alert button, you can click More options and then select View restricted user
details to go to the Restricted users page, where you can release the restricted
user.
Next steps
Review the required permissions to use AIR capabilities
Visit the Microsoft 365 Roadmap to see what's coming soon and rolling out
Custom or third-party reporting
solutions for Microsoft Defender for
Office 365
Article • 12/22/2022 • 2 minutes to read
With Microsoft Defender for Office 365, you get detailed information about automated
investigations. However, some organizations also use a custom or third-party reporting
solution. If your organization wants to integrate information about automated
investigations with such a solution, you can use the Office 365 Management Activity API.
Resource: Office 365 Management APIs overview. Description: The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Microsoft 365 and Azure Active Directory activity logs.
Resource: Get started with Office 365 Management APIs. Description: The Office 365 Management API uses Azure AD to provide authentication services for your application to access Microsoft 365 data. Follow the steps in this article to set this up.
Resource: Office 365 Management Activity API reference. Description: You can use the Office 365 Management Activity API to retrieve information about user, admin, system, and policy actions and events from Microsoft 365 and Azure AD activity logs. Read this article to learn more about how this works.
Resource: Office 365 Management Activity API schema. Description: Get an overview of the Common schema and the Defender for Office 365 and threat investigation and response schema to learn about specific kinds of data available through the Office 365 Management Activity API.
See also
Microsoft Defender for Office 365
Automated investigation and response in Microsoft 365 Defender
Email analysis in investigations for
Microsoft Defender for Office 365
Article • 11/22/2022 • 6 minutes to read
During the automated investigation of alerts, Microsoft Defender for Office 365 analyzes
the original email for threats and identifies other emails that are related to the original
email and potentially part of an attack. This analysis is important because email attacks
rarely consist of a single email.
The automated investigation's email analysis identifies email clusters using attributes
from the original email to query for emails sent and received by your organization. This
is similar to how a security operations analyst would hunt for the related emails in Explorer or
Advanced Hunting. Several queries are used to identify matching emails because
attackers typically morph the email parameters to avoid security detection. The
clustering analysis performs these checks to determine how to handle emails involved in
the investigation:
The email analysis creates queries (clusters) of emails using attributes from the
original email – sender values (IP address, sender domain) and contents (subject,
cluster ID) in order to find emails that might be related.
If analysis of the original email's URLs and files identifies that some are malicious
(that is, malware or phish), then it will also create queries or clusters of emails
containing the malicious URL or file.
Email clustering analysis counts the threats associated with the similar emails in the
cluster to determine whether the emails are malicious, suspicious, or have no clear
threats. If the cluster of emails matching the query has a sufficient amount of
spam, normal phish, high confidence phish or malware threats, the email cluster
gets that threat type applied to it.
The email clustering analysis also checks the latest delivery location of the original
email and emails in the email clusters to help identify if the emails potentially still
need removal or have already been remediated or prevented. This analysis is
important because attackers morph malicious content, and security policies and
protection may vary between mailboxes. This leads to situations where
malicious content may still sit in mailboxes, even though one or more malicious
emails have been prevented or detected and removed by zero-hour auto purge
(ZAP).
Email clusters that are considered malicious due to malware, high confidence
phish, malicious files, or malicious URL threats will get a pending action to soft
delete the emails when the emails are still in the cloud mailbox (inbox or junk
folder). If malicious emails or email clusters are only "Not In Mailbox" (blocked,
quarantined, failed, soft deleted, etc.) or "On-premises/External" with none in the
cloud mailbox, then no pending action will be set up to remove them.
If any of the email clusters are determined to be malicious, then the threat
identified by the cluster will get applied back to the original email involved in the
investigation. This behavior is similar to a security operations analyst using email
hunting results to determine the verdict of an original email based on similar
emails. This result ensures that regardless of whether an original email's URLs, files,
or source email indicators are detected or not, the system can identify malicious
emails that are potentially evading detection through personalization, morphing,
evasion, or other attacker techniques.
In the user compromise investigation, additional email clusters are created to
identify potential email issues created by the mailbox. This process includes a clean
email cluster (good emails from user, potential data exfiltration, and potential
command/control emails), suspicious email clusters (emails containing spam or
normal phish) and malicious email clusters (emails containing malware or high
confidence phish). These email clusters give security operations analysts data to
determine what other problems may need to be addressed from a compromise,
and visibility into which emails may have triggered the original alerts (for example,
phish/spam that triggered user sending restrictions).
Email clustering analysis via similarity and malicious entity queries ensures that email
problems are fully identified and cleaned up, even if only one email from an attack gets
identified. You can use links from the email cluster details side panel views to open the
queries in Explorer or Advanced Hunting to perform deeper analysis and change the
queries if needed. This capability enables manual refinement and remediation if you find
the email cluster's queries too narrow or too broad (including unrelated emails).
Note
When opening an email cluster to view it in Explorer from the email cluster details,
the PhishEdu and SecOps mailbox filters will be applied in Explorer but will not be
shown. If you change the Explorer filters, dates, or refresh the query within the page
– then the PhishEdu/SecOps filter exclusions will get removed and emails that
match these will be shown once again. If you refresh the Explorer page using the
browser refresh function, the original query filters will get re-loaded, including the
PhishEdu/SecOps filters – but removing any subsequent changes you had made.
To ensure investigation actions are up to date, any investigation that has pending
actions will periodically re-run the email analysis queries to update the email locations
and threats.
When the email cluster data changes, it will update the threat and latest delivery
location counts.
If emails or email cluster with pending actions no longer are in the mailbox, then
the pending action will be canceled, and the malicious email/cluster considered
remediated.
Once all the investigation's threats have been remediated or canceled as noted
above, then the investigation will transition to a remediated state and the original
alert resolved.
2. You can take remediation action for email clusters with a Malicious verdict (but not
Suspicious).
3. For the email spam verdict, phishing is split into high confidence and normal phish.
For a Malicious verdict, the threat categories are malware, high confidence phish,
malicious URL, and malicious file.
For a Suspicious verdict, the threat categories are spam and normal phish.
4. The email count is based on the latest delivery location and includes counters for
email in mailboxes, not in mailboxes, and on-premises.
5. Includes the date and time of the query, which might get updated for latest data.
For email or email clusters in the Entities tab of an investigation, Prevented means that
there were no malicious emails in the mailbox for this item (mail or cluster). Here is an
example.
Next steps
View pending or completed remediation actions
Recover from a ransomware attack in
Microsoft 365
Article • 12/10/2022 • 5 minutes to read
Even if you take every precaution to protect your organization, you can still fall victim to
a ransomware attack. Ransomware is big business, and in today's threat landscape
Microsoft 365 is an ever-increasing target for sophisticated attacks.
The steps in this article will give you the best chance to recover data and stop the
internal spread of infection. Before you get started, consider the following items:
There's no guarantee that paying the ransom will return access to your files. In fact,
paying the ransom can make you a target for more ransomware.
If you already paid, but you recovered without using the attacker's solution,
contact your bank to see if they can block the transaction.
We also recommend that you report the ransomware attack to law enforcement,
scam reporting websites, and Microsoft as described later in this article.
It's important for you to respond quickly to the attack and its consequences. The
longer you wait, the less likely it is that you can recover the affected data.
If you don't have backups, or if your backups were also affected by the ransomware, you
can skip this step.
If you suspect email as a target of the ransomware encryption, temporarily disable user
access to mailboxes. Exchange ActiveSync synchronizes data between devices and
Exchange Online mailboxes.
To disable Exchange ActiveSync for a mailbox, see How to disable Exchange ActiveSync
for users in Exchange Online .
Pausing OneDrive sync will help protect your cloud data from being updated by
potentially infected devices. For more information, see How to Pause and Resume sync
in OneDrive .
Don't forget to scan devices that are synchronizing data, or the targets of mapped
network drives.
You can use Windows Defender or (for older clients) Microsoft Security Essentials.
An alternative that will also help you remove ransomware or malware is the Malicious
Software Removal Tool (MSRT).
If these options don't work, you can try Windows Defender Offline or Troubleshoot
problems with detecting and removing malware.
Some ransomware will also encrypt or delete the backup versions, so you can't use
File History or System Protection to restore files. If that happens, you need to use
backups on external drives or devices that were not affected by the ransomware, or
OneDrive as described in the next section.
If a folder is synchronized to OneDrive and you aren't using the latest version of
Windows, there might be some limitations using File History.
Australia: SCAMwatch
If your country isn't listed, ask your local or federal law enforcement agencies.
The growing threat of ransomware , Microsoft On the Issues blog post on July 20,
2021
Human-operated ransomware
Rapidly protect against ransomware and extortion
2021 Microsoft Digital Defense Report (see pages 10-19)
Ransomware: A pervasive and ongoing threat threat analytics report in the
Microsoft 365 Defender portal
Microsoft 365:
Microsoft Azure:
Key steps on how Microsoft's Detection and Response Team (DART) conducts
ransomware incident investigations.
Summary Learn how to recognize and remediate the illicit consent grants attack in
Microsoft 365.
These attacks leverage an interaction model which presumes the entity that is calling the
information is automation and not a human.
Important
2. On the Audit page, verify that the Search tab is selected, and then configure the
following settings:
3. Click the Activity column to sort the results and look for Consent to application.
4. Select an entry from the list to see the details of the activity. Check to see if
IsAdminConsent is set to True.
Note
It can take from 30 minutes up to 24 hours for the corresponding audit log entry to
be displayed in the search results after an event occurs.
The length of time that an audit record is retained and searchable in the audit log
depends on your Microsoft 365 subscription, and specifically the type of the license
that is assigned to a specific user. For more information, see Audit log.
If this value is true, it indicates that someone with Global Administrator access may
have granted broad access to data. If this is unexpected, take steps to confirm an
attack.
Inventory applications and their permissions using the Azure Active Directory
portal. This method is thorough, but you can only check one user at a time which
can be very time consuming if you have many users to check.
Inventory applications and their permissions using PowerShell. This is the fastest
and most thorough method, with the least amount of overhead.
Have your users individually check their apps and permissions and report the
results back to the administrators for remediation.
This will show you the apps that are assigned to the user and what permissions the
applications have.
Pre-requisites
The Azure AD PowerShell library installed.
Global administrator rights on the tenant that the script will be run against.
Local Administrator rights on the computer from which you will run the scripts.
Important
1. Sign in to the computer that you will run the script from with local administrator
rights.
3. Open a PowerShell session as an administrator and change to the folder where you
saved the script.
PowerShell
The script produces one file named Permissions.csv. Follow these steps to look for illicit
application permission grants:
1. In the ConsentType column (column G), search for the value "AllPrincipals". The
AllPrincipals permission allows the client application to access everyone's content
in the tenancy. Native Microsoft 365 applications need this permission to work
correctly. Every non-Microsoft application with this permission should be reviewed
carefully.
2. In the Permission column (column F) review the permissions that each delegated
application has to content. Look for "Read" and "Write" permission or "All"
permission, and review these carefully because they may not be appropriate.
3. Review the specific users that have consents granted. If high profile or high impact
users have inappropriate consents granted, you should investigate further.
4. In the ClientDisplayName column (column C) look for apps that seem suspicious.
Apps with misspelled names, super bland names, or hacker-sounding names
should be reviewed carefully.
Important
Mailbox auditing and Activity auditing for admins and users must have been
enabled prior to the attack for you to get this information.
You can revoke the application's permission in the Azure Active Directory Portal by:
1. Navigate to the affected user in the Azure Active Directory User blade.
2. Select Applications.
3. Select the illicit application.
4. Click Remove in the drill down.
You can revoke the OAuth consent grant with PowerShell by following the steps in
Remove-AzureADOAuth2PermissionGrant.
You can revoke the Service App Role Assignment with PowerShell by following the
steps in Remove-AzureADServiceAppRoleAssignment.
You can also disable sign-in for the affected account altogether, which will in turn
disable app access to data in that account. This isn't ideal for the end user's
productivity, of course, but if you are working to limit impact quickly, it can be a
viable short-term remediation.
You can turn integrated applications off for your tenancy. This is a drastic step that
disables the ability for end users to grant consent on a tenant-wide basis. This
prevents your users from inadvertently granting access to a malicious application.
This isn't strongly recommended as it severely impairs your users' ability to be
productive with third party applications. You can do this by following the steps in
Turning Integrated Apps on or off.
See also
Unexpected application in my applications list walks administrators through
various actions they may want to take after realizing there are unexpected
applications with access to data.
Integrating applications with Azure Active Directory is a high-level overview of
consent and permissions.
Problems developing my application provides links to various consent related
articles.
Application and service principal objects in Azure Active Directory (Azure AD)
provides an overview of the Application and Service principal objects that are core
to the application model.
Manage access to apps is an overview of the capabilities that administrators have
to manage user access to apps.
Detect and Remediate Outlook Rules
and Custom Forms Injections Attacks
Article • 10/19/2022 • 11 minutes to read
Summary Learn how to recognize and remediate the Outlook rules and custom Forms
injections attacks in Office 365.
Reinstalling Outlook, or even giving the affected person a new computer won't help.
When the fresh installation of Outlook connects to the mailbox, all rules and forms are
synchronized from the cloud. The rules or forms are typically designed to run remote
code and install malware on the local machine. The malware steals credentials or
performs other illicit activity.
The good news is: if you keep your Outlook clients patched to the latest version, you
aren't vulnerable to the threat as current Outlook client defaults block both
mechanisms.
3. The attacker creates a forwarding Inbox rule in the mailbox. The forwarding rule is
triggered when the mailbox receives a specific message from the attacker that
matches the conditions of the rule. The rule conditions and message format are
tailor-made for each other.
4. The attacker sends the trigger email to the compromised mailbox, which is still
being used as normal by the unsuspecting user.
5. When the mailbox receives a message that matches the conditions of the rule, the
action of the rule is applied. Typically, the rule action is to launch an application on
a remote (WebDAV) server.
6. Typically, the application installs malware on the user's machine (for example,
PowerShell Empire ).
7. The malware allows the attacker to steal (or steal again) the user's username and
password or other credentials from the local machine and perform other malicious
activities.
2. The attacker signs in to that user's Exchange mailbox (Exchange Online or on-
premises Exchange).
3. The attacker inserts a custom mail form template into the user's mailbox. The
custom form is triggered when the mailbox receives a specific message from the
attacker that requires the mailbox to load the custom form. The custom form and
the message format are tailor-made for each other.
4. The attacker sends the trigger email to the compromised mailbox, which is still
being used as normal by the unsuspecting user.
5. When the mailbox receives the message, the mailbox loads the required form. The
form launches an application on a remote (WebDAV) server.
6. Typically, the application installs malware on the user's machine (for example,
PowerShell Empire ).
7. The malware allows the attacker to steal (or steal again) the user's username and
password or other credentials from the local machine and perform other malicious
activities.
Manually examine the rules and forms for each mailbox using the Outlook client.
This method is thorough, but you can only check one mailbox at a time. This
method can be very time consuming if you have many users to check, and might
also infect the computer that you're using.
3. Look for rules that the user did not create, or any unexpected rules or rules with
suspicious names.
4. Look in the rule description for rule actions that start an application or refer to an
.EXE or .ZIP file, or to launching a URL.
5. Look for any new processes that start using the Outlook process ID. Refer to Find
the Process ID.
2. Follow the steps in, Show the Developer tab for the user's version of Outlook.
3. Open the now visible developer tab in Outlook and click design a form.
4. Select the Inbox from the Look In list. Look for any custom forms. Custom forms
are rare enough that if you have any custom forms at all, it is worth a deeper look.
6. Open any custom forms and in the Form group click View Code to see what runs
when the form is loaded.
Pre-requisites
You will need to have global administrator rights to run the script because the script
connects to every mailbox in the tenancy to read the rules and forms.
1. Sign in to the machine that you will run the script from with local administrator
rights.
2. Download or copy the Get-AllTenantRulesAndForms.ps1 script from GitHub to a
folder from which you will run it. The script will create two date-stamped files in
this folder, MailboxFormsExport-yyyy-mm-dd.csv and MailboxRulesExport-yyyy-
mm-dd.csv.
3. Open a PowerShell instance as an administrator and open the folder you saved the
script to.
ActionType (column A): If you see the value "ID_ACTION_CUSTOM", the rule is
likely malicious.
ActionCommand (column G): If this column lists an application or any file with
.exe or .zip extensions, or an unknown entry that refers to a URL, the rule is
likely malicious.
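Triage logic for the two CSV exports this page walks through, Permissions.csv from the illicit consent grant procedure and MailboxRulesExport-yyyy-mm-dd.csv above, as an added Python example that is not part of the article or of Microsoft's scripts. The sample rows are constructed; the column names PrincipalDisplayName, Mailbox and RuleName, the trusted-app list and the high-impact-user list are assumptions, while ClientDisplayName, Permission, ConsentType, ActionType and ActionCommand are the columns the page names.

```python
"""Flag rows of the two CSV exports that the page says deserve a closer look."""
import csv
import io
import re
from typing import Iterable

# Constructed Permissions.csv sample (not real tenant data). PrincipalDisplayName
# is an assumed name for the user column; the other three columns are from the page.
SAMPLE_PERMISSIONS_CSV = """\
ClientDisplayName,Permission,ConsentType,PrincipalDisplayName
Microsoft Teams,User.Read,AllPrincipals,
Contoso Expense App,Calendars.Read,Principal,Alice Example
Micros0ft Teams,Mail.ReadWrite,Principal,Bob Example
File Helper,Directory.Read.All,AllPrincipals,
"""

# Constructed MailboxRulesExport sample. Mailbox and RuleName are assumed column
# names; ActionType and ActionCommand are the columns the page describes.
SAMPLE_RULES_CSV = """\
ActionType,Mailbox,RuleName,ActionCommand
ID_ACTION_MOVE_TO_FOLDER,alice@example.test,Move newsletters,Archive
ID_ACTION_CUSTOM,bob@example.test,sync,\\\\webdav.example.test\\share\\update.exe
ID_ACTION_FORWARD,carol@example.test,Forward to phone,carol.phone@example.test
ID_ACTION_CUSTOM,dave@example.test,x,http://example.test/payload.zip
ID_ACTION_MOVE_TO_FOLDER,erin@example.test,Notes,C:\\Tools\\note.exe
"""

BROAD_PERMISSION = re.compile(r"Read|Write|All", re.IGNORECASE)
EXECUTABLE_OR_URL = re.compile(r"\.(exe|zip)\b|https?://", re.IGNORECASE)
# The page spells the value "AllPrinciples" once; accept both spellings.
TENANT_WIDE_CONSENT = {"allprincipals", "allprinciples"}


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike app names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_consent_grants(csv_text: str, trusted_apps: Iterable[str],
                          vip_users: Iterable[str] = ()) -> list[dict]:
    """Apply the page's four review points to Permissions.csv rows.

    trusted_apps: display names of first-party/known-good apps (assumed input).
    vip_users: high-profile or high-impact users whose consents get extra scrutiny.
    """
    trusted = {n.lower() for n in trusted_apps}
    vips = {u.lower() for u in vip_users}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = row["ClientDisplayName"].strip()
        if app.lower() in trusted:
            continue  # native/known apps are expected to hold broad consent
        reasons = []
        if row["ConsentType"].strip().lower() in TENANT_WIDE_CONSENT:
            reasons.append("tenant-wide (AllPrincipals) consent on a non-trusted app")
        if BROAD_PERMISSION.search(row["Permission"]):
            reasons.append(f"broad permission {row['Permission'].strip()}")
        user = row.get("PrincipalDisplayName", "").strip()
        if user.lower() in vips:
            reasons.append(f"consent granted by high-impact user {user}")
        if any(0 < _edit_distance(app.lower(), t) <= 2 for t in trusted):
            reasons.append("name looks like a misspelling of a trusted app")
        if reasons:
            findings.append({"app": app, "user": user, "reasons": reasons})
    return findings


def triage_inbox_rules(csv_text: str) -> list[dict]:
    """Flag rules whose ActionType or ActionCommand the page calls likely malicious."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["ActionType"].strip() == "ID_ACTION_CUSTOM":
            reasons.append("custom action type ID_ACTION_CUSTOM")
        cmd = row.get("ActionCommand", "").strip()
        if EXECUTABLE_OR_URL.search(cmd):
            reasons.append(f"action launches an executable, archive or URL: {cmd}")
        if reasons:
            findings.append({"mailbox": row["Mailbox"], "rule": row["RuleName"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_consent_grants(SAMPLE_PERMISSIONS_CSV, {"Microsoft Teams"},
                                   {"Alice Example"}):
        print("CONSENT", f["app"], f["user"] or "-", "; ".join(f["reasons"]))
    for f in triage_inbox_rules(SAMPLE_RULES_CSV):
        print("RULE", f["mailbox"], f["rule"], "; ".join(f["reasons"]))
```

Point the functions at the real export files (read them with open(...).read()) and extend the trusted-app list with the first-party applications you see in your own tenant.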
Using Outlook
1. Identify all the devices that the user has used with Outlook. They will all need to be
cleaned of potential malware. Do not allow the user to sign on and use email until
all the devices are cleaned.
3. If you are unsure about the presence of other malware, you can format and
reinstall all the software on the device. For mobile devices, you can follow the
manufacturer's steps to reset the device to the factory image.
4. Install the most up-to-date versions of Outlook. Remember that the current
version of Outlook blocks both types of this attack by default.
5. Once all offline copies of the mailbox have been removed, reset the user's
password (use a high quality one) and follow the steps in Set up multi-factor
authentication for users if MFA has not already been enabled. This ensures that the
user's credentials are not exposed via other means (such as phishing or password
re-use).
Using PowerShell
There are two Exchange PowerShell cmdlets you can use to remove or disable
dangerous rules. Just follow the steps.
2. If you want to completely remove a single rule, multiple rules, or all rules from a
mailbox, use the Remove-InboxRule cmdlet.
3. If you want to retain the rule and its contents for further investigation, use the
Disable-InboxRule cmdlet.
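The following added example (not the article's own script) ties the two steps above together: it triages a MailboxRulesExport CSV using the ActionType and ActionCommand indicators the article names, then disables (or, with -Remove, removes) the flagged rules with the cmdlets just described. The article gives only the ActionType and ActionCommand column names; the Mailbox and RuleName columns are assumed here, so check them against your export's header before running with -Remediate.

```powershell
# Added example, not from the original article.
# Triage MailboxRulesExport-yyyy-mm-dd.csv for the two indicators the article describes,
# then disable (or remove) the flagged rules. Requires an Exchange Online PowerShell
# session only when -Remediate is used; without it the triage runs offline.
# Assumed column names: Mailbox and RuleName (ActionType and ActionCommand are from the article).
param(
    [string] $CsvPath,     # path to the export; omitted -> constructed sample rows below
    [switch] $Remediate,   # actually act on flagged rules
    [switch] $Remove       # with -Remediate: Remove-InboxRule instead of Disable-InboxRule
)

function Test-SuspiciousRule {
    param([pscustomobject] $Rule)
    $reasons = @()
    # Indicator 1 (column A): a custom client-side action.
    if ($Rule.ActionType -eq 'ID_ACTION_CUSTOM') { $reasons += 'custom (client-side) action' }
    # Indicator 2 (column G): an application, .exe/.zip file, or something that refers to a URL/UNC path.
    $cmd = [string] $Rule.ActionCommand
    if ($cmd -match '(?i)\.(exe|zip)(\s|"|$)')             { $reasons += 'runs an .exe/.zip' }
    if ($cmd -match '(?i)\b(https?|ftp|file)://|\\\\[^\\]+\\') { $reasons += 'refers to a URL/UNC path' }
    return $reasons
}

function Get-SuspiciousRules {
    param([object[]] $Rules)
    foreach ($r in $Rules) {
        $why = @(Test-SuspiciousRule -Rule $r)
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Mailbox       = $r.Mailbox
                RuleName      = $r.RuleName
                ActionType    = $r.ActionType
                ActionCommand = $r.ActionCommand
                Reason        = ($why -join '; ')
            }
        }
    }
}

if ($CsvPath) {
    $rules = Import-Csv -Path $CsvPath
} else {
    # Constructed sample rows (not real export data) so the triage can be tried offline.
    $rules = @'
Mailbox,RuleName,ActionType,ActionCommand
alice@contoso.com,Archive newsletters,ID_ACTION_MOVE_TO_FOLDER,
bob@contoso.com,Helper,ID_ACTION_CUSTOM,"C:\Users\Public\update.exe"
carol@contoso.com,Sync,ID_ACTION_CUSTOM,"\\198.51.100.7\share\sync.zip"
'@ | ConvertFrom-Csv
}

$flagged = @(Get-SuspiciousRules -Rules $rules)
$flagged | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $flagged) {
        if ($Remove) {
            # Remove-InboxRule deletes the rule and its contents; preserve evidence first.
            Remove-InboxRule -Mailbox $f.Mailbox -Identity $f.RuleName -Confirm:$false
        } else {
            # Disable-InboxRule keeps the rule available for further investigation.
            Disable-InboxRule -Mailbox $f.Mailbox -Identity $f.RuleName -Confirm:$false
        }
    }
}
```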
How to minimize future attacks
The best way to protect your user accounts, and especially your administrator accounts,
is to set up multi-factor authentication for users. You should also:
Monitor how your user accounts are accessed and used. You may not prevent the
initial breach, but you will shorten the duration and the impact of the breach by
detecting it sooner. You can use these Office 365 Cloud App Security policies to
monitor your accounts and alert on unusual activity:
Multiple failed login attempts: This policy profiles your environment and
triggers alerts when users perform multiple failed login activities in a single
session with respect to the learned baseline, which could indicate an attempted
breach.
Impossible travel: This policy profiles your environment and triggers alerts
when activities are detected from the same user in different locations within a
time period that is shorter than the expected travel time between the two
locations. This could indicate that a different user is using the same credentials.
Detecting this anomalous behavior necessitates an initial learning period of
seven days during which it learns a new user's activity pattern.
Unusual impersonated activity (by user): This policy profiles your environment
and triggers alerts when users perform multiple impersonated activities in a
single session with respect to the baseline learned, which could indicate an
attempted breach.
Use a tool like Office 365 Secure Score to manage account security configurations
and behaviors.
Here are the patch versions for your Outlook 2013 and 2016 clients:
You can see if "Start Application" has been re-enabled through an override in the
registry by using the information in How to view the system registry by using 64-bit
versions of Windows . Check these subkeys:
Outlook 2016:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\
Outlook 2013:
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security\
Look for the key EnableUnsafeClientMailRules. If it is there and is set to 1, the Outlook
security patch has been overridden and the computer is vulnerable to the Form/Rules
attack. If the value is 0, the "Start Application" action is disabled. If the updated and
patched version of Outlook is installed and this registry key is not present, then a system
is not vulnerable to these attacks.
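As an added example (not from the article), the check above can be scripted: it reads EnableUnsafeClientMailRules under the two Outlook Security keys the article lists and reports the three states described. Run it in the affected user's context, since the keys live under HKEY_CURRENT_USER.

```powershell
# Added example, not from the original article.
# Reports whether the Outlook security patch has been overridden through the
# EnableUnsafeClientMailRules value under the keys the article lists (HKCU, so run
# as the user being checked, or after loading that user's hive).
function Get-OutlookUnsafeRulesStatus {
    $versions = [ordered]@{
        'Outlook 2016' = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Security'
        'Outlook 2013' = 'HKCU:\Software\Microsoft\Office\15.0\Outlook\Security'
    }
    foreach ($name in $versions.Keys) {
        $path  = $versions[$name]
        $value = $null
        if (Test-Path -Path $path) {
            # The value is normally absent on a patched system, so suppress the "not found" error.
            $item = Get-ItemProperty -Path $path -Name EnableUnsafeClientMailRules -ErrorAction SilentlyContinue
            if ($item) { $value = [int] $item.EnableUnsafeClientMailRules }
        }
        $status = switch ($value) {
            1       { 'OVERRIDDEN: "Start Application" re-enabled; vulnerable to the Forms/Rules attack' }
            0       { 'Disabled: the "Start Application" action is off' }
            default { 'Not present: not vulnerable if the patched Outlook build is installed' }
        }
        [pscustomobject]@{
            Version                     = $name
            Key                         = $path
            EnableUnsafeClientMailRules = $value
            Status                      = $status
        }
    }
}

Get-OutlookUnsafeRulesStatus | Format-List
```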
See also:
Malicious Outlook Rules by SilentBreak Security (post about the Rules vector)
provides a detailed review of the Outlook Rules vector.
MAPI over HTTP and Mailrule Pwnage on the Sensepost blog about Mailrule
Pwnage discusses a tool called Ruler that lets you exploit mailboxes through
Outlook rules.
Outlook forms and shells on the Sensepost blog about Forms Threat Vector.
Ruler Codebase
Connectors are used for enabling mail flow between Microsoft 365 or Office 365 and
email servers that you have in your on-premises environment. For more information, see
Configure mail flow using connectors in Exchange Online.
An inbound connector is present that wasn't created by the intended user or the
administrator.
1. Select Connector, insert Connector Name, select date range, and then click
Refresh.
3. Identify:
If a significant number of emails were recently sent to the Junk folder. This is
a good indicator of a compromised connector being used to send spam.
If the recipients are the ones that your organization usually stays in contact
with.
If you have Microsoft Defender for Office 365 Plan 1 or Exchange Online Protection, go
to https://admin.exchange.microsoft.com/#/messagetrace .
2. Select an activity under Activity list, and copy suspicious connector domain and IP
address detected in the alert.
If the recipients are the ones that your organization usually stays in contact
with.
Use the following command line in PowerShell to investigate and validate connector-
related activity by a user in the audit log. For more information, see Use a PowerShell
script to search the audit log.
PowerShell
If a user exceeds one of the outbound sending limits as specified in the service limits or
in outbound spam policies, the user is restricted from sending email, but they can still
receive email.
The user is added to the Restricted users page in the Microsoft 365 Defender portal.
When they try to send email, the message is returned in a non-delivery report (also
known as an NDR or bounce message) with the error code 5.1.8 and the following text:
Admins can remove users from the Restricted users page in the Microsoft 365 Defender
or in Exchange Online PowerShell.
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To remove users from the Restricted users portal, you need to be a member of
the Organization Management or Security Administrator role groups.
For read-only access to the Restricted users portal, you need to be a member of
the Global Reader or Security Reader role groups.
2. On the Restricted users page, find and select the user that you want to unblock by
clicking on the user.
4. In the Unblock user flyout that appears, read the details about the restricted
account. You should go through the recommendations to ensure you're taking the
proper actions in case the account is compromised.
Note
Under most circumstances, all restrictions should be removed from the user
within one hour. Transient technical issues might cause a longer wait time, but
the total wait should be no longer than 24 hours.
Important
For alerts to work, audit log search must be turned on. For more information, see
Turn the audit log search on or off.
2. On the Alert policy page, find and select the alert named User restricted from
sending email. You can sort the policies by name, or use the Search box to find the
policy.
3. In the User restricted from sending email flyout that appears, verify or configure
the following settings:
Email recipients: Click Edit and verify or configure the following settings in
the Edit recipients flyout that appears:
Send email notifications: Verify this is selected (On).
Email recipients: The default value is TenantAdmins (meaning, Global
admin members). To add more recipients, click in a blank area of the box.
A list of recipients will appear, and you can start typing a name to filter
and select a recipient. You can remove an existing recipient from the box
by clicking next to their name.
Daily notification limit: The default value is No limit but you can select a
limit for the maximum number of notifications per day.
4. Back on the User restricted from sending email flyout, click Close.
PowerShell
Get-BlockedSenderAddress
To view details about a specific user, replace <emailaddress> with their email address
and run the following command:
PowerShell
To remove a user from the Restricted users list, replace <emailaddress> with their email
address and run the following command:
PowerShell
Your message couldn't be delivered. The most common reason for this is that your
organization's email connector is suspected of sending spam or phish and it's no
longer allowed to send email. Contact your email admin for assistance.
Remote Server returned '550;5.7.711 Access denied, bad inbound connector. AS(2204).'
Admins can remove connectors from the Restricted entities page in Microsoft 365
Defender or in Exchange Online PowerShell.
Restricted user: For more information about why a user can be restricted and how
to handle restricted users, see Remove blocked users from the Restricted entities
portal.
Restricted connector: Learn about why a connector can be restricted and how to
handle restricted connectors (this article).
You must have permissions in Exchange Online before you can follow the
procedures mentioned in this article:
To remove connectors from the Restricted entities portal, you need to be a
member of the Organization Management or Security Administrator role
groups.
For read-only access to the Restricted entities portal, you need to be a member
of the Global Reader or Security Reader role groups.
Note
Before you remove the connector from the Restricted entities portal, be sure to
follow the required steps to regain control of the connector. For more information,
see Respond to a compromised connector.
2. On the Restricted entities page, find and select the connector that you want to
unblock by clicking on the connector.
4. In the Unblock entity flyout that appears, read the details about the restricted
connector. You should go through the recommendations to ensure you're taking
the proper actions in case the connector is compromised.
Important
For alerts to work, audit log search must be turned on. For more information, see
Turn the audit log search on or off.
1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Alert policy.
2. On the Alert policy page, find and select the alert named Suspicious connector
activity. You can sort the policies by name, or use the Search box to find the
policy.
3. In the Suspicious connector activity flyout that appears, verify or configure the
following settings:
Email recipients: Click Edit and verify or configure the following settings in
the Edit recipients flyout that appears:
Send email notifications: Verify this is selected (On).
Email recipients: The default value is TenantAdmins (meaning, Global
admin members). To add more recipients, click on a blank area of the box.
A list of recipients will appear, and you can start typing a name to filter
and select a recipient. You can remove an existing recipient from the box
by clicking next to their name.
Daily notification limit: The limit is no more than 3 notifications per
connector per day.
PowerShell
Get-BlockedConnector
To view details about a specific connector, replace <connectorId> and run the following
command:
PowerShell
To remove a connector from the Restricted entities list, replace <connectorId> and run
the following command:
PowerShell
Remove-BlockedConnector -ConnectorId <connectorId>
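The following added example (not the article's own command) serves both the audit-log investigation step in the compromised-connector article earlier on this page ("Use the following command line in PowerShell to investigate and validate connector-related activity by a user in the audit log") and the restricted-connector cmdlets here: it confirms unified audit log ingestion is on (the Important note above), pulls connector-related admin operations for a suspected user from the unified audit log, and lists what is currently on the Restricted entities list. It assumes an Exchange Online PowerShell session with the Organization Management or Security Administrator role group, and that connector cmdlets are recorded in the audit log under their cmdlet names with a JSON AuditData payload; the unblock itself is left as a deliberate manual step.

```powershell
# Added example, not from the original article.
# Usage: .\Review-ConnectorActivity.ps1 -UserId admin@contoso.com -Days 7
param(
    [Parameter(Mandatory)] [string] $UserId,   # UPN whose connector changes to review
    [int] $Days = 7
)

# 1. Alerts and audit searches depend on unified audit log ingestion being enabled.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF; enable it before relying on alerts or audit searches.'
}

# 2. Connector cmdlets are recorded in the unified audit log under their cmdlet names (assumption).
$ops = 'New-InboundConnector', 'Set-InboundConnector', 'Remove-InboundConnector',
       'New-OutboundConnector', 'Set-OutboundConnector', 'Remove-OutboundConnector'
$end   = Get-Date
$start = $end.AddDays(-$Days)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $UserId `
                                  -Operations $ops -ResultSize 5000

# AuditData is a JSON string; Parameters carries the cmdlet parameters that were used,
# which shows e.g. which SenderIPAddresses or SenderDomains a connector was changed to accept.
$events = foreach ($rec in $records) {
    $d = $rec.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $d.CreationTime
        User       = $d.UserId
        Operation  = $d.Operation
        Connector  = $d.ObjectId
        ClientIP   = $d.ClientIP
        Parameters = (($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ')
    }
}
$events | Sort-Object Time | Format-Table -AutoSize

# 3. What is currently restricted. Unblocking is intentionally not automated here:
#    run Remove-BlockedConnector -ConnectorId <connectorId> only after regaining control
#    of the connector, as the article's Note says.
Get-BlockedConnector | Format-List
```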
More information
Respond to a compromised connector
Remove blocked users
Tune anti-phishing protection
Article • 12/22/2022 • 5 minutes to read
Although Microsoft 365 comes with a variety of anti-phishing features that are enabled
by default, it's possible that some phishing messages could still get through to your
mailboxes. This topic describes what you can do to discover why a phishing message
got through, and what you can do to adjust the anti-phishing settings in your Microsoft
365 organization without accidentally making things worse.
If your subscription includes Microsoft Defender for Office 365, you can use Office 365
Threat Intelligence to identify other users who also received the phishing message. You
have additional options to block phishing messages:
Anti-phishing policies in Microsoft Defender for Office 365. Note that you can
temporarily increase the Advanced phishing thresholds in the policy from
Standard to Aggressive, More aggressive, or Most aggressive.
Verify these Defender for Office 365 features are turned on.
For messages that end up in quarantine by mistake, or for messages that are
allowed through, we recommend that you search for those messages in Threat
Explorer and real-time detections. You can search by sender, recipient, or message
ID. After you locate the message, go to details by clicking on the subject. For a
quarantined message, look to see what the "detection technology" was so that you
can use the appropriate method to override. For an allowed message, look to see
which policy allowed the message.
Email from spoofed senders (the From address of the message doesn't match the
source of the message) is classified as phishing in Defender for Office 365.
Sometimes spoofing is benign, and sometimes users don't want messages from a
specific spoofed sender to be quarantined. To minimize the impact to users,
periodically review the spoof intelligence insight, the Spoofed senders tab in the
Tenant Allow/Block List, and the Spoof detections report. Once you have reviewed
allowed and blocked spoofed senders and made any necessary overrides, you can
confidently configure spoof intelligence in anti-phishing policies to
Quarantine suspicious messages instead of delivering them to the user's Junk
Email folder.
You can repeat the above step for Impersonation (domain or user) in Microsoft
Defender for Office 365. The Impersonation report is found under Threat
Management > Dashboard > Insights.
The best way to deal with legitimate messages that are blocked by Microsoft 365
(false positives) that involve senders in your domain is to fully and completely
configure the SPF, DKIM, and DMARC records in DNS for all of your email
domains:
Verify that your SPF record identifies all sources of email for senders in your
domain (don't forget third-party services!).
Use hard fail (-all) to ensure that unauthorized senders are rejected by email
systems that are configured to do so. You can use the spoof intelligence insight
to help identify senders that are using your domain so that you can include
authorized third-party senders in your SPF record.
Use DKIM to validate outbound email sent from your custom domain
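As an added example (not from the article), this check covers the DNS side of the advice above for one domain: an SPF record with a hard fail (-all) rather than a soft fail, the two DKIM selector CNAMEs Microsoft 365 uses, and a DMARC policy. It uses Resolve-DnsName from the Windows DnsClient module; contoso.com is a placeholder domain.

```powershell
# Added example, not from the original article.
# Checks SPF hard fail, Microsoft 365 DKIM selector CNAMEs and DMARC policy for a domain.
function Test-DomainMailAuth {
    param([Parameter(Mandatory)] [string] $Domain)

    function Get-TxtStrings([string] $Name) {
        try {
            Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' } |
                ForEach-Object { ($_.Strings -join '') }   # long records arrive as several chunks
        } catch { @() }
    }

    $result = [ordered]@{ Domain = $Domain }

    # SPF: exactly one v=spf1 record; '-all' rejects unauthorized senders, '~all' only softfails.
    $spf = @(Get-TxtStrings $Domain | Where-Object { $_ -match '^v=spf1(\s|$)' })
    $result.SpfRecord = if ($spf.Count -eq 1) { $spf[0] } else { $null }
    $result.SpfStatus = switch ($spf.Count) {
        0       { 'MISSING' }
        1       {
            if     ($spf[0] -match '\s-all\s*$')    { 'OK (hard fail)' }
            elseif ($spf[0] -match '\s[~?+]all\s*$') { 'WEAK: not -all' }
            else                                     { 'WEAK: no all mechanism' }
        }
        default { 'INVALID: multiple SPF records' }
    }
    # Third-party senders usually appear as include: mechanisms; review them against the spoof insight.
    $result.SpfIncludes = if ($spf.Count -eq 1) { ([regex]::Matches($spf[0], 'include:\S+').Value) -join ',' } else { '' }

    # DKIM: Microsoft 365 publishes the keys; your zone needs the selector1/selector2 CNAMEs.
    foreach ($sel in 'selector1', 'selector2') {
        $cname = try { Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction Stop } catch { $null }
        $result["Dkim_$sel"] = if ($cname) { (($cname | Where-Object Type -eq 'CNAME').NameHost) -join ',' } else { 'MISSING' }
    }

    # DMARC: the policy lives at _dmarc.<domain>; p=none only monitors.
    $dmarc = @(Get-TxtStrings "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1' })
    $result.DmarcRecord = if ($dmarc.Count -ge 1) { $dmarc[0] } else { $null }
    $result.DmarcStatus = if ($dmarc.Count -eq 0) { 'MISSING' }
        elseif ($dmarc[0] -match 'p=(reject|quarantine)') { "OK (p=$($Matches[1]))" }
        else { 'WEAK: p=none (monitor only)' }

    [pscustomobject] $result
}

Test-DomainMailAuth -Domain 'contoso.com' | Format-List
```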
Whenever possible, we recommend that you deliver email for your domain directly
to Microsoft 365. In other words, point your Microsoft 365 domain's MX record to
Microsoft 365. Exchange Online Protection (EOP) is able to provide the best
protection for your cloud users when their mail is delivered directly to Microsoft
365. If you must use a third-party email hygiene system in front of EOP, use
Enhanced Filtering for Connectors. For instructions, see Enhanced Filtering for
Connectors in Exchange Online.
Using the built-in Report button in Outlook on the web or the Microsoft Report
Message or Report Phishing add-ins to report messages to Microsoft helps with
the training of our detection systems. Admins should also take advantage of admin
submission capabilities to report messages to Microsoft.
Multi-factor authentication (MFA) is a good way to prevent compromised accounts.
You should strongly consider enabling MFA for all of your users. For a phased
approach, start by enabling MFA for your most sensitive users (admins, executives,
etc.) before you enable MFA for everyone. For instructions, see Set up multi-factor
authentication.
Forwarding rules to external recipients are often used by attackers to extract data.
Use the Review mailbox forwarding rules information in Microsoft Secure Score to
find and even prevent forwarding rules to external recipients. For more
information, see Mitigating Client External Forwarding Rules with Secure Score.
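The following added example (not from the article or Secure Score) finds the forwarding described above from PowerShell: mailbox-level forwarding set with Set-Mailbox and inbox rules that forward or redirect to addresses outside your accepted domains. It assumes an Exchange Online PowerShell session and reads the rule recipient strings in the form `"Name" [SMTP:user@domain]` that Get-InboxRule returns.

```powershell
# Added example, not from the original article.
# Lists mailbox forwarding and inbox rules whose targets are outside the accepted domains.
function Get-ExternalForwarding {
    param([string[]] $MailboxIdentity)   # omit to scan every mailbox (slow in large tenants)

    # Anything not in an accepted domain counts as external.
    $internal = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() })

    function Get-ExternalSmtp([string[]] $Recipients) {
        foreach ($r in $Recipients) {
            # Recipient strings look like  "Name" [SMTP:user@domain]  or  smtp:user@domain
            if ($r -match '(?i)smtp:([^\]\s"]+)') {
                $addr = $Matches[1]
                if ($internal -notcontains ($addr.Split('@')[-1].ToLowerInvariant())) { $addr }
            }
        }
    }

    $mailboxes = if ($MailboxIdentity) { $MailboxIdentity | ForEach-Object { Get-Mailbox -Identity $_ } }
                 else { Get-Mailbox -ResultSize Unlimited }

    foreach ($mbx in $mailboxes) {
        $upn = $mbx.UserPrincipalName

        # Mailbox-level forwarding set by Set-Mailbox (ForwardingSmtpAddress is "smtp:<addr>").
        if ($mbx.ForwardingSmtpAddress) {
            foreach ($a in Get-ExternalSmtp @($mbx.ForwardingSmtpAddress)) {
                [pscustomobject]@{
                    Mailbox         = $upn
                    Source          = 'ForwardingSmtpAddress'
                    Rule            = $null
                    ExternalAddress = $a
                    Enabled         = $true
                    KeepsCopy       = $mbx.DeliverToMailboxAndForward
                }
            }
        }

        # Inbox rules created by the user, or by an attacker holding the user's credentials.
        foreach ($rule in Get-InboxRule -Mailbox $upn) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($a in Get-ExternalSmtp $targets) {
                [pscustomobject]@{
                    Mailbox         = $upn
                    Source          = 'InboxRule'
                    Rule            = $rule.Name
                    ExternalAddress = $a
                    Enabled         = $rule.Enabled
                    KeepsCopy       = ($null -eq $rule.RedirectTo)   # redirect removes the original
                }
            }
        }
    }
}

Get-ExternalForwarding | Format-Table -AutoSize
```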
Quarantined email messages in EOP and Defender for Office 365
Article • 01/11/2023 • 3 minutes to read
Admins can work with all types of quarantined messages for all users. By default,
only admins can work with messages that were quarantined as malware, high
confidence phishing, or as a result of mail flow rules (also known as transport
rules). For more information, see Manage quarantined messages and files as an
admin in EOP.
By default, users can work with quarantined messages where they are a recipient
and the message was quarantined as spam, bulk email, or phishing (not high
confidence phishing). For more information, see Find and release quarantined
messages as a user in EOP.
Admins can report false positives to Microsoft from quarantine. For more
information, see Take action on quarantined email and Take action on quarantined
files.
How long quarantined messages are held in quarantine before they expire varies
based on why the message was quarantined. The features that quarantine
messages and their corresponding retention periods are described in the following
table:
30 days in anti-spam policies that you create in the Microsoft 365 Defender portal.
Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware
messages): 30 days. Configurable: No.
Messages quarantined by mail flow rules (the action is Deliver the message to the
hosted quarantine (Quarantine)): 30 days. Configurable: No.
Admins can view, release, and delete all types of quarantined messages for all users.
Admins can also report false positives to Microsoft.
By default, only admins can manage messages that were quarantined as malware, high
confidence phishing, or as a result of mail flow rules (also known as transport rules). But
admins can use quarantine policies to define what users are allowed to do to
quarantined messages based on why the message was quarantined (for supported
features). For more information, see Quarantine policies.
Admins in organizations with Microsoft Defender for Office 365 can also manage files
that were quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft
Teams.
You view and manage quarantined messages in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes
in Exchange Online; standalone EOP PowerShell for organizations without Exchange
Online mailboxes).
You need to be assigned permissions in Exchange Online before you can do the
procedures in this article:
To take action on quarantined messages for all users, you need to be a member
of the Organization Management, Security Administrator, or Quarantine
Administrator* role groups. To submit messages to Microsoft, you need to be a
member of the Security Administrator role group.
For read-only access to quarantined messages for all users, you need to be a
member of the Global Reader or Security Reader role groups.
Notes:
Adding users to the corresponding Azure Active Directory role in the Microsoft
365 admin center gives users the required permissions, plus permissions for
other features in Microsoft 365. For more information, see About admin roles.
The View-Only Organization Management role group in Exchange Online also
gives read-only access to the feature.
* Members of the Quarantine Administrator role group in Email & collaboration roles
in the Microsoft 365 Defender portal also need to be members of the Hygiene
Management role group in Exchange Online to do quarantine procedures in Exchange
Online PowerShell.
Quarantined messages are retained for a default period of time based on why they
were quarantined. After the retention period expires, the messages are
automatically deleted and are not recoverable. For more information, see
Quarantined email messages in EOP and Defender for Office 365.
3. You can sort the results by clicking on an available column header. Click Customize
columns to change the columns that are shown. The default values are marked
with an asterisk (*):
Time received*
Subject*
Sender*
Quarantine reason*
Release status*
Policy type*
Expires*
Recipient
Message ID
Policy name
Message size
Mail direction
Recipient tag
4. To filter the results, click Filter. The following filters are available in the Filters flyout
that appears:
For example, you used message trace to look for a message that was sent to
a user in your organization, and you determine that the message was
quarantined instead of delivered. Be sure to include the full message ID value,
which might include angle brackets (<>). For example:
<79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>.
Sender address
Recipient address
Subject
Time received: Enter a Start time and End time (date).
Recipient tag
Quarantine reason:
Transport rule (mail flow rule)
Bulk
Spam
Malware: Anti-malware policies in EOP or Safe Attachments policies in
Defender for Office 365. The Policy Type value indicates which feature was
used.
Phishing: The spam filter verdict was Phishing or anti-phishing protection
quarantined the message (spoof settings or impersonation protection).
High confidence phishing
Recipient: All users or Only me. End users can only manage quarantined
messages sent to them.
When you're finished, click Apply. To clear the filters, click Clear filters.
5. Use the Search box and a corresponding value to find specific messages. Wildcards
aren't supported. You can search by the following values:
After you've entered the search criteria, press ENTER to filter the results.
Note
The Search box on the main Quarantine page will search only quarantined
items in the current view, not the entire quarantine. To search all quarantined
items, use Filter and the resulting Filters flyout.
After you find a specific quarantined message, select the message to view details about
it, and to take action on it (for example, view, release, download, or delete the message).
When you select a quarantined message from the list, the following information is
available in the details flyout that appears.
Message ID: The globally unique identifier for the message. Available in the
Message-ID header field in the message header.
Sender address
Received: The date/time when the message was received.
Subject
Quarantine reason: Shows if a message has been identified as Spam, Bulk, Phish,
matched a mail flow rule (Transport rule), or was identified as containing Malware.
Policy type
Policy name
Recipient count
Recipients: If the message contains multiple recipients, you need to click Preview
message or View message header to see the complete list of recipients.
Recipient tag: For more information, see User tags in Microsoft Defender for Office
365.
Expires: The date/time when the message will be automatically and permanently
deleted from quarantine.
Released to: All email addresses (if any) to which the message has been released.
Not yet released to: All email addresses (if any) to which the message has not yet
been released.
Note
To remain in the details flyout, but change the quarantined message that you're
looking at, use the up and down arrows at the top of the flyout.
Release email*: In the flyout pane that appears, configure the following options:
Add sender to your organization's allow list: Select this option to prevent
messages from the sender from being quarantined.
Send a copy of this message to other recipients: Select this option and enter
the recipient email addresses in the Recipients box that appears.
Note
To send a copy of the message to other recipients, you must also release
the message to at least one of the original recipients (select Release to all
recipients or Release to specific recipients).
Allow messages like this: This option is turned off by default. Turn it on to
temporarily prevent messages with similar URLs, attachments, and other properties
from being quarantined. When you turn this option on, the following options are
available:
Remove after: Select how long you want to allow messages like this. Select 1
day to 30 days. The default is 30.
Optional note: Enter a useful description for the allow.
Share email: In the flyout that appears, add one or more recipients to receive a
copy of the message. When you're finished, click Share.
The following actions are available after you click More actions:
View message headers: Choose this link to see the message header text. The
Message header flyout appears with the following links:
Copy message header: Click this link to copy the message header (all header
fields) to your clipboard.
Microsoft Message Header Analyzer: To analyze the header fields and values in
depth, click this link to go to the Message Header Analyzer. Paste the message
header into the Insert the message header you would like to analyze section
(CTRL+V or right-click and choose Paste), and then click Analyze headers.
Preview message: In the flyout that appears, choose one of the following tabs:
Source: Shows the HTML version of the message body with all links disabled.
Plain text: Shows the message body in plain text.
Delete from quarantine: After you click Yes in the warning that appears, the
message is immediately deleted without being sent to the original recipients.
Download email: In the flyout that appears, configure the following settings:
Reason for downloading file: Enter descriptive text.
Create password and Confirm password: Enter a password that's required to
open the downloaded message file.
When you're finished, click Download, and then Done to save a local copy of the
message. The .eml message file is saved in a compressed file named Quarantined
Messages.zip in your Downloads folder. If the .zip file already exists, a number is
appended to the filename (for example, Quarantined Messages(1).zip).
Block sender: Add the sender to the Blocked Senders list in your mailbox. For
more information, see Block a mail sender .
Submit only: Reports the message to Microsoft for analysis. In the flyout that
appears, choose the following options:
Select the submission type: Email (default), URL, or File.
Add the network message ID or upload the email file: Select one of the
following options:
Add the email network message ID (default, with the corresponding value in
the box)
Upload the email file (.msg or .eml): Click Browse files to find and select the
.msg or .eml message file to submit.
Choose a recipient who had an issue: Select one (preferred) or more original
recipients of the message to analyze the policies that were applied to them.
Select a reason for submitting to Microsoft: Choose one of the following
options:
Should not have been blocked (false positive) (default): The following
options are available:
Allow messages like this: This option is turned off by default. Turn it on to
temporarily prevent messages with similar URLs, attachments, and other properties
from being quarantined. When you turn this option on, the following options are
available:
Remove after: Select how long you want to allow messages like this.
Select 1 day to 30 days. The default is 30.
Optional note: Enter a useful description for the allow.
Should have been blocked (false negative).
* This option is not available for messages that have already been released (the
Released status value is Released).
If you don't release or remove the message, it will be deleted after the default
quarantine retention period expires (as shown in the Expires column).
Note
On a mobile device, the description text isn't available on the action icons.
The icons in order and their corresponding descriptions are summarized in the
following table:
Icon Description
Release email
Share email
Preview message
Download email
Block sender
Submit only
Note
Consider the following scenario: john@gmail.com sends a message to
faith@contoso.com and john@subsidiary.contoso.com. Gmail bifurcates this
message into two copies that are both routed to quarantine as phishing in
Microsoft. An admin releases both of these messages to
admin@contoso.com. The first released message that reaches the admin
mailbox is delivered. The second released message is identified as a duplicate
delivery and is skipped. Messages are identified as duplicates if they have the
same message ID and received time.
Delete messages: After you click Yes in the warning that appears, the messages
are immediately removed from quarantine without being sent to the original
recipients.
Download messages
Submit only
Note
The procedures for quarantined files in this section are available only to Microsoft
Defender for Office 365 Plan 1 or Plan 2 subscribers.
In organizations with Defender for Office 365, admins can manage files that were
quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. To
enable protection for these files, see Turn on Safe Attachments for SharePoint,
OneDrive, and Microsoft Teams.
2. On the Quarantine page, select the Files tab (Email is the default tab).
3. You can sort the results by clicking on an available column header. Click Customize
columns to change the columns that are shown. The default columns are marked
with an asterisk (*):
User*
Location*
Attachment filename*
File URL*
File Size
Release status*
Expires*
Detected by
Modified by time
4. To filter the results, click Filter. The following filters are available in the Filters flyout
that appears:
After you find a specific quarantined file, select the file to view details about it, and to
take action on it (for example, view, release, download, or delete the file).
When you select a quarantined file from the list, the following information is available in
the details flyout that opens:
File Name
File URL: URL that defines the location of the file (for example, in SharePoint
Online).
Malicious content detected on: The date/time the file was quarantined.
Expires: The date when the file will be deleted from quarantine.
Detected by
Released?
Malware Name
Document ID: A unique identifier for the document.
File Size: In kilobytes (KB).
Organization: Your organization's unique ID.
Last modified
Modified By: The user who last modified the file.
Secure Hash Algorithm 256-bit (SHA-256) value: You can use this hash value to
identify the file in other reputation stores or in other locations in your
environment.
Note
To remain in the details flyout, but change the quarantined file that you're looking
at, use the up and down arrows at the top of the flyout.
Release file*: In the flyout pane that appears, turn on or turn off Report files to
Microsoft for analysis, and then click Release.
Download file: In the flyout that appears, select I understand the risks from
downloading this file, and then click Download to save a local copy of the file.
Delete from quarantine: After you click Yes in the warning that appears, the file
is immediately deleted.
Block sender: Add the sender to the Blocked Senders list in your mailbox. For
more information, see Block a mail sender .
* This option is not available for files that have already been released (the Released
status value is Released).
If you don't release or remove the file, it will be deleted after the default quarantine
retention period expires (as shown in the Expires column).
When you select multiple quarantined files in the list (up to 100) by clicking in the blank
area to the left of the Subject column, the Bulk actions drop down list appears where
you can take the following actions:
Release file: In the flyout pane that appears, turn on or turn off Report files to
Microsoft for analysis, and then click Release.
Delete from quarantine: After you click Yes in the warning that appears, the file
is immediately deleted.
Download file: In the flyout that appears, select I understand the risks from
downloading this file, and then click Download to save a local copy of the file.
Delete-QuarantineMessage
Export-QuarantineMessage
Get-QuarantineMessage
Preview-QuarantineMessage: Note that this cmdlet is only for messages, not
quarantined files from Safe Attachments for SharePoint, OneDrive, and Microsoft
Teams.
Release-QuarantineMessage
As an ordinary user (not an admin), the default capabilities that are available to you as a
recipient of a quarantined message are described in the following table:
Anti-spam policies
Bulk
Spam
Phishing
Anti-phishing policies
Anti-malware policies
Quarantine policies define what users are allowed to do to quarantined messages based
on why the message was quarantined in supported features. Default quarantine policies
enforce the historical capabilities as described in the previous table. Admins can create
and apply custom quarantine policies that define less restrictive or more restrictive
capabilities for users in supported features. For more information, see Quarantine
policies.
You view and manage your quarantined messages in the Microsoft 365 Defender portal
or (if an admin has set this up) quarantine notifications from quarantine policies.
Admins can configure how long messages are kept in quarantine before they're
permanently deleted in anti-spam policies. Messages that have expired from
quarantine are unrecoverable. For more information, see Configure anti-spam
policies in EOP.
By default, messages that were quarantined for high confidence phishing, malware,
or by mail flow rules are only available to admins, and aren't visible to users. For
more information, see Manage quarantined messages and files as an admin in
EOP.
2. On the Quarantine page, you can sort the results by clicking on an available
column header. Click Customize columns to change the columns that are shown.
The default values are marked with an asterisk (*):
Time received*
Subject*
Sender*
Quarantine reason*
Release status*
Policy type*
Expires*
Recipient
Message ID
Policy name
Message size
Mail direction
3. To filter the results, click Filter. The following filters are available in the Filters flyout
that appears:
When you're finished, click Apply. To clear the filters, click Clear filters.
4. Use Search box and a corresponding value to find specific messages. Wildcards
aren't supported. You can search by the following values:
Message ID
Sender email address
Recipient email address
Subject. Use the entire subject of the message. The search is not case-
sensitive.
Policy name. Use the entire policy name. The search is not case-sensitive.
After you've entered the search criteria, press ENTER to filter the results.
Note
The Search box on the main Quarantine page will search only quarantined
items in the current view, not the entire quarantine. To search all quarantined
items, use Filter and the resulting Filters flyout.
After you find a specific quarantined message, select the message to view details about
it, and to take action on it (for example, view, release, download, or delete the message).
When you select an email message in the list, the following message details appear in
the Details flyout pane:
Note
To remain in the details flyout, but change the quarantined message that you're
looking at, use the up and down arrows at the top of the flyout.
After you select a quarantined message from the list, the following actions are available
in the details flyout:
Copy message header: Click this link to copy the message header (all header
fields) to your clipboard.
Microsoft Message Header Analyzer: To analyze the header fields and values in
depth, click this link to go to the Message Header Analyzer. Paste the message
header into the Insert the message header you would like to analyze section
(CTRL+V or right-click and choose Paste), and then click Analyze headers.
The following actions are available after you click More actions:
Preview message: In the flyout that appears, choose one of the following tabs:
Source: Shows the HTML version of the message body with all links disabled.
Plain text: Shows the message body in plain text.
Remove from quarantine: After you click Yes in the warning that appears, the
message is immediately deleted without being sent to the original recipients.
Download email: In the flyout that appears, configure the following settings:
Reason for downloading file: Enter descriptive text.
Create password and Confirm password: Enter a password that's required to
open the downloaded message file.
When you're finished, click Download, and then Done to save a local copy of the
message. The .eml message file is saved in a compressed file named Quarantined
Messages.zip in your Downloads folder. If the .zip file already exists, a number is
appended to the filename (for example, Quarantined Messages(1).zip).
Block sender: Add the sender to the Blocked Senders list in your mailbox. For
more information, see Block a mail sender .
* This option is not available for messages that have already been released (the
Released status value is Released).
If you don't release or remove the message, it will be deleted after the default
quarantine retention period expires (as shown in the Expires column).
Note
On a mobile device, the description text isn't available on the action icons.
The icons in order and their corresponding descriptions are summarized in the
following table:
Icon (in order)   Description
First             Release email
Second            Preview message
Third             Block sender
Release messages: Delivers the messages to your Inbox.
Delete messages: After you click Yes in the warning that appears, the messages
are immediately removed from quarantine without being sent to the original
recipients.
Quarantine policies
Article • 12/22/2022 • 31 minutes to read
Traditionally, users have been allowed or denied levels of interactivity for quarantine
messages based on why the message was quarantined. For example, users can view and
release messages that were quarantined by anti-spam filtering as spam or bulk, but they
can't view or release messages that were quarantined as high confidence phishing or
malware.
For supported protection features, quarantine policies specify what users are allowed to
do to their own messages (messages where they're a recipient) in quarantine and in
quarantine notifications. Quarantine notifications are the replacement for end-user spam
notifications. These notifications are now controlled by quarantine policies, and contain
information about quarantined messages for all supported protection features (not just
anti-spam policy and anti-phishing policy verdicts).
Default quarantine policies that enforce the historical user capabilities are automatically
assigned to actions in the supported protection features that quarantine messages. Or,
you can create custom quarantine policies and assign them to the supported protection
features to allow or prevent users from performing specific actions on those types of
quarantined messages.
The individual quarantine policy permissions are combined into the following preset
permission groups:
No access
Limited access
Full access
The individual quarantine policy permissions that are contained in the preset permission
groups are described in the following table:
Delete (PermissionToDelete)
Preview (PermissionToPreview)
* The Allow recipients to release a message from quarantine permission is not honored
in anti-malware policies or for the high confidence phishing verdict in anti-spam
policies. Users cannot release their own malware or high confidence phishing messages
from quarantine. At best, you can use the Allow recipients to request a message to be
released from quarantine permission.
The default quarantine policies, their associated permission groups, and whether
quarantine notifications are enabled are described in the following table:
Quarantine policy                        Permission group   Quarantine notifications enabled?
AdminOnlyAccessPolicy                    No access          No
DefaultFullAccessPolicy                  Full access        No
NotificationEnabledPolicy (if present)   Full access        Yes
If you don't like the default permissions in the preset permission groups, or if you want
to enable quarantine notifications, create and use custom quarantine policies. For more
information about what each permission does, see the Quarantine policy permission
details section later in this article.
You create and assign quarantine policies in the Microsoft 365 Defender portal or in
PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with Exchange
Online mailboxes; standalone EOP PowerShell in EOP organizations without Exchange
Online mailboxes).
Note
How long quarantined messages are held in quarantine before they expire is
controlled by the Retain spam in quarantine for this many days
(QuarantineRetentionPeriod) in anti-spam policies. For more information, see
Configure anti-spam policies in EOP.
Your organization has a built-in quarantine policy named NotificationEnabledPolicy
only if both of the following conditions were true:
Your organization existed before the quarantine policy feature was turned on (late
July/early August 2021).
You had one or more anti-spam policies (the default anti-spam policy or custom
anti-spam policies) where the Enable end-user spam notifications setting was
turned on.
3. The New policy wizard opens. On the Policy name page, enter a brief but unique
name in the Policy name box. You'll need to identify and select the quarantine
policy by name in upcoming steps. When you're finished, click Next.
4. On the Recipient message access page, select one of the following values:
6. On the Review policy page, review your settings. You can select Edit in each
section to modify the settings within the section. Or you can click Back or select
the specific page in the wizard.
Now you're ready to assign the quarantine policy to a quarantine feature as described in
the Step 2 section.
Create quarantine policies in PowerShell
If you'd rather use PowerShell to create quarantine policies, connect to Exchange Online
PowerShell or Exchange Online Protection PowerShell and use the New-
QuarantinePolicy cmdlet.
Note
If you don't use the ESNEnabled parameter and the value $true , then quarantine
notifications are turned off.
PowerShell
The required order and values for each individual permission are described in the
following table:
Permission                      Decimal value   Binary value
PermissionToViewHeader*         128             10000000
PermissionToDownload**          64              01000000
PermissionToAllowSender**       32              00100000
PermissionToBlockSender         16              00010000
PermissionToRequestRelease***   8               00001000
PermissionToRelease***          4               00000100
PermissionToPreview             2               00000010
PermissionToDelete              1               00000001
* The value 0 doesn't hide the View message header button in the details of the
quarantined message (the button is always available).
** This setting is not used (the value 0 or 1 does nothing).
*** Don't set both of these values to 1. Set one to 1 and the other to 0, or set both to 0.
For example, the Limited access permission group corresponds to the following
individual permission values:
PermissionToViewHeader 0
PermissionToDownload 0
PermissionToAllowSender 0
PermissionToBlockSender 1
PermissionToRequestRelease 1
PermissionToRelease 0
PermissionToPreview 1
PermissionToDelete 1
Read from the high bit to the low bit, that's the binary value 00011011, which is 27
in decimal.
This example creates a new quarantine policy named LimitedAccess with quarantine
notifications turned on that assigns the Limited access permissions as described in the
previous table.
PowerShell
For custom permissions, use the previous table to get the binary value that corresponds
to the permissions you want. Convert the binary value to a decimal value and use the
decimal value for the EndUserQuarantinePermissionsValue parameter. Don't use the
binary value for the parameter value.
For detailed syntax and parameter information, see New-QuarantinePolicy.
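The bitmask arithmetic described above, worked through in PowerShell. This is an added example, not code from the original article: it composes the EndUserQuarantinePermissionsValue from permission names, rejects the Release plus RequestRelease combination the footnote warns against, decodes an existing value for auditing, and ends with the New-QuarantinePolicy call that the "Create quarantine policies in PowerShell" step describes. The bit values come from the table above; the function names and the policy name 'LimitedAccess-Custom' are assumptions for illustration.

```powershell
# Added example, not from the original article. Bit values follow the permission
# table in this section; function names and the policy name are assumptions.

# High bit to low bit, matching the binary column of the table.
$QuarantinePermissionBits = [ordered]@{
    PermissionToViewHeader     = 128   # value ignored: the header button is always shown
    PermissionToDownload       = 64    # not used by the service
    PermissionToAllowSender    = 32    # not used by the service
    PermissionToBlockSender    = 16
    PermissionToRequestRelease = 8     # don't combine with PermissionToRelease
    PermissionToRelease        = 4
    PermissionToPreview        = 2
    PermissionToDelete         = 1
}

function New-QuarantinePermissionsValue {
    # Converts permission names into the decimal value that
    # -EndUserQuarantinePermissionsValue expects, refusing the Release + RequestRelease
    # combination the footnote says not to use.
    param([Parameter(Mandatory)][string[]]$Permission)

    $value = 0
    foreach ($name in $Permission) {
        if (-not $QuarantinePermissionBits.Contains($name)) {
            throw "Unknown permission '$name'. Valid names: $($QuarantinePermissionBits.Keys -join ', ')"
        }
        $value = $value -bor $QuarantinePermissionBits[$name]
    }
    if (($value -band 8) -and ($value -band 4)) {
        throw 'PermissionToRelease and PermissionToRequestRelease must not both be set.'
    }
    return $value
}

function ConvertFrom-QuarantinePermissionsValue {
    # Decodes a decimal value back into the permission names it grants, so an
    # existing policy's value can be audited without consulting the table.
    param([Parameter(Mandatory)][int]$Value)
    foreach ($entry in $QuarantinePermissionBits.GetEnumerator()) {
        if ($Value -band $entry.Value) { $entry.Key }
    }
}

# Limited access, per the table above: BlockSender, RequestRelease, Preview, Delete.
$limitedAccess = New-QuarantinePermissionsValue -Permission @(
    'PermissionToBlockSender', 'PermissionToRequestRelease', 'PermissionToPreview', 'PermissionToDelete'
)
"Limited access = $limitedAccess (binary $([Convert]::ToString($limitedAccess, 2).PadLeft(8, '0')))"

# Round trip: which permissions does that value grant?
ConvertFrom-QuarantinePermissionsValue -Value $limitedAccess

# Create the policy with quarantine notifications turned on (ESNEnabled). This line
# needs an Exchange Online PowerShell session (Connect-ExchangeOnline); the name is assumed.
# New-QuarantinePolicy -Name 'LimitedAccess-Custom' -EndUserQuarantinePermissionsValue $limitedAccess -ESNEnabled $true
```

The two functions run in any PowerShell session; only the commented New-QuarantinePolicy line needs a connection to Exchange Online. Decoding is the useful half when you inherit a tenant and want to know what a policy's numeric value actually grants before assigning it to a verdict.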
* As previously described in this article, your organization might use
NotificationEnabledPolicy instead of DefaultFullAccessPolicy. The only difference
between these two quarantine policies is quarantine notifications are turned on in
NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
The default quarantine policies, preset permission groups, and permissions are
described at the beginning of this article and later in this article.
Note
If you're happy with the default end-user permissions and quarantine notifications
that are provided (or not provided) by the default quarantine policies, you don't
need to do anything. If you want to add or remove end-user capabilities (the
available buttons) for user quarantined messages, or enable quarantine
notifications and add or remove the same capabilities in quarantine notifications,
you can assign a different quarantine policy to the quarantine action.
Note
Users can't release their own messages that were quarantined as malware (anti-
malware policies) or high confidence phishing (anti-spam policies), regardless of
how the quarantine policy is configured. At best, admins can configure the
quarantine policy so users can request the release of their quarantined malware or
high confidence phishing messages.
Anti-spam policies
1. In the Microsoft 365 Defender portal , go to Email & collaboration > Policies &
rules > Threat policies > Anti-spam in the Policies section.
Edit existing: Select the policy by clicking on the name of the policy. In the
policy details flyout, go to the Actions section and then click Edit actions.
Create new: In the new policy wizard, get to the Actions page.
4. On the Actions page, every verdict that has the Quarantine message action will
also have the Select quarantine policy box for you to select a corresponding
quarantine policy.
Note: When you create a new policy, a blank Select quarantine policy value
indicates the default quarantine policy for that verdict is used. When you later edit
the policy, the blank values are replaced by the actual default quarantine policy
names as described in the previous table.
Full instructions for creating and modifying anti-spam policies are described in
Configure anti-spam policies in EOP.
PowerShell
Notes:
To see the important parameter values in existing anti-spam policies, run the
following command:
PowerShell
Get-HostedContentFilterPolicy | Format-List
Name,*SpamAction,HighConfidencePhishAction,*QuarantineTag
For information about the default action values and the recommended action
values for Standard and Strict, see EOP anti-spam policy settings.
When you create new anti-spam policies, a spam filtering verdict without a
corresponding quarantine policy parameter means the default quarantine policy
for that verdict is used.
You need to replace a default quarantine policy with a custom quarantine policy
only if you want to change the default end-user capabilities on quarantined
messages for that particular spam filtering verdict.
A new anti-spam policy in PowerShell requires a spam filter policy (settings) using
the New-HostedContentFilterPolicy cmdlet and an exclusive spam filter rule
(recipient filters) using the New-HostedContentFilterRule cmdlet. For instructions,
see Use PowerShell to create anti-spam policies.
This example creates a new spam filter policy named Research Department with the
following settings:
PowerShell
This example modifies the existing spam filter policy named Human Resources. The
action for the spam quarantine verdict is set to Quarantine, and the custom quarantine
policy named NoAccess is assigned.
PowerShell
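The Human Resources change described above, as an added example that is not code from the original article. It requires an Exchange Online PowerShell session (Connect-ExchangeOnline). After setting the spam verdict, it reads back all five quarantining verdicts so you can see which quarantine policy each one actually uses; the pairing of *Action to *QuarantineTag property names is the point the loop makes visible.

```powershell
# Added example, not from the original article. Requires Connect-ExchangeOnline.
# Quarantines the spam verdict in the 'Human Resources' anti-spam policy with the
# custom quarantine policy 'NoAccess', then reads back every quarantining verdict.

$PolicyName = 'Human Resources'

# Each verdict has an *Action parameter and a matching *QuarantineTag parameter.
Set-HostedContentFilterPolicy -Identity $PolicyName -SpamAction Quarantine -SpamQuarantineTag NoAccess

# Property names on the policy object, paired verdict by verdict.
$VerdictPairs = @(
    @{ Verdict = 'Spam';                     Action = 'SpamAction';                Tag = 'SpamQuarantineTag' }
    @{ Verdict = 'High confidence spam';     Action = 'HighConfidenceSpamAction';  Tag = 'HighConfidenceSpamQuarantineTag' }
    @{ Verdict = 'Phishing';                 Action = 'PhishSpamAction';           Tag = 'PhishQuarantineTag' }
    @{ Verdict = 'High confidence phishing'; Action = 'HighConfidencePhishAction'; Tag = 'HighConfidencePhishQuarantineTag' }
    @{ Verdict = 'Bulk';                     Action = 'BulkSpamAction';            Tag = 'BulkQuarantineTag' }
)

$policy = Get-HostedContentFilterPolicy -Identity $PolicyName
foreach ($pair in $VerdictPairs) {
    $action = $policy.($pair.Action)
    # The quarantine policy only matters when the verdict's action is Quarantine.
    $effectiveTag = if ($action -eq 'Quarantine') { $policy.($pair.Tag) } else { '-' }
    [pscustomobject]@{
        Policy           = $policy.Name
        Verdict          = $pair.Verdict
        Action           = $action
        QuarantinePolicy = $effectiveTag
    }
}
```

A verdict whose action isn't Quarantine still carries a *QuarantineTag value, but it has no effect; the read-back hides it so the report shows only assignments that are live.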
Anti-phishing policies
Spoof intelligence is available in EOP and Defender for Office 365. User impersonation
protection, domain impersonation protection, and mailbox intelligence are available
only in Defender for Office 365. For more information, see Anti-phishing policies in
Microsoft 365.
1. In the Microsoft 365 Defender portal , go to Email & collaboration > Policies &
rules > Threat policies > Anti-phishing in the Policies section.
Edit existing: Select the policy by clicking on the name of the policy. In the
policy details flyout, go to the Protection settings section and then click Edit
protection settings.
Create new: In the new policy wizard, get to the Phishing threshold & protection
page (the protection settings).
4. On the Protection settings page, verify that the following settings are turned on
and configured as required:
Edit existing: In the policy details flyout, go to the Actions section and then
click Edit actions.
Create new: In the new policy wizard, get to the Actions page.
6. On the Actions page, every verdict that has the Quarantine the message action
will also have the Apply quarantine policy box for you to select a corresponding
quarantine policy.
Note: When you create a new policy, a blank Apply quarantine policy value
indicates the default quarantine policy for that action is used. When you later edit
the policy, the blank values are replaced by the actual default quarantine policy
names as described in the previous table.
Full instructions for creating and modifying anti-phishing policies are available in the
following topics:
PowerShell
Notes:
The Enable* parameters are required to turn on the specific protection features.
The default value for the EnableMailboxIntelligence and EnableSpoofIntelligence
parameters is $true, so you don't need to use these parameters when you create
new anti-phish policies in PowerShell. All other Enable* parameters need to have
the value $true so you can set the value Quarantine in the corresponding *Action
parameters to then assign a quarantine policy. None of the *Action parameters
have the default value Quarantine.
To see the important parameter values in existing anti-phish policies, run the
following command:
PowerShell
Get-AntiPhishPolicy | Format-List
Name,Enable*Intelligence,Enable*Protection,*Action,*QuarantineTag
For information about the default action values and the recommended action
values for Standard and Strict, see EOP anti-phishing policy settings and
Impersonation settings in anti-phishing policies in Microsoft Defender for Office
365.
You need to replace a default quarantine policy with a custom quarantine policy
only if you want to change the default end-user capabilities on quarantined
messages for that particular verdict.
PowerShell
This example modifies the existing anti-phish policy named Human Resources. The
action for messages detected by user impersonation and domain impersonation is set to
Quarantine, and the custom quarantine policy named NoAccess is assigned.
PowerShell
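The Human Resources anti-phish change described above, as an added example that is not code from the original article. It requires an Exchange Online PowerShell session and Defender for Office 365 (impersonation protection isn't in EOP alone). The Enable* switches are set in the same call as the actions, because, as the notes above say, a Quarantine action only takes effect once the matching protection is on; the read-back flags any quarantine action whose protection is still off.

```powershell
# Added example, not from the original article. Requires Connect-ExchangeOnline
# and Defender for Office 365. Sets user and domain impersonation detections in the
# 'Human Resources' anti-phish policy to Quarantine with the custom quarantine
# policy 'NoAccess'.

$AntiPhishSettings = @{
    Identity                        = 'Human Resources'
    EnableTargetedUserProtection    = $true
    TargetedUserProtectionAction    = 'Quarantine'
    TargetedUserQuarantineTag       = 'NoAccess'
    EnableTargetedDomainsProtection = $true
    TargetedDomainProtectionAction  = 'Quarantine'
    TargetedDomainQuarantineTag     = 'NoAccess'
}
Set-AntiPhishPolicy @AntiPhishSettings

# Read back. A Quarantine action whose Enable* setting is off does nothing, so the
# quarantine policy assigned to it is not in effect; report that explicitly.
$p = Get-AntiPhishPolicy -Identity 'Human Resources'
$checks = @(
    @{ Feature = 'User impersonation';   Enabled = $p.EnableTargetedUserProtection;        Action = $p.TargetedUserProtectionAction;        Tag = $p.TargetedUserQuarantineTag }
    @{ Feature = 'Domain impersonation'; Enabled = $p.EnableTargetedDomainsProtection;     Action = $p.TargetedDomainProtectionAction;      Tag = $p.TargetedDomainQuarantineTag }
    @{ Feature = 'Mailbox intelligence'; Enabled = $p.EnableMailboxIntelligenceProtection; Action = $p.MailboxIntelligenceProtectionAction; Tag = $p.MailboxIntelligenceQuarantineTag }
    @{ Feature = 'Spoof intelligence';   Enabled = $p.EnableSpoofIntelligence;             Action = $p.AuthenticationFailAction;            Tag = $p.SpoofQuarantineTag }
)
foreach ($c in $checks) {
    $status = if ($c.Action -eq 'Quarantine' -and -not $c.Enabled) {
        'NOT IN EFFECT: quarantine action with protection turned off'
    } else {
        'ok'
    }
    [pscustomobject]@{
        Feature          = $c.Feature
        Enabled          = $c.Enabled
        Action           = $c.Action
        QuarantinePolicy = $c.Tag
        Status           = $status
    }
}
```

Splatting keeps the enable flag and the action in one call, which avoids the ordering mistake of setting an action first and discovering later that the protection it belongs to was never turned on.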
Anti-malware policies
1. In the Microsoft 365 Defender portal , go to Email & collaboration > Policies &
rules > Threat policies > Anti-malware in the Policies section.
Edit existing: Select the policy by clicking on the name of the policy. In the
policy details flyout, go to the Protection settings section and then click Edit
protection settings.
Create new: In the new policy wizard, get to the Protection settings page.
Note: When you create a new policy, a blank Quarantine policy value indicates the
default quarantine policy for malware detections is used. When you later edit the
policy, the blank value is replaced by the actual default quarantine policy name as
described in the previous table.
PowerShell
Notes:
When you create new anti-malware policies without using the QuarantineTag
parameter, the default quarantine policy for malware detections is used
(AdminOnlyAccessPolicy).
You need to replace the default quarantine policy with a custom quarantine policy
only if you want to change the default end-user capabilities on messages that are
quarantined as malware.
To see the important parameter values in existing anti-malware policies, run the
following command:
PowerShell
This example creates a malware filter policy named Research Department that uses the
custom quarantine policy named NoAccess that assigns No access permissions to the
quarantined messages.
PowerShell
This example modifies the existing malware filter policy named Human Resources by
assigning the custom quarantine policy named NoAccess that assigns No access
permissions to the quarantined messages.
PowerShell
Edit existing: Select the policy by clicking on the name of the policy. In the
policy details flyout, go to the Settings section and then click Edit settings.
Create new: In the new policy wizard, get to the Settings page.
4. On the Settings page, do the following steps:
a. Safe Attachments unknown malware response: Select Block, Replace, or
Dynamic Delivery.
b. Select a quarantine policy in the Quarantine policy box.
Note: When you create a new policy, a blank Quarantine policy value indicates the
default quarantine policy is used. When you later edit the policy, the blank value is
replaced by the actual default quarantine policy name as described in the previous
table.
Full instructions for creating and modifying Safe Attachments policies are described in
Set up Safe Attachments policies in Microsoft Defender for Office 365.
PowerShell
Notes:
When you create new Safe Attachments policies without using the QuarantineTag
parameter, the default quarantine policy for Safe Attachments detections in email
is used (AdminOnlyAccessPolicy).
You need to replace the default quarantine policy with a custom quarantine policy
only if you want to change the default end-user capabilities on email messages
that are quarantined by Safe Attachments policies.
PowerShell
Get-SafeAttachmentPolicy | Format-List Name,Enable,Action,QuarantineTag
This example creates a safe attachment policy named Research Department that blocks
detected messages and uses the custom quarantine policy named NoAccess that
assigns No access permissions to the quarantined messages.
PowerShell
This example modifies the existing safe attachment policy named Human Resources by
assigning the custom quarantine policy named NoAccess that assigns No access
permissions.
PowerShell
1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Threat policies > Quarantine policies in the Rules section. Or, to go
directly to the Quarantine policies page, use
https://security.microsoft.com/quarantinePolicies .
2. On the Quarantine policies page, select Global settings.
3. In the Quarantine notification settings flyout that opens, configure the following
settings:
Note
We don't allow the same display name, subject, or disclaimer text for different
languages. You need to provide a different display name, subject, and
disclaimer text for each language that you select.
The same sender address is used for all languages. Although you can select a
different sender email address for each language, the last sender you specify
is used for all languages.
Choose language: The language identifier for the Display name, Subject, and
Disclaimer values. Quarantine notifications are already localized based on the
recipient's language settings. The Display name, Subject, and Disclaimer
values are used in quarantine notifications that apply to the recipient's
language.
Select the language in the Choose language box before you enter values
in the Display name, Subject and Disclaimer boxes. When you change the
value in the Choose language box, the values in the Display name,
Subject, and Disclaimer boxes are emptied.
a. Select the language from the Choose language box. The default value is
Default, which means the default language for the Microsoft 365
organization. For more information, see How to set language and region
settings for Microsoft 365.
b. Enter values for Display name, Subject, and Disclaimer. The values must
be unique for each language. If you try to reuse a Display name, Subject,
or Disclaimer value for multiple languages, you'll get an error when you
click Save.
Use my company logo: Select this option to replace the default Microsoft
logo that's used at the top of quarantine notifications. Before you do this
step, you need to follow the instructions in Customize the Microsoft 365
theme for your organization to upload your custom logo. This option is not
supported if your organization has a custom logo pointing to a URL instead
of an uploaded image file.
Send end-user spam notification every (days): Select the frequency for
quarantine notifications. The default value is 3 days, but you can select 1 to
15 days.
3. To view the settings of built-in or custom quarantine policies, select the quarantine
policy from the list by clicking on the name.
To view a summary list of all built-in or custom policies, run the following
command:
PowerShell
PowerShell
To view the global settings for quarantine notifications, run the following
command:
PowerShell
2. On the Quarantine policies page, select the policy by clicking on the name.
3. After you select the policy, click the Edit policy icon that appears.
4. The Edit policy wizard that opens is virtually identical to the New policy wizard as
described in the Create quarantine policies in the Microsoft 365 Defender portal
section earlier in this article.
5. When you're finished modifying the policy, go to the Summary page and click
Submit.
PowerShell
The available settings are the same as described for creating quarantine policies earlier
in this article.
PowerShell
If the quarantine policy is being used, replace the assigned quarantine policy
before you remove it.
1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies &
rules > Threat policies > Quarantine policies in the Rules section. Or, to go
directly to the Quarantine policies page, use
https://security.microsoft.com/quarantinePolicies .
2. On the Quarantine policies page, select the custom quarantine policy that you
want to remove by clicking on the name.
3. After you select the policy, click the Delete policy icon that appears.
PowerShell
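The "replace the assigned quarantine policy before you remove it" rule above, turned into a check. This is an added example, not code from the original article; it requires an Exchange Online PowerShell session. It finds every anti-spam, anti-phishing, anti-malware and Safe Attachments policy that still assigns the quarantine policy you intend to remove, by scanning their *QuarantineTag properties, and only suggests Remove-QuarantinePolicy when nothing references it. The candidate name 'NoAccess' is an assumption.

```powershell
# Added example, not from the original article. Requires Connect-ExchangeOnline.
# Finds every protection policy that still assigns the quarantine policy you want
# to remove, so the assignment can be replaced first. $Candidate is an assumed name.

$Candidate = 'NoAccess'

$builtIn = 'AdminOnlyAccessPolicy', 'DefaultFullAccessPolicy', 'NotificationEnabledPolicy'
if ($Candidate -in $builtIn) { throw "'$Candidate' is a built-in quarantine policy; don't remove it." }

# Fails with an error if the policy doesn't exist, before any further lookups run.
$null = Get-QuarantinePolicy -Identity $Candidate -ErrorAction Stop

# Each protection feature exposes its assignments as *QuarantineTag properties.
$sources = [ordered]@{
    'Anti-spam'        = { Get-HostedContentFilterPolicy }
    'Anti-phishing'    = { Get-AntiPhishPolicy }
    'Anti-malware'     = { Get-MalwareFilterPolicy }
    'Safe Attachments' = { Get-SafeAttachmentPolicy }
}

$references = foreach ($kind in $sources.Keys) {
    foreach ($policy in & $sources[$kind]) {
        foreach ($prop in $policy.PSObject.Properties) {
            if ($prop.Name -like '*QuarantineTag' -and "$($prop.Value)" -eq $Candidate) {
                [pscustomobject]@{ Feature = $kind; Policy = $policy.Name; Setting = $prop.Name }
            }
        }
    }
}

if ($references) {
    "'$Candidate' is still assigned; reassign these settings before removing it:"
    $references | Format-Table -AutoSize
} else {
    "No protection policy references '$Candidate'."
    # Remove-QuarantinePolicy -Identity $Candidate
}
```

Scanning property names rather than hard-coding them means the check keeps working if a feature gains another *QuarantineTag setting; the cost is that it reports a tag even on a verdict whose action isn't Quarantine, which is the conservative direction for a pre-deletion check.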
Admins can customize the email notification recipients or create a custom alert policy
for more options.
For more information about alert policies, see Alert policies in Microsoft 365.
No access
If the quarantine policy assigns the No access permissions (admin only access), users
aren't able to see the messages that are quarantined:
Limited access
If the quarantine policy assigns the Limited access permissions, users get the following
capabilities:
Full access
If the quarantine policy assigns the Full access permissions (all available permissions),
users get the following capabilities:
Individual permissions
Block sender permission
Quarantine notifications:
Block sender permission enabled: The Block sender button is available.
Block sender permission disabled: The Block sender button is not available.
For more information about the Blocked Senders list, see Block messages from
someone and Use Exchange Online PowerShell to configure the safelist collection on
a mailbox.
Delete permission
The Delete permission (PermissionToDelete) controls the ability of users to delete
their messages (messages where the user is a recipient) from quarantine.
Preview permission
The Preview permission (PermissionToPreview) controls the ability of users to preview
their messages in quarantine.
Release permission
Note
This permission is not honored in anti-malware policies or for the high confidence
phishing verdict in anti-spam policies. Users cannot release their own malware or
high confidence phishing messages from quarantine. At best, you can use the
Allow recipients to request a message to be released from quarantine permission.
Quarantine notifications:
Permission enabled: The Release button is available.
Permission disabled: The Release button is not available.
Request release permission
Quarantine notifications:
Permission enabled: The Request release button is available.
Permission disabled: The Request release button is not available.
View and release quarantined messages
from shared mailboxes
Article • 12/10/2022 • 3 minutes to read
Users can manage quarantined messages where they are one of the recipients as
described in Find and release quarantined messages as a user in EOP. But what about
shared mailboxes where the user has Full Access and Send As or Send on Behalf
permissions to the mailbox as described in Shared mailboxes in Exchange Online?
Previously, the ability for users to manage quarantined messages sent to a shared
mailbox required admins to leave automapping enabled for the shared mailbox (it's
enabled by default when an admin gives a user access to another mailbox). However,
depending on the size and number of mailboxes that the user has access to,
performance can suffer as Outlook tries to open all mailboxes that the user has access
to. For this reason, many admins choose to remove automapping for shared mailboxes.
The user can go to quarantine in the Microsoft 365 Defender portal and click Filter
to filter the results by Recipient address (the email address of the shared mailbox).
On the main Quarantine page, you can click on the Recipient column to sort by
messages that were sent to the shared mailbox.
The first user to act on the quarantined message decides the fate of the message
for everyone who uses the shared mailbox. For example, if a shared mailbox is
accessed by 10 users, and a user decides to delete the quarantine message, the
message is deleted for all 10 users. Likewise, if a user decides to release the
message, it's released to the shared mailbox and is accessible by all other users of
the shared mailbox.
Currently, the Block sender button is not available in the Details flyout for
quarantined messages that were sent to the shared mailbox.
Regarding quarantine operations for shared mailboxes, if you use nested security
groups to grant access to a shared mailbox, we recommend no more than two
levels of nested groups. For example, Group A is a member of Group B, which is a
member of Group C. To assign permissions to a shared mailbox, don't add the user
to Group A and then assign Group C to the shared mailbox.
As of July 2022, users with primary SMTP addresses that are different from their
user principal names (UPNs) should be able to access quarantined messages for
the shared mailbox.
PowerShell
Then, the end-user can select a quarantined message from the list to view or take
action on.
This example shows all of the quarantined messages that were sent to the shared
mailbox, and then releases the first message in the list from quarantine (the first
message in the list is 0, the second is 1, and so on).
PowerShell
$SharedMessages
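The shared mailbox procedure described above, as an added example that is not code from the original article. It requires an Exchange Online PowerShell session and a user with Full Access to the shared mailbox. It lists the quarantined messages addressed to the shared mailbox and releases the first one (index 0), but first checks ReleaseStatus, because, as noted above, the first user to act decides for everyone who uses the mailbox. The shared mailbox address is an assumption.

```powershell
# Added example, not from the original article. Requires Connect-ExchangeOnline.
# Lists the quarantined messages addressed to a shared mailbox and releases the
# first one, after checking that no other user has already acted on it.
# The shared mailbox address is an assumption.

$SharedMailbox = 'shared-mailbox@contoso.example'

$SharedMessages = @(Get-QuarantineMessage -RecipientAddress $SharedMailbox)

# Type is the quarantine reason; ReleaseStatus shows whether someone already acted.
$SharedMessages | Format-Table ReceivedTime, SenderAddress, Subject, Type, ReleaseStatus -AutoSize

if ($SharedMessages.Count -eq 0) {
    "Nothing in quarantine for $SharedMailbox"
    return
}

$first = $SharedMessages[0]   # index 0 is the first message in the list

# The first user to act decides for everyone who uses the shared mailbox, so
# don't try to release a message someone else already released.
if ($first.ReleaseStatus -eq 'RELEASED') {
    "Already released: '$($first.Subject)' from $($first.SenderAddress)"
} else {
    # Identity is the value Release-QuarantineMessage needs.
    Release-QuarantineMessage -Identity $first.Identity
    "Released to ${SharedMailbox}: '$($first.Subject)'"
}
```

Get-QuarantineMessage returns results in pages; on a busy shared mailbox, use its -Page and -PageSize parameters rather than assuming the first call returned everything.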
For detailed syntax and parameter information, see the following topics:
Get-QuarantineMessage
Get-QuarantineMessageHeader
Preview-QuarantineMessage
Release-QuarantineMessage
Use quarantine notifications to release
and report quarantined messages
Article • 12/10/2022 • 3 minutes to read
Quarantine policies define what users are allowed to do to quarantined messages based
on why the message was quarantined (for supported features). For more information,
see Quarantine policies. Quarantine policies also control whether the affected recipients
(including shared mailboxes) get periodic quarantine notifications about their
quarantined messages. Quarantine notifications are the replacement for end-user spam
notifications for all supported protection features (not just anti-spam policy verdicts).
Quarantine notifications are not turned on in the built-in quarantine policies named
AdminOnlyAccessPolicy or DefaultFullAccessPolicy. Quarantine notifications are turned
on in the built-in quarantine policy named NotificationEnabledPolicy if your
organization has it. Otherwise, to turn on quarantine notifications in quarantine policies,
you need to create and configure a new quarantine policy.
Admins can also use the global settings in quarantine policies to customize the sender's
display name, disclaimer text in different languages, and the company logo that's used
in quarantine notifications. For instructions, see Configure global quarantine notification
settings.
For shared mailboxes, quarantine notifications are supported only for users who are
granted FullAccess permission to the shared mailbox. For more information, see Use the
EAC to edit shared mailbox delegation.
Note
Quarantine notifications for messages sent to Microsoft 365 Groups are sent to all
group members only if the Send copies of group conversations and events to
group members setting is turned on.
When you receive a quarantine notification, the following information is always available
for each quarantined message:
Sender: The sender name and email address of the quarantined message.
Subject: The subject line text of the quarantined message.
Date: The date and time (in UTC) that the message was quarantined.
The actions that are available in the quarantine notification depend on why the message
was quarantined, and the permissions that are assigned by the associated quarantine
policy. For more information, see Quarantine policy permission details.
By default, the following actions are available in the quarantine notification for
messages that were quarantined as spam, high confidence spam, or bulk:
Block Sender: Click this link to add the sender to the Blocked Senders list on your
mailbox. For more information, see Block a mail sender .
Release: You can release the message here without going to Quarantine in the
Microsoft 365 Defender portal.
Review: Click this link to go to Quarantine in the Microsoft 365 Defender portal,
where you can (depending on why the message was quarantined) view, release,
delete or report your quarantined messages. For more information, see Find and
release quarantined messages as a user in EOP.
Note
A blocked sender can still send you mail. Any messages from this sender that make
it to your mailbox are immediately moved to the Junk Email folder. Future
messages from this sender will go to your Junk Email folder or to quarantine. If you
would like to delete these messages on arrival instead of quarantining them, use
mail flow rules (also known as transport rules) to delete the messages on arrival.
Quarantined messages FAQ
This topic provides frequently asked questions and answers about quarantined email
messages for Microsoft 365 organizations with mailboxes in Exchange Online, or
standalone Exchange Online Protection (EOP) organizations without Exchange Online
mailboxes.
For questions and answers about anti-spam protection, see Anti-spam protection FAQ.
For questions and answers about anti-malware protection, see Anti-malware protection
FAQ.
For questions and answers about anti-spoofing protection, see Anti-spoofing protection
FAQ.
But, admins can create and apply quarantine policies to anti-malware policies that define
more capabilities for users. For more information, see Quarantine policies.
By default, users can access the following types of quarantined messages where they're
a recipient:
Anti-spam policies: Spam, bulk email, and phishing messages (not high confidence
phishing messages).
Anti-phishing policies: Spoofed senders, user impersonation protection (Defender
for Office 365), domain impersonation protection (Defender for Office 365), and
mailbox intelligence protection (Defender for Office 365).
For more information, see Find and release quarantined messages as a user.
By default, end users can't access the following types of quarantined messages where
they are a recipient:
For more information, see Manage quarantined messages and files as an admin.
For example, copy the following PowerShell code into NotePad and save the file as .ps1
in a location that's easy for you to find (for example, C:\Data\QuarantineRelease.ps1).
Then, after you connect to Exchange Online PowerShell or Exchange Online Protection
PowerShell, run the following command to run the script:
PowerShell
& C:\Data\QuarantineRelease.ps1
Find unreleased messages that were quarantined as spam from all senders in the
fabrikam domain. The maximum number of results is 50,000 (50 pages of 1000
results).
Save the results to a CSV file.
Release the matching quarantined messages to all original recipients.
PowerShell
$Page = 1
$List = $null
Do {
    Write-Host "Getting page $Page of unreleased spam from fabrikam.com senders"
    $PageResult = Get-QuarantineMessage -Domain fabrikam.com -QuarantineTypes Spam -ReleaseStatus NotReleased -PageSize 1000 -Page $Page
    $List += @($PageResult | Where-Object { $_.SenderAddress -like '*@fabrikam.com' })
    $Page = $Page + 1
} Until (-not $PageResult -or $Page -gt 50)
Write-Host "Exporting list to appended CSV for logging"
$List | Export-Csv -Path "C:\Data\QuarantineRelease.csv" -Append -NoTypeInformation
Write-Host "Releasing $($List.Count) messages to all original recipients"
$List | Release-QuarantineMessage -ReleaseToAll
Are you getting an error message when you try to send email to a recipient whose
email address is in Microsoft 365 (for example, 5.7.511 Access denied)? If you think
you shouldn't be receiving the error message, you can use the delist portal to remove
yourself from the blocked senders list.
You will know you have been added to the list when you receive a response to a mail
message that includes an error that looks something like this:
550 5.7.606-649 Access denied, banned sending IP [IP address] (ex. 5.7.511 Access
denied): To request removal from this list please visit https://sender.office.com/
and follow the directions. For more information see Email non-delivery reports in
Exchange Online.
where IP address is the IP address of the computer on which the mail server runs.
2. Follow the instructions on the page. Ensure that you use the email address to
which the error message was sent, and the IP address that is specified in the error
message. You can only enter one email address and one IP address per visit.
3. Click Submit.
The portal sends an email to the email address that you supply. The email will look
something like the following:
4. Click the confirmation link in the email sent to you by the delisting portal.
After the IP address is removed from the blocked senders list, email messages from
that IP address will be delivered to recipients who use Microsoft 365. So, make sure
you're confident that email sent from that IP address won't be abusive or
malicious; otherwise, the IP address might be blocked again.
Note
It can take up to 24 hours for the restrictions to be removed, and results can vary
widely.
See Create safe sender lists in EOP and Outbound spam protection in EOP to prevent an
IP from being blocked.
In the email to request removal from this list, provide the full NDR code and IP address.
Microsoft will contact you within 48 hours with the next steps.
More information
The delisting form for Outlook.com, the consumer service can be found here . Be sure
to read the FAQ first for submission direction.
Welcome to the Microsoft Defender for
Office 365 step-by-step guides
Article • 09/29/2022 • 2 minutes to read
Microsoft Defender for Office 365 is a powerful product with a lot of capabilities. Along
with that comes a lot of documentation and detail. But sometimes you have to get a
task completed quickly. That's when you need a step-by-step guide.
These step-by-step guides help administrators configure and use Microsoft Defender for
Office 365 by leaving out distracting information, such as how a feature works internally
and other details not directly linked to completing a process. The guides focus on the
specific steps and clicks needed to get a task done, reducing the time admins need to
test a feature and secure an organization.
If you learn Microsoft products best by doing, the step-by-step guides will jumpstart
configuration and testing. They are as useful for set up in a trial subscription as they are
in production.
Important
Beyond links to the documentation, the step-by-step guides don't concern themselves
with product details (the docs around Microsoft Defender for Office 365 are thorough
for when you need them).
Instead, these guides are streamlined for learning by doing, testing, and running
experiments. They're ideal for trial subscriptions, and will allow admins and security
operators to deploy the same logic in production.
Examples
If you've just got Microsoft Defender for Office 365, and you want to get protected
as quickly as possible use Preset security policies.
Documentation in this format can be found under the step-by-step section in Office 365
Security. Visit the docs by using aka.ms/step-by-step .
If there's a topic, task or config you'd like to see in this format, please let us know by
leaving feedback. Thank you!
Getting the best security value from
Microsoft Defender for Office 365 when
you have third party email filtering
Article • 12/21/2022 • 5 minutes to read
You're licensed for Microsoft Defender for Office 365 and host your mailboxes in
Office 365
You're also using a third party for your email security
The information below will detail how to get the most out of your investment, broken
down into easy to follow steps.
Protection features
Built-in protection offers a base level of unobtrusive protection, and includes
malware, zero day (Safe Attachments), and URL protection (Safe Links) in email
(including internal email), SharePoint Online, OneDrive, and Teams. Note that URL
protection provided in this state is via API call only. It doesn't wrap or rewrite URLs
but does require a supported Outlook client. You can create your own custom
policies to expand your protection.
Read more & watch an overview video of Safe Links here : Complete Safe Links
overview
Read more about Safe Attachments here : Safe Attachments
Read more, watch an overview video and get started here : Incident response with
Microsoft 365 Defender
Threat Analytics is our in-product detailed threat intelligence solution from expert
Microsoft security researchers, detailed reports designed to get you up to speed
on the latest threat groups, attack techniques, how to protect your organization
with Indicators of Compromise (IOC) and much more.
Read more, watch an overview video and get started here : Threat analytics in
Microsoft 365 Defender
Explorer can be used to hunt threats, visualize mail flow patterns, spot trends, and
identify the impact of changes you make during tuning Defender for Office 365.
You can also quickly delete messages from your organization with a few simple
clicks.
Read more, and get started here: Threat Explorer and Real-time detections
Protection features
Consider enabling policies beyond the built-in protection: time-of-click protection
(Safe Links) or impersonation protection, for example, to add extra layers or fill
gaps in your third-party protection. Be aware that if you have a mail flow (transport)
rule or connection filter entry that overrides verdicts (typically a rule that sets the
spam confidence level to -1, known as SCL -1), you'll need to address this before
turning on other protection features, because the override bypasses the new verdicts
as well.
Read more here: Use Trusted ARC senders for legitimate devices and services between
the sender and receiver
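A check for the overrides mentioned in the first item, as an added example (not the article's own code): it lists mail flow rules that set SCL -1, connection filter IP allow list entries, allowed senders and domains in anti-spam policies, and the configured trusted ARC sealers, so each can be confirmed as intentional before more protection is switched on. It assumes an Exchange Online PowerShell session with a role that can read these policies.

```powershell
# Added example, not from the article. Requires Connect-ExchangeOnline.
function Get-VerdictOverride {
    $findings = @()

    # 1. Mail flow (transport) rules that stamp SCL -1, i.e. skip spam filtering entirely.
    Get-TransportRule -ResultSize Unlimited |
        Where-Object { $_.State -eq 'Enabled' -and $_.SetSCL -eq -1 } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Source = 'TransportRule'; Name = $_.Name
                Detail = "SetSCL=-1; $($_.Description)"
            }
        }

    # 2. Connection filter IP Allow List: mail from these IPs bypasses spam filtering.
    Get-HostedConnectionFilterPolicy | ForEach-Object {
        foreach ($ip in $_.IPAllowList) {
            $findings += [pscustomobject]@{ Source = 'ConnectionFilter'; Name = $_.Name; Detail = "IPAllowList: $ip" }
        }
    }

    # 3. Allowed senders/domains in anti-spam policies also skip most verdicts.
    Get-HostedContentFilterPolicy | ForEach-Object {
        $allowed = @($_.AllowedSenders) + @($_.AllowedSenderDomains) | Where-Object { $_ }
        foreach ($entry in $allowed) {
            $findings += [pscustomobject]@{ Source = 'AntiSpamPolicy'; Name = $_.Name; Detail = "Allowed: $entry" }
        }
    }

    # 4. Trusted ARC sealers are the supported way to keep authentication results from a
    #    third-party filter in front of EOP; list them so they can be confirmed.
    $arc = Get-ArcConfig -ErrorAction SilentlyContinue
    $sealers = @($arc.ArcTrustedSealers) -join ',' -split ',' | Where-Object { $_.Trim() }
    foreach ($sealer in $sealers) {
        $findings += [pscustomobject]@{ Source = 'ArcTrustedSealer'; Name = 'Default'; Detail = $sealer.Trim() }
    }

    return $findings
}

$overrides = Get-VerdictOverride
if ($overrides) {
    $overrides | Format-Table Source, Name, Detail -AutoSize
} else {
    'No SCL -1 rules, IP allow list entries, allowed senders, or ARC sealers found.'
}
```

Anything that shows up under TransportRule or ConnectionFilter is the "SCL -1" situation the text warns about; remove or narrow it (or replace it with a trusted ARC sealer where the third-party filter supports ARC) before enabling the additional policies.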
Priority account protection will offer enhanced visibility for accounts in tooling,
along with additional protection when in an advanced defense in-depth
configuration state.
You can configure user reported message settings to allow users to report good or
bad messages to Microsoft, to a designated reporting mailbox (to integrate with
current security workflows) or both. Admins can use the User reported tab on the
Submissions page to triage false positives and false negative user reported
messages.
Read more here: Deploy and configure the report message add-in to users
Education features
Attack simulation training allows you to run realistic but benign cyber-attack
scenarios in your organization. If you don't already have phishing simulation
capabilities from your primary email security provider, Microsoft's simulated
attacks can help you identify and find vulnerable users, policies, and practices. This
is important knowledge to have and correct before a real attack impacts your
organization. Post simulation we assign in product or custom training to educate
users about the threats they missed, ultimately reducing your organization's risk
profile. With Attack simulation training we deliver messages directly into the inbox,
so the user experience is rich. This also means no security changes such as
overrides needed to get simulations delivered correctly.
Jump right into delivering a simulation here: How to setup automated attacks and
training within Attack simulation training
Read More: Security Operations Guide for Defender for Office 365
The Migration guide contains lots of useful guidance on preparing and tuning your
environment to ready it for a migration. But many of the steps are also applicable
to a dual-use scenario. Simply ignore the MX switch guidance in the final steps.
Read it here: Migrate from a third-party protection service to Microsoft Defender for
Office 365 - Office 365 | Microsoft Docs
More information
Migrate from a third-party protection service to Microsoft Defender for Office 365
Get more out of Microsoft Defender for Office 365 with Microsoft 365 Defender
How to configure quarantine
permissions and policies
Article • 12/22/2022 • 2 minutes to read
Giving security admins and users a simple way to manage false positives in quarantine
is vital, given the demand for a more aggressive security posture that comes with
hybrid work. The prescriptive approach below lets admins and users achieve this.
Tip
For a short video aimed at admins trying to set quarantine permissions and
policies, see this link. If you're an end user, see this 1-minute overview of the
process.
1. Decide which verdict categories (bulk, spam, phish, high confidence phish, or
malware) of items you want your users to triage, and which you don't.
2. For the categories you don't want users to triage, assign the items to
AdminOnlyAccessPolicy. For the categories you want users to triage with limited
access, create a custom quarantine policy that grants request-release (rather than
release) permission, and assign that category to it.
3. It's strongly recommended that malware and high confidence phish items be
assigned to AdminOnlyAccessPolicy, that regular phish items be assigned limited
access with request release, and that bulk and spam be left as full access for users.
Important
For more information on how granular custom policies can be created, see
Quarantine policies - Office 365 | Microsoft Docs.
1. Identify the users, groups, or domains that you would like to include in the full
access category vs. the limited access category, versus the Admin-Only category.
2. Sign in to the Microsoft Security portal .
3. Select Email & collaboration > Policies & rules.
4. Select Threat policies.
5. Select each of the following: Anti-spam policies, Anti-phishing policy, Anti-
Malware policy.
6. Select Create policy and choose Inbound.
7. Add policy Name, users, groups, or domains to apply the policy to, and Next.
8. In the Actions tab, select Quarantine message for categories. You will notice an
additional panel for select quarantine policy, use that dropdown to select the
quarantine policy you created earlier.
9. Move on to the Review section and click the Confirm button to create the new
policy.
10. Repeat these same steps for the other policies: Anti-phishing policy, Anti-Malware
policy, and Safe Attachment policy.
Tip
For more detailed information on what you've learned so far, see Configure spam
filter policies - Office 365 | Microsoft Docs | Configure anti-phishing policies in
EOP - Office 365 | Microsoft Docs | Configure anti-malware policies - Office 365 |
Microsoft Docs| Set up Safe Attachments policies in Microsoft Defender for
Office 365 - Office 365 | Microsoft Docs
Next Steps
Use Global policy available in quarantine policy to enable your organization
branding logo, display name, and disclaimer.
Also set the User frequency to 1 day for the quarantine notification.
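The mapping in steps 1 to 3 above, the quarantine notification setup described in the earlier notifications article (notifications are off in AdminOnlyAccessPolicy and DefaultFullAccessPolicy, so a custom policy is needed), and the Next Steps settings, as one added Exchange Online PowerShell example. This is not the article's own code. The policy name LimitedAccessWithNotifications is an assumption; the cmdlets are applied to the default and custom policies only, because policies that belong to the preset security policies are managed by Microsoft; the impersonation quarantine tags require Defender for Office 365; and the permission bit values are the documented ones for EndUserQuarantinePermissionsValue.

```powershell
# Added example, not from the article. Requires Connect-ExchangeOnline.
# End-user permission bits as documented for EndUserQuarantinePermissionsValue:
# PermissionToBlockSender=16, PermissionToRequestRelease=8, PermissionToRelease=4,
# PermissionToPreview=2, PermissionToDelete=1.
$BlockSender = 16; $RequestRelease = 8; $Release = 4; $Preview = 2; $Delete = 1
$LimitedAccess = $BlockSender + $RequestRelease + $Preview + $Delete   # 27: user can ask, admin decides
$FullAccess    = $BlockSender + $Release + $Preview + $Delete          # 23: user releases directly

# 1. Custom limited-access policy with quarantine notifications (ESN) turned on.
$Limited = 'LimitedAccessWithNotifications'   # assumed name
if (-not (Get-QuarantinePolicy -Identity $Limited -ErrorAction SilentlyContinue)) {
    New-QuarantinePolicy -Name $Limited -EndUserQuarantinePermissionsValue $LimitedAccess -ESNEnabled $true | Out-Null
}

# 2. Anti-spam verdicts in the default policy: admin-only for high confidence phish,
#    limited access for phish, full access (with notifications) for spam and bulk.
#    DefaultFullAccessPolicy sends no notifications; use $FullAccess in a custom
#    policy with -ESNEnabled $true if spam/bulk notifications are wanted too.
Set-HostedContentFilterPolicy -Identity Default `
    -HighConfidencePhishQuarantineTag AdminOnlyAccessPolicy `
    -PhishQuarantineTag $Limited `
    -SpamQuarantineTag DefaultFullAccessPolicy `
    -HighConfidenceSpamQuarantineTag DefaultFullAccessPolicy `
    -BulkQuarantineTag DefaultFullAccessPolicy

# 3. Malware, from both anti-malware and Safe Attachments, is admin-only.
Set-MalwareFilterPolicy -Identity Default -QuarantineTag AdminOnlyAccessPolicy
Get-SafeAttachmentPolicy |
    Where-Object { $_.Name -notmatch 'Preset Security Policy|Built-In Protection' } |
    ForEach-Object { Set-SafeAttachmentPolicy -Identity $_.Identity -QuarantineTag AdminOnlyAccessPolicy }

# 4. Anti-phishing verdicts (spoof and impersonation) go to limited access.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -SpoofQuarantineTag $Limited -TargetedUserQuarantineTag $Limited `
    -TargetedDomainQuarantineTag $Limited -MailboxIntelligenceQuarantineTag $Limited

# 5. Global notification settings: daily notifications and organization branding.
Set-QuarantinePolicy -Identity DefaultGlobalTag `
    -EndUserSpamNotificationFrequency 1.00:00:00 -OrganizationBrandingEnabled $true

# Verify the resulting mapping.
Get-HostedContentFilterPolicy -Identity Default | Format-List *QuarantineTag
Get-QuarantinePolicy -Identity $Limited | Format-List Name, EndUserQuarantinePermissionsValue, ESNEnabled
```

The same quarantine tag parameters exist on custom anti-spam, anti-phishing, anti-malware and Safe Attachments policies, so the assignments can be repeated for each policy created in the portal steps above.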
More information
Learn more about organization branding and notification settings here Quarantine
policies - Office 365 | Microsoft Docs
Set up steps for the Standard or Strict
preset security policies in Microsoft
Defender for Office 365
Article • 09/29/2022 • 3 minutes to read
Did you know that Microsoft Defender for Office 365 gives you a way to apply security
policies that it then maintains for you?
Did you know that when a best practice for a security control changes due to the
evolving threat landscape, or as new controls are added, Microsoft automatically
updates security control settings for users assigned to a Standard or Strict preset
security policy?
By using preset security policies (Standard or Strict), you will always have Microsoft's
recommended, best practice, configuration for your users.
Use the steps below to apply preset security policies and have Microsoft Defender for
Office 365 manage and maintain security controls for you.
Collect the list of your users that require more aggressive detections even if it
means more good mail will get flagged as suspicious. These are typically your
executive staff, executive support staff, and historically highly targeted users.
Ensure that the selected users have admin coverage to review and release emails if
the end user thinks that the mail might be good and requests that the message be
released to them.
If the criteria above are met, then the user should be placed in the Strict preset
security policy. Otherwise the user should be placed in the Standard preset security
policy.
Tip
For information on what Standard and Strict security polices are, see this article.
1. Identify the users, groups, or domains you would like to include in Standard and
Strict security presets.
2. Login to the Microsoft Security portal at https://security.microsoft.com .
3. On the left nav, under Email & collaboration, select Policies & rules.
4. Select Threat policies.
5. Select Preset Security Policies underneath the Templated policies heading
6. Select Manage underneath the Standard protection preset.
7. Select All Recipients to apply Exchange Online Protection tenant wide, or select
Specific recipients to manually add the users, groups, or domains you want to
apply the protection policy to. Click the Next button.
8. Select All Recipients to apply Defender for Office 365 protection tenant wide, or
select Specific recipients to manually add the users, groups, or domains you want
to apply the protection policy to. Click the Next button.
9. On the Impersonation Protection section, add email addresses & domains to
protect from impersonation attacks, then add any trusted senders and domains
you do not want the impersonation protection to apply to, then press Next.
10. Click on the Confirm button.
11. Select the Manage link in the Strict protection preset.
12. Repeat steps 7-10 again, but for the users strict protection should be applied to. (if
applicable)
13. Click on the Confirm button.
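The same assignment done from Exchange Online PowerShell, as an added example (not the article's own code). It assumes both presets have been turned on at least once in the portal so that the Standard and Strict rules already exist, that impersonation settings in the preset anti-phishing policies can be set with Set-AntiPhishPolicy (the other settings of preset policies are managed by Microsoft and cannot be changed), and that the users, group and domains are placeholders.

```powershell
# Added example, not from the article. Requires Connect-ExchangeOnline.
# Strict: executives, their support staff, and other highly targeted users.
$StrictUsers = @('megan@contoso.com', 'alex@contoso.com')      # placeholders
$StrictGroup = 'ExecutiveAssistants@contoso.com'               # placeholder

# The EOP part (anti-spam, anti-malware, anti-phishing) and the Defender part
# (Safe Links, Safe Attachments) are separate rules with the same scoping parameters.
foreach ($cmdlet in 'Set-EOPProtectionPolicyRule', 'Set-ATPProtectionPolicyRule') {
    & $cmdlet -Identity 'Strict Preset Security Policy' -SentTo $StrictUsers -SentToMemberOf $StrictGroup
    # Standard: everyone else in the domain. Strict already wins on priority, but an
    # explicit exception keeps the scoping readable in reports.
    & $cmdlet -Identity 'Standard Preset Security Policy' -RecipientDomainIs 'contoso.com' `
        -ExceptIfSentTo $StrictUsers -ExceptIfSentToMemberOf $StrictGroup
}
foreach ($preset in 'Strict', 'Standard') {
    Enable-EOPProtectionPolicyRule -Identity "$preset Preset Security Policy"
    Enable-ATPProtectionPolicyRule -Identity "$preset Preset Security Policy"
}

# Impersonation protection (step 9) lives in each preset's anti-phishing policy, whose
# name carries a generated suffix, so look it up from the EOP rule.
foreach ($preset in 'Standard', 'Strict') {
    $rule = Get-EOPProtectionPolicyRule -Identity "$preset Preset Security Policy"
    Set-AntiPhishPolicy -Identity $rule.AntiPhishPolicy `
        -EnableTargetedUserProtection $true `
        -TargetedUsersToProtect @('Megan Bowen;megan@contoso.com', 'Alex Wilber;alex@contoso.com') `
        -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect 'contoso.com' `
        -ExcludedSenders 'newsletter@partner.example' -ExcludedDomains 'partner.example'
}

# Check: who is covered by which preset, and whether each rule is enabled.
Get-EOPProtectionPolicyRule | Format-Table Name, State, Priority, SentTo, SentToMemberOf, RecipientDomainIs, ExceptIfSentTo -AutoSize
Get-ATPProtectionPolicyRule | Format-Table Name, State, Priority, SentTo, SentToMemberOf, RecipientDomainIs, ExceptIfSentTo -AutoSize
```

Users who are listed under Strict also need admin coverage to review release requests, since the Strict preset quarantines more aggressively; the quarantine section above describes how to arrange that.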
Tip
Configuration analyzer allows admins to find and fix security policies where the
settings are below the Standard or Strict protection profile settings in preset
security policies. Find out more about Configuration analyzer here.
Preset security policies are always recommended because they ensure admins are
applying Microsoft best practices. However, in some cases customized configurations are
required. Learn about custom policies here.
Reduce the attack surface for Microsoft
Teams
Article • 01/19/2023 • 5 minutes to read
Microsoft Teams is a widely used collaboration tool, where many users are now
spending their time. Attackers know this and are pivoting. Below are a set of steps you
can perform to reduce the attack surface in Teams and help keep your organization
more secure.
Important
There is a balance to strike between security and productivity, and not all these
steps may be relevant for your organizational risk profile.
Note
Not all these options will be available for government specific clouds such as
Microsoft 365 GCC.
Learn More (SafeLinks) & Learn More (Safe Attachments) (Detailed Documentation)
5. Press Save.
6. You'll need to change this setting for each policy (if you have multiple).
Learn more about teams access policies: Recommended Teams policies - Microsoft 365
for enterprise - Office 365 | Microsoft Docs
You can ingest your Microsoft Defender for Office 365 data (and data from the rest of
the Microsoft 365 Defender suite), including incidents, into Microsoft Sentinel.
Take advantage of rich security information events management (SIEM) combined with
data from other Microsoft 365 sources, synchronization of incidents and alerts, and
advanced hunting.
Next Steps
Admins will now be able to see incidents, alerts, and raw data in Microsoft Sentinel and
use this data for advanced hunting, pivoting on existing and new data from Microsoft
Defender.
More Information
Connect Microsoft 365 Defender data to Microsoft Sentinel | Microsoft Docs
Best practice for domain email security protection is to protect yourself from spoofing
using Domain-based Message Authentication, Reporting, and Conformance (DMARC). If
you haven't already enabled DMARC for your domains, that should be the first step,
detailed here: Domain-based Message Authentication, Reporting, and Conformance
(DMARC)
This guide is designed to help you configure DMARC for domains not covered by the
main DMARC article. These domains include domains that you're not using for email,
but could be leveraged by attackers if they remain unprotected:
Your onmicrosoft.com domain, also known as the Microsoft Online Email Routing
Address (MOERA) domain.
Parked custom domains that you're currently not using for email yet.
Next Steps
Wait until the DNS changes are propagated and try to spoof the configured domains.
Check if the attempt is blocked based in the DMARC record, and you receive a DMARC
report.
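A scripted version of the check in Next Steps, as an added example (not the article's own code): it evaluates the SPF and DMARC records of a domain that sends no mail (a parked custom domain) or of the MOERA domain, which Microsoft sends on behalf of. The target record values (v=spf1 -all for a parked domain, include:spf.protection.outlook.com for the MOERA domain, and DMARC p=reject with pct=100 and a rua address) are the usual recommendation and are not quoted from the page. Resolve-DnsName comes from the Windows DnsClient module; the sample records at the end are constructed for the offline demonstration.

```powershell
# Added example, not from the article. Target record values are assumptions, see lead-in.
function Test-NoMailDomainAuth {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$SpfTxt,      # TXT records found at the domain apex
        [string[]]$DmarcTxt,    # TXT records found at _dmarc.<domain>
        [switch]$SendsMail      # set for the MOERA (onmicrosoft.com) domain
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # SPF: exactly one record, hard fail, and nothing else for a parked domain.
    $spf = @($SpfTxt | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -ne 1) {
        $findings.Add("SPF: expected exactly one v=spf1 record, found $($spf.Count)")
    } else {
        $terms = @(($spf[0] -split '\s+') | Select-Object -Skip 1)
        if ($terms[-1] -ne '-all') { $findings.Add("SPF: does not end with -all ('$($spf[0])')") }
        if (-not $SendsMail -and $terms.Count -ne 1) { $findings.Add("SPF: parked domain should publish only 'v=spf1 -all'") }
        if ($SendsMail -and $terms -notcontains 'include:spf.protection.outlook.com') { $findings.Add('SPF: MOERA domain should include spf.protection.outlook.com') }
    }

    # DMARC: exactly one record, p=reject, full percentage, aggregate reports requested.
    $dmarc = @($DmarcTxt | Where-Object { $_ -match '^v=DMARC1(;|\s|$)' })
    if ($dmarc.Count -ne 1) {
        $findings.Add("DMARC: expected exactly one v=DMARC1 record, found $($dmarc.Count)")
    } else {
        $tags = @{}
        foreach ($kv in ($dmarc[0] -split ';')) {
            $k, $v = ($kv.Trim() -split '=', 2)
            if ($k) { $tags[$k.ToLower()] = $v }
        }
        if ($tags['p'] -ne 'reject') { $findings.Add("DMARC: p=$($tags['p']) (want reject)") }
        if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings.Add("DMARC: pct=$($tags['pct']) lets part of the spoofed mail through") }
        if (-not $tags['rua']) { $findings.Add('DMARC: no rua= address, so no aggregate reports will arrive') }
    }

    [pscustomobject]@{ Domain = $Domain; Pass = ($findings.Count -eq 0); Findings = $findings }
}

# Live lookup once the DNS changes have propagated (needs network access).
function Test-NoMailDomainAuthLive ([string]$Domain, [switch]$SendsMail) {
    $spf   = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { -join $_.Strings })
    $dmarc = @(Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { -join $_.Strings })
    Test-NoMailDomainAuth -Domain $Domain -SpfTxt $spf -DmarcTxt $dmarc -SendsMail:$SendsMail
}

# Constructed sample records (offline demo): a parked domain still in monitoring mode,
# and one that is correctly locked down.
Test-NoMailDomainAuth -Domain 'parked.example' -SpfTxt 'v=spf1 ~all' `
    -DmarcTxt 'v=DMARC1; p=none; rua=mailto:dmarc@contoso.com' | Format-List
Test-NoMailDomainAuth -Domain 'locked.example' -SpfTxt 'v=spf1 -all' `
    -DmarcTxt 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@contoso.com' | Format-List
```

The first sample reports three findings (soft fail instead of -all, p=none, and nothing else wrong), the second passes. Run Test-NoMailDomainAuthLive against each parked domain and your onmicrosoft.com domain after the records are published; a spoofed test message against a passing domain should then be rejected by any DMARC-enforcing receiver and show up in the aggregate report.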
More Information
Set up SPF to help prevent spoofing - Office 365 | Microsoft Docs
Use DMARC to validate email, setup steps - Office 365 | Microsoft Docs
Deploy and configure the report
message add-in to users
Article • 12/06/2022 • 2 minutes to read
The Report message and report phishing add-in for Outlook makes it easy to report
phishing to Microsoft and its affiliates for analysis, along with easy triage for admins in
the submissions portal .
Depending on whether you are licensed for Defender for Office 365, you'll also get
added functionality such as alerting & automated investigation and response (AIR),
which will remove the burden from your security operations staff. This guide will walk
you through configuring the add-in deployment as recommended by the Microsoft
Defender for Office 365 team.
Further reading
Learn more about user reported message settings User reported message settings -
Office 365 | Microsoft Docs
Enable the report message or report phishing add-in Enable the Microsoft Report
Message or Report Phishing add-ins - Office 365 | Microsoft Docs
Use Microsoft Defender for Office 365
with SharePoint Online
Article • 12/06/2022 • 2 minutes to read
Microsoft SharePoint Online is a widely used user collaboration and file storage tool.
The following steps help reduce the attack surface in SharePoint Online and help
keep this collaboration tool in your organization secure. However, it's important to
note there is a balance to strike between security and productivity, and not all these
steps may be relevant for your organizational risk profile. Take a look, test, and maintain
that balance.
To learn more, read Step 1: Use the Microsoft 365 Defender portal to turn on Safe
Attachments for SharePoint, OneDrive, and Microsoft Teams.
To learn more, read Step 2: (Recommended) Use SharePoint Online PowerShell to prevent
users from downloading malicious files.
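Both steps as one added PowerShell example (not the article's own code): step 1 is the tenant-wide Safe Attachments switch for SharePoint, OneDrive and Teams, step 2 is the SharePoint Online tenant setting that stops users downloading files the scan has flagged. It assumes an Exchange Online PowerShell session and a SharePoint Online Management Shell session; the admin URL is a placeholder.

```powershell
# Added example, not from the article.
# Connect-ExchangeOnline
# Connect-SPOService -Url https://contoso-admin.sharepoint.com   # placeholder tenant
function Get-SpoMalwareSettings {
    [pscustomobject]@{
        SafeAttachmentsForSpoTeamsOdb = (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
        DisallowInfectedFileDownload  = (Get-SPOTenant).DisallowInfectedFileDownload
    }
}

Write-Host 'Before:'; Get-SpoMalwareSettings | Format-List

# Step 1: scan files at rest in SharePoint, OneDrive and Teams with Safe Attachments.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Step 2: a detected file stays listed but cannot be downloaded. The default ($false)
# blocks opening the file in the browser but still allows a download.
Set-SPOTenant -DisallowInfectedFileDownload $true

Write-Host 'After:'; Get-SpoMalwareSettings | Format-List

# Later: files that Safe Attachments detected are visible in quarantine as SPOMalware.
Get-QuarantineMessage -QuarantineTypes SPOMalware
```

Both settings are tenant-wide; there is no per-site equivalent, so test the download block against a site with a harmless test file before rolling it out broadly.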
Further reading
Policy recommendations for securing SharePoint sites and files
Track and respond to emerging threats
with campaigns in Microsoft Defender
for Office 365
Article • 11/10/2022 • 3 minutes to read
Campaigns can be used to track and respond to emerging threats because campaigns
allow you to investigate a coordinated email attack against your organization. As new
threats target your organization, Microsoft Defender for Office 365 will automatically
detect and correlate malicious messages.
A campaign might be short-lived, or could span several days, weeks, or months with
active and inactive periods. A campaign might be launched against your specific
organization, or your organization might be part of a larger campaign across multiple
companies.
Tip
To learn more about the data available within a campaign, read Campaign Views in
Microsoft Defender for Office 365.
Attack origin: Top sending IP addresses and domains with a count of messages
that were delivered to inboxes in your organization. This allows you to investigate
who is targeting your organization.
Email template and payload: The subject line of the emails that were part of the
campaign and URLs (and their frequency) present as part of the campaign.
Recommendations: Recommendations for next steps to remediate messages.
Next steps
To learn more, read, Campaign Views in Microsoft Defender for Office 365.
Set up a digest notification of changes
to Microsoft Defender for Office 365
using the message center
Article • 09/29/2022 • 2 minutes to read
Would it be convenient if, every week, a digest email of Microsoft Defender for Office
365 changes from the Microsoft message center landed in your inbox?
The message center is where admins learn about official service announcements and
feature changes, via visiting the site (desktop or mobile app), consulting Microsoft
Planner, or by email.
Follow the steps below to make that helpful digest email happen.
You're done.
Watch: Track your message center tasks in
Planner
Video
Learn More
Track new and changed features in the Microsoft 365 Message center
When alerts are triggered in Microsoft 365 Defender, automated investigation and
response (AIR) starts an investigation that hunts across the organization's subscription,
determines the impact and scope of the threat, and collates the information into a
single incident so that admins don't have to manage multiple incidents.
When the Incident page loads you can filter and prioritize by clicking columns to sort
the actions or press Filters to apply a filter such as data source, tags or state.
Now you have a prioritized list of incidents, from which you can select to rename, assign,
classify, tag, change the status or add comments via the Manage incidents button.
Use the filters to make sure Microsoft Defender for Office 365 items are included.
If you are looking for specific alerts, either use the incident search capability (Search for
name or ID) or consider using the alert queue filtering on a specific alert.
The Evidence and Response tab shows items identified as related to the original alert via
the investigation.
Any items showing as Pending Action within Evidence and Response are awaiting
approval from an administrator. Sorting by the remediation status column in the All
Evidence view is recommended, followed by clicking the entity or cluster to load the
flyout menu where you can then approve the actions if appropriate.
If you need to understand the items involved further, you can use the incident graph to
see the visual linkage of the evidence and entities involved. Alternatively, you can review
the underlying investigations, which will show more of the entities and items involved in
the security event.
Next Steps
You can start using Action Center to act on pending action items from all incidents in
your organization if you want to focus on the action items AIR needs approval for.
More Information
Manage incidents in Microsoft 365 Defender | Microsoft Docs
How automated investigation and response works in Microsoft Defender for Office 365
Attack simulation training allows you to run realistic but benign cyber attack scenarios in
your organization. Simulated attacks can help you identify and find vulnerable users,
policies and practices before a real attack impacts your organization, leveraging inbuilt
or custom training to reduce risk and better educate end users about threats.
You can either let Microsoft assign training courses by selecting Assign
training for me or you can choose specific modules with Select training
courses and modules myself
Select a Due Date (30, 15, or 7 days) from the drop-down menu.
Click Next to continue.
10. Customize the landing page displayed when a user is phished if appropriate, or
otherwise leave the Microsoft Default.
a. Under Payload indicators, check the box to add payload indicators to email.
Adding payloads will help users to learn how to identify the phishing email.
Select Open preview panel to view the message.
b. Click Next to continue.
11. Choose if you'd like end user notifications, and if so, select the delivery preferences
and customize where needed.
a. Notice that you can also select default language for the notification under the
Select default language drop-down menu.
12. Select when to launch the simulation, and how long it should be valid for. You can
also enable region aware time zone delivery. This option will deliver simulated
attack messages to your employees during their working hours based on their
region. Select Next.
13. Send a test if you're ready. Review the summary of choices. Click Submit.
Further reading
To learn how Attack Simulation works see Simulate a phishing attack with Attack
simulation training - Office 365 | Microsoft Docs
How to setup automated attacks and
training within Attack simulation
training
Article • 09/29/2022 • 2 minutes to read
Attack simulation training lets you run benign attack simulations on your organization
to assess your phishing risk and teach your users how to better avoid phish attacks. By
following this guide, you will configure automated flows with specific techniques and
payloads that run when the specified conditions are met, launching simulations against
your organization.
Learn More
Full guidance can be found at Simulation automations for Attack simulation training -
Office 365 | Microsoft Docs.
Optimize and correct security policies
with configuration analyzer
Article • 09/29/2022 • 2 minutes to read
Configuration analyzer is a central location and single pane of glass for administering
and viewing the email security policies you have configured in your tenant. You can
perform a side-to-side comparison of your settings to our Standard and Strict
recommended settings, apply recommendations and view historical changes that
affected your posture.
The page which loads will show you the modifications to your security policies in the
timeframe selected by the filters, along with data about the change and if it increased or
decreased your overall posture.
To learn more details about Configuration Analyzer, see Configuration analyzer for
security policies - Office 365 | Microsoft Docs.
Protect your c-suite with priority
account protection
Article • 12/02/2022 • 2 minutes to read
Priority account protection helps IT and security teams ensure a high quality of service
and protection for the critical people within your organization. Tagging an account as a
priority account will enable the additional protection tuned for the mail flow patterns
targeting company executives, along with extra visibility in reports, alerts, and
investigations.
To learn what priority account tags are see Manage and monitor priority accounts -
Microsoft 365 admin | Microsoft Docs.
Next Steps
Review the differentiated protection for users tagged as priority accounts.
PowerShell configuration
If you want to achieve these steps via PowerShell, you can do this using the following
cmdlets:
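An added example of doing this from Exchange Online PowerShell (not the article's own code; the article's cmdlet list is not present on this page). It assumes Set-User -VIP for tagging a priority account and Get-/Set-EmailTenantSettings for the tenant-level priority account protection switch, and that the addresses are placeholders. Priority account tagging is capped at a few hundred accounts per tenant, so keep the list to executives, their support staff and other highly targeted users.

```powershell
# Added example, not from the article. Cmdlet names are assumptions, see lead-in.
# Requires Connect-ExchangeOnline.
$PriorityUsers = @('ceo@contoso.com', 'cfo@contoso.com', 'ea-ceo@contoso.com')   # placeholders

# 1. Priority account protection is a tenant-level switch; make sure it is on.
if (-not (Get-EmailTenantSettings).EnablePriorityAccountProtection) {
    Set-EmailTenantSettings -EnablePriorityAccountProtection $true
    Write-Host 'Enabled priority account protection for the tenant'
}

# 2. Tag each account. Skipping already-tagged users keeps the script safe to re-run.
foreach ($upn in $PriorityUsers) {
    $user = Get-User -Identity $upn -ErrorAction Stop
    if ($user.VIP) { Write-Host "$upn is already a priority account"; continue }
    Set-User -Identity $upn -VIP $true
    Write-Host "$upn tagged as priority account"
}

# 3. Review everyone currently tagged (Set-User -VIP $false removes the tag).
function Get-PriorityAccount {
    Get-User -ResultSize Unlimited | Where-Object { $_.VIP } |
        Select-Object DisplayName, UserPrincipalName
}
Get-PriorityAccount | Format-Table -AutoSize
```

The tag is what drives the extra visibility in reports, alerts and investigations, and the Strict preset security policy is the natural place to put the same users.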
Email remediation is an already existing feature that helps admins act on emails that are
threats.
2. The side pane will open and ask for details like a name for the remediation,
severity, and description. Once the information is reviewed, press Submit.
3. As soon as the admin approves this action, they will see the Approval ID and a link
to the Microsoft 365 Defender Action Center here . This page is where actions
can be tracked.
a. Admin action alert - A system alert shows up in the alert queue with the name
'Administrative action submitted by an Administrator'. This indicates that an
admin took the action of remediating an entity. It gives details such as the name
of the admin who took the action, and the investigation link and time. This
makes admins aware of each important action, like remediation, taken on
entities.
b. Admin action investigation - Since the analysis on entities was already done by
the admin and that's what led to the action taken, no additional analysis is done
by the system. It shows details such as related alert, entity selected for
remediation, action taken, remediation status, entity count, and approver of the
action. This allows admins to keep track of the investigation and actions carried
out manually--an admin action investigation.
4. Action logs in unified action center - History and action logs for email actions like
soft delete and move to deleted items folder, are all available in a centralized view
under the unified Action Center > History tab.
5. Filters in unified action center - There are multiple filters such as remediation
name, approval ID, Investigation ID, status, action source, and action type. These
are useful for finding and tracking email actions in unified Action center.
Important
Performance
For better performance, remediation should be done in batches of 50,000 or fewer. Narrow down the search results by using the latest delivery location, and trigger email remediation only if the email is in a remediable folder such as Inbox, Junk, or Deleted.
Given the common scenarios, email remediation can be triggered in three different
ways.
1. Query based remediation: By selecting all the search results with a query (200,000
emails can be submitted at a maximum).
2. Handpicked remediation: Selecting emails one-by-one by clicking on the check
box (100 emails can be submitted at one time).
3. Query based remediation with exclusions: Selecting all emails, and then manually
removing a few messages (the query can hold a maximum of 1,000 emails and the
maximum number of exclusions is 100).
Next Steps
1. Go to the Microsoft 365 Defender portal and sign in.
2. In the navigation pane, select Action center.
3. Go to the History tab and select any entry in the waiting-approval list. A side pane opens.
4. Track the action status in the unified action center.
More information
Learn more about email remediation
Prioritize and manage Automated Investigations and Response (AIR)
Article • 12/09/2022 • 2 minutes to read
Automated Investigation and Response (AIR) saves your security operations team time
and effort.
When alerts are triggered, automated investigation will determine the scope of
impact of a threat in your organization and provide recommended remediation
actions.
Security teams can save time by leveraging AIR automation to reduce the need for
manual hunting.
These investigations can identify emails that haven't been cleaned up by Zero-hour Auto Purge (ZAP) or other remediation.
AIR investigations also identify mailbox configurations that may be risky or indicate
a compromised mailbox.
Investigation actions (and investigations) are accessible from several points in the Microsoft Security portal: via Incidents, via Alerts, or via the Action Center. Which entry point an admin uses depends on the workflow they are pursuing.
More Information
View the results of an automated investigation in Microsoft 365 - Office 365 | Microsoft
Docs
Learn about approving and rejecting pending actions from the Investigation page
How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365
Article • 12/22/2022 • 2 minutes to read
Microsoft Defender for Office 365 helps deal with malicious emails (False Negative) that
are delivered to recipients and that put your organizational productivity at risk.
Defender for Office 365 can help you understand why emails are getting delivered, how
to resolve the situation quickly, and how to prevent similar situations from happening in
the future.
Microsoft Defender for Office 365 helps deal with important legitimate business emails
that are mistakenly blocked as threats (False Positives). Defender for Office 365 can help
admins understand why legitimate emails are being blocked, how to resolve the
situation quickly, and prevent similar situations from happening in the future.
Before you make change(s) to your security configuration, such as policies or transport
rules, it's important to understand the impact of the change(s) so that you can plan and
ensure minimal disruption to your organization.
This step-by-step guide will take you through assessing a change, and exporting the
impacted emails for assessment. The procedure can be applied to many different
changes, by altering the criteria (filters) you use in explorer.
Further reading
Consider using secure presets: Ensuring you always have the optimal security controls with preset security policies
You can also manage email authentication issues with spoof intelligence: Spoof intelligence insight
Historically, allow lists have told Exchange Online Protection to ignore the signals
indicating an email is malicious. It is commonplace for vendors to request IPs, domains,
and sender addresses be overridden unnecessarily. Attackers have been known to take
advantage of this mistake and it is a pressing security loophole to have unnecessary
allow list entries. This step-by-step guide will walk you through using advanced hunting
to identify these misconfigured overrides and remove them, so you can increase your
organization's security posture.
Queries
Top override source
Use this query to find where the most unnecessary overrides are located. This query
looks for emails that have been overridden without any detection that needed an
override.
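The query itself is not reproduced on this page, so here is the same triage logic as an added Python example (not Microsoft's code), run over constructed records shaped like the EmailEvents advanced hunting table; the policy names, addresses and IPs in the sample are assumptions, not real tenant data.

```python
"""Rank the sources of unnecessary allow-list overrides.

Added example, not from the Microsoft article. A message counts as "overridden" when an
org-level or user-level policy allowed it; the override was unnecessary when Defender for
Office 365 recorded no threat verdict (ThreatTypes is empty), because nothing needed to be
overridden. Overrides that DID suppress a verdict are reported separately: those are the
entries an attacker benefits from and the first ones to review.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

EmailEvent = Dict[str, str]

# Constructed sample rows. Column names mirror EmailEvents; every value is made up.
SAMPLE_EMAIL_EVENTS: List[EmailEvent] = [
    {"NetworkMessageId": "msg-1", "SenderFromAddress": "billing@vendor.example",
     "SenderIPv4": "203.0.113.10", "ThreatTypes": "", "DetectionMethods": "",
     "OrgLevelAction": "Allow", "OrgLevelPolicy": "Tenant Allow/Block List (IP)",
     "UserLevelAction": "", "UserLevelPolicy": ""},
    {"NetworkMessageId": "msg-2", "SenderFromAddress": "news@vendor.example",
     "SenderIPv4": "203.0.113.10", "ThreatTypes": "", "DetectionMethods": "",
     "OrgLevelAction": "Allow", "OrgLevelPolicy": "Tenant Allow/Block List (IP)",
     "UserLevelAction": "", "UserLevelPolicy": ""},
    {"NetworkMessageId": "msg-3", "SenderFromAddress": "ceo@lookalike.example",
     "SenderIPv4": "198.51.100.7", "ThreatTypes": "Phish",
     "DetectionMethods": "Impersonation user",
     "OrgLevelAction": "Allow", "OrgLevelPolicy": "Mail flow rule (SCL -1)",
     "UserLevelAction": "", "UserLevelPolicy": ""},
    {"NetworkMessageId": "msg-4", "SenderFromAddress": "updates@partner.example",
     "SenderIPv4": "192.0.2.33", "ThreatTypes": "", "DetectionMethods": "",
     "OrgLevelAction": "", "OrgLevelPolicy": "",
     "UserLevelAction": "Allow", "UserLevelPolicy": "Safe Senders list"},
    {"NetworkMessageId": "msg-5", "SenderFromAddress": "promo@bulk.example",
     "SenderIPv4": "192.0.2.50", "ThreatTypes": "Spam", "DetectionMethods": "Spam",
     "OrgLevelAction": "", "OrgLevelPolicy": "",
     "UserLevelAction": "", "UserLevelPolicy": ""},
]


def _override_source(event: EmailEvent) -> Optional[str]:
    """Return the policy that allowed the message, or None if no override fired.
    Org-level overrides are attributed first because they affect every recipient."""
    if event.get("OrgLevelAction") == "Allow":
        return event.get("OrgLevelPolicy") or "Org-level override (unnamed)"
    if event.get("UserLevelAction") == "Allow":
        return event.get("UserLevelPolicy") or "User-level override (unnamed)"
    return None


def _had_detection(event: EmailEvent) -> bool:
    """True when Defender attached at least one threat verdict to the message."""
    return bool(event.get("ThreatTypes", "").strip())


def unnecessary_overrides(events: List[EmailEvent]) -> List[EmailEvent]:
    """Messages allowed by an override although no detection needed overriding."""
    return [e for e in events if _override_source(e) and not _had_detection(e)]


def masked_detections(events: List[EmailEvent]) -> List[EmailEvent]:
    """Messages where an override suppressed a real verdict: review these first."""
    return [e for e in events if _override_source(e) and _had_detection(e)]


def top_override_sources(events: List[EmailEvent]) -> List[Tuple[str, int]]:
    """Count unnecessary overrides per policy source, most frequent first."""
    counts = Counter(_override_source(e) for e in unnecessary_overrides(events))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for source, count in top_override_sources(SAMPLE_EMAIL_EVENTS):
        print(f"{count:>3}  {source}")
    for e in masked_detections(SAMPLE_EMAIL_EVENTS):
        print(f"masked {e['ThreatTypes']} verdict: {e['NetworkMessageId']} via {_override_source(e)}")
```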
Learn More
Hopefully you found this useful, with some basic queries to get you started with advanced hunting. To learn more, check out the articles below.
The Microsoft 365 Defender portal and Microsoft Purview compliance portal have
replaced the Security & Compliance Center as the place to manage Microsoft Defender
for Office 365 and Microsoft Purview compliance roles and role groups for your
organization. For more information about permissions within these portals, see the
following articles:
These portals let you grant permissions to people who perform tasks like device
management, data loss prevention, eDiscovery, retention, and so on. These people can
perform only the tasks that you explicitly grant them access to. To access these portals,
users need to be a global admin or a member of one or more Defender for Office 365
(Email & collaboration) or Purview compliance groups.
Permissions in these portals are based on the role-based access control (RBAC)
permissions model. RBAC is the same permissions model that's used by Exchange, so if
you're familiar with Exchange Online, granting permissions in these portals will be very
similar. But it's important to remember that role groups in Exchange Online and role
groups for Defender for Office 365 or Purview compliance don't share membership or
permissions. For example, while an Organization Management role group exists in
Exchange Online, the permissions granted and role group members are different than
the Organization Management role group in Defender for Office 365 and Purview
compliance.
This article contains the inventory of Defender for Office 365 and Purview compliance
roles and role groups.
Note
In the Microsoft 365 Defender preview program, a different Microsoft Defender 365
RBAC model is also available. The permissions in this RBAC model are different
from the Defender for Office 365 permissions as described in this article. For more
information, see Microsoft 365 Defender role-based access control (RBAC).
Managing permissions in Defender for Office 365 or Purview compliance gives users
access to security and compliance features that are available within their respective
portals. To grant permissions to other features, such as Exchange mail flow rules (also
known as transport rules), you need to grant permissions in Exchange Online. For more
information, see Permissions in Exchange Online.
Note
To view the Permissions tab as described in this article, you need to be an admin.
Specifically, you need to be assigned the Role Management role, and that role is
assigned only to the Organization Management role group by default.
Furthermore, the Role Management role allows users to view, create, and modify
role groups.
Attack Simulation Administrators - Don't use this role group in these portals. Use the corresponding role in Azure AD. Default roles assigned: Attack Simulator Admin
Attack Simulator Payload Authors - Don't use this role group in these portals. Use the corresponding role in Azure AD. Default roles assigned: Attack Simulator Payload Author
Role group Description Default roles
assigned
Communication
Compliance
Analysis
Communication
Compliance Case
Management
Communication
Compliance
Investigation
Communication
Compliance Viewer
Data Classification
Feedback Provider
Data Connector
Admin
View-Only Case
Administrators
Communication
Compliance Case
Management
Data Connector
Admin
Communication
Compliance Case
Management
Communication
Compliance Case
Management
Communication
Compliance
Investigation
Data Classification
Feedback Provider
View-Only Case
Communication
Compliance Viewer
Compliance Members can manage settings for device management, Case Management
Communication
Compliance Case
Management
Compliance
Administrator
Compliance Search
Data Classification
Feedback Provider
Data Classification
Feedback Reviewer
Data Connector
Admin
Data Investigation
Management
Device
Management
Disposition
Management
DLP Compliance
Management
Hold
IB Compliance
Management
Information
Protection Admin
Information
Protection Analyst
Information
Protection
Investigator
Information
Protection Reader
Insider Risk
Management
Admin
Manage Alerts
Organization
Configuration
RecordManagement
Retention
Management
View-Only Audit
Logs
View-Only Case
View-Only Device
Management
View-Only DLP
Compliance
Management
View-Only IB
Compliance
Management
View-Only Manage
Alerts
View-Only
Recipients
View-Only Record
Management
View-Only
Retention
Management
Administrator preservation.
Compliance Search
Data Connector
Admin
Device
Management
Disposition
Management
DLP Compliance
Management
IB Compliance
Management
Information
Protection Admin
Information
Protection Analyst
Information
Protection
Investigator
Information
Protection Reader
Manage Alerts
Organization
Configuration
RecordManagement
Retention
Management
Sensitivity Label
Administrator
View-Only Audit
Logs
View-Only Device
Management
View-Only DLP
Compliance
Management
View-Only IB
Compliance
Management
View-Only Manage
Alerts
View-Only
Recipients
View-Only Record
Management
View-Only
Retention
Management
Compliance
Manager
Assessment
Compliance
Manager
Contribution
Compliance
Manager Reader
Data Connector
Admin
Compliance
Manager
Contribution
Compliance
Manager Reader
Data Connector
Admin
Compliance
Manager Reader
Data Connector
Admin
Content Explorer List Viewer - View all items in Content explorer in list format only. Default roles assigned: Data Classification List Viewer
Custodian
Data Investigation
Management
Export
Preview
Review
RMS Decrypt
eDiscovery Members can perform searches and place holds on Case Management
Global Reader Members have read-only access to reports, alerts, and Security Reader
Sensitivity Label
The primary difference between Global Reader and Reader
View-Only Audit
Logs
View-Only Device
Management
View-Only DLP
Compliance
Management
View-Only IB
Compliance
Management
View-Only Manage
Alerts
View-Only
Recipients
View-Only Record
Management
View-Only
Retention
Management
Information Full control over all information protection features, Data Classification
Protection including sensitivity labels and their policies, DLP, all Content Viewer
Information
Protection Analyst
Information
Protection
Investigator
Information
Protection Reader
Information Protection Admins - Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies. Default roles assigned: Information Protection Admin
Information Access and manage DLP alerts and activity explorer. Data Classification
Protection View-only access to DLP policies, sensitivity labels and List Viewer
Information Access and manage DLP alerts, activity explorer, and Data Classification
Protection content explorer. View-only access to DLP policies, Content Viewer
Information
Protection
Investigator
Insider Risk Use this role group to manage insider risk management Case Management
Insider Risk
Management Audit
Insider Risk
Management
Investigation
View-Only Case
Insider Risk Use this role group to initially configure insider risk Case Management
View-Only Case
Insider Risk Management Analysts - Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer. Default roles assigned: Case Management, Insider Risk Management Analysis, View-Only Case
Insider Risk Management Auditors - Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log. Default roles assigned: Insider Risk Management Audit
Insider Risk Use this group to assign permissions to users that will Case Management
View-Only Case
IRM Contributors - This role group is visible, but is used by background services only. Default roles assigned: Insider Risk Management Permanent contribution, Insider Risk Management Temporary contribution
MailFlow Administrator - Members can monitor and view mail flow insights and reports in the Defender portal. Global admins can add ordinary users to this group, but if the user isn't a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks. Default roles assigned: View-Only Recipients
Organization Management (1) - Members can control permissions for accessing features in these portals, and also manage settings for device management, data loss prevention, reports, and preservation. Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). Default roles assigned: Audit Logs, Case Management, Communication Compliance Admin, Communication Compliance Case Management, Data Connector Admin, Device Management, DLP Compliance Management, Hold, IB Compliance Management, Insider Risk Management Admin, Manage Alerts, Organization Configuration, Quarantine, RecordManagement, Retention Management, Role Management, Security Administrator, Security Reader, Sensitivity Label Administrator, Sensitivity Label Reader, Service Assurance View, Tag Contributor, Tag Manager, Tag Reader, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Case, View-Only Manage Alerts, View-Only Recipients, View-Only Record Management, View-Only Retention Management
Privacy Management - Manage access control for Priva in the Microsoft Purview compliance portal. Default roles assigned: Case Management, Data Classification Content Viewer, Data Classification List Viewer, Privacy Management Admin, Privacy Management Analysis, Privacy Management Investigation, Privacy Management Permanent contribution, Privacy Management Temporary contribution, Privacy Management Viewer, Subject Rights Request Admin, View-Only Case
View-Only Case
Privacy
Management
Analysis
View-Only Case
Privacy
Management
Temporary
contribution
Data Classification
List Viewer
Privacy
Management
Investigation
View-Only Case
Privacy Management Viewers - Viewer of privacy management solution that can access the available dashboards and widgets. Default roles assigned: Data Classification List Viewer, Privacy Management Viewer
Quarantine Administrator - Members can access all Quarantine actions. For more information, see Manage quarantined messages and files as an admin in EOP. Default roles assigned: Quarantine
Retention
Management
View-Only Device
Management
View-Only DLP
Compliance
Management
View-Only IB
Compliance
Management
View-Only Manage
Alerts
Security Operator - Members can manage security alerts, and also view reports and settings of security features. Default roles assigned: Compliance Search, Manage Alerts, Security Reader, Tag Contributor, Tag Reader, Tenant AllowBlockList Manager, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts
Security Reader - Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see Azure AD built-in roles. If you edit this role group in the portals (membership or roles), those changes apply only to security and compliance areas and not to any other services. Default roles assigned: Security Reader, Sensitivity Label Reader, Tag Reader, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts
Service Assurance User - Members can access the Service assurance section in the compliance portal. Service assurance provides reports and documents that describe Microsoft's security practices for customer data that's stored in Microsoft 365. It also provides independent third-party audit reports on Microsoft 365. For more information, see Service assurance in the compliance portal. Default roles assigned: Service Assurance View
Subject Rights Request Administrators - Default roles assigned: Subject Rights Request Admin, View-Only Case
Supervisory Review - Members can create and manage the policies that define which communications are subject to review in an organization. For more information, see Configure communication compliance policies for your organization. Default roles assigned: Supervisory Review Administrator
Note
(1) This role group doesn't assign members the permissions necessary to search the
audit log or to use any reports that might include Exchange data, such as the DLP
or Defender for Office 365 reports. To search the audit log or to view all reports, a
user has to be assigned permissions in Exchange Online. This is because the
underlying cmdlet used to search the audit log is an Exchange Online cmdlet.
Global admins can search the audit log and view all reports because they're
automatically added as members of the Organization Management role group in
Exchange Online. For more information, see Search the audit log in the
compliance portal.
The following roles aren't assigned to the Organization Management role group by
default:
Attack Simulator Admin - Don't use this role in the portals. Use the corresponding role in Azure AD. Default role group assignments: Attack Simulator Administrators
Attack Simulator Payload Author - Don't use this role in the portals. Use the corresponding role in Azure AD. Default role group assignments: Attack Simulator Payload Authors
Audit Logs Turn on and configure auditing for the organization, Organization
view the organization's audit reports, and then export Management
Case Management Create, edit, delete, and control access to eDiscovery Communication
cases. Compliance
Communication
Compliance
Investigators
Compliance
Administrator
eDiscovery
Manager
Insider Risk
Role Description Default role
group
assignments
Management
Insider Risk
Management
Admins
Insider Risk
Management
Analysts
Insider Risk
Management
Investigators
Organization
Management
Privacy
Management
Privacy
Management
Administrators
Privacy
Management
Analysts
Privacy
Management
Investigators
Subject Rights
Request
Administrators
Communication
Compliance
Administrators
Compliance
Administrator
Organization
Management
Communication
Compliance
Investigators
Management
Communication
Compliance
Administrators
Communication
Compliance
Analysts
Communication
Compliance
Investigators
Communication
Compliance
Viewers
Compliance
Administrator
Organization
Management
Communication
Compliance
Viewers
Compliance Administrator - View and edit settings and reports for compliance features. Default role group assignments: Compliance Administrator, Compliance Data Administrator, Organization Management
Compliance
Manager
Assessors
Compliance
Manager
Assessors
Compliance
Manager
Contributors
Compliance
Manager
Assessors
Compliance
Manager
Contributors
Compliance
Manager Readers
Compliance Data
Administrator
Data Investigator
eDiscovery
Manager
Organization
Management
Security
Operator
Data Classification Content Viewer - View in-place rendering of files in Content explorer. Default role group assignments: Content Explorer Content Viewer, Information Protection, Information Protection Investigators, Privacy Management, Privacy Management Investigators
Communication
Compliance
Investigators
Compliance
Administrator
Data Classification List Viewer - View the list of files in content explorer. Default role group assignments: Content Explorer List Viewer, Information Protection Analysts, Privacy Management, Privacy Management Analysts, Privacy Management Investigators, Privacy Management Viewers
Data Connector Admin - Create and manage connectors to import and archive non-Microsoft data in Microsoft 365. Default role group assignments: Communication Compliance, Communication Compliance Administrators, Compliance Administrator, Compliance Data Administrator, Compliance Manager Administrators, Compliance Manager Assessors, Compliance Manager Contributors, Insider Risk Management, Insider Risk Management Admins, Organization Management
Data Investigation Management - Create, edit, delete, and control access to data investigation. Default role group assignments: Compliance Administrator, Data Investigator
Device Management - View and edit settings and reports for device management features. Default role group assignments: Compliance Administrator, Compliance Data Administrator, Organization Management, Security Administrator
Compliance Data
Administrator
Records
Management
DLP Compliance Management - View and edit settings and reports for data loss prevention (DLP) policies. Default role group assignments: Compliance Administrator, Compliance Data Administrator, Organization Management, Security Administrator
Export - Export mailbox and site content that's returned from searches. Default role group assignments: Data Investigator, eDiscovery Manager, Organization Management
Compliance Data
Administrator
Organization
Management
Security
Administrator
Information Protection Admin - Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies. Default role group assignments: Compliance Administrator, Information Protection, Information Protection Admins
Information Access and manage DLP alerts and activity explorer. Compliance
Protection Analyst View-only access to DLP policies, sensitivity labels and Administrator
Information
Protection
Information
Protection
Analysts
Information
Protection
Investigators
Information Access and manage DLP alerts, activity explorer, and Compliance
Protection content explorer. View-only access to DLP policies, Administrator
Information
Protection
Information
Protection
Investigators
Compliance Data
Administrator
Information
Protection
Information
Protection
Readers
Insider Risk Management Admin - Create, edit, delete, and control access to Insider Risk Management feature. Default role group assignments: Compliance Administrator, Insider Risk Management, Insider Risk Management Admins, Organization Management
Insider Risk Management Analysis - Access all insider risk management alerts, cases, and notices templates. Default role group assignments: Insider Risk Management, Insider Risk Management Analysts
Insider Risk Management Audit - Allow viewing Insider Risk audit trails. Default role group assignments: Insider Risk Management, Insider Risk Management Auditors
Insider Risk Management Investigation - Access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases. Default role group assignments: Insider Risk Management, Insider Risk Management Investigators
Insider Risk Management Permanent contribution - This role group is visible, but is used by background services only. Default role group assignments: IRM Contributors
Insider Risk Management Temporary contribution - This role group is visible, but is used by background services only. Default role group assignments: IRM Contributors
Manage Alerts - View and edit settings and reports for alerts. Default role group assignments: Compliance Administrator, Compliance Data Administrator, Organization Management, Security Administrator, Security Operator
Organization Configuration - Run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation. Default role group assignments: Compliance Administrator, Compliance Data Administrator, Organization Management
Preview View a list of items that are returned from content Data Investigator
searches, and open each item from the list to view its
contents. eDiscovery
Manager
Security
Administrator
Organization
Management
Compliance Data
Administrator
Organization
Management
Records
Management
Compliance Data
Administrator
Organization
Management
Records
Management
Review - This role lets users access review sets in eDiscovery (Premium) cases. Users who are assigned this role can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set. Default role group assignments: Data Investigator, eDiscovery Manager, Reviewer
Role Management - Manage role group membership and create or delete custom role groups. Default role group assignments: Organization Management
Search And Purge - Lets people bulk-remove data that matches the criteria of a content search. Default role group assignments: Data Investigator, Organization Management
Security Administrator - View and edit the configuration and reports for Security features. Default role group assignments: Organization Management, Security Administrator
Security Reader - View the configuration and reports for Security features. Default role group assignments: Global Reader, Organization Management, Security Operator, Security Reader
Sensitivity Label Administrator - View, create, modify, and remove sensitivity labels. Default role group assignments: Compliance Data Administrator, Organization Management, Security Administrator
Sensitivity Label Reader - View the configuration and usage of sensitivity labels. Default role group assignments: Global Reader, Organization Management, Security Reader
Service Assurance Download the available documents from the Service Global Reader
Tag Contributor - View and update membership of existing user tags. Default role group assignments: Organization Management, Security Administrator, Security Operator
Tag Manager - View, update, create, and delete user tags. Default role group assignments: Organization Management, Security Administrator
View-Only Audit View and export audit reports. Because these reports Compliance
Logs might contain sensitive information, you should only Administrator
Global Reader
Organization
Management
Security
Administrator
Security
Operator
Communication
Compliance
Investigators
Compliance
Administrator
Insider Risk
Management
Insider Risk
Management
Admins
Insider Risk
Management
Analysts
Insider
RiskManagement
Investigators
Organization
Management
Privacy
Management
Privacy
Management
Administrators
Privacy
Management
Analysts
Privacy
Management
Investigators
Subject Rights
Request
Administrators
View-Only Device Management - View the configuration and reports for the Device Management feature. Default role group assignments: Compliance Administrator, Compliance Data Administrator, Global Reader, Organization Management, Security Administrator, Security Operator, Security Reader
View-Only DLP Compliance Management - View the settings and reports for data loss prevention (DLP) policies. Default role group assignments: Compliance Administrator, Compliance Data Administrator, Global Reader, Organization Management, Security Administrator, Security Operator, Security Reader
View-Only IB Compliance Management - View the configuration and reports for the Information Barriers feature. Default role group assignments: Compliance Administrator, Compliance Data Administrator, Global Reader, Organization Management, Security Administrator, Security Operator, Security Reader
View-Only Manage Alerts - View the configuration and reports for the Manage Alerts feature. Default role group assignments: Compliance Administrator, Compliance Data Administrator, Global Reader, Organization Management, Security Administrator, Security Operator, Security Reader
Compliance Data
Administrator
Global Reader
MailFlow
Administrator
Organization
Management
Compliance Data
Administrator
Global Reader
Organization
Management
Management
Compliance Data
Administrator
Global
Administrator
Organization
Management
Data retention information for Microsoft Defender for Office 365
Article • 10/19/2022 • 2 minutes to read
By default, data across different features is retained for a maximum of 30 days. However,
for some of the features, you can specify the retention period based on policy. See the
following table for the different retention periods for each feature.
Note
Microsoft Defender for Office 365 comes in two different Plan types. You can tell if
you have Plan 1 if you have 'Real-time Detections', and Plan 2, if you have Threat
Explorer. The Plan you have influences the tools you will see, so be certain that
you're aware of your Plan as you learn.
Feature - Retention period
Submissions - 30 days
AIR (Automated Investigation and Response) - 60 days (for investigation metadata)
Campaigns - 30 days
Incidents - 30 days
Remediation - 30 days
There are two major factors that determine which policy is applied to a message:
The order of processing for the email protection type: This order is not
configurable, and is described in the following table:
The priority of the policy: For each type of policy (anti-spam, anti-malware, anti-
phishing, etc.), there's a default policy that applies to everyone, but you can create
custom policies that apply to specific users (recipients). Each custom policy has a
priority value that determines the order that the policies are applied in. The default
policy is always applied last.
) Important
For example, consider the following anti-phishing policies in Microsoft Defender for
Office 365 that apply to the same users, and a message that's identified as both user
impersonation and spoofing:
Policy     Priority   User impersonation protection   Anti-spoofing protection
Policy A   1          On                              Off
Policy B   2          Off                             On
Assign a higher priority to policies that apply to a small number of users, and a
lower priority to policies that apply to a large number of users. Remember, the
default policy is always applied last.
Configure your higher priority policies to have stricter or more specialized settings
than lower priority policies.
Consider using fewer custom policies (only use custom policies for users who
require stricter or more specialized settings).
Troubleshooting mail sent to Microsoft 365
Article • 12/10/2022 • 7 minutes to read
This article provides troubleshooting information for senders who are experiencing
issues when trying to send email to inboxes in Microsoft 365 and best practices for bulk
mailing to customers.
For more information about the error you received, see the list of error codes in Email
non-delivery reports in Exchange Online.
For example, if you receive the following NDR, it indicates that the sending IP address
was blocked by Microsoft:
550 5.7.606-649 Access denied, banned sending IP [x.x.x.x]; To request removal from
host xxxx.outlook.com [x.x.x.x]: 451 4.7.550 Access denied, please try again later
You received the NDR because suspicious activity has been detected from the IP address
and it has been temporarily restricted while it is being further evaluated. If the suspicion
is cleared through evaluation, this restriction will be lifted shortly.
Correct:
From: marketing@shoppershandbag.com
Incorrect:
From: someone@outlook.com
Subject: Catalogs
The easier you make it for people to know who you are and what you are doing, the less
difficulty you will have delivering through most spam filters.
Some senders include this option by requiring recipients to send an email to a certain
alias with "Unsubscribe" in the subject. This is not preferable to the one-click example
above. If you do choose to require recipients to send a mail, ensure that when they click
the link, all the required fields are pre-populated.
Microsoft recommends the double opt-in option instead, which means that the
checkbox for marketing emails or newsletters is unchecked by default. Additionally,
once the registration form has been submitted, a verification email is sent to the user
with a URL that allows them to confirm their decision to receive marketing emails.
This helps ensure that only those users who want to receive marketing email are signed
up for the emails, subsequently clearing the sending company of any questionable email
marketing practices.
When the email message requests that recipients add the sender to the address
book, it should clearly state that such action is not a guarantee of delivery.
Redirects included in the body of the message should be similar and consistent,
and not multiple and varied. A redirect in this context is anything that points away
from the message, such as links and documents. If you have a lot of advertising or
Unsubscribe links or Update the Profile links, they should all point to the same
domain. For example:
Correct:
unsubscribe.bulkmailer.com
profile.bulkmailer.com
options.bulkmailer.com
Incorrect:
unsubscribe.bulkmailer.com
profile.excite.com
options.yahoo.com
Avoid content with large images and attachments, or messages that are solely
composed of an image.
Your public privacy or P3P settings should clearly state the presence of tracking
pixels (web bugs or beacons).
In all Microsoft 365 organizations, Exchange Online Protection (EOP) scans all incoming
messages for spam, malware, and other threats. The results of these scans are added to
the following header fields in messages:
For information about how to view an email message header in various email clients, see
View internet message headers in Outlook .
Tip
You can copy and paste the contents of a message header into the Message
Header Analyzer tool. This tool helps parse headers and put them into a more
readable format.
X-Forefront-Antispam-Report message header fields
After you have the message header information, find the X-Forefront-Antispam-Report
header. There will be multiple field and value pairs in this header separated by
semicolons (;). For example:
...CTRY:;LANG:hr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;PTR:;CAT:NONE;SFTY:;...
The individual fields and values are described in the following table.
Field          Description

CIP:[IP address]
    The connecting IP address. You can use this IP address in the IP Allow List or the
    IP Block List. For more information, see Configure connection filtering.
CTRY
    The source country as determined by the connecting IP address, which may not be
    the same as the originating sending IP address.
IPV:CAL
    The message skipped spam filtering because the source IP address was in the IP
    Allow List. For more information, see Configure connection filtering.
LANG
    The language in which the message was written, as specified by the country code
    (for example, ru_RU for Russian).
PTR:[ReverseDNS]
    The PTR record (also known as the reverse DNS lookup) of the source IP address.
SCL
    The spam confidence level (SCL) of the message. A higher value indicates the
    message is more likely to be spam. For more information, see Spam confidence
    level (SCL).
SFTY
    The message was identified as phishing and will also be marked with one of the
    following values:
        9.19: Domain impersonation. The sending domain is attempting to impersonate a
        protected domain. The safety tip for domain impersonation is added to the
        message (if it's enabled).
        9.20: User impersonation. The sending user is attempting to impersonate a user
        in the recipient's organization, or a protected user that's specified in an
        anti-phishing policy in Microsoft Defender for Office 365. The safety tip for
        user impersonation is added to the message (if it's enabled).
        9.25: First contact safety tip. This value might be an indication of a
        suspicious or phishing message. For more information, see First contact
        safety tip.
SFV:BLK
    Filtering was skipped and the message was blocked because it was sent from an
    address in a user's Blocked Senders list.
    For more information about how admins can manage a user's Blocked Senders list,
    see Configure junk email settings on Exchange Online mailboxes.
SFV:NSPM
    Spam filtering marked the message as non-spam and the message was sent to the
    intended recipients.
SFV:SFE
    Filtering was skipped and the message was allowed because it was sent from an
    address in a user's Safe Senders list.
    For more information about how admins can manage a user's Safe Senders list, see
    Configure junk email settings on Exchange Online mailboxes.
SFV:SKA
    The message skipped spam filtering and was delivered to the Inbox because the
    sender was in the allowed senders list or allowed domains list in an anti-spam
    policy. For more information, see Configure anti-spam policies.
SFV:SKB
    The message was marked as spam because it matched a sender in the blocked senders
    list or blocked domains list in an anti-spam policy. For more information, see
    Configure anti-spam policies.
SFV:SKI
    Similar to SFV:SKN, the message skipped spam filtering for another reason (for
    example, an intra-organizational email within a tenant).
SFV:SKN
    The message was marked as non-spam prior to being processed by spam filtering.
    For example, the message was marked as SCL -1 or Bypass spam filtering by a mail
    flow rule.
SFV:SKQ
    The message was released from the quarantine and was sent to the intended
    recipients.
SFV:SKS
    The message was marked as spam prior to being processed by spam filtering. For
    example, the message was marked as SCL 5 to 9 by a mail flow rule.
SRV:BULK
    The message was identified as bulk email by spam filtering and the bulk complaint
    level (BCL) threshold. When the MarkAsSpamBulkMail parameter is On (it's on by
    default), a bulk email message is marked as spam (SCL 6). For more information,
    see Configure anti-spam policies.
X-CustomSpam:[ASFOption]
    The message matched an Advanced Spam Filter (ASF) setting. To see the X-header
    value for each ASF setting, see Advanced Spam Filter (ASF) settings.
BCL
    The bulk complaint level (BCL) of the message. A higher BCL indicates a bulk mail
    message is more likely to generate complaints (and is therefore more likely to be
    spam). For more information, see Bulk complaint level (BCL).
The following list describes the text that's added to the Authentication-Results header
for each type of email authentication check:
dmarc=<pass|fail|bestguesspass|none> action=<permerror|temperror|oreject|pct.quarantine|pct.reject> header.from=<domain>
Field          Description

action
    Indicates the action taken by the spam filter based on the results of the DMARC
    check. For example:
        oreject or o.reject: Stands for override reject. In this case Microsoft 365
        uses this action when it receives a message that fails the DMARC check from a
        domain whose DMARC TXT record has a policy of p=reject. Instead of deleting or
        rejecting the message, Microsoft 365 marks the message as spam. For more
        information on why Microsoft 365 is configured this way, see How Microsoft 365
        handles inbound email that fails DMARC.
        pct.quarantine: Indicates that a percentage less than 100% of messages that do
        not pass DMARC will be delivered anyway. This means that the message failed
        DMARC and the policy was set to quarantine, but the pct field was not set to
        100% and the system randomly determined not to apply the DMARC action, as per
        the specified domain's policy.
        pct.reject: Indicates that a percentage less than 100% of messages that do not
        pass DMARC will be delivered anyway. This means that the message failed DMARC
        and the policy was set to reject, but the pct field was not set to 100% and
        the system randomly determined not to apply the DMARC action, as per the
        specified domain's policy.
        permerror: A permanent error occurred during DMARC evaluation, such as
        encountering an incorrectly formed DMARC TXT record in DNS. Attempting to
        resend this message isn't likely to end with a different result. Instead, you
        may need to contact the domain's owner in order to resolve the issue.
        temperror: A temporary error occurred during DMARC evaluation. You may be able
        to request that the sender resend the message later in order to process the
        email properly.
dkim
    Describes the results of the DKIM check for the message. Possible values include:
        pass: Indicates the DKIM check for the message passed.
        fail (reason): Indicates the DKIM check for the message failed and why. For
        example, if the message was not signed or the signature was not verified.
        none: Indicates that the message was not signed. This may or may not indicate
        that the domain has a DKIM record or the DKIM record does not evaluate to a
        result, only that this message was not signed.
dmarc
    Describes the results of the DMARC check for the message. Possible values include:
        pass: Indicates the DMARC check for the message passed.
        fail: Indicates the DMARC check for the message failed.
        bestguesspass: Indicates that no DMARC TXT record for the domain exists, but if
        one had existed, the DMARC check for the message would have passed.
        none: Indicates that no DMARC TXT record exists for the sending domain in DNS.
header.d
    Domain identified in the DKIM signature if any. This is the domain that's queried
    for the public key.
header.from
    The domain of the 5322.From address in the email message header (also known as
    the From address or P2 sender). Recipient sees the From address in email clients.
reason
    The reason the composite authentication passed or failed. The value is a 3-digit
    code. For example:
        000: The message failed explicit authentication (compauth=fail). For example,
        the message received a DMARC fail with an action of quarantine or reject.
        001: The message failed implicit authentication (compauth=fail). This means
        that the sending domain did not have email authentication records published,
        or if they did, they had a weaker failure policy (SPF soft fail or neutral,
        DMARC policy of p=none).
        002: The organization has a policy for the sender/domain pair that is
        explicitly prohibited from sending spoofed email. This setting is manually set
        by an admin.
        010: The message failed DMARC with an action of reject or quarantine, and the
        sending domain is one of your organization's accepted-domains (this is part of
        self-to-self, or intra-org, spoofing).
        1xx or 7xx: The message passed authentication (compauth=pass). The last two
        digits are internal codes used by Microsoft 365.
        2xx: The message soft-passed implicit authentication (compauth=softpass). The
        last two digits are internal codes used by Microsoft 365.
        3xx: The message was not checked for composite authentication (compauth=none).
        4xx or 9xx: The message bypassed composite authentication (compauth=none). The
        last two digits are internal codes used by Microsoft 365.
        6xx: The message failed implicit email authentication, and the sending domain
        is one of your organization's accepted domains (this is part of self-to-self
        or intra-org spoofing).
smtp.mailfrom
    The domain of the 5321.MailFrom address (also known as the MAIL FROM address, P1
    sender, or envelope sender). This is the email address that's used for
    non-delivery reports (also known as NDRs or bounce messages).
spf
    Describes the results of the SPF check for the message. Possible values include:
        pass (IP address): The SPF check for the message passed and includes the
        sender's IP address. The client is authorized to send or relay email on behalf
        of the sender's domain.
        fail (IP address): The SPF check for the message failed and includes the
        sender's IP address. This is sometimes called hard fail.
        softfail (reason): The SPF record designated the host as not being allowed to
        send, but is in transition.
        neutral: The SPF record explicitly states that it does not assert whether the
        IP address is authorized to send.
        none: The domain doesn't have an SPF record or the SPF record doesn't evaluate
        to a result.
        temperror: A temporary error has occurred. For example, a DNS error. The same
        check later might succeed.
        permerror: A permanent error has occurred. For example, the domain has a badly
        formatted SPF record.
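Both headers are easier to act on when parsed than when read by eye. The following Python is an added example (not Microsoft's code) for the X-Forefront-Antispam-Report and Authentication-Results tables above: the header values are constructed from the documented field syntax, and the triage flags (bulk mail, a DMARC reject overridden with oreject, an allow-list bypass while compauth=fail) are one defender's reading of those tables.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample headers built from the field syntax documented above (not captured mail).
SAMPLE_FOREFRONT = (
    "CIP:203.0.113.7;CTRY:US;LANG:en;SCL:6;SRV:BULK;IPV:NLI;SFV:SPM;"
    "PTR:mail.example.net;CAT:SPM;SFTY:9.19;"
)
SAMPLE_AUTHRESULTS = (
    "spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=contoso.com; "
    "dkim=none (message not signed) header.d=none; "
    "dmarc=fail action=oreject header.from=contoso.com; "
    "compauth=fail reason=000"
)
# Second constructed pair: a user's Safe Senders entry let an unauthenticated message through.
SAMPLE_FOREFRONT_ALLOWED = "CIP:198.51.100.9;CTRY:;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SFE;PTR:;CAT:NONE;SFTY:;"
SAMPLE_AUTHRESULTS_ALLOWED = (
    "spf=softfail (sender IP is 198.51.100.9) smtp.mailfrom=contoso.com; "
    "dkim=none header.d=none; dmarc=none action=none header.from=contoso.com; "
    "compauth=fail reason=001"
)

SFV_SKIPPED = {"SFE", "SKA", "SKN", "SKI", "SKQ"}  # filtering skipped or pre-cleared, per the table
SFTY_MEANING = {"9.19": "domain impersonation", "9.20": "user impersonation",
                "9.25": "first contact safety tip"}


def parse_forefront(header: str) -> Dict[str, str]:
    """Split the 'KEY:VALUE;KEY:VALUE;' X-Forefront-Antispam-Report body; empty values are kept."""
    fields: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            fields[key.strip()] = value.strip()
    return fields


_PAIR = re.compile(r"([\w.]+)=(\S+)")


def parse_auth_results(header: str) -> Dict[str, Dict[str, str]]:
    """Return {method: {'result': ..., 'comment': ..., <property>: ...}} per ';'-separated clause.
    Parenthesised text (for example the sender IP) is captured as the clause comment."""
    clauses: Dict[str, Dict[str, str]] = {}
    for clause in header.split(";"):
        comments = re.findall(r"\(([^)]*)\)", clause)
        pairs = _PAIR.findall(re.sub(r"\([^)]*\)", " ", clause))
        if not pairs:
            continue
        method, result = pairs[0]
        entry = {"result": result, "comment": comments[0] if comments else ""}
        entry.update(pairs[1:])  # e.g. smtp.mailfrom, header.d, header.from, action, reason
        clauses[method] = entry
    return clauses


def describe_compauth_reason(code: str) -> str:
    """Translate the 3-digit compauth reason code using the meanings listed in the table above."""
    exact = {
        "000": "failed explicit authentication (e.g. DMARC fail with quarantine/reject)",
        "001": "failed implicit authentication (no or weak sender authentication policy)",
        "002": "sender/domain pair explicitly prohibited from spoofing by an admin",
        "010": "failed DMARC reject/quarantine from one of your accepted domains (intra-org spoof)",
    }
    by_prefix = {
        "1": "passed authentication", "7": "passed authentication",
        "2": "soft-passed implicit authentication",
        "3": "not checked for composite authentication",
        "4": "bypassed composite authentication", "9": "bypassed composite authentication",
        "6": "failed implicit authentication from one of your accepted domains (intra-org spoof)",
    }
    return exact.get(code) or by_prefix.get(code[:1], f"unknown reason code {code!r}")


@dataclass
class Triage:
    scl: Optional[int]
    spam_verdict: str           # the SFV value
    skipped_filtering: bool
    phish_tip: Optional[str]    # decoded SFTY value, if any
    compauth: str
    reason_text: str
    flags: List[str] = field(default_factory=list)


def triage(forefront: str, auth_results: str) -> Triage:
    """Combine both headers into the facts an analyst checks first on a reported message."""
    ff, ar = parse_forefront(forefront), parse_auth_results(auth_results)
    comp = ar.get("compauth", {})
    sfv = ff.get("SFV", "")
    t = Triage(
        scl=int(ff["SCL"]) if ff.get("SCL", "").lstrip("-").isdigit() else None,
        spam_verdict=sfv,
        skipped_filtering=sfv in SFV_SKIPPED,
        phish_tip=SFTY_MEANING.get(ff.get("SFTY", "")),
        compauth=comp.get("result", "none"),
        reason_text=describe_compauth_reason(comp.get("reason", "")),
    )
    if ff.get("SRV") == "BULK":
        t.flags.append("bulk mail (SRV:BULK)")
    if ar.get("dmarc", {}).get("action") == "oreject":
        t.flags.append("DMARC reject overridden (oreject): delivered as spam, not rejected")
    if sfv in {"SFE", "SKA"} and t.compauth == "fail":
        t.flags.append(f"allow list ({sfv}) bypassed filtering although compauth=fail")
    return t
```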
Reference: Policies, practices, and guidelines
Article • 12/10/2022 • 3 minutes to read
Microsoft is dedicated to helping provide the most trusted user experience on the web.
Therefore, Microsoft has developed various policies, procedures, and adopted several
industry best practices to help protect our users from abusive, unwanted, or malicious
email. Senders attempting to send email to users should ensure they fully understand
and are following the guidance in this article to help in this effort and to help avoid
potential delivery issues.
If you are not in compliance with these policies and guidelines, it may not be possible
for our support team to assist you. If you are adhering to the guidelines, practices, and
policies presented in this article and are still experiencing delivery issues based on your
sending IP address, please follow the steps to submit a delisting request. For
instructions, see Use the delist portal to remove yourself from the blocked senders list.
Technical guidelines
Email sent to Microsoft 365 should comply with the applicable recommendations listed
in the documents below (some links are only available in English).
In addition, email servers connecting to Microsoft 365 must adhere to the following
requirements:
Sender is expected to comply with all technical standards for the transmission of
Internet email, as published by The Internet Society's Internet Engineering Task
Force (IETF), including RFC 5321, RFC 5322, and others.
After receiving a numeric SMTP error response code between 500 and 599 (also
known as a permanent non-delivery response or NDR), the sender must not
attempt to retransmit that message to that recipient.
After multiple non-delivery responses, the sender must cease further attempts to
send email to that recipient.
Messages must not be transmitted through insecure email relay or proxy servers.
The mechanism for unsubscribing, either from individual lists or all lists hosted by
the sender, must be clearly documented and easy for recipients to find and use.
Reputation management
Senders, ISPs, and other service providers should actively manage the reputation of
their outbound IP addresses.
Law enforcement
If you are a member of law enforcement and wish to serve Microsoft Corporation with
legal documentation regarding Office 365, or if you have questions regarding legal
documentation you have submitted to Microsoft, please call (1) (425) 722-1299.
Sending mail to Microsoft 365
Article • 12/22/2022 • 2 minutes to read
These articles help external senders improve their reputation and increase their ability to
deliver email to users at Microsoft 365. They also provide some information about how
you can report junk email and phishing attempts even if you aren't a Microsoft 365 user
yourself.
If you're not a customer, but are trying to send mail to someone who is, you're in the
right place. If you're an admin and you need help with fighting spam, this isn't the right
section for you. Instead, go to anti-spam and anti-malware.
Services for non-customers sending mail to Office 365: Services provided to email
system admins that are sending individual and bulk email to customers.
Troubleshooting mail sent to Office 365: How to fix problems reaching customers at
Microsoft 365 through email. Best practices for sending bulk mail to Microsoft 365
recipients.
Anti-spam protection in Microsoft 365: How Microsoft 365 prevents junk email,
including phishing and spoofing email, from being sent to our customers.
Reference: Policies, practices, and guidelines: How you, an admin sending email to
Microsoft 365 customers, can avoid having email blocked by adhering to our anti-spam
policies. This is the legal stuff you need to know.
How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing
Article • 12/10/2022 • 12 minutes to read
Summary: This article describes how Microsoft 365 uses the Sender Policy Framework
(SPF) TXT record in DNS to ensure that destination email systems trust messages sent
from your custom domain. This applies to outbound mail sent from Microsoft 365.
Messages sent from Microsoft 365 to a recipient within Microsoft 365 will always pass
SPF.
An SPF TXT record is a DNS record that helps prevent spoofing and phishing by
verifying the domain name from which email messages are sent. SPF validates the origin
of email messages by verifying the IP address of the sender against the alleged owner of
the sending domain.
Note
SPF record types were deprecated by the Internet Engineering Task Force (IETF) in
2014. Instead, ensure that you use TXT records in DNS to publish your SPF
information. The rest of this article uses the term SPF TXT record for clarity.
Domain administrators publish SPF information in TXT records in DNS. The SPF
information identifies authorized outbound email servers. Destination email systems
verify that messages originate from authorized outbound email servers. If you're already
familiar with SPF, or you have a simple deployment, and just need to know what to
include in your SPF TXT record in DNS for Microsoft 365, you can go to Set up SPF in
Microsoft 365 to help prevent spoofing. If you don't have a deployment that is fully
hosted in Microsoft 365, or you want more information about how SPF works or how to
troubleshoot SPF for Microsoft 365, keep reading.
Note
Previously, you had to add a different SPF TXT record to your custom domain if you
also used SharePoint Online. This is no longer required. This change should reduce
the risk of SharePoint Online notification messages ending up in the Junk Email
folder. You do not need to make any changes immediately, but if you receive the
"too many lookups" error, modify your SPF TXT record as described in Set up SPF
in Microsoft 365 to help prevent spoofing.
Each SPF TXT record contains three parts: the declaration that it's an SPF TXT record, the
IP addresses that are allowed to send mail from your domain and the external domains
that can send on your domain's behalf, and an enforcement rule. You need all three in a
valid SPF TXT record. This article describes how you form your SPF TXT record and
provides best practices for working with the services in Microsoft 365. Links to
instructions on working with your domain registrar to publish your record to DNS are
also provided.
For example, let's say the following SPF rule exists for contoso.com:
v=spf1 <IP address #1> <IP address #2> <IP address #3> <enforcement rule>
In this example, the SPF rule instructs the receiving email server to only accept mail from
these IP addresses for the domain contoso.com:
IP address #1
IP address #2
IP address #3
This SPF rule tells the receiving email server that if a message comes from contoso.com,
but not from one of these three IP addresses, the receiving server should apply the
enforcement rule to the message. The enforcement rule is usually one of these options:
Hard fail. Mark the message with 'hard fail' in the message envelope and then
follow the receiving server's configured spam policy for this type of message.
Soft fail. Mark the message with 'soft fail' in the message envelope. Typically, email
servers are configured to deliver these messages anyway. Most end users don't see
this mark.
Neutral. Do nothing, that is, don't mark the message envelope. This is reserved for
testing purposes and is rarely used.
The following examples show how SPF works in different situations. In these examples,
contoso.com is the sender and woodgrovebank.com is the receiver.
Since IP address #12 isn't in contoso.com's SPF TXT record, the message fails the SPF
check and the receiver may choose to mark it as spam.
The message originally passes the SPF check at woodgrovebank.com but it fails the SPF
check at outlook.com because IP #25 isn't in contoso.com's SPF TXT record.
Outlook.com might then mark the message as spam. To work around this problem, use
SPF with other email authentication methods such as DKIM and DMARC.
When the receiving server sees this record in DNS, it also performs a DNS lookup on the
SPF TXT record for contoso.net and then for contoso.org. If it finds another include
statement within the records for contoso.net or contoso.org, it will follow those too. In
order to help prevent denial of service attacks, the maximum number of DNS lookups
for a single email message is 10. Each include statement represents an additional DNS
lookup. If a message exceeds the 10 limit, the message fails SPF. Once a message
reaches this limit, depending on the way the receiving server is configured, the sender
may get a message that says the message generated "too many lookups" or that the
"maximum hop count for the message has been exceeded" (which can happen when the
lookups loop and surpass the DNS timeout). For tips on how to avoid this, see
Troubleshooting: Best practices for SPF in Microsoft 365.
If you're a fully hosted customer, that is, you have no on-premises mail servers that send
outbound mail, this is the only SPF TXT record that you need to publish for Office 365.
If you have a hybrid deployment (that is, you have some mailboxes on-premises and
some hosted in Microsoft 365), or if you're an Exchange Online Protection (EOP)
standalone customer (that is, your organization uses EOP to protect your on-premises
mailboxes), you should add the outbound IP address for each of your on-premises edge
mail servers to the SPF TXT record in DNS.
For information about the domains you'll need to include for Microsoft 365, see External
DNS records required for SPF. Use the step-by-step instructions for updating SPF (TXT)
records for your domain registrar.
where:
v=spf1 is required. This defines the TXT record as an SPF TXT record.
ip4 indicates that you're using IP version 4 addresses. ip6 indicates that you're
using IP version 6 addresses. If you're using IPv6 IP addresses, replace ip4 with ip6
in the examples in this article. You can also specify IP address ranges using CIDR
notation, for example ip4:192.168.0.1/26.
IP address is the IP address that you want to add to the SPF TXT record. Usually,
this is the IP address of the outbound mail server for your organization. You can list
multiple outbound mail servers. For more information, see Example: SPF TXT
record for multiple outbound on-premises mail servers and Microsoft 365.
domain name is the domain you want to add as a legitimate sender. For a list of
domain names you should include for Microsoft 365, see External DNS records
required for SPF.
-all
Indicates hard fail. If you know all of the authorized IP addresses for your
domain, list them in the SPF TXT record, and use the -all (hard fail) qualifier.
Also, if you're only using SPF, that is, you aren't using DMARC or DKIM, you
should use the -all qualifier. We recommend that you always use this qualifier.
~all
Indicates soft fail. If you're not sure that you have the complete list of IP
addresses, then you should use the ~all (soft fail) qualifier. Also, if you're using
DMARC with p=quarantine or p=reject, then you can use ~all. Otherwise, use -
all.
?all
Indicates neutral. This is used when testing SPF. We don't recommend that you
use this qualifier in your live deployment.
Although SPF is designed to help prevent spoofing, there are spoofing techniques
that SPF can't protect against. In order to protect against these, once you have set up
SPF, you should also configure DKIM and DMARC for Microsoft 365. To get started, see
Use DKIM to validate outbound email sent from your custom domain in Microsoft 365.
Next, see Use DMARC to validate email in Microsoft 365.
If an email message causes more than 10 DNS lookups before it's delivered, the
receiving mail server will respond with a permanent error, also called a permerror, and
cause the message to fail the SPF check. The receiving server may also respond with a
non-delivery report (NDR) that contains an error similar to these:
v=spf1 include:_spf.google.com
include:_spfblock.salesforce.com
include:_qa.salesforce.com
include:_spfblock1.salesforce.com
include:spf.mandrillapp.com mx ~all
To avoid the error, you can implement a policy where anyone sending bulk email, for
example, has to use a subdomain specifically for this purpose. You then define a
different SPF TXT record for the subdomain that includes the bulk email.
In some cases, like the salesforce.com example, you have to use the domain in your SPF
TXT record, but in other cases, the third-party may have already created a subdomain
for you to use for this purpose. For example, exacttarget.com has created a subdomain
that you need to use for your SPF TXT record:
cust-spf.exacttarget.com
When you include third-party domains in your SPF TXT record, you need to confirm with
the third-party which domain or subdomain to use in order to avoid running into the 10
lookup limit.
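An offline way to see the 10-lookup limit and the subdomain mitigation described in this section and in the include discussion above. This is an added example, not Microsoft's tooling: the DNS records, domain names and helper functions are constructed for illustration, and the counting follows the rule in the text that each include (and the other DNS-backed mechanisms) costs one lookup, with a permerror once the total passes 10.

```python
from typing import Dict, List, Tuple

# Terms that each cost one DNS lookup toward the limit; ip4, ip6 and all need no DNS and are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# Constructed zone data (not real records): contoso.com includes a hosted mail service,
# a CRM sender and a bulk-mail sender, plus its own MX hosts.
CONSTRUCTED_DNS: Dict[str, str] = {
    "contoso.com": "v=spf1 include:_spf.hosted.example include:_spf.crm.example "
                   "include:_spf.bulk.example mx ~all",
    "_spf.hosted.example": "v=spf1 ip4:198.51.100.0/24 include:a.hosted.example "
                           "include:b.hosted.example -all",
    "a.hosted.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "b.hosted.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "_spf.crm.example": "v=spf1 include:crm1.example include:crm2.example include:crm3.example ~all",
    "crm1.example": "v=spf1 ip4:203.0.113.0/26 -all",
    "crm2.example": "v=spf1 ip4:203.0.113.64/26 -all",
    "crm3.example": "v=spf1 ip4:203.0.113.128/26 -all",
    "_spf.bulk.example": "v=spf1 include:bulk1.example a mx ~all",
    "bulk1.example": "v=spf1 ip4:192.0.2.0/24 -all",
}


def count_lookups(domain: str, dns: Dict[str, str],
                  chain: Tuple[str, ...] = ()) -> Tuple[int, List[str]]:
    """Walk domain's SPF record and return (DNS lookups consumed, trace of where they came from).
    Raises LookupError for a missing record and ValueError for an include loop."""
    if domain in chain:
        raise ValueError("include loop: " + " -> ".join(chain + (domain,)))
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        raise LookupError(f"no SPF TXT record for {domain}")
    total, trace = 0, []
    for term in record.split()[1:]:                       # skip the v=spf1 declaration
        # normalise 'include:x', 'redirect=x', '-all', 'ip4:...' into (mechanism, argument)
        mech, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        if mech not in LOOKUP_TERMS:
            continue                                      # ip4/ip6/all cost nothing
        total += 1
        trace.append(f"{domain}: {term}")
        if mech in ("include", "redirect"):               # these fetch another record and recurse
            sub_total, sub_trace = count_lookups(arg, dns, chain + (domain,))
            total += sub_total
            trace.extend(sub_trace)
    return total, trace


def check_spf_lookups(domain: str, dns: Dict[str, str]) -> Tuple[int, str]:
    """Return (lookup count, verdict): 'ok', or a permerror once the 10-lookup limit is exceeded."""
    total, _ = count_lookups(domain, dns)
    return total, "ok" if total <= LOOKUP_LIMIT else "permerror: too many DNS lookups"


def split_bulk_to_subdomain(dns: Dict[str, str], domain: str,
                            bulk_include: str, subdomain: str) -> Dict[str, str]:
    """Apply the mitigation from the text: move the bulk-mail include into its own subdomain record."""
    fixed = dict(dns)
    terms = [t for t in dns[domain].split() if t != f"include:{bulk_include}"]
    fixed[domain] = " ".join(terms)
    fixed[subdomain] = f"v=spf1 include:{bulk_include} -all"
    return fixed


if __name__ == "__main__":
    print("contoso.com:", check_spf_lookups("contoso.com", CONSTRUCTED_DNS))
    fixed = split_bulk_to_subdomain(CONSTRUCTED_DNS, "contoso.com",
                                    "_spf.bulk.example", "bulk.contoso.com")
    print("after split:", check_spf_lookups("contoso.com", fixed),
          check_spf_lookups("bulk.contoso.com", fixed))
```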
Email abuse, junk email, and fraudulent emails (phishing) continue to burden the entire
email ecosystem. To help maintain user trust in the use of email, Microsoft has put
various policies and technologies in place to help protect our users. However, Microsoft
understands that legitimate email should not be negatively affected. Therefore, we have
established a suite of services to help senders improve their ability to deliver email to
Microsoft 365 users by proactively managing their sending reputation.
This overview provides information about benefits we provide to your organization even
if you aren't a customer.
Sender solutions
Service          Benefits

Microsoft support
    Provides self-help and escalation support for delivery issues.
Anti-Spam IP Delist Portal
    A tool to submit an IP delist request. Before submitting this request it is the
    sender's responsibility to ensure that any further mail originating from the IP in
    question is not abusive or malicious.
Abuse and spam reporting for junk email originating from Exchange Online
    Keeps spam and other unwanted mail from being sent from Exchange Online and
    cluttering up the internet and your mail system.
Microsoft support
Microsoft offers several support options for people having trouble sending mail to
Microsoft 365 recipients. We recommend that you:
Follow the instructions in any non-delivery report you receive.
Use the Microsoft 365 delist portal to submit a request to have your IP removed
from the blocked sender's list.
Contact the customer you're trying to email using another method and ask them
to contact Microsoft Support and open a support ticket on your behalf. In some
cases, for legal reasons, Microsoft Support must communicate directly with the
sender who owns the IP space that is being blocked. However, non-customers
typically can't open support tickets.
For more information about Microsoft Technical support for Office 365, see
Support.
Important
This article is only for EOP customers in hybrid environments with mailboxes in on-
premises Exchange environments. This article does not apply to Microsoft 365
customers with Exchange Online mailboxes.
Specifically, you need to create mail flow rules (also known as transport rules) in your
on-premises Exchange organization with the following settings:
Conditions: Find messages with the following EOP anti-spam headers and values:
X-Forefront-Antispam-Report: SFV:SPM (message marked as spam by spam
filtering)
X-Forefront-Antispam-Report: SFV:SKS (message marked as spam by mail flow
rules in EOP before spam filtering)
X-Forefront-Antispam-Report: SFV:SKB (message marked as spam by spam
filtering due to the sender's email address or email domain being in the blocked
sender list or the blocked domain list in EOP)
For more information about these header values, see Anti-spam message headers.
Action: Set the spam confidence level (SCL) of these messages to 6 (spam).
This article describes how to create the required mail flow rules the Exchange admin
center (EAC) and in the Exchange Management Shell (Exchange PowerShell) in the on-
premises Exchange organization.
Tip
Instead of delivering the messages to the on-premises user's Junk Email folder, you
can configure anti-spam policies in EOP to quarantine spam messages in EOP. For
more information, see Configure anti-spam policies in EOP.
What do you need to know before you begin?
You need to be assigned permissions in the on-premises Exchange environment
before you can do these procedures. Specifically, you need to be assigned the
Transport Rules role, which is assigned to the Organization Management,
Compliance Management, and Records Management roles by default. For more
information, see Add members to a role group.
To open the EAC on an Exchange Server, see Exchange admin center in Exchange
Server. To open the Exchange Management Shell, see Open the Exchange
Management Shell or Connect to Exchange servers using remote PowerShell.
For more information about mail flow rules in on-premises Exchange, see the
following articles:
Mail flow rules in Exchange Server
Mail flow rule conditions and exceptions (predicates) in Exchange Server
Mail flow rule actions in Exchange Server
2. Click Add and select Create a new rule in the drop-down that appears.
3. In the New rule page that opens, configure the following settings:
Name: Enter a unique, descriptive name for the rule. For example:
EOP SFV:SPM to SCL 6
EOP SFV:SKS to SCL 6
EOP SFV:SKB to SCL 6
Apply this rule if: Select A message header > includes any of these words.
In the Enter text header includes Enter words sentence that appears, do the
following steps:
Click Enter text. In the Specify header name dialog that appears, enter X-
Forefront-Antispam-Report and then click OK.
Click Enter words. In the Specify words or phrases dialog that appears,
enter one of the EOP spam header values (SFV:SPM, SFV:SKS, or SFV:SKB),
click Add, and then click OK.
Do the following: Select Modify the message properties > Set the spam
confidence level (SCL).
In the Specify SCL dialog that appears, select 6 (the default value is 5).
Repeat these steps for the remaining EOP spam verdict values (SFV:SPM, SFV:SKS, or
SFV:SKB).
Powershell
For example:
Powershell
Powershell
Powershell
In the EAC, go to Mail flow > Rules, select the rule, and then click Edit to verify
the settings.
In the Exchange Management Shell, replace <RuleName> with the name of the
mail flow rule, and run the following command to verify the settings:
PowerShell
In an external email system that doesn't scan outbound messages for spam, send
a Generic Test for Unsolicited Bulk Email (GTUBE) message to an affected recipient,
and confirm that it's delivered to their Junk Email folder. A GTUBE message is
similar to the European Institute for Computer Antivirus Research (EICAR) text file
for testing malware settings.
To send a GTUBE message, include the following text in the body of an email
message on a single line, without any spaces or line breaks:
text
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
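The procedure above as one script, added here as an example and not taken from the article: it pulls the SFV verdict out of a constructed X-Forefront-Antispam-Report value (to show which of the three rules would fire for a given message), creates whichever of the three rules don't yet exist in the on-premises Exchange organization, and lists them for verification. The rule names follow the article's examples; the sample header value is constructed, not from a real message; the cmdlets are the Exchange Management Shell's New-TransportRule and Get-TransportRule, and the script checks for them so the parsing helper still runs in a plain PowerShell session.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell of the on-premises Exchange organization; the parsing helper runs anywhere.

function Get-EopSpamVerdict {
    # X-Forefront-Antispam-Report is a ';'-separated list of KEY:VALUE fields.
    # The SFV field carries the spam verdict (SPM, SKS, SKB, NSPM, ...).
    param([Parameter(Mandatory)][string]$HeaderValue)
    foreach ($field in $HeaderValue -split ';') {
        if ($field.Trim() -match '^SFV:([A-Z]+)$') { return "SFV:$($Matches[1])" }
    }
    return $null
}

# The verdict values the rules act on, with the meaning the article gives each one.
$spamVerdicts = [ordered]@{
    'SFV:SPM' = 'marked as spam by EOP spam filtering'
    'SFV:SKS' = 'marked as spam by an EOP mail flow rule before spam filtering'
    'SFV:SKB' = 'sender address or domain is on the EOP blocked sender/domain list'
}

# Constructed sample header value (not a real message) to show the parsing.
$sample = 'CIP:203.0.113.5;CTRY:US;LANG:en;SCL:6;SRV:;IPV:NLI;SFV:SPM;H:mail.example.net;PTR:;CAT:SPM;DIR:INB;'
$verdict = Get-EopSpamVerdict -HeaderValue $sample
if ($verdict -and $spamVerdicts.Contains($verdict)) {
    Write-Host "Sample header verdict $verdict ($($spamVerdicts[$verdict])): a rule would set SCL 6"
}

if (Get-Command New-TransportRule -ErrorAction SilentlyContinue) {
    foreach ($sfv in $spamVerdicts.Keys) {
        $name = "EOP $sfv to SCL 6"
        if (Get-TransportRule -Identity $name -ErrorAction SilentlyContinue) {
            Write-Host "Rule '$name' already exists, skipping"
            continue
        }
        # Condition: X-Forefront-Antispam-Report includes the verdict; action: SCL 6.
        New-TransportRule -Name $name `
            -HeaderContainsMessageHeader 'X-Forefront-Antispam-Report' `
            -HeaderContainsWords $sfv `
            -SetSCL 6 `
            -Comments "Deliver EOP spam ($($spamVerdicts[$sfv])) to the on-premises Junk Email folder"
    }

    # Verification: each rule should show the header, its SFV value, and SetSCL = 6.
    Get-TransportRule | Where-Object { $_.Name -like 'EOP SFV:* to SCL 6' } |
        Format-List Name, State, HeaderContainsMessageHeader, HeaderContainsWords, SetSCL
} else {
    Write-Warning 'New-TransportRule is not available: open the Exchange Management Shell to create the rules.'
}
```

After the rules exist, the GTUBE test described above is the end-to-end check: send the GTUBE string from an external system that doesn't scan outbound mail and confirm the message lands in the recipient's Junk Email folder, which proves that EOP stamped SFV:SPM and that the on-premises rule raised the SCL.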
There are many tools that can be used to monitor the use and transport of personal
data. This topic describes three tools that work well.
In the illustration:
Start with Microsoft Purview data loss prevention reports for monitoring personal
data in SharePoint Online, OneDrive for Business, and email in transit. These
reports provide the greatest level of detail for monitoring personal data. However,
these reports don't include all services in Office 365.
Next, use alert policies and the audit log to monitor activity across services. Set up
ongoing monitoring or search the audit log to investigate an incident. The audit
log works across services—Sway, Power BI, eDiscovery, Dynamics 365, Power
Automate, Microsoft Teams, Admin activity, OneDrive for Business, SharePoint
Online, mail in transit, and mailboxes at rest. Skype conversations are included in
mailboxes at rest.
Finally, use Microsoft Defender for Cloud Apps to monitor files with sensitive data
in other SaaS providers. Coming soon is the ability to use sensitive information
types and unified labels across Azure Information Protection and Office with
Defender for Cloud Apps. You can set up policies that apply to all of your SaaS
apps or specific apps (like Box). Defender for Cloud Apps doesn't discover files in
Exchange Online, including files attached to email.
Focus on specific time periods and understand the reasons for spikes and trends.
Discover business processes that violate your organization's DLP policies.
Understand any business impact of the DLP policies.
View the justifications submitted by users when they resolve a policy tip by
overriding the policy or reporting a false positive.
Verify compliance with a specific DLP policy by showing any matches for that
policy.
View a list of files with sensitive data that matches your DLP policies in the details
pane.
In addition, you can use the DLP reports to fine-tune your DLP policies as you run them
in test mode.
DLP reports are in the Microsoft Purview compliance portal. Go to Reports >
Organizational data section to find the DLP policy matches, DLP incidents, and DLP
false positives and overrides reports.
For more information, see View the reports for data loss prevention.
Set up alert policies, view alerts, and monitor trends—Use the alert policy and alert
dashboard tools in either the Microsoft 365 Defender portal or the Microsoft
Purview compliance portal.
Search the audit log directly: Search for all events in a specified date range. Or you
can filter the results based on specific criteria, such as the user who performed the
action, the action, or the target object.
Information compliance and security teams can use these tools to proactively review
activities performed by both end users and administrators across services. Automatic
alerts can be configured to send email notifications when certain activities occur on
specific site collections - for example when content is shared from sites known to
contain GDPR-related information. This allows those teams to follow up with users to
ensure that corporate security policies are followed, or to provide additional training.
Information security teams can also search the audit log to investigate suspected data
breaches and determine both root cause and the extent of the breach. This built-in
capability facilitates compliance with article 33 and 34 of the GDPR, which require
notifications be provided to the GDPR supervisory authority and to the data subjects
themselves of a data breach within a specific time period. Audit log entries are only
retained for 90 days within the service; it is often recommended, and many
organizations require, that these logs be retained for longer periods of time.
Solutions are available that subscribe to the Unified Audit Logs through the Microsoft
Management Activity API and can both store log entries as needed, and provide
advanced dashboards and alerts. One example is Microsoft Operations Management
Suite (OMS).
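One way to do the retention the paragraph calls for without a third-party subscriber, added here as an example and not from the original article: query the unified audit log with the filters described above (date range, record type, operations), flatten the JSON in each record's AuditData field, and export the result to CSV so it outlives the service's retention window. The constructed record at the top shows the flattening offline; the query itself needs an Exchange Online PowerShell session (Connect-ExchangeOnline), and the record type, operations and output path are placeholders chosen for the example.

```powershell
# Added example, not from the original article. Exports selected audit records
# to CSV so they survive beyond the service's retention window.

function ConvertFrom-AuditRecord {
    # Search-UnifiedAuditLog returns the event detail as a JSON string in AuditData;
    # flatten the fields an analyst usually pivots on.
    param([Parameter(Mandatory)]$Record)
    $data = $Record.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate = $Record.CreationDate
        RecordType   = $Record.RecordType
        Operation    = $data.Operation
        UserId       = $data.UserId
        ClientIP     = $data.ClientIP
        ObjectId     = $data.ObjectId
        Workload     = $data.Workload
    }
}

# Constructed record (same shape as a Search-UnifiedAuditLog result), not real data.
$constructed = [pscustomobject]@{
    CreationDate = [datetime]'2022-12-01T10:15:00Z'
    RecordType   = 'SharePointFileOperation'
    AuditData    = '{"Operation":"FileDownloaded","UserId":"alex@contoso.com","ClientIP":"203.0.113.7","ObjectId":"https://contoso.sharepoint.com/sites/HR/Shared Documents/payroll.xlsx","Workload":"SharePoint"}'
}
ConvertFrom-AuditRecord -Record $constructed | Format-Table -AutoSize

if (Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue) {
    $start = (Get-Date).AddDays(-90)   # reach back as far as the service retains entries
    $end   = Get-Date
    $sessionId = "export-$(Get-Date -Format yyyyMMddHHmmss)"
    $rows = @()
    do {
        # ReturnLargeSet pages through the result set 5,000 records per call under one SessionId.
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType SharePointFileOperation `
            -Operations FileDownloaded, FileSyncDownloadedFull `
            -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
        if ($page) { $rows += $page | ForEach-Object { ConvertFrom-AuditRecord -Record $_ } }
    } while ($page)

    $rows | Sort-Object CreationDate | Export-Csv -Path .\audit-export.csv -NoTypeInformation
    Write-Host "Exported $($rows.Count) records to audit-export.csv"
} else {
    Write-Warning 'Connect to Exchange Online PowerShell (Connect-ExchangeOnline) to query the audit log.'
}
```

Narrow the RecordType and Operations filters to what your breach playbook actually needs; an unfiltered 90-day export of a large tenant is slow, and the per-session cap on ReturnLargeSet means a broad query should be split into shorter date windows.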
More information about alert policies and searching the audit log:
Microsoft Defender for Cloud Apps is a comprehensive service providing deep visibility,
granular controls, and enhanced threat protection for your cloud apps. It identifies more
than 15,000 cloud applications in your network, from all devices, and provides risk
scoring and ongoing risk assessment and analytics. No agents required: information is
collected from your firewalls and proxies to give you complete visibility and context for
cloud usage and shadow IT.
To better understand your cloud environment, the Defender for Cloud Apps investigate
feature provides deep visibility into all activities, files, and accounts for sanctioned and
managed apps. You can gain detailed information on a file level and discover where
data travels in the cloud apps.
For example, the following illustration demonstrates two Defender for Cloud Apps
policies that can help with GDPR.
The first policy alerts when files with a predefined PII attribute or custom expression that
you choose is shared outside the organization from the SaaS apps that you choose.
The second policy blocks downloads of files to any unmanaged device. You choose the
attributes within the files to look for and the SaaS apps you want the policy to apply to.
These attribute types are coming soon to Defender for Cloud Apps:
First policy (alert when files with PII are shared outside the organization):
Category: DLP
Content inspection: Includes files that match a preset expression: All countries: Finance: Credit card number
Don't require relevant context: unchecked (this setting matches keywords as well as the regex)
Alerts, send to: infosec@contoso.com
Similar policies:
Notes:
Box monitoring requires a connector to be configured using the API Connector SDK.
This policy requires capabilities that are currently in private preview.
Second policy (block downloads to unmanaged devices):
Policy template: No template
Policy severity: High
Alerts, send to: infosec@contoso.com
App: Office 365
Similar policies:
Summary
Is your organization using or planning to get a Security Information and Event
Management (SIEM) server? You might be wondering how it integrates with Microsoft
365 or Office 365. This article provides a list of resources you can use to integrate your
SIEM server with Microsoft 365 services and applications.
Tip
If you don't have a SIEM server yet and are exploring your options, consider
Microsoft Sentinel.
Fabrikam has some content and applications on premises, and some in the cloud
(they have a hybrid cloud deployment). To get security reports across all their
content and applications, Fabrikam has implemented a SIEM server.
Contoso is a financial services organization that has particularly stringent security
requirements. They have added a SIEM server to their environment to take
advantage of the extra security protection they require.
Microsoft Defender for Office 365: Audit logs. See SIEM integration with Microsoft Defender for Office 365.
Microsoft Defender for Endpoint: HTTPS endpoint hosted in Azure, REST API. See Pull alerts to your SIEM tools.
Microsoft Defender for Cloud Apps: Log integration. See SIEM integration with Microsoft Defender for Cloud Apps.
Tip
Take a look at Microsoft Sentinel. Microsoft Sentinel comes with connectors for
Microsoft solutions. These connectors are available "out of the box" and provide for
real-time integration. You can use Microsoft Sentinel with your Microsoft 365
Defender solutions and Microsoft 365 services, including Office 365, Azure AD,
Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and more.
Note that you can choose tables from any other Microsoft Defender product you find
helpful and applicable while completing the final step, (below).
More resources
Integrate security solutions in Microsoft Defender for Cloud
SIEM integration enables you to view information, such as malware or phish detected by
Microsoft Defender for Office 365, in your SIEM server reports.
To see an example of SIEM integration with Microsoft Defender for Office 365, see
Tech Community blog: Improve the Effectiveness of your SOC with Defender for
Office 365 and the O365 Management API .
To learn more about the Office 365 Management APIs, see Office 365 Management
APIs overview.
The SIEM server or other similar system polls the audit.general workload to access
detection events. To learn more, see Get started with Office 365 Management APIs.
AuditLogRecordType
The following table summarizes the values of AuditLogRecordType that are relevant for
Microsoft Defender for Office 365 events:
Important
You must have either the global administrator or Security Administrator role
assigned in the Microsoft 365 Defender portal to set up SIEM integration with
Microsoft Defender for Office 365. For more information, see Permissions in the
Microsoft 365 Defender portal.
Audit logging must be turned on for your Microsoft 365 environment. To get help
with this, see Turn audit log search on or off.
See also
Office 365 threat investigation and response
Automated investigation and response (AIR) in Office 365
Privileged Identity Management (PIM)
and why to use it with Microsoft
Defender for Office 365
Article • 12/06/2022 • 4 minutes to read
Privileged Identity Management (PIM) is an Azure feature that, once set up, gives users
access to data for a limited period (sometimes called a time-boxed period) so that a
specific task can be done. This access is granted 'just-in-time' for the action that's
required, and then revoked. PIM limits both the access and the time a user has to
sensitive data, reducing exposure compared to privileged administration accounts that
hold long-term access to data and other settings. So how can we use this feature (PIM)
in conjunction with Microsoft Defender for Office 365?
Tip
PIM access is scoped to the role and identity level and allows completion of
multiple tasks. It's not to be confused with Privileged Access Management (PAM)
which is scoped at a Task level.
In this example we will configure "Alex", a member of our security team, with zero
standing access within Office 365. Alex can elevate to a role required for normal
day-to-day operations, such as threat hunting, and separately to a higher level of
privilege for less frequent but sensitive operations, such as remediating malicious
email that has already been delivered.
Note
This will walk you through the steps required to set up PIM for a Security Analyst
who requires the ability to purge emails using Threat Explorer in Microsoft
Defender for Office 365, but the same steps can be used for other RBAC roles
within the Security & Compliance portal. For example, this process could be used
for an information worker who requires day-to-day access in eDiscovery to perform
searches and case work, but only occasionally needs the elevated right to export
data from the tenant.
Step 1. In the Azure PIM console for your subscription, add the user (Alex) to the Azure
Security Reader role and configure the security settings related to activation.
1. Sign into the Azure AD Admin Center and select Azure Active Directory > Roles
and administrators.
2. Select Security Reader in the list of roles and then Settings > Edit
3. Set the 'Activation maximum duration (hours)' to a normal working day and 'On
activation' to require Azure MFA.
4. As this is Alex's normal privilege level for day-to-day operations, we will uncheck
'Require justification on activation' > Update.
5. Select Add Assignments > No member selected > select or type the name to
search for the correct member.
6. Click the Select button to choose the member you need to add for PIM privileges
> click Next > make no changes on the Add Assignment page (both assignment
type Eligible and duration Permanently Eligible are the defaults) and Assign.
The name of your user (here 'Alex') will appear under Eligible assignments on the next
page, this means they are able to PIM into the role with the settings configured earlier.
Step 2. Create the required second (elevated) permission group for additional tasks and
assign eligibility.
Using Privileged Access groups we can now create our own custom groups and
combine permissions or increase granularity where required to meet your organizational
practices and needs.
Nest the newly created security group into the role group
1. Connect to Security & Compliance PowerShell and run the following command:
PowerShell
2. Navigate to PIM, where the user can activate their day-to-day security reader role.
3. If you try to purge an email using Threat Explorer, you get an error stating you
need additional permissions.
4. PIM a second time into the more elevated role, after a short delay you should now
be able to purge emails without issue.
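The nesting step from Security & Compliance PowerShell, added here as an example rather than taken from the article: it adds the PIM-eligible group to the role group and verifies the membership before and after. The role group name ('Search and Purge', the built-in group that carries the Search And Purge role Threat Explorer needs for purging) and the group name 'PIM-SecOps-Purge' are assumptions standing in for the group created in Step 2; the cmdlets are Add-RoleGroupMember and Get-RoleGroupMember, and the script checks that a session (Connect-IPPSSession) exists before calling them.

```powershell
# Added example, not from the original article. Nests the PIM-eligible security
# group into the role group and verifies the membership. Run after Connect-IPPSSession.

$roleGroup = 'Search and Purge'      # assumed: role group carrying the Search And Purge role
$pimGroup  = 'PIM-SecOps-Purge'      # assumed: the group Alex is eligible for via PIM

if (Get-Command Add-RoleGroupMember -ErrorAction SilentlyContinue) {
    $before = Get-RoleGroupMember -Identity $roleGroup | Select-Object -ExpandProperty Name
    if ($before -contains $pimGroup) {
        Write-Host "'$pimGroup' is already a member of '$roleGroup'"
    } else {
        Add-RoleGroupMember -Identity $roleGroup -Member $pimGroup
        Write-Host "Added '$pimGroup' to '$roleGroup'"
    }

    # Verify: the group is listed as a member. Alex only inherits the role while a
    # PIM activation into that group is active, which is the whole point of the design.
    Get-RoleGroupMember -Identity $roleGroup | Format-Table Name -AutoSize
} else {
    Write-Warning 'Connect to Security & Compliance PowerShell first (Connect-IPPSSession).'
}
```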
Our thanks to Customer Engineer Ben Harris for access to the blog post and resources
used for this content.
Add support for anonymous inbound
email over IPv6 in Microsoft 365
Article • 12/10/2022 • 2 minutes to read
Microsoft 365 organizations with Exchange Online mailboxes and standalone Exchange
Online Protection (EOP) organizations without Exchange Online mailboxes support
anonymous inbound email over IPv6. The source IPv6 email server must meet both of
the following requirements:
The source IPv6 address must have a valid reverse DNS lookup (PTR) record that
allows the destination to find the domain name from the IPv6 address.
The sender must pass either SPF verification (defined in RFC 7208) or DKIM
verification (defined in RFC 6376).
Before your organization can receive anonymous inbound email over IPv6, an admin
needs to contact Microsoft support and ask for it. For instructions about how to open a
support request, see Contact support for business products - Admin Help.
After anonymous inbound IPv6 message support is enabled in your organization, these
messages go through the normal message filtering that the service provides.
Troubleshooting
If the source email server doesn't have an IPv6 reverse DNS lookup record, the
messages will be rejected with the following error:
If the sender doesn't pass SPF or DKIM validation, the messages will be rejected
with the following error:
If your organization hasn't been enabled for anonymous inbound email over IPv6
(see the support request above), the messages will be rejected with the following
error:
550 5.2.1 Service unavailable, [contoso.com] does not accept email over IPv6.
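A pre-flight check for the two sender requirements above, added here as an example and not part of the original article: it derives the ip6.arpa name for a sending IPv6 address (the name the PTR record must exist under), resolves it, and looks at the sender domain's SPF record. The address and domain are constructed documentation values; Resolve-DnsName needs network access; and the SPF part only reports whether the published record lists any ip6: mechanism, which is a hint and not an RFC 7208 evaluation of the sending address. DKIM is not checked because that needs the selector from a real signed message.

```powershell
# Added example, not from the original article. Checks the PTR requirement for an
# IPv6 sender and inspects the sender domain's SPF record.

function ConvertTo-Ip6ArpaName {
    # Reverse DNS for IPv6: the 32 hex nibbles of the address, reversed,
    # dot-separated, under ip6.arpa.
    param([Parameter(Mandatory)][string]$IPv6Address)
    $addr = [System.Net.IPAddress]::Parse($IPv6Address)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $IPv6Address"
    }
    $hex = -join ($addr.GetAddressBytes() | ForEach-Object { $_.ToString('x2') })
    $nibbles = $hex.ToCharArray()
    [array]::Reverse($nibbles)
    return ($nibbles -join '.') + '.ip6.arpa'
}

function Test-IPv6SenderRequirements {
    param(
        [Parameter(Mandatory)][string]$SourceIP,
        [Parameter(Mandatory)][string]$SenderDomain
    )
    $result = [ordered]@{ SourceIP = $SourceIP; PtrName = (ConvertTo-Ip6ArpaName $SourceIP) }
    try {
        $ptr = Resolve-DnsName -Name $result.PtrName -Type PTR -ErrorAction Stop
        $result.Ptr = ($ptr | Where-Object Type -eq 'PTR').NameHost
    } catch {
        $result.Ptr = $null      # no PTR record: the service rejects the message
    }
    try {
        $txt = Resolve-DnsName -Name $SenderDomain -Type TXT -ErrorAction Stop
        $spf = ($txt | Where-Object { $_.Strings -like 'v=spf1*' }).Strings -join ''
        $result.SpfRecord = $spf
        # Hint only: does the SPF record mention an ip6: mechanism at all?
        $result.SpfListsIPv6 = [bool]($spf -match '\bip6:')
    } catch {
        $result.SpfRecord = $null
        $result.SpfListsIPv6 = $false
    }
    return [pscustomobject]$result
}

# Offline part: the reverse name for a documentation-range address (RFC 3849).
ConvertTo-Ip6ArpaName -IPv6Address '2001:db8::25'

# Network part: constructed sender values; replace with the real relay and domain.
Test-IPv6SenderRequirements -SourceIP '2001:db8::25' -SenderDomain 'example.com' | Format-List
```

A missing Ptr in the output is the case the first troubleshooting bullet describes, and it is worth fixing on the sending side before opening the support request, since the rejection happens before any of the filtering discussed above.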
Related topics
Support for validation of DKIM signed messages
Support for validation of DKIM signed
messages
Article • 12/10/2022 • 2 minutes to read
Exchange Online Protection (EOP) and Exchange Online both support inbound
validation of DomainKeys Identified Mail (DKIM) messages.
DKIM lets the receiving system verify that a message was signed by the domain named in
the signature and wasn't altered in transit, which ties the message to the organization
that sent it (checking that this signing domain lines up with the From address is the job
of DMARC). DKIM verification is applied automatically to all messages sent over IPv6, and
Microsoft 365 also validates DKIM on mail sent over IPv4. (For more information about
IPv6 support, see Support for anonymous inbound email messages over IPv6.)
DKIM validation checks the digital signature carried in the message's DKIM-Signature
header. The result is stamped in the Authentication-Results header, which looks similar
to the following fragment (where example.com is the signing domain, reported as
header.d):
header.d=example.com;
Note
For more information about the Authentication-Results header, see RFC 7001
(Message Header Field for Indicating Message Authentication Status).
Microsoft's DKIM implementation conforms with this RFC.
Admins can create Exchange mail flow rules (also known as transport rules) on the
results of DKIM validation. These mail flow rules will allow admins to filter or route
messages as needed.
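The two halves of that, added here as an example and not from the original article: a helper that extracts the dkim= result and header.d from an Authentication-Results value, exercised on a constructed header shaped like the one the service stamps, and an Exchange Online mail flow rule that acts on a DKIM failure. The rule, the partner domain list and the SCL action are illustrative: it targets only senders you know always sign, because unsigned mail from arbitrary domains yields dkim=none rather than dkim=fail and a blanket rule on dkim=fail would still catch legitimate forwarding breakage. New-TransportRule needs a Connect-ExchangeOnline session, so the script checks for it first.

```powershell
# Added example, not from the original article. Parses the DKIM result from an
# Authentication-Results header and creates a mail flow rule that acts on it.

function Get-DkimResult {
    # Authentication-Results is ';'-separated: an authserv-id, then method=result
    # clauses with optional properties such as header.d (the signing domain).
    param([Parameter(Mandatory)][string]$HeaderValue)
    foreach ($clause in $HeaderValue -split ';') {
        $clause = $clause.Trim()
        if ($clause -match '^dkim=(?<result>[a-z]+)(?:\s*\(.*?\))?.*?header\.d=(?<domain>[^\s;]+)') {
            return [pscustomobject]@{ Result = $Matches.result; SigningDomain = $Matches.domain }
        }
        if ($clause -match '^dkim=(?<result>[a-z]+)') {
            return [pscustomobject]@{ Result = $Matches.result; SigningDomain = $null }
        }
    }
    return $null   # no dkim clause at all: the message carried no signature to check
}

# Constructed sample, shaped like the header the service stamps (not a real message).
$sample = 'spf=pass (sender IP is 203.0.113.9) smtp.mailfrom=example.com; ' +
          'dkim=pass (signature was verified) header.d=example.com; ' +
          'dmarc=pass action=none header.from=example.com'
Get-DkimResult -HeaderValue $sample | Format-List

if (Get-Command New-TransportRule -ErrorAction SilentlyContinue) {
    # Assumed partner domains that always sign; a failing signature from them is suspect.
    $partnerDomains = @('partner.example', 'supplier.example')
    # Conditions combine with AND: sender domain in the list AND the header says dkim=fail.
    New-TransportRule -Name 'DKIM failure from signing partners to SCL 9' `
        -SenderDomainIs $partnerDomains `
        -HeaderContainsMessageHeader 'Authentication-Results' `
        -HeaderContainsWords 'dkim=fail' `
        -SetSCL 9 `
        -Comments 'Added example: treat DKIM failures from partners that always sign as high-confidence spam'
} else {
    Write-Warning 'Connect to Exchange Online PowerShell (Connect-ExchangeOnline) to create the rule.'
}
```

Start such a rule in test mode (the EAC's "Test with Policy Tips" or the -Mode Audit parameter of New-TransportRule) and review the matches before enforcing it; the helper above is what you would run over exported headers to see how often each partner actually fails.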
Application Guard for Office for admins
Article • 12/22/2022 • 10 minutes to read
Applies to: Word, Excel, and PowerPoint for Microsoft 365 Apps, Windows 10 Enterprise,
Windows 11 Enterprise
Microsoft Defender Application Guard for Office (Application Guard for Office) helps
prevent untrusted files from accessing trusted resources, keeping your enterprise safe
from new and emerging attacks. This article walks admins through setting up supported
devices for Application Guard for Office.
Prerequisites
Licensing requirements
Microsoft 365 E5 or Microsoft 365 E5 Security
Safe Documents in Microsoft 365
For detailed system requirements, refer to System requirements for Microsoft Defender
Application Guard. Also, please refer to your computer manufacturer's guides on how to
enable virtualization technology.
To learn more about Microsoft 365 Apps update
channels, see Overview of update channels for Microsoft 365 Apps.
2. Select Microsoft Defender Application Guard under Windows Features and select
OK. Enabling the Application Guard feature will prompt a system reboot. You can
choose to reboot now or after step 3.
The feature can also be enabled by running the following PowerShell command as
administrator:
PowerShell
3. From the Group Policy Editor window, expand Computer Configuration ->
Administrative Templates -> Windows Components -> Microsoft Defender
Application Guard. Enable the Turn on Microsoft Defender Application Guard in
Managed Mode setting. Set the value under Options as 2 or 3.
OMA-URI:
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/Allow
WindowsDefenderApplicationGuard
Value: 2
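Steps 2 and 3 as one elevated script, added here as an example and not from the original article: it checks the virtualization prerequisite mentioned under system requirements, enables the Windows feature the same way the Windows Features dialog does, writes the managed-mode policy value, and reports the state. The registry location is an assumption: it is taken to be the value the Group Policy setting "Turn on Microsoft Defender Application Guard in Managed Mode" writes (AppHVSI\AllowAppHVSI_ProviderSet), with 2 matching the OMA-URI value above and 3 taken to also cover Microsoft Edge. A reboot is still required after the feature is enabled.

```powershell
# Added example, not from the original article. Run elevated on Windows 10/11 Enterprise.
#Requires -RunAsAdministrator

# Virtualization must be enabled in firmware; Get-ComputerInfo reports this only
# when Hyper-V isn't already installed, so treat an empty value as "no information".
$ci = Get-ComputerInfo
if ($null -ne $ci.HyperVRequirementVirtualizationFirmwareEnabled -and
    -not $ci.HyperVRequirementVirtualizationFirmwareEnabled) {
    Write-Warning 'Virtualization is disabled in firmware; enable it in BIOS/UEFI before continuing.'
}

# Step 2 equivalent: enable the feature (same as ticking it under Windows Features).
$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
$needsReboot = $false
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart | Out-Null
    $needsReboot = $true
}

# Step 3 equivalent: managed mode. Assumed registry value for the Group Policy setting;
# 2 = Office (as in the OMA-URI above), 3 = Edge and Office.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name 'AllowAppHVSI_ProviderSet' -PropertyType DWord -Value 2 -Force | Out-Null

# Verify what was set.
[pscustomobject]@{
    FeatureState   = (Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).State
    ManagedMode    = (Get-ItemProperty -Path $policyKey -Name 'AllowAppHVSI_ProviderSet').AllowAppHVSI_ProviderSet
    RebootRequired = $needsReboot
}
```

In a managed fleet, deliver the policy value through Group Policy or the OMA-URI rather than this direct registry write, so that it is enforced and reported centrally; the script is for a pilot device or for confirming what a policy has actually applied.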
Note
This is not required, however, configuring optional diagnostics data will help
diagnose reported issues.
This step ensures that the data necessary to identify and fix problems is reaching
Microsoft. Follow these steps to enable diagnostics on your Windows device:
3. Under Privacy, select Diagnostics & feedback and select Optional diagnostic data.
1. Launch Word, Excel, or PowerPoint on a device where the policies have been
deployed.
2. From the app you launched, go to File -> Account. On the Account page, verify
that the expected license is shown.
To confirm that Application Guard for Office is enabled, open an untrusted document.
For example, you can open a document that was downloaded from the internet or an
email attachment from someone outside your organization.
When you first open an untrusted file, you see an Office splash screen like the following
example. Application Guard for Office is being activated and the file is being opened.
Subsequent openings of untrusted files are typically faster.
After the file opens, there are a few visual indicators that signal that the file is open
inside Application Guard for Office:
A callout in the ribbon
Note
Configuring these policies can disable some functionality for files opened in
Application Guard for Office.
Policy: Don't use Application Guard for Office
Description: Enabling this policy forces Word, Excel, and PowerPoint to use the Protected View isolation container instead of Application Guard for Office.
Policy: Configure Application Guard for Office container pre-creation
Description: This policy determines if the Application Guard for Office container is pre-created for improved run-time performance. When you enable this policy, you can specify the number of days to continue pre-creating a container or let the Office built-in heuristic pre-create the container.
Policy: Don't allow copy/paste for Office documents opened in Application Guard for Office
Description: Enabling this policy prevents a user from copying and pasting content from a document opened in Application Guard for Office to a document opened outside of the container.
Policy: Disable hardware acceleration in Application Guard for Office
Description: This policy controls whether Application Guard for Office uses hardware acceleration to render graphics. If you enable this setting, Application Guard for Office uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.
Policy: Disable unsupported file types protection in Application Guard for Office
Description: This policy controls whether Application Guard for Office will block unsupported file types from being opened or if it will enable the redirection to Protected View.
Policy: Turn off camera and microphone access for documents opened in Application Guard for Office
Description: Enabling this policy removes Office access to the camera and microphone inside Application Guard for Office.
Policy: Restrict printing from documents opened in Application Guard for Office
Description: Enabling this policy limits the printers that a user can print to from a file opened in Application Guard for Office. For example, you can use this policy to restrict users to only print to PDF.
Policy: Prevent users from removing Application Guard for Office protection on files
Description: Enabling this policy removes the option (within the Office application experience) to disable Application Guard for Office protection or to open a file outside Application Guard for Office. Note: Users can still bypass this policy by manually removing the mark-of-the-web property from the file or by moving a document to a trusted location.
Note
For the following policies to take effect, users are required to sign out and sign in
again to Windows:
2. If you get an error dialog while launching Application Guard, select Report to
Microsoft in the error dialog to start a new feedback submission. Otherwise,
navigate to https://aka.ms/mdagoffice-fb to select the correct category for
Application Guard, then select + Add new feedback near the top right.
4. Enter a detailed description of the issue and what steps you completed to debug
in the Explain in more detail box, then select Next.
5. Select the bubble next to Problem. Make sure the category selected is Security
and Privacy > Microsoft Defender Application Guard – Office, then select Next.
b. If the issue you're experiencing occurs while Application Guard is running, open
an Application Guard instance. Opening an instance allows additional traces to
be collected from within the Application Guard container.
c. Select Start recording, and wait for the tile to stop spinning and say Stop
recording.
d. Fully reproduce the issue with Application Guard. Reproduction might include
attempting to launch an Application Guard instance and waiting until it fails, or
reproducing an issue in a running Application Guard instance.
f. Keep any running Application Guard instance(s) open, even for a few minutes
after submission, so that container diagnostics can also be collected.
Safe Documents in Microsoft 365 E5 is a feature that uses Microsoft Defender for
Endpoint to scan documents opened in Application Guard for Office. For an additional
layer of protection, users can't leave Application Guard for Office until the results of the
scan have been determined.
Note
Advise users to only remove protection if they trust the file and the source of
the file.
Active content such as macros and ActiveX controls is disabled in Application Guard
for Office. To enable active content, the Application Guard protection must be
removed from the file.
Untrusted files from network shares or files shared from OneDrive, OneDrive for
Business, or SharePoint Online open as read-only in Application Guard. Users can
save a local copy of such files to continue working in the container or remove
protection to directly work with the original file.
Files that are protected by Information Rights Management (IRM) are blocked by
default. If users want to open such files in Protected View, an administrator must
configure policy settings for unsupported file types for the organization.
Only Accessibility tools that use the UIA framework can provide an accessible
experience for files opened in Application Guard for Office.
Network connectivity is required for the first launch of Application Guard after
installation.
In the document's info section, the Last Modified By property may display
WDAGUtilityAccount as the user. WDAGUtilityAccount is the anonymous account
used by Application Guard. The desktop user's identity isn't available inside the
Application Guard container.
To provide users with the expected file-opening experience, Application Guard uses
logic to pre-create a container when the following heuristic is met on a system: A user
has opened a file in either Protected View or Application Guard in the past 28 days.
When this heuristic is met, Office will pre-create an Application Guard container for the
user after they sign in to Windows. While this pre-create operation is in progress, the
system may experience slow performance, but the effect will resolve as soon as the
operation completes.
Note
The hints needed for the heuristic to pre-create the container are generated by
Office applications as a user uses them. If a user installs Office on a new system
where Application Guard is enabled, Office will not pre-create the container until
after the first time a user opens an untrusted document on the system. The user will
observe that this first file takes longer to open in Application Guard.
Known issues
Selecting web links ( http or https ) doesn't open the browser.
The default setting for copy-paste protection policy is to enable clipboard access
to text only.
The default setting for unsupported file types protection policy is to block opening
untrusted unsupported file types that are encrypted or have Information Rights
Management (IRM) set. This includes files that are encrypted by using sensitivity
labels from Microsoft Purview Information Protection.
CSV and HTML files are not supported at this time.
Application Guard for Office currently does not work with NTFS compressed
volumes. If you are seeing an error "ERROR_VIRTUAL_DISK_LIMITATION" please try
uncompressing the volume.
Updates to .NET might cause files to fail to open in Application Guard. As a
workaround, users can restart their device when they come across this failure.
Learn more about the issue at Receiving an error message when attempting to
open Windows Defender Application Guard or Windows Sandbox .
Please see Frequently asked questions - Microsoft Defender Application Guard for
additional information.
Delegated administration FAQ
This article provides frequently asked questions and answers about delegated
administration tasks in Microsoft 365 for Microsoft partners and resellers. Delegated
administration includes the ability to manage Exchange Online Protection (EOP) settings
for other tenants (companies).
Here we answer the most common general questions about Exchange Online Protection
(EOP) cloud-hosted email filtering service. For additional frequently asked questions
(FAQ) topics, go to the following links:
Quarantine FAQ
What is EOP?
EOP is a cloud-hosted email filtering service built to protect customers from spam and
malware, and to implement custom policy rules. EOP is included in any Microsoft 365
subscription that contains Exchange Online mailboxes. EOP is also available as a
standalone offering to help protect on-premises email environments.
Regarding new EOP features, the Microsoft 365 for business roadmap is a good
resource for finding out information about upcoming new features. We'll also be
posting blog articles about new features to the Microsoft 365 Blogs website.
This topic provides answers to frequently asked questions about messages that have
been queued, deferred, or bounced during the Exchange Online Protection (EOP)
filtering process.
Microsoft Defender for Identity
documentation
Microsoft Defender for Identity cloud service helps protect your enterprise hybrid
environments from multiple types of advanced targeted cyber attacks and insider
threats.