Recent Discussions
Block all internet traffic except some sites
Hi, i've a subset of machines that need only access to some sites, like internal websites, office365 and av updates but i'm being asked to block all other sites. Can i use office365 defender (https://security.microsoft.com/securitysettings/endpoints) to do this? what is the best option? Thx
'system has learned from the submission / mail is automatically allowed'
Hey folks, got an alert about a tenant allow//block list entry expiring. Only recently did we start getting these, because only recently did we start using expiring whitelisting. But I'm a little confused by the details, which says 'Mail from x is now automatically alllowed and the allow entry has been removed' and the activity that ''an allow entry is no longer required as the system has learned from the submission' The referenced email is actually an internal tenant - it receives ticket requests, and sends out ticket updates. But I'm REALLY curious about the 'automatic' allowing. Is this a feature limited to Defender 2, or part of Microsoft's AI detection framework for all 365 Defender/EOP? I don't even remember submitting this email - if I did, it was probably more than 45 days ago. So 1) Is this notice primarily that the entry had expired, but ALSO it's not needed or does this send out as soon as 'the system' recognizes it as legitimate, and removed regardless of the time left? 2) is there a way to review a list of entries Microsoft has 'accepted'? 3) What exactly does this 'allow'? I know that the tenant allow/block list allowed a certain set of lower-risk indicators in an email, but still blocked some higher-risk ones - unless there was a submission made. At that point, more is allowed. But there's still a limit, compared to a blanket bypass on the policy itself.
issues with OpenSSL 3.0.8.0
We are relatively new to Microsoft Defender and one of the issue we are seeing is Attention required: vulnerabilities in Openssl 3.0.8.0 this relates to SQL management studio: c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\libcurl32.dlla\openssl32.dlla\libcrypto-3.dll c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\libcurl32.dlla\openssl32.dlla\libssl-3.dll c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\openssl32.dlla\libcrypto-3.dll c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\openssl32.dlla\libssl-3.dll Upon checking our SQL Management studio version we are on the latest version 19.3.4.0 How do we resolve this?Microsoft Defender EOP
We have been experiencing an issue since last week where we are unable to view the details of quarantined emails. Could you please confirm if this is related to a known backend service issue, or if there are any specific troubleshooting steps we should perform on our end? Any guidance or updates would be greatly appreciated.Searching for Activities in Audit Log returns repeated results - appears broken
I'm in Defender, using the Audit Log tool, trying to find out who changed the Anti-Phishing policy on the 23rd of January. Selecting the 'Activities - friendly names' drop-down, and inputting 'policy' returns A number of different categories + activities for stuff unrelated to Defender (ie, Purview, CoPilot in Outlook,, SharePoint AI use, the 365 AC, 'Places Directory' - whatever that is) but nothing related to Defender (the tool I'm opening it within)... The same category - M365 Apps Admin Services cloud policy activities - about 30 times, with every activity it includes. Probably 70% of the results, are just this same thing over and over. I looked into it - because I've never heard of this, yet it SOUNDS like something related to what I do. First off, on the [audit log activities](https://learn.microsoft.com/en-us/purview/audit-log-activities#microsoft-365-apps-admin-services-cloud-policy-activities) KB, this category is listed once, with 4 activities. there's about 13 that show up in each duplicated category in the search, so that's unhelpful. It links to another kb which seems to imply that 'Cloud Policy service' is not an actual thing - it's just a marketing/conceptual term for a functionality of InTune. Why it's not in the InTune KB - I do not know - I've made some suggestions to the KB's The first KB I mentioned does not list any activities for Defender's policies - there's stuff for Endpoint (multiple categories), XDR (multiple categories)... So I have 2 questions. 1) Is anyone able to advise how to get the data I want? At this point, I'm not even sure this audit log would PULL any relevant data, based on the lack of activities - so I don't really want to just blanket search for that date, and sift through stuff. 2) Does anyone know how to use this tool effectively? Know of a KB that is good and reliable and helpful? ThanksHelp me understand why this email was quarantined?
I'm pretty familiar with Defender's Threat Policies. I've probably set them up on 40 tenants. I know the Hosted Content Filter Policy is backend for Anti Spam Inbound policy. I know that, confusingly, the AntiSpam Inbound Policies contain the actions for High Confidence/Normal Confidence Phishing - NOT the AntiPhishing policies (which seem more geared towards impersonation). What I DON'T know is why this was quarantined - and whether the anti-phish policy had anything to do with it. The Policy Type linked is the IB Anti Spam. This tenant is one of the few we have set at a BCL tolerance level of 7 - which shows me that 0 messages in the last 60 days would've been caught for this reason (which would include the email in question). So it was either the SCL or some 'anti phish' component of the anti-spam policy. I have none of the custom 'increase spam score' markers here. I was sure there was a 'evidence' tab within email entity, but i guess not - the only info I have about the detection (now released) is the following: This particular sender does not send reliably over 45 days, but also has been a business partner of this tenant for decades. So rather than the Tenant Allow/Block list which allows a max of 45 days, I want to add it to the offending policy. which SEEMS like it would be the inbound anti-spam - except that it also says it's phishing everywhere. I don't want to bypass both the phishing and spam policies unless I have to - but I don't really know why this got blocked. It's an external address that had sent an email days ago that got through without issue... This one has an attached pdf, but so do they all. Thoughts?
All Excel Macro Files Suddenly Flagged as Malware (X97M/Slacker.gen!A) Across M365 Starting April 16
Starting around 8 PM GMT+8 on April 16, 2025, macro-enabled Excel files with extensions such as .xlsm, .xlsb, or .xls began being automatically flagged as malware, specifically identified as X97M/Slacker.gen!A—when opened or edited in SharePoint, OneDrive, or Teams. Before this, the same files were not flagged as malicious, even when opened or edited, and this behavior had remained consistent for several months. This issue affects our entire tenant, with over 800 files being flagged as malware under the name X97M/Slacker.gen!A. These files are located across various locations and have been modified by different users. We are a Cloud-only tenant, and we have not done any configuration changes in Threat Policies for the past few months.Marking Quarantine Notice senders as safe for entire tenant
Our users get quarantine notices weekly. They're configured to come from email address removed for privacy reasons (the domain specific to tenant).. sometimes they come from email address removed for privacy reasons anyways, but this is fine. The thing is, I end up with a LOT of users who end up receiving these in their junk mail. We have a lot of tenants - I don't really have the time to keep checking them, taking action on mis-junked items. Most stuff is configured to go to quarantine anyway. What's the best way to allow these senders? The IB Anti-Spam safe-senders component is not Secure-Score recommended, and we try to keep these scores high. But the tenant allow/block list allows a max of 45days since last use. There's so many options, I'm a little confused as to what's 'right' ThanksDefender bulk unsanction
I want to unsanctioned all Generative AI apps in cloud catalogue with a risk score 7 or below. But this is 970 apps and I don't feel like doing this one page of 20 at a time I'll be there all day. Can someone suggest a powershell script to set anything in that category risk score 0-7 as unsanctioned?Automated Investigation and Response
Upgraded to Defender for 365 P2 based on the idea of setting automated responses to certain alerts. That's how it was described. Now I'm trying to enable and configure it. The documentation has bounced me around 20 different articles for XDR, Defender Enterprise, Defender for Business... I do not see anywhere to configure the automation in Defender. One doc points me here for making sure it's enabled. when I open this, and go down to Automation, it's simply an empty list of device groups. We don't use Device groups - we don't use Defender Endpoint. Has anyone configured this in a non-XDR environment? What I'm encountering and what was advertised seem very different...upgraded from P1 to P2... how do I configure this?
Upgraded to Defender 365 P2 from P1, based on the automated responses. Kinda figured we'd be able to tweak these, but I guess not? Anyway, I'm a little bit confused about how to set this up maximally. Realized yesterday we had a 'User click a malicious link" investigation that was pending - but no one knew. When I click 'Email Notification' in the 'Incidents' window, it brings me to the XDR settings menu, with options for setting emails to notify of Alerts, Incidents and Threat Analytics. Except we don't have XDR? So I can't tell if these are even valid? The documentation on the AIR component is really hard to decipher - wondering if anyone has much experience with this, and knows how to configure it optimally? As in, how do I notify someone of a Critical Investigation, or something needing approval for remediation? Can I configure certain things to not require approval? Like... removing a reported phishing email from everyone's inbox?Limit access to Quarantine (and only quarantine)
The enduser quarantine is reachable at https://security.microsoft.com/quarantine Based on our security policies, we have limited access using Conditional Access and the cloud app “Microsoft Admin Portals.” Consequently, no user can directly access the quarantine. We have made the necessary exceptions to ensure the quarantine functions properly. However, there is an issue: Users without proper permissions can still navigate extensively within the portal. For example: On the left-side navigation, they can click on “Start.” Within the “Next steps” section, there is a link to “Advanced Hunting.” Although they cannot perform any actions there, the link remains accessible. Additionally, under “Additional Resources,” users can click on any admin center, albeit with limited functionality. Is there anyone with an idea on how to restrict users to the quarantine area only, preventing access to other sections of the portal?
purchased windows defender but account is with godaddy - cannot setup
i purchased windows defender from microsoft, who told me i could use this even though account was hosted through godaddy. when i go to start using microsoft defender for business, it redirects me to godaddy page and there is nothing I can do. I need to know if this works and if so, how to set it up or I need to cancel it.
Enhanced Filtering for (CSE)Connectors
One of my customer is using the Cisco Secure Email as their default gateway with a connector into M365. They would like to enable the enhanced filtering on the connector to improve their anti spam/malware protection. Enhanced Filtering on the “Inbound from Cisco Secure Email” connector: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors#use-the-microsoft-defender-portal-to-configure-enhanced-filtering-for-connectors-on-an-inbound-connector Do you know if there are any caveats adding a few mailboxes to the policy to test the behavior before they cutover the entire enterprise?
Configure Quarantine Notifications to Admins when the any Email is quarantined
Hi All, Good morning, I would like to understand the possible options in EOP and defender for O365 to send an alert or notification mail to the E-mail administrator as soon as any mail is quarantined for any user mailbox in Exchange online. I searched most of the options, but I don't see any solid solution for this. Please share your thoughts and experience on this. Thanks in advance.Issues with Phishing & Malware Classification, Quarantine, and ZAP Not Triggering
Hello, We are facing issues with Office 365 Defender email alerts related to phishing and malware detection. Below are the key concerns: Emails with Malicious Attachments Emails classified as phishing/malware due to malicious attachments are delivered to users. If quarantined, they are blocked upon release, preventing delivery to recipients. Is this expected behavior? Are there any workarounds to allow delivery after manual review? Retroactive Classification Based on User Actions Emails are later classified as phishing/malware when another user clicks a link. We need better visibility and control over such cases. Any insights on handling this effectively? ZAP Not Triggering We’ve noticed that ZAP (Zero-hour Auto Purge) is not triggering as expected in certain cases. Has anyone experienced similar issues, and are there any known fixes or configurations that might help?No URL Detection in Emails with Extensive %2580 Encoding
Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren’t identified as links, which allowed them to evade security scanning. Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely. Questions: Has anyone else encountered similar issues with encoded URLs bypassing detection? What’s the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URL's were identified? Looking forward to your input and recommendations. Thanks in advance!
Anti-malware policy doesn't block files
Hello Microsoft Community, We have recently found that Anti-malware policy doesn't block files that are set to be blocked by the policy. For example, when we send an *.ics file with a cmd/exe/jse/rdp and other files inside of the ics, the email is not blocked and is delivered to users. We did several tests with external security vendor by sending real malwares, ransomwares and exploits attached to the ics and all of them passed the filtering system. Is anyone aware of the issue? Doesn't MDO scans nested files?! This has happened with a few tenants. Those tenants have Microsoft E5 licenses.
Recent Blogs
- We are pleased to announce that Microsoft Defender for Office 365 now features large language model (LLM)-powered responses within the submission workflow. This update provides security and Exchange ...Jul 01, 2025
