Microsoft Defender for Office 365 topics
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/bd-p/MicrosoftDefenderforOffice365
Sun, 17 Oct 2021 04:27:40 GMT

Adjust the SCL value anti spam policy
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/adjust-the-scl-value-anti-spam-policy/m-p/2844049#M95

I have the ability to adjust the BCL level in the anti-spam policy; how do I do the same thing for SCL? Also, what is the default SCL number for the default anti-spam policy?

Wed, 13 Oct 2021 23:27:39 GMT - Skipster311-1

Attack simulation training experience
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/attack-simulation-training-experience/m-p/2837762#M94

Hello everybody, I want to share my own experience of working with Microsoft Attack simulation:

- Password attacks are not accessible for now. Why? Possibly they will be back in the future. When?
- Right now it does not work like a training (because you have to teach your users how they have to behave when they receive a "phishing email" from Microsoft Attack simulator).
- If they (users) do not behave the right way, the simulation does not work at all.
- If you teach your users how to bypass all built-in Microsoft protection features, the simulation will work and assign the user training where it will say "You must not behave like that, it is dangerous!"

Tue, 12 Oct 2021 12:43:33 GMT - Alex_Nikulin

MDO Attack Simulation - Hybrid/On-Prem
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/mdo-attack-simulation-hybrid-on-prem/m-p/2832662#M93

**Copy of post under SCI**:

MDO Attack Simulation - Hybrid/On-Prem - Microsoft Tech Community: https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/mdo-attack-simulation-hybrid-on-prem/m-p/2826532

Good day community,

Do the Attack Simulation capabilities extend to on-prem/hybrid Exchange environments as well, or only to accounts that have been migrated fully to Exchange Online?

TIA

Mon, 11 Oct 2021 06:22:39 GMT - SebastiaanR

How do I copy allow and block lists from one O365 Defender policy
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/how-do-i-copy-allow-and-block-lists-from-one-o365-defender/m-p/2827095#M90

I tried this command to extract:

    Get-HostedContentFilterPolicy -Identity Default | Select-Object -Property AllowedSenderDomains | Out-File -FilePath C:\Users\myuser\Documents\Sender.txt

The file does not contain all addresses.
Through the terminal the output is incomplete.

[Image: Image Allowed Sender Domains.png]

Fri, 08 Oct 2021 13:43:58 GMT - JoaoManoel-OJC

Enhanced Filtering for Connectors not working, MS Support says to use EOP Connection Filter instead!
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/enhanced-filtering-for-connectors-not-working-ms-support-says-to/m-p/2808783#M88

Our mail flow is like this:

1. MX: on-premises Barracuda
2. Barracuda sends into Exchange on-premises.
3. Exchange on-premises sends to EXO via HCW-created "Outbound to Office 365" Send Connector.

We have listed our Barracuda IP (Skip-IP-#1), and our Exchange on-premises servers' outbound/external IP (Skip-IP-#2) into our Enhanced Filtering for Connectors "skip list". However, we still get tons of incoming emails quarantined, CAT=PHISH, and when I check them in the quarantine (i.e., review their headers), I can see the SPF test is being done against our Exchange on-premises IP (Skip-IP-#2). There are no signs of the two headers being added - X-MS-Exchange-ExternalOriginalInternetSender and X-MS-Exchange-SkipListedInternetSender - which I understand should be getting added if Enhanced Filtering is working (per this).

We opened MS Support case 27749223, and so far we've been asked to either add the sender (or sender domain) to the EOP inbound spam policy's allow list, or even worse, add our IPs to the EOP Connection Filtering allow list. Both things, but particularly the latter, are completely unacceptable. It's as though MS Support has no idea about anything in this realm. Obviously allowing our IPs in the connection filter does the opposite of "enhancing" the filtering of items coming in to EOP/EXO from our Exchange on-premises.

What to do when support is unable to comprehend and this "feature" does nothing?

Mon, 04 Oct 2021 12:23:29 GMT - Jeremy Bradshaw

Reporting Broken in 365 Defender - Software Inventory > Windows10
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/reporting-broken-in-365-defender-software-inventory-gt-windows10/m-p/2772079#M86

Whatever happened in reporting last week behind the scenes seems to have severely broken reporting accuracy under Vulnerability management > Software Inventory > Windows 10 across multiple tenants at security.microsoft.com

Seeing 0 exposed devices out of 100 installed devices, where I know there are at least a couple needing reboots for this month's patching, doesn't look right - please fix asap!

Tue, 21 Sep 2021 22:01:50 GMT - Craig Harris

Problem with Configuration analyzer - Drift Analysis and History
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/problem-with-configuration-analyzer-drift-analysis-and-history/m-p/2750665#M80

Hello,

When we make a change in policy in O365 security and compliance, for example blocking a domain, all the previous configurations also get saved under the same administrator's name with new timestamps.

Perhaps it is because the entire config file gets saved under the new settings. So all the history of who changed what gets lost.

So if I add a domain in "blocked list", all the previous changes get saved under my name as well, overwriting every change history including timestamps. Not good.

Can this be fixed somehow?

Tue, 14 Sep 2021 20:47:21 GMT - salkhan

Exchange online inbound connector
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/exchange-online-inbound-connector/m-p/2741530#M79

Sorry for the noob question. Do I need to create a connector in Exchange Online to receive emails from the internet? :) Also, for an outbound connector to the internet (all domains), what are the recommended TLS settings? Below is what I currently have configured. The connector is currently disabled.

[Image: Skipster3111_0-1631317031126.png]

Fri, 10 Sep 2021 23:38:22 GMT - Skipster311-1

Microsoft Defender for Office 365 Explorer entity page does not display SCL or BCL values
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/microsoft-defender-for-office-365-explorer-entity-page-does-not/m-p/2735488#M78

I have been searching for information on why the Microsoft Defender for Office 365 Explorer entity page does not display SCL or BCL values.

I can find the information from the message headers, but for some reason this does not populate to the Analysis tab (the new entity page).

Also, I haven't been able to get full clarity on in which phase of the mail flow these get assigned and how.

Any information that can answer the above topics would be highly appreciated.

Thu, 09 Sep 2021 09:01:10 GMT - PerttiTilja

Adding Targeted Users/Groups in Attack Simulator
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/adding-targeted-users-groups-in-attack-simulator/m-p/2703695#M75

Is there a setting that may have changed recently or needs to be changed that enables filtering by groups when creating a simulation? I am unable to browse our groups in our organization any longer; I can choose from other options like City, Departments, Titles, etc., but the AD groups do not populate any longer in this list when trying to add Target Users.

Thank you,
Jerid

Tue, 31 Aug 2021 16:45:54 GMT - Jerid

Feeding the Attack Simulator
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/feeding-the-attack-simulator/m-p/2672834#M69

Previous commentators have noted the simulator's tendency to send attacks in a single wave. This can lead to a comment from one recipient warning another. Additionally, the wave may overwhelm local IT support.

To my mind it makes sense to split a large recipient base up into slices to be attacked at different times and possibly with minor variations in the payload. I had been looking at dynamic groups to do this.

Am I correct in saying no type of dynamic group is acceptable to the attack simulator? I have tried the new Microsoft 365 groups, but with the group features suppressed to prevent the group itself from mailing, the simulator will not mail the membership either.

    set-UnifiedGroup -Identity $Group.Name -HiddenFromExchangeClientsEnabled
    set-UnifiedGroup -Identity $Group.Name -UnifiedGroupWelcomeMessageEnabled:$false
    set-UnifiedGroup -Identity $Group.Name -SubscriptionEnabled:$false
    set-UnifiedGroup -Identity $Group.Name -AlwaysSubscribeMembersToCalendarEvents:$false
    set-UnifiedGroup -Identity $Group.Name -AutoSubscribeNewMembers:$false

Sun, 22 Aug 2021 09:44:48 GMT - ExMSW4319

Outlook report add-in
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/outlook-report-add-in/m-p/2657964#M64

Hello

In an effort to move away from users using "safe senders" in Outlook, we are considering using the report add-in. However, when I review the permissions the add-in has, it's a bit concerning. I'm reluctant to push out this add-in because the add-in has permissions to read and change email in a user's mailbox. Seems excessive.

[Image: Skipster3111_0-1629236344281.png]

Tue, 17 Aug 2021 21:39:57 GMT - Skipster311-1

Password Spray Attack
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/password-spray-attack/m-p/2645521#M61

Are "Password Spray Attack" and "Brute Force Password" deprecated? I can find it in the old portal, but it just redirects to "Attack simulation training" in the new portal and I can't find the option here.

[Image: khelbo_0-1628860452680.png]

Fri, 13 Aug 2021 13:17:57 GMT - khelbo

Advanced Delivery Permissions
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/advanced-delivery-permissions/m-p/2532237#M54

I am currently trying to use the new Advanced Delivery policies. The user account I am using is a member of the Organization Management Exchange Online and I have given the account Security Administrator permission in https://security.microsoft.com/securitypermissions

I still can't access the Advanced Delivery portal via the web portal and I am unable to use the New-SecOpsOverrideRule or New-SecOpsOverridePolicy.

Am I missing something else?

Fri, 09 Jul 2021 14:42:50 GMT - owenmurr

Defender for Office 365 filtering-only scenario protection for your on-premises Exchange Server
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/defender-for-office-365-filtering-only-scenario-protection-for/m-p/2532120#M53

Can anyone help me by guiding me to some documents on how you deploy/configure Defender for Office 365 filtering-only scenario for your on-premises Exchange Server?

Fri, 09 Jul 2021 14:03:51 GMT - stewartkennedy83

Attack Simulator creating a payload - Dynamic Tags
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/attack-simulator-creating-a-payload-dynamic-tags/m-p/2520881#M48

I have a few questions when creating a payload and the use of the dynamic tags. It could be a setting I'm unaware of or something not configured correctly.

1. Is there a way to define how the dynamic tags pull information? Currently, the tag ${userName} is pulling it as LastName, FirstName and I would like to have it as FirstName LastName so it looks more authentic.
2. The dynamic tag ${date} does not pull the date; it actually displays "${date}" when the payload (email) is sent.
3. Is there a list of dynamic tags and their mappings?

Thank you for any help,
Jerid

Wed, 07 Jul 2021 15:50:45 GMT - Jerid

Best practice advice
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/best-practice-advice/m-p/2519931#M43

Hello all

I am fairly new to Defender for O365. I am the cloud admin for a small company, roughly 1000 accounts. We are moving from Mimecast to Defender for O365. I read the article regarding preset security policies, and thought this would be a good place to start, so I enabled the standard policy for all the domains we host. Considering you cannot edit a preset policy, I had to edit the default policy to fill in the gaps to account for things like safe senders, blocked senders, safe domains and blocked domains. Is this the correct strategy to use? From my understanding the preset security policy will take precedence. How does the precedence work? If I create safe senders in the default anti-spam policy, will these settings take effect even though the safe senders are not mentioned in the Standard preset security policy?

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide

Tue, 06 Jul 2021 15:52:35 GMT - Skipster311-1

End-User Spam Notification - Custom Branding
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/end-user-spam-notification-custom-branding/m-p/2506568#M42

Hello there! Just curious if there is a plan, for Microsoft, to introduce custom branding for end-user spam notifications. I know a possible workaround is prepending an image as a disclaimer via Exchange transport rule, which I will test and validate. :smile:

I know Microsoft is phasing out UserVoice, so I submitted feedback in the Microsoft 365 Security admin center. So, just using the available channels and seeing what everyone else knows.

Thanks! ^_^

Thu, 01 Jul 2021 11:21:02 GMT - MisterD3k

Attack Simulator
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/attack-simulator/m-p/2485912#M40

Just from testing my department yesterday, the one thing I feared would happen, did. It “shotgunned” the email to everyone and within minutes I could hear people talking about it and asking if they got the email. I don’t feel like people learn by themselves when everyone knows what’s going on. I would like to see if it would be possible to have emails go out at defined times (ex. 10 emails every 2 hours until complete). If it's not currently possible, could it be looked at to add it?

Fri, 25 Jun 2021 15:03:03 GMT - Jerid

How to Apply EOP / Defender protections to All Users?
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/how-to-apply-eop-defender-protections-to-all-users/m-p/2448364#M31 <P>When enabling a preset security policy, I'm prompted to choose who to apply EOP Protections to and who to apply Defender Protections to (screenshot below).&nbsp; <STRONG>For either of these, how do I select "all users" or "everyone"?</STRONG>&nbsp; I could possibly do it by domain, but I have about 15 domains I'd need to enter, which I can do but I'm wondering if there are aliases I can enter that represent all users.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="apply_protection_to.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/288658i3A418D5C8D83F669/image-size/large?v=v2&amp;px=999" role="button" title="apply_protection_to.png" alt="apply_protection_to.png" /></span></P><P>&nbsp;</P> Tue, 15 Jun 2021 11:30:36 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/how-to-apply-eop-defender-protections-to-all-users/m-p/2448364#M31 benamada 2021-06-15T11:30:36Z Join us for an AMA on Defender for Office 365! https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/join-us-for-an-ama-on-defender-for-office-365/m-p/2373187#M30 <P>The Microsoft Defender for Office 365 team wants to hear from you! We’re excited to invite you to join us&nbsp;for a Tech Community Ask Microsoft Anything (AMA). Our team will be on hand to answer any of your questions about Microsoft Defender for Office 365, Exchange Online Protection, and email and collaboration security in general, so come prepared!</P> <P>&nbsp;</P> <P>The AMA will take place Thursday, May 27, 2021, from 9:00-10:00am Pacific Time. 
We hope to see you there!</P> <P>&nbsp;</P> <P>Use the link below to add a reminder to your calendar and to join the discussion.</P> <P><A href="#" target="_blank" rel="noopener noreferrer">https://aka.ms/ama/DefenderO365<SPAN>&nbsp;</SPAN></A>&nbsp;</P> Thu, 20 May 2021 18:18:59 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/join-us-for-an-ama-on-defender-for-office-365/m-p/2373187#M30 Giulian Garruba 2021-05-20T18:18:59Z What do we do with Click information? https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/what-do-we-do-with-click-information/m-p/2265463#M27 <P><SPAN>If the "tracks user clicks in supported Office 365 apps." setting is enabled, what are the recommended good practices for using the data that this generates?</SPAN></P> Sat, 10 Apr 2021 15:38:54 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/what-do-we-do-with-click-information/m-p/2265463#M27 Dean Gross 2021-04-10T15:38:54Z ATP Safe Links - Legitimate OneDrive for Business links and Deep Links https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/atp-safe-links-legitimate-onedrive-for-business-links-and-deep/m-p/2234895#M22 <P>ATP Safe Links is blocking legitimate OneDrive for Business links shared by our users internally.</P><P>&nbsp;</P><P>We recently had a compromised user which was blocked by the anti-spam rules as expected.&nbsp;</P><P>&nbsp;</P><P>The malicious actor(s) planted a PDF document (<EM>named "microsoft.pdf"</EM>) in the user's OneDrive with an embedded link to a malicious site. A link to that document was then shared with several users. Anti-spam policy filter saw the number of mails and blocked the user. The users who received the link thought it was a legitimate link shared by the internal user and clicked the link. However, the link was blocked in the browser by the ATP Safe Links.&nbsp;</P><P>&nbsp;</P><P>So far so good. 
ATP Safe Links IMHO identified the deep linked document as malicious and blocked the users browsing to the OneDrive link. Amazing.</P><P>&nbsp;</P><P><STRONG>However</STRONG>, pretty soon, now all sharing links are getting blocked by the ATP Safe Links. Somehow, it seems, ATP Safe Links has recorded the OneDrive URL as malicious and is now blocking all legitimate internal sharing links.&nbsp;</P><P>&nbsp;</P><P>Interestingly, copy-pasting the raw unwrapped link in the browser works. Only the wrapped links are getting blocked.</P><P>&nbsp;</P><P>Has anybody else experienced this? I've opened a ticket with support and am waiting for them to check it out. Meanwhile, I thought maybe someone who has experienced something similar may help with more information here.</P><P>&nbsp;</P><P>Below is a screenshot of the document which was planted in the user's OneDrive with the name "Microsoft.pdf". The "Access Document" button is the link to an actual external malicious site (which is blocked by browser's native functionality anyway).</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="malicious-odfb-doc.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266971iD830A6E2DF6BDAA3/image-size/medium?v=v2&amp;px=400" role="button" title="malicious-odfb-doc.png" alt="Malicious document planted in user's OneDrive. The &quot;Access Document&quot; button is a link pointing to an external malicious site." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Malicious document planted in user's OneDrive. 
The "Access Document" button is a link pointing to an external malicious site.</span></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 25 Mar 2021 11:37:44 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/atp-safe-links-legitimate-onedrive-for-business-links-and-deep/m-p/2234895#M22 Abhimanyu Singh 2021-03-25T11:37:44Z EOP or Defender for Office 365 not working‎ as espected https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/eop-or-defender-for-office-365-not-working-as-espected/m-p/2230095#M21 <P><SPAN>Dear Security Team,</SPAN></P><P><SPAN>We try to test EOP &amp; Defender for Office 365 by sending on purpose SPAM URLs in emails that I know they are SPAM (a simple antispam in "EM Client"), so I forward them to an email of a an E5 developer tenant for test purposes. </SPAN></P><P><SPAN>Results: non of 4 emails were detected with SPAM URLs. </SPAN></P><P><SPAN>We try for two of them, to manually add them through the Threath Explorer but even then it did not detect any issue (See attachement).</SPAN></P><P><SPAN>Is this due to the fact that it were 4 Forwarded emails ? 
Other reasons ?</SPAN></P><P><SPAN>thank you in advance for your return </SPAN></P><P><SPAN>Kind regards,</SPAN></P><P><SPAN>B.</SPAN></P> Tue, 23 Mar 2021 15:49:44 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/eop-or-defender-for-office-365-not-working-as-espected/m-p/2230095#M21 bzels123 2021-03-23T15:49:44Z Whitelist and Safelist problems https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/whitelist-and-safelist-problems/m-p/2193816#M20 <P>With the introduction of Defender for Office 365, there are several more processes that play a role in scanning emails.<BR /><BR /><STRONG>The Problem: </STRONG></P><P>There is no clear or effective way to whitelist security training providers from link and attachment scanning whether in the web portal, API, or Powershell.</P><P>&nbsp;</P><P><STRONG>Impact:</STRONG><BR />One or more of the systems below consistently block, scan links and/or attachments that belong to security training (not actually malicious) from several major providers, and create false positives.</P><P>&nbsp;</P><P><STRONG>Rules in place:</STRONG></P><P>Sending Server IPs are whitelisted and emails are modified to set message headers such as</P><OL><LI>"<SPAN>X-MS-Exchange-Organization-SkipSafeLinksProcessing" w/ value "1"</SPAN></LI><LI><SPAN>"X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" w/ value "1"</SPAN></LI><LI>Bypass SPAM&nbsp;<SPAN>= "-1"</SPAN></LI></OL><P><SPAN><STRONG>There does not appear to be a way to whitelist from:</STRONG><BR /></SPAN></P><OL><LI><SPAN>SpamZap - Get trapped as SPAM even with bypass.</SPAN></LI><LI><SPAN>PhishZap - Gets trapped as Phish regardless of rules.</SPAN></LI><LI><SPAN>MailboxIntelligenceProtection - Same as Phish.</SPAN></LI><LI>Defender for Office 365 Scanning - The bots are clicking the links and creating false positives</LI><LI>Safe Documents - same as above.</LI><LI><STRONG>Report Message</STRONG> Link Detonation - Detonates links regardless of 
whether it's whitelisted anywhere else.</LI></OL><P><STRONG>Is anyone aware of a way to do this currently?</STRONG><BR /><EM>There are between 50-100 different wildcard domains needed to whitelist (if we had to do them individually).</EM><BR /><BR /><STRONG>A solution cannot include disabling the above services.</STRONG></P> Mon, 08 Mar 2021 17:34:27 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/whitelist-and-safelist-problems/m-p/2193816#M20 Jonathan Green 2021-03-08T17:34:27Z Metrics from Defender for O365 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/metrics-from-defender-for-o365/m-p/2119955#M16 <P>I am struggling to reconcile the different sources of information we have about the activities of Defender on our tenancy. If I compare the following EXO PowerShell and KQL, I get answers that do not match. I am fairly certain the problem is that they are compiling slightly different definitions. Where do I look to discover what those definitions are?</P><P>&nbsp;</P><P>get-ATPTotalTrafficReport -StartDate(get-date).AddDays(-15) -EndDate(get-date).AddDays(-1) | ft</P><P>&nbsp;</P><DIV><DIV><SPAN>EmailEvents</SPAN></DIV><DIV><SPAN>| where Timestamp &gt; ago(15d)</SPAN></DIV><DIV><SPAN>| where Timestamp &lt; ago(1d)</SPAN></DIV><DIV><SPAN>| project ThreatTypes</SPAN></DIV><DIV><SPAN>| summarize count () by ThreatTypes</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>The phishing totals I get are vaguely correct; the KQL ThreatType column can contain several threat types, and if I add all of them together I am only 10% over the figure reported by the commandlet. My spam totals are however wildly out, with the commandlet giving a figure thirteen times the corresponding KQL total. 
The commandlet also mentions the Bulk total, which does not even appear in the KQL threat types and is another order of magnitude greater still.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Wild guesses and speculation:</SPAN></DIV><DIV>&nbsp;</DIV><UL><LI><SPAN>The commandlet figures arise from the actual EOP and ATP engines whereas EmailEvents only occur if a message gets to the delivery stage (yet KQL shows me messages going to the hosted quarantine?) Alternatively, the commandlet includes edge-detection drops and the KQL query does not.</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN>The commandlet works on our entire tenancy but the Advanced Hunting portal only works on our primary domain, and we have a significant number of other accepted domains (so where is the control to focus on one of the others?)</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN>Both searches are intended for the same period of time but in fact select time periods differently. Alternatively, despite the fact that the last 24 hours (?) 
are omitted, the data used by one search is prone to latency and will not be available for a further day or so.</SPAN></LI></UL><P>There is some very useful information here somewhere, but unless the discrepancies can be explained it is very vulnerable to criticism.</P></DIV> Wed, 10 Feb 2021 09:30:14 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/metrics-from-defender-for-o365/m-p/2119955#M16 ExMSW4319 2021-02-10T09:30:14Z Attack simulator roadmap https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/attack-simulator-roadmap/m-p/2118261#M13 <P>Hi, we've been experimenting with the new edition of attack simulator, and I'm wondering if and when these feature will be available</P><OL><LI>Integration of Microsoft training with other training software&nbsp;</LI><LI>Automations - what is the purpose of this feature and how it works&nbsp;</LI></OL> Mon, 08 Feb 2021 19:34:22 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/attack-simulator-roadmap/m-p/2118261#M13 aghi670 2021-02-08T19:34:22Z Upgrade to Defender for o365 Plan 2 from Business Premium https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/upgrade-to-defender-for-o365-plan-2-from-business-premium/m-p/2095951#M12 <P>My client is on Microsoft 365 Business Premium. I know Defender Plan 1 comes with it. 
Can we upgrade to Plan 2 or do we need an Enterprise subscription?</P><P>&nbsp;</P><P>thanks in advance.</P><P>Matt</P> Mon, 25 Jan 2021 22:58:38 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/upgrade-to-defender-for-o365-plan-2-from-business-premium/m-p/2095951#M12 Matt Suderman 2021-01-25T22:58:38Z O365 Attack Simulator (Phishing) - number of users targeted https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/o365-attack-simulator-phishing-number-of-users-targeted/m-p/2095557#M11 <P>Hello,</P><P>&nbsp;</P><P>can anybody tell me what is the maximum number of users I can target with a phishing campaign?</P><P>&nbsp;</P><P>We have around 1700 A3 Licenses with the A5 security addon and when I tried to target all those licensed, the email was sent out only to 98. The simulation was also stuck in Scheduled for more than 10 hours.</P><P>&nbsp;</P><P>Thank you.</P><P>&nbsp;</P> Mon, 25 Jan 2021 21:10:56 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/o365-attack-simulator-phishing-number-of-users-targeted/m-p/2095557#M11 Csaba_Ke 2021-01-25T21:10:56Z O365ATP - BEC Technology https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/o365atp-bec-technology/m-p/1929262#M7 <P>Hi All</P> <P>More and more competitors focus on BEC detection technology, I would like to know if we have any detailed documents that mention this part?</P> <P>&nbsp;</P> <P>Thank you so much for your input</P> <P>&nbsp;</P> <P>Best Regards</P> <P>Dragon</P> Wed, 25 Nov 2020 02:55:24 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/o365atp-bec-technology/m-p/1929262#M7 DragonChang 2020-11-25T02:55:24Z Exclude Safety Tips from certain sender? https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/exclude-safety-tips-from-certain-sender/m-p/1889816#M6 <P>Hi all,</P><P>&nbsp;</P><P>Our HR must use SurveyMonkey for sending out surveys. 
While I can exclude it from Junk Folder in O365 ATP/Defender for O365, Outlook still displays a warning: <EM>"Jane.Doe@ourcompany.com via SurveyMonkey &lt;member@surveymonkeyuser.com&gt;".&nbsp;</EM></P><P><EM><BR /><BR /></EM>The warning itself is very good, but for this specific user I would like to exclude it.&nbsp;Possible without disabling all Safety Tips?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>/B</P><P>&nbsp;</P><P>The grey field is the Safety Tip generated by policy (I at least assume). The yellow is a custom transport rule we have to warn our users.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="surveymonkey-warning.png" style="width: 961px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/233706i1EC4CB08AC2B3A27/image-size/large?v=v2&amp;px=999" role="button" title="surveymonkey-warning.png" alt="surveymonkey-warning.png" /></span></P> Mon, 16 Nov 2020 09:23:44 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/exclude-safety-tips-from-certain-sender/m-p/1889816#M6 Björn Lagerwall 2020-11-16T09:23:44Z Defender for O365 with onprem mailboxes https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/defender-for-o365-with-onprem-mailboxes/m-p/1787317#M4 <DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Hi all,</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Just wanted to confirm the usability of some features of Defender for O365 when having an Exchange hybrid scenario but still most of the mailboxes on-prem. 
From my understanding not all features will work </SPAN></DIV></DIV><UL class="public-DraftStyleDefault-ul"><LI><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN class="yj-editor--link-entity"><SPAN>Safe Attachments</SPAN></SPAN><SPAN> (dynamic delivery will not work for onprem mailboxes)</SPAN></DIV></LI><LI><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN class="yj-editor--link-entity"><SPAN>Safe Links</SPAN></SPAN><SPAN> (works if the MX is pointing to EOP)</SPAN></DIV></LI><LI><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN class="yj-editor--link-entity"><SPAN>ATP for SharePoint, OneDrive, and Microsoft Teams</SPAN></SPAN><SPAN> (not applicable to EXO)</SPAN></DIV></LI><LI><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN class="yj-editor--link-entity"><SPAN>ATP anti-phishing protection</SPAN></SPAN><SPAN> (not sure if all settings will work for onprem mailboxes)</SPAN></DIV></LI><LI><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN class="yj-editor--link-entity"><SPAN>Real-time detections</SPAN></SPAN><SPAN> (reports)</SPAN></DIV></LI></UL><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Thanks in advance,</SPAN></DIV></DIV><DIV class=""><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>Rgs</SPAN></DIV><DIV class="public-DraftStyleDefault-block public-DraftStyleDefault-ltr"><SPAN>RM</SPAN></DIV></DIV> Fri, 16 Oct 2020 08:57:36 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/defender-for-o365-with-onprem-mailboxes/m-p/1787317#M4 Ricardo Mendes 2020-10-16T08:57:36Z Configuration analyzer and recommendations https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/configuration-analyzer-and-recommendations/m-p/1778289#M3 <P>Hello,</P><P>I have a question related to the new configuration analyzer for 
Defender for Office 365. As I understand, the recommendations show that all settings should be disabled. Do I understand it the right way?</P> Wed, 14 Oct 2020 06:53:05 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/configuration-analyzer-and-recommendations/m-p/1778289#M3 ChristianFrielingsdorf 2020-10-14T06:53:05Z Restore original mail due to deleted type of malware mail https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/restore-original-mail-due-to-deleted-type-of-malware-mail/m-p/1700635#M1 <P>Microsoft Protection mail service detected malware and deleted it. Is it possible to download the original mail to analyse?</P> Wed, 23 Sep 2020 03:33:32 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/restore-original-mail-due-to-deleted-type-of-malware-mail/m-p/1700635#M1 ByamB4 2020-09-23T03:33:32Z