As cyber security becomes a crucial part of the day-to-day activities of every organization, it becomes vital to allow different organizations to customize their security tools in a way that best fits their needs, while ensuring that such customization does not compromise the productivity of their employees. This is why in Microsoft Defender for Office 365 we look not only at offering the best protection and tools to manage detected threats and possible misses, but also focus on continually improving the solutions we offer for protection from false positives. After all, email remains the number one attack vector used by bad actors. Our key principles remain:
Microsoft Defender for Office 365 is rolling out key quarantine management features that will help empower SecOps professionals and end users when triaging emails:
Today Microsoft allows organizations to empower their end users to triage phishing messages. Some organizations would prefer to limit these triage capabilities to their security teams, and others find the capability allows them to augment a smaller SecOps team by extending the process to end users.
With the new quarantine folder policy, SecOps will be able to configure custom end user access (including request release permissions) to messages quarantined by Exchange Online Protection and Microsoft Defender for Office 365 policies, which will help alleviate the inefficiencies that come with fixed controls.
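As an added illustration (not code from the original post), this is how such a custom end user access policy can be created and attached to a filtering policy with Exchange Online PowerShell. It assumes a connected Exchange Online session, a free policy name "LimitedAccess", and that the built-in AdminOnlyAccessPolicy is available in the tenant.

```powershell
# Added example, not from the original post.
# Assumes: Connect-ExchangeOnline has already been run, and "LimitedAccess"
# is not yet used as a quarantine policy name in this tenant.
$policyName = "LimitedAccess"   # assumed name; choose your own

# The permissions value is a bit mask of end user rights. 27 corresponds to
# the "limited access" preset: block sender (16) + request release (8)
# + preview (2) + delete (1). End users can ask for a release but cannot
# release a message themselves, so SecOps keeps the final decision.
# For comparison: 23 grants direct release instead of request release,
# and 0 grants end users no access at all.
New-QuarantinePolicy -Name $policyName -EndUserQuarantinePermissionsValue 27

# Apply the new policy to spam and bulk verdicts in the default anti-spam
# policy, while keeping phishing and high-confidence spam visible to
# SecOps only via the built-in AdminOnlyAccessPolicy.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamQuarantineTag $policyName `
    -BulkQuarantineTag $policyName `
    -HighConfidenceSpamQuarantineTag AdminOnlyAccessPolicy `
    -PhishQuarantineTag AdminOnlyAccessPolicy

# Check what end users will actually be allowed to do under the new policy.
Get-QuarantinePolicy -Identity $policyName |
    Format-List Name, EndUserQuarantinePermissions
```

Review the output of the last command before rolling the policy out: a release permission that was not intended is easy to miss in a numeric bit mask.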
Deception is a key component of phishing attacks, and customers want to eliminate any hesitation when it comes to legitimate system-automated messages. We are adding capabilities that make it possible for SecOps to customize end user quarantine notifications with their organization's logo, email display name, and disclaimer. Doing so helps ensure that users have safe and secure access to their quarantined messages and trains them to recognize legitimate notifications.
With this change we’re giving SecOps the ability to allow senders for a specified period, right from the quarantine workflow. When releasing emails to end users, admins can now opt to remember this decision by creating an entry in the tenant allow/block list that corresponds to the indicator of compromise aligned with the message in question. SecOps can now also choose to allow or prevent users from submitting messages to Microsoft for analysis.
Quarantine release should be efficient, not tedious. In large organizations it can take time to triage quarantine mails. The previous structure in place was aimed at releasing emails in a serialized approach but will now be replaced with a parallel form, helping streamline the process and save your SecOps team valuable time.
To limit exposure to unwanted or malicious content, we are enhancing how users preview quarantined messages to provide additional security against embedded threats. With this change some components in quarantined messages will be distorted and not displayed by default. To see the full contents of the message, users can choose to reveal the full message.
With this update, users who have been granted delegate access to a shared mailbox, either through direct access or security group access, will now be able to triage the quarantined items of those mailboxes. This makes managing the quarantine for shared mailboxes easier for users.
In 2020 we launched Priority Account Protection in Defender for Office 365, helping security teams focus on the most visible and most targeted users in their environments. We’re expanding this visibility by incorporating priority account tags in the quarantine experience, enabling security teams to focus on these priority accounts as they triage the quarantine folder.
End user spam notifications will now be sent by default in the language configured in each end user's mailbox settings.
Previously, security admins had to choose the user specific language for Office 365 to use while sending user quarantine notifications. In an organization where users speak multiple languages this becomes a challenge.
We are revamping the design of the quarantine portal to allow for a better user experience when triaging false positive emails. This new look and feel is more than a cosmetic change – we’ve designed the new experience to help surface more data in a more useful and simple way. The screenshots below show what the new UX adds, like more filters, a revamped flyout, and better filter visibility.
Earlier this year we launched the email entity page, which gives SecOps a 360-degree view of an email, putting all the relevant details in the hands of the analyst. We are replacing the email details panel in quarantine with a panel that provides the same in-depth view of each email in quarantine which will bolster SecOps confidence when making decisions.
We’re continuing to enhance the quarantine experience and workflow for both end users and security teams. Here are a few enhancements you can expect to see in the coming months:
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.