
MC262781: Microsoft Defender for Office 365: Investigation updates for improved email threats and actions

We are improving Microsoft Defender for Office automated investigation email clustering and actions to ensure that actions only occur on malicious emails still in the mailbox. This will result in more accurate threat information, with fewer email actions, and refreshed actions/data. This message is associated with Microsoft 365 Roadmap ID 82056.


We have new updates and improvements to the Automated Investigation and Response (AIR) playbooks that better capture the current state of the emails and entities being investigated. This results in more accurate threat data and actions, which in turn improves security operations workflows.

Affected Workloads

  • Exchange Online

When this will happen

The rollout of the updated email clustering will begin in mid-June (June 21st) and will be complete by late July.

How this will affect your organization

The improved automated investigations in Microsoft Defender for Office 365 use all identified threats and the latest delivery location of an email to provide clearer information and more accurate email actions.

Prior to this update

Investigations analyzed emails using the original delivery action and location (for example, delivered to the inbox). As a result, an investigation could queue a deletion action for emails that had already been removed from mailboxes by another action, so the pending action no longer reflected the real state of the mailbox.

Update improvements

Microsoft Defender for Office 365 automated investigations will now use the latest delivery location, the same field that Explorer and Advanced Hunting already use. Investigations will only queue actions for approval when malicious emails are still in the mailbox, that is, when the latest delivery location is the inbox or the junk folder.

  • If none of the malicious emails are still in a mailbox, the investigation still lists the threats but treats them as remediated, with no action required.
  • Email cluster details show how many emails are ‘in mailbox’, ‘not in mailbox’, and ‘on-premise/external’.
  • Email evidence is also being improved so that it aligns with the threats shown in Explorer (emails, email clusters, URLs, and files), and indicates the phish confidence level as well as spam verdicts.
  • Email clusters show counts per verdict and use them to decide actions: investigations queue actions only for malware or high-confidence phish. Spam and normal (lower-confidence) phish are marked as suspicious, with no action queued.
  • Pending actions therefore focus on the most significant problems and avoid unneeded actions on normal phish, which reduces the number of investigations that require analyst approval.

To give security teams more current and accurate information, investigations that are pending approval will refresh their email results periodically until either the investigation expires or the actions are approved or rejected. Each refresh updates the threats found, the current location of the emails, and any pending actions.

  • If all malicious emails are removed from the mailboxes after an investigation completes but before its pending actions are approved, the pending actions are closed.
  • If the emails have already been remediated by actions taken elsewhere (for example, another investigation or a manual remediation), the investigation changes to remediated and its alerts are resolved.
  • This gives security teams clear visibility into present problems rather than previously identified issues that may already have been resolved.
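The following Advanced Hunting query is an added example and is not part of the Message Center post or Microsoft's own AIR logic. It reproduces the updated action criteria described above (malware or high-confidence phish, and the message still in the inbox or junk folder according to the latest delivery location) so a SOC analyst can see ahead of time which email clusters an investigation would now act on and which it would report as already remediated. It assumes the column names of the EmailEvents and EmailPostDeliveryEvents tables and the documented string values for LatestDeliveryLocation, ThreatTypes and ConfidenceLevel; the 7-day lookback and the ‘in mailbox’ / ‘not in mailbox’ / ‘on-premise/external’ bucket labels are choices made for the example.

```kql
// Added example, not from the Message Center post or from Microsoft's AIR playbooks.
// Reproduces the updated AIR action criteria in Advanced Hunting:
//   - threat verdict is Malware, or Phish with High confidence
//   - latest delivery location is Inbox/folder or Junk folder
// Column names follow the EmailEvents / EmailPostDeliveryEvents schema; the location,
// threat and confidence strings are assumed to match the documented values.
let lookback = 7d;   // assumption: adjust to the investigation window you care about
// Latest post-delivery action per message and recipient (ZAP, manual remediation, ...),
// used only to explain why a message is no longer in the mailbox.
let lastPostDelivery =
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, ActionType, Action, ActionResult)
        by NetworkMessageId, RecipientEmailAddress
    | project NetworkMessageId, RecipientEmailAddress,
              LastActionType = ActionType, LastAction = Action, LastActionResult = ActionResult;
EmailEvents
| where Timestamp > ago(lookback)
// ConfidenceLevel is a JSON object such as {"Spam":"Normal","Phish":"High"}
| extend PhishConfidence = tostring(parse_json(ConfidenceLevel).Phish)
// Same verdict filter the updated investigations use for queuing actions
| where ThreatTypes has "Malware"
     or (ThreatTypes has "Phish" and PhishConfidence == "High")
// Same location buckets the email cluster details now report
| extend LocationBucket = case(
      LatestDeliveryLocation in ("Inbox/folder", "Junk folder"), "in mailbox",
      LatestDeliveryLocation == "On-premises/external",        "on-premise/external",
      "not in mailbox")
| join kind=leftouter lastPostDelivery on NetworkMessageId, RecipientEmailAddress
| summarize Emails         = count(),
            InMailbox      = countif(LocationBucket == "in mailbox"),
            NotInMailbox   = countif(LocationBucket == "not in mailbox"),
            OnPremExternal = countif(LocationBucket == "on-premise/external"),
            Recipients     = dcount(RecipientEmailAddress),
            LastActions    = make_set(LastActionType, 5)
    by SenderFromAddress, Subject, ThreatTypes
// A cluster gets a pending action only if at least one message is still in a mailbox;
// clusters with InMailbox == 0 are the ones the investigation now reports as remediated.
| extend WouldQueueAction = InMailbox > 0
| order by WouldQueueAction desc, InMailbox desc
```

Run the query in the Advanced Hunting page of the Microsoft 365 Defender portal. Rows with WouldQueueAction set to true are the clusters an investigation would still ask you to approve; rows where every message is ‘not in mailbox’ show, via LastActions, which earlier action (for example a ZAP or manual remediation) already removed them, which is the situation the periodic refresh now resolves automatically instead of leaving a stale pending action.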

What you need to do to prepare

Notify your security operations team of this upcoming change. It will reduce the number of actions they see, change the data gathered during an investigation, and update the deep link from the investigation, incident, or Action center to Explorer so that it uses the latest delivery location.


Message ID: MC262781
Published: 17 June 2021
Updated: 03 August 2021
Effective: June 17, 2021

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
