MC262781: Microsoft Defender for Office 365: Investigation updates for improved email threats and actions

We are improving Microsoft Defender for Office automated investigation email clustering and actions to ensure that actions only occur on malicious emails still in the mailbox. This will result in more accurate threat information, with fewer email actions, and refreshed actions/data. This message is associated with Microsoft 365 Roadmap ID 82056.

We have new updates and improvements to the Automated Investigation and Response (AIR) playbooks that better capture the state of the emails and entities being investigated. This results in more accurate threat data and actions, which in turn improves security operations workflows.

Affected Workloads

  • Exchange Online

When this will happen

The rollout of the updated email clustering will begin in mid-June (June 21st) and will be complete by late July.

How this will affect your organization

The automated investigation improvements in Microsoft Defender for Office 365 use all threats found and the latest delivery location of an email to provide clearer information and email actions.

Prior to this update

Investigations analyzed emails using the original delivery action (for example, delivered to inbox). This meant an investigation would request email deletion even when the emails had already been removed from mailboxes.

Update improvements

Microsoft Defender for Office 365 automated investigations will now use the latest delivery location, the same data that Explorer and Advanced Hunting use. Investigations will only queue actions for approval when malicious emails are still in the mailbox (that is, the latest delivery location is the inbox or the junk folder).

  • If none of the malicious emails are still in the mailbox, the investigation reports the threats but treats them as remediated, with no action required.
  • Email cluster details show how many emails are ‘in mailbox’, ‘not in mailbox’, and ‘on-premise/external’.
  • Email evidence is also being improved so that it aligns with the threats shown in Explorer (emails, email clusters, URLs, and files), indicating the phish confidence level as well as spam verdicts.
  • Email clusters show counts for those threats and use them to decide actions. Investigations only queue actions for malware or high confidence phish; spam and normal phish are reported as suspicious, with no actions queued.
  • Pending actions therefore focus on the most significant problems and avoid unneeded actions on normal phish, which reduces the number of investigations that require action.

To give security teams more current and accurate information, investigations that are pending approval will refresh their email results periodically until either the investigation expires or its actions are approved or rejected. Refreshing the investigation’s email data updates the threats found, the location of the emails, and any pending actions.

  • If all malicious emails are removed from the mailboxes after an investigation has completed but before its pending actions are approved, the pending actions are closed.
  • If the email threats have already been mitigated by actions taken elsewhere, the investigation changes to remediated and its alerts are resolved.
  • This ensures security teams get clear visibility into present problems, not just previously identified issues that may already have been resolved.
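The clustering and action rules in the two lists above, and the refresh of a pending investigation, are modelled below as an added example. This is constructed illustration code, not Microsoft’s implementation; every field, location label and verdict label in it is an assumption chosen to mirror the announcement’s wording.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical model of the AIR email-cluster decision in MC262781; all labels are constructed.
MAILBOX_LOCATIONS = {"inbox", "junk"}              # counts as "still in the mailbox"
ACTIONABLE = {"malware", "high_confidence_phish"}  # only these verdicts queue actions

@dataclass
class Email:
    message_id: str
    verdict: str            # malware | high_confidence_phish | phish | spam | clean
    original_location: str  # original delivery action (the pre-update basis)
    latest_location: str    # inbox | junk | quarantine | deleted | on_prem_external

def bucket(location):
    """Map a delivery location onto the three buckets the cluster details show."""
    if location in MAILBOX_LOCATIONS:
        return "in mailbox"
    if location == "on_prem_external":
        return "on-premise/external"
    return "not in mailbox"

def evaluate_cluster(emails, use_latest_location=True):
    """One cluster's counts, threats, pending actions and status (use_latest_location=False: old logic)."""
    loc = (lambda e: e.latest_location) if use_latest_location else (lambda e: e.original_location)
    counts = Counter(bucket(loc(e)) for e in emails)
    threats = Counter(e.verdict for e in emails if e.verdict != "clean")
    pending = [e.message_id for e in emails
               if e.verdict in ACTIONABLE and bucket(loc(e)) == "in mailbox"]
    if pending:
        status = "pending_approval"
    elif any(e.verdict in ACTIONABLE for e in emails):
        status = "remediated"   # malicious mail was found, but none is left to act on
    else:
        status = "suspicious"   # spam / normal phish only: reported, no action queued
    return {"counts": dict(counts), "threats": dict(threats),
            "pending_actions": pending, "status": status}

def with_removed(emails, removed_ids):
    """Refreshed view after another action moved the listed messages out of the mailbox."""
    return [Email(e.message_id, e.verdict, e.original_location,
                  "deleted" if e.message_id in removed_ids else e.latest_location)
            for e in emails]

CLUSTER = [  # constructed sample: three messages from one phishing campaign
    Email("m1", "high_confidence_phish", "inbox", "inbox"),
    Email("m2", "high_confidence_phish", "inbox", "quarantine"),  # already removed
    Email("m3", "phish", "inbox", "junk"),                        # normal phish
]
```

Re-running `evaluate_cluster` on `with_removed(CLUSTER, {"m1"})` shows the refresh behaviour: once no malicious mail is left in a mailbox the pending action list empties and the cluster is reported as remediated.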

What you need to do to prepare

Notify your security operations team of this upcoming change. It will reduce the number of actions they see, change the data gathered during an investigation, and update the deep link from the investigation, incident, and Action center pages to Explorer so that it uses the latest delivery location.

Message ID: MC262781
Published: 17 June 2021
Updated: 13 July 2021
Effective: June 17, 2021