Taking action on suspicious emails
Now that you have investigated all the aspects of spam emails, it's time to take action. The following actions are available for bulk email:
- Move and Delete
- Track and Notify
- Start New Submission
Let's review them all.
Move and delete
This would be the most common path for you. Your initial investigation has led you to a conclusion. There are five different actions that you can take.
Move to Junk Folder
This is the least aggressive option. The selected emails are moved to the user's Junk folder. Users are not notified, but they can still access the emails in the Junk folder.
To do this, select all the emails and click Actions > Move to junk folder.
You are then prompted to enter a name for this remediation (as Microsoft calls it). Give it a name and click Next.
On the following screen, choose the severity. Selecting High may force Microsoft to prioritize your request.
On the final page, you can review your selections. The most important part of this page is the utility to export the list of users on which you are taking action. You can click Export to get an Excel sheet for future reference. It's always good to note these things in your tickets or emails.
Then click Start to initiate the action. The Microsoft servers process the request.
Move to Deleted Items
This option moves the selected emails to the Deleted Items folder. Whether this is the appropriate course of action depends on the severity of the issue and the policies in your organization.
Users can still view the emails in the Deleted Items folder.
Soft deletion
Here, you move emails to the Recover Deleted Items folder. The difference is that users do not get to see this folder directly. They must follow a few steps to access this folder, as explained in this link.
Hard deletion
This option deletes the email permanently, with no chance of recovery. This is an aggressive approach and must be employed only when you are certain that the emails in question aren't needed. This may also be the path in the event of a serious breach of security due to malicious emails.
Move to Inbox
Your investigation has led you to believe that the emails in question are legitimate. The Move to Inbox option helps you to legitimize such emails.
Track and notify
If your aim is to identify suspicious emails and then notify Microsoft, this path will help you.
Trigger investigation
You can select the email you want to be investigated by Microsoft, as shown here.
You can view the progress of the investigation on the Investigations tab, as seen here.
Automated investigation and response (AIR) in Defender for Office 365 is an interesting topic; see this link for more on it.
Investigate sender
If you want to investigate only the sender, this option is useful. Starting an investigation of the entire email means requesting that Microsoft analyze several aspects of the email.
You can restrict the investigation to the sender only if you have reason to believe that the sender is malicious. Again, the results are displayed on the Investigations tab under Threat Management.
Investigate recipient
Just as with the sender, you can also initiate an investigation on a recipient. The options to start the investigation and then view the results and recommendations remain the same.
Add to remediation
This option is useful when the admin does not have the necessary rights to perform action on the emails. The admin can add the emails to a remediation container. Another admin with the required rights can then approve or reject the actions.
Contact recipients
End users can be contacted using this method. However, it's recommended to keep end-user communication to a minimum.
Start new submission
This section has four options, as shown in the screenshot here.
Report clean
This is used to report any false positives to Microsoft. Its status can be followed on the Submissions tab under Threat Management.
Report phishing
Emails that are clearly attempts at phishing and have not been identified by Exchange Online Protection (EOP) can be marked as phishing emails and reported to Microsoft.
Report malware
You can report emails as malware to Microsoft so they can be analyzed.
Report spam
Likewise, emails can be reported as spam to Microsoft.
Tracking emails using different criteria
We have already seen that you can track emails using the Sender email address. The other commonly used criteria for tracking emails in Explorer are:
- Sender domain
- Exchange transport rule
- Delivery action
Apart from this, you can also track emails using some advanced queries. These include the following:
- Network message ID
- Internet message ID
- Sender IP
- Alert ID
- Campaign ID
URL traces
Defender for Office 365 has a feature called Safe Links. Safe Links provides a layer of security to end users against malicious URLs in emails and other areas. You often have to identify the users who clicked on a specific URL or received an email with that URL. Such situations can be handled using the URL trace criteria in Explorer.
The different options are as follows:
- URL: Paste the URL and search for all delivered emails that contained it.
- URL domain, URL domain and path, and URL path: Search on parts of the URL instead of the full string.
- Click Verdict: Search for emails with URLs that were blocked, blocked but overridden, or allowed, among others.
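The same tracking criteria (sender domain, sender IP, delivery action, network and Internet message ID) and the URL trace above can be reproduced outside Explorer in the Defender portal's Advanced Hunting. The query below is an added example, not from the article; it assumes the standard Advanced Hunting schema (EmailEvents, EmailUrlInfo, UrlClickEvents), and the URL and time window are constructed placeholders.

```kql
// Added example: Advanced Hunting equivalent of an Explorer URL trace,
// joined with the delivery criteria used for tracking emails.
// suspectUrl is a constructed placeholder; replace it with the URL under review.
let lookback = 7d;
let suspectUrl = "https://example.invalid/login";
// 1. Messages that carried the URL (Explorer: URL / URL domain criteria)
let hits = EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where Url =~ suspectUrl
         or UrlDomain =~ tostring(parse_url(suspectUrl).Host)
    | distinct NetworkMessageId;
// 2. Delivery details for those messages (Explorer: sender domain,
//    sender IP, delivery action, network / Internet message ID)
let delivered = EmailEvents
    | where Timestamp > ago(lookback)
    | where NetworkMessageId in (hits)
    | project NetworkMessageId, InternetMessageId, RecipientEmailAddress,
              SenderFromDomain, SenderIPv4, DeliveryAction, DeliveryLocation;
// 3. Safe Links click verdicts (Explorer: Click Verdict criterion);
//    ActionType holds values such as ClickAllowed or ClickBlocked
let clicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | where Url =~ suspectUrl
    | project NetworkMessageId, AccountUpn, ActionType,
              IsClickedThrough, ClickTime = Timestamp;
// 4. Recipients who received the URL, grouped by how the mail was
//    delivered and whether anyone clicked (no click = NoClickRecorded)
delivered
| join kind=leftouter clicks on NetworkMessageId
| extend ClickVerdict = iff(isempty(ActionType), "NoClickRecorded", ActionType)
| summarize Recipients = make_set(RecipientEmailAddress),
            Clickers   = make_set_if(AccountUpn, isnotempty(AccountUpn))
    by DeliveryAction, DeliveryLocation, ClickVerdict
| order by ClickVerdict asc
```

Recipients whose row shows DeliveryAction "Delivered" together with a ClickAllowed verdict are the ones to prioritize for the Move and delete or Contact recipients actions described above.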