Remediation actions in Microsoft Defender for Office 365
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
Remediation actions
Threat protection features in Microsoft Defender for Office 365 include certain remediation actions. Such remediation actions can include:
- Soft delete email messages or clusters
- Block URL (time-of-click)
- Turn off external mail forwarding
- Turn off delegation
In Microsoft Defender for Office 365, remediation actions aren't taken automatically. Instead, remediation actions are taken only upon approval by your organization's security operations team.
Threats and remediation actions
Microsoft Defender for Office 365 includes remediation actions to address various threats. Automated investigations often result in one or more remediation actions to review and approve. In some cases, an automated investigation doesn't result in a specific remediation action. To further investigate and take appropriate actions, use the guidance in the following table.
Category | Threat/risk | Remediation action(s) |
---|---|---|
Malware | Soft delete email/cluster If more than a handful of email messages in a cluster contain malware, the cluster is considered to be malicious. |
|
Malicious URL (A malicious URL was detected by Safe Links.) |
Soft delete email/cluster Block URL (time-of-click verification) Email that contains a malicious URL is considered to be malicious. |
|
Phish | Soft delete email/cluster If more than a handful of email messages in a cluster contain phishing attempts, the whole cluster is considered a phishing attempt. |
|
Zapped phish (Email messages were delivered and then zapped.) |
Soft delete email/cluster Reports are available to view zapped messages. See if ZAP moved a message and FAQs. |
|
Missed phish email reported by a user | Automated investigation triggered by the user's report | |
Volume anomaly (Recent email quantities exceed the previous 7-10 days for matching criteria.) |
Automated investigation doesn't result in a specific pending action. Volume anomaly isn't a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days. Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. See Find suspicious email that was delivered. |
|
No threats found (The system didn't find any threats based on files, URLs, or analysis of email cluster verdicts.) |
Automated investigation doesn't result in a specific pending action. Threats found and zapped after an investigation is complete aren't reflected in an investigation's numerical findings, but such threats are viewable in Threat Explorer. |
|
User | A user clicked a malicious URL (A user navigated to a page that was later found to be malicious, or a user bypassed a Safe Links warning page to get to a malicious page.) |
Automated investigation doesn't result in a specific pending action. Block URL (time-of-click) Use Threat Explorer to view data about URLs and click verdicts. If your organization is using Microsoft Defender for Endpoint, consider investigating the user to determine if their account is compromised. |
User | A user is sending malware/phish | Automated investigation doesn't result in a specific pending action. The user might be reporting malware/phish, or someone could be spoofing the user as part of an attack. Use Threat Explorer to view and handle email containing malware or phishing. |
User | Email forwarding (Mailbox forwarding rules are configured, chch could be used for data exfiltration.) |
Remove forwarding rule Use the Autoforwarded messages report to view specific details about forwarded email. |
User | Email delegation rules (A user's account has delegations set up.) |
Remove delegation rule If your organization is using Microsoft Defender for Endpoint, consider investigating the user who's getting the delegation permission. |
User | Data exfiltration (A user violated email or file-sharing DLP policies |
Automated investigation doesn't result in a specific pending action. |
User | Anomalous email sending (A user recently sent more email than during the previous 7-10 days.) |
Automated investigation doesn't result in a specific pending action. Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use the New users forwarding email insight in the EAC and Outbound message report in the EAC to determine what's going on and take action. |
Next steps
- View details and results of an automated investigation in Microsoft Defender for Office 365
- View pending or completed remediation actions following an automated investigation in Microsoft Defender for Office 365