Remediation actions in Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

Remediation actions

Threat protection features in Microsoft Defender for Office 365 include certain remediation actions. Such remediation actions can include:

  • Soft delete email messages or clusters
  • Block URL (time-of-click)
  • Turn off external mail forwarding
  • Turn off delegation

In Microsoft Defender for Office 365, remediation actions aren't taken automatically. Instead, remediation actions are taken only upon approval by your organization's security operations team.

Threats and remediation actions

Microsoft Defender for Office 365 includes remediation actions to address various threats. Automated investigations often result in one or more remediation actions to review and approve. In some cases, an automated investigation doesn't result in a specific remediation action. To further investigate and take appropriate actions, use the guidance in the following table.

Category | Threat/risk | Remediation action(s)

Email | Malware | Soft delete email/cluster
  If more than a handful of email messages in a cluster contain malware, the cluster is considered to be malicious.

Email | Malicious URL (A malicious URL was detected by Safe Links.) | Soft delete email/cluster; Block URL (time-of-click verification)
  Email that contains a malicious URL is considered to be malicious.

Email | Phish | Soft delete email/cluster
  If more than a handful of email messages in a cluster contain phishing attempts, the whole cluster is considered a phishing attempt.

Email | Zapped phish (Email messages were delivered and then zapped.) | Soft delete email/cluster
  Reports are available to view zapped messages. See if ZAP moved a message and FAQs.

Email | Missed phish email reported by a user | Automated investigation triggered by the user's report

Email | Volume anomaly (Recent email quantities exceed the previous 7-10 days for matching criteria.) | Automated investigation doesn't result in a specific pending action.
  Volume anomaly isn't a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days.
  Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. See Find suspicious email that was delivered.

Email | No threats found (The system didn't find any threats based on files, URLs, or analysis of email cluster verdicts.) | Automated investigation doesn't result in a specific pending action.
  Threats found and zapped after an investigation is complete aren't reflected in an investigation's numerical findings, but such threats are viewable in Threat Explorer.

User | A user clicked a malicious URL (A user navigated to a page that was later found to be malicious, or a user bypassed a Safe Links warning page to get to a malicious page.) | Automated investigation doesn't result in a specific pending action. Block URL (time-of-click)
  Use Threat Explorer to view data about URLs and click verdicts.
  If your organization is using Microsoft Defender for Endpoint, consider investigating the user to determine if their account is compromised.

User | A user is sending malware/phish | Automated investigation doesn't result in a specific pending action.
  The user might be reporting malware/phish, or someone could be spoofing the user as part of an attack. Use Threat Explorer to view and handle email containing malware or phishing.

User | Email forwarding (Mailbox forwarding rules are configured, which could be used for data exfiltration.) | Remove forwarding rule
  Use the Autoforwarded messages report to view specific details about forwarded email.

User | Email delegation rules (A user's account has delegations set up.) | Remove delegation rule
  If your organization is using Microsoft Defender for Endpoint, consider investigating the user who's getting the delegation permission.

User | Data exfiltration (A user violated email or file-sharing DLP policies.) | Automated investigation doesn't result in a specific pending action.
  Get started with Activity Explorer.

User | Anomalous email sending (A user recently sent more email than during the previous 7-10 days.) | Automated investigation doesn't result in a specific pending action.
  Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use the New users forwarding email insight and the Outbound message report in the EAC to determine what's going on and take action.
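The email forwarding and email delegation rows above describe configuration a security operations team reviews before approving the "Remove forwarding rule" and "Remove delegation rule" actions. The following Exchange Online PowerShell script is an added example, not part of the Microsoft Learn page: it lists mailbox-level forwarding, inbox rules that forward or redirect to addresses outside the tenant's accepted domains, and explicit Full Access delegations. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run with sufficient permissions.

```powershell
# Added example (not from the Microsoft Learn page). Assumes Connect-ExchangeOnline
# has already established a session with permission to read mailbox settings.

# Domains the tenant accepts mail for; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox rule recipients render as 'Name [SMTP:user@example.com]' for SMTP
    # targets or 'Name [EX:/o=...]' for internal recipient objects.
    if ($Address -match 'SMTP:([^\]]+)') {
        $domain = (($Matches[1] -split '@')[-1]).ToLower()
        return -not ($internalDomains -contains $domain)
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# 1. Mailbox-level forwarding (set by an admin or through Outlook settings).
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect to recipients outside the accepted domains.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | ForEach-Object {
        $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalAddress $_.ToString() }
        if ($external) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $_.Name
                Enabled  = $_.Enabled
                External = ($external -join '; ')
            }
        }
    }
}

# 3. Explicit Full Access delegations, ignoring the owner's own entry and inherited ACEs.
foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.UserPrincipalName |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, User, AccessRights
}
```

Each of the three sections emits objects you can pipe to Export-Csv for the review that precedes approving a pending remediation action; disabled rules are reported too, since a rule can be re-enabled later.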

Next steps