Remediation actions in Microsoft Defender for Office 365
Tip: Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
Remediation actions
Threat protection features in Microsoft Defender for Office 365 include certain remediation actions. Such remediation actions can include:
- Soft delete email messages or clusters
- Block URL (time-of-click)
- Turn off external mail forwarding
- Turn off delegation
In Microsoft Defender for Office 365, remediation actions aren't taken automatically. Instead, remediation actions are taken only upon approval by your organization's security operations team.
Threats and remediation actions
Microsoft Defender for Office 365 includes remediation actions to address various threats. Automated investigations often result in one or more remediation actions to review and approve. In some cases, an automated investigation doesn't result in a specific remediation action. To further investigate and take appropriate actions, use the guidance in the following table.
Category | Threat/risk | Remediation action(s) |
---|---|---|
Email | Malware | Soft delete email/cluster. If more than a handful of email messages in a cluster contain malware, the cluster is considered to be malicious. |
Email | Malicious URL (A malicious URL was detected by Safe Links.) | Soft delete email/cluster; Block URL (time-of-click verification). Email that contains a malicious URL is considered to be malicious. |
Email | Phish | Soft delete email/cluster. If more than a handful of email messages in a cluster contain phishing attempts, the whole cluster is considered a phishing attempt. |
Email | Zapped phish (Email messages were delivered and then zapped.) | Soft delete email/cluster. Reports are available to view zapped messages. See if ZAP moved a message and FAQs. |
Email | Missed phish email reported by a user | Automated investigation triggered by the user's report. |
Email | Volume anomaly (Recent email quantities exceed the previous 7-10 days for matching criteria.) | Automated investigation doesn't result in a specific pending action. Volume anomaly isn't a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days. Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. See Find suspicious email that was delivered. |
Email | No threats found (The system didn't find any threats based on files, URLs, or analysis of email cluster verdicts.) | Automated investigation doesn't result in a specific pending action. Threats found and zapped after an investigation is complete aren't reflected in an investigation's numerical findings, but such threats are viewable in Threat Explorer. |
User | A user clicked a malicious URL (A user navigated to a page that was later found to be malicious, or a user bypassed a Safe Links warning page to get to a malicious page.) | Automated investigation doesn't result in a specific pending action. Block URL (time-of-click). Use Threat Explorer to view data about URLs and click verdicts. If your organization is using Microsoft Defender for Endpoint, consider investigating the user to determine if their account is compromised. |
User | A user is sending malware/phish | Automated investigation doesn't result in a specific pending action. The user might be reporting malware/phish, or someone could be spoofing the user as part of an attack. Use Threat Explorer to view and handle email containing malware or phishing. |
User | Email forwarding (Mailbox forwarding rules are configured, which could be used for data exfiltration.) | Remove forwarding rule. Use the Autoforwarded messages report to view specific details about forwarded email. |
User | Email delegation rules (A user's account has delegations set up.) | Remove delegation rule. If your organization is using Microsoft Defender for Endpoint, consider investigating the user who's getting the delegation permission. |
User | Data exfiltration (A user violated email or file-sharing DLP policies.) | Automated investigation doesn't result in a specific pending action. |
User | Anomalous email sending (A user recently sent more email than during the previous 7-10 days.) | Automated investigation doesn't result in a specific pending action. Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use the New users forwarding email insight in the EAC and the Outbound message report in the EAC to determine what's going on and take action. |
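The forwarding and delegation rows are the ones where a reviewer most wants to see the mailbox's actual configuration before approving the pending "Remove forwarding rule" or "Remove delegation rule" action. The following PowerShell is an added, read-only example, not code from the Microsoft docs or the Defender product; it assumes the ExchangeOnlineManagement module, an open Connect-ExchangeOnline session, and that `$InternalDomains` lists your organization's accepted domains (`contoso.com` is a placeholder).

```powershell
# Added review helper; not part of the Defender for Office 365 docs or product. Read-only:
# it lists what is configured so an analyst can judge a pending "Remove forwarding rule"
# or "Remove delegation rule" action before approving it in the portal.
# Assumes the ExchangeOnlineManagement module and an open Connect-ExchangeOnline session.
function Get-MailboxExposureReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # mailbox under review
        [string[]] $InternalDomains = @('contoso.com')         # assumed: your accepted domains
    )
    $mbx = Get-Mailbox -Identity $UserPrincipalName -ErrorAction Stop

    # 1. Inbox rules that forward or redirect mail; a target whose SMTP domain is not one
    #    of ours is flagged External (the case the "Remove forwarding rule" action targets).
    $rules = Get-InboxRule -Mailbox $UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                       Where-Object { $_ }
            [pscustomobject]@{
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = $targets -join '; '
                External = [bool]($targets | Where-Object {
                    $_ -match '@([A-Za-z0-9.-]+)' -and
                    $InternalDomains -notcontains $Matches[1].ToLower() })
            }
        }
    # 2. Delegations on the mailbox: Full Access, Send As, and Send on Behalf.
    #    Inherited and system (NT AUTHORITY\*) entries are noise and are skipped.
    $fullAccess = Get-MailboxPermission -Identity $UserPrincipalName |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.User -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'FullAccess' } |
        Select-Object -ExpandProperty User
    $sendAs = Get-RecipientPermission -Identity $UserPrincipalName |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'SendAs' } |
        Select-Object -ExpandProperty Trustee
    # Mailbox-level forwarding (Set-Mailbox) is separate from inbox rules and is reported too.
    [pscustomobject]@{
        Mailbox                    = $mbx.UserPrincipalName
        ForwardingSmtpAddress      = $mbx.ForwardingSmtpAddress
        ForwardingAddress          = $mbx.ForwardingAddress
        DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
        ForwardingRules            = $rules
        FullAccessDelegates        = $fullAccess
        SendAsDelegates            = $sendAs
        SendOnBehalfDelegates      = $mbx.GrantSendOnBehalfTo
    }
}
```

Run it as `Get-MailboxExposureReview -UserPrincipalName user@contoso.com -InternalDomains 'contoso.com','contoso.onmicrosoft.com'` and compare the output with the pending action in the Action center; any rule flagged External or delegate you cannot account for is the one to approve removal of.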
Next steps
- View details and results of an automated investigation in Microsoft Defender for Office 365
- View pending or completed remediation actions following an automated investigation in Microsoft Defender for Office 365