Microsoft Defender for Office 365: Updates

Microsoft Defender for Office 365: Spam detection report to be retired in July

We will retire the Spam detection report from Microsoft Defender for Office 365 beginning July 30, 2021. We are also retiring the PowerShell cmdlet associated with the Spam detection report, Get-MailDetailSpamReport.

Before we fully initiate the retirement of the standalone Spam detection report, we will include spam catches in the Threat protection status report; today it includes only phish and malware catches.

You are receiving this message because our reporting indicates your organization may be using the Spam detection report.

Key points

  • Timing: July 30, 2021
  • Action: transition from the Spam detection report to the Threat protection status report

What you need to do to prepare

Instead of using the Spam detection report, we recommend you use the Threat protection status report, which is where we will continue to invest our resources.

You might want to update your training and documentation as appropriate.

Microsoft Defender for Office 365: Malware detected in email to be retired in June

We will retire the Malware detected in email report from Microsoft Defender for Office 365 beginning June 14, 2021.

You are receiving this message because our reporting indicates your organization may be using the Malware detected in email report.

Key points

  • Timing: June 14, 2021
  • Action: transition from the Malware detected in email report to the Threat protection status report

What you need to do to prepare

Instead of using the Malware detected in email report, we recommend you use the Threat protection status report, which is where we will continue to invest our resources.

You might want to update your training and documentation as appropriate.

Microsoft Defender for Office 365: Safe attachment message disposition to be retired in June

We will retire the Safe attachment message disposition report from Microsoft Defender for Office 365 beginning June 14, 2021.

You are receiving this message because our reporting indicates your organization may be using the Safe attachment message disposition report.

Key points

  • Timing: June 14, 2021
  • Action: transition from the Safe attachment message disposition report to the Threat protection status report

What you need to do to prepare

Instead of using the Safe attachment message disposition report, we recommend you use the Threat protection status report, which is where we will continue to invest our resources.

You might want to update your training and documentation as appropriate.

Microsoft Defender for Office 365: Safe attachment file types report to be retired in June

We will retire the Safe attachment file types report from Microsoft Defender for Office 365 beginning June 14, 2021. We are also retiring the PowerShell cmdlets associated with the Safe attachment file types report: Get-AdvancedThreatProtectionTrafficReport and Get-MailDetailMalwareReport.

You are receiving this message because our reporting indicates your organization may be using the Safe attachment file types report.

Key points

  • Timing: June 14, 2021
  • Action: transition from the Safe attachment file types report to the Threat protection status report

What you need to do to prepare

Instead of using the Safe attachment file types report, we recommend you use the Threat protection status report, which is where we will continue to invest our resources.

You might want to update your training and documentation as appropriate.

Microsoft Defender for Office 365: Forwarding report to be retired in June

We will retire the Forwarding report from Microsoft Defender for Office 365 beginning June 14, 2021.

You are receiving this message because our reporting indicates your organization may be using the Forwarding report.

Key points

  • Timing: June 14, 2021
  • Action: transition from the Forwarding report to the Auto forwarded report in the Microsoft Exchange admin center

What you need to do to prepare

Instead of using the Forwarding report, we recommend you use the Auto forwarded report (https://admin.exchange.microsoft.com/#/reports/autoforwardedmessages), which is where we will continue to invest our resources.

You might want to update your training and documentation as appropriate.

Microsoft Defender for Office 365: Updates to post-delivery detections and investigations

Microsoft Defender for Office 365 is introducing new alert policies related to post-delivery detections as well as enhancements to the Automated Investigation & Response (AIR) playbooks associated with them.

In addition, we are modifying the severity classification for six default alert policies to better align the alerts with their impact on your organization.

This message is associated with Microsoft 365 Roadmap ID 70614.

When this will happen

  • New alerts rollout begins on April 14, 2021
  • We will disable two existing alert policies on April 30, 2021
  • The severity classification changes happen at the end of April

How this affects your organization

These new alerts, and the AIR playbooks that trigger from them, will accurately capture the threats in the emails and entities, including whether a URL points to a malicious file or a file contains a malicious URL.

New alerts:

  • Email messages containing malicious URL removed after delivery
  • Email messages containing malicious file removed after delivery
  • Email messages from a campaign were delivered and later removed
  • Malicious emails were delivered and later removed

Existing alerts that will be disabled at the end of April:

  • Email messages containing phish URLs removed after delivery
  • Email messages containing malware removed after delivery

Between April 14 and April 30 you will see both the new alerts and the to-be-removed alerts, to provide your security teams with time to handle any required changes. To help security teams with the increased alert volume during this short period, the existing and new alerts will be correlated into the same AIR investigation and into the same incidents.

In addition, we are modifying the severity classification of the following default alert policies to better align with the potential risk and impact on your organization and to help your security teams prioritize alerts.

  • Suspicious Email Forwarding Activity
  • Email reported by user as malware or phish
  • Unusual increase in email reported as phish
  • Admin Submission Result Completed
  • Creation of forwarding/redirect rule
  • eDiscovery search started or exported

What you need to do to prepare

If you are utilizing alerts either through an API, alert email notification, or in the Office 365 Security & Compliance Center (protection.office.com/viewalerts) or Microsoft Security Center (security.microsoft.com/viewalerts), you will need to modify your workflows by April 30, 2021.

If you are not currently utilizing these alerts, you may:

  • Disable the existing alert policies in order to reduce alert volume in your tenant: “Email messages containing phish URLs removed after delivery” and “Email messages containing malware removed after delivery”
  • Do nothing; we will disable these two existing alert policies on April 30, 2021
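
An added example, not part of the original announcements or Microsoft's tooling: a Python scan that finds references to the cmdlets and alert policies this page says are being retired or disabled, so scripts and alert-routing rules can be updated before the dates above. The sample file contents, file names and review date are constructed assumptions.

```python
import re
from datetime import date

# Retired names, dates and replacements as stated in the announcements on this page.
TPS = "Threat protection status report"
NEW_ALERTS = "the four new post-delivery alert policies"
RETIRED = {
    "Get-MailDetailSpamReport": (date(2021, 7, 30), TPS),
    "Get-AdvancedThreatProtectionTrafficReport": (date(2021, 6, 14), TPS),
    "Get-MailDetailMalwareReport": (date(2021, 6, 14), TPS),
    "Email messages containing phish URLs removed after delivery": (date(2021, 4, 30), NEW_ALERTS),
    "Email messages containing malware removed after delivery": (date(2021, 4, 30), NEW_ALERTS),
}
# Case-insensitive because PowerShell cmdlet names are; the lookarounds stop a
# longer identifier that merely starts with a retired name from being flagged.
PATTERNS = {n: re.compile(r"(?<![\w-])" + re.escape(n) + r"(?![\w-])", re.I)
            for n in RETIRED}

def find_retired(text, source, today):
    """Return one finding per line that references a retired cmdlet or alert policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                cutoff, replacement = RETIRED[name]
                findings.append({"source": source, "line": lineno, "name": name,
                                 "cutoff": cutoff.isoformat(),
                                 "already_retired": today >= cutoff,
                                 "use_instead": replacement})
    return findings

# Constructed sample inputs: a reporting script and an alert-routing rule file.
SAMPLE_SCRIPT = """\
# weekly-mail-report.ps1
$spam = get-maildetailspamreport | Export-Csv spam.csv
$mal  = Get-MailDetailMalwareReport | Export-Csv malware.csv
$old  = Get-MailDetailMalwareReportArchive  # local helper, must not be flagged
"""
SAMPLE_RULES = """\
{"title": "Email messages containing phish URLs removed after delivery", "route": "soc-mail"}
{"title": "Email messages containing malicious URL removed after delivery", "route": "soc-mail"}
"""

if __name__ == "__main__":
    today = date(2021, 6, 20)  # constructed review date
    for f in (find_retired(SAMPLE_SCRIPT, "weekly-mail-report.ps1", today)
              + find_retired(SAMPLE_RULES, "alert-routing.jsonl", today)):
        print(f)
```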
