We have started to get a number of false positives in Quarantine this last week. We have not changed anything, but the basic answer I got from MSoft is "good luck". These are not merely external but also internal, non-triggering emails, and even notifications from Defender itself. It does not even recognize itself!
I suspect they may have meant to turn on Artificial Intelligence, but turned on Artificial Stupidity instead.
I have discovered I am not the only one this is happening to, but for now, until MSoft realizes this is a problem and addresses it on their end, our solution would be to have a list of all quarantined items emailed to our IT staff to scan over.
Yes, btw, I do know there is a PowerShell command that can do that (to head off that response), but we wanted to explore using the Graph API.
The query is in beta: GET https://graph.microsoft.com/beta/security/threatSubmission/emailThreats, but when I run it I get a 401 Unauthorized. I have approved the required permissions, both in the API Explorer and in Entra, but still get that response. Also, I am a Global Admin in this account.
Am I missing something, or is this a case of "it's just broken"?
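Editor's note with an added example (not code from the original post): a 401 from Graph is usually about the token that was presented rather than the role the caller holds, so the first thing to check is what the access token actually carries. Two points worth knowing here: consent granted through Graph Explorer attaches to the token Graph Explorer itself mints, so a token obtained by any other client needs its own consent, and being a Global Admin puts nothing into the token's `scp` (delegated) or `roles` (application) claim. The script below decodes a token's claims without verifying them, checks that the audience is Microsoft Graph and that one of the permissions this endpoint is assumed to require (ThreatSubmission.Read.All or ThreatSubmission.ReadWrite.All, taken as an assumption; confirm against the endpoint's reference page) is present, and only then issues the GET from the post, following `@odata.nextLink` paging. The sample tokens are constructed and unsigned so the checks run offline. One further caveat: the threatSubmission resource tracks emails that were submitted for analysis, so whether it returns the quarantine listing you are after is worth confirming in the API reference before building the mailer on it.

```python
"""Check a Graph access token before blaming the emailThreats endpoint.

Added example, not code from the original post. It assumes (check the
endpoint's reference page if this differs) that the permission for
GET /beta/security/threatSubmission/emailThreats is ThreatSubmission.Read.All
or ThreatSubmission.ReadWrite.All.
"""
import base64
import json
import os
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com"
EMAIL_THREATS_URL = f"{GRAPH_BASE}/beta/security/threatSubmission/emailThreats"
# Entra issues Graph tokens with either form of audience.
GRAPH_AUDIENCES = {GRAPH_BASE, "00000003-0000-0000-c000-000000000000"}
# Assumption: either of these permissions satisfies the endpoint.
ACCEPTED_PERMISSIONS = {"ThreatSubmission.Read.All", "ThreatSubmission.ReadWrite.All"}


def decode_jwt_claims(token: str) -> dict:
    """Read the claims segment of a JWT without verifying the signature.

    Verification is Graph's job; here we only want to see what the token carries.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    claims = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(claims))


def token_problems(token: str) -> list:
    """List the reasons Graph would reject this token for the emailThreats call.

    An empty list means the token is for Graph and names an accepted permission
    in either the delegated ``scp`` claim or the application ``roles`` claim.
    Directory roles such as Global Admin appear in neither claim; only consent does.
    """
    claims = decode_jwt_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"audience is {aud!r}, not Microsoft Graph")
    delegated = set(claims.get("scp", "").split())  # space-separated string
    app_roles = set(claims.get("roles", []))        # JSON array
    if not (delegated | app_roles) & ACCEPTED_PERMISSIONS:
        problems.append(
            "token carries neither %s (scp=%r, roles=%r)"
            % (" nor ".join(sorted(ACCEPTED_PERMISSIONS)), sorted(delegated), sorted(app_roles))
        )
    return problems


def build_request(token: str, url: str = EMAIL_THREATS_URL) -> urllib.request.Request:
    """The GET the post describes, with the bearer token attached."""
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )


def list_email_threats(token: str) -> list:
    """Run the token checks first, then page through the whole collection."""
    problems = token_problems(token)
    if problems:
        raise PermissionError("; ".join(problems))
    items, request = [], build_request(token)
    while request is not None:
        with urllib.request.urlopen(request) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        next_link = page.get("@odata.nextLink")  # Graph pages large collections
        request = build_request(token, next_link) if next_link else None
    return items


def unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the checks can run offline.

    Real Entra tokens are signed; this is only sample input for the demo.
    """
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Constructed samples: one token as minted after consent for this endpoint,
    # one minted for a different resource with only a basic scope.
    good = unsigned_jwt({"aud": GRAPH_BASE, "scp": "ThreatSubmission.Read.All User.Read"})
    bad = unsigned_jwt({"aud": "api://my-app", "scp": "User.Read"})
    print("good token:", token_problems(good) or "no problems found")
    print("bad token: ", token_problems(bad))
    real = os.environ.get("GRAPH_TOKEN")  # supply a real token to actually call Graph
    if real:
        for item in list_email_threats(real):
            print(item.get("id"), item.get("createdDateTime"))
```

Paste a real token into the GRAPH_TOKEN environment variable (Graph Explorer shows it under its Access token tab) and run the script: if `token_problems` reports anything, the 401 is explained before the request is ever sent; if it reports nothing and Graph still answers 401, the problem is on the service side and worth raising with the `request-id` from the error body.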