Edit

How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365

  • Article

Microsoft Defender for Office 365 helps deal with malicious emails (False Negative) that are delivered to recipients and that put your organizational productivity at risk. Defender for Office 365 can help you understand why emails are getting delivered, how to resolve the situation quickly, and how to prevent similar situations from happening in the future.

What you'll need

  • Microsoft Defender for Office 365 Plan 1 and 2 (included as part of E5). Exchange Online customers can also leverage this.
  • Sufficient permissions (Security Administrator role).
  • 5-10 minutes to perform the steps below.

Handling malicious emails in the Inbox folder of end users

  1. Ask end users to report the email as phishing or junk using Microsoft Message Add-in or Microsoft Phish add-in or the Outlook buttons.
  2. End users can also add the sender to the block senders list in Outlook to prevent emails from this sender from being delivered to their inbox.
  3. Admins can triage the user reported messages from User reported tab on the Submissions page.
  4. From those reported messages, admins can submit to Microsoft for analysis to learn why that email was allowed in the first place.
  5. If needed, while submitting to Microsoft for analysis, admins can create a block entry for the sender to mitigate the problem.
  6. Once the results for submissions are available, read the verdict to understand why emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.

Handling malicious emails in junk folder of end users

  1. Ask end users to report the email as phishing using Microsoft Message Add-in, or Microsoft Phish Add-in, or the Outlook buttons.
  2. Admins can triage the user reported messages from the User reported tab on the Submissions page.
  3. From those reported messages admins can submit to Microsoft for analysis and learn why that email was allowed in the first place.
  4. If needed, while submitting to Microsoft for analysis, admins can create a block entry for the sender to mitigate the problem.
  5. Once the results for submissions are available, read the verdict to understand why emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.

Handling malicious emails landing in the quarantine folder of end users

  1. End users receive an email digest about quarantined messages as per the settings enabled by admins.
  2. End users can preview the messages in quarantine, block the sender, and submit those messages to Microsoft for analysis.

Handling malicious emails landing in the quarantine folder of admins

  1. Admins can view the quarantined emails (including the ones asking permission to request release) from the review page.
  2. Admins can submit any malicious, or suspicious messages to Microsoft for analysis, and create a block to mitigate the situation while waiting for verdict.
  3. Once the results for submissions are available, read the verdict to learn why the emails were allowed, and how your tenant setup could be improved to prevent similar situations from happening in the future.