Understanding detection technology in the email entity page of Microsoft Defender for Office 365
If a threat is detected on the Microsoft Defender for Office 365 email entity page, threat information will display on the left-hand flyout. This panel will also show you the detection technology that led to that verdict.
This article is all about helping you understand the different detection technologies, how they work, and how to avoid any false alarms. Stay tuned for the Admin Submissions video at the end.
Detection technology details table
To resolve false positives like the ones listed in the table below, you should always start with an admin submission, which will also prompt you to add an entry into the Tenant Allow/Block List (TABL). This entry adds a temporary override signal to the filters that determined the message was malicious, while filters are updated (if that's appropriate). See the articles below for more information on Admin submissions & TABL.
| The Detection technology | How it reaches a verdict | Notes |
|---|---|---|
| Advanced filter | Machine learning models based detection on email & contents, to detect phish & spam | |
| Antimalware protection | Detection from signature based anti-malware engines | |
| Bulk | Detection for advertising / marketing and similar message types with their relative complaint levels | Step-by-Step guide on how to tune bulk thresholds |
| Campaign | Messages identified and grouped as part of a malware or phish campaign | Learn more about campaigns |
| Domain reputation | The message was sent from a domain that was identified as spam or phish domain, based on internal or external signals | |
| File detonation | Safe Attachments detected a malicious attachment during detonation within a sandbox | |
| File detonation reputation | File attachments previously detected by Safe Attachments during detonation | |
| File reputation | The message contains a file that was previously identified as malicious by other sources | |
| Fingerprint matching | The message resembles a previously detected malicious or spam message | |
| General filter | Phishing or spam signals based on analyst heuristics | |
| Impersonation brand | Sender impersonation of well-known brands | |
| Impersonation domain | Impersonation of sender domains that you own or specified for protection in anti-phishing policies | Impersonation insight overview |
| Impersonation user | Impersonation of protected senders that you specified in anti-phishing policies | Impersonation insight overview |
| IP reputation | The message was sent from an IP that was identified as potentially malicious | |
| Mailbox intelligence impersonation | Sender detected as impersonating an address in the user's personal sender map | Mailbox intelligence impersonation protection |
| Mixed analysis detection | Multiple filters contributed to the verdict for this message | |
| Spoof DMARC | The message failed DMARC authentication | How Microsoft 365 handles inbound email that fails DMARC |
| Spoof external domain | Spoof intelligence detected email spoofing of a domain that is external to your organization | |
| Spoof intra-org | Spoof intelligence detected email spoofing of a user or domain that is internal to your organization | |
| URL detonation | Safe Links detected a malicious URL in the message during detonation within a sandbox | |
| URL detonation reputation | URLs previously detected by Safe Links during detonation | |
| URL malicious reputation | The message contains a URL that was previously identified as malicious or spam by other sources |
Watch a video on submitting messages to Microsoft to learn more
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for