Remediation actions in Microsoft Defender for Office 365

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.

Applies to

Remediation actions

Threat protection features in Microsoft Defender for Office 365 include certain remediation actions. Such remediation actions can include:

  • Soft delete email messages or clusters
  • Block URL (time-of-click)
  • Turn off external mail forwarding
  • Turn off delegation

In Microsoft Defender for Office 365, remediation actions are not taken automatically. Instead, remediation actions are taken only upon approval by your organization's security operations team.
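Two of the actions listed above, turning off external mail forwarding and turning off delegation, are easier to approve when the reviewer can see exactly which forwarding target, inbox rule or permission grant is in play. The following PowerShell script is an added example and is not code from the Microsoft article or the Defender product: it evaluates objects shaped like the output of the ExchangeOnlineManagement cmdlets Get-Mailbox, Get-InboxRule and Get-MailboxPermission, and lists every forwarding target and every non-owner FullAccess grant together with the cmdlet a reviewer could run if the action is approved. The function names, the contoso.example internal domain, the recipient-string parsing and the sample mailbox data are assumptions; the sample objects are constructed so the script runs offline in pwsh.

```powershell
# Added example, not code from the Microsoft article or the Defender product.
# Triage helper for the "Remove forwarding rule" and "Remove delegation rule"
# actions: evaluates objects shaped like Get-Mailbox, Get-InboxRule and
# Get-MailboxPermission output and prints what a reviewer would consider approving.
# Sample objects at the bottom are constructed so the script runs offline.

function Get-SmtpAddress {
    # Assumption: inbox rule recipients render as '"Display Name" [SMTP:user@domain]';
    # mailbox forwarding fields may carry an 'smtp:' prefix or be a plain address.
    param([string] $Recipient)
    if ($Recipient -match '\[SMTP:([^\]]+)\]') { return $Matches[1].ToLowerInvariant() }
    return ($Recipient -replace '^smtp:', '').Trim().ToLowerInvariant()
}

function Test-ExternalAddress {
    param([string] $Address, [string[]] $InternalDomains)
    $domain = ($Address -split '@')[-1]
    return -not ($InternalDomains -contains $domain)
}

function Get-ForwardingFindings {
    param(
        [Parameter(Mandatory)] $Mailbox,                    # one Get-Mailbox result
        [object[]] $InboxRules = @(),                       # Get-InboxRule -Mailbox <upn>
        [string[]] $InternalDomains = @('contoso.example')  # assumption: your accepted domains
    )
    $upn = $Mailbox.UserPrincipalName
    $findings = @()

    # Mailbox-level forwarding. Note: ForwardingAddress holds a recipient identity,
    # not an SMTP address; resolve it with Get-Recipient if you need the real target.
    foreach ($raw in @($Mailbox.ForwardingSmtpAddress, $Mailbox.ForwardingAddress)) {
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $addr = Get-SmtpAddress $raw
        $findings += [pscustomobject]@{
            Mailbox   = $upn
            Source    = 'MailboxForwarding'
            Target    = $addr
            External  = Test-ExternalAddress $addr $InternalDomains
            Suggested = "Set-Mailbox -Identity '$upn' -ForwardingSmtpAddress `$null -ForwardingAddress `$null -DeliverToMailboxAndForward `$false"
        }
    }

    # Enabled inbox rules that forward, forward as attachment, or redirect.
    foreach ($rule in $InboxRules) {
        if (-not $rule.Enabled) { continue }
        $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            $addr = Get-SmtpAddress $t
            $findings += [pscustomobject]@{
                Mailbox   = $upn
                Source    = "InboxRule:$($rule.Name)"
                Target    = $addr
                External  = Test-ExternalAddress $addr $InternalDomains
                Suggested = "Remove-InboxRule -Mailbox '$upn' -Identity '$($rule.Name)' -Confirm:`$false"
            }
        }
    }
    return $findings
}

function Get-DelegationFindings {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [object[]] $Permissions = @()                       # Get-MailboxPermission -Identity <upn>
    )
    # Explicit (non-inherited, non-deny) FullAccess grants to anyone other than the owner.
    $Permissions | Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\SELF' -and
        ($_.AccessRights -contains 'FullAccess')
    } | ForEach-Object {
        [pscustomobject]@{
            Mailbox   = $Upn
            Source    = 'MailboxPermission'
            Target    = "$($_.User)"
            External  = $false
            Suggested = "Remove-MailboxPermission -Identity '$Upn' -User '$($_.User)' -AccessRights FullAccess -Confirm:`$false"
        }
    }
}

# --- Constructed sample data standing in for live cmdlet output ---
$mbx = [pscustomobject]@{
    UserPrincipalName     = 'alice@contoso.example'
    ForwardingSmtpAddress = 'smtp:alice.backup@mail.example'   # constructed external target
    ForwardingAddress     = $null
}
$rules = @(
    [pscustomobject]@{ Name = 'File receipts';       Enabled = $true; ForwardTo = @(); ForwardAsAttachmentTo = @(); RedirectTo = @() },
    [pscustomobject]@{ Name = 'Copy to personal';    Enabled = $true; ForwardTo = @('"Alice (home)" [SMTP:alice.home@mail.example]'); ForwardAsAttachmentTo = @(); RedirectTo = @() }
)
$perms = @(
    [pscustomobject]@{ User = 'NT AUTHORITY\SELF';   AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false },
    [pscustomobject]@{ User = 'bob@contoso.example'; AccessRights = @('FullAccess');                   IsInherited = $false; Deny = $false }
)
# Live collection instead: Connect-ExchangeOnline; $mbx = Get-Mailbox alice@contoso.example;
# $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName; $perms = Get-MailboxPermission -Identity $mbx.UserPrincipalName

@(Get-ForwardingFindings -Mailbox $mbx -InboxRules $rules) +
@(Get-DelegationFindings -Upn $mbx.UserPrincipalName -Permissions $perms) |
    Format-Table Mailbox, Source, Target, External, Suggested -AutoSize
```

The script only reports; the Suggested column is what a reviewer would run after approving the action, which keeps the human-approval step the article describes in place. The External flag separates forwarding to your own accepted domains from forwarding outside the tenant, which is the case the "Email forwarding" row in the table below treats as a data exfiltration risk.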

Threats and remediation actions

Microsoft Defender for Office 365 includes remediation actions to address various threats. Automated investigations often result in one or more remediation actions to review and approve. In some cases, an automated investigation does not result in a specific remediation action. To further investigate and take appropriate actions, use the guidance in the following table.

Category: Threat/risk
  Remediation action(s)

Email: Malware
  Remediation action(s): Soft delete email/cluster
  If more than a handful of email messages in a cluster contain malware, the cluster is considered to be malicious.

Email: Malicious URL (a malicious URL was detected by Safe Links)
  Remediation action(s): Soft delete email/cluster; Block URL (time-of-click verification)
  Email that contains a malicious URL is considered to be malicious.

Email: Phish
  Remediation action(s): Soft delete email/cluster
  If more than a handful of email messages in a cluster contain phishing attempts, the whole cluster is considered a phishing attempt.

Email: Zapped phish (email messages were delivered and then zapped)
  Remediation action(s): Soft delete email/cluster
  Reports are available to view zapped messages. See if ZAP moved a message and FAQs.

Email: Missed phish email reported by a user
  Remediation action(s): Automated investigation triggered by the user's report

Email: Volume anomaly (recent email quantities exceed the previous 7-10 days for matching criteria)
  Remediation action(s): Automated investigation does not result in a specific pending action.
  Volume anomaly is not a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days.
  Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. See Find suspicious email that was delivered.

Email: No threats found (the system did not find any threats based on files, URLs, or analysis of email cluster verdicts)
  Remediation action(s): Automated investigation does not result in a specific pending action.
  Threats found and zapped after an investigation is complete are not reflected in an investigation's numerical findings, but such threats are viewable in Threat Explorer.

User: A user clicked a malicious URL (a user navigated to a page that was later found to be malicious, or a user bypassed a Safe Links warning page to get to a malicious page)
  Remediation action(s): Automated investigation does not result in a specific pending action; Block URL (time-of-click)
  Use Threat Explorer to view data about URLs and click verdicts.
  If your organization is using Microsoft Defender for Endpoint, consider investigating the user to determine if their account is compromised.

User: A user is sending malware/phish
  Remediation action(s): Automated investigation does not result in a specific pending action.
  The user might be reporting malware/phish, or someone could be spoofing the user as part of an attack. Use Threat Explorer to view and handle email containing malware or phish.

User: Email forwarding (mailbox forwarding rules are configured, which could be used for data exfiltration)
  Remediation action(s): Remove forwarding rule
  Use mail flow insights, including the Autoforwarded messages report, to view more specific details about forwarded email.

User: Email delegation rules (a user's account has delegation set up)
  Remediation action(s): Remove delegation rule
  If your organization is using Microsoft Defender for Endpoint, consider investigating the user who's getting the delegation permission.

User: Data exfiltration (a user violated email or file-sharing DLP policies)
  Remediation action(s): Automated investigation does not result in a specific pending action.
  View DLP reports and take action.

User: Anomalous email sending (a user recently sent more email than during the previous 7-10 days)
  Remediation action(s): Automated investigation does not result in a specific pending action.
  Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use mail flow insights, including the mail flow map report, to determine what's going on and take action.
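The "Volume anomaly" and "Anomalous email sending" rows both say that recent quantities are compared with the previous 7-10 days, but the article does not publish the comparison rule, so a reviewer who wants to reproduce the check locally has to pick one. The following PowerShell function is an added example, not the article's or the product's logic: it takes per-day send counts (oldest first, last element being the day under review), uses up to the 10 preceding days as a baseline, and flags the day only if it exceeds both the baseline maximum and a multiple of the baseline median. The function name, the 3x ratio, the 50-message floor and the sample counts are assumptions; the counts are constructed so the function runs offline.

```powershell
# Added example, not from the Microsoft article. Reproduces the idea behind the
# "Volume anomaly" / "Anomalous email sending" rows with an assumed threshold;
# tune Ratio and MinimumMessages to your own tenant's normal traffic.
function Test-SendingAnomaly {
    param(
        [Parameter(Mandatory)] [int[]] $DailyCounts,  # oldest first; last element = day under review
        [int] $BaselineDays = 10,                     # assumption: use up to the 10 preceding days
        [double] $Ratio = 3.0,                        # assumption: flag at 3x the baseline median
        [int] $MinimumMessages = 50                   # assumption: ignore tiny absolute volumes
    )
    $n = $DailyCounts.Count
    if ($n -lt 8) { throw 'Need the day under review plus at least 7 baseline days.' }

    $today    = $DailyCounts[$n - 1]
    $start    = [Math]::Max(0, $n - 1 - $BaselineDays)
    $baseline = @($DailyCounts[$start..($n - 2)] | Sort-Object)

    # Median is robust to one earlier busy day skewing the baseline.
    $mid    = [int][Math]::Floor($baseline.Count / 2)
    $median = if ($baseline.Count % 2 -eq 0) { ($baseline[$mid - 1] + $baseline[$mid]) / 2 } else { $baseline[$mid] }
    $max    = ($baseline | Measure-Object -Maximum).Maximum

    $anomalous = ($today -ge $MinimumMessages) -and
                 ($today -gt $max) -and
                 ($today -gt $Ratio * [Math]::Max($median, 1))

    [pscustomobject]@{
        Today          = $today
        BaselineDays   = $baseline.Count
        BaselineMedian = $median
        BaselineMax    = $max
        Anomalous      = $anomalous   # true means "review", not "malicious" (matches the article)
    }
}

# Constructed sample: ten ordinary days followed by one heavy sending day.
$sample = @(12, 9, 15, 11, 8, 14, 10, 13, 9, 12, 140)
Test-SendingAnomaly -DailyCounts $sample | Format-List

# Live counts would come from the mail flow map report the article points to, or (assumption)
# from per-sender message trace results grouped by day, e.g.
# Get-MessageTrace -SenderAddress $upn -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)
```

With the sample above the result is Anomalous = True: 140 is above the baseline maximum of 15 and above three times the median of 11.5. As the row notes, that is a prompt to look at the mail flow map and the recipients involved, not a verdict; a legitimate event mailing to a large distribution list produces exactly this shape.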

Next steps