microsoft 365 defender
15 Topics

Security Admin Center Tenant Allow/Block List Not Able to Block IPv4?
While using the Security Admin Center Tenant Allow/Block List we have been able to block specific email addresses and IPv6 IP addresses but are unable to block IPv4 IP addresses. We have tried both using the console and the CLI but have turned up unsuccessful both times when it comes to IPv4. A large majority of the phishing attempts that we encounter come from IPv4 addresses but we have been unable to block any of these. Will there ever be functionality for IPv4 within the Tenant Allow/Block list or is the only option to use conditional access policies? Also why is this enterprise tool only functional with IPv6 and without documentation stating that it does not work for IPv4?
382 Views, 2 likes, 2 Comments

Change language of Notification Mails for User submitted E-Mails
Hello, I couldn't really find anything regarding this topic, but is there any way to change the language of the E-Mails regarding this topic: Admin review for user reported messages - Microsoft Defender for Office 365 | Microsoft Learn. I know how to customize the E-Mails but the subject and general text are still in English and our customers are complaining about this.
60 Views, 0 likes, 3 Comments

Unable to find the security alert in M365 Defender referenced in an email alert.
This happens a lot. I get these emails from Office365Alerts notifying our team that "A medium-severity alert has been triggered". At the bottom of the email is a link to "View alert details". When I click that, the site shows an error: "Can't find it. Either what you are looking for doesn't exist or you need to use a different search string." So, then I go to the Alerts view and filter to show everything (at least I think I am) but there's nothing related to this particular alert (unusual volume of file sharing). Where did it go? EDIT: Including a screenshot of another email I got today. The result of clicking the 'View alert details' is again the same.
19K Views, 3 likes, 22 Comments

Alert: Email sending limit exceeded
Hello everyone, For 3 days I had a situation where a script was sending 60 mails per minute, and had these types of alerts, but after I fixed this 3 days ago, I am still receiving these warnings. From mail flow, for example in the last 24 hours, I have only around 30 emails sent from the affected email. Don't know what it could be, if it's expected or if there's something more. If you need more info let me know please.
696 Views, 0 likes, 1 Comment

Microsoft Security Recommendation issues and Impersonation
Within the numerous dashboards for Microsoft, we see impersonation protection as failed/not compliant, or not enabled in our environment. This is a 2-part question:
1. Does it work well? Why do we see impersonated emails in our environment despite having the users set up for it? We have seen 3 in the last week for our CEO even though he is on the list.
2. Despite having it on and our owned domains added, the environment still shows we don't have it set up. Also, it gives us a limit of 350 users, are we supposed to check each person one by one? Why negatively impact security scores when you are only supposed to set this up for VIPs? Why not allow it to be on for all users?
EDIT: This is what it advises even though you are limited to 350 users. Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.
281 Views, 0 likes, 1 Comment

Defender Tenant allow/block list
Hi, could someone please shed some light on the questions below. Thank you! I need to fully understand what exactly the Tenant Allow/Block List does for the two features below. My understanding: Domains and addresses are basically domains I have manually tagged as allowed or blocked in the quarantine page. Spoofed servers: allow external senders to send as your domain. But why not just add them to the SPF record?
968 Views, 0 likes, 2 Comments

whitelist external domain correct method in Exchange online or EOP
Hi, the HR department will use a third-party tool to bulk send emails to employees. I was provided the sender domains and IPs. I want to avoid the emails going to the junk folder or quarantine. What is the best way to whitelist the sender domains? Is it through the tenant allow list, anti-spam inbound policy allow sender list or mail flow exchange rule?
1K Views, 0 likes, 2 Comments

Mail Flow Rule (Transport Rule) Name Missing In Quarantine Details
Since August 2, around 5:00 AM, Microsoft stopped showing the name of the Mail Flow Rule (Transport Rule) responsible for quarantined emails in the Policy Name field. It now only shows the name of the Policy (defined under the Threat Policies) if it was responsible for the Quarantine. Most of our emails are quarantined because of Transport Rules (Policy Type: Exchange Transport Rule), and not being able to see what Transport Rule was responsible for the quarantined email is a huge problem with false positives, as it will be extremely hard to determine what Transport Rule needs to be edited to prevent the false positive in the future. Attached is a screenshot of 2 email details side-by-side, same external email sent just minutes after each other (during the time the Policy Name went in and out), the one shows Policy Name (the name of the Transport Rule), and the other not. I looked if it was maybe moved to another location or renamed, but that is not the case. Does anyone else have this same problem? Did you find a way to solve it?
Solved, 2.2K Views, 0 likes, 5 Comments

Users Submissions
Hi, I'm starting with O365 defender, so maybe this is a dumb question, sorry. Some users report e-mails as phishing and I can see these submissions in O365 defender, no problem so far. When I analyze one of these submissions and choose "Mark and notify as Phishing", for example, is the sender automatically blocked from reaching any other user through e-mail in my organization, or does my action only apply to the user who reported, or not even that and it applies only to the specific analyzed message? Thanks in advance.
1.2K Views, 0 likes, 3 Comments

Email Sending Limits Alert
Is there a way to lower the threshold for this alert? It is currently set to 10,000 emails and we would like to be notified at a lower level if there is an account that sends a bunch of emails out. If I cannot edit this one, can I create another that does the same alert but sooner?
Solved, 3.9K Views, 0 likes, 8 Comments