Microsoft Defender for Office 365: Updates to post-delivery detections and investigations

Microsoft Defender for Office 365 is introducing new alert policies related to post-delivery detections as well as enhancements to the Automated Investigation & Response (AIR) playbooks associated with them.

In addition, we are modifying the severity classification for six default alert policies to better align the alerts with their impact on your organization.

In addition, we are modifying the severity classification of the following default alert policies to better align with the potential risk and impact on your organization and to help your security teams prioritize alerts.

  • Suspicious Email Forwarding Activity
  • Email reported by user as malware or phish
  • Unusual increase in email reported as phish
  • Admin Submission Result Completed
  • Creation of forwarding/redirect rule
  • eDiscovery search started or exported​

If you are utilizing alerts either through an API, alert email notification, or in the Office 365 Security & Compliance Center (protection.office.com/viewalerts) or Microsoft Security Center (security.microsoft.com/viewalerts), you will need to modify your workflows by April 30, 2021.

If you are not currently utilizing these alerts you may:

  • Disable the existing alert policies in order to reduce alert volume in your tenant: “Email messages containing phish URLs removed after delivery” and “Email messages containing malware removed after delivery” 
  • Do nothing, we will disable these two existing alert policies on April 30, 2021

Learn more

Message ID: MC250541


No comments yet

Leave a Reply


I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.