Microsoft Defender for Office: Updates to investigations

We are improving Microsoft Defender for Office automated investigation email clustering and actions so that actions are only queued for malicious emails that are still in a mailbox. The result is more accurate threat information, fewer email actions, and investigation data and pending actions that are refreshed while the investigation awaits approval.

This message is associated with Microsoft 365 Roadmap ID 82056.

When this will happen:

The rollout of the updated email clustering will begin in mid-June (June 21st) and will be complete by late July.

How this will affect your organization:

The automated investigation improvements in Microsoft Defender for Office evaluate every threat verdict on an email together with the email's latest delivery location, and use that combination to decide what to report and which email actions to queue.

Prior to this update:

Investigations analyzed emails using the original delivery action (for example, delivered to the inbox). Because the original delivery action does not change after the email is later moved or removed, an investigation could request deletion of emails that had already been removed from the mailbox, for example by a zero-hour auto purge or a manual remediation.

Update improvements:

Microsoft Defender for Office automated investigations now use the latest delivery location of each email, the same field that Explorer and Advanced Hunting use. Investigations only queue actions for approval when malicious emails are still in the mailbox, that is, when the latest delivery location is the inbox or the junk folder.

  • If none of the malicious emails are still in a mailbox, the investigation reports the threats but treats them as already remediated, with no action required.
  • Email cluster details show how many emails are ‘in mailbox’, ‘not in mailbox’ and ‘on-premise/external’.

We are also improving email evidence so that it aligns with the threat information shown in Explorer for emails, email clusters, URLs and files, including the phish confidence level (high or normal) and the spam verdict.

  • Email clusters show counts per threat type, and those counts drive the action decision. Investigations only queue actions for malware or high confidence phish. Spam and normal confidence phish are reported as suspicious, with no action queued.
  • Pending actions therefore focus on the most significant problems and no longer generate actions for normal confidence phish. This reduces the number of investigations that require analyst action and concentrates attention on the emails most likely to be harmful.
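The two rules above (still in the mailbox by latest delivery location, and malware or high confidence phish) are the same data Advanced Hunting exposes, so a SOC team can reproduce the new clustering decision, and the ‘in mailbox’ / ‘not in mailbox’ / ‘on-premise/external’ counts, directly. The query below is an added example written for this post; it is not Microsoft's investigation logic and not part of the Message Center message. It assumes the documented EmailEvents columns (LatestDeliveryLocation, ThreatTypes, ConfidenceLevel, EmailClusterId), the location values "Inbox/folder", "Junk folder" and "On-premises/external", and that ConfidenceLevel is a JSON object with a "Phish" key whose value is "High" for high confidence phish; confirm these values in your own tenant before relying on the results.

```kql
// Added example: mirror the updated investigation clustering logic in Advanced Hunting.
// Assumptions (verify in your tenant): EmailEvents column names as documented,
// LatestDeliveryLocation values "Inbox/folder" / "Junk folder" / "On-premises/external",
// and ConfidenceLevel as JSON such as {"Spam":"Normal","Phish":"High"}.
let lookback = 7d;
EmailEvents
| where Timestamp > ago(lookback)
| where isnotempty(EmailClusterId)              // only emails that belong to a cluster
| extend PhishConfidence = tostring(parse_json(ConfidenceLevel).Phish)
// Rule 2: only malware or high confidence phish is actionable; spam and normal phish are not.
| extend Actionable = (ThreatTypes has "Malware")
                      or (ThreatTypes has "Phish" and PhishConfidence == "High")
// Rule 1: bucket each email by its *latest* delivery location, not the original one.
| extend LocationBucket = case(
    LatestDeliveryLocation in ("Inbox/folder", "Junk folder"), "in mailbox",
    LatestDeliveryLocation == "On-premises/external",          "on-premise/external",
                                                               "not in mailbox")
| summarize Emails                  = count(),
            InMailbox               = countif(LocationBucket == "in mailbox"),
            NotInMailbox            = countif(LocationBucket == "not in mailbox"),
            OnPremExternal          = countif(LocationBucket == "on-premise/external"),
            // Emails that would still produce a pending action under the new logic
            PendingActionCandidates = countif(Actionable and LocationBucket == "in mailbox"),
            Threats                 = make_set(ThreatTypes),
            Recipients              = dcount(RecipientEmailAddress)
    by EmailClusterId
// A cluster whose malicious mail is already gone is "remediated, no action required".
| extend Verdict = iff(PendingActionCandidates > 0, "action required", "remediated / no action")
| order by PendingActionCandidates desc, Emails desc
```

Run it after an investigation reaches pending approval and compare the InMailbox and PendingActionCandidates columns for the cluster with the counts the investigation shows; a cluster where PendingActionCandidates is 0 but Emails is not is exactly the case the update now closes without an action. Normal confidence phish that is still in the mailbox lands in InMailbox but not in PendingActionCandidates, which makes this query a convenient way to find the emails the investigation will no longer act on and decide whether to remediate them from Explorer yourself.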

To give security teams current, accurate information, an investigation that is pending approval will periodically refresh its email results until it either expires or its actions are approved or rejected. Refreshing the email data updates the threats found, the latest location of the emails, and any pending actions.

  • If all malicious emails are removed from the mailboxes after an investigation has completed but before its pending actions are approved, the pending actions are closed.
  • If the email threats have already been mitigated by actions taken elsewhere (for example, by another investigation or by a manual remediation), the investigation status changes to remediated and the investigation's alerts are resolved.
  • This gives security teams clear visibility into current problems rather than previously identified issues that may already have been resolved.

What you need to do to prepare:

Notify your security operations team of this upcoming change. It will reduce the number of pending actions they see (in particular, normal confidence phish and spam no longer produce actions, so any such emails still in mailboxes must be handled through Explorer), change the data gathered during an investigation, and update the deep link from the investigation, incident and action center pages to Explorer so that it filters on latest delivery location.

Learn more:

Incident and Investigation Evidence.

Message ID: MC262781




I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.