From 4ad8c67ab6818b2b267d68fddfd7a12066c3fb68 Mon Sep 17 00:00:00 2001 From: Yuka Yamamoto <115063861+YUKAYAMAMOT@users.noreply.github.com> Date: Thu, 19 Sep 2024 14:41:38 +0900 Subject: [PATCH 1/6] =?UTF-8?q?Corrected=20the=20explanation=20of=20?= =?UTF-8?q?=E2=80=9CLink=20in=20Attachment=E2=80=9D=20listed=20in=20the=20?= =?UTF-8?q?Appendix=20under=20=E2=80=9CCalculation=20logic=E2=80=9D.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The current Docs state “The user opened the attachment and clicked on the payload link. However, in reality, the user is not detected simply by clicking on the link, but only after entering his/her credentials. Therefore, I would like to see this corrected. --- defender-office-365/attack-simulation-training-insights.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-office-365/attack-simulation-training-insights.md b/defender-office-365/attack-simulation-training-insights.md index 88f45b6736..e04fcffd46 100644 --- a/defender-office-365/attack-simulation-training-insights.md +++ b/defender-office-365/attack-simulation-training-insights.md 
@@ -459,7 +459,7 @@ How user activity signals are captured is described in the following table. |Opened Attachment|A user opened the attachment.|The signal comes from the client (for example, Outlook or Word).| |Read Message|The user read the simulation message.|Message read signals might experience issues in the following scenarios: | |Out of Office|Determines whether the user is out of office.|Currently calculated by the Automatic replies setting from Outlook.| -|Compromised User|The user was compromised. The compromise signal varies based on the social engineering technique.|| +|Compromised User|The user was compromised. The compromise signal varies based on the social engineering technique.|| |Clicked Message Link|The user clicked on the payload link in the simulation message.|The URL in the simulation is unique for each user, which allows individual user activity tracking. Third-party filtering services or email forwarding can lead to false positives. For more information, see [I see clicks or compromise events from users who insist they didn't click the link in the simulation message](attack-simulation-training-faq.md#i-see-clicks-or-compromise-events-from-users-who-insist-they-didnt-click-the-link-in-the-simulation-message).| |Forwarded Message|The user forwarded the message.|| |Replied to Message|The user replied to the message.|| From e403b17c674f7d4d62de56f60bdb8c0b9a03c7ea Mon Sep 17 00:00:00 2001 From: Mithun Rathinam Date: Fri, 20 Sep 2024 00:22:52 +0530 Subject: [PATCH 2/6] Update defender-for-office-365-whats-new.md correction --- defender-office-365/defender-for-office-365-whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-office-365/defender-for-office-365-whats-new.md b/defender-office-365/defender-for-office-365-whats-new.md index db53d025b9..6b6ffb6dcf 100644 --- a/defender-office-365/defender-for-office-365-whats-new.md +++ b/defender-office-365/defender-for-office-365-whats-new.md 
@@ -49,7 +49,7 @@ For more information on what's new with other Microsoft Defender security produc - **Tenant Allow/Block List in Microsoft 365 GCC, GCC High, DoD, and Office 365 operated by 21Vianet environments**: The [Tenant Allow/Block List](tenant-allow-block-list-about.md) is now available these environments. They are on parity with the WW commercial experiences. -- **45 days after last used date**: The value **Remove allow entry after** \> **45 days after last used date** is now the default on new allow entries from submissions and existing allow entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). The allow entry is triggered and the **LastUsedDate** property is updated when the entity is encountered and identified as malicious during mail flow or at time of click. After the filtering system determines that the entity is clean, the allow entry is automatically removed after 45 days. By default, allow entries for spoofed senders never expire. +- **45 days after last used date**: The value **Remove allow entry after** \> **45 days after last used date** is now the default on new allow entries from submissions. The existing allow entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md) can also be modified to include the Remove on value of 45 days after last used date. The allow entry is triggered and the **LastUsedDate** property is updated when the entity is encountered and identified as malicious during mail flow or at time of click. After the filtering system determines that the entity is clean, the allow entry is automatically removed after 45 days. By default, allow entries for spoofed senders never expire. - (GA) Learning hub resources have moved from the Microsoft Defender portal to [learn.microsoft.com](https://go.microsoft.com/fwlink/?linkid=2273118). Access Microsoft Defender XDR Ninja training, learning paths, training modules and more. 
Browse the [list of learning paths](/training/browse/?products=m365-ems-cloud-app-security%2Cdefender-for-cloud-apps%2Cdefender-identity%2Cm365-information-protection%2Cm365-threat-protection%2Cmdatp%2Cdefender-office365&expanded=m365%2Coffice-365), and filter by product, role, level, and subject. From 984740f318649249d2947885a512ff5acb0462d4 Mon Sep 17 00:00:00 2001 From: Mithun Rathinam Date: Fri, 20 Sep 2024 00:50:56 +0530 Subject: [PATCH 3/6] Update submissions-admin.md Corrections --- defender-office-365/submissions-admin.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-office-365/submissions-admin.md b/defender-office-365/submissions-admin.md index ffc22c1fa2..89e858b64d 100644 --- a/defender-office-365/submissions-admin.md +++ b/defender-office-365/submissions-admin.md 
@@ -306,7 +306,7 @@ After a few moments, the associated allow entries appear on the **Domains & addr > - If the sender email address is not found to be malicious by our filtering system, submitting the email message to Microsoft won't create an allow entry in the Tenant Allow/Block List. > - When an allowed domain or email address, spoofed sender, URL, or file (_entity_) is encountered again, all filters that are associated with the entity are skipped. For email messages, all other entities are still evaluated by the filtering system before making a decision. > - During mail flow, if messages from the allowed domain or email address pass other checks in the filtering stack, the messages are delivered. For example, if a message passes [email authentication checks](email-authentication-about.md), a message from an allowed sender email address are delivered. -> - By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages from those domains or email addresses are delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire. +> - By default, allow entries for domains and email addresses are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. Or you can set allow entries to expire up to 30 days after you create them. By default, allow entries for spoofed senders never expire. 
> - For messages that were incorrectly blocked by [domain or user impersonation protection](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365), the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the **Trusted senders and domains** section in the [anti-phishing policy](anti-phishing-policies-mdo-configure.md#use-the-microsoft-defender-portal-to-modify-anti-phishing-policies) that detected the message. > - When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the **Spoofed senders** on the **Tenant Allow/Block Lists** page at . 
@@ -362,7 +362,7 @@ After a few moments, the allow entry is available on the **Files** tab on the ** > [!IMPORTANT] > -> - By default, allow entries for files exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those files are delivered, unless something else in the message is detected as malicious. +> - By default, allow entries for files are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. Or you can set allow entries to expire up to 30 days after you create them. > - When the file is encountered again during mail flow, [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks and all other file-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered. > - During selection, all file-based filters, including [Safe Attachments](safe-attachments-about.md) detonation or file reputation checks are overridden, allowing user access to the file. 
@@ -420,7 +420,7 @@ After a few moments, the allow entry is available on the **URL** tab on the **Te > [!NOTE] > -> - By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and [removes them or automatically extends them](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/automatic-tenant-allow-block-list-expiration-management-is-now/ba-p/3723447). After Microsoft learns from the removed allow entries, messages that contain those URLs are delivered, unless something else in the message is detected as malicious. +> - By default, allow entries for URLs are kept for 45 days after the filtering system determines that the entity is clean, and then the allow entry is removed. Or you can set allow entries to expire up to 30 days after you create them. > - When the URL is encountered again during mail flow, [Safe Links](safe-links-about.md) detonation or URL reputation checks and all other URL-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered. > - During selection, all URL-based filters, including [Safe Links](safe-links-about.md) detonation or URL reputation checks are overridden, allowing user access to content at the URL. From f31ce205c573ac95eb27da5a92364d17ff69ebb6 Mon Sep 17 00:00:00 2001 From: Mithun Rathinam Date: Fri, 20 Sep 2024 01:10:27 +0530 Subject: [PATCH 4/6] Update defender-for-office-365-whats-new.md --- defender-office-365/defender-for-office-365-whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-office-365/defender-for-office-365-whats-new.md b/defender-office-365/defender-for-office-365-whats-new.md index 6b6ffb6dcf..877a29ebdc 100644 --- a/defender-office-365/defender-for-office-365-whats-new.md +++ b/defender-office-365/defender-for-office-365-whats-new.md 
@@ -49,7 +49,7 @@ For more information on what's new with other Microsoft Defender security produc - **Tenant Allow/Block List in Microsoft 365 GCC, GCC High, DoD, and Office 365 operated by 21Vianet environments**: The [Tenant Allow/Block List](tenant-allow-block-list-about.md) is now available these environments. They are on parity with the WW commercial experiences. -- **45 days after last used date**: The value **Remove allow entry after** \> **45 days after last used date** is now the default on new allow entries from submissions. The existing allow entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md) can also be modified to include the Remove on value of 45 days after last used date. The allow entry is triggered and the **LastUsedDate** property is updated when the entity is encountered and identified as malicious during mail flow or at time of click. After the filtering system determines that the entity is clean, the allow entry is automatically removed after 45 days. By default, allow entries for spoofed senders never expire. +- **45 days after last used date**: The value **Remove allow entry after** \> **45 days after last used date** is now the default on new allow entries from submissions. The existing allow entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md) can also be modified to include the value **Remove allow entry after** \> **45 days after last used date**. The allow entry is triggered and the **LastUsedDate** property is updated when the entity is encountered and identified as malicious during mail flow or at time of click. After the filtering system determines that the entity is clean, the allow entry is automatically removed after 45 days. By default, allow entries for spoofed senders never expire. - (GA) Learning hub resources have moved from the Microsoft Defender portal to [learn.microsoft.com](https://go.microsoft.com/fwlink/?linkid=2273118). 
Access Microsoft Defender XDR Ninja training, learning paths, training modules and more. Browse the [list of learning paths](/training/browse/?products=m365-ems-cloud-app-security%2Cdefender-for-cloud-apps%2Cdefender-identity%2Cm365-information-protection%2Cm365-threat-protection%2Cmdatp%2Cdefender-office365&expanded=m365%2Coffice-365), and filter by product, role, level, and subject. From 7321606ccfd0d0acdb7087bf3d948746219e9737 Mon Sep 17 00:00:00 2001 From: Dhairyya Agarwal <12413099+dhairyya@users.noreply.github.com> Date: Thu, 19 Sep 2024 16:16:00 -0700 Subject: [PATCH 5/6] TABL sender block apply to internal Fixed documentation saying TABL sender block does not apply to internal --- defender-office-365/tenant-allow-block-list-about.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-office-365/tenant-allow-block-list-about.md b/defender-office-365/tenant-allow-block-list-about.md index e35b588224..b586f2eed5 100644 --- a/defender-office-365/tenant-allow-block-list-about.md +++ b/defender-office-365/tenant-allow-block-list-about.md 
@@ -34,7 +34,7 @@ In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. The list is used during mail flow for incoming messages from external senders. -The Tenant Allow/Block List doesn't apply to internal messages sent within the organization. But block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses. +The Tenant Allow/Block List domains & addresses, spoofed senders apply to internal messages sent within the organization. Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses. The Tenant Allow/Block list is available in the Microsoft Defender portal at **Email & collaboration** \> **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use . From e6577f7cddfd20eab9369bab511b7d4f7f4f4132 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Thu, 19 Sep 2024 16:42:58 -0700 Subject: [PATCH 6/6] Update tenant-allow-block-list-about.md --- defender-office-365/tenant-allow-block-list-about.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-office-365/tenant-allow-block-list-about.md b/defender-office-365/tenant-allow-block-list-about.md index b586f2eed5..eaa00be14b 100644 --- a/defender-office-365/tenant-allow-block-list-about.md +++ b/defender-office-365/tenant-allow-block-list-about.md @@ -8,7 +8,7 @@ manager: deniseb audience: ITPro ms.topic: how-to ms.localizationpriority: medium -ms.date: 07/18/2024 +ms.date: 09/19/2024 search.appverid: - MET150 ms.collection: 
@@ -34,7 +34,7 @@ In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override the Defender for Office 365 or EOP filtering verdicts. The list is used during mail flow for incoming messages from external senders. -The Tenant Allow/Block List domains & addresses, spoofed senders apply to internal messages sent within the organization. Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses. +Entries for **Domains and email addresses** and **Spoofed senders** apply to internal messages sent within the organization. Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses. The Tenant Allow/Block list is available in the Microsoft Defender portal at **Email & collaboration** \> **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use .
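Review bot: In PATCH 1/6, the Compromised User row in the @@ -459,7 +459,7 @@ hunk of attack-simulation-training-insights.md shows identical removed and added lines, and the third cell is empty in both, so the corrected "Link in Attachment" wording that the commit message describes is not visible for review. Please confirm that the new cell text says the user is counted as compromised only after entering credentials, not on clicking the payload link, which is what the commit message asks for.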
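Review bot: In PATCH 2/6 (defender-for-office-365-whats-new.md, @@ -49,7 +49,7 @@), the added sentence about existing allow entries no longer says what expiration those entries have. The removed line made 45 days after last used date the default for existing entries too, while the new text only says they "can also be modified", so state what existing entries keep until an admin changes them. The phrase "the Remove on value of 45 days after last used date" also does not match the label **Remove allow entry after** used one sentence earlier.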
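Review bot: In PATCH 3/6, the added bullet in the @@ -306,7 +306,7 @@ hunk of submissions-admin.md drops the removed line's statement that, after the allow entry is removed, messages from those domains or email addresses are delivered unless something else in the message is detected as malicious, and it drops the link to the expiration-management post. Readers are no longer told what happens to mail once the entry is gone; consider keeping that sentence after the new wording. While this block is being edited, the context line "a message from an allowed sender email address are delivered" should read "is delivered".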
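Review bot: In the @@ -362,7 +362,7 @@ hunk (files) of PATCH 3/6, the added bullet says "the entity is clean" in a bullet that is only about files, and the term _entity_ is defined in a different note earlier in the article. Suggest "determines that the file is clean" here. The context line that follows, "the message are delivered", should read "the message is delivered".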
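Review bot: In the @@ -420,7 +420,7 @@ hunk (URLs) of PATCH 3/6, the added sentence "Or you can set allow entries to expire up to 30 days after you create them" opens with a conjunction and does not say where this is set. Suggest "Alternatively, you can set the allow entry to expire up to 30 days after you create it", and say whether this is the same **Remove allow entry after** setting that the whats-new file in this series names. The same sentence is added in the @@ -306 and @@ -362 hunks, so the fix applies there as well.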
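Review bot: In PATCH 4/6 (defender-for-office-365-whats-new.md, @@ -49,7 +49,7 @@), the changed bullet gives two different starting points for the 45 days: the setting is named "45 days after last used date" and tied to **LastUsedDate**, but the closing sentence says the entry is removed 45 days after the filtering system determines that the entity is clean. Say which event starts the clock, and use the same description in the submissions-admin.md bullets from PATCH 3/6, which only mention the clean determination.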
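Review bot: In PATCH 5/6 (tenant-allow-block-list-about.md, @@ -34,7 +34,7 @@), the added sentence "The Tenant Allow/Block List domains & addresses, spoofed senders apply to internal messages" does not parse, and it writes "domains & addresses" where the next sentence uses the label **Domains and email addresses**. Suggest naming the two entry types with their bolded labels and making "entries" the subject of the sentence.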
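Review bot: In the @@ -34,7 +34,7 @@ hunk of PATCH 6/6, the context sentence directly above the changed line still says "The list is used during mail flow for incoming messages from external senders", which now contradicts the added statement that these entries apply to internal messages. Update that sentence in the same change, and say whether both allow and block entries apply to internal mail or only block entries.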