E-mail Protection Guides - Microsoft 365 Defender for Exchange Online (EOP and ATP)

The Exchange Online Protection (EOP) and Advanced Threat Protection (ATP) elements of Microsoft 365 Defender protect you from junk e-mail and other security threats.

What happens to my inbound e-mail?

If you have Microsoft 365 Defender turned on, with EOP and ATP protecting you, every e-mail that you receive is processed and assessed for risk. This involves looking at the sender, the contents of the message, any links in the message, and any attachments to the message.

Depending upon how trusted the sender is and the content of the message, Microsoft 365 Defender may allow the message through to your Inbox normally or, depending upon the risk it perceives, categorise the message as Junk, Phishing, Malware or another form of attack.

Links and Attachments

The Advanced Threat Protection (ATP) system will check links and attachments in e-mails sent to you.

Links and attachments are two of the biggest risks that arrive via e-mail. Links can be used to get you to visit malicious websites, either to download malware or to tempt you onto a "Phishing" site. Phishing sites are fraudulent sites set up to look like a real site, e.g. Microsoft 365 or HMRC login pages, in order to prompt you to type in your username and password.

ATP SafeLinks aims to detect these malicious links and replaces each one with a "Safelink", so that if you click on the link, ATP can check the site for you before you visit it. ATP is constantly learning, using a combination of humans and artificial intelligence, to update its database of safe and unsafe sites. You should be allowed to visit safe sites, and unsafe sites will be blocked. However, by the very nature of the threats, new unsafe sites are constantly being created, so this is not 100% protection - the first people targeted with a new unsafe site may not be protected. ATP is like a vaccine - it gives you very good protection from the majority of threats, but you still need to have awareness and be on your guard. It will also sometimes prevent you from getting to a site that is valid.
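Because a Safelink hides the real address behind a long rewritten URL, it helps to be able to see where a rewritten link actually points, for example when reviewing a message that a colleague has reported. The PowerShell below is an added example; it is not part of this guide or of Microsoft's own tooling. It assumes the publicly observable SafeLinks wrapper format (a hostname under safelinks.protection.outlook.com with the original destination percent-encoded in the url= query parameter), and the sample message body, including its link and tracking values, is constructed.

```powershell
# Added example (not from this guide): recover the real destination behind an
# ATP SafeLinks-wrapped URL so it can be reviewed before anyone clicks it.
# Assumption: SafeLinks rewrites links to
#   https://<region>.safelinks.protection.outlook.com/?url=<encoded target>&...
Add-Type -AssemblyName System.Web   # provides HttpUtility on Windows PowerShell 5.1

function ConvertFrom-SafeLink {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $Link)

    $uri = [System.Uri] $Link
    # Anything that is not a SafeLinks host is returned unchanged.
    if ($uri.Host -notlike '*.safelinks.protection.outlook.com') { return $Link }

    # ParseQueryString percent-decodes each value, so 'url' is the plain destination.
    $query  = [System.Web.HttpUtility]::ParseQueryString($uri.Query)
    $target = $query['url']
    if ([string]::IsNullOrEmpty($target)) {
        throw "No 'url' parameter in SafeLink: $Link"
    }
    return $target
}

function Get-SafeLinkTarget {
    # Lists every SafeLink in a block of text alongside its real destination.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $Text)

    $pattern = 'https://[a-z0-9]+\.safelinks\.protection\.outlook\.com/\?[^\s"<>]+'
    foreach ($m in [regex]::Matches($Text, $pattern, 'IgnoreCase')) {
        $destination = ConvertFrom-SafeLink -Link $m.Value
        [pscustomobject]@{
            SafeLink    = $m.Value
            Destination = $destination
            # The hostname is what a reader should compare with the claimed sender or brand.
            TargetHost  = ([System.Uri] $destination).Host
        }
    }
}

# Constructed sample body; the wrapped link and its data/sdata values are made up.
$sampleBody = @'
Your document is ready, please review it here:
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Fdocs%2Fguide%3Fid%3D42&data=05%7C01%7Cuser%40example.com&sdata=abc123&reserved=0
'@

Get-SafeLinkTarget -Text $sampleBody | Format-List
```

Run as-is, the sample prints one entry whose Destination is the decoded https://example.com/docs/guide?id=42 and whose TargetHost is example.com. The point of the TargetHost field is that the hostname, not the link text or the safelinks wrapper, is what tells you which site you would really be visiting.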

ATP SafeAttachments aims to protect you from malware sent as an attachment. It attempts to open the attachment and check that it is safe before releasing the e-mail to you.

Based upon the content of the message, the sender, and the links and attachments, 365 Defender then categorises the message as Legitimate, Junk/Spam, Phishing or Malware and takes the corresponding action.

What's Junk email?

Junk email messages are typically referred to as spam. These are messages that you don't want to receive, typically advertising products you don't use or content you find offensive. If you choose the Junk option, a copy of the message may be sent to Microsoft to help update EOP's spam filters, and the message will be moved from your Inbox to your Junk Email folder.

What's phishing?

Phishing is the practice of luring you into disclosing personal information, such as bank account numbers and passwords. Often phishing messages look legitimate, but have deceptive links that actually open fake websites. If you select Phishing, a copy of the message may be sent to Microsoft to help update EOP's filters, and the message will be moved from your Inbox to your Junk Email folder.

What's malware?

Malware is software or a file that attempts to do something detrimental to your system - deleting data, sending a copy of your data to someone else, or encrypting it to demand a ransom ("Ransomware"). If the system suspects it has found malware, it will usually quarantine the message so that only an administrator can see and review it.

What's a legitimate email?

If you know the sender and are expecting the message, or if you receive a message that is mistakenly marked as junk, you can use the Report Message add-in to mark it as Not Junk. This moves the message from the Junk Email folder back to your Inbox.

Quarantine

When Microsoft Defender determines that a message is suspicious, it may either route the message to your Junk folder or hold it in "Quarantine" to protect you and your system. If any new messages have been held in quarantine for you, you will normally get a summary e-mail every 24 hours.

You can check for messages in Quarantine without waiting for the automated quarantine summary, and review what is in your quarantine, by following the instructions below.

How to access Quarantine

Go to the URL below and sign in with your Office 365 credentials:
https://protection.office.com/quarantine

Select the detail you want to filter by: Sender Address, Subject and Message ID are all available, and Message ID is the default.

  • You can filter by multiple addresses, or combine the above criteria, by selecting a filter, typing the criteria, then selecting the "sort results by" drop-down again and repeating.

To release an e-mail

Select the email:

Select "Release the message":

Select “Report messages to Microsoft for analysis” and “Release Messages to all recipients” where applicable, then “Release Message”.
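Administrators often do the same three steps (find the held message, review it, release it) from Exchange Online PowerShell rather than the portal. The script below is an added example, not part of this guide; it uses the Get-QuarantineMessage and Release-QuarantineMessage cmdlets from Microsoft's ExchangeOnlineManagement module, and the admin account, sender address and subject are placeholders.

```powershell
# Added example (not from this guide): the administrator equivalent of the portal
# steps above, using the ExchangeOnlineManagement module. The account, sender
# address and subject are placeholders to replace with your own values.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # interactive sign-in

# 1. Find held messages. The filters the portal offers are parameters here:
#    -SenderAddress, -Subject and -MessageId (plus -RecipientAddress for one user's view).
$held = Get-QuarantineMessage -SenderAddress 'supplier@example.com' -Subject 'Invoice' -PageSize 100

# 2. Review before releasing: why it was held (Type), who it was for, and when it expires.
$held |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, Expires |
    Format-Table -AutoSize

# 3. Release only the spam/phish verdicts you have confirmed are false positives and
#    leave malware detections for a dedicated review. -ReportFalsePositive corresponds to
#    "Report messages to Microsoft for analysis" and -ReleaseToAll to "Release Messages
#    to all recipients" in the portal.
$held |
    Where-Object { $_.Type -notin @('Malware', 'HighConfPhish') } |
    Release-QuarantineMessage -ReleaseToAll -ReportFalsePositive
```

The review step is deliberately separate from the release step: the Type and RecipientAddress columns are what tell you whether a held message is a harmless false positive or something that should stay in quarantine.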
