CISO Brief

All news with #defender for office 365 tag

9 articles

Latest Microsoft Email Security Benchmark Findings

🛡️ Microsoft published updated email security benchmarks comparing Defender, secure email gateways (SEGs), and integrated cloud email security (ICES) solutions. The data shows Microsoft Defender removes an average of 70.8% of malicious email post-delivery, with ICES partners contributing the remaining 29.2% of post-delivery remediation. Layering matters: integrated ICES solutions improve marketing and bulk filtering by an average of 13.7%, while incremental gains for spam and malicious filtering were modest (around 0.29% and 0.24% respectively). The report also compares misses per 1,000 users, showing Defender had fewer high-severity misses than several evaluated SEG vendors.

Microsoft anti-phishing rules mistakenly blocked URLs

⚠️ Microsoft says a software error in its email security system incorrectly flagged thousands of legitimate URLs as phishing links, preventing users from opening messages across Exchange Online and Teams. The issue, which began on February 5 and persisted until February 12, caused some emails to be quarantined and generated false "potentially malicious URL click" alerts for administrators. Microsoft traced the fault to a logic error in heuristic detection rules intended to catch credential phishing and said it will publish a final report after full remediation.

Resurgence of AiTM and BEC campaign abusing SharePoint

🔒 Microsoft Defender researchers uncovered a multi‑stage AiTM phishing and BEC campaign that abused SharePoint file‑sharing to deliver credential‑harvesting traps and maintain persistence by creating malicious inbox rules. Attackers used trusted vendor‑style lures and legitimate SharePoint redirects to capture session cookies or credentials, then expanded the campaign across energy sector organizations by sending more than 600 phishing messages from compromised accounts. Defender XDR and Office 365 detections exposed session cookie theft, replay attempts, and malicious inbox rules — remediation requires revoking session cookies, deleting attacker‑created inbox rules, and restoring MFA controls in addition to password resets.

Microsoft Teams to let admins block external users

🔒 Microsoft will let security administrators block external users from sending messages, placing calls, or inviting employees to meetings in Teams, managed directly through the Tenant Allow/Block List in the Microsoft Defender portal. The capability integrates with Defender for Office 365 and the Defender XDR web portal and applies across all Teams clients without altering existing domain blocks or federation settings. Organizations must enable two disabled Teams admin center settings to grant security teams permission to manage blocked domains and users.

Microsoft named Leader in 2025 Gartner Email Security

🔒 Microsoft has been named a Leader in the 2025 Gartner® Magic Quadrant for Email Security, recognizing advances in Microsoft Defender for Office 365. The announcement highlights agentic AI innovations and automated workflows—including an agentic email grading system and the Microsoft Security Copilot Phishing Triage Agent—that reduce manual triage and speed investigations. Microsoft also cites new protections like email bombing detection and expanded coverage across collaboration surfaces such as Microsoft Teams, while committing to greater transparency through in-product benchmarking and reporting.

Microsoft Teams guest access can bypass Defender protections

⚠️ Researchers warn a cross-tenant blind spot in Microsoft Teams can allow attackers to sidestep Microsoft Defender for Office 365 when users accept guest access in another tenant. Protections follow the hosting tenant, not the user's home organization, enabling attackers to create protection-free malicious tenants using low-tier licenses. Organizations should restrict B2B invitations, enable cross-tenant access controls, and train users to reject unsolicited guest invites.

Microsoft Teams guest chat exposes cross-tenant blind spot

🔒 Security researchers warn that a cross-tenant collaboration design in Microsoft Teams can cause a user's Defender for Office 365 protections to be dropped when they accept a guest invitation and join another tenant. The default-enabled feature MC1182004 (chat with any email) lowers the bar for attackers to spin up hostile tenants and deliver links or files that bypass URL scanning, Safe Links, file sandboxing and zero-hour auto purge. Administrators are advised to treat guest access as a trust boundary: restrict B2B invites to vetted domains, enforce Entra ID cross-tenant policies, and disable the "chat with anyone" capability where appropriate.

Microsoft Enables Default Auto-Archiving in Exchange Online

📥 Microsoft is enabling threshold-based auto-archiving by default for Exchange Online, moving the oldest items to users' archive mailboxes when primary mailbox usage approaches 90%, provided an archive is provisioned and has available space. The Managed Folder Assistant will continuously monitor mailbox sizes and archive until usage drops below the threshold. Rollout begins this month for public clouds and is scheduled for government clouds in November; users can tag items with the Never Move to Archive flag to prevent them from being archived. The change complements recent Defender for Office 365 updates that detect email bombing attacks.

Microsoft Blocks Phishing Using AI-Generated Code Tactics

🔒 Microsoft Threat Intelligence stopped a credential phishing campaign that likely used AI-generated code to hide a payload inside an SVG file disguised as a PDF. Attackers sent self-addressed emails from a compromised small-business account, hiding real targets in the Bcc field and attaching a file named "23mb – PDF- 6 pages.svg." Embedded JavaScript decoded business-style obfuscation to redirect victims to a fake CAPTCHA and a fraudulent sign-in page, and Microsoft Defender for Office 365 blocked the campaign by flagging delivery patterns, suspicious domains and anomalous code behavior.