Microsoft Defender for Office 365 now allows Automated Investigation and Response (AIR) to automatically remove malicious emails by clustering on multiple similar attributes. Previously, automated clustering was limited to Similar Files and Similar URLs; this update extends it to additional attributes.
With this feature, AIR builds clusters of related emails from sender information (sender IP address, P2 sender domain, i.e. the domain of the RFC 5322 From: header shown to the user) and message content (subject, body fingerprint). The attribute pairs used are:
- BodyFingerprintBin1 / SenderIp
- BodyFingerprintBin1 / P2SenderDomain
- Subject / P2SenderDomain
- Subject / SenderIp
How it works:
When AIR identifies a malicious file or URL, or, with this update, a message that shares one of the attribute pairs above with a confirmed malicious message, it forms a cluster around that indicator. The automated investigation then examines every message in the cluster and determines where each one currently sits.
Messages still found in user mailboxes receive a remediation action (for example, soft delete); messages already quarantined or blocked need none. By supporting multiple similar attributes, AIR can identify and clean related emails that share no file or URL with the original detection. This reduces the need for manual review, shortens remediation time, and lowers false positives.
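The following Python is an added illustration of the clustering and location check described above; it is not Microsoft's code and is not part of the original post. The attribute names follow the post, while `DeliveryLocation`, `MAILBOX_LOCATIONS`, the `SoftDelete`/`NoActionNeeded` labels, the sample messages and the `body_fingerprint` stand-in are assumptions made for the example. The real BodyFingerprintBin1 is a Microsoft similarity fingerprint that also groups near-identical bodies; the stand-in here only matches bodies that are identical after whitespace and case normalisation.

```python
"""Toy model of AIR multi-attribute clustering (illustrative, not Microsoft's code).

Each message is a dict carrying the attributes named in the post. A seed
message (the confirmed malicious one) is compared against every other message
on the four attribute pairs; matches form the cluster, and each clustered
message gets an action depending on where it currently sits.
"""
from collections import defaultdict
import hashlib

# The four attribute pairs listed in the post.
CLUSTER_KEYS = (
    ("BodyFingerprintBin1", "SenderIp"),
    ("BodyFingerprintBin1", "P2SenderDomain"),
    ("Subject", "P2SenderDomain"),
    ("Subject", "SenderIp"),
)

# Assumption: a message in one of these locations is still reachable by the
# user and therefore needs a remediation action; quarantined or blocked mail
# does not.
MAILBOX_LOCATIONS = frozenset({"Inbox", "JunkFolder", "DeletedItems"})


def body_fingerprint(body: str) -> str:
    """Stand-in for BodyFingerprintBin1 (assumption): normalise case and
    whitespace, then hash. Unlike the real fingerprint this only matches
    bodies that are identical after normalisation."""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]


def make_message(msg_id, sender_ip, p2_domain, subject, body, recipient, location):
    """Build one message record with the attributes the clustering uses."""
    return {
        "NetworkMessageId": msg_id,
        "SenderIp": sender_ip,
        "P2SenderDomain": p2_domain,
        "Subject": subject,
        "BodyFingerprintBin1": body_fingerprint(body),
        "Recipient": recipient,
        "DeliveryLocation": location,
    }


def build_cluster(messages, seed_id):
    """Return {message_id: [matching attribute pairs]} for every message that
    shares at least one CLUSTER_KEYS pair with the seed message."""
    seed = next(m for m in messages if m["NetworkMessageId"] == seed_id)
    matches = defaultdict(list)
    for m in messages:
        if m["NetworkMessageId"] == seed_id:
            continue
        for a, b in CLUSTER_KEYS:
            if m[a] == seed[a] and m[b] == seed[b]:
                matches[m["NetworkMessageId"]].append(f"{a}/{b}")
    return dict(matches)


def remediation_plan(messages, seed_id):
    """Decide an action per clustered message from its current location."""
    by_id = {m["NetworkMessageId"]: m for m in messages}
    plan = {}
    for msg_id, reasons in build_cluster(messages, seed_id).items():
        in_mailbox = by_id[msg_id]["DeliveryLocation"] in MAILBOX_LOCATIONS
        plan[msg_id] = {
            "reasons": reasons,
            "action": "SoftDelete" if in_mailbox else "NoActionNeeded",
        }
    return plan


# Constructed sample messages (RFC 5737 addresses, example domains).
LURE = "Your invoice 4471 is overdue. Open the attached file to avoid suspension."
SAMPLE_MESSAGES = [
    # m1 is the seed: the message AIR already judged malicious
    make_message("m1", "203.0.113.10", "billing-example.com", "Invoice 4471 overdue",
                 LURE, "alice@contoso.example", "Inbox"),
    # same body, IP and domain, different subject -> both body-based pairs match
    make_message("m2", "203.0.113.10", "billing-example.com", "Payment reminder",
                 LURE, "bob@contoso.example", "Inbox"),
    # same subject and P2 domain, different body and IP, already quarantined
    make_message("m3", "198.51.100.7", "billing-example.com", "Invoice 4471 overdue",
                 "Second notice. See attachment.", "carol@contoso.example", "Quarantine"),
    # same subject and sender IP, different domain and body, sitting in Junk
    make_message("m4", "203.0.113.10", "mail-example.net", "Invoice 4471 overdue",
                 "Kindly review.", "dave@contoso.example", "JunkFolder"),
    # unrelated message that must not be pulled into the cluster
    make_message("m5", "192.0.2.44", "news-example.org", "Weekly digest",
                 "This week's headlines.", "alice@contoso.example", "Inbox"),
]

if __name__ == "__main__":
    for msg_id, entry in remediation_plan(SAMPLE_MESSAGES, "m1").items():
        print(msg_id, entry["action"], ", ".join(entry["reasons"]))
```

Note that m2 joins the cluster with no subject in common and m4 joins with neither the body nor the P2 domain in common; only the pairing of two attributes is required, which is what makes this broader than file or URL clustering while still demanding more than a single shared field. m3 is clustered but gets no action because it is already in quarantine.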
Important: If Similar Files or Similar URLs were previously enabled, clustering based on multiple similar attributes is not automatically enabled and must be configured separately.
License Requirement:
This automation capability is available with Microsoft Defender for Office 365 Plan 2 (P2).
#MicrosoftSecurity #MicrosoftDefender